From: Hamatoma Date: Mon, 19 May 2025 05:03:56 +0000 (+0200) Subject: Verbesserungen X-Git-Url: https://gitweb.hamatoma.de/?a=commitdiff_plain;h=a154365893240072ad84443e9b216a456f926048;p=nest_ansible.git Verbesserungen --- diff --git a/2 b/2 new file mode 100644 index 0000000..d104434 --- /dev/null +++ b/2 @@ -0,0 +1,15 @@ +# This file will be included into CreateSysInfo +DIR_INFO=/srv/www/sys.info/nest1.gemeinwohl-gesellschaft.de +# a blank separated list of mount points formatted with BTRFS, e.g. "/media/fs.cache /media/fs.system" +BTRFS_FS="/media/fs.cache /media/fs.system" +# a blank separated list of devices that should be controlled by smartmon, e.g. 'sda sdb' +SMART_MON_DEVS='nvme0n1' +# set to yes if mdadm manages software raid devices +HAS_SOFT_RAID=yes +MK_HOME_TAR=yes +USE_ZFS=no +# a blank separated list of "--exclude=" entries. That listed subdirs will not be saved in the TAR archive +EXCLUDE_HOME="--exclude=jails" +# each subdirectory of /home containing that file will not be saved as TAR archive +TAG_FILE=.do.not.save.as.home + diff --git a/playbooks/i_11_user.yaml b/playbooks/i_11_user.yaml new file mode 120000 index 0000000..c40fa7b --- /dev/null +++ b/playbooks/i_11_user.yaml @@ -0,0 +1 @@ +../../ansknife/playbooks.templates/i_11_user.yaml \ No newline at end of file diff --git a/playbooks/i_21_nginx_sites.yaml b/playbooks/i_21_nginx_sites.yaml deleted file mode 120000 index 6534df3..0000000 --- a/playbooks/i_21_nginx_sites.yaml +++ /dev/null @@ -1 +0,0 @@ -../../ansknife/playbooks.templates/i_21_nginx_sites.yaml \ No newline at end of file diff --git a/playbooks/i_51_seafile.yaml b/playbooks/i_51_seafile.yaml new file mode 120000 index 0000000..1a0ba6c --- /dev/null +++ b/playbooks/i_51_seafile.yaml @@ -0,0 +1 @@ +../../ansknife/playbooks.templates/i_51_seafile.yaml \ No newline at end of file diff --git a/playbooks/lets_multi_certificate.yaml b/playbooks/lets_multi_certificate.yaml new file mode 120000 index 0000000..bfead54 --- /dev/null 
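Review bot: The new file `2` at the repository root looks like an accidental commit rather than a template: it is a copy of `templates.local/scripts/CreateSysInfo.conf` (added later in this commit) with different values for `BTRFS_FS`, `SMART_MON_DEVS` and `HAS_SOFT_RAID`, and its name reads like a stray shell redirection target. Nothing in the diff references it, so it is unclear which of the two variants describes the real host. I would drop it, or if its values are the intended ones, fold them into `CreateSysInfo.conf` and state in its header comment which host the file is for, e.g. `# CreateSysInfo settings for nest1 (deployed by Ansible, do not edit on the server)`.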
+++ b/playbooks/lets_multi_certificate.yaml @@ -0,0 +1 @@ +../../ansknife/playbooks.templates/lets_multi_certificate.yaml \ No newline at end of file diff --git a/playbooks/nest1_cron.yaml b/playbooks/nest1_cron.yaml index 65f0ee3..dafb2a5 100644 --- a/playbooks/nest1_cron.yaml +++ b/playbooks/nest1_cron.yaml @@ -7,7 +7,7 @@ path_script_local: "{{ path_script }}/{{ hostname }}" hostname_short: Nest1 vars_files: - - ../var/common.yaml + - ../vars/common.yaml tasks: - name: Creates a cron file for clearing the swap files ansible.builtin.cron: diff --git a/playbooks/nest1_cron_install.yaml b/playbooks/nest1_cron_install.yaml index aaac9c0..c3219e1 100644 --- a/playbooks/nest1_cron_install.yaml +++ b/playbooks/nest1_cron_install.yaml @@ -11,7 +11,7 @@ path_script: /usr/local/bin path_script_local: "{{ path_script }}/{{hostname}}" vars_files: - - ../var/common.yaml + - ../vars/common.yaml tasks: - name: create facts ansible.builtin.set_fact: @@ -27,4 +27,4 @@ - SaveOwner - ClearSwap - SaveDatabases - - "{{ hostname_short }}Backup" \ No newline at end of file + - "{{ hostname_short }}Backup" diff --git a/playbooks/nginx_sites.yaml b/playbooks/nginx_sites.yaml new file mode 120000 index 0000000..65abd93 --- /dev/null +++ b/playbooks/nginx_sites.yaml @@ -0,0 +1 @@ +../../ansknife/playbooks.templates/nginx_sites.yaml \ No newline at end of file diff --git a/playbooks/opencloud_install.yaml b/playbooks/opencloud_install.yaml new file mode 120000 index 0000000..21ca93d --- /dev/null +++ b/playbooks/opencloud_install.yaml @@ -0,0 +1 @@ +../../ansknife/playbooks.templates/opencloud_install.yaml \ No newline at end of file diff --git a/playbooks/ssl_mult_certificate.yaml b/playbooks/ssl_mult_certificate.yaml new file mode 120000 index 0000000..a98b6b6 --- /dev/null +++ b/playbooks/ssl_mult_certificate.yaml @@ -0,0 +1 @@ +../../ansknife/playbooks.templates/ssl_mult_certificate.yaml \ No newline at end of file 
diff --git a/tasks/t_docker_install.yaml b/tasks/t_docker_install.yaml new file mode 120000 index 0000000..9ef7e14 --- /dev/null +++ b/tasks/t_docker_install.yaml @@ -0,0 +1 @@ +../../ansknife/tasks.templates/t_docker_install.yaml \ No newline at end of file diff --git a/tasks/t_docker_internal.yaml b/tasks/t_docker_internal.yaml new file mode 120000 index 0000000..a712b8c --- /dev/null +++ b/tasks/t_docker_internal.yaml @@ -0,0 +1 @@ +../../ansknife/tasks.templates/t_docker_internal.yaml \ No newline at end of file diff --git a/tasks/t_lets_multi_cert.yaml b/tasks/t_lets_multi_cert.yaml new file mode 120000 index 0000000..6bdd652 --- /dev/null +++ b/tasks/t_lets_multi_cert.yaml @@ -0,0 +1 @@ +../../ansknife/tasks.templates/t_lets_multi_cert.yaml \ No newline at end of file diff --git a/tasks/t_ssl_multi_cert.yaml b/tasks/t_ssl_multi_cert.yaml new file mode 120000 index 0000000..1f8a002 --- /dev/null +++ b/tasks/t_ssl_multi_cert.yaml @@ -0,0 +1 @@ +../../ansknife/tasks.templates/t_ssl_multi_cert.yaml \ No newline at end of file diff --git a/templates.local/local_bin/SaveDatabases b/templates.local/local_bin/SaveDatabases index 7c559cd..981d562 100644 --- a/templates.local/local_bin/SaveDatabases +++ b/templates.local/local_bin/SaveDatabases @@ -8,9 +8,9 @@ function SaveOne(){ local domain=$1 if [ -e $BASE_WEBAPPS/$domain.conf ]; then . $BASE_WEBAPPS/$domain.conf - if [ -n "$db_name" ]; then + if [ -n "$db_name" -a "$db_type" = mysql ]; then local sql=$BASE_DIR/$domain/db/$domain.sql.gz - mysqldump -u $db_user "-p$db_password" $db_name | gzip > $sql + mysqldump -h $db_host -u $db_user "-p$db_password" $db_name | gzip > $sql test -n "$VERBOSE" && ls -ld $sql fi fi diff --git a/templates.local/nginx/sites/civi.gemeinwohl-gesellschaft.de b/templates.local/nginx/sites/civi.gemeinwohl-gesellschaft.de new file mode 100644 index 0000000..c6dbcf9 --- /dev/null +++ b/templates.local/nginx/sites/civi.gemeinwohl-gesellschaft.de 
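Review bot: The new `-h $db_host` in SaveDatabases is unquoted, so an entry whose `.conf` sets an empty `db_host` makes the word disappear and `-h` then consumes `-u` as the host name; the `-a` inside `[ ... ]` is also the obsolescent XSI form. I would write `if [ -n "$db_name" ] && [ "$db_type" = mysql ]; then` and `mysqldump ${db_host:+-h "$db_host"} -u "$db_user" "-p$db_password" "$db_name" | gzip > "$sql"`, which only passes `-h` when a host is configured and quotes every expansion. Note that the new guard silently skips any app whose `db_type` is not exactly `mysql`; an `echo "skipping $domain (db_type=$db_type)"` under `$VERBOSE` would make a dropped backup visible. The password on the command line (`-p$db_password`) predates this commit but remains readable in the process list; a `--defaults-extra-file` is the usual fix. SaveOne starts before this hunk and its body continues after it.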
@@ -0,0 +1,105 @@ +# Ansible controlled. Do not change this file on the remote server manually. +server { + listen 80; + listen [::]:80; + server_name civi.gemeinwohl-gesellschaft.de; + include snippets/letsencrypt.conf; + root /srv/www/civi.gemeinwohl-gesellschaft.de; + location / { + return 301 https://civi.gemeinwohl-gesellschaft.de$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name civi.gemeinwohl-gesellschaft.de; + + access_log /var/log/nginx/a_civi.log; + error_log /var/log/nginx/e_civi.log; + + ssl_certificate /etc/letsencrypt/live/civi.gemeinwohl-gesellschaft.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/civi.gemeinwohl-gesellschaft.de/privkey.pem; + #ssl_certificate /etc/ssl/certs/civi.gemeinwohl-gesellschaft.de.pem; + #ssl_certificate_key /etc/ssl/private/civi.gemeinwohl-gesellschaft.de.key; + + root /srv/www/civi.gemeinwohl-gesellschaft.de; + + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + location ^~ /civicrm/ { + + # Some requests can be slow, we can allow them more time to run. + # Note that PHP FPM also has timeouts. If nginx's timeouts exceed PHP's + # then PHP will keep running after nginx gives up waiting for it. + location ~*^/civicrm/(dashboard/|contact/dedupefind|contact/import|activity/search|contribute/import|ajax/status\?|payment/ipn/\d+) { + fastcgi_index index.php; + include fastcgi.conf; + fastcgi_read_timeout 300s; + fastcgi_param SCRIPT_NAME /index.php; + fastcgi_param SCRIPT_FILENAME $document_root/index.php; + fastcgi_param QUERY_STRING q=$uri&$args; + fastcgi_pass unix:/run/php/php8.3-fpm.sock; + } + + # All requests go via Civi with the default read timeout. 
+ fastcgi_index index.php; + include fastcgi.conf; + fastcgi_param SCRIPT_NAME /index.php; + fastcgi_param SCRIPT_FILENAME $document_root/index.php; + fastcgi_param QUERY_STRING q=$uri&$args; + fastcgi_pass unix:/run/php/php8.3-fpm.sock; + } + + # --------------------- + # Regex match locations (these are processed after longest-prefix) + # --------------------- + + # Allow access to reasonable assets shipped with core, extensions, or from the public dir. + # @todo do you need extra extensions here? + # @todo if, say, you want to allow downloading of .sql or .zip or .tar etc. files from /public + # then create a separate rule that covers strictly what you expect and nothing wider. + # You want to ensure that any files a developer might accidentally create/leave around + # like backups, sql dumps etc. are not world-accessible. + location ~ ^/(public|core|ext)/.*\.(png|css|jpg|js|mjs|json|webp|gif|ico|svg|woff2|html)$ { + # Return the file if it exists, or a 404 + try_files $uri 404; + } + + ## Allow direct access to running known PHP files in 'extern/' (deprecated) + location ~ ^/core/extern/(authorizeIPN|cxn|ipn|open|rest|soap|url|widget).php$ { + fastcgi_index index.php; + include fastcgi.conf; + fastcgi_param SCRIPT_FILENAME $document_root$1; + fastcgi_param PATH_INFO $2; + fastcgi_param HTTPS on; + fastcgi_pass unix:/run/php/php8.3-fpm.sock; + } + + + + location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ { + expires 30d; + # Optional: Don't log access to assets + access_log off; + } + location ~ ^(.+?\.php)(/.*)?$ { + try_files $1 = 404; + + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$1; + fastcgi_param PATH_INFO $2; + fastcgi_param HTTPS on; + fastcgi_pass unix:/run/php/php8.3-fpm.sock; + } + +} \ No newline at end of file diff --git a/templates.local/nginx/sites/civi.gemeinwohl-gesellschaft.org.de b/templates.local/nginx/sites/civi.gemeinwohl-gesellschaft.org.de new file mode 100644 index 0000000..9bbf998 --- /dev/null 
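Review bot: In the `extern/` location, `fastcgi_param SCRIPT_FILENAME $document_root$1` and `fastcgi_param PATH_INFO $2` refer to capture groups that the regex `^/core/extern/(authorizeIPN|cxn|ipn|open|rest|soap|url|widget).php$` does not provide: its only group captures the bare script name, so SCRIPT_FILENAME becomes e.g. `/srv/www/civi.gemeinwohl-gesellschaft.de/authorizeIPN` and $2 is empty. The final `location ~ ^(.+?\.php)(/.*)?$` block then executes any `.php` file anywhere under the docroot, which reverts the allow-list approach the comments above it describe and which the sibling template `civi.gemeinwohl-gesellschaft.org.de` in this commit implements with `location / { return 404; }`; its `try_files $1 = 404;` also has a space in what looks like it was meant to be `=404`. I would fix the capture groups, replace the catch-all with the explicit `location = /` and default-404 blocks from the sibling file, and then confirm against the application which other entry points it still needs.

```nginx
    ## Allow direct access to running known PHP files in 'extern/' (deprecated)
    location ~ ^(/core/extern/(?:authorizeIPN|cxn|ipn|open|rest|soap|url|widget)\.php)(/.*)?$ {
        fastcgi_index index.php;
        include fastcgi.conf;
        fastcgi_param SCRIPT_FILENAME $document_root$1;
        fastcgi_param PATH_INFO $2;
        fastcgi_param HTTPS on;
        fastcgi_pass unix:/run/php/php8.3-fpm.sock;
    }

    # … unchanged: static-asset location with expires 30d …

    # Front controller for the site root (taken from the sibling template).
    location = / {
        include fastcgi.conf;
        fastcgi_param SCRIPT_NAME /index.php;
        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
        fastcgi_param QUERY_STRING q=$uri&$args;
        fastcgi_pass unix:/run/php/php8.3-fpm.sock;
    }

    # Anything not matched by an explicit location above is refused; this
    # replaces the generic "^(.+?\.php)(/.*)?$" executor.
    location / {
        return 404;
    }
```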
+++ b/templates.local/nginx/sites/civi.gemeinwohl-gesellschaft.org.de 
@@ -0,0 +1,190 @@ +# +# This file is offered as a starting point for hosting CiviCRM Standalone with NGINX +# +# It has not really been tested +# Your server may be quite different +# Your needs may be different +# +# Where configuration allows, we use a security-first aproach: ban everything, then +# +# - Only allow running php files via index.php and /extern/ (deprecated) +# +# - Only allow accessing other files from expected places and with expected extensions. +# +# @todo Replace civi.gemeinwohl-gesellschaft.de with your domain, including subdomain if using. +# @todo scan for @todo in the file! + + +# Define your upstream. You may already have this defined elsewhere. +# @todo check/update and if using a different name to php-fpm, update references below. +upstream php-fpm { + server unix:/run/php/php8.3-fpm.sock; +} + +# Create a macro/variable so we can limit the http methods we allow. +map $request_method $not_an_allowed_http_method { + default 1; + OPTIONS 0; + GET 0; + HEAD 0; + POST 0; +} + +# Define a nicer log format - using JSON. This makes searching/summarising your logs much easier. +# Optional. If you don't want it, remove jsonlog from the access_log directive below. +# rq = request. rs = response. 
+log_format jsonlog escape=json + '{' + '"rsTime":"$time_iso8601",' + '"rsStatus":"$status",' + '"rqIp":"$remote_addr",' + '"rq":"$request",' + '"rqUser":"$remote_user",' + '"rqRef":"$http_referer",' + '"rqUA":"$http_user_agent",' + '"rsB":"$body_bytes_sent",' + '"rsTook":"$request_time",' + '"phpTook":"$upstream_response_time"' + '}'; + +# Redirect http to https +server { + listen 80; + listen [::]:80; + server_name civi.gemeinwohl-gesellschaft.de; + # Allow "Well-Known URIs" as per RFC 5785 + location ^~ /.well-known/ { + try_files $uri 404; + } + return 301 https://civi.gemeinwohl-gesellschaft.de$request_uri; +} + +server { + listen 443 ssl; + server_name civi.gemeinwohl-gesellschaft.de; + # The docroot is the directory in which you find the index.php file. + # If you extract a zip file from the releases page, you'll see everything + # under a civicrm-standalone dir. You can rename it whatever you want + # (e.g. docroot or web or publicHtml are common) - it doesn't matter + # as long as the following path points to it. + root /srv/www/civi.gemeinwohl-gesellschaft.de; + + charset utf-8; + + #error_log /var/log/nginx/e_civi.log; + # or: + error_log /var/log/nginx/e_civi.log info; + + # access_log /var/log/nginx/a_civi.log jsonlog; + # or, without the jsonlog bit: + access_log /var/log/nginx/access.log; + + # @todo paths to your SSL here. (Or let certbot replace these for you.) + ssl_certificate /etc/letsencrypt/live/civi.gemeinwohl-gesellschaft.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/civi.gemeinwohl-gesellschaft.de/privkey.pem; + + # @todo You may want to limit the ssl_ciphers here. This is a moving target. + # https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + # Example at time of writing. 
+ # ssl_prefer_server_ciphers on; + # ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; + + # Say that we expect https for up to 1 year. + # @todo review + add_header Strict-Transport-Security max-age=31622400; + + fastcgi_keep_conn on; # keep alive to the FCGI upstream + index index.php; + + # Only accept expected http methods. + if ($not_an_allowed_http_method) { + return 405; + } + + # Note: nginx processes different types of 'location' block in priority order, + # somewhat regardless of the order they are declared here. To help a human reason this, + # the location blocks are mostly presented in priority order. + + # --------------------- + # Exact match locations + # --------------------- + + location = / { + include fastcgi.conf; + fastcgi_param SCRIPT_NAME /index.php; + fastcgi_param SCRIPT_FILENAME $document_root/index.php; + fastcgi_param QUERY_STRING q=$uri&$args; + fastcgi_pass php-fpm; + } + + location = /robots.txt { + try_files $uri 404; + # @todo consider: + # log_not_found off; + # access_log off; + } + + # --------------------- + # Longest prefix match locations. Identified by ^~ this is a plain-text match (not a regex!) + # --------------------- + + # All CiviCRM paths are under /civicrm/ (because CiviCRM also runs in CMS contexts and uses this as a namespace) + location ^~ /civicrm/ { + + # Some requests can be slow, we can allow them more time to run. + # Note that PHP FPM also has timeouts. 
If nginx's timeouts exceed PHP's + # then PHP will keep running after nginx gives up waiting for it. + location ~*^/civicrm/(dashboard/|contact/dedupefind|contact/import|activity/search|contribute/import|ajax/status\?|payment/ipn/\d+) { + fastcgi_index index.php; + include fastcgi.conf; + fastcgi_read_timeout 300s; + fastcgi_param SCRIPT_NAME /index.php; + fastcgi_param SCRIPT_FILENAME $document_root/index.php; + fastcgi_param QUERY_STRING q=$uri&$args; + fastcgi_pass php-fpm; + } + + # All requests go via Civi with the default read timeout. + fastcgi_index index.php; + include fastcgi.conf; + fastcgi_param SCRIPT_NAME /index.php; + fastcgi_param SCRIPT_FILENAME $document_root/index.php; + fastcgi_param QUERY_STRING q=$uri&$args; + fastcgi_pass php-fpm; + } + + # --------------------- + # Regex match locations (these are processed after longest-prefix) + # --------------------- + + # Allow access to reasonable assets shipped with core, extensions, or from the public dir. + # @todo do you need extra extensions here? + # @todo if, say, you want to allow downloading of .sql or .zip or .tar etc. files from /public + # then create a separate rule that covers strictly what you expect and nothing wider. + # You want to ensure that any files a developer might accidentally create/leave around + # like backups, sql dumps etc. are not world-accessible. + location ~ ^/(public|core|ext)/.*\.(png|css|jpg|js|mjs|json|webp|gif|ico|svg|woff2|html)$ { + # Return the file if it exists, or a 404 + try_files $uri 404; + } + + ## Allow direct access to running known PHP files in 'extern/' (deprecated) + location ~ ^/core/extern/(authorizeIPN|cxn|ipn|open|rest|soap|url|widget).php$ { + fastcgi_index index.php; + include fastcgi.conf; + fastcgi_pass php-fpm; + } + + + # @todo If you have migrated from Drupal7 and moved your images + # to the new location, you can use something like this which will + # allow requests to the old paths to serve the images from their new paths. 
+ # location /sites/default/files/civicrm/persist/contribute/images/ { + # alias /var/www/civi.gemeinwohl-gesellschaft.de/docroot/public/media/images/; + # } + + # Default location. + location / { + return 404; + } +} \ No newline at end of file diff --git a/templates.local/nginx/sites/cloud.gemeinwohl-gesellschaft.de b/templates.local/nginx/sites/cloud.gemeinwohl-gesellschaft.de new file mode 100644 index 0000000..5e67723 --- /dev/null +++ b/templates.local/nginx/sites/cloud.gemeinwohl-gesellschaft.de @@ -0,0 +1,29 @@ +server { + listen 80; + server_name cloud.gemeinwohl-gesellschaft.de collabora.gemeinwohl-gesellschaft.de wopiserver.gemeinwohl-gesellschaft.de traefik.gemeinwohl-gesellschaft.de; + include snippets/letsencrypt.conf; + root /srv/www/cloud.gemeinwohl-gesellschaft.de; + location / { + return 301 https://$server_name$request_uri; # enforce https + } +} + +server { + listen 443 ssl http2; + server_name cloud.gemeinwohl-gesellschaft.de collabora.gemeinwohl-gesellschaft.de wopiserver.gemeinwohl-gesellschaft.de traefik.gemeinwohl-gesellschaft.de; + access_log /var/log/nginx/a_cloud.log; + error_log /var/log/nginx/e_cloud.log; + + ssl_certificate /etc/letsencrypt/live/cloud.gemeinwohl-gesellschaft.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/cloud.gemeinwohl-gesellschaft.de/privkey.pem; + #ssl_certificate /etc/ssl/certs/cloud.gemeinwohl-gesellschaft.de.pem; + #ssl_certificate_key /etc/ssl/private/cloud.gemeinwohl-gesellschaft.de.key; + location / { + #proxy_pass https://0.0.0.0:9443; + proxy_pass https://127.0.0.1:9443; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } +} diff --git a/templates.local/nginx/sites/nest1.gemeinwohl-gesellschaft.de b/templates.local/nginx/sites/nest1.gemeinwohl-gesellschaft.de index 76ba089..0b01360 100644 --- a/templates.local/nginx/sites/nest1.gemeinwohl-gesellschaft.de 
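Review bot: This file and `templates.local/nginx/sites/civi.gemeinwohl-gesellschaft.de` both declare `server_name civi.gemeinwohl-gesellschaft.de` on port 80 and on port 443, so nginx will log `conflicting server name ... ignored` and serve only whichever file it includes first; which of the two configurations is live then depends on include order rather than on intent. The file name `civi.gemeinwohl-gesellschaft.org.de` looks like a typo of the `.de` name rather than a separate site, since every name inside it is `civi.gemeinwohl-gesellschaft.de`. I would keep one file (this one is the stricter of the two) and delete the other. Minor: this variant listens with `listen 443 ssl;` only, without the `[::]:443` and `http2` listeners the sibling has.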
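Review bot: `return 301 https://$server_name$request_uri;` in the port-80 server redirects every name to the first one of the `server_name` list, because `$server_name` expands to the first configured name, not the requested one; requests for `collabora.`, `wopiserver.` and `traefik.gemeinwohl-gesellschaft.de` therefore land on `https://cloud.gemeinwohl-gesellschaft.de/...`. Use the requested host instead: `return 301 https://$host$request_uri; # enforce https`. The 443 server presents only the `cloud.gemeinwohl-gesellschaft.de` certificate, so it presumably relies on the multi-name certificate playbook added in this commit covering all four names; worth confirming. If `traefik.gemeinwohl-gesellschaft.de` fronts the Traefik dashboard, consider whether that name needs to be reachable from the internet at all.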
+++ b/templates.local/nginx/sites/nest1.gemeinwohl-gesellschaft.de @@ -15,6 +15,7 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name nest1.gemeinwohl-gesellschaft.de; + access_log /var/log/nginx/a_nest1.log; error_log /var/log/nginx/e_nest1.log; diff --git a/templates.local/nginx/sites/seafile.gemeinwohl-gesellschaft.de b/templates.local/nginx/sites/seafile.gemeinwohl-gesellschaft.de new file mode 100644 index 0000000..d85681c --- /dev/null +++ b/templates.local/nginx/sites/seafile.gemeinwohl-gesellschaft.de @@ -0,0 +1,28 @@ +server { + listen 80; + server_name seafile.gemeinwohl-gesellschaft.de; + include snippets/letsencrypt.conf; + root /srv/www/seafile.gemeinwohl-gesellschaft.de; + location / { + return 301 https://$server_name$request_uri; # enforce https + } +} + +server { + listen 443 ssl http2; + server_name seafile.gemeinwohl-gesellschaft.de; + access_log /var/log/nginx/a_seafile.log; + error_log /var/log/nginx/e_seafile.log; + + ssl_certificate /etc/letsencrypt/live/seafile.gemeinwohl-gesellschaft.de/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/seafile.gemeinwohl-gesellschaft.de/privkey.pem; + #ssl_certificate /etc/ssl/certs/seafile.gemeinwohl-gesellschaft.de.pem; + #ssl_certificate_key /etc/ssl/private/seafile.gemeinwohl-gesellschaft.de.key; + location / { + proxy_pass http://127.0.0.1:8080; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } +} \ No newline at end of file diff --git a/templates.local/scripts/CreateSysInfo.conf b/templates.local/scripts/CreateSysInfo.conf new file mode 100644 index 0000000..cd58438 --- /dev/null +++ b/templates.local/scripts/CreateSysInfo.conf 
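Review bot: The port-443 server proxies to `http://127.0.0.1:8080` without setting `client_max_body_size`, so nginx's default limit of 1m rejects larger request bodies with 413 before they reach the proxied service; for a file-sharing front end that is likely to break uploads. Add `client_max_body_size 0;` (or the upload limit you intend) in the `location /` block, and consider a `proxy_read_timeout` above the default 60s for large transfers. The proxied service's own upload endpoint may need a separate location; that is not visible here and should be checked against its documentation.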
@@ -0,0 +1,15 @@
+# This file will be included into CreateSysInfo
+DIR_INFO=/srv/www/sys.info/nest1.gemeinwohl-gesellschaft.de
+# a blank separated list of mount points formatted with BTRFS, e.g. "/media/fs.cache /media/fs.system"
+BTRFS_FS=""
+# a blank separated list of devices that should be controlled by smartmon, e.g. 'sda sdb'
+SMART_MON_DEVS='sda'
+# set to yes if mdadm manages software raid devices
+HAS_SOFT_RAID=no
+MK_HOME_TAR=yes
+USE_ZFS=no
+# a blank separated list of "--exclude=" entries. That listed subdirs will not be saved in the TAR archive
+EXCLUDE_HOME="--exclude=jails"
+# each subdirectory of /home containing that file will not be saved as TAR archive
+TAG_FILE=.do.not.save.as.home
+
diff --git a/var/antispam.yaml b/var/antispam.yaml
deleted file mode 100644
index a890afc..0000000
--- a/var/antispam.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-# Ansible controlled: do not change on server
-dkim_domains: ["f-r-e-i.de"]
-dkim_opendkim_config_dir: /etc/opendkim
-dkim_config_file: /etc/opendkim.conf
-dkim_selector: "20250419"
-dkim_user: opendkim
-dkim_group: opendkim
-dkim_rsa_keylen: 2048
-dkim_socket_port: 12301
-
-dmarc_config_file: /etc/opendmarc.conf
-dmarc_config_dir: /etc/opendmarc
-dmarc_email_report: report.dmarc@hamatoma.de
-dmarc_user: opendmarc
-dmarc_group: opendmarc
diff --git a/var/common.yaml b/var/common.yaml
deleted file mode 100644
index 45bf7df..0000000
--- a/var/common.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-configuration_directory: /etc/ansknife
-remote_webapps_directory: "{{ configuration_directory }}/webapps.d"
-local_webapps_directory: "../webapps"
-remote_www_directory: "/home/www"
-systemd_journal_system_max_use: 200M
-systemd_journal_system_max_file_size: 50M
-postfix_host: "nest1.gemeinwohl-gesellschaft.de"
-postfix_domain: "gemeinwohl-gesellschaft.de"
-postfix_receipient_email: "nest1.mail@hamatoma.de"
-postfix_mode: email_forwarding
-webmaster_email: "nest1@hamatoma.de"
diff --git a/var/db.yaml b/var/db.yaml deleted file mode 100644 index e713d30..0000000 --- a/var/db.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -# Creation of the central password file: -# echo "top_secret_password" > resources/.vaults -# Creation of the encrypted vault file: -# ansible-vault encrypt_string --vault-password-file resources/.vault --name 'vault_dba_password' --stdin-name 'vault_dba_password' | tee var/vault_db.yaml -# Find the password file: ANSIBLE_VAULT_PASSWORD_FILE=resources/.vault -dba_name: dba -dba_password: "{{ vault_dba_password }}" \ No newline at end of file diff --git a/var/php.yaml b/var/php.yaml deleted file mode 100644 index 5bc552c..0000000 --- a/var/php.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -# php.yaml: -# Defines variables for the PHP role. -# This file is used to set up the PHP environment and configuration. -# needed variables: PHP_VERS - -php_packages: - - php{{PHP_VERS}}-common - - php{{PHP_VERS}}-curl - - php{{PHP_VERS}}-fpm - - php{{PHP_VERS}}-gd - - php{{PHP_VERS}}-igbinary - - php{{PHP_VERS}}-imagick - - php{{PHP_VERS}}-imap - - php{{PHP_VERS}}-intl - - php{{PHP_VERS}}-mbstring - - php{{PHP_VERS}}-memcached - - php{{PHP_VERS}}-msgpack - - php{{PHP_VERS}}-mysql - - php{{PHP_VERS}}-opcache - - php{{PHP_VERS}}-phpdbg - - php{{PHP_VERS}}-readline - - php{{PHP_VERS}}-redis - - php{{PHP_VERS}}-xdebug - - php{{PHP_VERS}}-xml - - php{{PHP_VERS}}-zip -php_additional_packages: - - redis-server - - imagemagick - -php_ini_settings: - - { section: "DEFAULT", option: "memory_limit", value: "512M" } - - { section: "DEFAULT", option: "upload_max_filesize", value: "512M" } - - { section: "DEFAULT", option: "max_file_uploads", value: 100 } - - { section: "DEFAULT", option: "post_max_size", value: "512M" } - - { section: "DEFAULT", option: "max_execution_time", value: 600 } - - { section: "DEFAULT", option: "max_input_time", value: 600 } - - { section: "DEFAULT", option: "default_socket_timeout", value: 600 } - - { section: "Session", option: "session.save_handler", value: "redis" } - - { section: "Session", option: "session.save_path", value: "tcp://127.0.0.1:6379" } - - { section: "opcache", option: "opcache.enable", value: 1 } - - { section: "opcache", option: "opcache.memory_consumption", value: 512 } - - { section: "opcache", option: "opcache.interned_strings_buffer", value: 256 } - diff --git a/var/ssl-certificate.yaml b/var/ssl-certificate.yaml deleted file mode 100644 index 2710dc9..0000000 --- a/var/ssl-certificate.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ ---- -# "/C=DE/ST=NRW/L=Bochum/O=IT/CN={{hostname}}" -ssl_country: DE -ssl_state: Bavaria -ssl_locality: Kempten -ssl_organization: 'Gemeinwohl-Gesellschaft e.V.' -ssl_lifetime: 365 -ssl_rsa_key_size: 2048 diff --git a/var/vault_db.yaml b/var/vault_db.yaml deleted file mode 100644 index 315a8bb..0000000 --- a/var/vault_db.yaml +++ /dev/null @@ -1 +0,0 @@ -vault_dba_password: {{ vault_state_infeos_net_db_password }} \ No newline at end of file diff --git a/var/vault_webapps.yaml b/var/vault_webapps.yaml deleted file mode 100644 index 76f37a9..0000000 --- a/var/vault_webapps.yaml +++ /dev/null @@ -1 +0,0 @@ -- vault_state_infeos_net_db_password: Sekret.Top \ No newline at end of file diff --git a/var/webapps.yaml b/var/webapps.yaml deleted file mode 100644 index aa7f0d2..0000000 --- a/var/webapps.yaml +++ /dev/null @@ -1,16 +0,0 @@ -webapps_list: - - webapp_name: 'nest1.gemeinwohl-gesellschaft.de' - db_name: '' - db_user: '' - db_password: '' - directory: '/srv/www/nest1.gemeinwohl-gesellschaft.de' - - webapp_name: 'wissen.gemeinwohl-gesellschaft.org' - db_name: 'mwwissen' - db_user: 'wissen' - db_password: 'NobodyKennts' - directory: '/srv/www/wissen.gemeinwohl-gesellschaft.org' - - webapp_name: 'zentrum.gemeinwohl-gesellschaft.org' - db_name: 'lrvzentrum' - db_user: 'lrvzentrum' - db_password: 'TopSecret' - directory: '/srv/www/zentrum.gemeinwohl-gesellschaft.org' diff --git a/vars/antispam.yaml b/vars/antispam.yaml new file mode 100644 index 0000000..a890afc --- /dev/null +++ b/vars/antispam.yaml @@ -0,0 +1,15 @@ +# Ansible controlled: do not change on server +dkim_domains: ["f-r-e-i.de"] +dkim_opendkim_config_dir: /etc/opendkim +dkim_config_file: /etc/opendkim.conf +dkim_selector: "20250419" +dkim_user: opendkim +dkim_group: opendkim +dkim_rsa_keylen: 2048 +dkim_socket_port: 12301 + +dmarc_config_file: /etc/opendmarc.conf +dmarc_config_dir: /etc/opendmarc +dmarc_email_report: report.dmarc@hamatoma.de +dmarc_user: opendmarc +dmarc_group: opendmarc 
diff --git a/vars/common.yaml b/vars/common.yaml new file mode 100644 index 0000000..1b744aa --- /dev/null +++ b/vars/common.yaml @@ -0,0 +1,12 @@ +configuration_directory: /etc/ansknife +remote_webapps_directory: "{{ configuration_directory }}/webapps.d" +local_webapps_directory: "../webapps" +remote_www_directory: "/home/www" +systemd_journal_system_max_use: 200M +systemd_journal_system_max_file_size: 50M +postfix_host: "nest1.gemeinwohl-gesellschaft.de" +postfix_domain: "gemeinwohl-gesellschaft.de" +postfix_receipient_email: "nest1.mail@hamatoma.de" +postfix_mode: email_forwarding +webmaster_email: "nest1@hamatoma.de" +seafile_user_id: 261 diff --git a/vars/mysql.yaml b/vars/mysql.yaml new file mode 100644 index 0000000..bf36680 --- /dev/null +++ b/vars/mysql.yaml @@ -0,0 +1,8 @@ +--- +# Creation of the central password file: +# echo "top_secret_password" > resources/.vaults +# Creation of the encrypted vault file: +# ansible-vault encrypt_string --vault-password-file resources/.vault --name 'dba_password_vault' --stdin-name 'dba_password_vault' | tee var/mysql_vault.yaml +# Find the password file: ANSIBLE_VAULT_PASSWORD_FILE=resources/.vault +dba_name: dba +dba_password: "{{ dba_password_vault }}" diff --git a/vars/mysql_vault.yaml b/vars/mysql_vault.yaml new file mode 100644 index 0000000..1d2e57c --- /dev/null +++ b/vars/mysql_vault.yaml @@ -0,0 +1,3 @@ +--- +# Passwords for mysql databases +dba_password_vault: "Never.Ever.47" diff --git a/vars/opencloud.yaml b/vars/opencloud.yaml new file mode 100644 index 0000000..fd2c426 --- /dev/null +++ b/vars/opencloud.yaml 
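Review bot: The header comment of `vars/mysql.yaml` still points at the old location: it tells the operator to `tee var/mysql_vault.yaml`, while this commit moves the vault file to `vars/mysql_vault.yaml`; the first line also writes the password file as `resources/.vaults` and the following lines read it as `resources/.vault`. Since these lines are the only documentation of the vault workflow, I would correct both, e.g. `# echo "top_secret_password" > resources/.vault` and `... | tee vars/mysql_vault.yaml`.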
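Review bot: `vars/mysql_vault.yaml` commits the DBA password in clear text (`dba_password_vault: "Never.Ever.47"`), although the comment in `vars/mysql.yaml` describes an `ansible-vault encrypt_string` workflow for exactly this value; the same applies to `ADMIN_PASSWORD=...` in `vars/opencloud.yaml`, the `db_password` entries in `vars/webapps.yaml`, and `vars/webapps_vault.yaml` later in this commit. Once a value has been in a reachable repository it should be treated as exposed: rotate each of these credentials and store the replacements as `!vault |` encrypted strings (the output of the documented `encrypt_string` command) or in a file that is encrypted as a whole with `ansible-vault encrypt`. A `.gitignore` entry for unencrypted `*_vault.yaml` files would stop this recurring.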
@@ -0,0 +1,19 @@
+# Configuration of opencloud
+
+opencloud_base: /opt
+opencloud_domain: gemeinwohl-gesellschaft.de
+opencloud_email: opencloud.hamatoma.de
+opencloud_config_file: "{{ opencloud_base}}/opencloud/deployments/examples/opencloud_full/.env"
+opencloud_port80: 9080
+opencloud_port443: 9443
+
+opencloud_configs:
+ "^(# )?INSECURE=true": "INSECURE=false"
+ "^TRAEFIK_DOMAIN=": "TRAEFIK_DOMAIN=traefik.{{ opencloud_domain }}"
+ "^OC_DOMAIN=": "OC_DOMAIN=cloud.{{ opencloud_domain }}"
+ "^COLLABORA_DOMAIN=": "COLLABORA_DOMAIN=collabora.{{ opencloud_domain }}"
+ "^WOPISERVER_DOMAIN=": "WOPISERVER_DOMAIN=wopiserver..{{ opencloud_domain }}"
+ "^ADMIN_PASSWORD=": "ADMIN_PASSWORD=FORR33alll.Guyss"
+ "^TRAEFIK_ACME_MAIL=": "TRAEFIK_ACME_MAIL={{ opencloud_email }}"
+ "^(# )?OC_CONFIG_DIR=": "OC_CONFIG_DIR={{ opencloud_base }}/opencloud_config"
+ "^(# )?OC_DATA_DIR=": "OC_DATA_DIR={{ opencloud_base }}/opencloud_data"
diff --git a/vars/php.yaml b/vars/php.yaml
new file mode 100644
index 0000000..13710c0
--- /dev/null
+++ b/vars/php.yaml
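Review bot: The `WOPISERVER_DOMAIN` replacement contains a double dot, `wopiserver..{{ opencloud_domain }}`, which renders to `wopiserver..gemeinwohl-gesellschaft.de`; that is not a valid host name and does not match the `wopiserver.gemeinwohl-gesellschaft.de` that the nginx site in this commit expects. Fix: `"^WOPISERVER_DOMAIN=": "WOPISERVER_DOMAIN=wopiserver.{{ opencloud_domain }}"`. `opencloud_email: opencloud.hamatoma.de` is a host name, not an address, yet it feeds `TRAEFIK_ACME_MAIL=`, so the ACME account registration will presumably be rejected; and `{{ opencloud_base}}` in `opencloud_config_file` is missing the space before the closing braces (harmless to Jinja, but inconsistent with the other expressions).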
@@ -0,0 +1,43 @@
+---
+# php.yaml:
+# Defines variables for the PHP role.
+# This file is used to set up the PHP environment and configuration.
+# needed variables: php_version
+
+php_packages:
+ - php{{ php_version }}-common
+ - php{{ php_version }}-curl
+ - php{{ php_version }}-fpm
+ - php{{ php_version }}-gd
+ - php{{ php_version }}-igbinary
+ - php{{ php_version }}-imagick
+ - php{{ php_version }}-imap
+ - php{{ php_version }}-intl
+ - php{{ php_version }}-mbstring
+ - php{{ php_version }}-memcached
+ - php{{ php_version }}-msgpack
+ - php{{ php_version }}-mysql
+ - php{{ php_version }}-opcache
+ - php{{ php_version }}-phpdbg
+ - php{{ php_version }}-readline
+ - php{{ php_version }}-redis
+ - php{{ php_version }}-xdebug
+ - php{{ php_version }}-xml
+ - php{{ php_version }}-zip
+php_additional_packages:
+ - redis-server
+ - imagemagick
+
+php_ini_settings:
+ - { section: "DEFAULT", option: "memory_limit", value: "512M" }
+ - { section: "DEFAULT", option: "upload_max_filesize", value: "512M" }
+ - { section: "DEFAULT", option: "max_file_uploads", value: 100 }
+ - { section: "DEFAULT", option: "post_max_size", value: "512M" }
+ - { section: "DEFAULT", option: "max_execution_time", value: 600 }
+ - { section: "DEFAULT", option: "max_input_time", value: 600 }
+ - { section: "DEFAULT", option: "default_socket_timeout", value: 600 }
+ - { section: "Session", option: "session.save_handler", value: "redis" }
+ - { section: "Session", option: "session.save_path", value: "tcp://127.0.0.1:6379" }
+ - { section: "opcache", option: "opcache.enable", value: 1 }
+ - { section: "opcache", option: "opcache.memory_consumption", value: 512 }
+ - { section: "opcache", option: "opcache.interned_strings_buffer", value: 256 }
diff --git a/vars/seafile.yaml b/vars/seafile.yaml
new file mode 100644
index 0000000..ee326c8
--- /dev/null
+++ b/vars/seafile.yaml
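Review bot: `php_packages` installs `php{{ php_version }}-xdebug` and `php{{ php_version }}-phpdbg` alongside the production runtime; if this host is the live server for the sites configured in this commit, a debugger extension adds attack surface and overhead that a web-facing FPM pool does not need. I would move the two into a separate list, e.g. `php_dev_packages:` with a comment `# debugging tools; install only on development hosts`, so the role can include them conditionally. The header comment correctly says `php_version` must be supplied elsewhere; noting the expected form (`"8.3"`, quoted so it is not parsed as a float) would save the next reader a lookup.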
@@ -0,0 +1,5 @@
+---
+# Configuration of seafile-server
+seafile_user: seafile
+seafile_version: "12.0"
+seafile_download_tar: https://s3.eu-central-1.amazonaws.com/download.seadrive.org/seafile-server_12.0.11_x86-64.tar.gz
diff --git a/vars/ssl-certificate.yaml b/vars/ssl-certificate.yaml
new file mode 100644
index 0000000..2710dc9
--- /dev/null
+++ b/vars/ssl-certificate.yaml
@@ -0,0 +1,8 @@
+---
+# "/C=DE/ST=NRW/L=Bochum/O=IT/CN={{hostname}}"
+ssl_country: DE
+ssl_state: Bavaria
+ssl_locality: Kempten
+ssl_organization: 'Gemeinwohl-Gesellschaft e.V.'
+ssl_lifetime: 365
+ssl_rsa_key_size: 2048
diff --git a/vars/users.yaml b/vars/users.yaml
new file mode 100644
index 0000000..46653f3
--- /dev/null
+++ b/vars/users.yaml
@@ -0,0 +1,10 @@
+---
+# human users
+user_humans:
+ wk: 1000
+ andreas: 1501
+
+# the following users can use sudo to receive root rights
+user_sudo_members:
+ - wk
+ - andreas
diff --git a/vars/webapps.yaml b/vars/webapps.yaml
new file mode 100644
index 0000000..6d2d285
--- /dev/null
+++ b/vars/webapps.yaml
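Review bot: `seafile_download_tar` pins a server tarball fetched from a third-party bucket but no expected digest accompanies it, so the playbook that consumes it (not visible here) can only trust whatever the URL serves. Add a `seafile_download_checksum: "sha256:<digest from the release page>"` variable next to it and pass it as the `checksum:` argument of `ansible.builtin.get_url`, which then refuses a tarball that does not match. Minor: `seafile_version: "12.0"` and the `12.0.11` in the URL name different versions; deriving the URL from a single `"12.0.11"` value would keep them from drifting.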
@@ -0,0 +1,38 @@ +--- +# Configuration data of the webapps +webapps_list: + - webapp_name: 'nest1.gemeinwohl-gesellschaft.de' + db_name: '' + db_type: 'none' + db_host: '' + db_user: '' + db_password: '' + directory: '/srv/www/nest1.gemeinwohl-gesellschaft.de' + - webapp_name: 'wissen.gemeinwohl-gesellschaft.org' + db_name: 'mwwissen' + db_type: 'myslq' + db_host: 'localhost' + db_user: 'wissen' + db_password: 'NobodyKennts' + directory: '/srv/www/wissen.gemeinwohl-gesellschaft.org' + - webapp_name: 'zentrum.gemeinwohl-gesellschaft.org' + db_name: 'lrvzentrum' + db_type: 'myslq' + db_host: 'localhost' + db_user: 'lrvzentrum' + db_password: 'TopSecret' + directory: '/srv/www/zentrum.gemeinwohl-gesellschaft.org' + - webapp_name: 'civi.gemeinwohl-gesellschaft.de' + db_name: 'civigwg' + db_type: 'mysql' + db_host: 'localhost' + db_user: 'civigwg' + db_password: 'NieUnd.Nimmer47' + directory: '/srv/www/civi.gemeinwohl-gesellschaft.de' + - webapp_name: 'seafile.gemeinwohl-gesellschaft.de' + db_name: '' + db_type: '' + db_host: '' + db_user: '' + db_password: 'NieUnd.Nimmer47' + directory: '/srv/www/seafile.gemeinwohl-gesellschaft.de' diff --git a/vars/webapps_vault.yaml b/vars/webapps_vault.yaml new file mode 100644 index 0000000..37379fe --- /dev/null +++ b/vars/webapps_vault.yaml @@ -0,0 +1,2 @@ +--- +- db_password: "Sekret.Top"
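Review bot: `db_type: 'myslq'` on the `wissen.` and `zentrum.` entries is a typo for `mysql`; the updated SaveDatabases script in this commit only dumps entries whose `db_type` equals `mysql`, so if these records end up in the sourced `.conf` files (which seems to be the intent), both databases silently drop out of the backup. Fix the two values to `db_type: 'mysql'`. The `seafile.` entry has an empty `db_type` and `db_host` but a non-empty `db_password`, which at least deserves a comment saying why; and since `db_type` now drives behaviour, a header comment listing the accepted values, e.g. `# db_type: none | mysql`, would prevent the next typo.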
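Review bot: `vars/webapps_vault.yaml` has a sequence at the top level (`- db_password: "Sekret.Top"`), and Ansible requires a vars file to be a mapping, so loading it via `vars_files` or `include_vars` will fail with a "must be a dictionary"-style error; presumably `db_password: "Sekret.Top"` without the leading dash was intended. The file also carries the value in clear text despite its `_vault` name; it should hold the `!vault |` encrypted form, as noted on `vars/mysql_vault.yaml`.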