@ -1,12 +1,46 @@ | |||
--- | |||
--- | |||
admin_ssh_keys: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZXK3ufonx+zNQ1x6cSWuUWckB/xf9sKZ+mRgY5SPXzqrxSkqNSmr9JQ6xzvhxKEVcFWsi50op1WWtRo3HG3p3+EHKXeCyzt5QnczDlVOoQbB8kgI0byKcvXux1inL4/Q4DbVLUbDFnynD/C5aAyYMYePahMxR+AQr60DD+7Ty6pcEVih1wwHIlxWziY1EF6sEzQwz/PiTxWIZkKHl/WPGagS9Pp/5nQfdZy0AS/JqbzNyMEg51+XedADuqseV4GXDzrzDYLJXJFv1PFVJxRWLrjChKrUMqyszUySkZMr5YSPXlsV0bi+0xivYEsXvIkLORV96JTZosYbV+0aFKDPv root@debian | |||
default_packages_debian: htop | |||
description: machine test | |||
ntp_server1: 0.pool.ntp.org | |||
ntp_server2: 1.pool.ntp.org | |||
# NTP | |||
ntp_servers: | |||
- 0.pool.ntp.org | |||
- 1.pool.ntp.org | |||
- 2.pool.ntp.org | |||
disable_ipv6: true | |||
domain: test.net | |||
# MariaDB | |||
mariadb_version: 10.0 | |||
mysql_root_password: changeme | |||
mysql_host: localhost | |||
# ircbouncer | |||
znc_version: 1.4 | |||
irc_nick: (required) | |||
irc_ident: (required) | |||
irc_realname: (required) | |||
irc_quitmsg: (required) | |||
irc_password_hash: (required) | |||
irc_password_salt: (required) | |||
# xmpp | |||
prosody_admin: admin@test.net | |||
prosody_virtual_domain: test.net | |||
prosody_accounts: admin@test.net | |||
# wallabag | |||
wallabag_version: 1.8.1 | |||
wallabag_domain: "read.test.net" | |||
wallabag_salt: (required) | |||
wallabag_db_username: wallabag | |||
wallabag_db_password: (required) | |||
wallabag_db_database: wallabag | |||
# vim: set textwidth=0 ft=yaml: |
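Review bot: `mysql_root_password: changeme` is a real, guessable value, whereas the other secrets in this file (`irc_password_hash`, `irc_password_salt`, `wallabag_salt`, `wallabag_db_password`) use the `(required)` placeholder that forces an override, so a host inheriting this group_vars file unchanged is deployed with a known MariaDB root password. Use the same convention, `mysql_root_password: (required)`, or take the value from a registered fact at run time the way the postfix templates in this commit consume `dbpassword.stdout`. The hunk also shows both `ntp_server1`/`ntp_server2` and the `ntp_servers` list; which of the two is the removed side cannot be told from the rendered page, so confirm the role reads the form that survives.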
@ -0,0 +1,11 @@ | |||
--- | |||
- name: Deployer et configurer mariadb | |||
hosts: all | |||
user: root | |||
gather_facts: yes | |||
roles: | |||
- mariadb | |||
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: |
@ -0,0 +1,14 @@ | |||
--- | |||
- name: Deployer et configurer un serveur ownCloud sous NGINX + PHP5-FPM + MariaDB | |||
hosts: all | |||
user: root | |||
gather_facts: yes | |||
roles: | |||
- common | |||
- mariadb | |||
- nginx | |||
- owncloud | |||
@ -0,0 +1,139 @@ | |||
#! /bin/sh | |||
### BEGIN INIT INFO | |||
# Provides: znc | |||
# Required-Start: $remote_fs $syslog | |||
# Required-Stop: $remote_fs $syslog | |||
# Default-Start: 2 3 4 5 | |||
# Default-Stop: 0 1 6 | |||
# Short-Description: ZNC IRC bouncer | |||
# Description: ZNC is an IRC bouncer | |||
### END INIT INFO | |||
PATH=/sbin:/usr/sbin:/bin:/usr/bin | |||
DESC="ZNC daemon" | |||
NAME=znc | |||
DAEMON=/usr/local/bin/$NAME | |||
DATADIR=/var/lib/znc | |||
DAEMON_ARGS="--datadir=$DATADIR" | |||
PIDDIR=/var/run/znc | |||
PIDFILE=$PIDDIR/$NAME.pid | |||
SCRIPTNAME=/etc/init.d/$NAME | |||
USER=znc | |||
GROUP=znc | |||
# Exit if the package is not installed | |||
[ -x "$DAEMON" ] || exit 0 | |||
# Read configuration variable file if it is present | |||
[ -r /etc/default/$NAME ] && . /etc/default/$NAME | |||
# Load the VERBOSE setting and other rcS variables | |||
. /lib/init/vars.sh | |||
# Define LSB log_* functions. | |||
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present | |||
# and status_of_proc is working. | |||
. /lib/lsb/init-functions | |||
# | |||
# Function that starts the daemon/service | |||
# | |||
do_start() | |||
{ | |||
# Return | |||
# 0 if daemon has been started | |||
# 1 if daemon was already running | |||
# 2 if daemon could not be started | |||
if [ ! -d $PIDDIR ] | |||
then | |||
mkdir $PIDDIR | |||
fi | |||
chown $USER:$GROUP $PIDDIR | |||
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test --chuid $USER > /dev/null || return 1 | |||
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --chuid $USER -- $DAEMON_ARGS > /dev/null || return 2 | |||
} | |||
# | |||
# Function that stops the daemon/service | |||
# | |||
do_stop() | |||
{ | |||
# Return | |||
# 0 if daemon has been stopped | |||
# 1 if daemon was already stopped | |||
# 2 if daemon could not be stopped | |||
# other if a failure occurred | |||
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME --chuid $USER | |||
RETVAL="$?" | |||
[ "$RETVAL" = 2 ] && return 2 | |||
# Wait for children to finish too if this is a daemon that forks | |||
# and if the daemon is only ever run from this initscript. | |||
# If the above conditions are not satisfied then add some other code | |||
# that waits for the process to drop all resources that could be | |||
# needed by services started subsequently. A last resort is to | |||
# sleep for some time. | |||
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON --chuid $USER | |||
[ "$?" = 2 ] && return 2 | |||
# Many daemons don't delete their pidfiles when they exit. | |||
rm -f $PIDFILE | |||
return "$RETVAL" | |||
} | |||
# | |||
# Function that sends a SIGHUP to the daemon/service | |||
# | |||
do_reload() { | |||
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME --chuid $USER | |||
return 0 | |||
} | |||
case "$1" in | |||
start) | |||
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" | |||
do_start | |||
case "$?" in | |||
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; | |||
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; | |||
esac | |||
;; | |||
stop) | |||
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" | |||
do_stop | |||
case "$?" in | |||
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; | |||
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; | |||
esac | |||
;; | |||
status) | |||
status_of_proc -p $PIDFILE "$DAEMON" "$NAME" && exit 0 || exit $? | |||
;; | |||
reload) | |||
log_daemon_msg "Reloading $DESC" "$NAME" | |||
do_reload | |||
log_end_msg $? | |||
;; | |||
restart) | |||
log_daemon_msg "Restarting $DESC" "$NAME" | |||
do_stop | |||
case "$?" in | |||
0|1) | |||
do_start | |||
case "$?" in | |||
0) log_end_msg 0 ;; | |||
1) log_end_msg 1 ;; # Old process is still running | |||
*) log_end_msg 1 ;; # Failed to start | |||
esac | |||
;; | |||
*) | |||
# Failed to stop | |||
log_end_msg 1 | |||
;; | |||
esac | |||
;; | |||
*) | |||
echo "Usage: $SCRIPTNAME {status|start|stop|reload|restart}" >&2 | |||
exit 3 | |||
;; | |||
esac | |||
: |
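Review bot: The three `start-stop-daemon --stop` invocations in do_stop and do_reload pass `--chuid $USER`, which start-stop-daemon documents as a start-time option; on `--stop` it does not restrict which process is signalled. Because do_start chowns `$PIDDIR` to the service user and the daemon writes its own pidfile there (the template sets `PidFile = /var/run/znc/znc.pid`), the root-run kill is guarded only by the pidfile contents plus `--name`/`--exec`, so a stale or altered pidfile pointing at another `znc`-named process would be acted on. Replace `--chuid $USER` with `--user $USER` on those lines so matching is limited to processes owned by znc, which is also what newer start-stop-daemon releases require for pidfiles in non-root-owned directories. Quoting the expansions (`"$PIDFILE"`, `"$PIDDIR"`, `"$USER:$GROUP"`) would additionally keep the script ShellCheck-clean, though with these fixed values that is cosmetic.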
@ -0,0 +1,2 @@ | |||
- name: restart znc | |||
service: name=znc state=restarted |
@ -0,0 +1 @@ | |||
- include: znc.yml tags=znc |
@ -0,0 +1,65 @@ | |||
# more or less as per http://wiki.znc.in/Running_ZNC_as_a_system_daemon | |||
- name: Install znc dependencies | |||
apt: pkg={{ item }} state=installed | |||
with_items: | |||
- automake | |||
- build-essential | |||
- checkinstall | |||
- g++ | |||
- libperl-dev | |||
- libsasl2-dev | |||
- libssl-dev | |||
- libtool | |||
- openssl | |||
- pkg-config | |||
- python3-dev | |||
- swig | |||
- name: Download znc release | |||
get_url: url=http://znc.in/releases/archive/znc-{{ znc_version }}.tar.gz dest=/root/znc-{{ znc_version }}.tar.gz | |||
- name: Decompress znc source | |||
command: tar xzf /root/znc-{{ znc_version }}.tar.gz chdir=/root creates=/root/znc-{{ znc_version }}/configure | |||
- name: Build and install znc | |||
shell: ./configure --enable-python && make && make install executable=/bin/bash chdir=/root/znc-{{ znc_version }} creates=/usr/local/bin/znc | |||
notify: restart znc | |||
- name: Create znc group | |||
group: name=znc state=present | |||
- name: Create znc user | |||
user: name=znc state=present home=/var/lib/znc system=yes group=znc shell=/usr/sbin/nologin | |||
- name: Copy znc init file into place | |||
copy: src=etc_init.d_znc dest=/etc/init.d/znc mode=0755 | |||
- name: Create a combined version of the private key with public cert and intermediate + root CAs | |||
shell: cat /etc/ssl/private/wildcard_private.key /etc/ssl/certs/wildcard_combined.pem > | |||
/var/lib/znc/znc.pem creates=/var/lib/znc/znc.pem | |||
notify: restart znc | |||
- name: Ensure znc user and group can read cert | |||
file: path=/var/lib/znc/znc.pem group=znc owner=znc mode=640 | |||
notify: restart znc | |||
- name: Check for existing config file | |||
command: cat /var/lib/znc/configs/znc.conf | |||
register: znc_config | |||
ignore_errors: True | |||
changed_when: False # never report as "changed" | |||
- name: Create znc config directory | |||
file: state=directory path=/var/lib/znc/configs group=znc owner=znc | |||
- name: Copy znc configuration file into place | |||
template: src=var_lib_znc_configs_znc.conf.j2 dest=/var/lib/znc/configs/znc.conf owner=znc group=znc | |||
when: znc_config.rc != 0 | |||
notify: restart znc | |||
- name: Set firewall rule for znc | |||
ufw: rule=allow port=6697 proto=tcp | |||
- name: Ensure znc is a system service | |||
service: name=znc state=started enabled=true |
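Review bot: The tarball fetched in `Download znc release` comes over plain HTTP and is then compiled and installed as root in `Build and install znc` with no integrity check in between, so whoever can alter that download controls the binary that lands in /usr/local/bin/znc. Pin the release with get_url's checksum support, e.g. `get_url: url=https://znc.in/releases/archive/znc-{{ znc_version }}.tar.gz sha256sum=<EXPECTED_SHA256_PLACEHOLDER> dest=/root/znc-{{ znc_version }}.tar.gz`, using https where the host serves it. Two smaller points in the same file: the `cat ... > /var/lib/znc/znc.pem` task writes the private key under the default umask and only the following task narrows it to 640, so prefixing the command with `umask 077 && ` removes that window; and `Check for existing config file` cats a file holding the password hash and salt into a registered variable, where `stat: path=/var/lib/znc/configs/znc.conf` with `when: not znc_config.stat.exists` gives the same existence test without pulling secret content into the run output.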
@ -0,0 +1,84 @@ | |||
// WARNING | |||
// | |||
// Do NOT edit this file while ZNC is running! | |||
// Use webadmin or *controlpanel instead. | |||
// | |||
// Buf if you feel risky, you might want to read help on /znc saveconfig and /znc rehash. | |||
// Also check http://en.znc.in/wiki/Configuration | |||
AnonIPLimit = 10 | |||
ConnectDelay = 5 | |||
LoadModule = webadmin | |||
LoadModule = fail2ban | |||
LoadModule = lastseen | |||
LoadModule = partyline | |||
MaxBufferSize = 500 | |||
Motd = Connected to ZNC | |||
PidFile = /var/run/znc/znc.pid | |||
ProtectWebSessions = true | |||
SSLCertFile = /var/lib/znc/znc.pem | |||
ServerThrottle = 30 | |||
Skin = _default_ | |||
StatusPrefix = * | |||
Version = 1.0 | |||
<Listener listener0> | |||
AllowIRC = true | |||
AllowWeb = false | |||
IPv4 = true | |||
IPv6 = true | |||
Port = 6697 | |||
SSL = true | |||
</Listener> | |||
<Listener listener1> | |||
AllowIRC = false | |||
AllowWeb = true | |||
IPv4 = true | |||
IPv6 = true | |||
Port = 6643 | |||
SSL = false | |||
</Listener> | |||
<User {{ irc_nick }}> | |||
Admin = true | |||
Allow = * | |||
AltNick = {{ irc_nick }}_ | |||
AppendTimestamp = false | |||
AutoClearChanBuffer = true | |||
Buffer = 5000 | |||
ChanModes = +stn | |||
DenyLoadMod = false | |||
DenySetBindHost = false | |||
Ident = {{ irc_ident }} | |||
JoinTries = 10 | |||
LoadModule = controlpanel | |||
LoadModule = perform | |||
LoadModule = block_motd | |||
LoadModule = clientnotify | |||
MaxNetworks = 1 | |||
MultiClients = true | |||
Nick = {{ irc_nick }} | |||
PrependTimestamp = true | |||
QuitMsg = {{ irc_quitmsg }} | |||
RealName = {{ irc_realname }} | |||
TimestampFormat = [%H:%M:%S] | |||
Timezone = {{ irc_timezone }} | |||
<Pass password> | |||
Method = sha256 | |||
Hash = {{ irc_password_hash }} | |||
Salt = {{ irc_password_salt }} | |||
</Pass> | |||
<Network freenode> | |||
BindHost = 0.0.0.0 | |||
FloodBurst = 4 | |||
FloodRate = 1.00 | |||
IRCConnectEnabled = true | |||
LoadModule = kickrejoin | |||
LoadModule = nickserv | |||
LoadModule = savebuff | |||
Server = chat.freenode.net +6697 | |||
</Network> | |||
</User> |
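Review bot: `listener1` combines `AllowWeb = true` with `SSL = false` and `IPv4 = true`/`IPv6 = true`, so the webadmin login for an `Admin = true` account is served in cleartext on every interface on port 6643; nothing in the role's ufw task opens that port, but the listener itself is still publicly bound. Either set `SSL = true` on that listener or bind it locally with `Host = 127.0.0.1` so the web interface is only reachable through a tunnel. Separately, `Timezone = {{ irc_timezone }}` references a variable that the group_vars in this commit do not define next to the other `irc_*` values, so templating will fail or emit an empty setting depending on the undefined-variable policy; add `irc_timezone` to the vars or drop the line.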
@ -1,452 +0,0 @@ | |||
<?php | |||
/** | |||
* Postfix Admin | |||
* | |||
* LICENSE | |||
* This source file is subject to the GPL license that is bundled with | |||
* this package in the file LICENSE.TXT. | |||
* | |||
* Further details on the project are available at : | |||
* http://www.postfixadmin.com or http://postfixadmin.sf.net | |||
* | |||
* @version $Id: config.inc.php 935 2011-01-02 21:33:13Z christian_boltz $ | |||
* @license GNU GPL v2 or later. | |||
* | |||
* File: config.inc.php | |||
* Contains configuration options. | |||
*/ | |||
// This loads the automatic generated DB credentials from /etc/postfixadmin/dbconfig.inc.php | |||
require_once('dbconfig.inc.php'); | |||
if (!isset($dbserver) || empty($dbserver)) | |||
$dbserver='localhost'; | |||
/***************************************************************** | |||
* !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! | |||
* You have to set $CONF['configured'] = true; before the | |||
* application will run! | |||
* Doing this implies you have changed this file as required. | |||
* i.e. configuring database etc; specifying setup.php password etc. | |||
*/ | |||
$CONF['configured'] = true; | |||
// In order to setup Postfixadmin, you MUST specify a hashed password here. | |||
// To create the hash, visit setup.php in a browser and type a password into the field, | |||
// on submission it will be echoed out to you as a hashed value. | |||
$CONF['setup_password'] = '{{ dbpassword }}'; | |||
} | |||
} | |||
// Postfix Admin Path | |||
// Set the location of your Postfix Admin installation here. | |||
// YOU MUST ENTER THE COMPLETE URL e.g. http://domain.tld/postfixadmin | |||
$CONF['postfix_admin_url'] = '/postfixadmin'; | |||
// shouldn't need changing. | |||
$CONF['postfix_admin_path'] = dirname(__FILE__); | |||
// Language config | |||
// Language files are located in './languages', change as required.. | |||
$CONF['default_language'] = 'en'; | |||
// Database Config | |||
// mysql = MySQL 3.23 and 4.0, 4.1 or 5 | |||
// mysqli = MySQL 4.1+ | |||
// pgsql = PostgreSQL | |||
$CONF['database_type'] = $dbtype; | |||
$CONF['database_host'] = $dbserver; | |||
$CONF['database_user'] = $dbuser; | |||
$CONF['database_password'] = $dbpass; | |||
$CONF['database_name'] = $dbname; | |||
// If you need to specify a different port for a MYSQL database connection, use e.g. | |||
// $CONF['database_host'] = '172.30.33.66:3308'; | |||
// If you need to specify a different port for POSTGRESQL database connection | |||
// uncomment and change the following | |||
// $CONF['database_port'] = '5432'; | |||
// Here, if you need, you can customize table names. | |||
$CONF['database_prefix'] = ''; | |||
$CONF['database_tables'] = array ( | |||
'admin' => 'admin', | |||
'alias' => 'alias', | |||
'alias_domain' => 'alias_domain', | |||
'config' => 'config', | |||
'domain' => 'domain', | |||
'domain_admins' => 'domain_admins', | |||
'fetchmail' => 'fetchmail', | |||
'log' => 'log', | |||
'mailbox' => 'mailbox', | |||
'vacation' => 'vacation', | |||
'vacation_notification' => 'vacation_notification', | |||
'quota' => 'quota', | |||
'quota2' => 'quota2', | |||
); | |||
// Site Admin | |||
// Define the Site Admins email address below. | |||
// This will be used to send emails from to create mailboxes. | |||
$CONF['admin_email'] = 'postmaster@{{ domain }}'; | |||
// Mail Server | |||
// Hostname (FQDN) of your mail server. | |||
// This is used to send email to Postfix in order to create mailboxes. | |||
$CONF['smtp_server'] = 'localhost'; | |||
$CONF['smtp_port'] = '25'; | |||
// Encrypt | |||
// In what way do you want the passwords to be crypted? | |||
// md5crypt = internal postfix admin md5 | |||
// md5 = md5 sum of the password | |||
// system = whatever you have set as your PHP system default | |||
// cleartext = clear text passwords (ouch!) | |||
// mysql_encrypt = useful for PAM integration | |||
// authlib = support for courier-authlib style passwords | |||
// dovecot:CRYPT-METHOD = use dovecotpw -s 'CRYPT-METHOD'. Example: dovecot:CRAM-MD5 | |||
$CONF['encrypt'] = 'md5crypt'; | |||
// In what flavor should courier-authlib style passwords be enrypted? | |||
// md5 = {md5} + base64 encoded md5 hash | |||
// md5raw = {md5raw} + plain encoded md5 hash | |||
// SHA = {SHA} + base64-encoded sha1 hash | |||
// crypt = {crypt} + Standard UNIX DES-enrypted with 2-character salt | |||
$CONF['authlib_default_flavor'] = 'md5raw'; | |||
// If you use the dovecot encryption method: where is the dovecotpw binary located? | |||
$CONF['dovecotpw'] = "/usr/sbin/dovecotpw"; | |||
// Minimum length required for passwords. Postfixadmin will not | |||
// allow users to set passwords which are shorter than this value. | |||
$CONF['min_password_length'] = 5; | |||
// Generate Password | |||
// Generate a random password for a mailbox or admin and display it. | |||
// If you want to automagically generate paswords set this to 'YES'. | |||
$CONF['generate_password'] = 'NO'; | |||
// Show Password | |||
// Always show password after adding a mailbox or admin. | |||
// If you want to always see what password was set set this to 'YES'. | |||
$CONF['show_password'] = 'NO'; | |||
// Page Size | |||
// Set the number of entries that you would like to see | |||
// in one page. | |||
$CONF['page_size'] = '10'; | |||
// Default Aliases | |||
// The default aliases that need to be created for all domains. | |||
$CONF['default_aliases'] = array ( | |||
'abuse' => 'abuse@{{ domain }}', | |||
'hostmaster' => 'hostmaster@{{ domain }}', | |||
'postmaster' => 'postmaster@{{ domain }}', | |||
'webmaster' => 'webmaster@{{ domain }}' | |||
); | |||
// Mailboxes | |||
// If you want to store the mailboxes per domain set this to 'YES'. | |||
// Examples: | |||
// YES: /usr/local/virtual/domain.tld/username@domain.tld | |||
// NO: /usr/local/virtual/username@domain.tld | |||
$CONF['domain_path'] = 'NO'; | |||
// If you don't want to have the domain in your mailbox set this to 'NO'. | |||
// Examples: | |||
// YES: /usr/local/virtual/domain.tld/username@domain.tld | |||
// NO: /usr/local/virtual/domain.tld/username | |||
// Note: If $CONF['domain_path'] is set to NO, this setting will be forced to YES. | |||
$CONF['domain_in_mailbox'] = 'YES'; | |||
// If you want to define your own function to generate a maildir path set this to the name of the function. | |||
// Notes: | |||
// - this configuration directive will override both domain_path and domain_in_mailbox | |||
// - the maildir_name_hook() function example is present below, commented out | |||
// - if the function does not exist the program will default to the above domain_path and domain_in_mailbox settings | |||
$CONF['maildir_name_hook'] = 'NO'; | |||
/* | |||
maildir_name_hook example function | |||
Called by create-mailbox.php if $CONF['maildir_name_hook'] == '<name_of_the_function>' | |||
- allows for customized maildir paths determined by a custom function | |||
- the example below will prepend a single-character directory to the | |||
beginning of the maildir, splitting domains more or less evenly over | |||
36 directories for improved filesystem performance with large numbers | |||
of domains. | |||
Returns: maildir path | |||
ie. I/example.com/user/ | |||
*/ | |||
/* | |||
function maildir_name_hook($domain, $user) { | |||
$chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; | |||
$dir_index = hexdec(substr(md5($domain), 28)) % strlen($chars); | |||
$dir = substr($chars, $dir_index, 1); | |||
return sprintf("%s/%s/%s/", $dir, $domain, $user); | |||
} | |||
*/ | |||
// Default Domain Values | |||
// Specify your default values below. Quota in MB. | |||
$CONF['aliases'] = '10'; | |||
$CONF['mailboxes'] = '10'; | |||
$CONF['maxquota'] = '10'; | |||
// Quota | |||
// When you want to enforce quota for your mailbox users set this to 'YES'. | |||
$CONF['quota'] = 'NO'; | |||
// You can either use '1024000' or '1048576' | |||
$CONF['quota_multiplier'] = '1024000'; | |||
// Transport | |||
// If you want to define additional transport options for a domain set this to 'YES'. | |||
// Read the transport file of the Postfix documentation. | |||
$CONF['transport'] = 'NO'; | |||
// Transport options | |||
// If you want to define additional transport options put them in array below. | |||
$CONF['transport_options'] = array ( | |||
'virtual', // for virtual accounts | |||
'local', // for system accounts | |||
'relay' // for backup mx | |||
); | |||
// Transport default | |||
// You should define default transport. It must be in array above. | |||
$CONF['transport_default'] = 'virtual'; | |||
// Virtual Vacation | |||
// If you want to use virtual vacation for you mailbox users set this to 'YES'. | |||
// NOTE: Make sure that you install the vacation module. (See VIRTUAL-VACATION/) | |||
$CONF['vacation'] = 'NO'; | |||
// This is the autoreply domain that you will need to set in your Postfix | |||
// transport maps to handle virtual vacations. It does not need to be a | |||
// real domain (i.e. you don't need to setup DNS for it). | |||
$CONF['vacation_domain'] = 'autoreply.{{ domain }}'; | |||
// Vacation Control | |||
// If you want users to take control of vacation set this to 'YES'. | |||
$CONF['vacation_control'] ='YES'; | |||
// Vacation Control for admins | |||
// Set to 'YES' if your domain admins should be able to edit user vacation. | |||
$CONF['vacation_control_admin'] = 'YES'; | |||
// Alias Control | |||
// Postfix Admin inserts an alias in the alias table for every mailbox it creates. | |||
// The reason for this is that when you want catch-all and normal mailboxes | |||
// to work you need to have the mailbox replicated in the alias table. | |||
// If you want to take control of these aliases as well set this to 'YES'. | |||
// Alias control for superadmins | |||
$CONF['alias_control'] = 'NO'; | |||
// Alias Control for domain admins | |||
$CONF['alias_control_admin'] = 'NO'; | |||
// Special Alias Control | |||
// Set to 'NO' if your domain admins shouldn't be able to edit the default aliases | |||
// as defined in $CONF['default_aliases'] | |||
$CONF['special_alias_control'] = 'NO'; | |||
// Alias Goto Field Limit | |||
// Set the max number of entries that you would like to see | |||
// in one 'goto' field in overview, the rest will be hidden and "[and X more...]" will be added. | |||
// '0' means no limits. | |||
$CONF['alias_goto_limit'] = '0'; | |||
// Alias Domains | |||
// Alias domains allow to "mirror" aliases and mailboxes to another domain. This makes | |||
// configuration easier if you need the same set of aliases on multiple domains, but | |||
// also requires postfix to do more database queries. | |||
// Note: If you update from 2.2.x or earlier, you will have to update your postfix configuration. | |||
// Set to 'NO' to disable alias domains. | |||
$CONF['alias_domain'] = 'YES'; | |||
// Backup | |||
// If you don't want backup tab set this to 'NO'; | |||
$CONF['backup'] = 'YES'; | |||
// Send Mail | |||
// If you don't want sendmail tab set this to 'NO'; | |||
$CONF['sendmail'] = 'YES'; | |||
// Logging | |||
// If you don't want logging set this to 'NO'; | |||
$CONF['logging'] = 'YES'; | |||
// Fetchmail | |||
// If you don't want fetchmail tab set this to 'NO'; | |||
$CONF['fetchmail'] = 'YES'; | |||
// fetchmail_extra_options allows users to specify any fetchmail options and any MDA | |||
// (it will even accept 'rm -rf /' as MDA!) | |||
// This should be set to NO, except if you *really* trust *all* your users. | |||
$CONF['fetchmail_extra_options'] = 'NO'; | |||
// Header | |||
$CONF['show_header_text'] = 'NO'; | |||
$CONF['header_text'] = ':: Postfix Admin ::'; | |||
// link to display under 'Main' menu when logged in as a user. | |||
$CONF['user_footer_link'] = "http://{{ domain }}/main"; | |||
// Footer | |||
// Below information will be on all pages. | |||
// If you don't want the footer information to appear set this to 'NO'. | |||
$CONF['show_footer_text'] = 'YES'; | |||
$CONF['footer_text'] = 'Return to {{ domain }}'; | |||
$CONF['footer_link'] = 'http://{{ domain }}'; | |||
// Welcome Message | |||
// This message is send to every newly created mailbox. | |||
// Change the text between EOM. | |||
$CONF['welcome_text'] = <<<EOM | |||
Hi, | |||
Welcome to your new account. | |||
EOM; | |||
// When creating mailboxes or aliases, check that the domain-part of the | |||
// address is legal by performing a name server look-up. | |||
$CONF['emailcheck_resolve_domain']='YES'; | |||
// Optional: | |||
// Analyze alias gotos and display a colored block in the first column | |||
// indicating if an alias or mailbox appears to deliver to a non-existent | |||
// account. Also, display indications, for POP/IMAP mailboxes and | |||
// for custom destinations (such as mailboxes that forward to a UNIX shell | |||
// account or mail that is sent to a MS exchange server, or any other | |||
// domain or subdomain you use) | |||
// See http://www.w3schools.com/html/html_colornames.asp for a list of | |||
// color names available on most browsers | |||
//set to YES to enable this feature | |||
$CONF['show_status']='NO'; | |||
//display a guide to what these colors mean | |||
$CONF['show_status_key']='NO'; | |||
// 'show_status_text' will be displayed with the background colors | |||
// associated with each status, you can customize it here | |||
$CONF['show_status_text']=' '; | |||
// show_undeliverable is useful if most accounts are delivered to this | |||
// postfix system. If many aliases and mailboxes are forwarded | |||
// elsewhere, you will probably want to disable this. | |||
$CONF['show_undeliverable']='NO'; | |||
$CONF['show_undeliverable_color']='tomato'; | |||
// mails to these domains will never be flagged as undeliverable | |||
$CONF['show_undeliverable_exceptions']=array("unixmail.domain.ext","exchangeserver.domain.ext","gmail.com"); | |||
$CONF['show_popimap']='NO'; | |||
$CONF['show_popimap_color']='darkgrey'; | |||
// you can assign special colors to some domains. To do this, | |||
// - add the domain to show_custom_domains | |||
// - add the corresponding color to show_custom_colors | |||
$CONF['show_custom_domains']=array("subdomain.domain.ext","domain2.ext"); | |||
$CONF['show_custom_colors']=array("lightgreen","lightblue"); | |||
// If you use a recipient_delimiter in your postfix config, you can also honor it when aliases are checked. | |||
// Example: $CONF['recipient_delimiter'] = "+"; | |||
// Set to "" to disable this check. | |||
$CONF['recipient_delimiter'] = ""; | |||
// Optional: | |||
// Script to run after creation of mailboxes. | |||
// Note that this may fail if PHP is run in "safe mode", or if | |||
// operating system features (such as SELinux) or limitations | |||
// prevent the web-server from executing external scripts. | |||
// Parameters: (1) username (2) domain (3) maildir (4) quota | |||
// $CONF['mailbox_postcreation_script']='sudo -u courier /usr/local/bin/postfixadmin-mailbox-postcreation.sh'; | |||
// Optional: | |||
// Script to run after alteration of mailboxes. | |||
// Note that this may fail if PHP is run in "safe mode", or if | |||
// operating system features (such as SELinux) or limitations | |||
// prevent the web-server from executing external scripts. | |||
// Parameters: (1) username (2) domain (3) maildir (4) quota | |||
// $CONF['mailbox_postedit_script']='sudo -u courier /usr/local/bin/postfixadmin-mailbox-postedit.sh'; | |||
// Optional: | |||
// Script to run after deletion of mailboxes. | |||
// Note that this may fail if PHP is run in "safe mode", or if | |||
// operating system features (such as SELinux) or limitations | |||
// prevent the web-server from executing external scripts. | |||
// Parameters: (1) username (2) domain | |||
// $CONF['mailbox_postdeletion_script']='sudo -u courier /usr/local/bin/postfixadmin-mailbox-postdeletion.sh'; | |||
// Optional: | |||
// Script to run after creation of domains. | |||
// Note that this may fail if PHP is run in "safe mode", or if | |||
// operating system features (such as SELinux) or limitations | |||
// prevent the web-server from executing external scripts. | |||
// Parameters: (1) domain | |||
//$CONF['domain_postcreation_script']='sudo -u courier /usr/local/bin/postfixadmin-domain-postcreation.sh'; | |||
// Optional: | |||
// Script to run after deletion of domains. | |||
// Note that this may fail if PHP is run in "safe mode", or if | |||
// operating system features (such as SELinux) or limitations | |||
// prevent the web-server from executing external scripts. | |||
// Parameters: (1) domain | |||
// $CONF['domain_postdeletion_script']='sudo -u courier /usr/local/bin/postfixadmin-domain-postdeletion.sh'; | |||
// Optional: | |||
// Sub-folders which should automatically be created for new users. | |||
// The sub-folders will also be subscribed to automatically. | |||
// Will only work with IMAP server which implement sub-folders. | |||
// Will not work with POP3. | |||
// If you define create_mailbox_subdirs, then the | |||
// create_mailbox_subdirs_host must also be defined. | |||
// | |||
// $CONF['create_mailbox_subdirs']=array('Spam'); | |||
// $CONF['create_mailbox_subdirs_host']='localhost'; | |||
// | |||
// Specify '' for Dovecot and 'INBOX.' for Courier. | |||
$CONF['create_mailbox_subdirs_prefix']='INBOX.'; | |||
// Optional: | |||
// Show used quotas from Dovecot dictionary backend in virtual | |||
// mailbox listing. | |||
// See: DOCUMENTATION/DOVECOT.txt | |||
// http://wiki.dovecot.org/Quota/Dict | |||
// | |||
$CONF['used_quotas'] = 'NO'; | |||
// if you use dovecot >= 1.2, set this to yes. | |||
// Note about dovecot config: table "quota" is for 1.0 & 1.1, table "quota2" is for dovecot 1.2 and newer | |||
$CONF['new_quota_table'] = 'NO'; | |||
// | |||
// Normally, the TCP port number does not have to be specified. | |||
// $CONF['create_mailbox_subdirs_hostport']=143; | |||
// | |||
// If you have trouble connecting to the IMAP-server, then specify | |||
// a value for $CONF['create_mailbox_subdirs_hostoptions']. These | |||
// are some examples to experiment with: | |||
// $CONF['create_mailbox_subdirs_hostoptions']=array('notls'); | |||
// $CONF['create_mailbox_subdirs_hostoptions']=array('novalidate-cert','norsh'); | |||
// See also the "Optional flags for names" table at | |||
// http://www.php.net/manual/en/function.imap-open.php | |||
// Theme Config | |||
// Specify your own logo and CSS file | |||
$CONF['theme_logo'] = 'images/logo-default.png'; | |||
$CONF['theme_css'] = 'css/default.css'; | |||
// XMLRPC Interface. | |||
// This should be only of use if you wish to use e.g the | |||
// Postfixadmin-Squirrelmail package | |||
// change to boolean true to enable xmlrpc | |||
$CONF['xmlrpc_enabled'] = false; | |||
// If you want to keep most settings at default values and/or want to ensure | |||
// that future updates work without problems, you can use a separate config | |||
// file (config.local.php) instead of editing this file and override some | |||
// settings there. | |||
if (file_exists(dirname(__FILE__) . '/config.local.php')) { | |||
include(dirname(__FILE__) . '/config.local.php'); | |||
} | |||
// | |||
// END OF CONFIG FILE | |||
// | |||
/* vim: set expandtab softtabstop=4 tabstop=4 shiftwidth=4: */ |
@ -0,0 +1 @@ | |||
/etc/postfixadmin/config.inc.php |
@ -1,5 +1,5 @@ | |||
driver = mysql | |||
connect = host=127.0.0.1 dbname=postfix user=postfix password={{ dbpassword }} | |||
connect = host=127.0.0.1 dbname=postfix user=postfix password={{ dbpassword.stdout }} | |||
default_pass_scheme = MD5-CRYPT | |||
user_query = SELECT '/home/facteur/%d/%n' as home, 3000 AS uid, 3000 AS gid FROM mailbox WHERE username = '%u' | |||
password_query = SELECT password FROM mailbox WHERE username = '%u' |
@ -1,51 +1,49 @@ | |||
## Dovecot configuration file | |||
protocols = imap imaps pop3 pop3s managesieve | |||
log_timestamp = "%Y-%m-%d %H:%M:%S " | |||
mail_privileged_group = mail | |||
# 2.1.7: /etc/dovecot/dovecot.conf | |||
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.7 ext4 | |||
!include conf.d/*.conf | |||
disable_plaintext_auth = no | |||
log_timestamp = "%Y-%m-%d %H:%M:%S " | |||
mail_location = maildir:/home/facteur/%d/%n:INDEX=/home/facteur/%d/%n/indexes | |||
protocol imap { | |||
} | |||
protocol pop3 { | |||
} | |||
protocol managesieve { | |||
listen = *:4190 | |||
login_executable = /usr/lib/dovecot/managesieve-login | |||
mail_executable = /usr/lib/dovecot/managesieve | |||
mail_privileged_group = mail | |||
passdb { | |||
args = /etc/dovecot/dovecot-mysql.conf | |||
driver = sql | |||
} | |||
protocol lda { | |||
postmaster_address = admin@{{ domain }} | |||
mail_plugin_dir = /usr/lib/dovecot/modules/lda | |||
auth_socket_path = /var/run/dovecot/auth-master | |||
mail_plugins = sieve quota | |||
plugin { | |||
sieve = /home/facteur/%d/%n/.dovecot.sieve | |||
sieve_dir = /home/facteur/%d/%n/sieve | |||
} | |||
auth default { | |||
userdb sql { | |||
args = /etc/dovecot/dovecot-mysql.conf | |||
} | |||
passdb sql { | |||
args = /etc/dovecot/dovecot-mysql.conf | |||
} | |||
socket listen { | |||
master { | |||
path = /var/run/dovecot/auth-master | |||
mode = 0600 | |||
user = facteur | |||
protocols = imap pop3 sieve | |||
service auth { | |||
unix_listener /var/spool/postfix/private/auth { | |||
group = postfix | |||
mode = 0660 | |||
user = postfix | |||
} | |||
client { | |||
path = /var/spool/postfix/private/auth | |||
mode = 0660 | |||
user = postfix | |||
group = postfix | |||
unix_listener auth-master { | |||
mode = 0600 | |||
user = facteur | |||
} | |||
} | |||
} | |||
dict { | |||
service managesieve-login { | |||
inet_listener sieve { | |||
port = 4190 | |||
} | |||
process_min_avail = 0 | |||
service_count = 1 | |||
vsz_limit = 64 M | |||
executable = /usr/lib/dovecot/managesieve-login | |||
} | |||
plugin { | |||
sieve_dir = /home/facteur/%d/%n/sieve | |||
sieve = /home/facteur/%d/%n/.dovecot.sieve | |||
service managesieve { | |||
executable = /usr/lib/dovecot/managesieve | |||
} | |||
userdb { | |||
args = /etc/dovecot/dovecot-mysql.conf | |||
driver = sql | |||
} | |||
protocol lda { | |||
auth_socket_path = /var/run/dovecot/auth-master | |||
mail_plugin_dir = /usr/lib/dovecot/modules | |||
mail_plugins = sieve quota | |||
postmaster_address = admin@{{ domain }} | |||
} |
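Review bot: `disable_plaintext_auth = no` sits in the new doveconf-style listing directly under the `2.1.7: /etc/dovecot/dovecot.conf` header, and it permits IMAP/POP3 logins with cleartext passwords over non-TLS connections, exposing the SQL-backed mailbox credentials to anyone on the path. Unless a `ssl = required` lives in conf.d (not shown in this hunk; it implicitly forbids plaintext auth), change the line to `disable_plaintext_auth = yes`, the 2.x default, so clients authenticate only after TLS. The rendered page drops the diff markers, so confirm this setting is indeed on the new side before changing it.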
@ -1,5 +1,5 @@ | |||
hosts = 127.0.0.1 | |||
user = postfix | |||
password = {{ dbpassword }} | |||
password = {{ dbpassword.stdout }} | |||
dbname = postfix | |||
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = 1 |
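Review bot: This map file carries the Postfix DB password in cleartext, and the task that renders it is not part of this change, so it is worth confirming that the file is written with `mode=0640 owner=root group=postfix`; Postfix reads SQL maps as the unprivileged `postfix` user, and the `template` module's default mode would leave the secret readable to every local account. The same applies to the three sibling map files that follow in this change, which embed the same `{{ dbpassword.stdout }}`.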
@ -1,5 +1,5 @@ | |||
hosts = 127.0.0.1 | |||
user = postfix | |||
password = {{ dbpassword }} | |||
password = {{ dbpassword.stdout }} | |||
dbname = postfix | |||
query = SELECT goto FROM alias WHERE address='%s' AND active = 1 |
@ -1,5 +1,5 @@ | |||
hosts = 127.0.0.1 | |||
user = postfix | |||
password = {{ dbpassword }} | |||
password = {{ dbpassword.stdout }} | |||
dbname = postfix | |||
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = 0 and active = 1 |
@ -1,5 +1,5 @@ | |||
hosts = 127.0.0.1 | |||
user = postfix | |||
password = {{ dbpassword }} | |||
password = {{ dbpassword.stdout }} | |||
dbname = postfix | |||
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = 1 |
@ -1,4 +1,5 @@ | |||
DROP DATABASE IF EXISTS postfix; | |||
CREATE DATABASE postfix; | |||
GRANT ALL PRIVILEGES ON postfix.* TO 'postfix_admin'@'%' IDENTIFIED BY '{{ dbpassword.stdout }}'; | |||
GRANT ALL PRIVILEGES ON postfix.* TO 'postfix'@'%' IDENTIFIED BY '{{ dbpassword.stdout }}'; | |||
GRANT SELECT ON postfix.* TO 'postfix'@'%' IDENTIFIED BY '{{ dbpassword.stdout }}'; | |||
FLUSH PRIVILEGES; |
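Review bot: The `GRANT SELECT` on the last line does not narrow the `postfix` account, because MySQL grants are cumulative and the line before it already gives `'postfix'@'%'` ALL PRIVILEGES on `postfix.*`; the lookup user that the `.cf` maps connect as therefore keeps full write access to the tables that drive mail routing. Remove the `GRANT ALL PRIVILEGES ON postfix.* TO 'postfix'@'%' ...` line so only `GRANT SELECT ON postfix.* TO 'postfix'@'%' IDENTIFIED BY '{{ dbpassword.stdout }}';` remains for that user. Both accounts also share one generated password and are created for host `'%'` although the maps connect to 127.0.0.1; scoping them to `'localhost'` and giving `postfix_admin` its own secret would be tighter.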
@ -0,0 +1,2 @@ | |||
pwcheck_method: saslauthd | |||
mech_list: PLAIN LOGIN |
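Review bot: `mech_list: PLAIN LOGIN` offers only mechanisms that send the password in the clear, so this is safe only if Postfix refuses AUTH on sessions that are not TLS-protected; that setting (`smtpd_tls_auth_only = yes` in main.cf) is not part of this change, so confirm it is in place. If it is not, add it alongside this file, and in any case a comment here would help the next reader: `# PLAIN/LOGIN are cleartext mechanisms: Postfix must set smtpd_tls_auth_only = yes`.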
@ -0,0 +1,37 @@ | |||
user www-data; | |||
worker_processes 4; | |||
worker_priority -10; | |||
pid /var/run/nginx.pid; | |||
worker_rlimit_nofile 65536; | |||
events { | |||
worker_connections 4096; | |||
use epoll; | |||
} | |||
http { | |||
sendfile on; | |||
tcp_nopush on; | |||
tcp_nodelay on; | |||
keepalive_timeout 8; | |||
types_hash_max_size 2048; | |||
server_tokens off; | |||
keepalive_requests 100000; | |||
open_file_cache max=200000 inactive=20s; | |||
open_file_cache_valid 30s; | |||
open_file_cache_min_uses 2; | |||
open_file_cache_errors on; | |||
include /etc/nginx/mime.types; | |||
default_type application/octet-stream; | |||
gzip on; | |||
gzip_disable "msie6"; | |||
#include /etc/nginx/naxsi_core.rules; | |||
include /etc/nginx/conf.d/*.conf; | |||
include /etc/nginx/sites-enabled/*; | |||
} |
@ -0,0 +1,26 @@ | |||
[www-data] | |||
prefix = /var/tmp | |||
user = www-data | |||
group = www-data | |||
listen = /var/run/php5-fpm-www-data.sock | |||
listen.backlog = 1024 | |||
pm = ondemand | |||
pm.max_children = 2 | |||
pm.process_idle_timeout = 30s; | |||
pm.max_requests = 800 | |||
pm.status_path = /status | |||
request_terminate_timeout = 120s | |||
chdir = / | |||
security.limit_extensions = .php .php3 .php4 .php5 | |||
env[TMP] = /tmp | |||
env[TMPDIR] = /tmp | |||
env[TEMP] = /tmp | |||
php_admin_value[memory_limit] = 128M |
@ -0,0 +1,13 @@ | |||
--- | |||
# handlers du role nginx | |||
- name: reload nginx | |||
service: name=nginx state=reloaded | |||
- name: restart nginx | |||
service: name=nginx state=restarted | |||
- name: start nginx | |||
service: name=nginx state=started | |||
- name: stop nginx | |||
service: name=nginx state=stopped | |||
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: | |||
@ -0,0 +1,23 @@ | |||
--- | |||
- name: Install default packages Debian. | |||
apt: pkg={{item}} state=installed install_recommends=no | |||
with_items: | |||
- nginx | |||
- nginx-common | |||
- nginx-full | |||
- php5-fpm | |||
- name: Copy nginx.conf | |||
tags: nginx | |||
copy: src=etc-nginx-nginx.conf dest=/etc/nginx/nginx.conf | |||
- name: Copy php5/fpm/pool.d/www-data.conf | |||
tags: nginx | |||
copy: src=etc-php5-fpm-pool.d-www-data.conf dest=/etc/php5/fpm/pool.d/www-data.conf | |||
- name: Delete the www.conf template | |||
tags: nginx | |||
file: path=etc/php5/fpm/pool.d/www.conf state=absent | |||
notify: restart nginx | |||
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: |
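Review bot: The path in the 'Delete the www.conf template' task is relative (`path=etc/php5/fpm/pool.d/www.conf`), so the stock `www` pool is never removed and php5-fpm keeps running both pools; it should read `file: path=/etc/php5/fpm/pool.d/www.conf state=absent`. The task also notifies `restart nginx`, but a pool file only affects php5-fpm, so it needs a php5-fpm restart handler (the nginx handlers file in this change defines none). Note that the owncloud role in the same change later templates `/etc/php5/fpm/pool.d/www.conf` back into place, so this deletion and that template work against each other; confirm which pool definition is meant to win.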
@ -0,0 +1,46 @@ | |||
--- | |||
packages: | |||
- nginx | |||
- php5-cli | |||
- php5-mysql | |||
- php5-fpm | |||
- php-apc | |||
- php5-mysql | |||
- php5-curl | |||
- libmime-lite-perl | |||
firewall_role_rules: | |||
- "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT" | |||
sysctls: | |||
- name: net.ipv4.ip_local_port_range | |||
value: "'1024 65000'" | |||
- name: net.ipv4.tcp_tw_reuse | |||
value: 1 | |||
- name: net.ipv4.tcp_fin_timeout | |||
value: 15 | |||
- name: net.core.netdev_max_backlog | |||
value: 4096 | |||
- name: net.core.rmem_max | |||
value: 16777216 | |||
- name: net.core.somaxconn | |||
value: 4096 | |||
- name: net.core.wmem_max | |||
value: 16777216 | |||
- name: net.ipv4.tcp_max_syn_backlog | |||
value: 20480 | |||
- name: net.ipv4.tcp_max_tw_buckets | |||
value: 400000 | |||
- name: net.ipv4.tcp_no_metrics_save | |||
value: 1 | |||
- name: net.ipv4.tcp_rmem | |||
value: "'4096 87380 16777216'" | |||
- name: net.ipv4.tcp_syn_retries | |||
value: 2 | |||
- name: net.ipv4.tcp_synack_retries | |||
value: 2 | |||
- name: net.ipv4.tcp_wmem | |||
value: "'4096 65536 16777216'" | |||
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: |
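Review bot: `firewall_role_rules` opens only TCP/80, while the ownCloud vhost added in this change listens on 443 and 301-redirects every plain-HTTP request there, so with these rules enforced clients are sent to a closed port; add `- "-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT"`. `php5-mysql` is also listed twice in `packages`; drop one of them.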
@ -0,0 +1,46 @@ | |||
--- | |||
# handlers du role common | |||
- name: update aliases | |||
command: newaliases | |||
- name: restart munin-node | |||
service: name=munin-node state=restarted | |||
- name: restart hobbit-client | |||
service: name=hobbit-client state=restarted | |||
- name: restart xymon-client | |||
service: name=xymon-client state=restarted | |||
- name: restart gwm | |||
service: name=gwm state=restarted | |||
- name: restart xend | |||
service: name=xend state=restarted | |||
- name: update-grub | |||
command: update-grub | |||
- name: restart collectd | |||
service: name=collectd state=restarted | |||
- name: restart ntp | |||
service: name=ntp state=restarted | |||
- name: restart xymon | |||
service: name=xymon state=restarted | |||
- name: update mysql_relay_domains map | |||
shell: postmap /etc/postfix/mysql_relay_domains.cf | |||
- name: restart postfix | |||
service: name=postfix state=restarted | |||
- name: restart nginx | |||
command: name=nginx state=restarted | |||
- name: restart php5-fpm | |||
shell: /etc/init.d/php5-fpm restart | |||
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: | |||
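Review bot: The `restart nginx` handler uses the `command` module with service-module arguments (`command: name=nginx state=restarted`), so when it is notified Ansible tries to execute a program literally named `name=nginx` and the handler fails; it should be `service: name=nginx state=restarted` like the neighbouring handlers. The `restart php5-fpm` handler shells out to `/etc/init.d/php5-fpm restart`, which works but bypasses the service abstraction used everywhere else in this file; `service: name=php5-fpm state=restarted` would be consistent.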
@ -0,0 +1,78 @@ | |||
--- | |||
- name: Install ownCloud dependencies | |||
apt: pkg={{item}} state=installed update_cache=no | |||
tags: owncloud | |||
with_items: "{{ packages }}" | |||
ignore_errors: no | |||
- name: unlink default vhost nginx | |||
tags: owncloud | |||
shell: unlink /etc/nginx/sites-enabled/default | |||
ignore_errors: yes | |||
- name: Get ownCloud | |||
tags: | |||
- update | |||
- owncloud | |||
get_url: url=https://download.owncloud.org/community/owncloud-latest.tar.bz2 validate_certs=no dest=/root/owncloud-latest.tar.bz2 | |||
- name: Creation of the right folder | |||
tags: owncloud | |||
file: path=/etc/nginx/ssl/ state=directory recurse=yes | |||
- name: create self-signed SSL cert | |||
command: openssl req -new -nodes -x509 -subj "/C=FR/ST=SomeWhere/L=OverTheRainBow/O=OwnCloud/CN=owncloud.{{ domain }}" -days 3650 -keyout /etc/nginx/ssl/owncloud.key -out /etc/nginx/ssl/owncloud.crt -extensions v3_ca creates=/etc/nginx/ssl/owncloud.crt | |||
tags: owncloud | |||
notify: restart nginx | |||
- name: Creation of the right folder | |||
tags: owncloud | |||
file: path=/var/www/owncloud/ state=directory recurse=yes | |||
- name: Untar | |||
tags: | |||
- update | |||
- owncloud | |||
shell: tar xvf /root/owncloud-latest.tar.bz2 -C /var/www/owncloud/ | |||
ignore_errors: no | |||
- name: Chown | |||
tags: | |||
- update | |||
- owncloud | |||
shell: chown -R www-data. /var/www/ | |||
- name: Randomly generate an ownCloud database password | |||
shell: pwgen -y -B -s 80 1 | |||
tags: | |||
- owncloud | |||
register: dbpassword | |||
- name: Config nginx | |||
template: src=etc-nginx-sites-enabled-owncloud.j2 dest=/etc/nginx/sites-enabled/owncloud | |||
tags: owncloud | |||
notify: restart nginx | |||
- name: Config PHP5-fpm | |||
template: src=etc-php5-fpm-pool.d-www.conf.j2 dest=/etc/php5/fpm/pool.d/www.conf | |||
tags: owncloud | |||
notify: restart php5-fpm | |||
- name: Config PHP5-fpm ini file | |||
template: src=php.ini.j2 dest=/etc/php5/fpm/php.ini | |||
tags: owncloud | |||
notify: restart php5-fpm | |||
- name: Import database template | |||
tags: | |||
- owncloud | |||
template: src=root-ownclouddb.sql.j2 dest=/root/ownclouddb.sql | |||
- name: Import sql file for account and db creation | |||
tags: | |||
- owncloud | |||
shell: mysql < /root/ownclouddb.sql | |||
notify: restart php5-fpm | |||
#vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: |
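Review bot: The 'Get ownCloud' task downloads the tarball with `validate_certs=no` and no checksum, so an on-path attacker can substitute the archive that is then unpacked into the web root and executed as PHP; use `validate_certs=yes` and pin the artifact, e.g. `get_url: url=https://download.owncloud.org/community/owncloud-<version>.tar.bz2 validate_certs=yes sha256sum=<published digest> dest=/root/owncloud-latest.tar.bz2` (`owncloud-latest` cannot be pinned, so the role needs a version variable). The generated password is also rendered into `/root/ownclouddb.sql` and left on disk after `mysql < /root/ownclouddb.sql`; remove the file afterwards or feed the SQL via stdin. Finally, `pwgen` runs unconditionally, so every replay produces a new password and re-runs `CREATE USER`, which fails once the user exists; generate the secret once (outside the play or guarded by a stat) and reuse it.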
@ -0,0 +1,73 @@ | |||
server { | |||
listen 80; | |||
server_name owncloud.{{ domain }}; | |||
return 301 https://$server_name$request_uri; | |||
} | |||
server { | |||
listen 443 ssl; | |||
server_name owncloud.{{ domain }}; | |||
keepalive_timeout 70; | |||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |||
ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5; | |||
ssl_certificate /etc/nginx/ssl/owncloud.crt; | |||
ssl_certificate_key /etc/nginx/ssl/owncloud.key; | |||
root /var/www/owncloud/owncloud/; | |||
error_log /var/log/owncloud.error.log; | |||
access_log /var/log/owncloud.access.log; | |||
client_max_body_size 10G; | |||
fastcgi_buffers 64 4K; | |||
rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect; | |||
rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect; | |||
rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect; | |||
index index.php; | |||
error_page 403 /core/templates/403.php; | |||
error_page 404 /core/templates/404.php; | |||
location = /robots.txt { | |||
allow all; | |||
log_not_found off; | |||
access_log off; | |||
} | |||
location ~ ^/(data|config|\.ht|db_structure\.xml|README) { | |||
deny all; | |||
} | |||
location / { | |||
rewrite ^/.well-known/host-meta /public.php?service=host-meta last; | |||
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; | |||
rewrite ^/.well-known/carddav /remote.php/carddav/ redirect; | |||
rewrite ^/.well-known/caldav /remote.php/caldav/ redirect; | |||
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; | |||
try_files $uri $uri/ index.php; | |||
error_log /var/log/owncloud.error.log; | |||
access_log /var/log/owncloud.access.log; | |||
} | |||
location ~ ^(.+?\.php)(/.*)?$ { | |||
try_files $1 = 404; | |||
include fastcgi_params; | |||
fastcgi_param SCRIPT_FILENAME $document_root$1; | |||
fastcgi_param PATH_INFO $2; | |||
fastcgi_param HTTPS on; | |||
fastcgi_connect_timeout 60; | |||
fastcgi_send_timeout 180; | |||
fastcgi_param htaccessWorking true; | |||
fastcgi_read_timeout 360; | |||
fastcgi_pass unix:/var/run/php5-fpm-www-data.sock; | |||
error_log /var/log/owncloud.fpm.error.log; | |||
access_log /var/log/owncloud.fpm.access.log; | |||
} | |||
# Optional: set long EXPIRES header on static assets | |||
location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ { | |||
expires 30d; | |||
# Optional: Don't log access to assets | |||
access_log off; | |||
} | |||
} | |||
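Review bot: `ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;` enables RC4 (broken) and 3DES, and without `ssl_prefer_server_ciphers on` the client chooses among them; replace it with `ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES;` and add `ssl_prefer_server_ciphers on;`. The PHP location also has a typo: `try_files $1 = 404;` (with a space) tries a file named `=` and then falls through to the URI `404` instead of returning status 404; it must be `try_files $1 =404;`. The vhost serves the self-signed certificate the role generates, which is acceptable for a test host but will raise a warning in every client until a CA-issued certificate replaces it.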
@ -0,0 +1,36 @@ | |||
[www-data] | |||
prefix = /var/tmp | |||
user = www-data | |||
group = www-data | |||
slowlog = /var/log/php-fpm/slowlog-site.log | |||
listen = /var/run/php5-fpm-www-data.sock | |||
listen.backlog = 1024 | |||
pm = dynamic | |||
pm.start_servers = 4 | |||
pm.min_spare_servers = 2 | |||
pm.max_spare_servers = 6 | |||
pm.max_children = 8 | |||
pm.process_idle_timeout = 30s; | |||
pm.max_requests = 800 | |||
pm.status_path = /status | |||
listen.backlog = -1 | |||
listen.owner = www-data | |||
listen.group = www-data | |||
listen.mode = 0666 | |||
request_terminate_timeout = 3600s | |||
catch_workers_output=no | |||
chdir = / | |||
rlimit_core = unlimited | |||
security.limit_extensions = .php .php3 .php4 .php5 | |||
env[TMP] = /tmp | |||
env[TMPDIR] = /tmp | |||
env[TEMP] = /tmp | |||
env[HOSTNAME] = $HOSTNAME | |||
php_admin_value[memory_limit] = 1G | |||
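Review bot: `listen.mode = 0666` makes the FastCGI socket world-writable, so any local account can submit requests to PHP as www-data; nginx already runs as `www-data` in this change, so `listen.mode = 0660` together with the existing `listen.owner`/`listen.group` lines is sufficient. `rlimit_core = unlimited` lets a crashed worker dump memory containing session data and the DB password to disk; leave it at the default unless actively debugging. `listen.backlog` is also set twice (1024, then -1) and the later value wins; drop the first.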
@ -0,0 +1,5 @@ | |||
CREATE USER 'owncloud'@'localhost' IDENTIFIED BY '{{ dbpassword.stdout }}'; | |||
GRANT USAGE ON * . * TO 'owncloud'@'localhost' IDENTIFIED BY '{{ dbpassword.stdout }}' WITH MAX_QUERIES_PER_HOUR 0 | |||
MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ; | |||
CREATE DATABASE IF NOT EXISTS `owncloud` ; | |||
GRANT ALL PRIVILEGES ON `owncloud` . * TO 'owncloud'@'localhost'; |
@ -0,0 +1,17 @@ | |||
packages: | |||
- php5 | |||
- php5-gd | |||
- php-xml-parser | |||
- php5-intl | |||
- php5-sqlite | |||
- php5-mysql | |||
- php5-pgsql | |||
- smbclient | |||
- php5-curl | |||
- php5-mcrypt | |||
- php5-fpm | |||
- pwgen | |||
- bzip2 | |||
- php5-ldap | |||
# vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab: | |||
@ -0,0 +1,2 @@ | |||
- name: restart prosody | |||
command: /etc/init.d/prosody restart |
@ -0,0 +1,4 @@ | |||
--- | |||
# Provides the Prosody Jabber/XMPP server. | |||
- include: prosody.yml tags=prosody |
@ -0,0 +1,29 @@ | |||
- name: Ensure repository key for Prosody is in place | |||
apt_key: url=https://prosody.im/files/prosody-debian-packages.key state=present | |||
# Prosody supplies repo for sid, squeeze, wheezy, jessie, trusty, saucy, raring, quantal, precise and lucid | |||
- name: Add Prosody Debian/Ubuntu repository | |||
apt_repository: repo="deb http://packages.prosody.im/debian {{ ansible_distribution_release }} main" | |||
- name: Install Prosody from official repository | |||
apt: pkg=prosody update_cache=yes | |||
- name: Add prosody user to ssl-cert group | |||
user: name=prosody groups=ssl-cert append=yes | |||
- name: Create Prosody data directory | |||
file: state=directory path=/decrypted/prosody owner=prosody group=prosody | |||
- name: Configure Prosody | |||
template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua group=root owner=root | |||
notify: restart prosody | |||
- name: Create Prosody accounts | |||
command: prosodyctl register {{ item.name }} {{ prosody_virtual_domain }} "{{ item.password }}" | |||
with_items: prosody_accounts | |||
- name: Set firewall rules for Prosody | |||
ufw: rule=allow port={{ item }} proto=tcp | |||
with_items: | |||
- 5222 # xmpp c2s | |||
- 5269 # xmpp s2s |
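Review bot: The 'Create Prosody accounts' task passes `{{ item.password }}` on the prosodyctl command line, so the password appears in the process list and in Ansible's output and logs on every run; add `no_log: true` to the task. The task is not idempotent either: `prosodyctl register` runs on every play and fails once the account exists, so guard it (for example with `creates=` pointing at the account's file under `/decrypted/prosody`) or check for the account first. `with_items: prosody_accounts` expects a list of `{name, password}` mappings; make sure the variable is declared in that shape, since a scalar would break `item.name`.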
@ -0,0 +1,175 @@ | |||
-- Prosody XMPP Server Configuration | |||
-- | |||
-- Information on configuring Prosody can be found on our | |||
-- website at http://prosody.im/doc/configure | |||
-- | |||
-- Tip: You can check that the syntax of this file is correct | |||
-- when you have finished by running: luac -p prosody.cfg.lua | |||
-- If there are any errors, it will let you know what and where | |||
-- they are, otherwise it will keep quiet. | |||
-- | |||
-- Good luck, and happy Jabbering! | |||
---------- Server-wide settings ---------- | |||
-- Settings in this section apply to the whole server and are the default settings | |||
-- for any virtual hosts | |||
-- This is a (by default, empty) list of accounts that are admins | |||
-- for the server. Note that you must create the accounts separately | |||
-- (see http://prosody.im/doc/creating_accounts for info) | |||
-- Example: admins = { "user1@example.com", "user2@example.net" } | |||
admins = { "{{ prosody_admin }}" } | |||
-- Enable use of libevent for better performance under high load | |||
-- For more information see: http://prosody.im/doc/libevent | |||
--use_libevent = true; | |||
-- This is the list of modules Prosody will load on startup. | |||
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too. | |||
-- Documentation on modules can be found at: http://prosody.im/doc/modules | |||
modules_enabled = { | |||
-- Generally required | |||
"roster"; -- Allow users to have a roster. Recommended ;) | |||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in. | |||
"tls"; -- Add support for secure TLS on c2s/s2s connections | |||
"dialback"; -- s2s dialback support | |||
"disco"; -- Service discovery | |||
"posix"; -- POSIX functionality, sends server to background, enables syslog, etc. | |||
-- Not essential, but recommended | |||
"private"; -- Private XML storage (for room bookmarks, etc.) | |||
"vcard"; -- Allow users to set vCards | |||
-- These are commented by default as they have a performance impact | |||
"privacy"; -- Support privacy lists | |||
--"compression"; -- Stream compression (requires the lua-zlib package installed) | |||
-- Nice to have | |||
"version"; -- Replies to server version requests | |||
"uptime"; -- Report how long server has been running | |||
"time"; -- Let others know the time here on this server | |||
"ping"; -- Replies to XMPP pings with pongs | |||
-- "pep"; -- Enables users to publish their mood, activity, playing music and more | |||
"register"; -- Allow users to register on this server using a client and change passwords | |||
-- Admin interfaces | |||
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands | |||
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582 | |||
-- HTTP modules | |||
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP" | |||
--"http_files"; -- Serve static files from a directory over HTTP | |||
-- Other specific functionality | |||
--"groups"; -- Shared roster support | |||
--"announce"; -- Send announcement to all online users | |||
--"welcome"; -- Welcome users who register accounts | |||
--"watchregistrations"; -- Alert admins of registrations | |||
--"motd"; -- Send a message to users when they log in | |||
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots. | |||
}; | |||
-- These modules are auto-loaded, but should you want | |||
-- to disable them then uncomment them here: | |||
modules_disabled = { | |||
-- "offline"; -- Store offline messages | |||
-- "c2s"; -- Handle client connections | |||
-- "s2s"; -- Handle server-to-server connections | |||
}; | |||
-- Disable account creation by default, for security | |||
-- For more information see http://prosody.im/doc/creating_accounts | |||
allow_registration = false; | |||
-- These are the SSL/TLS-related settings. If you don't want | |||
-- to use SSL/TLS, you may comment or remove this | |||
ssl = { | |||
key = "/etc/ssl/private/wildcard_private.key"; | |||
certificate = "/etc/ssl/certs/wildcard_public_cert.crt"; | |||
} | |||
-- Force clients to use encrypted connections? This option will | |||
-- prevent clients from authenticating unless they are using encryption. | |||
c2s_require_encryption = true | |||
-- Force certificate authentication for server-to-server connections? | |||
-- This provides ideal security, but requires servers you communicate | |||
-- with to support encryption AND present valid, trusted certificates. | |||
-- NOTE: Your version of LuaSec must support certificate verification! | |||
-- For more information see http://prosody.im/doc/s2s#security | |||
s2s_secure_auth = false | |||
-- Many servers don't support encryption or have invalid or self-signed | |||
-- certificates. You can list domains here that will not be required to | |||
-- authenticate using certificates. They will be authenticated using DNS. | |||
--s2s_insecure_domains = { "gmail.com" } | |||
-- Even if you leave s2s_secure_auth disabled, you can still require valid | |||
-- certificates for some domains by specifying a list here. | |||
--s2s_secure_domains = { "jabber.org" } | |||
-- Required for init scripts and prosodyctl | |||
pidfile = "/var/run/prosody/prosody.pid" | |||
-- Select the authentication backend to use. The 'internal' providers | |||
-- use Prosody's configured data storage to store the authentication data. | |||
-- To allow Prosody to offer secure authentication mechanisms to clients, the | |||
-- default provider stores passwords in plaintext. If you do not trust your | |||
-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed | |||
-- for information about using the hashed backend. | |||
authentication = "internal_plain" | |||
-- Select the storage backend to use. By default Prosody uses flat files | |||
-- in its configured data directory, but it also supports more backends | |||
-- through modules. An "sql" backend is included by default, but requires | |||
-- additional dependencies. See http://prosody.im/doc/storage for more info. | |||
--storage = "sql" -- Default is "internal" | |||
-- For the "sql" backend, you can uncomment *one* of the below to configure: | |||
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename. | |||
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" } | |||
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" } | |||
-- Logging configuration | |||
-- For advanced logging see http://prosody.im/doc/logging | |||
log = { | |||
info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging | |||
error = "/var/log/prosody/prosody.err"; | |||
"*syslog"; | |||
} | |||
data_path = "/decrypted/prosody" | |||
----------- Virtual hosts ----------- | |||
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve. | |||
-- Settings under each VirtualHost entry apply *only* to that host. | |||
VirtualHost "{{ prosody_virtual_domain }}" | |||
------ Components ------ | |||
-- You can specify components to add hosts that provide special services, | |||
-- like multi-user conferences, and transports. | |||
-- For more information on components, see http://prosody.im/doc/components | |||
---Set up a MUC (multi-user chat) room server on conference.example.com: | |||
--Component "conference.example.com" "muc" | |||
-- Set up a SOCKS5 bytestream proxy for server-proxied file tr3ansfers: | |||
--Component "proxy.example.com" "proxy65" | |||
---Set up an external component (default component port is 5347) | |||
-- | |||
-- External components allow adding various services, such as gateways/ | |||
-- transports to other networks like ICQ, MSN and Yahoo. For more info | |||
-- see: http://prosody.im/doc/components#adding_an_external_component | |||
-- | |||
--Component "gateway.example.com" | |||
-- component_secret = "password" |
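Review bot: `authentication = "internal_plain"` stores every user's password in cleartext under `data_path = "/decrypted/prosody"`, as the comment above it says; switch to `authentication = "internal_hashed"` so a copy of the data directory or a backup does not yield working credentials (existing accounts must be re-registered after the change). `s2s_secure_auth = false` accepts federation peers with no or invalid certificates; if the deployment only federates with a few known servers, set it to `true` and list exceptions in `s2s_insecure_domains`. The `"version"` module is also enabled and answers version queries from anyone; comment it out unless it is needed.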
@ -0,0 +1,10 @@ | |||
- name: import wallabag sql | |||
shell: PGPASSWORD='{{ wallabag_db_password }}' psql -h localhost -d {{ wallabag_db_database }} -U {{ wallabag_db_username }} -f /var/www/wallabag/install/postgres.sql --set ON_ERROR_STOP=1 | |||
notify: remove install folder | |||
#' | |||
- name: restart apache2 | |||
service: name=apache2 state=restarted | |||
- name: remove install folder | |||
file: path=/var/www/wallabag/install state=absent |
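Review bot: The `import wallabag sql` handler puts the DB password on the command line via `PGPASSWORD='{{ wallabag_db_password }}'`, so it ends up in Ansible output and the process list; add `no_log: true`, or drop the handler entirely since the wallabag tasks in this change import `install/mysql.sql` with `mysql` and never notify it. The `restart apache2` handler is unreachable as well: the tasks notify `restart apache`, which is not defined here, so the play aborts on the first change; rename one side so the names match.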
@ -0,0 +1 @@ | |||
- include: wallabag.yml tags=wallabag |
@ -0,0 +1,73 @@ | |||
- name: Determine whether wallabag is configured | |||
stat: path=/var/www/wallabag/inc/poche/config.inc.php | |||
register: wallabag_config | |||
- name: Clone wallabag | |||
git: repo=https://github.com/wallabag/wallabag.git | |||
dest=/var/www/wallabag | |||
version={{ wallabag_version }} | |||
accept_hostkey=yes | |||
- name: Remove wallabag 'install' directory if its configuration file is there | |||
file: name=/var/www/wallabag/install state=absent | |||
when: wallabag_config.stat.exists == True | |||
- name: Install wallabag dependencies | |||
apt: pkg={{ item }} state=present | |||
with_items: | |||
- php5 | |||
- php5-curl | |||
- php5-mcrypt | |||
- php5-pgsql | |||
- php5-tidy | |||
- name: Import database user template | |||
template: src=root-wallabag.sql.j2 dest=/root/wallabag.sql | |||
- name: Import sql file for account and db creation | |||
shell: mysql < /root/wallabag.sql | |||
- name: Import wallabag sql | |||
shell: mysql {{ wallabag_db_database }} < /var/www/wallabag/install/mysql.sql | |||
notify: remove install folder | |||
- name: Build Composer | |||
shell: curl -sS https://getcomposer.org/installer | php | |||
chdir=/root | |||
creates=/root/composer.phar | |||
- name: Initialize composer | |||
command: php /root/composer.phar install | |||
chdir=/var/www/wallabag | |||
creates=/var/www/wallabag/vendor/autoload.php | |||
- name: Set wallabag permissions | |||
file: owner=www-data | |||
group=www-data | |||
path=/var/www/wallabag | |||
recurse=yes | |||
state=directory | |||
- name: Create the configuration file | |||
template: src=var_www_wallabag_inc_poche_config.inc.php.j2 | |||
dest=/var/www/wallabag/inc/poche/config.inc.php | |||
owner=www-data | |||
group=www-data | |||
- name: Rename existing Apache wallabag virtualhost | |||
command: mv /etc/apache2/sites-available/wallabag /etc/apache2/sites-available/wallabag.conf removes=/etc/apache2/sites-available/wallabag | |||
- name: Remove old sites-enabled/wallabag symlink (new one will be created by a2ensite) | |||
command: rm /etc/apache2/sites-enabled/wallabag removes=/etc/apache2/sites-enabled/wallabag | |||
- name: Configure the Apache HTTP server for wallabag | |||
template: src=etc_apache2_sites-available_wallabag.j2 | |||
dest=/etc/apache2/sites-available/wallabag.conf | |||
owner=root | |||
group=root | |||
- name: Enable the wallabag site | |||
command: a2ensite wallabag.conf | |||
creates=/etc/apache2/sites-enabled/wallabag.conf | |||
notify: restart apache |
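Review bot: The final task notifies `restart apache`, but the only handler defined in this change is `restart apache2`, so enabling the site fails with an undefined-handler error; change it to `notify: restart apache2`. The tasks also provision MySQL (`mysql < /root/wallabag.sql`, then `install/mysql.sql`) while the rendered `config.inc.php` sets `STORAGE` to `postgres` and the only DB driver installed is `php5-pgsql`, so the application will not reach the database that was just created; pick one backend and apply it consistently. `/root/wallabag.sql` also keeps the cleartext DB password on disk after the import; remove it with `file: path=/root/wallabag.sql state=absent` once the import task has run.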
@ -0,0 +1,31 @@ | |||
<VirtualHost *:80> | |||
ServerName {{ wallabag_domain }} | |||
Redirect permanent / https://{{ wallabag_domain }}/ | |||
</VirtualHost> | |||
<VirtualHost *:443> | |||
ServerName {{ wallabag_domain }} | |||
SSLEngine on | |||
SSLProtocol ALL -SSLv2 -SSLv3 | |||
SSLHonorCipherOrder On | |||
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS | |||
SSLCertificateFile /etc/ssl/certs/wildcard_public_cert.crt | |||
SSLCertificateKeyFile /etc/ssl/private/wildcard_private.key | |||
SSLCACertificateFile /etc/ssl/certs/wildcard_ca.pem | |||
Header add Strict-Transport-Security "max-age=15768000; includeSubdomains" | |||
DocumentRoot /var/www/wallabag | |||
Options -Indexes | |||
ErrorLog /var/log/apache2/wallabag.info-error_log | |||
CustomLog /var/log/apache2/wallabag.info-access_log common | |||
<Directory /var/www/wallabag> | |||
AllowOverride All | |||
Order allow,deny | |||
allow from all | |||
DirectoryIndex index.php | |||
</Directory> | |||
</VirtualHost> |
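Review bot: `Header add Strict-Transport-Security ...` is only emitted on successful responses, so the 301 from the `*:80` vhost and any error page go out without HSTS; use `Header always set Strict-Transport-Security "max-age=15768000; includeSubdomains"`. `SSLCACertificateFile` configures the CA used to verify *client* certificates; if the intent is to send the intermediate chain for the wildcard certificate, that is `SSLCertificateChainFile`. The `<Directory>` block uses 2.2-style `Order allow,deny`/`allow from all`, which on Apache 2.4 only works while mod_access_compat is loaded; `Require all granted` is the 2.4 form.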
@ -0,0 +1,5 @@ | |||
CREATE USER 'wallabag'@'localhost' IDENTIFIED BY '{{ wallabag_db_password }}'; | |||
GRANT USAGE ON * . * TO 'wallabag'@'localhost' IDENTIFIED BY '{{ wallabag_db_password }}' WITH MAX_QUERIES_PER_HOUR 0 | |||
MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ; | |||
CREATE DATABASE IF NOT EXISTS `wallabag` ; | |||
GRANT ALL PRIVILEGES ON `wallabag` . * TO 'wallabag'@'localhost'; |
@ -0,0 +1,58 @@ | |||
<?php | |||
/** | |||
* wallabag, self hostable application allowing you to not miss any content anymore | |||
* | |||
* @category wallabag | |||
* @author Nicolas Lœuillet <nicolas@loeuillet.org> | |||
* @copyright 2013 | |||
* @license http://www.wtfpl.net/ see COPYING file | |||
*/ | |||
define ('SALT', '{{ wallabag_salt }}'); # put a strong string here | |||
define ('LANG', 'en_EN.utf8'); | |||
define ('STORAGE', 'postgres'); # postgres, mysql or sqlite | |||
define ('STORAGE_SQLITE', ROOT . '/db/poche.sqlite'); # if you are using sqlite, where the database file is located | |||
# only for postgres & mysql | |||
define ('STORAGE_SERVER', 'localhost'); | |||
define ('STORAGE_DB', '{{ wallabag_db_database }}'); | |||
define ('STORAGE_USER', '{{ wallabag_db_username }}'); | |||
define ('STORAGE_PASSWORD', '{{ wallabag_db_password }}'); | |||
################################################################################# | |||
# Do not trespass unless you know what you are doing | |||
################################################################################# | |||
// Change this if not using the standart port for SSL - i.e you server is behind sslh | |||
define ('SSL_PORT', 443); | |||
define ('MODE_DEMO', FALSE); | |||
define ('DEBUG_POCHE', FALSE); | |||
define ('DOWNLOAD_PICTURES', FALSE); | |||
define ('CONVERT_LINKS_FOOTNOTES', FALSE); | |||
define ('REVERT_FORCED_PARAGRAPH_ELEMENTS', FALSE); | |||
define ('SHARE_TWITTER', TRUE); | |||
define ('SHARE_MAIL', TRUE); | |||
define ('SHARE_SHAARLI', FALSE); | |||
define ('SHAARLI_URL', 'http://myshaarliurl.com'); | |||
define ('FLATTR', TRUE); | |||
define ('FLATTR_API', 'https://api.flattr.com/rest/v2/things/lookup/?url='); | |||
define ('NOT_FLATTRABLE', '0'); | |||
define ('FLATTRABLE', '1'); | |||
define ('FLATTRED', '2'); | |||
define ('ABS_PATH', 'assets/'); | |||
define ('DEFAULT_THEME', 'baggy'); | |||
define ('THEME', ROOT . '/themes'); | |||
define ('LOCALE', ROOT . '/locale'); | |||
define ('CACHE', ROOT . '/cache'); | |||
define ('PAGINATION', '10'); | |||
//limit for download of articles during import | |||
define ('IMPORT_LIMIT', 5); | |||
//delay between downloads (in sec) | |||
define ('IMPORT_DELAY', 5); |
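Review bot: `STORAGE` is set to `postgres` while the role's tasks create a MySQL user and database and load `install/mysql.sql`; unless a PostgreSQL server and role are provisioned elsewhere, the application cannot connect and the MySQL database it just created sits unused — set `define ('STORAGE', 'mysql');` to match the tasks, or switch the tasks to the Postgres path. This file also holds the DB password and the application salt; the task that renders it sets owner/group to www-data but no `mode=`, so confirm it is not world-readable (`mode=0640` would do).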