initial cleanup server-manager

This commit is contained in:
Kevin Veen-Birkenbach 2020-12-24 14:27:31 +01:00
commit ccd20af081
81 changed files with 2601 additions and 0 deletions

2
.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
site.retry
hosts

24
README.md Normal file
View File

@ -0,0 +1,24 @@
# Server-Manager
## Description
Ansible script to manage servers.
## Setup
To use this script execute:
``bash
ansible-galaxy install kewlfft.aur
``
## Update
``bash
ansible-playbook -i hosts site.yml
``
## Debug
### Cleanup docker
``bash
docker stop $(docker ps -aq); docker rm $(docker ps -aq); docker volume rm $(docker volume ls -q);
``
## topdo
- implement smtp
- implement administrator mail

1
host_vars/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
*.yml

View File

@ -0,0 +1,2 @@
dependencies:
- native-nginx-docker-proxy

View File

@ -0,0 +1,49 @@
---
- name: recieve {{domain}} certificate
command: certbot certonly --agree-tos --email {{administrator_email}} --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{domain}}
- name: configure {{domain}} https
template: src=roles/native-nginx-docker-proxy/templates/domain.conf.j2 dest=/etc/nginx/conf.d/{{domain}}.conf
notify: restart nginx
- name: container present
docker_compose:
project_name: gitea
definition:
application:
restart: always
image: gitea/gitea:latest
environment:
- USER_UID=1000
- USER_GID=1000
- DB_TYPE=mysql
- DB_HOST=database:3306
- DB_NAME=gitea
- DB_USER=gitea
- DB_PASSWD={{gitea_database_password}}
- SSH_PORT={{ssh_port}}
- SSH_LISTEN_PORT=22
- DOMAIN={{domain}}
- SSH_DOMAIN={{domain}}
- RUN_MODE="{{run_mode}}"
ports:
- "{{http_port}}:3000"
- "{{ssh_port}}:22"
links:
- database
volumes:
- gitea-data:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
database:
image: mariadb
environment:
MYSQL_DATABASE: "gitea"
MYSQL_USER: "gitea"
MYSQL_PASSWORD: "{{gitea_database_password}}"
MYSQL_RANDOM_ROOT_PASSWORD: 'yes'
volumes:
- gitea-database:/var/lib/mysql
restart: always
expose:
- "3306"

View File

@ -0,0 +1,2 @@
dependencies:
- native-nginx-docker-proxy

View File

@ -0,0 +1,19 @@
- name: recieve {{domain}} certificate
command: certbot certonly --agree-tos --email {{administrator_email}} --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{domain}}
- name: configure {{domain}}.conf
template: src=roles/native-nginx-docker-proxy/templates/domain.conf.j2 dest=/etc/nginx/conf.d/{{domain}}.conf
notify: restart nginx
- name: "docker jenkins"
docker_compose:
project_name: jenkins
definition:
application:
image: jenkins/jenkins:lts
restart: always
ports:
- "{{http_port}}:8080"
restart: always
volumes:
- jenkins_data:/var/jenkins_home

View File

@ -0,0 +1,6 @@
# role docker-joomla
## delete all data
```bash
docker stop joomla_application_1; docker rm -f joomla_application_1; docker volume rm -f joomla-data;
docker stop joomla_database_1; docker rm -f joomla_database_1; docker volume rm -f joomla-database;
```

View File

@ -0,0 +1,2 @@
dependencies:
- native-nginx-docker-proxy

View File

@ -0,0 +1,36 @@
---
- name: recieve {{domain}} certificate
command: certbot certonly --agree-tos --email {{administrator_email}} --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{domain}}
- name: configure {{domain}}.conf
template: src=roles/native-nginx-docker-proxy/templates/domain.conf.j2 dest=/etc/nginx/conf.d/{{domain}}.conf
notify: restart nginx
- name: "setup joomla"
docker_compose:
project_name: joomla
definition:
application:
image: joomla
environment:
JOOMLA_DB_HOST: "database:3306"
JOOMLA_DB_USER: "joomla"
JOOMLA_DB_PASSWORD: "{{joomla_database_password}}"
JOOMLA_DB_NAME: "joomla"
restart: always
links:
- database
volumes:
- joomla-data:/var/www/html
ports:
- "{{http_port}}:80"
database:
image: mariadb
environment:
MYSQL_DATABASE: "joomla"
MYSQL_USER: "joomla"
MYSQL_PASSWORD: "{{joomla_database_password}}"
MYSQL_RANDOM_ROOT_PASSWORD: 'yes'
volumes:
- joomla-database:/var/lib/mysql
restart: always

View File

@ -0,0 +1,144 @@
# role docker-mediawiki
## Generate LocalSettings.php
Login to the container:
```bash
docker exec -it mediawiki_application_1 /bin/sh
```
Seed the LocalSettings.php:
```bash
cat > LocalSettings.php << EOF
<?php
# This file was automatically generated by the MediaWiki 1.35.0
# installer. If you make manual changes, please keep track in case you
# need to recreate them later.
#
# See includes/DefaultSettings.php for all configurable settings
# and their default values, but don't forget to make changes in _this_
# file, not there.
#
# Further documentation for configuration settings may be found at:
# https://www.mediawiki.org/wiki/Manual:Configuration_settings
# Protect against web entry
if ( !defined( 'MEDIAWIKI' ) ) {
exit;
}
## Uncomment this to disable output compression
# \$wgDisableOutputCompression = true;
\$wgSitename = "test";
\$wgMetaNamespace = "Test";
## The URL base path to the directory containing the wiki;
## defaults for all runtime URL paths are based off of this.
## For more information on customizing the URLs
## (like /w/index.php/Page_title to /wiki/Page_title) please see:
## https://www.mediawiki.org/wiki/Manual:Short_URL
\$wgScriptPath = "";
## The protocol and server name to use in fully-qualified URLs
\$wgServer = "http://wiki.veen.world";
## The URL path to static resources (images, scripts, etc.)
\$wgResourceBasePath = \$wgScriptPath;
## The URL paths to the logo. Make sure you change this from the default,
## or else you'll overwrite your logo when you upgrade!
\$wgLogos = [ '1x' => "\$wgResourceBasePath/resources/assets/wiki.png" ];
## UPO means: this is also a user preference option
\$wgEnableEmail = true;
\$wgEnableUserEmail = true; # UPO
\$wgEmergencyContact = "apache@🌻.invalid";
\$wgPasswordSender = "apache@🌻.invalid";
\$wgEnotifUserTalk = false; # UPO
\$wgEnotifWatchlist = false; # UPO
\$wgEmailAuthentication = true;
## Database settings
\$wgDBtype = "mysql";
\$wgDBserver = "database:3306";
\$wgDBname = "mediawiki";
\$wgDBuser = "mediawiki";
\$wgDBpassword = "test";
# MySQL specific settings
\$wgDBprefix = "";
# MySQL table options to use during installation or update
\$wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary";
## Shared memory settings
\$wgMainCacheType = CACHE_NONE;
\$wgMemCachedServers = [];
## To enable image uploads, make sure the 'images' directory
## is writable, then set this to true:
\$wgEnableUploads = false;
\$wgUseImageMagick = true;
\$wgImageMagickConvertCommand = "/usr/bin/convert";
# InstantCommons allows wiki to use images from https://commons.wikimedia.org
\$wgUseInstantCommons = false;
# Periodically send a pingback to https://www.mediawiki.org/ with basic data
# about this MediaWiki instance. The Wikimedia Foundation shares this data
# with MediaWiki developers to help guide future development efforts.
\$wgPingback = true;
## If you use ImageMagick (or any other shell command) on a
## Linux server, this will need to be set to the name of an
## available UTF-8 locale
\$wgShellLocale = "C.UTF-8";
## Set \$wgCacheDirectory to a writable directory on the web server
## to make your wiki go slightly faster. The directory should not
## be publicly accessible from the web.
#\$wgCacheDirectory = "\$IP/cache";
# Site language code, should be one of the list in ./languages/data/Names.php
\$wgLanguageCode = "en";
\$wgSecretKey = "603fe88c985b05706f19aaf77d2a61459555ff21a4a4d4ef0aa15c8f8ec50f00";
# Changing this will log out all existing sessions.
\$wgAuthenticationTokenVersion = "1";
# Site upgrade key. Must be set to a string (default provided) to turn on the
# web installer while LocalSettings.php is in place
\$wgUpgradeKey = "f99263b0f3a7c59a";
## For attaching licensing metadata to pages, and displaying an
## appropriate copyright notice / icon. GNU Free Documentation
## License and Creative Commons licenses are supported so far.
\$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
\$wgRightsUrl = "";
\$wgRightsText = "";
\$wgRightsIcon = "";
# Path to the GNU diff3 utility. Used for conflict resolution.
\$wgDiff3 = "/usr/bin/diff3";
## Default skin: you can change the default skin. Use the internal symbolic
## names, ie 'vector', 'monobook':
\$wgDefaultSkin = "vector";
# Enabled skins.
# The following skins were automatically enabled:
wfLoadSkin( 'MonoBook' );
wfLoadSkin( 'Timeless' );
wfLoadSkin( 'Vector' );
# End of automatically generated settings.
# Add more configuration options below.
EOF
```

View File

@ -0,0 +1,2 @@
dependencies:
- native-nginx-docker-proxy

View File

@ -0,0 +1,30 @@
- name: recieve {{domain}} certificate
command: certbot certonly --agree-tos --email {{administrator_email}} --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{domain}}
- name: configure {{domain}}.conf
template: src=roles/native-nginx-docker-proxy/templates/domain.conf.j2 dest=/etc/nginx/conf.d/{{domain}}.conf
notify: restart nginx
- name: "docker mediawiki"
docker_compose:
project_name: mediawiki
definition:
application:
image: mediawiki
restart: always
links:
- database
volumes:
- "mediawiki-data:/var/www/html/"
ports:
- "{{http_port}}:80"
database:
image: mariadb
environment:
MYSQL_DATABASE: mediawiki
MYSQL_RANDOM_ROOT_PASSWORD: 'yes'
MYSQL_USER: mediawiki
MYSQL_PASSWORD: "{{mediawiki_mysql_user_password}}"
volumes:
- mediawiki-database:/var/lib/mysql
restart: always

View File

@ -0,0 +1,7 @@
# role mybb
## install plugins
Extract the plugins to /mnt.
Execute:
```bash
docker run --rm -v mybb-data:/target/ -v /mnt/:/origin/ "kevinveenbirkenbach/alpine-rsync" sh -c "rsync -avv /origin/inc/plugins/ /target/"
```

View File

@ -0,0 +1,5 @@
---
conf_d_path: "/etc/nginx/conf.d/"
#default_conf_path: "/etc/nginx/nginx.conf"
conf_d_docker_path: "/etc/docker/applications/mybb{{conf_d_path}}"
default_conf_docker_path: "{{conf_d_docker_path}}default.conf"

View File

@ -0,0 +1,2 @@
dependencies:
- native-nginx-docker-proxy

View File

@ -0,0 +1,47 @@
---
- name: recieve {{domain}} certificate
command: certbot certonly --agree-tos --email {{administrator_email}} --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{domain}}
- name: configure {{domain}}.conf
template: src=roles/native-nginx-docker-proxy/templates/domain.conf.j2 dest=/etc/nginx/conf.d/{{domain}}.conf
notify: restart nginx
- name: create data folder
file:
path: "{{conf_d_docker_path}}"
state: directory
- name: "create {{default_conf_docker_path}}"
template: src="default.conf" dest="{{default_conf_docker_path}}"
- name: "setup mybb"
docker_compose:
project_name: mybb
definition:
application:
image: mybb/mybb:latest
restart: always
links:
- database
volumes:
- mybb-data:/var/www/html
server:
links:
- application
image: nginx:mainline
restart: always
ports:
- "{{http_port}}:80"
volumes:
- "{{conf_d_docker_path}}:{{conf_d_path}}"
- "mybb-data:/var/www/html:ro"
database:
image: mariadb
environment:
MYSQL_DATABASE: "mybb"
MYSQL_USER: "mybb"
MYSQL_PASSWORD: "{{mybb_database_password}}"
MYSQL_RANDOM_ROOT_PASSWORD: 'yes'
volumes:
- mybb-database:/var/lib/mysql
restart: always

View File

@ -0,0 +1,32 @@
upstream mybb {
server application:9000 weight=5;
}
server {
listen 80;
root /var/www/html;
index index.html index.php;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ inc/ {
internal;
}
location ~ ^/(images|cache|jscripts|uploads)/ {
access_log off;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass mybb;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}

View File

@ -0,0 +1,22 @@
# role docker-nextcloud
## database access
To access the database execute
```bash
docker exec -it nextcloud_database_1 /bin/mysql -u nextcloud -p
```
## occ
To use occ run:
```bash
docker exec -it -u www-data nextcloud_application_1 /var/www/html/occ
```
## unlock files
```bash
docker exec -it -u www-data nextcloud_application_1 /var/www/html/occ maintenance:mode --on
docker exec -it nextcloud_database_1 mysql -u nextcloud -pPASSWORD1234132 -D nextcloud -e "delete from oc_file_locks where 1"
docker exec -it -u www-data nextcloud_application_1 /var/www/html/occ maintenance:mode --off
```

View File

@ -0,0 +1,2 @@
dependencies:
- native-nginx-docker-proxy

View File

@ -0,0 +1,38 @@
---
- name: recieve {{domain}} certificate
command: certbot certonly --agree-tos --email {{administrator_email}} --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{domain}}
- name: configure {{domain}}.conf
template: src=templates/nextcloud.conf.j2 dest=/etc/nginx/conf.d/{{domain}}.conf
notify: restart nginx
- name: "setup nextcloud"
docker_compose:
project_name: nextcloud
definition:
application:
image: nextcloud
restart: always
links:
- database
volumes:
- nextcloud-data:/var/www/html
ports:
- "{{http_port}}:80"
environment:
MYSQL_DATABASE: "nextcloud"
MYSQL_USER: "nextcloud"
MYSQL_PASSWORD: "{{nextcloud_database_password}}"
MYSQL_HOST: database:3306
database:
image: mariadb
environment:
MYSQL_DATABASE: "nextcloud"
MYSQL_USER: "nextcloud"
MYSQL_PASSWORD: "{{nextcloud_database_password}}"
MYSQL_RANDOM_ROOT_PASSWORD: 'yes'
volumes:
- nextcloud-database:/var/lib/mysql
restart: always
expose:
- "3306"

View File

@ -0,0 +1,37 @@
server
{
server_name {{domain}};
{% include 'roles/native-letsencrypt/templates/ssl_header.j2' %}
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# set max upload size
client_max_body_size 10G;
client_body_buffer_size 400M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
{% include 'roles/native-nginx-docker-proxy/templates/proxy_pass.conf.j2' %}
location ^~ /.well-known {
rewrite ^/\.well-known/host-meta\.json /public.php?service=host-meta-json last;
rewrite ^/\.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/\.well-known/webfinger /public.php?service=webfinger last;
rewrite ^/\.well-known/nodeinfo /public.php?service=nodeinfo last;
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
try_files $uri $uri/ =404;
}
}

View File

@ -0,0 +1,5 @@
# role docker-postfix
## delete all data
```bash
docker stop postfix_database_1; docker rm -f postfix_database_1; docker volume rm -f postfix-database;
```

View File

@ -0,0 +1,2 @@
dependencies:
- native-nginx-docker-proxy

View File

@ -0,0 +1,36 @@
---
- name: recieve {{domain}} certificate
command: certbot certonly --agree-tos --email {{administrator_email}} --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{domain}}
- name: configure {{domain}}.conf
template: src=roles/native-nginx-docker-proxy/templates/domain.conf.j2 dest=/etc/nginx/conf.d/{{domain}}.conf
notify: restart nginx
- name: "setup postfix"
docker_compose:
project_name: postfix
definition:
application:
image: postfixadmin:apache
environment:
POSTFIXADMIN_DB_TYPE: mysqli
POSTFIXADMIN_DB_HOST: "database"
POSTFIXADMIN_DB_USER: postfixadmin
POSTFIXADMIN_DB_NAME: postfixadmin
POSTFIXADMIN_DB_PASSWORD: "{{postfixadmin_database_password}}"
POSTFIXADMIN_SETUP_PASSWORD: "{{postfixadmin_setup_password}}"
restart: always
links:
- database
ports:
- "{{http_port}}:80"
database:
image: mariadb
environment:
MYSQL_DATABASE: "postfixadmin"
MYSQL_USER: "postfixadmin"
MYSQL_PASSWORD: "{{postfixadmin_database_password}}"
MYSQL_RANDOM_ROOT_PASSWORD: 'yes'
volumes:
- postfixadmin-database:/var/lib/mysql
restart: always

View File

@ -0,0 +1,7 @@
# Role Wireguard
This role is not fully implemented yet. Instead use the role native-wireguard.
## Preparation
Execute
``bash
ansible-galaxy collection install community.general
``

View File

@ -0,0 +1,2 @@
dependencies:
- native-nginx-docker-proxy

View File

@ -0,0 +1,41 @@
---
- name: configure {{domain}}.conf
template: src=roles/native-nginx-docker-proxy/templates/domain.conf.j2 dest=/etc/nginx/conf.d/{{domain}}.conf
notify: restart nginx
- name: recieve {{domain}} certificate
command: certbot certonly --agree-tos --email {{administrator_email}} --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{domain}}
- sysctl:
name: net.ipv4.conf.all.src_valid_mark
value: 1
sysctl_set: yes
- name: "setup wireguard"
docker_compose:
project_name: wireguard
definition:
application:
image: linuxserver/wireguard
restart: always
ports:
- "{{http_port}}:80"
cap_add:
- NET_ADMIN
- SYS_MODULE
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/London
- SERVERURL={{domain}}
- SERVERPORT=51820 #optional
- PEERS=1 #optional
- PEERDNS=auto #optional
- INTERNAL_SUBNET=10.13.13.0 #optional
- ALLOWEDIPS=192.168.1.0/24,192.168.2.0/24 #optional
volumes:
- /path/to/appdata/config:/config
- /lib/modules:/lib/modules
ports:
- 51820:51820/udp
restart: unless-stopped

View File

@ -0,0 +1,2 @@
dependencies:
- native-nginx-docker-proxy

View File

@ -0,0 +1,40 @@
---
- name: recieve {{domain}} certificate
command: certbot certonly --agree-tos --email {{administrator_email}} --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{domain}}
- name: configure {{domain}}.conf
vars:
client_max_body_size: "2M"
template: src=roles/native-nginx-docker-proxy/templates/domain.conf.j2 dest=/etc/nginx/conf.d/{{domain}}.conf
notify: restart nginx
- name: "setup wordpress"
docker_compose:
project_name: wordpress
definition:
application:
image: wordpress
restart: always
ports:
- "{{http_port}}:80"
environment:
WORDPRESS_DB_HOST: database:3306
WORDPRESS_DB_USER: "wordpress"
WORDPRESS_DB_PASSWORD: "{{wordpress_database_password}}"
WORDPRESS_DB_NAME: "wordpress"
links:
- database
volumes:
- wordpress-data:/var/www/html
database:
image: mariadb
restart: always
environment:
MYSQL_DATABASE: "wordpress"
MYSQL_USER: "wordpress"
MYSQL_PASSWORD: "{{wordpress_database_password}}"
MYSQL_RANDOM_ROOT_PASSWORD: 'yes'
volumes:
- wordpress-database:/var/lib/mysql
expose:
- "3306"

View File

@ -0,0 +1,2 @@
dependencies:
- native-nginx-docker-proxy

View File

@ -0,0 +1,39 @@
---
- name: recieve {{domain}} certificate
command: certbot certonly --agree-tos --email {{administrator_email}} --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{domain}}
- name: configure {{domain}}.conf
template: src=roles/native-nginx-docker-proxy/templates/domain.conf.j2 dest=/etc/nginx/conf.d/{{domain}}.conf
notify: restart nginx
- name: "setup yourls"
docker_compose:
project_name: yourls
definition:
application:
image: yourls
restart: always
ports:
- "{{http_port}}:80"
environment:
YOURLS_DB_HOST: "database:3306"
YOURLS_DB_USER: "yourls"
YOURLS_DB_PASS: "{{yourls_database_password}}"
YOURLS_DB_NAME: "yourls"
YOURLS_SITE: "https://{{domain}}"
YOURLS_USER: "{{yourls_user}}"
YOURLS_PASS: "{{yourls_user_password}}"
links:
- database
database:
image: mariadb
restart: always
environment:
MYSQL_DATABASE: "yourls"
MYSQL_USER: "yourls"
MYSQL_PASSWORD: "{{yourls_database_password}}"
MYSQL_RANDOM_ROOT_PASSWORD: 'yes'
volumes:
- yourls-database:/var/lib/mysql
expose:
- "3306"

View File

@ -0,0 +1,4 @@
- name: restart certbot service
service: name=certbot.service state=restarted enabled=yes
- name: restart certbot timer
service: name=certbot.timer state=restarted enabled=yes

View File

@ -0,0 +1,2 @@
dependencies:
- native-nginx

View File

@ -0,0 +1,13 @@
- name: install certbot
pacman:
name: [certbot,certbot-nginx]
state: present
notify: restart certbot service
- name: configure certbot.service.tpl
template: src=certbot.service dest=/etc/systemd/system/certbot.service
notify: restart certbot service
- name: configure certbot.timer.tpl
template: src=certbot.timer dest=/etc/systemd/system/certbot.timer
notify: restart certbot timer

View File

@ -0,0 +1,7 @@
[Unit]
Description=Let's Encrypt renewal
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet --agree-tos
ExecStartPost=/bin/systemctl reload nginx.service

View File

@ -0,0 +1,10 @@
[Unit]
Description=Twice daily renewal of Let's Encrypt's certificates
[Timer]
OnCalendar=0/12:00:00
RandomizedDelaySec=1h
Persistent=true
[Install]
WantedBy=timers.target

View File

@ -0,0 +1,4 @@
- name: restart docker-volume-backup service
service: name=docker-volume-backup.service state=restarted enabled=yes
- name: restart docker-volume-backup timer
service: name=docker-volume-backup.timer state=restarted enabled=yes

View File

@ -0,0 +1,3 @@
dependencies:
- native-docker
- native-git

View File

@ -0,0 +1,13 @@
- name: docker-volume-backup git
git:
repo: "https://github.com/kevinveenbirkenbach/docker-volume-backup.git"
dest: "/usr/local/bin/docker-volume-backup"
update: yes
- name: configure docker-volume-backup.service.tpl
template: src=docker-volume-backup.service dest=/etc/systemd/system/docker-volume-backup.service
notify: restart docker-volume-backup service
- name: configure docker-volume-backup.timer.tpl
template: src=docker-volume-backup.timer dest=/etc/systemd/system/docker-volume-backup.timer
notify: restart docker-volume-backup timer

View File

@ -0,0 +1,6 @@
[Unit]
Description=docker volume update
[Service]
Type=oneshot
ExecStart=/usr/bin/bash /usr/local/bin/docker-volume-backup/docker-volume-backup.sh

View File

@ -0,0 +1,9 @@
[Unit]
Description=backups the docker volumes
[Timer]
OnCalendar=3:00
RandomizedDelaySec=1h
[Install]
WantedBy=timers.target

View File

@ -0,0 +1,3 @@
---
- name: docker restart
service: name=docker.service state=restarted enabled=yes

View File

@ -0,0 +1,9 @@
---
- name: docker & docker compose install
pacman:
name: ['docker','docker-compose']
state: present
notify: docker restart
- name: flush docker service
meta: flush_handlers

View File

@ -0,0 +1,2 @@
- name: install git
pacman: name=git state=present

View File

@ -0,0 +1,3 @@
dependencies:
- native-https-server
- native-git

View File

@ -0,0 +1,12 @@
- name: configure {{domain}}.conf
template: src=homepage.nginx.conf dest=/etc/nginx/conf.d/{{domain}}.conf
notify: restart nginx
- name: recieve {{domain}} certificate
command: certbot certonly --agree-tos --email {{administrator_email}} --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{domain}}
- name: homepage repo git
git:
repo: "{{homepage_repository_address}}"
dest: "/usr/share/nginx/homepage"
update: yes

View File

@ -0,0 +1,23 @@
#default
server
{
server_name {{domain}};
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{domain}}/chain.pem;
location /
{
root /usr/share/nginx/homepage;
index index.html index.htm;
}
}

View File

@ -0,0 +1,3 @@
dependencies:
- native-nginx
- native-letsencrypt

View File

@ -0,0 +1,2 @@
dependencies:
- native-certbot-nginx

View File

@ -0,0 +1,6 @@
- name: create nginx letsencrypt config file
template: src=letsencrypt.conf.j2 dest=/etc/nginx/conf.d/letsencrypt.conf
notify: restart nginx
- name: flush nginx service
meta: flush_handlers

View File

@ -0,0 +1,16 @@
server
{
listen 80;
listen [::]:80;
location /
{
return 301 https://$host$request_uri;
}
#letsencrypt
location ^~ /.well-known/acme-challenge/ {
allow all;
root /var/lib/letsencrypt/;
default_type "text/plain";
try_files $uri =404;
}
}

View File

@ -0,0 +1,12 @@
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{domain}}/chain.pem;

View File

@ -0,0 +1,8 @@
---
- name: Setup locale.gen
template: src=locale.gen dest=/etc/locale.gen
- name: Setup locale.conf
template: src=locale.conf dest=/etc/locale.conf
- name: Generate locales
shell: locale-gen
become: yes

View File

@ -0,0 +1,2 @@
LANG=en_US.UTF-8
LANGUAGE=en_US.UTF-8

View File

@ -0,0 +1,498 @@
# Configuration file for locale-gen
#
# lists of locales that are to be generated by the locale-gen command.
#
# Each line is of the form:
#
# <locale> <charset>
#
# where <locale> is one of the locales given in /usr/share/i18n/locales
# and <charset> is one of the character sets listed in /usr/share/i18n/charmaps
#
# Examples:
# en_US ISO-8859-1
# en_US.UTF-8 UTF-8
# de_DE ISO-8859-1
# de_DE@euro ISO-8859-15
#
# The locale-gen command will generate all the locales,
# placing them in /usr/lib/locale.
#
# A list of supported locales is included in this file.
# Uncomment the ones you need.
#
#aa_DJ.UTF-8 UTF-8
#aa_DJ ISO-8859-1
#aa_ER UTF-8
#aa_ER@saaho UTF-8
#aa_ET UTF-8
#af_ZA.UTF-8 UTF-8
#af_ZA ISO-8859-1
#agr_PE UTF-8
#ak_GH UTF-8
#am_ET UTF-8
#an_ES.UTF-8 UTF-8
#an_ES ISO-8859-15
#anp_IN UTF-8
#ar_AE.UTF-8 UTF-8
#ar_AE ISO-8859-6
#ar_BH.UTF-8 UTF-8
#ar_BH ISO-8859-6
#ar_DZ.UTF-8 UTF-8
#ar_DZ ISO-8859-6
#ar_EG.UTF-8 UTF-8
#ar_EG ISO-8859-6
#ar_IN UTF-8
#ar_IQ.UTF-8 UTF-8
#ar_IQ ISO-8859-6
#ar_JO.UTF-8 UTF-8
#ar_JO ISO-8859-6
#ar_KW.UTF-8 UTF-8
#ar_KW ISO-8859-6
#ar_LB.UTF-8 UTF-8
#ar_LB ISO-8859-6
#ar_LY.UTF-8 UTF-8
#ar_LY ISO-8859-6
#ar_MA.UTF-8 UTF-8
#ar_MA ISO-8859-6
#ar_OM.UTF-8 UTF-8
#ar_OM ISO-8859-6
#ar_QA.UTF-8 UTF-8
#ar_QA ISO-8859-6
#ar_SA.UTF-8 UTF-8
#ar_SA ISO-8859-6
#ar_SD.UTF-8 UTF-8
#ar_SD ISO-8859-6
#ar_SS UTF-8
#ar_SY.UTF-8 UTF-8
#ar_SY ISO-8859-6
#ar_TN.UTF-8 UTF-8
#ar_TN ISO-8859-6
#ar_YE.UTF-8 UTF-8
#ar_YE ISO-8859-6
#ayc_PE UTF-8
#az_AZ UTF-8
#az_IR UTF-8
#as_IN UTF-8
#ast_ES.UTF-8 UTF-8
#ast_ES ISO-8859-15
#be_BY.UTF-8 UTF-8
#be_BY CP1251
#be_BY@latin UTF-8
#bem_ZM UTF-8
#ber_DZ UTF-8
#ber_MA UTF-8
#bg_BG.UTF-8 UTF-8
#bg_BG CP1251
#bhb_IN.UTF-8 UTF-8
#bho_IN UTF-8
#bi_VU UTF-8
#bn_BD UTF-8
#bn_IN UTF-8
#bo_CN UTF-8
#bo_IN UTF-8
#br_FR.UTF-8 UTF-8
#br_FR ISO-8859-1
#br_FR@euro ISO-8859-15
#brx_IN UTF-8
#bs_BA.UTF-8 UTF-8
#bs_BA ISO-8859-2
#byn_ER UTF-8
#ca_AD.UTF-8 UTF-8
#ca_AD ISO-8859-15
#ca_ES.UTF-8 UTF-8
#ca_ES ISO-8859-1
#ca_ES@euro ISO-8859-15
#ca_FR.UTF-8 UTF-8
#ca_FR ISO-8859-15
#ca_IT.UTF-8 UTF-8
#ca_IT ISO-8859-15
#ce_RU UTF-8
#chr_US UTF-8
#cmn_TW UTF-8
#crh_UA UTF-8
#cs_CZ.UTF-8 UTF-8
#cs_CZ ISO-8859-2
#csb_PL UTF-8
#cv_RU UTF-8
#cy_GB.UTF-8 UTF-8
#cy_GB ISO-8859-14
#da_DK.UTF-8 UTF-8
#da_DK ISO-8859-1
#de_AT.UTF-8 UTF-8
#de_AT ISO-8859-1
#de_AT@euro ISO-8859-15
#de_BE.UTF-8 UTF-8
#de_BE ISO-8859-1
#de_BE@euro ISO-8859-15
#de_CH.UTF-8 UTF-8
#de_CH ISO-8859-1
de_DE.UTF-8 UTF-8
#de_DE ISO-8859-1
#de_DE@euro ISO-8859-15
#de_IT.UTF-8 UTF-8
#de_IT ISO-8859-1
#de_LI.UTF-8 UTF-8
#de_LU.UTF-8 UTF-8
#de_LU ISO-8859-1
#de_LU@euro ISO-8859-15
#doi_IN UTF-8
#dv_MV UTF-8
#dz_BT UTF-8
#el_GR.UTF-8 UTF-8
#el_GR ISO-8859-7
#el_GR@euro ISO-8859-7
#el_CY.UTF-8 UTF-8
#el_CY ISO-8859-7
#en_AG UTF-8
#en_AU.UTF-8 UTF-8
#en_AU ISO-8859-1
#en_BW.UTF-8 UTF-8
#en_BW ISO-8859-1
#en_CA.UTF-8 UTF-8
#en_CA ISO-8859-1
#en_DK.UTF-8 UTF-8
#en_DK ISO-8859-1
#en_GB.UTF-8 UTF-8
#en_GB ISO-8859-1
#en_HK.UTF-8 UTF-8
#en_HK ISO-8859-1
#en_IE.UTF-8 UTF-8
#en_IE ISO-8859-1
#en_IE@euro ISO-8859-15
#en_IL UTF-8
#en_IN UTF-8
#en_NG UTF-8
#en_NZ.UTF-8 UTF-8
#en_NZ ISO-8859-1
#en_PH.UTF-8 UTF-8
#en_PH ISO-8859-1
#en_SG.UTF-8 UTF-8
#en_SG ISO-8859-1
en_US.UTF-8 UTF-8
#en_US ISO-8859-1
#en_ZA.UTF-8 UTF-8
#en_ZA ISO-8859-1
#en_ZM UTF-8
#en_ZW.UTF-8 UTF-8
#en_ZW ISO-8859-1
eo UTF-8
#es_AR.UTF-8 UTF-8
#es_AR ISO-8859-1
#es_BO.UTF-8 UTF-8
#es_BO ISO-8859-1
#es_CL.UTF-8 UTF-8
#es_CL ISO-8859-1
#es_CO.UTF-8 UTF-8
#es_CO ISO-8859-1
#es_CR.UTF-8 UTF-8
#es_CR ISO-8859-1
#es_CU UTF-8
#es_DO.UTF-8 UTF-8
#es_DO ISO-8859-1
#es_EC.UTF-8 UTF-8
#es_EC ISO-8859-1
#es_ES.UTF-8 UTF-8
#es_ES ISO-8859-1
#es_ES@euro ISO-8859-15
#es_GT.UTF-8 UTF-8
#es_GT ISO-8859-1
#es_HN.UTF-8 UTF-8
#es_HN ISO-8859-1
#es_MX.UTF-8 UTF-8
#es_MX ISO-8859-1
#es_NI.UTF-8 UTF-8
#es_NI ISO-8859-1
#es_PA.UTF-8 UTF-8
#es_PA ISO-8859-1
#es_PE.UTF-8 UTF-8
#es_PE ISO-8859-1
#es_PR.UTF-8 UTF-8
#es_PR ISO-8859-1
#es_PY.UTF-8 UTF-8
#es_PY ISO-8859-1
#es_SV.UTF-8 UTF-8
#es_SV ISO-8859-1
#es_US.UTF-8 UTF-8
#es_US ISO-8859-1
#es_UY.UTF-8 UTF-8
#es_UY ISO-8859-1
#es_VE.UTF-8 UTF-8
#es_VE ISO-8859-1
#et_EE.UTF-8 UTF-8
#et_EE ISO-8859-1
#et_EE.ISO-8859-15 ISO-8859-15
#eu_ES.UTF-8 UTF-8
#eu_ES ISO-8859-1
#eu_ES@euro ISO-8859-15
#fa_IR UTF-8
#ff_SN UTF-8
#fi_FI.UTF-8 UTF-8
#fi_FI ISO-8859-1
#fi_FI@euro ISO-8859-15
#fil_PH UTF-8
#fo_FO.UTF-8 UTF-8
#fo_FO ISO-8859-1
#fr_BE.UTF-8 UTF-8
#fr_BE ISO-8859-1
#fr_BE@euro ISO-8859-15
#fr_CA.UTF-8 UTF-8
#fr_CA ISO-8859-1
#fr_CH.UTF-8 UTF-8
#fr_CH ISO-8859-1
#fr_FR.UTF-8 UTF-8
#fr_FR ISO-8859-1
#fr_FR@euro ISO-8859-15
#fr_LU.UTF-8 UTF-8
#fr_LU ISO-8859-1
#fr_LU@euro ISO-8859-15
#fur_IT UTF-8
#fy_NL UTF-8
#fy_DE UTF-8
#ga_IE.UTF-8 UTF-8
#ga_IE ISO-8859-1
#ga_IE@euro ISO-8859-15
#gd_GB.UTF-8 UTF-8
#gd_GB ISO-8859-15
#gez_ER UTF-8
#gez_ER@abegede UTF-8
#gez_ET UTF-8
#gez_ET@abegede UTF-8
#gl_ES.UTF-8 UTF-8
#gl_ES ISO-8859-1
#gl_ES@euro ISO-8859-15
#gu_IN UTF-8
#gv_GB.UTF-8 UTF-8
#gv_GB ISO-8859-1
#ha_NG UTF-8
#hak_TW UTF-8
#he_IL.UTF-8 UTF-8
#he_IL ISO-8859-8
#hi_IN UTF-8
#hif_FJ UTF-8
#hne_IN UTF-8
#hr_HR.UTF-8 UTF-8
#hr_HR ISO-8859-2
#hsb_DE ISO-8859-2
#hsb_DE.UTF-8 UTF-8
#ht_HT UTF-8
#hu_HU.UTF-8 UTF-8
#hu_HU ISO-8859-2
#hy_AM UTF-8
#hy_AM.ARMSCII-8 ARMSCII-8
#ia_FR UTF-8
#id_ID.UTF-8 UTF-8
#id_ID ISO-8859-1
#ig_NG UTF-8
#ik_CA UTF-8
#is_IS.UTF-8 UTF-8
#is_IS ISO-8859-1
#it_CH.UTF-8 UTF-8
#it_CH ISO-8859-1
#it_IT.UTF-8 UTF-8
#it_IT ISO-8859-1
#it_IT@euro ISO-8859-15
#iu_CA UTF-8
#ja_JP.EUC-JP EUC-JP
#ja_JP.UTF-8 UTF-8
#ka_GE.UTF-8 UTF-8
#ka_GE GEORGIAN-PS
#kk_KZ.UTF-8 UTF-8
#kk_KZ PT154
#kl_GL.UTF-8 UTF-8
#kl_GL ISO-8859-1
#km_KH UTF-8
#kn_IN UTF-8
#ko_KR.EUC-KR EUC-KR
#ko_KR.UTF-8 UTF-8
#kok_IN UTF-8
#ks_IN UTF-8
#ks_IN@devanagari UTF-8
#ku_TR.UTF-8 UTF-8
#ku_TR ISO-8859-9
#kw_GB.UTF-8 UTF-8
#kw_GB ISO-8859-1
#ky_KG UTF-8
#lb_LU UTF-8
#lg_UG.UTF-8 UTF-8
#lg_UG ISO-8859-10
#li_BE UTF-8
#li_NL UTF-8
#lij_IT UTF-8
#ln_CD UTF-8
#lo_LA UTF-8
#lt_LT.UTF-8 UTF-8
#lt_LT ISO-8859-13
#lv_LV.UTF-8 UTF-8
#lv_LV ISO-8859-13
#lzh_TW UTF-8
#mag_IN UTF-8
#mai_IN UTF-8
#mai_NP UTF-8
#mg_MG.UTF-8 UTF-8
#mg_MG ISO-8859-15
#mhr_RU UTF-8
#mi_NZ.UTF-8 UTF-8
#mi_NZ ISO-8859-13
#mk_MK.UTF-8 UTF-8
#mk_MK ISO-8859-5
#ml_IN UTF-8
#mn_MN UTF-8
#mni_IN UTF-8
#mr_IN UTF-8
#ms_MY.UTF-8 UTF-8
#ms_MY ISO-8859-1
#mt_MT.UTF-8 UTF-8
#mt_MT ISO-8859-3
#my_MM UTF-8
#nan_TW UTF-8
#nan_TW@latin UTF-8
#nb_NO.UTF-8 UTF-8
#nb_NO ISO-8859-1
#nds_DE UTF-8
#nds_NL UTF-8
#ne_NP UTF-8
#nhn_MX UTF-8
#niu_NU UTF-8
#niu_NZ UTF-8
#nl_AW UTF-8
#nl_BE.UTF-8 UTF-8
#nl_BE ISO-8859-1
#nl_BE@euro ISO-8859-15
#nl_NL.UTF-8 UTF-8
#nl_NL ISO-8859-1
#nl_NL@euro ISO-8859-15
#nn_NO.UTF-8 UTF-8
#nn_NO ISO-8859-1
#nr_ZA UTF-8
#nso_ZA UTF-8
#oc_FR.UTF-8 UTF-8
#oc_FR ISO-8859-1
#om_ET UTF-8
#om_KE.UTF-8 UTF-8
#om_KE ISO-8859-1
#or_IN UTF-8
#os_RU UTF-8
#pa_IN UTF-8
#pa_PK UTF-8
#pap_AW UTF-8
#pap_CW UTF-8
#pl_PL.UTF-8 UTF-8
#pl_PL ISO-8859-2
#ps_AF UTF-8
#pt_BR.UTF-8 UTF-8
#pt_BR ISO-8859-1
#pt_PT.UTF-8 UTF-8
#pt_PT ISO-8859-1
#pt_PT@euro ISO-8859-15
#quz_PE UTF-8
#raj_IN UTF-8
#ro_RO.UTF-8 UTF-8
#ro_RO ISO-8859-2
#ru_RU.KOI8-R KOI8-R
#ru_RU.UTF-8 UTF-8
#ru_RU ISO-8859-5
#ru_UA.UTF-8 UTF-8
#ru_UA KOI8-U
#rw_RW UTF-8
#sa_IN UTF-8
#sat_IN UTF-8
#sc_IT UTF-8
#sd_IN UTF-8
#sd_IN@devanagari UTF-8
#se_NO UTF-8
#sgs_LT UTF-8
#shs_CA UTF-8
#si_LK UTF-8
#sid_ET UTF-8
#sk_SK.UTF-8 UTF-8
#sk_SK ISO-8859-2
#sl_SI.UTF-8 UTF-8
#sl_SI ISO-8859-2
#sm_WS UTF-8
#so_DJ.UTF-8 UTF-8
#so_DJ ISO-8859-1
#so_ET UTF-8
#so_KE.UTF-8 UTF-8
#so_KE ISO-8859-1
#so_SO.UTF-8 UTF-8
#so_SO ISO-8859-1
#sq_AL.UTF-8 UTF-8
#sq_AL ISO-8859-1
#sq_MK UTF-8
#sr_ME UTF-8
#sr_RS UTF-8
#sr_RS@latin UTF-8
#ss_ZA UTF-8
#st_ZA.UTF-8 UTF-8
#st_ZA ISO-8859-1
#sv_FI.UTF-8 UTF-8
#sv_FI ISO-8859-1
#sv_FI@euro ISO-8859-15
#sv_SE.UTF-8 UTF-8
#sv_SE ISO-8859-1
#sw_KE UTF-8
#sw_TZ UTF-8
#szl_PL UTF-8
#ta_IN UTF-8
#ta_LK UTF-8
#tcy_IN.UTF-8 UTF-8
#te_IN UTF-8
#tg_TJ.UTF-8 UTF-8
#tg_TJ KOI8-T
#th_TH.UTF-8 UTF-8
#th_TH TIS-620
#the_NP UTF-8
#ti_ER UTF-8
#ti_ET UTF-8
#tig_ER UTF-8
#tk_TM UTF-8
#tl_PH.UTF-8 UTF-8
#tl_PH ISO-8859-1
#tn_ZA UTF-8
#to_TO UTF-8
#tpi_PG UTF-8
#tr_CY.UTF-8 UTF-8
#tr_CY ISO-8859-9
#tr_TR.UTF-8 UTF-8
#tr_TR ISO-8859-9
#ts_ZA UTF-8
#tt_RU UTF-8
#tt_RU@iqtelif UTF-8
#ug_CN UTF-8
#uk_UA.UTF-8 UTF-8
#uk_UA KOI8-U
#unm_US UTF-8
#ur_IN UTF-8
#ur_PK UTF-8
#uz_UZ.UTF-8 UTF-8
#uz_UZ ISO-8859-1
#uz_UZ@cyrillic UTF-8
#ve_ZA UTF-8
#vi_VN UTF-8
#wa_BE ISO-8859-1
#wa_BE@euro ISO-8859-15
#wa_BE.UTF-8 UTF-8
#wae_CH UTF-8
#wal_ET UTF-8
#wo_SN UTF-8
#xh_ZA.UTF-8 UTF-8
#xh_ZA ISO-8859-1
#yi_US.UTF-8 UTF-8
#yi_US CP1255
#yo_NG UTF-8
#yue_HK UTF-8
#zh_CN.GB18030 GB18030
#zh_CN.GBK GBK
#zh_CN.UTF-8 UTF-8
#zh_CN GB2312
#zh_HK.UTF-8 UTF-8
#zh_HK BIG5-HKSCS
#zh_SG.UTF-8 UTF-8
#zh_SG.GBK GBK
#zh_SG GB2312
#zh_TW.EUC-TW EUC-TW
#zh_TW.UTF-8 UTF-8
#zh_TW BIG5
#zu_ZA.UTF-8 UTF-8
#zu_ZA ISO-8859-1

View File

@ -0,0 +1,3 @@
---
- name: mariadb restart
service: name=mariadb state=restarted enabled=yes

View File

@ -0,0 +1,8 @@
---
- name: install MariaDB
pacman: name=mariadb state=present
notify: mariadb restart
- name: executing installation script
command: mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
notify: mariadb restart

View File

@ -0,0 +1,3 @@
dependencies:
- native-docker
- native-https-server

View File

@ -0,0 +1,13 @@
server
{
server_name {{domain}};
{% if client_max_body_size is defined %}
client_max_body_size {{ client_max_body_size }};
{% endif %}
{% include 'roles/native-letsencrypt/templates/ssl_header.j2' %}
{% include 'proxy_pass.conf.j2' %}
}

View File

@ -0,0 +1,11 @@
location /
{
proxy_pass http://127.0.0.1:{{http_port}}/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
}

View File

@ -0,0 +1,3 @@
---
- name: restart nginx
service: name=nginx state=restarted enabled=yes

View File

@ -0,0 +1,17 @@
---
- name: install nginx
pacman: name=nginx state=present
notify: restart nginx
- name: set /etc/nginx/conf.d
file:
path: /etc/nginx/conf.d
state: directory
mode: 0755
- name: create nginx config file
template: src=nginx.conf dest=/etc/nginx/nginx.conf
notify: restart nginx
- name: flush nginx service
meta: flush_handlers

View File

@ -0,0 +1,21 @@
worker_processes auto;
events
{
worker_connections 1024;
}
http
{
include mime.types;
default_type text/html;
#access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log debug;
sendfile on;
keepalive_timeout 65;
gzip on;
types_hash_max_size 4096;
include conf.d/*.conf;
}

View File

@ -0,0 +1,4 @@
- name: update pacman
pacman:
update_cache: yes
upgrade: yes

View File

@ -0,0 +1,2 @@
dependencies:
- native-user-administrator

View File

@ -0,0 +1,4 @@
- name: install postfix
pacman:
name: postfix
state: present

View File

@ -0,0 +1,264 @@
#
# Sample aliases file. Install in the location as specified by the
# output from the command "postconf alias_maps". Typical path names
# are /etc/aliases or /etc/mail/aliases.
#
# >>>>>>>>>> The program "newaliases" must be run after
# >> NOTE >> this file is updated for any changes to
# >>>>>>>>>> show through to Postfix.
#
# Person who should get root's mail. Don't receive mail as root!
root: administrator
# Basic system aliases -- these MUST be present
MAILER-DAEMON: postmaster
postmaster: root
# General redirections for pseudo accounts
bin: root
daemon: root
named: root
nobody: root
uucp: root
www: root
ftp-bugs: root
postfix: root
# Put your local aliases here.
# Well-known aliases
manager: root
dumper: root
operator: root
abuse: postmaster
# trap decode to catch security attacks
decode: root
# ALIASES(5) ALIASES(5)
#
# NAME
# aliases - Postfix local alias database format
#
# SYNOPSIS
# newaliases
#
# DESCRIPTION
# The aliases(5) table provides a system-wide mechanism to
# redirect mail for local recipients. The redirections are
# processed by the Postfix local(8) delivery agent.
#
# Normally, the aliases(5) table is specified as a text file
# that serves as input to the postalias(1) command. The
# result, an indexed file in dbm or db format, is used for
# fast lookup by the mail system. Execute the command
# newaliases in order to rebuild the indexed file after
# changing the Postfix alias database.
#
# When the table is provided via other means such as NIS,
# LDAP or SQL, the same lookups are done as for ordinary
# indexed files.
#
# Alternatively, the table can be provided as a regu-
# lar-expression map where patterns are given as regular
# expressions. In this case, the lookups are done in a
# slightly different way as described below under "REGULAR
# EXPRESSION TABLES".
#
# Users can control delivery of their own mail by setting up
# .forward files in their home directory. Lines in per-user
# .forward files have the same syntax as the right-hand side
# of aliases(5) entries.
#
# The format of the alias database input file is as follows:
#
# o An alias definition has the form
#
# name: value1, value2, ...
#
# o Empty lines and whitespace-only lines are ignored,
# as are lines whose first non-whitespace character
# is a `#'.
#
# o A logical line starts with non-whitespace text. A
# line that starts with whitespace continues a logi-
# cal line.
#
# The name is a local address (no domain part). Use double
# quotes when the name contains any special characters such
# as whitespace, `#', `:', or `@'. The name is folded to
# lowercase, in order to make database lookups case insensi-
# tive.
#
# In addition, when an alias exists for owner-name, this
# will override the envelope sender address, so that deliv-
# ery diagnostics are directed to owner-name, instead of the
# originator of the message (for details, see
# owner_request_special, expand_owner_alias and
# reset_owner_alias). This is typically used to direct
# delivery errors to the maintainer of a mailing list, who
# is in a better position to deal with mailing list delivery
# problems than the originator of the undelivered mail.
#
# The value contains one or more of the following:
#
# address
# Mail is forwarded to address, which is compatible
# with the RFC 822 standard.
#
# /file/name
# Mail is appended to /file/name. See local(8) for
# details of delivery to file. Delivery is not lim-
# ited to regular files. For example, to dispose of
# unwanted mail, deflect it to /dev/null.
#
# |command
# Mail is piped into command. Commands that contain
# special characters, such as whitespace, should be
# enclosed between double quotes. See local(8) for
# details of delivery to command.
#
# When the command fails, a limited amount of command
# output is mailed back to the sender. The file
# /usr/include/sysexits.h defines the expected exit
# status codes. For example, use "|exit 67" to simu-
# late a "user unknown" error, and "|exit 0" to
# implement an expensive black hole.
#
# :include:/file/name
# Mail is sent to the destinations listed in the
# named file. Lines in :include: files have the same
# syntax as the right-hand side of alias entries.
#
# A destination can be any destination that is
# described in this manual page. However, delivery to
# "|command" and /file/name is disallowed by default.
# To enable, edit the allow_mail_to_commands and
# allow_mail_to_files configuration parameters.
#
# ADDRESS EXTENSION
# When alias database search fails, and the recipient local-
# part contains the optional recipient delimiter (e.g.,
# user+foo), the search is repeated for the unextended
# address (e.g., user).
#
# The propagate_unmatched_extensions parameter controls
# whether an unmatched address extension (+foo) is propa-
# gated to the result of table lookup.
#
# CASE FOLDING
# The local(8) delivery agent always folds the search string
# to lowercase before database lookup.
#
# REGULAR EXPRESSION TABLES
# This section describes how the table lookups change when
# the table is given in the form of regular expressions. For
# a description of regular expression lookup table syntax,
# see regexp_table(5) or pcre_table(5). NOTE: these formats
# do not use ":" at the end of a pattern.
#
# Each regular expression is applied to the entire search
# string. Thus, a search string user+foo is not broken up
# into user and foo.
#
# Regular expressions are applied in the order as specified
# in the table, until a regular expression is found that
# matches the search string.
#
# Lookup results are the same as with indexed file lookups.
# For security reasons there is no support for $1, $2 etc.
# substring interpolation.
#
# SECURITY
# The local(8) delivery agent disallows regular expression
# substitution of $1 etc. in alias_maps, because that would
# open a security hole.
#
# The local(8) delivery agent will silently ignore requests
# to use the proxymap(8) server within alias_maps. Instead
# it will open the table directly. Before Postfix version
# 2.2, the local(8) delivery agent will terminate with a
# fatal error.
#
# CONFIGURATION PARAMETERS
# The following main.cf parameters are especially relevant.
# The text below provides only a parameter summary. See
# postconf(5) for more details including examples.
#
# alias_database (see 'postconf -d' output)
# The alias databases for local(8) delivery that are
# updated with "newaliases" or with "sendmail -bi".
#
# alias_maps (see 'postconf -d' output)
# The alias databases that are used for local(8)
# delivery.
#
# allow_mail_to_commands (alias, forward)
# Restrict local(8) mail delivery to external com-
# mands.
#
# allow_mail_to_files (alias, forward)
# Restrict local(8) mail delivery to external files.
#
# expand_owner_alias (no)
# When delivering to an alias "aliasname" that has an
# "owner-aliasname" companion alias, set the envelope
# sender address to the expansion of the
# "owner-aliasname" alias.
#
# propagate_unmatched_extensions (canonical, virtual)
# What address lookup tables copy an address exten-
# sion from the lookup key to the lookup result.
#
# owner_request_special (yes)
# Enable special treatment for owner-listname entries
# in the aliases(5) file, and don't split owner-list-
# name and listname-request address localparts when
# the recipient_delimiter is set to "-".
#
# recipient_delimiter (empty)
# The set of characters that can separate a user name
# from its extension (example: user+foo), or a .for-
# ward file name from its extension (example: .for-
# ward+foo).
#
# Available in Postfix version 2.3 and later:
#
# frozen_delivered_to (yes)
# Update the local(8) delivery agent's idea of the
# Delivered-To: address (see prepend_deliv-
# ered_header) only once, at the start of a delivery
# attempt; do not update the Delivered-To: address
# while expanding aliases or .forward files.
#
# STANDARDS
# RFC 822 (ARPA Internet Text Messages)
#
# SEE ALSO
# local(8), local delivery agent
# newaliases(1), create/update alias database
# postalias(1), create/update alias database
# postconf(5), configuration parameters
#
# README FILES
# Use "postconf readme_directory" or "postconf html_direc-
# tory" to locate this information.
# DATABASE_README, Postfix lookup table overview
#
# LICENSE
# The Secure Mailer license must be distributed with this
# software.
#
# AUTHOR(S)
# Wietse Venema
# IBM T.J. Watson Research
# P.O. Box 704
# Yorktown Heights, NY 10598, USA
#
# Wietse Venema
# Google, Inc.
# 111 8th Avenue
# New York, NY 10011, USA
#
# ALIASES(5)

View File

@ -0,0 +1,680 @@
# Global Postfix configuration file. This file lists only a subset
# of all parameters. For the syntax, and for a complete parameter
# list, see the postconf(5) manual page (command: "man 5 postconf").
#
# For common configuration examples, see BASIC_CONFIGURATION_README
# and STANDARD_CONFIGURATION_README. To find these documents, use
# the command "postconf html_directory readme_directory", or go to
# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc.
#
# For best results, change no more than 2-3 parameters at a time,
# and test if Postfix still works after every change.
# COMPATIBILITY
#
# The compatibility_level determines what default settings Postfix
# will use for main.cf and master.cf settings. These defaults will
# change over time.
#
# To avoid breaking things, Postfix will use backwards-compatible
# default settings and log where it uses those old backwards-compatible
# default settings, until the system administrator has determined
# if any backwards-compatible default settings need to be made
# permanent in main.cf or master.cf.
#
# When this review is complete, update the compatibility_level setting
# below as recommended in the RELEASE_NOTES file.
#
# The level below is what should be used with new (not upgrade) installs.
#
compatibility_level = 2
# SOFT BOUNCE
#
# The soft_bounce parameter provides a limited safety net for
# testing. When soft_bounce is enabled, mail will remain queued that
# would otherwise bounce. This parameter disables locally-generated
# bounces, and prevents the SMTP server from rejecting mail permanently
# (by changing 5xx replies into 4xx replies). However, soft_bounce
# is no cure for address rewriting mistakes or mail routing mistakes.
#
#soft_bounce = no
# LOCAL PATHNAME INFORMATION
#
# The queue_directory specifies the location of the Postfix queue.
# This is also the root directory of Postfix daemons that run chrooted.
# See the files in examples/chroot-setup for setting up Postfix chroot
# environments on different UNIX systems.
#
queue_directory = /var/spool/postfix
# The command_directory parameter specifies the location of all
# postXXX commands.
#
command_directory = /usr/bin
# The daemon_directory parameter specifies the location of all Postfix
# daemon programs (i.e. programs listed in the master.cf file). This
# directory must be owned by root.
#
daemon_directory = /usr/lib/postfix/bin
# The data_directory parameter specifies the location of Postfix-writable
# data files (caches, random numbers). This directory must be owned
# by the mail_owner account (see below).
#
data_directory = /var/lib/postfix
# QUEUE AND PROCESS OWNERSHIP
#
# The mail_owner parameter specifies the owner of the Postfix queue
# and of most Postfix daemon processes. Specify the name of a user
# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In
# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
# USER.
#
mail_owner = postfix
# The default_privs parameter specifies the default rights used by
# the local delivery agent for delivery to external file or command.
# These rights are used in the absence of a recipient user context.
# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
#
#default_privs = nobody
# INTERNET HOST AND DOMAIN NAMES
#
# The myhostname parameter specifies the internet hostname of this
# mail system. The default is to use the fully-qualified domain name
# from gethostname(). $myhostname is used as a default value for many
# other configuration parameters.
#
#myhostname = host.domain.tld
#myhostname = virtual.domain.tld
# The mydomain parameter specifies the local internet domain name.
# The default is to use $myhostname minus the first component.
# $mydomain is used as a default value for many other configuration
# parameters.
#
#mydomain = domain.tld
# SENDING MAIL
#
# The myorigin parameter specifies the domain that locally-posted
# mail appears to come from. The default is to append $myhostname,
# which is fine for small sites. If you run a domain with multiple
# machines, you should (1) change this to $mydomain and (2) set up
# a domain-wide alias database that aliases each user to
# user@that.users.mailhost.
#
# For the sake of consistency between sender and recipient addresses,
# myorigin also specifies the default domain name that is appended
# to recipient addresses that have no @domain part.
#
#myorigin = $myhostname
#myorigin = $mydomain
# RECEIVING MAIL
# The inet_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on. By default,
# the software claims all active interfaces on the machine. The
# parameter also controls delivery of mail to user@[ip.address].
#
# See also the proxy_interfaces parameter, for network addresses that
# are forwarded to us via a proxy or network address translator.
#
# Note: you need to stop/start Postfix when this parameter changes.
#
#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
# The proxy_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on by way of a
# proxy or network address translation unit. This setting extends
# the address list specified with the inet_interfaces parameter.
#
# You must specify your proxy/NAT addresses when your system is a
# backup MX host for other domains, otherwise mail delivery loops
# will happen when the primary MX host is down.
#
#proxy_interfaces =
#proxy_interfaces = 1.2.3.4
# The mydestination parameter specifies the list of domains that this
# machine considers itself the final destination for.
#
# These domains are routed to the delivery agent specified with the
# local_transport parameter setting. By default, that is the UNIX
# compatible delivery agent that lookups all recipients in /etc/passwd
# and /etc/aliases or their equivalent.
#
# The default is $myhostname + localhost.$mydomain + localhost. On
# a mail domain gateway, you should also include $mydomain.
#
# Do not specify the names of virtual domains - those domains are
# specified elsewhere (see VIRTUAL_README).
#
# Do not specify the names of domains that this machine is backup MX
# host for. Specify those names via the relay_domains settings for
# the SMTP server, or use permit_mx_backup if you are lazy (see
# STANDARD_CONFIGURATION_README).
#
# The local machine is always the final destination for mail addressed
# to user@[the.net.work.address] of an interface that the mail system
# receives mail on (see the inet_interfaces parameter).
#
# Specify a list of host or domain names, /file/name or type:table
# patterns, separated by commas and/or whitespace. A /file/name
# pattern is replaced by its contents; a type:table is matched when
# a name matches a lookup key (the right-hand side is ignored).
# Continue long lines by starting the next line with whitespace.
#
# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
#
#mydestination = $myhostname, localhost.$mydomain, localhost
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
# mail.$mydomain, www.$mydomain, ftp.$mydomain
# REJECTING MAIL FOR UNKNOWN LOCAL USERS
#
# The local_recipient_maps parameter specifies optional lookup tables
# with all names or addresses of users that are local with respect
# to $mydestination, $inet_interfaces or $proxy_interfaces.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown local users. This parameter is defined by default.
#
# To turn off local recipient checking in the SMTP server, specify
# local_recipient_maps = (i.e. empty).
#
# The default setting assumes that you use the default Postfix local
# delivery agent for local delivery. You need to update the
# local_recipient_maps setting if:
#
# - You define $mydestination domain recipients in files other than
# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
# For example, you define $mydestination domain recipients in
# the $virtual_mailbox_maps files.
#
# - You redefine the local delivery agent in master.cf.
#
# - You redefine the "local_transport" setting in main.cf.
#
# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"
# feature of the Postfix local delivery agent (see local(8)).
#
# Details are described in the LOCAL_RECIPIENT_README file.
#
# Beware: if the Postfix SMTP server runs chrooted, you probably have
# to access the passwd file via the proxymap service, in order to
# overcome chroot restrictions. The alternative, having a copy of
# the system passwd file in the chroot jail is just not practical.
#
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify a bare username, an @domain.tld
# wild-card, or specify a user@domain.tld address.
#
#local_recipient_maps = unix:passwd.byname $alias_maps
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
#local_recipient_maps =
# The unknown_local_recipient_reject_code specifies the SMTP server
# response code when a recipient domain matches $mydestination or
# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty
# and the recipient address or address local-part is not found.
#
# The default setting is 550 (reject mail) but it is safer to start
# with 450 (try again later) until you are certain that your
# local_recipient_maps settings are OK.
#
unknown_local_recipient_reject_code = 550
# TRUST AND RELAY CONTROL
# The mynetworks parameter specifies the list of "trusted" SMTP
# clients that have more privileges than "strangers".
#
# In particular, "trusted" SMTP clients are allowed to relay mail
# through Postfix. See the smtpd_recipient_restrictions parameter
# in postconf(5).
#
# You can specify the list of "trusted" network addresses by hand
# or you can let Postfix do it for you (which is the default).
#
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# clients in the same IP subnetworks as the local machine.
# On Linux, this works correctly only with interfaces specified
# with the "ifconfig" command.
#
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
# clients in the same IP class A/B/C networks as the local machine.
# Don't do this with a dialup site - it would cause Postfix to "trust"
# your entire provider's network. Instead, specify an explicit
# mynetworks list by hand, as described below.
#
# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
#
#mynetworks_style = class
#mynetworks_style = subnet
#mynetworks_style = host
# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
#
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
#
# You can also specify the absolute pathname of a pattern file instead
# of listing the patterns here. Specify type:table for table-based lookups
# (the value on the table right-hand side is not used).
#
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
# The relay_domains parameter restricts what destinations this system will
# relay mail to. See the smtpd_recipient_restrictions description in
# postconf(5) for detailed information.
#
# By default, Postfix relays mail
# - from "trusted" clients (IP address matches $mynetworks) to any destination,
# - from "untrusted" clients to destinations that match $relay_domains or
# subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
#
# In addition to the above, the Postfix SMTP server by default accepts mail
# that Postfix is final destination for:
# - destinations that match $inet_interfaces or $proxy_interfaces,
# - destinations that match $mydestination
# - destinations that match $virtual_alias_domains,
# - destinations that match $virtual_mailbox_domains.
# These destinations do not need to be listed in $relay_domains.
#
# Specify a list of hosts or domains, /file/name patterns or type:name
# lookup tables, separated by commas and/or whitespace. Continue
# long lines by starting the next line with whitespace. A file name
# is replaced by its contents; a type:name table is matched when a
# (parent) domain appears as lookup key.
#
# NOTE: Postfix will not automatically forward mail for domains that
# list this system as their primary or backup MX host. See the
# permit_mx_backup restriction description in postconf(5).
#
#relay_domains = $mydestination
# INTERNET OR INTRANET
# The relayhost parameter specifies the default host to send mail to
# when no entry is matched in the optional transport(5) table. When
# no relayhost is given, mail is routed directly to the destination.
#
# On an intranet, specify the organizational domain name. If your
# internal DNS uses no MX records, specify the name of the intranet
# gateway host instead.
#
# In the case of SMTP, specify a domain, host, host:port, [host]:port,
# [address] or [address]:port; the form [host] turns off MX lookups.
#
# If you're connected via UUCP, see also the default_transport parameter.
#
#relayhost = $mydomain
#relayhost = [gateway.my.domain]
#relayhost = [mailserver.isp.tld]
#relayhost = uucphost
#relayhost = [an.ip.add.ress]
# REJECTING UNKNOWN RELAY USERS
#
# The relay_recipient_maps parameter specifies optional lookup tables
# with all addresses in the domains that match $relay_domains.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown relay users. This feature is off by default.
#
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify an @domain.tld wild-card, or specify
# a user@domain.tld address.
#
#relay_recipient_maps = hash:/etc/postfix/relay_recipients
# INPUT RATE CONTROL
#
# The in_flow_delay configuration parameter implements mail input
# flow control. This feature is turned on by default, although it
# still needs further development (it's disabled on SCO UNIX due
# to an SCO bug).
#
# A Postfix process will pause for $in_flow_delay seconds before
# accepting a new message, when the message arrival rate exceeds the
# message delivery rate. With the default 100 SMTP server process
# limit, this limits the mail inflow to 100 messages a second more
# than the number of messages delivered per second.
#
# Specify 0 to disable the feature. Valid delays are 0..10.
#
#in_flow_delay = 1s
# ADDRESS REWRITING
#
# The ADDRESS_REWRITING_README document gives information about
# address masquerading or other forms of address rewriting including
# username->Firstname.Lastname mapping.
# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
#
# The VIRTUAL_README document gives information about the many forms
# of domain hosting that Postfix supports.
# "USER HAS MOVED" BOUNCE MESSAGES
#
# See the discussion in the ADDRESS_REWRITING_README document.
# TRANSPORT MAP
#
# See the discussion in the ADDRESS_REWRITING_README document.
# ALIAS DATABASE
#
# The alias_maps parameter specifies the list of alias databases used
# by the local delivery agent. The default list is system dependent.
#
# On systems with NIS, the default is to search the local alias
# database, then the NIS alias database. See aliases(5) for syntax
# details.
#
# If you change the alias database, run "postalias /etc/aliases" (or
# wherever your system stores the mail alias file), or simply run
# "newaliases" to build the necessary DBM or DB file.
#
# It will take a minute or so before changes become visible. Use
# "postfix reload" to eliminate the delay.
#
#alias_maps = dbm:/etc/aliases
#alias_maps = hash:/etc/aliases
#alias_maps = hash:/etc/aliases, nis:mail.aliases
#alias_maps = netinfo:/aliases
alias_maps = hash:/etc/postfix/aliases
# The alias_database parameter specifies the alias database(s) that
# are built with "newaliases" or "sendmail -bi". This is a separate
# configuration parameter, because alias_maps (see above) may specify
# tables that are not necessarily all under control by Postfix.
#
#alias_database = dbm:/etc/aliases
#alias_database = dbm:/etc/mail/aliases
#alias_database = hash:/etc/aliases
#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
alias_database = $alias_maps
# ADDRESS EXTENSIONS (e.g., user+foo)
#
# The recipient_delimiter parameter specifies the separator between
# user names and address extensions (user+foo). See canonical(5),
# local(8), relocated(5) and virtual(5) for the effects this has on
# aliases, canonical, virtual, relocated and .forward file lookups.
# Basically, the software tries user+foo and .forward+foo before
# trying user and .forward.
#
#recipient_delimiter = +
# DELIVERY TO MAILBOX
#
# The home_mailbox parameter specifies the optional pathname of a
# mailbox file relative to a user's home directory. The default
# mailbox file is /var/spool/mail/user or /var/mail/user. Specify
# "Maildir/" for qmail-style delivery (the / is required).
#
#home_mailbox = Mailbox
#home_mailbox = Maildir/
# The mail_spool_directory parameter specifies the directory where
# UNIX-style mailboxes are kept. The default setting depends on the
# system type.
#
#mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail
# The mailbox_command parameter specifies the optional external
# command to use instead of mailbox delivery. The command is run as
# the recipient with proper HOME, SHELL and LOGNAME environment settings.
# Exception: delivery for root is done as $default_user.
#
# Other environment variables of interest: USER (recipient username),
# EXTENSION (address extension), DOMAIN (domain part of address),
# and LOCAL (the address localpart).
#
# Unlike other Postfix configuration parameters, the mailbox_command
# parameter is not subjected to $parameter substitutions. This is to
# make it easier to specify shell syntax (see example below).
#
# Avoid shell meta characters because they will force Postfix to run
# an expensive shell process. Procmail alone is expensive enough.
#
# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
#
#mailbox_command = /some/where/procmail
#mailbox_command = /some/where/procmail -a "$EXTENSION"
# The mailbox_transport specifies the optional transport in master.cf
# to use after processing aliases and .forward files. This parameter
# has precedence over the mailbox_command, fallback_transport and
# luser_relay parameters.
#
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf. The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd"
# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf.
#mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
#
# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and
# subsequent line in master.cf.
#mailbox_transport = cyrus
# The fallback_transport specifies the optional transport in master.cf
# to use for recipients that are not found in the UNIX passwd database.
# This parameter has precedence over the luser_relay parameter.
#
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf. The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
#fallback_transport = lmtp:unix:/file/name
#fallback_transport = cyrus
#fallback_transport =
# The luser_relay parameter specifies an optional destination address
# for unknown recipients. By default, mail for unknown@$mydestination,
# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
# as undeliverable.
#
# The following expansions are done on luser_relay: $user (recipient
# username), $shell (recipient shell), $home (recipient home directory),
# $recipient (full recipient address), $extension (recipient address
# extension), $domain (recipient domain), $local (entire recipient
# localpart), $recipient_delimiter. Specify ${name?value} or
# ${name:value} to expand value only when $name does (does not) exist.
#
# luser_relay works only for the default Postfix local delivery agent.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must specify "local_recipient_maps =" (i.e. empty) in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
#luser_relay = $user@other.host
#luser_relay = $local@other.host
#luser_relay = admin+$local
# JUNK MAIL CONTROLS
#
# The controls listed here are only a very small subset. The file
# SMTPD_ACCESS_README provides an overview.
# The header_checks parameter specifies an optional table with patterns
# that each logical message header is matched against, including
# headers that span multiple physical lines.
#
# By default, these patterns also apply to MIME headers and to the
# headers of attached messages. With older Postfix versions, MIME and
# attached message headers were treated as body text.
#
# For details, see "man header_checks".
#
#header_checks = regexp:/etc/postfix/header_checks
# FAST ETRN SERVICE
#
# Postfix maintains per-destination logfiles with information about
# deferred mail, so that mail can be flushed quickly with the SMTP
# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
# See the ETRN_README document for a detailed description.
#
# The fast_flush_domains parameter controls what destinations are
# eligible for this service. By default, they are all domains that
# this server is willing to relay mail to.
#
#fast_flush_domains = $relay_domains
# SHOW SOFTWARE VERSION OR NOT
#
# The smtpd_banner parameter specifies the text that follows the 220
# code in the SMTP server's greeting banner. Some people like to see
# the mail version advertised. By default, Postfix shows no version.
#
# You MUST specify $myhostname at the start of the text. That is an
# RFC requirement. Postfix itself does not care.
#
#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
# PARALLEL DELIVERY TO THE SAME DESTINATION
#
# How many parallel deliveries to the same user or domain? With local
# delivery, it does not make sense to do massively parallel delivery
# to the same user, because mailbox updates must happen sequentially,
# and expensive pipelines in .forward files can cause disasters when
# too many are run at the same time. With SMTP deliveries, 10
# simultaneous connections to the same domain could be sufficient to
# raise eyebrows.
#
# Each message delivery transport has its XXX_destination_concurrency_limit
# parameter. The default is $default_destination_concurrency_limit for
# most delivery transports. For the local delivery agent the default is 2.
#local_destination_concurrency_limit = 2
#default_destination_concurrency_limit = 20
# DEBUGGING CONTROL
#
# The debug_peer_level parameter specifies the increment in verbose
# logging level when an SMTP client or server host name or address
# matches a pattern in the debug_peer_list parameter.
#
debug_peer_level = 2
# The debug_peer_list parameter specifies an optional list of domain
# or network patterns, /file/name patterns or type:name tables. When
# an SMTP client or server host name or address matches a pattern,
# increase the verbose logging level by the amount specified in the
# debug_peer_level parameter.
#
#debug_peer_list = 127.0.0.1
#debug_peer_list = some.domain
# The debugger_command specifies the external command that is executed
# when a Postfix daemon program is run with the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
#
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
# If you can't use X, use this to capture the call stack when a
# daemon crashes. The result is in a file in the configuration
# directory, and is named after the process name and the process ID.
#
# debugger_command =
# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
# >$config_directory/$process_name.$process_id.log & sleep 5
#
# Another possibility is to run gdb under a detached screen session.
# To attach to the screen session, su root and run "screen -r
# <id_string>" where <id_string> uniquely matches one of the detached
# sessions (from "screen -list").
#
# debugger_command =
# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
# -dmS $process_name gdb $daemon_directory/$process_name
# $process_id & sleep 1
# INSTALL-TIME CONFIGURATION INFORMATION
#
# The following parameters are used when installing a new Postfix version.
#
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
#
sendmail_path = /usr/bin/sendmail
# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
#
newaliases_path = /usr/bin/newaliases
# mailq_path: The full pathname of the Postfix mailq command. This
# is the Sendmail-compatible mail queue listing command.
#
mailq_path = /usr/bin/mailq
# setgid_group: The group for mail submission and queue management
# commands. This must be a group name with a numerical group ID that
# is not shared with other accounts, not even with the Postfix account.
#
setgid_group = postdrop
# html_directory: The location of the Postfix HTML documentation.
#
html_directory = no
# manpage_directory: The location of the Postfix on-line manual pages.
#
manpage_directory = /usr/share/man
# sample_directory: The location of the Postfix sample configuration files.
# This parameter is obsolete as of Postfix 2.1.
#
sample_directory = /etc/postfix
# readme_directory: The location of the Postfix README files.
#
readme_directory = /usr/share/doc/postfix
inet_protocols = ipv4
meta_directory = /etc/postfix
shlib_directory = /usr/lib/postfix

View File

@ -0,0 +1,2 @@
dependencies:
- native-ssh

View File

@ -0,0 +1,2 @@
- name: sshd restart
service: name=sshd state=restarted enabled=yes

View File

@ -0,0 +1,3 @@
- name: configuring ssh
template: src=sshd_config dest=/etc/ssh/
notify: sshd restart

View File

@ -0,0 +1,118 @@
# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin without-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no # pam does that
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

View File

@ -0,0 +1,3 @@
# Role Administrator
This role creates an standard administrator user.
For security reasons it's recommended to use this user instead of the standard root user.

View File

@ -0,0 +1,7 @@
- name: create administrator
user:
name: administrator
generate_ssh_key: yes
ssh_key_bits: 4096
ssh_key_file: .ssh/id_rsa
group: sudo

View File

@ -0,0 +1,5 @@
- name: remove the user alarm
user:
name: alarm
state: absent
remove: yes

View File

@ -0,0 +1,6 @@
- name: create datasaver
user:
name: datasaver
generate_ssh_key: yes
ssh_key_bits: 4096
ssh_key_file: .ssh/id_rsa

View File

@ -0,0 +1,10 @@
# Role Native Wireguard
Manages wireguard natively on host. More information are available in the [Arch wiki](https://wiki.archlinux.org/index.php/WireGuard#Manual_WireGuard_setup).
## Create Client Key
``bash
wg genkey | tee peer_A.key | wg pubkey > peer_A.pub
``
# chown root:systemd-network /etc/systemd/network/99-*.netdev
# chmod 0640 /etc/systemd/network/99-*.netdev

View File

@ -0,0 +1,2 @@
- name: restart wireguard
service: name=wg-quick@wg0.service state=restarted enabled=yes

View File

@ -0,0 +1,6 @@
- name: install wireguard
pacman: name=wireguard-tools state=present
- name: create /etc/wireguard/wg0.conf
template: src={{ inventory_hostname }}.wg0.conf dest=/etc/wireguard/wg0.conf
notify: restart wireguard

47
site.yml Normal file
View File

@ -0,0 +1,47 @@
---
- name: setup backup servers
hosts: backup_servers
roles:
- native-user-datasafer
- name: setup arch servers
hosts: arch_servers
roles:
- native-security
- native-pacman
- native-wireguard
- native-user-alarm
- native-user-administrator
- name: setup webservers
hosts: webservers
roles:
- role: native-homepage
vars:
domain: "{{top_domain}}"
- role: docker-nextcloud
vars:
domain: cloud.{{top_domain}}
http_port: 8001
- role: docker-gitea
vars:
domain: git.{{top_domain}}
http_port: 8002
ssh_port: 2201
run_mode: prod
- role: docker-wordpress
vars:
domain: www.{{top_domain}}
http_port: 8003
- role: docker-mediawiki
vars:
domain: wiki.{{top_domain}}
http_port: 8004
- role: docker-mybb
vars:
domain: forum.{{top_domain}}
http_port: 8005
- role: docker-yourls
vars:
domain: s.{{top_domain}}
http_port: 8006
- native-docker-volume-backup