Merge branch 'master' of ssh://dev.ccchb.de:2222/ccchb/ansible

This commit is contained in:
Crest 2021-02-10 15:33:15 +01:00
commit faaa5c71a5
23 changed files with 616 additions and 0 deletions

View file

@ -17,4 +17,10 @@ user_mgmt_default:
ssh_key:
present:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEay33koXmcBcrDuCQKkCBlw/gKiPtwLswATPqIR7udl fritz@fluorine.grimpen.net"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEyVVwh0cUPxZ/wwRsB8YRsQE/cxjEX6gomS7EPArXuX fritz@NaOH"
absent: []
deelkar:
ssh_key:
present:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBz7TX/Nm+tE/8RZ2XLuboFWUmBR0oCD0yTaRm2NILm3 deelkar@artena"
absent: []

View file

@ -27,6 +27,8 @@ haproxy_http:
addr: '2a01:4f8:150:926f::11'
- host: 'embassy.ccchb.de'
addr: '2a01:4f8:150:926f::11'
- host: 'jabber.ccchb.de'
addr: '2a01:4f8:150:926f::13'
haproxy_sni:
- host: 'ccchb.de'
@ -45,6 +47,8 @@ haproxy_sni:
addr: '2a01:4f8:150:926f::11'
- host: 'embassy.ccchb.de'
addr: '2a01:4f8:150:926f::11'
- host: 'jabber.ccchb.de'
addr: '2a01:4f8:150:926f::13'
bhyve_ipv4: 10.0.0.0
bhyve_ipv6: 2a01:4f8:150:926f::4
@ -165,3 +169,19 @@ bhyve_guests:
volblocksize: 64k
primarycache: metadata
- name: jabber
index: 7
enabled: true
ram: 1G
cpus: 1
image: debian-10.5.0-amd64-netinst.iso
password: foobar
order:
- DISKS
disks:
- name: disk
properties:
volsize: 32g
volblocksize: 64k
primarycache: metadata

View file

@ -0,0 +1,12 @@
vm_index: 7
user_mgmt:
crest:
state: present
groups: sudo
genofire:
state: present
groups: sudo
fritz:
state: present
groups: sudo

View file

@ -0,0 +1,18 @@
vm_index: 6
user_mgmt:
crest:
state: present
groups: sudo
genofire:
state: present
groups: sudo
fritz:
state: present
groups: sudo
certbot_certs:
- [ "wiki.ccchb.de" ]
- [ "ccchb.de", "www.ccchb.de" ]
- [ "files.ccchb.de" ]

2
hosts/10_jabber Normal file
View file

@ -0,0 +1,2 @@
[jabber]
jabber.emma.ccchb.de

2
hosts/10_wiki Normal file
View file

@ -0,0 +1,2 @@
[wiki]
wiki.emma.ccchb.de

View file

@ -4,3 +4,5 @@ dn42.emma.ccchb.de
[debian:children]
nextcloud
gitea
wiki
jabber

View file

@ -0,0 +1,11 @@
---
certbot_admin_email: hostmaster@ccchb.de
certbot_package: letsencrypt
certbot_method: webroot
certbot_webroot: /var/www/html
certbot_certs: []
certbot_renew: true

View file

@ -0,0 +1,22 @@
---
- name: Enable certbot timer.
systemd:
name: certbot.timer
enabled: yes
- name: Install certbot.
package:
name: "{{ certbot_package }}"
state: present
- name: Check for presence of certificates.
stat:
path: "/etc/letsencrypt/live/{{ item | first | replace(\"*.\", \"\") }}/cert.pem"
register: certs_presence
loop: "{{ certbot_certs }}"
- name: Obtain certificates.
include_tasks: 'obtain_{{ certbot_method }}.yml'
when: not item.stat.exists
loop: "{{ certs_presence.results }}"
...

View file

@ -0,0 +1,4 @@
---
- name: "Obtain certificate for {{ item.item | join(',') }}"
command: "certbot certonly --agree-tos -m {{ certbot_admin_email | quote }} -d {{ item.item | join(',') }} --standalone"
...

View file

@ -0,0 +1,4 @@
---
- name: "Obtain certificate for {{ item.item | join(',') }}"
command: "certbot certonly --agree-tos -m {{ certbot_admin_email | quote }} -d {{ item.item | join(',') }} --webroot -w {{ certbot_webroot | quote }}"
...

View file

@ -0,0 +1,4 @@
location /.well-known/acme-challenge/ {
alias {{ certbot_webroot }}/.well-known/acme-challenge/;
allow all;
}

View file

@ -0,0 +1,46 @@
---
mediawiki_domain: wiki.ccchb.de
mediawiki_webroot: /var/www/wiki.ccchb.de/webroot
mediawiki_path: /w
mediawiki_extensions:
- CategoryTree
- ParserFunctions
- PdfHandler
- Renameuser
- Interwiki
- ConfirmEdit
- ConfirmEdit/QuestyCaptcha
- WikiEditor
- MobileFrontend
mediawiki_skins:
- MonoBook
- Timeless
- Vector
- MinervaNeue
mediawiki_sitename: "CCC Bremen"
mediawiki_email: "webmaster@ccchb.de"
mediawiki_install_nginx: true
mediawiki_php_socket: "unix:/run/php/php7.3-fpm.sock"
mediawiki_nginx_conf: |
listen [::]:443 ssl http2;
listen 443 ssl http2;
server_name {{ mediawiki_domain }};
root {{ mediawiki_webroot }};
ssl_certificate /etc/letsencrypt/live/{{ mediawiki_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ mediawiki_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ mediawiki_domain }}/chain.pem;
client_max_body_size 100M;
include snippets/certbot.conf;
...

View file

@ -0,0 +1,21 @@
---
- name: Configure Mediawiki
template:
src: LocalSettings.php.j2
dest: "{{ mediawiki_webroot }}/{{ mediawiki_path }}/LocalSettings.php"
owner: www-data
group: www-data
mode: '0600'
- name: Install nginx site
template:
src: nginx.j2
dest: /etc/nginx/sites-available/{{ mediawiki_domain }}
when: mediawiki_install_nginx
- name: Activate site {{ mediawiki_install_nginx }}
file:
src: /etc/nginx/sites-available/{{ mediawiki_domain }}
dest: /etc/nginx/sites-enabled/{{ mediawiki_domain }}
when: mediawiki_install_nginx
...

View file

@ -0,0 +1,115 @@
<?php
## {{ ansible_managed }}
$wgSitename = "{{ mediawiki_sitename }}";
$wgScriptPath = "/w";
$wgArticlePath = "/wiki/$1";
$wgUsePathInfo = true;
$wgResourceBasePath = $wgScriptPath;
$wgEnableEmail = true;
$wgEnableUserEmail = true;
$wgEmergencyContact = "{{ mediawiki_email }}";
$wgPasswordSender = "{{ mediawiki_email }}";
## For a detailed description of the following switches see
## http://www.mediawiki.org/wiki/Extension:Email_notification
## and http://www.mediawiki.org/wiki/Extension:Email_notification
## There are many more options for fine tuning available see
## /includes/DefaultSettings.php
## UPO means: this is also a user preference option
$wgEnotifUserTalk = true; # UPO
$wgEnotifWatchlist = true; # UPO
$wgEmailAuthentication = true;
## Database secrets managed outside Ansible
require 'LocalSettings_secrets.php';
## Shared memory settings
$wgMainCacheType = CACHE_NONE;
$wgMemCachedServers = array();
## To enable image uploads, make sure the 'images' directory
## is writable, then set this to true:
$wgEnableUploads = true;
$wgUseImageMagick = true;
$wgImageMagickConvertCommand = "/usr/bin/convert";
## If you want to use image uploads under safe mode,
## create the directories images/archive, images/thumb and
## images/temp, and make them all writable. Then uncomment
## this, if it's not already uncommented:
# $wgHashedUploadDirectory = false;
# to work with safe mode (as by https://www.mediawiki.org/wiki/Safe_mode)
# $wgFileStore['deleted']['hash'] = 0;
# $wgLocaltimezone = "Europe/Berlin";
# generate Thumbs on _every_ client request (NOTE this is a bad idea)
# $wgThumbnailScriptPath = "{$wgScriptPath}/thumb.php";
## If you have the appropriate support software installed
## you can enable inline LaTeX equations:
$wgUseTeX = false;
$wgLocalInterwiki = $wgSitename;
$wgLanguageCode = "de";
## Default skin: you can change the default skin. Use the internal symbolic
## names, ie 'standard', 'nostalgia', 'cologneblue', 'monobook':
$wgDefaultSkin = 'vector';
$wgLogo = '/w/images/3/3b/Ccchb_wiki.png';
## For attaching licensing metadata to pages, and displaying an
## appropriate copyright notice / icon. GNU Free Documentation
## License and Creative Commons licenses are supported so far.
$wgEnableCreativeCommonsRdf = true;
$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
$wgRightsUrl = "http://www.gnu.org/copyleft/fdl.html";
$wgRightsText = "GNU Free Documentation License 1.2";
$wgRightsIcon = "${wgScriptPath}/skins/common/images/gnu-fdl.png";
# $wgRightsCode = "gfdl"; # Not yet used
$wgFileExtensions = [ 'png', 'gif', 'jpg', 'jpeg', 'webp', 'svg', 'pdf', 'ai' ];
{% for extension in mediawiki_extensions %}
wfLoadExtension( "{{ extension }}" );
{% endfor %}
{% for skin in mediawiki_skins %}
wfLoadSkin( "{{ skin }}" );
{% endfor %}
$wgServer = "https://wiki.ccchb.de";
$wgNamespacesWithSubpages[NS_MAIN] = true;
$wgMFDefaultSkinClass = 'SkinMinerva';
$wgDiff3 = "/usr/bin/diff3";
$wgSVGConverter = 'rsvg';
$wgRestrictionLevels[] = 'legal';
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['user']['writeapi'] = true;
$wgGroupPermissions['vorstand']['legal'] = true;
$wgCaptchaClass = 'QuestyCaptcha';
$wgCaptchaQuestions[] = array( 'question' => 'Die Antwort auf die Frage nach dem Leben, dem Universum und allem?', 'answer' => '42' );
$wgCaptchaQuestions[] = array( 'question' => 'Wie lautet der Kurzname dieses Vereins?', 'answer' => 'CCCHB' );
$wgCaptchaQuestions[] = array( 'question' => 'Gib einfach das Wort Passion ein (kleingeschrieben):', 'answer' => 'passion' );
$wgCaptchaQuestions[] = array( 'question' => 'Gib bitte Fünfhundertsiebenundsechzig als Zahl ein:', 'answer' => '567' );
$wgCaptchaQuestions[] = array( 'question' => 'An welchem Wochentag treffen wir uns regelmäßig?', 'answer' => 'Dienstag' );
$wgCaptchaQuestions[] = array( 'question' => 'Der erste Congress im CCH (2012)', 'answer' => '29c3' );
$wgCaptchaQuestions[] = array( 'question' => 'Der letzte Congress im bcc (2011)', 'answer' => '28c3' );
$wgCaptchaQuestions[] = array( 'question' => 'Wie kürzt man Erfahrungsaustauschkreis in 4 Buchstaben ab? (alles großgeschrieben)', 'answer' => 'ERFA' );
$wgShowExceptionDetails = true;
$wgShowDBErrorBacktrace = true;

View file

@ -0,0 +1,58 @@
# {{ ansible_managed }}
server {
{{ mediawiki_nginx_conf }}
location ~ ^{{ mediawiki_path }}/(index|load|api|thumb|opensearch_desc|rest|img_auth)\.php$ {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass {{ mediawiki_php_socket }};
}
# Images
location {{ mediawiki_path }}/images {
# Separate location for images/ so .php execution won't apply
}
location {{ mediawiki_path }}/images/deleted {
# Deny access to deleted images folder
deny all;
}
# MediaWiki assets (usually images)
location ~ ^{{ mediawiki_path }}/resources/(assets|lib|src) {
try_files $uri 404;
add_header Cache-Control "public";
expires 7d;
}
# Assets, scripts and styles from skins and extensions
location ~ ^{{ mediawiki_path }}/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg|png|svg|wasm)$ {
try_files $uri 404;
add_header Cache-Control "public";
expires 7d;
}
# Favicon
location = /favicon.ico {
add_header Cache-Control "public";
expires 7d;
}
location {{ mediawiki_path }}/rest.php/ {
try_files $uri $uri/ {{ mediawiki_path }}/rest.php?$query_string;
}
# Handling for the article path (pretty URLs)
location /wiki/ {
rewrite ^/wiki/(?<pagename>.*)$ {{ mediawiki_path }}/index.php;
}
# Allow robots.txt in case you have one
location = /robots.txt {
}
# Explicit access to the root website, redirect to main page (adapt as needed)
location = / {
return 301 /wiki/Hauptseite;
}
location / {
return 404;
}
}

View file

@ -0,0 +1,57 @@
---
prosody_domain: "jabber.ccchb.de"
prosody_ssl_cert: "/etc/letsencrypt/live/{{ prosody_domain }}/fullchain.pem"
prosody_ssl_key: "/etc/letsencrypt/live/{{ prosody_domain }}/privkey.pem"
prosody_allow_registration: false
prosody_modules:
- roster
- saslauth
- tls
- dialback
- disco
- private
- bookmarks
- vcard
- proxy65
- legacyauth
- version
- uptime
- time
- ping
- pep
- register
- adhoc
- admin_adhoc
- posix
- bosh
- websocket
- groups
- announce
- watchregistrations
- blocking
- smacks
- carbons
- cloud_notify
- csi
- mam
- filter_chatstates
- throttle_presence
- http_upload
- turncredentials
- vcard_legacy
prosody_nginx_install: true
prosody_nginx_conf: |
listen [::]:443 ssl http2;
listen 443 ssl http2;
server_name {{ prosody_domain }};
root /var/www/html;
ssl_certificate {{ prosody_ssl_cert }};
ssl_certificate_key {{ prosody_ssl_key }};
ssl_trusted_certificate /etc/letsencrypt/live/{{ prosody_domain }}/chain.pem;
include snippets/certbot.conf;
...

View file

@ -0,0 +1,5 @@
---
- name: reload nginx
systemd:
name: nginx
state: reloaded

View file

@ -0,0 +1,21 @@
---
- name: Install prosody http site
template:
src: nginx.j2
dest: "/etc/nginx/sites-available/{{ prosody_domain }}"
when: prosody_nginx_install
- name: Enable prosody http site
notify: reload nginx
file:
src: /etc/nginx/sites-available/{{ prosody_domain }}
dest: /etc/nginx/sites-enabled/{{ prosody_domain }}
state: link
when: prosody_nginx_install
- name: Configure prosody
template:
src: prosody.cfg.lua.j2
dest: /etc/prosody/prosody_test.cfg.lua
...

View file

@ -0,0 +1,18 @@
# {{ ansible_managed }}
server {
{{ prosody_nginx_conf }}
location /http-bind {
proxy_pass http://127.0.0.1:5280/http-bind;
}
location /xmpp-websocket {
proxy_pass http://127.0.0.1:5280/xmpp-websocket;
}
location /upload {
proxy_set_header Host {{ prosody_domain }};
proxy_pass http://127.0.0.1:5280/upload;
}
}

View file

@ -0,0 +1,160 @@
-- Prosody XMPP Server Configuration
-- {{ ansible_managed }}
---------- Server-wide settings ----------
-- Settings in this section apply to the whole server and are the default settings
-- for any virtual hosts
-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see http://prosody.im/doc/creating_accounts for info)
-- Example: admins = { "user1@example.com", "user2@example.net" }
admins = { "deelkar@jabber.ccchb.de", "freak@jabber.ccchb.de", "jali@jabber.ccchb.de" }
-- Enable use of libevent for better performance under high load
-- For more information see: http://prosody.im/doc/libevent
use_libevent = false;
plugin_paths = { "/opt/prosody-modules" }
-- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
-- Documentation on modules can be found at: http://prosody.im/doc/modules
modules_enabled = {
{% for module in prosody_modules %}
"{{ module }}";
{% endfor %}
};
-- These modules are auto-loaded, should you
-- (for some mad reason) want to disable
-- them then uncomment them below
modules_disabled = {
-- "presence"; -- Route user/contact status information
-- "message"; -- Route messages
-- "iq"; -- Route info queries
-- "offline"; -- Store offline messages
};
-- Disable account creation by default, for security
-- For more information see http://prosody.im/doc/creating_accounts
allow_registration = {{ prosody_allow_registration }};
-- These are the SSL/TLS-related settings. If you don't want
-- to use SSL/TLS, you may comment or remove this
-- *** DUMMY CERT *** DO NOT CHANGE *** SET CERT IN HOST SECTION ***
ssl = {
protocol = "sslv23";
key = "{{ prosody_ssl_key }}";
certificate = "{{ prosody_ssl_cert }}";
dhparam = "/etc/prosody/certs/dh-2048.pem";
options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };
ciphers = "ECDH:DH:HIGH+kEDH:HIGH+kEECDH:HIGH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM";
}
legacy_ssl_ports = { 5223 }
http_external_url = "https://{{ prosody_domain }}/"
-- Only allow encrypted streams? Encryption is already used when
-- available. These options will cause Prosody to deny connections that
-- are not encrypted. Note that some servers do not support s2s
-- encryption or have it disabled, including gmail.com and Google Apps
-- domains.
--c2s_require_encryption = false
--s2s_require_encryption = false
-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.
-- To allow Prosody to offer secure authentication mechanisms to clients, the
-- default provider stores passwords in plaintext. If you do not trust your
-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
-- for information about using the hashed backend.
authentication = "internal_hashed"
-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See http://prosody.im/doc/storage for more info.
--storage = "sql" -- Default is "internal"
-- For the "sql" backend, you can uncomment *one* of the below to configure:
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
-- STUN/TURN
--turncredentials_host = "jabber.emma.ccchb.de"
turncredentials_host = "einstein.cskreie.de"
turncredentials_secret = "gabbagabbahey"
-- HTTP-UPLOAD
http_upload_file_size_limit = 10485760 -- 10M
http_max_content_size = 20971520 -- 20M
http_upload_quota = 104857600 -- 100M
http_upload_expire_after = 2592000 -- 30d
-- Logging configuration
-- For advanced logging see http://prosody.im/doc/logging
-- Hint: If you create a new log file or rename them, don't forget
-- to update the logrotate config at /etc/logrotate.d/prosody
log = {
-- Log all error messages to prosody.err
error = "/var/log/prosody/prosody.err";
-- Log everything of level "info" and higher (that is, all except "debug" messages)
-- to prosody.log
-- info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for more verbose logging
-- debug = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for more verbose logging
--"*syslog"; -- Uncomment this for logging to syslog
}
-- Pidfile, used by prosodyctl and the init.d script
pidfile = "/var/run/prosody/prosody.pid";
----------- Virtual hosts -----------
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
-- Settings under each VirtualHost entry apply *only* to that host.
VirtualHost "localhost"
VirtualHost "{{ prosody_domain }}"
enabled = true -- Remove this line to enable this host
-- Assign this host a certificate for TLS, otherwise it would use the one
-- set in the global section (if any).
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
-- use the global one.
ssl = {
protocol = "sslv23";
key = "{{ prosody_ssl_key }}";
certificate = "{{ prosody_ssl_cert }}";
dhparam = "/etc/prosody/certs/dh-2048.pem";
options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };
ciphers = "ECDH:DH:HIGH+kEDH:HIGH+kEECDH:HIGH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM";
}
------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.
-- For more information on components, see http://prosody.im/doc/components
---Set up a MUC (multi-user chat) room server on conference.example.com:
Component "muc.{{ prosody_domain }}" "muc"
modules_enabled = {
"vcard_muc", "muc_mam",
}
-- Set up a SOCKS5 bytestream proxy for server-proxied file transfers:
--Component "proxy.example.com" "proxy65"
---Set up an external component (default component port is 5347)
--
-- External components allow adding various services, such as gateways/
-- transports to other networks like ICQ, MSN and Yahoo. For more info
-- see: http://prosody.im/doc/components#adding_an_external_component
--
--Component "gateway.example.com"
-- component_secret = "password"

View file

@ -6,3 +6,4 @@
- import_playbook: bhyve.yml
- import_playbook: mail.yml
- import_playbook: restic.yml
- import_playbook: wiki.yml

7
wiki.yml Normal file
View file

@ -0,0 +1,7 @@
---
- hosts:
- wiki
become: yes
roles:
- mediawiki
- certbot