commit b19bf2520ed8d486c421f2601c3f87ea415a527e Author: Christian Fraß Date: Mon Nov 20 02:07:08 2023 +0100 [ini] diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..e82584a --- /dev/null +++ b/.editorconfig @@ -0,0 +1,27 @@ +# see https://EditorConfig.org + +root = true + +[*] +charset = utf-8 +end_of_line = lf +indent_size = tab +indent_style = tab +tab_width = 4 +insert_final_newline = true +max_line_length = 80 +trim_trailing_whitespace = true +curly_bracket_next_line = false +indent_brace_style = K&R +spaces_around_operators = true +spaces_around_brackets = false +quote_type = double + +[*.y{,a}ml{,lint}] +indent_style = space +indent_size = 2 + +[*.md] +indent_style = space +indent_size = 2 + diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..dfd500f --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.geany diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 0000000..108f165 --- /dev/null +++ b/.gitlab-ci.yml @@ -0,0 +1,5 @@ +syntaxcheck: + image: docker.io/library/alpine:3.18 + script: + - apk update && apk add bash python3 + - tools/check-json-syntax diff --git a/ansible/roles/acme-inwx/defaults/main.json b/ansible/roles/acme-inwx/defaults/main.json new file mode 100644 index 0000000..2c63c08 --- /dev/null +++ b/ansible/roles/acme-inwx/defaults/main.json @@ -0,0 +1,2 @@ +{ +} diff --git a/ansible/roles/acme-inwx/tasks/main.json b/ansible/roles/acme-inwx/tasks/main.json new file mode 100644 index 0000000..0d4f101 --- /dev/null +++ b/ansible/roles/acme-inwx/tasks/main.json @@ -0,0 +1,2 @@ +[ +] diff --git a/ansible/roles/acme/defaults/main.json b/ansible/roles/acme/defaults/main.json new file mode 100644 index 0000000..ed04c06 --- /dev/null +++ b/ansible/roles/acme/defaults/main.json @@ -0,0 +1,9 @@ +{ + "var_acme_domain_base": "REPLACE_ME", + "var_acme_domain_path": "REPLACE_ME", + "var_acme_acme_account_email": "REPLACE_ME", + "var_acme_inwx_username": "REPLACE_ME", + "var_acme_inwx_password": "REPLACE_ME", + "var_acme_ssl_directory": "/etc/ssl" +} + diff --git a/ansible/roles/acme/info.md b/ansible/roles/acme/info.md new file mode 100644 index 0000000..b7ef31e --- /dev/null +++ b/ansible/roles/acme/info.md @@ -0,0 +1,15 @@ +## Beschreibung + +- zum Erstellen von TLS-Zertifikaten mittels [Let's Encrypt](https://de.m.wikipedia.org/wiki/Let%E2%80%99s_Encrypt) + + +## Besonderheiten + +- derzeit nur für DNS-Challenge ausgelegt + + +## Verweise + +- https://letsencrypt.org/docs/client-options/ +- https://docs.ansible.com/ansible/latest/collections/community/crypto/openssl_csr_module.html +- https://docs.ansible.com/ansible/latest/collections/community/crypto/acme_certificate_module.html diff --git a/ansible/roles/acme/tasks/main.json b/ansible/roles/acme/tasks/main.json new file mode 100644 index 0000000..560c204 --- /dev/null +++ b/ansible/roles/acme/tasks/main.json @@ -0,0 +1,91 @@ +[ + { + "name": "packages", + "become": true, + "ansible.builtin.apt": { + "state": "present", + "pkg": [ + "openssl" + ] + } + }, + { + "name": "create signing request", + "community.crypto.openssl_csr": { + "state": "present", + "common_name": "{{var_acme_domain_path}}.{{var_acme_domain_base}}", + "path": "{{var_acme_ssl_directory}}/csr/{{var_acme_domain_path}}.{{var_acme_domain_base}}.pem" + } + }, + { + "name": "init", + "community.crypto.acme_certificate": { + "acme_version": 1, + "account_email": "{{var_acme_acme_account_email}}", + "path": "{{var_acme_ssl_directory}}/csr/{{var_acme_domain_path}}.{{var_acme_domain_base}}.pem", + "challenge": "dns-01", + "dest": "{{var_acme_ssl_directory}}/certs/{{var_acme_domain_path}}.{{var_acme_domain_base}}.pem", + "fullchain_dest": "{{var_acme_ssl_directory}}/fullchains/{{var_acme_domain_path}}.{{var_acme_domain_base}}.pem" + }, + "register": "temp_acme_data" + }, + { + "name": "dns challenge | login", + "ansible.builtin.uri": { + "url": "https://api.domrobot.com/jsonrpc/", + "method": "POST", + "headers": { + "Content-Type": "application/json" + }, + "body_format": "json", + "body": { + "method": "account.login", + "params": { + "user": "{{var_acme_inwx_username}}", + "pass": "{{var_acme_inwx_password}}" + } + } + }, + "register": "temp_inwx_login_result" + }, + { + "name": "dns challenge | execute", + "ansible.builtin.uri": { + "url": "https://api.domrobot.com/jsonrpc/", + "method": "POST", + "headers": { + "Content-Type": "application/json", + "Cookie": "{{var_acme_temp_inwx_login_result._accesstoken}}" + }, + "body_format": "json", + "body": { + "method": "nameserver.updateRecord", + "params": { + "domain": "{{var_acme_domain_base}}", + "name": "_acme_challenge.{{var_acme_domain_path}}", + "type": "TXT", + "content": "{{var_acme_temp_acme_data.challenge_data['sample.com']['dns-01'].record}}" + } + } + } + }, + { + "name": "dns challenge | wait", + "ansible.builtin.pause": { + "second": 60 + } + }, + { + "name": "finalize", + "community.crypto.acme_certificate": { + "data": "{{var_acme_temp_acme_data}}", + "acme_version": 1, + "account_email": "{{var_acme_acme_account_email}}", + "path": "{{var_acme_ssl_directory}}/csr/{{var_acme_domain_path}}.{{var_acme_domain_base}}.pem", + "challenge": "dns-01", + "dest": "{{var_acme_ssl_directory}}/certs/{{var_acme_domain_path}}.{{var_acme_domain_base}}.pem", + "fullchain_dest": "{{var_acme_ssl_directory}}/fullchains/{{var_acme_domain_path}}.{{var_acme_domain_base}}.pem" + } + } +] + diff --git a/ansible/roles/element-with-nginx/defaults/main.json b/ansible/roles/element-with-nginx/defaults/main.json new file mode 100644 index 0000000..c68e4d6 --- /dev/null +++ b/ansible/roles/element-with-nginx/defaults/main.json @@ -0,0 +1,4 @@ +{ + "var_element_with_nginx_domain": "element.example.org", + "var_element_with_nginx_path": "/opt/element" +} diff --git a/ansible/roles/element-with-nginx/tasks/main.json b/ansible/roles/element-with-nginx/tasks/main.json new file mode 100644 index 0000000..efaec23 --- /dev/null +++ b/ansible/roles/element-with-nginx/tasks/main.json @@ -0,0 +1,35 @@ +[ + { + "name": "deactivate default site", + "become": true, + "ansible.builtin.file": { + "state": "absent", + "dest": "/etc/nginx/sites-enabled/default" + } + }, + { + "name": "emplace configuration | data", + "become": true, + "ansible.builtin.template": { + "src": "conf.j2", + "dest": "/etc/nginx/sites-available/{{var_element_with_nginx_domain}}" + } + }, + { + "name": "emplace configuration | link", + "become": true, + "ansible.builtin.file": { + "state": "link", + "src": "/etc/nginx/sites-available/{{var_element_with_nginx_domain}}", + "dest": "/etc/nginx/sites-enabled/{{var_element_with_nginx_domain}}" + } + }, + { + "name": "restart nginx", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "nginx" + } + } +] diff --git a/ansible/roles/element-with-nginx/templates/conf.j2 b/ansible/roles/element-with-nginx/templates/conf.j2 new file mode 100644 index 0000000..90b65ff --- /dev/null +++ b/ansible/roles/element-with-nginx/templates/conf.j2 @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + listen 443 ssl; + listen [::]:443 ssl; + + server_name {{var_element_with_nginx_domain}}; + + ssl_certificate /etc/ssl/certs/{{var_element_with_nginx_domain}}.pem; + ssl_certificate_key /etc/ssl/private/{{var_element_with_nginx_domain}}.pem; + + root {{var_element_with_nginx_path}}; +} diff --git a/ansible/roles/element/defaults/main.json b/ansible/roles/element/defaults/main.json new file mode 100644 index 0000000..cfc3f48 --- /dev/null +++ b/ansible/roles/element/defaults/main.json @@ -0,0 +1,6 @@ +{ + "var_element_version": "v1.11.47", + "var_element_path": "/opt/element", + "var_element_matrix_baseurl": "https://matrix.example.org", + "var_element_server_name": "REPLACE_ME" +} diff --git a/ansible/roles/element/tasks/main.json b/ansible/roles/element/tasks/main.json new file mode 100644 index 0000000..d6d4eca --- /dev/null +++ b/ansible/roles/element/tasks/main.json @@ -0,0 +1,50 @@ +[ + { + "name": "download", + "ansible.builtin.get_url": { + "url": "https://github.com/vector-im/element-web/releases/download/{{var_element_version}}/element-{{var_element_version}}.tar.gz", + "dest": "/tmp/element.tar.gz" + } + }, + { + "name": "unlock destination", + "become": true, + "ansible.builtin.file": { + "state": "directory", + "dest": "/opt", + "mode": "0777" + } + }, + { + "name": "unpack", + "ansible.builtin.unarchive": { + "remote_src": true, + "src": "/tmp/element.tar.gz", + "dest": "/opt" + } + }, + { + "name": "place configuration", + "ansible.builtin.template": { + "src": "config.json.j2", + "dest": "/opt/element-{{var_element_version}}/config.json" + } + }, + { + "name": "link", + "ansible.builtin.file": { + "state": "link", + "src": "/opt/element-{{var_element_version}}", + "dest": "{{var_element_path}}" + } + }, + { + "name": "lock destination", + "become": true, + "ansible.builtin.file": { + "state": "directory", + "dest": "/opt", + "mode": "0555" + } + } +] diff --git a/ansible/roles/element/templates/config.json.j2 b/ansible/roles/element/templates/config.json.j2 new file mode 100644 index 0000000..947b706 --- /dev/null +++ b/ansible/roles/element/templates/config.json.j2 @@ -0,0 +1,11 @@ +{ + "default_server_config": { + "m.homeserver": { + "base_url": "{{var_element_matrix_baseurl}}", + "server_name": "{{var_element_server_name}}" + } + }, + "defaultCountryCode": "DE", + "default_federate": false, + "default_theme": "dark" +} diff --git a/ansible/roles/hydra/defaults/main.json b/ansible/roles/hydra/defaults/main.json new file mode 100644 index 0000000..79c97a8 --- /dev/null +++ b/ansible/roles/hydra/defaults/main.json @@ -0,0 +1,5 @@ +{ + "var_hydra_directory": "/opt", + "var_hydra_name": "hydra", + "var_hydra_secrets_system": "REPLACE_ME" +} diff --git a/ansible/roles/hydra/tasks/main.json b/ansible/roles/hydra/tasks/main.json new file mode 100644 index 0000000..9fb0cb6 --- /dev/null +++ b/ansible/roles/hydra/tasks/main.json @@ -0,0 +1,53 @@ +[ + { + "name": "unlock destination", + "become": true, + "ansible.builtin.file": { + "state": "directory", + "dest": "{{var_hydra_directory}}", + "mode": "0777" + } + }, + { + "name": "prepare directory", + "ansible.builtin.file": { + "state": "directory", + "path": "{{var_hydra_directory}}/{{var_hydra_name}}" + } + }, + { + "name": "download", + "ansible.builtin.get_url": { + "url": "https://raw.githubusercontent.com/ory/meta/master/install.sh", + "dest": "{{var_hydra_directory}}/{{var_hydra_name}}/install.sh" + } + }, + { + "name": "user", + "ansible.builtin.command": { + "chdir": "{{var_hydra_directory}}/{{var_hydra_name}}", + "cmd": "bash install.sh hydra" + } + }, + { + "name": "lock destination", + "become": true, + "ansible.builtin.file": { + "state": "directory", + "dest": "{{var_hydra_directory}}", + "mode": "0555" + } + }, + { + "name": "initialize database", + "ansible.builtin.shell": { + "cmd": "{{var_hydra_directory}}/{{var_hydra_name}}/bin/hydra migrate sql $(cat /etc/hydra/database) --yes" + } + }, + { + "name": "generate secret", + "ansible.builtin.shell": { + "cmd": "export LC_CTYPE=C; cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 > /etc/hydra/secrets_system" + } + } +] diff --git a/ansible/roles/lighttpd/defaults/main.json b/ansible/roles/lighttpd/defaults/main.json new file mode 100644 index 0000000..bfd870e --- /dev/null +++ b/ansible/roles/lighttpd/defaults/main.json @@ -0,0 +1,3 @@ +{ +} + diff --git a/ansible/roles/lighttpd/info.md b/ansible/roles/lighttpd/info.md new file mode 100644 index 0000000..2e8b440 --- /dev/null +++ b/ansible/roles/lighttpd/info.md @@ -0,0 +1,8 @@ +## Beschreibung + +- Einrichtung des Web-Servers [Lighttpd](https://www.lighttpd.net/) + + +## Verweise + +- [Wikipedia-Artikel](https://de.m.wikipedia.org/wiki/Lighttpd) diff --git a/ansible/roles/lighttpd/tasks/main.json b/ansible/roles/lighttpd/tasks/main.json new file mode 100644 index 0000000..5d8d887 --- /dev/null +++ b/ansible/roles/lighttpd/tasks/main.json @@ -0,0 +1,38 @@ +[ + { + "name": "install packages", + "become": true, + "ansible.builtin.apt": { + "pkg": [ + "lighttpd", + "lighttpd-mod-openssl" + ] + } + }, + { + "name": "activate openssl module | file", + "become": true, + "ansible.builtin.template": { + "src": "10-ssl-custom.conf.j2", + "dest": "/etc/lighttpd/conf-available/10-ssl-custom.conf" + } + }, + { + "name": "activate openssl module | link", + "become": true, + "ansible.builtin.file": { + "state": "link", + "src": "/etc/lighttpd/conf-available/10-ssl-custom.conf", + "dest": "/etc/lighttpd/conf-enabled/10-ssl-custom.conf" + } + }, + { + "name": "restart service", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "lighttpd" + } + } +] + diff --git a/ansible/roles/lighttpd/templates/10-ssl-custom.conf.j2 b/ansible/roles/lighttpd/templates/10-ssl-custom.conf.j2 new file mode 100644 index 0000000..ef55d22 --- /dev/null +++ b/ansible/roles/lighttpd/templates/10-ssl-custom.conf.j2 @@ -0,0 +1 @@ +server.modules += ( "mod_openssl" ) diff --git a/ansible/roles/nginx/defaults/main.json b/ansible/roles/nginx/defaults/main.json new file mode 100644 index 0000000..bfd870e --- /dev/null +++ b/ansible/roles/nginx/defaults/main.json @@ -0,0 +1,3 @@ +{ +} + diff --git a/ansible/roles/nginx/tasks/main.json b/ansible/roles/nginx/tasks/main.json new file mode 100644 index 0000000..d39c1e2 --- /dev/null +++ b/ansible/roles/nginx/tasks/main.json @@ -0,0 +1,20 @@ +[ + { + "name": "install packages", + "become": true, + "ansible.builtin.apt": { + "pkg": [ + "nginx" + ] + } + }, + { + "name": "restart service", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "nginx" + } + } +] + diff --git a/ansible/roles/postgresql-for-hydra/defaults/main.json b/ansible/roles/postgresql-for-hydra/defaults/main.json new file mode 100644 index 0000000..aa79bfd --- /dev/null +++ b/ansible/roles/postgresql-for-hydra/defaults/main.json @@ -0,0 +1,5 @@ +{ + "var_postgresql_for_hydra_username": "hydra_user", + "var_postgresql_for_hydra_password": "REPLACE_ME", + "var_postgresql_for_hydra_schema": "hydra" +} diff --git a/ansible/roles/postgresql-for-hydra/tasks/main.json b/ansible/roles/postgresql-for-hydra/tasks/main.json new file mode 100644 index 0000000..eacd2a0 --- /dev/null +++ b/ansible/roles/postgresql-for-hydra/tasks/main.json @@ -0,0 +1,61 @@ +[ + { + "name": "packages", + "become": true, + "ansible.builtin.apt": { + "pkg": [ + "acl" + ] + } + }, + { + "name": "user", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_user": { + "state": "present", + "name": "{{var_postgresql_for_hydra_username}}", + "password": "{{var_postgresql_for_hydra_password}}" + } + }, + { + "name": "schema", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_db": { + "state": "present", + "name": "{{var_postgresql_for_hydra_schema}}", + "owner": "{{var_postgresql_for_hydra_username}}", + "encoding": "UTF-8" + } + }, + { + "name": "rights", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_privs": { + "state": "present", + "db": "{{var_postgresql_for_hydra_schema}}", + "objs": "ALL_IN_SCHEMA", + "roles": "{{var_postgresql_for_hydra_username}}", + "privs": "ALL", + "grant_option": true + } + }, + { + "name": "start script | prepare directory", + "become": true, + "ansible.builtin.file": { + "state": "directory", + "path": "/etc/hydra" + } + }, + { + "name": "start script | emplace", + "become": true, + "ansible.builtin.template": { + "src": "dsn.j2", + "dest": "/etc/hydra/dsn" + } + } +] diff --git a/ansible/roles/postgresql-for-hydra/templates/dsn.j2 b/ansible/roles/postgresql-for-hydra/templates/dsn.j2 new file mode 100644 index 0000000..98b5b27 --- /dev/null +++ b/ansible/roles/postgresql-for-hydra/templates/dsn.j2 @@ -0,0 +1 @@ +postgres://{{var_postgresql_for_hydra_username}}:{{var_postgresql_for_hydra_password}}@localhost:5432/{{var_postgresql_for_hydra_schema}}?sslmode=disable diff --git a/ansible/roles/postgresql/defaults/main.json b/ansible/roles/postgresql/defaults/main.json new file mode 100644 index 0000000..abd9af3 --- /dev/null +++ b/ansible/roles/postgresql/defaults/main.json @@ -0,0 +1,5 @@ +{ + "var_postgresql_listen_address": "localhost", + "var_postgresql_port": "5432" +} + diff --git a/ansible/roles/postgresql/info.md b/ansible/roles/postgresql/info.md new file mode 100644 index 0000000..319d278 --- /dev/null +++ b/ansible/roles/postgresql/info.md @@ -0,0 +1,10 @@ +## Beschreibung + +- zum Einrichten des Datenbank-Servers [PostgreSQL](https://www.postgresql.org/) + + +## Verweise + +- [Ansible-Modul](https://docs.ansible.com/ansible/latest/collections/community/postgresql/index.html) +- [ubuntuusers-Wiki-Eintrag](https://wiki.ubuntuusers.de/PostgreSQL/) + diff --git a/ansible/roles/postgresql/tasks/main.json b/ansible/roles/postgresql/tasks/main.json new file mode 100644 index 0000000..b5d7a50 --- /dev/null +++ b/ansible/roles/postgresql/tasks/main.json @@ -0,0 +1,35 @@ +[ + { + "name": "install packages", + "become": true, + "ansible.builtin.apt": { + "pkg": [ + "postgresql" + ] + } + }, + { + "name": "get version", + "ansible.builtin.command": { + "cmd": "ls /etc/postgresql" + }, + "register": "temp_version_output" + }, + { + "name": "set port", + "become": true, + "ansible.builtin.template": { + "src": "postgresql.conf.j2", + "dest": "/etc/postgresql/{{temp_version_output.stdout}}/main/postgresql.conf" + } + }, + { + "name": "restart service", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "postgresql" + } + } +] + diff --git a/ansible/roles/postgresql/templates/postgresql.conf.j2 b/ansible/roles/postgresql/templates/postgresql.conf.j2 new file mode 100644 index 0000000..1b5c664 --- /dev/null +++ b/ansible/roles/postgresql/templates/postgresql.conf.j2 @@ -0,0 +1,815 @@ +# ----------------------------- +# PostgreSQL configuration file +# ----------------------------- +# +# This file consists of lines of the form: +# +# name = value +# +# (The "=" is optional.) Whitespace may be used. Comments are introduced with +# "#" anywhere on a line. The complete list of parameter names and allowed +# values can be found in the PostgreSQL documentation. +# +# The commented-out settings shown in this file represent the default values. +# Re-commenting a setting is NOT sufficient to revert it to the default value; +# you need to reload the server. +# +# This file is read on server startup and when the server receives a SIGHUP +# signal. If you edit the file on a running system, you have to SIGHUP the +# server for the changes to take effect, run "pg_ctl reload", or execute +# "SELECT pg_reload_conf()". Some parameters, which are marked below, +# require a server shutdown and restart to take effect. +# +# Any parameter can also be given as a command-line option to the server, e.g., +# "postgres -c log_connections=on". Some parameters can be changed at run time +# with the "SET" SQL command. +# +# Memory units: B = bytes Time units: us = microseconds +# kB = kilobytes ms = milliseconds +# MB = megabytes s = seconds +# GB = gigabytes min = minutes +# TB = terabytes h = hours +# d = days + + +#------------------------------------------------------------------------------ +# FILE LOCATIONS +#------------------------------------------------------------------------------ + +# The default values of these variables are driven from the -D command-line +# option or PGDATA environment variable, represented here as ConfigDir. + +data_directory = '/var/lib/postgresql/15/main' # use data in another directory + # (change requires restart) +hba_file = '/etc/postgresql/15/main/pg_hba.conf' # host-based authentication file + # (change requires restart) +ident_file = '/etc/postgresql/15/main/pg_ident.conf' # ident configuration file + # (change requires restart) + +# If external_pid_file is not explicitly set, no extra PID file is written. +external_pid_file = '/var/run/postgresql/15-main.pid' # write an extra PID file + # (change requires restart) + + +#------------------------------------------------------------------------------ +# CONNECTIONS AND AUTHENTICATION +#------------------------------------------------------------------------------ + +# - Connection Settings - + +listen_addresses = '{{var_postgresql_listen_address}}' # what IP address(es) to listen on; + # comma-separated list of addresses; + # defaults to 'localhost'; use '*' for all + # (change requires restart) +port = {{var_postgresql_port}} # (change requires restart) +max_connections = 100 # (change requires restart) +#superuser_reserved_connections = 3 # (change requires restart) +unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories + # (change requires restart) +#unix_socket_group = '' # (change requires restart) +#unix_socket_permissions = 0777 # begin with 0 to use octal notation + # (change requires restart) +#bonjour = off # advertise server via Bonjour + # (change requires restart) +#bonjour_name = '' # defaults to the computer name + # (change requires restart) + +# - TCP settings - +# see "man tcp" for details + +#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds; + # 0 selects the system default +#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds; + # 0 selects the system default +#tcp_keepalives_count = 0 # TCP_KEEPCNT; + # 0 selects the system default +#tcp_user_timeout = 0 # TCP_USER_TIMEOUT, in milliseconds; + # 0 selects the system default + +#client_connection_check_interval = 0 # time between checks for client + # disconnection while running queries; + # 0 for never + +# - Authentication - + +#authentication_timeout = 1min # 1s-600s +#password_encryption = scram-sha-256 # scram-sha-256 or md5 +#db_user_namespace = off + +# GSSAPI using Kerberos +#krb_server_keyfile = 'FILE:${sysconfdir}/krb5.keytab' +#krb_caseins_users = off + +# - SSL - + +ssl = on +#ssl_ca_file = '' +ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem' +#ssl_crl_file = '' +#ssl_crl_dir = '' +ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key' +#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers +#ssl_prefer_server_ciphers = on +#ssl_ecdh_curve = 'prime256v1' +#ssl_min_protocol_version = 'TLSv1.2' +#ssl_max_protocol_version = '' +#ssl_dh_params_file = '' +#ssl_passphrase_command = '' +#ssl_passphrase_command_supports_reload = off + + +#------------------------------------------------------------------------------ +# RESOURCE USAGE (except WAL) +#------------------------------------------------------------------------------ + +# - Memory - + +shared_buffers = 128MB # min 128kB + # (change requires restart) +#huge_pages = try # on, off, or try + # (change requires restart) +#huge_page_size = 0 # zero for system default + # (change requires restart) +#temp_buffers = 8MB # min 800kB +#max_prepared_transactions = 0 # zero disables the feature + # (change requires restart) +# Caution: it is not advisable to set max_prepared_transactions nonzero unless +# you actively intend to use prepared transactions. +#work_mem = 4MB # min 64kB +#hash_mem_multiplier = 2.0 # 1-1000.0 multiplier on hash table work_mem +#maintenance_work_mem = 64MB # min 1MB +#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem +#logical_decoding_work_mem = 64MB # min 64kB +#max_stack_depth = 2MB # min 100kB +#shared_memory_type = mmap # the default is the first option + # supported by the operating system: + # mmap + # sysv + # windows + # (change requires restart) +dynamic_shared_memory_type = posix # the default is usually the first option + # supported by the operating system: + # posix + # sysv + # windows + # mmap + # (change requires restart) +#min_dynamic_shared_memory = 0MB # (change requires restart) + +# - Disk - + +#temp_file_limit = -1 # limits per-process temp file space + # in kilobytes, or -1 for no limit + +# - Kernel Resources - + +#max_files_per_process = 1000 # min 64 + # (change requires restart) + +# - Cost-Based Vacuum Delay - + +#vacuum_cost_delay = 0 # 0-100 milliseconds (0 disables) +#vacuum_cost_page_hit = 1 # 0-10000 credits +#vacuum_cost_page_miss = 2 # 0-10000 credits +#vacuum_cost_page_dirty = 20 # 0-10000 credits +#vacuum_cost_limit = 200 # 1-10000 credits + +# - Background Writer - + +#bgwriter_delay = 200ms # 10-10000ms between rounds +#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables +#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round +#bgwriter_flush_after = 512kB # measured in pages, 0 disables + +# - Asynchronous Behavior - + +#backend_flush_after = 0 # measured in pages, 0 disables +#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching +#maintenance_io_concurrency = 10 # 1-1000; 0 disables prefetching +#max_worker_processes = 8 # (change requires restart) +#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers +#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers +#max_parallel_workers = 8 # maximum number of max_worker_processes that + # can be used in parallel operations +#parallel_leader_participation = on +#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate + # (change requires restart) + + +#------------------------------------------------------------------------------ +# WRITE-AHEAD LOG +#------------------------------------------------------------------------------ + +# - Settings - + +#wal_level = replica # minimal, replica, or logical + # (change requires restart) +#fsync = on # flush data to disk for crash safety + # (turning this off can cause + # unrecoverable data corruption) +#synchronous_commit = on # synchronization level; + # off, local, remote_write, remote_apply, or on +#wal_sync_method = fsync # the default is the first option + # supported by the operating system: + # open_datasync + # fdatasync (default on Linux and FreeBSD) + # fsync + # fsync_writethrough + # open_sync +#full_page_writes = on # recover from partial page writes +#wal_log_hints = off # also do full page writes of non-critical updates + # (change requires restart) +#wal_compression = off # enables compression of full-page writes; + # off, pglz, lz4, zstd, or on +#wal_init_zero = on # zero-fill new WAL files +#wal_recycle = on # recycle WAL files +#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers + # (change requires restart) +#wal_writer_delay = 200ms # 1-10000 milliseconds +#wal_writer_flush_after = 1MB # measured in pages, 0 disables +#wal_skip_threshold = 2MB + +#commit_delay = 0 # range 0-100000, in microseconds +#commit_siblings = 5 # range 1-1000 + +# - Checkpoints - + +#checkpoint_timeout = 5min # range 30s-1d +#checkpoint_completion_target = 0.9 # checkpoint target duration, 0.0 - 1.0 +#checkpoint_flush_after = 256kB # measured in pages, 0 disables +#checkpoint_warning = 30s # 0 disables +max_wal_size = 1GB +min_wal_size = 80MB + +# - Prefetching during recovery - + +#recovery_prefetch = try # prefetch pages referenced in the WAL? +#wal_decode_buffer_size = 512kB # lookahead window used for prefetching + # (change requires restart) + +# - Archiving - + +#archive_mode = off # enables archiving; off, on, or always + # (change requires restart) +#archive_library = '' # library to use to archive a logfile segment + # (empty string indicates archive_command should + # be used) +#archive_command = '' # command to use to archive a logfile segment + # placeholders: %p = path of file to archive + # %f = file name only + # e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f' +#archive_timeout = 0 # force a logfile segment switch after this + # number of seconds; 0 disables + +# - Archive Recovery - + +# These are only used in recovery mode. + +#restore_command = '' # command to use to restore an archived logfile segment + # placeholders: %p = path of file to restore + # %f = file name only + # e.g. 'cp /mnt/server/archivedir/%f %p' +#archive_cleanup_command = '' # command to execute at every restartpoint +#recovery_end_command = '' # command to execute at completion of recovery + +# - Recovery Target - + +# Set these only when performing a targeted recovery. + +#recovery_target = '' # 'immediate' to end recovery as soon as a + # consistent state is reached + # (change requires restart) +#recovery_target_name = '' # the named restore point to which recovery will proceed + # (change requires restart) +#recovery_target_time = '' # the time stamp up to which recovery will proceed + # (change requires restart) +#recovery_target_xid = '' # the transaction ID up to which recovery will proceed + # (change requires restart) +#recovery_target_lsn = '' # the WAL LSN up to which recovery will proceed + # (change requires restart) +#recovery_target_inclusive = on # Specifies whether to stop: + # just after the specified recovery target (on) + # just before the recovery target (off) + # (change requires restart) +#recovery_target_timeline = 'latest' # 'current', 'latest', or timeline ID + # (change requires restart) +#recovery_target_action = 'pause' # 'pause', 'promote', 'shutdown' + # (change requires restart) + + +#------------------------------------------------------------------------------ +# REPLICATION +#------------------------------------------------------------------------------ + +# - Sending Servers - + +# Set these on the primary and on any standby that will send replication data. + +#max_wal_senders = 10 # max number of walsender processes + # (change requires restart) +#max_replication_slots = 10 # max number of replication slots + # (change requires restart) +#wal_keep_size = 0 # in megabytes; 0 disables +#max_slot_wal_keep_size = -1 # in megabytes; -1 disables +#wal_sender_timeout = 60s # in milliseconds; 0 disables +#track_commit_timestamp = off # collect timestamp of transaction commit + # (change requires restart) + +# - Primary Server - + +# These settings are ignored on a standby server. + +#synchronous_standby_names = '' # standby servers that provide sync rep + # method to choose sync standbys, number of sync standbys, + # and comma-separated list of application_name + # from standby(s); '*' = all +#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed + +# - Standby Servers - + +# These settings are ignored on a primary server. + +#primary_conninfo = '' # connection string to sending server +#primary_slot_name = '' # replication slot on sending server +#promote_trigger_file = '' # file name whose presence ends recovery +#hot_standby = on # "off" disallows queries during recovery + # (change requires restart) +#max_standby_archive_delay = 30s # max delay before canceling queries + # when reading WAL from archive; + # -1 allows indefinite delay +#max_standby_streaming_delay = 30s # max delay before canceling queries + # when reading streaming WAL; + # -1 allows indefinite delay +#wal_receiver_create_temp_slot = off # create temp slot if primary_slot_name + # is not set +#wal_receiver_status_interval = 10s # send replies at least this often + # 0 disables +#hot_standby_feedback = off # send info from standby to prevent + # query conflicts +#wal_receiver_timeout = 60s # time that receiver waits for + # communication from primary + # in milliseconds; 0 disables +#wal_retrieve_retry_interval = 5s # time to wait before retrying to + # retrieve WAL after a failed attempt +#recovery_min_apply_delay = 0 # minimum delay for applying changes during recovery + +# - Subscribers - + +# These settings are ignored on a publisher. + +#max_logical_replication_workers = 4 # taken from max_worker_processes + # (change requires restart) +#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers + + +#------------------------------------------------------------------------------ +# QUERY TUNING +#------------------------------------------------------------------------------ + +# - Planner Method Configuration - + +#enable_async_append = on +#enable_bitmapscan = on +#enable_gathermerge = on +#enable_hashagg = on +#enable_hashjoin = on +#enable_incremental_sort = on +#enable_indexscan = on +#enable_indexonlyscan = on +#enable_material = on +#enable_memoize = on +#enable_mergejoin = on +#enable_nestloop = on +#enable_parallel_append = on +#enable_parallel_hash = on +#enable_partition_pruning = on +#enable_partitionwise_join = off +#enable_partitionwise_aggregate = off +#enable_seqscan = on +#enable_sort = on +#enable_tidscan = on + +# - Planner Cost Constants - + +#seq_page_cost = 1.0 # measured on an arbitrary scale +#random_page_cost = 4.0 # same scale as above +#cpu_tuple_cost = 0.01 # same scale as above +#cpu_index_tuple_cost = 0.005 # same scale as above +#cpu_operator_cost = 0.0025 # same scale as above +#parallel_setup_cost = 1000.0 # same scale as above +#parallel_tuple_cost = 0.1 # same scale as above +#min_parallel_table_scan_size = 8MB +#min_parallel_index_scan_size = 512kB +#effective_cache_size = 4GB + +#jit_above_cost = 100000 # perform JIT compilation if available + # and query more expensive than this; + # -1 disables +#jit_inline_above_cost = 500000 # inline small functions if query is + # more expensive than this; -1 disables +#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if + # query is more expensive than this; + # -1 disables + +# - Genetic Query Optimizer - + +#geqo = on +#geqo_threshold = 12 +#geqo_effort = 5 # range 1-10 +#geqo_pool_size = 0 # selects default based on effort +#geqo_generations = 0 # selects default based on effort +#geqo_selection_bias = 2.0 # range 1.5-2.0 +#geqo_seed = 0.0 # range 0.0-1.0 + +# - Other Planner Options - + +#default_statistics_target = 100 # range 1-10000 +#constraint_exclusion = partition # on, off, or partition +#cursor_tuple_fraction = 0.1 # range 0.0-1.0 +#from_collapse_limit = 8 +#jit = on # allow JIT compilation +#join_collapse_limit = 8 # 1 disables collapsing of explicit + # JOIN clauses +#plan_cache_mode = auto # auto, force_generic_plan or + # force_custom_plan +#recursive_worktable_factor = 10.0 # range 0.001-1000000 + + +#------------------------------------------------------------------------------ +# REPORTING AND LOGGING +#------------------------------------------------------------------------------ + +# - Where to Log - + +#log_destination = 'stderr' # Valid values are combinations of + # stderr, csvlog, jsonlog, syslog, and + # eventlog, depending on platform. + # csvlog and jsonlog require + # logging_collector to be on. + +# This is used when logging to stderr: +#logging_collector = off # Enable capturing of stderr, jsonlog, + # and csvlog into log files. Required + # to be on for csvlogs and jsonlogs. + # (change requires restart) + +# These are only used if logging_collector is on: +#log_directory = 'log' # directory where log files are written, + # can be absolute or relative to PGDATA +#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern, + # can include strftime() escapes +#log_file_mode = 0600 # creation mode for log files, + # begin with 0 to use octal notation +#log_rotation_age = 1d # Automatic rotation of logfiles will + # happen after that time. 0 disables. +#log_rotation_size = 10MB # Automatic rotation of logfiles will + # happen after that much log output. + # 0 disables. +#log_truncate_on_rotation = off # If on, an existing log file with the + # same name as the new log file will be + # truncated rather than appended to. + # But such truncation only occurs on + # time-driven rotation, not on restarts + # or size-driven rotation. Default is + # off, meaning append to existing files + # in all cases. + +# These are relevant when logging to syslog: +#syslog_facility = 'LOCAL0' +#syslog_ident = 'postgres' +#syslog_sequence_numbers = on +#syslog_split_messages = on + +# This is only relevant when logging to eventlog (Windows): +# (change requires restart) +#event_source = 'PostgreSQL' + +# - When to Log - + +#log_min_messages = warning # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # info + # notice + # warning + # error + # log + # fatal + # panic + +#log_min_error_statement = error # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # info + # notice + # warning + # error + # log + # fatal + # panic (effectively off) + +#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements + # and their durations, > 0 logs only + # statements running at least this number + # of milliseconds + +#log_min_duration_sample = -1 # -1 is disabled, 0 logs a sample of statements + # and their durations, > 0 logs only a sample of + # statements running at least this number + # of milliseconds; + # sample fraction is determined by log_statement_sample_rate + +#log_statement_sample_rate = 1.0 # fraction of logged statements exceeding + # log_min_duration_sample to be logged; + # 1.0 logs all such statements, 0.0 never logs + + +#log_transaction_sample_rate = 0.0 # fraction of transactions whose statements + # are logged regardless of their duration; 1.0 logs all + # statements from all transactions, 0.0 never logs + +#log_startup_progress_interval = 10s # Time between progress updates for + # long-running startup operations. + # 0 disables the feature, > 0 indicates + # the interval in milliseconds. + +# - What to Log - + +#debug_print_parse = off +#debug_print_rewritten = off +#debug_print_plan = off +#debug_pretty_print = on +#log_autovacuum_min_duration = 10min # log autovacuum activity; + # -1 disables, 0 logs all actions and + # their durations, > 0 logs only + # actions running at least this number + # of milliseconds. +#log_checkpoints = on +#log_connections = off +#log_disconnections = off +#log_duration = off +#log_error_verbosity = default # terse, default, or verbose messages +#log_hostname = off +log_line_prefix = '%m [%p] %q%u@%d ' # special values: + # %a = application name + # %u = user name + # %d = database name + # %r = remote host and port + # %h = remote host + # %b = backend type + # %p = process ID + # %P = process ID of parallel group leader + # %t = timestamp without milliseconds + # %m = timestamp with milliseconds + # %n = timestamp with milliseconds (as a Unix epoch) + # %Q = query ID (0 if none or not computed) + # %i = command tag + # %e = SQL state + # %c = session ID + # %l = session line number + # %s = session start timestamp + # %v = virtual transaction ID + # %x = transaction ID (0 if none) + # %q = stop here in non-session + # processes + # %% = '%' + # e.g. '<%u%%%d> ' +#log_lock_waits = off # log lock waits >= deadlock_timeout +#log_recovery_conflict_waits = off # log standby recovery conflict waits + # >= deadlock_timeout +#log_parameter_max_length = -1 # when logging statements, limit logged + # bind-parameter values to N bytes; + # -1 means print in full, 0 disables +#log_parameter_max_length_on_error = 0 # when logging an error, limit logged + # bind-parameter values to N bytes; + # -1 means print in full, 0 disables +#log_statement = 'none' # none, ddl, mod, all +#log_replication_commands = off +#log_temp_files = -1 # log temporary files equal or larger + # than the specified size in kilobytes; + # -1 disables, 0 logs all temp files +log_timezone = 'Etc/UTC' + + +#------------------------------------------------------------------------------ +# PROCESS TITLE +#------------------------------------------------------------------------------ + +cluster_name = '15/main' # added to process titles if nonempty + # (change requires restart) +#update_process_title = on + + +#------------------------------------------------------------------------------ +# STATISTICS +#------------------------------------------------------------------------------ + +# - Cumulative Query and Index Statistics - + +#track_activities = on +#track_activity_query_size = 1024 # (change requires restart) +#track_counts = on +#track_io_timing = off +#track_wal_io_timing = off +#track_functions = none # none, pl, all +#stats_fetch_consistency = cache + + +# - Monitoring - + +#compute_query_id = auto +#log_statement_stats = off +#log_parser_stats = off +#log_planner_stats = off +#log_executor_stats = off + + +#------------------------------------------------------------------------------ +# AUTOVACUUM +#------------------------------------------------------------------------------ + +#autovacuum = on # Enable autovacuum subprocess? 'on' + # requires track_counts to also be on. +#autovacuum_max_workers = 3 # max number of autovacuum subprocesses + # (change requires restart) +#autovacuum_naptime = 1min # time between autovacuum runs +#autovacuum_vacuum_threshold = 50 # min number of row updates before + # vacuum +#autovacuum_vacuum_insert_threshold = 1000 # min number of row inserts + # before vacuum; -1 disables insert + # vacuums +#autovacuum_analyze_threshold = 50 # min number of row updates before + # analyze +#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum +#autovacuum_vacuum_insert_scale_factor = 0.2 # fraction of inserts over table + # size before insert vacuum +#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze +#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum + # (change requires restart) +#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age + # before forced vacuum + # (change requires restart) +#autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for + # autovacuum, in milliseconds; + # -1 means use vacuum_cost_delay +#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for + # autovacuum, -1 means use + # vacuum_cost_limit + + +#------------------------------------------------------------------------------ +# CLIENT CONNECTION DEFAULTS +#------------------------------------------------------------------------------ + +# - Statement Behavior - + +#client_min_messages = notice # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # log + # notice + # warning + # error +#search_path = '"$user", public' # schema names +#row_security = on +#default_table_access_method = 'heap' +#default_tablespace = '' # a tablespace name, '' uses the default +#default_toast_compression = 'pglz' # 'pglz' or 'lz4' +#temp_tablespaces = '' # a list of tablespace names, '' uses + # only default tablespace +#check_function_bodies = on +#default_transaction_isolation = 'read committed' +#default_transaction_read_only = off +#default_transaction_deferrable = off +#session_replication_role = 'origin' +#statement_timeout = 0 # in milliseconds, 0 is disabled +#lock_timeout = 0 # in milliseconds, 0 is disabled +#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled +#idle_session_timeout = 0 # in milliseconds, 0 is disabled +#vacuum_freeze_table_age = 150000000 +#vacuum_freeze_min_age = 50000000 +#vacuum_failsafe_age = 1600000000 +#vacuum_multixact_freeze_table_age = 150000000 +#vacuum_multixact_freeze_min_age = 5000000 +#vacuum_multixact_failsafe_age = 1600000000 +#bytea_output = 'hex' # hex, escape +#xmlbinary = 'base64' +#xmloption = 'content' +#gin_pending_list_limit = 4MB + +# - Locale and Formatting - + +datestyle = 'iso, mdy' +#intervalstyle = 'postgres' +timezone = 'Etc/UTC' +#timezone_abbreviations = 'Default' # Select the set of available time zone + # abbreviations. Currently, there are + # Default + # Australia (historical usage) + # India + # You can create your own file in + # share/timezonesets/. +#extra_float_digits = 1 # min -15, max 3; any value >0 actually + # selects precise output mode +#client_encoding = sql_ascii # actually, defaults to database + # encoding + +# These settings are initialized by initdb, but they can be changed. +lc_messages = 'C' # locale for system error message + # strings +lc_monetary = 'C' # locale for monetary formatting +lc_numeric = 'C' # locale for number formatting +lc_time = 'C' # locale for time formatting + +# default configuration for text search +default_text_search_config = 'pg_catalog.english' + +# - Shared Library Preloading - + +#local_preload_libraries = '' +#session_preload_libraries = '' +#shared_preload_libraries = '' # (change requires restart) +#jit_provider = 'llvmjit' # JIT library to use + +# - Other Defaults - + +#dynamic_library_path = '$libdir' +#extension_destdir = '' # prepend path when loading extensions + # and shared objects (added by Debian) +#gin_fuzzy_search_limit = 0 + + +#------------------------------------------------------------------------------ +# LOCK MANAGEMENT +#------------------------------------------------------------------------------ + +#deadlock_timeout = 1s +#max_locks_per_transaction = 64 # min 10 + # (change requires restart) +#max_pred_locks_per_transaction = 64 # min 10 + # (change requires restart) +#max_pred_locks_per_relation = -2 # negative values mean + # (max_pred_locks_per_transaction + # / -max_pred_locks_per_relation) - 1 +#max_pred_locks_per_page = 2 # min 0 + + +#------------------------------------------------------------------------------ +# VERSION AND PLATFORM COMPATIBILITY +#------------------------------------------------------------------------------ + +# - Previous PostgreSQL Versions - + +#array_nulls = on +#backslash_quote = safe_encoding # on, off, or safe_encoding +#escape_string_warning = on +#lo_compat_privileges = off +#quote_all_identifiers = off +#standard_conforming_strings = on +#synchronize_seqscans = on + +# - Other Platforms and Clients - + +#transform_null_equals = off + + +#------------------------------------------------------------------------------ +# ERROR HANDLING +#------------------------------------------------------------------------------ + +#exit_on_error = off # terminate session on any error? +#restart_after_crash = on # reinitialize after backend crash? +#data_sync_retry = off # retry or panic on failure to fsync + # data? + # (change requires restart) +#recovery_init_sync_method = fsync # fsync, syncfs (Linux 5.8+) + + +#------------------------------------------------------------------------------ +# CONFIG FILE INCLUDES +#------------------------------------------------------------------------------ + +# These options allow settings to be loaded from files other than the +# default postgresql.conf. Note that these are directives, not variable +# assignments, so they can usefully be given more than once. + +include_dir = 'conf.d' # include files ending in '.conf' from + # a directory, e.g., 'conf.d' +#include_if_exists = '...' # include file only if it exists +#include = '...' # include file + + +#------------------------------------------------------------------------------ +# CUSTOMIZED OPTIONS +#------------------------------------------------------------------------------ + +# Add settings for extensions here diff --git a/ansible/roles/postgresql:client-for-synapse/defaults/main.json b/ansible/roles/postgresql:client-for-synapse/defaults/main.json new file mode 100644 index 0000000..e6aa567 --- /dev/null +++ b/ansible/roles/postgresql:client-for-synapse/defaults/main.json @@ -0,0 +1,7 @@ +{ + "var_postgresql_client_for_synapse_host": "localhost", + "var_postgresql_client_for_synapse_port": "5432", + "var_postgresql_client_for_synapse_username": "synapse_user", + "var_postgresql_client_for_synapse_password": "synapse_password", + "var_postgresql_client_for_synapse_schema": "synapse" +} diff --git a/ansible/roles/postgresql:client-for-synapse/info.md b/ansible/roles/postgresql:client-for-synapse/info.md new file mode 100644 index 0000000..60c6159 --- /dev/null +++ b/ansible/roles/postgresql:client-for-synapse/info.md @@ -0,0 +1,3 @@ +## Verweise + +- [Synapse-Dokumentation](https://matrix-org.github.io/synapse/latest/postgres.html#using-postgres) diff --git a/ansible/roles/postgresql:client-for-synapse/tasks/main.json b/ansible/roles/postgresql:client-for-synapse/tasks/main.json new file mode 100644 index 0000000..11d9e15 --- /dev/null +++ b/ansible/roles/postgresql:client-for-synapse/tasks/main.json @@ -0,0 +1,10 @@ +[ + { + "name": "emplace configuration file", + "become": true, + "ansible.builtin.template": { + "src": "database.yaml.j2", + "dest": "/etc/matrix-synapse/conf.d/database.yaml" + } + } +] diff --git a/ansible/roles/postgresql:client-for-synapse/templates/database.yaml.j2 b/ansible/roles/postgresql:client-for-synapse/templates/database.yaml.j2 new file mode 100644 index 0000000..60c4872 --- /dev/null +++ b/ansible/roles/postgresql:client-for-synapse/templates/database.yaml.j2 @@ -0,0 +1,10 @@ +database: + name: psycopg2 + args: + host: {{var_postgresql_client_for_synapse_host}} + port: {{var_postgresql_client_for_synapse_port}} + database: "{{var_postgresql_client_for_synapse_schema}}" + user: "{{var_postgresql_client_for_synapse_username}}" + password: "{{var_postgresql_client_for_synapse_password}}" + cp_min: 5 + cp_max: 10 diff --git a/ansible/roles/postgresql:server-for-synapse/defaults/main.json b/ansible/roles/postgresql:server-for-synapse/defaults/main.json new file mode 100644 index 0000000..794f33d --- /dev/null +++ b/ansible/roles/postgresql:server-for-synapse/defaults/main.json @@ -0,0 +1,5 @@ +{ + "var_postgresql_server_for_synapse_username": "synapse_user", + "var_postgresql_server_for_synapse_password": "synapse_password", + "var_postgresql_server_for_synapse_schema": "synapse" +} diff --git a/ansible/roles/postgresql:server-for-synapse/tasks/main.json b/ansible/roles/postgresql:server-for-synapse/tasks/main.json new file mode 100644 index 0000000..70d54ea --- /dev/null +++ b/ansible/roles/postgresql:server-for-synapse/tasks/main.json @@ -0,0 +1,49 @@ +[ + { + "name": "packages", + "become": true, + "ansible.builtin.apt": { + "pkg": [ + "acl", + "python3-psycopg2" + ] + } + }, + { + "name": "user", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_user": { + "state": "present", + "name": "{{var_postgresql_server_for_synapse_username}}", + "password": "{{var_postgresql_server_for_synapse_password}}" + } + }, + { + "name": "schema", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_db": { + "state": "present", + "template": "template0", + "name": "{{var_postgresql_server_for_synapse_schema}}", + "owner": "{{var_postgresql_server_for_synapse_username}}", + "encoding": "UTF-8", + "lc_collate": "C", + "lc_ctype": "C" + } + }, + { + "name": "rights", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_privs": { + "state": "present", + "db": "{{var_postgresql_server_for_synapse_schema}}", + "objs": "ALL_IN_SCHEMA", + "roles": "{{var_postgresql_server_for_synapse_username}}", + "privs": "ALL", + "grant_option": true + } + } +] diff --git a/ansible/roles/synapse-with-lighttpd/defaults/main.json b/ansible/roles/synapse-with-lighttpd/defaults/main.json new file mode 100644 index 0000000..e5fd94b --- /dev/null +++ b/ansible/roles/synapse-with-lighttpd/defaults/main.json @@ -0,0 +1,3 @@ +{ + "var_synapse_with_lighttpd_domain": "REPLACE_ME" +} diff --git a/ansible/roles/synapse-with-lighttpd/info.md b/ansible/roles/synapse-with-lighttpd/info.md new file mode 100644 index 0000000..8ee3120 --- /dev/null +++ b/ansible/roles/synapse-with-lighttpd/info.md @@ -0,0 +1,8 @@ +## Beschreibung + +- zur Einrichtung von [Lighttpd](../lighttpd) als Reverse-Proxy für [Synapse](../synapse) + + +## Verweise + +- [Synapse-Dokumentation über die Nutzung von Reverse-Proxies](https://matrix-org.github.io/synapse/latest/reverse_proxy.html) diff --git a/ansible/roles/synapse-with-lighttpd/tasks/main.json b/ansible/roles/synapse-with-lighttpd/tasks/main.json new file mode 100644 index 0000000..34cbc47 --- /dev/null +++ b/ansible/roles/synapse-with-lighttpd/tasks/main.json @@ -0,0 +1,34 @@ +[ + { + "name": "activate proxy module", + "become": true, + "ansible.builtin.shell": { + "cmd": "lighttpd-enable-mod proxy || exit 0" + } + }, + { + "name": "emplace configuration | data", + "become": true, + "ansible.builtin.template": { + "src": "conf.j2", + "dest": "/etc/lighttpd/conf-available/{{var_synapse_with_lighttpd_domain}}.conf" + } + }, + { + "name": "emplace configuration | link", + "become": true, + "ansible.builtin.file": { + "state": "link", + "src": "/etc/lighttpd/conf-available/{{var_synapse_with_lighttpd_domain}}.conf", + "dest": "/etc/lighttpd/conf-enabled/{{var_synapse_with_lighttpd_domain}}.conf" + } + }, + { + "name": "restart lighttpd", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "lighttpd" + } + } +] diff --git a/ansible/roles/synapse-with-lighttpd/templates/conf.j2 b/ansible/roles/synapse-with-lighttpd/templates/conf.j2 new file mode 100644 index 0000000..ee6a951 --- /dev/null +++ b/ansible/roles/synapse-with-lighttpd/templates/conf.j2 @@ -0,0 +1,29 @@ +$HTTP["host"] == "{{var_synapse_with_lighttpd_domain}}" { + server.name = "{{var_synapse_with_lighttpd_domain}}" + + ## alle Anfragen auf Port 443 + $SERVER["socket"] == ":443" { + ## mit dem SSL-Kram beglücken + # ssl.engine = "enable" + # ssl.pemfile = "/etc/ssl/certs/{{var_synapse_with_lighttpd_domain}}.pem" + # ssl.privkey = "/etc/ssl/keys/{{var_synapse_with_lighttpd_domain}}.pem" + # ssl.ca-file = "/etc/ssl/fullchains/{{var_synapse_with_lighttpd_domain}}.pem" + # ssl.use-sslv2 = "disable" + # ssl.use-sslv3 = "disable" + } + + ## alle HTTP-Anfragen + $SERVER["socket"] == ":80" { + ## auf HTTPS umleiten + # url.redirect = ("^/(.*)$" => "https://{{var_synapse_with_lighttpd_domain}}/$1") + } + + proxy.server = ( + "" => ( + "" => ( + "host" => "localhost", + "port" => 8008 + ) + ) + ) +} diff --git a/ansible/roles/synapse-with-nginx/defaults/main.json b/ansible/roles/synapse-with-nginx/defaults/main.json new file mode 100644 index 0000000..5d97e4b --- /dev/null +++ b/ansible/roles/synapse-with-nginx/defaults/main.json @@ -0,0 +1,3 @@ +{ + "var_synapse_with_nginx_domain": "REPLACE_ME" +} diff --git a/ansible/roles/synapse-with-nginx/info.md b/ansible/roles/synapse-with-nginx/info.md new file mode 100644 index 0000000..7d09e48 --- /dev/null +++ b/ansible/roles/synapse-with-nginx/info.md @@ -0,0 +1,8 @@ +## Beschreibung + +- zur Einrichtung von [nginx](../nginx) als Reverse-Proxy für [Synapse](../synapse) + + +## Verweise + +- [Synapse-Dokumentation über die Nutzung von Reverse-Proxies](https://matrix-org.github.io/synapse/latest/reverse_proxy.html) diff --git a/ansible/roles/synapse-with-nginx/tasks/main.json b/ansible/roles/synapse-with-nginx/tasks/main.json new file mode 100644 index 0000000..e3a2f94 --- /dev/null +++ b/ansible/roles/synapse-with-nginx/tasks/main.json @@ -0,0 +1,35 @@ +[ + { + "name": "deactivate default site", + "become": true, + "ansible.builtin.file": { + "state": "absent", + "dest": "/etc/nginx/sites-enabled/default" + } + }, + { + "name": "emplace configuration | data", + "become": true, + "ansible.builtin.template": { + "src": "conf.j2", + "dest": "/etc/nginx/sites-available/{{var_synapse_with_nginx_domain}}" + } + }, + { + "name": "emplace configuration | link", + "become": true, + "ansible.builtin.file": { + "state": "link", + "src": "/etc/nginx/sites-available/{{var_synapse_with_nginx_domain}}", + "dest": "/etc/nginx/sites-enabled/{{var_synapse_with_nginx_domain}}" + } + }, + { + "name": "restart nginx", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "nginx" + } + } +] diff --git a/ansible/roles/synapse-with-nginx/templates/conf.j2 b/ansible/roles/synapse-with-nginx/templates/conf.j2 new file mode 100644 index 0000000..c2a3371 --- /dev/null +++ b/ansible/roles/synapse-with-nginx/templates/conf.j2 @@ -0,0 +1,26 @@ +server { + listen 80; + listen [::]:80; + listen 443 ssl; + listen [::]:443 ssl; + + ## For the federation port + listen 8448 ssl http2 default_server; + listen [::]:8448 ssl http2 default_server; + + server_name {{var_synapse_with_nginx_domain}}; + + ssl_certificate /etc/ssl/certs/{{var_synapse_with_nginx_domain}}.pem; + ssl_certificate_key /etc/ssl/private/{{var_synapse_with_nginx_domain}}.pem; + + location ~ ^(/_matrix|/_synapse/client) { + proxy_pass http://localhost:8008; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + + client_max_body_size 50M; + + proxy_http_version 1.1; + } +} diff --git a/ansible/roles/synapse/defaults/main.json b/ansible/roles/synapse/defaults/main.json new file mode 100644 index 0000000..72fc7b1 --- /dev/null +++ b/ansible/roles/synapse/defaults/main.json @@ -0,0 +1,17 @@ +{ + "var_synapse_scheme": "https", + "var_synapse_domain": "matrix.example.org", + "var_synapse_element_url": "https://element.example.org", + "var_synapse_title": "Example | Matrix", + "var_synapse_federation_whitelist": "[]", + "var_synapse_password_strict_policy": "true", + "var_synapse_registration_shared_secret": "REPLACE_ME", + "var_synapse_smtp_host": "smtp.example.org", + "var_synapse_smtp_port": "587", + "var_synapse_smtp_username": "matrix@smtp.example.org", + "var_synapse_smtp_password": "REPLACE_ME", + "var_synapse_admin_user_define": true, + "var_synapse_admin_user_name": "admin", + "var_synapse_admin_user_password": "REPLACE_ME" +} + diff --git a/ansible/roles/synapse/files/sources-bullseye-backports.list b/ansible/roles/synapse/files/sources-bullseye-backports.list new file mode 100644 index 0000000..aac3a03 --- /dev/null +++ b/ansible/roles/synapse/files/sources-bullseye-backports.list @@ -0,0 +1,2 @@ +deb http://debian.inf.tu-dresden.de/debian bullseye-backports main contrib non-free +deb-src http://debian.inf.tu-dresden.de/debian bullseye-backports main contrib non-free diff --git a/ansible/roles/synapse/info.md b/ansible/roles/synapse/info.md new file mode 100644 index 0000000..b098a2c --- /dev/null +++ b/ansible/roles/synapse/info.md @@ -0,0 +1,10 @@ +## Beschreibung + + + +## Verweise + +- [matrix.org](https://matrix.org/) +- [ubuntuusers-Wiki-Eintrag](https://wiki.ubuntuusers.de/Matrix_synapse/) +- [GitHub-Repository](https://github.com/matrix-org/synapse) +- [Configuration Manual](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html) diff --git a/ansible/roles/synapse/tasks/main.json b/ansible/roles/synapse/tasks/main.json new file mode 100644 index 0000000..bbd8a94 --- /dev/null +++ b/ansible/roles/synapse/tasks/main.json @@ -0,0 +1,64 @@ +[ + { + "name": "invoke required repositories", + "become": true, + "ansible.builtin.copy": { + "src": "sources-bullseye-backports.list", + "dest": "/etc/apt/sources.list.d/bullseye-backports-for-synapse.list" + } + }, + { + "name": "prepare package installation | server-name", + "become": true, + "ansible.builtin.debconf": { + "name": "matrix-synapse", + "question": "matrix-synapse/server-name", + "vtype": "string", + "value": "{{var_synapse_domain}}" + } + }, + { + "name": "prepare package installation | report-stats", + "become": true, + "ansible.builtin.debconf": { + "name": "matrix-synapse", + "question": "matrix-synapse/report-stats", + "vtype": "boolean", + "value": false + } + }, + { + "name": "install packages", + "become": true, + "ansible.builtin.apt": { + "update_cache": true, + "pkg": [ + "matrix-synapse" + ] + } + }, + { + "name": "emplace configuration", + "become": true, + "ansible.builtin.template": { + "src": "homeserver.yaml.j2", + "dest": "/etc/matrix-synapse/homeserver.yaml" + } + }, + { + "name": "restart service", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "matrix-synapse" + } + }, + { + "name": "setup admin user", + "become": true, + "ansible.builtin.shell": { + "cmd": "synapse_register_new_matrix_user --config=/etc/matrix-synapse/homeserver.yaml --admin --user={{var_synapse_admin_user_name}} --password={{var_synapse_admin_user_password}} || true" + }, + "when": "var_synapse_admin_user_define" + } +] diff --git a/ansible/roles/synapse/templates/homeserver.yaml.j2 b/ansible/roles/synapse/templates/homeserver.yaml.j2 new file mode 100644 index 0000000..0dc29ce --- /dev/null +++ b/ansible/roles/synapse/templates/homeserver.yaml.j2 @@ -0,0 +1,139 @@ +no_tls: True + +tls_fingerprints: [] + +pid_file: "/var/run/matrix-synapse.pid" + +soft_file_limit: 0 + +web_client_location: {{var_synapse_element_url}} + +public_baseurl: {{var_synapse_scheme}}://{{var_synapse_domain}}/ + +listeners: + - port: 8008 + tls: false + bind_addresses: + - '::1' + - '127.0.0.1' + type: http + tls: false + x_forwarded: false + resources: + - names: [client] + compress: true + - names: [federation] + compress: false + +federation_domain_whitelist: {{var_synapse_federation_whitelist}} + +serve_server_wellknown: true + +event_cache_size: "10K" + +log_config: "/etc/matrix-synapse/log.yaml" + +media_store_path: "/var/lib/matrix-synapse/media" + +uploads_path: "/var/lib/matrix-synapse/uploads" + +max_upload_size: "100M" + +max_image_pixels: "32M" + +dynamic_thumbnails: false + +thumbnail_sizes: + - width: 32 + height: 32 + method: crop + - width: 96 + height: 96 + method: crop + - width: 320 + height: 240 + method: scale + - width: 640 + height: 480 + method: scale + - width: 800 + height: 600 + method: scale + +url_preview_enabled: false + +max_spider_size: "10M" + +enable_registration_captcha: false + +recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" + +enable_registration_without_verification: true + +enable_registration: true + +account_validity: + +bcrypt_rounds: 12 + +allow_guest_access: false + +trusted_third_party_id_servers: + - matrix.org + - vector.im + - riot.im + +enable_metrics: false + +app_service_config_files: + # - "/opt/mautrix-telegram/python-venv/registration.yaml" + # - "/opt/mautrix-signal/python-venv/registration.yaml" + # - "/opt/matrix-irc-bridge/appservice-registration-irc.yaml" + +expire_access_token: false + +signing_key_path: "/etc/matrix-synapse/homeserver.signing.key" + +old_signing_keys: {} + +key_refresh_interval: "1d" + +trusted_key_servers: + - server_name: "matrix.org" + +saml2_config: + user_mapping_provider: + config: + +oidc_config: + user_mapping_provider: + config: + # NOT an Ansible variable + localpart_template: "{{"{{"}} user.preferred_username {{"}}"}}" + +password_config: + enabled: true + policy: + enabled: {{var_synapse_password_strict_policy}} + +email: + smtp_host: "{{var_synapse_smtp_host}}" + smtp_port: {{var_synapse_smtp_port}} + smtp_user: "{{var_synapse_smtp_username}}" + smtp_pass: "{{var_synapse_smtp_password}}" + require_transport_security: true + notif_from: "%(app)s | {{var_synapse_title}}" + enable_notifs: true + notif_for_new_users: false + subjects: + password_reset: "[%(server_name)s] Passwort zurücksetzen" + email_validation: "[%(server_name)s] Nutzer-Konto-Freischaltung" + +spam_checker: + +enable_group_creation: true + +templates: + custom_templates_directory: "/etc/matrix-synapse/templates" + +registration_shared_secret: "{{var_synapse_registration_shared_secret}}" diff --git a/ansible/roles/tlscert_acme_inwx/defaults/main.json b/ansible/roles/tlscert_acme_inwx/defaults/main.json new file mode 100644 index 0000000..087172b --- /dev/null +++ b/ansible/roles/tlscert_acme_inwx/defaults/main.json @@ -0,0 +1,8 @@ +{ + "var_tlscert_acme_inwx_acme_account_email": "REPLACE_ME", + "var_tlscert_acme_inwx_inwx_account_username": "REPLACE_ME", + "var_tlscert_acme_inwx_inwx_account_password": "REPLACE_ME", + "var_tlscert_acme_inwx_domain_base": "example.org", + "var_tlscert_acme_inwx_domain_path": "foo", + "var_tlscert_acme_inwx_ssl_directory": "/etc/ssl" +} diff --git a/ansible/roles/tlscert_acme_inwx/info.md b/ansible/roles/tlscert_acme_inwx/info.md new file mode 100644 index 0000000..1859df9 --- /dev/null +++ b/ansible/roles/tlscert_acme_inwx/info.md @@ -0,0 +1,3 @@ +## ToDo + +- inwx-Skript von richtiger Quelle holen diff --git a/ansible/roles/tlscert_acme_inwx/tasks/main.json b/ansible/roles/tlscert_acme_inwx/tasks/main.json new file mode 100644 index 0000000..1456bed --- /dev/null +++ b/ansible/roles/tlscert_acme_inwx/tasks/main.json @@ -0,0 +1,97 @@ +[ + { + "name": "packages", + "become": true, + "ansible.builtin.apt": { + "pkg": [ + "openssl", + "certbot" + ] + } + }, + { + "name": "csr | setup private key directory", + "become": true, + "ansible.builtin.file": { + "state": "directory", + "path": "{{var_tlscert_acme_inwx_ssl_directory}}/private" + } + }, + { + "name": "csr | generate private key", + "become": true, + "community.crypto.openssl_privatekey": { + "path": "{{var_tlscert_acme_inwx_ssl_directory}}/private/{{var_tlscert_acme_inwx_domain_path}}.{{var_tlscert_acme_inwx_domain_base}}.pem" + } + }, + { + "name": "csr | setup csr directory", + "become": true, + "ansible.builtin.file": { + "state": "directory", + "path": "{{var_tlscert_acme_inwx_ssl_directory}}/csr" + } + }, + { + "name": "csr | execute", + "become": true, + "community.crypto.openssl_csr": { + "common_name": "{{var_tlscert_acme_inwx_domain_path}}.{{var_tlscert_acme_inwx_domain_base}}", + "privatekey_path": "{{var_tlscert_acme_inwx_ssl_directory}}/private/{{var_tlscert_acme_inwx_domain_path}}.{{var_tlscert_acme_inwx_domain_base}}.pem", + "path": "{{var_tlscert_acme_inwx_ssl_directory}}/csr/{{var_tlscert_acme_inwx_domain_path}}.{{var_tlscert_acme_inwx_domain_base}}.pem" + } + }, + { + "name": "acme | init", + "become": true, + "community.crypto.acme_certificate": { + "acme_version": 2, + "acme_directory": "https://acme-v02.api.letsencrypt.org/directory", + "account_email": "{{var_tlscert_acme_inwx_acme_account_email}}", + "account_key_src": "{{var_tlscert_acme_inwx_ssl_directory}}/private/{{var_tlscert_acme_inwx_domain_path}}.{{var_tlscert_acme_inwx_domain_base}}.pem", + "terms_agreed": true, + "csr": "{{var_tlscert_acme_inwx_ssl_directory}}/csr/{{var_tlscert_acme_inwx_domain_path}}.{{var_tlscert_acme_inwx_domain_base}}.pem", + "challenge": "dns-01", + "dest": "{{var_tlscert_acme_inwx_ssl_directory}}/certs/{{var_tlscert_acme_inwx_domain_path}}.{{var_tlscert_acme_inwx_domain_base}}.pem", + "fullchain_dest": "{{var_tlscert_acme_inwx_ssl_directory}}/fullchains/{{var_tlscert_acme_inwx_domain_path}}.{{var_tlscert_acme_inwx_domain_base}}.pem" + }, + "register": "temp_acme_data" + }, + { + "name": "dns challenge | place script", + "become": true, + "ansible.builtin.copy": { + "src": "/usr/local/bin/inwx", + "dest": "/usr/local/bin/inwx", + "mode": "a+x" + } + }, + { + "name": "dns challange | execute", + "ansible.builtin.command": { + "cmd": "/usr/local/bin/inwx --username={{var_tlscert_acme_inwx_inwx_account_username}} --password={{var_tlscert_acme_inwx_inwx_account_password}} save {{var_tlscert_acme_inwx_domain_base}} _acme-challenge.{{var_tlscert_acme_inwx_domain_path}} TXT {{temp_acme_data['challenge_data'][var_tlscert_acme_inwx_domain_path + '.' + var_tlscert_acme_inwx_domain_base]['dns-01']['resource_value']}}" + } + }, + { + "name": "dns challenge | wait", + "ansible.builtin.pause": { + "seconds": 60 + } + }, + { + "name": "acme | finalize", + "become": true, + "community.crypto.acme_certificate": { + "acme_version": 2, + "acme_directory": "https://acme-v02.api.letsencrypt.org/directory", + "account_email": "{{var_tlscert_acme_inwx_acme_account_email}}", + "account_key_src": "{{var_tlscert_acme_inwx_ssl_directory}}/private/{{var_tlscert_acme_inwx_domain_path}}.{{var_tlscert_acme_inwx_domain_base}}.pem", + "terms_agreed": true, + "csr": "{{var_tlscert_acme_inwx_ssl_directory}}/csr/{{var_tlscert_acme_inwx_domain_path}}.{{var_tlscert_acme_inwx_domain_base}}.pem", + "challenge": "dns-01", + "dest": "{{var_tlscert_acme_inwx_ssl_directory}}/certs/{{var_tlscert_acme_inwx_domain_path}}.{{var_tlscert_acme_inwx_domain_base}}.pem", + "fullchain_dest": "{{var_tlscert_acme_inwx_ssl_directory}}/fullchains/{{var_tlscert_acme_inwx_domain_path}}.{{var_tlscert_acme_inwx_domain_base}}.pem", + "data": "{{temp_acme_data}}" + } + } +] diff --git a/ansible/roles/tlscert_acme_netcup/defaults/main.json b/ansible/roles/tlscert_acme_netcup/defaults/main.json new file mode 100644 index 0000000..3364a26 --- /dev/null +++ b/ansible/roles/tlscert_acme_netcup/defaults/main.json @@ -0,0 +1,9 @@ +{ + "var_tlscert_acme_netcup_acme_account_email": "REPLACE_ME", + "var_tlscert_acme_netcup_netcup_customer_id": "REPLACE_ME", + "var_tlscert_acme_netcup_netcup_api_password": "REPLACE_ME", + "var_tlscert_acme_netcup_netcup_api_key": "REPLACE_ME", + "var_tlscert_acme_netcup_domain_base": "example.org", + "var_tlscert_acme_netcup_domain_path": "foo", + "var_tlscert_acme_netcup_ssl_directory": "/etc/ssl" +} diff --git a/ansible/roles/tlscert_acme_netcup/tasks/main.json b/ansible/roles/tlscert_acme_netcup/tasks/main.json new file mode 100644 index 0000000..0a2f60e --- /dev/null +++ b/ansible/roles/tlscert_acme_netcup/tasks/main.json @@ -0,0 +1,94 @@ +[ + { + "name": "packages", + "become": true, + "ansible.builtin.apt": { + "pkg": [ + "openssl", + "certbot" + ] + } + }, + { + "name": "csr | setup private key directory", + "become": true, + "ansible.builtin.file": { + "state": "directory", + "path": "{{var_tlscert_acme_netcup_ssl_directory}}/private" + } + }, + { + "name": "csr | generate private key", + "become": true, + "community.crypto.openssl_privatekey": { + "path": "{{var_tlscert_acme_netcup_ssl_directory}}/private/{{var_tlscert_acme_netcup_domain_path}}.{{var_tlscert_acme_netcup_domain_base}}.pem" + } + }, + { + "name": "csr | setup csr directory", + "become": true, + "ansible.builtin.file": { + "state": "directory", + "path": "{{var_tlscert_acme_netcup_ssl_directory}}/csr" + } + }, + { + "name": "csr | execute", + "become": true, + "community.crypto.openssl_csr": { + "common_name": "{{var_tlscert_acme_netcup_domain_path}}.{{var_tlscert_acme_netcup_domain_base}}", + "privatekey_path": "{{var_tlscert_acme_netcup_ssl_directory}}/private/{{var_tlscert_acme_netcup_domain_path}}.{{var_tlscert_acme_netcup_domain_base}}.pem", + "path": "{{var_tlscert_acme_netcup_ssl_directory}}/csr/{{var_tlscert_acme_netcup_domain_path}}.{{var_tlscert_acme_netcup_domain_base}}.pem" + } + }, + { + "name": "acme | init", + "become": true, + "community.crypto.acme_certificate": { + "acme_version": 2, + "acme_directory": "https://acme-v02.api.letsencrypt.org/directory", + "account_email": "{{var_tlscert_acme_netcup_acme_account_email}}", + "account_key_src": "{{var_tlscert_acme_netcup_ssl_directory}}/private/{{var_tlscert_acme_netcup_domain_path}}.{{var_tlscert_acme_netcup_domain_base}}.pem", + "terms_agreed": true, + "csr": "{{var_tlscert_acme_netcup_ssl_directory}}/csr/{{var_tlscert_acme_netcup_domain_path}}.{{var_tlscert_acme_netcup_domain_base}}.pem", + "challenge": "dns-01", + "dest": "{{var_tlscert_acme_netcup_ssl_directory}}/certs/{{var_tlscert_acme_netcup_domain_path}}.{{var_tlscert_acme_netcup_domain_base}}.pem", + "fullchain_dest": "{{var_tlscert_acme_netcup_ssl_directory}}/fullchains/{{var_tlscert_acme_netcup_domain_path}}.{{var_tlscert_acme_netcup_domain_base}}.pem" + }, + "register": "temp_acme_data" + }, + { + "name": "dns challenge | execute", + "community.general.netcup_dns": { + "customer_id": "{{var_tlscert_acme_netcup_netcup_customer_id}}", + "api_password": "{{var_tlscert_acme_netcup_netcup_api_password}}", + "api_key": "{{var_tlscert_acme_netcup_netcup_api_key}}", + "domain": "{{var_tlscert_acme_netcup_domain_base}}", + "record": "_acme_challenge.{{var_tlscert_acme_netcup_domain_path}}", + "type": "TXT", + "value": "{{temp_acme_data['challenge_data'][var_tlscert_acme_netcup_domain_path + '.' + var_tlscert_acme_netcup_domain_base]['dns-01']['resource_value']}}" + } + }, + { + "name": "dns challenge | wait", + "ansible.builtin.pause": { + "seconds": 60 + } + }, + { + "name": "acme | finalize", + "become": true, + "community.crypto.acme_certificate": { + "acme_version": 2, + "acme_directory": "https://acme-v02.api.letsencrypt.org/directory", + "account_email": "{{var_tlscert_acme_netcup_acme_account_email}}", + "account_key_src": "{{var_tlscert_acme_netcup_ssl_directory}}/private/{{var_tlscert_acme_netcup_domain_path}}.{{var_tlscert_acme_netcup_domain_base}}.pem", + "terms_agreed": true, + "csr": "{{var_tlscert_acme_netcup_ssl_directory}}/csr/{{var_tlscert_acme_netcup_domain_path}}.{{var_tlscert_acme_netcup_domain_base}}.pem", + "challenge": "dns-01", + "dest": "{{var_tlscert_acme_netcup_ssl_directory}}/certs/{{var_tlscert_acme_netcup_domain_path}}.{{var_tlscert_acme_netcup_domain_base}}.pem", + "fullchain_dest": "{{var_tlscert_acme_netcup_ssl_directory}}/fullchains/{{var_tlscert_acme_netcup_domain_path}}.{{var_tlscert_acme_netcup_domain_base}}.pem", + "data": "{{temp_acme_data}}" + } + } +] diff --git a/ansible/roles/tlscert_selfsigned/defaults/main.json b/ansible/roles/tlscert_selfsigned/defaults/main.json new file mode 100644 index 0000000..23e7808 --- /dev/null +++ b/ansible/roles/tlscert_selfsigned/defaults/main.json @@ -0,0 +1,5 @@ +{ + "var_tlscert_selfsigned_domain_base": "example.org", + "var_tlscert_selfsigned_domain_path": "foo", + "var_tlscert_selfsigned_ssl_directory": "/etc/ssl" +} diff --git a/ansible/roles/tlscert_selfsigned/tasks/main.json b/ansible/roles/tlscert_selfsigned/tasks/main.json new file mode 100644 index 0000000..4f24f17 --- /dev/null +++ b/ansible/roles/tlscert_selfsigned/tasks/main.json @@ -0,0 +1,27 @@ +[ + { + "name": "install packages", + "become": true, + "ansible.builtin.apt": { + "pkg": [ + "python3-cryptography" + ] + } + }, + { + "name": "generate key", + "become": true, + "community.crypto.openssl_privatekey": { + "path": "{{var_tlscert_selfsigned_ssl_directory}}/private/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem" + } + }, + { + "name": "generate certificate", + "become": true, + "community.crypto.x509_certificate": { + "privatekey_path": "{{var_tlscert_selfsigned_ssl_directory}}/private/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem", + "provider": "selfsigned", + "path": "{{var_tlscert_selfsigned_ssl_directory}}/certs/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem" + } + } +] diff --git a/readme.md b/readme.md new file mode 100644 index 0000000..dd42c58 --- /dev/null +++ b/readme.md @@ -0,0 +1,3 @@ +# Ansible Base + +Sammlung von allgemeinen, wiederverwendbaren Ansible-Rollen diff --git a/tools/check-json-syntax b/tools/check-json-syntax new file mode 100755 index 0000000..056264d --- /dev/null +++ b/tools/check-json-syntax @@ -0,0 +1,9 @@ +#!/usr/bin/env bash + +flaws=0 +for path in $(find ansible -name "*.json") +do + echo "-- ${path}" + python3 -m json.tool ${path} > /dev/null || ((flaws+=1)) +done +test ${flaws} -eq 0