diff --git a/README.md b/README.md index c3d9e7f..6538f68 100644 --- a/README.md +++ b/README.md @@ -28,6 +28,9 @@ A questo punto lanciando `./ansible-playbook test_playbook.yml` tutti i server s Un ruolo ansible quindi non è nient'altro che una lista di operazioni. +Per poter eseguire solo alcuni ruoli di alto livello possiamo usare i tag: +`ansible-playbook --tags radicale infra.yml`. + #### Password / Keys Per le informazioni sensibili (password del database, dell'account di admin, una chiave ssh) viene usato [passwordstore](https://www.passwordstore.org/), il path usato è specificato nell'inventory con la variabile `passwordstore_path`. diff --git a/infra.yml b/infra.yml index 61600c6..842cd8f 100644 --- a/infra.yml +++ b/infra.yml @@ -28,6 +28,13 @@ roles: ['stable/common', 'stable/gancio'] vars_files: vars/gancio.yml +# RADICALE +- name: Radicale + hosts: radicale + tags: radicale + roles: ['stable/common', 'staging/radicale'] + vars_files: vars/gancio.yml + # TEST - name: Test hosts: test diff --git a/inventory.yml b/inventory.yml index d1b3f80..f7d3dbc 100644 --- a/inventory.yml +++ b/inventory.yml @@ -13,6 +13,9 @@ farma: frontend: hosts: cisti.frontend +radicale: + hosts: radicale.cose.belle + test: hosts: cisti.jolly vars: diff --git a/roles/staging/radicale/tasks/main.yml b/roles/staging/radicale/tasks/main.yml new file mode 100644 index 0000000..445e983 --- /dev/null +++ b/roles/staging/radicale/tasks/main.yml 
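Review bot: The new Radicale play in infra.yml ends with `vars_files: vars/gancio.yml`, the same vars file the Gancio play directly above it loads (visible in the hunk's context lines), which reads like a copy-paste leftover. Unless `staging/radicale` genuinely consumes Gancio's variables, loading them here at best confuses the next reader and at worst carries Gancio-specific values into an unrelated host group. Point it at a role-specific file, e.g. `vars_files: vars/radicale.yml` (filename to be chosen), or drop the line if the role needs no extra vars.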
@@ -0,0 +1,46 @@
+---
+
+- name: Install pip
+ apt:
+ pkg:
+ - python3-pip
+ - apache2-utils # yes, we need htpasswd
+
+- name: check for radicale user
+ user:
+ name: "radicale"
+ home: "/srv/radicale"
+ system: true
+ state: present
+
+- name: Installa radicale
+ pip:
+ name: radicale
+
+- name: Copy settings
+ template:
+ src: config.j2
+ dest: /srv/radicale/config
+ owner: radicale
+ group: radicale
+ mode: 0660
+
+- name: Copy service
+ template:
+ src: radicale.service.j2
+ dest: /etc/systemd/system/radicale.service
+ owner: radicale
+ group: radicale
+ mode: 0660
+
+- name: Enable radicale
+ ansible.builtin.systemd:
+ name: radicale
+ enabled: yes
+ masked: no
+
+- name: Make sure radicale is running
+ ansible.builtin.systemd:
+ state: restarted
+ daemon_reload: yes
+ name: radicale
diff --git a/roles/staging/radicale/templates/config.j2 b/roles/staging/radicale/templates/config.j2
new file mode 100644
index 0000000..8beae50
--- /dev/null
+++ b/roles/staging/radicale/templates/config.j2
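Review bot: The `Copy service` task installs `/etc/systemd/system/radicale.service` with `owner: radicale`, `group: radicale`, `mode: 0660`, so the unprivileged service account owns and can rewrite the unit that systemd executes with root authority; unit files should be `owner: root`, `group: root`, `mode: 0644`. The `Copy settings` task has the same shape, and since the config lives under the path the unit later grants with `ReadWritePaths`, the running service can alter its own `[auth]` settings; `owner: root`, `group: radicale`, `mode: 0640` is enough for it to be read. Separately, `apache2-utils` is pulled in "because we need htpasswd" but no task creates `/srv/radicale/users`, so a fresh run leaves the server with no valid credentials, and the final task uses `state: restarted` unconditionally, which bounces the service on every playbook run instead of only when a template changed (a handler notified by the two template tasks would fix that).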
@@ -0,0 +1,120 @@
+# -*- mode: conf -*-
+# vim:ft=cfg
+
+# Config file for Radicale - A simple calendar server
+#
+# Place it into /etc/radicale/config (global)
+# or ~/.config/radicale/config (user)
+#
+# The current values are the default ones
+
+
+[server]
+
+# CalDAV server hostnames separated by a comma
+# IPv4 syntax: address:port
+# IPv6 syntax: [address]:port
+# For example: 0.0.0.0:9999, [::]:9999
+hosts = radicale.cose.belle:5232
+
+# Max parallel connections
+#max_connections = 8
+
+# Max size of request body (bytes)
+#max_content_length = 100000000
+
+# Socket timeout (seconds)
+#timeout = 30
+
+# SSL flag, enable HTTPS protocol
+#ssl = False
+
+# SSL certificate path
+#certificate = /etc/ssl/radicale.cert.pem
+
+# SSL private key
+#key = /etc/ssl/radicale.key.pem
+
+# CA certificate for validating clients. This can be used to secure
+# TCP traffic between Radicale and a reverse proxy
+#certificate_authority =
+
+
+[encoding]
+
+# Encoding for responding requests
+#request = utf-8
+
+# Encoding for storing local collections
+#stock = utf-8
+
+
+[auth]
+
+# Authentication method
+# Value: none | htpasswd | remote_user | http_x_remote_user
+type = htpasswd
+
+# Htpasswd filename
+htpasswd_filename = /srv/radicale/users
+
+# Htpasswd encryption method
+# Value: plain | bcrypt | md5
+# bcrypt requires the installation of radicale[bcrypt].
+htpasswd_encryption = bcrypt
+
+# Incorrect authentication delay (seconds)
+#delay = 1
+
+# Message displayed in the client when a password is needed
+#realm = Radicale - Password Required
+
+
+[rights]
+
+# Rights backend
+# Value: none | authenticated | owner_only | owner_write | from_file
+#type = owner_only
+
+# File for rights management from_file
+#file = /etc/radicale/rights
+
+
+[storage]
+
+# Storage backend
+# Value: multifilesystem
+#type = multifilesystem
+
+# Folder for storing local collections, created if not present
+filesystem_folder = /srv/radicale/storage
+
+# Delete sync token that are older (seconds)
+#max_sync_token_age = 2592000
+
+# Command that is run after changes to storage
+# Example: ([ -d .git ] || git init) && git add -A && (git diff --cached --quiet || git commit -m "Changes by "%(user)s)
+#hook =
+
+
+[web]
+
+# Web interface backend
+# Value: none | internal
+type = internal
+
+
+[logging]
+
+# Threshold for the logger
+# Value: debug | info | warning | error | critical
+#level = warning
+
+# Don't include passwords in logs
+#mask_passwords = True
+
+
+[headers]
+
+# Additional HTTP headers
+#Access-Control-Allow-Origin = *
diff --git a/roles/staging/radicale/templates/radicale.service.j2 b/roles/staging/radicale/templates/radicale.service.j2
new file mode 100644
index 0000000..1765318
--- /dev/null
+++ b/roles/staging/radicale/templates/radicale.service.j2
@@ -0,0 +1,25 @@
+[Unit]
+Description=A simple CalDAV (calendar) and CardDAV (contact) server
+After=network.target
+Requires=network.target
+
+[Service]
+ExecStart=env python3 -m radicale --config /srv/radicale/config
+Restart=on-failure
+StartLimitInterval=30
+User=radicale
+UMask=0027
+
+# Optional security settings
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+NoNewPrivileges=true
+ReadWritePaths=/srv/radicale
+
+[Install]
+WantedBy=multi-user.target
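Review bot: `hosts = radicale.cose.belle:5232` binds the listener to the public hostname while `#ssl = False` is left at its default, so the htpasswd credentials that the `[auth]` section requires would travel as cleartext HTTP Basic unless a TLS-terminating reverse proxy sits in front, and nothing in this change shows one. Either bind to `127.0.0.1:5232` behind such a proxy or set `ssl = True` with `certificate` and `key` pointing at real files. Also, `htpasswd_encryption = bcrypt` depends on `radicale[bcrypt]` as the comment directly above it states, but the pip task in `roles/staging/radicale/tasks/main.yml` installs plain `radicale`, so logins are likely to fail until that task uses `name: radicale[bcrypt]`.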
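Review bot: `StartLimitInterval=30` is placed in `[Service]`, but since systemd 230 the start rate-limit settings belong in `[Unit]` as `StartLimitIntervalSec=` (the old `[Service]` spelling is kept only for compatibility and, depending on the version, logs a deprecation warning); move it to `[Unit]` as `StartLimitIntervalSec=30`. The hardening block is otherwise sound: `ProtectSystem=strict` with `ReadWritePaths=/srv/radicale` confines writes to the data directory, though it is worth a comment that this also makes `/srv/radicale/config` writable by the running service, so the config file's ownership and mode are what actually protect it.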