Compare commits


2 commits

Author SHA1 Message Date
six
f0d65afd45 comment on debian-frotend/tasks/nginx.yml 2021-02-20 14:03:56 +01:00
six
db06f882d6 add debian-base and debian-frotend roles 2021-02-20 13:46:16 +01:00
40 changed files with 326 additions and 650 deletions

View file

@ -2,36 +2,13 @@
Un angolo ragionato per facilitare la messa in opera di servizi autogestiti di prossimità.
#### Come si usa
Silicone è una raccolta di ruoli [ansible](https://docs.ansible.com/ansible/latest/index.html) fatti a modino e basati su debian stable, un tentativo di fissare alcune scelte tecniche ragionate e poterle ridiscutere in un posto comodo.
È molto utile anche per chi vuole tirare su un pad o gancio o altro senza dover necessariamente mettere le mani troppo nella marmellata dei file di configurazione di nginx, ricordarsi di aggiungere il cron per certbot, capire quale versione di nodejs bisogna usare per installare etherpad o trovare un sistema per fare i backup di tutto questo. Qui dentro abbiamo fatto delle scelte.
```bash
ansible-galaxy collection install community.general
ansible-galaxy collection install community.postgresql
ansible-galaxy install nginxinc.nginx
ansible-galaxy install nginxinc.nginx_config
```
Silicone è una raccolta di ruoli
[ansible](https://docs.ansible.com/ansible/latest/index.html) fatti a
modino e basati su debian stable, un tentativo di fissare alcune scelte
tecniche ragionate e poterle ridiscutere in un posto comodo. È molto utile
anche per chi vuole tirare su un pad o gancio o altro senza dover
necessariamente mettere le mani troppo nella marmellata dei file di
configurazione di nginx, ricordarsi di aggiungere il cron per certbot,
capire quale versione di nodejs bisogna usare per installare etherpad o
trovare un sistema per fare i backup di tutto questo. Qui dentro abbiamo
fatto delle scelte.
Per usarlo velocemente e conoscendo un minimo ansible, imposta il tuo
inventory ([inventory.yml](./inventory.yml)) il tuo playbook
([infra.yml](./infra.yml)) e lancia `ansible-playbook`.
Per usarlo velocemente e conoscendo un minimo ansible, imposta il tuo inventory ([inventory.yml](./inventory.yml)) il tuo playbook ([infra.yml](./infra.yml)) e lancia `ansible-playbook`.
#### Ansible in breve
Ansible è uno strumento a cui si fornisce una lista di macchine da gestire
(specificate dentro un file inventory) e si descrive quali ruoli assegnare
ad ogni macchina. Ad esempio, diciamo che su ogni server/vm che gestiamo
vogliamo installare 3 pacchetti (git, sudo e python3), ecco bisognerà
scrivere nel playbook qualcosa come:
Ansible è uno strumento a cui si fornisce una lista di macchine da gestire (specificate dentro un file inventory) e si descrive quali ruoli assegnare ad ogni macchina. Ad esempio, diciamo che su ogni server/vm che gestiamo vogliamo installare 3 pacchetti (git, sudo e python3), ecco bisognerà scrivere nel playbook qualcosa come:
```yaml
# test_playbook.yml
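Review bot: the `ansible-galaxy install nginxinc.nginx` / `nginxinc.nginx_config` lines in this hunk have to agree with the rest of this compare, where `requirements.yml` (which lists exactly those two roles) is deleted and the new `debian-frotend` role installs nginx from the nginx.org apt repository instead. Keep either the Galaxy roles or the apt-based role, and make the README's install block and `requirements.yml` describe the same thing in the same commit.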
@ -47,55 +24,28 @@ scrivere nel playbook qualcosa come:
- python3
```
A questo punto lanciando `./ansible-playbook test_playbook.yml` tutti i
server specificati nel file di inventory verranno contattati da ansible via
ssh che provvederà ad eseguire le operazioni descritte nel task.
A questo punto lanciando `./ansible-playbook test_playbook.yml` tutti i server specificati nel file di inventory verranno contattati da ansible via ssh che provvederà ad eseguire le operazioni descritte nel task.
Un ruolo ansible quindi non è nient'altro che una lista di operazioni.
Per poter eseguire solo alcuni ruoli di alto livello possiamo usare i tag:
`ansible-playbook --tags radicale infra.yml`.
Nello sviluppo può essere molto comodo usare la flag `--start-at-task`:
```shell
ansible-playbook -i inventory.yml -i hosts --tags fdroid --start-at-task \
"Link repo into public dir" infra.yml
```
C'è anche un tool abbastanza comodo per fare dei controlli su quello che
stai scrivendo, si chiama
[ansible-lint](https://ansible-lint.readthedocs.io/en/latest/)
#### Password / Keys
Per le informazioni sensibili (password del database, dell'account di
admin, una chiave ssh) viene usato
[passwordstore](https://www.passwordstore.org/), il path usato è
specificato nell'inventory con la variabile `passwordstore_path`.
Per le informazioni sensibili (password del database, dell'account di admin, una chiave ssh) viene usato [passwordstore](https://www.passwordstore.org/), il path usato è specificato nell'inventory con la variabile `passwordstore_path`.
#### Backup
Per i backup usiamo [restic](https://restic.net/). ogni servizio che vuole
supportare i backup deve controllare la variabile `with_backup` e
specificare di quali database e directory fare i backup (`restic_databases`
e `restic_folders`). Le configurazioni sono dentro l'inventory (che le
cerca dentro il passwordstore).
Per i backup usiamo [restic](https://restic.net/).
ogni servizio che vuole supportare i backup deve controllare la variabile `with_backup` e specificare di quali database e directory fare i backup (`restic_databases` e `restic_folders`). Le configurazioni sono dentro l'inventory (che le cerca dentro il passwordstore).
#### Monitoring
#### Creare nuovi ruoli e testarne di vecchi
#### Creare nuovi ruoli e testarne di vecchi:
Ci sono varie possibilità, si può usare docker o vagrant, sono dentro `dev/`, per Docker c'e' un [README](./dev/README.md)
Ci sono varie possibilità, si può usare docker o vagrant, sono dentro
`dev/`, per Docker c'e' un [README](./dev/README.md)
### Servizi
I servizi di alto livello dipendono dai ruoli base, ad esempio etherpad
dipende tra gli altri da nodejs, postgresql e opzionalmente anche da nginx
e restic. Le dipendenze di un ruolo sono specificate dentro `meta/main.yml`
alla voce `dependencies` (vedi le dipendenze del ruolo etherpad come
esempio [qui](./roles/stable/etherpad/meta/main.yml))
I servizi di alto livello dipendono dai ruoli base, ad esempio etherpad dipende tra gli altri da nodejs, postgresql e opzionalmente anche da nginx e restic. Le dipendenze di un ruolo sono specificate dentro `meta/main.yml` alla voce `dependencies` (vedi le dipendenze del ruolo etherpad come esempio [qui](./roles/stable/etherpad/meta/main.yml))
<!--
#### [Etherpad](https://etherpad.org/)
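Review bot: the `--start-at-task "Link repo into public dir"` example with `--tags fdroid` points at a task of the `staging/fdroid` role, and that role is deleted in this same compare; replace it with a task name that still exists so the example can be copied and run. The `#### Monitoring` heading has no body on either side of the hunk; either fill it in or drop it. Minor: the `#### Creare nuovi ruoli e testarne di vecchi` heading appears both with and without a trailing colon, keep one form.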

View file

@ -1,19 +1,9 @@
---
- name: Mastodon backup
## FRONTEND
- name: Test backup
hosts: mastodon
roles: ['stable/restic']
vars:
restic_dump_compression_enabled: true
restic_databases:
- {name: 'mastodon', dump_command: sudo -Hiu postgres pg_dump -Z0 -Fc mastodon}
restic_folders: ['/var/lib/redis/dump.rdb','/home/mastodon/live/.env.production']
- name: Stereodon Backup
hosts: stereodon
roles: ['stable/restic']
vars:
restic_dump_compression_enabled: true
restic_databases:
- {name: 'stereodon', dump_command: sudo -Hiu postgres pg_dump -Z0 -Fc mastodon}
restic_folders: ['/var/lib/redis/dump.rdb','/home/mastodon/live/.env.production']
- {name: 'mastodon', dump_command: sudo -Hiu postgres pg_dump -Fc mastodon}
restic_folders: ['/var/lib/redis/dump.rdb','/home/mastodon/live/.env.production']
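Review bot: `-Z0` on the `pg_dump -Fc` line and `restic_dump_compression_enabled: true` have to move together: the restic unit pipes the dump through `pigz` when compression is enabled, and `-Fc` without `-Z0` is already compressed by pg_dump, so a side that drops `-Z0` but still pipes through pigz compresses twice and defeats rsyncable chunking. On the side without pigz, `-Fc` already compresses internally, which is fine, but the restic unit then names the file `mastodon.sql` although it is a custom-format archive that only `pg_restore` can read; name it accordingly. Also `sudo -Hiu postgres` in `dump_command` runs inside the restic unit as the restic user, which needs a matching sudoers rule that this compare does not show.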

View file

@ -1,7 +0,0 @@
---
## FRONTEND
- name: Frontend
hosts: frontend2
roles: ['stable/common', 'stable/nginx']
vars_files: vars/frontend.yml
tags: frontend

View file

@ -1,7 +1,7 @@
---
## FRONTEND
- name: Frontend
hosts: frontend2
hosts: frontend
roles: ['stable/common', 'stable/nginx']
vars_files: vars/frontend.yml
tags: frontend
@ -20,6 +20,7 @@
tags: cicles
roles: ['stable/common', 'stable/goploader']
# GANCIO
- name: Gancio
hosts: gancio
@ -32,12 +33,7 @@
hosts: radicale
tags: radicale
roles: ['stable/common', 'staging/radicale']
- name: Fdroid
hosts: fdroid
tags: fdroid
roles: [ 'stable/common', 'staging/fdroid' ]
vars_files: vars/fdroid.yml
vars_files: vars/gancio.yml
# TEST
- name: Test
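Review bot: `vars_files: vars/gancio.yml` at the end of this hunk follows the Radicale play (`hosts: radicale`, `roles: ['stable/common', 'staging/radicale']`), while the Gancio play is the one at line 20 of this file; if that line is attached to the Radicale play it loads Gancio's variables into the wrong play. Check which play it belongs to and, if it is a copy-paste slip from the deleted Fdroid play's `vars_files: vars/fdroid.yml`, point it at radicale's own vars file or drop it.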

View file

@ -13,23 +13,14 @@ cicles:
mastodon:
hosts: cisti.mastodon
stereodon:
hosts: cisti.stereodon
farma:
hosts: cisti.farma
frontend:
hosts: cisti.frontend
frontend2:
hosts: cisti.frontend2
radicale:
hosts: cisti.cal
fdroid:
hosts: fdroid.cose.belle
hosts: radicale.cose.belle
test:
hosts: cisti.jolly
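Review bot: both `frontend` and `frontend2` groups exist in this hunk while `infra.yml` in this compare targets only one of them (`hosts: frontend2` on one side, `hosts: frontend` on the other); delete the unused group so a stale host cannot be picked up by a future play. For `radicale`, the host moves between `cisti.cal` and `radicale.cose.belle`, and the radicale config hunk binds the daemon to `radicale.cose.belle:5232`; if that name resolves to a public address the CalDAV service listens in the clear, see the note on that hunk.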

View file

@ -1,8 +0,0 @@
---
## KOHA
- name: Koha
hosts: localhost
roles: ['stable/common', 'koha']
vars_files: vars/koha.yml
tags: koha

View file

@ -1,84 +0,0 @@
---
## Based on
## https://wiki.koha-community.org/wiki/Debian
- name: Add an Apt signing key, will not download if present
become: yes
apt_key:
url: https://debian.koha-community.org/koha/gpg.asc
state: present
keyring: /usr/share/keyrings/koha-community-archive-keyring.gpg
- name: Add Koha package repository
become: yes
apt_repository:
filename: koha.list
repo: "deb [signed-by=/usr/share/keyrings/koha-community-archive-keyring.gpg] http://debian.koha-community.org/koha stable main"
update_cache: yes
- name: Install koha and mariadb
become: yes
apt:
pkg:
- koha-common
- mariadb-server
- name: Configure the defaults
become: yes
template:
src: koha-sites.conf.j2
dest: /etc/koha/koha-sites.conf
- name: Enable the Apache2 module rewrite
become: yes
apache2_module:
state: present
name: rewrite
- name: Enable the Apache2 module cgi
become: yes
apache2_module:
state: present
name: cgi
- name: Make sure apache2 is restarted
become: yes
systemd:
state: restarted
name: apache2
- name: Create koha instance
become: yes
command:
cmd: koha-create --create-db "{{library_name}}"
- name: Enable the Apache2 module cgi
become: yes
apache2_module:
state: present
name: headers
- name: Enable the Apache2 module cgi
become: yes
apache2_module:
state: present
name: proxy_http
- name: Enable plack
become: yes
command:
cmd: koha-plack --enable "{{library_name}}"
- name: Start plack
become: yes
command:
cmd: koha-plack --start "{{library_name}}"
- name: Make sure apache2 is restarted
become: yes
systemd:
state: restarted
name: apache2
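Review bot: if this role is restored anywhere, three of its `apache2_module` tasks are named `Enable the Apache2 module cgi` while enabling `cgi`, `headers` and `proxy_http` respectively, and `koha-create --create-db` plus `koha-plack --enable` / `--start` are plain `command` tasks without `creates:` or a guard, so a second run fails or tries to re-create the instance; the two `systemd: state: restarted` tasks for apache2 should be one handler. On the positive side, `apt_key` with `keyring:` and `signed-by=` in the repo line is the pattern the new nginx role in this compare should copy.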

View file

@ -1,52 +0,0 @@
# NOTE: for a complete list of valid options please read koha-create(8)
## Apache virtual hosts creation variables
#
# Please note that the URLs are built like this:
# OPAC: http://<OPACPREFIX><INSTANCE NAME><OPACSUFFIX><DOMAIN>:<OPACPORT>
# STAFF: http://<INTRAPREFIX><INSTANCE NAME><INTRASUFFIX><DOMAIN>:<INTRAPORT>
DOMAIN=".{{domain}}"
INTRAPORT="80"
INTRAPREFIX=""
INTRASUFFIX="-intra"
OPACPORT="80"
OPACPREFIX=""
OPACSUFFIX=""
## Default data to be loaded
#
# DEFAULTSQL: filename
# Specify an SQL file with default data to load during instance creation
# The SQL file can be optionally compressed with gzip
# default: (empty)
DEFAULTSQL=""
## Zebra global configuration variables
#
# ZEBRA_MARC_FORMAT: 'marc21' | 'unimarc'
# Specifies the MARC records format for indexing
# default: 'marc21'
ZEBRA_MARC_FORMAT="marc21"
# ZEBRA_LANGUAGE: 'cs' | 'el' | 'en' | 'es' | 'fr' | 'nb' | 'ru' | 'uk'
# Primary language for Zebra indexing
# default: 'en'
ZEBRA_LANGUAGE="en"
## Memcached global configuration variables
#
# USE_MEMCACHED: 'yes' | 'no'
# Make the created instance use memcached. Can be altered later.
# default: 'yes'
USE_MEMCACHED="yes"
# MEMCACHED_SERVERS: comma separated list of memcached servers (ip:port)
# Specify a list of memcached servers for the Koha instance
# default: '127.0.0.1:11211'
MEMCACHED_SERVERS="127.0.0.1:11211"
# MEMCACHED_PREFIX:
# Specify a string to be used as prefix for defining the memcached namespace
# for the created instance.
# default: 'koha_'
MEMCACHED_PREFIX="koha_"
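Review bot: `INTRAPORT="80"` with `INTRASUFFIX="-intra"` publishes the staff interface as `<instance>-intra.{{domain}}` on plain HTTP next to the OPAC; if this template comes back, the staff vhost needs TLS at the frontend and an access restriction, since it is the privileged side of Koha.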

View file

@ -1,3 +0,0 @@
---
- name: nginxinc.nginx
- name: nginxinc.nginx_config

View file

@ -0,0 +1,4 @@
deb http://deb.debian.org/debian buster main contrib non-free
deb http://deb.debian.org/debian-security/ buster/updates main contrib non-free
deb http://deb.debian.org/debian buster-updates main contrib non-free
deb http://deb.debian.org/debian buster-backports main contrib non-free
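Review bot: this `sources.list` is byte-for-byte the same as `sources-debian.list` in the `debian-frotend` role added in this compare, and both hard-code `buster`; keep one copy (template it with `{{ ansible_distribution_release }}`) and have `debian-frotend` depend on `debian-base` rather than carry its own. `deb.debian.org` also serves https, which hides the package list from on-path observers even though apt verifies signatures either way.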

View file

@ -0,0 +1,45 @@
- name: debian-base - Copia apt/sources.list completo
copy:
src: sources.list
dest: /etc/apt/sources.list
- name: debian-base - Aggiorna indici apt-get
apt:
update_cache: yes
#- name: Aggiorna distro
# apt:
# upgrade: dist
- name: debian-base - Installa pacchetti sistema base
apt:
name: "{{ item }}"
state: latest
with_items:
- amd64-microcode
- bmon
- bzip2
- ca-certificates
- console-data
- curl
# - etckeeper
- git
- htop
- intel-microcode
- less
- lnav
- openssh-server
- rar
- screen
- sudo
- tree
- unzip
- unar
- unrar
- unattended-upgrades
- vim
- wget
- zip
- zsh
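Review bot: `with_items` with `apt: name: "{{ item }}"` installs one package per apt transaction; pass the list to `name:` directly, as the `debian-frotend` task in this compare does. None of these tasks sets `become: true`, so the role only works when the play escalates globally. `state: latest` makes every run an upgrade, which is what the `unattended-upgrades` package installed here is for; use `state: present` for the base set. `rar` / `unrar` need `non-free`, which the copied `sources.list` does enable, but that coupling deserves a comment.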

View file

@ -0,0 +1 @@
deb http://nginx.org/packages/debian/ buster nginx
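Review bot: add a `[signed-by=/path/to/nginx-keyring.gpg]` option to this line (the path is whatever keyring the `apt_key` task in `nginx.yml` is changed to write to) so the nginx.org key can only validate this repository; as written the key lands in the global trusted keyring and would validate packages from every other source too.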

View file

@ -0,0 +1,4 @@
deb http://deb.debian.org/debian buster main contrib non-free
deb http://deb.debian.org/debian-security/ buster/updates main contrib non-free
deb http://deb.debian.org/debian buster-updates main contrib non-free
deb http://deb.debian.org/debian buster-backports main contrib non-free

View file

@ -0,0 +1,71 @@
---
- debug:
msg: "Distro: {{ hostvars[inventory_hostname].ansible_distribution }} {{ hostvars[inventory_hostname].ansible_distribution_version }}"
- name: Copia apt/sources.list (Debian)
when: ansible_distribution == "Debian"
become: true
copy:
src: sources-debian.list
dest: /etc/apt/sources.list
- name: Aggiorna indici apt-get
become: true
apt:
update_cache: yes
- name: Installa pacchetti base dalla distro
apt:
name: [
'amd64-microcode',
'bmon',
'bzip2',
'ca-certificates',
'console-data',
'curl',
'git',
'htop',
'intel-microcode',
'less',
'lnav',
'rar',
'screen',
'sudo',
'tree',
'unzip',
'unar',
'unrar',
'unattended-upgrades',
'vim',
'wget',
'zip',
'zsh',
]
state: latest
update_cache: yes
#TODO
- name: Installa pacchetti webserver
apt:
name: [
'apt-transport-https',
'curl',
'ca-certificates',
'clamav',
'clamav-freshclam',
'gnupg2',
'imagemagick',
'jpegoptim',
'libapache2-mod-rpaf',
'optipng',
'pngquant',
'python3-pip',
]
default_release: ascii-backports
state: latest
default_release: ascii-backports
- include: nginx.yml
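Review bot: `default_release: ascii-backports` is given twice in the same task, a duplicate YAML key that Ansible either rejects or silently resolves to the last value, and `ascii` is a Devuan release name while `sources-debian.list` in this role only carries Debian `buster` suites, so apt fails with an unknown release; use `buster-backports` (or `{{ ansible_distribution_release }}-backports`) once. The two `apt` install tasks lack `become: true` although the `copy` and `update_cache` tasks have it. `libapache2-mod-rpaf` is an Apache module on a host whose next step installs nginx. `- include: nginx.yml` is the deprecated form; `import_tasks: nginx.yml` is the replacement.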

View file

@ -0,0 +1,57 @@
---
- name: Copia apt-nginx.list
copy:
src: apt-nginx.list
dest: /etc/apt/sources.list.d/nginx.list
- name: Importa chiave gpg nginx.org
apt_key:
#id: ABF5BD827BD9BF62
#id: 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
url: https://nginx.org/keys/nginx_signing.key
state: present
- name: Installa nginx.org
apt:
name: nginx
state: latest
install_recommends: yes
update_cache: yes
- name: Installa certbot per nginx
apt:
name: python3-certbot-nginx
state: latest
install_recommends: yes
# TODO: importa o crea certificati letsencrypt, forse ridondante con roles/stable/nginx
#- name: Copia file configurazione nginx
# copy:
# src: "{{ item.origin }}"
# dest: "/etc/nginx/{{ item.dest }}"
# owner: root
# group: root
# mode: 0644
# backup: yes
# with_items:
# - { origin: 'nginx/nginx.conf', dest: 'nginx.conf' }
# - { origin: 'nginx/deny.conf', dest: 'deny.conf' }
#- name: Disabilita sito di default Nginx
# file:
# path: /etc/nginx/sites-enabled/default
# state: absent
#- name: Crea directory per il sito
# file:
# path: /var/www/websites/
# state: directory
# mode: 0755
#- name: Abilita Nginx al boot, ma non avviarlo ancora (altrimenti crasha perchè mancano i certificati SSL)
# service:
# name: nginx
# state: stopped
# enabled: yes
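Review bot: the `apt_key` task fetches `https://nginx.org/keys/nginx_signing.key` with both fingerprint `id:` lines commented out and no `keyring:`, so whatever key that URL serves becomes trusted for every apt source on the host; restore the `id:` pin and write to a dedicated keyring referenced by `signed-by=` in `apt-nginx.list` (the deleted koha role in this compare shows that pattern). `install_recommends: yes` widens the install set with no need shown here. Two certbot installations now coexist, `python3-certbot-nginx` from Debian here and `/snap/bin/certbot` in `roles/stable/nginx`; the `TODO` comment already suspects the overlap, resolve it before both try to manage `/etc/letsencrypt`. None of these tasks sets `become`.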

View file

@ -7,7 +7,7 @@ log_level: "INFO"
database_password: "{{lookup('community.general.passwordstore', '{{passwordstore_path}}/etherpad_{{ansible_hostname}}/db_password create=True nosymbols=true')}}"
pad_admin_password: "{{lookup('community.general.passwordstore', '{{passwordstore_path}}/etherpad_{{ansible_hostname}}/admin_password create=True nosymbols=true')}}"
plugins: ['ep_headings2', 'ep_table_of_contents', 'ep_comments_page', 'ep_align']
plugins: ['ep_headings2', 'ep_table_of_contents', 'ep_comments_page', 'ep_align', 'ep_delete_after_delay_lite']
pad_lang: 'it-IT'

View file

@ -20,22 +20,20 @@
git:
repo: "https://github.com/ether/etherpad-lite"
dest: "/srv/etherpad/etherpad"
version: "1.8.14"
version: "1.8.7"
force: true
become: true
become_user: "etherpad"
register: repository
- name: ensure etherpad service is latest
- name: ensure etherpad init.d is latest
become: yes
template:
src: etherpad.service.j2
src: etherpad.service.j2
dest: /etc/systemd/system/etherpad.service
src: etherpad.initd.j2
dest: /etc/init.d/etherpad
owner: root
group: root
mode: 0644
notify: systemd reload
mode: 0500
- name: copy etherpad settings.json
become: yes
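Review bot: the version pin moves between `1.8.14` and `1.8.7` in this hunk, and `1.8.7` is the older release, so the side that keeps it drops everything fixed in between; pin whichever is intended explicitly and do not let a branch merge silently downgrade. `force: true` on the checkout discards any local change in `/srv/etherpad/etherpad` on every run, acceptable for a managed checkout but worth a comment. The init.d side drops `notify: systemd reload`; the systemd-unit side needs it for changed unit files, and a unit with `User=etherpad` gives everything the `start-stop-daemon` script does with less code.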

View file

@ -0,0 +1,77 @@
#!/bin/sh
### BEGIN INIT INFO
# Provides: etherpad-lite
# Required-Start: $local_fs $remote_fs $network $syslog
# Required-Stop: $local_fs $remote_fs $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: starts etherpad lite
# Description: starts etherpad lite using start-stop-daemon
### END INIT INFO
PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/node/bin"
LOGFILE="/srv/etherpad/etherpad/etherpad-lite.log"
EPLITE_DIR="/srv/etherpad/etherpad"
EPLITE_BIN="bin/safeRun.sh"
USER="etherpad"
GROUP="etherpad"
DESC="Etherpad Lite"
NAME="etherpad-lite"
set -e
. /lib/lsb/init-functions
start() {
echo "Starting $DESC... "
start-stop-daemon --start --chuid "$USER:$GROUP" --background --make-pidfile --pidfile /var/run/$NAME.pid --exec $EPLITE_DIR/$EPLITE_BIN -- $LOGFILE || true
echo "done"
}
#We need this function to ensure the whole process tree will be killed
killtree() {
local _pid=$1
local _sig=${2-TERM}
for _child in $(ps -o pid --no-headers --ppid ${_pid}); do
killtree ${_child} ${_sig}
done
kill -${_sig} ${_pid}
}
stop() {
echo "Stopping $DESC... "
while test -d /proc/$(cat /var/run/$NAME.pid); do
killtree $(cat /var/run/$NAME.pid) 15
sleep 0.5
done
rm /var/run/$NAME.pid
echo "done"
}
status() {
status_of_proc -p /var/run/$NAME.pid "" "etherpad-lite" && exit 0 || exit $?
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
status)
status
;;
*)
echo "Usage: $NAME {start|stop|restart|status}" >&2
exit 1
;;
esac
exit 0
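Review bot: `stop()` reads `/var/run/$NAME.pid` without checking it exists: with `set -e`, a missing pidfile turns the loop condition into `test -d /proc/`, which is true, and `killtree ''` then runs `kill -15` with no pid and aborts the script; guard with `[ -r /var/run/$NAME.pid ] || return 0` and use `rm -f`. `start()` ends with `|| true`, so a failed start still prints `done` and exits 0. `LOGFILE` lives inside the checkout, writable by the `etherpad` user. `--make-pidfile` records safeRun.sh's pid, which `killtree` handles, but the whole script re-implements what the systemd unit on the other side of this compare already provides.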

View file

@ -545,6 +545,14 @@
]
},
"ep_delete_after_delay_lite": {
"delay": 86400, // one day, in seconds
"loop": true,
"loopDelay": 3600, // one hour, in seconds
"deleteAtStart": true,
"text": "{{pad_default_text|replace("\n","\\n")}}"
},
"ep_toc": {
"disable_by_default": true
}
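Review bot: `"text": "{{pad_default_text|replace("\n","\\n")}}"` only escapes newlines; a double quote or backslash in `pad_default_text` produces invalid JSON and Etherpad will not start, use `{{ pad_default_text | to_json }}` (which emits the surrounding quotes itself) instead. With `deleteAtStart: true` and `delay: 86400`, if the option does what its name says, every restart (including restarts caused by this role) runs the deletion pass and pads idle for more than a day disappear; make sure that retention is the intended policy and say so in the README's Backup section.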

View file

@ -23,13 +23,13 @@
- name: copy mumble-web unit file
template:
src: mumble-web-proxy.service.j2
dest: /etc/systemd/system/mumble-web-proxy.service
src: mumble-web.service.j2
dest: /etc/systemd/system/mumble-web.service
owner: root
group: root
mode: 0644
register: servicefile
notify: restart mumble-web-proxy
notify: restart mumble-web
- name: Allow to python to inherit socket binding capability
capabilities:
@ -47,7 +47,7 @@
- name: enable and start mumble-web
systemd:
name: mumble-web-proxy
name: mumble-web
daemon-reload: yes
enabled: True
state: started
state: started
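Review bot: the `capabilities` task that lets python inherit the socket-binding capability sets a file capability on the interpreter, which grants it to every invocation of that interpreter on the host; the unit file in this compare already carries `AmbientCapabilities=CAP_NET_BIND_SERVICE` and `CapabilityBoundingSet=CAP_NET_BIND_SERVICE`, which scope the capability to this service alone, so keep the unit directives and drop the file capability.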

View file

@ -1,15 +1,27 @@
[Unit]
Description=Mumble Web Proxy
After=network.target auditd.service
Description=Mumble-web
[Service]
Type=simple
ExecStart=/usr/bin/mumble-web-proxy --listen-ws 64737 --server farma.cisti.org:64738 --ice-port-min 20000 --ice-port-max 21000 --ice-ipv4 185.105.3.28
Restart=on-failure
PIDFile=/tmp/mumble-web-proxy.pid
User=mumble-server
WorkingDirectory=/var/lib/mumble-server
SyslogIdentifier=mumble-web
ExecStart=/usr/bin/python2.7 /usr/bin/python2-websockify \
{% if mumble_web_ssl_activated %}
--cert={{ murmur_sslcert }} --key={{ murmur_sslkey }} --ssl-only \
{% endif %}
{% if mumble_web_ssl_target %}
--ssl-target \
{% endif %}
--web={{ mumble_web_path }}/dist {{ mumble_web_listen }} localhost:{{ murmur_port }}
DynamicUser=true
; we need access to the certs
{% if mumble_web_supplementary_groups is defined %}
SupplementaryGroups={{ mumble_web_supplementary_groups }}
{% endif %}
; The following additional security directives only work with systemd v229 or later.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
; Always run
Restart=always
[Install]
WantedBy=multi-user.target
WantedBy=multi-user.target
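Review bot: on the websockify side, `ExecStart=/usr/bin/python2.7 /usr/bin/python2-websockify` pins an end-of-life interpreter, and when `mumble_web_ssl_activated` is false the proxy serves `ws://` and the `--web` directory in the clear; give that variable a safe default and document it. `DynamicUser=true` plus `SupplementaryGroups` for the certificate files is the right way to read the key without running as root. On the proxy side, `PIDFile=/tmp/mumble-web-proxy.pid` is unused with `Type=simple` and points into world-writable `/tmp`, drop it; and `--server farma.cisti.org:64738 ... --ice-ipv4 185.105.3.28` should be role variables like the websockify side's `murmur_port` / `mumble_web_listen`.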

View file

@ -17,7 +17,7 @@
- name: Generate certificate if needed
become: yes
command: /snap/bin/certbot --nginx --non-interactive --agree-tos --expand
command: /snap/bin/certbot --nginx --non-interactive --agree-tos
--domains {{ fpm_services | items2dict(key_name='server_name', value_name='server_name') | join(',') }}
{{ reverse_services | items2dict(key_name='server_name', value_name='server_name') | join(',') }}
--email {{certbot_email}}
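Review bot: keep `--expand`: this is a non-interactive run whose domain list is generated from `fpm_services` and `reverse_services`, and without `--expand` certbot refuses to reissue when a new `server_name` is added to an existing certificate's SAN list, so the play fails exactly when a service is added. Separately, the two `join(',')` expressions are separated by whitespace rather than a comma, so when both lists are non-empty certbot receives `--domains a,b c,d` and `c,d` becomes a stray positional argument; concatenate both lists before a single `join(',')`.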

View file

@ -33,6 +33,5 @@ restic_password: "{{lookup('community.general.passwordstore', '{{passwordstore_p
restic_repository_name: "{{ansible_hostname | default('restic') }}"
restic_ssh_private_key: "{{lookup('community.general.passwordstore', '{{passwordstore_path}}/restic/ssh_private returnall=true')}}"
restic_ssh_hostname: "{{lookup('community.general.passwordstore', '{{passwordstore_path}}/restic/ssh_hostname')}}"
restic_ssh_host_fingerprint: "{{lookup('community.general.passwordstore', '{{passwordstore_path}}/restic/ssh_host_fingerprint')}}"
restic_ssh_user: "{{lookup('community.general.passwordstore', '{{passwordstore_path}}/restic/ssh_user')}}"
restic_ssh_port: "{{lookup('community.general.passwordstore', '{{passwordstore_path}}/restic/ssh_port') | default(22)}}"
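Review bot: the side that drops `restic_ssh_host_fingerprint` leaves the sftp backend with no pinned host key; the `known_hosts` task in this role's tasks file (also removed in this compare) is the only place the backup server's identity is checked. Keep the variable and the passwordstore entry behind it.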

View file

@ -26,14 +26,6 @@
mode: '0600'
when: restic_ssh_private_key is defined and restic_ssh_enabled
- name: Add backup server host fingerprint
become: yes
known_hosts:
name: '[{{ restic_ssh_hostname }}]:{{ restic_ssh_port }}'
key: '{{ restic_ssh_host_fingerprint }}'
path: '{{ restic_user_home }}/.ssh/known_hosts'
state: present
- name: Add restic_env in home folder
become: yes
template:
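Review bot: removing the `known_hosts` task means the first `sftp:` connection from the restic unit has no host key for `[restic_ssh_hostname]:restic_ssh_port`: ssh either prompts and hangs a non-interactive service, or, if `StrictHostKeyChecking` is relaxed to make it work, accepts any server and hands the backup stream to whoever answers. Keep the task and the fingerprint in passwordstore; restic's repository encryption protects the data, not against a silently failing or redirected backup.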

View file

@ -7,10 +7,6 @@ User={{ restic_user }}
CPUQuota={{ 25 * ansible_processor_vcpus }}%
Nice=19
IOSchedulingClass=best-effort
IOSchedulingPriority=7
{% if restic_ssh_enabled %}
Environment="RESTIC_REPOSITORY=sftp:{{ restic_ssh_host }}:{{ restic_repository_name }}"
{% else %}
@ -32,7 +28,7 @@ ExecStart={{ restic_path }} backup --verbose {{ folder }}
{% endfor -%}
{% for database in restic_databases %}
ExecStart=/bin/sh -c "{{ database.dump_command }} {{ '| pigz --rsyncable |' if restic_dump_compression_enabled else '|' }} {{ restic_path }} backup --verbose --stdin --stdin-filename {{ database.name }}{{ '.sql.gz' if restic_dump_compression_enabled else '.sql' }}"
ExecStart=/bin/sh -c "{{ database.dump_command }} {{ '| pigz |' if restic_dump_compression_enabled else '|' }} {{ restic_path }} backup --verbose --stdin --stdin-filename {{ database.name }}{{ '.sql.gz' if restic_dump_compression_enabled else '.sql' }}"
{% endfor -%}
{% if restic_forget %}
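Review bot: keep `pigz --rsyncable`: restic deduplicates with content-defined chunking, and plain `pigz` output changes entirely after a small change in the dump, so each nightly database dump is stored in full instead of only the changed chunks. Pair it with `-Z0` on the `pg_dump` side (see `backup.yml`) so the data is not compressed twice. The dropped `Nice=19` / `IOSchedulingClass` / `IOSchedulingPriority` lines only lowered the backup's priority; losing them lets a large backup compete with the service it is backing up.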

View file

@ -1,13 +0,0 @@
---
fdroid_user: "fdroid"
fdroid_base_dir: "/srv/fdroid"
fdroid_android_dir: "{{ fdroid_base_dir }}/androidtools"
fdroid_repo_dir: "{{ fdroid_base_dir }}/repository"
fdroid_utils_dir: "{{ fdroid_base_dir }}/utils"
fdroid_html_dir: "{{ fdroid_base_dir }}/html"
fdroid_keystore_pass: ""
fdroid_gplaycli_gmail_address: "{{lookup('community.general.passwordstore', '{{passwordstore_path}}/fdroid/gplaycli/address')}}"
fdroid_gplaycli_gmail_password: "{{lookup('community.general.passwordstore', '{{passwordstore_path}}/fdroid/gplaycli/password')}}"
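Review bot: `fdroid_keystore_pass: ""` as a default means `config.py` is rendered with an empty `keystorepass` / `keypass` unless the inventory overrides it (`vars/fdroid.yml` in this compare does); fail early with an `assert` on a non-empty value rather than produce a config that cannot sign the repo. The Google account password fed to gplaycli via `gmail_password` is a long-lived credential stored on the server; if the role returns, the `token=` setting in `gplaycli.conf` is the alternative to keeping the password there.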

View file

@ -1,8 +0,0 @@
#!/bin/sh
while IFS= read -r line
do
gplaycli -c "$3" -d "$line" -f "$2"
done < "$1"
fdroid update --create-metadata --pretty --clean

View file

@ -1,16 +0,0 @@
org.mozilla.firefox
org.thoughtcrime.securesms
com.whatsapp
com.lynxspa.prontotreno
com.shazam.android
me.bgregos.brighttask
com.spotify.music
com.generalmagic.magicearth
org.dslul.openboard.inputmethod.latin
com.chimbori.hermitcrab
com.fineco.it
ch.protonmail.android
com.skype.m2
posteitaliane.posteapp.appposteid
com.smartlifedigital.autodialer

Binary file not shown.



View file

@ -1,16 +0,0 @@
#!/bin/sh
export ANDROID_HOME=/home/bic/workspace/android/Sdk
if [ "$1" = "-d" ]; then
while IFS= read -r line
do
echo "$line"
gplaycli -d "$line" -f repo
done < applist
fi
fdroid update --create-metadata --use-date-from-apk --pretty --clean --verbose
fdroid deploy

View file

@ -1,43 +0,0 @@
---
galaxy_info:
role_name: fdroid
author: hacklab underscore
description: install an fdroid server and gplaycli tool
company: cisti.org
min_ansible_version: 1.2
platforms:
- name: Debian
versions:
- buster
dependencies:
- role: nginxinc.nginx
- role: nginxinc.nginx_config
vars:
nginx_config_http_template_enable: true
nginx_config_http_template:
app:
template_file: http/default.conf.j2
conf_file_name: default.conf
conf_file_location: /etc/nginx/conf.d/
servers:
server1:
listen:
listen_localhost:
port: 80
server_name: localhost
web_server:
locations:
main_site:
location: /
html_file_location: "{{ fdroid_html_dir }}"
autoindex: true
- role: stable/restic
when: with_backup | bool
vars:
restic_folders: ['{{ fdroid_repo_dir }}']

View file

@ -1,133 +0,0 @@
---
- name: Install fdroid server
become: yes
register: install_fdroid
apt:
pkg:
- python3-pip
- fdroidserver
- name: Install gplaycli
become: yes
register: install_gplaycli
pip:
name: gplaycli
- name: check for fdroid user
user:
name: "{{ fdroid_user }}"
home: "{{ fdroid_base_dir }}"
state: present
- name: Create directories
file:
path: "{{ item }}"
state: directory
owner: "{{ fdroid_user }}"
mode: 0775
with_items:
- "{{ fdroid_base_dir }}"
- "{{ fdroid_android_dir }}"
- "{{ fdroid_repo_dir }}"
- "{{ fdroid_utils_dir }}"
- "{{ fdroid_repo_dir }}/repo"
- "{{ fdroid_html_dir }}"
- name: Unarchive android sdk
become: yes
become_user: "{{ fdroid_user }}"
register: download_sdk
ansible.builtin.unarchive:
src: https://dl.google.com/android/repository/commandlinetools-linux-6858069_latest.zip
dest: "{{ fdroid_android_dir }}"
remote_src: yes
- name: Initialize android sdk
become: yes
become_user: "{{ fdroid_user }}"
register: download_build_tools
shell: 'yes | {{ fdroid_android_dir }}/cmdline-tools/bin/sdkmanager --sdk_root="$ANDROID_HOME" platform-tools "build-tools;30.0.3"'
environment:
ANDROID_HOME: "{{ fdroid_android_dir }}/android-sdk-linux"
tags: ['skip_ansible_lint']
- name: Upload gplaycli conf
template:
src: gplaycli.conf.j2
dest: "{{ fdroid_base_dir }}/gplaycli.conf"
owner: "{{ fdroid_user }}"
mode: 0600
- name: Upload settings
template:
src: config.py.j2
dest: "{{ fdroid_repo_dir }}/config.py"
owner: "{{ fdroid_user }}"
mode: 0600
- name: Upload cisti img
copy:
src: files/cisti.png
dest: "{{ fdroid_repo_dir }}/cisti.png"
owner: "{{ fdroid_user }}"
mode: 0660
- name: Local decrypt keystore
delegate_to: localhost
shell: "pass show cisti.org/ansible/fdroid/keystore > /tmp/cisti.keystore"
tags: ['skip_ansible_lint']
- name: Upload keystore
copy:
src: /tmp/cisti.keystore
dest: "{{ fdroid_repo_dir }}/cisti.keystore"
owner: "{{ fdroid_user }}"
mode: 0600
- name: Remove file (delete file)
delegate_to: localhost
file:
path: /tmp/cisti.keystore
state: absent
- name: Upload apk list
copy:
src: files/applist
dest: "{{ fdroid_base_dir }}/apklist"
owner: "{{ fdroid_user }}"
mode: 0660
- name: Upload apk-dl
copy:
src: files/apk-dl
dest: "{{ fdroid_utils_dir }}/apk-dl"
owner: "{{ fdroid_user }}"
mode: 0700
- name: Upload service for apk poller
template:
src: fdroid.service.j2
dest: /etc/systemd/system/fdroid.service
owner: "{{ fdroid_user }}"
mode: 0660
- name: Upload timer for apk poller
template:
src: fdroid.timer.j2
dest: /etc/systemd/system/fdroid.timer
owner: "{{ fdroid_user }}"
mode: 0660
- name: Make sure apk poller is running
systemd:
state: restarted
daemon_reload: yes
name: fdroid
- name: Link repo into public dir
file:
src: "{{ fdroid_repo_dir }}/repo"
path: "{{ fdroid_html_dir }}/repo"
state: link
owner: "{{ fdroid_user }}"
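Review bot: the unit and timer files are written to `/etc/systemd/system/` with `owner: "{{ fdroid_user }}"` and `mode: 0660`; a unit file editable by the service's own unprivileged user is a root escalation, because that user can change `User=` to root and wait for the next timer run. Units must be `root:root` `0644`. The keystore is decrypted to `/tmp/cisti.keystore` on the controller in clear and removed only if the intervening `copy` succeeds; use `copy: content: "{{ lookup('community.general.passwordstore', ..., returnall=true) }}"` the way the restic role does for its ssh key, and replace the hard-coded `cisti.org/ansible/fdroid/keystore` path with `{{ passwordstore_path }}`. The Android command-line tools zip is unarchived from `dl.google.com` with no checksum and `yes | sdkmanager` accepts licenses blindly; pin a checksum. All of this matters if the role is revived elsewhere.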

View file

@ -1,39 +0,0 @@
#!/usr/bin/env python3
sdk_path = "{{ fdroid_android_dir }}/android-sdk-linux"
build_tools = "30.0.3"
repo_url = "https://fdroid.cisti.org/repo"
repo_name = "Cisti.org"
repo_icon = "cisti.png"
repo_description = """
Questo archivio contiene applicazioni scaricate dal play store di google su
richiesta degli utenti di cisti.org
"""
# `fdroid update` will create a link to the current version of a given app.
# This provides a static path to the current APK. To disable the creation of
# this link, uncomment this:
make_current_version_link = False
# The key (from the keystore defined below) to be used for signing the
# repository itself. This is the same name you would give to keytool or
# jarsigner using -alias. (Not needed in an unsigned repository).
repo_keyalias = "cisti"
keystore = "cisti.keystore"
# The password for the keystore (at least 6 characters). If this password is
# different than the keypass below, it can be OK to store the password in this
# file for real use. But in general, sensitive passwords should not be stored
# in text files!
keystorepass = "{{ fdroid_keystore_pass }}"
# The password for keys - the same is used for each auto-generated key as well
# as for the repository key. You should not normally store this password in a
# file since it is a sensitive password.
keypass = "{{ fdroid_keystore_pass }}"
# The distinguished name used for all keys.
keydname = "CN=cisti, OU=Unknown, O=cisti.org, L=Unknown, ST=Unknown, C=Unknown"

View file

@ -1,24 +0,0 @@
[Unit]
Description=A simple apk downloader
After=network.target
Requires=network.target
[Service]
Type=oneshot
ExecStart={{ fdroid_utils_dir }}/apk-dl {{ fdroid_base_dir }}/apklist {{ fdroid_repo_dir }}/repo {{ fdroid_base_dir }}/gplaycli.conf
WorkingDirectory={{ fdroid_repo_dir }}
User={{ fdroid_user }}
# Optional security settings
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
NoNewPrivileges=true
ReadWritePaths={{ fdroid_repo_dir }}
[Install]
WantedBy=multi-user.target

View file

@ -1,9 +0,0 @@
[Unit]
Description=Google Play store poller timer
[Timer]
OnCalendar=daily
Unit=fdroid.service
[Install]
WantedBy=timers.target

View file

@ -1,4 +0,0 @@
[Credentials]
token=False
gmail_address={{ fdroid_gplaycli_gmail_address }}
gmail_password={{ fdroid_gplaycli_gmail_password }}

View file

@ -15,7 +15,7 @@
# IPv4 syntax: address:port
# IPv6 syntax: [address]:port
# For example: 0.0.0.0:9999, [::]:9999
hosts = 0.0.0.0:5232, [::]:5232
hosts = radicale.cose.belle:5232
# Max parallel connections
#max_connections = 8
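Review bot: `hosts = radicale.cose.belle:5232` binds to whatever that name resolves to on the server; if it resolves to the public address, Radicale listens on the network without TLS (no `[ssl]` settings appear in this hunk), while `0.0.0.0:5232, [::]:5232` on the other side listens on every interface unconditionally. If nginx on the frontend is meant to terminate TLS, bind `127.0.0.1:5232` (or the private address) and keep the port firewalled.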

View file

@ -1,5 +0,0 @@
---
with_backup: true
# fdroid_repo_dir: "{{ fdroid_base_dir }}/cisti"
fdroid_keystore_pass: "{{lookup('community.general.passwordstore', '{{passwordstore_path}}/fdroid/keystore/pass')}}"

View file

@ -1,57 +1,10 @@
---
with_certbot: true
certbot_email: info@cisti.org
reverse_services:
- pad:
server_name: pad.cisti.org
proxy_pass: http://192.168.200.12:8001
- gancio:
server_name: gancio.cisti.org
proxy_pass: http://192.168.200.14:13120
custom_config: |
sendfile on;
client_max_body_size 10m;
- mastodon:
server_name: mastodon.cisti.org
proxy_pass: http://192.168.200.13:80
custom_config: |
sendfile on;
client_max_body_size 10m;
- stereodon:
server_name: stereodon.social
proxy_pass: http://192.168.200.18:80
custom_config: |
sendfile on;
client_max_body_size 10m;
servers:
- cicles:
server_name: cicles.cisti.org
proxy_pass: http://192.168.200.15:8080
server_name: antani.cisti.org
proxy_pass: http://localhost:8001
custom_config: |
sendfile on;
client_max_body_size 1000m;
## WEB STATICO
- cisti:
server_name: cisti.org
proxy_pass: http://192.168.200.10
- facciamo:
server_name: facciamo.cisti.org
proxy_pass: http://192.168.200.10
- farma:
server_name: farma.cisti.org
proxy_pass: http://192.168.200.10
- hackrocchio:
server_name: hackrocchio.org
proxy_pass: http://192.168.200.10
- autogestione:
server_name: autogestione.social
proxy_pass: http://192.168.200.10
client_max_body_size 500m;
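Review bot: the final `client_max_body_size 500m;` is not under any `custom_config: |` block in this hunk; check its indentation, since a stray line either breaks the YAML or attaches to the wrong service. The `antani.cisti.org` entry proxies to `http://localhost:8001` with `client_max_body_size 1000m`, which lets anyone send 1 GB bodies to that backend; make sure the backend enforces its own limit. All upstreams are plain `http://192.168.200.x`, so with `with_certbot: true` TLS ends at the frontend and the backend network has to be treated as trusted.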

View file

@ -1,4 +0,0 @@
---
domain: cisti.org
library_name: goliarda