--- /dev/null
+# This file will be included into CreateSysInfo
+DIR_INFO=/srv/www/sys.info/nest1.gemeinwohl-gesellschaft.de
+# a blank separated list of mount points formatted with BTRFS, e.g. "/media/fs.cache /media/fs.system"
+BTRFS_FS="/media/fs.cache /media/fs.system"
+# a blank separated list of devices that should be controlled by smartmon, e.g. 'sda sdb'
+SMART_MON_DEVS='nvme0n1'
+# set to yes if mdadm manages software raid devices
+HAS_SOFT_RAID=yes
+MK_HOME_TAR=yes
+USE_ZFS=no
+# a blank separated list of "--exclude=<dir>" entries. That listed subdirs will not be saved in the TAR archive
+EXCLUDE_HOME="--exclude=jails"
+# each subdirectory of /home containing that file will not be saved as TAR archive
+TAG_FILE=.do.not.save.as.home
+
--- /dev/null
+../../ansknife/playbooks.templates/i_11_user.yaml
\ No newline at end of file
+++ /dev/null
-../../ansknife/playbooks.templates/i_21_nginx_sites.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/playbooks.templates/i_51_seafile.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/playbooks.templates/lets_multi_certificate.yaml
\ No newline at end of file
path_script_local: "{{ path_script }}/{{ hostname }}"
hostname_short: Nest1
vars_files:
- - ../var/common.yaml
+ - ../vars/common.yaml
tasks:
- name: Creates a cron file for clearing the swap files
ansible.builtin.cron:
path_script: /usr/local/bin
path_script_local: "{{ path_script }}/{{hostname}}"
vars_files:
- - ../var/common.yaml
+ - ../vars/common.yaml
tasks:
- name: create facts
ansible.builtin.set_fact:
- SaveOwner
- ClearSwap
- SaveDatabases
- - "{{ hostname_short }}Backup"
\ No newline at end of file
+ - "{{ hostname_short }}Backup"
--- /dev/null
+../../ansknife/playbooks.templates/nginx_sites.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/playbooks.templates/opencloud_install.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/playbooks.templates/ssl_mult_certificate.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/tasks.templates/t_docker_install.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/tasks.templates/t_docker_internal.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/tasks.templates/t_lets_multi_cert.yaml
\ No newline at end of file
--- /dev/null
+../../ansknife/tasks.templates/t_ssl_multi_cert.yaml
\ No newline at end of file
local domain=$1
if [ -e $BASE_WEBAPPS/$domain.conf ]; then
. $BASE_WEBAPPS/$domain.conf
- if [ -n "$db_name" ]; then
+ if [ -n "$db_name" -a "$db_type" = mysql ]; then
local sql=$BASE_DIR/$domain/db/$domain.sql.gz
- mysqldump -u $db_user "-p$db_password" $db_name | gzip > $sql
+ mysqldump -h $db_host -u $db_user "-p$db_password" $db_name | gzip > $sql
test -n "$VERBOSE" && ls -ld $sql
fi
fi
--- /dev/null
+# Ansible controlled. Do not change this file on the remote server manually.
+server {
+ listen 80;
+ listen [::]:80;
+ server_name civi.gemeinwohl-gesellschaft.de;
+ include snippets/letsencrypt.conf;
+ root /srv/www/civi.gemeinwohl-gesellschaft.de;
+ location / {
+ return 301 https://civi.gemeinwohl-gesellschaft.de$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name civi.gemeinwohl-gesellschaft.de;
+
+ access_log /var/log/nginx/a_civi.log;
+ error_log /var/log/nginx/e_civi.log;
+
+ ssl_certificate /etc/letsencrypt/live/civi.gemeinwohl-gesellschaft.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/civi.gemeinwohl-gesellschaft.de/privkey.pem;
+ #ssl_certificate /etc/ssl/certs/civi.gemeinwohl-gesellschaft.de.pem;
+ #ssl_certificate_key /etc/ssl/private/civi.gemeinwohl-gesellschaft.de.key;
+
+ root /srv/www/civi.gemeinwohl-gesellschaft.de;
+
+ location = /favicon.ico {
+ log_not_found off;
+ access_log off;
+ }
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+ location ^~ /civicrm/ {
+
+ # Some requests can be slow, we can allow them more time to run.
+ # Note that PHP FPM also has timeouts. If nginx's timeouts exceed PHP's
+ # then PHP will keep running after nginx gives up waiting for it.
+ location ~*^/civicrm/(dashboard/|contact/dedupefind|contact/import|activity/search|contribute/import|ajax/status\?|payment/ipn/\d+) {
+ fastcgi_index index.php;
+ include fastcgi.conf;
+ fastcgi_read_timeout 300s;
+ fastcgi_param SCRIPT_NAME /index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root/index.php;
+ fastcgi_param QUERY_STRING q=$uri&$args;
+ fastcgi_pass unix:/run/php/php8.3-fpm.sock;
+ }
+
+ # All requests go via Civi with the default read timeout.
+ fastcgi_index index.php;
+ include fastcgi.conf;
+ fastcgi_param SCRIPT_NAME /index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root/index.php;
+ fastcgi_param QUERY_STRING q=$uri&$args;
+ fastcgi_pass unix:/run/php/php8.3-fpm.sock;
+ }
+
+ # ---------------------
+ # Regex match locations (these are processed after longest-prefix)
+ # ---------------------
+
+ # Allow access to reasonable assets shipped with core, extensions, or from the public dir.
+ # @todo do you need extra extensions here?
+ # @todo if, say, you want to allow downloading of .sql or .zip or .tar etc. files from /public
+ # then create a separate rule that covers strictly what you expect and nothing wider.
+ # You want to ensure that any files a developer might accidentally create/leave around
+ # like backups, sql dumps etc. are not world-accessible.
+ location ~ ^/(public|core|ext)/.*\.(png|css|jpg|js|mjs|json|webp|gif|ico|svg|woff2|html)$ {
+ # Return the file if it exists, or a 404
+ try_files $uri 404;
+ }
+
+ ## Allow direct access to running known PHP files in 'extern/' (deprecated)
+ location ~ ^/core/extern/(authorizeIPN|cxn|ipn|open|rest|soap|url|widget).php$ {
+ fastcgi_index index.php;
+ include fastcgi.conf;
+ fastcgi_param SCRIPT_FILENAME $document_root$1;
+ fastcgi_param PATH_INFO $2;
+ fastcgi_param HTTPS on;
+ fastcgi_pass unix:/run/php/php8.3-fpm.sock;
+ }
+
+
+
+ location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
+ expires 30d;
+ # Optional: Don't log access to assets
+ access_log off;
+ }
+ location ~ ^(.+?\.php)(/.*)?$ {
+ try_files $1 = 404;
+
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$1;
+ fastcgi_param PATH_INFO $2;
+ fastcgi_param HTTPS on;
+ fastcgi_pass unix:/run/php/php8.3-fpm.sock;
+ }
+
+}
\ No newline at end of file
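Review bot: The `extern` location at lines 162–169 passes `$document_root$1` and `$2` to PHP-FPM, but its regex has a single capture group holding only the bare script name, so SCRIPT_FILENAME points at a file that does not exist and PATH_INFO is always empty; either use `fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;` or drop both params and rely on `fastcgi.conf`, as the second civi config in this commit does. `try_files $1 = 404;` at line 179 has a stray space: only `=404` is the status-code fallback, a bare `404` is treated as an internal-redirect URI, and the same `try_files $uri 404;` form appears at line 158 here and at lines 247, 311 and 358 of the second civi config. The catch-all `location ~ ^(.+?\.php)(/.*)?$` at line 178 executes any .php file anywhere under the docroot and there is no default `location /`, which undercuts the "only run php via index.php and extern/" intent stated in the second config's header; consider limiting PHP execution to `/index.php` plus the extern block and adding `location / { return 404; }`.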
--- /dev/null
+#
+# This file is offered as a starting point for hosting CiviCRM Standalone with NGINX
+#
+# It has not really been tested
+# Your server may be quite different
+# Your needs may be different
+#
+# Where configuration allows, we use a security-first aproach: ban everything, then
+#
+# - Only allow running php files via index.php and /extern/ (deprecated)
+#
+# - Only allow accessing other files from expected places and with expected extensions.
+#
+# @todo Replace civi.gemeinwohl-gesellschaft.de with your domain, including subdomain if using.
+# @todo scan for @todo in the file!
+
+
+# Define your upstream. You may already have this defined elsewhere.
+# @todo check/update and if using a different name to php-fpm, update references below.
+upstream php-fpm {
+ server unix:/run/php/php8.3-fpm.sock;
+}
+
+# Create a macro/variable so we can limit the http methods we allow.
+map $request_method $not_an_allowed_http_method {
+ default 1;
+ OPTIONS 0;
+ GET 0;
+ HEAD 0;
+ POST 0;
+}
+
+# Define a nicer log format - using JSON. This makes searching/summarising your logs much easier.
+# Optional. If you don't want it, remove jsonlog from the access_log directive below.
+# rq = request. rs = response.
+log_format jsonlog escape=json
+ '{'
+ '"rsTime":"$time_iso8601",'
+ '"rsStatus":"$status",'
+ '"rqIp":"$remote_addr",'
+ '"rq":"$request",'
+ '"rqUser":"$remote_user",'
+ '"rqRef":"$http_referer",'
+ '"rqUA":"$http_user_agent",'
+ '"rsB":"$body_bytes_sent",'
+ '"rsTook":"$request_time",'
+ '"phpTook":"$upstream_response_time"'
+ '}';
+
+# Redirect http to https
+server {
+ listen 80;
+ listen [::]:80;
+ server_name civi.gemeinwohl-gesellschaft.de;
+ # Allow "Well-Known URIs" as per RFC 5785
+ location ^~ /.well-known/ {
+ try_files $uri 404;
+ }
+ return 301 https://civi.gemeinwohl-gesellschaft.de$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name civi.gemeinwohl-gesellschaft.de;
+ # The docroot is the directory in which you find the index.php file.
+ # If you extract a zip file from the releases page, you'll see everything
+ # under a civicrm-standalone dir. You can rename it whatever you want
+ # (e.g. docroot or web or publicHtml are common) - it doesn't matter
+ # as long as the following path points to it.
+ root /srv/www/civi.gemeinwohl-gesellschaft.de;
+
+ charset utf-8;
+
+ #error_log /var/log/nginx/e_civi.log;
+ # or:
+ error_log /var/log/nginx/e_civi.log info;
+
+ # access_log /var/log/nginx/a_civi.log jsonlog;
+ # or, without the jsonlog bit:
+ access_log /var/log/nginx/access.log;
+
+ # @todo paths to your SSL here. (Or let certbot replace these for you.)
+ ssl_certificate /etc/letsencrypt/live/civi.gemeinwohl-gesellschaft.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/civi.gemeinwohl-gesellschaft.de/privkey.pem;
+
+ # @todo You may want to limit the ssl_ciphers here. This is a moving target.
+ # https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
+ # Example at time of writing.
+ # ssl_prefer_server_ciphers on;
+ # ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+ # Say that we expect https for up to 1 year.
+ # @todo review
+ add_header Strict-Transport-Security max-age=31622400;
+
+ fastcgi_keep_conn on; # keep alive to the FCGI upstream
+ index index.php;
+
+ # Only accept expected http methods.
+ if ($not_an_allowed_http_method) {
+ return 405;
+ }
+
+ # Note: nginx processes different types of 'location' block in priority order,
+ # somewhat regardless of the order they are declared here. To help a human reason this,
+ # the location blocks are mostly presented in priority order.
+
+ # ---------------------
+ # Exact match locations
+ # ---------------------
+
+ location = / {
+ include fastcgi.conf;
+ fastcgi_param SCRIPT_NAME /index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root/index.php;
+ fastcgi_param QUERY_STRING q=$uri&$args;
+ fastcgi_pass php-fpm;
+ }
+
+ location = /robots.txt {
+ try_files $uri 404;
+ # @todo consider:
+ # log_not_found off;
+ # access_log off;
+ }
+
+ # ---------------------
+ # Longest prefix match locations. Identified by ^~ this is a plain-text match (not a regex!)
+ # ---------------------
+
+ # All CiviCRM paths are under /civicrm/ (because CiviCRM also runs in CMS contexts and uses this as a namespace)
+ location ^~ /civicrm/ {
+
+ # Some requests can be slow, we can allow them more time to run.
+ # Note that PHP FPM also has timeouts. If nginx's timeouts exceed PHP's
+ # then PHP will keep running after nginx gives up waiting for it.
+ location ~*^/civicrm/(dashboard/|contact/dedupefind|contact/import|activity/search|contribute/import|ajax/status\?|payment/ipn/\d+) {
+ fastcgi_index index.php;
+ include fastcgi.conf;
+ fastcgi_read_timeout 300s;
+ fastcgi_param SCRIPT_NAME /index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root/index.php;
+ fastcgi_param QUERY_STRING q=$uri&$args;
+ fastcgi_pass php-fpm;
+ }
+
+ # All requests go via Civi with the default read timeout.
+ fastcgi_index index.php;
+ include fastcgi.conf;
+ fastcgi_param SCRIPT_NAME /index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root/index.php;
+ fastcgi_param QUERY_STRING q=$uri&$args;
+ fastcgi_pass php-fpm;
+ }
+
+ # ---------------------
+ # Regex match locations (these are processed after longest-prefix)
+ # ---------------------
+
+ # Allow access to reasonable assets shipped with core, extensions, or from the public dir.
+ # @todo do you need extra extensions here?
+ # @todo if, say, you want to allow downloading of .sql or .zip or .tar etc. files from /public
+ # then create a separate rule that covers strictly what you expect and nothing wider.
+ # You want to ensure that any files a developer might accidentally create/leave around
+ # like backups, sql dumps etc. are not world-accessible.
+ location ~ ^/(public|core|ext)/.*\.(png|css|jpg|js|mjs|json|webp|gif|ico|svg|woff2|html)$ {
+ # Return the file if it exists, or a 404
+ try_files $uri 404;
+ }
+
+ ## Allow direct access to running known PHP files in 'extern/' (deprecated)
+ location ~ ^/core/extern/(authorizeIPN|cxn|ipn|open|rest|soap|url|widget).php$ {
+ fastcgi_index index.php;
+ include fastcgi.conf;
+ fastcgi_pass php-fpm;
+ }
+
+
+ # @todo If you have migrated from Drupal7 and moved your images
+ # to the new location, you can use something like this which will
+ # allow requests to the old paths to serve the images from their new paths.
+ # location /sites/default/files/civicrm/persist/contribute/images/ {
+ # alias /var/www/civi.gemeinwohl-gesellschaft.de/docroot/public/media/images/;
+ # }
+
+ # Default location.
+ location / {
+ return 404;
+ }
+}
\ No newline at end of file
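Review bot: The HTTPS server at line 253 listens on IPv4 `443` only, while the redirect server at lines 242–243 also binds `[::]:80`; an IPv6 client is redirected to https and then reaches whichever other server block owns `[::]:443` (the nest1 fragment at line 413 in this diff binds it), not this vhost. Add `listen [::]:443 ssl;` beside line 253, as the first civi config already does at lines 97–98. Both civi configs declare `server_name civi.gemeinwohl-gesellschaft.de` on port 443; if both are enabled at the same time nginx logs "conflicting server name" and silently keeps the first one loaded — I cannot tell from the diff whether only one is deployed.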
--- /dev/null
+server {
+ listen 80;
+ server_name cloud.gemeinwohl-gesellschaft.de collabora.gemeinwohl-gesellschaft.de wopiserver.gemeinwohl-gesellschaft.de traefik.gemeinwohl-gesellschaft.de;
+ include snippets/letsencrypt.conf;
+ root /srv/www/cloud.gemeinwohl-gesellschaft.de;
+ location / {
+ return 301 https://$server_name$request_uri; # enforce https
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ server_name cloud.gemeinwohl-gesellschaft.de collabora.gemeinwohl-gesellschaft.de wopiserver.gemeinwohl-gesellschaft.de traefik.gemeinwohl-gesellschaft.de;
+ access_log /var/log/nginx/a_cloud.log;
+ error_log /var/log/nginx/e_cloud.log;
+
+ ssl_certificate /etc/letsencrypt/live/cloud.gemeinwohl-gesellschaft.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/cloud.gemeinwohl-gesellschaft.de/privkey.pem;
+ #ssl_certificate /etc/ssl/certs/cloud.gemeinwohl-gesellschaft.de.pem;
+ #ssl_certificate_key /etc/ssl/private/cloud.gemeinwohl-gesellschaft.de.key;
+ location / {
+ #proxy_pass https://0.0.0.0:9443;
+ proxy_pass https://127.0.0.1:9443;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
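Review bot: The port-80 redirect at line 389 uses `$server_name`, which nginx resolves to the first entry of the `server_name` directive (`cloud.gemeinwohl-gesellschaft.de`), so plain-HTTP requests for the collabora., wopiserver. and traefik. names are redirected to the cloud host instead of their own; use `return 301 https://$host$request_uri;`. The certificate at lines 399–400 is the `cloud.…` lineage only; unless it is a multi-SAN certificate that also covers the other three names (the commit adds a lets_multi_certificate template, so it may be), TLS for those hosts fails name validation. `traefik.gemeinwohl-gesellschaft.de` is proxied publicly with no access restriction in this block; if it serves the Traefik dashboard, consider limiting it with `allow`/`deny` or authentication at the proxy.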
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name nest1.gemeinwohl-gesellschaft.de;
+
access_log /var/log/nginx/a_nest1.log;
error_log /var/log/nginx/e_nest1.log;
--- /dev/null
+server {
+ listen 80;
+ server_name seafile.gemeinwohl-gesellschaft.de;
+ include snippets/letsencrypt.conf;
+ root /srv/www/seafile.gemeinwohl-gesellschaft.de;
+ location / {
+ return 301 https://$server_name$request_uri; # enforce https
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ server_name seafile.gemeinwohl-gesellschaft.de;
+ access_log /var/log/nginx/a_seafile.log;
+ error_log /var/log/nginx/e_seafile.log;
+
+ ssl_certificate /etc/letsencrypt/live/seafile.gemeinwohl-gesellschaft.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/seafile.gemeinwohl-gesellschaft.de/privkey.pem;
+ #ssl_certificate /etc/ssl/certs/seafile.gemeinwohl-gesellschaft.de.pem;
+ #ssl_certificate_key /etc/ssl/private/seafile.gemeinwohl-gesellschaft.de.key;
+ location / {
+ proxy_pass http://127.0.0.1:8080;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
\ No newline at end of file
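Review bot: The proxy at lines 439–445 forwards only `/` to the Seafile web front end on 8080; as far as I know Seafile serves uploads and downloads from a separate file-server daemon (default port 8082) that is normally exposed as `location /seafhttp { proxy_pass http://127.0.0.1:8082; }`, and large transfers also need `client_max_body_size` raised above nginx's 1m default — if file transfer is expected, this vhost looks incomplete. A `proxy_read_timeout` above the 60s default is also worth adding for long transfers.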
--- /dev/null
+# This file will be included into CreateSysInfo
+DIR_INFO=/srv/www/sys.info/nest1.gemeinwohl-gesellschaft.de
+# a blank separated list of mount points formatted with BTRFS, e.g. "/media/fs.cache /media/fs.system"
+BTRFS_FS=""
+# a blank separated list of devices that should be controlled by smartmon, e.g. 'sda sdb'
+SMART_MON_DEVS='sda'
+# set to yes if mdadm manages software raid devices
+HAS_SOFT_RAID=no
+MK_HOME_TAR=yes
+USE_ZFS=no
+# a blank separated list of "--exclude=<dir>" entries. That listed subdirs will not be saved in the TAR archive
+EXCLUDE_HOME="--exclude=jails"
+# each subdirectory of /home containing that file will not be saved as TAR archive
+TAG_FILE=.do.not.save.as.home
+
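Review bot: `DIR_INFO` at line 450 is the same `/srv/www/sys.info/nest1.gemeinwohl-gesellschaft.de` as in the first CreateSysInfo config at line 3, while `BTRFS_FS`, `SMART_MON_DEVS` and `HAS_SOFT_RAID` differ; if the two files target different hosts this looks like a copy-paste leftover and both system reports would be written into the same directory. The diff does not show the file paths, so I cannot confirm which host each belongs to.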
+++ /dev/null
-# Ansible controlled: do not change on server
-dkim_domains: ["f-r-e-i.de"]
-dkim_opendkim_config_dir: /etc/opendkim
-dkim_config_file: /etc/opendkim.conf
-dkim_selector: "20250419"
-dkim_user: opendkim
-dkim_group: opendkim
-dkim_rsa_keylen: 2048
-dkim_socket_port: 12301
-
-dmarc_config_file: /etc/opendmarc.conf
-dmarc_config_dir: /etc/opendmarc
-dmarc_email_report: report.dmarc@hamatoma.de
-dmarc_user: opendmarc
-dmarc_group: opendmarc
+++ /dev/null
-configuration_directory: /etc/ansknife
-remote_webapps_directory: "{{ configuration_directory }}/webapps.d"
-local_webapps_directory: "../webapps"
-remote_www_directory: "/home/www"
-systemd_journal_system_max_use: 200M
-systemd_journal_system_max_file_size: 50M
-postfix_host: "nest1.gemeinwohl-gesellschaft.de"
-postfix_domain: "gemeinwohl-gesellschaft.de"
-postfix_receipient_email: "nest1.mail@hamatoma.de"
-postfix_mode: email_forwarding
-webmaster_email: "nest1@hamatoma.de"
+++ /dev/null
----
-# Creation of the central password file:
-# echo "top_secret_password" > resources/.vaults
-# Creation of the encrypted vault file:
-# ansible-vault encrypt_string --vault-password-file resources/.vault --name 'vault_dba_password' --stdin-name 'vault_dba_password' | tee var/vault_db.yaml
-# Find the password file: ANSIBLE_VAULT_PASSWORD_FILE=resources/.vault
-dba_name: dba
-dba_password: "{{ vault_dba_password }}"
\ No newline at end of file
+++ /dev/null
----
-# php.yaml:
-# Defines variables for the PHP role.
-# This file is used to set up the PHP environment and configuration.
-# needed variables: PHP_VERS
-
-php_packages:
- - php{{PHP_VERS}}-common
- - php{{PHP_VERS}}-curl
- - php{{PHP_VERS}}-fpm
- - php{{PHP_VERS}}-gd
- - php{{PHP_VERS}}-igbinary
- - php{{PHP_VERS}}-imagick
- - php{{PHP_VERS}}-imap
- - php{{PHP_VERS}}-intl
- - php{{PHP_VERS}}-mbstring
- - php{{PHP_VERS}}-memcached
- - php{{PHP_VERS}}-msgpack
- - php{{PHP_VERS}}-mysql
- - php{{PHP_VERS}}-opcache
- - php{{PHP_VERS}}-phpdbg
- - php{{PHP_VERS}}-readline
- - php{{PHP_VERS}}-redis
- - php{{PHP_VERS}}-xdebug
- - php{{PHP_VERS}}-xml
- - php{{PHP_VERS}}-zip
-php_additional_packages:
- - redis-server
- - imagemagick
-
-php_ini_settings:
- - { section: "DEFAULT", option: "memory_limit", value: "512M" }
- - { section: "DEFAULT", option: "upload_max_filesize", value: "512M" }
- - { section: "DEFAULT", option: "max_file_uploads", value: 100 }
- - { section: "DEFAULT", option: "post_max_size", value: "512M" }
- - { section: "DEFAULT", option: "max_execution_time", value: 600 }
- - { section: "DEFAULT", option: "max_input_time", value: 600 }
- - { section: "DEFAULT", option: "default_socket_timeout", value: 600 }
- - { section: "Session", option: "session.save_handler", value: "redis" }
- - { section: "Session", option: "session.save_path", value: "tcp://127.0.0.1:6379" }
- - { section: "opcache", option: "opcache.enable", value: 1 }
- - { section: "opcache", option: "opcache.memory_consumption", value: 512 }
- - { section: "opcache", option: "opcache.interned_strings_buffer", value: 256 }
-
+++ /dev/null
----
-# "/C=DE/ST=NRW/L=Bochum/O=IT/CN={{hostname}}"
-ssl_country: DE
-ssl_state: Bavaria
-ssl_locality: Kempten
-ssl_organization: 'Gemeinwohl-Gesellschaft e.V.'
-ssl_lifetime: 365
-ssl_rsa_key_size: 2048
+++ /dev/null
-vault_dba_password: {{ vault_state_infeos_net_db_password }}
\ No newline at end of file
+++ /dev/null
-- vault_state_infeos_net_db_password: Sekret.Top
\ No newline at end of file
+++ /dev/null
-webapps_list:
- - webapp_name: 'nest1.gemeinwohl-gesellschaft.de'
- db_name: ''
- db_user: ''
- db_password: ''
- directory: '/srv/www/nest1.gemeinwohl-gesellschaft.de'
- - webapp_name: 'wissen.gemeinwohl-gesellschaft.org'
- db_name: 'mwwissen'
- db_user: 'wissen'
- db_password: 'NobodyKennts'
- directory: '/srv/www/wissen.gemeinwohl-gesellschaft.org'
- - webapp_name: 'zentrum.gemeinwohl-gesellschaft.org'
- db_name: 'lrvzentrum'
- db_user: 'lrvzentrum'
- db_password: 'TopSecret'
- directory: '/srv/www/zentrum.gemeinwohl-gesellschaft.org'
--- /dev/null
+# Ansible controlled: do not change on server
+dkim_domains: ["f-r-e-i.de"]
+dkim_opendkim_config_dir: /etc/opendkim
+dkim_config_file: /etc/opendkim.conf
+dkim_selector: "20250419"
+dkim_user: opendkim
+dkim_group: opendkim
+dkim_rsa_keylen: 2048
+dkim_socket_port: 12301
+
+dmarc_config_file: /etc/opendmarc.conf
+dmarc_config_dir: /etc/opendmarc
+dmarc_email_report: report.dmarc@hamatoma.de
+dmarc_user: opendmarc
+dmarc_group: opendmarc
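Review bot: `dkim_domains` at line 581 lists only `f-r-e-i.de`, while `postfix_domain` in the common vars added by this commit (line 603) is `gemeinwohl-gesellschaft.de`; if outgoing mail for that domain is meant to be DKIM-signed it has to appear here too, e.g. `dkim_domains: ["f-r-e-i.de", "gemeinwohl-gesellschaft.de"]`, with a matching DNS TXT record for selector `20250419`. I cannot tell from the diff whether the omission is deliberate.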
--- /dev/null
+configuration_directory: /etc/ansknife
+remote_webapps_directory: "{{ configuration_directory }}/webapps.d"
+local_webapps_directory: "../webapps"
+remote_www_directory: "/home/www"
+systemd_journal_system_max_use: 200M
+systemd_journal_system_max_file_size: 50M
+postfix_host: "nest1.gemeinwohl-gesellschaft.de"
+postfix_domain: "gemeinwohl-gesellschaft.de"
+postfix_receipient_email: "nest1.mail@hamatoma.de"
+postfix_mode: email_forwarding
+webmaster_email: "nest1@hamatoma.de"
+seafile_user_id: 261
--- /dev/null
+---
+# Creation of the central password file:
+# echo "top_secret_password" > resources/.vaults
+# Creation of the encrypted vault file:
+# ansible-vault encrypt_string --vault-password-file resources/.vault --name 'dba_password_vault' --stdin-name 'dba_password_vault' | tee var/mysql_vault.yaml
+# Find the password file: ANSIBLE_VAULT_PASSWORD_FILE=resources/.vault
+dba_name: dba
+dba_password: "{{ dba_password_vault }}"
--- /dev/null
+---
+# Passwords for mysql databases
+dba_password_vault: "Never.Ever.47"
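Review bot: `dba_password_vault` at line 620 is a plaintext string in a file committed to the repository, although the comment at lines 610–614 describes encrypting exactly this value with `ansible-vault encrypt_string`; the file should hold the `!vault |` ciphertext block that command prints, not the literal. The same applies to the other plaintext credentials this commit adds: `ADMIN_PASSWORD=…` at line 637 and the `db_password` values at lines 727, 734, 741 and 748. Once pushed, these values live in git history and should be treated as exposed and rotated after they are moved into the vault.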
--- /dev/null
+# Configuration of opencloud
+
+opencloud_base: /opt
+opencloud_domain: gemeinwohl-gesellschaft.de
+opencloud_email: opencloud.hamatoma.de
+opencloud_config_file: "{{ opencloud_base}}/opencloud/deployments/examples/opencloud_full/.env"
+opencloud_port80: 9080
+opencloud_port443: 9443
+
+opencloud_configs:
+ "^(# )?INSECURE=true": "INSECURE=false"
+ "^TRAEFIK_DOMAIN=": "TRAEFIK_DOMAIN=traefik.{{ opencloud_domain }}"
+ "^OC_DOMAIN=": "OC_DOMAIN=cloud.{{ opencloud_domain }}"
+ "^COLLABORA_DOMAIN=": "COLLABORA_DOMAIN=collabora.{{ opencloud_domain }}"
+ "^WOPISERVER_DOMAIN=": "WOPISERVER_DOMAIN=wopiserver..{{ opencloud_domain }}"
+ "^ADMIN_PASSWORD=": "ADMIN_PASSWORD=FORR33alll.Guyss"
+ "^TRAEFIK_ACME_MAIL=": "TRAEFIK_ACME_MAIL={{ opencloud_email }}"
+ "^(# )?OC_CONFIG_DIR=": "OC_CONFIG_DIR={{ opencloud_base }}/opencloud_config"
+ "^(# )?OC_DATA_DIR=": "OC_DATA_DIR={{ opencloud_base }}/opencloud_data"
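Review bot: The replacement at line 636 contains a doubled dot, `wopiserver..{{ opencloud_domain }}`, which produces an invalid hostname; it should read `"WOPISERVER_DOMAIN=wopiserver.{{ opencloud_domain }}"`. `opencloud_email` at line 626 is `opencloud.hamatoma.de`, which looks like a hostname rather than a mailbox, yet it is written into `TRAEFIK_ACME_MAIL` at line 638 where the ACME CA expects an e-mail address. `{{ opencloud_base}}` at line 627 lacks the closing space the other expressions use — cosmetic, but worth aligning.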
--- /dev/null
+---
+# php.yaml:
+# Defines variables for the PHP role.
+# This file is used to set up the PHP environment and configuration.
+# needed variables: php_version
+
+php_packages:
+ - php{{ php_version }}-common
+ - php{{ php_version }}-curl
+ - php{{ php_version }}-fpm
+ - php{{ php_version }}-gd
+ - php{{ php_version }}-igbinary
+ - php{{ php_version }}-imagick
+ - php{{ php_version }}-imap
+ - php{{ php_version }}-intl
+ - php{{ php_version }}-mbstring
+ - php{{ php_version }}-memcached
+ - php{{ php_version }}-msgpack
+ - php{{ php_version }}-mysql
+ - php{{ php_version }}-opcache
+ - php{{ php_version }}-phpdbg
+ - php{{ php_version }}-readline
+ - php{{ php_version }}-redis
+ - php{{ php_version }}-xdebug
+ - php{{ php_version }}-xml
+ - php{{ php_version }}-zip
+php_additional_packages:
+ - redis-server
+ - imagemagick
+
+php_ini_settings:
+ - { section: "DEFAULT", option: "memory_limit", value: "512M" }
+ - { section: "DEFAULT", option: "upload_max_filesize", value: "512M" }
+ - { section: "DEFAULT", option: "max_file_uploads", value: 100 }
+ - { section: "DEFAULT", option: "post_max_size", value: "512M" }
+ - { section: "DEFAULT", option: "max_execution_time", value: 600 }
+ - { section: "DEFAULT", option: "max_input_time", value: 600 }
+ - { section: "DEFAULT", option: "default_socket_timeout", value: 600 }
+ - { section: "Session", option: "session.save_handler", value: "redis" }
+ - { section: "Session", option: "session.save_path", value: "tcp://127.0.0.1:6379" }
+ - { section: "opcache", option: "opcache.enable", value: 1 }
+ - { section: "opcache", option: "opcache.memory_consumption", value: 512 }
+ - { section: "opcache", option: "opcache.interned_strings_buffer", value: 256 }
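Review bot: `php{{ php_version }}-xdebug` (line 665) and `php{{ php_version }}-phpdbg` (line 662) sit in the default `php_packages` list; xdebug is a debugging extension that slows PHP noticeably and, when its remote or trigger modes are enabled, opens a debug channel — on a host that serves the public sites in this commit it should be opt-in, e.g. moved to a `php_debug_packages` list installed only when a `php_debug: true` variable is set. The `512M` `upload_max_filesize`/`post_max_size` at lines 674 and 676 only take effect if the nginx vhosts raise `client_max_body_size` to match, which none of the nginx configs added here do.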
--- /dev/null
+---
+# Configuration of seafile-server
+seafile_user: seafile
+seafile_version: "12.0"
+seafile_download_tar: https://s3.eu-central-1.amazonaws.com/download.seadrive.org/seafile-server_12.0.11_x86-64.tar.gz
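Review bot: `seafile_download_tar` at line 690 pins a tarball URL but no checksum accompanies it; if the fetching task uses `ansible.builtin.get_url`, add a `seafile_download_checksum: "sha256:<PLACEHOLDER_SHA256>"` variable here and pass it as `checksum:` so a tampered or truncated download is rejected instead of unpacked. `seafile_version: "12.0"` and the `12.0.11` embedded in the URL can drift apart; deriving the URL from one full-version variable would keep them consistent.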
--- /dev/null
+---
+# "/C=DE/ST=NRW/L=Bochum/O=IT/CN={{hostname}}"
+ssl_country: DE
+ssl_state: Bavaria
+ssl_locality: Kempten
+ssl_organization: 'Gemeinwohl-Gesellschaft e.V.'
+ssl_lifetime: 365
+ssl_rsa_key_size: 2048
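Review bot: The comment at line 693 shows `/C=DE/ST=NRW/L=Bochum/O=IT`, while the variables below set `Bavaria`, `Kempten` and `Gemeinwohl-Gesellschaft e.V.`, so it no longer illustrates this file. Either update it to `# "/C={{ ssl_country }}/ST={{ ssl_state }}/L={{ ssl_locality }}/O={{ ssl_organization }}/CN={{ hostname }}"` or drop it.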
--- /dev/null
+---
+# human users
+user_humans:
+ wk: 1000
+ andreas: 1501
+
+# the following users can use sudo to receive root rights
+user_sudo_members:
+ - wk
+ - andreas
--- /dev/null
+---
+# Configuration data of the webapps
+webapps_list:
+ - webapp_name: 'nest1.gemeinwohl-gesellschaft.de'
+ db_name: ''
+ db_type: 'none'
+ db_host: ''
+ db_user: ''
+ db_password: ''
+ directory: '/srv/www/nest1.gemeinwohl-gesellschaft.de'
+ - webapp_name: 'wissen.gemeinwohl-gesellschaft.org'
+ db_name: 'mwwissen'
+ db_type: 'myslq'
+ db_host: 'localhost'
+ db_user: 'wissen'
+ db_password: 'NobodyKennts'
+ directory: '/srv/www/wissen.gemeinwohl-gesellschaft.org'
+ - webapp_name: 'zentrum.gemeinwohl-gesellschaft.org'
+ db_name: 'lrvzentrum'
+ db_type: 'myslq'
+ db_host: 'localhost'
+ db_user: 'lrvzentrum'
+ db_password: 'TopSecret'
+ directory: '/srv/www/zentrum.gemeinwohl-gesellschaft.org'
+ - webapp_name: 'civi.gemeinwohl-gesellschaft.de'
+ db_name: 'civigwg'
+ db_type: 'mysql'
+ db_host: 'localhost'
+ db_user: 'civigwg'
+ db_password: 'NieUnd.Nimmer47'
+ directory: '/srv/www/civi.gemeinwohl-gesellschaft.de'
+ - webapp_name: 'seafile.gemeinwohl-gesellschaft.de'
+ db_name: ''
+ db_type: ''
+ db_host: ''
+ db_user: ''
+ db_password: 'NieUnd.Nimmer47'
+ directory: '/srv/www/seafile.gemeinwohl-gesellschaft.de'
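Review bot: `db_type: 'myslq'` at lines 724 and 731 is a typo for `mysql` (line 738 spells it correctly); the backup function changed in this commit only dumps when `"$db_type" = mysql`, so the wissen and zentrum databases would silently drop out of the backups. Fix both to `db_type: 'mysql'`. The seafile entry at lines 743–749 has empty `db_type`/`db_name` but carries `db_password: 'NieUnd.Nimmer47'`, the same value as civi's at line 741, which looks like a copy-paste leftover — clear it or give it its own credential. The `db_password` values in this file are plaintext in the repository; they belong in a vault-encrypted file with `db_password: "{{ … }}"` lookups here.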
--- /dev/null
+---
+- db_password: "Sekret.Top"