From ccd20af08134e907a9513897206a00daf08a35d0 Mon Sep 17 00:00:00 2001 From: Kevin Veen-Birkenbach Date: Thu, 24 Dec 2020 14:27:31 +0100 Subject: [PATCH] initial cleanup server-manager --- .gitignore | 2 + README.md | 24 + host_vars/.gitignore | 1 + roles/docker-gitea/meta/main.yml | 2 + roles/docker-gitea/tasks/main.yml | 49 ++ roles/docker-jenkins/meta/main.yml | 2 + roles/docker-jenkins/tasks/main.yml | 19 + roles/docker-joomla/README.md | 6 + roles/docker-joomla/meta/main.yml | 2 + roles/docker-joomla/tasks/main.yml | 36 + roles/docker-mediawiki/README.md | 144 ++++ roles/docker-mediawiki/meta/main.yml | 2 + roles/docker-mediawiki/tasks/main.yml | 30 + roles/docker-mybb/README.md | 7 + roles/docker-mybb/defaults/main.yml | 5 + roles/docker-mybb/meta/main.yml | 2 + roles/docker-mybb/tasks/main.yml | 47 ++ roles/docker-mybb/templates/default.conf | 32 + roles/docker-nextcloud/README.md | 22 + roles/docker-nextcloud/meta/main.yml | 2 + roles/docker-nextcloud/tasks/main.yml | 38 + .../templates/nextcloud.conf.j2 | 37 + roles/docker-postfix/README.md | 5 + roles/docker-postfix/meta/main.yml | 2 + roles/docker-postfix/tasks/main.yml | 36 + roles/docker-wireguard/README.md | 7 + roles/docker-wireguard/meta/main.yml | 2 + roles/docker-wireguard/tasks/main.yml | 41 ++ roles/docker-wordpress/meta/main.yml | 2 + roles/docker-wordpress/tasks/main.yml | 40 ++ roles/docker-yourls/meta/main.yml | 2 + roles/docker-yourls/tasks/main.yml | 39 + roles/native-certbot-nginx/handlers/main.yml | 4 + roles/native-certbot-nginx/meta/main.yml | 2 + roles/native-certbot-nginx/tasks/main.yml | 13 + .../templates/certbot.service | 7 + .../templates/certbot.timer | 10 + .../handlers/main.yml | 4 + .../native-docker-volume-backup/meta/main.yml | 3 + .../tasks/main.yml | 13 + .../templates/docker-volume-backup.service | 6 + .../templates/docker-volume-backup.timer | 9 + roles/native-docker/handlers/main.yml | 3 + roles/native-docker/tasks/main.yml | 9 + roles/native-git/tasks/main.yml | 2 + roles/native-homepage/meta/main.yml | 3 + roles/native-homepage/tasks/main.yml | 12 + .../templates/homepage.nginx.conf | 23 + roles/native-https-server/meta/main.yml | 3 + roles/native-letsencrypt/meta/main.yml | 2 + roles/native-letsencrypt/tasks/main.yml | 6 + .../templates/letsencrypt.conf.j2 | 16 + .../templates/ssl_header.j2 | 12 + roles/native-locales/tasks/main.yml | 8 + roles/native-locales/templates/locale.conf | 2 + roles/native-locales/templates/locale.gen | 498 +++++++++++++ roles/native-mariadb/handlers/main.yml | 3 + roles/native-mariadb/tasks/main.yml | 8 + roles/native-nginx-docker-proxy/meta/main.yml | 3 + .../templates/domain.conf.j2 | 13 + .../templates/proxy_pass.conf.j2 | 11 + roles/native-nginx/handlers/main.yml | 3 + roles/native-nginx/tasks/main.yml | 17 + roles/native-nginx/templates/nginx.conf | 21 + roles/native-pacman/tasks/main.yml | 4 + roles/native-postfix/meta/main.yml | 2 + roles/native-postfix/tasks/main.yml | 4 + roles/native-postfix/templates/aliases.j2 | 264 +++++++ roles/native-postfix/templates/main.cf.j2 | 680 ++++++++++++++++++ roles/native-security/meta/main.yml | 2 + roles/native-ssh/handlers/main.yml | 2 + roles/native-ssh/tasks/main.yml | 3 + roles/native-ssh/templates/sshd_config | 118 +++ roles/native-user-administrator/Readme.md | 3 + .../native-user-administrator/tasks/main.yml | 7 + roles/native-user-alarm/tasks/main.yml | 5 + roles/native-user-datasafer/tasks/main.yml | 6 + roles/native-wireguard/README.md | 10 + roles/native-wireguard/handlers/main.yml | 2 + roles/native-wireguard/tasks/main.yml | 6 + site.yml | 47 ++ 81 files changed, 2601 insertions(+) create mode 100644 .gitignore create mode 100644 README.md create mode 100644 host_vars/.gitignore create mode 100644 roles/docker-gitea/meta/main.yml create mode 100644 roles/docker-gitea/tasks/main.yml create mode 100644 roles/docker-jenkins/meta/main.yml create mode 100644 roles/docker-jenkins/tasks/main.yml create mode 100644 roles/docker-joomla/README.md create mode 100644 roles/docker-joomla/meta/main.yml create mode 100644 roles/docker-joomla/tasks/main.yml create mode 100644 roles/docker-mediawiki/README.md create mode 100644 roles/docker-mediawiki/meta/main.yml create mode 100644 roles/docker-mediawiki/tasks/main.yml create mode 100644 roles/docker-mybb/README.md create mode 100644 roles/docker-mybb/defaults/main.yml create mode 100644 roles/docker-mybb/meta/main.yml create mode 100644 roles/docker-mybb/tasks/main.yml create mode 100644 roles/docker-mybb/templates/default.conf create mode 100644 roles/docker-nextcloud/README.md create mode 100644 roles/docker-nextcloud/meta/main.yml create mode 100644 roles/docker-nextcloud/tasks/main.yml create mode 100644 roles/docker-nextcloud/templates/nextcloud.conf.j2 create mode 100644 roles/docker-postfix/README.md create mode 100644 roles/docker-postfix/meta/main.yml create mode 100644 roles/docker-postfix/tasks/main.yml create mode 100644 roles/docker-wireguard/README.md create mode 100644 roles/docker-wireguard/meta/main.yml create mode 100644 roles/docker-wireguard/tasks/main.yml create mode 100644 roles/docker-wordpress/meta/main.yml create mode 100644 roles/docker-wordpress/tasks/main.yml create mode 100644 roles/docker-yourls/meta/main.yml create mode 100644 roles/docker-yourls/tasks/main.yml create mode 100644 roles/native-certbot-nginx/handlers/main.yml create mode 100644 roles/native-certbot-nginx/meta/main.yml create mode 100644 roles/native-certbot-nginx/tasks/main.yml create mode 100644 roles/native-certbot-nginx/templates/certbot.service create mode 100644 roles/native-certbot-nginx/templates/certbot.timer create mode 100644 roles/native-docker-volume-backup/handlers/main.yml create mode 100644 roles/native-docker-volume-backup/meta/main.yml create mode 100644 roles/native-docker-volume-backup/tasks/main.yml create mode 100644 roles/native-docker-volume-backup/templates/docker-volume-backup.service create mode 100644 roles/native-docker-volume-backup/templates/docker-volume-backup.timer create mode 100644 roles/native-docker/handlers/main.yml create mode 100644 roles/native-docker/tasks/main.yml create mode 100644 roles/native-git/tasks/main.yml create mode 100644 roles/native-homepage/meta/main.yml create mode 100644 roles/native-homepage/tasks/main.yml create mode 100644 roles/native-homepage/templates/homepage.nginx.conf create mode 100644 roles/native-https-server/meta/main.yml create mode 100644 roles/native-letsencrypt/meta/main.yml create mode 100644 roles/native-letsencrypt/tasks/main.yml create mode 100644 roles/native-letsencrypt/templates/letsencrypt.conf.j2 create mode 100644 roles/native-letsencrypt/templates/ssl_header.j2 create mode 100644 roles/native-locales/tasks/main.yml create mode 100644 roles/native-locales/templates/locale.conf create mode 100644 roles/native-locales/templates/locale.gen create mode 100644 roles/native-mariadb/handlers/main.yml create mode 100644 roles/native-mariadb/tasks/main.yml create mode 100644 roles/native-nginx-docker-proxy/meta/main.yml create mode 100644 roles/native-nginx-docker-proxy/templates/domain.conf.j2 create mode 100644 roles/native-nginx-docker-proxy/templates/proxy_pass.conf.j2 create mode 100644 roles/native-nginx/handlers/main.yml create mode 100644 roles/native-nginx/tasks/main.yml create mode 100644 roles/native-nginx/templates/nginx.conf create mode 100644 roles/native-pacman/tasks/main.yml create mode 100644 roles/native-postfix/meta/main.yml create mode 100644 roles/native-postfix/tasks/main.yml create mode 100644 roles/native-postfix/templates/aliases.j2 create mode 100644 roles/native-postfix/templates/main.cf.j2 create mode 100644 roles/native-security/meta/main.yml create mode 100644 roles/native-ssh/handlers/main.yml create mode 100644 roles/native-ssh/tasks/main.yml create mode 100644 roles/native-ssh/templates/sshd_config create mode 100644 roles/native-user-administrator/Readme.md create mode 100644 roles/native-user-administrator/tasks/main.yml create mode 100644 roles/native-user-alarm/tasks/main.yml create mode 100644 roles/native-user-datasafer/tasks/main.yml create mode 100644 roles/native-wireguard/README.md create mode 100644 roles/native-wireguard/handlers/main.yml create mode 100644 roles/native-wireguard/tasks/main.yml create mode 100644 site.yml diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..98fe1bde --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +site.retry +hosts diff --git a/README.md b/README.md new file mode 100644 index 00000000..7fe822fb --- /dev/null +++ b/README.md @@ -0,0 +1,24 @@ +# Server-Manager +## Description +Ansible script to manage servers. + +## Setup +To use this script execute: +``bash +ansible-galaxy install kewlfft.aur +`` + +## Update +``bash +ansible-playbook -i hosts site.yml +`` + +## Debug +### Cleanup docker +``bash +docker stop $(docker ps -aq); docker rm $(docker ps -aq); docker volume rm $(docker volume ls -q); +`` + +## topdo +- implement smtp +- implement administrator mail diff --git a/host_vars/.gitignore b/host_vars/.gitignore new file mode 100644 index 00000000..1cda54be --- /dev/null +++ b/host_vars/.gitignore @@ -0,0 +1 @@ +*.yml diff --git a/roles/docker-gitea/meta/main.yml b/roles/docker-gitea/meta/main.yml new file mode 100644 index 00000000..ce762785 --- /dev/null +++ b/roles/docker-gitea/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: +- native-nginx-docker-proxy diff --git a/roles/docker-gitea/tasks/main.yml b/roles/docker-gitea/tasks/main.yml new file mode 100644 index 00000000..5e31a11a --- /dev/null +++ b/roles/docker-gitea/tasks/main.yml @@ -0,0 +1,49 @@ +--- +- name: recieve {{domain}} certificate + command: certbot certonly --agree-tos --email {{administrator_email}} --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{domain}} + +- name: configure {{domain}} https + template: src=roles/native-nginx-docker-proxy/templates/domain.conf.j2 dest=/etc/nginx/conf.d/{{domain}}.conf + notify: restart nginx + +- name: container present + docker_compose: + project_name: gitea + definition: + application: + restart: always + image: gitea/gitea:latest + environment: + - USER_UID=1000 + - USER_GID=1000 + - DB_TYPE=mysql + - DB_HOST=database:3306 + - DB_NAME=gitea + - DB_USER=gitea + - DB_PASSWD={{gitea_database_password}} + - SSH_PORT={{ssh_port}} + - SSH_LISTEN_PORT=22 + - DOMAIN={{domain}} + - SSH_DOMAIN={{domain}} + - RUN_MODE="{{run_mode}}" + ports: + - "{{http_port}}:3000" + - "{{ssh_port}}:22" + links: + - database + volumes: + - gitea-data:/data + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + database: + image: mariadb + environment: + MYSQL_DATABASE: "gitea" + MYSQL_USER: "gitea" + MYSQL_PASSWORD: "{{gitea_database_password}}" + MYSQL_RANDOM_ROOT_PASSWORD: 'yes' + volumes: + - gitea-database:/var/lib/mysql + restart: always + expose: + - "3306" diff --git a/roles/docker-jenkins/meta/main.yml b/roles/docker-jenkins/meta/main.yml new file mode 100644 index 00000000..ce762785 --- /dev/null +++ b/roles/docker-jenkins/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: +- native-nginx-docker-proxy diff --git a/roles/docker-jenkins/tasks/main.yml b/roles/docker-jenkins/tasks/main.yml new file mode 100644 index 00000000..b5d8a698 --- /dev/null +++ b/roles/docker-jenkins/tasks/main.yml @@ -0,0 +1,19 @@ +- name: recieve {{domain}} certificate + command: certbot certonly --agree-tos --email {{administrator_email}} --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{domain}} + +- name: configure {{domain}}.conf + template: src=roles/native-nginx-docker-proxy/templates/domain.conf.j2 dest=/etc/nginx/conf.d/{{domain}}.conf + notify: restart nginx + +- name: "docker jenkins" + docker_compose: + project_name: jenkins + definition: + application: + image: jenkins/jenkins:lts + restart: always + ports: + - "{{http_port}}:8080" + restart: always + volumes: + - jenkins_data:/var/jenkins_home diff --git a/roles/docker-joomla/README.md b/roles/docker-joomla/README.md new file mode 100644 index 00000000..2d4ad253 --- /dev/null +++ b/roles/docker-joomla/README.md @@ -0,0 +1,6 @@ +# role docker-joomla +## delete all data +```bash +docker stop joomla_application_1; docker rm -f joomla_application_1; docker volume rm -f joomla-data; +docker stop joomla_database_1; docker rm -f joomla_database_1; docker volume rm -f joomla-database; +``` diff --git a/roles/docker-joomla/meta/main.yml b/roles/docker-joomla/meta/main.yml new file mode 100644 index 00000000..ce762785 --- /dev/null +++ b/roles/docker-joomla/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: +- native-nginx-docker-proxy diff --git a/roles/docker-joomla/tasks/main.yml b/roles/docker-joomla/tasks/main.yml new file mode 100644 index 00000000..84e03340 --- /dev/null +++ b/roles/docker-joomla/tasks/main.yml @@ -0,0 +1,36 @@ +--- +- name: recieve {{domain}} certificate + command: certbot certonly --agree-tos --email {{administrator_email}} --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{domain}} + +- name: configure {{domain}}.conf + template: src=roles/native-nginx-docker-proxy/templates/domain.conf.j2 dest=/etc/nginx/conf.d/{{domain}}.conf + notify: restart nginx + +- name: "setup joomla" + docker_compose: + project_name: joomla + definition: + application: + image: joomla + environment: + JOOMLA_DB_HOST: "database:3306" + JOOMLA_DB_USER: "joomla" + JOOMLA_DB_PASSWORD: "{{joomla_database_password}}" + JOOMLA_DB_NAME: "joomla" + restart: always + links: + - database + volumes: + - joomla-data:/var/www/html + ports: + - "{{http_port}}:80" + database: + image: mariadb + environment: + MYSQL_DATABASE: "joomla" + MYSQL_USER: "joomla" + MYSQL_PASSWORD: "{{joomla_database_password}}" + MYSQL_RANDOM_ROOT_PASSWORD: 'yes' + volumes: + - joomla-database:/var/lib/mysql + restart: always diff --git a/roles/docker-mediawiki/README.md b/roles/docker-mediawiki/README.md new file mode 100644 index 00000000..9ff8c415 --- /dev/null +++ b/roles/docker-mediawiki/README.md @@ -0,0 +1,144 @@ +# role docker-mediawiki +## Generate LocalSettings.php +Login to the container: + +```bash +docker exec -it mediawiki_application_1 /bin/sh +``` + +Seed the LocalSettings.php: + +```bash +cat > LocalSettings.php << EOF + "\$wgResourceBasePath/resources/assets/wiki.png" ]; + +## UPO means: this is also a user preference option + +\$wgEnableEmail = true; +\$wgEnableUserEmail = true; # UPO + +\$wgEmergencyContact = "apache@🌻.invalid"; +\$wgPasswordSender = "apache@🌻.invalid"; + +\$wgEnotifUserTalk = false; # UPO +\$wgEnotifWatchlist = false; # UPO +\$wgEmailAuthentication = true; + +## Database settings +\$wgDBtype = "mysql"; +\$wgDBserver = "database:3306"; +\$wgDBname = "mediawiki"; +\$wgDBuser = "mediawiki"; +\$wgDBpassword = "test"; + +# MySQL specific settings +\$wgDBprefix = ""; + +# MySQL table options to use during installation or update +\$wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary"; + +## Shared memory settings +\$wgMainCacheType = CACHE_NONE; +\$wgMemCachedServers = []; + +## To enable image uploads, make sure the 'images' directory +## is writable, then set this to true: +\$wgEnableUploads = false; +\$wgUseImageMagick = true; +\$wgImageMagickConvertCommand = "/usr/bin/convert"; + +# InstantCommons allows wiki to use images from https://commons.wikimedia.org +\$wgUseInstantCommons = false; + +# Periodically send a pingback to https://www.mediawiki.org/ with basic data +# about this MediaWiki instance. The Wikimedia Foundation shares this data +# with MediaWiki developers to help guide future development efforts. +\$wgPingback = true; + +## If you use ImageMagick (or any other shell command) on a +## Linux server, this will need to be set to the name of an +## available UTF-8 locale +\$wgShellLocale = "C.UTF-8"; + +## Set \$wgCacheDirectory to a writable directory on the web server +## to make your wiki go slightly faster. The directory should not +## be publicly accessible from the web. +#\$wgCacheDirectory = "\$IP/cache"; + +# Site language code, should be one of the list in ./languages/data/Names.php +\$wgLanguageCode = "en"; + +\$wgSecretKey = "603fe88c985b05706f19aaf77d2a61459555ff21a4a4d4ef0aa15c8f8ec50f00"; + +# Changing this will log out all existing sessions. +\$wgAuthenticationTokenVersion = "1"; + +# Site upgrade key. Must be set to a string (default provided) to turn on the +# web installer while LocalSettings.php is in place +\$wgUpgradeKey = "f99263b0f3a7c59a"; + +## For attaching licensing metadata to pages, and displaying an +## appropriate copyright notice / icon. GNU Free Documentation +## License and Creative Commons licenses are supported so far. +\$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright +\$wgRightsUrl = ""; +\$wgRightsText = ""; +\$wgRightsIcon = ""; + +# Path to the GNU diff3 utility. Used for conflict resolution. +\$wgDiff3 = "/usr/bin/diff3"; + +## Default skin: you can change the default skin. Use the internal symbolic +## names, ie 'vector', 'monobook': +\$wgDefaultSkin = "vector"; + +# Enabled skins. +# The following skins were automatically enabled: +wfLoadSkin( 'MonoBook' ); +wfLoadSkin( 'Timeless' ); +wfLoadSkin( 'Vector' ); + + +# End of automatically generated settings. +# Add more configuration options below. +EOF +``` diff --git a/roles/docker-mediawiki/meta/main.yml b/roles/docker-mediawiki/meta/main.yml new file mode 100644 index 00000000..ce762785 --- /dev/null +++ b/roles/docker-mediawiki/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: +- native-nginx-docker-proxy diff --git a/roles/docker-mediawiki/tasks/main.yml b/roles/docker-mediawiki/tasks/main.yml new file mode 100644 index 00000000..6052c30a --- /dev/null +++ b/roles/docker-mediawiki/tasks/main.yml @@ -0,0 +1,30 @@ +- name: recieve {{domain}} certificate + command: certbot certonly --agree-tos --email {{administrator_email}} --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{domain}} + +- name: configure {{domain}}.conf + template: src=roles/native-nginx-docker-proxy/templates/domain.conf.j2 dest=/etc/nginx/conf.d/{{domain}}.conf + notify: restart nginx + +- name: "docker mediawiki" + docker_compose: + project_name: mediawiki + definition: + application: + image: mediawiki + restart: always + links: + - database + volumes: + - "mediawiki-data:/var/www/html/" + ports: + - "{{http_port}}:80" + database: + image: mariadb + environment: + MYSQL_DATABASE: mediawiki + MYSQL_RANDOM_ROOT_PASSWORD: 'yes' + MYSQL_USER: mediawiki + MYSQL_PASSWORD: "{{mediawiki_mysql_user_password}}" + volumes: + - mediawiki-database:/var/lib/mysql + restart: always diff --git a/roles/docker-mybb/README.md b/roles/docker-mybb/README.md new file mode 100644 index 00000000..8aa00579 --- /dev/null +++ b/roles/docker-mybb/README.md @@ -0,0 +1,7 @@ +# role mybb +## install plugins +Extract the plugins to /mnt. +Execute: +```bash +docker run --rm -v mybb-data:/target/ -v /mnt/:/origin/ "kevinveenbirkenbach/alpine-rsync" sh -c "rsync -avv /origin/inc/plugins/ /target/" +``` diff --git a/roles/docker-mybb/defaults/main.yml b/roles/docker-mybb/defaults/main.yml new file mode 100644 index 00000000..63fa33c1 --- /dev/null +++ b/roles/docker-mybb/defaults/main.yml @@ -0,0 +1,5 @@ +--- +conf_d_path: "/etc/nginx/conf.d/" +#default_conf_path: "/etc/nginx/nginx.conf" +conf_d_docker_path: "/etc/docker/applications/mybb{{conf_d_path}}" +default_conf_docker_path: "{{conf_d_docker_path}}default.conf" diff --git a/roles/docker-mybb/meta/main.yml b/roles/docker-mybb/meta/main.yml new file mode 100644 index 00000000..ce762785 --- /dev/null +++ b/roles/docker-mybb/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: +- native-nginx-docker-proxy diff --git a/roles/docker-mybb/tasks/main.yml b/roles/docker-mybb/tasks/main.yml new file mode 100644 index 00000000..cd17beb4 --- /dev/null +++ b/roles/docker-mybb/tasks/main.yml @@ -0,0 +1,47 @@ +--- +- name: recieve {{domain}} certificate + command: certbot certonly --agree-tos --email {{administrator_email}} --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{domain}} + +- name: configure {{domain}}.conf + template: src=roles/native-nginx-docker-proxy/templates/domain.conf.j2 dest=/etc/nginx/conf.d/{{domain}}.conf + notify: restart nginx + +- name: create data folder + file: + path: "{{conf_d_docker_path}}" + state: directory + +- name: "create {{default_conf_docker_path}}" + template: src="default.conf" dest="{{default_conf_docker_path}}" + +- name: "setup mybb" + docker_compose: + project_name: mybb + definition: + application: + image: mybb/mybb:latest + restart: always + links: + - database + volumes: + - mybb-data:/var/www/html + server: + links: + - application + image: nginx:mainline + restart: always + ports: + - "{{http_port}}:80" + volumes: + - "{{conf_d_docker_path}}:{{conf_d_path}}" + - "mybb-data:/var/www/html:ro" + database: + image: mariadb + environment: + MYSQL_DATABASE: "mybb" + MYSQL_USER: "mybb" + MYSQL_PASSWORD: "{{mybb_database_password}}" + MYSQL_RANDOM_ROOT_PASSWORD: 'yes' + volumes: + - mybb-database:/var/lib/mysql + restart: always diff --git a/roles/docker-mybb/templates/default.conf b/roles/docker-mybb/templates/default.conf new file mode 100644 index 00000000..490ee816 --- /dev/null +++ b/roles/docker-mybb/templates/default.conf @@ -0,0 +1,32 @@ +upstream mybb { + server application:9000 weight=5; +} + +server { + listen 80; + + root /var/www/html; + index index.html index.php; + + location / { + try_files $uri $uri/ /index.php?$args; + } + + location ~ inc/ { + internal; + } + + location ~ ^/(images|cache|jscripts|uploads)/ { + access_log off; + } + + location ~ \.php$ { + try_files $uri =404; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass mybb; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + } +} diff --git a/roles/docker-nextcloud/README.md b/roles/docker-nextcloud/README.md new file mode 100644 index 00000000..0d44830a --- /dev/null +++ b/roles/docker-nextcloud/README.md @@ -0,0 +1,22 @@ +# role docker-nextcloud + +## database access +To access the database execute +```bash + docker exec -it nextcloud_database_1 /bin/mysql -u nextcloud -p +``` + +## occ + +To use occ run: + +```bash + docker exec -it -u www-data nextcloud_application_1 /var/www/html/occ +``` + +## unlock files +```bash +docker exec -it -u www-data nextcloud_application_1 /var/www/html/occ maintenance:mode --on +docker exec -it nextcloud_database_1 mysql -u nextcloud -pPASSWORD1234132 -D nextcloud -e "delete from oc_file_locks where 1" +docker exec -it -u www-data nextcloud_application_1 /var/www/html/occ maintenance:mode --off +``` diff --git a/roles/docker-nextcloud/meta/main.yml b/roles/docker-nextcloud/meta/main.yml new file mode 100644 index 00000000..ce762785 --- /dev/null +++ b/roles/docker-nextcloud/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: +- native-nginx-docker-proxy diff --git a/roles/docker-nextcloud/tasks/main.yml b/roles/docker-nextcloud/tasks/main.yml new file mode 100644 index 00000000..d098c065 --- /dev/null +++ b/roles/docker-nextcloud/tasks/main.yml @@ -0,0 +1,38 @@ +--- +- name: recieve {{domain}} certificate + command: certbot certonly --agree-tos --email {{administrator_email}} --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{domain}} + +- name: configure {{domain}}.conf + template: src=templates/nextcloud.conf.j2 dest=/etc/nginx/conf.d/{{domain}}.conf + notify: restart nginx + +- name: "setup nextcloud" + docker_compose: + project_name: nextcloud + definition: + application: + image: nextcloud + restart: always + links: + - database + volumes: + - nextcloud-data:/var/www/html + ports: + - "{{http_port}}:80" + environment: + MYSQL_DATABASE: "nextcloud" + MYSQL_USER: "nextcloud" + MYSQL_PASSWORD: "{{nextcloud_database_password}}" + MYSQL_HOST: database:3306 + database: + image: mariadb + environment: + MYSQL_DATABASE: "nextcloud" + MYSQL_USER: "nextcloud" + MYSQL_PASSWORD: "{{nextcloud_database_password}}" + MYSQL_RANDOM_ROOT_PASSWORD: 'yes' + volumes: + - nextcloud-database:/var/lib/mysql + restart: always + expose: + - "3306" diff --git a/roles/docker-nextcloud/templates/nextcloud.conf.j2 b/roles/docker-nextcloud/templates/nextcloud.conf.j2 new file mode 100644 index 00000000..eba052bb --- /dev/null +++ b/roles/docker-nextcloud/templates/nextcloud.conf.j2 @@ -0,0 +1,37 @@ +server +{ + server_name {{domain}}; + + {% include 'roles/native-letsencrypt/templates/ssl_header.j2' %} + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; + + # set max upload size + client_max_body_size 10G; + client_body_buffer_size 400M; + fastcgi_buffers 64 4K; + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + + {% include 'roles/native-nginx-docker-proxy/templates/proxy_pass.conf.j2' %} + + location ^~ /.well-known { + rewrite ^/\.well-known/host-meta\.json /public.php?service=host-meta-json last; + rewrite ^/\.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/\.well-known/webfinger /public.php?service=webfinger last; + rewrite ^/\.well-known/nodeinfo /public.php?service=nodeinfo last; + + location = /.well-known/carddav { return 301 /remote.php/dav/; } + location = /.well-known/caldav { return 301 /remote.php/dav/; } + + try_files $uri $uri/ =404; + } +} diff --git a/roles/docker-postfix/README.md b/roles/docker-postfix/README.md new file mode 100644 index 00000000..d12ff2a7 --- /dev/null +++ b/roles/docker-postfix/README.md @@ -0,0 +1,5 @@ +# role docker-postfix +## delete all data +```bash +docker stop postfix_database_1; docker rm -f postfix_database_1; docker volume rm -f postfix-database; +``` diff --git a/roles/docker-postfix/meta/main.yml b/roles/docker-postfix/meta/main.yml new file mode 100644 index 00000000..ce762785 --- /dev/null +++ b/roles/docker-postfix/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: +- native-nginx-docker-proxy diff --git a/roles/docker-postfix/tasks/main.yml b/roles/docker-postfix/tasks/main.yml new file mode 100644 index 00000000..36822e87 --- /dev/null +++ b/roles/docker-postfix/tasks/main.yml @@ -0,0 +1,36 @@ +--- +- name: recieve {{domain}} certificate + command: certbot certonly --agree-tos --email {{administrator_email}} --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{domain}} + +- name: configure {{domain}}.conf + template: src=roles/native-nginx-docker-proxy/templates/domain.conf.j2 dest=/etc/nginx/conf.d/{{domain}}.conf + notify: restart nginx + +- name: "setup postfix" + docker_compose: + project_name: postfix + definition: + application: + image: postfixadmin:apache + environment: + POSTFIXADMIN_DB_TYPE: mysqli + POSTFIXADMIN_DB_HOST: "database" + POSTFIXADMIN_DB_USER: postfixadmin + POSTFIXADMIN_DB_NAME: postfixadmin + POSTFIXADMIN_DB_PASSWORD: "{{postfixadmin_database_password}}" + POSTFIXADMIN_SETUP_PASSWORD: "{{postfixadmin_setup_password}}" + restart: always + links: + - database + ports: + - "{{http_port}}:80" + database: + image: mariadb + environment: + MYSQL_DATABASE: "postfixadmin" + MYSQL_USER: "postfixadmin" + MYSQL_PASSWORD: "{{postfixadmin_database_password}}" + MYSQL_RANDOM_ROOT_PASSWORD: 'yes' + volumes: + - postfixadmin-database:/var/lib/mysql + restart: always diff --git a/roles/docker-wireguard/README.md b/roles/docker-wireguard/README.md new file mode 100644 index 00000000..a4c4015c --- /dev/null +++ b/roles/docker-wireguard/README.md @@ -0,0 +1,7 @@ +# Role Wireguard +This role is not fully implemented yet. Instead use the role native-wireguard. +## Preparation +Execute +``bash +ansible-galaxy collection install community.general +`` diff --git a/roles/docker-wireguard/meta/main.yml b/roles/docker-wireguard/meta/main.yml new file mode 100644 index 00000000..ce762785 --- /dev/null +++ b/roles/docker-wireguard/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: +- native-nginx-docker-proxy diff --git a/roles/docker-wireguard/tasks/main.yml b/roles/docker-wireguard/tasks/main.yml new file mode 100644 index 00000000..5b503ae5 --- /dev/null +++ b/roles/docker-wireguard/tasks/main.yml @@ -0,0 +1,41 @@ +--- +- name: configure {{domain}}.conf + template: src=roles/native-nginx-docker-proxy/templates/domain.conf.j2 dest=/etc/nginx/conf.d/{{domain}}.conf + notify: restart nginx + +- name: recieve {{domain}} certificate + command: certbot certonly --agree-tos --email {{administrator_email}} --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{domain}} + +- sysctl: + name: net.ipv4.conf.all.src_valid_mark + value: 1 + sysctl_set: yes + +- name: "setup wireguard" + docker_compose: + project_name: wireguard + definition: + application: + image: linuxserver/wireguard + restart: always + ports: + - "{{http_port}}:80" + cap_add: + - NET_ADMIN + - SYS_MODULE + environment: + - PUID=1000 + - PGID=1000 + - TZ=Europe/London + - SERVERURL={{domain}} + - SERVERPORT=51820 #optional + - PEERS=1 #optional + - PEERDNS=auto #optional + - INTERNAL_SUBNET=10.13.13.0 #optional + - ALLOWEDIPS=192.168.1.0/24,192.168.2.0/24 #optional + volumes: + - /path/to/appdata/config:/config + - /lib/modules:/lib/modules + ports: + - 51820:51820/udp + restart: unless-stopped diff --git a/roles/docker-wordpress/meta/main.yml b/roles/docker-wordpress/meta/main.yml new file mode 100644 index 00000000..ce762785 --- /dev/null +++ b/roles/docker-wordpress/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: +- native-nginx-docker-proxy diff --git a/roles/docker-wordpress/tasks/main.yml b/roles/docker-wordpress/tasks/main.yml new file mode 100644 index 00000000..7da6ae93 --- /dev/null +++ b/roles/docker-wordpress/tasks/main.yml @@ -0,0 +1,40 @@ +--- +- name: recieve {{domain}} certificate + command: certbot certonly --agree-tos --email {{administrator_email}} --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{domain}} + +- name: configure {{domain}}.conf + vars: + client_max_body_size: "2M" + template: src=roles/native-nginx-docker-proxy/templates/domain.conf.j2 dest=/etc/nginx/conf.d/{{domain}}.conf + notify: restart nginx + +- name: "setup wordpress" + docker_compose: + project_name: wordpress + definition: + application: + image: wordpress + restart: always + ports: + - "{{http_port}}:80" + environment: + WORDPRESS_DB_HOST: database:3306 + WORDPRESS_DB_USER: "wordpress" + WORDPRESS_DB_PASSWORD: "{{wordpress_database_password}}" + WORDPRESS_DB_NAME: "wordpress" + links: + - database + volumes: + - wordpress-data:/var/www/html + database: + image: mariadb + restart: always + environment: + MYSQL_DATABASE: "wordpress" + MYSQL_USER: "wordpress" + MYSQL_PASSWORD: "{{wordpress_database_password}}" + MYSQL_RANDOM_ROOT_PASSWORD: 'yes' + volumes: + - wordpress-database:/var/lib/mysql + expose: + - "3306" diff --git a/roles/docker-yourls/meta/main.yml b/roles/docker-yourls/meta/main.yml new file mode 100644 index 00000000..ce762785 --- /dev/null +++ b/roles/docker-yourls/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: +- native-nginx-docker-proxy diff --git a/roles/docker-yourls/tasks/main.yml b/roles/docker-yourls/tasks/main.yml new file mode 100644 index 00000000..592e110d --- /dev/null +++ b/roles/docker-yourls/tasks/main.yml @@ -0,0 +1,39 @@ +--- +- name: recieve {{domain}} certificate + command: certbot certonly --agree-tos --email {{administrator_email}} --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{domain}} + +- name: configure {{domain}}.conf + template: src=roles/native-nginx-docker-proxy/templates/domain.conf.j2 dest=/etc/nginx/conf.d/{{domain}}.conf + notify: restart nginx + +- name: "setup yourls" + docker_compose: + project_name: yourls + definition: + application: + image: yourls + restart: always + ports: + - "{{http_port}}:80" + environment: + YOURLS_DB_HOST: "database:3306" + YOURLS_DB_USER: "yourls" + YOURLS_DB_PASS: "{{yourls_database_password}}" + YOURLS_DB_NAME: "yourls" + YOURLS_SITE: "https://{{domain}}" + YOURLS_USER: "{{yourls_user}}" + YOURLS_PASS: "{{yourls_user_password}}" + links: + - database + database: + image: mariadb + restart: always + environment: + MYSQL_DATABASE: "yourls" + MYSQL_USER: "yourls" + MYSQL_PASSWORD: "{{yourls_database_password}}" + MYSQL_RANDOM_ROOT_PASSWORD: 'yes' + volumes: + - yourls-database:/var/lib/mysql + expose: + - "3306" diff --git a/roles/native-certbot-nginx/handlers/main.yml b/roles/native-certbot-nginx/handlers/main.yml new file mode 100644 index 00000000..57b7c396 --- /dev/null +++ b/roles/native-certbot-nginx/handlers/main.yml @@ -0,0 +1,4 @@ +- name: restart certbot service + service: name=certbot.service state=restarted enabled=yes +- name: restart certbot timer + service: name=certbot.timer state=restarted enabled=yes diff --git a/roles/native-certbot-nginx/meta/main.yml b/roles/native-certbot-nginx/meta/main.yml new file mode 100644 index 00000000..ea890f22 --- /dev/null +++ b/roles/native-certbot-nginx/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: +- native-nginx diff --git a/roles/native-certbot-nginx/tasks/main.yml b/roles/native-certbot-nginx/tasks/main.yml new file mode 100644 index 00000000..a574f9ab --- /dev/null +++ b/roles/native-certbot-nginx/tasks/main.yml @@ -0,0 +1,13 @@ +- name: install certbot + pacman: + name: [certbot,certbot-nginx] + state: present + notify: restart certbot service + +- name: configure certbot.service.tpl + template: src=certbot.service dest=/etc/systemd/system/certbot.service + notify: restart certbot service + +- name: configure certbot.timer.tpl + template: src=certbot.timer dest=/etc/systemd/system/certbot.timer + notify: restart certbot timer diff --git a/roles/native-certbot-nginx/templates/certbot.service b/roles/native-certbot-nginx/templates/certbot.service new file mode 100644 index 00000000..39fb814c --- /dev/null +++ b/roles/native-certbot-nginx/templates/certbot.service @@ -0,0 +1,7 @@ +[Unit] +Description=Let's Encrypt renewal + +[Service] +Type=oneshot +ExecStart=/usr/bin/certbot renew --quiet --agree-tos +ExecStartPost=/bin/systemctl reload nginx.service diff --git a/roles/native-certbot-nginx/templates/certbot.timer b/roles/native-certbot-nginx/templates/certbot.timer new file mode 100644 index 00000000..94c8b8be --- /dev/null +++ b/roles/native-certbot-nginx/templates/certbot.timer @@ -0,0 +1,10 @@ +[Unit] +Description=Twice daily renewal of Let's Encrypt's certificates + +[Timer] +OnCalendar=0/12:00:00 +RandomizedDelaySec=1h +Persistent=true + +[Install] +WantedBy=timers.target diff --git a/roles/native-docker-volume-backup/handlers/main.yml b/roles/native-docker-volume-backup/handlers/main.yml new file mode 100644 index 00000000..e20b9a69 --- /dev/null +++ b/roles/native-docker-volume-backup/handlers/main.yml @@ -0,0 +1,4 @@ +- name: restart docker-volume-backup service + service: name=docker-volume-backup.service state=restarted enabled=yes +- name: restart docker-volume-backup timer + service: name=docker-volume-backup.timer state=restarted enabled=yes diff --git a/roles/native-docker-volume-backup/meta/main.yml b/roles/native-docker-volume-backup/meta/main.yml new file mode 100644 index 00000000..ec276173 --- /dev/null +++ b/roles/native-docker-volume-backup/meta/main.yml @@ -0,0 +1,3 @@ +dependencies: + - native-docker + - native-git diff --git a/roles/native-docker-volume-backup/tasks/main.yml b/roles/native-docker-volume-backup/tasks/main.yml new file mode 100644 index 00000000..1b47f6f3 --- /dev/null +++ b/roles/native-docker-volume-backup/tasks/main.yml @@ -0,0 +1,13 @@ +- name: docker-volume-backup git + git: + repo: "https://github.com/kevinveenbirkenbach/docker-volume-backup.git" + dest: "/usr/local/bin/docker-volume-backup" + update: yes + +- name: configure docker-volume-backup.service.tpl + template: src=docker-volume-backup.service dest=/etc/systemd/system/docker-volume-backup.service + notify: restart docker-volume-backup service + +- name: configure docker-volume-backup.timer.tpl + template: src=docker-volume-backup.timer dest=/etc/systemd/system/docker-volume-backup.timer + notify: restart docker-volume-backup timer diff --git a/roles/native-docker-volume-backup/templates/docker-volume-backup.service b/roles/native-docker-volume-backup/templates/docker-volume-backup.service new file mode 100644 index 00000000..57b32fe2 --- /dev/null +++ b/roles/native-docker-volume-backup/templates/docker-volume-backup.service @@ -0,0 +1,6 @@ +[Unit] +Description=docker volume update + +[Service] +Type=oneshot +ExecStart=/usr/bin/bash /usr/local/bin/docker-volume-backup/docker-volume-backup.sh diff --git a/roles/native-docker-volume-backup/templates/docker-volume-backup.timer b/roles/native-docker-volume-backup/templates/docker-volume-backup.timer new file mode 100644 index 00000000..5d0451bc --- /dev/null +++ b/roles/native-docker-volume-backup/templates/docker-volume-backup.timer @@ -0,0 +1,9 @@ +[Unit] +Description=backups the docker volumes + +[Timer] +OnCalendar=3:00 +RandomizedDelaySec=1h + +[Install] +WantedBy=timers.target diff --git a/roles/native-docker/handlers/main.yml b/roles/native-docker/handlers/main.yml new file mode 100644 index 00000000..92e62bf8 --- /dev/null +++ b/roles/native-docker/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: docker restart + service: name=docker.service state=restarted enabled=yes diff --git a/roles/native-docker/tasks/main.yml b/roles/native-docker/tasks/main.yml new file mode 100644 index 00000000..6e63d892 --- /dev/null +++ b/roles/native-docker/tasks/main.yml @@ -0,0 +1,9 @@ +--- +- name: docker & docker compose install + pacman: + name: ['docker','docker-compose'] + state: present + notify: docker restart + +- name: flush docker service + meta: flush_handlers diff --git a/roles/native-git/tasks/main.yml b/roles/native-git/tasks/main.yml new file mode 100644 index 00000000..db22afc5 --- /dev/null +++ b/roles/native-git/tasks/main.yml @@ -0,0 +1,2 @@ +- name: install git + pacman: name=git state=present diff --git a/roles/native-homepage/meta/main.yml b/roles/native-homepage/meta/main.yml new file mode 100644 index 00000000..de989663 --- /dev/null +++ b/roles/native-homepage/meta/main.yml @@ -0,0 +1,3 @@ +dependencies: +- native-https-server +- native-git diff --git a/roles/native-homepage/tasks/main.yml b/roles/native-homepage/tasks/main.yml new file mode 100644 index 00000000..af9562d0 --- /dev/null +++ b/roles/native-homepage/tasks/main.yml @@ -0,0 +1,12 @@ +- name: configure {{domain}}.conf + template: src=homepage.nginx.conf dest=/etc/nginx/conf.d/{{domain}}.conf + notify: restart nginx + +- name: recieve {{domain}} certificate + command: certbot certonly --agree-tos --email {{administrator_email}} --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{domain}} + +- name: homepage repo git + git: + repo: "{{homepage_repository_address}}" + dest: "/usr/share/nginx/homepage" + update: yes diff --git a/roles/native-homepage/templates/homepage.nginx.conf b/roles/native-homepage/templates/homepage.nginx.conf new file mode 100644 index 00000000..421834ec --- /dev/null +++ b/roles/native-homepage/templates/homepage.nginx.conf @@ -0,0 +1,23 @@ +#default +server +{ + server_name {{domain}}; + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + ssl_prefer_server_ciphers on; + add_header Strict-Transport-Security max-age=15768000; + ssl_stapling on; + ssl_stapling_verify on; + ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/{{domain}}/chain.pem; + + location / + { + root /usr/share/nginx/homepage; + index index.html index.htm; + } +} diff --git a/roles/native-https-server/meta/main.yml b/roles/native-https-server/meta/main.yml new file mode 100644 index 00000000..5a1624c3 --- /dev/null +++ b/roles/native-https-server/meta/main.yml @@ -0,0 +1,3 @@ +dependencies: +- native-nginx +- native-letsencrypt diff --git a/roles/native-letsencrypt/meta/main.yml b/roles/native-letsencrypt/meta/main.yml new file mode 100644 index 00000000..a2823175 --- /dev/null +++ b/roles/native-letsencrypt/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: +- native-certbot-nginx diff --git a/roles/native-letsencrypt/tasks/main.yml b/roles/native-letsencrypt/tasks/main.yml new file mode 100644 index 00000000..e9f690ee --- /dev/null +++ b/roles/native-letsencrypt/tasks/main.yml @@ -0,0 +1,6 @@ +- name: create nginx letsencrypt config file + template: src=letsencrypt.conf.j2 dest=/etc/nginx/conf.d/letsencrypt.conf + notify: restart nginx + +- name: flush nginx service + meta: flush_handlers diff --git a/roles/native-letsencrypt/templates/letsencrypt.conf.j2 b/roles/native-letsencrypt/templates/letsencrypt.conf.j2 new file mode 100644 index 00000000..c139b01c --- /dev/null +++ b/roles/native-letsencrypt/templates/letsencrypt.conf.j2 @@ -0,0 +1,16 @@ +server +{ + listen 80; + listen [::]:80; + location / + { + return 301 https://$host$request_uri; + } + #letsencrypt + location ^~ /.well-known/acme-challenge/ { + allow all; + root /var/lib/letsencrypt/; + default_type "text/plain"; + try_files $uri =404; + } +} diff --git a/roles/native-letsencrypt/templates/ssl_header.j2 b/roles/native-letsencrypt/templates/ssl_header.j2 new file mode 100644 index 00000000..dc4f69c9 --- /dev/null +++ b/roles/native-letsencrypt/templates/ssl_header.j2 @@ -0,0 +1,12 @@ +listen 443 ssl http2; +listen [::]:443 ssl http2; +ssl_session_timeout 1d; +ssl_session_cache shared:SSL:50m; +ssl_session_tickets off; +ssl_prefer_server_ciphers on; +add_header Strict-Transport-Security max-age=15768000; +ssl_stapling on; +ssl_stapling_verify on; +ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem; +ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem; +ssl_trusted_certificate /etc/letsencrypt/live/{{domain}}/chain.pem; diff --git a/roles/native-locales/tasks/main.yml b/roles/native-locales/tasks/main.yml new file mode 100644 index 00000000..701cdfd0 --- /dev/null +++ b/roles/native-locales/tasks/main.yml @@ -0,0 +1,8 @@ +--- +- name: Setup locale.gen + template: src=locale.gen dest=/etc/locale.gen +- name: Setup locale.conf + template: src=locale.conf dest=/etc/locale.conf +- name: Generate locales + shell: locale-gen + become: yes diff --git a/roles/native-locales/templates/locale.conf b/roles/native-locales/templates/locale.conf new file mode 100644 index 00000000..456b20a7 --- /dev/null +++ b/roles/native-locales/templates/locale.conf @@ -0,0 +1,2 @@ +LANG=en_US.UTF-8 +LANGUAGE=en_US.UTF-8 diff --git a/roles/native-locales/templates/locale.gen b/roles/native-locales/templates/locale.gen new file mode 100644 index 00000000..54a54756 --- /dev/null +++ b/roles/native-locales/templates/locale.gen @@ -0,0 +1,498 @@ +# Configuration file for locale-gen +# +# lists of locales that are to be generated by the locale-gen command. +# +# Each line is of the form: +# +# +# +# where is one of the locales given in /usr/share/i18n/locales +# and is one of the character sets listed in /usr/share/i18n/charmaps +# +# Examples: +# en_US ISO-8859-1 +# en_US.UTF-8 UTF-8 +# de_DE ISO-8859-1 +# de_DE@euro ISO-8859-15 +# +# The locale-gen command will generate all the locales, +# placing them in /usr/lib/locale. +# +# A list of supported locales is included in this file. +# Uncomment the ones you need. +# +#aa_DJ.UTF-8 UTF-8 +#aa_DJ ISO-8859-1 +#aa_ER UTF-8 +#aa_ER@saaho UTF-8 +#aa_ET UTF-8 +#af_ZA.UTF-8 UTF-8 +#af_ZA ISO-8859-1 +#agr_PE UTF-8 +#ak_GH UTF-8 +#am_ET UTF-8 +#an_ES.UTF-8 UTF-8 +#an_ES ISO-8859-15 +#anp_IN UTF-8 +#ar_AE.UTF-8 UTF-8 +#ar_AE ISO-8859-6 +#ar_BH.UTF-8 UTF-8 +#ar_BH ISO-8859-6 +#ar_DZ.UTF-8 UTF-8 +#ar_DZ ISO-8859-6 +#ar_EG.UTF-8 UTF-8 +#ar_EG ISO-8859-6 +#ar_IN UTF-8 +#ar_IQ.UTF-8 UTF-8 +#ar_IQ ISO-8859-6 +#ar_JO.UTF-8 UTF-8 +#ar_JO ISO-8859-6 +#ar_KW.UTF-8 UTF-8 +#ar_KW ISO-8859-6 +#ar_LB.UTF-8 UTF-8 +#ar_LB ISO-8859-6 +#ar_LY.UTF-8 UTF-8 +#ar_LY ISO-8859-6 +#ar_MA.UTF-8 UTF-8 +#ar_MA ISO-8859-6 +#ar_OM.UTF-8 UTF-8 +#ar_OM ISO-8859-6 +#ar_QA.UTF-8 UTF-8 +#ar_QA ISO-8859-6 +#ar_SA.UTF-8 UTF-8 +#ar_SA ISO-8859-6 +#ar_SD.UTF-8 UTF-8 +#ar_SD ISO-8859-6 +#ar_SS UTF-8 +#ar_SY.UTF-8 UTF-8 +#ar_SY ISO-8859-6 +#ar_TN.UTF-8 UTF-8 +#ar_TN ISO-8859-6 +#ar_YE.UTF-8 UTF-8 +#ar_YE ISO-8859-6 +#ayc_PE UTF-8 +#az_AZ UTF-8 +#az_IR UTF-8 +#as_IN UTF-8 +#ast_ES.UTF-8 UTF-8 +#ast_ES ISO-8859-15 +#be_BY.UTF-8 UTF-8 +#be_BY CP1251 +#be_BY@latin UTF-8 +#bem_ZM UTF-8 +#ber_DZ UTF-8 +#ber_MA UTF-8 +#bg_BG.UTF-8 UTF-8 +#bg_BG CP1251 +#bhb_IN.UTF-8 UTF-8 +#bho_IN UTF-8 +#bi_VU UTF-8 +#bn_BD UTF-8 +#bn_IN UTF-8 +#bo_CN UTF-8 +#bo_IN UTF-8 +#br_FR.UTF-8 UTF-8 +#br_FR ISO-8859-1 +#br_FR@euro ISO-8859-15 +#brx_IN UTF-8 +#bs_BA.UTF-8 UTF-8 +#bs_BA ISO-8859-2 +#byn_ER UTF-8 +#ca_AD.UTF-8 UTF-8 +#ca_AD ISO-8859-15 +#ca_ES.UTF-8 UTF-8 +#ca_ES ISO-8859-1 +#ca_ES@euro ISO-8859-15 +#ca_FR.UTF-8 UTF-8 +#ca_FR ISO-8859-15 +#ca_IT.UTF-8 UTF-8 +#ca_IT ISO-8859-15 +#ce_RU UTF-8 +#chr_US UTF-8 +#cmn_TW UTF-8 +#crh_UA UTF-8 +#cs_CZ.UTF-8 UTF-8 +#cs_CZ ISO-8859-2 +#csb_PL UTF-8 +#cv_RU UTF-8 +#cy_GB.UTF-8 UTF-8 +#cy_GB ISO-8859-14 +#da_DK.UTF-8 UTF-8 +#da_DK ISO-8859-1 +#de_AT.UTF-8 UTF-8 +#de_AT ISO-8859-1 +#de_AT@euro ISO-8859-15 +#de_BE.UTF-8 UTF-8 +#de_BE ISO-8859-1 +#de_BE@euro ISO-8859-15 +#de_CH.UTF-8 UTF-8 +#de_CH ISO-8859-1 +de_DE.UTF-8 UTF-8 +#de_DE ISO-8859-1 +#de_DE@euro ISO-8859-15 +#de_IT.UTF-8 UTF-8 +#de_IT ISO-8859-1 +#de_LI.UTF-8 UTF-8 +#de_LU.UTF-8 UTF-8 +#de_LU ISO-8859-1 +#de_LU@euro ISO-8859-15 +#doi_IN UTF-8 +#dv_MV UTF-8 +#dz_BT UTF-8 +#el_GR.UTF-8 UTF-8 +#el_GR ISO-8859-7 +#el_GR@euro ISO-8859-7 +#el_CY.UTF-8 UTF-8 +#el_CY ISO-8859-7 +#en_AG UTF-8 +#en_AU.UTF-8 UTF-8 +#en_AU ISO-8859-1 +#en_BW.UTF-8 UTF-8 +#en_BW ISO-8859-1 +#en_CA.UTF-8 UTF-8 +#en_CA ISO-8859-1 +#en_DK.UTF-8 UTF-8 +#en_DK ISO-8859-1 +#en_GB.UTF-8 UTF-8 +#en_GB ISO-8859-1 +#en_HK.UTF-8 UTF-8 +#en_HK ISO-8859-1 +#en_IE.UTF-8 UTF-8 +#en_IE ISO-8859-1 +#en_IE@euro ISO-8859-15 +#en_IL UTF-8 +#en_IN UTF-8 +#en_NG UTF-8 +#en_NZ.UTF-8 UTF-8 +#en_NZ ISO-8859-1 +#en_PH.UTF-8 UTF-8 +#en_PH ISO-8859-1 +#en_SG.UTF-8 UTF-8 +#en_SG ISO-8859-1 +en_US.UTF-8 UTF-8 +#en_US ISO-8859-1 +#en_ZA.UTF-8 UTF-8 +#en_ZA ISO-8859-1 +#en_ZM UTF-8 +#en_ZW.UTF-8 UTF-8 +#en_ZW ISO-8859-1 +eo UTF-8 +#es_AR.UTF-8 UTF-8 +#es_AR ISO-8859-1 +#es_BO.UTF-8 UTF-8 +#es_BO ISO-8859-1 +#es_CL.UTF-8 UTF-8 +#es_CL ISO-8859-1 +#es_CO.UTF-8 UTF-8 +#es_CO ISO-8859-1 +#es_CR.UTF-8 UTF-8 +#es_CR ISO-8859-1 +#es_CU UTF-8 +#es_DO.UTF-8 UTF-8 +#es_DO ISO-8859-1 +#es_EC.UTF-8 UTF-8 +#es_EC ISO-8859-1 +#es_ES.UTF-8 UTF-8 +#es_ES ISO-8859-1 +#es_ES@euro ISO-8859-15 +#es_GT.UTF-8 UTF-8 +#es_GT ISO-8859-1 +#es_HN.UTF-8 UTF-8 +#es_HN ISO-8859-1 +#es_MX.UTF-8 UTF-8 +#es_MX ISO-8859-1 +#es_NI.UTF-8 UTF-8 +#es_NI ISO-8859-1 +#es_PA.UTF-8 UTF-8 +#es_PA ISO-8859-1 +#es_PE.UTF-8 UTF-8 +#es_PE ISO-8859-1 +#es_PR.UTF-8 UTF-8 +#es_PR ISO-8859-1 +#es_PY.UTF-8 UTF-8 +#es_PY ISO-8859-1 +#es_SV.UTF-8 UTF-8 +#es_SV ISO-8859-1 +#es_US.UTF-8 UTF-8 +#es_US ISO-8859-1 +#es_UY.UTF-8 UTF-8 +#es_UY ISO-8859-1 +#es_VE.UTF-8 UTF-8 +#es_VE ISO-8859-1 +#et_EE.UTF-8 UTF-8 +#et_EE ISO-8859-1 +#et_EE.ISO-8859-15 ISO-8859-15 +#eu_ES.UTF-8 UTF-8 +#eu_ES ISO-8859-1 +#eu_ES@euro ISO-8859-15 +#fa_IR UTF-8 +#ff_SN UTF-8 +#fi_FI.UTF-8 UTF-8 +#fi_FI ISO-8859-1 +#fi_FI@euro ISO-8859-15 +#fil_PH UTF-8 +#fo_FO.UTF-8 UTF-8 +#fo_FO ISO-8859-1 +#fr_BE.UTF-8 UTF-8 +#fr_BE ISO-8859-1 +#fr_BE@euro ISO-8859-15 +#fr_CA.UTF-8 UTF-8 +#fr_CA ISO-8859-1 +#fr_CH.UTF-8 UTF-8 +#fr_CH ISO-8859-1 +#fr_FR.UTF-8 UTF-8 +#fr_FR ISO-8859-1 +#fr_FR@euro ISO-8859-15 +#fr_LU.UTF-8 UTF-8 +#fr_LU ISO-8859-1 +#fr_LU@euro ISO-8859-15 +#fur_IT UTF-8 +#fy_NL UTF-8 +#fy_DE UTF-8 +#ga_IE.UTF-8 UTF-8 +#ga_IE ISO-8859-1 +#ga_IE@euro ISO-8859-15 +#gd_GB.UTF-8 UTF-8 +#gd_GB ISO-8859-15 +#gez_ER UTF-8 +#gez_ER@abegede UTF-8 +#gez_ET UTF-8 +#gez_ET@abegede UTF-8 +#gl_ES.UTF-8 UTF-8 +#gl_ES ISO-8859-1 +#gl_ES@euro ISO-8859-15 +#gu_IN UTF-8 +#gv_GB.UTF-8 UTF-8 +#gv_GB ISO-8859-1 +#ha_NG UTF-8 +#hak_TW UTF-8 +#he_IL.UTF-8 UTF-8 +#he_IL ISO-8859-8 +#hi_IN UTF-8 +#hif_FJ UTF-8 +#hne_IN UTF-8 +#hr_HR.UTF-8 UTF-8 +#hr_HR ISO-8859-2 +#hsb_DE ISO-8859-2 +#hsb_DE.UTF-8 UTF-8 +#ht_HT UTF-8 +#hu_HU.UTF-8 UTF-8 +#hu_HU ISO-8859-2 +#hy_AM UTF-8 +#hy_AM.ARMSCII-8 ARMSCII-8 +#ia_FR UTF-8 +#id_ID.UTF-8 UTF-8 +#id_ID ISO-8859-1 +#ig_NG UTF-8 +#ik_CA UTF-8 +#is_IS.UTF-8 UTF-8 +#is_IS ISO-8859-1 +#it_CH.UTF-8 UTF-8 +#it_CH ISO-8859-1 +#it_IT.UTF-8 UTF-8 +#it_IT ISO-8859-1 +#it_IT@euro ISO-8859-15 +#iu_CA UTF-8 +#ja_JP.EUC-JP EUC-JP +#ja_JP.UTF-8 UTF-8 +#ka_GE.UTF-8 UTF-8 +#ka_GE GEORGIAN-PS +#kk_KZ.UTF-8 UTF-8 +#kk_KZ PT154 +#kl_GL.UTF-8 UTF-8 +#kl_GL ISO-8859-1 +#km_KH UTF-8 +#kn_IN UTF-8 +#ko_KR.EUC-KR EUC-KR +#ko_KR.UTF-8 UTF-8 +#kok_IN UTF-8 +#ks_IN UTF-8 +#ks_IN@devanagari UTF-8 +#ku_TR.UTF-8 UTF-8 +#ku_TR ISO-8859-9 +#kw_GB.UTF-8 UTF-8 +#kw_GB ISO-8859-1 +#ky_KG UTF-8 +#lb_LU UTF-8 +#lg_UG.UTF-8 UTF-8 +#lg_UG ISO-8859-10 +#li_BE UTF-8 +#li_NL UTF-8 +#lij_IT UTF-8 +#ln_CD UTF-8 +#lo_LA UTF-8 +#lt_LT.UTF-8 UTF-8 +#lt_LT ISO-8859-13 +#lv_LV.UTF-8 UTF-8 +#lv_LV ISO-8859-13 +#lzh_TW UTF-8 +#mag_IN UTF-8 +#mai_IN UTF-8 +#mai_NP UTF-8 +#mg_MG.UTF-8 UTF-8 +#mg_MG ISO-8859-15 +#mhr_RU UTF-8 +#mi_NZ.UTF-8 UTF-8 +#mi_NZ ISO-8859-13 +#mk_MK.UTF-8 UTF-8 +#mk_MK ISO-8859-5 +#ml_IN UTF-8 +#mn_MN UTF-8 +#mni_IN UTF-8 +#mr_IN UTF-8 +#ms_MY.UTF-8 UTF-8 +#ms_MY ISO-8859-1 +#mt_MT.UTF-8 UTF-8 +#mt_MT ISO-8859-3 +#my_MM UTF-8 +#nan_TW UTF-8 +#nan_TW@latin UTF-8 +#nb_NO.UTF-8 UTF-8 +#nb_NO ISO-8859-1 +#nds_DE UTF-8 +#nds_NL UTF-8 +#ne_NP UTF-8 +#nhn_MX UTF-8 +#niu_NU UTF-8 +#niu_NZ UTF-8 +#nl_AW UTF-8 +#nl_BE.UTF-8 UTF-8 +#nl_BE ISO-8859-1 +#nl_BE@euro ISO-8859-15 +#nl_NL.UTF-8 UTF-8 +#nl_NL ISO-8859-1 +#nl_NL@euro ISO-8859-15 +#nn_NO.UTF-8 UTF-8 +#nn_NO ISO-8859-1 +#nr_ZA UTF-8 +#nso_ZA UTF-8 +#oc_FR.UTF-8 UTF-8 +#oc_FR ISO-8859-1 +#om_ET UTF-8 +#om_KE.UTF-8 UTF-8 +#om_KE ISO-8859-1 +#or_IN UTF-8 +#os_RU UTF-8 +#pa_IN UTF-8 +#pa_PK UTF-8 +#pap_AW UTF-8 +#pap_CW UTF-8 +#pl_PL.UTF-8 UTF-8 +#pl_PL ISO-8859-2 +#ps_AF UTF-8 +#pt_BR.UTF-8 UTF-8 +#pt_BR ISO-8859-1 +#pt_PT.UTF-8 UTF-8 +#pt_PT ISO-8859-1 +#pt_PT@euro ISO-8859-15 +#quz_PE UTF-8 +#raj_IN UTF-8 +#ro_RO.UTF-8 UTF-8 +#ro_RO ISO-8859-2 +#ru_RU.KOI8-R KOI8-R +#ru_RU.UTF-8 UTF-8 +#ru_RU ISO-8859-5 +#ru_UA.UTF-8 UTF-8 +#ru_UA KOI8-U +#rw_RW UTF-8 +#sa_IN UTF-8 +#sat_IN UTF-8 +#sc_IT UTF-8 +#sd_IN UTF-8 +#sd_IN@devanagari UTF-8 +#se_NO UTF-8 +#sgs_LT UTF-8 +#shs_CA UTF-8 +#si_LK UTF-8 +#sid_ET UTF-8 +#sk_SK.UTF-8 UTF-8 +#sk_SK ISO-8859-2 +#sl_SI.UTF-8 UTF-8 +#sl_SI ISO-8859-2 +#sm_WS UTF-8 +#so_DJ.UTF-8 UTF-8 +#so_DJ ISO-8859-1 +#so_ET UTF-8 +#so_KE.UTF-8 UTF-8 +#so_KE ISO-8859-1 +#so_SO.UTF-8 UTF-8 +#so_SO ISO-8859-1 +#sq_AL.UTF-8 UTF-8 +#sq_AL ISO-8859-1 +#sq_MK UTF-8 +#sr_ME UTF-8 +#sr_RS UTF-8 +#sr_RS@latin UTF-8 +#ss_ZA UTF-8 +#st_ZA.UTF-8 UTF-8 +#st_ZA ISO-8859-1 +#sv_FI.UTF-8 UTF-8 +#sv_FI ISO-8859-1 +#sv_FI@euro ISO-8859-15 +#sv_SE.UTF-8 UTF-8 +#sv_SE ISO-8859-1 +#sw_KE UTF-8 +#sw_TZ UTF-8 +#szl_PL UTF-8 +#ta_IN UTF-8 +#ta_LK UTF-8 +#tcy_IN.UTF-8 UTF-8 +#te_IN UTF-8 +#tg_TJ.UTF-8 UTF-8 +#tg_TJ KOI8-T +#th_TH.UTF-8 UTF-8 +#th_TH TIS-620 +#the_NP UTF-8 +#ti_ER UTF-8 +#ti_ET UTF-8 +#tig_ER UTF-8 +#tk_TM UTF-8 +#tl_PH.UTF-8 UTF-8 +#tl_PH ISO-8859-1 +#tn_ZA UTF-8 +#to_TO UTF-8 +#tpi_PG UTF-8 +#tr_CY.UTF-8 UTF-8 +#tr_CY ISO-8859-9 +#tr_TR.UTF-8 UTF-8 +#tr_TR ISO-8859-9 +#ts_ZA UTF-8 +#tt_RU UTF-8 +#tt_RU@iqtelif UTF-8 +#ug_CN UTF-8 +#uk_UA.UTF-8 UTF-8 +#uk_UA KOI8-U +#unm_US UTF-8 +#ur_IN UTF-8 +#ur_PK UTF-8 +#uz_UZ.UTF-8 UTF-8 +#uz_UZ ISO-8859-1 +#uz_UZ@cyrillic UTF-8 +#ve_ZA UTF-8 +#vi_VN UTF-8 +#wa_BE ISO-8859-1 +#wa_BE@euro ISO-8859-15 +#wa_BE.UTF-8 UTF-8 +#wae_CH UTF-8 +#wal_ET UTF-8 +#wo_SN UTF-8 +#xh_ZA.UTF-8 UTF-8 +#xh_ZA ISO-8859-1 +#yi_US.UTF-8 UTF-8 +#yi_US CP1255 +#yo_NG UTF-8 +#yue_HK UTF-8 +#zh_CN.GB18030 GB18030 +#zh_CN.GBK GBK +#zh_CN.UTF-8 UTF-8 +#zh_CN GB2312 +#zh_HK.UTF-8 UTF-8 +#zh_HK BIG5-HKSCS +#zh_SG.UTF-8 UTF-8 +#zh_SG.GBK GBK +#zh_SG GB2312 +#zh_TW.EUC-TW EUC-TW +#zh_TW.UTF-8 UTF-8 +#zh_TW BIG5 +#zu_ZA.UTF-8 UTF-8 +#zu_ZA ISO-8859-1 diff --git a/roles/native-mariadb/handlers/main.yml b/roles/native-mariadb/handlers/main.yml new file mode 100644 index 00000000..25d7fdb7 --- /dev/null +++ b/roles/native-mariadb/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: mariadb restart + service: name=mariadb state=restarted enabled=yes diff --git a/roles/native-mariadb/tasks/main.yml b/roles/native-mariadb/tasks/main.yml new file mode 100644 index 00000000..8a6b7d15 --- /dev/null +++ b/roles/native-mariadb/tasks/main.yml @@ -0,0 +1,8 @@ +--- +- name: install MariaDB + pacman: name=mariadb state=present + notify: mariadb restart + +- name: executing installation script + command: mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql + notify: mariadb restart diff --git a/roles/native-nginx-docker-proxy/meta/main.yml b/roles/native-nginx-docker-proxy/meta/main.yml new file mode 100644 index 00000000..d33a1cab --- /dev/null +++ b/roles/native-nginx-docker-proxy/meta/main.yml @@ -0,0 +1,3 @@ +dependencies: +- native-docker +- native-https-server diff --git a/roles/native-nginx-docker-proxy/templates/domain.conf.j2 b/roles/native-nginx-docker-proxy/templates/domain.conf.j2 new file mode 100644 index 00000000..6482acf1 --- /dev/null +++ b/roles/native-nginx-docker-proxy/templates/domain.conf.j2 @@ -0,0 +1,13 @@ +server +{ + server_name {{domain}}; + + {% if client_max_body_size is defined %} + client_max_body_size {{ client_max_body_size }}; + {% endif %} + + {% include 'roles/native-letsencrypt/templates/ssl_header.j2' %} + + {% include 'proxy_pass.conf.j2' %} + +} diff --git a/roles/native-nginx-docker-proxy/templates/proxy_pass.conf.j2 b/roles/native-nginx-docker-proxy/templates/proxy_pass.conf.j2 new file mode 100644 index 00000000..2d8f1103 --- /dev/null +++ b/roles/native-nginx-docker-proxy/templates/proxy_pass.conf.j2 @@ -0,0 +1,11 @@ +location / +{ + proxy_pass http://127.0.0.1:{{http_port}}/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + proxy_connect_timeout 300; + proxy_send_timeout 300; + proxy_read_timeout 300; + send_timeout 300; +} diff --git a/roles/native-nginx/handlers/main.yml b/roles/native-nginx/handlers/main.yml new file mode 100644 index 00000000..16d81924 --- /dev/null +++ b/roles/native-nginx/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: restart nginx + service: name=nginx state=restarted enabled=yes diff --git a/roles/native-nginx/tasks/main.yml b/roles/native-nginx/tasks/main.yml new file mode 100644 index 00000000..fa050e4a --- /dev/null +++ b/roles/native-nginx/tasks/main.yml @@ -0,0 +1,17 @@ +--- +- name: install nginx + pacman: name=nginx state=present + notify: restart nginx + +- name: set /etc/nginx/conf.d + file: + path: /etc/nginx/conf.d + state: directory + mode: 0755 + +- name: create nginx config file + template: src=nginx.conf dest=/etc/nginx/nginx.conf + notify: restart nginx + +- name: flush nginx service + meta: flush_handlers diff --git a/roles/native-nginx/templates/nginx.conf b/roles/native-nginx/templates/nginx.conf new file mode 100644 index 00000000..7150d326 --- /dev/null +++ b/roles/native-nginx/templates/nginx.conf @@ -0,0 +1,21 @@ +worker_processes auto; + +events +{ + worker_connections 1024; +} + +http +{ + include mime.types; + default_type text/html; + + #access_log /var/log/nginx/access.log main; + error_log /var/log/nginx/error.log debug; + sendfile on; + keepalive_timeout 65; + gzip on; + types_hash_max_size 4096; + + include conf.d/*.conf; +} diff --git a/roles/native-pacman/tasks/main.yml b/roles/native-pacman/tasks/main.yml new file mode 100644 index 00000000..f7285d6f --- /dev/null +++ b/roles/native-pacman/tasks/main.yml @@ -0,0 +1,4 @@ +- name: update pacman + pacman: + update_cache: yes + upgrade: yes diff --git a/roles/native-postfix/meta/main.yml b/roles/native-postfix/meta/main.yml new file mode 100644 index 00000000..cd801777 --- /dev/null +++ b/roles/native-postfix/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: +- native-user-administrator diff --git a/roles/native-postfix/tasks/main.yml b/roles/native-postfix/tasks/main.yml new file mode 100644 index 00000000..474c48d9 --- /dev/null +++ b/roles/native-postfix/tasks/main.yml @@ -0,0 +1,4 @@ +- name: install postfix + pacman: + name: postfix + state: present diff --git a/roles/native-postfix/templates/aliases.j2 b/roles/native-postfix/templates/aliases.j2 new file mode 100644 index 00000000..cb0d898c --- /dev/null +++ b/roles/native-postfix/templates/aliases.j2 @@ -0,0 +1,264 @@ +# +# Sample aliases file. Install in the location as specified by the +# output from the command "postconf alias_maps". Typical path names +# are /etc/aliases or /etc/mail/aliases. +# +# >>>>>>>>>> The program "newaliases" must be run after +# >> NOTE >> this file is updated for any changes to +# >>>>>>>>>> show through to Postfix. +# + +# Person who should get root's mail. Don't receive mail as root! +root: administrator + +# Basic system aliases -- these MUST be present +MAILER-DAEMON: postmaster +postmaster: root + +# General redirections for pseudo accounts +bin: root +daemon: root +named: root +nobody: root +uucp: root +www: root +ftp-bugs: root +postfix: root + +# Put your local aliases here. + +# Well-known aliases +manager: root +dumper: root +operator: root +abuse: postmaster + +# trap decode to catch security attacks +decode: root + +# ALIASES(5) ALIASES(5) +# +# NAME +# aliases - Postfix local alias database format +# +# SYNOPSIS +# newaliases +# +# DESCRIPTION +# The aliases(5) table provides a system-wide mechanism to +# redirect mail for local recipients. The redirections are +# processed by the Postfix local(8) delivery agent. +# +# Normally, the aliases(5) table is specified as a text file +# that serves as input to the postalias(1) command. The +# result, an indexed file in dbm or db format, is used for +# fast lookup by the mail system. Execute the command +# newaliases in order to rebuild the indexed file after +# changing the Postfix alias database. +# +# When the table is provided via other means such as NIS, +# LDAP or SQL, the same lookups are done as for ordinary +# indexed files. +# +# Alternatively, the table can be provided as a regu- +# lar-expression map where patterns are given as regular +# expressions. In this case, the lookups are done in a +# slightly different way as described below under "REGULAR +# EXPRESSION TABLES". +# +# Users can control delivery of their own mail by setting up +# .forward files in their home directory. Lines in per-user +# .forward files have the same syntax as the right-hand side +# of aliases(5) entries. +# +# The format of the alias database input file is as follows: +# +# o An alias definition has the form +# +# name: value1, value2, ... +# +# o Empty lines and whitespace-only lines are ignored, +# as are lines whose first non-whitespace character +# is a `#'. +# +# o A logical line starts with non-whitespace text. A +# line that starts with whitespace continues a logi- +# cal line. +# +# The name is a local address (no domain part). Use double +# quotes when the name contains any special characters such +# as whitespace, `#', `:', or `@'. The name is folded to +# lowercase, in order to make database lookups case insensi- +# tive. +# +# In addition, when an alias exists for owner-name, this +# will override the envelope sender address, so that deliv- +# ery diagnostics are directed to owner-name, instead of the +# originator of the message (for details, see +# owner_request_special, expand_owner_alias and +# reset_owner_alias). This is typically used to direct +# delivery errors to the maintainer of a mailing list, who +# is in a better position to deal with mailing list delivery +# problems than the originator of the undelivered mail. +# +# The value contains one or more of the following: +# +# address +# Mail is forwarded to address, which is compatible +# with the RFC 822 standard. +# +# /file/name +# Mail is appended to /file/name. See local(8) for +# details of delivery to file. Delivery is not lim- +# ited to regular files. For example, to dispose of +# unwanted mail, deflect it to /dev/null. +# +# |command +# Mail is piped into command. Commands that contain +# special characters, such as whitespace, should be +# enclosed between double quotes. See local(8) for +# details of delivery to command. +# +# When the command fails, a limited amount of command +# output is mailed back to the sender. The file +# /usr/include/sysexits.h defines the expected exit +# status codes. For example, use "|exit 67" to simu- +# late a "user unknown" error, and "|exit 0" to +# implement an expensive black hole. +# +# :include:/file/name +# Mail is sent to the destinations listed in the +# named file. Lines in :include: files have the same +# syntax as the right-hand side of alias entries. +# +# A destination can be any destination that is +# described in this manual page. However, delivery to +# "|command" and /file/name is disallowed by default. +# To enable, edit the allow_mail_to_commands and +# allow_mail_to_files configuration parameters. +# +# ADDRESS EXTENSION +# When alias database search fails, and the recipient local- +# part contains the optional recipient delimiter (e.g., +# user+foo), the search is repeated for the unextended +# address (e.g., user). +# +# The propagate_unmatched_extensions parameter controls +# whether an unmatched address extension (+foo) is propa- +# gated to the result of table lookup. +# +# CASE FOLDING +# The local(8) delivery agent always folds the search string +# to lowercase before database lookup. +# +# REGULAR EXPRESSION TABLES +# This section describes how the table lookups change when +# the table is given in the form of regular expressions. For +# a description of regular expression lookup table syntax, +# see regexp_table(5) or pcre_table(5). NOTE: these formats +# do not use ":" at the end of a pattern. +# +# Each regular expression is applied to the entire search +# string. Thus, a search string user+foo is not broken up +# into user and foo. +# +# Regular expressions are applied in the order as specified +# in the table, until a regular expression is found that +# matches the search string. +# +# Lookup results are the same as with indexed file lookups. +# For security reasons there is no support for $1, $2 etc. +# substring interpolation. +# +# SECURITY +# The local(8) delivery agent disallows regular expression +# substitution of $1 etc. in alias_maps, because that would +# open a security hole. +# +# The local(8) delivery agent will silently ignore requests +# to use the proxymap(8) server within alias_maps. Instead +# it will open the table directly. Before Postfix version +# 2.2, the local(8) delivery agent will terminate with a +# fatal error. +# +# CONFIGURATION PARAMETERS +# The following main.cf parameters are especially relevant. +# The text below provides only a parameter summary. See +# postconf(5) for more details including examples. +# +# alias_database (see 'postconf -d' output) +# The alias databases for local(8) delivery that are +# updated with "newaliases" or with "sendmail -bi". +# +# alias_maps (see 'postconf -d' output) +# The alias databases that are used for local(8) +# delivery. +# +# allow_mail_to_commands (alias, forward) +# Restrict local(8) mail delivery to external com- +# mands. +# +# allow_mail_to_files (alias, forward) +# Restrict local(8) mail delivery to external files. +# +# expand_owner_alias (no) +# When delivering to an alias "aliasname" that has an +# "owner-aliasname" companion alias, set the envelope +# sender address to the expansion of the +# "owner-aliasname" alias. +# +# propagate_unmatched_extensions (canonical, virtual) +# What address lookup tables copy an address exten- +# sion from the lookup key to the lookup result. +# +# owner_request_special (yes) +# Enable special treatment for owner-listname entries +# in the aliases(5) file, and don't split owner-list- +# name and listname-request address localparts when +# the recipient_delimiter is set to "-". +# +# recipient_delimiter (empty) +# The set of characters that can separate a user name +# from its extension (example: user+foo), or a .for- +# ward file name from its extension (example: .for- +# ward+foo). +# +# Available in Postfix version 2.3 and later: +# +# frozen_delivered_to (yes) +# Update the local(8) delivery agent's idea of the +# Delivered-To: address (see prepend_deliv- +# ered_header) only once, at the start of a delivery +# attempt; do not update the Delivered-To: address +# while expanding aliases or .forward files. +# +# STANDARDS +# RFC 822 (ARPA Internet Text Messages) +# +# SEE ALSO +# local(8), local delivery agent +# newaliases(1), create/update alias database +# postalias(1), create/update alias database +# postconf(5), configuration parameters +# +# README FILES +# Use "postconf readme_directory" or "postconf html_direc- +# tory" to locate this information. +# DATABASE_README, Postfix lookup table overview +# +# LICENSE +# The Secure Mailer license must be distributed with this +# software. +# +# AUTHOR(S) +# Wietse Venema +# IBM T.J. Watson Research +# P.O. Box 704 +# Yorktown Heights, NY 10598, USA +# +# Wietse Venema +# Google, Inc. +# 111 8th Avenue +# New York, NY 10011, USA +# +# ALIASES(5) diff --git a/roles/native-postfix/templates/main.cf.j2 b/roles/native-postfix/templates/main.cf.j2 new file mode 100644 index 00000000..0f8b64e9 --- /dev/null +++ b/roles/native-postfix/templates/main.cf.j2 @@ -0,0 +1,680 @@ +# Global Postfix configuration file. This file lists only a subset +# of all parameters. For the syntax, and for a complete parameter +# list, see the postconf(5) manual page (command: "man 5 postconf"). +# +# For common configuration examples, see BASIC_CONFIGURATION_README +# and STANDARD_CONFIGURATION_README. To find these documents, use +# the command "postconf html_directory readme_directory", or go to +# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc. +# +# For best results, change no more than 2-3 parameters at a time, +# and test if Postfix still works after every change. + +# COMPATIBILITY +# +# The compatibility_level determines what default settings Postfix +# will use for main.cf and master.cf settings. These defaults will +# change over time. +# +# To avoid breaking things, Postfix will use backwards-compatible +# default settings and log where it uses those old backwards-compatible +# default settings, until the system administrator has determined +# if any backwards-compatible default settings need to be made +# permanent in main.cf or master.cf. +# +# When this review is complete, update the compatibility_level setting +# below as recommended in the RELEASE_NOTES file. +# +# The level below is what should be used with new (not upgrade) installs. +# +compatibility_level = 2 + +# SOFT BOUNCE +# +# The soft_bounce parameter provides a limited safety net for +# testing. When soft_bounce is enabled, mail will remain queued that +# would otherwise bounce. This parameter disables locally-generated +# bounces, and prevents the SMTP server from rejecting mail permanently +# (by changing 5xx replies into 4xx replies). However, soft_bounce +# is no cure for address rewriting mistakes or mail routing mistakes. +# +#soft_bounce = no + +# LOCAL PATHNAME INFORMATION +# +# The queue_directory specifies the location of the Postfix queue. +# This is also the root directory of Postfix daemons that run chrooted. +# See the files in examples/chroot-setup for setting up Postfix chroot +# environments on different UNIX systems. +# +queue_directory = /var/spool/postfix + +# The command_directory parameter specifies the location of all +# postXXX commands. +# +command_directory = /usr/bin + +# The daemon_directory parameter specifies the location of all Postfix +# daemon programs (i.e. programs listed in the master.cf file). This +# directory must be owned by root. +# +daemon_directory = /usr/lib/postfix/bin + +# The data_directory parameter specifies the location of Postfix-writable +# data files (caches, random numbers). This directory must be owned +# by the mail_owner account (see below). +# +data_directory = /var/lib/postfix + +# QUEUE AND PROCESS OWNERSHIP +# +# The mail_owner parameter specifies the owner of the Postfix queue +# and of most Postfix daemon processes. Specify the name of a user +# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS +# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In +# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED +# USER. +# +mail_owner = postfix + +# The default_privs parameter specifies the default rights used by +# the local delivery agent for delivery to external file or command. +# These rights are used in the absence of a recipient user context. +# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER. +# +#default_privs = nobody + +# INTERNET HOST AND DOMAIN NAMES +# +# The myhostname parameter specifies the internet hostname of this +# mail system. The default is to use the fully-qualified domain name +# from gethostname(). $myhostname is used as a default value for many +# other configuration parameters. +# +#myhostname = host.domain.tld +#myhostname = virtual.domain.tld + +# The mydomain parameter specifies the local internet domain name. +# The default is to use $myhostname minus the first component. +# $mydomain is used as a default value for many other configuration +# parameters. +# +#mydomain = domain.tld + +# SENDING MAIL +# +# The myorigin parameter specifies the domain that locally-posted +# mail appears to come from. The default is to append $myhostname, +# which is fine for small sites. If you run a domain with multiple +# machines, you should (1) change this to $mydomain and (2) set up +# a domain-wide alias database that aliases each user to +# user@that.users.mailhost. +# +# For the sake of consistency between sender and recipient addresses, +# myorigin also specifies the default domain name that is appended +# to recipient addresses that have no @domain part. +# +#myorigin = $myhostname +#myorigin = $mydomain + +# RECEIVING MAIL + +# The inet_interfaces parameter specifies the network interface +# addresses that this mail system receives mail on. By default, +# the software claims all active interfaces on the machine. The +# parameter also controls delivery of mail to user@[ip.address]. +# +# See also the proxy_interfaces parameter, for network addresses that +# are forwarded to us via a proxy or network address translator. +# +# Note: you need to stop/start Postfix when this parameter changes. +# +#inet_interfaces = all +#inet_interfaces = $myhostname +#inet_interfaces = $myhostname, localhost + +# The proxy_interfaces parameter specifies the network interface +# addresses that this mail system receives mail on by way of a +# proxy or network address translation unit. This setting extends +# the address list specified with the inet_interfaces parameter. +# +# You must specify your proxy/NAT addresses when your system is a +# backup MX host for other domains, otherwise mail delivery loops +# will happen when the primary MX host is down. +# +#proxy_interfaces = +#proxy_interfaces = 1.2.3.4 + +# The mydestination parameter specifies the list of domains that this +# machine considers itself the final destination for. +# +# These domains are routed to the delivery agent specified with the +# local_transport parameter setting. By default, that is the UNIX +# compatible delivery agent that lookups all recipients in /etc/passwd +# and /etc/aliases or their equivalent. +# +# The default is $myhostname + localhost.$mydomain + localhost. On +# a mail domain gateway, you should also include $mydomain. +# +# Do not specify the names of virtual domains - those domains are +# specified elsewhere (see VIRTUAL_README). +# +# Do not specify the names of domains that this machine is backup MX +# host for. Specify those names via the relay_domains settings for +# the SMTP server, or use permit_mx_backup if you are lazy (see +# STANDARD_CONFIGURATION_README). +# +# The local machine is always the final destination for mail addressed +# to user@[the.net.work.address] of an interface that the mail system +# receives mail on (see the inet_interfaces parameter). +# +# Specify a list of host or domain names, /file/name or type:table +# patterns, separated by commas and/or whitespace. A /file/name +# pattern is replaced by its contents; a type:table is matched when +# a name matches a lookup key (the right-hand side is ignored). +# Continue long lines by starting the next line with whitespace. +# +# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS". +# +#mydestination = $myhostname, localhost.$mydomain, localhost +#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain +#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, +# mail.$mydomain, www.$mydomain, ftp.$mydomain + +# REJECTING MAIL FOR UNKNOWN LOCAL USERS +# +# The local_recipient_maps parameter specifies optional lookup tables +# with all names or addresses of users that are local with respect +# to $mydestination, $inet_interfaces or $proxy_interfaces. +# +# If this parameter is defined, then the SMTP server will reject +# mail for unknown local users. This parameter is defined by default. +# +# To turn off local recipient checking in the SMTP server, specify +# local_recipient_maps = (i.e. empty). +# +# The default setting assumes that you use the default Postfix local +# delivery agent for local delivery. You need to update the +# local_recipient_maps setting if: +# +# - You define $mydestination domain recipients in files other than +# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files. +# For example, you define $mydestination domain recipients in +# the $virtual_mailbox_maps files. +# +# - You redefine the local delivery agent in master.cf. +# +# - You redefine the "local_transport" setting in main.cf. +# +# - You use the "luser_relay", "mailbox_transport", or "fallback_transport" +# feature of the Postfix local delivery agent (see local(8)). +# +# Details are described in the LOCAL_RECIPIENT_README file. +# +# Beware: if the Postfix SMTP server runs chrooted, you probably have +# to access the passwd file via the proxymap service, in order to +# overcome chroot restrictions. The alternative, having a copy of +# the system passwd file in the chroot jail is just not practical. +# +# The right-hand side of the lookup tables is conveniently ignored. +# In the left-hand side, specify a bare username, an @domain.tld +# wild-card, or specify a user@domain.tld address. +# +#local_recipient_maps = unix:passwd.byname $alias_maps +#local_recipient_maps = proxy:unix:passwd.byname $alias_maps +#local_recipient_maps = + +# The unknown_local_recipient_reject_code specifies the SMTP server +# response code when a recipient domain matches $mydestination or +# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty +# and the recipient address or address local-part is not found. +# +# The default setting is 550 (reject mail) but it is safer to start +# with 450 (try again later) until you are certain that your +# local_recipient_maps settings are OK. +# +unknown_local_recipient_reject_code = 550 + +# TRUST AND RELAY CONTROL + +# The mynetworks parameter specifies the list of "trusted" SMTP +# clients that have more privileges than "strangers". +# +# In particular, "trusted" SMTP clients are allowed to relay mail +# through Postfix. See the smtpd_recipient_restrictions parameter +# in postconf(5). +# +# You can specify the list of "trusted" network addresses by hand +# or you can let Postfix do it for you (which is the default). +# +# By default (mynetworks_style = subnet), Postfix "trusts" SMTP +# clients in the same IP subnetworks as the local machine. +# On Linux, this works correctly only with interfaces specified +# with the "ifconfig" command. +# +# Specify "mynetworks_style = class" when Postfix should "trust" SMTP +# clients in the same IP class A/B/C networks as the local machine. +# Don't do this with a dialup site - it would cause Postfix to "trust" +# your entire provider's network. Instead, specify an explicit +# mynetworks list by hand, as described below. +# +# Specify "mynetworks_style = host" when Postfix should "trust" +# only the local machine. +# +#mynetworks_style = class +#mynetworks_style = subnet +#mynetworks_style = host + +# Alternatively, you can specify the mynetworks list by hand, in +# which case Postfix ignores the mynetworks_style setting. +# +# Specify an explicit list of network/netmask patterns, where the +# mask specifies the number of bits in the network part of a host +# address. +# +# You can also specify the absolute pathname of a pattern file instead +# of listing the patterns here. Specify type:table for table-based lookups +# (the value on the table right-hand side is not used). +# +#mynetworks = 168.100.189.0/28, 127.0.0.0/8 +#mynetworks = $config_directory/mynetworks +#mynetworks = hash:/etc/postfix/network_table + +# The relay_domains parameter restricts what destinations this system will +# relay mail to. See the smtpd_recipient_restrictions description in +# postconf(5) for detailed information. +# +# By default, Postfix relays mail +# - from "trusted" clients (IP address matches $mynetworks) to any destination, +# - from "untrusted" clients to destinations that match $relay_domains or +# subdomains thereof, except addresses with sender-specified routing. +# The default relay_domains value is $mydestination. +# +# In addition to the above, the Postfix SMTP server by default accepts mail +# that Postfix is final destination for: +# - destinations that match $inet_interfaces or $proxy_interfaces, +# - destinations that match $mydestination +# - destinations that match $virtual_alias_domains, +# - destinations that match $virtual_mailbox_domains. +# These destinations do not need to be listed in $relay_domains. +# +# Specify a list of hosts or domains, /file/name patterns or type:name +# lookup tables, separated by commas and/or whitespace. Continue +# long lines by starting the next line with whitespace. A file name +# is replaced by its contents; a type:name table is matched when a +# (parent) domain appears as lookup key. +# +# NOTE: Postfix will not automatically forward mail for domains that +# list this system as their primary or backup MX host. See the +# permit_mx_backup restriction description in postconf(5). +# +#relay_domains = $mydestination + +# INTERNET OR INTRANET + +# The relayhost parameter specifies the default host to send mail to +# when no entry is matched in the optional transport(5) table. When +# no relayhost is given, mail is routed directly to the destination. +# +# On an intranet, specify the organizational domain name. If your +# internal DNS uses no MX records, specify the name of the intranet +# gateway host instead. +# +# In the case of SMTP, specify a domain, host, host:port, [host]:port, +# [address] or [address]:port; the form [host] turns off MX lookups. +# +# If you're connected via UUCP, see also the default_transport parameter. +# +#relayhost = $mydomain +#relayhost = [gateway.my.domain] +#relayhost = [mailserver.isp.tld] +#relayhost = uucphost +#relayhost = [an.ip.add.ress] + +# REJECTING UNKNOWN RELAY USERS +# +# The relay_recipient_maps parameter specifies optional lookup tables +# with all addresses in the domains that match $relay_domains. +# +# If this parameter is defined, then the SMTP server will reject +# mail for unknown relay users. This feature is off by default. +# +# The right-hand side of the lookup tables is conveniently ignored. +# In the left-hand side, specify an @domain.tld wild-card, or specify +# a user@domain.tld address. +# +#relay_recipient_maps = hash:/etc/postfix/relay_recipients + +# INPUT RATE CONTROL +# +# The in_flow_delay configuration parameter implements mail input +# flow control. This feature is turned on by default, although it +# still needs further development (it's disabled on SCO UNIX due +# to an SCO bug). +# +# A Postfix process will pause for $in_flow_delay seconds before +# accepting a new message, when the message arrival rate exceeds the +# message delivery rate. With the default 100 SMTP server process +# limit, this limits the mail inflow to 100 messages a second more +# than the number of messages delivered per second. +# +# Specify 0 to disable the feature. Valid delays are 0..10. +# +#in_flow_delay = 1s + +# ADDRESS REWRITING +# +# The ADDRESS_REWRITING_README document gives information about +# address masquerading or other forms of address rewriting including +# username->Firstname.Lastname mapping. + +# ADDRESS REDIRECTION (VIRTUAL DOMAIN) +# +# The VIRTUAL_README document gives information about the many forms +# of domain hosting that Postfix supports. + +# "USER HAS MOVED" BOUNCE MESSAGES +# +# See the discussion in the ADDRESS_REWRITING_README document. + +# TRANSPORT MAP +# +# See the discussion in the ADDRESS_REWRITING_README document. + +# ALIAS DATABASE +# +# The alias_maps parameter specifies the list of alias databases used +# by the local delivery agent. The default list is system dependent. +# +# On systems with NIS, the default is to search the local alias +# database, then the NIS alias database. See aliases(5) for syntax +# details. +# +# If you change the alias database, run "postalias /etc/aliases" (or +# wherever your system stores the mail alias file), or simply run +# "newaliases" to build the necessary DBM or DB file. +# +# It will take a minute or so before changes become visible. Use +# "postfix reload" to eliminate the delay. +# +#alias_maps = dbm:/etc/aliases +#alias_maps = hash:/etc/aliases +#alias_maps = hash:/etc/aliases, nis:mail.aliases +#alias_maps = netinfo:/aliases +alias_maps = hash:/etc/postfix/aliases + +# The alias_database parameter specifies the alias database(s) that +# are built with "newaliases" or "sendmail -bi". This is a separate +# configuration parameter, because alias_maps (see above) may specify +# tables that are not necessarily all under control by Postfix. +# +#alias_database = dbm:/etc/aliases +#alias_database = dbm:/etc/mail/aliases +#alias_database = hash:/etc/aliases +#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases +alias_database = $alias_maps + +# ADDRESS EXTENSIONS (e.g., user+foo) +# +# The recipient_delimiter parameter specifies the separator between +# user names and address extensions (user+foo). See canonical(5), +# local(8), relocated(5) and virtual(5) for the effects this has on +# aliases, canonical, virtual, relocated and .forward file lookups. +# Basically, the software tries user+foo and .forward+foo before +# trying user and .forward. +# +#recipient_delimiter = + + +# DELIVERY TO MAILBOX +# +# The home_mailbox parameter specifies the optional pathname of a +# mailbox file relative to a user's home directory. The default +# mailbox file is /var/spool/mail/user or /var/mail/user. Specify +# "Maildir/" for qmail-style delivery (the / is required). +# +#home_mailbox = Mailbox +#home_mailbox = Maildir/ + +# The mail_spool_directory parameter specifies the directory where +# UNIX-style mailboxes are kept. The default setting depends on the +# system type. +# +#mail_spool_directory = /var/mail +#mail_spool_directory = /var/spool/mail + +# The mailbox_command parameter specifies the optional external +# command to use instead of mailbox delivery. The command is run as +# the recipient with proper HOME, SHELL and LOGNAME environment settings. +# Exception: delivery for root is done as $default_user. +# +# Other environment variables of interest: USER (recipient username), +# EXTENSION (address extension), DOMAIN (domain part of address), +# and LOCAL (the address localpart). +# +# Unlike other Postfix configuration parameters, the mailbox_command +# parameter is not subjected to $parameter substitutions. This is to +# make it easier to specify shell syntax (see example below). +# +# Avoid shell meta characters because they will force Postfix to run +# an expensive shell process. Procmail alone is expensive enough. +# +# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN +# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER. +# +#mailbox_command = /some/where/procmail +#mailbox_command = /some/where/procmail -a "$EXTENSION" + +# The mailbox_transport specifies the optional transport in master.cf +# to use after processing aliases and .forward files. This parameter +# has precedence over the mailbox_command, fallback_transport and +# luser_relay parameters. +# +# Specify a string of the form transport:nexthop, where transport is +# the name of a mail delivery transport defined in master.cf. The +# :nexthop part is optional. For more details see the sample transport +# configuration file. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must update the "local_recipient_maps" setting in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd" +# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf. +#mailbox_transport = lmtp:unix:/var/imap/socket/lmtp +# +# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and +# subsequent line in master.cf. +#mailbox_transport = cyrus + +# The fallback_transport specifies the optional transport in master.cf +# to use for recipients that are not found in the UNIX passwd database. +# This parameter has precedence over the luser_relay parameter. +# +# Specify a string of the form transport:nexthop, where transport is +# the name of a mail delivery transport defined in master.cf. The +# :nexthop part is optional. For more details see the sample transport +# configuration file. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must update the "local_recipient_maps" setting in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +#fallback_transport = lmtp:unix:/file/name +#fallback_transport = cyrus +#fallback_transport = + +# The luser_relay parameter specifies an optional destination address +# for unknown recipients. By default, mail for unknown@$mydestination, +# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned +# as undeliverable. +# +# The following expansions are done on luser_relay: $user (recipient +# username), $shell (recipient shell), $home (recipient home directory), +# $recipient (full recipient address), $extension (recipient address +# extension), $domain (recipient domain), $local (entire recipient +# localpart), $recipient_delimiter. Specify ${name?value} or +# ${name:value} to expand value only when $name does (does not) exist. +# +# luser_relay works only for the default Postfix local delivery agent. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must specify "local_recipient_maps =" (i.e. empty) in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +#luser_relay = $user@other.host +#luser_relay = $local@other.host +#luser_relay = admin+$local + +# JUNK MAIL CONTROLS +# +# The controls listed here are only a very small subset. The file +# SMTPD_ACCESS_README provides an overview. + +# The header_checks parameter specifies an optional table with patterns +# that each logical message header is matched against, including +# headers that span multiple physical lines. +# +# By default, these patterns also apply to MIME headers and to the +# headers of attached messages. With older Postfix versions, MIME and +# attached message headers were treated as body text. +# +# For details, see "man header_checks". +# +#header_checks = regexp:/etc/postfix/header_checks + +# FAST ETRN SERVICE +# +# Postfix maintains per-destination logfiles with information about +# deferred mail, so that mail can be flushed quickly with the SMTP +# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld". +# See the ETRN_README document for a detailed description. +# +# The fast_flush_domains parameter controls what destinations are +# eligible for this service. By default, they are all domains that +# this server is willing to relay mail to. +# +#fast_flush_domains = $relay_domains + +# SHOW SOFTWARE VERSION OR NOT +# +# The smtpd_banner parameter specifies the text that follows the 220 +# code in the SMTP server's greeting banner. Some people like to see +# the mail version advertised. By default, Postfix shows no version. +# +# You MUST specify $myhostname at the start of the text. That is an +# RFC requirement. Postfix itself does not care. +# +#smtpd_banner = $myhostname ESMTP $mail_name +#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) + +# PARALLEL DELIVERY TO THE SAME DESTINATION +# +# How many parallel deliveries to the same user or domain? With local +# delivery, it does not make sense to do massively parallel delivery +# to the same user, because mailbox updates must happen sequentially, +# and expensive pipelines in .forward files can cause disasters when +# too many are run at the same time. With SMTP deliveries, 10 +# simultaneous connections to the same domain could be sufficient to +# raise eyebrows. +# +# Each message delivery transport has its XXX_destination_concurrency_limit +# parameter. The default is $default_destination_concurrency_limit for +# most delivery transports. For the local delivery agent the default is 2. + +#local_destination_concurrency_limit = 2 +#default_destination_concurrency_limit = 20 + +# DEBUGGING CONTROL +# +# The debug_peer_level parameter specifies the increment in verbose +# logging level when an SMTP client or server host name or address +# matches a pattern in the debug_peer_list parameter. +# +debug_peer_level = 2 + +# The debug_peer_list parameter specifies an optional list of domain +# or network patterns, /file/name patterns or type:name tables. When +# an SMTP client or server host name or address matches a pattern, +# increase the verbose logging level by the amount specified in the +# debug_peer_level parameter. +# +#debug_peer_list = 127.0.0.1 +#debug_peer_list = some.domain + +# The debugger_command specifies the external command that is executed +# when a Postfix daemon program is run with the -D option. +# +# Use "command .. & sleep 5" so that the debugger can attach before +# the process marches on. If you use an X-based debugger, be sure to +# set up your XAUTHORITY environment variable before starting Postfix. +# +debugger_command = + PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin + ddd $daemon_directory/$process_name $process_id & sleep 5 + +# If you can't use X, use this to capture the call stack when a +# daemon crashes. The result is in a file in the configuration +# directory, and is named after the process name and the process ID. +# +# debugger_command = +# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont; +# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1 +# >$config_directory/$process_name.$process_id.log & sleep 5 +# +# Another possibility is to run gdb under a detached screen session. +# To attach to the screen session, su root and run "screen -r +# " where uniquely matches one of the detached +# sessions (from "screen -list"). +# +# debugger_command = +# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen +# -dmS $process_name gdb $daemon_directory/$process_name +# $process_id & sleep 1 + +# INSTALL-TIME CONFIGURATION INFORMATION +# +# The following parameters are used when installing a new Postfix version. +# +# sendmail_path: The full pathname of the Postfix sendmail command. +# This is the Sendmail-compatible mail posting interface. +# +sendmail_path = /usr/bin/sendmail + +# newaliases_path: The full pathname of the Postfix newaliases command. +# This is the Sendmail-compatible command to build alias databases. +# +newaliases_path = /usr/bin/newaliases + +# mailq_path: The full pathname of the Postfix mailq command. This +# is the Sendmail-compatible mail queue listing command. +# +mailq_path = /usr/bin/mailq + +# setgid_group: The group for mail submission and queue management +# commands. This must be a group name with a numerical group ID that +# is not shared with other accounts, not even with the Postfix account. +# +setgid_group = postdrop + +# html_directory: The location of the Postfix HTML documentation. +# +html_directory = no + +# manpage_directory: The location of the Postfix on-line manual pages. +# +manpage_directory = /usr/share/man + +# sample_directory: The location of the Postfix sample configuration files. +# This parameter is obsolete as of Postfix 2.1. +# +sample_directory = /etc/postfix + +# readme_directory: The location of the Postfix README files. +# +readme_directory = /usr/share/doc/postfix +inet_protocols = ipv4 +meta_directory = /etc/postfix +shlib_directory = /usr/lib/postfix diff --git a/roles/native-security/meta/main.yml b/roles/native-security/meta/main.yml new file mode 100644 index 00000000..02b5a5ad --- /dev/null +++ b/roles/native-security/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: +- native-ssh diff --git a/roles/native-ssh/handlers/main.yml b/roles/native-ssh/handlers/main.yml new file mode 100644 index 00000000..c54a573d --- /dev/null +++ b/roles/native-ssh/handlers/main.yml @@ -0,0 +1,2 @@ +- name: sshd restart + service: name=sshd state=restarted enabled=yes diff --git a/roles/native-ssh/tasks/main.yml b/roles/native-ssh/tasks/main.yml new file mode 100644 index 00000000..bdd6bdb8 --- /dev/null +++ b/roles/native-ssh/tasks/main.yml @@ -0,0 +1,3 @@ +- name: configuring ssh + template: src=sshd_config dest=/etc/ssh/ + notify: sshd restart diff --git a/roles/native-ssh/templates/sshd_config b/roles/native-ssh/templates/sshd_config new file mode 100644 index 00000000..b4426f52 --- /dev/null +++ b/roles/native-ssh/templates/sshd_config @@ -0,0 +1,118 @@ +# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +#RekeyLimit default none + +# Logging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +PermitRootLogin without-password +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +PasswordAuthentication no +#PermitEmptyPasswords no + +# Change to no to disable s/key passwords +ChallengeResponseAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding no +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +PrintMotd no # pam does that +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# override default of no subsystems +Subsystem sftp /usr/lib/ssh/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server diff --git a/roles/native-user-administrator/Readme.md b/roles/native-user-administrator/Readme.md new file mode 100644 index 00000000..7361e5f1 --- /dev/null +++ b/roles/native-user-administrator/Readme.md @@ -0,0 +1,3 @@ +# Role Administrator +This role creates an standard administrator user. +For security reasons it's recommended to use this user instead of the standard root user. diff --git a/roles/native-user-administrator/tasks/main.yml b/roles/native-user-administrator/tasks/main.yml new file mode 100644 index 00000000..0f50ff98 --- /dev/null +++ b/roles/native-user-administrator/tasks/main.yml @@ -0,0 +1,7 @@ +- name: create administrator + user: + name: administrator + generate_ssh_key: yes + ssh_key_bits: 4096 + ssh_key_file: .ssh/id_rsa + group: sudo diff --git a/roles/native-user-alarm/tasks/main.yml b/roles/native-user-alarm/tasks/main.yml new file mode 100644 index 00000000..877c3e1e --- /dev/null +++ b/roles/native-user-alarm/tasks/main.yml @@ -0,0 +1,5 @@ +- name: remove the user alarm + user: + name: alarm + state: absent + remove: yes diff --git a/roles/native-user-datasafer/tasks/main.yml b/roles/native-user-datasafer/tasks/main.yml new file mode 100644 index 00000000..af932f4a --- /dev/null +++ b/roles/native-user-datasafer/tasks/main.yml @@ -0,0 +1,6 @@ +- name: create datasaver + user: + name: datasaver + generate_ssh_key: yes + ssh_key_bits: 4096 + ssh_key_file: .ssh/id_rsa diff --git a/roles/native-wireguard/README.md b/roles/native-wireguard/README.md new file mode 100644 index 00000000..25c72e8b --- /dev/null +++ b/roles/native-wireguard/README.md @@ -0,0 +1,10 @@ +# Role Native Wireguard +Manages wireguard natively on host. More information are available in the [Arch wiki](https://wiki.archlinux.org/index.php/WireGuard#Manual_WireGuard_setup). + +## Create Client Key +``bash +wg genkey | tee peer_A.key | wg pubkey > peer_A.pub +`` + +# chown root:systemd-network /etc/systemd/network/99-*.netdev +# chmod 0640 /etc/systemd/network/99-*.netdev diff --git a/roles/native-wireguard/handlers/main.yml b/roles/native-wireguard/handlers/main.yml new file mode 100644 index 00000000..8540009b --- /dev/null +++ b/roles/native-wireguard/handlers/main.yml @@ -0,0 +1,2 @@ +- name: restart wireguard + service: name=wg-quick@wg0.service state=restarted enabled=yes diff --git a/roles/native-wireguard/tasks/main.yml b/roles/native-wireguard/tasks/main.yml new file mode 100644 index 00000000..b143bd8f --- /dev/null +++ b/roles/native-wireguard/tasks/main.yml @@ -0,0 +1,6 @@ +- name: install wireguard + pacman: name=wireguard-tools state=present + +- name: create /etc/wireguard/wg0.conf + template: src={{ inventory_hostname }}.wg0.conf dest=/etc/wireguard/wg0.conf + notify: restart wireguard diff --git a/site.yml b/site.yml new file mode 100644 index 00000000..75e19e5d --- /dev/null +++ b/site.yml @@ -0,0 +1,47 @@ +--- +- name: setup backup servers + hosts: backup_servers + roles: + - native-user-datasafer + +- name: setup arch servers + hosts: arch_servers + roles: + - native-security + - native-pacman + - native-wireguard + - native-user-alarm + - native-user-administrator +- name: setup webservers + hosts: webservers + roles: + - role: native-homepage + vars: + domain: "{{top_domain}}" + - role: docker-nextcloud + vars: + domain: cloud.{{top_domain}} + http_port: 8001 + - role: docker-gitea + vars: + domain: git.{{top_domain}} + http_port: 8002 + ssh_port: 2201 + run_mode: prod + - role: docker-wordpress + vars: + domain: www.{{top_domain}} + http_port: 8003 + - role: docker-mediawiki + vars: + domain: wiki.{{top_domain}} + http_port: 8004 + - role: docker-mybb + vars: + domain: forum.{{top_domain}} + http_port: 8005 + - role: docker-yourls + vars: + domain: s.{{top_domain}} + http_port: 8006 + - native-docker-volume-backup