Update to 2020-04-14

playbooks/update_all.yml

@@ -0,0 +1,9 @@
+---
+- name: Update everything
+  hosts: '*'
+  tasks:
+    - yum: name='*' state=latest
+      when: ansible_os_family == 'RedHat'
+    - apt: name='*' state=latest
+      when: ansible_os_family == 'Debian'
+

playbooks/update_zabbix.yml

@@ -0,0 +1,42 @@
+---
+- name: Update Zabbix
+  hosts: '*'
+  tasks:
+    - yum:
+        name:
+          - zabbix-agent
+          - zabbix-agent-addons
+        state: latest
+      when: ansible_os_family == 'RedHat'
+      notify: restart zabbix-agent
+    - apt:
+        name:
+          - zabbix-agent
+        update_cache: True
+        state: latest
+      when: ansible_os_family == 'Debian'
+      notify: restart zabbix-agent
+    - git:
+        repo: https://git.fws.fr/fws/zabbix-agent-addons.git
+        dest: /var/lib/zabbix/addons
+      register: zabbix_agent_addons_git
+      when: ansible_os_family == 'Debian'
+      notify: restart zabbix-agent
+    - shell: cp -af /var/lib/zabbix/addons/{{ item.src }}/* {{ item.dest }}/
+      with_items:
+        - { src: zabbix_conf,    dest: /etc/zabbix/zabbix_agentd.conf.d }
+        - { src: zabbix_scripts, dest: /var/lib/zabbix/bin }
+        - { src: lib,            dest: /usr/local/lib/site_perl }
+      when:
+        - zabbix_agent_addons_git.changed
+        - ansible_os_family == 'Debian'
+    - shell: chmod +x /var/lib/zabbix/bin/*
+      args:
+        warn: False
+      when:
+        - zabbix_agent_addons_git.changed
+        - ansible_os_family == 'Debian'
+
+  handlers:
+    - name: restart zabbix-agent
+      service: name=zabbix-agent state=restarted

roles/ampache/defaults/main.yml

@@ -0,0 +1,94 @@
+---
+
+ampache_id: "1"
+ampache_manage_upgrade: True
+
+ampache_version: '4.1.1'
+ampache_config_version: 40
+ampache_zip_url: https://github.com/ampache/ampache/archive/{{ ampache_version }}.zip
+ampache_zip_sha1: 744ff90039a268579551d50650ce1502ec89daf1
+
+ampache_root_dir: /opt/ampache_{{ ampache_id }}
+
+ampache_php_user: php-ampache_{{ ampache_id }}
+ampache_php_version: 74
+
+# If you prefer using a custom PHP FPM pool, set it's name.
+# You might need to adjust ampache_php_user
+# ampache_php_fpm_pool: php56
+
+
+ampache_mysql_server: "{{ mysql_server | default('localhost') }}"
+# ampache_mysql_port: 3306
+ampache_mysql_db: ampache_{{ ampache_id }}
+ampache_mysql_user: ampache_{{ ampache_id }}
+# If not defined, a random pass will be generated and stored in the meta directory
+# ampache_mysql_pass: ampache
+
+# ampache_alias: ampache
+# ampache_allowed_ip:
+#   - 192.168.7.0/24
+#   - 10.2.0.0/24
+
+ampache_local_web_path: "http://ampache.{{ ansible_domain }}/"
+ampache_auth_methods:
+  - mysql
+
+ampache_ldap_url: "{{ ad_auth | default(False) | ternary('ldap://' + ad_realm | default(samba_realm) | lower,ldap_uri) }}"
+ampache_ldap_starttls: True
+ampache_ldap_search_dn: "{{ ad_auth | default(False) | ternary((ad_ldap_user_search_base is defined) | ternary(ad_ldap_user_search_base,'DC=' + ad_realm | default(samba_realm) | regex_replace('\\.',',DC=')), ldap_base) }}"
+ampache_ldap_username: ""
+ampache_ldap_password: ""
+ampache_ldap_objectclass: "{{ ad_auth | default(False) | ternary('user','inetOrgPerson') }}"
+ampache_ldap_filter: "{{ ad_auth | default(False) | ternary('(&(objectCategory=person)(objectClass=user)(primaryGroupId=513)(sAMAccountName=%v))','(uid=%v)') }}"
+ampache_ldap_email_field: mail
+ampache_ldap_name_field: cn
+
+ampache_admin_users:
+  - admin
+
+#ampache_logout_redirect: https://sso.domain.org
+
+ampache_metadata_order: 'getID3,filename'
+
+ampache_lastfm_api_key: 697bad201ee93391630d845c7b3f9610
+ampache_lastfm_api_secret: 5f5fe59aa2f9c60220f04e94aa59c209
+
+ampache_max_bit_rate: 192
+ampache_min_bit_rate: 64
+
+# allowed, required or false
+ampache_transcode_m4a: required
+ampache_transcode_flac: required
+ampache_transcode_mpc: required
+ampache_transcode_ogg: required
+ampache_transcode_oga: required
+ampache_transcode_wav: required
+ampache_transcode_wma: required
+ampache_transcode_aif: required
+ampache_transcode_aiff: required
+ampache_transcode_ape: required
+ampache_transcode_shn: required
+ampache_transcode_mp3: allowed
+ampache_transcode_avi: required
+ampache_transcode_mkv: required
+ampache_transcode_mpg: required
+ampache_transcode_mpeg: required
+ampache_transcode_m4v: required
+ampache_transcode_mp4: required
+ampache_transcode_mov: required
+ampache_transcode_wmv: required
+ampache_transcode_ogv: required
+ampache_transcode_divx: required
+ampache_transcode_m2ts: required
+ampache_transcode_webm: required
+ampache_transcode_player_api_mp3: required
+ampache_encode_player_api_target: mp3
+ampache_encode_player_webplayer: mp3
+ampache_encode_target: mp3
+ampache_encode_video_target: webm
+
+# If defined, will be printed on the login page. HTML can be used, eg
+# ampache_motd: '<a href="/sso.php">Use central authentication</a>'
+
+...

roles/ampache/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- include: ../httpd_common/handlers/main.yml
+- include: ../httpd_php/handlers/main.yml
+...

roles/ampache/meta/main.yml

@@ -0,0 +1,6 @@
+---
+allow_duplicates: true
+dependencies:
+  - role: repo_nux_dextop
+  - role: httpd_php
+...

roles/ampache/tasks/main.yml

@@ -0,0 +1,218 @@
+---
+
+- name: Install needed tools
+  yum:
+    name:
+      - unzip
+      - MySQL-python
+      - mariadb
+      - acl
+      - git
+      - composer
+      - patch
+      - ffmpeg
+  tags: ampache
+
+- import_tasks: ../includes/create_system_user.yml
+  vars:
+    - user: "{{ ampache_php_user }}"
+    - comment: "PHP FPM for ampache {{ ampache_id }}"
+  tags: ampache
+
+- import_tasks: ../includes/webapps_set_install_mode.yml
+  vars:
+    - root_dir: "{{ ampache_root_dir }}"
+    - version: "{{ ampache_version }}"
+  tags: ampache
+- set_fact: ampache_install_mode={{ (install_mode == 'upgrade' and not ampache_manage_upgrade) | ternary('none',install_mode) }}
+  tags: ampache
+- set_fact: ampache_current_version={{ current_version | default('') }}
+  tags: ampache
+
+- import_tasks: ../includes/webapps_archive.yml
+  vars:
+    - root_dir: "{{ ampache_root_dir }}"
+    - version: "{{ ampache_current_version }}"
+    - db_name: "{{ ampache_mysql_db }}"
+  when: ampache_install_mode == 'upgrade'
+  tags: ampache
+
+- name: Download Ampache
+  get_url:
+    url: "{{ ampache_zip_url }}"
+    dest: "{{ ampache_root_dir }}/tmp/"
+    checksum: "sha1:{{ ampache_zip_sha1 }}"
+  when: ampache_install_mode != 'none'
+  tags: ampache
+
+- name: Extract ampache archive
+  unarchive:
+    src: "{{ ampache_root_dir }}/tmp/ampache-{{ ampache_version }}.zip"
+    dest: "{{ ampache_root_dir }}/tmp"
+    remote_src: yes
+  when: ampache_install_mode != 'none'
+  tags: ampache
+
+- name: Create directory structure
+  file: path={{ item }} state=directory
+  with_items:
+    - "{{ ampache_root_dir }}"
+    - "{{ ampache_root_dir }}/web"
+    - "{{ ampache_root_dir }}/tmp"
+    - "{{ ampache_root_dir }}/sessions"
+    - "{{ ampache_root_dir }}/meta"
+    - "{{ ampache_root_dir }}/logs"
+    - "{{ ampache_root_dir }}/data"
+    - "{{ ampache_root_dir }}/data/metadata"
+    - "{{ ampache_root_dir }}/data/music"
+    - "{{ ampache_root_dir }}/data/video"
+    - "{{ ampache_root_dir }}/db_dumps"
+  tags: ampache
+
+
+- name: Move files to the correct directory
+  synchronize:
+    src: "{{ ampache_root_dir }}/tmp/ampache-{{ ampache_version }}/"
+    dest: "{{ ampache_root_dir }}/web/"
+    recursive: True
+    delete: True
+  delegate_to: "{{ inventory_hostname }}"
+  when: ampache_install_mode != 'none'
+  tags: ampache
+
+- name: Check if htaccess files needs to be moved
+  stat: path={{ ampache_root_dir }}/web/{{ item }}/.htaccess.dist
+  with_items:
+    - channel
+    - play
+    - rest
+  register: htaccess
+  tags: ampache
+
+- name: Rename htaccess files
+  command: mv -f {{ ampache_root_dir }}/web/{{ item.item }}/.htaccess.dist {{ ampache_root_dir }}/web/{{ item.item }}/.htaccess
+  with_items: "{{ htaccess.results }}"
+  when: item.stat.exists
+  tags: ampache
+
+- name: Install libs using composer
+  composer: command=install working_dir={{ ampache_root_dir }}/web executable={{ (ampache_php_version == '54') | ternary('/bin/php','/bin/php' ~ ampache_php_version ) }}
+  tags: ampache
+
+- name: Remove temp files
+  file: path={{ item }} state=absent
+  with_items:
+    - "{{ ampache_root_dir }}/tmp/ampache-{{ ampache_version }}.zip"
+    - "{{ ampache_root_dir }}/tmp/ampache-{{ ampache_version }}"
+  tags: ampache
+
+- import_tasks: ../includes/get_rand_pass.yml
+  vars:
+    - pass_file: "{{ ampache_root_dir }}/meta/key.txt"
+  tags: ampache
+- set_fact: ampache_key={{ rand_pass }}
+  tags: ampache
+
+- import_tasks: ../includes/get_rand_pass.yml
+  vars:
+    - pass_file: "{{ampache_root_dir }}/meta/ansible_dbpass"
+  when: ampache_mysql_pass is not defined
+  tags: ampache
+- set_fact: ampache_mysql_pass={{ rand_pass }}
+  when: ampache_mysql_pass is not defined
+  tags: ampache
+
+- import_tasks: ../includes/webapps_create_mysql_db.yml
+  vars:
+    - db_name: "{{ ampache_mysql_db }}"
+    - db_user: "{{ ampache_mysql_user }}"
+    - db_server: "{{ ampache_mysql_server }}"
+    - db_pass: "{{ ampache_mysql_pass }}"
+  tags: ampache
+
+- name: Inject SQL structure
+  mysql_db:
+    name: "{{ ampache_mysql_db }}"
+    state: import
+    target: "{{ ampache_root_dir }}/web/sql/ampache.sql"
+    login_host: "{{ ampache_mysql_server }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+  when: ampache_install_mode == 'install'
+  tags: ampache
+
+- name: Upgrade SQL database
+  command: php{{ (ampache_php_version == '54') | ternary('', ampache_php_version) }} {{ ampache_root_dir }}/web/bin/install/update_db.inc
+  become_user: "{{ ampache_php_user }}"
+  when: ampache_install_mode == 'upgrade'
+  tags: ampache
+
+- name: Grant admin privileges
+  command: mysql --host={{ ampache_mysql_server }} --user=sqladmin --password={{ mysql_admin_pass }} {{ ampache_mysql_db }} -e "UPDATE `user` SET `access`='100' WHERE `username`='{{ item }}'"
+  changed_when: False
+  become_user: "{{ ampache_php_user }}"
+  with_items: "{{ ampache_admin_users }}"
+  tags: ampache
+
+- import_tasks: ../includes/webapps_webconf.yml
+  vars:
+    - app_id: ampache_{{ ampache_id }}
+    - php_version: "{{ ampache_php_version }}"
+    - php_fpm_pool: "{{ ampache_php_fpm_pool | default('') }}"
+  tags: ampache
+
+- name: Deploy ampache configuration
+  template: src=ampache.cfg.php.j2 dest={{ ampache_root_dir }}/web/config/ampache.cfg.php group={{ ampache_php_user }} mode=640
+  tags: ampache
+
+- name: Deploy motd
+  template: src=motd.php.j2 dest={{ ampache_root_dir }}/web/config/motd.php
+  when: ampache_motd is defined
+  tags: ampache
+
+- name: Remove motd
+  file: path={{ ampache_root_dir }}/web/config/motd.php state=absent
+  when: ampache_motd is not defined
+  tags: ampache
+
+- name: Deploy cron scripts
+  template: src={{ item }}.j2 dest={{ ampache_root_dir }}/web/bin/{{ item }}
+  with_items:
+    - cron.sh
+  tags: ampache
+
+- name: Enable cronjob
+  cron:
+    name: ampache_{{ ampache_id }}
+    special_time: daily
+    user: "{{ ampache_php_user }}"
+    job: "/bin/sh {{ ampache_root_dir }}/web/bin/cron.sh"
+    cron_file: ampache_{{ ampache_id }}
+  tags: ampache
+
+- name: Deploy sso script
+  template: src=sso.php.j2 dest={{ ampache_root_dir }}/web/sso.php
+  tags: ampache
+
+- name: Deploy backup scripts
+  template: src={{ item.script }}.j2 dest=/etc/backup/{{ item.type }}.d/ampache_{{ ampache_id }}_{{ item.script }} mode=750
+  with_items:
+    - script: dump_db
+      type: pre
+    - script: rm_dump
+      type: post
+  tags: ampache
+
+- import_tasks: ../includes/webapps_compress_archive.yml
+  vars:
+    - root_dir: "{{ ampache_root_dir }}"
+    - version: "{{ ampache_current_version }}"
+  when: ampache_install_mode == 'upgrade'
+  tags: ampache
+
+- import_tasks: ../includes/webapps_post.yml
+  vars:
+    - root_dir: "{{ ampache_root_dir }}"
+    - version: "{{ ampache_version }}"
+  tags: ampache
+...

roles/ampache/templates/ampache.cfg.php.j2

@@ -0,0 +1,134 @@
+config_version = {{ ampache_config_version }}
+{% if ampache_local_web_path is defined %}
+local_web_path = "{{ ampache_local_web_path }}"
+{% endif %}
+database_hostname = {{ ampache_mysql_server }}
+{% if ampache_mysql_port is defined %}
+database_port = "{{ ampache_mysql_port }}"
+{% endif %}
+database_name = "{{ ampache_mysql_db }}"
+database_username = "{{ ampache_mysql_user }}"
+database_password = "{{ ampache_mysql_pass }}"
+secret_key = "{{ ampache_key }}"
+session_length = 3600
+stream_length = 7200
+remember_length = 604800
+session_name = ampache
+session_cookielife = 0
+auth_methods = "{{ ampache_auth_methods | join(',') }}"
+{% if 'ldap' in ampache_auth_methods %}
+ldap_url = "{{ ampache_ldap_url }}"
+ldap_username = "{{ ampache_ldap_username }}"
+ldap_password = "{{ ampache_ldap_password }}"
+ldap_start_tls = "{{ ampache_ldap_starttls | ternary('true','false') }}"
+ldap_search_dn = "{{ ampache_ldap_search_dn }}"
+ldap_objectclass = "{{ ampache_ldap_objectclass }}"
+ldap_filter = "{{ ampache_ldap_filter }}"
+ldap_email_field = "{{ ampache_ldap_email_field }}"
+ldap_name_field  = "{{ ampache_ldap_name_field }}"
+external_auto_update = "true"
+{% endif %}
+{% if ampache_logout_redirect is defined %}
+logout_redirect = "{{ ampache_logout_redirect }}"
+{% endif %}
+access_control  = "true"
+require_session = "true"
+require_localnet_session = "true"
+metadata_order = "{{ ampache_metadata_order }}"
+getid3_tag_order = "id3v2,id3v1,vorbiscomment,quicktime,matroska,ape,asf,avi,mpeg,riff"
+deferred_ext_metadata = "false"
+additional_genre_delimiters = "[/]{2}|[/|\\\\|\|,|;]"
+catalog_file_pattern = "mp3|mpc|m4p|m4a|aac|ogg|oga|wav|aif|aiff|rm|wma|asf|flac|opus|spx|ra|ape|shn|wv"
+catalog_video_pattern = "avi|mpg|mpeg|flv|m4v|mp4|webm|mkv|wmv|ogv|mov|divx|m2ts"
+catalog_playlist_pattern = "m3u|m3u8|pls|asx|xspf"
+catalog_prefix_pattern = "The|An|A|Das|Ein|Eine|Les|Le|La"
+track_user_ip = "true"
+allow_zip_download = "true"
+allow_zip_types = "album"
+use_auth = "true"
+ratings = "false"
+userflags = "true"
+directplay = "true"
+sociable = "false"
+licensing = "false"
+memory_cache = "true"
+album_art_store_disk = "true"
+local_metadata_dir = "{{ ampache_root_dir }}/data/metadata"
+max_upload_size = 1048576
+resize_images = "false"
+art_order = "db,tags,folder,musicbrainz,lastfm,google"
+lastfm_api_key = "{{ ampache_lastfm_api_key }}"
+lastfm_api_secret = "{{ ampache_lastfm_api_secret }}"
+channel = "false"
+live_stream = "false"
+refresh_limit = "60"
+show_footer_statistics = "false"
+debug = "true"
+debug_level = 5
+log_path = "{{ ampache_root_dir }}/logs/"
+log_filename = "%name.%Y%m%d.log"
+site_charset = "UTF-8"
+{% if 'ldap' in ampache_auth_methods or 'http' in ampache_auth_methods %}
+auto_create = "true"
+auto_user = "user"
+{% endif %}
+allow_public_registration = "false"
+generate_video_preview = "true"
+max_bit_rate = {{ ampache_max_bit_rate }}
+min_bit_rate = {{ ampache_min_bit_rate }}
+transcode_m4a = {{ ampache_transcode_m4a }}
+transcode_flac = {{ ampache_transcode_flac }}
+transcode_mpc = {{ ampache_transcode_mpc }}
+transcode_ogg = {{ ampache_transcode_ogg }}
+transcode_oga = {{ ampache_transcode_oga }}
+transcode_wav = {{ ampache_transcode_wav }}
+transcode_wma = {{ ampache_transcode_wma }}
+transcode_aif = {{ ampache_transcode_aif }}
+transcode_aiff = {{ ampache_transcode_aiff }}
+transcode_ape = {{ ampache_transcode_ape }}
+transcode_shn = {{ ampache_transcode_shn }}
+transcode_mp3 = {{ ampache_transcode_mp3 }}
+transcode_avi = {{ ampache_transcode_avi }}
+transcode_mkv = {{ ampache_transcode_mkv }}
+transcode_mpg = {{ ampache_transcode_mpg }}
+transcode_mpeg = {{ ampache_transcode_mpeg }}
+transcode_m4v = {{ ampache_transcode_m4v }}
+transcode_mp4 = {{ ampache_transcode_mp4 }}
+transcode_mov = {{ ampache_transcode_mov }}
+transcode_wmv = {{ ampache_transcode_wmv }}
+transcode_ogv = {{ ampache_transcode_ogv }}
+transcode_divx = {{ ampache_transcode_divx }}
+transcode_m2ts = {{ ampache_transcode_m2ts }}
+transcode_webm = {{ ampache_transcode_webm }}
+encode_target = {{ ampache_encode_target }}
+encode_player_webplayer_target = {{ ampache_encode_player_webplayer }}
+transcode_player_api_mp3 = {{ ampache_transcode_player_api_mp3 }}
+encode_video_target = {{ ampache_encode_video_target }}
+transcode_player_customize = "true"
+transcode_cmd = "/bin/ffmpeg"
+transcode_input = "-i %FILE%"
+encode_args_mp3 = "-vn -b:a %BITRATE%K -c:a libmp3lame -f mp3 pipe:1"
+encode_args_ogg = "-vn -b:a %BITRATE%K -c:a libvorbis -f ogg pipe:1"
+encode_args_m4a = "-vn -b:a %BITRATE%K -c:a libfdk_aac -f adts pipe:1"
+encode_args_wav = "-vn -b:a %BITRATE%K -c:a pcm_s16le -f wav pipe:1"
+encode_args_opus = "-vn -b:a %BITRATE%K -c:a libopus -compression_level 10 -vsync 2 -f ogg pipe:1"
+encode_args_flv = "-b:a %BITRATE%K -ar 44100 -ac 2 -v 0 -f flv -c:v libx264 -preset superfast -threads 0 pipe:1"
+encode_args_webm = "-q %QUALITY% -f webm -c:v libvpx -maxrate %MAXBITRATE%k -preset superfast -threads 0 pipe:1"
+encode_args_ts = "-q %QUALITY% -s %RESOLUTION% -f mpegts -c:v libx264 -c:a libmp3lame -maxrate %MAXBITRATE%k -preset superfast -threads 0 pipe:1"
+encode_get_image = "-ss %TIME% -f image2 -vframes 1 pipe:1"
+encode_srt = "-vf \"subtitles='%SRTFILE%'\""
+encode_ss_frame = "-ss %TIME%"
+encode_ss_duration = "-t %DURATION%"
+mail_type = "sendmail"
+mail_domain = "{{ ansible_domain }}"
+common_abbr = "divx,xvid,dvdrip,hdtv,lol,axxo,repack,xor,pdtv,real,vtv,caph,2hd,proper,fqm,uncut,topaz,tvt,notv,fpn,fov,orenji,0tv,omicron,dsr,ws,sys,crimson,wat,hiqt,internal,brrip,boheme,vost,vostfr,fastsub,addiction,x264,LOL,720p,1080p,YIFY,evolve,fihtv,first,bokutox,bluray,tvboom,info"
+force_ssl = "true"
+mail_enable = "true"
+mail_type = "sendmail"
+mail_domain = "{{ ansible_domain }}"
+{% if system_proxy is defined and system_proxy != '' %}
+proxy_host = "{{ system_proxy | urlsplit('hostname') }}"
+proxy_port = "{{ system_proxy | urlsplit('port') }}"
+proxy_user = "{{ system_proxy | urlsplit('username') }}"
+proxy_pass = "{{ system_proxy | urlsplit('password') }}"
+{% endif %}

roles/ampache/templates/cron.sh.j2

@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Rotate logs
+find {{ ampache_root_dir }}/logs -type f -mtime +7 -exec rm -f "{}" \;
+find {{ ampache_root_dir }}/logs -type f -mtime +1 -exec xz -T0 "{}" \;
+
+# Do we have a previous filelist to compare against ?
+PREV_HASH=$(cat {{ ampache_root_dir }}/tmp/data_hash.txt || echo 'none')
+
+# Now, compute a hash of the filelist
+NEW_HASH=$(find {{ ampache_root_dir }}/data/{music,video} | sha1sum | cut -d' ' -f1)
+
+# Write new hash so we can compare next time
+echo -n $NEW_HASH > {{ ampache_root_dir }}/tmp/data_hash.txt
+
+# If file list has changed since last time, then update the catalog
+if [ "$PREV_HASH" != "$NEW_HASH" ]; then
+  # Clean (remove files which doesn't exists anymore)
+  /bin/php{{ (ampache_php_version == '54') | ternary('',ampache_php_version) }} {{ ampache_root_dir }}/web/bin/catalog_update.inc -c > /dev/null 2>&1
+  # Add (files added)
+  /bin/php{{ (ampache_php_version == '54') | ternary('',ampache_php_version) }} {{ ampache_root_dir }}/web/bin/catalog_update.inc -a > /dev/null 2>&1
+  # Update graphics
+  /bin/php{{ (ampache_php_version == '54') | ternary('',ampache_php_version) }} {{ ampache_root_dir }}/web/bin/catalog_update.inc -g > /dev/null 2>&1
+fi
+
+# Now check if files have changed recently. We can have the same file list, but metadata updates
+NEW_FILES=$(find {{ ampache_root_dir }}/data/{music,video} -type f -mtime -1 | wc -l)
+if [ "$NEW_FILES" -gt "0" ]; then
+  # Verify (update metadata)
+  /bin/php{{ (ampache_php_version == '54') | ternary('',ampache_php_version) }} {{ ampache_root_dir }}/web/bin/catalog_update.inc -v > /dev/null 2>&1
+fi

roles/ampache/templates/dump_db.j2

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+/usr/bin/mysqldump --user={{ ampache_mysql_user }} \
+                   --password={{ ampache_mysql_pass }} \
+                   --host={{ ampache_mysql_server }} \
+                   --quick --single-transaction \
+                   --add-drop-table {{ ampache_mysql_db }} | lz4 -c > {{ ampache_root_dir }}/db_dumps/{{ ampache_mysql_db }}.sql.lz4

roles/ampache/templates/httpd.conf.j2

@@ -0,0 +1,27 @@
+{% if ampache_alias is defined %}
+Alias /{{ ampache_alias }} {{ ampache_root_dir }}/web
+{% else %}
+# No alias defined, create a vhost to access it
+{% endif %}
+
+RewriteEngine On
+<Directory {{ ampache_root_dir }}/web>
+  AllowOverride All
+  Options FollowSymLinks
+{% if ampache_allowed_ip is defined %}
+  Require ip {{ ampache_src_ip | join(' ') }}
+{% else %}
+  Require all granted
+{% endif %}
+  <FilesMatch \.php$>
+    SetHandler "proxy:unix:/run/php-fpm/{{ ampache_php_fpm_pool  | default('ampache_' + ampache_id | string) }}.sock|fcgi://localhost"
+  </FilesMatch>
+  <FilesMatch "(.maintenance.*|.ansible.*|.t?git.*|.php_cs|.travis.*)">
+    Require all denied
+  </FilesMatch>
+</Directory>
+
+<Directory {{ ampache_root_dir }}/web/config>
+  Require all denied
+</Directory>
+

roles/ampache/templates/motd.php.j2

@@ -0,0 +1,3 @@
+<?php
+
+echo '<a href="/sso.php">{{ ampache_motd }}</a>';

roles/ampache/templates/perms.sh.j2

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+restorecon -R {{ ampache_root_dir }}
+chown root:root {{ ampache_root_dir }}
+chmod 700 {{ ampache_root_dir }}
+setfacl -k -b {{ ampache_root_dir }}
+setfacl -m u:{{ ampache_php_user | default('apache') }}:rx,u:{{ httpd_user | default('apache') }}:rx {{ ampache_root_dir }}
+chown -R root:root {{ ampache_root_dir }}/web
+chown apache-ampache {{ ampache_root_dir }}/data
+chown -R {{ ampache_php_user }} {{ ampache_root_dir }}/{tmp,sessions,logs,data/metadata}
+chmod 700 {{ ampache_root_dir }}/{tmp,sessions,logs,data}
+find {{ ampache_root_dir }}/web -type f -exec chmod 644 "{}" \;
+find {{ ampache_root_dir }}/web -type d -exec chmod 755 "{}" \;
+chown :{{ ampache_php_user }} {{ ampache_root_dir }}/web/config/ampache.cfg.php
+chmod 640 {{ ampache_root_dir }}/web/config/ampache.cfg.php

roles/ampache/templates/php.conf.j2

@@ -0,0 +1,37 @@
+; {{ ansible_managed }}
+
+[ampache_{{ ampache_id }}]
+
+listen.owner = root
+listen.group = {{ httpd_user | default('apache') }}
+listen.mode = 0660
+listen = /run/php-fpm/ampache_{{ ampache_id }}.sock
+user = {{ ampache_php_user }}
+group = {{ ampache_php_user }}
+catch_workers_output = yes
+
+pm = dynamic
+pm.max_children = 15
+pm.start_servers = 3
+pm.min_spare_servers = 3
+pm.max_spare_servers = 6
+pm.max_requests = 5000
+request_terminate_timeout = 60m
+
+php_flag[display_errors] = off
+php_admin_flag[log_errors] = on
+php_admin_value[error_log] = syslog
+php_admin_value[memory_limit] = 512M
+php_admin_value[session.save_path] = {{ ampache_root_dir }}/sessions
+php_admin_value[upload_tmp_dir] = {{ ampache_root_dir }}/tmp
+php_admin_value[sys_temp_dir] = {{ ampache_root_dir }}/tmp
+php_admin_value[post_max_size] = 5M
+php_admin_value[upload_max_filesize] = 5M
+php_admin_value[disable_functions] = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
+php_admin_value[open_basedir] = {{ ampache_root_dir }}
+php_admin_value[max_execution_time] = 1800
+php_admin_value[max_input_time] = 60
+php_admin_flag[allow_url_include] = off
+php_admin_flag[allow_url_fopen] = on
+php_admin_flag[file_uploads] = on
+php_admin_flag[session.cookie_httponly] = on

roles/ampache/templates/rm_dump.j2

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+rm -f {{ ampache_root_dir }}/db_dump/*

roles/ampache/templates/sso.php.j2

@@ -0,0 +1,6 @@
+<?php
+
+# Just a dummy redirection so we can protect /sso.php with Lemonldap::NG
+header('Location: /');
+
+?>

roles/backup/defaults/main.yml

@@ -0,0 +1,36 @@
+---
+
+# The shell of the lbkp account
+backup_shell: '/bin/bash'
+
+# List of commands lbkp will be allowed to run as root, with sudo
+backup_sudo_base_commands:
+  - /usr/bin/rsync
+  - /usr/local/bin/pre-backup
+  - /usr/local/bin/post-backup
+  - /bin/tar
+  - /bin/gtar
+backup_sudo_extra_commands: []
+backup_sudo_commands: "{{ backup_sudo_base_commands + backup_sudo_extra_commands }}"
+
+# List of ssh public keys to deploy
+backup_ssh_keys: []
+
+# Options to set for the ssh keys, to restrict what they can do
+backup_ssh_keys_options:
+  - no-X11-forwarding
+  - no-agent-forwarding
+  - no-pty
+
+# List of IP address allowed to use the ssh keys
+# Empty list means no restriction
+backup_src_ip: []
+
+# Custom pre / post script
+backup_pre_script: |
+  #!/bin/bash -e
+  # Nothing to do
+backup_post_script: |
+  #!/bin/bash -e
+  # Nothing to do
+...

roles/backup/files/dump-megaraid-cfg

@@ -0,0 +1,53 @@
+#!/usr/bin/perl -w
+
+# This script will backup the config of MegaRAID based
+# RAID controllers. The saved config can be restored with
+# MegaCli -CfgRestore -f /home/lbkp/mega_0.bin for example
+# It also create a backup of the config as text, so you can
+# manually check how things were configured at a certain point in time
+
+# If MegaCli is not installed, then the script does nothing
+
+use strict;
+
+my $megacli = undef;
+
+if (-x '/opt/MegaRAID/MegaCli/MegaCli64'){
+  $megacli = '/opt/MegaRAID/MegaCli/MegaCli64';
+} elsif (-x '/opt/MegaRAID/MegaCli/MegaCli'){
+  $megacli = '/opt/MegaRAID/MegaCli/MegaCli';
+}
+
+exit (0) unless($megacli);
+
+my $adapters = 0;
+foreach (qx($megacli -adpCount -NoLog)) {
+  if ( m/Controller Count:\s*(\d+)/ ) {
+    $adapters = $1;
+    last;
+  }
+}
+
+foreach my $adp (0..$adapters-1){
+  my $hba = 0;
+  my $failgrouplist = 0;
+  foreach my $line (qx($megacli -CfgDsply -a$adp -NoLog)) {
+    if ( $line =~ m/Failed to get Disk Group list/ ) {
+      $failgrouplist = 1;
+    } elsif ( $line =~ m/Product Name:.*(JBOD|HBA)/ ) {
+      $hba = 1;
+    }
+  }
+  # Skip adapter if in HBA mode
+  next if ($hba && $failgrouplist);
+
+  # Save the config in binary format
+  qx($megacli -CfgSave -f /home/lbkp/megaraid/cfg_$adp.bin -a$adp -NoLog);
+  die "Failed to backup conf for adapter $adp\n" unless ($? == 0);
+
+  # Now also save in text representation
+  open TXT, ">/home/lbkp/megaraid/cfg_$adp.txt";
+  print TXT foreach qx($megacli -CfgDsply -a$adp -NoLog);
+  die "Failed to backup Cfg text description for adapter $adp\n" unless ($? == 0);
+  close TXT;
+}

roles/backup/files/dump-rpms-list

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/bin/rpm -qa --qf "%{NAME}\t%{VERSION}\t%{RELEASE}\n" | grep -v gpg-pubkey | sort > /home/lbkp/rpms.list

roles/backup/files/post-backup

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+if [ -d "/etc/backup/post.d" ]; then
+  for H in $(find /etc/backup/post.d -type f -o -type l | sort); do
+    [ -x $H ] && $H "$@"
+  done
+fi
+# Remove the lock
+rm -f /var/lock/bkp.lock

roles/backup/files/pre-backup

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -e
+
+# 2 locks are needed. The first one ensure we don't run
+# The pre-backup script twice. It's an atomic lock.
+# Then we need a second lock which will last until the post-backup ran
+# This one doesn't need to be atomic (as we already checked this)
+PRELOCKFILE="/var/lock/pre-bkp.lock"
+exec 200>$PRELOCKFILE
+flock -n 200 || ( echo "Couldn't aquire pre-backup lock" && exit 1 )
+PID=$$
+echo $PID 1>&200
+
+if [ -e /var/lock/bkp.lock ]; then
+  # Consider the lock to be stale if it's older than 8 hours
+  if [ "$(( $(date +"%s") - $(stat -c "%Y" /var/lock/bkp.lock) ))" -gt "28800" ]; then
+    rm /var/lock/bkp.lock
+  else
+    echo "Another backup is running"
+    exit 1
+  fi
+fi
+touch /var/lock/bkp.lock
+if [ -d "/etc/backup/pre.d" ]; then
+  for H in $(find /etc/backup/pre.d -type f -o -type l | sort); do
+    [ -x $H ] && $H "$@"
+  done
+fi

roles/backup/files/rm-megaraid-cfg

@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+rm -f /home/lbkp/megaraid/*

roles/backup/tasks/main.yml

@@ -0,0 +1,84 @@
+---
+
+- name: Install backup tools
+  yum: name=rsync
+  when: ansible_os_family == 'RedHat'
+
+- name: Install backup tools
+  apt: name=rsync
+  when: ansible_os_family == 'Debian'
+
+- name: Create a local backup user account
+  user: name=lbkp comment="Local backup account" system=yes shell={{ backup_shell }}
+  tags: backup
+
+- name: Deploy sudo configuration
+  template: src=sudo.j2 dest=/etc/sudoers.d/backup mode=400
+  tags: backup
+
+- name: Deploy SSH keys for the backup account
+  authorized_key:
+    user: lbkp
+    key: "{{ backup_ssh_keys | join(\"\n\") }}"
+    key_options: "{{ backup_ssh_keys_options | join(',') }}"
+    exclusive: yes
+  when: backup_src_ip is not defined or backup_src_ip | length < 1
+  tags: backup
+
+- name: Deploy SSH keys for the backup account (with source IP restriction)
+  authorized_key:
+    user: lbkp
+    key: "{{ backup_ssh_keys | join(\"\n\") }}"
+    key_options: "from=\"{{ backup_src_ip | join(',') }}\",{{ backup_ssh_keys_options | join(',') }}"
+    exclusive: yes
+  when:
+    - backup_src_ip is defined
+    - backup_src_ip | length > 0
+  tags: backup
+
+- name: Create pre and post backup hook dir
+  file: path={{ item }} state=directory mode=750
+  with_items:
+    - /etc/backup/pre.d
+    - /etc/backup/post.d
+  tags: backup
+
+- name: Deploy default pre/post backup hooks
+  copy:
+    content: "{{ item.content }}"
+    dest: /etc/backup/{{ item.type }}.d/default
+    mode: 755
+  loop:
+    - type: pre
+      content: "{{ backup_pre_script }}"
+    - type: post
+      content: "{{ backup_post_script }}"
+  tags: backup
+
+- name: Copy pre-backup script
+  copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=750 group=lbkp
+  with_items:
+    - pre-backup
+    - post-backup
+  tags: backup
+
+- name: Deploy rpm dump list script
+  copy: src=dump-rpms-list dest=/etc/backup/pre.d/dump-rpms-list mode=755
+  when: ansible_os_family == 'RedHat'
+  tags: backup
+
+- name: Create megaraid dump dir
+  file: path=/home/lbkp/megaraid state=directory
+  tags: backup
+
+- name: Deploy MegaCli backup scripts
+  copy: src={{ item.script }} dest=/etc/backup/{{ item.type }}.d/{{ item.script }} mode=750
+  with_items:
+    - script: dump-megaraid-cfg
+      type: pre
+    - script: rm-megaraid-cfg
+      type: post
+  when: lsi_controllers | default([]) | length > 0
+  tags: backup
+
+...

roles/backup/templates/sudo.j2

@@ -0,0 +1,2 @@
+Defaults:lbkp !requiretty
+lbkp ALL=(root) NOPASSWD: {{ backup_sudo_commands | join(',') }}

roles/backuppc/defaults/main.yml

@@ -0,0 +1,19 @@
+---
+
+# You can choose either 3 or 4
+bpc_major_version: 3
+
+# Auth to access BackupPC. Can be basic, lemonldap, lemonldap2 or none
+bpc_auth: basic
+
+# List of IP address allowed
+bpc_src_ip: []
+
+# Should backuppc be started on boot ?
+# You might want to turn this off if for example you must unlock
+# the device on which you have your backup, and manually start backuppc after that
+bpc_enabled: True
+
+# Should /BackupPC aliases be added on the main vhost ?
+# You might want to, but you can also disable this and grant access only through a dedicated vhost
+bpc_alias_on_main_vhost: True

roles/backuppc/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+
+- include: ../httpd_common/handlers/main.yml
+
+...

roles/backuppc/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: httpd_front }

roles/backuppc/tasks/main.yml

@@ -0,0 +1,48 @@
+---
+
+- name: Install BackupPC 4
+  yum:
+    name:
+      - BackupPC4
+      - fuse-backuppcfs4
+  when: bpc_major_version == 4
+  tags: bpc
+
+- name: Install BackupPC 3
+  yum:
+    name:
+      - BackupPC
+      - fuse-backuppcfs
+  when: bpc_major_version != 4
+  tags: bpc
+
+- name: Install tools
+  yum:
+    name:
+      - rsync
+      - tar
+      - samba-client
+      - openssh-clients
+      - BackupPC-server-scripts
+      - fuse-chunkfs
+  tags: bpc
+
+- name: Deploy httpd conf
+  template: src=httpd.conf.j2 dest=/etc/httpd/ansible_conf.d/40-BackupPC.conf
+  notify: reload httpd
+  tags: bpc
+
+- name: Deploy sudo config
+  template: src=sudoers.j2 dest=/etc/sudoers.d/backuppc mode=0400
+  tags: bpc
+
+- name: Create SSH Key
+  user:
+    name: backuppc
+    generate_ssh_key: yes
+    ssh_key_bits: 4096
+  tags: bpc
+
+- name: Start and enable the service
+  service: name=backuppc state=started enabled={{ bpc_enabled }}
+  tags: bpc

roles/backuppc/templates/httpd.conf.j2

@@ -0,0 +1,25 @@
+<Directory /usr/share/BackupPC/>
+  SSLRequireSSL on
+{% if bpc_auth == "lemonldap" %}
+  PerlHeaderParserHandler Lemonldap::NG::Handler
+{% elif bpc_auth == "lemonldap2" %}
+  PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2
+{% elif bpc_auth == "basic" %}
+  AuthType Basic
+  AuthUserFile /etc/BackupPC/apache.users
+  AuthName "BackupPC"
+  Require valid-user
+{% endif %}
+
+{% if bpc_src_ip | length < 1 %}
+  Require all denied
+{% else %}
+  Require ip {{ bpc_src_ip | join(' ') }}
+{% endif %}
+</Directory>
+
+{% if bpc_auth != False and bpc_auth != 'none' and bpc_alias_on_main_vhost == True %}
+Alias           /BackupPC/images        /usr/share/BackupPC/html/
+ScriptAlias     /BackupPC               /usr/share/BackupPC/sbin/BackupPC_Admin
+ScriptAlias     /backuppc               /usr/share/BackupPC/sbin/BackupPC_Admin
+{% endif %}

roles/backuppc/templates/sudoers.j2

@@ -0,0 +1,3 @@
+Defaults:backuppc !requiretty
+Cmnd_Alias BACKUPPC = /usr/bin/rsync, /bin/tar, /bin/gtar, /usr/local/bin/pre-backup, /usr/local/bin/post-backup, /usr/bin/virt-backup
+backuppc ALL=(root) NOPASSWD: BACKUPPC

roles/bitwarden_rs/defaults/main.yml

@@ -0,0 +1,45 @@
+---
+
+bitwarden_version: 1.14.2
+bitwarden_archive_url: https://github.com/dani-garcia/bitwarden_rs/archive/{{ bitwarden_version }}.tar.gz
+bitwarden_archive_sha1: 1bb75b6ab11371ab60380ef19151ebd9410de4ef
+
+bitwarden_web_version: 2.13.2b
+bitwarden_web_archive_url: https://github.com/dani-garcia/bw_web_builds/releases/download/v{{ bitwarden_web_version }}/bw_web_v{{ bitwarden_web_version }}.tar.gz
+bitwarden_web_archive_sha1: df6f280731b852b31c3d938bfa1733140be9abb5
+
+bitwarden_root_dir: /opt/bitwarden_rs
+bitwarden_user: bitwarden_rs
+
+# Database : can be sqlite or mysql
+bitwarden_db_engine: sqlite
+bitwarden_db_server: "{{ mysql_server | default('localhost') }}"
+bitwarden_db_port: 3306
+bitwarden_db_name: bitwardenrs
+bitwarden_db_user: bitwardenrs
+# A random one will be created if not defined
+# bitwaren_db_pass: S3cr3t.
+
+# Port on which bitwarden will bind
+bitwarden_http_port: 8000
+bitwarden_ws_port: 8001
+# List of IP addresses (can be CIDR notation) which will be able to
+# access bitwarden ports
+bitwarden_src_ip: []
+bitwarden_web_src_ip: []
+
+# Public URL on which bitwarden will be accessible
+bitwarden_public_url: http://{{ inventory_hostname }}:{{ bitwarden_http_port }}
+
+# Should registration be enabled
+bitwarden_registration: False
+# List of domain names for which registration will be accepted
+# Thos domains will be accepted for registration even if bitwarden_registration is set to False
+bitwarden_domains_whitelist:
+  - "{{ ansible_domain }}"
+
+# Admin Token to access /admin. A random one is created if not defined
+# bitwarden_admin_token: S3cr3t.
+
+# Or you can just disable the admin token. But you have to protect /admin yourself (eg, on a reverse proxy)
+bitwarden_disable_admin_token: False

roles/bitwarden_rs/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+
+- name: restart bitwarden_rs
+  service: name=bitwarden_rs state=restarted
+  when: not bitwarden_started.changed

roles/bitwarden_rs/meta/main.yml

@@ -0,0 +1,7 @@
+---
+
+dependencies:
+  - role: rust
+  - role: nginx
+  - role: mysql_server
+    when: bitwarden_db_engine == 'mysql' and (bitwarden_db_server == 'localhost' or bitwarden_db_server == '127.0.0.1')

roles/bitwarden_rs/tasks/archive_post.yml

@@ -0,0 +1,12 @@
+---
+
+- name: Compress previous version
+  command: tar cJf {{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }}.txz ./
+  args:
+    warn: False
+    chdir: "{{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }}"
+  tags: bitwarden
+
+- name: Remove archive dir
+  file: path={{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }} state=absent
+  tags: bitwarden

roles/bitwarden_rs/tasks/archive_pre.yml

@@ -0,0 +1,23 @@
+---
+
+- name: Create archive dir
+  file: path={{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }} state=directory
+  tags: bitwarden
+
+- name: Stop bitwarden during upgrade
+  service: name=bitwarden_rs state=stopped
+  tags: bitwarden
+
+- name: Archive current version
+  synchronize:
+    src: "{{ bitwarden_root_dir }}/{{ item }}"
+    dest: "{{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }}/"
+    recursive: True
+    delete: True
+  delegate_to: "{{ inventory_hostname }}"
+  loop:
+    - bitwarden_rs
+    - data
+    - etc
+    - web-vault
+  tags: bitwarden

roles/bitwarden_rs/tasks/cleanup.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Remove temp files
+  files: path={{ item }} state=absent
+  loop:
+    - "{{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}"
+    - "{{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}.tar.gz"
+  tags: bitwarden

roles/bitwarden_rs/tasks/conf.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Deploy configuration
+  template: src=bitwarden_rs.conf.j2 dest={{ bitwarden_root_dir }}/etc/bitwarden_rs.conf group={{ bitwarden_user }} mode=640
+  notify: restart bitwarden_rs
+  tags: bitwarden
+
+- name: Deploy nginx configuration
+  template: src=nginx.conf.j2 dest=/etc/nginx/ansible_conf.d/31-bitwarden.conf
+  notify: reload nginx
+  tags: bitwarden

roles/bitwarden_rs/tasks/directories.yml

@@ -0,0 +1,24 @@
+---
+
+- name: Create directories
+  file: path={{ bitwarden_root_dir }}/{{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  loop:
+    - dir: /
+      mode: 755
+    - dir: etc
+      group: "{{ bitwarden_user }}"
+      mode: 750
+    - dir: tmp
+      mode: 700
+    - dir: meta
+      mode: 700
+    - dir: archives
+      mode: 700
+    - dir: data
+      owner: "{{ bitwarden_user }}"
+      group: "{{ bitwarden_user }}"
+      mode: 700
+    - dir: web-vault
+    - dir: backup
+      mode: 700
+  tags: bitwarden

roles/bitwarden_rs/tasks/facts.yml

@@ -0,0 +1,67 @@
+---
+
+- name: Set initial install modes
+  block:
+    - set_fact: bitwarden_install_mode='none'
+    - set_fact: bitwarden_current_version=''
+    - set_fact: bitwarden_web_install_mode='none'
+    - set_fact: bitwarden_web_current_version=''
+  tags: bitwarden
+
+- name: Check if server is installed
+  stat: path={{ bitwarden_root_dir }}/meta/ansible_version
+  register: bitwarden_version_file
+  tags: bitwarden
+
+- when: bitwarden_version_file.stat.exists
+  block:
+    - name: Check installed version
+      slurp: src={{ bitwarden_root_dir }}/meta/ansible_version
+      register: bitwarden_current_version
+    - set_fact: bitwarden_current_version={{ bitwarden_current_version.content | b64decode | trim }}
+    - set_fact: bitwarden_install_mode='upgrade'
+      when: bitwarden_current_version != bitwarden_version
+  tags: bitwarden
+
+- when: not bitwarden_version_file.stat.exists
+  block:
+    - set_fact: bitwarden_install_mode='install'
+  tags: bitwarden
+
+- name: Check if web vault is installed
+  stat: path={{ bitwarden_root_dir }}/meta/ansible_web_version
+  register: bitwarden_web_version_file
+  tags: bitwarden
+
+- when: bitwarden_web_version_file.stat.exists
+  block:
+    - name: Check installed version
+      slurp: src={{ bitwarden_root_dir }}/meta/ansible_web_version
+      register: bitwarden_web_current_version
+    - set_fact: bitwarden_web_current_version={{ bitwarden_web_current_version.content | b64decode | trim }}
+    - set_fact: bitwarden_web_install_mode='upgrade'
+      when: bitwarden_web_current_version != bitwarden_web_version
+  tags: bitwarden
+
+- when: not bitwarden_web_version_file.stat.exists
+  block:
+    - set_fact: bitwarden_web_install_mode='install'
+  tags: bitwarden
+
+- when: bitwarden_admin_token is not defined
+  name: Generate a random admin token
+  block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ bitwarden_root_dir }}/meta/ansible_admin_token"
+    - set_fact: bitwarden_admin_token={{ rand_pass }}
+  tags: bitwarden
+
+- when: bitwarden_db_pass is not defined
+  tags: bitwarden
+  block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ bitwarden_root_dir }}/meta/ansible_dbpass"
+    - set_fact: bitwarden_db_pass={{ rand_pass }}
+

roles/bitwarden_rs/tasks/install.yml

@@ -0,0 +1,97 @@
+---
+
+- name: Install needed packages
+  yum:
+    name:
+      - openssl-devel
+      - gcc
+      - sqlite
+  tags: bitwarden
+
+- name: Check if MariaDB version is set
+  fail: msg="Need to define mysql_mariadb_version"
+  when:
+    - bitwarden_db_engine == 'mysql'
+    - mysql_mariadb_version is not defined or mysql_mariadb_version == 'default'
+  tags: bitwarden
+
+- name: Install MariaDB devel package
+  yum:
+    name:
+      - MariaDB-devel
+      - /usr/lib64/libmariadb.so
+  when: bitwarden_db_engine == 'mysql'
+  tags: bitwarden
+
+- when: bitwarden_install_mode != 'none'
+  tags: bitwarden
+  block:
+    - name: Download bitwarden
+      get_url:
+        url: "{{ bitwarden_archive_url }}"
+        dest: "{{ bitwarden_root_dir }}/tmp"
+        checksum: sha1:{{ bitwarden_archive_sha1 }}
+
+    - name: Extract bitwarden archive
+      unarchive:
+        src: "{{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}.tar.gz"
+        dest: "{{ bitwarden_root_dir }}/tmp"
+        remote_src: True
+  
+    - name: Build bitwarden
+      command: bash -lc 'cargo build --features={{ (bitwarden_db_engine == "mysql") | ternary("mysql","sqlite") }} --release'
+      args:
+        chdir: "{{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}"
+
+    - name: Install binary
+      copy: src={{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}/target/release/bitwarden_rs dest="{{ bitwarden_root_dir }}/" mode=755 remote_src=True
+      notify: restart bitwarden_rs
+
+- when: bitwarden_web_install_mode != 'none'
+  tags: bitwarden
+  block:
+    - name: Download bitwarden web vault
+      get_url:
+       url: "{{ bitwarden_web_archive_url }}"
+       dest: "{{ bitwarden_root_dir }}/tmp"
+       checksum: sha1:{{ bitwarden_web_archive_sha1 }}
+
+    - name: Extract the archive
+      unarchive:
+        src: "{{ bitwarden_root_dir }}/tmp/bw_web_v{{ bitwarden_web_version }}.tar.gz"
+        dest: "{{ bitwarden_root_dir }}/tmp"
+        remote_src: True
+
+    - name: Move files to their final location
+      synchronize:
+        src: "{{ bitwarden_root_dir }}/tmp/web-vault/"
+        dest: "{{ bitwarden_root_dir }}/web-vault/"
+        recursive: True
+        delete: True
+      delegate_to: "{{ inventory_hostname }}"
+
+- name: Install systemd unit
+  template: src=bitwarden_rs.service.j2 dest=/etc/systemd/system/bitwarden_rs.service
+  register: bitwarden_unit
+  tags: bitwarden
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: bitwarden_unit.changed
+  tags: bitwarden
+
+- name: Install pre/post backup hooks
+  template: src={{ item }}-backup.sh.j2 dest=/etc/backup/{{ item }}.d/bitwarden_rs.sh mode=755
+  loop:
+    - pre
+    - post
+  tags: bitwarden
+
+- import_tasks: ../includes/webapps_create_mysql_db.yml
+  vars:
+    - db_name: "{{ bitwarden_db_name }}"
+    - db_user: "{{ bitwarden_db_user }}"
+    - db_server: "{{ bitwarden_db_server }}"
+    - db_pass: "{{ bitwarden_db_pass }}"
+  when: bitwarden_db_engine == 'mysql'
+  tags: bitwarden

roles/bitwarden_rs/tasks/iptables.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Handle bitwarden_rs ports in the firewall
+  iptables_raw:
+    name: bitwarden_rs
+    state: "{{ (bitwarden_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -m multiport -p tcp --dports {{ bitwarden_http_port }},{{ bitwarden_ws_port }} -s {{ bitwarden_src_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: firewall,bitwarden

roles/bitwarden_rs/tasks/main.yml

@@ -0,0 +1,14 @@
+---
+
+- include: user.yml
+- include: directories.yml
+- include: facts.yml
+- include: archive_pre.yml
+  when: bitwarden_install_mode == 'upgrade' or bitwarden_web_install_mode == 'upgrade'
+- include: install.yml
+- include: conf.yml
+- include: iptables.yml
+- include: service.yml
+- include: write_version.yml
+- include: archive_post.yml
+  when: bitwarden_install_mode == 'upgrade' or bitwarden_web_install_mode == 'upgrade'

roles/bitwarden_rs/tasks/service.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Start and enable the service
+  service: name=bitwarden_rs state=started enabled=True
+  register: bitwarden_started
+  tags: bitwarden

roles/bitwarden_rs/tasks/user.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Create bitwarden_rs user
+  user: name={{ bitwarden_user }} home={{ bitwarden_root_dir }} system=True
+  tags: bitwarden

roles/bitwarden_rs/tasks/write_version.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Write versions
+  copy: content={{ item.version }} dest={{ bitwarden_root_dir }}/meta/{{ item.file }}
+  loop:
+    - version: "{{ bitwarden_version }}"
+      file: ansible_version
+    - version: "{{ bitwarden_web_version }}"
+      file: ansible_web_version
+  tags: bitwarden

roles/bitwarden_rs/templates/bitwarden_rs.conf.j2

@@ -0,0 +1,25 @@
+IP_HEADER=X-Forwarded-For
+SIGNUPS_VERIFY=true
+SIGNUPS_ALLOWED={{ bitwarden_registration | ternary('true','false') }}
+{% if bitwarden_domains_whitelist | length > 0 %}
+SIGNUPS_DOMAINS_WHITELIST={{ bitwarden_domains_whitelist | join(',') }}
+{% endif %}
+ADMIN_TOKEN={{ bitwarden_admin_token }}
+DISABLE_ADMIN_TOKEN={{ bitwarden_disable_admin_token | ternary('true','false') }}
+DOMAIN={{ bitwarden_public_url }}
+ROCKET_ENV=prod
+ROCKET_ADDRESS=0.0.0.0
+ROCKET_PORT={{ bitwarden_http_port }}
+WEBSOCKET_ENABLED=true
+WEBSOCKET_PORT={{ bitwarden_ws_port }}
+SMTP_HOST=localhost
+SMTP_PORT=25
+SMTP_SSL=false
+SMTP_FROM=bitwarden-rs-noreply@{{ ansible_domain }}
+{% if bitwarden_db_engine == 'mysql' %}
+DATABASE_URL=mysql://{{ bitwarden_db_user }}:{{ bitwarden_db_pass | urlencode | regex_replace('/','%2F') }}@{{ bitwarden_db_server }}:{{ bitwarden_db_port }}/{{ bitwarden_db_name }}
+ENABLE_DB_WAL=false
+{% else %}
+DATABASE_URL=data/db.sqlite3
+{% endif %}
+# vim: syntax=ini

roles/bitwarden_rs/templates/bitwarden_rs.service.j2

@@ -0,0 +1,27 @@
+[Unit]
+Description=Bitwarden Server (Rust Edition)
+Documentation=https://github.com/dani-garcia/bitwarden_rs
+After=network.target
+{% if bitwarden_db_engine == 'mysql' and (bitwarden_db_server == 'localhost' or bitwarden_db_server == '127.0.0.1') %}
+After=mariadb.service
+Requires=mariadb.service
+{% endif %}
+
+[Service]
+User={{ bitwarden_user }}
+Group={{ bitwarden_user }}
+EnvironmentFile={{ bitwarden_root_dir }}/etc/bitwarden_rs.conf
+ExecStart={{ bitwarden_root_dir }}/bitwarden_rs
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=full
+WorkingDirectory={{ bitwarden_root_dir }}
+ReadWriteDirectories={{ bitwarden_root_dir }}/data
+ReadOnlyDirectories={{ bitwarden_root_dir }}/etc {{ bitwarden_root_dir }}/web-vault
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target

roles/bitwarden_rs/templates/nginx.conf.j2

@@ -0,0 +1,71 @@
+server {
+  listen 443 ssl http2;
+  server_name {{ bitwarden_public_url | urlsplit('hostname') }};
+
+  include /etc/nginx/ansible_conf.d/acme.inc;
+
+{% if bitwarden_cert_path is defined and bitwarden_key_path is defined %}
+  ssl_certificate     {{ bitwarden_cert_path }};
+  ssl_certificate_key {{ bitwarden_key_path }};
+{% elif bitwarden_letsencrypt_cert is defined and bitwarden_letsencrypt_cert == True %}
+  ssl_certificate     /var/lib/dehydrated/certificates/certs/{{ bitwarden_public_url | urlsplit('hostname') }}/fullchain.pem;
+  ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ bitwarden_public_url | urlsplit('hostname') }}/privkey.pem;
+{% elif bitwarden_letsencrypt_cert is string %}
+  ssl_certificate     /var/lib/dehydrated/certificates/certs/{{ bitwarden_letsencrypt_cert }}/fullchain.pem;
+  ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ bitwarden_letsencrypt_cert }}/privkey.pem;
+{% endif %}
+
+  server_name {{ bitwarden_public_url | urlsplit('hostname') }};
+
+  root {{ bitwarden_root_dir }}/web-vault;
+
+  client_max_body_size 512M;
+
+  if ($request_method !~ ^(GET|POST|HEAD|PUT|DELETE)$ ) {
+    return 405;
+  }
+
+  location /notifications/hub {
+    proxy_pass http://localhost:{{ bitwarden_ws_port }};
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+  }
+  location /notifications/hub/negotiate {
+    proxy_pass http://localhost:{{ bitwarden_http_port }};
+  }
+
+  location @proxy {
+    proxy_pass http://localhost:{{ bitwarden_http_port }};
+  }
+
+  location / {
+    try_files $uri $uri/index.html @proxy;
+  }
+
+  add_header X-Frame-Options "DENY";
+  add_header X-Content-Type-Options "nosniff";
+  add_header X-XSS-Protection "1; mode=block";
+  add_header Strict-Transport-Security "$hsts_header";
+
+  # Send info about the original request to the backend
+  proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for";
+  proxy_set_header X-Real-IP "$remote_addr";
+  proxy_set_header X-Forwarded-Proto "$scheme";
+  proxy_set_header X-Forwarded-Host "$host";
+  proxy_set_header Host "$host";
+
+  # Set the timeout to read responses from the backend
+  proxy_read_timeout 60s;
+
+  # Enable Keep Alive to the backend
+  proxy_socket_keepalive on;
+
+  # Disable buffering large files
+  proxy_max_temp_file_size 5m;
+
+  allow 127.0.0.1;
+{% for ip in bitwarden_web_src_ip %}
+  allow {{ ip }};
+{% endfor %}
+  deny all;
+}

roles/bitwarden_rs/templates/post-backup.sh.j2

@@ -0,0 +1,4 @@
+#!/bin/bash -e
+
+rm -f {{ bitwarden_root_dir }}/backup/*
+umount /home/lbkp/bitwarden

roles/bitwarden_rs/templates/pre-backup.sh.j2

@@ -0,0 +1,17 @@
+#!/bin/bash -e
+
+mkdir -p /home/lbkp/bitwarden_rs/
+cp {{ bitwarden_root_dir }}/data/rsa* {{ bitwarden_root_dir }}/backup/
+{% if bitwarden_db_engine == 'mysql' %}
+/usr/bin/mysqldump \
+{% if bitwarden_db_server != 'localhost' and bitwarden_db_server != '127.0.0.1' %}
+	--user='{{ bitwarden_db_user }}' \
+        --password='{{ bitwarden_db_pass }}' \
+        --host='{{ bitwarden_db_server }}' \
+{% endif %}
+        --quick --single-transaction \
+        --add-drop-table {{ bitwarden_db_name }} | zstd -T0 -c > {{ bitwarden_root_dir }}/backup/{{ bitwarden_db_name }}.sql.zstd
+{% else %}
+sqlite3 {{ bitwarden_root_dir }}/data/db.sqlite3 ".backup '{{ bitwarden_root_dir }}/backup/db.sqlite3'"
+{% endif %}
+mount -o bind,ro {{ bitwarden_root_dir }}/backup/ /home/lbkp/bitwarden_rs/

roles/bluemind/defaults/main.yml

@@ -0,0 +1,117 @@
+---
+
+bm_http_ports:
+  - 80
+  - 443
+bm_http_src_ip:
+  - 0.0.0.0/0
+
+bm_imap_ports:
+  - 143
+  - 993
+bm_imap_src_ip:
+  - 0.0.0.0/0
+
+bm_pop_ports:
+  - 110
+  - 995
+bm_pop_src_ip:
+  - 0.0.0.0/0
+
+bm_smtp_ports:
+  - 25
+  - 465
+  - 587
+bm_smtp_src_ip:
+  - 0.0.0.0/0
+
+bm_milter_ports:
+  - 2500
+bm_milter_src:ip: []
+
+bm_int_ports:
+  - 24
+  - 144
+  - 1110
+  - 1143
+  - 2000
+  - 2400
+  - 2500
+  - 4444
+  - 5280
+  - 5290
+  - 5432
+  - '5701:5715'
+  - 8021
+  - 8022
+  - 8079
+  - 8080
+  - 8082
+  - 8084
+  - 8087
+  - 9083
+  - 9086
+  - 9090
+  - 9099
+  - 9200
+  - 9300
+bm_int_src_ip: []
+
+# bm_letsencrypt_cert: bluemind.domain.tld
+
+bm_mem_alloc_base:
+  bm-core:
+    heap: 512
+    direct: 512
+    spare: 20
+  bm-node:
+    heap: 128
+    direct: 128
+    spare: 0
+  bm-eas:
+    heap: 256
+    direct: 128
+    spare: 2
+  bm-mapi:
+    heap: 512
+    direct: 256
+    spare: 10
+  bm-ips:
+    heap: 64
+    direct: 64
+    spare: 0
+  bm-hps:
+    heap: 128
+    direct: 128
+    spare: 0
+  bm-lmtpd:
+    heap: 128
+    direct: 128
+    spare: 0
+  bm-locator:
+    heap: 64
+    direct: 64
+    spare: 0
+  bm-milter:
+    heap: 64
+    direct: 64
+    spare: 0
+  bm-tika:
+    heap: 128
+    direct: 128
+    spare: 0
+  bm-xmpp:
+    heap: 32
+    direct: 32
+    spare: 0
+  bm-ysnp:
+    heap: 64
+    direct: 64
+    spare: 0
+  bm-elasticsearch:
+    heap: 512
+    direct: 512
+    spare: 20
+bm_mem_alloc: {}
+bm_mem_alloc_rules: "{{ bm_mem_alloc_base | combine(bm_mem_alloc, recursive=True) }}"
+

roles/bluemind/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+
+- name: restart bluemind
+  command: bmctl restart

roles/bluemind/tasks/main.yml

@@ -0,0 +1,118 @@
+---
+
+- name: Install tools
+  yum:
+    name:
+      - socat
+  tags: bm
+
+- name: Create dehydrated hook dir
+  file: path=/etc/dehydrated/hooks_deploy_cert.d state=directory
+  tags: bm
+
+- name: Deploy dehydrated hook
+  template: src=dehydrated_deploy_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/bluemind mode=755
+  tags: bm
+
+- name: Create local conf directory
+  file: path=/etc/bm/local state=directory
+  tags: bm
+
+- name: Configure proxy
+  lineinfile:
+    regex: '^PROXY_OPTS=.*'
+    line: "PROXY_OPTS=\"{{ (system_proxy is defined and system_proxy != '') | ternary('-Dhttps.proxyHost=' ~ system_proxy | urlsplit('hostname') ~ ' -Dhttps.proxyPort=' ~ system_proxy | urlsplit('port') ~ ' -Dhttp.proxyHost=' ~ system_proxy | urlsplit('hostname') ~ ' -Dhttp.proxyPort=' ~ system_proxy | urlsplit('port'),'') }}\""
+    path: /etc/bm/local/{{ item }}.ini
+    create: True
+  loop:
+    - bm-core
+    - bm-webserver
+  notify: restart bluemind
+  tags: bm
+
+- name: Configure JVM options
+  lineinfile:
+    regex: '^JVM_OPTS=.*'
+    line: "JVM_OPTS=\"${PROXY_OPTS}\""
+    path: /etc/bm/local/{{ item }}.ini
+    insertafter: '^PROXY_OPTS=.*'
+  loop:
+    - bm-core
+    - bm-webserver
+  notify: restart bluemind
+  tags: bm
+
+- name: Configure memory allocation rules
+  template: src=rules.json.j2 dest=/etc/bm/local/rules.json
+  notify: restart bluemind
+  tags: bm
+
+- set_fact:
+    bm_restart_services: "[ 'bm-elasticsearch', 'bm-mapi' ]"
+  tags: bm
+
+- name: Create systemd unit snippet dirs
+  file: path=/etc/systemd/system/{{ item }}.service.d state=directory
+  loop: "{{ bm_restart_services }}"
+  tags: bm
+
+- name: Configure systemd to restart services on failure
+  copy:
+    content: |
+      [Service]
+      TimeoutSec=60
+      StartLimitInterval=0
+      RestartSec=1
+      Restart=on-failure
+    dest: /etc/systemd/system/{{ item }}.service.d/restart.conf
+  loop: "{{ bm_restart_services }}"
+  register: bm_units
+  notify: restart bluemind
+  tags: bm
+