Update to 2020-04-14

6 months ago · 460a3fc863
--- a/library/iptables_raw.py
+++ b/library/iptables_raw.py
--- a/playbooks/update_all.yml
+++ b/playbooks/update_all.yml
@@ -0,0 +1,9 @@
 ---
 - name: Update everything
  hosts: '*'
  tasks:
    - yum: name='*' state=latest
      when: ansible_os_family == 'RedHat'
    - apt: name='*' state=latest
      when: ansible_os_family == 'Debian'

--- a/playbooks/update_zabbix.yml
+++ b/playbooks/update_zabbix.yml
@@ -0,0 +1,42 @@
 ---
 - name: Update Zabbix
  hosts: '*'
  tasks:
    - yum:
        name:
          - zabbix-agent
          - zabbix-agent-addons
        state: latest
      when: ansible_os_family == 'RedHat'
      notify: restart zabbix-agent
    - apt:
        name:
          - zabbix-agent
        update_cache: True
        state: latest
      when: ansible_os_family == 'Debian'
      notify: restart zabbix-agent
    - git:
        repo: https://git.fws.fr/fws/zabbix-agent-addons.git
        dest: /var/lib/zabbix/addons
      register: zabbix_agent_addons_git
      when: ansible_os_family == 'Debian'
      notify: restart zabbix-agent
    - shell: cp -af /var/lib/zabbix/addons/{{ item.src }}/* {{ item.dest }}/
      with_items:
        - { src: zabbix_conf,    dest: /etc/zabbix/zabbix_agentd.conf.d }
        - { src: zabbix_scripts, dest: /var/lib/zabbix/bin }
        - { src: lib,            dest: /usr/local/lib/site_perl }
      when:
        - zabbix_agent_addons_git.changed
        - ansible_os_family == 'Debian'
    - shell: chmod +x /var/lib/zabbix/bin/*
      args:
        warn: False
      when:
        - zabbix_agent_addons_git.changed
        - ansible_os_family == 'Debian'

  handlers:
    - name: restart zabbix-agent
      service: name=zabbix-agent state=restarted
--- a/roles/ampache/defaults/main.yml
+++ b/roles/ampache/defaults/main.yml
@@ -0,0 +1,94 @@
 ---

 ampache_id: "1"
 ampache_manage_upgrade: True

 ampache_version: '4.1.1'
 ampache_config_version: 40
 ampache_zip_url: https://github.com/ampache/ampache/archive/{{ ampache_version }}.zip
 ampache_zip_sha1: 744ff90039a268579551d50650ce1502ec89daf1

 ampache_root_dir: /opt/ampache_{{ ampache_id }}

 ampache_php_user: php-ampache_{{ ampache_id }}
 ampache_php_version: 74

 # If you prefer using a custom PHP FPM pool, set it's name.
 # You might need to adjust ampache_php_user
 # ampache_php_fpm_pool: php56


 ampache_mysql_server: "{{ mysql_server | default('localhost') }}"
 # ampache_mysql_port: 3306
 ampache_mysql_db: ampache_{{ ampache_id }}
 ampache_mysql_user: ampache_{{ ampache_id }}
 # If not defined, a random pass will be generated and stored in the meta directory
 # ampache_mysql_pass: ampache

 # ampache_alias: ampache
 # ampache_allowed_ip:
 #   - 192.168.7.0/24
 #   - 10.2.0.0/24

 ampache_local_web_path: "http://ampache.{{ ansible_domain }}/"
 ampache_auth_methods:
  - mysql

 ampache_ldap_url: "{{ ad_auth | default(False) | ternary('ldap://' + ad_realm | default(samba_realm) | lower,ldap_uri) }}"
 ampache_ldap_starttls: True
 ampache_ldap_search_dn: "{{ ad_auth | default(False) | ternary((ad_ldap_user_search_base is defined) | ternary(ad_ldap_user_search_base,'DC=' + ad_realm | default(samba_realm) | regex_replace('\\.',',DC=')), ldap_base) }}"
 ampache_ldap_username: ""
 ampache_ldap_password: ""
 ampache_ldap_objectclass: "{{ ad_auth | default(False) | ternary('user','inetOrgPerson') }}"
 ampache_ldap_filter: "{{ ad_auth | default(False) | ternary('(&(objectCategory=person)(objectClass=user)(primaryGroupId=513)(sAMAccountName=%v))','(uid=%v)') }}"
 ampache_ldap_email_field: mail
 ampache_ldap_name_field: cn

 ampache_admin_users:
  - admin

 #ampache_logout_redirect: https://sso.domain.org

 ampache_metadata_order: 'getID3,filename'

 ampache_lastfm_api_key: 697bad201ee93391630d845c7b3f9610
 ampache_lastfm_api_secret: 5f5fe59aa2f9c60220f04e94aa59c209

 ampache_max_bit_rate: 192
 ampache_min_bit_rate: 64

 # allowed, required or false
 ampache_transcode_m4a: required
 ampache_transcode_flac: required
 ampache_transcode_mpc: required
 ampache_transcode_ogg: required
 ampache_transcode_oga: required
 ampache_transcode_wav: required
 ampache_transcode_wma: required
 ampache_transcode_aif: required
 ampache_transcode_aiff: required
 ampache_transcode_ape: required
 ampache_transcode_shn: required
 ampache_transcode_mp3: allowed
 ampache_transcode_avi: required
 ampache_transcode_mkv: required
 ampache_transcode_mpg: required
 ampache_transcode_mpeg: required
 ampache_transcode_m4v: required
 ampache_transcode_mp4: required
 ampache_transcode_mov: required
 ampache_transcode_wmv: required
 ampache_transcode_ogv: required
 ampache_transcode_divx: required
 ampache_transcode_m2ts: required
 ampache_transcode_webm: required
 ampache_transcode_player_api_mp3: required
 ampache_encode_player_api_target: mp3
 ampache_encode_player_webplayer: mp3
 ampache_encode_target: mp3
 ampache_encode_video_target: webm

 # If defined, will be printed on the login page. HTML can be used, eg
 # ampache_motd: '<a href="/sso.php">Use central authentication</a>'

 ...
--- a/roles/ampache/handlers/main.yml
+++ b/roles/ampache/handlers/main.yml
@@ -0,0 +1,4 @@
 ---
 - include: ../httpd_common/handlers/main.yml
 - include: ../httpd_php/handlers/main.yml
 ...
--- a/roles/ampache/meta/main.yml
+++ b/roles/ampache/meta/main.yml
@@ -0,0 +1,6 @@
 ---
 allow_duplicates: true
 dependencies:
  - role: repo_nux_dextop
  - role: httpd_php
 ...
--- a/roles/ampache/tasks/main.yml
+++ b/roles/ampache/tasks/main.yml
@@ -0,0 +1,218 @@
 ---

 - name: Install needed tools
  yum:
    name:
      - unzip
      - MySQL-python
      - mariadb
      - acl
      - git
      - composer
      - patch
      - ffmpeg
  tags: ampache

 - import_tasks: ../includes/create_system_user.yml
  vars:
    - user: "{{ ampache_php_user }}"
    - comment: "PHP FPM for ampache {{ ampache_id }}"
  tags: ampache

 - import_tasks: ../includes/webapps_set_install_mode.yml
  vars:
    - root_dir: "{{ ampache_root_dir }}"
    - version: "{{ ampache_version }}"
  tags: ampache
 - set_fact: ampache_install_mode={{ (install_mode == 'upgrade' and not ampache_manage_upgrade) | ternary('none',install_mode) }}
  tags: ampache
 - set_fact: ampache_current_version={{ current_version | default('') }}
  tags: ampache

 - import_tasks: ../includes/webapps_archive.yml
  vars:
    - root_dir: "{{ ampache_root_dir }}"
    - version: "{{ ampache_current_version }}"
    - db_name: "{{ ampache_mysql_db }}"
  when: ampache_install_mode == 'upgrade'
  tags: ampache

 - name: Download Ampache
  get_url:
    url: "{{ ampache_zip_url }}"
    dest: "{{ ampache_root_dir }}/tmp/"
    checksum: "sha1:{{ ampache_zip_sha1 }}"
  when: ampache_install_mode != 'none'
  tags: ampache

 - name: Extract ampache archive
  unarchive:
    src: "{{ ampache_root_dir }}/tmp/ampache-{{ ampache_version }}.zip"
    dest: "{{ ampache_root_dir }}/tmp"
    remote_src: yes
  when: ampache_install_mode != 'none'
  tags: ampache

 - name: Create directory structure
  file: path={{ item }} state=directory
  with_items:
    - "{{ ampache_root_dir }}"
    - "{{ ampache_root_dir }}/web"
    - "{{ ampache_root_dir }}/tmp"
    - "{{ ampache_root_dir }}/sessions"
    - "{{ ampache_root_dir }}/meta"
    - "{{ ampache_root_dir }}/logs"
    - "{{ ampache_root_dir }}/data"
    - "{{ ampache_root_dir }}/data/metadata"
    - "{{ ampache_root_dir }}/data/music"
    - "{{ ampache_root_dir }}/data/video"
    - "{{ ampache_root_dir }}/db_dumps"
  tags: ampache


 - name: Move files to the correct directory
  synchronize:
    src: "{{ ampache_root_dir }}/tmp/ampache-{{ ampache_version }}/"
    dest: "{{ ampache_root_dir }}/web/"
    recursive: True
    delete: True
  delegate_to: "{{ inventory_hostname }}"
  when: ampache_install_mode != 'none'
  tags: ampache

 - name: Check if htaccess files needs to be moved
  stat: path={{ ampache_root_dir }}/web/{{ item }}/.htaccess.dist
  with_items:
    - channel
    - play
    - rest
  register: htaccess
  tags: ampache

 - name: Rename htaccess files
  command: mv -f {{ ampache_root_dir }}/web/{{ item.item }}/.htaccess.dist {{ ampache_root_dir }}/web/{{ item.item }}/.htaccess
  with_items: "{{ htaccess.results }}"
  when: item.stat.exists
  tags: ampache

 - name: Install libs using composer
  composer: command=install working_dir={{ ampache_root_dir }}/web executable={{ (ampache_php_version == '54') | ternary('/bin/php','/bin/php' ~ ampache_php_version ) }}
  tags: ampache

 - name: Remove temp files
  file: path={{ item }} state=absent
  with_items:
    - "{{ ampache_root_dir }}/tmp/ampache-{{ ampache_version }}.zip"
    - "{{ ampache_root_dir }}/tmp/ampache-{{ ampache_version }}"
  tags: ampache

 - import_tasks: ../includes/get_rand_pass.yml
  vars:
    - pass_file: "{{ ampache_root_dir }}/meta/key.txt"
  tags: ampache
 - set_fact: ampache_key={{ rand_pass }}
  tags: ampache

 - import_tasks: ../includes/get_rand_pass.yml
  vars:
    - pass_file: "{{ampache_root_dir }}/meta/ansible_dbpass"
  when: ampache_mysql_pass is not defined
  tags: ampache
 - set_fact: ampache_mysql_pass={{ rand_pass }}
  when: ampache_mysql_pass is not defined
  tags: ampache

 - import_tasks: ../includes/webapps_create_mysql_db.yml
  vars:
    - db_name: "{{ ampache_mysql_db }}"
    - db_user: "{{ ampache_mysql_user }}"
    - db_server: "{{ ampache_mysql_server }}"
    - db_pass: "{{ ampache_mysql_pass }}"
  tags: ampache

 - name: Inject SQL structure
  mysql_db:
    name: "{{ ampache_mysql_db }}"
    state: import
    target: "{{ ampache_root_dir }}/web/sql/ampache.sql"
    login_host: "{{ ampache_mysql_server }}"
    login_user: sqladmin
    login_password: "{{ mysql_admin_pass }}"
  when: ampache_install_mode == 'install'
  tags: ampache

 - name: Upgrade SQL database
  command: php{{ (ampache_php_version == '54') | ternary('', ampache_php_version) }} {{ ampache_root_dir }}/web/bin/install/update_db.inc
  become_user: "{{ ampache_php_user }}"
  when: ampache_install_mode == 'upgrade'
  tags: ampache

 - name: Grant admin privileges
  command: mysql --host={{ ampache_mysql_server }} --user=sqladmin --password={{ mysql_admin_pass }} {{ ampache_mysql_db }} -e "UPDATE `user` SET `access`='100' WHERE `username`='{{ item }}'"
  changed_when: False
  become_user: "{{ ampache_php_user }}"
  with_items: "{{ ampache_admin_users }}"
  tags: ampache

 - import_tasks: ../includes/webapps_webconf.yml
  vars:
    - app_id: ampache_{{ ampache_id }}
    - php_version: "{{ ampache_php_version }}"
    - php_fpm_pool: "{{ ampache_php_fpm_pool | default('') }}"
  tags: ampache

 - name: Deploy ampache configuration
  template: src=ampache.cfg.php.j2 dest={{ ampache_root_dir }}/web/config/ampache.cfg.php group={{ ampache_php_user }} mode=640
  tags: ampache

 - name: Deploy motd
  template: src=motd.php.j2 dest={{ ampache_root_dir }}/web/config/motd.php
  when: ampache_motd is defined
  tags: ampache

 - name: Remove motd
  file: path={{ ampache_root_dir }}/web/config/motd.php state=absent
  when: ampache_motd is not defined
  tags: ampache

 - name: Deploy cron scripts
  template: src={{ item }}.j2 dest={{ ampache_root_dir }}/web/bin/{{ item }}
  with_items:
    - cron.sh
  tags: ampache

 - name: Enable cronjob
  cron:
    name: ampache_{{ ampache_id }}
    special_time: daily
    user: "{{ ampache_php_user }}"
    job: "/bin/sh {{ ampache_root_dir }}/web/bin/cron.sh"
    cron_file: ampache_{{ ampache_id }}
  tags: ampache

 - name: Deploy sso script
  template: src=sso.php.j2 dest={{ ampache_root_dir }}/web/sso.php
  tags: ampache

 - name: Deploy backup scripts
  template: src={{ item.script }}.j2 dest=/etc/backup/{{ item.type }}.d/ampache_{{ ampache_id }}_{{ item.script }} mode=750
  with_items:
    - script: dump_db
      type: pre
    - script: rm_dump
      type: post
  tags: ampache

 - import_tasks: ../includes/webapps_compress_archive.yml
  vars:
    - root_dir: "{{ ampache_root_dir }}"
    - version: "{{ ampache_current_version }}"
  when: ampache_install_mode == 'upgrade'
  tags: ampache

 - import_tasks: ../includes/webapps_post.yml
  vars:
    - root_dir: "{{ ampache_root_dir }}"
    - version: "{{ ampache_version }}"
  tags: ampache
 ...
--- a/roles/ampache/templates/ampache.cfg.php.j2
+++ b/roles/ampache/templates/ampache.cfg.php.j2
@@ -0,0 +1,134 @@
 config_version = {{ ampache_config_version }}
 {% if ampache_local_web_path is defined %}
 local_web_path = "{{ ampache_local_web_path }}"
 {% endif %}
 database_hostname = {{ ampache_mysql_server }}
 {% if ampache_mysql_port is defined %}
 database_port = "{{ ampache_mysql_port }}"
 {% endif %}
 database_name = "{{ ampache_mysql_db }}"
 database_username = "{{ ampache_mysql_user }}"
 database_password = "{{ ampache_mysql_pass }}"
 secret_key = "{{ ampache_key }}"
 session_length = 3600
 stream_length = 7200
 remember_length = 604800
 session_name = ampache
 session_cookielife = 0
 auth_methods = "{{ ampache_auth_methods | join(',') }}"
 {% if 'ldap' in ampache_auth_methods %}
 ldap_url = "{{ ampache_ldap_url }}"
 ldap_username = "{{ ampache_ldap_username }}"
 ldap_password = "{{ ampache_ldap_password }}"
 ldap_start_tls = "{{ ampache_ldap_starttls | ternary('true','false') }}"
 ldap_search_dn = "{{ ampache_ldap_search_dn }}"
 ldap_objectclass = "{{ ampache_ldap_objectclass }}"
 ldap_filter = "{{ ampache_ldap_filter }}"
 ldap_email_field = "{{ ampache_ldap_email_field }}"
 ldap_name_field  = "{{ ampache_ldap_name_field }}"
 external_auto_update = "true"
 {% endif %}
 {% if ampache_logout_redirect is defined %}
 logout_redirect = "{{ ampache_logout_redirect }}"
 {% endif %}
 access_control  = "true"
 require_session = "true"
 require_localnet_session = "true"
 metadata_order = "{{ ampache_metadata_order }}"
 getid3_tag_order = "id3v2,id3v1,vorbiscomment,quicktime,matroska,ape,asf,avi,mpeg,riff"
 deferred_ext_metadata = "false"
 additional_genre_delimiters = "[/]{2}|[/|\\\\|\|,|;]"
 catalog_file_pattern = "mp3|mpc|m4p|m4a|aac|ogg|oga|wav|aif|aiff|rm|wma|asf|flac|opus|spx|ra|ape|shn|wv"
 catalog_video_pattern = "avi|mpg|mpeg|flv|m4v|mp4|webm|mkv|wmv|ogv|mov|divx|m2ts"
 catalog_playlist_pattern = "m3u|m3u8|pls|asx|xspf"
 catalog_prefix_pattern = "The|An|A|Das|Ein|Eine|Les|Le|La"
 track_user_ip = "true"
 allow_zip_download = "true"
 allow_zip_types = "album"
 use_auth = "true"
 ratings = "false"
 userflags = "true"
 directplay = "true"
 sociable = "false"
 licensing = "false"
 memory_cache = "true"
 album_art_store_disk = "true"
 local_metadata_dir = "{{ ampache_root_dir }}/data/metadata"
 max_upload_size = 1048576
 resize_images = "false"
 art_order = "db,tags,folder,musicbrainz,lastfm,google"
 lastfm_api_key = "{{ ampache_lastfm_api_key }}"
 lastfm_api_secret = "{{ ampache_lastfm_api_secret }}"
 channel = "false"
 live_stream = "false"
 refresh_limit = "60"
 show_footer_statistics = "false"
 debug = "true"
 debug_level = 5
 log_path = "{{ ampache_root_dir }}/logs/"
 log_filename = "%name.%Y%m%d.log"
 site_charset = "UTF-8"
 {% if 'ldap' in ampache_auth_methods or 'http' in ampache_auth_methods %}
 auto_create = "true"
 auto_user = "user"
 {% endif %}
 allow_public_registration = "false"
 generate_video_preview = "true"
 max_bit_rate = {{ ampache_max_bit_rate }}
 min_bit_rate = {{ ampache_min_bit_rate }}
 transcode_m4a = {{ ampache_transcode_m4a }}
 transcode_flac = {{ ampache_transcode_flac }}
 transcode_mpc = {{ ampache_transcode_mpc }}
 transcode_ogg = {{ ampache_transcode_ogg }}
 transcode_oga = {{ ampache_transcode_oga }}
 transcode_wav = {{ ampache_transcode_wav }}
 transcode_wma = {{ ampache_transcode_wma }}
 transcode_aif = {{ ampache_transcode_aif }}
 transcode_aiff = {{ ampache_transcode_aiff }}
 transcode_ape = {{ ampache_transcode_ape }}
 transcode_shn = {{ ampache_transcode_shn }}
 transcode_mp3 = {{ ampache_transcode_mp3 }}
 transcode_avi = {{ ampache_transcode_avi }}
 transcode_mkv = {{ ampache_transcode_mkv }}
 transcode_mpg = {{ ampache_transcode_mpg }}
 transcode_mpeg = {{ ampache_transcode_mpeg }}
 transcode_m4v = {{ ampache_transcode_m4v }}
 transcode_mp4 = {{ ampache_transcode_mp4 }}
 transcode_mov = {{ ampache_transcode_mov }}
 transcode_wmv = {{ ampache_transcode_wmv }}
 transcode_ogv = {{ ampache_transcode_ogv }}
 transcode_divx = {{ ampache_transcode_divx }}
 transcode_m2ts = {{ ampache_transcode_m2ts }}
 transcode_webm = {{ ampache_transcode_webm }}
 encode_target = {{ ampache_encode_target }}
 encode_player_webplayer_target = {{ ampache_encode_player_webplayer }}
 transcode_player_api_mp3 = {{ ampache_transcode_player_api_mp3 }}
 encode_video_target = {{ ampache_encode_video_target }}
 transcode_player_customize = "true"
 transcode_cmd = "/bin/ffmpeg"
 transcode_input = "-i %FILE%"
 encode_args_mp3 = "-vn -b:a %BITRATE%K -c:a libmp3lame -f mp3 pipe:1"
 encode_args_ogg = "-vn -b:a %BITRATE%K -c:a libvorbis -f ogg pipe:1"
 encode_args_m4a = "-vn -b:a %BITRATE%K -c:a libfdk_aac -f adts pipe:1"
 encode_args_wav = "-vn -b:a %BITRATE%K -c:a pcm_s16le -f wav pipe:1"
 encode_args_opus = "-vn -b:a %BITRATE%K -c:a libopus -compression_level 10 -vsync 2 -f ogg pipe:1"
 encode_args_flv = "-b:a %BITRATE%K -ar 44100 -ac 2 -v 0 -f flv -c:v libx264 -preset superfast -threads 0 pipe:1"
 encode_args_webm = "-q %QUALITY% -f webm -c:v libvpx -maxrate %MAXBITRATE%k -preset superfast -threads 0 pipe:1"
 encode_args_ts = "-q %QUALITY% -s %RESOLUTION% -f mpegts -c:v libx264 -c:a libmp3lame -maxrate %MAXBITRATE%k -preset superfast -threads 0 pipe:1"
 encode_get_image = "-ss %TIME% -f image2 -vframes 1 pipe:1"
 encode_srt = "-vf \"subtitles='%SRTFILE%'\""
 encode_ss_frame = "-ss %TIME%"
 encode_ss_duration = "-t %DURATION%"
 mail_type = "sendmail"
 mail_domain = "{{ ansible_domain }}"
 common_abbr = "divx,xvid,dvdrip,hdtv,lol,axxo,repack,xor,pdtv,real,vtv,caph,2hd,proper,fqm,uncut,topaz,tvt,notv,fpn,fov,orenji,0tv,omicron,dsr,ws,sys,crimson,wat,hiqt,internal,brrip,boheme,vost,vostfr,fastsub,addiction,x264,LOL,720p,1080p,YIFY,evolve,fihtv,first,bokutox,bluray,tvboom,info"
 force_ssl = "true"
 mail_enable = "true"
 mail_type = "sendmail"
 mail_domain = "{{ ansible_domain }}"
 {% if system_proxy is defined and system_proxy != '' %}
 proxy_host = "{{ system_proxy | urlsplit('hostname') }}"
 proxy_port = "{{ system_proxy | urlsplit('port') }}"
 proxy_user = "{{ system_proxy | urlsplit('username') }}"
 proxy_pass = "{{ system_proxy | urlsplit('password') }}"
 {% endif %}
--- a/roles/ampache/templates/cron.sh.j2
+++ b/roles/ampache/templates/cron.sh.j2
@@ -0,0 +1,31 @@
 #!/bin/sh

 # Rotate logs
 find {{ ampache_root_dir }}/logs -type f -mtime +7 -exec rm -f "{}" \;
 find {{ ampache_root_dir }}/logs -type f -mtime +1 -exec xz -T0 "{}" \;

 # Do we have a previous filelist to compare against ?
 PREV_HASH=$(cat {{ ampache_root_dir }}/tmp/data_hash.txt || echo 'none')

 # Now, compute a hash of the filelist
 NEW_HASH=$(find {{ ampache_root_dir }}/data/{music,video} | sha1sum | cut -d' ' -f1)

 # Write new hash so we can compare next time
 echo -n $NEW_HASH > {{ ampache_root_dir }}/tmp/data_hash.txt

 # If file list has changed since last time, then update the catalog
 if [ "$PREV_HASH" != "$NEW_HASH" ]; then
  # Clean (remove files which doesn't exists anymore)
  /bin/php{{ (ampache_php_version == '54') | ternary('',ampache_php_version) }} {{ ampache_root_dir }}/web/bin/catalog_update.inc -c > /dev/null 2>&1
  # Add (files added)
  /bin/php{{ (ampache_php_version == '54') | ternary('',ampache_php_version) }} {{ ampache_root_dir }}/web/bin/catalog_update.inc -a > /dev/null 2>&1
  # Update graphics
  /bin/php{{ (ampache_php_version == '54') | ternary('',ampache_php_version) }} {{ ampache_root_dir }}/web/bin/catalog_update.inc -g > /dev/null 2>&1
 fi

 # Now check if files have changed recently. We can have the same file list, but metadata updates
 NEW_FILES=$(find {{ ampache_root_dir }}/data/{music,video} -type f -mtime -1 | wc -l)
 if [ "$NEW_FILES" -gt "0" ]; then
  # Verify (update metadata)
  /bin/php{{ (ampache_php_version == '54') | ternary('',ampache_php_version) }} {{ ampache_root_dir }}/web/bin/catalog_update.inc -v > /dev/null 2>&1
 fi
--- a/roles/ampache/templates/dump_db.j2
+++ b/roles/ampache/templates/dump_db.j2
@@ -0,0 +1,7 @@
 #!/bin/sh

 /usr/bin/mysqldump --user={{ ampache_mysql_user }} \
                   --password={{ ampache_mysql_pass }} \
                   --host={{ ampache_mysql_server }} \
                   --quick --single-transaction \
                   --add-drop-table {{ ampache_mysql_db }} | lz4 -c > {{ ampache_root_dir }}/db_dumps/{{ ampache_mysql_db }}.sql.lz4
--- a/roles/ampache/templates/httpd.conf.j2
+++ b/roles/ampache/templates/httpd.conf.j2
@@ -0,0 +1,27 @@
 {% if ampache_alias is defined %}
 Alias /{{ ampache_alias }} {{ ampache_root_dir }}/web
 {% else %}
 # No alias defined, create a vhost to access it
 {% endif %}

 RewriteEngine On
 <Directory {{ ampache_root_dir }}/web>
  AllowOverride All
  Options FollowSymLinks
 {% if ampache_allowed_ip is defined %}
  Require ip {{ ampache_src_ip | join(' ') }}
 {% else %}
  Require all granted
 {% endif %}
  <FilesMatch \.php$>
    SetHandler "proxy:unix:/run/php-fpm/{{ ampache_php_fpm_pool  | default('ampache_' + ampache_id | string) }}.sock|fcgi://localhost"
  </FilesMatch>
  <FilesMatch "(.maintenance.*|.ansible.*|.t?git.*|.php_cs|.travis.*)">
    Require all denied
  </FilesMatch>
 </Directory>

 <Directory {{ ampache_root_dir }}/web/config>
  Require all denied
 </Directory>

--- a/roles/ampache/templates/motd.php.j2
+++ b/roles/ampache/templates/motd.php.j2
@@ -0,0 +1,3 @@
 <?php

 echo '<a href="/sso.php">{{ ampache_motd }}</a>';
--- a/roles/ampache/templates/perms.sh.j2
+++ b/roles/ampache/templates/perms.sh.j2
@@ -0,0 +1,15 @@
 #!/bin/sh

 restorecon -R {{ ampache_root_dir }}
 chown root:root {{ ampache_root_dir }}
 chmod 700 {{ ampache_root_dir }}
 setfacl -k -b {{ ampache_root_dir }}
 setfacl -m u:{{ ampache_php_user | default('apache') }}:rx,u:{{ httpd_user | default('apache') }}:rx {{ ampache_root_dir }}
 chown -R root:root {{ ampache_root_dir }}/web
 chown apache-ampache {{ ampache_root_dir }}/data
 chown -R {{ ampache_php_user }} {{ ampache_root_dir }}/{tmp,sessions,logs,data/metadata}
 chmod 700 {{ ampache_root_dir }}/{tmp,sessions,logs,data}
 find {{ ampache_root_dir }}/web -type f -exec chmod 644 "{}" \;
 find {{ ampache_root_dir }}/web -type d -exec chmod 755 "{}" \;
 chown :{{ ampache_php_user }} {{ ampache_root_dir }}/web/config/ampache.cfg.php
 chmod 640 {{ ampache_root_dir }}/web/config/ampache.cfg.php
--- a/roles/ampache/templates/php.conf.j2
+++ b/roles/ampache/templates/php.conf.j2
@@ -0,0 +1,37 @@
 ; {{ ansible_managed }}

 [ampache_{{ ampache_id }}]

 listen.owner = root
 listen.group = {{ httpd_user | default('apache') }}
 listen.mode = 0660
 listen = /run/php-fpm/ampache_{{ ampache_id }}.sock
 user = {{ ampache_php_user }}
 group = {{ ampache_php_user }}
 catch_workers_output = yes

 pm = dynamic
 pm.max_children = 15
 pm.start_servers = 3
 pm.min_spare_servers = 3
 pm.max_spare_servers = 6
 pm.max_requests = 5000
 request_terminate_timeout = 60m

 php_flag[display_errors] = off
 php_admin_flag[log_errors] = on
 php_admin_value[error_log] = syslog
 php_admin_value[memory_limit] = 512M
 php_admin_value[session.save_path] = {{ ampache_root_dir }}/sessions
 php_admin_value[upload_tmp_dir] = {{ ampache_root_dir }}/tmp
 php_admin_value[sys_temp_dir] = {{ ampache_root_dir }}/tmp
 php_admin_value[post_max_size] = 5M
 php_admin_value[upload_max_filesize] = 5M
 php_admin_value[disable_functions] = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
 php_admin_value[open_basedir] = {{ ampache_root_dir }}
 php_admin_value[max_execution_time] = 1800
 php_admin_value[max_input_time] = 60
 php_admin_flag[allow_url_include] = off
 php_admin_flag[allow_url_fopen] = on
 php_admin_flag[file_uploads] = on
 php_admin_flag[session.cookie_httponly] = on
--- a/roles/ampache/templates/rm_dump.j2
+++ b/roles/ampache/templates/rm_dump.j2
@@ -0,0 +1,3 @@
 #!/bin/sh

 rm -f {{ ampache_root_dir }}/db_dump/*
--- a/roles/ampache/templates/sso.php.j2
+++ b/roles/ampache/templates/sso.php.j2
@@ -0,0 +1,6 @@
 <?php

 # Just a dummy redirection so we can protect /sso.php with Lemonldap::NG
 header('Location: /');

 ?>
--- a/roles/backup/defaults/main.yml
+++ b/roles/backup/defaults/main.yml
@@ -0,0 +1,36 @@
 ---

 # The shell of the lbkp account
 backup_shell: '/bin/bash'

 # List of commands lbkp will be allowed to run as root, with sudo
 backup_sudo_base_commands:
  - /usr/bin/rsync
  - /usr/local/bin/pre-backup
  - /usr/local/bin/post-backup
  - /bin/tar
  - /bin/gtar
 backup_sudo_extra_commands: []
 backup_sudo_commands: "{{ backup_sudo_base_commands + backup_sudo_extra_commands }}"

 # List of ssh public keys to deploy
 backup_ssh_keys: []

 # Options to set for the ssh keys, to restrict what they can do
 backup_ssh_keys_options:
  - no-X11-forwarding
  - no-agent-forwarding
  - no-pty

 # List of IP address allowed to use the ssh keys
 # Empty list means no restriction
 backup_src_ip: []

 # Custom pre / post script
 backup_pre_script: |
  #!/bin/bash -e
  # Nothing to do
 backup_post_script: |
  #!/bin/bash -e
  # Nothing to do
 ...
--- a/roles/backup/files/dump-megaraid-cfg
+++ b/roles/backup/files/dump-megaraid-cfg
@@ -0,0 +1,53 @@
 #!/usr/bin/perl -w

 # This script will backup the config of MegaRAID based
 # RAID controllers. The saved config can be restored with
 # MegaCli -CfgRestore -f /home/lbkp/mega_0.bin for example
 # It also create a backup of the config as text, so you can
 # manually check how things were configured at a certain point in time

 # If MegaCli is not installed, then the script does nothing

 use strict;

 my $megacli = undef;

 if (-x '/opt/MegaRAID/MegaCli/MegaCli64'){
  $megacli = '/opt/MegaRAID/MegaCli/MegaCli64';
 } elsif (-x '/opt/MegaRAID/MegaCli/MegaCli'){
  $megacli = '/opt/MegaRAID/MegaCli/MegaCli';
 }

 exit (0) unless($megacli);

 my $adapters = 0;
 foreach (qx($megacli -adpCount -NoLog)) {
  if ( m/Controller Count:\s*(\d+)/ ) {
    $adapters = $1;
    last;
  }
 }

 foreach my $adp (0..$adapters-1){
  my $hba = 0;
  my $failgrouplist = 0;
  foreach my $line (qx($megacli -CfgDsply -a$adp -NoLog)) {
    if ( $line =~ m/Failed to get Disk Group list/ ) {
      $failgrouplist = 1;
    } elsif ( $line =~ m/Product Name:.*(JBOD|HBA)/ ) {
      $hba = 1;
    }
  }
  # Skip adapter if in HBA mode
  next if ($hba && $failgrouplist);

  # Save the config in binary format
  qx($megacli -CfgSave -f /home/lbkp/megaraid/cfg_$adp.bin -a$adp -NoLog);
  die "Failed to backup conf for adapter $adp\n" unless ($? == 0);

  # Now also save in text representation
  open TXT, ">/home/lbkp/megaraid/cfg_$adp.txt";
  print TXT foreach qx($megacli -CfgDsply -a$adp -NoLog);
  die "Failed to backup Cfg text description for adapter $adp\n" unless ($? == 0);
  close TXT;
 }
--- a/roles/backup/files/dump-rpms-list
+++ b/roles/backup/files/dump-rpms-list
@@ -0,0 +1,3 @@
 #!/bin/sh

 /bin/rpm -qa --qf "%{NAME}\t%{VERSION}\t%{RELEASE}\n" | grep -v gpg-pubkey | sort > /home/lbkp/rpms.list
--- a/roles/backup/files/post-backup
+++ b/roles/backup/files/post-backup
@@ -0,0 +1,9 @@
 #!/bin/bash

 if [ -d "/etc/backup/post.d" ]; then
  for H in $(find /etc/backup/post.d -type f -o -type l | sort); do
    [ -x $H ] && $H "$@"
  done
 fi
 # Remove the lock
 rm -f /var/lock/bkp.lock
--- a/roles/backup/files/pre-backup
+++ b/roles/backup/files/pre-backup
@@ -0,0 +1,29 @@
 #!/bin/bash

 set -e

 # 2 locks are needed. The first one ensure we don't run
 # The pre-backup script twice. It's an atomic lock.
 # Then we need a second lock which will last until the post-backup ran
 # This one doesn't need to be atomic (as we already checked this)
 PRELOCKFILE="/var/lock/pre-bkp.lock"
 exec 200>$PRELOCKFILE
 flock -n 200 || ( echo "Couldn't aquire pre-backup lock" && exit 1 )
 PID=$$
 echo $PID 1>&200

 if [ -e /var/lock/bkp.lock ]; then
  # Consider the lock to be stale if it's older than 8 hours
  if [ "$(( $(date +"%s") - $(stat -c "%Y" /var/lock/bkp.lock) ))" -gt "28800" ]; then
    rm /var/lock/bkp.lock
  else
    echo "Another backup is running"
    exit 1
  fi
 fi
 touch /var/lock/bkp.lock
 if [ -d "/etc/backup/pre.d" ]; then
  for H in $(find /etc/backup/pre.d -type f -o -type l | sort); do
    [ -x $H ] && $H "$@"
  done
 fi
--- a/roles/backup/files/rm-megaraid-cfg
+++ b/roles/backup/files/rm-megaraid-cfg
@@ -0,0 +1,3 @@
 #!/bin/bash -e

 rm -f /home/lbkp/megaraid/*
--- a/roles/backup/tasks/main.yml
+++ b/roles/backup/tasks/main.yml
@@ -0,0 +1,84 @@
 ---

 - name: Install backup tools
  yum: name=rsync
  when: ansible_os_family == 'RedHat'

 - name: Install backup tools
  apt: name=rsync
  when: ansible_os_family == 'Debian'

 - name: Create a local backup user account
  user: name=lbkp comment="Local backup account" system=yes shell={{ backup_shell }}
  tags: backup

 - name: Deploy sudo configuration
  template: src=sudo.j2 dest=/etc/sudoers.d/backup mode=400
  tags: backup

 - name: Deploy SSH keys for the backup account
  authorized_key:
    user: lbkp
    key: "{{ backup_ssh_keys | join(\"\n\") }}"
    key_options: "{{ backup_ssh_keys_options | join(',') }}"
    exclusive: yes
  when: backup_src_ip is not defined or backup_src_ip | length < 1
  tags: backup

 - name: Deploy SSH keys for the backup account (with source IP restriction)
  authorized_key:
    user: lbkp
    key: "{{ backup_ssh_keys | join(\"\n\") }}"
    key_options: "from=\"{{ backup_src_ip | join(',') }}\",{{ backup_ssh_keys_options | join(',') }}"
    exclusive: yes
  when:
    - backup_src_ip is defined
    - backup_src_ip | length > 0
  tags: backup

 - name: Create pre and post backup hook dir
  file: path={{ item }} state=directory mode=750
  with_items:
    - /etc/backup/pre.d
    - /etc/backup/post.d
  tags: backup

 - name: Deploy default pre/post backup hooks
  copy:
    content: "{{ item.content }}"
    dest: /etc/backup/{{ item.type }}.d/default
    mode: 755
  loop:
    - type: pre
      content: "{{ backup_pre_script }}"
    - type: post
      content: "{{ backup_post_script }}"
  tags: backup

 - name: Copy pre-backup script
  copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=750 group=lbkp
  with_items:
    - pre-backup
    - post-backup
  tags: backup

 - name: Deploy rpm dump list script
  copy: src=dump-rpms-list dest=/etc/backup/pre.d/dump-rpms-list mode=755
  when: ansible_os_family == 'RedHat'
  tags: backup

 - name: Create megaraid dump dir
  file: path=/home/lbkp/megaraid state=directory
  tags: backup

 - name: Deploy MegaCli backup scripts
  copy: src={{ item.script }} dest=/etc/backup/{{ item.type }}.d/{{ item.script }} mode=750
  with_items:
    - script: dump-megaraid-cfg
      type: pre
    - script: rm-megaraid-cfg
      type: post
  when: lsi_controllers | default([]) | length > 0
  tags: backup

 ...
--- a/roles/backup/templates/sudo.j2
+++ b/roles/backup/templates/sudo.j2
@@ -0,0 +1,2 @@
 Defaults:lbkp !requiretty
 lbkp ALL=(root) NOPASSWD: {{ backup_sudo_commands | join(',') }}
--- a/roles/backuppc/defaults/main.yml
+++ b/roles/backuppc/defaults/main.yml
@@ -0,0 +1,19 @@
 ---

 # You can choose either 3 or 4
 bpc_major_version: 3

 # Auth to access BackupPC. Can be basic, lemonldap, lemonldap2 or none
 bpc_auth: basic

 # List of IP address allowed
 bpc_src_ip: []

 # Should backuppc be started on boot ?
 # You might want to turn this off if for example you must unlock
 # the device on which you have your backup, and manually start backuppc after that
 bpc_enabled: True

 # Should /BackupPC aliases be added on the main vhost ?
 # You might want to, but you can also disable this and grant access only through a dedicated vhost
 bpc_alias_on_main_vhost: True
--- a/roles/backuppc/handlers/main.yml
+++ b/roles/backuppc/handlers/main.yml
@@ -0,0 +1,5 @@
 ---

 - include: ../httpd_common/handlers/main.yml

 ...
--- a/roles/backuppc/meta/main.yml
+++ b/roles/backuppc/meta/main.yml
@@ -0,0 +1,3 @@
 ---
 dependencies:
  - { role: httpd_front }
--- a/roles/backuppc/tasks/main.yml
+++ b/roles/backuppc/tasks/main.yml
@@ -0,0 +1,48 @@
 ---

 - name: Install BackupPC 4
  yum:
    name:
      - BackupPC4
      - fuse-backuppcfs4
  when: bpc_major_version == 4
  tags: bpc

 - name: Install BackupPC 3
  yum:
    name:
      - BackupPC
      - fuse-backuppcfs
  when: bpc_major_version != 4
  tags: bpc

 - name: Install tools
  yum:
    name:
      - rsync
      - tar
      - samba-client
      - openssh-clients
      - BackupPC-server-scripts
      - fuse-chunkfs
  tags: bpc

 - name: Deploy httpd conf
  template: src=httpd.conf.j2 dest=/etc/httpd/ansible_conf.d/40-BackupPC.conf
  notify: reload httpd
  tags: bpc

 - name: Deploy sudo config
  template: src=sudoers.j2 dest=/etc/sudoers.d/backuppc mode=0400
  tags: bpc

 - name: Create SSH Key
  user:
    name: backuppc
    generate_ssh_key: yes
    ssh_key_bits: 4096
  tags: bpc

 - name: Start and enable the service
  service: name=backuppc state=started enabled={{ bpc_enabled }}
  tags: bpc
--- a/roles/backuppc/templates/httpd.conf.j2
+++ b/roles/backuppc/templates/httpd.conf.j2
@@ -0,0 +1,25 @@
 <Directory /usr/share/BackupPC/>
  SSLRequireSSL on
 {% if bpc_auth == "lemonldap" %}
  PerlHeaderParserHandler Lemonldap::NG::Handler
 {% elif bpc_auth == "lemonldap2" %}
  PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2
 {% elif bpc_auth == "basic" %}
  AuthType Basic
  AuthUserFile /etc/BackupPC/apache.users
  AuthName "BackupPC"
  Require valid-user
 {% endif %}

 {% if bpc_src_ip | length < 1 %}
  Require all denied
 {% else %}
  Require ip {{ bpc_src_ip | join(' ') }}
 {% endif %}
 </Directory>

 {% if bpc_auth != False and bpc_auth != 'none' and bpc_alias_on_main_vhost == True %}
 Alias           /BackupPC/images        /usr/share/BackupPC/html/
 ScriptAlias     /BackupPC               /usr/share/BackupPC/sbin/BackupPC_Admin
 ScriptAlias     /backuppc               /usr/share/BackupPC/sbin/BackupPC_Admin
 {% endif %}
--- a/roles/backuppc/templates/sudoers.j2
+++ b/roles/backuppc/templates/sudoers.j2
@@ -0,0 +1,3 @@
 Defaults:backuppc !requiretty
 Cmnd_Alias BACKUPPC = /usr/bin/rsync, /bin/tar, /bin/gtar, /usr/local/bin/pre-backup, /usr/local/bin/post-backup, /usr/bin/virt-backup
 backuppc ALL=(root) NOPASSWD: BACKUPPC
--- a/roles/bitwarden_rs/defaults/main.yml
+++ b/roles/bitwarden_rs/defaults/main.yml
@@ -0,0 +1,45 @@
 ---

 bitwarden_version: 1.14.2
 bitwarden_archive_url: https://github.com/dani-garcia/bitwarden_rs/archive/{{ bitwarden_version }}.tar.gz
 bitwarden_archive_sha1: 1bb75b6ab11371ab60380ef19151ebd9410de4ef

 bitwarden_web_version: 2.13.2b
 bitwarden_web_archive_url: https://github.com/dani-garcia/bw_web_builds/releases/download/v{{ bitwarden_web_version }}/bw_web_v{{ bitwarden_web_version }}.tar.gz
 bitwarden_web_archive_sha1: df6f280731b852b31c3d938bfa1733140be9abb5

 bitwarden_root_dir: /opt/bitwarden_rs
 bitwarden_user: bitwarden_rs

 # Database : can be sqlite or mysql
 bitwarden_db_engine: sqlite
 bitwarden_db_server: "{{ mysql_server | default('localhost') }}"
 bitwarden_db_port: 3306
 bitwarden_db_name: bitwardenrs
 bitwarden_db_user: bitwardenrs
 # A random one will be created if not defined
 # bitwaren_db_pass: S3cr3t.

 # Port on which bitwarden will bind
 bitwarden_http_port: 8000
 bitwarden_ws_port: 8001
 # List of IP addresses (can be CIDR notation) which will be able to
 # access bitwarden ports
 bitwarden_src_ip: []
 bitwarden_web_src_ip: []

 # Public URL on which bitwarden will be accessible
 bitwarden_public_url: http://{{ inventory_hostname }}:{{ bitwarden_http_port }}

 # Should registration be enabled
 bitwarden_registration: False
 # List of domain names for which registration will be accepted
 # Thos domains will be accepted for registration even if bitwarden_registration is set to False
 bitwarden_domains_whitelist:
  - "{{ ansible_domain }}"

 # Admin Token to access /admin. A random one is created if not defined
 # bitwarden_admin_token: S3cr3t.

 # Or you can just disable the admin token. But you have to protect /admin yourself (eg, on a reverse proxy)
 bitwarden_disable_admin_token: False
--- a/roles/bitwarden_rs/handlers/main.yml
+++ b/roles/bitwarden_rs/handlers/main.yml
@@ -0,0 +1,5 @@
 ---

 - name: restart bitwarden_rs
  service: name=bitwarden_rs state=restarted
  when: not bitwarden_started.changed
--- a/roles/bitwarden_rs/meta/main.yml
+++ b/roles/bitwarden_rs/meta/main.yml
@@ -0,0 +1,7 @@
 ---

 dependencies:
  - role: rust
  - role: nginx
  - role: mysql_server
    when: bitwarden_db_engine == 'mysql' and (bitwarden_db_server == 'localhost' or bitwarden_db_server == '127.0.0.1')
--- a/roles/bitwarden_rs/tasks/archive_post.yml
+++ b/roles/bitwarden_rs/tasks/archive_post.yml
@@ -0,0 +1,12 @@
 ---

 - name: Compress previous version
  command: tar cJf {{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }}.txz ./
  args:
    warn: False
    chdir: "{{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }}"
  tags: bitwarden

 - name: Remove archive dir
  file: path={{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }} state=absent
  tags: bitwarden
--- a/roles/bitwarden_rs/tasks/archive_pre.yml
+++ b/roles/bitwarden_rs/tasks/archive_pre.yml
@@ -0,0 +1,23 @@
 ---

 - name: Create archive dir
  file: path={{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }} state=directory
  tags: bitwarden

 - name: Stop bitwarden during upgrade
  service: name=bitwarden_rs state=stopped
  tags: bitwarden

 - name: Archive current version
  synchronize:
    src: "{{ bitwarden_root_dir }}/{{ item }}"
    dest: "{{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }}/"
    recursive: True
    delete: True
  delegate_to: "{{ inventory_hostname }}"
  loop:
    - bitwarden_rs
    - data
    - etc
    - web-vault
  tags: bitwarden
--- a/roles/bitwarden_rs/tasks/cleanup.yml
+++ b/roles/bitwarden_rs/tasks/cleanup.yml
@@ -0,0 +1,8 @@
 ---

 - name: Remove temp files
  files: path={{ item }} state=absent
  loop:
    - "{{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}"
    - "{{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}.tar.gz"
  tags: bitwarden
--- a/roles/bitwarden_rs/tasks/conf.yml
+++ b/roles/bitwarden_rs/tasks/conf.yml
@@ -0,0 +1,11 @@
 ---

 - name: Deploy configuration
  template: src=bitwarden_rs.conf.j2 dest={{ bitwarden_root_dir }}/etc/bitwarden_rs.conf group={{ bitwarden_user }} mode=640
  notify: restart bitwarden_rs
  tags: bitwarden

 - name: Deploy nginx configuration
  template: src=nginx.conf.j2 dest=/etc/nginx/ansible_conf.d/31-bitwarden.conf
  notify: reload nginx
  tags: bitwarden
--- a/roles/bitwarden_rs/tasks/directories.yml
+++ b/roles/bitwarden_rs/tasks/directories.yml
@@ -0,0 +1,24 @@
 ---

 - name: Create directories
  file: path={{ bitwarden_root_dir }}/{{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
  loop:
    - dir: /
      mode: 755
    - dir: etc
      group: "{{ bitwarden_user }}"
      mode: 750
    - dir: tmp
      mode: 700
    - dir: meta
      mode: 700
    - dir: archives
      mode: 700
    - dir: data
      owner: "{{ bitwarden_user }}"
      group: "{{ bitwarden_user }}"
      mode: 700
    - dir: web-vault
    - dir: backup
      mode: 700
  tags: bitwarden
--- a/roles/bitwarden_rs/tasks/facts.yml
+++ b/roles/bitwarden_rs/tasks/facts.yml
@@ -0,0 +1,67 @@
 ---

 - name: Set initial install modes
  block:
    - set_fact: bitwarden_install_mode='none'
    - set_fact: bitwarden_current_version=''
    - set_fact: bitwarden_web_install_mode='none'
    - set_fact: bitwarden_web_current_version=''
  tags: bitwarden

 - name: Check if server is installed
  stat: path={{ bitwarden_root_dir }}/meta/ansible_version
  register: bitwarden_version_file
  tags: bitwarden

 - when: bitwarden_version_file.stat.exists
  block:
    - name: Check installed version
      slurp: src={{ bitwarden_root_dir }}/meta/ansible_version
      register: bitwarden_current_version
    - set_fact: bitwarden_current_version={{ bitwarden_current_version.content | b64decode | trim }}
    - set_fact: bitwarden_install_mode='upgrade'
      when: bitwarden_current_version != bitwarden_version
  tags: bitwarden

 - when: not bitwarden_version_file.stat.exists
  block:
    - set_fact: bitwarden_install_mode='install'
  tags: bitwarden

 - name: Check if web vault is installed
  stat: path={{ bitwarden_root_dir }}/meta/ansible_web_version
  register: bitwarden_web_version_file
  tags: bitwarden

 - when: bitwarden_web_version_file.stat.exists
  block:
    - name: Check installed version
      slurp: src={{ bitwarden_root_dir }}/meta/ansible_web_version
      register: bitwarden_web_current_version
    - set_fact: bitwarden_web_current_version={{ bitwarden_web_current_version.content | b64decode | trim }}
    - set_fact: bitwarden_web_install_mode='upgrade'
      when: bitwarden_web_current_version != bitwarden_web_version
  tags: bitwarden

 - when: not bitwarden_web_version_file.stat.exists
  block:
    - set_fact: bitwarden_web_install_mode='install'
  tags: bitwarden

 - when: bitwarden_admin_token is not defined
  name: Generate a random admin token
  block:
    - import_tasks: ../includes/get_rand_pass.yml
      vars:
        - pass_file: "{{ bitwarden_root_dir }}/meta/ansible_admin_token"
    - set_fact: bitwarden_admin_token={{ rand_pass }}
  tags: bitwarden

 - when: bitwarden_db_pass is not defined
  tags: bitwarden
  block:
    - import_tasks: ../includes/get_rand_pass.yml
      vars:
        - pass_file: "{{ bitwarden_root_dir }}/meta/ansible_dbpass"
    - set_fact: bitwarden_db_pass={{ rand_pass }}

--- a/roles/bitwarden_rs/tasks/install.yml
+++ b/roles/bitwarden_rs/tasks/install.yml
@@ -0,0 +1,97 @@
 ---

 - name: Install needed packages
  yum:
    name:
      - openssl-devel
      - gcc
      - sqlite
  tags: bitwarden

 - name: Check if MariaDB version is set
  fail: msg="Need to define mysql_mariadb_version"
  when:
    - bitwarden_db_engine == 'mysql'
    - mysql_mariadb_version is not defined or mysql_mariadb_version == 'default'
  tags: bitwarden

 - name: Install MariaDB devel package
  yum:
    name:
      - MariaDB-devel
      - /usr/lib64/libmariadb.so
  when: bitwarden_db_engine == 'mysql'
  tags: bitwarden

 - when: bitwarden_install_mode != 'none'
  tags: bitwarden
  block:
    - name: Download bitwarden
      get_url:
        url: "{{ bitwarden_archive_url }}"
        dest: "{{ bitwarden_root_dir }}/tmp"
        checksum: sha1:{{ bitwarden_archive_sha1 }}

    - name: Extract bitwarden archive
      unarchive:
        src: "{{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}.tar.gz"
        dest: "{{ bitwarden_root_dir }}/tmp"
        remote_src: True
  
    - name: Build bitwarden
      command: bash -lc 'cargo build --features={{ (bitwarden_db_engine == "mysql") | ternary("mysql","sqlite") }} --release'
      args:
        chdir: "{{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}"

    - name: Install binary
      copy: src={{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}/target/release/bitwarden_rs dest="{{ bitwarden_root_dir }}/" mode=755 remote_src=True
      notify: restart bitwarden_rs

 - when: bitwarden_web_install_mode != 'none'
  tags: bitwarden
  block:
    - name: Download bitwarden web vault
      get_url:
       url: "{{ bitwarden_web_archive_url }}"
       dest: "{{ bitwarden_root_dir }}/tmp"
       checksum: sha1:{{ bitwarden_web_archive_sha1 }}

    - name: Extract the archive
      unarchive:
        src: "{{ bitwarden_root_dir }}/tmp/bw_web_v{{ bitwarden_web_version }}.tar.gz"
        dest: "{{ bitwarden_root_dir }}/tmp"
        remote_src: True

    - name: Move files to their final location
      synchronize:
        src: "{{ bitwarden_root_dir }}/tmp/web-vault/"
        dest: "{{ bitwarden_root_dir }}/web-vault/"
        recursive: True
        delete: True
      delegate_to: "{{ inventory_hostname }}"

 - name: Install systemd unit
  template: src=bitwarden_rs.service.j2 dest=/etc/systemd/system/bitwarden_rs.service
  register: bitwarden_unit
  tags: bitwarden

 - name: Reload systemd
  systemd: daemon_reload=True
  when: bitwarden_unit.changed
  tags: bitwarden

 - name: Install pre/post backup hooks
  template: src={{ item }}-backup.sh.j2 dest=/etc/backup/{{ item }}.d/bitwarden_rs.sh mode=755
  loop:
    - pre
    - post
  tags: bitwarden

 - import_tasks: ../includes/webapps_create_mysql_db.yml
  vars:
    - db_name: "{{ bitwarden_db_name }}"
    - db_user: "{{ bitwarden_db_user }}"
    - db_server: "{{ bitwarden_db_server }}"
    - db_pass: "{{ bitwarden_db_pass }}"
  when: bitwarden_db_engine == 'mysql'
  tags: bitwarden
--- a/roles/bitwarden_rs/tasks/iptables.yml
+++ b/roles/bitwarden_rs/tasks/iptables.yml
@@ -0,0 +1,9 @@
 ---

 - name: Handle bitwarden_rs ports in the firewall
  iptables_raw:
    name: bitwarden_rs
    state: "{{ (bitwarden_src_ip | length > 0) | ternary('present','absent') }}"
    rules: "-A INPUT -m state --state NEW -m multiport -p tcp --dports {{ bitwarden_http_port }},{{ bitwarden_ws_port }} -s {{ bitwarden_src_ip | join(',') }} -j ACCEPT"
  when: iptables_manage | default(True)
  tags: firewall,bitwarden
--- a/roles/bitwarden_rs/tasks/main.yml
+++ b/roles/bitwarden_rs/tasks/main.yml
@@ -0,0 +1,14 @@
 ---

 - include: user.yml
 - include: directories.yml
 - include: facts.yml
 - include: archive_pre.yml
  when: bitwarden_install_mode == 'upgrade' or bitwarden_web_install_mode == 'upgrade'
 - include: install.yml
 - include: conf.yml
 - include: iptables.yml
 - include: service.yml
 - include: write_version.yml
 - include: archive_post.yml
  when: bitwarden_install_mode == 'upgrade' or bitwarden_web_install_mode == 'upgrade'
--- a/roles/bitwarden_rs/tasks/service.yml
+++ b/roles/bitwarden_rs/tasks/service.yml
@@ -0,0 +1,6 @@
 ---

 - name: Start and enable the service
  service: name=bitwarden_rs state=started enabled=True
  register: bitwarden_started
  tags: bitwarden
--- a/roles/bitwarden_rs/tasks/user.yml
+++ b/roles/bitwarden_rs/tasks/user.yml
@@ -0,0 +1,5 @@
 ---

 - name: Create bitwarden_rs user
  user: name={{ bitwarden_user }} home={{ bitwarden_root_dir }} system=True
  tags: bitwarden
--- a/roles/bitwarden_rs/tasks/write_version.yml
+++ b/roles/bitwarden_rs/tasks/write_version.yml
@@ -0,0 +1,10 @@
 ---

 - name: Write versions
  copy: content={{ item.version }} dest={{ bitwarden_root_dir }}/meta/{{ item.file }}
  loop:
    - version: "{{ bitwarden_version }}"
      file: ansible_version
    - version: "{{ bitwarden_web_version }}"
      file: ansible_web_version
  tags: bitwarden
--- a/roles/bitwarden_rs/templates/bitwarden_rs.conf.j2
+++ b/roles/bitwarden_rs/templates/bitwarden_rs.conf.j2
@@ -0,0 +1,25 @@
 IP_HEADER=X-Forwarded-For
 SIGNUPS_VERIFY=true
 SIGNUPS_ALLOWED={{ bitwarden_registration | ternary('true','false') }}
 {% if bitwarden_domains_whitelist | length > 0 %}
 SIGNUPS_DOMAINS_WHITELIST={{ bitwarden_domains_whitelist | join(',') }}
 {% endif %}
 ADMIN_TOKEN={{ bitwarden_admin_token }}
 DISABLE_ADMIN_TOKEN={{ bitwarden_disable_admin_token | ternary('true','false') }}
 DOMAIN={{ bitwarden_public_url }}
 ROCKET_ENV=prod
 ROCKET_ADDRESS=0.0.0.0
 ROCKET_PORT={{ bitwarden_http_port }}
 WEBSOCKET_ENABLED=true
 WEBSOCKET_PORT={{ bitwarden_ws_port }}
 SMTP_HOST=localhost
 SMTP_PORT=25
 SMTP_SSL=false
 SMTP_FROM=bitwarden-rs-noreply@{{ ansible_domain }}
 {% if bitwarden_db_engine == 'mysql' %}
 DATABASE_URL=mysql://{{ bitwarden_db_user }}:{{ bitwarden_db_pass | urlencode | regex_replace('/','%2F') }}@{{ bitwarden_db_server }}:{{ bitwarden_db_port }}/{{ bitwarden_db_name }}
 ENABLE_DB_WAL=false
 {% else %}
 DATABASE_URL=data/db.sqlite3
 {% endif %}
 # vim: syntax=ini
--- a/roles/bitwarden_rs/templates/bitwarden_rs.service.j2
+++ b/roles/bitwarden_rs/templates/bitwarden_rs.service.j2
@@ -0,0 +1,27 @@
 [Unit]
 Description=Bitwarden Server (Rust Edition)
 Documentation=https://github.com/dani-garcia/bitwarden_rs
 After=network.target
 {% if bitwarden_db_engine == 'mysql' and (bitwarden_db_server == 'localhost' or bitwarden_db_server == '127.0.0.1') %}
 After=mariadb.service
 Requires=mariadb.service
 {% endif %}

 [Service]
 User={{ bitwarden_user }}
 Group={{ bitwarden_user }}
 EnvironmentFile={{ bitwarden_root_dir }}/etc/bitwarden_rs.conf
 ExecStart={{ bitwarden_root_dir }}/bitwarden_rs
 PrivateTmp=true
 PrivateDevices=true
 ProtectHome=true
 ProtectSystem=full
 WorkingDirectory={{ bitwarden_root_dir }}
 ReadWriteDirectories={{ bitwarden_root_dir }}/data
 ReadOnlyDirectories={{ bitwarden_root_dir }}/etc {{ bitwarden_root_dir }}/web-vault
 Restart=on-failure
 StartLimitInterval=0
 RestartSec=30

 [Install]
 WantedBy=multi-user.target
--- a/roles/bitwarden_rs/templates/nginx.conf.j2
+++ b/roles/bitwarden_rs/templates/nginx.conf.j2
@@ -0,0 +1,71 @@
 server {
  listen 443 ssl http2;
  server_name {{ bitwarden_public_url | urlsplit('hostname') }};

  include /etc/nginx/ansible_conf.d/acme.inc;

 {% if bitwarden_cert_path is defined and bitwarden_key_path is defined %}
  ssl_certificate     {{ bitwarden_cert_path }};
  ssl_certificate_key {{ bitwarden_key_path }};
 {% elif bitwarden_letsencrypt_cert is defined and bitwarden_letsencrypt_cert == True %}
  ssl_certificate     /var/lib/dehydrated/certificates/certs/{{ bitwarden_public_url | urlsplit('hostname') }}/fullchain.pem;
  ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ bitwarden_public_url | urlsplit('hostname') }}/privkey.pem;
 {% elif bitwarden_letsencrypt_cert is string %}
  ssl_certificate     /var/lib/dehydrated/certificates/certs/{{ bitwarden_letsencrypt_cert }}/fullchain.pem;
  ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ bitwarden_letsencrypt_cert }}/privkey.pem;
 {% endif %}

  server_name {{ bitwarden_public_url | urlsplit('hostname') }};

  root {{ bitwarden_root_dir }}/web-vault;

  client_max_body_size 512M;

  if ($request_method !~ ^(GET|POST|HEAD|PUT|DELETE)$ ) {
    return 405;
  }

  location /notifications/hub {
    proxy_pass http://localhost:{{ bitwarden_ws_port }};
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }
  location /notifications/hub/negotiate {
    proxy_pass http://localhost:{{ bitwarden_http_port }};
  }

  location @proxy {
    proxy_pass http://localhost:{{ bitwarden_http_port }};
  }

  location / {
    try_files $uri $uri/index.html @proxy;
  }

  add_header X-Frame-Options "DENY";
  add_header X-Content-Type-Options "nosniff";
  add_header X-XSS-Protection "1; mode=block";
  add_header Strict-Transport-Security "$hsts_header";

  # Send info about the original request to the backend
  proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for";
  proxy_set_header X-Real-IP "$remote_addr";
  proxy_set_header X-Forwarded-Proto "$scheme";
  proxy_set_header X-Forwarded-Host "$host";
  proxy_set_header Host "$host";

  # Set the timeout to read responses from the backend
  proxy_read_timeout 60s;

  # Enable Keep Alive to the backend
  proxy_socket_keepalive on;

  # Disable buffering large files
  proxy_max_temp_file_size 5m;

  allow 127.0.0.1;
 {% for ip in bitwarden_web_src_ip %}
  allow {{ ip }};
 {% endfor %}
  deny all;
 }
--- a/roles/bitwarden_rs/templates/post-backup.sh.j2
+++ b/roles/bitwarden_rs/templates/post-backup.sh.j2
@@ -0,0 +1,4 @@
 #!/bin/bash -e

 rm -f {{ bitwarden_root_dir }}/backup/*
 umount /home/lbkp/bitwarden
--- a/roles/bitwarden_rs/templates/pre-backup.sh.j2
+++ b/roles/bitwarden_rs/templates/pre-backup.sh.j2
@@ -0,0 +1,17 @@
 #!/bin/bash -e

 mkdir -p /home/lbkp/bitwarden_rs/
 cp {{ bitwarden_root_dir }}/data/rsa* {{ bitwarden_root_dir }}/backup/
 {% if bitwarden_db_engine == 'mysql' %}
 /usr/bin/mysqldump \
 {% if bitwarden_db_server != 'localhost' and bitwarden_db_server != '127.0.0.1' %}
 	--user='{{ bitwarden_db_user }}' \
        --password='{{ bitwarden_db_pass }}' \
        --host='{{ bitwarden_db_server }}' \
 {% endif %}
        --quick --single-transaction \
        --add-drop-table {{ bitwarden_db_name }} | zstd -T0 -c > {{ bitwarden_root_dir }}/backup/{{ bitwarden_db_name }}.sql.zstd
 {% else %}
 sqlite3 {{ bitwarden_root_dir }}/data/db.sqlite3 ".backup '{{ bitwarden_root_dir }}/backup/db.sqlite3'"
 {% endif %}
 mount -o bind,ro {{ bitwarden_root_dir }}/backup/ /home/lbkp/bitwarden_rs/
--- a/roles/bluemind/defaults/main.yml
+++ b/roles/bluemind/defaults/main.yml
@@ -0,0 +1,117 @@
 ---

 bm_http_ports:
  - 80
  - 443
 bm_http_src_ip:
  - 0.0.0.0/0

 bm_imap_ports:
  - 143
  - 993
 bm_imap_src_ip:
  - 0.0.0.0/0

 bm_pop_ports:
  - 110
  - 995
 bm_pop_src_ip:
  - 0.0.0.0/0

 bm_smtp_ports:
  - 25
  - 465
  - 587
 bm_smtp_src_ip:
  - 0.0.0.0/0

 bm_milter_ports:
  - 2500
 bm_milter_src:ip: []

 bm_int_ports:
  - 24
  - 144
  - 1110
  - 1143
  - 2000
  - 2400
  - 2500
  - 4444
  - 5280
  - 5290
  - 5432
  - '5701:5715'
  - 8021
  - 8022
  - 8079
  - 8080
  - 8082
  - 8084
  - 8087
  - 9083
  - 9086
  - 9090
  - 9099
  - 9200
  - 9300
 bm_int_src_ip: []

 # bm_letsencrypt_cert: bluemind.domain.tld

 bm_mem_alloc_base:
  bm-core:
    heap: 512
    direct: 512
    spare: 20
  bm-node:
    heap: 128
    direct: 128
    spare: 0
  bm-eas:
    heap: 256
    direct: 128
    spare: 2
  bm-mapi:
    heap: 512
    direct: 256
    spare: 10
  bm-ips:
    heap: 64
    direct: 64
    spare: 0
  bm-hps:
    heap: 128
    direct: 128
    spare: 0
  bm-lmtpd:
    heap: 128
    direct: 128
    spare: 0
  bm-locator:
    heap: 64
    direct: 64
    spare: 0
  bm-milter:
    heap: 64
    direct: 64
    spare: 0
  bm-tika:
    heap: 128
    direct: 128
    spare: 0
  bm-xmpp:
    heap: 32
    direct: 32
    spare: 0
  bm-ysnp:
    heap: 64
    direct: 64
    spare: 0
  bm-elasticsearch:
    heap: 512
    direct: 512
    spare: 20
 bm_mem_alloc: {}
 bm_mem_alloc_rules: "{{ bm_mem_alloc_base | combine(bm_mem_alloc, recursive=True) }}"

--- a/roles/bluemind/handlers/main.yml
+++ b/roles/bluemind/handlers/main.yml
@@ -0,0 +1,4 @@
 ---

 - name: restart bluemind
  command: bmctl restart
--- a/roles/bluemind/tasks/main.yml
+++ b/roles/bluemind/tasks/main.yml
@@ -0,0 +1,118 @@
 ---

 - name: Install tools
  yum:
    name:
      - socat
  tags: bm

 - name: Create dehydrated hook dir
  file: path=/etc/dehydrated/hooks_deploy_cert.d state=directory
  tags: bm

 - name: Deploy dehydrated hook
  template: src=dehydrated_deploy_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/bluemind mode=755
  tags: bm

 - name: Create local conf directory
  file: path=/etc/bm/local state=directory
  tags: bm

 - name: Configure proxy
  lineinfile:
    regex: '^PROXY_OPTS=.*'
    line: "PROXY_OPTS=\"{{ (system_proxy is defined and system_proxy != '') | ternary('-Dhttps.proxyHost=' ~ system_proxy | urlsplit('hostname') ~ ' -Dhttps.proxyPort=' ~ system_proxy | urlsplit('port') ~ ' -Dhttp.proxyHost=' ~ system_proxy | urlsplit('hostname') ~ ' -Dhttp.proxyPort=' ~ system_proxy | urlsplit('port'),'') }}\""
    path: /etc/bm/local/{{ item }}.ini
    create: True
  loop:
    - bm-core
    - bm-webserver
  notify: restart bluemind
  tags: bm

 - name: Configure JVM options
  lineinfile:
    regex: '^JVM_OPTS=.*'
    line: "JVM_OPTS=\"${PROXY_OPTS}\""
    path: /etc/bm/local/{{ item }}.ini
    insertafter: '^PROXY_OPTS=.*'
  loop:
    - bm-core
    - bm-webserver
  notify: restart bluemind
  tags: bm

 - name: Configure memory allocation rules
  template: src=rules.json.j2 dest=/etc/bm/local/rules.json
  notify: restart bluemind
  tags: bm

 - set_fact:
    bm_restart_services: "[ 'bm-elasticsearch', 'bm-mapi' ]"
  tags: bm

 - name: Create systemd unit snippet dirs
  file: path=/etc/systemd/system/{{ item }}.service.d state=directory
  loop: "{{ bm_restart_services }}"
  tags: bm

 - name: Configure systemd to restart services on failure
  copy:
    content: |
      [Service]
      TimeoutSec=60
      StartLimitInterval=0
      RestartSec=1
      Restart=on-failure
    dest: /etc/systemd/system/{{ item }}.service.d/restart.conf
  loop: "{{ bm_restart_services }}"
  register: bm_units
  notify: restart bluemind
  tags: bm

 - name: Reload systemd
  systemd: daemon_reload=True
  when: bm_units.results | selectattr('changed','equalto',True) | list | length > 0
  tags: bm

 - name: Handle firewall ports
  iptables_raw:
    name: "{{ item.name }}"
    state: "{{ (item.src | length > 0) | ternary('present','absent') }}"
    rules: "{% if 'tcp' in item.proto | default(['tcp']) or item.proto | default('tcp') == 'tcp' %}-A INPUT -m state --state NEW -p tcp -m multiport --dports {{ item.ports | join(',') }} -s {{ item.src | join(',') }} -j ACCEPT\n{% endif %}
            {% if 'udp' in item.proto | default(['tcp']) or item.proto | default('tcp') == 'udp' %}-A INPUT -m state --state NEW -p udp -m multiport --dports {{ item.ports | join(',') }} -s {{ item.src | join(',') }} -j ACCEPT{% endif %}"
  when: iptables_manage | default(True)
  with_items:
    - ports: "{{ bm_http_ports }}"
      name: bm_http_ports
      src: "{{ bm_http_src_ip }}"
    - ports: "{{ bm_imap_ports }}"
      name: bm_imap_ports
      src: "{{ bm_imap_src_ip }}"
    - ports: "{{ bm_pop_ports }}"
      name: bm_pop_ports
      src: "{{ bm_pop_src_ip }}"
    - ports: "{{ bm_smtp_ports }}"
      name: bm_smtp_ports
      src: "{{ bm_smtp_src_ip }}"
    - ports: "{{ bm_milter_ports }}"
      name: bm_milter_ports
      src: "{{ bm_milter_src_ip }}"
    - ports: "{{ bm_int_ports }}"
      name: bm_int_ports
      src: "{{ bm_int_src_ip }}"
  tags: bm,firewall

 - name: Create pre/post backup hook dir
  file: path=/etc/backup/{{ item }}.d state=directory mode=750
  loop:
    - pre
    - post
  tags: bm

 - name: Deploy pre and post backup script
  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/bluemind mode=755
  loop:
    - pre
    - post
  tags: bm
--- a/roles/bluemind/templates/bm-core.log.xml.j2
+++ b/roles/bluemind/templates/bm-core.log.xml.j2
@@ -0,0 +1,53 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <configuration>
  <appender name="CORE" class="ch.qos.logback.classic.net.SyslogAppender">
    <syslogHost>localhost</syslogHost>
    <port>10514</port>
    <facility>DAEMON</facility>
    <suffixPattern>bm-core - [%thread] %c{1} %p - %m\n</suffixPattern>
  </appender>
  <logger name="org.apache.directory.shared" level="ERROR" />
  <root level="INFO">
    <appender-ref ref="CORE" />
  </root>

  <appender name="XMPP" class="ch.qos.logback.classic.net.SyslogAppender">
    <syslogHost>localhost</syslogHost>
    <port>10514</port>
    <facility>DAEMON</facility>
    <suffixPattern>bm-xmpp - [%thread] %c{1} %p - %m\n</suffixPattern>
  </appender>
  <logger name="net.bluemind.xmpp" level="INFO" additivity="false" />
    <appender-ref ref="XMPP" />
  </logger>

  <appender name="MAILINDEX" class="ch.qos.logback.classic.net.SyslogAppender">
    <syslogHost>localhost</syslogHost>
    <port>10514</port>
    <facility>DAEMON</facility>
    <suffixPattern>bm-mailindex - [%thread] %c{1} %p - %m\n</suffixPattern>
  </appender>
  <logger name="net.bluemind.index.mail" level="INFO" additivity="false" />
    <appender-ref ref="MAILINDEX" />
  </logger>

  <appender name="SLOWRESTCALL" class="ch.qos.logback.classic.net.SyslogAppender">
    <syslogHost>localhost</syslogHost>
    <port>10514</port>
    <facility>DAEMON</facility>
    <suffixPattern>bm-slowrestcall - [%thread] %c{1} %p - %m\n</suffixPattern>
  </appender>
  <logger name="net.bluemind.core.rest.log.CallLogger" level="WARN" additivity="false" />
    <appender-ref ref="SLOWRESTCALL" />
  </logger>

  <appender name="RESTSOCKJSPROXYHANDLER" class="ch.qos.logback.classic.net.SyslogAppender">
    <syslogHost>localhost</syslogHost>
    <port>10514</port>
    <facility>DAEMON</facility>
    <suffixPattern>bm-js - [%thread] %c{1} %p - %m\n</suffixPattern>
  </appender>
  <logger name="net.bluemind.core.rest.sockjs.vertx.RestSockJsProxyHandler" level="INFO" additivity="false" />
    <appender-ref ref="RESTSOCKJSPROXYHANDLER" />
  </logger>
 </configuration>
--- a/roles/bluemind/templates/bm-eas.log.xml.j2
+++ b/roles/bluemind/templates/bm-eas.log.xml.j2
@@ -0,0 +1,59 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <configuration>
  <appender name="ALL" class="ch.qos.logback.classic.net.SyslogAppender">
    <syslogHost>localhost</syslogHost>
    <port>10514</port>
    <facility>DAEMON</facility>
    <suffixPattern>bm-eas - [%thread] %c{1} %p - %m\n</suffixPattern>
  </appender>

  <appender name="REQUESTS" class="ch.qos.logback.classic.net.SyslogAppender">
    <syslogHost>localhost</syslogHost>
    <port>10514</port>
    <facility>DAEMON</facility>
    <suffixPattern>bm-eas-requests - [%thread] %c{1} %p - %m\n</suffixPattern>
  </appender>

  <appender name="SIFT" class="ch.qos.logback.classic.sift.SiftingAppender">
    <!-- in the absence of the class attribute, it is assumed that the
         desired discriminator type is
         ch.qos.logback.classic.sift.MDCBasedDiscriminator -->
    <discriminator>
      <key>user</key>
      <defaultValue>anonymous</defaultValue>
    </discriminator>
    <sift>
      <appender name="FILE-${user}" class="ch.qos.logback.core.rolling.RollingFileAppender">
        <file>/var/log/bm-eas/user-eas-${user}.log</file>
        <rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy">
          <maxIndex>10</maxIndex>
          <FileNamePattern>/var/log/bm-eas/user-eas-${user}.log.%i.gz</FileNamePattern>
        </rollingPolicy>
        <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
          <MaxFileSize>5000KB</MaxFileSize>
        </triggeringPolicy>
        <encoder>
          <pattern>%d [%thread] %c{1} %p - %m\n</pattern>
        </encoder>
      </appender>
    </sift>
  </appender>

  <appender name="ASYNC_SIFT" class="ch.qos.logback.classic.AsyncAppender">
    <queueSize>500</queueSize>
    <discardingThreshold>0</discardingThreshold>
    <appender-ref ref="SIFT" />
  </appender>

  <logger name="org.apache.directory.shared.asn1.ber" level="ERROR">
    <appender-ref ref="ALL"/>
  </logger>
  <logger name="net.bluemind.vertx.common.request.impl.WrappedResponse" level="INFO" additivity="true">
    <appender-ref ref="REQUESTS"/>
  </logger>

  <root level="INFO">
    <appender-ref ref="ALL"/>
    <appender-ref ref="ASYNC_SIFT"/>
  </root>
 </configuration>
--- a/roles/bluemind/templates/bm-hps.log.xml.j2
+++ b/roles/bluemind/templates/bm-hps.log.xml.j2
@@ -0,0 +1,12 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <configuration>
  <appender name="SYSLOG" class="ch.qos.logback.classic.net.SyslogAppender">
    <syslogHost>localhost</syslogHost>
    <port>10514</port>
    <facility>DAEMON</facility>
    <suffixPattern>bm-hps - [%thread] %c{1} %p - %m\n</suffixPattern>
  </appender>
  <root level="INFO">
    <appender-ref ref="SYSLOG" />
  </root>
 </configuration>
--- a/roles/bluemind/templates/bm-ips.log.xml.j2
+++ b/roles/bluemind/templates/bm-ips.log.xml.j2
@@ -0,0 +1,12 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <configuration>
  <appender name="SYSLOG" class="ch.qos.logback.classic.net.SyslogAppender">
    <syslogHost>localhost</syslogHost>
    <port>10514</port>
    <facility>DAEMON</facility>
    <suffixPattern>bm-ips - [%thread] %c{1} %p - %m\n</suffixPattern>
  </appender>
  <root level="INFO">
    <appender-ref ref="SYSLOG" />
  </root>
 </configuration>
--- a/roles/bluemind/templates/bm-lmtp.log.xml.j2
+++ b/roles/bluemind/templates/bm-lmtp.log.xml.j2
@@ -0,0 +1,12 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <configuration>
  <appender name="SYSLOG" class="ch.qos.logback.classic.net.SyslogAppender">
    <syslogHost>localhost</syslogHost>
    <port>10514</port>
    <facility>DAEMON</facility>
    <suffixPattern>bm-lmtp - [%thread] %c{1} %p - %m\n</suffixPattern>
  </appender>
  <root level="INFO">
    <appender-ref ref="SYSLOG" />
  </root>
 </configuration>
--- a/roles/bluemind/templates/bm-locator.log.xml.j2
+++ b/roles/bluemind/templates/bm-locator.log.xml.j2
@@ -0,0 +1,13 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <configuration>
  <appender name="SYSLOG" class="ch.qos.logback.classic.net.SyslogAppender">
    <syslogHost>localhost</syslogHost>
    <port>10514</port>
    <facility>DAEMON</facility>
    <suffixPattern>bm-locator - [%thread] %c{1} %p - %m\n</suffixPattern>
  </appender>
  <logger name="org.apache.directory.shared.asn1.ber" level="ERROR" />
  <root level="INFO">
    <appender-ref ref="SYSLOG" />
  </root>
 </configuration>
--- a/roles/bluemind/templates/bm-milter.log.xml.j2
+++ b/roles/bluemind/templates/bm-milter.log.xml.j2
@@ -0,0 +1,12 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <configuration>
  <appender name="SYSLOG" class="ch.qos.logback.classic.net.SyslogAppender">
    <syslogHost>localhost</syslogHost>
    <port>10514</port>
    <facility>DAEMON</facility>
    <suffixPattern>bm-milter - [%thread] %c{1} %p - %m\n</suffixPattern>
  </appender>
  <root level="INFO">
    <appender-ref ref="SYSLOG" />
  </root>
 </configuration>
--- a/roles/bluemind/templates/bm-node.log.xml.j2
+++ b/roles/bluemind/templates/bm-node.log.xml.j2
@@ -0,0 +1,13 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <configuration>
  <appender name="SYSLOG" class="ch.qos.logback.classic.net.SyslogAppender">
    <syslogHost>localhost</syslogHost>
    <port>10514</port>
    <facility>DAEMON</facility>
    <suffixPattern>bm-node - [%thread] %c{1} %p - %m\n</suffixPattern>
  </appender>
  <logger name="org.apache.sshd.server" level="WARN" />
  <root level="INFO">
    <appender-ref ref="SYSLOG" />
  </root>
 </configuration>
--- a/roles/bluemind/templates/bm-syslog.service.j2
+++ b/roles/bluemind/templates/bm-syslog.service.j2
@@ -0,0 +1,19 @@
 [Unit]
 Description=Bluemind syslog daemon
 After=syslog.target

 [Service]
 Type=simple
 ExecStart=/bin/socat -t0 -T0 -u -s udp4-recv:10514 stdout
 User=bm-syslog
 Group=bm-syslog
 Restart=always
 PrivateTmp=yes
 PrivateDevices=yes
 ProtectSystem=full
 ProtectHome=yes
 NoNewPrivileges=yes

 [Install]
 WantedBy=multi-user.target

--- a/roles/bluemind/templates/bm-tika.log.xml.j2
+++ b/roles/bluemind/templates/bm-tika.log.xml.j2