-rw-r--r--roles/asterisk/README.md6
-rw-r--r--roles/asterisk/vars/main.yml5
-rw-r--r--roles/freeipa_server/README.md5
-rw-r--r--roles/freeipa_server/vars/main.yml7
-rw-r--r--roles/gathio/README.md52
-rw-r--r--roles/gathio/defaults/main.yml1
-rw-r--r--roles/gathio/vars/main.yml2
-rw-r--r--roles/getcert_request/README.md48
-rw-r--r--roles/gitolite/README.md54
-rw-r--r--roles/gitolite/defaults/main.yml1
-rw-r--r--roles/grub/README.md32
-rw-r--r--roles/gssproxy_client/README.md50
-rw-r--r--roles/hastebin/README.md52
-rw-r--r--roles/hastebin/defaults/main.yml5
-rw-r--r--roles/hastebin/vars/main.yml1
-rw-r--r--roles/hostname/README.md30
-rw-r--r--roles/hostname/defaults/main.yml2
-rw-r--r--roles/invidious/README.md74
-rw-r--r--roles/invidious/defaults/main.yml2
-rw-r--r--roles/invidious/templates/opt/invidious/invidious/config/config.yml.j23
-rw-r--r--roles/invidious/vars/main.yml1
21 files changed, 419 insertions, 14 deletions
diff --git a/roles/asterisk/README.md b/roles/asterisk/README.md
index d6870c2..e3a03da 100644
--- a/roles/asterisk/README.md
+++ b/roles/asterisk/README.md
@@ -139,9 +139,9 @@ Key | Default | Description
This role **exports** the following variables:
-Variable | Description
---------------------|------------
-`asterisk_data_dir` | Path to asterisk data files (voicemails, etc)
+Variable | Description
+-------------------------|------------
+`asterisk_archive_shell` | Shell command for generating tarball of Asterisk data
Usage
diff --git a/roles/asterisk/vars/main.yml b/roles/asterisk/vars/main.yml
index c4bf58a..4d99390 100644
--- a/roles/asterisk/vars/main.yml
+++ b/roles/asterisk/vars/main.yml
@@ -18,3 +18,8 @@ asterisk_https_certificate_key_path: /etc/pki/tls/private/asterisk-https.key
asterisk_ca_file: /etc/pki/tls/certs/ca-bundle.crt
asterisk_data_dir: /var/spool/asterisk
+
+asterisk_archive_shell: >-
+ TIMESTAMP=$(date +%Y%m%d%H%M%S);
+ tar czf "asterisk-${TIMESTAMP}.tar.gz"
+ --transform "s|^\.|asterisk-${TIMESTAMP}|" -C {{ asterisk_data_dir }} .
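Review bot: `-C {{ asterisk_data_dir }}` interpolates the directory path without the `quote` filter, unlike `freeipa_archive_shell` in the same commit, which renders `{{ freeipa_backup_dir | quote }}`; a path containing whitespace or shell metacharacters would be word-split or interpreted by the shell that runs the snippet. Writing `-C {{ asterisk_data_dir | quote }} .` keeps the two exported shell snippets consistent, and the risk is low today only because the variable is fixed to `/var/spool/asterisk` in this same vars file. The tarball is written to the working directory of whatever task executes the value; that contract is not stated in the README hunk above, so a one-line comment such as `# Exported snippet; writes asterisk-<timestamp>.tar.gz into the caller's cwd` would help the next consumer.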
diff --git a/roles/freeipa_server/README.md b/roles/freeipa_server/README.md
index e4bb42f..99a436c 100644
--- a/roles/freeipa_server/README.md
+++ b/roles/freeipa_server/README.md
@@ -41,6 +41,11 @@ Variable | Default | Descripti
`freeipa_admin_password_expiration` | 20310130235959 | Password expiration time for `admin` account (YYYYMMDDHHMMSS)
`freeipa_default_login_shell` | `/bin/bash` | Default user login shell
+This role **exports** the following variables:
+
+Variable | Description
+------------------------|------------
+`freeipa_archive_shell` | Shell command to generate IPA backup tarball
Usage
-----
diff --git a/roles/freeipa_server/vars/main.yml b/roles/freeipa_server/vars/main.yml
index 89657e7..392a7a0 100644
--- a/roles/freeipa_server/vars/main.yml
+++ b/roles/freeipa_server/vars/main.yml
@@ -63,3 +63,10 @@ freeipa_log_files:
severity: error
freeipa_custom_schema_dir: /usr/local/share/dirsrv/schema
+
+freeipa_archive_shell: >-
+ ipa-backup &&
+ find {{ freeipa_backup_dir | quote }} -mindepth 1 -maxdepth 1 -type d
+ -exec cp --preserve=timestamps -vr {} . \;
+ -exec rm -vrf {} \; &&
+ find . -mindepth 1 -type d -exec chmod -v 770 {} +
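Review bot: The `&&` chain cannot detect a failed copy, because `find` exits 0 even when a command run through `-exec` fails; a non-zero `cp` only makes that predicate false, so `rm` is skipped for that directory but the trailing `chmod` still runs and the snippet as a whole reports success with an incomplete backup left behind. A loop that propagates the error would be `for d in {{ freeipa_backup_dir | quote }}/*/; do cp --preserve=timestamps -vr "$d" . && rm -vrf "$d" || exit 1; done`, keeping the same copy-then-delete semantics. Separately, `chmod -v 770` widens group access on directories holding an `ipa-backup` tree, which contains directory-server and KDC material; the intended owning group is not visible here, so a comment naming it (and why group access is needed) would make the permission choice reviewable. The snippet is consumed outside this hunk, so the working directory it copies into is not visible either.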
diff --git a/roles/gathio/README.md b/roles/gathio/README.md
new file mode 100644
index 0000000..16ac169
--- /dev/null
+++ b/roles/gathio/README.md
@@ -0,0 +1,52 @@
+Gathio
+======
+
+Description
+-----------
+
+The `gathio` role installs and configures [Gathio](https://github.com/lowercasename/gathio),
+a web application for managing public events.
+
+This role configures the NodeJS application only; it does not configure a reverse
+proxy.
+
+
+Variables
+---------
+
+This role **accepts** the following variables:
+
+Variable | Default | Description
+----------------------|-------------------------------------|------------
+`gathio_version` | `master` | Git version to install
+`gathio_port` | 8080 | Local listening port
+`gathio_from_address` | `events-noreply@{{ email_domain }}` | Email `From:` address for event notifications
+`gathio_server_name` | `{{ ansible_fqdn }}` | Canonical HTTP hostname
+`gathio_site_name` | `gathio` | Site name used for page titles
+
+This role **exports** the following variables:
+
+Variable | Description
+-----------------------|------------
+`gathio_apache_config` | Apache config block to configure a reverse proxy
+
+Usage
+-----
+
+Example playbook:
+
+````yaml
+- hosts: gathio_servers
+ roles:
+ - role: gathio
+ gathio_port: 8080
+ gathio_from_address: events-noreply@example.com
+ gathio_site_name: Example Org Events
+ gathio_server_name: events.example.com
+
+ - role: apache_vhost
+ apache_server_name: '{{ gathio_server_name }}'
+ apache_server_aliases: []
+ apache_letsencrypt: yes
+ apache_config: '{{ gathio_apache_config }}'
+````
diff --git a/roles/gathio/defaults/main.yml b/roles/gathio/defaults/main.yml
index 5a6aa8c..fad7276 100644
--- a/roles/gathio/defaults/main.yml
+++ b/roles/gathio/defaults/main.yml
@@ -1,5 +1,4 @@
gathio_version: master
-gathio_user: gathio
gathio_port: 8080
gathio_from_address: 'events-noreply@{{ email_domain }}'
gathio_server_name: '{{ ansible_fqdn }}'
diff --git a/roles/gathio/vars/main.yml b/roles/gathio/vars/main.yml
index 59854fd..5d2f6d6 100644
--- a/roles/gathio/vars/main.yml
+++ b/roles/gathio/vars/main.yml
@@ -10,6 +10,8 @@ gathio_git_repo: https://github.com/lowercasename/gathio
gathio_home: /var/lib/gathio
gathio_install_dir: '{{ gathio_home }}/gathio'
+gathio_user: gathio
+
gathio_apache_config: |
{{ apache_proxy_config }}
ProxyPass / http://127.0.0.1:{{ gathio_port }}/
diff --git a/roles/getcert_request/README.md b/roles/getcert_request/README.md
new file mode 100644
index 0000000..024527a
--- /dev/null
+++ b/roles/getcert_request/README.md
@@ -0,0 +1,48 @@
+getcert-request
+===============
+
+Description
+-----------
+
+The `getcert_request` role retrieves a TLS certificate from FreeIPA via the
+`getcert` command. It uses [Certmonger](https://www.freeipa.org/page/Certmonger)
+to track certificate renewals.
+
+
+Variables
+---------
+
+This role **accepts** the following variables:
+
+Variable | Default | Description
+-------------------------|-------------------------------------|------------
+`certificate_sans` | `{{ [ansible_fqdn] + cnames }}` | Subject Alternative Names
+`certificate_service` | `HTTP` | FreeIPA service prinicpal to own certificate (will be created)
+`certificate_type` | `rsa` | Either `ecdsa` or `rsa`
+`certificate_size` | 2048 | RSA key size (bits)
+`certificate_path` |   | Path of store certificate file
+`certificate_key_path` |   | Path of certificate key file
+`certificate_owner` | `root` | Owner of certificate files (or `owner:group`)
+`certificate_mode` | 0400 | File mode of certificate files
+`certificate_hook` |   | Command to `exec` after certificate renewal
+`certificate_resubmit` | no | Resubmit the certificate request, even if certificate file already exists
+`certificate_hook_name` | `{{ certificate_path | basename }}` | Filename of generated hook script (you probably don't need to change this)
+
+
+Usage
+-----
+
+Example task:
+
+````yaml
+- name: request internal TLS certificate
+ include_role:
+ name: getcert_request
+ vars:
+ certificate_sans:
+ - wiki1.ipa.example.com
+ - wiki.ipa.example.com
+ certificate_path: /etc/pki/tls/certs/wiki1.crt
+ certificate_key_path: /etc/pki/tls/private/wiki1.key
+ certificate_hook: systemctl reload httpd
+````
diff --git a/roles/gitolite/README.md b/roles/gitolite/README.md
new file mode 100644
index 0000000..ac7688f
--- /dev/null
+++ b/roles/gitolite/README.md
@@ -0,0 +1,54 @@
+Gitolite
+========
+
+Description
+-----------
+
+The `gitolite` role installs [Gitolite](https://gitolite.com/gitolite/index.html),
+an access control layer for Git repositories.
+
+Users are able to authenticate to Git using Kerberos/GSSAPI over HTTP, or via
+the SSH key associated with their FreeIPA user account. In addition, Git access
+can be restricted based on FreeIPA group memberships.
+
+This role does not configure a webserver. Configuring Apache to support
+HTTP-based clones alongside [cgit](../cgit/) is nontrivial; check out the
+[git playbook](../../playbooks/git.yml) for how it's done.
+
+
+Variables
+---------
+
+This role **accepts** the following variables:
+
+Variable | Default | Description
+------------------------|-------------------|------------
+`gitolite_ssh_user` | `git` | Name of Git SSH user
+`gitolite_admin_group` | `role-git-admin` | FreeIPA group allowed to modify `gitolite-admin` repo (will be created)
+`gitolite_access_group` | `role-git-access` | FreeIPA group of users allowed to access Gitolite (will be created)
+`gitolite_freeipa_user` | `s-gitolite` | FreeIPA user for Gitolite LDAP queries (will be created)
+`gitolite_anon_user` | `nobody` | Gitolite username mapped to anonymous Git requests
+
+This role **exports** the following variables:
+
+Variable | Description
+-------------------------|------------
+`gitolite_user` | Local Unix user that owns Gitolite directory
+`gitolite_home` | Path to Gitolite directory
+`gitolite_cgi_script` | Path to Gitolite CGI script
+`gitolite_archive_shell` | Shell command to archive Giolite repositories
+
+Usage
+-----
+
+Example playbook:
+
+````yaml
+- hosts: git_servers
+ roles:
+ - role: gitolite
+ vars:
+ gitolite_ssh_user: git
+ gitolite_admin_group: git-admins
+ gitolite_access_group: git-users
+````
diff --git a/roles/gitolite/defaults/main.yml b/roles/gitolite/defaults/main.yml
index d653bcf..e61c44f 100644
--- a/roles/gitolite/defaults/main.yml
+++ b/roles/gitolite/defaults/main.yml
@@ -3,4 +3,3 @@ gitolite_admin_group: role-git-admin
gitolite_access_group: role-git-access
gitolite_anon_user: nobody
gitolite_freeipa_user: s-gitolite
-gitolite_uid: 1993
diff --git a/roles/grub/README.md b/roles/grub/README.md
new file mode 100644
index 0000000..d8a9b36
--- /dev/null
+++ b/roles/grub/README.md
@@ -0,0 +1,32 @@
+Grub
+====
+
+Description
+-----------
+
+The `grub` role sets the Grub prompt timeout and the default Linux kernel
+command line.
+
+Variables
+---------
+
+This role **accepts** the following variables:
+
+Variable | Default | Description
+---------------|---------|------------
+`grub_timeout` | 1 | Grub menu timeout (seconds)
+`grub_cmdline` |   | Kernel command line
+
+Usage
+-----
+
+Example playbook:
+
+````yaml
+- hosts: proxmox_instances
+ roles:
+ - role: grub
+ vars:
+ grub_timeout: 1
+ grub_cmdline: console=ttyS0,115200n8 no_timer_check net.ifnames=0
+````
diff --git a/roles/gssproxy_client/README.md b/roles/gssproxy_client/README.md
new file mode 100644
index 0000000..777664e
--- /dev/null
+++ b/roles/gssproxy_client/README.md
@@ -0,0 +1,50 @@
+Gssproxy Client
+===============
+
+Description
+-----------
+
+The `gssproxy_client` role configures a [gssproxy](https://github.com/gssapi/gssproxy)
+service. `gssproxy` is a privileged middleware daemon that keeps track of
+Kerberos keytabs and credential caches on behalf of unprivileged applications.
+
+When an application needs a keytab (either to provide Kerberized services or
+act as a Kerberos client), we prefer to use `gssproxy` rather than give the
+application direct access to the keytab. `gssproxy` provides an extra layer of
+security by allowing applications to use the keytab for authentication without
+reading its contents.
+
+Variables
+---------
+
+This role **accepts** the following variables:
+
+Variable | Default | Description
+-------------------------|---------|------------
+`gssproxy_name` |   | Config file name
+`gssproxy_priority` | 50 | Config file priority
+`gssproxy_section` |   | INI section name within config file
+`gssproxy_client_keytab` |   | Path to client keytab
+`gssproxy_keytab` |   | Path to acceptor keytab
+`gssproxy_euid` |   | For client processes, match the given effective UID
+`gssproxy_program` |   | For client processes, match the given executable
+`gssproxy_cred_usage` | both | Either `accept`, `initiate`, or `both`
+
+
+Usage
+-----
+
+Example task:
+
+````yaml
+- name: configure gssproxy for kerberized HTTP
+ include_role:
+ name: gssproxy_client
+ vars:
+ gssproxy_name: httpd
+ gssproxy_section: service/HTTP
+ gssproxy_keytab: /var/lib/gssproxy/clients/apache.keytab
+ gssproxy_cred_usage: accept
+ gssproxy_euid: apache
+ gssproxy_program: /usr/sbin/httpd
+````
diff --git a/roles/hastebin/README.md b/roles/hastebin/README.md
new file mode 100644
index 0000000..7351679
--- /dev/null
+++ b/roles/hastebin/README.md
@@ -0,0 +1,52 @@
+Hastebin
+========
+
+Description
+-----------
+
+The `hastebin` role installs and configures [Hastebin](https://github.com/toptal/haste-server),
+an open source pastebin.
+
+This role configures the NodeJS application only; it does not configure a reverse
+proxy.
+
+
+Variables
+---------
+
+This role **accepts** the following variables:
+
+Variable | Default | Description
+--------------------------|----------|------------
+`hastebin_version` | `master` | Git version to install
+`hastebin_upload_cidrs` | `[]` | List of CIDRS from which to allow new pastes
+`hastebin_port` | 8080 | Local listening port
+`hastebin_expire_days` | 0 | Paste expiration time (days, 0 to disable)
+
+This role **exports** the following variables:
+
+Variable | Description
+-------------------------|------------
+`hastebin_apache_config` | Apache config block to configure a reverse proxy
+`hastebin_archive_shell` | Shell command to create tarball of hastebin data
+
+Usage
+-----
+
+Example playbook:
+
+````yaml
+- hosts: hastebin_servers
+ roles:
+ - role: hastebin
+ hastebin_port: 8080
+ hastebin_upload_cidrs:
+ - 10.10.10.0/24
+ hastebin_expire_days: 30
+
+ - role: apache_vhost
+ apache_server_name: hastebin.example.com
+ apache_server_aliases: []
+ apache_letsencrypt: yes
+ apache_config: '{{ hastebin_apache_config }}'
+````
diff --git a/roles/hastebin/defaults/main.yml b/roles/hastebin/defaults/main.yml
index adbe279..56f2303 100644
--- a/roles/hastebin/defaults/main.yml
+++ b/roles/hastebin/defaults/main.yml
@@ -1,9 +1,4 @@
hastebin_version: master
-hastebin_server_aliases: []
-hastebin_letsencrypt: no
hastebin_upload_cidrs: []
hastebin_port: 8080
-
hastebin_expire_days: 0
-
-hastebin_user: hastebin
diff --git a/roles/hastebin/vars/main.yml b/roles/hastebin/vars/main.yml
index cfb474b..c931a87 100644
--- a/roles/hastebin/vars/main.yml
+++ b/roles/hastebin/vars/main.yml
@@ -2,6 +2,7 @@ hastebin_packages:
- git
- nodejs
+hastebin_user: hastebin
hastebin_home: /var/lib/hastebin
hastebin_install_dir: '{{ hastebin_home }}/haste-server'
hastebin_data_dir: '{{ hastebin_home }}/data'
diff --git a/roles/hostname/README.md b/roles/hostname/README.md
new file mode 100644
index 0000000..057bce0
--- /dev/null
+++ b/roles/hostname/README.md
@@ -0,0 +1,30 @@
+Hostname
+========
+
+Description
+-----------
+
+The `hostname` role sets the local hostname and generates `/etc/hosts`.
+
+Variables
+---------
+
+This role **accepts** the following variables:
+
+Variable | Default | Description
+-----------------|-----------------------------------------|------------
+`hostname_fqdn` | `{{ inventory_hostname }}.{{ domain }}` | Fully qualified domain name
+`hostname_short` | `{{ inventory_hostname }}` | Short hostname
+`hostname_ip` | `{{ ip }}` | IPv4 address
+
+Usage
+-----
+
+Example playbook:
+
+````yaml
+- name: set hostname
+ hosts: all
+ roles:
+ - hostname
+````
diff --git a/roles/hostname/defaults/main.yml b/roles/hostname/defaults/main.yml
index c884565..8fc7757 100644
--- a/roles/hostname/defaults/main.yml
+++ b/roles/hostname/defaults/main.yml
@@ -1,3 +1,3 @@
-hostname_fqdn: '{{ fqdn }}'
+hostname_fqdn: '{{ inventory_hostname }}.{{ domain }}'
hostname_short: '{{ inventory_hostname }}'
hostname_ip: '{{ ip }}'
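Review bot: The new default `'{{ inventory_hostname }}.{{ domain }}'` produces a doubled suffix when `inventory_hostname` is already fully qualified, and fails with an undefined-variable error when `domain` is not set in the inventory; the previous `'{{ fqdn }}'` indirection did not have the first problem. If both inventory shapes are expected, `'{{ inventory_hostname if "." in inventory_hostname else inventory_hostname ~ "." ~ domain }}'` covers them; otherwise the README hunk above, which documents this default, should state that `inventory_hostname` must be the short name and that `domain` is required.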
diff --git a/roles/invidious/README.md b/roles/invidious/README.md
new file mode 100644
index 0000000..8c593de
--- /dev/null
+++ b/roles/invidious/README.md
@@ -0,0 +1,74 @@
+Invidious
+=========
+
+Description
+-----------
+
+The `invidious` role builds and configures the [Invidious](https://invidious.io/)
+YouTube frontend. It also installs a script to automatically update Invidious
+periodically.
+
+This role configures the application only; it does not configure a reverse
+proxy.
+
+
+Variables
+---------
+
+This role **accepts** the following variables:
+
+Variable | Default | Description
+--------------------------------------|---------------------------------------|------------
+`invidious_version` | `master` | Git version to build
+`invidious_crystal_version` | see [default vars](defaults/main.yml) | Crystal version to install
+`invidious_server_name` | `{{ ansible_fqdn }}` | Canonical HTTP hostname
+`invidious_port` | 8080 | Local listening port
+`invidious_db_user` | `s-invidious` | Database user (will be created)
+`invidious_db_password` |   | Database password
+`invidious_db_name` | `invidious` | Database name (will be created)
+`invidious_db_host` | `{{ postgresql_host }}` | PostgreSQL host
+`invidious_db_cleanup_on_calendar` | `weekly` | Systemd [calendar interval](https://www.freedesktop.org/software/systemd/man/systemd.time.html#Calendar%20Events) for pruning database
+`invidious_update_on_calendar` | `weekly` | Systemd [calendar interval](https://www.freedesktop.org/software/systemd/man/systemd.time.html#Calendar%20Events) for updating Invidious
+`invidious_channel_threads` | 1 | Number of threads to use when updating channels
+`invidious_feed_threads` | 1 | Number of threads to use when updating RSS feeds
+`invidious_registration_enabled` | yes | Enable new user registration
+`invidious_popular_enabled` | no | Enable "Popular" page for this instance
+`invidious_full_refresh` | no | Forcefully re-download entire channel when updating
+`invidious_use_pubsub_feeds` | no | Subscribe to channel updates via PubSub (instance must be publicly reachable)
+`invidious_hmac_key` |   | PubSub HMAC key
+`invidious_default_locale` | `en-US` | Default locale
+`invidious_default_region` | `US` | Default region
+`invidious_default_dark_mode` | `auto` | Default dark mode setting (either `dark`, `light`, or `auto`)
+`invidious_default_autoplay` | no | Autoplay videos by default
+`invidious_default_continue` | yes | Load next video by default
+`invidious_default_continue_autoplay` | no | Autoplay next video by default
+`invidious_default_local` | yes | Proxy videos through instance by default
+`invidious_default_quality` | `dash` | Default video quality (either `dash`, `hd720`, `medium`, or `small`)
+`invidious_default_quality_dash` | `1080p` | Default `dash` video quality (either `auto`, `best`, `worst`, `1440p`, `1080p`, etc)
+`invidious_default_related_videos` | yes | Show related videos by default
+`invidious_default_video_loop` | no | Loop videos by default
+`invidious_default_player_style` | `invidious` | Default player style (either `invidious` or `youtube`)
+`invidious_default_home` | `Subscriptions` | Default home page (either `Popular`, `Trending`, `Subscriptions`, or `Playlists`)
+`invidious_feed_menu` | `['Subscriptions', 'Playlists']` | Feeds to show on the home page (choose from `Popular`, `Trending`, `Subscriptions`, and `Playlists`)
+
+
+This role **exports** the following variables:
+
+Variable | Description
+--------------------------|------------
+`invidious_apache_config` | Apache config block for reverse proxy
+
+Usage
+-----
+
+Example playbook:
+
+````yaml
+- hosts: invidious_servers
+ roles:
+ - role: invidious
+ vars:
+ invidious_db_host: postgres.ipa.example.com
+ invidious_db_password: s3cret
+ invidious_default_local: no
+````
diff --git a/roles/invidious/defaults/main.yml b/roles/invidious/defaults/main.yml
index 01ad9b1..a011158 100644
--- a/roles/invidious/defaults/main.yml
+++ b/roles/invidious/defaults/main.yml
@@ -3,7 +3,6 @@ invidious_crystal_version: 1.5.0-1
invidious_server_name: '{{ ansible_fqdn }}'
invidious_port: 8080
-invidious_user: invidious
invidious_db_user: s-invidious
invidious_db_name: invidious
invidious_db_host: '{{ postgresql_host }}'
@@ -13,7 +12,6 @@ invidious_update_on_calendar: weekly
invidious_channel_threads: 1
invidious_feed_threads: 1
-invidious_admin_email: 'root@{{ email_domain }}'
invidious_registration_enabled: yes
invidious_popular_enabled: no
invidious_full_refresh: no
diff --git a/roles/invidious/templates/opt/invidious/invidious/config/config.yml.j2 b/roles/invidious/templates/opt/invidious/invidious/config/config.yml.j2
index e74caee..d35a819 100644
--- a/roles/invidious/templates/opt/invidious/invidious/config/config.yml.j2
+++ b/roles/invidious/templates/opt/invidious/invidious/config/config.yml.j2
@@ -5,10 +5,11 @@ channel_threads: {{ invidious_channel_threads }}
feed_threads: {{ invidious_channel_threads }}
database_url: postgres://{{ invidious_db_user }}:{{ invidious_db_password}}@{{ invidious_db_host }}/{{ invidious_db_name }}?sslmode=verify-full
use_pubsub_feeds: {{ invidious_use_pubsub_feeds }}
+{% if invidious_use_pubsub_feeds %}
hmac_key: {{ invidious_hmac_key }}
+{% endif %}
https_only: true
registration_enabled: {{ invidious_registration_enabled }}
-admin_email: {{ invidious_admin_email }}
port: {{ invidious_port }}
host_binding: 127.0.0.1
popular_enabled: {{ invidious_popular_enabled }}
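Review bot: The now-conditional `hmac_key: {{ invidious_hmac_key }}` is still emitted as a plain YAML scalar, so a key that begins with a YAML indicator, contains ` #`, or consists only of digits would be retyped or fail to parse when Invidious loads the config; rendering it as a quoted string, `hmac_key: {{ invidious_hmac_key | to_json }}`, avoids that for any key value. The `database_url` context line has the same exposure for the password, which is interpolated raw into both a URL and an unquoted scalar; `{{ invidious_db_password | urlencode }}` would keep `@`, `/` and ` #` from corrupting either. Not introduced by this commit but visible in the hunk's context: `feed_threads` is rendered from `invidious_channel_threads`, while the README in this same commit documents `invidious_feed_threads` as a separate variable, so `feed_threads: {{ invidious_feed_threads }}` looks like the intended line.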
diff --git a/roles/invidious/vars/main.yml b/roles/invidious/vars/main.yml
index 36ca643..0f1c322 100644
--- a/roles/invidious/vars/main.yml
+++ b/roles/invidious/vars/main.yml
@@ -13,6 +13,7 @@ invidious_packages:
- git
- python3-psycopg2
+invidious_user: invidious
invidious_git_repo: https://github.com/iv-org/invidious
invidious_home: /opt/invidious
invidious_install_dir: '{{ invidious_home }}/invidious'