Author | SHA1 | Date | |
---|---|---|---|
cc35e0da6c | |||
26a36701f5 | |||
7403383a4f | |||
b710872b20 | |||
4dd1f87e73 | |||
33e0419253 | |||
ab693499f4 | |||
7e3ee25048 | |||
ce8e6d6cd2 | |||
e1e8da8a2b | |||
cd80847a57 | |||
d5ec34c47e | |||
227926ff12 | |||
|
5ddc8ee09a | ||
d2c83c01fc | |||
3e0cdbe023 | |||
e1856f6ceb | |||
3dbdbc226b | |||
5cbaf1b4a6 | |||
447fcbaad5 | |||
ec6b1d4725 | |||
ad96a50ae8 | |||
ca244db889 | |||
73b36d8bc3 | |||
a1a3091507 | |||
541c061c7d | |||
2d645a13f4 | |||
9eef0c7739 | |||
f565853cd2 | |||
9c2cf94ea2 | |||
7c40f82c6c | |||
bd96df2eb0 | |||
3c09971484 | |||
fabf719de5 | |||
44241e5df5 | |||
da9b432864 | |||
e956702e86 | |||
8bf2704c9b | |||
4f57cf5f62 | |||
02c5e0fa8f | |||
9e194d1d6d | |||
29b0201507 | |||
3214cdacd1 | |||
c57ce61df4 | |||
cec001156b | |||
dbb9a58354 | |||
82f0b278a6 | |||
b87119a1df | |||
792d7dcc90 | |||
359f2f68d7 | |||
|
93e01f3650 | ||
69348ed49b | |||
43a672b064 | |||
beb8fafd1a | |||
e63ad7a34d | |||
cd90151635 | |||
239d2b6f9b | |||
3c901c5e2e | |||
0893017a01 | |||
3fcc39c852 | |||
3cd42908be | |||
dac19a26b6 | |||
cece722363 | |||
9675522a88 | |||
cc62b843ed | |||
6d3f81e32d | |||
c002c52c25 | |||
01811b089e | |||
84c167e9ed | |||
79668ac85d | |||
16bdd2cc5a | |||
848bf5c82c | |||
224d6ef256 | |||
dcc8dfa14b | |||
45cb1623cf | |||
1541f5c7a8 | |||
c23bc49529 | |||
3325ebe70e | |||
0dfc8ca853 | |||
9ea7156394 | |||
347ad26fb6 | |||
bb2ae97f13 | |||
a22c68a76a | |||
e0c869819b | |||
b23c62e0e9 | |||
56b1e62d4b | |||
4633eab53a | |||
9373745171 | |||
7eb37b6cf6 | |||
ca91b3d82d | |||
bd1b350862 | |||
3991fdee84 | |||
608ef53d4e | |||
|
0abe05dc00 | ||
|
e4f346182b | ||
c708de4a40 | |||
59fcac1337 | |||
f003f62989 | |||
4ac6936b54 | |||
7f05bf752d | |||
8f69ef75f1 | |||
7fb80dc1e3 | |||
e47e17cf75 | |||
2276e4efe5 | |||
|
1465af44a6 | ||
|
d3e0e7c8da | ||
|
77a8cc93f0 | ||
60e4ce380d | |||
8541e74ee1 | |||
46bcaf8320 | |||
75c6a18217 | |||
6aff25be20 | |||
f470dd313a | |||
c7e01371c9 | |||
4ff1651100 | |||
a9e7ab626b | |||
758a2efa03 | |||
931d97359e | |||
3c56af2906 | |||
ae88007179 | |||
4af3743d75 | |||
933fa6387e | |||
966e96f2f9 | |||
f367fb6e76 | |||
af2c7e6c2d | |||
e44d76a7be | |||
7ad28a20d0 | |||
8e8b2be194 | |||
cb2887adff | |||
ab82b09431 | |||
75ec080860 | |||
577706dbbe | |||
7bc18ea42f | |||
813d32fd6b | |||
364cda3347 | |||
291a84b65a | |||
61d2b601e9 | |||
9ff860d6ec | |||
60cfb76658 | |||
24e5d5d3fb | |||
f54e173040 | |||
b89409207b | |||
a1ab02769e | |||
10bcd42d02 | |||
d2ad4fe142 | |||
37a8d9c739 | |||
d67048b79b | |||
1de1c7e7ea | |||
6b3f6ae80b | |||
4d67b3fc6e | |||
e8dde1ec94 | |||
35794adb90 | |||
a09942a01e | |||
58e68d1255 | |||
21172dbbd7 | |||
980a705dd6 | |||
7f30b97d69 | |||
51065764da | |||
cdfd65e83f | |||
9a70e83037 | |||
43cf634b96 | |||
77d9ebcd13 | |||
6dceeeb9a4 | |||
f19e8af40f | |||
1f967c2925 | |||
2eb5440c3c | |||
0d288bf6e1 | |||
865c58bd4c | |||
1b0db12005 | |||
36b75e1c6a | |||
0dd467e564 | |||
2438917f79 | |||
26bdefaa10 | |||
de1a36efb1 | |||
ead1afc293 | |||
869a84dc3d | |||
7ac10f0e7d | |||
5e9360bd48 | |||
2f6ae888b5 | |||
be35ad698f | |||
3be8cce6d8 | |||
41a94d7142 | |||
e03d7ab821 | |||
5266df5c52 | |||
f0c55693a8 | |||
241c706625 | |||
1b9b5badd3 | |||
7a4ec7aae1 | |||
09043f39ca | |||
cbee52e0bc | |||
c163f271e3 | |||
870cce1e12 | |||
f96090ca5d | |||
5406efcef1 | |||
046fe91aef | |||
139c8d9904 | |||
1b34fd4944 | |||
d2c46eae8c | |||
b2442be2d8 | |||
7b1f998af2 | |||
3e1cdb6bf5 | |||
e8dcf169e2 | |||
e0a5d012ee | |||
1aebd59435 | |||
66ee1f011e | |||
be3c4f3cf7 | |||
0c1e89c24e | |||
f18c07e9fa | |||
a5620befbe | |||
c93b864f03 | |||
5156bdf33c | |||
9e7f968c7b | |||
e54a60e828 | |||
19242491f5 | |||
1a5f7b7e3f | |||
ae725e673c | |||
8a27fe96b1 | |||
b03c92eba0 | |||
90cbfdb435 | |||
dae9ba85e4 | |||
57709979eb | |||
a7373f86f3 | |||
4cc75159d2 | |||
ac892a93cb | |||
15fbe6c29c | |||
39e5ad9e20 | |||
482ac2078d | |||
2514396745 | |||
b1589a0ec1 | |||
df78e0119f |
|
@ -1,5 +1,6 @@
|
|||
[defaults]
|
||||
ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
|
||||
interpreter_python = auto
|
||||
inventory = ./hosts
|
||||
nocows = 1
|
||||
remote_user = root
|
||||
|
|
|
@ -34,11 +34,20 @@ gitea_dbpass: "{{ vault_gitea_dbpass }}"
|
|||
gitea_secret: "{{ vault_gitea_secret }}"
|
||||
gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
|
||||
|
||||
hackmd_domain: pad.binary-kitchen.de
|
||||
hackmd_dbname: hackmd
|
||||
hackmd_dbuser: hackmd
|
||||
hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
|
||||
hackmd_secret: "{{ vault_hackmd_secret }}"
|
||||
hedgedoc_domain: pad.binary-kitchen.de
|
||||
hedgedoc_dbname: hackmd
|
||||
hedgedoc_dbuser: hackmd
|
||||
hedgedoc_dbpass: "{{ vault_hedgedoc_dbpass }}"
|
||||
hedgedoc_secret: "{{ vault_hedgedoc_secret }}"
|
||||
|
||||
icinga_domain: icinga.binary.kitchen
|
||||
icinga_dbname: icinga
|
||||
icinga_dbuser: icinga
|
||||
icinga_dbpass: "{{ vault_icinga_dbpass }}"
|
||||
icinga_server: nabia.binary.kitchen
|
||||
icingaweb_dbname: icingaweb
|
||||
icingaweb_dbuser: icingaweb
|
||||
icingaweb_dbpass: "{{ vault_icingaweb_dbpass }}"
|
||||
|
||||
jitsi_domain: jitsi.binary-kitchen.de
|
||||
jitsi_admin_email: exxess@binary-kitchen.de
|
||||
|
@ -64,10 +73,18 @@ mail_server: mail.binary-kitchen.de
|
|||
mailman_domain: lists.binary-kitchen.de
|
||||
mail_trusted:
|
||||
- 213.166.246.0/28
|
||||
- 213.166.246.37/32
|
||||
- 213.166.246.45/32
|
||||
- 213.166.246.250/32
|
||||
- 2a02:958:0:f6::/124
|
||||
- 2a02:958:0:f6::37/128
|
||||
- 2a02:958:0:f6::45/128
|
||||
mail_aliases:
|
||||
- "auweg@binary-kitchen.de venti@binary-kitchen.de,anti@binary-kitchen.de,anke@binary-kitchen.de,gruenewald.clemens@gmail.com"
|
||||
- "bbb@binary-kitchen.de timo.schindler@binary-kitchen.de"
|
||||
- "dasfilament@binary-kitchen.de taxx@binary-kitchen.de"
|
||||
- "epvpn@binary-kitchen.de noby@binary-kitchen.de"
|
||||
- "google@binary-kitchen.de vorstand@binary-kitchen.de"
|
||||
- "info@binary-kitchen.de vorstand@binary-kitchen.de"
|
||||
- "lebercast@binary-kitchen.de anti@binary-kitchen.de,dragonchaser@binary-kitchen.de,moepman@binary-kitchen.de,philmacfly@binary-kitchen.de,ralf@binary-kitchen.de"
|
||||
- "loetworkshop@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
|
||||
|
@ -75,12 +92,13 @@ mail_aliases:
|
|||
- "openhab@binary-kitchen.de noby@binary-kitchen.de"
|
||||
- "orga@ccc-r.de orga@ccc-regensburg.de"
|
||||
- "orga@ccc-regensburg.de anti@binary-kitchen.de"
|
||||
- "paypal@binary-kitchen.de timo.schindler@binary-kitchen.de"
|
||||
- "paypal@binary-kitchen.de ralf@binary-kitchen.de"
|
||||
- "post@makerspace-regensburg.de vorstand@binary-kitchen.de"
|
||||
- "pretix@binary-kitchen.de moepman@binary-kitchen.de"
|
||||
- "root@binary-kitchen.de moepman@binary-kitchen.de,kishi@binary-kitchen.de"
|
||||
- "seife@binary-kitchen.de anke@binary-kitchen.de"
|
||||
- "siebdruck@binary-kitchen.de anke@binary-kitchen.de"
|
||||
- "vorstand@binary-kitchen.de anti@binary-kitchen.de,avarrish@binary-kitchen.de,timo.schindler@binary-kitchen.de,zaesa@binary-kitchen.de"
|
||||
- "vorstand@binary-kitchen.de anti@binary-kitchen.de,avarrish@binary-kitchen.de,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
|
||||
- "voucher1@binary-kitchen.de exxess@binary-kitchen.de"
|
||||
- "voucher2@binary-kitchen.de exxess@binary-kitchen.de"
|
||||
- "voucher3@binary-kitchen.de exxess@binary-kitchen.de"
|
||||
|
@ -100,19 +118,28 @@ matrix_dbname: matrix
|
|||
matrix_dbuser: matrix
|
||||
matrix_dbpass: "{{ vault_matrix_dbpass }}"
|
||||
|
||||
nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
|
||||
nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
|
||||
nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
|
||||
mc_domain: minecraft.binary-kitchen.de
|
||||
|
||||
netbox_domain: netbox.binary.kitchen
|
||||
netbox_dbname: netbox
|
||||
netbox_dbuser: netbox
|
||||
netbox_dbpass: "{{ vault_netbox_dbpass }}"
|
||||
netbox_secret: "{{ vault_netbox_secret }}"
|
||||
|
||||
nextcloud_domain: oc.binary-kitchen.de
|
||||
nextcloud_dbname: owncloud
|
||||
nextcloud_dbuser: owncloud
|
||||
nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
|
||||
|
||||
plk_domain: plk-regensburg.de
|
||||
plk_dbuser: plkdbuser
|
||||
plk_dbname: plkdb
|
||||
plk_dbpass: "{{ vault_plk_dbpass }}"
|
||||
nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
|
||||
nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
|
||||
nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
|
||||
|
||||
pretix_domain: pretix.events.binary-kitchen.de
|
||||
pretix_dbname: pretix
|
||||
pretix_dbuser: pretix
|
||||
pretix_dbpass: "{{ vault_pretix_dbpass }}"
|
||||
pretix_mail: pretix@binary-kitchen.de
|
||||
|
||||
prometheus_pve_user: prometheus@pve
|
||||
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
|
||||
|
@ -126,8 +153,6 @@ pve_targets:
|
|||
|
||||
radius_secret: "{{ vault_radius_secret }}"
|
||||
|
||||
rocketchat_domain: chat.binary-kitchen.de
|
||||
|
||||
root_keys:
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJBmZnJLG1WRppbLtOAJw3E4LgLRK0NirfCgpovhhU6h moepman"
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPlktM2x11cNBMKurf57MLE1XcOm2sGQXguc0tl1vYd kishi"
|
||||
|
@ -135,3 +160,5 @@ root_keys:
|
|||
slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
|
||||
slapd_root_pass: "{{ vault_slapd_root_pass }}"
|
||||
slapd_san: ldap.binary.kitchen
|
||||
|
||||
workadventure_domain: wa.binary-kitchen.de
|
||||
|
|
|
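Review bot: `slapd_root_hash` at the top of the last hunk of this file is an `{SSHA}` (salted SHA-1) hash of the LDAP root password committed unencrypted, while `slapd_root_pass` on the very next line goes through the vault like every other secret in this file; the hash is context here, not introduced by this commit, but once it is in git history it is effectively a long-lived secret. Suggest moving it behind the vault the same way, `slapd_root_hash: "{{ vault_slapd_root_hash }}"`, and rotating the root password afterwards since the current hash is already recorded. If the slapd version in use supports a stronger password scheme than `{SSHA}`, regenerating the hash with that scheme at rotation time would be worth doing in the same change. The `hedgedoc_*` block also keeps `hackmd` as database name and user, which is fine but deserves a one-line comment so nobody "fixes" it later.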
@ -1,59 +1,102 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
37303932343462623335393066643531373533636435356462326537373532613534353266396435
|
||||
3636666364306637306266393933383963633032383265650a656563303332303134323135353239
|
||||
34633863333930316564633632313939643664373163373833636139366537646530383736343130
|
||||
6239373931306234620a353966346262646538306631656461613431636230333430663931643933
|
||||
31316362353439393838363666613932313635313864333135636530653238653162353033356437
|
||||
33353063363639346266313631393463623864636133623264613865336536613536343365386230
|
||||
65396263393862626139396430623134316632313637623631623762656139623664356331623066
|
||||
30323430613963313162616135303164663364336634326533346438373635366238356531613461
|
||||
30333736633965333163616437303566666239313962353531393530613265363833396136646262
|
||||
62633662666532396535316361303934613138373365633161393664313234663533363736323335
|
||||
38613762376234663564333333386265633138613839636132346638313430653639636339336239
|
||||
38633564333831326331326166666362353364303933393532643936313564386565643162623435
|
||||
36356437356631666137323039316430656566613436623062656562666139383635653039636463
|
||||
35393438323765303431333737356339343730303531333834306239366533393537626239376163
|
||||
31663332343136323264376234363264343136623365383833666638656531306362663462383033
|
||||
31633838643562613762363634653865353361303666363139636337386439626235336462653036
|
||||
30376461643839313665383430386534656265626139313034646438323861653530383637316139
|
||||
35313539636137303561646564616362313435666262343137616263396465356434363862323137
|
||||
38626464383039386139343665363538326539613837366437623362336639336133323463666235
|
||||
36346333356434363838363634343233323363333762653264333062656133623434666162356433
|
||||
37623862653862643335333931663063623166353534636430323230663838653532356335306632
|
||||
33646265343834363839653565326538353930663061376461646534386637376234646264343933
|
||||
65653763343236653630396238333232633461663333646531323337626235396231383931663264
|
||||
34363564366134663036643332346238373639646336396261316133326235636265323636663335
|
||||
35363537346466396432396162383131306438396431336138666663633132646662316165643333
|
||||
64633434623166343262623038623431343631333962663566303566393761653536303638643037
|
||||
63363963306139336235363537396432383131303763643966313937353537333739393031616439
|
||||
35343361646234663062633631323238656137373464386561656439313636613630323632616332
|
||||
39346239666266623038363066643865373762633532323431373431373165643662663661633365
|
||||
35353361383339623535336362313430616139396561623934346264323462663663383566393165
|
||||
35366637313861386465333530613530623832643333616538336436356134313832306139336361
|
||||
32393162373235356236343332363038393631626534643237383232323735633265333562633231
|
||||
61613164363962323236666365353830346664643263393532343562383736336535353364343638
|
||||
62386465323331653565306234646664393164666334383765336630346438633636353264636138
|
||||
31316231326236313839353465353230353935363330393035373234393039386134366534653636
|
||||
63323730383931353763383739393330316335373563393039366166313031373664636335363363
|
||||
38363131363565326431636361316562313037373664306333313366646336333162663664306539
|
||||
64636530363561393037373766383937616435313333653836363835383231633130396133663635
|
||||
36613531323732623264646666656139333766656562623430313964366236373663626135383437
|
||||
31643663663637613762313465656636396264623362643538323166356636303430613133383664
|
||||
66383332326437333638663562376665386237313533303437623765353661393561373338636130
|
||||
30383665333366643331366536646330633133643566393962633164643563613536363434393234
|
||||
66323931316535353632356432373262623962616264383430623436303637616165386433326231
|
||||
38633730636633643634343833313964653530663034333063313334636134646634363437346161
|
||||
32613061363032383732323263303830363532326239316538393739313730383530633862313039
|
||||
37653865303932313635656332663039376331393161623731623039653865623436363061626538
|
||||
32383934613335363534666461343135303235373262343634306130633536323839393139346662
|
||||
31623265323138353963623938616665383765366230656461383835346230346261623866366630
|
||||
65303965353432386136373562306434623739666262356663656266346439356435613362333563
|
||||
34366539353366346636376662363837303332373866323434366261326164633033353930383038
|
||||
36666433656365366663326163343034306439653262353733323232373133386436333637346563
|
||||
32626533336530633731336631333334353366306538663936643637346335303965626631316562
|
||||
33333061656234393661363766663630316662613764333231326434383465666234653238393965
|
||||
31636561396665383063613433653837363634623337623330666466353532633434383864343464
|
||||
38303436306165353433356536326466306530373635616531393462666336666435633235613937
|
||||
37343832333864643636366632623062363234633365326635386663376439383332306333653161
|
||||
34353830396165366534313334616161323461613066383561343563393330613464373862623062
|
||||
3536303066343262636636393861313539616636643339353562
|
||||
34313430623638333161613331623835666163626232326164366136373833633138373733333231
|
||||
6563336334663666373235313064363364646361643033310a663033616232363434306230313765
|
||||
31386338646433393334663031623261353661333565663763363834313264363463383562633934
|
||||
3663623932356635360a306231613431623763663130656634623365643730336564663862336536
|
||||
34663863313364613831656162663663646634636432656539643531326163653363376662393935
|
||||
61343934313135623265646539616136306231633566616534383562393964663565323534386162
|
||||
31646233313339383863313334353031386166653264353831383133633761306539636533656336
|
||||
37643866646538316234633736613136356166613037383638303465663639633432326533653832
|
||||
30313862646132393063393239656561646566336362643466386435613734623632613361323266
|
||||
64316166313635306631396166303132626139386563613231646439356637393662623530353261
|
||||
62326661663064393362653136346262313762376130623461313563613161623838356363306263
|
||||
38376438333632623962646535313239343038383030383736313536303935346236326631616632
|
||||
65376162613630343064356361336535623030316435333036363635623461626330663635653631
|
||||
61313435373839366363613338666630366333383962393734333662646239663237386437373333
|
||||
31373065336139643033643666653737306664626134643937343264646539616264393530343462
|
||||
38366232393832666439383066383738643966363132663832396562646238306638343266353934
|
||||
38396236373830303661336635646137306236386436343033383764666535323834313534346533
|
||||
35333665303534383634303732346164616666643731313839353462343365356338386561613231
|
||||
35333965353736386531356565376434393563653562373261633664623438346638613765303736
|
||||
65336230636539613332616433326335326436333136636566383731306437663438306636363930
|
||||
31376230353230613038636662623432646361383263663532396234656133333237333738666233
|
||||
61613961343963393437393664393265306564373164316265363232303831663331393130356662
|
||||
39313230616463636163386261353431356338353833393161313861643137646166363864313861
|
||||
64306161653565396339656333346235346365373836373633376231333833313034353864656434
|
||||
33623861326664356339336333663365663663353061323037346330653133396235363831623136
|
||||
63343662356235633332373733626232353437373263343038663932636232363030336436616131
|
||||
65376436663962363631386664353531303963313263633261633766326566383262643334646466
|
||||
65363664306332656134633039643135323134616535613834313533626633353066343762646132
|
||||
31353761373366313365373632366661646235333039656231323030366338326264333162646562
|
||||
39343265376234363635306537636464323030316231306564316635656563303565336539326237
|
||||
36393632386564343730616566373535616263383564343866353665373363363333343935346464
|
||||
31646338353235356231353135663062323766663231383730396235373934303465346239303961
|
||||
66646463663762633963336365356431323431383938373839346364303464633031633633663937
|
||||
36646165633661633361313635393134646133363334373863663132376266336233336435356435
|
||||
38303862613564363731313062316533633465353830316436326431656132353431373231646337
|
||||
33343464353039623236643633636239343965643633343966326562343934313664633563613730
|
||||
63313930643936393838636634613331633835656434646163386661663037376330646366656232
|
||||
32623461633935353134343533626266653031666335336236343039363066396337633639363235
|
||||
38626233383461356264616534656537633931663936383330386532363434383833613835613439
|
||||
64306262626539623136376630646439353335623266306139306434663331346237306331666533
|
||||
37363433343433363632336333633065313865626564633134616462393831626237333638333739
|
||||
61623030386235666132666661623462323332393666623539636139326530623233396533373939
|
||||
32396261306661663739333138353335663734316232303661353166376133653934306233343739
|
||||
33353833323739343163396234633264373139346264653933633433393132363966636135393365
|
||||
36363530396166363630643764633436663037666631343535366132373334663938333930396133
|
||||
36303864303961333664653635343935353266396231313964646262363038626561653466646438
|
||||
62306434373136393738303835656130333936663430636139383137633536383131616533613634
|
||||
62343464636332343031326365383964326666636466666636663236633935356635336435313437
|
||||
33626137326238356537353762613164653731326563663239316537646338643131643564663632
|
||||
33353536383265303030343735616530666236343064323337623232396130393366363161356636
|
||||
61333862313432323139313963386538393365373335373139353533356537383739373539646134
|
||||
37623936653933326633643961313530663533326532383133353238303336643432353833393338
|
||||
31633065666336373236386537636536326236636639376465346136326535653764373131636135
|
||||
61393932643639383234396163326633393733616563343637613661326432623461393934653965
|
||||
32643162386238316261633733613366323834393365633430643964666262306339633766613533
|
||||
65366264313431333132303063393564383062346365633133383463376631303933643065613137
|
||||
61383231393339363465363064633862633135326536663163366234623764626439346461303164
|
||||
32373738636533306362333138643832643862656239303464373434303537653336646430356633
|
||||
36626436356231616166666163346539633738623734343031373735346165303664346137343132
|
||||
31663230343934333138656333626339623133323630336266353831653135616363333432616361
|
||||
33613236623538333663366136656563663331366237303763653238336139363163366635646532
|
||||
37316430623433336436376462656331373336303831393333626166346135333737326435353834
|
||||
37636162646438313162303462633830353239623565393331316662616535343138613437653665
|
||||
31316563346234633031653131666531333266306139346566383263303835343532363633373665
|
||||
30336462626434393063343234356633636433356164363163363564383263623364386435383239
|
||||
33323738366534633730666436303433343731306662393863323633653263316138386365376666
|
||||
35316365303361623030383836316436323663646464386231346432396563663133643834383636
|
||||
61326534313237316130393538613834656231303732656163346237643535663239366536636633
|
||||
36306137616664623735613966343264653932363035373336636465323163393539363064386562
|
||||
31626138316163393466323333613530376265386136376330636364363166323061383034623336
|
||||
38643166363864383264373665323238326232376633653565356536376466303834313733613531
|
||||
65333734353036303935333533306334306231373731353463346461353930316562316439356562
|
||||
38336435366335333230323766626134376131323435323735653736336662313962393766383435
|
||||
39323734643037643066363338373332653830393337306633336131663131616164336536393837
|
||||
35383366316130343162663231343763373331613261393566366133346564636334643464373535
|
||||
37633536323531613831656662323263316630623061383930363637346438623735383430366538
|
||||
39303961326461323661346630313636643531303265393461373036306435353863643036623665
|
||||
66333965303032653537613232633162303138343632396134336130333430636666376430323466
|
||||
61323535313463653866666265313765623831376633666534623033643063386231623238656439
|
||||
63323166373764306162613233323466366363666535643339646361306638343762393834343131
|
||||
31393437373733343138306563363032353831616334383631656266346131303161633265343461
|
||||
62343234383936303664643234323665343635626435613766343737396564656137393061666165
|
||||
66313531666562303030323764356632626233333432343461393362303563643661336335366339
|
||||
62346366643835303563646161366434386532363265313531303634336136653062613464376138
|
||||
66336333623565623263363561303537303337623137656430353830353937323265313837333237
|
||||
62343132326665326130376566626661366534353335366532623539303536323762646462306261
|
||||
63383133633462376162316338663765393933663536663239636439643733376434333030616131
|
||||
63326332336563326232346430643534336133376334646635653862333133306135666132353839
|
||||
37336136346464363365633262623630343463343035666161626665663030346533303266313837
|
||||
32323566393630626566393334353832383235626161343532323930656430343739663432333866
|
||||
62663136333637663563366536303437363964666638326134373766313837383431663733383630
|
||||
63336432656239393465353666383131326536643531663337396234396663373432303163653331
|
||||
33626237386237626433653637313835376632613131663235353037336231613134633065323035
|
||||
31366531343131303937663561336262623062313961366233633430323639383332656236363535
|
||||
35353639633366366439666532326539666230323338643931383264306436386634316331393133
|
||||
33393963303734303037353139356436313036343766646131333735356266333434333039363339
|
||||
62396231303137303236626439633331306663313630653437363733656130653863646537316536
|
||||
39346233633436323565363466653862333630633030666136613237333663643339306334613532
|
||||
63343565393632353138616637356339623639373135636334333130323032346536626465323430
|
||||
63383363313338636466316464303039633236343038613734633632633234313837656436663137
|
||||
62643130383463333137363537646233613366653664613137623130333330636362
|
||||
|
|
14
group_vars/auweg
Normal file
14
group_vars/auweg
Normal file
|
@ -0,0 +1,14 @@
|
|||
---
|
||||
|
||||
dhcpd_failover: false
|
||||
dhcpd_primary: 172.23.13.3
|
||||
|
||||
dns_primary: 172.23.13.3
|
||||
|
||||
name_servers:
|
||||
- 172.23.13.3
|
||||
|
||||
ntp_servers:
|
||||
- 172.23.12.61
|
||||
|
||||
radius_cn: radius.binary.kitchen
|
|
@ -4,6 +4,9 @@ dhcpd_failover: true
|
|||
dhcpd_primary: 172.23.2.3
|
||||
dhcpd_secondary: 172.23.2.4
|
||||
|
||||
dns_primary: 172.23.2.3
|
||||
dns_secondary: 172.23.2.4
|
||||
|
||||
name_servers:
|
||||
- 172.23.2.3
|
||||
- 172.23.2.4
|
||||
|
|
6
host_vars/aeron.binary.kitchen
Normal file
6
host_vars/aeron.binary.kitchen
Normal file
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
|
||||
radius_hostname: radius3.binary.kitchen
|
||||
|
||||
slapd_hostname: ldap3.binary.kitchen
|
||||
slapd_role: slave
|
|
@ -1,9 +1,11 @@
|
|||
---
|
||||
|
||||
ntp_server: true
|
||||
|
||||
ntp_servers:
|
||||
- ptbtime2.ptb.de
|
||||
- ntp1.rrze.uni-erlangen.de
|
||||
- ntps1-0.cs.tu-berlin.de
|
||||
- rustime01.rus.uni-stuttgart.de
|
||||
|
||||
ntp_peers:
|
||||
- 172.23.1.60
|
||||
|
|
2
host_vars/barium.binary-kitchen.net
Normal file
2
host_vars/barium.binary-kitchen.net
Normal file
|
@ -0,0 +1,2 @@
|
|||
root_keys_host:
|
||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"
|
8
host_vars/bowle.binary.kitchen
Normal file
8
host_vars/bowle.binary.kitchen
Normal file
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
|
||||
nfs_exports:
|
||||
- /exports/backup/bk 172.23.1.60(rw,sync,no_subtree_check)
|
||||
- /exports/backup/rz 172.23.9.61(rw,sync,no_subtree_check)
|
||||
- /exports/tank 172.23.0.0/22(rw,sync,no_subtree_check)
|
||||
|
||||
uau_reboot: "false"
|
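Review bot: The `/exports/tank` export in this new file grants read-write access to the whole 172.23.0.0/22 range, whereas the two backup exports above it are pinned to a single client each; if that breadth is intended it should be stated in a comment, and since the option list does not mention it, the server default `root_squash` is what applies, so writing it explicitly would keep that intent visible. `uau_reboot: "false"` is a quoted string rather than a YAML boolean; Ansible conditionals do coerce the strings "true"/"false", but a bare `false` is less surprising unless the consuming role expects a string, which I cannot tell from here.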
4
host_vars/knoedel.binary.kitchen
Normal file
4
host_vars/knoedel.binary.kitchen
Normal file
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
|
||||
root_keys_host:
|
||||
- "ssh-rsa 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 noby"
|
5
host_vars/lock-auweg.binary.kitchen
Normal file
5
host_vars/lock-auweg.binary.kitchen
Normal file
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
|
||||
root_keys_host:
|
||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAkXY3fQFMG7LkTBWtBNY7q7RCwb/R4Z8Y96e3pToddfXbtmtVxMZfd6hC+3kGt3NnPYDFmZf/RXblNBPwL/n8bEjA0bmfU60LMjFT0mG99bLU+5CgDxaSf34jzgtzLbHKqeSYxNpXNebbDZRw+cxuDjxJ+lYbc/hNQTy6hqKXUSQ25LAqplKVYbxlPWPxxKnJCvWj2pCdJGj1EK/Y+saafNOhA7uEPNt8HtWWNMhxNi+P9OkkLpYqRM8V0miR7aAYOY+RllMn+H5DIJg2gk319AHhlBDP7NXd/tmWg+bI7xYPDe9Q6gMrV8OnQmuNjWsLNhp8ktwQxpsv71t6ztXLpceIkV9yfDSeBpZG5QnsMOy/ua91S6hmMg4bIEBsqkPUYEwEIDFaV0TrlKeXMkU+ovthZnw0CWgV5KEWDHtuGu8nBBpks/geclh+0yqeFEaacnlTTNEhvCcp7vOsqDJnZSn1L4O6C+u/A4NJGRH7XQMWrXBdeTVIT9KLsdZJsoPIH8BRaw/qOYPY6wZzHcLvrsayUBBiiLDIN1lE/3OV70dKX7F0Q7hyl8o9EoGdEYnGBonWGC58hroiAE4FTVdWLKtHzHSG2AdTWf53sJzGVEh5swm44KD/Dh52bE4YjUxC0b68Twb3/L1QpH8KZNUVEcRNmiRshefMPSXbPv3bNzc= 20170818Tobias@Teubl.de"
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"
|
3
host_vars/magnesium.binary-kitchen.net
Normal file
3
host_vars/magnesium.binary-kitchen.net
Normal file
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
|
||||
acertmgr_mode: standalone
|
|
@ -4,3 +4,4 @@ grafana_domain: zelle.binary-kitchen.de
|
|||
|
||||
root_keys_host:
|
||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAib/9jl5oDkCF0g9Z2m0chruxA779TmQLy9nYFWq5qwxhCrBwgPBsHjyYJoA9vE6o+MB2Uc76hPNHxrY5WqOp+3L6z7B8I7CDww8gUBcvLXWFeQ8Qq5jjvtJfT6ziIRlEfJBHn7mQEZ6ekuOOraWXSt7EVJPYcTtSz/aqbSHNF6/iYLqK/qJQdrzwKF8aMbJk9+68XE5pPTyk+Ak9wpFtiKA+u1b0JAJr2Z0nZGVpe+QlMkgwysjcJik+ZOFfVRplJQSn7lEnG5tkKxySb3ewaTCmk5nkeV40ETiyXs6DGxw0ImVdsAZ2gjBlCVMUhiCgznREzGmlkSTQSPw7f62edw== venti"
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"
|
||||
|
|
|
@ -3,3 +3,5 @@
|
|||
root_keys_host:
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJu4xYKnnAhXf2Fe+cI+U4EVkePw3cbPbSR4iPhY2fQf xaver@xm.1drop.de"
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGC1Cn/tEqpZKEgLzT3bGrhYibQy0bc21rtoDqm4+elZ xaver@home"
|
||||
|
||||
nginx_anonymize: True
|
||||
|
|
4
host_vars/pancake.binary.kitchen
Normal file
4
host_vars/pancake.binary.kitchen
Normal file
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
|
||||
root_keys_host:
|
||||
- "ssh-rsa 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 noby"
|
8
host_vars/weizen.binary.kitchen
Normal file
8
host_vars/weizen.binary.kitchen
Normal file
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
|
||||
ntp_server: true
|
||||
|
||||
ntp_servers:
|
||||
- ptbtime1.ptb.de
|
||||
- ntp1.rrze.uni-erlangen.de
|
||||
- rustime01.rus.uni-stuttgart.de
|
|
@ -1,9 +1,11 @@
|
|||
---
|
||||
|
||||
ntp_server: true
|
||||
|
||||
ntp_servers:
|
||||
- ptbtime1.ptb.de
|
||||
- ntp1.rrze.uni-erlangen.de
|
||||
- ntps1-0.cs.tu-berlin.de
|
||||
- rustime01.rus.uni-stuttgart.de
|
||||
|
||||
ntp_peers:
|
||||
- 172.23.2.3
|
||||
|
|
13
hosts
13
hosts
|
@ -4,10 +4,17 @@ bacon.binary.kitchen ansible_host=172.23.2.3
|
|||
aveta.binary.kitchen ansible_host=172.23.2.4
|
||||
sulis.binary.kitchen ansible_host=172.23.2.5
|
||||
nabia.binary.kitchen ansible_host=172.23.2.6
|
||||
epona.binary.kitchen ansible_host=172.23.2.7
|
||||
pizza.binary.kitchen ansible_host=172.23.2.33
|
||||
pancake.binary.kitchen ansible_host=172.23.2.34
|
||||
knoedel.binary.kitchen ansible_host=172.23.2.35
|
||||
bob.binary.kitchen ansible_host=172.23.2.37
|
||||
bowle.binary.kitchen ansible_host=172.23.2.62 ansible_python_interpreter=/usr/local/bin/python2.7
|
||||
bowle.binary.kitchen ansible_host=172.23.2.62
|
||||
salat.binary.kitchen ansible_host=172.23.9.61
|
||||
[auweg]
|
||||
weizen.binary.kitchen ansible_host=172.23.12.61
|
||||
aeron.binary.kitchen ansible_host=172.23.13.3
|
||||
lock-auweg.binary.kitchen ansible_host=172.23.13.12
|
||||
[fan_rz]
|
||||
helium.binary-kitchen.net
|
||||
lithium.binary-kitchen.net
|
||||
|
@ -19,9 +26,11 @@ oxygen.binary-kitchen.net
|
|||
fluorine.binary-kitchen.net
|
||||
neon.binary-kitchen.net
|
||||
sodium.binary-kitchen.net
|
||||
magnesium.binary-kitchen.net
|
||||
krypton.binary-kitchen.net
|
||||
yttrium.binary-kitchen.net
|
||||
zirconium.binary-kitchen.net
|
||||
molybdenum.binary-kitchen.net
|
||||
technetium.binary-kitchen.net
|
||||
ruthenium.binary-kitchen.net
|
||||
rhodium.binary-kitchen.net
|
||||
barium.binary-kitchen.net
|
||||
|
|
|
@ -44,3 +44,8 @@
|
|||
- name: Enable vhosts
|
||||
file: src=/etc/nginx/sites-available/dss dest=/etc/nginx/sites-enabled/dss state=link
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Enable monitoring
|
||||
include_role: name=icinga-monitor tasks_from=http
|
||||
vars:
|
||||
vhost: "{{ dss_domain }}"
|
||||
|
|
|
@ -6,3 +6,6 @@ logrotate_excludes:
|
|||
- "/etc/logrotate.d/dbconfig-common"
|
||||
- "/etc/logrotate.d/btmp"
|
||||
- "/etc/logrotate.d/wtmp"
|
||||
|
||||
sshd_password_authentication: "no"
|
||||
sshd_permit_root_login: "prohibit-password"
|
||||
|
|
|
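Review bot: The two new `sshd_*` defaults are deliberately quoted and that deserves a comment, because an unquoted `no` is a YAML boolean and would reach the sshd_config template as `False` rather than the literal `no`; suggest `# keep quoted: bare yes/no are YAML booleans and would render as True/False in sshd_config` above `sshd_password_authentication`. The enclosing defaults file is only partly visible in this hunk. Given that ansible.cfg in the same compare sets `remote_user = root`, `prohibit-password` is the value that closes password login while keeping key-based root access working, so the two changes are consistent.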
@ -1,10 +0,0 @@
|
|||
# udev 226 introduced predictable interface names for virtio;
|
||||
# disable this for upgrades. You can remove this file if you update your
|
||||
# network configuration to move to the ens* names instead.
|
||||
# See /usr/share/doc/udev/README.Debian.gz for details about predictable
|
||||
# network interface names.
|
||||
[Match]
|
||||
Driver=virtio_net
|
||||
|
||||
[Link]
|
||||
NamePolicy=onboard kernel
|
|
@ -1,6 +0,0 @@
|
|||
# This machine is most likely a virtualized guest, where the old persistent
|
||||
# network interface mechanism (75-persistent-net-generator.rules) did not work.
|
||||
# This file disables /lib/systemd/network/99-default.link to avoid
|
||||
# changing network interface names on upgrade. Please read
|
||||
# /usr/share/doc/udev/README.Debian.gz about how to migrate to the currently
|
||||
# supported mechanism.
|
|
@ -1,7 +1,16 @@
|
|||
---
|
||||
|
||||
- name: Restart chrony
|
||||
service: name=chrony state=restarted
|
||||
|
||||
- name: Restart journald
|
||||
service: name=systemd-journald state=restarted
|
||||
|
||||
- name: Restart sshd
|
||||
service: name=sshd state=restarted
|
||||
|
||||
- name: update-grub
|
||||
command: update-grub
|
||||
|
||||
- name: update-initramfs
|
||||
command: update-initramfs -u -k all
|
||||
|
|
|
@ -3,7 +3,10 @@
|
|||
- name: Install misc software
|
||||
apt:
|
||||
name:
|
||||
- apt-transport-https
|
||||
- dnsutils
|
||||
- fdisk
|
||||
- gnupg2
|
||||
- htop
|
||||
- less
|
||||
- net-tools
|
||||
|
@ -26,35 +29,32 @@
|
|||
copy: src={{ item.src }} dest={{ item.dest }}
|
||||
diff: no
|
||||
with_items:
|
||||
- { src: '.zshrc', dest: '/root/.zshrc' }
|
||||
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
||||
- { src: 'motd', dest: '/etc/motd' }
|
||||
- { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
|
||||
- { src: ".zshrc", dest: "/root/.zshrc" }
|
||||
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
|
||||
- { src: "motd", dest: "/etc/motd" }
|
||||
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
|
||||
|
||||
- name: Set shell for root user
|
||||
user: name=root shell=/bin/zsh
|
||||
|
||||
- name: Create LDAP client config
|
||||
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=0644
|
||||
|
||||
- name: Disable hibernation/resume
|
||||
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
|
||||
notify: update-initramfs
|
||||
|
||||
# TODO template /etc/network/interfaces
|
||||
|
||||
- name: Fix network interface names
|
||||
copy: src={{ item }} dest=/etc/systemd/network/{{ item }}
|
||||
with_items:
|
||||
- 50-virtio-kernel-names.link
|
||||
- 99-default.link
|
||||
notify: update-initramfs
|
||||
- name: Enable serial console on KVM VMs
|
||||
lineinfile:
|
||||
path: "/etc/default/grub"
|
||||
state: "present"
|
||||
regexp: "^#?GRUB_CMDLINE_LINUX=.*"
|
||||
line: "GRUB_CMDLINE_LINUX=\"console=ttyS0,115200 console=tty0\""
|
||||
notify: update-grub
|
||||
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
|
||||
|
||||
- name: Prevent normal users from running su
|
||||
lineinfile:
|
||||
path: /etc/pam.d/su
|
||||
regexp: '^.*auth\s+required\s+pam_wheel.so$'
|
||||
line: 'auth required pam_wheel.so'
|
||||
regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
|
||||
line: "auth required pam_wheel.so"
|
||||
|
||||
- name: Configure journald retention
|
||||
lineinfile:
|
||||
|
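Review bot: The serial-console task's `line: "GRUB_CMDLINE_LINUX=\"console=ttyS0,115200 console=tty0\""` replaces the entire `GRUB_CMDLINE_LINUX=` line, so any kernel parameter an operator already placed there (hardening flags, for instance) is silently dropped on the next run; at minimum a comment should state it, e.g. `# Overwrites GRUB_CMDLINE_LINUX entirely: add further kernel parameters here, not by hand on the host`. `Fix network interface names` copies `50-virtio-kernel-names.link` and `99-default.link`, and `Create LDAP client config` renders `ldap.conf.j2`, yet this compare deletes all three files — I read those tasks as removed, but the rendering does not mark sides, and if either survives on the new side the play fails at that task. The `Configure journald retention` block at the end of the hunk continues outside it.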
@ -89,16 +89,25 @@
|
|||
set_fact:
|
||||
logrotateconfigpaths: "{{ alllogrotateconfigpaths | difference(logrotate_excludes) }}"
|
||||
|
||||
- name: 'Set logrotate.d/* to daily'
|
||||
- name: "Set logrotate.d/* to daily"
|
||||
replace:
|
||||
path: "{{ item }}"
|
||||
regexp: "(?:weekly|monthly)"
|
||||
replace: "daily"
|
||||
loop: "{{ logrotateconfigpaths }}"
|
||||
|
||||
- name: 'Set /etc/logrotate.d/* rotation to 7'
|
||||
- name: "Set /etc/logrotate.d/* rotation to 7"
|
||||
replace:
|
||||
path: "{{ item }}"
|
||||
regexp: "rotate [0-9]+"
|
||||
replace: "rotate 7"
|
||||
loop: "{{ logrotateconfigpaths }}"
|
||||
|
||||
- name: Configure ssh password login
|
||||
template:
|
||||
src: sshd_config.j2
|
||||
dest: /etc/ssh/sshd_config
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
notify: Restart sshd
|
||||
|
|
|
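Review bot: `Configure ssh password login` replaces the whole of `/etc/ssh/sshd_config` and notifies `Restart sshd`, so a render that sshd refuses (a mistyped `sshd_permit_root_login` value, say) takes down the only remote access path at handler time; the task should carry `validate: "/usr/sbin/sshd -t -f %s"`, which makes the template module reject a bad render before it is installed. The task name also understates what it does — it manages the entire sshd configuration, not just password login. The same concern applies to the `Restart sshd` handler added earlier in this compare, where `state=reloaded` is the gentler choice once validation is in place.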
@ -1,14 +0,0 @@
|
|||
---
|
||||
|
||||
- name: Install misc software
|
||||
pkgng:
|
||||
name:
|
||||
- vim-lite
|
||||
- htop
|
||||
- zsh
|
||||
|
||||
- name: Configure misc software
|
||||
copy: src={{ item.src }} dest={{ item.dest }}
|
||||
with_items:
|
||||
- { src: '.zshrc', dest: '/root/.zshrc' }
|
||||
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
|
@ -13,11 +13,12 @@
|
|||
|
||||
- name: Configure misc software
|
||||
copy: src={{ item.src }} dest={{ item.dest }}
|
||||
diff: no
|
||||
with_items:
|
||||
- { src: '.zshrc', dest: '/root/.zshrc' }
|
||||
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
||||
- { src: 'motd', dest: '/etc/motd' }
|
||||
- { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
|
||||
- { src: ".zshrc", dest: "/root/.zshrc" }
|
||||
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
|
||||
- { src: "motd", dest: "/etc/motd" }
|
||||
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
|
||||
|
||||
- name: Set shell for root user
|
||||
user: name=root shell=/bin/zsh
|
||||
|
|
8
roles/common/tasks/chrony.yml
Normal file
8
roles/common/tasks/chrony.yml
Normal file
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
|
||||
- name: Install chrony
|
||||
apt: name=chrony
|
||||
|
||||
- name: Configure chrony
|
||||
template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
|
||||
notify: Restart chrony
|
|
@ -2,21 +2,20 @@
|
|||
|
||||
- name: Cleanup
|
||||
apt: autoclean=yes
|
||||
when: ansible_os_family == 'Debian'
|
||||
when: ansible_os_family == "Debian"
|
||||
|
||||
- name: Gather package facts
|
||||
package_facts:
|
||||
manager: apt
|
||||
when: ansible_os_family == 'Debian'
|
||||
when: ansible_os_family == "Debian"
|
||||
|
||||
- name: Proxmox
|
||||
include: Proxmox.yml
|
||||
when: ansible_os_family == 'Debian' and 'pve-manager' in ansible_facts.packages
|
||||
when: ansible_os_family == "Debian" and "pve-manager" in ansible_facts.packages
|
||||
|
||||
- name: Debian
|
||||
include: Debian.yml
|
||||
when: ansible_os_family == 'Debian' and 'pve-manager' not in ansible_facts.packages
|
||||
when: ansible_os_family == "Debian" and "pve-manager" not in ansible_facts.packages
|
||||
|
||||
- name: FreeBSD
|
||||
include: FreeBSD.yml
|
||||
when: ansible_distribution == 'FreeBSD'
|
||||
- name: Setup chrony
|
||||
include: chrony.yml
|
||||
|
|
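Review bot: `Setup chrony` is the only include in this list without a `when:` guard, while `chrony.yml` uses the `apt` module, so on any non-Debian host still in the inventory the play now fails at that include instead of skipping it; `when: ansible_os_family == "Debian"` would match its siblings. I read the `FreeBSD` include as removed together with `FreeBSD.yml`, but the rendering does not mark sides; if it survives, the guard matters even more. `include:` itself is deprecated in favour of `import_tasks`/`include_tasks`, though that predates this change.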
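--- a/roles/common/templates/chrony.conf.j2
+++ b/roles/common/templates/chrony.conf.j2
@@ -0,0 +1,46 @@
+# Welcome to the chrony configuration file. See chrony.conf(5) for more
+# information about usable directives.
+
+{% for srv in ntp_servers %}
+server {{ srv }} iburst
+{% endfor %}
+{% if ntp_peers is defined %}
+
+{% for peer in ntp_peers %}
+peer {{ peer }}
+{% endfor %}
+{% endif %}
+
+{% if ntp_server is defined and ntp_server is true %}
+allow 172.23.0.0/16
+{% endif -%}
+
+# This directive specify the location of the file containing ID/key pairs for
+# NTP authentication.
+keyfile /etc/chrony/chrony.keys
+
+# This directive specify the file into which chronyd will store the rate
+# information.
+driftfile /var/lib/chrony/chrony.drift
+
+# Uncomment the following line to turn logging on.
+#log tracking measurements statistics
+
+# Log files location.
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
+rtcsync
+
+# Step the system clock instead of slewing it if the adjustment is larger than
+# one second, but only in the first three clock updates.
+makestep 1 3
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+# This directive must be commented out when using time sources serving
+# leap-smeared time.
+leapsectz right/UTC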
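Review bot: `keyfile /etc/chrony/chrony.keys` is inert as rendered, because none of the `server {{ srv }} iburst` or `peer {{ peer }}` lines carry a `key` option, so the file suggests authenticated NTP that is not actually in effect; either drop the directive or add `# keyfile is kept for future use: the server/peer lines above are currently unauthenticated` beside it. `allow 172.23.0.0/16` is the one site-specific value hard-coded in a template that is otherwise driven by `ntp_servers`/`ntp_peers`; an `ntp_allow_networks` list looped the same way would keep it in inventory with the rest. `ntp_server is true` only matches a real boolean, so a value written as the string `"yes"` in group_vars silently leaves the `allow` block out — presumably intended, but worth a one-line comment.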
@ -1,19 +0,0 @@
|
|||
#
|
||||
# LDAP Defaults
|
||||
#
|
||||
|
||||
# See ldap.conf(5) for details
|
||||
# This file should be world readable but not world writable.
|
||||
|
||||
BASE {{ ldap_base }}
|
||||
URI {{ ldap_uri }}
|
||||
|
||||
#SIZELIMIT 12
|
||||
#TIMELIMIT 15
|
||||
#DEREF never
|
||||
|
||||
# TLS certificates (needed for GnuTLS)
|
||||
TLS_REQCERT demand
|
||||
TLS_CACERTDIR /etc/ssl/certs
|
||||
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
|
||||
|
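--- a/roles/common/templates/sshd_config.j2
+++ b/roles/common/templates/sshd_config.j2
@@ -0,0 +1,123 @@
+# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin {{ sshd_permit_root_login }}
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication {{ sshd_password_authentication }}
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server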
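Review bot: `Include /etc/ssh/sshd_config.d/*.conf` sits above `PermitRootLogin {{ sshd_permit_root_login }}` and `PasswordAuthentication {{ sshd_password_authentication }}`, and sshd keeps the first value it obtains for a keyword, so any drop-in in that directory (cloud-init, for one, can write there) silently wins over the two values this template exists to enforce. Either move the `Include` below the Authentication block or add `# NOTE: drop-ins in sshd_config.d take precedence over everything below; keep that directory managed too` next to it. `X11Forwarding yes` is switched on for every host the role touches; a variable defaulting to `no`, handled like the two authentication settings, would fit the rest of the template. The `$OpenBSD: sshd_config,v 1.103 2018/04/09` header now labels a managed template rather than the upstream default and is better replaced with `# Managed by Ansible (roles/common/templates/sshd_config.j2); local edits are overwritten`.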
@ -1,4 +1,10 @@
|
|||
---
|
||||
|
||||
- name: Reload systemd
|
||||
systemd: daemon_reload=yes
|
||||
|
||||
- name: Restart coturn
|
||||
service: name=coturn state=restarted
|
||||
|
||||
- name: Run acertmgr
|
||||
command: /usr/bin/acertmgr
|
||||
|
|
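--- a/roles/coturn/meta/main.yml
+++ b/roles/coturn/meta/main.yml
@@ -0,0 +1,4 @@
+---
+
+dependencies:
+- { role: acertmgr }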
@ -3,6 +3,28 @@
|
|||
- name: Install coturn
|
||||
apt: name=coturn
|
||||
|
||||
- name: Create coturn service override directory
|
||||
file: path=/etc/systemd/system/coturn.service.d state=directory
|
||||
|
||||
- name: Configure coturn service override
|
||||
template: src=coturn.override.j2 dest=/etc/systemd/system/coturn.service.d/override.conf
|
||||
notify:
|
||||
- Reload systemd
|
||||
- Restart coturn
|
||||
|
||||
- name: Create gitea directories
|
||||
file: path={{ item }} state=directory owner=turnserver
|
||||
with_items:
|
||||
- /etc/turnserver
|
||||
- /etc/turnserver/certs
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/turnserver/certs/{{ coturn_realm }}.key -out /etc/turnserver/certs/{{ coturn_realm }}.crt -days 730 -subj "/CN={{ coturn_realm }}" creates=/etc/turnserver/certs/{{ coturn_realm }}.crt
|
||||
|
||||
- name: Configure certificate manager
|
||||
template: src=certs.j2 dest=/etc/acertmgr/{{ coturn_realm }}.conf
|
||||
notify: Run acertmgr
|
||||
|
||||
- name: Configure coturn
|
||||
template: src={{ item }}.j2 dest=/etc/{{ item }}
|
||||
with_items:
|
||||
|
|
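Review bot: The bootstrap key written by `Ensure certificates are available` is created by the play's privileged user with whatever mode openssl picks, while `certs.j2` later installs the real key as `turnserver:turnserver` with `perm: '400'`; the directories are owned by `turnserver`, so coturn is evidently meant to run as that user, and until acertmgr succeeds it either cannot read a root-owned key or the key is readable more widely than intended. A `file` task pinning owner and mode on both bootstrap files should follow the openssl command (fence below). `Create gitea directories` is a copy-paste name for what are the turnserver directories; rename it `Create coturn directories`. The `Configure coturn` task at the end of the hunk renders `turnserver.conf`, which carries `static-auth-secret`, with no `mode`; unless one is set on the lines outside the hunk, that file lands world-readable under the default umask and any local user can mint TURN credentials, so `mode=0640 group=turnserver` is warranted. That task's `with_items` continues past the hunk.
```yaml
# … unchanged: Ensure certificates are available task …

- name: Restrict permissions on bootstrap certificate files
  file: path=/etc/turnserver/certs/{{ coturn_realm }}.{{ item }} owner=turnserver group=turnserver mode=0400
  with_items:
    - key
    - crt
```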
15
roles/coturn/templates/certs.j2
Normal file
15
roles/coturn/templates/certs.j2
Normal file
|
@ -0,0 +1,15 @@
|
|||
---
|
||||
|
||||
{{ coturn_realm }}:
|
||||
- path: /etc/turnserver/certs/{{ coturn_realm }}.key
|
||||
user: turnserver
|
||||
group: turnserver
|
||||
perm: '400'
|
||||
format: key
|
||||
action: '/usr/sbin/service coturn restart'
|
||||
- path: /etc/turnserver/certs/{{ coturn_realm }}.crt
|
||||
user: turnserver
|
||||
group: turnserver
|
||||
perm: '400'
|
||||
format: crt,ca
|
||||
action: '/usr/sbin/service coturn restart'
|
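--- a/roles/coturn/templates/coturn.override.j2
+++ b/roles/coturn/templates/coturn.override.j2
@@ -0,0 +1,2 @@
+[Service]
+AmbientCapabilities=CAP_NET_BIND_SERVICE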
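Review bot: `AmbientCapabilities=CAP_NET_BIND_SERVICE` is granted without saying why; the reason is that `coturn.conf.j2` in this compare sets `listening-port=443` and `tls-listening-port=443`, and the packaged unit presumably runs coturn unprivileged, so the coupling deserves a line in the file: `# coturn.conf.j2 listens on 443; the unit runs unprivileged, so it needs the bind capability`. If the ports ever go back above 1024 this override can be removed along with the handler that reloads systemd for it.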
@ -1,52 +1,60 @@
|
|||
# Coturn TURN SERVER configuration file
|
||||
#
|
||||
# Boolean values note: where boolean value is supposed to be used,
|
||||
# you can use '0', 'off', 'no', 'false', 'f' as 'false,
|
||||
# and you can use '1', 'on', 'yes', 'true', 't' as 'true'
|
||||
# If the value is missed, then it means 'true'.
|
||||
# Boolean values note: where a boolean value is supposed to be used,
|
||||
# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
|
||||
# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
|
||||
# If the value is missing, then it means 'true' by default.
|
||||
#
|
||||
|
||||
# Listener interface device (optional, Linux only).
|
||||
# NOT RECOMMENDED.
|
||||
# NOT RECOMMENDED.
|
||||
#
|
||||
#listening-device=eth0
|
||||
|
||||
# TURN listener port for UDP and TCP (Default: 3478).
|
||||
# Note: actually, TLS & DTLS sessions can connect to the
|
||||
# Note: actually, TLS & DTLS sessions can connect to the
|
||||
# "plain" TCP & UDP port(s), too - if allowed by configuration.
|
||||
#
|
||||
#listening-port=3478
|
||||
listening-port=443
|
||||
|
||||
# TURN listener port for TLS (Default: 5349).
|
||||
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
|
||||
# port(s), too - if allowed by configuration. The TURN server
|
||||
# port(s), too - if allowed by configuration. The TURN server
|
||||
# "automatically" recognizes the type of traffic. Actually, two listening
|
||||
# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
|
||||
# functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
|
||||
# For secure TCP connections, we currently support SSL version 3 and
|
||||
# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
|
||||
# For secure TCP connections, Coturn currently supports
|
||||
# TLS version 1.0, 1.1 and 1.2.
|
||||
# For secure UDP connections, we support DTLS version 1.
|
||||
# For secure UDP connections, Coturn supports DTLS version 1.
|
||||
#
|
||||
#tls-listening-port=5349
|
||||
tls-listening-port=443
|
||||
|
||||
# Alternative listening port for UDP and TCP listeners;
|
||||
# default (or zero) value means "listening port plus one".
|
||||
# default (or zero) value means "listening port plus one".
|
||||
# This is needed for RFC 5780 support
|
||||
# (STUN extension specs, NAT behavior discovery). The TURN Server
|
||||
# supports RFC 5780 only if it is started with more than one
|
||||
# (STUN extension specs, NAT behavior discovery). The TURN Server
|
||||
# supports RFC 5780 only if it is started with more than one
|
||||
# listening IP address of the same family (IPv4 or IPv6).
|
||||
# RFC 5780 is supported only by UDP protocol, other protocols
|
||||
# are listening to that endpoint only for "symmetry".
|
||||
#
|
||||
#alt-listening-port=0
|
||||
|
||||
|
||||
# Alternative listening port for TLS and DTLS protocols.
|
||||
# Default (or zero) value means "TLS listening port plus one".
|
||||
#
|
||||
#alt-tls-listening-port=0
|
||||
|
||||
|
||||
# Some network setups will require using a TCP reverse proxy in front
|
||||
# of the STUN server. If the proxy port option is set a single listener
|
||||
# is started on the given port that accepts connections using the
|
||||
# haproxy proxy protocol v2.
|
||||
# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
|
||||
#
|
||||
#tcp-proxy-port=5555
|
||||
|
||||
# Listener IP address of relay server. Multiple listeners can be specified.
|
||||
# If no IP(s) specified in the config file or in the command line options,
|
||||
# If no IP(s) specified in the config file or in the command line options,
|
||||
# then all IPv4 and IPv6 system IPs will be used for listening.
|
||||
#
|
||||
#listening-ip=172.17.19.101
|
||||
|
@ -61,7 +69,7 @@
|
|||
# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
|
||||
#
|
||||
# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
|
||||
#
|
||||
#
|
||||
# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
|
||||
#
|
||||
# There may be multiple aux-server options, each will be used for listening
|
||||
|
@ -73,7 +81,7 @@
|
|||
# (recommended for older Linuxes only)
|
||||
# Automatically balance UDP traffic over auxiliary servers (if configured).
|
||||
# The load balancing is using the ALTERNATE-SERVER mechanism.
|
||||
# The TURN client must support 300 ALTERNATE-SERVER response for this
|
||||
# The TURN client must support 300 ALTERNATE-SERVER response for this
|
||||
# functionality.
|
||||
#
|
||||
#udp-self-balance
|
||||
|
@ -83,13 +91,13 @@
|
|||
#
|
||||
#relay-device=eth1
|
||||
|
||||
# Relay address (the local IP address that will be used to relay the
|
||||
# Relay address (the local IP address that will be used to relay the
|
||||
# packets to the peer).
|
||||
# Multiple relay addresses may be used.
|
||||
# The same IP(s) can be used as both listening IP(s) and relay IP(s).
|
||||
#
|
||||
# If no relay IP(s) specified, then the turnserver will apply the default
|
||||
# policy: it will decide itself which relay addresses to be used, and it
|
||||
# policy: it will decide itself which relay addresses to be used, and it
|
||||
# will always be using the client socket IP address as the relay IP address
|
||||
# of the TURN session (if the requested relay address family is the same
|
||||
# as the family of the client socket).
|
||||
|
@ -112,12 +120,15 @@
|
|||
# that option must be used several times, each entry must
|
||||
# have form "-X <public-ip/private-ip>", to map all involved addresses.
|
||||
# RFC5780 NAT discovery STUN functionality will work correctly,
|
||||
# if the addresses are mapped properly, even when the TURN server itself
|
||||
# if the addresses are mapped properly, even when the TURN server itself
|
||||
# is behind A NAT.
|
||||
#
|
||||
# By default, this value is empty, and no address mapping is used.
|
||||
#
|
||||
#external-ip=60.70.80.91
|
||||
external-ip={{ ansible_default_ipv4.address }}
|
||||
{% if ansible_default_ipv6.address is defined %}
|
||||
external-ip={{ ansible_default_ipv6.address }}
|
||||
{% endif %}
|
||||
#
|
||||
#OR:
|
||||
#
|
||||
|
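Review bot: `external-ip={{ ansible_default_ipv4.address }}` takes the address of the default-route interface, which is the private address whenever the host sits behind NAT — exactly the situation the surrounding comment says `external-ip` exists for, where the `<public-ip>/<private-ip>` mapping form is required; if these hosts are expected to carry their public address on the default interface, say so with `{# hosts carry their public address on the default interface; behind NAT use the public/private mapping form #}`, otherwise make it an inventory variable. The new IPv6 guard `{% if ansible_default_ipv6.address is defined %}` is sound, since `ansible_default_ipv6` is an empty mapping on hosts without a v6 default route and the test then evaluates false.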
@ -127,18 +138,18 @@
|
|||
|
||||
# Number of the relay threads to handle the established connections
|
||||
# (in addition to authentication thread and the listener thread).
|
||||
# If explicitly set to 0 then application runs relay process in a
|
||||
# single thread, in the same thread with the listener process
|
||||
# If explicitly set to 0 then application runs relay process in a
|
||||
# single thread, in the same thread with the listener process
|
||||
# (the authentication thread will still be a separate thread).
|
||||
#
|
||||
# If this parameter is not set, then the default OS-dependent
|
||||
# If this parameter is not set, then the default OS-dependent
|
||||
# thread pattern algorithm will be employed. Usually the default
|
||||
# algorithm is the most optimal, so you have to change this option
|
||||
# only if you want to make some fine tweaks.
|
||||
# algorithm is optimal, so you have to change this option
|
||||
# if you want to make some fine tweaks.
|
||||
#
|
||||
# In the older systems (Linux kernel before 3.9),
|
||||
# the number of UDP threads is always one thread per network listening
|
||||
# endpoint - including the auxiliary endpoints - unless 0 (zero) or
|
||||
# endpoint - including the auxiliary endpoints - unless 0 (zero) or
|
||||
# 1 (one) value is set.
|
||||
#
|
||||
#relay-threads=0
|
||||
|
@ -148,15 +159,15 @@
|
|||
#
|
||||
#min-port=49152
|
||||
#max-port=65535
|
||||
|
||||
|
||||
# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
|
||||
# By default the verbose mode is off.
|
||||
#verbose
|
||||
|
||||
|
||||
# Uncomment to run TURN server in 'extra' verbose mode.
|
||||
# This mode is very annoying and produces lots of output.
|
||||
# Not recommended under any normal circumstances.
|
||||
#
|
||||
# Not recommended under normal circumstances.
|
||||
#
|
||||
#Verbose
|
||||
|
||||
# Uncomment to use fingerprints in the TURN messages.
|
||||
|
@ -169,58 +180,69 @@ fingerprint
|
|||
#
|
||||
#lt-cred-mech
|
||||
|
||||
# This option is opposite to lt-cred-mech.
|
||||
# This option is the opposite of lt-cred-mech.
|
||||
# (TURN Server with no-auth option allows anonymous access).
|
||||
# If neither option is defined, and no users are defined,
|
||||
# then no-auth is default. If at least one user is defined,
|
||||
# in this file or in command line or in usersdb file, then
|
||||
# then no-auth is default. If at least one user is defined,
|
||||
# in this file, in command line or in usersdb file, then
|
||||
# lt-cred-mech is default.
|
||||
#
|
||||
#no-auth
|
||||
|
||||
# Enable prometheus exporter
|
||||
# If enabled the turnserver will expose an endpoint with stats on a prometheus format
|
||||
# this endpoint is listening on a different port to not conflict with other configurations.
|
||||
#
|
||||
# You can simply run the turnserver and access the port 9641 and path /metrics
|
||||
#
|
||||
# For mor info on the prometheus exporter and metrics
|
||||
# https://prometheus.io/docs/introduction/overview/
|
||||
# https://prometheus.io/docs/concepts/data_model/
|
||||
#
|
||||
#prometheus
|
||||
|
||||
# TURN REST API flag.
|
||||
# (Time Limited Long Term Credential)
|
||||
# Flag that sets a special authorization option that is based upon authentication secret.
|
||||
#
|
||||
# This feature's purpose is to support "TURN Server REST API", see
|
||||
# "TURN REST API" link in the project's page
|
||||
# "TURN REST API" link in the project's page
|
||||
# https://github.com/coturn/coturn/
|
||||
#
|
||||
# This option is used with timestamp:
|
||||
#
|
||||
#
|
||||
# usercombo -> "timestamp:userid"
|
||||
# turn user -> usercombo
|
||||
# turn password -> base64(hmac(secret key, usercombo))
|
||||
#
|
||||
# This allows TURN credentials to be accounted for a specific user id.
|
||||
# If you don't have a suitable id, the timestamp alone can be used.
|
||||
# This option is just turning on secret-based authentication.
|
||||
# The actual value of the secret is defined either by option static-auth-secret,
|
||||
# If you don't have a suitable id, then the timestamp alone can be used.
|
||||
# This option is enabled by turning on secret-based authentication.
|
||||
# The actual value of the secret is defined either by the option static-auth-secret,
|
||||
# or can be found in the turn_secret table in the database (see below).
|
||||
#
|
||||
#
|
||||
# Read more about it:
|
||||
# - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
|
||||
# - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
|
||||
#
|
||||
# Be aware that use-auth-secret overrides some part of lt-cred-mech.
|
||||
# Notice that this feature depends internally on lt-cred-mech, so if you set
|
||||
# use-auth-secret then it enables internally automatically lt-cred-mech option
|
||||
# like if you enable both.
|
||||
# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
|
||||
# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
|
||||
# this option then it automatically enables lt-cred-mech internally
|
||||
# as if you had enabled both.
|
||||
#
|
||||
# You can use only one of the to auth mechanisms in the same time because,
|
||||
# both mechanism use the username and password validation in different way.
|
||||
# Note that you can use only one auth mechanism at the same time! This is because,
|
||||
# both mechanisms conduct username and password validation in different ways.
|
||||
#
|
||||
# This way be aware that you can't use both auth mechnaism in the same time!
|
||||
# Use in config either the lt-cred-mech or the use-auth-secret
|
||||
# Use either lt-cred-mech or use-auth-secret in the conf
|
||||
# to avoid any confusion.
|
||||
#
|
||||
use-auth-secret
|
||||
|
||||
# 'Static' authentication secret value (a string) for TURN REST API only.
|
||||
# 'Static' authentication secret value (a string) for TURN REST API only.
|
||||
# If not set, then the turn server
|
||||
# will try to use the 'dynamic' value in turn_secret table
|
||||
# in user database (if present). The database-stored value can be changed on-the-fly
|
||||
# by a separate program, so this is why that other mode is 'dynamic'.
|
||||
# will try to use the 'dynamic' value in the turn_secret table
|
||||
# in the user database (if present). The database-stored value can be changed on-the-fly
|
||||
# by a separate program, so this is why that mode is considered 'dynamic'.
|
||||
#
|
||||
static-auth-secret={{ coturn_secret }}
|
||||
|
||||
|
@ -234,10 +256,10 @@ static-auth-secret={{ coturn_secret }}
|
|||
#
|
||||
#oauth
|
||||
|
||||
# 'Static' user accounts for long term credentials mechanism, only.
|
||||
# 'Static' user accounts for the long term credentials mechanism, only.
|
||||
# This option cannot be used with TURN REST API.
|
||||
# 'Static' user accounts are NOT dynamically checked by the turnserver process,
|
||||
# so that they can NOT be changed while the turnserver is running.
|
||||
# 'Static' user accounts are NOT dynamically checked by the turnserver process,
|
||||
# so they can NOT be changed while the turnserver is running.
|
||||
#
|
||||
#user=username1:key1
|
||||
#user=username2:key2
|
||||
|
@ -255,7 +277,7 @@ static-auth-secret={{ coturn_secret }}
|
|||
# password. If it has 0x then it is a key, otherwise it is a password).
|
||||
#
|
||||
# The corresponding user account entry in the config file will be:
|
||||
#
|
||||
#
|
||||
#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
|
||||
# Or, equivalently, with open clear password (less secure):
|
||||
#user=ninefingers:youhavetoberealistic
|
||||
|
@ -263,83 +285,83 @@ static-auth-secret={{ coturn_secret }}
|
|||
|
||||
# SQLite database file name.
|
||||
#
|
||||
# Default file name is /var/db/turndb or /usr/local/var/db/turndb or
|
||||
# The default file name is /var/db/turndb or /usr/local/var/db/turndb or
|
||||
# /var/lib/turn/turndb.
|
||||
#
|
||||
#
|
||||
#userdb=/var/db/turndb
|
||||
|
||||
# PostgreSQL database connection string in the case that we are using PostgreSQL
|
||||
# PostgreSQL database connection string in the case that you are using PostgreSQL
|
||||
# as the user database.
|
||||
# This database can be used for long-term credential mechanism
|
||||
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
|
||||
# This database can be used for the long-term credential mechanism
|
||||
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
||||
# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
|
||||
# versions connection string format, see
|
||||
# versions connection string format, see
|
||||
# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
|
||||
# for 9.x and newer connection string formats.
|
||||
#
|
||||
#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
|
||||
|
||||
# MySQL database connection string in the case that we are using MySQL
|
||||
# MySQL database connection string in the case that you are using MySQL
|
||||
# as the user database.
|
||||
# This database can be used for long-term credential mechanism
|
||||
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
|
||||
# This database can be used for the long-term credential mechanism
|
||||
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
||||
#
|
||||
# Optional connection string parameters for the secure communications (SSL):
|
||||
# ca, capath, cert, key, cipher
|
||||
# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
|
||||
# Optional connection string parameters for the secure communications (SSL):
|
||||
# ca, capath, cert, key, cipher
|
||||
# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
|
||||
# command options description).
|
||||
#
|
||||
# Use string format as below (space separated parameters, all optional):
|
||||
# Use the string format below (space separated parameters, all optional):
|
||||
#
|
||||
#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
|
||||
|
||||
# If you want to use in the MySQL connection string the password in encrypted format,
|
||||
# then set in this option the MySQL password encryption secret key file.
|
||||
# If you want to use an encrypted password in the MySQL connection string,
|
||||
# then set the MySQL password encryption secret key file with this option.
|
||||
#
|
||||
# Warning: If this option is set, then mysql password must be set in "mysql-userdb" in encrypted format!
|
||||
# If you want to use cleartext password then do not set this option!
|
||||
# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
|
||||
# If you want to use a cleartext password then do not set this option!
|
||||
#
|
||||
# This is the file path which contain secret key of aes encryption while using password encryption.
|
||||
# This is the file path for the aes encrypted secret key used for password encryption.
|
||||
#
|
||||
#secret-key-file=/path/
|
||||
|
||||
# MongoDB database connection string in the case that we are using MongoDB
|
||||
# MongoDB database connection string in the case that you are using MongoDB
|
||||
# as the user database.
|
||||
# This database can be used for long-term credential mechanism
|
||||
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
|
||||
# Use string format is described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
|
||||
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
||||
# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
|
||||
#
|
||||
#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
|
||||
|
||||
# Redis database connection string in the case that we are using Redis
|
||||
# Redis database connection string in the case that you are using Redis
|
||||
# as the user database.
|
||||
# This database can be used for long-term credential mechanism
|
||||
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
|
||||
# Use string format as below (space separated parameters, all optional):
|
||||
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
||||
# Use the string format below (space separated parameters, all optional):
|
||||
#
|
||||
#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
|
||||
|
||||
# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
|
||||
# This database keeps allocations status information, and it can be also used for publishing
|
||||
# and delivering traffic and allocation event notifications.
|
||||
# The connection string has the same parameters as redis-userdb connection string.
|
||||
# Use string format as below (space separated parameters, all optional):
|
||||
# The connection string has the same parameters as redis-userdb connection string.
|
||||
# Use the string format below (space separated parameters, all optional):
|
||||
#
|
||||
#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
|
||||
|
||||
# The default realm to be used for the users when no explicit
|
||||
# origin/realm relationship was found in the database, or if the TURN
|
||||
# The default realm to be used for the users when no explicit
|
||||
# origin/realm relationship is found in the database, or if the TURN
|
||||
# server is not using any database (just the commands-line settings
|
||||
# and the userdb file). Must be used with long-term credentials
|
||||
# and the userdb file). Must be used with long-term credentials
|
||||
# mechanism or with TURN REST API.
|
||||
#
|
||||
# Note: If default realm is not specified at all, then realm falls back to the host domain name.
|
||||
# If domain name is empty string, or '(None)', then it is initialized to am empty string.
|
||||
# Note: If the default realm is not specified, then realm falls back to the host domain name.
|
||||
# If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
|
||||
#
|
||||
realm={{ coturn_realm }}
|
||||
|
||||
# The flag that sets the origin consistency
|
||||
# check: across the session, all requests must have the same
|
||||
# This flag sets the origin consistency
|
||||
# check. Across the session, all requests must have the same
|
||||
# main ORIGIN attribute value (if the ORIGIN was
|
||||
# initially used by the session).
|
||||
#
|
||||
|
@ -359,7 +381,7 @@ realm={{ coturn_realm }}
|
|||
|
||||
# Max bytes-per-second bandwidth a TURN session is allowed to handle
|
||||
# (input and output network streams are treated separately). Anything above
|
||||
# that limit will be dropped or temporary suppressed (within
|
||||
# that limit will be dropped or temporarily suppressed (within
|
||||
# the available buffer limits).
|
||||
# This option can also be set through the database, for a particular realm.
|
||||
#
|
||||
|
@ -380,17 +402,17 @@ realm={{ coturn_realm }}
|
|||
# Uncomment if no TCP client listener is desired.
|
||||
# By default TCP client listener is always started.
|
||||
#
|
||||
no-tcp
|
||||
#no-tcp
|
||||
|
||||
# Uncomment if no TLS client listener is desired.
|
||||
# By default TLS client listener is always started.
|
||||
#
|
||||
no-tls
|
||||
#no-tls
|
||||
|
||||
# Uncomment if no DTLS client listener is desired.
|
||||
# By default DTLS client listener is always started.
|
||||
#
|
||||
no-dtls
|
||||
#no-dtls
|
||||
|
||||
# Uncomment if no UDP relay endpoints are allowed.
|
||||
# By default UDP relay endpoints are enabled (like in RFC 5766).
|
||||
|
@ -403,11 +425,11 @@ no-dtls
|
|||
#no-tcp-relay
|
||||
|
||||
# Uncomment if extra security is desired,
|
||||
# with nonce value having limited lifetime.
|
||||
# By default, the nonce value is unique for a session,
|
||||
# and has unlimited lifetime.
|
||||
# Set this option to limit the nonce lifetime.
|
||||
# It defaults to 600 secs (10 min) if no value is provided. After that delay,
|
||||
# with nonce value having a limited lifetime.
|
||||
# The nonce value is unique for a session.
|
||||
# Set this option to limit the nonce lifetime.
|
||||
# Set it to 0 for unlimited lifetime.
|
||||
# It defaults to 600 secs (10 min) if no value is provided. After that delay,
|
||||
# the client will get 438 error and will have to re-authenticate itself.
|
||||
#
|
||||
#stale-nonce=600
|
||||
|
@ -433,13 +455,14 @@ no-dtls
|
|||
#permission-lifetime=300
|
||||
|
||||
# Certificate file.
|
||||
# Use an absolute path or path relative to the
|
||||
# Use an absolute path or path relative to the
|
||||
# configuration file.
|
||||
# Use PEM file format.
|
||||
#
|
||||
#cert=/usr/local/etc/turn_server_cert.pem
|
||||
|
||||
# Private key file.
|
||||
# Use an absolute path or path relative to the
|
||||
# Use an absolute path or path relative to the
|
||||
# configuration file.
|
||||
# Use PEM file format.
|
||||
#
|
||||
|
@ -455,29 +478,29 @@ no-dtls
|
|||
#
|
||||
#cipher-list="DEFAULT"
|
||||
|
||||
# CA file in OpenSSL format.
|
||||
# CA file in OpenSSL format.
|
||||
# Forces TURN server to verify the client SSL certificates.
|
||||
# By default it is not set: there is no default value and the client
|
||||
# By default this is not set: there is no default value and the client
|
||||
# certificate is not checked.
|
||||
#
|
||||
# Example:
|
||||
#CA-file=/etc/ssh/id_rsa.cert
|
||||
|
||||
# Curve name for EC ciphers, if supported by OpenSSL
|
||||
# library (TLS and DTLS). The default value is prime256v1,
|
||||
# Curve name for EC ciphers, if supported by OpenSSL
|
||||
# library (TLS and DTLS). The default value is prime256v1,
|
||||
# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
|
||||
# an optimal curve will be automatically calculated, if not defined
|
||||
# by this option.
|
||||
#
|
||||
#ec-curve-name=prime256v1
|
||||
|
||||
# Use 566 bits predefined DH TLS key. Default size of the key is 1066.
|
||||
# Use 566 bits predefined DH TLS key. Default size of the key is 2066.
|
||||
#
|
||||
#dh566
|
||||
|
||||
# Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
|
||||
# Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
|
||||
#
|
||||
#dh2066
|
||||
#dh1066
|
||||
|
||||
# Use custom DH TLS key, stored in PEM format in the file.
|
||||
# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
|
||||
|
@ -485,21 +508,21 @@ no-dtls
|
|||
#dh-file=<DH-PEM-file-name>
|
||||
|
||||
# Flag to prevent stdout log messages.
|
||||
# By default, all log messages are going to both stdout and to
|
||||
# the configured log file. With this option everything will be
|
||||
# going to the configured log only (unless the log file itself is stdout).
|
||||
# By default, all log messages go to both stdout and to
|
||||
# the configured log file. With this option everything will
|
||||
# go to the configured log only (unless the log file itself is stdout).
|
||||
#
|
||||
#no-stdout-log
|
||||
|
||||
# Option to set the log file name.
|
||||
# By default, the turnserver tries to open a log file in
|
||||
# /var/log, /var/tmp, /tmp and current directories directories
|
||||
# (which open operation succeeds first that file will be used).
|
||||
# By default, the turnserver tries to open a log file in
|
||||
# /var/log, /var/tmp, /tmp and the current directory
|
||||
# (Whichever file open operation succeeds first will be used).
|
||||
# With this option you can set the definite log file name.
|
||||
# The special names are "stdout" and "-" - they will force everything
|
||||
# The special names are "stdout" and "-" - they will force everything
|
||||
# to the stdout. Also, the "syslog" name will force everything to
|
||||
# the system log (syslog).
|
||||
# In the runtime, the logfile can be reset with the SIGHUP signal
|
||||
# the system log (syslog).
|
||||
# In the runtime, the logfile can be reset with the SIGHUP signal
|
||||
# to the turnserver process.
|
||||
#
|
||||
#log-file=/var/tmp/turn.log
|
||||
|
@ -514,41 +537,51 @@ syslog
|
|||
#
|
||||
#simple-log
|
||||
|
||||
# Enable full ISO-8601 timestamp in all logs.
|
||||
#new-log-timestamp
|
||||
|
||||
# Set timestamp format (in strftime(1) format)
|
||||
#new-log-timestamp-format "%FT%T%z"
|
||||
|
||||
# Disabled by default binding logging in verbose log mode to avoid DoS attacks.
|
||||
# Enable binding logging and UDP endpoint logs in verbose log mode.
|
||||
#log-binding
|
||||
|
||||
# Option to set the "redirection" mode. The value of this option
|
||||
# will be the address of the alternate server for UDP & TCP service in form of
|
||||
# will be the address of the alternate server for UDP & TCP service in the form of
|
||||
# <ip>[:<port>]. The server will send this value in the attribute
|
||||
# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
|
||||
# Client will receive only values with the same address family
|
||||
# as the client network endpoint address family.
|
||||
# See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description.
|
||||
# as the client network endpoint address family.
|
||||
# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality.
|
||||
# The client must use the obtained value for subsequent TURN communications.
|
||||
# If more than one --alternate-server options are provided, then the functionality
|
||||
# can be more accurately described as "load-balancing" than a mere "redirection".
|
||||
# If the port number is omitted, then the default port
|
||||
# If more than one --alternate-server option is provided, then the functionality
|
||||
# can be more accurately described as "load-balancing" than a mere "redirection".
|
||||
# If the port number is omitted, then the default port
|
||||
# number 3478 for the UDP/TCP protocols will be used.
|
||||
# Colon (:) characters in IPv6 addresses may conflict with the syntax of
|
||||
# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
|
||||
# in square brackets in such resource identifiers, for example:
|
||||
# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
|
||||
# Colon (:) characters in IPv6 addresses may conflict with the syntax of
|
||||
# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
|
||||
# in square brackets in such resource identifiers, for example:
|
||||
# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
|
||||
# Multiple alternate servers can be set. They will be used in the
|
||||
# round-robin manner. All servers in the pool are considered of equal weight and
|
||||
# the load will be distributed equally. For example, if we have 4 alternate servers,
|
||||
# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
|
||||
# address can be used more than one time with the alternate-server option, so this
|
||||
# round-robin manner. All servers in the pool are considered of equal weight and
|
||||
# the load will be distributed equally. For example, if you have 4 alternate servers,
|
||||
# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
|
||||
# address can be used more than one time with the alternate-server option, so this
|
||||
# can emulate "weighting" of the servers.
|
||||
#
|
||||
# Examples:
|
||||
# Examples:
|
||||
#alternate-server=1.2.3.4:5678
|
||||
#alternate-server=11.22.33.44:56789
|
||||
#alternate-server=5.6.7.8
|
||||
#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
|
||||
|
||||
# Option to set alternative server for TLS & DTLS services in form of
|
||||
# <ip>:<port>. If the port number is omitted, then the default port
|
||||
# number 5349 for the TLS/DTLS protocols will be used. See the previous
|
||||
|
||||
# Option to set alternative server for TLS & DTLS services in form of
|
||||
# <ip>:<port>. If the port number is omitted, then the default port
|
||||
# number 5349 for the TLS/DTLS protocols will be used. See the previous
|
||||
# option for the functionality description.
|
||||
#
|
||||
# Examples:
|
||||
# Examples:
|
||||
#tls-alternate-server=1.2.3.4:5678
|
||||
#tls-alternate-server=11.22.33.44:56789
|
||||
#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
|
||||
|
@ -559,6 +592,15 @@ syslog
|
|||
#
|
||||
#stun-only
|
||||
|
||||
# Option to hide software version. Enhance security when used in production.
|
||||
# Revealing the specific software version of the agent through the
|
||||
# SOFTWARE attribute might allow them to become more vulnerable to
|
||||
# attacks against software that is known to contain security holes.
|
||||
# Implementers SHOULD make usage of the SOFTWARE attribute a
|
||||
# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
|
||||
#
|
||||
#no-software-attribute
|
||||
|
||||
# Option to suppress STUN functionality, only TURN requests will be processed.
|
||||
# Run as TURN server only, all STUN requests will be ignored.
|
||||
# By default, this option is NOT set.
|
||||
|
@ -567,7 +609,7 @@ syslog
|
|||
|
||||
# This is the timestamp/username separator symbol (character) in TURN REST API.
|
||||
# The default value is ':'.
|
||||
# rest-api-separator=:
|
||||
# rest-api-separator=:
|
||||
|
||||
# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
|
||||
# This is an extra security measure.
|
||||
|
@ -575,9 +617,9 @@ syslog
|
|||
# (To avoid any security issue that allowing loopback access may raise,
|
||||
# the no-loopback-peers option is replaced by allow-loopback-peers.)
|
||||
#
|
||||
# Allow it only for testing in a development environment!
|
||||
# In production it adds a possible security vulnerability, so for security reasons
|
||||
# it is not allowed using it together with empty cli-password.
|
||||
# Allow it only for testing in a development environment!
|
||||
# In production it adds a possible security vulnerability, so for security reasons
|
||||
# it is not allowed using it together with empty cli-password.
|
||||
#
|
||||
#allow-loopback-peers
|
||||
|
||||
|
@ -586,18 +628,18 @@ syslog
|
|||
#
|
||||
no-multicast-peers
|
||||
|
||||
# Option to set the max time, in seconds, allowed for full allocation establishment.
|
||||
# Option to set the max time, in seconds, allowed for full allocation establishment.
|
||||
# Default is 60 seconds.
|
||||
#
|
||||
#max-allocate-timeout=60
|
||||
|
||||
# Option to allow or ban specific ip addresses or ranges of ip addresses.
|
||||
# If an ip address is specified as both allowed and denied, then the ip address is
|
||||
# considered to be allowed. This is useful when you wish to ban a range of ip
|
||||
# Option to allow or ban specific ip addresses or ranges of ip addresses.
|
||||
# If an ip address is specified as both allowed and denied, then the ip address is
|
||||
# considered to be allowed. This is useful when you wish to ban a range of ip
|
||||
# addresses, except for a few specific ips within that range.
|
||||
#
|
||||
# This can be used when you do not want users of the turn server to be able to access
|
||||
# machines reachable by the turn server, but would otherwise be unreachable from the
|
||||
# machines reachable by the turn server, but would otherwise be unreachable from the
|
||||
# internet (e.g. when the turn server is sitting behind a NAT)
|
||||
#
|
||||
# Examples:
|
||||
|
@ -619,22 +661,22 @@ no-multicast-peers
|
|||
#
|
||||
mobility
|
||||
|
||||
# Allocate Address Family according
|
||||
# If enabled then TURN server allocates address family according the TURN
|
||||
# Allocate Address Family according
|
||||
# If enabled then TURN server allocates address family according the TURN
|
||||
# Client <=> Server communication address family.
|
||||
# (By default coTURN works according RFC 6156.)
|
||||
# (By default Coturn works according RFC 6156.)
|
||||
# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
|
||||
#
|
||||
#keep-address-family
|
||||
|
||||
|
||||
# User name to run the process. After the initialization, the turnserver process
|
||||
# will make an attempt to change the current user ID to that user.
|
||||
# will attempt to change the current user ID to that user.
|
||||
#
|
||||
#proc-user=<user-name>
|
||||
|
||||
# Group name to run the process. After the initialization, the turnserver process
|
||||
# will make an attempt to change the current group ID to that group.
|
||||
# will attempt to change the current group ID to that group.
|
||||
#
|
||||
#proc-group=<group-name>
|
||||
|
||||
|
@ -654,8 +696,8 @@ mobility
|
|||
#cli-port=5766
|
||||
|
||||
# CLI access password. Default is empty (no password).
|
||||
# For the security reasons, it is recommended to use the encrypted
|
||||
# for of the password (see the -P command in the turnadmin utility).
|
||||
# For the security reasons, it is recommended that you use the encrypted
|
||||
# form of the password (see the -P command in the turnadmin utility).
|
||||
#
|
||||
# Secure form for password 'qwerty':
|
||||
#
|
||||
|
@ -684,10 +726,14 @@ mobility
|
|||
#
|
||||
#web-admin-listen-on-workers
|
||||
|
||||
# Server relay. NON-STANDARD AND DANGEROUS OPTION.
|
||||
# Only for those applications when we want to run
|
||||
#acme-redirect=http://redirectserver/.well-known/acme-challenge/
|
||||
# Redirect ACME, i.e. HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' to '<URL>$1'.
|
||||
# Default is '', i.e. no special handling for such requests.
|
||||
|
||||
# Server relay. NON-STANDARD AND DANGEROUS OPTION.
|
||||
# Only for those applications when you want to run
|
||||
# server applications on the relay endpoints.
|
||||
# This option eliminates the IP permissions check on
|
||||
# This option eliminates the IP permissions check on
|
||||
# the packets incoming to the relay endpoints.
|
||||
#
|
||||
#server-relay
|
||||
|
@ -703,6 +749,6 @@ mobility
|
|||
|
||||
# Do not allow an TLS/DTLS version of protocol
|
||||
#
|
||||
no-tlsv1
|
||||
no-tlsv1_1
|
||||
no-tlsv1_2
|
||||
#no-tlsv1
|
||||
#no-tlsv1_1
|
||||
#no-tlsv1_2
|
||||
|
|
|
@ -3,10 +3,12 @@
|
|||
#
|
||||
|
||||
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
|
||||
#DHCPD_CONF=/etc/dhcp/dhcpd.conf
|
||||
#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
|
||||
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
|
||||
|
||||
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
|
||||
#DHCPD_PID=/var/run/dhcpd.pid
|
||||
#DHCPDv4_PID=/var/run/dhcpd.pid
|
||||
#DHCPDv6_PID=/var/run/dhcpd6.pid
|
||||
|
||||
# Additional options to start dhcpd with.
|
||||
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
|
||||
|
@ -14,4 +16,6 @@
|
|||
|
||||
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
|
||||
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
|
||||
INTERFACES="eth0"
|
||||
INTERFACESv4="{{ ansible_default_ipv4['interface'] }}"
|
||||
INTERFACESv6=""
|
||||
INTERFACES="{{ ansible_default_ipv4['interface'] }}"
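Review bot: `INTERFACESv4` (and the legacy `INTERFACES`) are derived from `ansible_default_ipv4['interface']`, i.e. whichever interface carries the host's default route; on a multi-homed DHCP server that is often the uplink rather than the LAN segment the server should answer on, and the template fails to render at all on a host with no default IPv4 route. A dedicated role variable, e.g. `INTERFACESv4="{{ dhcpd_interfaces | join(' ') }}"`, makes the listening interfaces explicit and reviewable. Keeping both the new `INTERFACESv4` and the old `INTERFACES` variable is presumably for older init scripts; a one-line comment saying so would stop the next maintainer from deleting one of them.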
|
||||
|
|
|
@ -3,13 +3,24 @@
|
|||
# option definitions common to all supported networks...
|
||||
option domain-name "binary.kitchen";
|
||||
option domain-name-servers {{ name_servers | join(', ') }};
|
||||
option domain-search "binary.kitchen";
|
||||
option ntp-servers 172.23.1.60, 172.23.2.3;
|
||||
|
||||
# options related to Mitel SIP-DECT
|
||||
option space sipdect;
|
||||
option local-encapsulation code 43 = encapsulate sipdect;
|
||||
option sipdect.ommip1 code 10 = ip-address;
|
||||
option sipdect.ommip2 code 19 = ip-address;
|
||||
option sipdect.syslogip code 14 = ip-address;
|
||||
option sipdect.syslogport code 15 = integer 16;
|
||||
option magic_str code 224 = text;
|
||||
|
||||
default-lease-time 7200;
|
||||
max-lease-time 28800;
|
||||
|
||||
# Use this to enble / disable dynamic dns updates globally.
|
||||
ddns-update-style none;
|
||||
ddns-update-style interim;
|
||||
ddns-updates on;
|
||||
|
||||
# If this DHCP server is the official DHCP server for the local
|
||||
# network, the authoritative directive should be uncommented.
|
||||
|
@ -61,6 +72,8 @@ subnet 172.23.2.0 netmask 255.255.255.0 {
|
|||
# Users
|
||||
subnet 172.23.3.0 netmask 255.255.255.0 {
|
||||
option routers 172.23.3.1;
|
||||
ddns-domainname "users.binary.kitchen";
|
||||
option domain-search "binary.kitchen", "users.binary.kitchen";
|
||||
pool {
|
||||
{% if dhcpd_failover == true %}
|
||||
failover peer "failover-partner";
|
||||
|
@ -80,6 +93,47 @@ subnet 172.23.4.0 netmask 255.255.255.0 {
|
|||
}
|
||||
}
|
||||
|
||||
# Management Auweg
|
||||
subnet 172.23.12.0 netmask 255.255.255.0 {
|
||||
option routers 172.23.12.1;
|
||||
}
|
||||
|
||||
# Services Auweg
|
||||
subnet 172.23.13.0 netmask 255.255.255.0 {
|
||||
allow bootp;
|
||||
option routers 172.23.13.1;
|
||||
}
|
||||
|
||||
# Users Auweg
|
||||
subnet 172.23.14.0 netmask 255.255.255.0 {
|
||||
option routers 172.23.14.1;
|
||||
ddns-domainname "users.binary.kitchen";
|
||||
option domain-search "binary.kitchen", "users.binary.kitchen";
|
||||
pool {
|
||||
{% if dhcpd_failover == true %}
|
||||
failover peer "failover-partner";
|
||||
{% endif %}
|
||||
range 172.23.14.10 172.23.14.230;
|
||||
}
|
||||
}
|
||||
|
||||
# MQTT Auweg
|
||||
subnet 172.23.15.0 netmask 255.255.255.0 {
|
||||
option routers 172.23.15.1;
|
||||
pool {
|
||||
{% if dhcpd_failover == true %}
|
||||
failover peer "failover-partner";
|
||||
{% endif %}
|
||||
range 172.23.15.10 172.23.15.240;
|
||||
}
|
||||
}
|
||||
|
||||
# DDNS zones
|
||||
|
||||
zone users.binary.kitchen {
|
||||
primary {{ dns_primary }};
|
||||
}
|
||||
|
||||
|
||||
# Fixed IPs
|
||||
|
||||
|
@ -98,34 +152,44 @@ host ap05 {
|
|||
fixed-address ap05.binary.kitchen;
|
||||
}
|
||||
|
||||
host ap06 {
|
||||
hardware ethernet 94:b4:0f:c0:1d:a0;
|
||||
fixed-address ap06.binary.kitchen;
|
||||
}
|
||||
|
||||
host ap11 {
|
||||
hardware ethernet 18:64:72:c6:c2:0c;
|
||||
fixed-address ap11.binary.kitchen;
|
||||
}
|
||||
|
||||
host ap12 {
|
||||
hardware ethernet 18:64:72:c6:c4:98;
|
||||
fixed-address ap12.binary.kitchen;
|
||||
}
|
||||
|
||||
host bowle {
|
||||
hardware ethernet ac:1f:6b:25:16:b6;
|
||||
fixed-address bowle.binary.kitchen;
|
||||
}
|
||||
|
||||
host cannelloni {
|
||||
hardware ethernet 00:10:f3:15:88:ac;
|
||||
hardware ethernet b8:27:eb:18:5c:11;
|
||||
fixed-address cannelloni.binary.kitchen;
|
||||
}
|
||||
|
||||
host cashdesk {
|
||||
hardware ethernet 00:0b:ca:94:13:f1;
|
||||
fixed-address cashdesk.binary.kitchen;
|
||||
}
|
||||
|
||||
host fusilli {
|
||||
hardware ethernet b8:27:eb:1d:b9:bf;
|
||||
fixed-address fusilli.binary.kitchen;
|
||||
}
|
||||
|
||||
host garlic {
|
||||
hardware ethernet b8:27:eb:56:2b:7c;
|
||||
fixed-address garlic.binary.kitchen;
|
||||
host habdisplay1 {
|
||||
hardware ethernet b8:27:eb:b6:62:be;
|
||||
fixed-address habdisplay1.mqtt.binary.kitchen;
|
||||
}
|
||||
|
||||
host homer {
|
||||
hardware ethernet b8:27:eb:24:b2:12;
|
||||
fixed-address homer.binary.kitchen;
|
||||
host habdisplay2 {
|
||||
hardware ethernet b8:27:eb:df:0b:7b;
|
||||
fixed-address habdisplay2.mqtt.binary.kitchen;
|
||||
}
|
||||
|
||||
host klopi {
|
||||
|
@ -139,7 +203,7 @@ host lock {
|
|||
}
|
||||
|
||||
host maccaroni {
|
||||
hardware ethernet b8:27:eb:18:5c:11;
|
||||
hardware ethernet b8:27:eb:f5:9e:a1;
|
||||
fixed-address maccaroni.binary.kitchen;
|
||||
}
|
||||
|
||||
|
@ -159,22 +223,22 @@ host mpcnc {
|
|||
}
|
||||
|
||||
host noodlehub {
|
||||
hardware ethernet b8:27:eb:eb:e5:88;
|
||||
hardware ethernet b8:27:eb:56:2b:7c;
|
||||
fixed-address noodlehub.binary.kitchen;
|
||||
}
|
||||
|
||||
host openhabgw1 {
|
||||
hardware ethernet dc:a6:32:bf:e2:3e;
|
||||
fixed-address openhabgw1.mqtt.binary.kitchen;
|
||||
}
|
||||
|
||||
host pizza {
|
||||
hardware ethernet 52:54:00:17:02:21;
|
||||
fixed-address pizza.binary.kitchen;
|
||||
}
|
||||
|
||||
host punsch {
|
||||
hardware ethernet 00:21:85:1b:7f:3d;
|
||||
fixed-address punsch.binary.kitchen;
|
||||
}
|
||||
|
||||
host spaghetti {
|
||||
hardware ethernet b8:27:eb:e3:e9:f1;
|
||||
hardware ethernet b8:27:eb:eb:e5:88;
|
||||
fixed-address spaghetti.binary.kitchen;
|
||||
}
|
||||
|
||||
|
@ -217,6 +281,34 @@ host voip04 {
|
|||
}
|
||||
|
||||
|
||||
# Mitel SIP-DECT
|
||||
|
||||
host rfp01 {
|
||||
hardware ethernet 00:30:42:1B:73:5A;
|
||||
fixed-address 172.23.1.111;
|
||||
option host-name "rfp01";
|
||||
option sipdect.ommip1 172.23.2.35;
|
||||
option magic_str = "OpenMobilitySIP-DECT";
|
||||
}
|
||||
|
||||
host rfp02 {
|
||||
hardware ethernet 00:30:42:21:D4:D5;
|
||||
fixed-address 172.23.1.112;
|
||||
option host-name "rfp02";
|
||||
option sipdect.ommip1 172.23.2.35;
|
||||
option magic_str = "OpenMobilitySIP-DECT";
|
||||
}
|
||||
|
||||
host rfp11 {
|
||||
hardware ethernet 00:30:42:1B:8B:9B;
|
||||
fixed-address 172.23.12.111;
|
||||
option host-name "rfp11";
|
||||
option sipdect.ommip1 172.23.2.35;
|
||||
option magic_str = "OpenMobilitySIP-DECT";
|
||||
}
|
||||
|
||||
|
||||
|
||||
# OMAPI
|
||||
|
||||
omapi-port 7911;
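Review bot: The new `zone users.binary.kitchen { primary {{ dns_primary }}; }` block carries no `key` statement, so with `ddns-updates on` dhcpd sends unsigned dynamic updates, and the only thing between an attacker on the network and arbitrary records in that zone is the server-side update policy. Declare a TSIG key and reference it, e.g. `key dhcpupdate { algorithm hmac-sha256; secret "{{ dhcpd_ddns_key }}"; }` at the top and `key dhcpupdate;` inside the zone block, and have the name server require that key for updates. The `allow bootp;` added to the 172.23.13.0/24 services subnet widens the attack surface of a segment that otherwise has no dynamic pool; if a specific device needs it, a comment naming that device would help. `omapi-port 7911;` is unchanged context, but no `omapi-key` is visible in this view; confirm one exists, since OMAPI without a key gives anyone who can reach that port control over the lease database.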
|
||||
|
|
|
@ -5,11 +5,21 @@
|
|||
name:
|
||||
- pdns-server
|
||||
- pdns-backend-sqlite3
|
||||
- sqlite3
|
||||
|
||||
- name: Configure powerdns
|
||||
template: src=pdns.conf.j2 dest=/etc/powerdns/pdns.conf
|
||||
notify: Restart powerdns
|
||||
|
||||
- name: Initialize database
|
||||
command:
|
||||
cmd: >
|
||||
sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
|
||||
/var/lib/powerdns/powerdns.sqlite3
|
||||
creates: /var/lib/powerdns/powerdns.sqlite3
|
||||
become: true
|
||||
become_user: pdns
|
||||
|
||||
- name: Copy update policy script
|
||||
copy: src=updatepolicy.lua dest=/etc/powerdns/updatepolicy.lua
|
||||
notify: Restart powerdns
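Review bot: The `Initialize database` task guards on `creates: /var/lib/powerdns/powerdns.sqlite3`, but `sqlite3` creates that file as soon as it opens it, before the `-init` script has run; if the schema load fails partway the file exists, every later run is skipped, and pdns starts against an empty or half-built database. Initialise into a temporary path with `-bail` and rename it into place only on success, as sketched below, so a failed run leaves nothing behind for `creates` to trip over. The database and `/etc/powerdns/pdns.conf` are both written without an explicit mode; pdns.conf may carry API or webserver credentials (not visible here), so add `mode: '0640'` and `group: pdns` to the template task and verify the sqlite file is not world-readable.
```yaml
- name: Initialize database
  shell: >
    sqlite3 -bail /var/lib/powerdns/powerdns.sqlite3.new
    < /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
    && mv /var/lib/powerdns/powerdns.sqlite3.new /var/lib/powerdns/powerdns.sqlite3
  args:
    creates: /var/lib/powerdns/powerdns.sqlite3
  become: true
  become_user: pdns
# … unchanged: Copy update policy script …
```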
|
||||
|
|
|
@ -11,3 +11,4 @@ allow-axfr-ips=127.0.0.1,::1{% if dns_axfr_ips is defined %},{{ dns_axfr_ips | j
|
|||
{% endif %}
|
||||
allow-dnsupdate-from=0.0.0.0/0,::/0
|
||||
lua-dnsupdate-policy-script=/etc/powerdns/updatepolicy.lua
|
||||
security-poll-suffix=
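Review bot: `allow-dnsupdate-from=0.0.0.0/0,::/0` accepts RFC 2136 updates from any address and leaves the Lua policy script (not in this view) as the single control; a bug or an over-permissive rule in that script then exposes the zone to anyone who can reach port 53. Restrict the source ACL to the hosts that actually send updates, e.g. `allow-dnsupdate-from={{ dns_update_sources | join(',') }}` populated with the DHCP server addresses, and require a TSIG key in the policy so the ACL and the signature back each other up. These settings only take effect with `dnsupdate=yes`, which is outside this hunk; confirm it is set. `security-poll-suffix=` turns off PowerDNS's upstream security-status polling, which is a legitimate choice for an isolated network, but record it with a comment such as `# security polling disabled; track PowerDNS advisories manually` so the version still gets monitored.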
|
||||
|
|
|
@ -5,3 +5,6 @@
|
|||
with_items:
|
||||
- pdns
|
||||
- pdns-recursor
|
||||
|
||||
- name: Restart dnsdist
|
||||
service: name=dnsdist state=restarted
|
||||
|
|
|
@ -3,8 +3,11 @@
|
|||
- name: Install powerdns
|
||||
apt:
|
||||
name:
|
||||
- dnsdist
|
||||
- pdns-backend-sqlite3
|
||||
- pdns-server
|
||||
- pdns-recursor
|
||||
- sqlite3
|
||||
|
||||
- name: Create zone directory
|
||||
file: path=/etc/powerdns/bind/ state=directory
|
||||
|
@ -19,8 +22,28 @@
|
|||
- bind/23.172.in-addr.arpa.zone
|
||||
- bind/binary.kitchen.zone
|
||||
|
||||
- name: Initialize database
|
||||
command:
|
||||
cmd: >
|
||||
sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
|
||||
/var/lib/powerdns/pdns.sqlite3
|
||||
creates: /var/lib/powerdns/pdns.sqlite3
|
||||
become: true
|
||||
become_user: pdns
|
||||
|
||||
# TODO
|
||||
# Initialize zone users.binary.kitchen using pdnsutil or SQL on the master
|
||||
|
||||
# TODO
|
||||
# Initialize zone users.binary.kitchen using "pdnsutil create-slave-zone users.binary.kitchen 172.23.2.3" on the slave
|
||||
|
||||
- name: Configure dnsdist
|
||||
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
|
||||
notify: Restart dnsdist
|
||||
|
||||
- name: Start the powerdns services
|
||||
service: name={{ item }} state=started enabled=yes
|
||||
with_items:
|
||||
- dnsdist
|
||||
- pdns
|
||||
- pdns-recursor
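Review bot: This role initialises `/var/lib/powerdns/pdns.sqlite3` while the sibling powerdns role in the same change uses `/var/lib/powerdns/powerdns.sqlite3`; if the two hosts share a `pdns.conf.j2` with one `gsqlite3-database` value, one of them will start against an uninitialised database, so either pick one name (ideally a shared variable such as `pdns_sqlite_db`) or state in a comment why they differ. The two `# TODO` blocks leave creation of `users.binary.kitchen` as a manual step; on the secondary the command is already known, so it can become a task like `command: pdnsutil create-slave-zone users.binary.kitchen {{ dns_primary }}` guarded by a `pdnsutil list-zone` check, reusing the `dns_primary` variable the dhcpd template already consumes instead of the literal `172.23.2.3`. `dnsdist.conf` is templated without a mode; dnsdist configurations commonly hold `setKey()` console and webserver secrets, so set `mode: '0640'` on that template task if this one does.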
|
||||
|
|
|
@ -1,52 +1,55 @@
|
|||
$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
|
||||
$TTL 1h ; default time-to-live
|
||||
@ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
|
||||
2020051101; serial
|
||||
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
|
||||
2022071600; serial
|
||||
1d; refresh
|
||||
2h; retry
|
||||
4w; expire
|
||||
1h; minimum time-to-live
|
||||
)
|
||||
IN NS ns.binary.kitchen.
|
||||
IN NS ns1.binary.kitchen.
|
||||
IN NS ns2.binary.kitchen.
|
||||
; Loopback
|
||||
1.0 IN PTR core.binary.kitchen.
|
||||
2.0 IN PTR erx-bk.binary.kitchen.
|
||||
3.0 IN PTR erx-rz.binary.kitchen.
|
||||
4.0 IN PTR pf-bk.binary.kitchen.
|
||||
5.0 IN PTR pf-rz.binary.kitchen.
|
||||
4.0 IN PTR erx-auweg.binary.kitchen.
|
||||
; Management
|
||||
1.1 IN PTR v2301.core.binary.kitchen.
|
||||
11.1 IN PTR ups1.binary.kitchen.
|
||||
21.1 IN PTR pdu1.binary.kitchen.
|
||||
22.1 IN PTR pdu2.binary.kitchen.
|
||||
23.1 IN PTR pdu3.binary.kitchen.
|
||||
31.1 IN PTR sw01.binary.kitchen.
|
||||
32.1 IN PTR sw02.binary.kitchen.
|
||||
33.1 IN PTR sw03.binary.kitchen.
|
||||
31.1 IN PTR sw-butchery.binary.kitchen.
|
||||
32.1 IN PTR sw-mini.binary.kitchen.
|
||||
33.1 IN PTR sw-rack.binary.kitchen.
|
||||
41.1 IN PTR ap01.binary.kitchen.
|
||||
42.1 IN PTR ap02.binary.kitchen.
|
||||
43.1 IN PTR ap03.binary.kitchen.
|
||||
44.1 IN PTR ap04.binary.kitchen.
|
||||
45.1 IN PTR ap05.binary.kitchen.
|
||||
46.1 IN PTR ap06.binary.kitchen.
|
||||
51.1 IN PTR modem.binary.kitchen.
|
||||
60.1 IN PTR wurst.binary.kitchen.
|
||||
80.1 IN PTR wurst-bmc.binary.kitchen.
|
||||
82.1 IN PTR bowle-bmc.binary.kitchen.
|
||||
101.1 IN PTR nbe-w13b.binary.kitchen.
|
||||
102.1 IN PTR nbe-tr8.binary.kitchen.
|
||||
111.1 IN PTR rfp01.binary.kitchen.
|
||||
112.1 IN PTR rfp02.binary.kitchen.
|
||||
; Services
|
||||
1.2 IN PTR v2302.core.binary.kitchen.
|
||||
2.2 IN PTR ns.binary.kitchen.
|
||||
3.2 IN PTR bacon.binary.kitchen.
|
||||
4.2 IN PTR aveta.binary.kitchen.
|
||||
5.2 IN PTR sulis.binary.kitchen.
|
||||
6.2 IN PTR nabia.binary.kitchen.
|
||||
11.2 IN PTR homer.binary.kitchen.
|
||||
7.2 IN PTR epona.binary.kitchen.
|
||||
12.2 IN PTR lock.binary.kitchen.
|
||||
13.2 IN PTR matrix.binary.kitchen.
|
||||
33.2 IN PTR pizza.binary.kitchen.
|
||||
34.2 IN PTR pancake.binary.kitchen.
|
||||
35.2 IN PTR knoedel.binary.kitchen.
|
||||
36.2 IN PTR schweinshaxn.binary.kitchen.
|
||||
44.2 IN PTR cashdesk.binary.kitchen.
|
||||
37.2 IN PTR bob.binary.kitchen.
|
||||
62.2 IN PTR bowle.binary.kitchen.
|
||||
91.2 IN PTR strammermax.binary.kitchen.
|
||||
92.2 IN PTR obatzda.binary.kitchen.
|
||||
|
@ -56,32 +59,47 @@ $GENERATE 10-230 $.3 IN PTR dhcp-${0,3,d}-03.binary.kitchen.
|
|||
240.3 IN PTR fusilli.binary.kitchen.
|
||||
241.3 IN PTR klopi.binary.kitchen.
|
||||
242.3 IN PTR mpcnc.binary.kitchen.
|
||||
243.3 IN PTR garlic.binary.kitchen.
|
||||
244.3 IN PTR mirror.binary.kitchen.
|
||||
245.3 IN PTR spaghetti.binary.kitchen.
|
||||
246.3 IN PTR maccaroni.binary.kitchen.
|
||||
247.3 IN PTR pve02-bmc.tmp.binary.kitchen.
|
||||
248.3 IN PTR pve02.tmp.binary.kitchen.
|
||||
249.3 IN PTR ffrgb.binary.kitchen.
|
||||
250.3 IN PTR cannelloni.binary.kitchen.
|
||||
251.3 IN PTR noodlehub.binary.kitchen.
|
||||
; MQTT
|
||||
1.4 IN PTR v2304.core.binary.kitchen.
|
||||
6.4 IN PTR pizza.mqtt.binary.kitchen.
|
||||
$GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
|
||||
241.4 IN PTR habdisplay1.mqtt.binary.kitchen.
|
||||
242.4 IN PTR habdisplay2.mqtt.binary.kitchen.
|
||||
245.4 IN PTR logo1.mqtt.binary.kitchen.
|
||||
246.4 IN PTR logo2.mqtt.binary.kitchen.
|
||||
250.4 IN PTR moodlights1.mqtt.binary.kitchen.
|
||||
251.4 IN PTR openhabgw1.mqtt.binary.kitchen.
|
||||
252.4 IN PTR homematic-ccu2.mqtt.binary.kitchen.
|
||||
; Management RZ
|
||||
1.9 IN PTR switch0.erx-rz.binary.kitchen.
|
||||
61.9 IN PTR salat.binary.kitchen.
|
||||
81.9 IN PTR salat-bmc.binary.kitchen.
|
||||
; Services RZ
|
||||
23.8 IN PTR cernunnos.binary.kitchen.
|
||||
; VPN RZ (ER-X)
|
||||
1.10 IN PTR wg1.erx-rz.binary.kitchen.
|
||||
1.10 IN PTR wg0.erx-rz.binary.kitchen.
|
||||
$GENERATE 2-254 $.10 IN PTR vpn-${0,3,d}-10.binary.kitchen.
|
||||
; VPN RZ (pf)
|
||||
$GENERATE 2-254 $.11 IN PTR vpn-${0,3,d}-11.binary.kitchen.
|
||||
; Management Auweg
|
||||
31.12 IN PTR sw-auweg.binary.kitchen.
|
||||
41.12 IN PTR ap11.binary.kitchen.
|
||||
42.12 IN PTR ap12.binary.kitchen.
|
||||
61.12 IN PTR weizen.binary.kitchen.
|
||||
111.12 IN PTR rfp11.binary.kitchen.
|
||||
; Services Auweg
|
||||
3.13 IN PTR aeron.binary.kitchen.
|
||||
12.13 IN PTR lock-auweg.binary.kitchen.
|
||||
; Clients Auweg
|
||||
$GENERATE 10-230 $.14 IN PTR dhcp-${0,3,d}-14.binary.kitchen.
|
||||
; MQTT
|
||||
$GENERATE 10-240 $.15 IN PTR dhcp-${0,3,d}-15.binary.kitchen.
|
||||
; Point-to-Point
|
||||
1.96 IN PTR v400.erx-bk.binary.kitchen.
|
||||
2.96 IN PTR v400.core.binary.kitchen.
|
||||
1.97 IN PTR wg0.erx-rz.binary.kitchen.
|
||||
2.97 IN PTR wg0.erx-bk.binary.kitchen.
|
||||
1.97 IN PTR wg1.erx-rz.binary.kitchen.
|
||||
2.97 IN PTR wg1.erx-bk.binary.kitchen.
|
||||
5.97 IN PTR wg2.erx-rz.binary.kitchen.
|
||||
6.97 IN PTR wg2.erx-auweg.binary.kitchen.
|
||||
@ -1,25 +1,35 @@
|
|||
$ORIGIN binary.kitchen ; base for unqualified names
|
||||
$TTL 1h ; default time-to-live
|
||||
@ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
|
||||
2020051101; serial
|
||||
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
|
||||
2022071600; serial
|
||||
1d; refresh
|
||||
2h; retry
|
||||
4w; expire
|
||||
1h; minimum time-to-live
|
||||
)
|
||||
IN NS ns.binary.kitchen.
|
||||
IN NS ns1.binary.kitchen.
|
||||
IN NS ns2.binary.kitchen.
|
||||
; Subdomains
|
||||
users IN NS ns1.binary.kitchen.
|
||||
users IN NS ns2.binary.kitchen.
|
||||
; External
|
||||
IN A 213.166.246.4
|
||||
www IN A 213.166.246.4
|
||||
; Aliases
|
||||
3dprinter IN A 172.23.3.251
|
||||
icinga IN A 172.23.2.6
|
||||
ldap IN A 172.23.2.3
|
||||
ldap IN A 172.23.2.4
|
||||
ldap IN A 213.166.246.2
|
||||
ldap1 IN A 172.23.2.3
|
||||
ldap2 IN A 172.23.2.4
|
||||
ldap3 IN A 172.23.13.3
|
||||
ldapm IN A 213.166.246.2
|
||||
librenms IN A 172.23.2.6
|
||||
netbox IN A 172.23.2.7
|
||||
ns1 IN A 172.23.2.3
|
||||
ns2 IN A 172.23.2.4
|
||||
omm IN A 172.23.2.35
|
||||
racktables IN A 172.23.2.6
|
||||
radius IN A 172.23.2.3
|
||||
radius IN A 172.23.2.4
|
||||
@ -27,41 +37,43 @@ radius IN A 172.23.2.4
|
|||
core IN A 172.23.0.1
|
||||
erx-bk IN A 172.23.0.2
|
||||
erx-rz IN A 172.23.0.3
|
||||
pf-bk IN A 172.23.0.4
|
||||
pf-rz IN A 172.23.0.5
|
||||
erx-auweg IN A 172.23.0.4
|
||||
; Management
|
||||
v2301.core IN A 172.23.1.1
|
||||
ups1 IN A 172.23.1.11
|
||||
pdu1 IN A 172.23.1.21
|
||||
pdu2 IN A 172.23.1.22
|
||||
pdu3 IN A 172.23.1.23
|
||||
sw01 IN A 172.23.1.31
|
||||
sw02 IN A 172.23.1.32
|
||||
sw03 IN A 172.23.1.33
|
||||
sw-butchery IN A 172.23.1.31
|
||||
sw-mini IN A 172.23.1.32
|
||||
sw-rack IN A 172.23.1.33
|
||||
ap01 IN A 172.23.1.41
|
||||
ap02 IN A 172.23.1.42
|
||||
ap03 IN A 172.23.1.43
|
||||
ap04 IN A 172.23.1.44
|
||||
ap05 IN A 172.23.1.45
|
||||
ap06 IN A 172.23.1.46
|
||||
modem IN A 172.23.1.51
|
||||
wurst IN A 172.23.1.60
|
||||
wurst-bmc IN A 172.23.1.80
|
||||
bowle-bmc IN A 172.23.1.82
|
||||
nbe-w13b IN A 172.23.1.101
|
||||
nbe-tr8 IN A 172.23.1.102
|
||||
rfp01 IN A 172.23.1.111
|
||||
rfp02 IN A 172.23.1.112
|
||||
; Services
|
||||
v2302.core IN A 172.23.2.1
|
||||
ns IN A 172.23.2.2
|
||||
bacon IN A 172.23.2.3
|
||||
aveta IN A 172.23.2.4
|
||||
sulis IN A 172.23.2.5
|
||||
nabia IN A 172.23.2.6
|
||||
homer IN A 172.23.2.11
|
||||
epona IN A 172.23.2.7
|
||||
lock IN A 172.23.2.12
|
||||
matrix IN A 172.23.2.13
|
||||
pizza IN A 172.23.2.33
|
||||
pancake IN A 172.23.2.34
|
||||
knoedel IN A 172.23.2.35
|
||||
schweinshaxn IN A 172.23.2.36
|
||||
cashdesk IN A 172.23.2.44
|
||||
bob IN A 172.23.2.37
|
||||
bowle IN A 172.23.2.62
|
||||
strammermax IN A 172.23.2.91
|
||||
obatzda IN A 172.23.2.92
|
||||
@ -71,32 +83,47 @@ $GENERATE 10-230 dhcp-${0,3,d}-03 IN A 172.23.3.$
|
|||
fusilli IN A 172.23.3.240
|
||||
klopi IN A 172.23.3.241
|
||||
mpcnc IN A 172.23.3.242
|
||||
garlic IN A 172.23.3.243
|
||||
mirror IN A 172.23.3.244
|
||||
spaghetti IN A 172.23.3.245
|
||||
maccaroni IN A 172.23.3.246
|
||||
pve02-bmc.tmp IN A 172.23.3.247
|
||||
pve02.tmp IN A 172.23.3.248
|
||||
ffrgb IN A 172.23.3.249
|
||||
cannelloni IN A 172.23.3.250
|
||||
noodlehub IN A 172.23.3.251
|
||||
; MQTT
|
||||
v2304.core IN A 172.23.4.1
|
||||
pizza.mqtt IN A 172.23.4.6
|
||||
$GENERATE 10-240 dhcp-${0,3,d}-04 IN A 172.23.4.$
|
||||
habdisplay1.mqtt IN A 172.23.4.241
|
||||
habdisplay2.mqtt IN A 172.23.4.242
|
||||
logo1.mqtt IN A 172.23.4.245
|
||||
logo2.mqtt IN A 172.23.4.246
|
||||
moodlights1.mqtt IN A 172.23.4.250
|
||||
openhabgw1.mqtt IN A 172.23.4.251
|
||||
homematic-ccu2.mqtt IN A 172.23.4.252
|
||||
; Management RZ
|
||||
switch0.erx-rz IN A 172.23.9.1
|
||||
salat IN A 172.23.9.61
|
||||
salat-bmc IN A 172.23.9.81
|
||||
; Services RZ
|
||||
cernunnos IN A 172.23.8.23
|
||||
; Management Auweg
|
||||
sw-auweg IN A 172.23.12.31
|
||||
ap11 IN A 172.23.12.41
|
||||
ap12 IN A 172.23.12.42
|
||||
weizen IN A 172.23.12.61
|
||||
rfp11 IN A 172.23.12.111
|
||||
; Services Auweg
|
||||
aeron IN A 172.23.13.3
|
||||
lock-auweg IN A 172.23.13.12
|
||||
; Clients Auweg
|
||||
$GENERATE 10-230 dhcp-${0,3,d}-14 IN A 172.23.14.$
|
||||
; MQTT Auweg
|
||||
$GENERATE 10-240 dhcp-${0,3,d}-15 IN A 172.23.15.$
|
||||
; VPN RZ (ER-X)
|
||||
wg1.erx-rz IN A 172.23.10.1
|
||||
wg0.erx-rz IN A 172.23.10.1
|
||||
$GENERATE 2-254 vpn-${0,3,d}-10 IN A 172.23.10.$
|
||||
; VPN RZ (pf)
|
||||
$GENERATE 2-254 vpn-${0,3,d}-11 IN A 172.23.11.$
|
||||
; Point-to-Point
|
||||
v400.erx-bk IN A 172.23.96.1
|
||||
v400.core IN A 172.23.96.2
|
||||
wg0.erx-rz IN A 172.23.97.1
|
||||
wg0.erx-bk IN A 172.23.97.2
|
||||
wg1.erx-rz IN A 172.23.97.1
|
||||
wg1.erx-bk IN A 172.23.97.2
|
||||
wg2.erx-rz IN A 172.23.97.5
|
||||
wg2.erx-auweg IN A 172.23.97.6
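Review bot: `ldap` carries three A records, two internal (172.23.2.3, 172.23.2.4) and one public (213.166.246.2), so a resolver hands clients the public address in round-robin with the internal ones; if the public address is meant for external clients only, keep it on `ldapm` (which already exists) and drop `ldap IN A 213.166.246.2`. I cannot tell from the rendered hunk which of these lines are old and which new, so treat this as a check on the resulting zone rather than on the diff. The same check applies to `wg0.erx-rz`/`wg1.erx-rz` (both 172.23.10.1) and the `wg0`/`wg1` point-to-point pairs on 172.23.97.1/.2: if both names survive on the new side they are leftovers of a rename rather than distinct hosts. The matching PTR records are in the preceding reverse-zone hunks, whose start is outside this view.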
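--- /dev/null
+++ b/roles/dns_intern/templates/dnsdist.conf.j2
@@ -0,0 +1,27 @@
+-- {{ ansible_managed }}
+
+setLocal('127.0.0.1')
+addLocal('::1')
+addLocal('{{ ansible_default_ipv4.address }}')
+
+-- define downstream servers/pools
+newServer({address='127.0.0.1:5300', pool='authdns'})
+newServer({address='127.0.0.1:5353', pool='resolve'})
+
+{% if dns_secondary is defined %}
+-- allow AXFR/IXFR only from slaves
+addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(dnsdist.REFUSED))
+{% endif %}
+
+-- allow NOTIFY only from master
+addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(dnsdist.REFUSED))
+
+-- use auth servers for own zones
+addAction('binary.kitchen', PoolAction('authdns'))
+addAction('23.172.in-addr.arpa', PoolAction('authdns'))
+
+-- use resolver for anything else
+addAction(AllRule(), PoolAction('resolve'))
+
+-- disable security status polling via DNS
+setSecurityPollSuffix('')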
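Review bot: Nothing in this file limits who may send RFC2136 UPDATE or recursive queries through the proxy, and because every query now reaches PowerDNS and the recursor from 127.0.0.1, the source-address controls in pdns.conf.j2 (`allow-dnsupdate-from=127.0.0.0/8,::1,...` in its first hunk) and recursor.conf.j2 (`allow-from`) see the proxy rather than the client and admit whatever dnsdist lets through. The AXFR/IXFR and NOTIFY rules gate transfers, but an UPDATE for binary.kitchen from any host dnsdist accepts is routed to the `authdns` pool with a loopback source that `127.0.0.0/8` permits. I would gate UPDATE the same way the NOTIFY rule does, `addAction(AndRule({OpcodeRule(DNSOpcode.Update), NotRule(makeRule("{{ dhcpd_primary }}"))}), RCodeAction(dnsdist.REFUSED))` (extended for `dhcpd_secondary` the way pdns.conf.j2 is), and set the client ACL explicitly to the internal ranges, `setACL({'127.0.0.0/8', '::1/128', '172.23.0.0/16'})`, rather than relying on dnsdist's built-in default; the /16 is inferred from the 23.172.in-addr.arpa zone routed below, so confirm it against the inventory.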
@ -1,46 +1,96 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
{% if ansible_default_ipv4.address == dns_primary %}
|
||||
#################################
|
||||
# launch Which backends to launch and order to query them in
|
||||
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
|
||||
#
|
||||
# launch=
|
||||
launch=bind
|
||||
# allow-dnsupdate-from=127.0.0.0/8,::1
|
||||
allow-dnsupdate-from=127.0.0.0/8,::1,{{ dhcpd_primary }}{% if dhcpd_secondary is defined %},{{ dhcpd_secondary }}{% endif %}
|
||||
|
||||
#################################
|
||||
# local-address Local IP addresses to which we bind
|
||||
# dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no.
|
||||
#
|
||||
# dnsupdate=no
|
||||
dnsupdate=yes
|
||||
{% endif %}
|
||||
|
||||
#################################
|
||||
# launch Which backends to launch and order to query them in
|
||||
#
|
||||
# launch=
|
||||
launch=bind,gsqlite3
|
||||
|
||||
#################################
|
||||
# local-address Local IP addresses to which we bind
|
||||
#
|
||||
# local-address=0.0.0.0
|
||||
local-address=127.0.0.1
|
||||
|
||||
#################################
|
||||
# local-ipv6 Local IP address to which we bind
|
||||
# local-ipv6 Local IP address to which we bind
|
||||
#
|
||||
# local-ipv6=::
|
||||
local-ipv6=
|
||||
|
||||
#################################
|
||||
# local-port The port on which we listen
|
||||
# local-port The port on which we listen
|
||||
#
|
||||
# local-port=53
|
||||
local-port=5300
|
||||
|
||||
{% if ansible_default_ipv4.address == dns_primary %}
|
||||
#################################
|
||||
# security-poll-suffix Domain name from which to query security update notifications
|
||||
# master Act as a master
|
||||
#
|
||||
# master=no
|
||||
master=yes
|
||||
|
||||
{% if dns_secondary is defined %}
|
||||
#################################
|
||||
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
|
||||
#
|
||||
# only-notify=0.0.0.0/0,::/0
|
||||
only-notify={{ dns_secondary }}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
#################################
|
||||
# security-poll-suffix Domain name from which to query security update notifications
|
||||
#
|
||||
# security-poll-suffix=secpoll.powerdns.com.
|
||||
security-poll-suffix=
|
||||
|
||||
#################################
|
||||
# setgid If set, change group id to this gid for more security
|
||||
# setgid If set, change group id to this gid for more security
|
||||
#
|
||||
setgid=pdns
|
||||
|
||||
#################################
|
||||
# setuid If set, change user id to this uid for more security
|
||||
# setuid If set, change user id to this uid for more security
|
||||
#
|
||||
setuid=pdns
|
||||
|
||||
{% if dns_secondary is defined and ansible_default_ipv4.address == dns_secondary %}
|
||||
#################################
|
||||
# bind-config Location of the Bind configuration file to parse.
|
||||
# slave Act as a slave
|
||||
#
|
||||
# slave=no
|
||||
slave=yes
|
||||
|
||||
#################################
|
||||
# trusted-notification-proxy IP address of incoming notification proxy
|
||||
#
|
||||
# trusted-notification-proxy=
|
||||
trusted-notification-proxy=127.0.0.1,::1
|
||||
{% endif %}
|
||||
|
||||
#################################
|
||||
# bind-config Location of named.conf
|
||||
#
|
||||
bind-config=/etc/powerdns/bindbackend.conf
|
||||
|
||||
#################################
|
||||
# gsqlite3-database Filename of the SQLite3 database
|
||||
#
|
||||
# gsqlite3-database=
|
||||
gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
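Review bot: `allow-dnsupdate-from=127.0.0.0/8,::1,{{ dhcpd_primary }}...` authorizes RFC2136 updates by source address alone, and a UDP source address is not a credential; PowerDNS can additionally require a TSIG signature per zone through the `TSIG-ALLOW-DNSUPDATE` domain metadata, which is the control I would add for the zones dhcpd writes to. As far as I know the bind backend does not accept updates, so with `launch=bind,gsqlite3` only zones held in the sqlite database are updatable; a comment next to `dnsupdate=yes` naming which zones those are would make the split explicit. The loopback entries in that list also admit everything the dnsdist front end forwards, which is raised on the dnsdist template above.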
|
||||
@ -1,61 +1,55 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
#################################
|
||||
# allow-from If set, only allow these comma separated netmasks to recurse
|
||||
# allow-from If set, only allow these comma separated netmasks to recurse
|
||||
#
|
||||
#allow-from=127.0.0.0/8
|
||||
# allow-from=127.0.0.0/8
|
||||
|
||||
#################################
|
||||
# config-dir Location of configuration directory (recursor.conf)
|
||||
# config-dir Location of configuration directory (recursor.conf)
|
||||
#
|
||||
config-dir=/etc/powerdns
|
||||
|
||||
#################################
|
||||
# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
|
||||
# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
|
||||
#
|
||||
# dnssec=process-no-validate
|
||||
dnssec=off
|
||||
|
||||
#################################
|
||||
# forward-zones Zones for which we forward queries, comma separated domain=ip pairs
|
||||
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
|
||||
#
|
||||
# forward-zones=
|
||||
forward-zones=binary.kitchen=127.0.0.1:5300,23.172.in-addr.arpa=127.0.0.1:5300
|
||||
local-address=127.0.0.1
|
||||
|
||||
#################################
|
||||
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
|
||||
# local-port port to listen on
|
||||
#
|
||||
local-address=127.0.0.1,{{ ansible_default_ipv4.address }}
|
||||
local-port=5353
|
||||
|
||||
#################################
|
||||
# local-port port to listen on
|
||||
#
|
||||
local-port=53
|
||||
|
||||
#################################
|
||||
# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
|
||||
# query-local-address6 Source IPv6 address for sending queries. IF UNSET, IPv6 WILL NOT BE USED FOR OUTGOING QUERIES
|
||||
#
|
||||
{% if global_ipv6 is defined %}
|
||||
query-local-address6={{ global_ipv6 | ipaddr('address') }}
|
||||
{% endif %}
|
||||
|
||||
#################################
|
||||
# quiet Suppress logging of questions and answers
|
||||
# quiet Suppress logging of questions and answers
|
||||
#
|
||||
quiet=yes
|
||||
|
||||
#################################
|
||||
# security-poll-suffix Domain name from which to query security update notifications
|
||||
# security-poll-suffix Domain name from which to query security update notifications
|
||||
#
|
||||
# security-poll-suffix=secpoll.powerdns.com.
|
||||
security-poll-suffix=
|
||||
|
||||
#################################
|
||||
# setgid If set, change group id to this gid for more security
|
||||
# setgid If set, change group id to this gid for more security
|
||||
#
|
||||
setgid=pdns
|
||||
|
||||
#################################
|
||||
# setuid If set, change user id to this uid for more security
|
||||
# setuid If set, change user id to this uid for more security
|
||||
#
|
||||
setuid=pdns
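Review bot: `dnssec=off` turns off DNSSEC processing on the recursor entirely, so clients get no validation path at all; the comment above it names `process-no-validate` as the default and `validate` as the strict mode. Unless there is a known reason (a broken upstream or a client compatibility problem), I would drop the override or move to `dnssec=validate` and watch the logs for SERVFAIL on the zones that matter. `allow-from` is left commented out, which appears harmless here because the new listener is `local-address=127.0.0.1` on port 5353 and the client-facing ACL now lives in dnsdist; a one-line comment saying so, `# clients are filtered by dnsdist; only the local proxy reaches this listener`, would save the next reader the question.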
|
||||
@ -5,7 +5,7 @@
|
|||
|
||||
- name: Enable docker repository
|
||||
apt_repository:
|
||||
repo: 'deb https://download.docker.com/linux/debian buster stable'
|
||||
repo: 'deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
|
||||
filename: docker
|
||||
|
||||
- name: Install docker
|
||||
|
@ -14,4 +14,4 @@
|
|||
- docker-ce
|
||||
- docker-ce-cli
|
||||
- containerd.io
|
||||
- python-docker
|
||||
- python3-docker
|
||||
@ -14,7 +14,7 @@
|
|||
apt:
|
||||
name:
|
||||
- postgresql
|
||||
- python-psycopg2
|
||||
- python3-psycopg2
|
||||
|
||||
- name: Configure PostgreSQL database
|
||||
postgresql_db: name={{ drone_dbname }}
|
||||
|
@ -50,3 +50,8 @@
|
|||
|
||||
- name: Enable drone
|
||||
service: name=drone enabled=yes
|
||||
|
||||
- name: Enable monitoring
|
||||
include_role: name=icinga-monitor tasks_from=http
|
||||
vars:
|
||||
vhost: "{{ drone_domain }}"
|
||||
@ -14,6 +14,7 @@
|
|||
DRONE_UI_PASSWORD: "{{ drone_uipass }}"
|
||||
ports:
|
||||
- "3000:3000"
|
||||
pull: yes
|
||||
restart_policy: unless-stopped
|
||||
state: started
|
||||
volumes:
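Review bot: `- "3000:3000"` publishes the Drone port on every host interface, so it is reachable beside the vhost that presumably fronts it (the monitoring task checks `{{ drone_domain }}`) and outside whatever that vhost enforces; with Docker's default iptables handling, published ports are commonly reachable regardless of host firewall rules. If only the local reverse proxy needs it, bind it to loopback: `- "127.0.0.1:3000:3000"`. I cannot tell from the rendered hunk whether this line is context or the one added; the enclosing task starts above the hunk.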
|
||||
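--- /dev/null
+++ b/roles/fileserver/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Reload nfs-server
+  service: name=nfs-server state=reloaded
+
+- name: Reload smbd
+  service: name=smbd state=reloaded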
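--- /dev/null
+++ b/roles/fileserver/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+
+# TODO also enable contrib for $release-security
+- name: Enable contrib repositories
+  apt_repository:
+    repo: deb http://deb.debian.org/debian {{ ansible_distribution_release }} contrib
+
+- name: Install zfs-dkms
+  apt:
+    name: zfs-dkms
+
+# creating the ZFS pool is not part of this role
+
+- name: Install NFS and samba
+  apt:
+    name:
+      - nfs-kernel-server
+      - samba
+
+- name: Configure NFS
+  template:
+    src: exports.j2
+    dest: /etc/exports
+  notify: Reload nfs-server
+
+- name: Configure samba
+  template:
+    src: smb.conf.j2
+    dest: /etc/samba/smb.conf
+  notify: Reload smbd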
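Review bot: The `Configure samba` task writes /etc/samba/smb.conf and reloads smbd without checking the result, so a bad template is only discovered when smbd reloads it; `template` supports `validate: testparm -s %s`, which is the check the template's own header asks for. Both template tasks could also pin `mode: "0644"` so the files do not inherit the umask of the run. `Enable contrib repositories` adds the suite over plain http; apt still verifies the release signatures, but `https://deb.debian.org/debian` costs nothing here and keeps the transport consistent with the docker repository in this change.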
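--- /dev/null
+++ b/roles/fileserver/templates/exports.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+{% for item in nfs_exports %}
+{{ item }}
+{% endfor %}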
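--- /dev/null
+++ b/roles/fileserver/templates/smb.conf.j2
@@ -0,0 +1,244 @@
+#
+# Sample configuration file for the Samba suite for Debian GNU/Linux.
+#
+#
+# This is the main Samba configuration file. You should read the
+# smb.conf(5) manual page in order to understand the options listed
+# here. Samba has a huge number of configurable options most of which
+# are not shown in this example
+#
+# Some options that are often worth tuning have been included as
+# commented-out examples in this file.
+# - When such options are commented with ";", the proposed setting
+# differs from the default Samba behaviour
+# - When commented with "#", the proposed setting is the default
+# behaviour of Samba but the option is considered important
+# enough to be mentioned here
+#
+# NOTE: Whenever you modify this file you should run the command
+# "testparm" to check that you have not made any basic syntactic
+# errors.
+
+#======================= Global Settings =======================
+
+[global]
+
+## Browsing/Identification ###
+
+# Change this to the workgroup/NT-domain name your Samba server will part of
+workgroup = WORKGROUP
+
+#### Networking ####
+
+# The specific set of interfaces / networks to bind to
+# This can be either the interface name or an IP address/netmask;
+# interface names are normally preferred
+; interfaces = 127.0.0.0/8 eth0
+
+# Only bind to the named interfaces and/or networks; you must use the
+# 'interfaces' option above to use this.
+# It is recommended that you enable this feature if your Samba machine is
+# not protected by a firewall or is a firewall itself. However, this
+# option cannot handle dynamic or non-broadcast interfaces correctly.
+; bind interfaces only = yes
+
+
+
+#### Debugging/Accounting ####
+
+# This tells Samba to use a separate log file for each machine
+# that connects
+log file = /var/log/samba/log.%m
+
+# Cap the size of the individual log files (in KiB).
+max log size = 1000
+
+# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
+# Append syslog@1 if you want important messages to be sent to syslog too.
+logging = file
+
+# Do something sensible when Samba crashes: mail the admin a backtrace
+panic action = /usr/share/samba/panic-action %d
+
+
+####### Authentication #######
+
+# Server role. Defines in which mode Samba will operate. Possible
+# values are "standalone server", "member server", "classic primary
+# domain controller", "classic backup domain controller", "active
+# directory domain controller".
+#
+# Most people will want "standalone server" or "member server".
+# Running as "active directory domain controller" will require first
+# running "samba-tool domain provision" to wipe databases and create a
+# new domain.
+server role = standalone server
+
+obey pam restrictions = yes
+
+# This boolean parameter controls whether Samba attempts to sync the Unix
+# password with the SMB password when the encrypted SMB password in the
+# passdb is changed.
+unix password sync = yes
+
+# For Unix password sync to work on a Debian GNU/Linux system, the following
+# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
+# sending the correct chat script for the passwd program in Debian Sarge).
+passwd program = /usr/bin/passwd %u
+passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+
+# This boolean controls whether PAM will be used for password changes
+# when requested by an SMB client instead of the program listed in
+# 'passwd program'. The default is 'no'.
+pam password change = yes
+
+# This option controls how unsuccessful authentication attempts are mapped
+# to anonymous connections
+map to guest = bad user
+
+########## Domains ###########
+
+#
+# The following settings only takes effect if 'server role = classic
+# primary domain controller', 'server role = classic backup domain controller'
+# or 'domain logons' is set
+#
+
+# It specifies the location of the user's
+# profile directory from the client point of view) The following
+# required a [profiles] share to be setup on the samba server (see
+# below)
+; logon path = \\%N\profiles\%U
+# Another common choice is storing the profile in the user's home directory
+# (this is Samba's default)
+# logon path = \\%N\%U\profile
+
+# The following setting only takes effect if 'domain logons' is set
+# It specifies the location of a user's home directory (from the client
+# point of view)
+; logon drive = H:
+# logon home = \\%N\%U
+
+# The following setting only takes effect if 'domain logons' is set
+# It specifies the script to run during logon. The script must be stored
+# in the [netlogon] share
+# NOTE: Must be store in 'DOS' file format convention
+; logon script = logon.cmd
+
+# This allows Unix users to be created on the domain controller via the SAMR
+# RPC pipe. The example command creates a user account with a disabled Unix
+# password; please adapt to your needs
+; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
+
+# This allows machine accounts to be created on the domain controller via the
+# SAMR RPC pipe.
+# The following assumes a "machines" group exists on the system
+; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
+
+# This allows Unix groups to be created on the domain controller via the SAMR
+# RPC pipe.
+; add group script = /usr/sbin/addgroup --force-badname %g
+
+############ Misc ############
+
+# Using the following line enables you to customise your configuration
+# on a per machine basis. The %m gets replaced with the netbios name
+# of the machine that is connecting
+; include = /home/samba/etc/smb.conf.%m
+
+# Some defaults for winbind (make sure you're not using the ranges
+# for something else.)
+; idmap config * : backend = tdb
+; idmap config * : range = 3000-7999
+; idmap config YOURDOMAINHERE : backend = tdb
+; idmap config YOURDOMAINHERE : range = 100000-999999
+; template shell = /bin/bash
+
+# Setup usershare options to enable non-root users to share folders
+# with the net usershare command.
+
+# Maximum number of usershare. 0 means that usershare is disabled.
+# usershare max shares = 100
+
+# Allow users who've been granted usershare privileges to create
+# public shares, not just authenticated ones
+usershare allow guests = yes
+
+#======================= Share Definitions =======================
+
+;[homes]
+; comment = Home Directories
+; browseable = no
+
+# By default, the home directories are exported read-only. Change the
+# next parameter to 'no' if you want to be able to write to them.
+; read only = yes
+
+# File creation mask is set to 0700 for security reasons. If you want to
+# create files with group=rw permissions, set next parameter to 0775.
+; create mask = 0700
+
+# Directory creation mask is set to 0700 for security reasons. If you want to
+# create dirs. with group=rw permissions, set next parameter to 0775.
+; directory mask = 0700
+
+# By default, \\server\username shares can be connected to by anyone
+# with access to the samba server.
+# The following parameter makes sure that only "username" can connect
+# to \\server\username
+# This might need tweaking when using external authentication schemes
+; valid users = %S
+
+# Un-comment the following and create the netlogon directory for Domain Logons
+# (you need to configure Samba to act as a domain controller too.)
+;[netlogon]
+; comment = Network Logon Service
+; path = /home/samba/netlogon
+; guest ok = yes
+; read only = yes
+
+# Un-comment the following and create the profiles directory to store
+# users profiles (see the "logon path" option above)
+# (you need to configure Samba to act as a domain controller too.)
+# The path below should be writable by all users so that their
+# profile directory may be created the first time they log on
+;[profiles]
+; comment = Users profiles
+; path = /home/samba/profiles
+; guest ok = no
+; browseable = no
+; create mask = 0600
+; directory mask = 0700
+
+;[printers]
+; comment = All Printers
+; browseable = no
+; path = /var/spool/samba
+; printable = yes
+; guest ok = no
+; read only = yes
+; create mask = 0700
+
+# Windows clients look for this share name as a source of downloadable
+# printer drivers
+;[print$]
+; comment = Printer Drivers
+; path = /var/lib/samba/printers
+; browseable = yes
+; read only = yes
+; guest ok = no
+# Uncomment to allow remote administration of Windows print drivers.
+# You may need to replace 'lpadmin' with the name of the group your
+# admin users are members of.
+# Please note that you also need to set appropriate Unix permissions
+# to the drivers directory for these users to have write rights in it
+; write list = root, @lpadmin
+
+# Binary Kitchen public share
+[tank]
+path = /exports/tank
+browseable = yes
+read only = no
+guest ok = yes
+create mask = 0600
+directory mask = 0700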
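Review bot: The `[tank]` share is guest-writable (`guest ok = yes`, `read only = no`) yet uses `create mask = 0600` and `directory mask = 0700`, so everything a guest uploads ends up readable only by the single guest account, which contradicts the "public share" comment and will surprise anyone reading the same tree over the NFS export rendered by exports.j2. If the share is meant to be public and shared with NFS, `force user`/`force group` plus masks that grant group access (for example `0664`/`0775`) make ownership and permissions predictable; if it should not be anonymous, drop `guest ok` and use `valid users`. The global section still carries the Debian sample's commented-out `interfaces`/`bind interfaces only`; on a host that also serves NFS, binding smbd to the internal interface is worth deciding explicitly rather than by default. `usershare allow guests = yes` extends the same guest exposure to any share a local user later creates with `net usershare`.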
@ -3,6 +3,6 @@
|
|||
gitea_user: gogs
|
||||
gitea_group: gogs
|
||||
|
||||
gitea_checksum: sha256:74417bc8e950b685de79c3a39655029f28d27c99e94adbe83c0ec22325d8771f
|
||||
gitea_version: 1.12.6
|
||||
gitea_url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64
|
||||
gitea_checksum: sha256:bc4a8e1f5d5f64d4be2e50c387de08d07c062aecdba2f742c2f61c20accfcc46
|
||||
gitea_version: 1.17.0
|
||||
gitea_url: https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64
|
||||
@ -30,7 +30,7 @@
|
|||
apt:
|
||||
name:
|
||||
- postgresql
|
||||
- python-psycopg2
|
||||
- python3-psycopg2
|
||||
|
||||
- name: Configure PostgreSQL database
|
||||
postgresql_db: name={{ gitea_dbname }}
|
||||
|
@ -50,6 +50,9 @@
|
|||
template: src=certs.j2 dest=/etc/acertmgr/{{ gitea_domain }}.conf
|
||||
notify: Run acertmgr
|
||||
|
||||
- name: Configure robots.txt for gitea
|
||||
template: src=robots.txt.j2 dest=/opt/gitea/custom/robots.txt owner={{ gitea_user }}
|
||||
|
||||
- name: Configure vhost
|
||||
template: src=vhost.j2 dest=/etc/nginx/sites-available/gitea
|
||||
notify: Restart nginx
|
||||
|
@ -60,3 +63,8 @@
|
|||
|
||||
- name: Enable gitea
|
||||
service: name=gitea enabled=yes
|
||||
|
||||
- name: Enable monitoring
|
||||
include_role: name=icinga-monitor tasks_from=http
|
||||
vars:
|
||||
vhost: "{{ gitea_domain }}"
|
||||
@ -43,3 +43,10 @@ LEVEL = warn
|
|||
|
||||
[oauth2]
|
||||
JWT_SECRET = {{ gitea_jwt_secret }}
|
||||
|
||||
[cron]
|
||||
ENABLED = true
|
||||
|
||||
[cron.archive_cleanup]
|
||||
SCHEDULE = @midnight
|
||||
OLDER_THAN = 168h
|
||||
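--- /dev/null
+++ b/roles/gitea/templates/robots.txt.j2
@@ -0,0 +1,4 @@
+User-agent: *
+Disallow: /*/*/archive/*.bundle$
+Disallow: /*/*/archive/*.tar.gz$
+Disallow: /*/*/archive/*.zip$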
@ -23,6 +23,10 @@ server {
|
|||
ssl_certificate_key /etc/nginx/ssl/{{ gitea_domain }}.key;
|
||||
ssl_certificate /etc/nginx/ssl/{{ gitea_domain }}.crt;
|
||||
|
||||
location /robots.txt {
|
||||
alias /opt/gitea/custom/robots.txt;
|
||||
}
|
||||
|
||||
location / {
|
||||
client_max_body_size 1024M;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
@ -1,10 +1,10 @@
|
|||
---
|
||||
|
||||
- name: Enable grafana apt-key
|
||||
apt_key: url='https://packages.grafana.com/gpg.key'
|
||||
apt_key: url="https://packages.grafana.com/gpg.key"
|
||||
|
||||
- name: Enable grafana repository
|
||||
apt_repository: repo='deb https://packages.grafana.com/oss/deb stable main'
|
||||
apt_repository: repo="deb https://packages.grafana.com/oss/deb stable main"
|
||||
|
||||
- name: Install grafana
|
||||
apt: name=grafana
|
||||
|
@ -34,3 +34,8 @@
|
|||
|
||||
- name: Start grafana
|
||||
service: name=grafana-server state=started enabled=yes
|
||||
|
||||
- name: Enable monitoring
|
||||
include_role: name=icinga-monitor tasks_from=http
|
||||
vars:
|
||||
vhost: "{{ grafana_domain }}"
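Review bot: `apt_key: url="https://packages.grafana.com/gpg.key"` trusts whatever key the URL serves at run time; the module's `id` parameter pins the expected fingerprint so a swapped key or a compromised mirror fails the task instead of becoming a trusted signer, e.g. `apt_key: url="https://packages.grafana.com/gpg.key" id=<GRAFANA-KEY-FINGERPRINT>` (placeholder, take the fingerprint from the vendor's documentation). The same applies to the nodesource and yarnpkg keys in the hedgedoc tasks hunk at the end of this view, which runs past it. Pinning the key also prepares the repository line for a `[signed-by=...]` keyring later, but that is a separate change.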
|
||||
@ -25,7 +25,8 @@ server {
|
|||
|
||||
location / {
|
||||
client_max_body_size 1024M;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_pass http://localhost:3000;
|
||||
}
|
||||
}
|
||||
@ -1,4 +1,4 @@
|
|||
---
|
||||
|
||||
hackmd_version: 1.5.0
|
||||
hackmd_archive: https://github.com/codimd/server/archive/{{ hackmd_version }}.tar.gz
|
||||
hedgedoc_version: 1.9.3
|
||||
hedgedoc_archive: https://github.com/hedgedoc/hedgedoc/archive/{{ hedgedoc_version }}.tar.gz
|
||||
@ -3,8 +3,8 @@
|
|||
- name: Reload systemd
|
||||
systemd: daemon_reload=yes
|
||||
|
||||
- name: Restart hackmd
|
||||
service: name=hackmd state=restarted
|
||||
- name: Restart hedgedoc
|
||||
service: name=hedgedoc state=restarted
|
||||
|
||||
- name: Restart nginx
|
||||
service: name=nginx state=restarted
|
||||
|
|
|
@ -3,14 +3,11 @@
|
|||
- name: Create user
|
||||
user: name=hackmd
|
||||
|
||||
- name: Enable https for apt
|
||||
apt: name=apt-transport-https
|
||||
|
||||
- name: Enable nodesource apt-key
|
||||
apt_key: url="https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
|
||||
|
||||
- name: Enable nodesource repository
|
||||
apt_repository: repo="deb https://deb.nodesource.com/node_8.x/ {{ ansible_distribution_release }} main"
|
||||
apt_repository: repo="deb https://deb.nodesource.com/node_14.x/ {{ ansible_distribution_release }} main"
|
||||
|
||||
- name: Enable yarnpkg apt-key
|
||||
apt_key: url="https://dl.yarnpkg.com/debian/pubkey.gpg"
|
||||
|
@ -34,82 +31,80 @@
|
|||
- git
|
||||
- nodejs
|
||||
- postgresql
|
||||
- python-psycopg2
|
||||
- python3-psycopg2
|
||||
- yarn
|
||||
|
||||
- name: Unpack hackmd
|
||||
unarchive: src={{ hackmd_archive }} dest=/opt owner=hackmd group=hackmd remote_src=yes creates=/opt/codimd-{{ hackmd_version }}
|
||||
register: hackmd_unarchive
|
||||
- name: Unpack hedgedoc
|
||||
unarchive: src={{ hedgedoc_archive }} dest=/opt owner=hackmd group=hackmd remote_src=yes creates=/opt/hedgedoc-{{ hedgedoc_version }}
|
||||
register: hedgedoc_unarchive
|
||||
|
||||
- name: Rename hackmd
|
||||
command: mv /opt/server-{{ hackmd_version }} /opt/codimd-{{ hackmd_version }}
|
||||
when: hackmd_unarchive.changed
|
||||
- name: Create hedgedoc upload path
|
||||
file: path=/opt/hedgedoc/uploads state=directory recurse=yes owner=hackmd group=hackmd
|
||||
|
||||
- name: Create hackmd upload path
|
||||
file: path=/opt/codimd/uploads state=directory recurse=yes owner=hackmd group=hackmd
|
||||
- name: Remove old hedgedoc upload path
|
||||
file: path=/opt/hedgedoc-{{ hedgedoc_version }}/public/uploads state=absent force=yes
|
||||
|
||||
- name: Remove old hackmd upload path
|
||||
file: path=/opt/codimd-{{ hackmd_version }}/public/uploads state=absent force=yes
|
||||
- name: Link hedgedoc upload path
|
||||
file: path=/opt/hedgedoc-{{ hedgedoc_version }}/public/uploads src=/opt/hedgedoc/uploads state=link owner=hackmd group=hackmd
|
||||
|
||||
- name: Link hackmd upload path
|
||||
file: path=/opt/codimd-{{ hackmd_version }}/public/uploads src=/opt/codimd/uploads state=link owner=hackmd group=hackmd
|
||||
|
||||
- name: Setup hackmd
|
||||
command: bin/setup chdir=/opt/codimd-{{ hackmd_version }} creates=/opt/codimd-{{ hackmd_version }}/config.json
|
||||
- name: Setup hedgedoc
|
||||
command: bin/setup chdir=/opt/hedgedoc-{{ hedgedoc_version }} creates=/opt/hedgedoc-{{ hedgedoc_version }}/config.json
|
||||
become: true
|
||||
become_user: hackmd
|
||||
|
||||
- name: Configure hackmd
|
||||
template: src=config.json.j2 dest=/opt/codimd-{{ hackmd_version }}/config.json owner=hackmd
|
||||
register: hackmd_config
|
||||
notify: Restart hackmd
|
||||
- name: Configure hedgedoc
|
||||
template: src=config.json.j2 dest=/opt/hedgedoc-{{ hedgedoc_version }}/config.json owner=hackmd
|
||||
register: hedgedoc_config
|
||||
notify: Restart hedgedoc
|
||||
|
||||
- name: Build hackmd frontend
|
||||
command: /usr/bin/npm run build chdir=/opt/codimd-{{ hackmd_version }}
|
||||
- name: Install hedgedoc frontend deps
|
||||
command: /usr/bin/yarn install chdir=/opt/hedgedoc-{{ hedgedoc_version }}
|
||||
become: true
|
||||
become_user: hackmd
|
||||
when: hackmd_unarchive.changed or hackmd_config.changed
|
||||
when: hedgedoc_unarchive.changed or hedgedoc_config.changed
|
||||
|
||||
- name: Build hedgedoc frontend
|
||||
command: /usr/bin/yarn build chdir=/opt/hedgedoc-{{ hedgedoc_version }}
|
||||
become: true
|
||||
become_user: hackmd
|
||||
when: hedgedoc_unarchive.changed or hedgedoc_config.changed
|
||||
|
||||
- name: Configure PostgreSQL database
|
||||
postgresql_db: name={{ hackmd_dbname }}
|
||||
postgresql_db: name={{ hedgedoc_dbname }}
|
||||
become: true
|
||||
become_user: postgres
|
||||
|
||||
- name: Configure PostgreSQL user
|
||||
postgresql_user: db={{ hackmd_dbname }} name={{ hackmd_dbuser }} password={{ hackmd_dbpass }} priv=ALL state=present
|
||||
postgresql_user: db={{ hedgedoc_dbname }} name={{ hedgedoc_dbuser }} password={{ hedgedoc_dbpass }} priv=ALL state=present
|
||||
become: true
|
||||
become_user: postgres
|
||||
|
||||
- name: Configure sequelize
|
||||
template: src=_sequelizerc.j2 dest=/opt/codimd-{{ hackmd_version }}/.sequelizerc owner=hackmd
|
||||
|
||||
- name: Upgrade database schema
|
||||
command: node_modules/.bin/sequelize db:migrate chdir=/opt/codimd-{{ hackmd_version }}
|
||||
become: true
|
||||
become_user: hackmd
|
||||
when: hackmd_unarchive.changed or hackmd_config.changed
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ hackmd_domain }}.key -out /etc/nginx/ssl/{{ hackmd_domain }}.crt -days 730 -subj "/CN={{ hackmd_domain }}" creates=/etc/nginx/ssl/{{ hackmd_domain }}.crt
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ hedgedoc_domain }}.key -out /etc/nginx/ssl/{{ hedgedoc_domain }}.crt -days 730 -subj "/CN={{ hedgedoc_domain }}" creates=/etc/nginx/ssl/{{ hedgedoc_domain }}.crt
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Configure certificate manager for hackmd
|
||||
template: src=certs.j2 dest=/etc/acertmgr/{{ hackmd_domain }}.conf
|
||||
- name: Configure certificate manager for hedgedoc
|
||||
template: src=certs.j2 dest=/etc/acertmgr/{{ hedgedoc_domain }}.conf
|
||||
notify: Run acertmgr
|
||||
|
||||
- name: Configure vhost
|
||||
template: src=vhost.j2 dest=/etc/nginx/sites-available/hackmd
|
||||
template: src=vhost.j2 dest=/etc/nginx/sites-available/hedgedoc
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Enable vhost
|
||||
file: src=/etc/nginx/sites-available/hackmd dest=/etc/nginx/sites-enabled/hackmd state=link
|
||||
file: src=/etc/nginx/sites-available/hedgedoc dest=/etc/nginx/sites-enabled/hedgedoc state=link
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Systemd unit for hackmd
|
||||
template: src=hackmd.service.j2 dest=/etc/systemd/system/hackmd.service
|
||||
- name: Systemd unit for hedgedoc
|
||||
template: src=hedgedoc.service.j2 dest=/etc/systemd/system/hedgedoc.service
|
||||
notify:
|
||||
- Reload systemd
|
||||
- Restart hackmd
|
||||
- Restart hedgedoc
|
||||
|
||||
- name: Start the hackmd service
|
||||
service: name=hackmd state=started enabled=yes
|
||||
- name: Start the hedgedoc service
|
||||
service: name=hedgedoc state=started enabled=yes
|
||||
|
||||
- name: Enable monitoring
|
||||
include_role: name=icinga-monitor tasks_from=http
|
||||
vars:
|
||||
vhost: "{{ hedgedoc_domain }}"
|
||||
|
|
|
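Review bot: `Configure hedgedoc` renders config.json, which carries `sessionSecret` and the database password, with `owner=hackmd` but no `mode`, so the file takes the umask default and is typically world-readable; add `mode=0600` to that `template:` line. The same omission recurs later in this series for secret-bearing templates in the icinga tasks (`Configure icinga ido pgsql`) and the mail tasks (`Configure mailman3`, `Configure mailman3 hyperkitty plugin`, `Configure mailman3-web`). `Configure PostgreSQL user` passes `password={{ hedgedoc_dbpass }}` as a plain module argument, which Ansible echoes in verbose and failure output unless the task carries `no_log: true`; the `postgresql_user` tasks in the icinga and mail roles have the same shape. `Install hedgedoc frontend deps` runs `/usr/bin/yarn install` without `--frozen-lockfile`, so a registry change could pull versions other than those pinned in the release's yarn.lock, and the `unarchive ... remote_src=yes` fetch carries no integrity check; `get_url` with a `checksum:` recorded for the pinned `hedgedoc_version` followed by a local unarchive would close that gap. The package list this hunk opens with begins outside it.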
@ -1,8 +0,0 @@
|
|||
var path = require('path');
|
||||
|
||||
module.exports = {
|
||||
'config': path.resolve('config.json'),
|
||||
'migrations-path': path.resolve('lib', 'migrations'),
|
||||
'models-path': path.resolve('lib', 'models'),
|
||||
'url': 'postgres://{{ hackmd_dbuser }}:{{ hackmd_dbpass }}@localhost:5432/{{ hackmd_dbname }}'
|
||||
}
|
|
@ -1,13 +1,13 @@
|
|||
---
|
||||
|
||||
{{ hackmd_domain }}:
|
||||
- path: /etc/nginx/ssl/{{ hackmd_domain }}.key
|
||||
{{ hedgedoc_domain }}:
|
||||
- path: /etc/nginx/ssl/{{ hedgedoc_domain }}.key
|
||||
user: root
|
||||
group: root
|
||||
perm: '400'
|
||||
format: key
|
||||
action: '/usr/sbin/service nginx restart'
|
||||
- path: /etc/nginx/ssl/{{ hackmd_domain }}.crt
|
||||
- path: /etc/nginx/ssl/{{ hedgedoc_domain }}.crt
|
||||
user: root
|
||||
group: root
|
||||
perm: '400'
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
{
|
||||
"production": {
|
||||
"domain": "{{ hackmd_domain }}",
|
||||
"domain": "{{ hedgedoc_domain }}",
|
||||
"protocolUseSSL": true,
|
||||
"allowAnonymous": false,
|
||||
"allowAnonymousEdits": true,
|
||||
"allowFreeURL": true,
|
||||
"sessionSecret": "{{ hackmd_secret }}",
|
||||
"sessionSecret": "{{ hedgedoc_secret }}",
|
||||
"hsts": {
|
||||
"enable": true,
|
||||
"maxAgeSeconds": 2592000,
|
||||
|
@ -22,9 +22,9 @@
|
|||
"addGoogleAnalytics": true
|
||||
},
|
||||
"db": {
|
||||
"username": "{{ hackmd_dbuser }}",
|
||||
"password": "{{ hackmd_dbpass }}",
|
||||
"database": "{{ hackmd_dbname }}",
|
||||
"username": "{{ hedgedoc_dbuser }}",
|
||||
"password": "{{ hedgedoc_dbpass }}",
|
||||
"database": "{{ hedgedoc_dbname }}",
|
||||
"host": "localhost",
|
||||
"port": "5432",
|
||||
"dialect": "postgres"
|
||||
|
|
|
@ -1,13 +1,13 @@
|
|||
[Unit]
|
||||
Description=HackMD
|
||||
Description=HedgeDoc
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Environment=NODE_ENV=production
|
||||
WorkingDirectory=/opt/codimd-{{ hackmd_version }}
|
||||
WorkingDirectory=/opt/hedgedoc-{{ hedgedoc_version }}
|
||||
Type=simple
|
||||
User=hackmd
|
||||
ExecStart=/usr/bin/node /opt/codimd-{{ hackmd_version }}/app.js
|
||||
ExecStart=/usr/bin/yarn start
|
||||
Restart=on-failure
|
||||
|
||||
[Install]
|
|
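Review bot: The unit now starts the app through `ExecStart=/usr/bin/yarn start` but still carries no sandboxing directives, so the service keeps every write path its `User=hackmd` can reach; `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` are the usual starting point for a Node service whose only writable state lives under /opt. Which package.json script `yarn start` resolves to, and whether it needs anything beyond the given `WorkingDirectory`, is not visible here; a one-line comment above `ExecStart` naming that script would help the next reader. The `[Install]` section continues outside the hunk.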
@ -1,8 +1,13 @@
|
|||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name {{ hackmd_domain }};
|
||||
server_name {{ hedgedoc_domain }};
|
||||
|
||||
location /.well-known/acme-challenge {
|
||||
default_type "text/plain";
|
||||
|
@ -10,7 +15,7 @@ server {
|
|||
}
|
||||
|
||||
location / {
|
||||
return 301 https://{{ hackmd_domain }}$request_uri;
|
||||
return 301 https://{{ hedgedoc_domain }}$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -18,21 +23,30 @@ server {
|
|||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name {{ hackmd_domain }};
|
||||
server_name {{ hedgedoc_domain }};
|
||||
|
||||
ssl_certificate_key /etc/nginx/ssl/{{ hackmd_domain }}.key;
|
||||
ssl_certificate /etc/nginx/ssl/{{ hackmd_domain }}.crt;
|
||||
ssl_certificate_key /etc/nginx/ssl/{{ hedgedoc_domain }}.key;
|
||||
ssl_certificate /etc/nginx/ssl/{{ hedgedoc_domain }}.crt;
|
||||
|
||||
# set max upload size
|
||||
client_max_body_size 8M;
|
||||
|
||||
location / {
|
||||
proxy_pass http://localhost:3000;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_pass http://localhost:3000;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
|
||||
|
||||
location /socket.io/ {
|
||||
proxy_pass http://127.0.0.1:3000;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
}
|
||||
}
|
||||
|
|
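Review bot: In `location /` the new `proxy_set_header Connection "Upgrade";` sends an Upgrade hint on every proxied request, plain HTTP ones included, while the `map $http_upgrade $connection_upgrade` added at the top of the file exists precisely to emit `upgrade` only when the client asked for it; use `proxy_set_header Connection $connection_upgrade;` here, as the `/socket.io/` block already does. The two blocks also differ in upstream address (`http://localhost:3000` versus `http://127.0.0.1:3000`); `localhost` may resolve to `::1` first and is worth aligning with the literal address. Since `/socket.io/` now has its own handler, the Upgrade headers in `location /` may be redundant altogether; if so, dropping them keeps the two blocks from diverging further.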
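--- /dev/null
+++ b/roles/icinga-monitor/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+
+icinga_user: nagios
+icinga_group: nagios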
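--- /dev/null
+++ b/roles/icinga-monitor/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Restart icinga2
+service: name=icinga2 state=restarted
+delegate_to: "{{ icinga_server }}"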
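--- /dev/null
+++ b/roles/icinga-monitor/tasks/http.yml
@@ -0,0 +1,17 @@
+---
+
+- name: Configure monitoring for vhost
+template:
+src: http.j2
+dest: /etc/icinga2/conf.d/hosts/{{ inventory_hostname }}.http_{{ vhost }}
+owner: "{{ icinga_user }}"
+group: "{{ icinga_group }}"
+delegate_to: "{{ icinga_server }}"
+
+- name: Regenerate hosts.conf
+assemble:
+src: /etc/icinga2/conf.d/hosts
+dest: /etc/icinga2/conf.d/hosts.conf
+# validate: /usr/sbin/icinga2 daemon -c %s --validate
+notify: Restart icinga2
+delegate_to: "{{ icinga_server }}"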
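Review bot: `Regenerate hosts.conf` leaves `validate:` commented out, so a malformed snippet rendered by `Configure monitoring for vhost` is only discovered when the `Restart icinga2` handler fails on the monitoring host, taking monitoring down with it. The commented `icinga2 daemon -c %s --validate` would presumably fail regardless, because `assemble` validates the temporary file on its own, without the rest of the Icinga configuration; a follow-up `command: icinga2 daemon -C` on `{{ icinga_server }}` that runs before the restart is notified would catch the problem against the full configuration. `vhost` also flows unquoted into `dest:`; it is only set from role vars in this series, and a comment above the task stating that callers must pass a plain hostname would document that expectation.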
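--- /dev/null
+++ b/roles/icinga-monitor/templates/http.j2
@@ -0,0 +1,13 @@
+
+vars.http_vhosts["{{ vhost }}"] = {
+http_sni = "true"
+http_ssl = "true"
+http_vhost = "{{ vhost }}"
+}
+
+vars.http_vhosts["{{ vhost }} cert"] = {
+http_certificate = "25,15"
+http_sni = "true"
+http_ssl = "true"
+http_vhost = "{{ vhost }}"
+}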
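--- /dev/null
+++ b/roles/icinga/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+
+icinga_user: nagios
+icinga_group: nagios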
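--- /dev/null
+++ b/roles/icinga/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Run acertmgr
+command: /usr/bin/acertmgr
+
+- name: Restart icinga2
+service: name=icinga2 state=restarted
+
+- name: Restart nginx
+service: name=nginx state=restarted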
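--- /dev/null
+++ b/roles/icinga/tasks/main.yml
@@ -0,0 +1,114 @@
+---
+
+- name: Enable icinga apt-key
+apt_key: url="https://packages.icinga.com/icinga.key"
+
+- name: Enable icinga repository
+apt_repository:
+repo: "deb https://packages.icinga.com/debian icinga-{{ ansible_distribution_release }} main"
+filename: icinga
+
+- name: Install icinga
+apt:
+name:
+- php-fpm
+- php-pgsql
+- icinga2
+- icinga2-ido-pgsql
+- icingaweb2
+
+- name: Install PostgreSQL
+apt:
+name:
+- postgresql
+- python3-psycopg2
+
+- name: Configure icinga database
+postgresql_db: name={{ icinga_dbname }}
+become: true
+become_user: postgres
+register: icinga_ido_db
+
+- name: Configure icinga database user
+postgresql_user: db={{ icinga_dbname }} name={{ icinga_dbuser }} password={{ icinga_dbpass }} priv=ALL state=present
+become: true
+become_user: postgres
+
+# FIXME it is not possible to use login_username and login_password here in order to change the role to icinga
+# so as a workaround you have to insert "SET ROLE icinga;" manually at the top of the referred sql file
+- name: Configure database schema
+postgresql_db: name={{ icinga_dbname }} target=/usr/share/icinga2-ido-pgsql/schema/pgsql.sql state=restore
+become: true
+become_user: postgres
+when: icinga_ido_db.changed
+
+- name: Configure icingaweb database
+postgresql_db: name={{ icingaweb_dbname }}
+become: true
+become_user: postgres
+
+- name: Configure icingaweb database user
+postgresql_user: db={{ icingaweb_dbname }} name={{ icingaweb_dbuser }} password={{ icingaweb_dbpass }} priv=ALL state=present
+become: true
+become_user: postgres
+
+- name: Configure icinga ido pgsql
+template: src=icinga2/features-available/ido-pgsql.conf.j2 dest=/etc/icinga2/features-available/ido-pgsql.conf owner={{ icinga_user }} group={{ icinga_group }}
+notify: Restart icinga2
+
+- name: Enable icinga ido PostgreSQL
+command: "icinga2 feature enable ido-pgsql"
+register: features_result
+changed_when: "'for these changes to take effect' in features_result.stdout"
+notify: Restart icinga2
+
+- name: Ensure directory for host snippets exists
+file:
+path: /etc/icinga2/conf.d/hosts
+state: directory
+owner: "{{ icinga_user }}"
+group: "{{ icinga_group }}"
+
+- name: Prepare host snippets
+template: src=icinga2/conf.d/hosts.header.j2 dest=/etc/icinga2/conf.d/hosts/{{ item }}.00_header owner={{ icinga_user }} group={{ icinga_group }}
+loop: "{{ groups['all'] }}"
+
+- name: Prepare host snippets
+template: src=icinga2/conf.d/hosts.footer.j2 dest=/etc/icinga2/conf.d/hosts/{{ item }}.zz_footer owner={{ icinga_user }} group={{ icinga_group }}
+loop: "{{ groups['all'] }}"
+
+- name: Create group icingaweb2
+group: name=icingaweb2 system=yes
+
+- name: Add www-data to icingaweb2
+user: name=www-data append=yes groups=icingaweb2
+
+- name: Ensure certificates are available
+command:
+cmd: >
+openssl req -x509 -nodes -newkey rsa:2048
+-keyout /etc/nginx/ssl/{{ icinga_domain }}.key -out /etc/nginx/ssl/{{ icinga_domain }}.crt
+-days 730 -subj "/CN={{ icinga_domain }}"
+creates: /etc/nginx/ssl/{{ icinga_domain }}.crt
+notify: Restart nginx
+
+- name: Request nsupdate key for certificate
+include_role: name=acme-dnskey-generate
+vars:
+acme_dnskey_san_domains:
+- "{{ icinga_domain }}"
+
+- name: Configure certificate manager for icinga
+template: src=certs.j2 dest=/etc/acertmgr/{{ icinga_domain }}.conf
+notify: Run acertmgr
+
+- name: Configure vhost
+template: src=vhost.j2 dest=/etc/nginx/sites-available/icinga
+notify: Restart nginx
+
+- name: Enable vhost
+file: src=/etc/nginx/sites-available/icinga dest=/etc/nginx/sites-enabled/icinga state=link
+notify: Restart nginx
+
+- name: Start php7.4-fpm
+service: name=php7.4-fpm state=started enabled=yes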
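Review bot: The two `Prepare host snippets` tasks share one name, so play output, `--start-at-task` and `--list-tasks` cannot tell the header template from the footer template; `- name: Prepare host snippet headers` and `- name: Prepare host snippet footers` would separate them. `Enable icinga apt-key` adds the vendor key to the global apt keyring through the deprecated `apt_key` module, which trusts that key for every configured repository; current Debian practice is to store it under /etc/apt/keyrings and scope it with `[signed-by=...]` in the `apt_repository` line. The FIXME above `Configure database schema` describes a manual edit of the packaged schema file that the play cannot detect, and without it the restore presumably leaves the IDO objects owned by postgres, so the play reports success while the IDO connection fails at runtime; an `assert:` guarding that precondition, or at least a README entry, would make the manual step visible. `Start php7.4-fpm` pins a PHP version that the versionless `php-fpm` package above does not, so the two will drift on the next PHP bump.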
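--- /dev/null
+++ b/roles/icinga/templates/certs.j2
@@ -0,0 +1,18 @@
+---
+
+{{ icinga_domain }}:
+- mode: dns.nsupdate
+nsupdate_server: {{ acme_dnskey_server }}
+nsupdate_keyfile: {{ acme_dnskey_file }}
+- path: /etc/nginx/ssl/{{ icinga_domain }}.key
+user: root
+group: root
+perm: '400'
+format: key
+action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ icinga_domain }}.crt
+user: root
+group: root
+perm: '400'
+format: crt,ca
+action: '/usr/sbin/service nginx restart'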
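--- /dev/null
+++ b/roles/icinga/templates/icinga2/conf.d/hosts.footer.j2
@@ -0,0 +1,2 @@
+}
+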
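--- /dev/null
+++ b/roles/icinga/templates/icinga2/conf.d/hosts.header.j2
@@ -0,0 +1,9 @@
+object Host "{{ item }}" {
+/* Import the default host template defined in `templates.conf`. */
+import "generic-host"
+
+/* Specify the address attributes for checks e.g. `ssh` or `http`. */
+address = "{{ item }}"
+
+/* Set custom variable `os` for hostgroup assignment in `groups.conf`. */
+vars.os = "Linux"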
@ -0,0 +1,13 @@
|
|||
/**
|
||||
* The db_ido_pgsql library implements IDO functionality
|
||||
* for PostgreSQL.
|
||||
*/
|
||||
|
||||
library "db_ido_pgsql"
|
||||
|
||||
object IdoPgsqlConnection "ido-pgsql" {
|
||||
user = "{{ icinga_dbuser}}",
|
||||
password = "{{ icinga_dbpass }}",
|
||||
host = "localhost",
|
||||
database = "{{ icinga_dbname }}"
|
||||
}
|
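--- /dev/null
+++ b/roles/icinga/templates/vhost.j2
@@ -0,0 +1,36 @@
+server {
+listen 80;
+listen [::]:80;
+
+server_name {{ icinga_domain }};
+
+location / {
+return 301 https://{{ icinga_domain }}$request_uri;
+}
+}
+
+server {
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+
+server_name {{ icinga_domain }};
+
+ssl_certificate_key /etc/nginx/ssl/{{ icinga_domain }}.key;
+ssl_certificate /etc/nginx/ssl/{{ icinga_domain }}.crt;
+
+location ~ ^/icingaweb2/index\.php(.*)$ {
+fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
+fastcgi_index index.php;
+include fastcgi_params;
+fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php;
+fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
+fastcgi_param REMOTE_USER $remote_user;
+}
+
+location ~ ^/icingaweb2(.+)? {
+alias /usr/share/icingaweb2/public;
+index index.php;
+try_files $1 $uri $uri/ /icingaweb2/index.php$is_args$args;
+}
+
+}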
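Review bot: `fastcgi_param REMOTE_USER $remote_user;` forwards whatever user name a client places in a Basic `Authorization` header, because nginx parses `$remote_user` out of that header even when no `auth_basic` directive verifies it, and this server block configures no authentication at all. While Icinga Web 2 uses its own database or LDAP login this is inert, but if its external authentication backend is ever enabled that header becomes an unverified identity; either drop the param or pair it with `auth_basic` in the `index.php` location, and record the decision in a comment above the line. The `alias` plus `try_files $1 ...` pairing in the second location follows the upstream Icinga Web 2 example and depends on nginx's alias handling inside regex locations; a comment naming that source would stop a later reader from "fixing" it. Neither server block sets `ssl_protocols` or `ssl_ciphers`, so the TLS policy presumably comes from the global nginx configuration, which is not visible here.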
@ -1,8 +1,5 @@
|
|||
---
|
||||
|
||||
- name: Ensure apt over https is available
|
||||
apt: name=apt-transport-https
|
||||
|
||||
- name: Add Jitsi repo key
|
||||
apt_key:
|
||||
id: EF8B479E2DC1389C
|
||||
|
|
|
@ -7,20 +7,20 @@
|
|||
- git
|
||||
- graphviz
|
||||
- imagemagick
|
||||
- mtr-tiny
|
||||
- mariadb-server
|
||||
- mtr-tiny
|
||||
- nmap
|
||||
- php-cli
|
||||
- php-curl
|
||||
- php-fpm
|
||||
- php-gd
|
||||
- php-json
|
||||
- php-mbstring
|
||||
- php-mysql
|
||||
- php-net-ipv4
|
||||
- php-net-ipv6
|
||||
- php-pear
|
||||
- php7.3-cli
|
||||
- php7.3-curl
|
||||
- php7.3-fpm
|
||||
- php7.3-gd
|
||||
- php7.3-json
|
||||
- php7.3-mbstring
|
||||
- php7.3-mysql
|
||||
- php7.3-snmp
|
||||
- php-snmp
|
||||
- python3-dotenv
|
||||
- python3-pymysql
|
||||
- python3-redis
|
||||
|
@ -51,8 +51,8 @@
|
|||
regexp: ';?date\.timezone'
|
||||
line: 'date.timezone = Europe/Berlin'
|
||||
with_items:
|
||||
- /etc/php/7.3/cli/php.ini
|
||||
- /etc/php/7.3/fpm/php.ini
|
||||
- /etc/php/7.4/cli/php.ini
|
||||
- /etc/php/7.4/fpm/php.ini
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ librenms_domain }}.key -out /etc/nginx/ssl/{{ librenms_domain }}.crt -days 730 -subj "/CN={{ librenms_domain }}" creates=/etc/nginx/ssl/{{ librenms_domain }}.crt
|
||||
|
@ -76,5 +76,10 @@
|
|||
file: src=/etc/nginx/sites-available/librenms dest=/etc/nginx/sites-enabled/librenms state=link
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Start php7.3-fpm
|
||||
service: name=php7.3-fpm state=started enabled=yes
|
||||
- name: Start php7.4-fpm
|
||||
service: name=php7.4-fpm state=started enabled=yes
|
||||
|
||||
- name: Enable monitoring
|
||||
include_role: name=icinga-monitor tasks_from=http
|
||||
vars:
|
||||
vhost: "{{ librenms_domain }}"
|
||||
|
|
|
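Review bot: The package list now uses the versionless `php-*` metapackages, but `/etc/php/7.4/cli/php.ini`, `/etc/php/7.4/fpm/php.ini`, `Start php7.4-fpm` and the `php7.4-fpm.sock` in the vhost hunk that follows still pin 7.4, so the next Debian PHP bump moves the metapackages to a new version while these paths keep pointing at the old one. A single role variable (constructed example: `php_version: "7.4"` in the role defaults) used in the `with_items` paths, the service name and the vhost socket would keep them in step. The `lineinfile` task those `with_items` paths belong to starts outside the hunk.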
@ -31,7 +31,7 @@ server {
|
|||
include fastcgi_params;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
|
||||
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
|
||||
fastcgi_intercept_errors on;
|
||||
}
|
||||
|
||||
|
|
|
@ -1,3 +1,12 @@
|
|||
---
|
||||
|
||||
mail_srs_domain: "srs.{{ mail_domain }}"
|
||||
|
||||
mailman3_site_owner: "mailman3@binary-kitchen.de"
|
||||
mailman3_dbname: "mailman3"
|
||||
mailman3web_dbname: "mailman3web"
|
||||
mailman3_dbuser: "mailman3"
|
||||
mailman3_dbpass: "{{ vault_mail_mailman3_dbpass }}"
|
||||
mailman3_restadminpass: "{{ vault_mail_mailman3_restadminpass }}"
|
||||
mailman3_archiverkey: "{{ vault_mail_mailman3_archiverkey }}"
|
||||
mailman3_secretkey: "{{ vault_mail_mailman3_secretkey }}"
|
||||
|
|
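--- /dev/null
+++ b/roles/mail/files/mailman/uwsgi.ini
@@ -0,0 +1,52 @@
+[uwsgi]
+# Port on which uwsgi will be listening.
+uwsgi-socket = /run/mailman3-web/uwsgi.sock
+
+#Enable threading for python
+enable-threads = true
+
+# Move to the directory wher the django files are.
+chdir = /usr/share/mailman3-web
+
+# Use the wsgi file provided with the django project.
+#wsgi-file = wsgi.py
+mount = /mailman3=wsgi.py
+manage-script-name = true
+
+# Setup default number of processes and threads per process.
+master = true
+process = 2
+threads = 2
+
+# Drop privielges and don't run as root.
+uid = www-data
+gid = www-data
+
+plugins = python3
+
+# Setup the django_q related worker processes.
+attach-daemon = python3 manage.py qcluster
+
+# Setup hyperkitty's cron jobs.
+#unique-cron = -1 -1 -1 -1 -1 ./manage.py runjobs minutely
+#unique-cron = -15 -1 -1 -1 -1 ./manage.py runjobs quarter_hourly
+#unique-cron = 0 -1 -1 -1 -1 ./manage.py runjobs hourly
+#unique-cron = 0 0 -1 -1 -1 ./manage.py runjobs daily
+#unique-cron = 0 0 1 -1 -1 ./manage.py runjobs monthly
+#unique-cron = 0 0 -1 -1 0 ./manage.py runjobs weekly
+#unique-cron = 0 0 1 1 -1 ./manage.py runjobs yearly
+
+# Setup the request log.
+#req-logger = file:/var/log/mailman3/web/mailman-web.log
+
+# Log cron seperately.
+#logger = cron file:/var/log/mailman3/web/mailman-web-cron.log
+#log-route = cron uwsgi-cron
+
+# Log qcluster commands seperately.
+#logger = qcluster file:/var/log/mailman3/web/mailman-web-qcluster.log
+#log-route = qcluster uwsgi-daemons
+
+# Last log and it logs the rest of the stuff.
+#logger = file:/var/log/mailman3/web/mailman-web-error.log
+logto = /var/log/mailman3/web/mailman-web.log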
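Review bot: `process = 2` is not the option uwsgi documents for the worker count (that is `processes`, alias `workers`), and uwsgi ignores unrecognised options unless `strict = true` is set, so this file most likely runs a single worker while the comment above promises two. Changing the line to `processes = 2` and adding `strict = true` next to `master = true` would make the next typo fail at startup instead of being dropped silently. All `#unique-cron` lines for HyperKitty's periodic jobs are commented out; if the Debian package's cron entries are relied on instead, a comment saying so would keep someone from re-enabling both.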
@ -17,6 +17,12 @@
|
|||
- name: Restart rspamd
|
||||
service: name=rspamd state=restarted
|
||||
|
||||
- name: Restart mailman3
|
||||
service: name=mailman3 state=restarted
|
||||
|
||||
- name: Restart mailman3web
|
||||
service: name=mailman3-web state=restarted
|
||||
|
||||
- name: Run acertmgr
|
||||
command: /usr/bin/acertmgr
|
||||
|
||||
|
|
|
@ -16,9 +16,9 @@
|
|||
- dovecot-ldap
|
||||
- dovecot-managesieved
|
||||
- dovecot-sieve
|
||||
- fcgiwrap
|
||||
- mailman
|
||||
- mailman3
|
||||
- mailman3-full
|
||||
- python3-psycopg2
|
||||
- postgresql
|
||||
- postfix
|
||||
- postsrsd
|
||||
- redis-server
|
||||
|
@ -99,12 +99,6 @@
|
|||
file: path=/etc/dovecot/ssl/{{ mail_server }}.key owner=dovecot mode=0400
|
||||
notify: Restart dovecot
|
||||
|
||||
- name: Configure mailman
|
||||
template: src={{ item }}.j2 dest=/etc/{{ item }}
|
||||
with_items:
|
||||
- mailman/mm_cfg.py
|
||||
notify: Restart postfix
|
||||
|
||||
- name: Configure mailman vhost
|
||||
template: src=nginx/vhost.j2 dest=/etc/nginx/sites-available/mailman
|
||||
notify: Restart nginx
|
||||
|
@ -121,6 +115,44 @@
|
|||
file: path=/etc/nginx/ssl/{{ mailman_domain }}.key owner=root mode=0400
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Configure PostgreSQL database for mailman3
|
||||
postgresql_db: name={{ mailman3_dbname }}
|
||||
become: true
|
||||
become_user: postgres
|
||||
|
||||
- name: Configure PostgreSQL user
|
||||
postgresql_user: db={{ mailman3_dbname }} name={{ mailman3_dbuser }} password={{ mailman3_dbpass }} priv=ALL state=present
|
||||
become: true
|
||||
become_user: postgres
|
||||
|
||||
- name: Configure PostgreSQL database for mailman3-web
|
||||
postgresql_db: name={{ mailman3web_dbname }} owner={{ mailman3_dbuser }}
|
||||
become: true
|
||||
become_user: postgres
|
||||
register: mailman_createdb
|
||||
|
||||
- name: Configure mailman3
|
||||
template: src=mailman/mailman.cfg.j2 dest=/etc/mailman3/mailman.cfg
|
||||
notify: Restart mailman3
|
||||
|
||||
- name: Configure mailman3 hyperkitty plugin
|
||||
template: src=mailman/mailman-hyperkitty.cfg.j2 dest=/etc/mailman3/mailman-hyperkitty.cfg
|
||||
notify: Restart mailman3
|
||||
|
||||
- name: Configure mailman3-web
|
||||
template: src=mailman/mailman-web.py.j2 dest=/etc/mailman3/mailman-web.py
|
||||
notify: Restart mailman3web
|
||||
|
||||
- name: Configure mailman3-web uwsgi
|
||||
copy: src=mailman/uwsgi.ini dest=/etc/mailman3/uwsgi.ini
|
||||
notify: Restart mailman3web
|
||||
|
||||
- name: Run mailman3-web migration script
|
||||
command:
|
||||
cmd: ./manage.py migrate
|
||||
chdir: /usr/share/mailman3-web
|
||||
when: mailman_createdb.changed
|
||||
|
||||
- name: Create postfix ssl directory
|
||||
file: path=/etc/postfix/ssl state=directory mode=0750 owner=postfix group=postfix
|
||||
|
||||
|
@ -142,7 +174,6 @@
|
|||
template: src={{ item }}.j2 dest=/etc/{{ item }}
|
||||
with_items:
|
||||
- postfix/helo_access
|
||||
- postfix/transport
|
||||
- postfix/virtual-alias
|
||||
notify: Run postmap
|
||||
|
||||
|
@ -182,3 +213,6 @@
|
|||
|
||||
- name: Start rspamd
|
||||
service: name=rspamd state=started enabled=yes
|
||||
|
||||
- name: Start mailman3
|
||||
service: name=mailman3 state=started enabled=yes
|
||||
|
|
|
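Review bot: `Run mailman3-web migration script` is gated on `mailman_createdb.changed`, so it runs only in the play that first creates the mailman3-web database; migrations shipped by later `mailman3-web` package upgrades are never applied through this play. Running `./manage.py migrate` unconditionally (Django migrations are idempotent) or gating it on the package installation task's result would be safer. The command also runs as root with no `become_user`, so anything it creates under /usr/share/mailman3-web or /var/log/mailman3 may end up unreadable to the `www-data` user that the shipped uwsgi.ini drops to; `become_user: www-data` (or whichever account the package expects) keeps ownership consistent. The `with_items` list the final hunk shortens begins outside it.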
@ -11,10 +11,10 @@ SRS_DOMAIN={{ mail_srs_domain }}
|
|||
# If a domain name starts with a dot, it matches all subdomains, but not
|
||||
# the domain itself. Separate multiple domains by space or comma.
|
||||
#
|
||||
SRS_EXCLUDE_DOMAINS=.{{ mail_domain }} {{ mail_domain }}
|
||||
SRS_EXCLUDE_DOMAINS=".{{ mail_domain }} {{ mail_domain }}
|
||||
{%- for domain in mail_domains %}
|
||||
.{{ domain }} {{ domain }}
|
||||
{%- endfor %}
|
||||
{%- endfor %}"
|
||||
|
||||
# First separator character after SRS0 or SRS1.
|
||||
# Can be one of: -+=
|
||||
|
|
|
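Review bot: The new quotes wrap a value whose loop body `.{{ domain }} {{ domain }}` is still joined to the previous entry either with a newline or, when `trim_blocks` is in effect (Ansible's template module enables it by default), with nothing at all, because the `{%-` markers strip the surrounding whitespace; neither is the space or comma separator the comment two lines above says postsrsd expects. Emitting the whole list on one line with an explicit separator avoids the question: `SRS_EXCLUDE_DOMAINS=".{{ mail_domain }} {{ mail_domain }}{% for domain in mail_domains %} .{{ domain }} {{ domain }}{% endfor %}"`. How /etc/default/postsrsd is read (shell sourcing versus a systemd EnvironmentFile), and therefore how a multi-line quoted value would be handled, is not visible here. The `SRS_DOMAIN` assignment shown in the hunk header lies outside the hunk.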
@ -31,8 +31,7 @@ dn = {{ ldap_binddn }}
|
|||
dnpass = {{ ldap_bindpw }}
|
||||
|
||||
# Use SASL binding instead of the simple binding. Note that this changes
|
||||
# ldap_version automatically to be 3 if it's lower. Also note that SASL binds
|
||||
# and auth_bind=yes don't work together.
|
||||
# ldap_version automatically to be 3 if it's lower.
|
||||
#sasl_bind = no
|
||||
# SASL mechanism name to use.
|
||||
#sasl_mech =
|
||||
|
@ -46,7 +45,7 @@ dnpass = {{ ldap_bindpw }}
|
|||
#tls = no
|
||||
# TLS options, currently supported only with OpenLDAP:
|
||||
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
|
||||
#tls_ca_cert_dir = /etc/ssl/certs
|
||||
#tls_ca_cert_dir =
|
||||
#tls_cipher_suite =
|
||||
# TLS cert/key is used only if LDAP server requires a client certificate.
|
||||
#tls_cert_file =
|
||||
|
|
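--- /dev/null
+++ b/roles/mail/templates/mailman/mailman-hyperkitty.cfg.j2
@@ -0,0 +1,21 @@
+# This is the mailman extension configuration file to enable HyperKitty as an
+# archiver. Remember to add the following lines in the mailman.cfg file:
+#
+# [archiver.hyperkitty]
+# class: mailman_hyperkitty.Archiver
+# enable: yes
+# configuration: /etc/mailman3/mailman-hyperkitty.cfg
+#
+
+[general]
+
+# This is your HyperKitty installation, preferably on the localhost. This
+# address will be used by Mailman to forward incoming emails to HyperKitty
+# for archiving. It does not need to be publicly available, in fact it's
+# better if it is not.
+#base_url: http://localhost/mailman3/hyperkitty/
+base_url: https://{{ mailman_domain }}/mailman3/hyperkitty/
+
+# Shared API key, must be the identical to the value in HyperKitty's
+# settings.
+api_key: {{ mailman3_archiverkey }}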
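Review bot: `base_url` points Mailman core at the public `https://{{ mailman_domain }}/mailman3/hyperkitty/`, while the comment kept directly above it recommends a localhost address because the archiver call never needs to be reachable from outside; routing it through the public vhost makes archiving depend on the TLS certificate being valid and on nginx's public listener, and carries `api_key` over that path. If the internal route is deliberately unavailable, replace the stale recommendation with a comment such as `# archiver calls go through the public vhost on purpose: no localhost listener is configured` so the next reader does not "correct" it; otherwise the commented localhost default is the safer choice.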
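--- /dev/null
+++ b/roles/mail/templates/mailman/mailman-web.py.j2
@@ -0,0 +1,204 @@
+# This file is imported by the Mailman Suite. It is used to override
+# the default settings from /usr/share/mailman3-web/settings.py.
+
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = '{{ mailman3_secretkey }}'
+
+ADMINS = (
+('Mailman Suite Admin', 'root@localhost'),
+)
+
+# Hosts/domain names that are valid for this site; required if DEBUG is False
+# See https://docs.djangoproject.com/en/1.8/ref/settings/#allowed-hosts
+# Set to '*' per default in the Deian package to allow all hostnames. Mailman3
+# is meant to run behind a webserver reverse proxy anyway.
+ALLOWED_HOSTS = [
+#"localhost", # Archiving API from Mailman, keep it.
+# "lists.your-domain.org",
+# Add here all production URLs you may have.
+'localhost',
+'{{ mailman_domain }}'
+]
+
+# Mailman API credentials
+MAILMAN_REST_API_URL = 'http://localhost:8001'
+MAILMAN_REST_API_USER = 'restadmin'
+MAILMAN_REST_API_PASS = '{{ mailman3_restadminpass }}'
+MAILMAN_ARCHIVER_KEY = '{{ mailman3_archiverkey }}'
+MAILMAN_ARCHIVER_FROM = (
+'127.0.0.1',
+'::1',
+{% if hostvars[inventory_hostname]['ansible_default_ipv4']['address'] is defined %}
+'{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address']}}',
+{% endif%}
+{% if hostvars[inventory_hostname]['ansible_default_ipv6']['address'] is defined %}
+'{{ hostvars[inventory_hostname]['ansible_default_ipv6']['address']}}',
+{% endif%}
+)
+
+# Application definition
+
+INSTALLED_APPS = (
+'hyperkitty',
+'postorius',
+'django_mailman3',
+# Uncomment the next line to enable the admin:
+'django.contrib.admin',
+# Uncomment the next line to enable admin documentation:
+# 'django.contrib.admindocs',
+'django.contrib.auth',
+'django.contrib.contenttypes',
+'django.contrib.sessions',
+'django.contrib.sites',
+'django.contrib.messages',
+'django.contrib.staticfiles',
+'rest_framework',
+'django_gravatar',
+'compressor',
+'haystack',
+'django_extensions',
+'django_q',
+'allauth',
+'allauth.account',
+'allauth.socialaccount',
+'django_mailman3.lib.auth.fedora',
+#'allauth.socialaccount.providers.openid',
+#'allauth.socialaccount.providers.github',
+#'allauth.socialaccount.providers.gitlab',
+#'allauth.socialaccount.providers.google',
+#'allauth.socialaccount.providers.facebook',
+#'allauth.socialaccount.providers.twitter',
+#'allauth.socialaccount.providers.stackexchange',
+)
+
+
+# Database
+# https://docs.djangoproject.com/en/1.8/ref/settings/#databases
+
+DATABASES = {
+'default': {
+# Use 'sqlite3', 'postgresql_psycopg2', 'mysql', 'sqlite3' or 'oracle'.
+#'ENGINE': 'django.db.backends.sqlite3',
+'ENGINE': 'django.db.backends.postgresql_psycopg2',
+#'ENGINE': 'django.db.backends.mysql',
+# DB name or path to database file if using sqlite3.
+#'NAME': '/var/lib/mailman3/web/mailman3web.db',
+'NAME': '{{ mailman3web_dbname }}',
+# The following settings are not used with sqlite3:
+'USER': '{{ mailman3_dbuser }}',
+'PASSWORD': '{{ mailman3_dbpass }}',
+# HOST: empty for localhost through domain sockets or '127.0.0.1' for
+# localhost through TCP.
+'HOST': 'localhost',
+# PORT: set to empty string for default.
+'PORT': '5432',
+# OPTIONS: Extra parameters to use when connecting to the database.
+'OPTIONS': {
+# Set sql_mode to 'STRICT_TRANS_TABLES' for MySQL. See
+# https://docs.djangoproject.com/en/1.11/ref/
+# databases/#setting-sql-mode
+#'init_command': "SET sql_mode='STRICT_TRANS_TABLES'",
+},
+}
+}
+
+
+# If you're behind a proxy, use the X-Forwarded-Host header
+# See https://docs.djangoproject.com/en/1.8/ref/settings/#use-x-forwarded-host
+USE_X_FORWARDED_HOST = True
+
+# And if your proxy does your SSL encoding for you, set SECURE_PROXY_SSL_HEADER
+# https://docs.djangoproject.com/en/1.8/ref/settings/#secure-proxy-ssl-header
+# SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+# SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_SCHEME', 'https')
+
+# Other security settings
+# SECURE_SSL_REDIRECT = True
+# If you set SECURE_SSL_REDIRECT to True, make sure the SECURE_REDIRECT_EXEMPT
+# contains at least this line:
+# SECURE_REDIRECT_EXEMPT = [
+# "archives/api/mailman/.*", # Request from Mailman.
+# ]
+# SESSION_COOKIE_SECURE = True
+# SECURE_CONTENT_TYPE_NOSNIFF = True
+# SECURE_BROWSER_XSS_FILTER = True
+# CSRF_COOKIE_SECURE = True
+# CSRF_COOKIE_HTTPONLY = True
+# X_FRAME_OPTIONS = 'DENY'
+
+
+# Internationalization
+# https://docs.djangoproject.com/en/1.8/topics/i18n/
+
+LANGUAGE_CODE = 'en-us'
+
+TIME_ZONE = 'UTC'
+
+USE_I18N = True
+USE_L10N = True
+USE_TZ = True
+
+
+# Set default domain for email addresses.
+EMAILNAME = '{{ mail_domain }}'
+
+# If you enable internal authentication, this is the address that the emails
+# will appear to be coming from. Make sure you set a valid domain name,
+# otherwise the emails may get rejected.
+# https://docs.djangoproject.com/en/1.8/ref/settings/#default-from-email
+# DEFAULT_FROM_EMAIL = "mailing-lists@you-domain.org"
+DEFAULT_FROM_EMAIL = 'postorius@{}'.format(EMAILNAME)
+
+# If you enable email reporting for error messages, this is where those emails
+# will appear to be coming from. Make sure you set a valid domain name,
+# otherwise the emails may get rejected.
+# https://docs.djangoproject.com/en/1.8/ref/settings/#std:setting-SERVER_EMAIL
+# SERVER_EMAIL = 'root@your-domain.org'
+SERVER_EMAIL = 'root@{}'.format(EMAILNAME)
+
+
+# Django Allauth
+ACCOUNT_DEFAULT_HTTP_PROTOCOL = "https"
+
+
+#
+# Social auth
+#
+SOCIALACCOUNT_PROVIDERS = {
+#'openid': {
+# 'SERVERS': [
+# dict(id='yahoo',
+# name='Yahoo',
+# openid_url='http://me.yahoo.com'),
+# ],
+#},
+#'google': {
+# 'SCOPE': ['profile', 'email'],
+# 'AUTH_PARAMS': {'access_type': 'online'},
+#},
+#'facebook': {
+# 'METHOD': 'oauth2',
+# 'SCOPE': ['email'],
+# 'FIELDS': [
+# 'email',
+# 'name',
+# 'first_name',
+# 'last_name',
+# 'locale',
+# 'timezone',
+# ],
+# 'VERSION': 'v2.4',
+#},
+}
+
+# On a production setup, setting COMPRESS_OFFLINE to True will bring a
+# significant performance improvement, as CSS files will not need to be
+# recompiled on each requests. It means running an additional "compress"
+# management command after each code upgrade.
+# http://django-compressor.readthedocs.io/en/latest/usage/#offline-compression
+COMPRESS_OFFLINE = True
+
+POSTORIUS_TEMPLATE_BASE_URL = 'http://localhost/mailman3/'
+
+# This is a quick and dirty hack - maybe there is a way to reliably retrieve the right ID?
+SITE_ID = 2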
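Review bot: `SESSION_COOKIE_SECURE`, `CSRF_COOKIE_SECURE` and `X_FRAME_OPTIONS` are left commented out in the "Other security settings" block even though this deployment is HTTPS-only (`ACCOUNT_DEFAULT_HTTP_PROTOCOL = "https"` here, and the public `base_url` in mailman-hyperkitty.cfg.j2 uses https), so Django will issue its session and CSRF cookies without the Secure attribute. I'd uncomment `SESSION_COOKIE_SECURE = True`, `CSRF_COOKIE_SECURE = True` and `X_FRAME_OPTIONS = 'DENY'`. That presumes uwsgi reports the request scheme to Django via the stock `uwsgi_params` nginx includes for `/mailman3/`; if it does not, `SECURE_PROXY_SSL_HEADER` has to be enabled alongside, otherwise Django's CSRF origin check on https will fail. Separately, `SITE_ID = 2` is labelled a "quick and dirty hack" — the comment should at least say which django.contrib.sites row it refers to, or the value should come from an inventory variable so it is not silently wrong on a rebuilt database.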
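--- /dev/null
+++ b/roles/mail/templates/mailman/mailman.cfg.j2
@@ -0,0 +1,75 @@
+[mailman]
+site_owner: {{ mailman3_site_owner }}
+noreply_address: noreply
+default_language: en
+sender_headers: from from_ reply-to sender
+email_commands_max_lines: 10
+pending_request_life: 3d
+cache_life: 7d
+pre_hook:
+post_hook:
+layout: debian
+filtered_messages_are_preservable: no
+html_to_plain_text_command: /usr/bin/lynx -dump $filename
+listname_chars: [-_.0-9a-z]
+
+[shell]
+prompt: >>>
+banner: Welcome to the GNU Mailman shell
+use_ipython: no
+history_file:
+
+[paths.debian]
+var_dir: /var/lib/mailman3
+queue_dir: $var_dir/queue
+bin_dir: /usr/lib/mailman3/bin
+list_data_dir: $var_dir/lists
+log_dir: /var/log/mailman3
+lock_dir: $var_dir/locks
+data_dir: $var_dir/data
+cache_dir: $var_dir/cache
+etc_dir: /etc/mailman3
+ext_dir: $var_dir/ext
+messages_dir: $var_dir/messages
+archive_dir: $var_dir/archives
+template_dir: $var_dir/templates
+pid_file: /run/mailman3/master.pid
+lock_file: $lock_dir/master.lck
+
+[database]
+class: mailman.database.postgresql.PostgreSQLDatabase
+url: postgres://{{ mailman3_dbuser }}:{{ mailman3_dbpass }}@localhost/{{ mailman3_dbname }}
+debug: no
+
+[logging.debian]
+format: %(asctime)s (%(process)d) %(message)s
+datefmt: %b %d %H:%M:%S %Y
+propagate: no
+level: info
+path: mailman.log
+[webservice]
+hostname: localhost
+port: 8001
+use_https: no
+show_tracebacks: yes
+api_version: 3.1
+admin_user: restadmin
+admin_pass: {{ mailman3_restadminpass }}
+
+[mta]
+remove_dkim_headers: yes
+dmarc_mitigate_action: wrap_message
+incoming: mailman.mta.postfix.LMTP
+outgoing: mailman.mta.deliver.deliver
+smtp_host: localhost
+smtp_port: 25
+smtp_user:
+smtp_pass:
+lmtp_host: 127.0.0.1
+lmtp_port: 8024
+configuration: python:mailman.config.postfix
+
+[archiver.hyperkitty]
+class: mailman_hyperkitty.Archiver
+enable: yes
+configuration: /etc/mailman3/mailman-hyperkitty.cfg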
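Review bot: `show_tracebacks: yes` in `[webservice]` makes the REST API return Python tracebacks in its error responses; the listener is bound to localhost and protected by `admin_pass`, so exposure is limited, but for a production role `show_tracebacks: no` is the safer default and keeps internal paths and variable contents out of HTTP bodies. The file also embeds the database password in the `[database] url` and the REST password in `admin_pass`, so the template task that installs it (outside this diff) should set a restrictive mode such as owner-plus-service-group read only. A cosmetic point: the blank line between `path: mailman.log` and `[webservice]` is missing, which breaks the section spacing used everywhere else in the file.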
|
@ -1,115 +0,0 @@
|
|||
# -*- python -*-
|
||||
|
||||
# Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of the GNU General Public License
|
||||
# as published by the Free Software Foundation; either version 2
|
||||
# of the License, or (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
||||
# 02110-1301 USA
|
||||
|
||||
|
||||
"""This is the module which takes your site-specific settings.
|
||||
|
||||
From a raw distribution it should be copied to mm_cfg.py. If you
|
||||
already have an mm_cfg.py, be careful to add in only the new settings
|
||||
you want. The complete set of distributed defaults, with annotation,
|
||||
are in ./Defaults. In mm_cfg, override only those you want to
|
||||
change, after the
|
||||
|
||||
from Defaults import *
|
||||
|
||||
line (see below).
|
||||
|
||||
Note that these are just default settings - many can be overridden via the
|
||||
admin and user interfaces on a per-list or per-user basis.
|
||||
|
||||
Note also that some of the settings are resolved against the active list
|
||||
setting by using the value as a format string against the
|
||||
list-instance-object's dictionary - see the distributed value of
|
||||
DEFAULT_MSG_FOOTER for an example."""
|
||||
|
||||
|
||||
#######################################################
|
||||
# Here's where we get the distributed defaults. #
|
||||
|
||||
from Defaults import *
|
||||
|
||||
##############################################################
|
||||
# Put YOUR site-specific configuration below, in mm_cfg.py . #
|
||||
# See Defaults.py for explanations of the values. #
|
||||
|
||||
#-------------------------------------------------------------
|
||||
# The name of the list Mailman uses to send password reminders
|
||||
# and similar. Don't change if you want mailman-owner to be
|
||||
# a valid local part.
|
||||
MAILMAN_SITE_LIST = 'mailman'
|
||||
|
||||
#-------------------------------------------------------------
|
||||
# If you change these, you have to configure your http server
|
||||
# accordingly (Alias and ScriptAlias directives in most httpds)
|
||||
#DEFAULT_URL_PATTERN = 'http://%s/cgi-bin/mailman/'
|
||||
DEFAULT_URL_PATTERN = 'https://%s/'
|
||||
IMAGE_LOGOS = '/images/mailman/'
|
||||
|
||||
#-------------------------------------------------------------
|
||||
# Default domain for email addresses of newly created MLs
|
||||
DEFAULT_EMAIL_HOST = '{{ mailman_domain }}'
|
||||
#-------------------------------------------------------------
|
||||
# Default host for web interface of newly created MLs
|
||||
DEFAULT_URL_HOST = '{{ mailman_domain }}'
|
||||
#-------------------------------------------------------------
|
||||
# Required when setting any of its arguments.
|
||||
add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST)
|
||||
|
||||
#-------------------------------------------------------------
|
||||
# The default language for this server.
|
||||
DEFAULT_SERVER_LANGUAGE = 'en'
|
||||
|
||||
#-------------------------------------------------------------
|
||||
# Iirc this was used in pre 2.1, leave it for now
|
||||
USE_ENVELOPE_SENDER = 0 # Still used?
|
||||
|
||||
#-------------------------------------------------------------
|
||||
# Unset send_reminders on newly created lists
|
||||
DEFAULT_SEND_REMINDERS = 0
|
||||
|
||||
#-------------------------------------------------------------
|
||||
# Uncomment this if you configured your MTA such that it
|
||||
# automatically recognizes newly created lists.
|
||||
# (see /usr/share/doc/mailman/README.Exim4.Debian or
|
||||
# /usr/share/mailman/postfix-to-mailman.py)
|
||||
# MTA=None # Misnomer, suppresses alias output on newlist
|
||||
|
||||
#-------------------------------------------------------------
|
||||
# Uncomment if you use Postfix virtual domains (but not
|
||||
# postfix-to-mailman.py), but be sure to see
|
||||
# /usr/share/doc/mailman/README.Debian first.
|
||||
MTA='Postfix'
|
||||
|
||||
#-------------------------------------------------------------
|
||||
# Uncomment if you want to filter mail with SpamAssassin. For
|
||||
# more information please visit this website:
|
||||
# http://www.jamesh.id.au/articles/mailman-spamassassin/
|
||||
# GLOBAL_PIPELINE.insert(1, 'SpamAssassin')
|
||||
|
||||
POSTFIX_STYLE_VIRTUAL_DOMAINS = ['{{ mailman_domain }}']
|
||||
# alias for postmaster, abuse and mailer-daemon
|
||||
DEB_LISTMASTER = 'postmaster@{{ mail_domain }}'
|
||||
|
||||
# Remove, rename and preserve DKIM headers
|
||||
REMOVE_DKIM_HEADERS = 3
|
||||
# Munge From for DMARC
|
||||
DEFAULT_DMARC_MODERATION_ACTION = 1
|
||||
|
||||
# Note - if you're looking for something that is imported from mm_cfg, but you
|
||||
# didn't find it above, it's probably in /usr/lib/mailman/Mailman/Defaults.py.
|
|
@ -7,7 +7,7 @@ server {
|
|||
|
||||
server_name {{ mailman_domain }};
|
||||
|
||||
root /usr/lib/cgi-bin/mailman/;
|
||||
root /var/www/html/;
|
||||
|
||||
location /.well-known/acme-challenge {
|
||||
default_type "text/plain";
|
||||
|
@ -15,24 +15,27 @@ server {
|
|||
}
|
||||
|
||||
location = / {
|
||||
rewrite ^ /listinfo permanent;
|
||||
rewrite ^ /mailman3 redirect;
|
||||
}
|
||||
|
||||
location / {
|
||||
root /usr/lib/cgi-bin/mailman;
|
||||
fastcgi_split_path_info (^/[^/]*)(.*)$;
|
||||
fastcgi_pass unix:///var/run/fcgiwrap.socket;
|
||||
include /etc/nginx/fastcgi_params;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||
rewrite ^ /mailman3 redirect;
|
||||
}
|
||||
|
||||
location /images/mailman {
|
||||
alias /usr/share/images/mailman;
|
||||
location = /listinfo {
|
||||
rewrite ^ /mailman3 redirect;
|
||||
}
|
||||
|
||||
location /pipermail {
|
||||
alias /var/lib/mailman/archives/public;
|
||||
autoindex on;
|
||||
}
|
||||
location /mailman3/ {
|
||||
include /etc/nginx/uwsgi_params;
|
||||
uwsgi_pass unix:/run/mailman3-web/uwsgi.sock;
|
||||
}
|
||||
|
||||
location /mailman3/static {
|
||||
alias /var/lib/mailman3/web/static;
|
||||
}
|
||||
|
||||
location /mailman3/static/favicon.ico {
|
||||
alias /var/lib/mailman3/web/static/postorius/img/favicon.ico;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -11,6 +11,7 @@ inet_interfaces = all
|
|||
inet_protocols = all
|
||||
message_size_limit = 50000000
|
||||
recipient_delimiter = +
|
||||
owner_request_special = no
|
||||
unknown_local_recipient_reject_code = 550
|
||||
strict_rfc821_envelopes = yes
|
||||
disable_vrfy_command = yes
|
||||
|
@ -115,10 +116,12 @@ unverified_recipient_reject_code = 550
|
|||
unverified_recipient_reject_reason = Recipient unknown
|
||||
|
||||
# mailman
|
||||
relay_domains = {{ mailman_domain }}
|
||||
relay_recipient_maps = hash:/var/lib/mailman/data/virtual-mailman
|
||||
transport_maps = hash:/etc/postfix/transport
|
||||
mailman_destination_recipient_limit = 1
|
||||
relay_domains =
|
||||
hash:/var/lib/mailman3/data/postfix_domains
|
||||
local_recipient_maps =
|
||||
hash:/var/lib/mailman3/data/postfix_lmtp
|
||||
transport_maps =
|
||||
hash:/var/lib/mailman3/data/postfix_lmtp
|
||||
|
||||
# postsrsd
|
||||
# sender_canonical_maps = tcp:localhost:10001 - > see master.cf
|
||||
|
|
|
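Review bot: `local_recipient_maps = hash:/var/lib/mailman3/data/postfix_lmtp` in the second hunk appears to replace Postfix's default value rather than extend it; if this host still accepts mail for system accounts or aliases such as the `postmaster@{{ mail_domain }}` address the old mm_cfg.py referenced, those recipients will now be rejected with the `unknown_local_recipient_reject_code = 550` set earlier in main.cf. The Mailman 3 Postfix integration expects its map to be added to whatever was there before, e.g. `local_recipient_maps = proxy:unix:passwd.byname $alias_maps hash:/var/lib/mailman3/data/postfix_lmtp`. I cannot see the rest of main.cf, so this may be intentional if no local delivery remains; in that case a one-line comment saying so next to the setting would stop the next reader from "fixing" it.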
@ -131,5 +131,3 @@ bsmtp unix - n n - - pipe
|
|||
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
|
||||
scalemail-backend unix - n n - 2 pipe
|
||||
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
|
||||
mailman unix - n n - - pipe
|
||||
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
{{ mailman_domain }} mailman:
|