ccchb/ansible
ccchb/ansible
6
1
Fork 1
Code Issues 3 Pull requests Releases Wiki Activity

Compare commits

base: ccchb:master
Branches Tags
ccchb:master
humm:master
..
compare: humm:master
Branches Tags
humm:master
ccchb:master

1 commit
master ... master

Author SHA1 Message Date
Humm
f3d8080da1 Add user account for humm 2022-07-05 23:38:30 +02:00
44 changed files with 518 additions and 375 deletions
Show stats Expand all files Collapse all files

20
.woodpecker.yaml
View file

@ -1,20 +0,0 @@
clone:
git:
image: woodpeckerci/plugin-git
settings:
submodule_override:
roles/gitea: https://dev.ccchb.de/ccchb/ansible-role-gitea.git
when:
- event: push
branch: main
- event: push
branch: master
steps:
- name: lint
image: alpine
commands:
- apk update
- apk add ansible-lint
- ansible-lint

8
README.md
View file

@ -1,9 +1,3 @@
# ansible
[![status-badge](https://ci.ccchb.de/api/badges/5/status.svg)](https://ci.ccchb.de/repos/5)
CCCHB Ansible
## Deployment
ansible-playbook -i hosts/ [-l HOSTS] [-t TAGS] sites.yml
CCC HB Ansible

23
bhyve.yml
View file

@ -1,18 +1,19 @@
---
- name: Install py-netaddr
hosts:
- localhost
become: true
- hosts:
- localhost
become: yes
tasks:
- name: Install py-netaddr package
ansible.builtin.package:
name: net/py-netaddr
- name: Install passlib
package:
name: py38-netaddr
state: present
- name: Deploy bhyve to virtual machine hosts
hosts:
- hosts:
- emma
become: true
tags: bhyve
become: yes
roles:
- bhyve

6
debian.yml
View file

@ -1,6 +1,6 @@
---
- name: Prepare debian hosts
hosts: debian
become: true
- hosts: debian
become: yes
roles:
- debian
- { role: user_mgmt, tags: [user_mgmt]}

7
dns.yml
View file

@ -1,8 +1,9 @@
---
- name: Deploy DNS servers
hosts:
- hosts:
- mail
become: true
become: yes
roles:
- nsd
- unbound

5
gitea.yml
View file

@ -1,7 +1,6 @@
---
- name: Deploy Forgejo
hosts: gitea
become: true
- hosts: gitea
become: yes
roles:
- gitea
- gitea-ccchb

13
group_vars/all.yml
View file

@ -10,16 +10,14 @@ user_mgmt_default:
genofire:
ssh_key:
present:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIOr9wE3i1+Cl/06WOf0/6OjxsOnN7veV3LZcWgtHkcS genofire@fireYubi"
absent:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH8LdgjUiL/MFmA2wM98QAbUEyY/8ixnpettC6kQxKWu genofire@emma.ccchb.de"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDZm0TZPBzgXrY1vrLoYviNRb/oGZQDQk9vrppPK84sN55ZPlr9VvP+JYE7Qkx8teRuH9ulxqX40+dxKaiAXMUl4HU57KPLjwCb7SnBNIFTv6ZHGxPS8ZgUzKJr4Agph51oenNEO3RziEqAo3EwK67SGnjeIYQQKcjpfwd08+PYMOjv42zSYQ9umooj5LooOvbxoogZ3VpboXv6DeyA4rev1M9RgnMWaWVF2LxJjQ3jVr7xh1vZktVGKuVk/XXKD6WVAuwmGMVEouQzjtG9kepWd8FUYe+fgj5mtdqfeQP9CypxvOcb7jT20wO1Abpp5udS9iPDQHg+lafklIAeKG3qgxxhBDH3otXtnWcoeXUmDpBI8HU/8d/yrGaLHYRfy3HHiSGFq3lBgoxi83QIOl9ELeKWMJC0fWKBApm0NU0flgwfy2j7GRyXmlM7tVFyuj5RTAZNQfgD9g054di9WbtUs7sm/9r3/rQe2+3neE3Jskt4xvZK0xbc4dZSZGn4E2JDWjENqPBvQ2dU5lsjpUKTZWAnxVGPe//BErsDxNLIHWz8emG71r3Q2yud4KPdAR9CgeC8g1bwlCI6JDFZutKBzIlE3QQ4ryKJEioiUL89xi6G+nNB7W5ABsQN0ZtWvZl8TG4Wh00B+oBXzgRER5Y9SdAYcrwWxlGVxxQyElUNrw== genofire-yubikey"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDZm0TZPBzgXrY1vrLoYviNRb/oGZQDQk9vrppPK84sN55ZPlr9VvP+JYE7Qkx8teRuH9ulxqX40+dxKaiAXMUl4HU57KPLjwCb7SnBNIFTv6ZHGxPS8ZgUzKJr4Agph51oenNEO3RziEqAo3EwK67SGnjeIYQQKcjpfwd08+PYMOjv42zSYQ9umooj5LooOvbxoogZ3VpboXv6DeyA4rev1M9RgnMWaWVF2LxJjQ3jVr7xh1vZktVGKuVk/XXKD6WVAuwmGMVEouQzjtG9kepWd8FUYe+fgj5mtdqfeQP9CypxvOcb7jT20wO1Abpp5udS9iPDQHg+lafklIAeKG3qgxxhBDH3otXtnWcoeXUmDpBI8HU/8d/yrGaLHYRfy3HHiSGFq3lBgoxi83QIOl9ELeKWMJC0fWKBApm0NU0flgwfy2j7GRyXmlM7tVFyuj5RTAZNQfgD9g054di9WbtUs7sm/9r3/rQe2+3neE3Jskt4xvZK0xbc4dZSZGn4E2JDWjENqPBvQ2dU5lsjpUKTZWAnxVGPe//BErsDxNLIHWz8emG71r3Q2yud4KPdAR9CgeC8g1bwlCI6JDFZutKBzIlE3QQ4ryKJEioiUL89xi6G+nNB7W5ABsQN0ZtWvZl8TG4Wh00B+oBXzgRER5Y9SdAYcrwWxlGVxxQyElUNrw== genofire-yubikey"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH8LdgjUiL/MFmA2wM98QAbUEyY/8ixnpettC6kQxKWu genofire@emma.ccchb.de"
absent: []
fritz:
ssh_key:
present:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEay33koXmcBcrDuCQKkCBlw/gKiPtwLswATPqIR7udl fritz@fluorine.grimpen.net"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEyVVwh0cUPxZ/wwRsB8YRsQE/cxjEX6gomS7EPArXuX fritz@NaOH"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPSZUs/SgJRKK+NgmifBt8xehIbrpdQtpT9MeRkdwdHU fritz@m1air"
absent: []
deelkar:
ssh_key:
@ -31,8 +29,3 @@ user_mgmt_default:
present:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDSHkU00aO4U98ikMiiiWiEeRj/597UzFcFctwY8iwLy humm@fluorine"
absent: []
blazr:
ssh_key:
present:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDbxgesllBFfJUfwYX58rZln0ZpOq/Jyp361OmKohiQFHUyWK6wlPqDmfhqJuLPkAZQOjmK25gvLQXJ19+y1arjtGgbgf2nrjkCJ1l/2SHIa088DVYvZDLly+cSDMOUwgM1bzlKrHYK5asFihM+XJDV2oKUBIWaVNLHK99hpmiDXQ== jollyjinx@planetexpress.local"
absent: []

4
group_vars/debian.yml → group_vars/debian
View file

@ -1,5 +1,5 @@
---
ansible_python_interpreter: /usr/bin/python3
ansible_python_interpreter: /usr/bin/python3.7
dns: 213.133.98.98 8.8.8.8
ipv6_subnet: '2a01:4f8:150:926f::'
@ -8,6 +8,6 @@ ipv4_subnet: 10.0.0.0
ipv6: '{{ ipv6_subnet | ipmath(2 * (vm_index +2)+1) }}/127'
ipv6route: '{{ ipv6_subnet | ipmath(2 * (vm_index +2)) }}'
#ansible_ssh_host: '{{ ipv4_subnet | ipmath(2 * vm_index +1) }}'
ansible_ssh_host: '{{ ipv4_subnet | ipmath(2 * vm_index +1) }}'
ipv4: '{{ ipv4_subnet | ipmath(2 * vm_index +1) }}/31'
ipv4route: '{{ ipv4_subnet | ipmath(2 * vm_index) }}'

2
group_vars/freebsd.yml → group_vars/freebsd
View file

@ -1,5 +1,5 @@
---
ansible_python_interpreter: /usr/local/bin/python
ansible_python_interpreter: /usr/local/bin/python3.8
s6_etc_dir: /etc/s6-rc
s6_live_dir: /run/s6-rc
s6_scan_dir: /run/service

2
group_vars/mail.yml → group_vars/mail
View file

@ -7,8 +7,6 @@ dovecot_users:
zeltophil: '{BLF-CRYPT}$2y$05$rct9cKgRnB/X7tZW7MXNUeIfadqCRc..dCMG4DB1fZdefH1Qx6FAq'
haecksen: '{BLF-CRYPT}$2y$05$e2R8ucHVPlZuI39Uy4iX3.EaRszPJ01itsPJfQa0FIeYzBuiGxUZW'
ari: '{BLF-CRYPT}$2y$05$HixjVZIVDVBKy40ReKRKh.ewnuyNV/t84ANsOSjOuxz5BIgk/J7k6'
vorstand: '{BLF-CRYPT}$2y$05$Cw.dfEg54gvRIhT9bDCx1O7xS4TtWf/c7Hh9Owzaf23imfwltMd4e'
fritz: '{BLF-CRYPT}$2y$05$NFh8LBoHfkazQDy3iNiuWODSP.rib.jIEDyf/JUbyBnQbJ03FglI6'
mlmmj_lists:
- name: 'vorstand'

7
haproxy.yml
View file

@ -1,7 +1,8 @@
---
- name: Deploy haproxy
hosts:
- hosts:
- emma
become: true
become: yes
roles:
- haproxy

14
host_vars/brunn.ccchb.de.yml
View file

@ -1,14 +0,0 @@
user_mgmt:
crest:
state: present
groups: sudo
fritz:
state: present
groups: sudo
humm:
state: present
groups: sudo
genofire:
state: present
groups: sudo

60
host_vars/emma.ccchb.de.yml → host_vars/emma.ccchb.de
View file

@ -6,7 +6,6 @@ postfix_my_networks:
- '2a01:4f8:150:926f::2'
- '176.9.59.104'
- '127.0.0.1'
- '10.0.0.0/24'
haproxy_v4: 176.9.59.104
haproxy_v6: 2a01:4f8:150:926f::2
@ -33,14 +32,14 @@ haproxy_http:
addr: '2a01:4f8:150:926f::11'
- host: 'kasse.z1.ccchb.de'
addr: '2a01:4f8:150:926f::11'
- host: 'kasse.zweigstelle.space'
addr: '2a01:4f8:150:926f::11'
- host: 'jabber.ccchb.de'
addr: '2a01:4f8:150:926f::13'
- host: 'matrix.ccchb.de'
addr: '2a01:4f8:150:926f::13'
- host: 'auth.ccchb.de'
addr: '2a01:4f8:150:926f::11'
- host: 'kasse.ccchb.de'
addr: '2a01:4f8:150:926f::19'
- host: 'element.ccchb.de'
addr: '2a01:4f8:150:926f::13'
haproxy_sni:
- host: 'ccchb.de'
@ -61,12 +60,14 @@ haproxy_sni:
addr: '2a01:4f8:150:926f::11'
- host: 'kasse.z1.ccchb.de'
addr: '2a01:4f8:150:926f::11'
- host: 'kasse.zweigstelle.space'
addr: '2a01:4f8:150:926f::11'
- host: 'jabber.ccchb.de'
addr: '2a01:4f8:150:926f::13'
- host: 'auth.ccchb.de'
addr: '2a01:4f8:150:926f::11'
- host: 'kasse.ccchb.de'
addr: '2a01:4f8:150:926f::19'
- host: 'matrix.ccchb.de'
addr: '2a01:4f8:150:926f::13'
- host: 'element.ccchb.de'
addr: '2a01:4f8:150:926f::13'
bhyve_ipv4: 10.0.0.0
bhyve_ipv6: 2a01:4f8:150:926f::4
@ -96,7 +97,7 @@ bhyve_guests:
- name: dn42
index: 1
enabled: false
enabled: true
ram: 1G
cpus: 1
image: debian-10.5.0-amd64-netinst.iso
@ -114,6 +115,7 @@ bhyve_guests:
enabled: true
ram: 1G
cpus: 1
password: foobar
image: debian-10.5.0-amd64-netinst.iso
order:
- DISKS
@ -126,9 +128,10 @@ bhyve_guests:
- name: geno-playground
index: 3
enabled: false
enabled: true
ram: 4G
cpus: 4
password: foobar
image: manjaro-architect-20.0.3-200607-linux56.iso
order:
- DISKS
@ -172,9 +175,10 @@ bhyve_guests:
- name: wiki
index: 6
enabled: true
ram: 2G
ram: 1G
cpus: 1
image: debian-10.5.0-amd64-netinst.iso
password: foobar
order:
- DISKS
disks:
@ -190,6 +194,7 @@ bhyve_guests:
ram: 1G
cpus: 1
image: debian-10.5.0-amd64-netinst.iso
password: foobar
order:
- DISKS
disks:
@ -205,37 +210,6 @@ bhyve_guests:
ram: 1G
cpus: 1
image: debian-10.5.0-amd64-netinst.iso
order:
- DISKS
disks:
- name: disk
properties:
volsize: 128g
volblocksize: 64k
primarycache: metadata
- name: frab
index: 9
enabled: false
ram: 1G
cpus: 1
image: ubuntu-22.04.1-live-server-amd64.iso
password: foobar
order:
- DISKS
disks:
- name: disk
properties:
volsize: 128g
volblocksize: 64k
primarycache: metadata
- name: verein
index: 10
enabled: true
ram: 2G
cpus: 2
image: debian-12.6.0-amd64-netinst.iso
password: foobar
order:
- DISKS

15
host_vars/frab.emma.ccchb.de.yml
View file

@ -1,15 +0,0 @@
vm_index: 9
user_mgmt:
crest:
state: present
groups: sudo
fritz:
state: present
groups: sudo
humm:
state: present
groups: sudo
blazr:
state: present
groups: sudo

10
host_vars/gitea.emma.ccchb.de.yml
View file

@ -1,6 +1,6 @@
vm_index: 2
gitea_version: "1.21.2"
gitea_version: "1.13.0"
gitea_app_name: "dev.ccchb.de"
# technical:
@ -14,7 +14,7 @@ gitea_systemd_cap_net_bind_service: true
gitea_http_letsencrypt_mail: "webmaster@ccchb.de"
gitea_ssh_domain: "dev.ccchb.de"
gitea_ssh_listen: "::"
gitea_ssh_listen: "[::]"
gitea_ssh_port: 2222
gitea_start_ssh: true
@ -29,9 +29,6 @@ gitea_require_signin: false
gitea_register_email_confirm: true
gitea_enable_captcha: true
gitea_disable_registration: false
gitea_only_allow_external_registration: true
# privacy:
gitea_offline_mode: true
gitea_disable_gravatar: true
@ -48,6 +45,3 @@ user_mgmt:
humm:
state: present
groups: sudo
fritz:
state: present
groups: sudo

2
hosts/00_brunn
View file

@ -1,2 +0,0 @@
[brunn]
brunn.ccchb.de

2
hosts/10_frab
View file

@ -1,2 +0,0 @@
[frab]
frab.emma.ccchb.de

9
jabber.yml
View file

@ -1,9 +0,0 @@
---
- name: Deploy XMPP server
hosts:
- jabber
become: true
tags: [jabber]
roles:
- certbot
- prosody

2
library/sysrc
View file

@ -1,4 +1,4 @@
#!/usr/local/bin/python3
#!/usr/local/bin/python3.7
# -*- coding: utf-8 -*-
#
# (c) 2014, David Lundgren <dlundgren@syberisle.net>

30
mail.yml
View file

@ -1,24 +1,22 @@
---
- name: Install passlib
hosts:
- hosts:
- localhost
become: true
become: yes
tasks:
- name: Install passlib
ansible.builtin.package:
name: security/py-passlib
package:
name: py38-passlib
state: present
- name: Deploy mail servers
hosts:
- hosts:
- mail
become: true
become: yes
roles:
- role: dovecot
tags: [dovecot]
- role: rspamd
tags: [rspamd]
- role: postfix
tags: [postfix]
- role: mlmmj
tags: [mlmmj]
- dovecot
- rspamd
- postfix
- mlmmj

5
nextcloud.yml
View file

@ -1,6 +1,5 @@
---
- name: Deploy NextCloud
hosts: nextcloud
become: true
- hosts: nextcloud
become: yes
roles:
- nextcloud

7
ntp.yml
View file

@ -1,7 +1,8 @@
---
- name: Deploy local NTP server
hosts:
- hosts:
- mail
become: true
become: yes
roles:
- openntpd

7
restic.yml
View file

@ -1,7 +1,8 @@
---
- name: Deploy restic
hosts:
- hosts:
- mail
become: true
become: yes
roles:
- restic

4
roles/bhyve-network/tasks/main.yml
View file

@ -10,13 +10,13 @@
- name: Set host IPv4 addresses
sysrc:
name: 'ifconfig_vmnet{{ item.index }}'
value: 'inet {{ bhyve_ipv4 | ansible.utils.ipmath(2 * item.index)}}/31'
value: 'inet {{ bhyve_ipv4 | ipmath(2 * item.index)}}/31'
with_items: '{{ bhyve_guests }}'
- name: Set host IPv6 addresses
sysrc:
name: 'ifconfig_vmnet{{ item.index }}_ipv6'
value: 'inet6 {{ bhyve_ipv6 | ansible.utils.ipmath(2 * item.index)}}/127'
value: 'inet6 {{ bhyve_ipv6 | ipmath(2 * item.index)}}/127'
with_items: '{{ bhyve_guests }}'
- name: Add guest interfaces

64
roles/debian/tasks/main.yml
View file

@ -1,4 +1,39 @@
---
- name: Install defaults
package:
name:
- zsh
- name: Download .zshrc from grml
get_url:
url: https://raw.githubusercontent.com/grml/grml-etc-core/v0.12.5/etc/zsh/zshrc
dest: /etc/zsh/zshrc
checksum: sha256:ad88c76951693c2f9c38773ed2602a9fd5c74431615c4a23aaff679b295919ce
validate_certs: false
- name: Update SSH configuration
notify: reload sshd
replace:
dest: /etc/ssh/sshd_config
regexp: '^([\#\s]*)?{{ item.key }}\s+([\w_-]+)'
replace: "{{item.key}} {{item.value}}"
with_items:
- key: PermitRootLogin
value: without-password
- key: PasswordAuthentication
value: 'no'
- key: ChallengeResponseAuthentication
value: 'no'
- key: PrintLastLog
value: 'yes'
- key: UseDNS
value: 'no'
- name: Change shell of user root
user:
name: root
shell: /usr/bin/zsh
- name: Enable sshd
systemd:
name: sshd
@ -9,7 +44,32 @@
notify: restart network
when: ipv4 is defined or ipv6 is defined
template:
src: interfaces.j2
dest: /etc/network/interfaces
src: systemd.network
dest: /etc/systemd/network/main.network
owner: root
mode: 644
- name: enable systemd-networkd
notify: restart network
systemd:
name: systemd-networkd
state: started
enabled: yes
- name: disable networking
systemd:
name: networking
enabled: no
- name: start systemd-resolved
systemd:
name: systemd-resolved
state: started
enabled: yes
- name: symling /etc/resolve
file:
src: /run/systemd/resolve/stub-resolv.conf
dest: /etc/resolv.conf
state: link
force: yes

16
roles/debian/templates/interfaces.j2
View file

@ -1,16 +0,0 @@
# The primary network interface
allow-hotplug enp0s3
{% if ipv4 is defined %}
iface enp0s3 inet static
address {{ipv4}}/31
gateway {{ipv4route}}
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers {{ipv4route}}
dns-search emma.ccchb.de
{% endif %}
{% if ipv6 is defined %}
iface enp0s3 inet6 static
address {{ipv6}}/127
gateway {{ipv6route}}
{% endif %}

0
roles/debian_docker/defaults/main.yml
View file

3
roles/debian_docker/files/daemon.json
View file

@ -1,3 +0,0 @@
{
"log-driver": "journald"
}

5
roles/debian_docker/handlers/main.yml
View file

@ -1,5 +0,0 @@
---
- name: Restart docker
ansible.builtin.service:
name: docker
state: restarted

33
roles/debian_docker/tasks/main.yml
View file

@ -1,33 +0,0 @@
---
- name: Install Docker's GPG key in apt's keyring
ansible.builtin.apt_key:
url: https://download.docker.com/linux/debian/gpg
state: present
tags: docker install
- name: Setup Docker's apt repository
ansible.builtin.apt_repository:
repo: deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable
state: present
filename: docker
tags: docker install
- name: Install Docker
ansible.builtin.package:
name:
- docker-ce
- docker-ce-cli
- containerd.io
- docker-compose-plugin
state: present
tags: docker install
notify:
- Restart docker
- name: Configure Docker daemon
ansible.builtin.file:
src: daemon.json
dest: /etc/docker/daemon.json
owner: root
group: root
mode: '0644'

2
roles/gitea

@ -1 +1 @@
Subproject commit 751d0d724ba63c6251fafad9e80a480d6bc5043f
Subproject commit 1aa082a2101c69f8cfc13a31604991b0c3dfa8e5

172
roles/gitea-ccchb/files/templates/base/head.tmpl Normal file
View file

@ -0,0 +1,172 @@
<!DOCTYPE html>
<html lang="{{.Language}}" class="theme-{{.SignedUser.Theme}}">
<head data-suburl="{{AppSubUrl}}">
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<title>{{if .Title}}{{.Title | RenderEmojiPlain}} - {{end}} {{if .Repository.Name}}{{.Repository.Name}} - {{end}}{{AppName}} </title>
<link rel="manifest" href="{{AppSubUrl}}/manifest.json" crossorigin="use-credentials">
<meta name="theme-color" content="{{ThemeColorMetaTag}}">
<meta name="author" content="{{if .Repository}}{{.Owner.Name}}{{else}}{{MetaAuthor}}{{end}}" />
<meta name="description" content="{{if .Repository}}{{.Repository.Name}}{{if .Repository.Description}} - {{.Repository.Description}}{{end}}{{else}}{{MetaDescription}}{{end}}" />
<meta name="keywords" content="{{MetaKeywords}}">
<meta name="referrer" content="no-referrer" />
<meta name="_csrf" content="{{.CsrfToken}}" />
{{if .IsSigned}}
<meta name="_uid" content="{{.SignedUser.ID}}" />
{{end}}
{{if .ContextUser}}
<meta name="_context_uid" content="{{.ContextUser.ID}}" />
{{end}}
{{if .SearchLimit}}
<meta name="_search_limit" content="{{.SearchLimit}}" />
{{end}}
{{if .GoGetImport}}
<meta name="go-import" content="{{.GoGetImport}} git {{.CloneLink.HTTPS}}">
<meta name="go-source" content="{{.GoGetImport}} _ {{.GoDocDirectory}} {{.GoDocFile}}">
{{end}}
<script>
{{SafeJS `/*
@licstart The following is the entire license notice for the
JavaScript code in this page.
Copyright (c) 2016 The Gitea Authors
Copyright (c) 2015 The Gogs Authors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
---
Licensing information for additional javascript libraries can be found at:
{{StaticUrlPrefix}}/vendor/librejs.html
@licend The above is the entire license notice
for the JavaScript code in this page.
*/`}}
</script>
<script>
window.config = {
AppVer: '{{AppVer}}',
AppSubUrl: '{{AppSubUrl}}',
StaticUrlPrefix: '{{StaticUrlPrefix}}',
UseServiceWorker: {{UseServiceWorker}},
csrf: '{{.CsrfToken}}',
HighlightJS: {{if .RequireHighlightJS}}true{{else}}false{{end}},
Minicolors: {{if .RequireMinicolors}}true{{else}}false{{end}},
SimpleMDE: {{if .RequireSimpleMDE}}true{{else}}false{{end}},
Tribute: {{if .RequireTribute}}true{{else}}false{{end}},
U2F: {{if .RequireU2F}}true{{else}}false{{end}},
Heatmap: {{if .EnableHeatmap}}true{{else}}false{{end}},
heatmapUser: {{if .HeatmapUser}}'{{.HeatmapUser}}'{{else}}null{{end}},
NotificationSettings: {
MinTimeout: {{NotificationSettings.MinTimeout}},
TimeoutStep: {{NotificationSettings.TimeoutStep}},
MaxTimeout: {{NotificationSettings.MaxTimeout}},
EventSourceUpdateTime: {{NotificationSettings.EventSourceUpdateTime}},
},
{{if .RequireTribute}}
tributeValues: [
{{ range .Assignees }}
{key: '{{.Name}} {{.FullName}}', value: '{{.Name}}',
name: '{{.Name}}', fullname: '{{.FullName}}', avatar: '{{.RelAvatarLink}}'},
{{ end }}
],
{{end}}
};
</script>
<link rel="shortcut icon" href="{{StaticUrlPrefix}}/img/favicon.png">
<link rel="mask-icon" href="{{StaticUrlPrefix}}/img/gitea-safari.svg" color="#609926">
<link rel="fluid-icon" href="{{StaticUrlPrefix}}/img/gitea-lg.png" title="{{AppName}}">
<link rel="stylesheet" href="{{StaticUrlPrefix}}/vendor/assets/font-awesome/css/font-awesome.min.css">
{{if .RequireSimpleMDE}}
<link rel="stylesheet" href="{{StaticUrlPrefix}}/vendor/plugins/simplemde/simplemde.min.css">
{{end}}
{{if .RequireTribute}}
<link rel="stylesheet" href="{{StaticUrlPrefix}}/vendor/plugins/tribute/tribute.css">
{{end}}
<link rel="stylesheet" href="{{StaticUrlPrefix}}/fomantic/semantic.min.css?v={{MD5 AppVer}}">
<link rel="stylesheet" href="{{StaticUrlPrefix}}/css/index.css?v={{MD5 AppVer}}">
<noscript>
<style>
.dropdown:hover > .menu { display: block; }
.ui.secondary.menu .dropdown.item > .menu { margin-top: 0; }
</style>
</noscript>
{{if .RequireMinicolors}}
<link rel="stylesheet" href="{{StaticUrlPrefix}}/vendor/plugins/jquery.minicolors/jquery.minicolors.css">
{{end}}
<style class="list-search-style"></style>
{{if .PageIsUserProfile}}
<meta property="og:title" content="{{.Owner.Name}}" />
<meta property="og:type" content="profile" />
<meta property="og:image" content="{{.Owner.AvatarLink}}" />
<meta property="og:url" content="{{.Owner.HTMLURL}}" />
{{if .Owner.Description}}
<meta property="og:description" content="{{.Owner.Description}}">
{{end}}
{{else if .Repository}}
{{if .Issue}}
<meta property="og:title" content="{{.Issue.Title}}" />
<meta property="og:url" content="{{.Issue.HTMLURL}}" />
{{if .Issue.Content}}
<meta property="og:description" content="{{.Issue.Content}}" />
{{end}}
{{else}}
<meta property="og:title" content="{{.Repository.Name}}" />
<meta property="og:url" content="{{.Repository.HTMLURL}}" />
{{if .Repository.Description}}
<meta property="og:description" content="{{.Repository.Description}}" />
{{end}}
{{end}}
<meta property="og:type" content="object" />
<meta property="og:image" content="{{.Repository.Owner.AvatarLink}}" />
{{else}}
<meta property="og:title" content="{{AppName}}">
<meta property="og:type" content="website" />
<meta property="og:image" content="{{StaticUrlPrefix}}/img/gitea-lg.png" />
<meta property="og:url" content="{{AppUrl}}" />
<meta property="og:description" content="{{MetaDescription}}">
{{end}}
<meta property="og:site_name" content="{{AppName}}" />
{{if .IsSigned }}
{{ if ne .SignedUser.Theme "gitea" }}
<link rel="stylesheet" href="{{StaticUrlPrefix}}/css/theme-{{.SignedUser.Theme}}.css?v={{MD5 AppVer}}">
{{end}}
{{else if ne DefaultTheme "gitea"}}
<link rel="stylesheet" href="{{StaticUrlPrefix}}/css/theme-{{DefaultTheme}}.css?v={{MD5 AppVer}}">
{{end}}
{{template "custom/header" .}}
</head>
<body>
{{template "custom/body_outer_pre" .}}
<div class="full height">
<noscript>{{.i18n.Tr "enable_javascript"}}</noscript>
{{template "custom/body_inner_pre" .}}
{{if not .PageIsInstall}}
<div class="ui top secondary stackable main menu following bar light inverted">
{{template "base/head_navbar" .}}
</div><!-- end bar -->
{{end}}
{{/*
</div>
</body>
</html>
*/}}

10
roles/postfix/handlers/main.yml
View file

@ -1,20 +1,20 @@
---
- name: Reload s6-rc
ansible.builtin.service:
service:
name: s6-rc
state: reloaded
- name: Restart Postfix
ansible.builtin.command: s6-svc -wU -T 5000 -ru {{ s6_scan_dir }}/postfix
command: s6-svc -wU -T 5000 -ru {{ s6_scan_dir }}/postfix
- name: Restart Postfix log
ansible.builtin.command: s6-svc -wU -T 5000 -ru {{ s6_scan_dir }}/postfix-log
command: s6-svc -wU -T 5000 -ru {{ s6_scan_dir }}/postfix-log
- name: Reload Postfix
ansible.builtin.command: s6-svc -h {{ s6_scan_dir }}/postfix
command: s6-svc -h {{ s6_scan_dir }}/postfix
- name: Rebuild Postfix maps
ansible.builtin.command: 'postmap {{ item.type }}:{{ item.name }}'
command: 'postmap {{ item.type }}:{{ item.name }}'
args:
chdir: /usr/local/etc/postfix
when: item.type in postfix_rebuild_types

48
roles/postfix/tasks/main.yml
View file

@ -1,27 +1,27 @@
---
- name: Install Postfix
ansible.builtin.package:
package:
name: postfix
state: present
notify:
- Restart Postfix
- name: Create /usr/local/etc/mail
ansible.builtin.file:
file:
path: /usr/local/etc/mail
state: directory
owner: root
group: wheel
mode: '0755'
mode: 0755
- name: Install Postfix mailer.conf
ansible.builtin.copy:
copy:
dest: /usr/local/etc/mail/mailer.conf
src: /usr/local/share/postfix/mailer.conf.postfix
remote_src: true
remote_src: yes
owner: root
group: wheel
mode: '0644'
mode: 0644
- name: Disable sendmail
sysrc:
@ -29,22 +29,22 @@
value: NONE
- name: Make sure sendmail is stopped
ansible.builtin.service:
service:
name: sendmail
state: stopped
- name: Disable sendmail periodic tasks
ansible.builtin.lineinfile:
lineinfile:
path: /etc/periodic.conf
owner: root
group: wheel
mode: '0444'
mode: 0444
regexp: '^{{ item }}='
line: '{{ item }}="NO"'
with_items: '{{ sendmail_periodic }}'
- name: Add /var/log/postfix to fstab
ansible.posix.mount:
mount:
path: /var/log/postfix
src: tmpfs
fstype: tmpfs
@ -52,19 +52,19 @@
state: mounted
- name: Create Postfix service directories
ansible.builtin.file:
file:
path: '{{ s6_etc_dir }}/service/{{ item }}'
state: directory
owner: root
group: wheel
mode: '0755'
mode: 0755
with_items: '{{ postfix_service_dirs }}'
- name: Generate Postfix service scripts
ansible.builtin.template:
template:
dest: '{{ s6_etc_dir }}/service/{{ item }}'
src: '{{ item }}.j2'
mode: '0555'
mode: 0555
owner: root
group: wheel
with_items: '{{ postfix_service_scripts }}'
@ -73,24 +73,24 @@
- Restart Postfix
- name: Generate Postfix service configuration
ansible.builtin.copy:
copy:
dest: '{{ s6_etc_dir }}/service/{{ item.name }}'
content: '{{ item.content }}'
mode: '0444'
mode: 0444
owner: root
group: wheel
loop_control:
label: '{{ item.name }} = {{ item.content }}'
label: '{{ item.name }} = {{ item.content }}'
notify:
- Reload s6-rc
- Restart Postfix
with_items: '{{ postfix_service_config }}'
- name: Generate Postfix maps
ansible.builtin.template:
template:
dest: '/usr/local/etc/postfix/{{ item.name }}'
src: '{{ item.name }}.j2'
mode: '0444'
mode: 0444
owner: root
group: wheel
with_items: '{{ postfix_maps }}'
@ -108,7 +108,7 @@
- Reload Postfix
- name: Configure Postfix services
ansible.builtin.lineinfile:
lineinfile:
path: /usr/local/etc/postfix/master.cf
regexp: '^{{ item.name }} +{{ item.type }}'
value: '{{ item.value }}'
@ -126,15 +126,15 @@
- Restart Postfix
- name: Flush handlers
ansible.builtin.meta: flush_handlers
meta: flush_handlers
- name: Start Postfix
ansible.builtin.command: fdmove -c 2 1 s6-rc -l {{ s6_live_dir }} -u -v 2 change postfix
command: fdmove -c 2 1 s6-rc -l {{ s6_live_dir }} -u -v 2 change postfix
register: change
changed_when: change.stdout | length > 0
- name: Enable Postfix
ansible.builtin.lineinfile:
lineinfile:
path: '{{ s6_etc_dir }}/service/enabled/contents'
regexp: "^postfix$"
line: "postfix"
@ -142,4 +142,4 @@
- Reload s6-rc
- name: Flush handlers (again)
ansible.builtin.meta: flush_handlers
meta: flush_handlers

14
roles/postfix/vars/main.yml
View file

@ -63,7 +63,6 @@ postfix_virtual_aliases:
- hostmaster@ccchb.de crest@ccchb.de
- thoddi@ccchb.de mail@thoddi.de
- docloc@ccchb.de docloc@posteo.net
- fritz@ccchb.de fritz@grimpen.net
- root@lists.ccchb.de crest@ccchb.de
- crest@lists.ccchb.de crest@ccchb.de
@ -73,8 +72,6 @@ postfix_virtual_aliases:
- postmaster@lists.ccchb.de crest@ccchb.de
- hostmaster@lists.ccchb.de crest@ccchb.de
- reddit@ccchb.de crest@ccchb.de
postfix_service_dirs:
- postfix
- postfix/env
@ -355,14 +352,6 @@ postfix_config:
value: 'aNULL'
state: present
- name: smtpd_tls_mandatory_protocols
value: 'TLSv1.2 TLSv1.3'
state: present
- name: smtpd_tls_protocols
value: 'TLSv1.2 TLSv1.3'
state: present
- name: smtpd_tls_received_header
value: 'yes'
state: present
@ -380,8 +369,7 @@ postfix_config:
state: present
- name: tls_high_cipherlist
value: |-
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
value: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
state: present
- name: tls_ssl_options

44
roles/prosody/defaults/main.yml
View file

@ -1,12 +1,44 @@
---
prosody_domain: "jabber.ccchb.de"
prosody_ssl_cert: "/etc/prosody/certs/fullchain.pem"
prosody_ssl_key: "/etc/prosody/certs/privkey.pem"
prosody_ssl_cert: "/etc/letsencrypt/live/{{ prosody_domain }}/fullchain.pem"
prosody_ssl_key: "/etc/letsencrypt/live/{{ prosody_domain }}/privkey.pem"
prosody_allow_registration: false
prosody_http_url: "https://jabber.ccchb.de/"
prosody_turn_server: "einstein.cskreie.de"
prosody_turn_secret: "gabbagabbahey"
prosody_modules:
- roster
- saslauth
- tls
- dialback
- disco
- private
- bookmarks
- vcard
- proxy65
- legacyauth
- version
- uptime
- time
- ping
- pep
- register
- adhoc
- admin_adhoc
- posix
- bosh
- websocket
- groups
- announce
- watchregistrations
- blocking
- smacks
- carbons
- cloud_notify
- csi
- mam
- filter_chatstates
- throttle_presence
- http_upload
- turncredentials
- vcard_legacy
prosody_nginx_install: true
prosody_nginx_conf: |

2
roles/prosody/tasks/main.yml
View file

@ -16,6 +16,6 @@
- name: Configure prosody
template:
src: prosody.cfg.lua.j2
dest: /etc/prosody/prosody.cfg.lua
dest: /etc/prosody/prosody_test.cfg.lua
...

4
roles/prosody/templates/nginx.j2
View file

@ -15,8 +15,4 @@ server {
proxy_set_header Host {{ prosody_domain }};
proxy_pass http://127.0.0.1:5280/upload;
}
location /file_share {
proxy_pass http://127.0.0.1:5280/file_share;
}
}

188
roles/prosody/templates/prosody.cfg.lua.j2
View file

@ -1,73 +1,126 @@
-- Prosody XMPP Server Configuration
-- {{ ansible_managed }}
---------- Server-wide settings ----------
-- Settings in this section apply to the whole server and are the default settings
-- for any virtual hosts
-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see http://prosody.im/doc/creating_accounts for info)
-- Example: admins = { "user1@example.com", "user2@example.net" }
admins = { "deelkar@jabber.ccchb.de", "freak@jabber.ccchb.de", "jali@jabber.ccchb.de" }
use_libevent = true;
-- Enable use of libevent for better performance under high load
-- For more information see: http://prosody.im/doc/libevent
use_libevent = false;
plugin_paths = { "/opt/prosody-modules" }
-- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
-- Documentation on modules can be found at: http://prosody.im/doc/modules
modules_enabled = {
-- Generally required
"roster";
"saslauth";
"tls";
"dialback";
"disco";
"posix";
"private";
-- Nice to have
"version";
"uptime";
"time";
"ping";
"pep";
"register";
-- Admin interfaces
"admin_adhoc";
"admin_shell";
-- HTTP modules
"bosh";
"http_files";
"http_file_share";
-- Other specific functionality
"groups";
"watchregistrations";
"turn_external";
"carbons";
"blocklist";
"mam";
"csi_simple";
"vcard_legacy";
"proxy65";
{% for module in prosody_modules %}
"{{ module }}";
{% endfor %}
};
allow_registration = {% if prosody_allow_registration then "True" else "False" %};
-- These modules are auto-loaded, should you
-- (for some mad reason) want to disable
-- them then uncomment them below
modules_disabled = {
-- "presence"; -- Route user/contact status information
-- "message"; -- Route messages
-- "iq"; -- Route info queries
-- "offline"; -- Store offline messages
};
c2s_require_encryption = true
s2s_secure_auth = false
-- Disable account creation by default, for security
-- For more information see http://prosody.im/doc/creating_accounts
allow_registration = {{ prosody_allow_registration }};
-- PID file, necessary for prosodyctl
pidfile = "/var/run/prosody/prosody.pid"
-- These are the SSL/TLS-related settings. If you don't want
-- to use SSL/TLS, you may comment or remove this
-- *** DUMMY CERT *** DO NOT CHANGE *** SET CERT IN HOST SECTION ***
ssl = {
protocol = "sslv23";
key = "{{ prosody_ssl_key }}";
certificate = "{{ prosody_ssl_cert }}";
dhparam = "/etc/prosody/certs/dh-2048.pem";
options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };
ciphers = "ECDH:DH:HIGH+kEDH:HIGH+kEECDH:HIGH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM";
}
legacy_ssl_ports = { 5223 }
http_external_url = "https://{{ prosody_domain }}/"
-- Only allow encrypted streams? Encryption is already used when
-- available. These options will cause Prosody to deny connections that
-- are not encrypted. Note that some servers do not support s2s
-- encryption or have it disabled, including gmail.com and Google Apps
-- domains.
--c2s_require_encryption = false
--s2s_require_encryption = false
-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.
-- To allow Prosody to offer secure authentication mechanisms to clients, the
-- default provider stores passwords in plaintext. If you do not trust your
-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
-- for information about using the hashed backend.
authentication = "internal_hashed"
-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See http://prosody.im/doc/storage for more info.
--storage = "sql" -- Default is "internal"
-- For the "sql" backend, you can uncomment *one* of the below to configure:
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
-- STUN/TURN
--turncredentials_host = "jabber.emma.ccchb.de"
turncredentials_host = "einstein.cskreie.de"
turncredentials_secret = "gabbagabbahey"
-- HTTP-UPLOAD
http_upload_file_size_limit = 10485760 -- 10M
http_max_content_size = 20971520 -- 20M
http_upload_quota = 104857600 -- 100M
http_upload_expire_after = 2592000 -- 30d
-- Logging configuration
-- For advanced logging see http://prosody.im/doc/logging
-- Hint: If you create a new log file or rename them, don't forget
-- to update the logrotate config at /etc/logrotate.d/prosody
log = {
-- Log all error messages to prosody.err
error = "/var/log/prosody/prosody.err";
-- Log everything of level "info" and higher (that is, all except "debug" messages)
-- to prosody.log
-- info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for more verbose logging
-- debug = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for more verbose logging
--"*syslog"; -- Uncomment this for logging to syslog
}
-- TODO: Fix escaping
http_external_url = "{{ prosody_http_url }}"
trusted_proxies = { "127.0.0.1", "::1", "192.168.1.1", }
-- TURN Server
turn_external_host = "{{ prosody_turn_server }}"
turn_external_secret = "{{ prosody_turn_secret }}"
-- Pidfile, used by prosodyctl and the init.d script
pidfile = "/var/run/prosody/prosody.pid";
----------- Virtual hosts -----------
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
-- Settings under each VirtualHost entry apply *only* to that host.
VirtualHost "localhost"
VirtualHost "jabber.ccchb.de"
VirtualHost "{{ prosody_domain }}"
enabled = true -- Remove this line to enable this host
-- Assign this host a certificate for TLS, otherwise it would use the one
@ -75,18 +128,33 @@ VirtualHost "jabber.ccchb.de"
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
-- use the global one.
ssl = {
protocol = "tlsv1_2+";
protocol = "sslv23";
key = "{{ prosody_ssl_key }}";
certificate = "{{ prosody_ssl_cert }}";
dhparam = "/etc/prosody/certs/dh-2048.pem";
-- TODO: Evaluate allowed ciphers
ciphers = "ECDH:DH:HIGH+kEDH:HIGH+kEECDH:HIGH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM";
dhparam = "/etc/prosody/certs/dh-2048.pem";
options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };
ciphers = "ECDH:DH:HIGH+kEDH:HIGH+kEECDH:HIGH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM";
}
Component "muc.jabber.ccchb.de" "muc"
modules_enabled = {
"vcard_muc",
"muc_mam"
}
------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.
-- For more information on components, see http://prosody.im/doc/components
---Set up a MUC (multi-user chat) room server on conference.example.com:
Component "muc.{{ prosody_domain }}" "muc"
modules_enabled = {
"vcard_muc", "muc_mam",
}
-- Set up a SOCKS5 bytestream proxy for server-proxied file transfers:
--Component "proxy.example.com" "proxy65"
---Set up an external component (default component port is 5347)
--
-- External components allow adding various services, such as gateways/
-- transports to other networks like ICQ, MSN and Yahoo. For more info
-- see: http://prosody.im/doc/components#adding_an_external_component
--
--Component "gateway.example.com"
-- component_secret = "password"
Component "upload.jabber.ccchb.de" "http_file_share"

4
roles/s6-rc/templates/s6-rc.j2
View file

@ -16,9 +16,9 @@ EX_CONFIG=78
export PATH="$PATH:/usr/local/bin:/usr/local/sbin"
name=s6_rc
name=s6-rc
rcvar=s6_rc_enable
extra_commands="reload status"
extra_commands="reload"
start_cmd="s6_rc_start &"
stop_cmd="s6_rc_stop"

7
s6.yml
View file

@ -1,7 +1,8 @@
---
- name: Deploy s6 on FreeBSD
hosts:
- hosts:
- emma
become: true
become: yes
roles:
- s6-rc

1
site.yml
View file

@ -7,4 +7,3 @@
- import_playbook: mail.yml
- import_playbook: restic.yml
- import_playbook: wiki.yml
- import_playbook: users.yml

7
users.yml
View file

@ -1,7 +0,0 @@
---
- name: Perform user management
hosts: debian frab brunn
become: true
tags: [user_mgmt]
roles:
- user_mgmt

5
wiki.yml
View file

@ -1,8 +1,7 @@
---
- name: Deploy MediaWiki
hosts:
- hosts:
- wiki
become: true
become: yes
roles:
- mediawiki
- certbot