Merge branch 'master' of ssh://dev.ccchb.de:2222/ccchb/ansible
This commit is contained in:
commit
faaa5c71a5
23 changed files with 616 additions and 0 deletions
@ -17,4 +17,10 @@ user_mgmt_default:
|
||||||
ssh_key:
|
ssh_key:
|
||||||
present:
|
present:
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEay33koXmcBcrDuCQKkCBlw/gKiPtwLswATPqIR7udl fritz@fluorine.grimpen.net"
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEay33koXmcBcrDuCQKkCBlw/gKiPtwLswATPqIR7udl fritz@fluorine.grimpen.net"
|
||||||
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEyVVwh0cUPxZ/wwRsB8YRsQE/cxjEX6gomS7EPArXuX fritz@NaOH"
|
||||||
|
absent: []
|
||||||
|
deelkar:
|
||||||
|
ssh_key:
|
||||||
|
present:
|
||||||
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBz7TX/Nm+tE/8RZ2XLuboFWUmBR0oCD0yTaRm2NILm3 deelkar@artena"
|
||||||
absent: []
|
absent: []
|
||||||
|
|
|
@ -27,6 +27,8 @@ haproxy_http:
|
||||||
addr: '2a01:4f8:150:926f::11'
|
addr: '2a01:4f8:150:926f::11'
|
||||||
- host: 'embassy.ccchb.de'
|
- host: 'embassy.ccchb.de'
|
||||||
addr: '2a01:4f8:150:926f::11'
|
addr: '2a01:4f8:150:926f::11'
|
||||||
|
- host: 'jabber.ccchb.de'
|
||||||
|
addr: '2a01:4f8:150:926f::13'
|
||||||
|
|
||||||
haproxy_sni:
|
haproxy_sni:
|
||||||
- host: 'ccchb.de'
|
- host: 'ccchb.de'
|
||||||
|
@ -45,6 +47,8 @@ haproxy_sni:
|
||||||
addr: '2a01:4f8:150:926f::11'
|
addr: '2a01:4f8:150:926f::11'
|
||||||
- host: 'embassy.ccchb.de'
|
- host: 'embassy.ccchb.de'
|
||||||
addr: '2a01:4f8:150:926f::11'
|
addr: '2a01:4f8:150:926f::11'
|
||||||
|
- host: 'jabber.ccchb.de'
|
||||||
|
addr: '2a01:4f8:150:926f::13'
|
||||||
|
|
||||||
bhyve_ipv4: 10.0.0.0
|
bhyve_ipv4: 10.0.0.0
|
||||||
bhyve_ipv6: 2a01:4f8:150:926f::4
|
bhyve_ipv6: 2a01:4f8:150:926f::4
|
||||||
|
@ -165,3 +169,19 @@ bhyve_guests:
|
||||||
volblocksize: 64k
|
volblocksize: 64k
|
||||||
primarycache: metadata
|
primarycache: metadata
|
||||||
|
|
||||||
|
- name: jabber
|
||||||
|
index: 7
|
||||||
|
enabled: true
|
||||||
|
ram: 1G
|
||||||
|
cpus: 1
|
||||||
|
image: debian-10.5.0-amd64-netinst.iso
|
||||||
|
password: foobar
|
||||||
|
order:
|
||||||
|
- DISKS
|
||||||
|
disks:
|
||||||
|
- name: disk
|
||||||
|
properties:
|
||||||
|
volsize: 32g
|
||||||
|
volblocksize: 64k
|
||||||
|
primarycache: metadata
|
||||||
|
|
||||||
|
|
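Review bot: The new guest entry starting at `- name: jabber` carries a literal `password: foobar` in a variables file checked into git; whatever the bhyve role does with that field (the consumer is not in this hunk, an installer or console password presumably), a trivially guessable secret in VCS is the thing to fix before the VM is reachable on `2a01:4f8:150:926f::13`. Reference a vaulted variable instead, e.g. `password: "{{ vault_bhyve_jabber_password }}"`, and rotate the value on the guest if it was ever applied. The other guest entries in this file lie outside the hunk, so I cannot tell whether they follow the same pattern.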
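--- /dev/null
+++ b/host_vars/jabber.emma.ccchb.de.yml
@@ -0,0 +1,12 @@
+vm_index: 7
+
+user_mgmt:
+  crest:
+    state: present
+    groups: sudo
+  genofire:
+    state: present
+    groups: sudo
+  fritz:
+    state: present
+    groups: sudo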
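--- /dev/null
+++ b/host_vars/wiki.emma.ccchb.de.yml
@@ -0,0 +1,18 @@
+vm_index: 6
+
+user_mgmt:
+  crest:
+    state: present
+    groups: sudo
+  genofire:
+    state: present
+    groups: sudo
+  fritz:
+    state: present
+    groups: sudo
+
+certbot_certs:
+  - [ "wiki.ccchb.de" ]
+  - [ "ccchb.de", "www.ccchb.de" ]
+  - [ "files.ccchb.de" ]
+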
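Review bot: `certbot_certs` asks this host to validate `ccchb.de`, `www.ccchb.de` and `files.ccchb.de`, but the only nginx vhost the commit gives the wiki host has `server_name wiki.ccchb.de` and listens on 443 only, so with the role default `certbot_method: webroot` the HTTP-01 requests for the other names must reach `/var/www/html` on this VM over port 80 through haproxy and default-site routing that is not part of this diff. If that path is missing the first `certbot certonly` run fails for those lineages and the loop in the certbot role retries on every play. Either confirm the port-80 route for each name in a comment here, or move those certificates to the host that actually serves them.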
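--- /dev/null
+++ b/hosts/10_jabber
@@ -0,0 +1,2 @@
+[jabber]
+jabber.emma.ccchb.de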
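--- /dev/null
+++ b/hosts/10_wiki
@@ -0,0 +1,2 @@
+[wiki]
+wiki.emma.ccchb.de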
|
@ -4,3 +4,5 @@ dn42.emma.ccchb.de
|
||||||
[debian:children]
|
[debian:children]
|
||||||
nextcloud
|
nextcloud
|
||||||
gitea
|
gitea
|
||||||
|
wiki
|
||||||
|
jabber
|
||||||
|
|
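--- /dev/null
+++ b/roles/certbot/defaults/main.yml
@@ -0,0 +1,11 @@
+---
+certbot_admin_email: hostmaster@ccchb.de
+
+certbot_package: letsencrypt
+
+certbot_method: webroot
+certbot_webroot: /var/www/html
+
+certbot_certs: []
+
+certbot_renew: true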
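Review bot: `certbot_renew: true` is declared but nothing in the role's task file reads it, so toggling it changes nothing; either wire it into the timer task as `enabled: "{{ certbot_renew }}"` or drop the variable. `certbot_package: letsencrypt` names what is, on current Debian releases, a transitional package that merely depends on `certbot`; installing `certbot` directly avoids relying on that alias surviving. A one-line comment that `certbot_admin_email` is what receives expiry warnings and is accepted with `--agree-tos` on every run would help the next maintainer.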
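--- /dev/null
+++ b/roles/certbot/tasks/main.yml
@@ -0,0 +1,22 @@
+---
+- name: Enable certbot timer.
+  systemd:
+    name: certbot.timer
+    enabled: yes
+
+- name: Install certbot.
+  package:
+    name: "{{ certbot_package }}"
+    state: present
+
+- name: Check for presence of certificates.
+  stat:
+    path: "/etc/letsencrypt/live/{{ item | first | replace(\"*.\", \"\") }}/cert.pem"
+  register: certs_presence
+  loop: "{{ certbot_certs }}"
+
+- name: Obtain certificates.
+  include_tasks: 'obtain_{{ certbot_method }}.yml'
+  when: not item.stat.exists
+  loop: "{{ certs_presence.results }}"
+...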
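Review bot: `Enable certbot timer.` runs before `Install certbot.`, so on a fresh host the `systemd` module fails because `certbot.timer` does not exist yet; move the timer task below the package task and write `enabled: true` rather than `enabled: yes`. `include_tasks: 'obtain_{{ certbot_method }}.yml'` builds the filename from a variable for which only `webroot` and `standalone` exist, so a mistyped method only fails inside the loop on a host that is missing a certificate — an `assert` on `certbot_method in ['webroot', 'standalone']` at the top of the file fails early instead. The stat check keys on `item | first` with a leading `*.` stripped, which matches certbot's lineage naming; a comment saying so would save the next reader a trip to the certbot docs.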
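--- /dev/null
+++ b/roles/certbot/tasks/obtain_standalone.yml
@@ -0,0 +1,4 @@
+---
+- name: "Obtain certificate for {{ item.item | join(',') }}"
+  command: "certbot certonly --agree-tos -m {{ certbot_admin_email | quote }} -d {{ item.item | join(',') }} --standalone"
+...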
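Review bot: The `command:` line has no `--non-interactive`, so whenever certbot wants to ask something (its EFF mailing-list prompt when `-m` is given without `--eff-email`/`--no-eff-email`, or a terms re-confirmation) it blocks or aborts under Ansible's tty-less run; change it to `command: "certbot certonly --non-interactive --agree-tos --no-eff-email -m {{ certbot_admin_email | quote }} -d {{ item.item | join(',') | quote }} --standalone"`. That also adds `| quote` to the `-d` value, which is the only templated argument on the line not quoted like its neighbours. `--standalone` binds port 80 itself, so this method can only work on a host where nothing else listens there — worth stating in the task name or a comment.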
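--- /dev/null
+++ b/roles/certbot/tasks/obtain_webroot.yml
@@ -0,0 +1,4 @@
+---
+- name: "Obtain certificate for {{ item.item | join(',') }}"
+  command: "certbot certonly --agree-tos -m {{ certbot_admin_email | quote }} -d {{ item.item | join(',') }} --webroot -w {{ certbot_webroot | quote }}"
+...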
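Review bot: Same gap as the standalone variant: the `certbot certonly ... --webroot -w` command needs `--non-interactive` (and `--no-eff-email`) so a prompt cannot hang the play, and `{{ item.item | join(',') }}` should be passed through `| quote` like the e-mail and webroot next to it. With `--webroot`, certbot relies on an HTTP server on port 80 serving `{{ certbot_webroot }}/.well-known/acme-challenge/`; the nginx vhosts added in this commit only `listen 443`, so the method depends on a port-80 default site that is not in the diff — a comment naming that dependency would make the failure mode obvious when it bites.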
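--- /dev/null
+++ b/roles/certbot/templates/certbot.conf.j2
@@ -0,0 +1,4 @@
+location /.well-known/acme-challenge/ {
+    alias {{ certbot_webroot }}/.well-known/acme-challenge/;
+    allow all;
+}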
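Review bot: This template is never rendered by any task in `roles/certbot/tasks/main.yml` (the visible tasks are timer, package, stat and obtain), yet both new nginx site templates end with `include snippets/certbot.conf;`, so `nginx -t` fails with a missing include on any host where the snippet was not placed by hand. Add a template task to the certbot role so the path it advertises actually exists, and have it notify an nginx reload once the role grows a handler for that.
```yaml
- name: Install ACME challenge snippet for nginx.
  template:
    src: certbot.conf.j2
    dest: /etc/nginx/snippets/certbot.conf
    mode: '0644'
  when: certbot_method == 'webroot'
```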
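--- /dev/null
+++ b/roles/mediawiki/defaults/main.yml
@@ -0,0 +1,46 @@
+---
+mediawiki_domain: wiki.ccchb.de
+
+mediawiki_webroot: /var/www/wiki.ccchb.de/webroot
+mediawiki_path: /w
+
+mediawiki_extensions:
+  - CategoryTree
+  - ParserFunctions
+  - PdfHandler
+  - Renameuser
+  - Interwiki
+  - ConfirmEdit
+  - ConfirmEdit/QuestyCaptcha
+  - WikiEditor
+  - MobileFrontend
+
+mediawiki_skins:
+  - MonoBook
+  - Timeless
+  - Vector
+  - MinervaNeue
+
+mediawiki_sitename: "CCC Bremen"
+
+mediawiki_email: "webmaster@ccchb.de"
+
+mediawiki_install_nginx: true
+mediawiki_php_socket: "unix:/run/php/php7.3-fpm.sock"
+
+mediawiki_nginx_conf: |
+  listen [::]:443 ssl http2;
+  listen 443 ssl http2;
+
+  server_name {{ mediawiki_domain }};
+
+  root {{ mediawiki_webroot }};
+
+  ssl_certificate /etc/letsencrypt/live/{{ mediawiki_domain }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/{{ mediawiki_domain }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ mediawiki_domain }}/chain.pem;
+
+  client_max_body_size 100M;
+
+  include snippets/certbot.conf;
+...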
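Review bot: `mediawiki_nginx_conf` sets `ssl_trusted_certificate` but never enables OCSP stapling and pins no `ssl_protocols`, so the vhost inherits nginx's compiled-in default, which on the nginx version Debian 10 ships still admits TLSv1 and TLSv1.1; add `ssl_protocols TLSv1.2 TLSv1.3;`, `ssl_stapling on;` and `ssl_stapling_verify on;` next to the certificate lines. The block has only `listen ... 443` directives, so plain-HTTP visitors get nothing and the ACME snippet it includes is reachable over TLS only — a port-80 server that redirects to HTTPS belongs either here or in nginx.j2. Both certificate paths are derived from `mediawiki_domain`, so the host's `certbot_certs` entry must lead with exactly that name for `/etc/letsencrypt/live/{{ mediawiki_domain }}` to exist; a comment on the variable would make that coupling visible.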
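--- /dev/null
+++ b/roles/mediawiki/tasks/main.yml
@@ -0,0 +1,21 @@
+---
+- name: Configure Mediawiki
+  template:
+    src: LocalSettings.php.j2
+    dest: "{{ mediawiki_webroot }}/{{ mediawiki_path }}/LocalSettings.php"
+    owner: www-data
+    group: www-data
+    mode: '0600'
+
+- name: Install nginx site
+  template:
+    src: nginx.j2
+    dest: /etc/nginx/sites-available/{{ mediawiki_domain }}
+  when: mediawiki_install_nginx
+
+- name: Activate site {{ mediawiki_install_nginx }}
+  file:
+    src: /etc/nginx/sites-available/{{ mediawiki_domain }}
+    dest: /etc/nginx/sites-enabled/{{ mediawiki_domain }}
+  when: mediawiki_install_nginx
+...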
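Review bot: The `Activate site` task calls the `file` module with `src`/`dest` but no `state: link`, so Ansible falls back to `state: file` and, because `/etc/nginx/sites-enabled/{{ mediawiki_domain }}` does not exist yet, fails with "is absent, cannot continue" instead of creating the symlink; add `state: link`, as the prosody role's twin task does. Its name renders as `Activate site True` because it interpolates `mediawiki_install_nginx` where `mediawiki_domain` was meant. Neither nginx task notifies a reload and this role ships no handlers, so the vhost is written but not loaded until something else restarts nginx; and `dest` on the LocalSettings task joins `{{ mediawiki_webroot }}/{{ mediawiki_path }}` into a double slash, harmless on Linux but cleaner as `{{ mediawiki_webroot }}{{ mediawiki_path }}/LocalSettings.php`.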
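--- /dev/null
+++ b/roles/mediawiki/templates/LocalSettings.php.j2
@@ -0,0 +1,115 @@
+<?php
+## {{ ansible_managed }}
+
+$wgSitename = "{{ mediawiki_sitename }}";
+
+$wgScriptPath = "/w";
+$wgArticlePath = "/wiki/$1";
+$wgUsePathInfo = true;
+
+$wgResourceBasePath = $wgScriptPath;
+
+$wgEnableEmail = true;
+$wgEnableUserEmail = true;
+
+$wgEmergencyContact = "{{ mediawiki_email }}";
+$wgPasswordSender = "{{ mediawiki_email }}";
+
+## For a detailed description of the following switches see
+## http://www.mediawiki.org/wiki/Extension:Email_notification
+## and http://www.mediawiki.org/wiki/Extension:Email_notification
+## There are many more options for fine tuning available see
+## /includes/DefaultSettings.php
+## UPO means: this is also a user preference option
+$wgEnotifUserTalk = true; # UPO
+$wgEnotifWatchlist = true; # UPO
+$wgEmailAuthentication = true;
+
+## Database secrets managed outside Ansible
+require 'LocalSettings_secrets.php';
+
+## Shared memory settings
+$wgMainCacheType = CACHE_NONE;
+$wgMemCachedServers = array();
+
+## To enable image uploads, make sure the 'images' directory
+## is writable, then set this to true:
+$wgEnableUploads = true;
+$wgUseImageMagick = true;
+$wgImageMagickConvertCommand = "/usr/bin/convert";
+
+## If you want to use image uploads under safe mode,
+## create the directories images/archive, images/thumb and
+## images/temp, and make them all writable. Then uncomment
+## this, if it's not already uncommented:
+# $wgHashedUploadDirectory = false;
+
+# to work with safe mode (as by https://www.mediawiki.org/wiki/Safe_mode)
+# $wgFileStore['deleted']['hash'] = 0;
+# $wgLocaltimezone = "Europe/Berlin";
+# generate Thumbs on _every_ client request (NOTE this is a bad idea)
+# $wgThumbnailScriptPath = "{$wgScriptPath}/thumb.php";
+
+## If you have the appropriate support software installed
+## you can enable inline LaTeX equations:
+$wgUseTeX = false;
+
+$wgLocalInterwiki = $wgSitename;
+
+$wgLanguageCode = "de";
+
+## Default skin: you can change the default skin. Use the internal symbolic
+## names, ie 'standard', 'nostalgia', 'cologneblue', 'monobook':
+$wgDefaultSkin = 'vector';
+$wgLogo = '/w/images/3/3b/Ccchb_wiki.png';
+
+## For attaching licensing metadata to pages, and displaying an
+## appropriate copyright notice / icon. GNU Free Documentation
+## License and Creative Commons licenses are supported so far.
+$wgEnableCreativeCommonsRdf = true;
+$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
+$wgRightsUrl = "http://www.gnu.org/copyleft/fdl.html";
+$wgRightsText = "GNU Free Documentation License 1.2";
+$wgRightsIcon = "${wgScriptPath}/skins/common/images/gnu-fdl.png";
+# $wgRightsCode = "gfdl"; # Not yet used
+
+$wgFileExtensions = [ 'png', 'gif', 'jpg', 'jpeg', 'webp', 'svg', 'pdf', 'ai' ];
+
+{% for extension in mediawiki_extensions %}
+wfLoadExtension( "{{ extension }}" );
+{% endfor %}
+
+{% for skin in mediawiki_skins %}
+wfLoadSkin( "{{ skin }}" );
+{% endfor %}
+
+$wgServer = "https://wiki.ccchb.de";
+
+$wgNamespacesWithSubpages[NS_MAIN] = true;
+
+$wgMFDefaultSkinClass = 'SkinMinerva';
+
+$wgDiff3 = "/usr/bin/diff3";
+
+$wgSVGConverter = 'rsvg';
+
+$wgRestrictionLevels[] = 'legal';
+
+$wgGroupPermissions['*']['edit'] = false;
+$wgGroupPermissions['user']['writeapi'] = true;
+$wgGroupPermissions['vorstand']['legal'] = true;
+
+$wgCaptchaClass = 'QuestyCaptcha';
+
+$wgCaptchaQuestions[] = array( 'question' => 'Die Antwort auf die Frage nach dem Leben, dem Universum und allem?', 'answer' => '42' );
+$wgCaptchaQuestions[] = array( 'question' => 'Wie lautet der Kurzname dieses Vereins?', 'answer' => 'CCCHB' );
+$wgCaptchaQuestions[] = array( 'question' => 'Gib einfach das Wort Passion ein (kleingeschrieben):', 'answer' => 'passion' );
+$wgCaptchaQuestions[] = array( 'question' => 'Gib bitte Fünfhundertsiebenundsechzig als Zahl ein:', 'answer' => '567' );
+$wgCaptchaQuestions[] = array( 'question' => 'An welchem Wochentag treffen wir uns regelmäßig?', 'answer' => 'Dienstag' );
+$wgCaptchaQuestions[] = array( 'question' => 'Der erste Congress im CCH (2012)', 'answer' => '29c3' );
+$wgCaptchaQuestions[] = array( 'question' => 'Der letzte Congress im bcc (2011)', 'answer' => '28c3' );
+$wgCaptchaQuestions[] = array( 'question' => 'Wie kürzt man Erfahrungsaustauschkreis in 4 Buchstaben ab? (alles großgeschrieben)', 'answer' => 'ERFA' );
+
+$wgShowExceptionDetails = true;
+$wgShowDBErrorBacktrace = true;
+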
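Review bot: `$wgShowExceptionDetails = true;` and `$wgShowDBErrorBacktrace = true;` at the end of the template put stack traces, filesystem paths and database error text on public error pages, which on a wiki anyone can read is an information leak; default them off and gate them on a role variable, e.g. `$wgShowExceptionDetails = {{ mediawiki_debug | default(false) | lower }};` and the same for the backtrace flag. Keeping DB credentials in `LocalSettings_secrets.php` via `require` is the right split, but the `0600`/`www-data` mode the task applies covers only this file — the secrets file needs the same treatment somewhere. `$wgScriptPath = "/w"`, `$wgLogo = '/w/...'` and `$wgServer = "https://wiki.ccchb.de"` hard-code values the role already exposes as `mediawiki_path` and `mediawiki_domain`; templating them keeps this file and nginx.j2 from drifting apart.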
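--- /dev/null
+++ b/roles/mediawiki/templates/nginx.j2
@@ -0,0 +1,58 @@
+# {{ ansible_managed }}
+
+server {
+    {{ mediawiki_nginx_conf }}
+
+    location ~ ^{{ mediawiki_path }}/(index|load|api|thumb|opensearch_desc|rest|img_auth)\.php$ {
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass {{ mediawiki_php_socket }};
+    }
+
+    # Images
+    location {{ mediawiki_path }}/images {
+        # Separate location for images/ so .php execution won't apply
+    }
+    location {{ mediawiki_path }}/images/deleted {
+        # Deny access to deleted images folder
+        deny all;
+    }
+    # MediaWiki assets (usually images)
+    location ~ ^{{ mediawiki_path }}/resources/(assets|lib|src) {
+        try_files $uri 404;
+        add_header Cache-Control "public";
+        expires 7d;
+    }
+    # Assets, scripts and styles from skins and extensions
+    location ~ ^{{ mediawiki_path }}/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg|png|svg|wasm)$ {
+        try_files $uri 404;
+        add_header Cache-Control "public";
+        expires 7d;
+    }
+    # Favicon
+    location = /favicon.ico {
+        add_header Cache-Control "public";
+        expires 7d;
+    }
+
+    location {{ mediawiki_path }}/rest.php/ {
+        try_files $uri $uri/ {{ mediawiki_path }}/rest.php?$query_string;
+    }
+
+    # Handling for the article path (pretty URLs)
+    location /wiki/ {
+        rewrite ^/wiki/(?<pagename>.*)$ {{ mediawiki_path }}/index.php;
+    }
+
+    # Allow robots.txt in case you have one
+    location = /robots.txt {
+    }
+    # Explicit access to the root website, redirect to main page (adapt as needed)
+    location = / {
+        return 301 /wiki/Hauptseite;
+    }
+
+    location / {
+        return 404;
+    }
+}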
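Review bot: The PHP location `location ~ ^{{ mediawiki_path }}/(index|load|api|thumb|opensearch_desc|rest|img_auth)\.php$` sets only `SCRIPT_FILENAME` after `include fastcgi_params`, so a client-supplied `Proxy:` request header reaches PHP as the `HTTP_PROXY` environment variable (the httpoxy issue) and can redirect MediaWiki's outbound HTTP calls; add `fastcgi_param HTTP_PROXY "";` beside it, and `try_files $uri =404;` so a missing script is answered by nginx instead of being handed to PHP-FPM. As the vhost is TLS-only, `add_header Strict-Transport-Security "max-age=31536000" always;` also belongs here. `{{ mediawiki_path }}` is interpolated unescaped into the regex locations, which is fine for `/w` but would break on a path containing regex metacharacters — worth a comment on the variable.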
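--- /dev/null
+++ b/roles/prosody/defaults/main.yml
@@ -0,0 +1,57 @@
+---
+prosody_domain: "jabber.ccchb.de"
+prosody_ssl_cert: "/etc/letsencrypt/live/{{ prosody_domain }}/fullchain.pem"
+prosody_ssl_key: "/etc/letsencrypt/live/{{ prosody_domain }}/privkey.pem"
+prosody_allow_registration: false
+prosody_modules:
+  - roster
+  - saslauth
+  - tls
+  - dialback
+  - disco
+  - private
+  - bookmarks
+  - vcard
+  - proxy65
+  - legacyauth
+  - version
+  - uptime
+  - time
+  - ping
+  - pep
+  - register
+  - adhoc
+  - admin_adhoc
+  - posix
+  - bosh
+  - websocket
+  - groups
+  - announce
+  - watchregistrations
+  - blocking
+  - smacks
+  - carbons
+  - cloud_notify
+  - csi
+  - mam
+  - filter_chatstates
+  - throttle_presence
+  - http_upload
+  - turncredentials
+  - vcard_legacy
+
+prosody_nginx_install: true
+prosody_nginx_conf: |
+  listen [::]:443 ssl http2;
+  listen 443 ssl http2;
+
+  server_name {{ prosody_domain }};
+
+  root /var/www/html;
+
+  ssl_certificate {{ prosody_ssl_cert }};
+  ssl_certificate_key {{ prosody_ssl_key }};
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ prosody_domain }}/chain.pem;
+
+  include snippets/certbot.conf;
+...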
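Review bot: `prosody_modules` loads `legacyauth` (XEP-0078 non-SASL authentication, which carries the password in the clear inside the stream and predates any channel binding) next to `saslauth`; unless a client still in use needs it, drop it from the default list, and put a comment on `register`/`watchregistrations` saying they are loaded deliberately while `prosody_allow_registration: false` keeps in-band registration closed. `prosody_nginx_conf` repeats the wiki block's gaps — `ssl_trusted_certificate` without `ssl_stapling on;`, no `ssl_protocols`, and `listen` on 443 only — so the same three directives belong here. `root /var/www/html` doubles as the certbot webroot, which is fine as long as nothing else is dropped into that directory.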
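--- /dev/null
+++ b/roles/prosody/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload nginx
+  systemd:
+    name: nginx
+    state: reloaded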
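--- /dev/null
+++ b/roles/prosody/tasks/main.yml
@@ -0,0 +1,21 @@
+---
+- name: Install prosody http site
+  template:
+    src: nginx.j2
+    dest: "/etc/nginx/sites-available/{{ prosody_domain }}"
+  when: prosody_nginx_install
+
+- name: Enable prosody http site
+  notify: reload nginx
+  file:
+    src: /etc/nginx/sites-available/{{ prosody_domain }}
+    dest: /etc/nginx/sites-enabled/{{ prosody_domain }}
+    state: link
+  when: prosody_nginx_install
+
+- name: Configure prosody
+  template:
+    src: prosody.cfg.lua.j2
+    dest: /etc/prosody/prosody_test.cfg.lua
+
+...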
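Review bot: `Configure prosody` renders a template that contains the TURN shared secret and the admin list to `/etc/prosody/prosody_test.cfg.lua` with no `owner`/`group`/`mode`, so under the default umask it lands world-readable; and since prosody reads `prosody.cfg.lua` unless told otherwise, the rendered file is not even the active configuration, and nothing notifies a prosody restart. Write it to the real path with a restricted mode and a restart handler (the handlers file currently knows only `reload nginx`), or keep the `_test` name but say in a comment that it is intentionally inert. `Install prosody http site` should also `notify: reload nginx`, as the link task already does.
```yaml
- name: Configure prosody
  template:
    src: prosody.cfg.lua.j2
    dest: /etc/prosody/prosody.cfg.lua
    owner: root
    group: prosody
    mode: '0640'
  notify: restart prosody
```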
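--- /dev/null
+++ b/roles/prosody/templates/nginx.j2
@@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+
+server {
+    {{ prosody_nginx_conf }}
+
+    location /http-bind {
+        proxy_pass http://127.0.0.1:5280/http-bind;
+    }
+
+    location /xmpp-websocket {
+        proxy_pass http://127.0.0.1:5280/xmpp-websocket;
+    }
+
+    location /upload {
+        proxy_set_header Host {{ prosody_domain }};
+        proxy_pass http://127.0.0.1:5280/upload;
+    }
+}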
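Review bot: `location /xmpp-websocket` proxies with a bare `proxy_pass` and no upgrade headers, so nginx talks HTTP/1.0 to Prosody and drops `Upgrade`/`Connection`, and the WebSocket handshake never completes; it needs `proxy_http_version 1.1;`, `proxy_set_header Upgrade $http_upgrade;` and `proxy_set_header Connection "upgrade";`, plus a `proxy_read_timeout` well above the 60 s default so idle sessions are not cut. All three locations should forward `Host` and `X-Forwarded-For`/`X-Forwarded-Proto`, otherwise Prosody sees every client as 127.0.0.1 for logging and rate-limiting and may build URLs for the wrong origin (`http_external_url` in the Lua template covers uploads but not BOSH/WebSocket); today only `/upload` sets `Host`.
```nginx
location /xmpp-websocket {
    proxy_pass http://127.0.0.1:5280/xmpp-websocket;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_read_timeout 900s;
}
```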
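--- /dev/null
+++ b/roles/prosody/templates/prosody.cfg.lua.j2
@@ -0,0 +1,160 @@
+-- Prosody XMPP Server Configuration
+-- {{ ansible_managed }}
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see http://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { "deelkar@jabber.ccchb.de", "freak@jabber.ccchb.de", "jali@jabber.ccchb.de" }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: http://prosody.im/doc/libevent
+use_libevent = false;
+
+plugin_paths = { "/opt/prosody-modules" }
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation on modules can be found at: http://prosody.im/doc/modules
+modules_enabled = {
+{% for module in prosody_modules %}
+    "{{ module }}";
+{% endfor %}
+};
+
+-- These modules are auto-loaded, should you
+-- (for some mad reason) want to disable
+-- them then uncomment them below
+modules_disabled = {
+    -- "presence"; -- Route user/contact status information
+    -- "message"; -- Route messages
+    -- "iq"; -- Route info queries
+    -- "offline"; -- Store offline messages
+};
+
+-- Disable account creation by default, for security
+-- For more information see http://prosody.im/doc/creating_accounts
+allow_registration = {{ prosody_allow_registration }};
+
+-- These are the SSL/TLS-related settings. If you don't want
+-- to use SSL/TLS, you may comment or remove this
+-- *** DUMMY CERT *** DO NOT CHANGE *** SET CERT IN HOST SECTION ***
+ssl = {
+    protocol = "sslv23";
+    key = "{{ prosody_ssl_key }}";
+    certificate = "{{ prosody_ssl_cert }}";
+    dhparam = "/etc/prosody/certs/dh-2048.pem";
+    options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };
+    ciphers = "ECDH:DH:HIGH+kEDH:HIGH+kEECDH:HIGH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM";
+}
+legacy_ssl_ports = { 5223 }
+http_external_url = "https://{{ prosody_domain }}/"
+
+-- Only allow encrypted streams? Encryption is already used when
+-- available. These options will cause Prosody to deny connections that
+-- are not encrypted. Note that some servers do not support s2s
+-- encryption or have it disabled, including gmail.com and Google Apps
+-- domains.
+
+--c2s_require_encryption = false
+--s2s_require_encryption = false
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+-- To allow Prosody to offer secure authentication mechanisms to clients, the
+-- default provider stores passwords in plaintext. If you do not trust your
+-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
+-- for information about using the hashed backend.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See http://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- STUN/TURN
+--turncredentials_host = "jabber.emma.ccchb.de"
+turncredentials_host = "einstein.cskreie.de"
+turncredentials_secret = "gabbagabbahey"
+
+
+-- HTTP-UPLOAD
+http_upload_file_size_limit = 10485760 -- 10M
+http_max_content_size = 20971520 -- 20M
+http_upload_quota = 104857600 -- 100M
+http_upload_expire_after = 2592000 -- 30d
+
+-- Logging configuration
+-- For advanced logging see http://prosody.im/doc/logging
+-- Hint: If you create a new log file or rename them, don't forget
+-- to update the logrotate config at /etc/logrotate.d/prosody
+log = {
+    -- Log all error messages to prosody.err
+    error = "/var/log/prosody/prosody.err";
+    -- Log everything of level "info" and higher (that is, all except "debug" messages)
+    -- to prosody.log
+    -- info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for more verbose logging
+    -- debug = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for more verbose logging
+    --"*syslog"; -- Uncomment this for logging to syslog
+}
+
+-- Pidfile, used by prosodyctl and the init.d script
+pidfile = "/var/run/prosody/prosody.pid";
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "localhost"
+
+VirtualHost "{{ prosody_domain }}"
+    enabled = true -- Remove this line to enable this host
+
+    -- Assign this host a certificate for TLS, otherwise it would use the one
+    -- set in the global section (if any).
+    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
+    -- use the global one.
+    ssl = {
+        protocol = "sslv23";
+        key = "{{ prosody_ssl_key }}";
+        certificate = "{{ prosody_ssl_cert }}";
+        dhparam = "/etc/prosody/certs/dh-2048.pem";
+        options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };
+        ciphers = "ECDH:DH:HIGH+kEDH:HIGH+kEECDH:HIGH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM";
+    }
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see http://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+Component "muc.{{ prosody_domain }}" "muc"
+    modules_enabled = {
+        "vcard_muc", "muc_mam",
+    }
+-- Set up a SOCKS5 bytestream proxy for server-proxied file transfers:
+--Component "proxy.example.com" "proxy65"
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: http://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"
+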
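Review bot: `turncredentials_secret = "gabbagabbahey"` commits the TURN shared secret (together with the live relay `einstein.cskreie.de`) to git, so anyone with repository access can mint TURN credentials for that relay; move it to a vaulted variable — `turncredentials_secret = "{{ prosody_turn_secret }}"` — and rotate the value on the TURN server. `allow_registration = {{ prosody_allow_registration }};` renders Ansible's boolean as `False`/`True`, which Lua treats as an undefined global, i.e. `nil`; it is falsy today by accident but would equally ignore `true`, so render it as `{{ prosody_allow_registration | lower }}`. `c2s_require_encryption`/`s2s_require_encryption` are left commented with no note on which default the target Prosody version applies, and `legacy_ssl_ports = { 5223 }` keeps the pre-STARTTLS port open — each deserves an explicit value and a one-line reason.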
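--- a/site.yml
+++ b/site.yml
@@ -6,3 +6,4 @@
 - import_playbook: bhyve.yml
 - import_playbook: mail.yml
 - import_playbook: restic.yml
+- import_playbook: wiki.yml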
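--- /dev/null
+++ b/wiki.yml
@@ -0,0 +1,7 @@
+---
+- hosts:
+    - wiki
+  become: yes
+  roles:
+    - mediawiki
+    - certbot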
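Review bot: The roles run as `mediawiki` then `certbot`, but the mediawiki nginx vhost references `/etc/letsencrypt/live/{{ mediawiki_domain }}/fullchain.pem`, which the certbot role only obtains afterwards, so on a fresh host the first play installs a site nginx cannot load — and certbot's webroot method in turn needs nginx answering on port 80. Either run `certbot` first behind a port-80 bootstrap site, or make the mediawiki role skip its TLS `listen` lines until the certificate exists. `become: yes` is better written `become: true` under yamllint's truthy rule.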