1effca7820 omm: new role (SIP-DECT OMM) 2021-11-27 18:31:18 +01:00
93 changed files with 1165 additions and 2070 deletions


@ -44,7 +44,6 @@ icinga_domain: icinga.binary.kitchen
icinga_dbname: icinga
icinga_dbuser: icinga
icinga_dbpass: "{{ vault_icinga_dbpass }}"
icinga_server: nabia.binary.kitchen
icingaweb_dbname: icingaweb
icingaweb_dbuser: icingaweb
icingaweb_dbpass: "{{ vault_icingaweb_dbpass }}"
@ -73,15 +72,12 @@ mail_server: mail.binary-kitchen.de
mailman_domain: lists.binary-kitchen.de
mail_trusted:
- 213.166.246.0/28
- 213.166.246.37/32
- 213.166.246.45/32
- 213.166.246.250/32
- 2a02:958:0:f6::/124
- 2a02:958:0:f6::37/128
- 2a02:958:0:f6::45/128
mail_aliases:
- "auweg@binary-kitchen.de venti@binary-kitchen.de,anti@binary-kitchen.de,anke@binary-kitchen.de,gruenewald.clemens@gmail.com"
- "bbb@binary-kitchen.de timo.schindler@binary-kitchen.de"
- "dasfilament@binary-kitchen.de taxx@binary-kitchen.de"
- "epvpn@binary-kitchen.de noby@binary-kitchen.de"
- "google@binary-kitchen.de vorstand@binary-kitchen.de"
@ -92,9 +88,8 @@ mail_aliases:
- "openhab@binary-kitchen.de noby@binary-kitchen.de"
- "orga@ccc-r.de orga@ccc-regensburg.de"
- "orga@ccc-regensburg.de anti@binary-kitchen.de"
- "paypal@binary-kitchen.de ralf@binary-kitchen.de"
- "paypal@binary-kitchen.de timo.schindler@binary-kitchen.de"
- "post@makerspace-regensburg.de vorstand@binary-kitchen.de"
- "pretix@binary-kitchen.de moepman@binary-kitchen.de"
- "root@binary-kitchen.de moepman@binary-kitchen.de,kishi@binary-kitchen.de"
- "seife@binary-kitchen.de anke@binary-kitchen.de"
- "siebdruck@binary-kitchen.de anke@binary-kitchen.de"
@ -135,11 +130,13 @@ nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
pretix_domain: pretix.events.binary-kitchen.de
omm_domain: omm.binary.kitchen
pretix_domain: pretix.rc3.binary-kitchen.de
pretix_dbname: pretix
pretix_dbuser: pretix
pretix_dbpass: "{{ vault_pretix_dbpass }}"
pretix_mail: pretix@binary-kitchen.de
pretix_mail: rc3@binary-kitchen.de
prometheus_pve_user: prometheus@pve
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"


@ -1,102 +1,84 @@
$ANSIBLE_VAULT;1.1;AES256
34313430623638333161613331623835666163626232326164366136373833633138373733333231
6563336334663666373235313064363364646361643033310a663033616232363434306230313765
31386338646433393334663031623261353661333565663763363834313264363463383562633934
3663623932356635360a306231613431623763663130656634623365643730336564663862336536
34663863313364613831656162663663646634636432656539643531326163653363376662393935
61343934313135623265646539616136306231633566616534383562393964663565323534386162
31646233313339383863313334353031386166653264353831383133633761306539636533656336
37643866646538316234633736613136356166613037383638303465663639633432326533653832
30313862646132393063393239656561646566336362643466386435613734623632613361323266
64316166313635306631396166303132626139386563613231646439356637393662623530353261
62326661663064393362653136346262313762376130623461313563613161623838356363306263
38376438333632623962646535313239343038383030383736313536303935346236326631616632
65376162613630343064356361336535623030316435333036363635623461626330663635653631
61313435373839366363613338666630366333383962393734333662646239663237386437373333
31373065336139643033643666653737306664626134643937343264646539616264393530343462
38366232393832666439383066383738643966363132663832396562646238306638343266353934
38396236373830303661336635646137306236386436343033383764666535323834313534346533
35333665303534383634303732346164616666643731313839353462343365356338386561613231
35333965353736386531356565376434393563653562373261633664623438346638613765303736
65336230636539613332616433326335326436333136636566383731306437663438306636363930
31376230353230613038636662623432646361383263663532396234656133333237333738666233
61613961343963393437393664393265306564373164316265363232303831663331393130356662
39313230616463636163386261353431356338353833393161313861643137646166363864313861
64306161653565396339656333346235346365373836373633376231333833313034353864656434
33623861326664356339336333663365663663353061323037346330653133396235363831623136
63343662356235633332373733626232353437373263343038663932636232363030336436616131
65376436663962363631386664353531303963313263633261633766326566383262643334646466
65363664306332656134633039643135323134616535613834313533626633353066343762646132
31353761373366313365373632366661646235333039656231323030366338326264333162646562
39343265376234363635306537636464323030316231306564316635656563303565336539326237
36393632386564343730616566373535616263383564343866353665373363363333343935346464
31646338353235356231353135663062323766663231383730396235373934303465346239303961
66646463663762633963336365356431323431383938373839346364303464633031633633663937
36646165633661633361313635393134646133363334373863663132376266336233336435356435
38303862613564363731313062316533633465353830316436326431656132353431373231646337
33343464353039623236643633636239343965643633343966326562343934313664633563613730
63313930643936393838636634613331633835656434646163386661663037376330646366656232
32623461633935353134343533626266653031666335336236343039363066396337633639363235
38626233383461356264616534656537633931663936383330386532363434383833613835613439
64306262626539623136376630646439353335623266306139306434663331346237306331666533
37363433343433363632336333633065313865626564633134616462393831626237333638333739
61623030386235666132666661623462323332393666623539636139326530623233396533373939
32396261306661663739333138353335663734316232303661353166376133653934306233343739
33353833323739343163396234633264373139346264653933633433393132363966636135393365
36363530396166363630643764633436663037666631343535366132373334663938333930396133
36303864303961333664653635343935353266396231313964646262363038626561653466646438
62306434373136393738303835656130333936663430636139383137633536383131616533613634
62343464636332343031326365383964326666636466666636663236633935356635336435313437
33626137326238356537353762613164653731326563663239316537646338643131643564663632
33353536383265303030343735616530666236343064323337623232396130393366363161356636
61333862313432323139313963386538393365373335373139353533356537383739373539646134
37623936653933326633643961313530663533326532383133353238303336643432353833393338
31633065666336373236386537636536326236636639376465346136326535653764373131636135
61393932643639383234396163326633393733616563343637613661326432623461393934653965
32643162386238316261633733613366323834393365633430643964666262306339633766613533
65366264313431333132303063393564383062346365633133383463376631303933643065613137
61383231393339363465363064633862633135326536663163366234623764626439346461303164
32373738636533306362333138643832643862656239303464373434303537653336646430356633
36626436356231616166666163346539633738623734343031373735346165303664346137343132
31663230343934333138656333626339623133323630336266353831653135616363333432616361
33613236623538333663366136656563663331366237303763653238336139363163366635646532
37316430623433336436376462656331373336303831393333626166346135333737326435353834
37636162646438313162303462633830353239623565393331316662616535343138613437653665
31316563346234633031653131666531333266306139346566383263303835343532363633373665
30336462626434393063343234356633636433356164363163363564383263623364386435383239
33323738366534633730666436303433343731306662393863323633653263316138386365376666
35316365303361623030383836316436323663646464386231346432396563663133643834383636
61326534313237316130393538613834656231303732656163346237643535663239366536636633
36306137616664623735613966343264653932363035373336636465323163393539363064386562
31626138316163393466323333613530376265386136376330636364363166323061383034623336
38643166363864383264373665323238326232376633653565356536376466303834313733613531
65333734353036303935333533306334306231373731353463346461353930316562316439356562
38336435366335333230323766626134376131323435323735653736336662313962393766383435
39323734643037643066363338373332653830393337306633336131663131616164336536393837
35383366316130343162663231343763373331613261393566366133346564636334643464373535
37633536323531613831656662323263316630623061383930363637346438623735383430366538
39303961326461323661346630313636643531303265393461373036306435353863643036623665
66333965303032653537613232633162303138343632396134336130333430636666376430323466
61323535313463653866666265313765623831376633666534623033643063386231623238656439
63323166373764306162613233323466366363666535643339646361306638343762393834343131
31393437373733343138306563363032353831616334383631656266346131303161633265343461
62343234383936303664643234323665343635626435613766343737396564656137393061666165
66313531666562303030323764356632626233333432343461393362303563643661336335366339
62346366643835303563646161366434386532363265313531303634336136653062613464376138
66336333623565623263363561303537303337623137656430353830353937323265313837333237
62343132326665326130376566626661366534353335366532623539303536323762646462306261
63383133633462376162316338663765393933663536663239636439643733376434333030616131
63326332336563326232346430643534336133376334646635653862333133306135666132353839
37336136346464363365633262623630343463343035666161626665663030346533303266313837
32323566393630626566393334353832383235626161343532323930656430343739663432333866
62663136333637663563366536303437363964666638326134373766313837383431663733383630
63336432656239393465353666383131326536643531663337396234396663373432303163653331
33626237386237626433653637313835376632613131663235353037336231613134633065323035
31366531343131303937663561336262623062313961366233633430323639383332656236363535
35353639633366366439666532326539666230323338643931383264306436386634316331393133
33393963303734303037353139356436313036343766646131333735356266333434333039363339
62396231303137303236626439633331306663313630653437363733656130653863646537316536
39346233633436323565363466653862333630633030666136613237333663643339306334613532
63343565393632353138616637356339623639373135636334333130323032346536626465323430
63383363313338636466316464303039633236343038613734633632633234313837656436663137
62643130383463333137363537646233613366653664613137623130333330636362
35323963326634353430373361636231303663373264616131356530663738306563303332363762
3436613664633530623163353436323035346463623737390a383665663266313338356361626161
39643939393939333361663434353237633861303032323730336661633663373636326432663135
3430313238313836610a343432396536316462313230656236366363343034383732646163626231
30643132316365613664333834356630666336633635373037326162646538333062363237363465
30303632303339616166323932303865313766316436623232633335613263323437633331346133
64633161383236346536616231333634626466373232366265333062306635663631663565666531
30653633643430356164386364386336323162383164663639323430343239333366306161336365
39663663343037396566366363353461656330353636306162626639663137666136306235656165
66613338623232316336323830303830383364396537633161373032323739316131336431313035
63346662366562656638363961613263363134646131623436316463326265646138323238303437
31363734376333343961356137373764656534363437316633656665616430323231383563633766
30653565373563376664303133653665356264363735333939646339653735633765306261633836
31313465323238316263343166646132356333373033616361333532623564336338373838303536
65333962636161633038353135303466353839663833626530616635666337346161623635383963
66636230393331316239616434613265343139636632396630656630623662306464633162366139
35646332623137643130373738336265623930376165343238626233356235613434636564313939
34636266383536383936313263373538666165633163396635313365616339303264663566316234
65353262313062653061326239363266333637316362366539616136373062313764316330663138
64343337356133643163383864343962623237316230343763653838613738393739343131323835
38623063626531613764356265376230336530326364643635383438363463333931333461393563
37343231366165616666376664653633616332346661383935393435653934336562343531323664
38396233306266623361636566663262393336343434383532393336343533653364666264306463
66393234376137643761396635626337656465383066303863383535636363336463343234363361
61626365633639643237336464653666396131343535636431636438343265663138346631316335
63343136656131653039396539323231663730316134306432613034363635343230353361616338
34303931343866343831623333386533313733613663363565313666353139356265333461336237
34643265623739376565663039343638343839633362303035386562333264333438313835393039
39376266643831343561653832353266313461363738663533383935376234636338343734353731
36396634316561336363633339653566323134306430373536613763303763653764336237633465
39313562373062666566663437386538663733643261656361346364393935613638393464663062
31643035356630363630363532353137626431643366383437663437333761613062363663633832
30663331333036653362646164313134316136663839386464353731303065376634313138656337
34306234303233613136353661643436666538623634323137343861346165333730303430386237
39313762313339356430303934343837336230303231613266643231376634333739353366333139
39393436366339616166393530313862303961353131646163306633386637376634363534363461
31363634653638633334346334613061333234633061343732363330363636656333316366383838
39343234616461656432653836623233343965636432616630313037366535366131393033383063
31343038646162616666613264363738366434613939333536656534336339326537366435383263
66376638376133303136346663386561336239643465376336633665656563666133666165323633
30613032343735653231356663333033653436393331653133646162333531613930316635356533
38663830383463663366393034656638643136383261373332383636333331396639346361376334
32333633316433616664643662636634323038306664663538386330356261323461396264323635
66376133666434363932353762663461333861376139323439653431663638343362326166336133
37396532306135386661353665356562363135656338333261386437376431363663383662303339
30343534393965646231303037366435333238343931393036616364643631333163336331396364
39303766363938383831316531303265383236646334616365613732643134366338366438623266
61346132623333343933373666363937376332653766313463333132626466373763346330613433
37383631656662386164633566376235366465663531383134613139656330313561633030643139
31646264316533303638303939656539663936306465656366303761343335383562366238316332
36623265383739376332393565386436653934316438313631626333343234656564623335386133
64363538396631363538653361373138393637326533386239353532316531376166313265303463
66306637383237303236306264373831636636643766383565326230313165356337633662663832
39666464646365313536633539366330333938643431633136643166336566343137653066343735
38653037346332373139356439656436366339323431626331636538346639303034323231663034
36626536343236326439653665323563326431386462666331386163623232333661613437313865
65363237643266393866363761316534666537616633393863366562666539633761613465616436
30346435363431393261336361333564313537353564333136633866643466353261666430376130
66333765306162666361393133636661393766333733363033663739646633303561623662316231
61653332346361363565343466363339323064313537343537396637343730653563653734313337
38316334376136636365373338313362313836613666643034343964353236313433303330366332
66356562643636353465343133323462313465653434383835636535666135363438653833623836
32636638313635326537336633656162346166303262386232613366366639326338316638656230
65613763353031386537333332363736636236623561323036623864313830316661633362613164
64356161376234666535393961376138656632653266306434343335373734663265383537326234
35636131303133666366326434323832633865626538333864653236343135383636373437303864
38663339666262373063643162343037343537383235326633623165396539633161303862623938
32663433396637643765363837316439363863386162316363633136633232643635363166646534
61366665356238653764623237613861323139366638633432343137336438316237333030613431
37323463636162333231303234383831333138306163643630633335383465313737383832646161
33643637373037666562366536383662663737373962373937633839633933323738366236323361
63663330346436343232616364353261613635646339333062643038363634623561623163643932
65306466363464376336353965633535356437333237666161383465393631333963393030316663
62343564383838383938646338383466383533646539336239323064383565333834396535396634
30616131643463663235636334613165343133646562656537396334623234383734396131643930
66373765333538643661386435666166633438383035663563333339663536663137393162343865
39326463316133343331633137363365653366643439613062633665633132633036333337323935
31393665623938316230653936353966396539353730353364346434646434616636663563336666
32623861363864383430356236396366616361326334656639613061636239306663626435636435
36316135633739313364336634376635303131616239666262613230666165636533613935643664
35356538613062646635336332613635643135396665376439323331386163356631383531376230
36386661326362633833333133356366633264353061356665353131323737303339396333613763
386531643264353562356563663961626139


@ -1,5 +0,0 @@
---
root_keys_host:
- "ssh-rsa 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 20170818Tobias@Teubl.de"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"


@ -1,3 +0,0 @@
---
acertmgr_mode: standalone


@ -4,4 +4,3 @@ grafana_domain: zelle.binary-kitchen.de
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAib/9jl5oDkCF0g9Z2m0chruxA779TmQLy9nYFWq5qwxhCrBwgPBsHjyYJoA9vE6o+MB2Uc76hPNHxrY5WqOp+3L6z7B8I7CDww8gUBcvLXWFeQ8Qq5jjvtJfT6ziIRlEfJBHn7mQEZ6ekuOOraWXSt7EVJPYcTtSz/aqbSHNF6/iYLqK/qJQdrzwKF8aMbJk9+68XE5pPTyk+Ak9wpFtiKA+u1b0JAJr2Z0nZGVpe+QlMkgwysjcJik+ZOFfVRplJQSn7lEnG5tkKxySb3ewaTCmk5nkeV40ETiyXs6DGxw0ImVdsAZ2gjBlCVMUhiCgznREzGmlkSTQSPw7f62edw== venti"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"


@ -1,4 +0,0 @@
---
root_keys_host:
- "ssh-rsa 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 noby"

4
hosts

@ -12,9 +12,8 @@ bob.binary.kitchen ansible_host=172.23.2.37
bowle.binary.kitchen ansible_host=172.23.2.62
salat.binary.kitchen ansible_host=172.23.9.61
[auweg]
weizen.binary.kitchen ansible_host=172.23.12.61
aeron.binary.kitchen ansible_host=172.23.13.3
lock-auweg.binary.kitchen ansible_host=172.23.13.12
weizen.binary.kitchen ansible_host=172.23.12.61
[fan_rz]
helium.binary-kitchen.net
lithium.binary-kitchen.net
@ -26,7 +25,6 @@ oxygen.binary-kitchen.net
fluorine.binary-kitchen.net
neon.binary-kitchen.net
sodium.binary-kitchen.net
magnesium.binary-kitchen.net
krypton.binary-kitchen.net
yttrium.binary-kitchen.net
zirconium.binary-kitchen.net


@ -44,8 +44,3 @@
- name: Enable vhosts
file: src=/etc/nginx/sites-available/dss dest=/etc/nginx/sites-enabled/dss state=link
notify: Restart nginx
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ dss_domain }}"


@ -6,6 +6,3 @@ logrotate_excludes:
- "/etc/logrotate.d/dbconfig-common"
- "/etc/logrotate.d/btmp"
- "/etc/logrotate.d/wtmp"
sshd_password_authentication: "no"
sshd_permit_root_login: "prohibit-password"
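Review bot: On the new side of this hunk `sshd_password_authentication: "no"` and `sshd_permit_root_login: "prohibit-password"` are gone, and the `Configure ssh password login` task (hunk `@ -102,12 +101,3 @@` in the common tasks) and the `sshd_config.j2` template are gone with them, so managed hosts keep whatever sshd_config the distribution ships; OpenSSH's compiled-in default is `PasswordAuthentication yes`. If leaving sshd unmanaged is intended, say so where the variables used to live, e.g. `# sshd hardening is not managed by this playbook; hosts rely on distro defaults`. The zone serials and package versions elsewhere on this page move backwards, which suggests base and head of the compare are swapped and this "new" side is in fact the older tree; confirm the direction before acting on this.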


@ -6,9 +6,6 @@
- name: Restart journald
service: name=systemd-journald state=restarted
- name: Restart sshd
service: name=sshd state=restarted
- name: update-grub
command: update-grub


@ -5,7 +5,6 @@
name:
- apt-transport-https
- dnsutils
- fdisk
- gnupg2
- htop
- less
@ -102,12 +101,3 @@
regexp: "rotate [0-9]+"
replace: "rotate 7"
loop: "{{ logrotateconfigpaths }}"
- name: Configure ssh password login
template:
src: sshd_config.j2
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: '0644'
notify: Restart sshd


@ -1,123 +0,0 @@
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin {{ sshd_permit_root_login }}
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication {{ sshd_password_authentication }}
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server


@ -1,10 +1,4 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart coturn
service: name=coturn state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr


@ -3,28 +3,6 @@
- name: Install coturn
apt: name=coturn
- name: Create coturn service override directory
file: path=/etc/systemd/system/coturn.service.d state=directory
- name: Configure coturn service override
template: src=coturn.override.j2 dest=/etc/systemd/system/coturn.service.d/override.conf
notify:
- Reload systemd
- Restart coturn
- name: Create gitea directories
file: path={{ item }} state=directory owner=turnserver
with_items:
- /etc/turnserver
- /etc/turnserver/certs
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/turnserver/certs/{{ coturn_realm }}.key -out /etc/turnserver/certs/{{ coturn_realm }}.crt -days 730 -subj "/CN={{ coturn_realm }}" creates=/etc/turnserver/certs/{{ coturn_realm }}.crt
- name: Configure certificate manager
template: src=certs.j2 dest=/etc/acertmgr/{{ coturn_realm }}.conf
notify: Run acertmgr
- name: Configure coturn
template: src={{ item }}.j2 dest=/etc/{{ item }}
with_items:


@ -1,15 +0,0 @@
---
{{ coturn_realm }}:
- path: /etc/turnserver/certs/{{ coturn_realm }}.key
user: turnserver
group: turnserver
perm: '400'
format: key
action: '/usr/sbin/service coturn restart'
- path: /etc/turnserver/certs/{{ coturn_realm }}.crt
user: turnserver
group: turnserver
perm: '400'
format: crt,ca
action: '/usr/sbin/service coturn restart'


@ -1,2 +0,0 @@
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE


@ -15,7 +15,7 @@
# Note: actually, TLS & DTLS sessions can connect to the
# "plain" TCP & UDP port(s), too - if allowed by configuration.
#
listening-port=443
#listening-port=3478
# TURN listener port for TLS (Default: 5349).
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
@ -27,7 +27,7 @@ listening-port=443
# TLS version 1.0, 1.1 and 1.2.
# For secure UDP connections, Coturn supports DTLS version 1.
#
tls-listening-port=443
#tls-listening-port=5349
# Alternative listening port for UDP and TCP listeners;
# default (or zero) value means "listening port plus one".
@ -125,10 +125,7 @@ tls-listening-port=443
#
# By default, this value is empty, and no address mapping is used.
#
external-ip={{ ansible_default_ipv4.address }}
{% if ansible_default_ipv6.address is defined %}
external-ip={{ ansible_default_ipv6.address }}
{% endif %}
#external-ip=60.70.80.91
#
#OR:
#
@ -402,17 +399,17 @@ realm={{ coturn_realm }}
# Uncomment if no TCP client listener is desired.
# By default TCP client listener is always started.
#
#no-tcp
no-tcp
# Uncomment if no TLS client listener is desired.
# By default TLS client listener is always started.
#
#no-tls
no-tls
# Uncomment if no DTLS client listener is desired.
# By default DTLS client listener is always started.
#
#no-dtls
no-dtls
# Uncomment if no UDP relay endpoints are allowed.
# By default UDP relay endpoints are enabled (like in RFC 5766).
@ -749,6 +746,6 @@ mobility
# Do not allow an TLS/DTLS version of protocol
#
#no-tlsv1
#no-tlsv1_1
#no-tlsv1_2
no-tlsv1
no-tlsv1_1
no-tlsv1_2
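Review bot: With `no-tcp`, `no-tls` and `no-dtls` all uncommented in the `@ -402,17 +399,17 @@` hunk, the relay only has a plaintext UDP listener left, so TURN allocation signalling and the long-term-credential exchange (realm and username in clear, only integrity-protected by the HMAC) are unencrypted on the wire, and the three `no-tlsv1*` lines in the last hunk have no effect because no TLS or DTLS listener exists to apply them to. If plain UDP is the intent, either drop the `no-tlsv1*` lines or mark them, e.g. `# TLS/DTLS listeners are disabled above; the no-tlsv1* settings are kept for documentation only`. The old side listened on 443 with TLS and acertmgr-managed certificates (visible in the coturn tasks hunk), so this reads as a downgrade; the serials and versions elsewhere on this page also move backwards, suggesting the compare direction is reversed and this is the older configuration.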


@ -106,7 +106,7 @@ subnet 172.23.13.0 netmask 255.255.255.0 {
# Users Auweg
subnet 172.23.14.0 netmask 255.255.255.0 {
option routers 172.23.14.1;
option routers 172.23.3.1;
ddns-domainname "users.binary.kitchen";
option domain-search "binary.kitchen", "users.binary.kitchen";
pool {
@ -119,7 +119,7 @@ subnet 172.23.14.0 netmask 255.255.255.0 {
# MQTT Auweg
subnet 172.23.15.0 netmask 255.255.255.0 {
option routers 172.23.15.1;
option routers 172.23.4.1;
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
@ -157,23 +157,13 @@ host ap06 {
fixed-address ap06.binary.kitchen;
}
host ap11 {
hardware ethernet 18:64:72:c6:c2:0c;
fixed-address ap11.binary.kitchen;
}
host ap12 {
hardware ethernet 18:64:72:c6:c4:98;
fixed-address ap12.binary.kitchen;
}
host bowle {
hardware ethernet ac:1f:6b:25:16:b6;
fixed-address bowle.binary.kitchen;
}
host cannelloni {
hardware ethernet b8:27:eb:18:5c:11;
hardware ethernet 00:10:f3:15:88:ac;
fixed-address cannelloni.binary.kitchen;
}
@ -182,6 +172,11 @@ host fusilli {
fixed-address fusilli.binary.kitchen;
}
host garlic {
hardware ethernet b8:27:eb:56:2b:7c;
fixed-address garlic.binary.kitchen;
}
host habdisplay1 {
hardware ethernet b8:27:eb:b6:62:be;
fixed-address habdisplay1.mqtt.binary.kitchen;
@ -203,7 +198,7 @@ host lock {
}
host maccaroni {
hardware ethernet b8:27:eb:f5:9e:a1;
hardware ethernet b8:27:eb:18:5c:11;
fixed-address maccaroni.binary.kitchen;
}
@ -223,7 +218,7 @@ host mpcnc {
}
host noodlehub {
hardware ethernet b8:27:eb:56:2b:7c;
hardware ethernet b8:27:eb:eb:e5:88;
fixed-address noodlehub.binary.kitchen;
}
@ -238,7 +233,7 @@ host pizza {
}
host spaghetti {
hardware ethernet b8:27:eb:eb:e5:88;
hardware ethernet b8:27:eb:e3:e9:f1;
fixed-address spaghetti.binary.kitchen;
}
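Review bot: In the `@ -106,7 +106,7 @@` and `@ -119,7 +119,7 @@` hunks the `option routers` for `subnet 172.23.14.0 netmask 255.255.255.0` and `subnet 172.23.15.0 netmask 255.255.255.0` appear to change to `172.23.3.1` and `172.23.4.1`, which lie outside those /24s; dhcpd accepts the value, but clients receive a default gateway that is not on-link and lose off-subnet connectivity. The rendered view has lost the +/- markers, so this assumes the usual old-then-new print order; if the in-subnet `172.23.14.1`/`172.23.15.1` are actually the new values, nothing needs changing. If the off-subnet gateways are deliberate, a comment such as `# gateway deliberately outside the subnet: <reason>` above each `option routers` would keep the next reader from "fixing" them.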


@ -1,7 +1,7 @@
$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
$TTL 1h ; default time-to-live
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
2022071600; serial
2021112701; serial
1d; refresh
2h; retry
4w; expire
@ -20,11 +20,12 @@ $TTL 1h ; default time-to-live
21.1 IN PTR pdu1.binary.kitchen.
22.1 IN PTR pdu2.binary.kitchen.
23.1 IN PTR pdu3.binary.kitchen.
31.1 IN PTR sw-butchery.binary.kitchen.
32.1 IN PTR sw-mini.binary.kitchen.
33.1 IN PTR sw-rack.binary.kitchen.
31.1 IN PTR sw01.binary.kitchen.
32.1 IN PTR sw02.binary.kitchen.
33.1 IN PTR sw03.binary.kitchen.
41.1 IN PTR ap01.binary.kitchen.
42.1 IN PTR ap02.binary.kitchen.
43.1 IN PTR ap03.binary.kitchen.
44.1 IN PTR ap04.binary.kitchen.
45.1 IN PTR ap05.binary.kitchen.
46.1 IN PTR ap06.binary.kitchen.
@ -59,6 +60,7 @@ $GENERATE 10-230 $.3 IN PTR dhcp-${0,3,d}-03.binary.kitchen.
240.3 IN PTR fusilli.binary.kitchen.
241.3 IN PTR klopi.binary.kitchen.
242.3 IN PTR mpcnc.binary.kitchen.
243.3 IN PTR garlic.binary.kitchen.
244.3 IN PTR mirror.binary.kitchen.
245.3 IN PTR spaghetti.binary.kitchen.
246.3 IN PTR maccaroni.binary.kitchen.
@ -85,13 +87,10 @@ $GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
$GENERATE 2-254 $.10 IN PTR vpn-${0,3,d}-10.binary.kitchen.
; Management Auweg
31.12 IN PTR sw-auweg.binary.kitchen.
41.12 IN PTR ap11.binary.kitchen.
42.12 IN PTR ap12.binary.kitchen.
61.12 IN PTR weizen.binary.kitchen.
111.12 IN PTR rfp11.binary.kitchen.
; Services Auweg
3.13 IN PTR aeron.binary.kitchen.
12.13 IN PTR lock-auweg.binary.kitchen.
; Clients Auweg
$GENERATE 10-230 $.14 IN PTR dhcp-${0,3,d}-14.binary.kitchen.
; MQTT
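Review bot: The SOA serial on the new side, `2021112701; serial`, is lower than the `2022071600; serial` it replaces in the `@ -1,7 +1,7 @@` hunk, and the forward zone (`$ORIGIN binary.kitchen`) shows the same change. Secondaries compare serials with RFC 1982 arithmetic and treat a lower value as stale, so they will not transfer the updated zone and keep serving the old PTR/A records until the serial overtakes the one they hold. Taken together with gitea `1.17.0` → `1.15.6` and hedgedoc `1.9.3` → `1.8.2` elsewhere on this page, this strongly suggests base and head of the compare are swapped and the displayed new side is the 2021-11-27 tree; if so the serial is correct for that commit and this note applies to the direction of the compare rather than to the zone.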


@ -1,7 +1,7 @@
$ORIGIN binary.kitchen ; base for unqualified names
$TTL 1h ; default time-to-live
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
2022071600; serial
2021112701; serial
1d; refresh
2h; retry
4w; expire
@ -44,11 +44,12 @@ ups1 IN A 172.23.1.11
pdu1 IN A 172.23.1.21
pdu2 IN A 172.23.1.22
pdu3 IN A 172.23.1.23
sw-butchery IN A 172.23.1.31
sw-mini IN A 172.23.1.32
sw-rack IN A 172.23.1.33
sw01 IN A 172.23.1.31
sw02 IN A 172.23.1.32
sw03 IN A 172.23.1.33
ap01 IN A 172.23.1.41
ap02 IN A 172.23.1.42
ap03 IN A 172.23.1.43
ap04 IN A 172.23.1.44
ap05 IN A 172.23.1.45
ap06 IN A 172.23.1.46
@ -83,6 +84,7 @@ $GENERATE 10-230 dhcp-${0,3,d}-03 IN A 172.23.3.$
fusilli IN A 172.23.3.240
klopi IN A 172.23.3.241
mpcnc IN A 172.23.3.242
garlic IN A 172.23.3.243
mirror IN A 172.23.3.244
spaghetti IN A 172.23.3.245
maccaroni IN A 172.23.3.246
@ -106,13 +108,10 @@ salat-bmc IN A 172.23.9.81
; Services RZ
; Management Auweg
sw-auweg IN A 172.23.12.31
ap11 IN A 172.23.12.41
ap12 IN A 172.23.12.42
weizen IN A 172.23.12.61
rfp11 IN A 172.23.12.111
; Services Auweg
aeron IN A 172.23.13.3
lock-auweg IN A 172.23.13.12
; Clients Auweg
$GENERATE 10-230 dhcp-${0,3,d}-14 IN A 172.23.14.$
; MQTT Auweg


@ -50,8 +50,3 @@
- name: Enable drone
service: name=drone enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ drone_domain }}"


@ -3,6 +3,6 @@
gitea_user: gogs
gitea_group: gogs
gitea_checksum: sha256:bc4a8e1f5d5f64d4be2e50c387de08d07c062aecdba2f742c2f61c20accfcc46
gitea_version: 1.17.0
gitea_url: https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64
gitea_checksum: sha256:1b7473b5993e07b33fec58edbc1a90f15f040759ca4647e97317c33d5dfe58be
gitea_version: 1.15.6
gitea_url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64


@ -50,9 +50,6 @@
template: src=certs.j2 dest=/etc/acertmgr/{{ gitea_domain }}.conf
notify: Run acertmgr
- name: Configure robots.txt for gitea
template: src=robots.txt.j2 dest=/opt/gitea/custom/robots.txt owner={{ gitea_user }}
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/gitea
notify: Restart nginx
@ -63,8 +60,3 @@
- name: Enable gitea
service: name=gitea enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ gitea_domain }}"


@ -43,10 +43,3 @@ LEVEL = warn
[oauth2]
JWT_SECRET = {{ gitea_jwt_secret }}
[cron]
ENABLED = true
[cron.archive_cleanup]
SCHEDULE = @midnight
OLDER_THAN = 168h


@ -1,4 +0,0 @@
User-agent: *
Disallow: /*/*/archive/*.bundle$
Disallow: /*/*/archive/*.tar.gz$
Disallow: /*/*/archive/*.zip$


@ -23,10 +23,6 @@ server {
ssl_certificate_key /etc/nginx/ssl/{{ gitea_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ gitea_domain }}.crt;
location /robots.txt {
alias /opt/gitea/custom/robots.txt;
}
location / {
client_max_body_size 1024M;
proxy_set_header X-Real-IP $remote_addr;


@ -34,8 +34,3 @@
- name: Start grafana
service: name=grafana-server state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ grafana_domain }}"


@ -25,8 +25,7 @@ server {
location / {
client_max_body_size 1024M;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://localhost:3000;
}
}


@ -1,4 +1,4 @@
---
hedgedoc_version: 1.9.3
hedgedoc_version: 1.8.2
hedgedoc_archive: https://github.com/hedgedoc/hedgedoc/archive/{{ hedgedoc_version }}.tar.gz


@ -103,8 +103,3 @@
- name: Start the hedgedoc service
service: name=hedgedoc state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ hedgedoc_domain }}"


@ -1,4 +0,0 @@
---
icinga_user: nagios
icinga_group: nagios


@ -1,5 +0,0 @@
---
- name: Restart icinga2
service: name=icinga2 state=restarted
delegate_to: "{{ icinga_server }}"


@ -1,17 +0,0 @@
---
- name: Configure monitoring for vhost
template:
src: http.j2
dest: /etc/icinga2/conf.d/hosts/{{ inventory_hostname }}.http_{{ vhost }}
owner: "{{ icinga_user }}"
group: "{{ icinga_group }}"
delegate_to: "{{ icinga_server }}"
- name: Regenerate hosts.conf
assemble:
src: /etc/icinga2/conf.d/hosts
dest: /etc/icinga2/conf.d/hosts.conf
# validate: /usr/sbin/icinga2 daemon -c %s --validate
notify: Restart icinga2
delegate_to: "{{ icinga_server }}"


@ -1,13 +0,0 @@
vars.http_vhosts["{{ vhost }}"] = {
http_sni = "true"
http_ssl = "true"
http_vhost = "{{ vhost }}"
}
vars.http_vhosts["{{ vhost }} cert"] = {
http_certificate = "25,15"
http_sni = "true"
http_ssl = "true"
http_vhost = "{{ vhost }}"
}


@ -62,20 +62,9 @@
changed_when: "'for these changes to take effect' in features_result.stdout"
notify: Restart icinga2
- name: Ensure directory for host snippets exists
file:
path: /etc/icinga2/conf.d/hosts
state: directory
owner: "{{ icinga_user }}"
group: "{{ icinga_group }}"
- name: Prepare host snippets
template: src=icinga2/conf.d/hosts.header.j2 dest=/etc/icinga2/conf.d/hosts/{{ item }}.00_header owner={{ icinga_user }} group={{ icinga_group }}
loop: "{{ groups['all'] }}"
- name: Prepare host snippets
template: src=icinga2/conf.d/hosts.footer.j2 dest=/etc/icinga2/conf.d/hosts/{{ item }}.zz_footer owner={{ icinga_user }} group={{ icinga_group }}
loop: "{{ groups['all'] }}"
- name: Configure known hosts for icinga
template: src=icinga2/conf.d/hosts.conf.j2 dest=/etc/icinga2/conf.d/hosts.conf owner={{ icinga_user }} group={{ icinga_group }}
notify: Restart icinga2
- name: Create group icingaweb2
group: name=icingaweb2 system=yes


@ -1,9 +1,12 @@
object Host "{{ item }}" {
{% for host in groups['all'] %}
object Host "{{ host }}" {
/* Import the default host template defined in `templates.conf`. */
import "generic-host"
/* Specify the address attributes for checks e.g. `ssh` or `http`. */
address = "{{ item }}"
address = "{{ host }}"
/* Set custom variable `os` for hostgroup assignment in `groups.conf`. */
vars.os = "Linux"
}
{% endfor %}
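Review bot: `address = "{{ host }}"` sets the Icinga check address to the inventory name, so every check against a host depends on that name resolving from the monitoring server; an inventory entry that reaches its machine through `ansible_host` would be checked at a different address than Ansible uses. Consider `address = "{{ hostvars[host]['ansible_host'] | default(host) }}"` so the two agree. `vars.os = "Linux"` is also emitted for every member of `groups['all']`, which is only right as long as the inventory holds Linux hosts exclusively.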


@ -78,8 +78,3 @@
- name: Start php7.4-fpm
service: name=php7.4-fpm state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ librenms_domain }}"


@ -1,52 +0,0 @@
[uwsgi]
# Port on which uwsgi will be listening.
uwsgi-socket = /run/mailman3-web/uwsgi.sock
#Enable threading for python
enable-threads = true
# Move to the directory wher the django files are.
chdir = /usr/share/mailman3-web
# Use the wsgi file provided with the django project.
#wsgi-file = wsgi.py
mount = /mailman3=wsgi.py
manage-script-name = true
# Setup default number of processes and threads per process.
master = true
process = 2
threads = 2
# Drop privielges and don't run as root.
uid = www-data
gid = www-data
plugins = python3
# Setup the django_q related worker processes.
attach-daemon = python3 manage.py qcluster
# Setup hyperkitty's cron jobs.
#unique-cron = -1 -1 -1 -1 -1 ./manage.py runjobs minutely
#unique-cron = -15 -1 -1 -1 -1 ./manage.py runjobs quarter_hourly
#unique-cron = 0 -1 -1 -1 -1 ./manage.py runjobs hourly
#unique-cron = 0 0 -1 -1 -1 ./manage.py runjobs daily
#unique-cron = 0 0 1 -1 -1 ./manage.py runjobs monthly
#unique-cron = 0 0 -1 -1 0 ./manage.py runjobs weekly
#unique-cron = 0 0 1 1 -1 ./manage.py runjobs yearly
# Setup the request log.
#req-logger = file:/var/log/mailman3/web/mailman-web.log
# Log cron seperately.
#logger = cron file:/var/log/mailman3/web/mailman-web-cron.log
#log-route = cron uwsgi-cron
# Log qcluster commands seperately.
#logger = qcluster file:/var/log/mailman3/web/mailman-web-qcluster.log
#log-route = qcluster uwsgi-daemons
# Last log and it logs the rest of the stuff.
#logger = file:/var/log/mailman3/web/mailman-web-error.log
logto = /var/log/mailman3/web/mailman-web.log


@ -16,6 +16,8 @@
- dovecot-ldap
- dovecot-managesieved
- dovecot-sieve
- fcgiwrap
- mailman
- mailman3-full
- python3-psycopg2
- postgresql
@ -99,6 +101,12 @@
file: path=/etc/dovecot/ssl/{{ mail_server }}.key owner=dovecot mode=0400
notify: Restart dovecot
- name: Configure mailman
template: src={{ item }}.j2 dest=/etc/{{ item }}
with_items:
- mailman/mm_cfg.py
notify: Restart postfix
- name: Configure mailman vhost
template: src=nginx/vhost.j2 dest=/etc/nginx/sites-available/mailman
notify: Restart nginx
@ -135,18 +143,10 @@
template: src=mailman/mailman.cfg.j2 dest=/etc/mailman3/mailman.cfg
notify: Restart mailman3
- name: Configure mailman3 hyperkitty plugin
template: src=mailman/mailman-hyperkitty.cfg.j2 dest=/etc/mailman3/mailman-hyperkitty.cfg
notify: Restart mailman3
- name: Configure mailman3-web
template: src=mailman/mailman-web.py.j2 dest=/etc/mailman3/mailman-web.py
notify: Restart mailman3web
- name: Configure mailman3-web uwsgi
copy: src=mailman/uwsgi.ini dest=/etc/mailman3/uwsgi.ini
notify: Restart mailman3web
- name: Run mailman3-web migration script
command:
cmd: ./manage.py migrate
@ -174,6 +174,7 @@
template: src={{ item }}.j2 dest=/etc/{{ item }}
with_items:
- postfix/helo_access
- postfix/transport
- postfix/virtual-alias
notify: Run postmap
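Review bot: The `Configure mailman` task renders `mailman/mm_cfg.py` but only notifies `Restart postfix`; mm_cfg.py is read by the Mailman daemon itself, so a changed template takes effect for Postfix but the running list manager keeps its old settings until it is restarted separately. Make the notify a list, `- Restart postfix` and `- Restart mailman`, assuming a `Restart mailman` handler exists or is added alongside. The `mailman` package added to the apt list is Mailman 2.1, which is Python 2 only; confirm the target Debian release still ships it, since that decides how long this role stays installable and patchable.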


@ -31,7 +31,8 @@ dn = {{ ldap_binddn }}
dnpass = {{ ldap_bindpw }}
# Use SASL binding instead of the simple binding. Note that this changes
# ldap_version automatically to be 3 if it's lower.
# ldap_version automatically to be 3 if it's lower. Also note that SASL binds
# and auth_bind=yes don't work together.
#sasl_bind = no
# SASL mechanism name to use.
#sasl_mech =
@ -45,7 +46,7 @@ dnpass = {{ ldap_bindpw }}
#tls = no
# TLS options, currently supported only with OpenLDAP:
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
#tls_ca_cert_dir =
#tls_ca_cert_dir = /etc/ssl/certs
#tls_cipher_suite =
# TLS cert/key is used only if LDAP server requires a client certificate.
#tls_cert_file =


@ -1,21 +0,0 @@
# This is the mailman extension configuration file to enable HyperKitty as an
# archiver. Remember to add the following lines in the mailman.cfg file:
#
# [archiver.hyperkitty]
# class: mailman_hyperkitty.Archiver
# enable: yes
# configuration: /etc/mailman3/mailman-hyperkitty.cfg
#
[general]
# This is your HyperKitty installation, preferably on the localhost. This
# address will be used by Mailman to forward incoming emails to HyperKitty
# for archiving. It does not need to be publicly available, in fact it's
# better if it is not.
#base_url: http://localhost/mailman3/hyperkitty/
base_url: https://{{ mailman_domain }}/mailman3/hyperkitty/
# Shared API key, must be the identical to the value in HyperKitty's
# settings.
api_key: {{ mailman3_archiverkey }}


@ -16,8 +16,7 @@ ALLOWED_HOSTS = [
#"localhost", # Archiving API from Mailman, keep it.
# "lists.your-domain.org",
# Add here all production URLs you may have.
'localhost',
'{{ mailman_domain }}'
'*'
]
# Mailman API credentials
@ -25,16 +24,7 @@ MAILMAN_REST_API_URL = 'http://localhost:8001'
MAILMAN_REST_API_USER = 'restadmin'
MAILMAN_REST_API_PASS = '{{ mailman3_restadminpass }}'
MAILMAN_ARCHIVER_KEY = '{{ mailman3_archiverkey }}'
MAILMAN_ARCHIVER_FROM = (
'127.0.0.1',
'::1',
{% if hostvars[inventory_hostname]['ansible_default_ipv4']['address'] is defined %}
'{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address']}}',
{% endif%}
{% if hostvars[inventory_hostname]['ansible_default_ipv6']['address'] is defined %}
'{{ hostvars[inventory_hostname]['ansible_default_ipv6']['address']}}',
{% endif%}
)
MAILMAN_ARCHIVER_FROM = ('127.0.0.1', '::1')
# Application definition
@ -140,7 +130,7 @@ USE_TZ = True
# Set default domain for email addresses.
EMAILNAME = '{{ mail_domain }}'
EMAILNAME = 'localhost.local'
# If you enable internal authentication, this is the address that the emails
# will appear to be coming from. Make sure you set a valid domain name,
@ -199,6 +189,3 @@ SOCIALACCOUNT_PROVIDERS = {
COMPRESS_OFFLINE = True
POSTORIUS_TEMPLATE_BASE_URL = 'http://localhost/mailman3/'
# This is a quick and dirty hack - maybe there is a way to reliably retrieve the right ID?
SITE_ID = 2
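Review bot: `ALLOWED_HOSTS = ['*']` switches off Django's Host-header validation, which is what keeps absolute URLs built from the request (confirmation and password-reset mails, redirects) tied to the real site name; the two values it replaces, `'localhost'` and `'{{ mailman_domain }}'`, already cover every legitimate host for this vhost, so keep the explicit list. `EMAILNAME = 'localhost.local'` likewise puts a non-routable domain into addresses the web UI generates, where the template has `{{ mail_domain }}` available. Narrowing `MAILMAN_ARCHIVER_FROM` to `('127.0.0.1', '::1')` is fine only if Mailman core really reaches the archiver over loopback; the removed variant derived the list from the host's own addresses, so check which one matches the deployment.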


@ -57,8 +57,6 @@ admin_user: restadmin
admin_pass: {{ mailman3_restadminpass }}
[mta]
remove_dkim_headers: yes
dmarc_mitigate_action: wrap_message
incoming: mailman.mta.postfix.LMTP
outgoing: mailman.mta.deliver.deliver
smtp_host: localhost
@ -68,8 +66,3 @@ smtp_pass:
lmtp_host: 127.0.0.1
lmtp_port: 8024
configuration: python:mailman.config.postfix
[archiver.hyperkitty]
class: mailman_hyperkitty.Archiver
enable: yes
configuration: /etc/mailman3/mailman-hyperkitty.cfg


@ -0,0 +1,115 @@
# -*- python -*-
# Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301 USA
"""This is the module which takes your site-specific settings.
From a raw distribution it should be copied to mm_cfg.py. If you
already have an mm_cfg.py, be careful to add in only the new settings
you want. The complete set of distributed defaults, with annotation,
are in ./Defaults. In mm_cfg, override only those you want to
change, after the
from Defaults import *
line (see below).
Note that these are just default settings - many can be overridden via the
admin and user interfaces on a per-list or per-user basis.
Note also that some of the settings are resolved against the active list
setting by using the value as a format string against the
list-instance-object's dictionary - see the distributed value of
DEFAULT_MSG_FOOTER for an example."""
#######################################################
# Here's where we get the distributed defaults. #
from Defaults import *
##############################################################
# Put YOUR site-specific configuration below, in mm_cfg.py . #
# See Defaults.py for explanations of the values. #
#-------------------------------------------------------------
# The name of the list Mailman uses to send password reminders
# and similar. Don't change if you want mailman-owner to be
# a valid local part.
MAILMAN_SITE_LIST = 'mailman'
#-------------------------------------------------------------
# If you change these, you have to configure your http server
# accordingly (Alias and ScriptAlias directives in most httpds)
#DEFAULT_URL_PATTERN = 'http://%s/cgi-bin/mailman/'
DEFAULT_URL_PATTERN = 'https://%s/'
IMAGE_LOGOS = '/images/mailman/'
#-------------------------------------------------------------
# Default domain for email addresses of newly created MLs
DEFAULT_EMAIL_HOST = '{{ mailman_domain }}'
#-------------------------------------------------------------
# Default host for web interface of newly created MLs
DEFAULT_URL_HOST = '{{ mailman_domain }}'
#-------------------------------------------------------------
# Required when setting any of its arguments.
add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST)
#-------------------------------------------------------------
# The default language for this server.
DEFAULT_SERVER_LANGUAGE = 'en'
#-------------------------------------------------------------
# Iirc this was used in pre 2.1, leave it for now
USE_ENVELOPE_SENDER = 0 # Still used?
#-------------------------------------------------------------
# Unset send_reminders on newly created lists
DEFAULT_SEND_REMINDERS = 0
#-------------------------------------------------------------
# Uncomment this if you configured your MTA such that it
# automatically recognizes newly created lists.
# (see /usr/share/doc/mailman/README.Exim4.Debian or
# /usr/share/mailman/postfix-to-mailman.py)
# MTA=None # Misnomer, suppresses alias output on newlist
#-------------------------------------------------------------
# Uncomment if you use Postfix virtual domains (but not
# postfix-to-mailman.py), but be sure to see
# /usr/share/doc/mailman/README.Debian first.
MTA='Postfix'
#-------------------------------------------------------------
# Uncomment if you want to filter mail with SpamAssassin. For
# more information please visit this website:
# http://www.jamesh.id.au/articles/mailman-spamassassin/
# GLOBAL_PIPELINE.insert(1, 'SpamAssassin')
POSTFIX_STYLE_VIRTUAL_DOMAINS = ['{{ mailman_domain }}']
# alias for postmaster, abuse and mailer-daemon
DEB_LISTMASTER = 'postmaster@{{ mail_domain }}'
# Remove, rename and preserve DKIM headers
REMOVE_DKIM_HEADERS = 3
# Munge From for DMARC
DEFAULT_DMARC_MODERATION_ACTION = 1
# Note - if you're looking for something that is imported from mm_cfg, but you
# didn't find it above, it's probably in /usr/lib/mailman/Mailman/Defaults.py.
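Review bot: Several comments are left over from the distribution sample and no longer describe what this template does: `USE_ENVELOPE_SENDER = 0 # Still used?` is an open question shipped as configuration, the `# Uncomment if you use Postfix virtual domains` block precedes an unconditional `MTA='Postfix'`, and `POSTFIX_STYLE_VIRTUAL_DOMAINS` sits under the SpamAssassin heading. Suggest replacing those three with a single short block such as `# Postfix integration: alias/virtual maps are generated by Mailman for {{ mailman_domain }}` above the `MTA`, `POSTFIX_STYLE_VIRTUAL_DOMAINS` and `DEB_LISTMASTER` lines, and either resolving or deleting the `Still used?` question. Note that `DEFAULT_URL_PATTERN = 'https://%s/'` together with `DEFAULT_URL_HOST = '{{ mailman_domain }}'` makes every generated link HTTPS, so the nginx vhost for that name must terminate TLS.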


@ -7,7 +7,7 @@ server {
server_name {{ mailman_domain }};
root /var/www/html/;
root /usr/lib/cgi-bin/mailman/;
location /.well-known/acme-challenge {
default_type "text/plain";
@ -15,27 +15,24 @@ server {
}
location = / {
rewrite ^ /mailman3 redirect;
rewrite ^ /listinfo permanent;
}
location / {
rewrite ^ /mailman3 redirect;
root /usr/lib/cgi-bin/mailman;
fastcgi_split_path_info (^/[^/]*)(.*)$;
fastcgi_pass unix:///var/run/fcgiwrap.socket;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
location = /listinfo {
rewrite ^ /mailman3 redirect;
location /images/mailman {
alias /usr/share/images/mailman;
}
location /mailman3/ {
include /etc/nginx/uwsgi_params;
uwsgi_pass unix:/run/mailman3-web/uwsgi.sock;
}
location /mailman3/static {
alias /var/lib/mailman3/web/static;
}
location /mailman3/static/favicon.ico {
alias /var/lib/mailman3/web/static/postorius/img/favicon.ico;
}
location /pipermail {
alias /var/lib/mailman/archives/public;
autoindex on;
}
}
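Review bot: `location /pipermail { alias /var/lib/mailman/archives/public; }` and `location /images/mailman { alias /usr/share/images/mailman; }` are prefix locations without a trailing slash, so they also match URIs such as `/pipermailX`; write them as `location /pipermail/ { alias /var/lib/mailman/archives/public/; ... }` so location and alias end the same way and only the intended subtree is served. The enclosing `server {}` block starts outside the hunk; it holds the `/.well-known/acme-challenge` location, which in this repository's other vhosts lives in the plain-HTTP listener, so confirm that the `location /` fcgiwrap handler — it serves the admin CGIs and their password forms — is reachable only through a TLS listener or redirected to HTTPS. `autoindex on` under `/pipermail` exposes the directory listing of the public archive tree; that is the usual pipermail layout, but it is worth stating in a comment that only `archives/public` is meant to be listed.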


@ -118,10 +118,14 @@ unverified_recipient_reject_reason = Recipient unknown
# mailman
relay_domains =
hash:/var/lib/mailman3/data/postfix_domains
{{ mailman_domain }}
local_recipient_maps =
hash:/var/lib/mailman3/data/postfix_lmtp
hash:/var/lib/mailman/data/virtual-mailman
transport_maps =
hash:/var/lib/mailman3/data/postfix_lmtp
hash:/etc/postfix/transport
mailman_destination_recipient_limit = 1
# postsrsd
# sender_canonical_maps = tcp:localhost:10001 - > see master.cf
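Review bot: `relay_domains = {{ mailman_domain }}` without a `relay_recipient_maps` entry means Postfix accepts mail for any local part of that domain at SMTP time and hands it to the `mailman` pipe transport (`transport_maps = hash:/etc/postfix/transport`, with the `postfix-to-mailman.py` entry added to master.cf in the next file section); mail to a non-existent list is then rejected after acceptance, which produces backscatter bounces. Unless `relay_recipient_maps` is set elsewhere in the file (the hunk shows only the mailman section), add `relay_recipient_maps = hash:/var/lib/mailman/data/virtual-mailman` or whichever map lists the valid list addresses. `local_recipient_maps` only applies to `mydestination` domains, so the `virtual-mailman` entry there does not cover the relay domain.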


@ -131,3 +131,5 @@ bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}


@ -0,0 +1 @@
{{ mailman_domain }} mailman:


@ -2,8 +2,5 @@ allow_username_mismatch = true;
sign_networks = [127.0.0.1, ::1, {{ mail_trusted | join(", ") }}];
check_pubkey = true;
try_fallback = false;
use_esld = false;
allow_hdrfrom_mismatch = true;
use_domain = "envelope";
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
selector_map = "/etc/rspamd/local.d/arc_selectors.map";


@ -2,8 +2,5 @@ allow_username_mismatch = true;
sign_networks = [127.0.0.1, ::1, {{ mail_trusted | join(", ") }}];
check_pubkey = true;
try_fallback = false;
use_esld = false;
allow_hdrfrom_mismatch = true;
use_domain = "envelope";
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
selector_map = "/etc/rspamd/local.d/dkim_selectors.map";


@ -9,7 +9,7 @@ localhost_mail {
reject = null;
greylist = null;
"add header" = null;
"rewrite subject" = null;
spam = null;
}
}
}


@ -46,8 +46,3 @@
- name: Enable vhost
file: src=/etc/nginx/sites-available/matrix dest=/etc/nginx/sites-enabled/matrix state=link
notify: Restart nginx
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ matrix_domain }}"



@ -3,11 +3,7 @@
# This is a YAML file containing a standard Python logging configuration
# dictionary. See [1] for details on the valid settings.
#
# Synapse also supports structured logging for machine readable logs which can
# be ingested by ELK stacks. See [2] for details.
#
# [1]: https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
# [2]: https://matrix-org.github.io/synapse/latest/structured_logging.html
version: 1
@ -24,31 +20,18 @@ handlers:
backupCount: 3 # Does not include the current log file.
encoding: utf8
# Default to buffering writes to log file for efficiency.
# WARNING/ERROR logs will still be flushed immediately, but there will be a
# delay (of up to `period` seconds, or until the buffer is full with
# `capacity` messages) before INFO/DEBUG logs get written.
# Default to buffering writes to log file for efficiency. This means that
# will be a delay for INFO/DEBUG logs to get written, but WARNING/ERROR
# logs will still be flushed immediately.
buffer:
class: synapse.logging.handlers.PeriodicallyFlushingMemoryHandler
class: logging.handlers.MemoryHandler
target: file
# The capacity is the maximum number of log lines that are buffered
# before being written to disk. Increasing this will lead to better
# The capacity is the number of log lines that are buffered before
# being written to disk. Increasing this will lead to better
# performance, at the expensive of it taking longer for log lines to
# be written to disk.
# This parameter is required.
capacity: 10
# Logs with a level at or above the flush level will cause the buffer to
# be flushed immediately.
# Default value: 40 (ERROR)
# Other values: 50 (CRITICAL), 30 (WARNING), 20 (INFO), 10 (DEBUG)
flushLevel: 30 # Flush immediately for WARNING logs and higher
# The period of time, in seconds, between forced flushes.
# Messages will not be delayed for longer than this time.
# Default value: 5 seconds
period: 5
flushLevel: 30 # Flush for WARNING logs as well
# A handler that writes logs to stderr. Unused by default, but can be used
# instead of "buffer" and "file" in the logger handlers.
@ -77,7 +60,7 @@ root:
# then write them to a file.
#
# Replace "buffer" with "console" to log to stderr instead. (Note that you'll
# also need to update the configuration for the `twisted` logger above, in
# also need to update the configuation for the `twisted` logger above, in
# this case.)
#
handlers: [buffer]


@ -2,4 +2,4 @@
netbox_group: netbox
netbox_user: netbox
netbox_version: 3.2.5
netbox_version: 3.0.10


@ -60,7 +60,6 @@
dest: "/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py"
owner: "{{ netbox_user }}"
group: "{{ netbox_group }}"
notify: Restart netbox
- name: Configure gunicorn
template:
@ -144,8 +143,3 @@
with_items:
- netbox
- netbox-rq
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ netbox_domain }}"


@ -69,13 +69,29 @@ SECRET_KEY = '{{ netbox_secret }}'
# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
# application errors (assuming correct email settings are provided).
ADMINS = [
# ('John Doe', 'jdoe@example.com'),
# ['John Doe', 'jdoe@example.com'],
]
# Base URL path if accessing NetBox within a directory. For example, if installed at https://example.com/netbox/, set:
# URL schemes that are allowed within links in NetBox
ALLOWED_URL_SCHEMES = (
'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp',
)
# Optionally display a persistent banner at the top and/or bottom of every page. HTML is allowed. To display the same
# content in both banners, define BANNER_TOP and set BANNER_BOTTOM = BANNER_TOP.
BANNER_TOP = ''
BANNER_BOTTOM = ''
# Text to include on the login page above the login form. HTML is allowed.
BANNER_LOGIN = ''
# Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set:
# BASE_PATH = 'netbox/'
BASE_PATH = ''
# Maximum number of days to retain logged changes. Set to 0 to retain changes indefinitely. (Default: 90)
CHANGELOG_RETENTION = 90
# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be
# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or
# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers
@ -87,6 +103,20 @@ CORS_ORIGIN_REGEX_WHITELIST = [
# r'^(https?://)?(\w+\.)?example\.com$',
]
# Specify any custom validators here, as a mapping of model to a list of validators classes. Validators should be
# instances of or inherit from CustomValidator.
# from extras.validators import CustomValidator
CUSTOM_VALIDATORS = {
# 'dcim.site': [
# CustomValidator({
# 'name': {
# 'min_length': 10,
# 'regex': r'\d{3}$',
# }
# })
# ],
}
# Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal
# sensitive information about your installation. Only enable debugging while performing testing. Never enable debugging
# on a production system.
@ -104,6 +134,10 @@ EMAIL = {
'FROM_EMAIL': '',
}
# Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce unique IP space within the global table
# (all prefixes and IP addresses not assigned to a VRF), set ENFORCE_GLOBAL_UNIQUE to True.
ENFORCE_GLOBAL_UNIQUE = False
# Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and
# by anonymous users. List models in the form `<app>.<model>`. Add '*' to this list to exempt all models.
EXEMPT_VIEW_PERMISSIONS = [
@ -112,6 +146,9 @@ EXEMPT_VIEW_PERMISSIONS = [
# 'ipam.prefix',
]
# Enable the GraphQL API
GRAPHQL_ENABLED = True
# HTTP proxies NetBox should use when sending outbound HTTP requests (e.g. for webhooks).
# HTTP_PROXIES = {
# 'http': 'http://10.10.1.10:3128',
@ -138,6 +175,17 @@ LOGIN_REQUIRED = True
# re-authenticate. (Default: 1209600 [14 days])
LOGIN_TIMEOUT = None
# Setting this to True will display a "maintenance mode" banner at the top of every page.
MAINTENANCE_MODE = False
# The URL to use when mapping physical addresses or GPS coordinates
MAPS_URL = 'https://maps.google.com/?q='
# An API consumer can request an arbitrary number of objects =by appending the "limit" parameter to the URL (e.g.
# "?limit=1000"). This setting defines the maximum limit. Setting it to 0 or None will allow an API consumer to request
# all objects by specifying "?limit=0".
MAX_PAGE_SIZE = 1000
# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
# the default value of this setting is derived from the installed location.
# MEDIA_ROOT = '/opt/netbox/netbox/media'
@ -155,6 +203,20 @@ LOGIN_TIMEOUT = None
# Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics'
METRICS_ENABLED = False
# Credentials that NetBox will uses to authenticate to devices when connecting via NAPALM.
NAPALM_USERNAME = ''
NAPALM_PASSWORD = ''
# NAPALM timeout (in seconds). (Default: 30)
NAPALM_TIMEOUT = 30
# NAPALM optional arguments (see https://napalm.readthedocs.io/en/latest/support/#optional-arguments). Arguments must
# be provided as a dictionary.
NAPALM_ARGS = {}
# Determine how many objects to display per page within a list. (Default: 50)
PAGINATE_COUNT = 50
# Enable installed plugins. Add the name of each plugin to the list.
PLUGINS = []
@ -167,6 +229,14 @@ PLUGINS = []
# }
# }
# When determining the primary IP address for a device, IPv6 is preferred over IPv4 by default. Set this to True to
# prefer IPv4 instead.
PREFER_IPV4 = False
# Rack elevation size defaults, in pixels. For best results, the ratio of width to height should be roughly 10:1.
RACK_ELEVATION_DEFAULT_UNIT_HEIGHT = 22
RACK_ELEVATION_DEFAULT_UNIT_WIDTH = 220
# Remote authentication support
REMOTE_AUTH_ENABLED = False
REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
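Review bot: `ALLOWED_URL_SCHEMES` is the upstream default and permits `file`, `ftp`, `telnet`, `vnc` and similar schemes in links NetBox renders from user-entered content; since the rest of this template is tailored to the deployment, trimming it to the schemes actually needed (for example `'http', 'https', 'mailto', 'ssh'`) limits where rendered links can point. `NAPALM_USERNAME` / `NAPALM_PASSWORD` are empty here, but this file is a Jinja template that already pulls `{{ netbox_secret }}`, so if device credentials are ever filled in they should come from vault variables the same way rather than being written into the role. The `MAX_PAGE_SIZE` comment carries an upstream typo, `objects =by appending`, which reads as `objects by appending`.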


@ -230,7 +230,7 @@ pm.max_spare_servers = 15
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/8.1/fpm/status.html
; It's available in: /usr/share/php/8.0/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it


@ -3,5 +3,5 @@
- name: Restart nginx
service: name=nginx state=restarted
- name: Restart php8.1-fpm
service: name=php8.1-fpm state=restarted
- name: Restart php8.0-fpm
service: name=php8.0-fpm state=restarted


@ -15,33 +15,32 @@
- name: Install packages
apt:
name:
- php8.1
- php8.1-apcu
- php8.1-bcmath
- php8.1-bz2
- php8.1-cli
- php8.1-common
- php8.1-curl
- php8.1-dev
- php8.1-fpm
- php8.1-gd
- php8.1-gmp
- php8.1-imagick
- php8.1-imap
- php8.1-intl
- php8.1-ldap
- php8.1-mbstring
- php8.1-mysql
- php8.1-opcache
- php8.1-pgsql
- php8.1-readline
- php8.1-redis
- php8.1-soap
- php8.1-sqlite3
- php8.1-tidy
- php8.1-xml
- php8.1-xmlrpc
- php8.1-zip
- php-redis
- php8.0
- php8.0-apcu
- php8.0-bcmath
- php8.0-bz2
- php8.0-cli
- php8.0-common
- php8.0-curl
- php8.0-dev
- php8.0-fpm
- php8.0-gd
- php8.0-gmp
- php8.0-imap
- php8.0-intl
- php8.0-ldap
- php8.0-mbstring
- php8.0-mysql
- php8.0-opcache
- php8.0-pgsql
- php8.0-readline
- php8.0-soap
- php8.0-sqlite3
- php8.0-tidy
- php8.0-xml
- php8.0-xmlrpc
- php8.0-zip
- postgresql
- python3-psycopg2
@ -70,25 +69,20 @@
template: src=vhost.j2 dest=/etc/nginx/sites-available/nextcloud
notify: Restart nginx
- name: Configure php8.1-fpm
copy: src=www.conf dest=/etc/php/8.1/fpm/pool.d/www.conf
notify: Restart php8.1-fpm
- name: Configure php8.0-fpm
copy: src=www.conf dest=/etc/php/8.0/fpm/pool.d/www.conf
notify: Restart php8.0-fpm
- name: Configure php8.1 opcache
copy: src=opcache.ini dest=/etc/php/8.1/mods-available/opcache.ini
notify: Restart php8.1-fpm
- name: Configure php8.0 opcache
copy: src=opcache.ini dest=/etc/php/8.0/mods-available/opcache.ini
notify: Restart php8.0-fpm
- name: Enable vhost
file: src=/etc/nginx/sites-available/nextcloud dest=/etc/nginx/sites-enabled/nextcloud state=link
notify: Restart nginx
- name: Start php8.1-fpm
service: name=php8.1-fpm state=started enabled=yes
- name: Start php8.0-fpm
service: name=php8.0-fpm state=started enabled=yes
- name: Start PostgreSQL
service: name=postgresql state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ nextcloud_domain }}"


@ -49,7 +49,7 @@ server {
index index.php index.html /index.php$request_uri;
location ^~ /browser {
location ^~ /loleaflet {
proxy_pass http://localhost:9980;
proxy_set_header Host $http_host;
}
@ -64,7 +64,7 @@ server {
proxy_set_header Host $http_host;
}
location ~ ^/cool/(.*)/ws$ {
location ~ ^/lool/(.*)/ws$ {
proxy_pass http://localhost:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
@ -72,12 +72,12 @@ server {
proxy_read_timeout 36000s;
}
location ~ ^/(c|l)ool {
location ~ ^/lool {
proxy_pass http://localhost:9980;
proxy_set_header Host $http_host;
}
location ^~ /cool/adminws {
location ^~ /lool/adminws {
proxy_pass http://localhost:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";


@ -0,0 +1,4 @@
---
omm_http_port: 8000
omm_https_port: 8443


@ -0,0 +1,10 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart sip-dect-ics
service: name=sip-dect-ics state=restarted
- name: Restart sip-dect-omm
service: name=sip-dect-omm state=restarted


@ -2,3 +2,4 @@
dependencies:
- { role: acertmgr }
- { role: nginx, nginx_ssl: True }

roles/omm/tasks/main.yml Normal file

@ -0,0 +1,80 @@
---
- name: Install dependencies
apt:
name:
- alien
- sysvinit-utils
- telnet
- name: Add i386 architecture
command: dpkg --add-architecture i386
args:
creates: /var/lib/dpkg/arch
when: ansible_architecture != 'i386'
register: add_i386
- name: Install 32bit dependencies
apt:
name:
- libstdc++6:i386
- zlib1g:i386
update_cache: "{{ add_i386.changed }}"
# TODO check if still needed since we don't use the start-script anymore
- name: Create compatibility symlinks
file:
src: /usr/bin/pidof
dest: /sbin/pidof
state: link
# TODO manual steps
# alien --target=amd64 /tmp/SIP-DECT-OMM-8.1_SP4_GE30-0.i686.rpm
# dpkg -i sip-dect-omm_8.1SP4GE30-1_amd64.deb
# alien --target=amd64 /tmp/SIP-DECT-HANDSET-8.1_SP4_GE30-0.i686.rpm
# dpkg -i sip-dect-handset_8.1SP4GE30-1_amd64.deb
# rm /etc/init.d/sip-dect-omm
# rm /etc/sysconfig/SIP-DECT
- name: Install systemd units
template: src={{ item }}.service.j2 dest=/lib/systemd/system/{{ item }}.service
with_items:
- sip-dect-ics
- sip-dect-omm
notify:
- Reload systemd
- Restart sip-dect-ics
- Restart sip-dect-omm
- name: Enable services
service: name={{ item }} state=started enabled=yes
with_items:
- sip-dect-ics
- sip-dect-omm
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/nginx/ssl/{{ omm_domain }}.key -out /etc/nginx/ssl/{{ omm_domain }}.crt
-days 730 -subj "/CN={{ omm_domain }}"
creates: /etc/nginx/ssl/{{ omm_domain }}.crt
notify: Restart nginx
- name: Request nsupdate key for certificate
include_role: name=acme-dnskey-generate
vars:
acme_dnskey_san_domains:
- "{{ omm_domain }}"
- name: Configure certificate manager for omm
template: src=certs.j2 dest=/etc/acertmgr/{{ omm_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/omm
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/omm dest=/etc/nginx/sites-enabled/omm state=link
notify: Restart nginx
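Review bot: `Enable services` starts sip-dect-ics and sip-dect-omm directly after `Install systemd units`, but the `Reload systemd` that task notifies only runs with the other handlers at the end of the play, so on a first run the freshly templated units may not yet be known to systemd; a `- meta: flush_handlers` between the two tasks (or `systemd: name={{ item }} state=started enabled=yes daemon_reload=yes`) removes that dependency. The restart handlers additionally need `Reload systemd` to be defined before them in the handlers file, since handlers execute in definition order rather than notify order; only the two restart handlers are visible in this diff. `Ensure certificates are available` relies on openssl's default file mode for the bootstrap key, whereas certs.j2 pins the acertmgr-managed key to `400`; a follow-up `file: path=/etc/nginx/ssl/{{ omm_domain }}.key mode=0400 owner=root group=root` makes the two paths agree. The `TODO manual steps` comment names the vendor RPMs to convert with alien but not how they are obtained or checked; a line such as `# verify the RPM against the vendor-published checksum before running alien` keeps the manual part reproducible.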


@ -0,0 +1,18 @@
---
{{ omm_domain }}:
- mode: dns.nsupdate
nsupdate_server: {{ acme_dnskey_server }}
nsupdate_keyfile: {{ acme_dnskey_file }}
- path: /etc/nginx/ssl/{{ omm_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ omm_domain }}.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'


@ -0,0 +1,15 @@
[Unit]
Description=Mitel SIP-DECT ICS (Integrated Conference Server)
After=syslog.target
After=network.target
Requires=sip-dect-omm.service
[Service]
RestartSec=2s
Type=forking
WorkingDirectory=/opt/SIP-DECT/
ExecStart=/opt/SIP-DECT/bin/ics -d
Restart=always
[Install]
WantedBy=multi-user.target
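Review bot: `Requires=sip-dect-omm.service` on its own does not order the two units, so systemd may start ics in parallel with or before the OMM and, with `Restart=always` and `RestartSec=2s`, keep restarting it until the OMM is up; add `After=sip-dect-omm.service` next to the `Requires=` line. `Type=forking` without `PIDFile=` leaves systemd guessing the main process once `ics -d` daemonizes, which usually works but deserves a comment such as `# no PIDFile: systemd guesses the main PID after -d` if the vendor binary writes none. `After=syslog.target` refers to a target that no longer exists on current systemd and can be dropped.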


@ -0,0 +1,14 @@
[Unit]
Description=Mitel SIP-DECT OMM (Open Mobility Manager)
After=syslog.target
After=network.target
[Service]
RestartSec=2s
Type=forking
WorkingDirectory=/opt/SIP-DECT/
ExecStart=/opt/SIP-DECT/bin/SIP-DECT -f /opt/SIP-DECT/tmp/omm_conf.txt -http {{ omm_http_port }} -https {{ omm_https_port }} -d
Restart=always
[Install]
WantedBy=multi-user.target
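Review bot: `ExecStart` opens the OMM's own `-http` and `-https` listeners, and nothing in this unit or the nginx vhost restricts them to loopback, so unless the binary binds localhost by default the management UI is reachable directly on `{{ omm_http_port }}`/`{{ omm_https_port }}`, bypassing the nginx front end and its certificate; a host firewall rule limiting both ports to 127.0.0.1 and ::1 (or a bind-address option, if the binary offers one) closes that path, and a comment `# OMM listens on its own ports; only nginx on 443 should be reachable externally` records the intent. The unit has no `User=`, so the OMM runs as root; if the vendor binary tolerates an unprivileged account owning /opt/SIP-DECT, `User=`/`Group=` plus `PrivateTmp=yes` would limit the blast radius, keeping in mind that it writes `/opt/SIP-DECT/tmp/omm_conf.txt`. `After=syslog.target` is obsolete here as well.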


@ -0,0 +1,30 @@
server {
listen 80;
listen [::]:80;
server_name {{ omm_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://{{ omm_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ omm_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ omm_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ omm_domain }}.crt;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_pass https://localhost:{{ omm_https_port }};
}
}
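Review bot: `location /` forwards only `X-Real-IP` to the OMM; without `proxy_set_header Host $host;` nginx sends `localhost:{{ omm_https_port }}` as the Host header, so any absolute URLs or redirects the OMM builds from it would point at localhost, and `proxy_set_header X-Forwarded-Proto https;` together with `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` gives it the usual proxy context (whether the OMM honours these cannot be seen here). nginx does not verify the upstream certificate by default, which is acceptable for a loopback upstream presenting a self-signed OMM certificate but should be stated, e.g. `# upstream is loopback-only; its self-signed cert is intentionally not verified`. The `/.well-known/acme-challenge` alias is unused while certs.j2 issues via `dns.nsupdate`; harmless, but a one-line comment saying so avoids confusion later.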


@ -1,6 +1,6 @@
[pretix]
instance_name=Binary Kitchen Event Pretix
url=https://{{ pretix_domain }}
instance_name=Binary Kitchen RC3 Pretix
url=https://pretix.rc3.binary-kitchen.de
currency=EUR
datadir=/opt/pretix/data
trust_x_forwarded_for=on
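Review bot: The two `url=` lines in this hunk differ only in that one hard-codes `pretix.rc3.binary-kitchen.de` while the other uses `{{ pretix_domain }}`; the rendered view does not show which is current, but if the hard-coded line is the new side it duplicates the variable the vhost and certificate are keyed on and will silently diverge the next time `pretix_domain` changes, so `url=https://{{ pretix_domain }}` should be the line that stays. The same reasoning applies to `instance_name`, which could be driven by a variable rather than edited per event.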


@ -6,20 +6,6 @@
- name: Install docker-compose
apt: name=docker-compose
- name: Install git
apt: name=git
- name: Create workadventure group
group: name=workadventure
- name: Create workadventure user
user:
name: workadventure
home: /opt/workadventure
shell: /bin/zsh
group: workadventure
groups: docker
- name: Install systemd unit
template: src=workadventure.service.j2 dest=/lib/systemd/system/workadventure.service
notify:
@ -44,8 +30,3 @@
- name: Enable workadventure
service: name=workadventure enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ workadventure_domain }}"
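Review bot: The `Enable monitoring` include of `icinga-monitor` (tasks_from=http) for `{{ workadventure_domain }}` is removed in the second hunk and no replacement check appears elsewhere in this diff; assuming the role is still deployed, the HTTP check should stay or move to wherever monitoring for this host is now defined, otherwise an outage of the vhost goes unnoticed. If the role is instead being retired, that is worth stating next to the remaining tasks so the gap is understood as intentional.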


@ -38,7 +38,7 @@ server {
ssl_certificate /etc/nginx/ssl/{{ workadventure_domain }}.crt;
location / {
root /opt/workadventure/source/src/front/dist;
root /opt/workadventure/source/front/dist;
try_files $uri uri/ /index.html?$args;
}
}
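Review bot: `try_files $uri uri/ /index.html?$args;` has a bare `uri/` where `$uri/` is meant; as written nginx checks a literal `uri/` directory under the root on every request, so directory requests never match their index and fall straight through to `/index.html`. Change it to `try_files $uri $uri/ /index.html?$args;`. The line is unchanged context around the `root` swap, and the enclosing `server` block starts outside the hunk.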


@ -2,7 +2,6 @@
Description=WorkAdventure service using docker compose
Requires=docker.service
After=docker.service
Before=nginx.service
[Service]
Type=simple
@ -16,13 +15,13 @@ TimeoutStartSec=1200
WorkingDirectory=/opt/workadventure/source/
# Make sure no old containers are running
ExecStartPre=/usr/bin/docker-compose down -v
ExecStartPre=/usr/bin/docker-compose -f docker-compose.bk.yaml down -v
# Compose up
ExecStart=/usr/bin/docker-compose up
ExecStart=/usr/bin/docker-compose -f docker-compose.bk.yaml up
# Compose down, remove containers and volumes
ExecStop=/usr/bin/docker-compose down -v
ExecStop=/usr/bin/docker-compose -f docker-compose.bk.yaml down -v
[Install]
WantedBy=multi-user.target


@ -1,19 +0,0 @@
xrdp_apphost
============
Manual installation steps
-------------------------
After the role has applied several manual installation steps have to be applied
by a admin user.
* Estlcam
* Login as tsadmin user and execute the following commands
$ sudo -u estlcam --preserve-env=DISPLAY /bin/bash
$ cd ~
$ export WINEPREFIX=~/.wine32
$ export WINEARCH=win32
$ wineboot
$ winetricks dotnet40 gdiplus d3dx9_36
$ wget http://www.estlcam.de/downloads/Estlcam_32_11244.exe
$ wine Estlcam_32_11243.exe


@ -1,64 +0,0 @@
---
xrdp_maxsessions: 10
xrdp_killdisconnected: true
xrdp_policy: UBDC
xrdp_ls_title: Binary Kitchen Application Server
xrdp_ls_top_window_bg_color: 003377
xrdp_ls_bg_color: dedede
xrdp_ls_width: 350
xrdp_ls_height: 430
xrdp_ls_logo_filename: KitchenLogo.bmp
xrdp_ls_logo_x_pos: 55
xrdp_ls_logo_y_pos: 50
xrdp_ls_label_x_pos: 30
xrdp_ls_label_width: 65
xrdp_ls_input_x_pos: 110
xrdp_ls_input_width: 210
xrdp_ls_input_y_pos: 220
xrdp_ls_btn_ok_x_pos: 142
xrdp_ls_btn_ok_y_pos: 370
xrdp_ls_btn_cancel_x_pos: 237
xrdp_ls_btn_cancel_y_pos: 370
info_folder_name: "___Files\ older\ than\ 30\ days\ will\ be\ automatically\ deleted"
xrdp_applications:
LightBurn:
user: lightburn
group: lightburn
pass: "{{ vault_xrdp_apphost_lightburn_pass }}"
salt: "{{ vault_xrdp_apphost_lightburn_salt }}"
git_config_folder: /home/lightburn/.config/LightBurn/
checksum: sha256:b57a3af710d61c10f8ca66b81f753973d3289fb44ebcfd429fb26db7268b7f14
version: 1.2.00
Estlcam:
user: estlcam
group: estlcam
pass: "{{ vault_xrdp_apphost_estlcam_pass }}"
salt: "{{ vault_xrdp_apphost_estlcam_salt }}"
git_config_folder: /home/estlcam/.wine32/drive_c/ProgramData/Estlcam/
Slicer:
user: slicer
group: slicer
pass: "{{ vault_xrdp_apphost_slicer_pass }}"
salt: "{{ vault_xrdp_apphost_slicer_salt }}"
git_config_folder: /home/slicer/.config/PrusaSlicer/
checksum: sha256:b36f49a577ab88d568d8165a94ac62e9eb6d9b4dcc46516a82e1a6131fdcea6e
version_base: 2.4.2
version: 2.4.2+linux-x64-GTK3-202204251120
lightburn_url: https://github.com/LightBurnSoftware/deployment/releases/download/{{ xrdp_applications.LightBurn.version }}/LightBurn-Linux64-v{{ xrdp_applications.LightBurn.version }}.run
lightburn_target: /home/{{ xrdp_applications.LightBurn.user }}/LightBurn-Linux64-v{{ xrdp_applications.LightBurn.version }}.run
slicer_url: https://github.com/prusa3d/PrusaSlicer/releases/download/version_{{ xrdp_applications.Slicer.version_base }}/PrusaSlicer-{{ xrdp_applications.Slicer.version }}.AppImage
slicer_target: /home/{{ xrdp_applications.Slicer.user }}/PrusaSlicer-{{ xrdp_applications.Slicer.version }}.AppImage
tsadmin_user: tsadmin
tsadmin_group: tsadmin
tsadmin_pass: "{{ vault_xrdp_apphost_tsadmin_pass }}"
tsadmin_salt: "{{ vault_xrdp_apphost_tsadmin_salt }}"

Binary file not shown.



@ -1,12 +0,0 @@
---
- name: Restart xrdp
service: name=xrdp state=restarted
- name: Install LightBurn
shell: "{{ lightburn_target }}"
become: yes
become_user: "{{ xrdp_applications.LightBurn.user }}"
- name: Reload smbd
service: name=smbd state=reloaded


@ -1,105 +0,0 @@
---
- name: Install global dependencies
apt:
name:
- git
- name: Create Application groups
group: name={{ item.value.group }}
with_dict:
- "{{ xrdp_applications }}"
- name: Create Application users
user: name={{ item.value.user }} password={{ item.value.pass | password_hash('sha512', item.value.salt) }} home=/home/{{ item.value.user }} group={{ item.value.group }}
with_dict:
- "{{ xrdp_applications }}"
- name: Create Application .xsession
template: src={{ item.value.user }}_xsession.j2 dest=/home/{{ item.value.user }}/.xsession
with_dict:
- "{{ xrdp_applications }}"
- name: Create Application data directories
file: path=/home/{{ item.value.user }}/data state=directory mode=0755 owner={{ item.value.user }} group={{ item.value.group }}
with_dict:
- "{{ xrdp_applications }}"
- name: Create info directory
file:
path: "/home/{{ item.value.user }}/data/{{ info_folder_name }}"
state: directory
mode: 0444
owner: root
group: root
attributes: '+i'
with_dict:
- "{{ xrdp_applications }}"
- name: Create file cleanup cron
cron:
name: "Delete files older than 30 days"
minute: "0"
hour: "5"
job: "find /home/{{ item.value.user }}/data -type f -mtime +30 ! -name \"{{ info_folder_name }}\" -delete"
user: "{{ item.value.user }}"
with_dict:
- "{{ xrdp_applications }}"
- name: Create directory cleanup cron
cron:
name: "Delete empty directories"
minute: "1"
hour: "5"
job: "find /home/{{ item.value.user }}/data -type d -empty ! -name \"{{ info_folder_name }}\" -delete"
user: "{{ item.value.user }}"
with_dict:
- "{{ xrdp_applications }}"
- name: Create config directory
file:
path: "{{ item.value.git_config_folder }}"
state: directory
become: yes
become_user: "{{ item.value.user }}"
with_dict:
- "{{ xrdp_applications }}"
- name: Create git repo for configs
command: git init {{ item.value.git_config_folder }}
become: yes
become_user: "{{ item.value.user }}"
args:
creates: "{{ item.value.git_config_folder }}/.git"
with_dict:
- "{{ xrdp_applications }}"
- name: Setup git user names
git_config:
name: user.name
scope: global
value: "{{ item.value.user }}"
become: yes
become_user: "{{ item.value.user }}"
with_dict:
- "{{ xrdp_applications }}"
- name: Setup git E-Mail
git_config:
name: user.email
scope: global
value: "{{ item.value.user }}@{{ inventory_hostname }}"
become: yes
become_user: "{{ item.value.user }}"
with_dict:
- "{{ xrdp_applications }}"
- name: Create config git commit cron
cron:
name: "Add and commit all changes"
minute: "5"
hour: "5"
job: "cd {{ item.value.git_config_folder }} && git add -A && git commit -m 'Commit via cronjob'"
user: "{{ item.value.user }}"
with_dict:
- "{{ xrdp_applications }}"


@ -1,24 +0,0 @@
---
- name: Enable contrib repositories
apt_repository:
repo: deb http://deb.debian.org/debian {{ ansible_distribution_release }} contrib
- name: Add i386 Architecture
command: dpkg --add-architecture i386
args:
creates: /var/lib/dpkg/arch
when: ansible_architecture != 'i386'
register: archrc
- name: Update APT Cache for i386
apt:
update_cache: true
when: archrc is defined and archrc.changed
- name: Install Estlcam dependencies
apt:
name:
- winetricks
- wine32
- xfwm4


@ -1,12 +0,0 @@
---
- name: Install LightBurn dependencies
apt:
name:
- libpulse-mainloop-glib0
- libnss3
- libxkbcommon-x11-0
- name: Download LightBurn binary
get_url: url={{ lightburn_url }} dest={{ lightburn_target }} checksum={{ xrdp_applications.LightBurn.checksum }} mode=0755
notify: Install LightBurn


@ -1,35 +0,0 @@
---
- name: Set Default umask for Users
lineinfile:
dest: '/etc/login.defs'
regexp: "UMASK"
line: "UMASK 027"
state: present
- include: xrdp.yml
- include: app_common.yml
- include: samba.yml
- include: lightburn.yml
- include: estlcam.yml
- include: slicer.yml
- name: Create tsadmin group
group: name={{ tsadmin_group }}
- name: Create tsadmin_user
user: name={{ tsadmin_user }} password={{ tsadmin_pass | password_hash('sha512', tsadmin_salt) }} home=/home/{{ tsadmin_user }} group={{ tsadmin_group }}
- name: Allow 'tsadmin_user' group to have passwordless sudo to other users
lineinfile:
dest: /etc/sudoers
state: present
regexp: '^{{ tsadmin_user }} ALL=({{ item.value.user }}) NOPASSWD: ALL'
line: '{{ tsadmin_user }} ALL=({{ item.value.user }}) NOPASSWD: ALL'
validate: visudo -cf %s
with_dict:
- "{{ xrdp_applications }}"
- name: Create tsadmin_user .xsession
template: src=tsadmin_xsession.j2 dest=/home/{{ tsadmin_user }}/.xsession


@ -1,12 +0,0 @@
---
- name: Install samba
apt:
name:
- samba
- name: Configure samba
template:
src: smb.conf.j2
dest: /etc/samba/smb.conf
notify: Reload smbd


@ -1,9 +0,0 @@
---
- name: Install Slic3r dependencies
apt:
name:
- libgtk2.0-0
- name: Download Slic3r binary
get_url: url={{ slicer_url }} dest={{ slicer_target }} checksum={{ xrdp_applications.Slicer.checksum }} mode=0755


@ -1,23 +0,0 @@
---
- name: Install main dependencies
apt:
name:
- xrdp
- libasound2
- matchbox-window-manager
- name: Configure xrdp.ini
template: src=xrdp.ini.j2 dest=/etc/xrdp/xrdp.ini
notify: Restart xrdp
- name: Configure sesman.ini
template: src=sesman.ini.j2 dest=/etc/xrdp/sesman.ini
notify: Restart xrdp
- name: Create xrdp directory
file: path=/usr/local/share/xrdp/ state=directory mode=0755 owner=root group=root
- name: Copy Binary Kitchen Logo
copy: src={{ xrdp_ls_logo_filename }} dest=/usr/local/share/xrdp/{{ xrdp_ls_logo_filename }}
notify: Restart xrdp


@ -1,5 +0,0 @@
{{ ansible_managed | comment }}
export WINEPREFIX=~/.wine32
xfwm4 &
exec wine "/home/{{ xrdp_applications.Estlcam.user }}/.wine32/drive_c/Program Files/Estlcam11/Estlcam.exe"


@ -1,4 +0,0 @@
{{ ansible_managed | comment }}
matchbox-window-manager &
exec /home/{{ xrdp_applications.LightBurn.user }}/.local/share/LightBurn/LightBurn


@ -1,115 +0,0 @@
{{ ansible_managed | comment(decoration = '; ') }}
;; See `man 5 sesman.ini` for details
[Globals]
ListenAddress=127.0.0.1
ListenPort=3350
EnableUserWindowManager=true
; Give in relative path to user's home directory
UserWindowManager=startwm.sh
; Give in full path or relative path to /etc/xrdp
DefaultWindowManager=startwm.sh
; Give in full path or relative path to /etc/xrdp
ReconnectScript=reconnectwm.sh
[Security]
AllowRootLogin=true
MaxLoginRetry=4
TerminalServerUsers=tsusers
TerminalServerAdmins=tsadmins
; When AlwaysGroupCheck=false access will be permitted
; if the group TerminalServerUsers is not defined.
AlwaysGroupCheck=false
; When RestrictOutboundClipboard=true clipboard from the
; server is not pushed to the client.
RestrictOutboundClipboard=false
[Sessions]
;; X11DisplayOffset - x11 display number offset
; Type: integer
; Default: 10
X11DisplayOffset=10
;; MaxSessions - maximum number of connections to an xrdp server
; Type: integer
; Default: 0
MaxSessions={{ xrdp_maxsessions }}
;; KillDisconnected - kill disconnected sessions
; Type: boolean
; Default: false
; if 1, true, or yes, kill session after 60 seconds
KillDisconnected={{ xrdp_killdisconnected }}
;; DisconnectedTimeLimit - when to kill idle sessions
; Type: integer
; Default: 0
; if not zero, the seconds before a disconnected session is killed
; min 60 seconds
DisconnectedTimeLimit=0
;; IdleTimeLimit (specify in second) - wait before disconnect idle sessions
; Type: integer
; Default: 0
; Set to 0 to disable idle disconnection.
IdleTimeLimit=0
;; Policy - session allocation policy
; Type: enum [ "Default" | "UBD" | "UBI" | "UBC" | "UBDI" | "UBDC" ]
; Default: Xrdp:<User,BitPerPixel> and Xvnc:<User,BitPerPixel,DisplaySize>
; "UBD" session per <User,BitPerPixel,DisplaySize>
; "UBI" session per <User,BitPerPixel,IPAddr>
; "UBC" session per <User,BitPerPixel,Connection>
; "UBDI" session per <User,BitPerPixel,DisplaySize,IPAddr>
; "UBDC" session per <User,BitPerPixel,DisplaySize,Connection>
Policy={{ xrdp_policy }}
[Logging]
LogFile=xrdp-sesman.log
LogLevel=DEBUG
EnableSyslog=1
SyslogLevel=DEBUG
;
; Session definitions - startup command-line parameters for each session type
;
[Xorg]
; Specify the path of non-suid Xorg executable. It might differ depending
; on your distribution and version. The typical path is shown as follows:
;
; Fedora 26 or later : param=/usr/libexec/Xorg
; Debian 9 or later : param=/usr/lib/xorg/Xorg
; Ubuntu 16.04 or later : param=/usr/lib/xorg/Xorg
; Arch Linux : param=/usr/lib/xorg-server/Xorg
; CentOS 7 : param=/usr/bin/Xorg or param=Xorg
;
param=/usr/lib/xorg/Xorg
; Leave the rest paramaters as-is unless you understand what will happen.
param=-config
param=xrdp/xorg.conf
param=-noreset
param=-nolisten
param=tcp
param=-logfile
param=.xorgxrdp.%s.log
[Xvnc]
param=Xvnc
param=-bs
param=-nolisten
param=tcp
param=-localhost
param=-dpi
param=96
[Chansrv]
; drive redirection, defaults to xrdp_client if not set
FuseMountName=thinclient_drives
; this value allows only the user to acess their own mapped drives.
; Make this more permissive (e.g. 022) if required.
FileUmask=077
[SessionVariables]
PULSE_SCRIPT=/etc/xrdp/pulse/default.pa


@ -1,4 +0,0 @@
{{ ansible_managed | comment }}
matchbox-window-manager &
exec /home/{{ xrdp_applications.Slicer.user }}/PrusaSlicer-{{ xrdp_applications.Slicer.version }}.AppImage


@ -1,252 +0,0 @@
{{ ansible_managed | comment }}
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
# - When such options are commented with ";", the proposed setting
# differs from the default Samba behaviour
# - When commented with "#", the proposed setting is the default
# behaviour of Samba but the option is considered important
# enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#======================= Global Settings =======================
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = WORKGROUP
#### Networking ####
# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0
# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Cap the size of the individual log files (in KiB).
max log size = 1000
# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
# Append syslog@1 if you want important messages to be sent to syslog too.
logging = file
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = standalone server
obey pam restrictions = yes
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
pam password change = yes
# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user
########## Domains ###########
#
# The following settings only takes effect if 'server role = classic
# primary domain controller', 'server role = classic backup domain controller'
# or 'domain logons' is set
#
# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
; logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
# logon path = \\%N\%U\profile
# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
; logon drive = H:
# logon home = \\%N\%U
# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
; logon script = logon.cmd
# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe. The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
# This allows machine accounts to be created on the domain controller via the
# SAMR RPC pipe.
# The following assumes a "machines" group exists on the system
; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.
; add group script = /usr/sbin/addgroup --force-badname %g
############ Misc ############
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /home/samba/etc/smb.conf.%m
# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
; idmap config * : backend = tdb
; idmap config * : range = 3000-7999
; idmap config YOURDOMAINHERE : backend = tdb
; idmap config YOURDOMAINHERE : range = 100000-999999
; template shell = /bin/bash
# Setup usershare options to enable non-root users to share folders
# with the net usershare command.
# Maximum number of usershare. 0 means that usershare is disabled.
# usershare max shares = 100
# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
usershare allow guests = yes
#======================= Share Definitions =======================
;[homes]
; comment = Home Directories
; browseable = no
# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
; read only = yes
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
; create mask = 0700
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
; directory mask = 0700
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
; valid users = %S
# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; read only = yes
# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
; comment = Users profiles
; path = /home/samba/profiles
; guest ok = no
; browseable = no
; create mask = 0600
; directory mask = 0700
;[printers]
; comment = All Printers
; browseable = no
; path = /var/spool/samba
; printable = yes
; guest ok = no
; read only = yes
; create mask = 0700
# Windows clients look for this share name as a source of downloadable
# printer drivers
;[print$]
; comment = Printer Drivers
; path = /var/lib/samba/printers
; browseable = yes
; read only = yes
; guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
; write list = root, @lpadmin
{% for app, config in xrdp_applications.items() %}
# {{ app}} share
[{{ app | lower }}]
comment = {{ app }} data folder
path = /home/{{ config.user }}/data
browseable = yes
read only = no
guest ok = yes
create mask = 0600
directory mask = 0700
force user = {{ config.user }}
hide dot files = yes
{% endfor %}


@ -1,7 +0,0 @@
{{ ansible_managed | comment }}
{% for app, config in xrdp_applications.items() %}
xhost si:localuser:{{ config.user }}
{% endfor %}
xfwm4 &
exec xterm


@ -1,241 +0,0 @@
{{ ansible_managed | comment(decoration = '; ') }}
[Globals]
; xrdp.ini file version number
ini_version=1
; fork a new process for each incoming connection
fork=true
; ports to listen on, number alone means listen on all interfaces
; 0.0.0.0 or :: if ipv6 is configured
; space between multiple occurrences
;
; Examples:
; port=3389
; port=unix://./tmp/xrdp.socket
; port=tcp://.:3389 127.0.0.1:3389
; port=tcp://:3389 *:3389
; port=tcp://<any ipv4 format addr>:3389 192.168.1.1:3389
; port=tcp6://.:3389 ::1:3389
; port=tcp6://:3389 *:3389
; port=tcp6://{<any ipv6 format addr>}:3389 {FC00:0:0:0:0:0:0:1}:3389
; port=vsock://<cid>:<port>
port=3389
; 'port' above should be connected to with vsock instead of tcp
; use this only with number alone in port above
; prefer use vsock://<cid>:<port> above
use_vsock=false
; regulate if the listening socket use socket option tcp_nodelay
; no buffering will be performed in the TCP stack
tcp_nodelay=true
; regulate if the listening socket use socket option keepalive
; if the network connection disappear without close messages the connection will be closed
tcp_keepalive=true
; set tcp send/recv buffer (for experts)
#tcp_send_buffer_bytes=32768
#tcp_recv_buffer_bytes=32768
; security layer can be 'tls', 'rdp' or 'negotiate'
; for client compatible layer
security_layer=negotiate
; minimum security level allowed for client for classic RDP encryption
; use tls_ciphers to configure TLS encryption
; can be 'none', 'low', 'medium', 'high', 'fips'
crypt_level=high
; X.509 certificate and private key
; openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365
; note this needs the user xrdp to be a member of the ssl-cert group, do with e.g.
;$ sudo adduser xrdp ssl-cert
certificate=
key_file=
; set SSL protocols
; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'
ssl_protocols=TLSv1.2, TLSv1.3
; set TLS cipher suites
#tls_ciphers=HIGH
; Section name to use for automatic login if the client sends username
; and password. If empty, the domain name sent by the client is used.
; If empty and no domain name is given, the first suitable section in
; this file will be used.
autorun=
allow_channels=true
allow_multimon=true
bitmap_cache=true
bitmap_compression=true
bulk_compression=true
#hidelogwindow=true
max_bpp=32
new_cursors=true
; fastpath - can be 'input', 'output', 'both', 'none'
use_fastpath=both
; when true, userid/password *must* be passed on cmd line
#require_credentials=true
; You can set the PAM error text in a gateway setup (MAX 256 chars)
#pamerrortxt=change your password according to policy at http://url
;
; colors used by windows in RGB format
;
blue=009cb5
grey=dedede
#black=000000
#dark_grey=808080
#blue=08246b
#dark_blue=08246b
#white=ffffff
#red=ff0000
#green=00ff00
#background=626c72
;
; configure login screen
;
; Login Screen Window Title
ls_title={{ xrdp_ls_title }}
; top level window background color in RGB format
ls_top_window_bg_color={{ xrdp_ls_top_window_bg_color }}
; width and height of login screen
ls_width={{ xrdp_ls_width }}
ls_height={{ xrdp_ls_height }}
; login screen background color in RGB format
ls_bg_color={{ xrdp_ls_bg_color }}
; optional background image filename (bmp format).
#ls_background_image=
; logo
; full path to bmp-file or file in shared folder
ls_logo_filename=/usr/local/share/xrdp/{{ xrdp_ls_logo_filename }}
ls_logo_x_pos={{ xrdp_ls_logo_x_pos }}
ls_logo_y_pos={{ xrdp_ls_logo_y_pos }}
; for positioning labels such as username, password etc
ls_label_x_pos={{ xrdp_ls_label_x_pos }}
ls_label_width={{ xrdp_ls_label_width }}
; for positioning text and combo boxes next to above labels
ls_input_x_pos={{ xrdp_ls_input_x_pos }}
ls_input_width={{ xrdp_ls_input_width }}
; y pos for first label and combo box
ls_input_y_pos={{ xrdp_ls_input_y_pos }}
; OK button
ls_btn_ok_x_pos={{ xrdp_ls_btn_ok_x_pos }}
ls_btn_ok_y_pos={{ xrdp_ls_btn_ok_y_pos }}
ls_btn_ok_width=85
ls_btn_ok_height=30
; Cancel button
ls_btn_cancel_x_pos={{ xrdp_ls_btn_cancel_x_pos }}
ls_btn_cancel_y_pos={{ xrdp_ls_btn_cancel_y_pos }}
ls_btn_cancel_width=85
ls_btn_cancel_height=30
[Logging]
LogFile=xrdp.log
LogLevel=DEBUG
EnableSyslog=true
SyslogLevel=DEBUG
; LogLevel and SysLogLevel could by any of: core, error, warning, info or debug
[Channels]
; Channel names not listed here will be blocked by XRDP.
; You can block any channel by setting its value to false.
; IMPORTANT! All channels are not supported in all use
; cases even if you set all values to true.
; You can override these settings on each session type
; These settings are only used if allow_channels=true
rdpdr=true
rdpsnd=true
drdynvc=true
cliprdr=true
rail=true
xrdpvr=true
tcutils=true
; for debugging xrdp, in section xrdp1, change port=-1 to this:
#port=/tmp/.xrdp/xrdp_display_10
; for debugging xrdp, add following line to section xrdp1
#chansrvport=/tmp/.xrdp/xrdp_chansrv_socket_7210
;
; Session types
;
; Some session types such as Xorg, X11rdp and Xvnc start a display server.
; Startup command-line parameters for the display server are configured
; in sesman.ini. See and configure also sesman.ini.
{% for app, config in xrdp_applications.items() %}
[{{ app }}]
name={{ app }}
lib=libxup.so
username={{ config.user }}
password={{ config.pass }}
ip=127.0.0.1
port=-1
code=20
{% endfor %}
[Xorg]
name=Xorg
lib=libxup.so
username=ask
password=ask
ip=127.0.0.1
port=-1
code=20
#[Xvnc]
#name=Xvnc
#lib=libvnc.so
#username=ask
#password=ask
#ip=127.0.0.1
#port=-1
##xserverbpp=24
##delay_ms=2000
#[vnc-any]
#name=vnc-any
#lib=libvnc.so
#ip=ask
#port=ask5900
#username=na
#password=ask
##pamusername=asksame
##pampassword=asksame
##pamsessionmng=127.0.0.1
##delay_ms=2000
#[neutrinordp-any]
#name=neutrinordp-any
#lib=libxrdpneutrinordp.so
#ip=ask
#port=ask3389
#username=ask
#password=ask
; You can override the common channel settings for each session type
#channel.rdpdr=true
#channel.rdpsnd=true
#channel.drdynvc=true
#channel.cliprdr=true
#channel.rail=true
#channel.xrdpvr=true


@ -7,7 +7,7 @@
- root_keys
- name: Setup unattended updates
hosts: [sulis.binary.kitchen, nabia.binary.kitchen, epona.binary.kitchen, pizza.binary.kitchen, pancake.binary.kitchen, knoedel.binary.kitchen, bob.binary.kitchen, bowle.binary.kitchen, beryllium.binary-kitchen.net, boron.binary-kitchen.net, carbon.binary-kitchen.net, nitrogen.binary-kitchen.net, oxygen.binary-kitchen.net, fluorine.binary-kitchen.net, neon.binary-kitchen.net, sodium.binary-kitchen.net, magnesium.binary-kitchen.net, krypton.binary-kitchen.net, yttrium.binary-kitchen.net, zirconium.binary-kitchen.net, molybdenum.binary-kitchen.net, ruthenium.binary-kitchen.net, rhodium.binary-kitchen.net, barium.binary-kitchen.net]
hosts: [sulis.binary.kitchen, nabia.binary.kitchen, epona.binary.kitchen, pancake.binary.kitchen, knoedel.binary.kitchen, bob.binary.kitchen, bowle.binary.kitchen, beryllium.binary-kitchen.net, boron.binary-kitchen.net, carbon.binary-kitchen.net, nitrogen.binary-kitchen.net, oxygen.binary-kitchen.net, fluorine.binary-kitchen.net, neon.binary-kitchen.net, sodium.binary-kitchen.net, krypton.binary-kitchen.net, yttrium.binary-kitchen.net, zirconium.binary-kitchen.net, molybdenum.binary-kitchen.net, ruthenium.binary-kitchen.net, ruthenium.binary-kitchen.net, barium.binary-kitchen.net]
roles:
- uau
@ -42,10 +42,10 @@
roles:
- netbox
- name: Setup XRDP host
hosts: pancake.binary.kitchen
- name: Setup SIP-DECT OMM
hosts: knoedel.binary.kitchen
roles:
- xrdp_apphost
- omm
- name: Setup drone runner
hosts: bob.binary.kitchen
@ -103,12 +103,8 @@
- name: Setup matrix server
hosts: sodium.binary-kitchen.net
roles:
- matrix
- name: Setup turn server
hosts: magnesium.binary-kitchen.net
roles:
- coturn
- matrix
- name: Setup jitsi server
hosts: zirconium.binary-kitchen.net