@ -0,0 +1,9 @@ | |||
--- | |||
- name: Update everything | |||
hosts: '*' | |||
tasks: | |||
- yum: name='*' state=latest | |||
when: ansible_os_family == 'RedHat' | |||
- apt: name='*' state=latest | |||
when: ansible_os_family == 'Debian' | |||
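Review bot: The Debian branch (`- apt: name='*' state=latest`) upgrades against whatever package index the host last fetched, because it passes no `update_cache`, unlike the Zabbix playbook in this same commit which sets `update_cache: True`. Without a refresh, `state=latest` only sees versions already in the local lists, so updates published since the last `apt-get update` are silently skipped. Suggest `- apt: name='*' state=latest update_cache=true`. `hosts: '*'` also targets every inventory host for a full upgrade; worth confirming that scope is intended rather than a group.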
@ -0,0 +1,42 @@ | |||
--- | |||
- name: Update Zabbix | |||
hosts: '*' | |||
tasks: | |||
- yum: | |||
name: | |||
- zabbix-agent | |||
- zabbix-agent-addons | |||
state: latest | |||
when: ansible_os_family == 'RedHat' | |||
notify: restart zabbix-agent | |||
- apt: | |||
name: | |||
- zabbix-agent | |||
update_cache: True | |||
state: latest | |||
when: ansible_os_family == 'Debian' | |||
notify: restart zabbix-agent | |||
- git: | |||
repo: https://git.fws.fr/fws/zabbix-agent-addons.git | |||
dest: /var/lib/zabbix/addons | |||
register: zabbix_agent_addons_git | |||
when: ansible_os_family == 'Debian' | |||
notify: restart zabbix-agent | |||
- shell: cp -af /var/lib/zabbix/addons/{{ item.src }}/* {{ item.dest }}/ | |||
with_items: | |||
- { src: zabbix_conf, dest: /etc/zabbix/zabbix_agentd.conf.d } | |||
- { src: zabbix_scripts, dest: /var/lib/zabbix/bin } | |||
- { src: lib, dest: /usr/local/lib/site_perl } | |||
when: | |||
- zabbix_agent_addons_git.changed | |||
- ansible_os_family == 'Debian' | |||
- shell: chmod +x /var/lib/zabbix/bin/* | |||
args: | |||
warn: False | |||
when: | |||
- zabbix_agent_addons_git.changed | |||
- ansible_os_family == 'Debian' | |||
handlers: | |||
- name: restart zabbix-agent | |||
service: name=zabbix-agent state=restarted |
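Review bot: The `git:` task that clones `https://git.fws.fr/fws/zabbix-agent-addons.git` into `/var/lib/zabbix/addons` pins no `version:`, so every run tracks the remote default-branch head, and the following `shell` task copies whatever it contains into `/etc/zabbix/zabbix_agentd.conf.d`, `/var/lib/zabbix/bin` and `/usr/local/lib/site_perl` and marks it executable. That makes each agent host a consumer of unreviewed upstream commits with no integrity check beyond TLS to the git host; pinning a reviewed tag or commit, e.g. `version: <reviewed-tag-or-sha>` under the `git:` task, keeps rollouts deterministic and auditable. The `cp -af ... {{ item.src }}/*` shell task could be a `copy` with `remote_src: true` (or `synchronize`) so changes are reported rather than always-changed. `update_cache: True` and `warn: False` should be the canonical lowercase `true` / `false`.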
@ -0,0 +1,94 @@ | |||
--- | |||
ampache_id: "1" | |||
ampache_manage_upgrade: True | |||
ampache_version: '4.1.1' | |||
ampache_config_version: 40 | |||
ampache_zip_url: https://github.com/ampache/ampache/archive/{{ ampache_version }}.zip | |||
ampache_zip_sha1: 744ff90039a268579551d50650ce1502ec89daf1 | |||
ampache_root_dir: /opt/ampache_{{ ampache_id }} | |||
ampache_php_user: php-ampache_{{ ampache_id }} | |||
ampache_php_version: 74 | |||
# If you prefer using a custom PHP FPM pool, set it's name. | |||
# You might need to adjust ampache_php_user | |||
# ampache_php_fpm_pool: php56 | |||
ampache_mysql_server: "{{ mysql_server | default('localhost') }}" | |||
# ampache_mysql_port: 3306 | |||
ampache_mysql_db: ampache_{{ ampache_id }} | |||
ampache_mysql_user: ampache_{{ ampache_id }} | |||
# If not defined, a random pass will be generated and stored in the meta directory | |||
# ampache_mysql_pass: ampache | |||
# ampache_alias: ampache | |||
# ampache_allowed_ip: | |||
# - 192.168.7.0/24 | |||
# - 10.2.0.0/24 | |||
ampache_local_web_path: "http://ampache.{{ ansible_domain }}/" | |||
ampache_auth_methods: | |||
- mysql | |||
ampache_ldap_url: "{{ ad_auth | default(False) | ternary('ldap://' + ad_realm | default(samba_realm) | lower,ldap_uri) }}" | |||
ampache_ldap_starttls: True | |||
ampache_ldap_search_dn: "{{ ad_auth | default(False) | ternary((ad_ldap_user_search_base is defined) | ternary(ad_ldap_user_search_base,'DC=' + ad_realm | default(samba_realm) | regex_replace('\\.',',DC=')), ldap_base) }}" | |||
ampache_ldap_username: "" | |||
ampache_ldap_password: "" | |||
ampache_ldap_objectclass: "{{ ad_auth | default(False) | ternary('user','inetOrgPerson') }}" | |||
ampache_ldap_filter: "{{ ad_auth | default(False) | ternary('(&(objectCategory=person)(objectClass=user)(primaryGroupId=513)(sAMAccountName=%v))','(uid=%v)') }}" | |||
ampache_ldap_email_field: mail | |||
ampache_ldap_name_field: cn | |||
ampache_admin_users: | |||
- admin | |||
#ampache_logout_redirect: https://sso.domain.org | |||
ampache_metadata_order: 'getID3,filename' | |||
ampache_lastfm_api_key: 697bad201ee93391630d845c7b3f9610 | |||
ampache_lastfm_api_secret: 5f5fe59aa2f9c60220f04e94aa59c209 | |||
ampache_max_bit_rate: 192 | |||
ampache_min_bit_rate: 64 | |||
# allowed, required or false | |||
ampache_transcode_m4a: required | |||
ampache_transcode_flac: required | |||
ampache_transcode_mpc: required | |||
ampache_transcode_ogg: required | |||
ampache_transcode_oga: required | |||
ampache_transcode_wav: required | |||
ampache_transcode_wma: required | |||
ampache_transcode_aif: required | |||
ampache_transcode_aiff: required | |||
ampache_transcode_ape: required | |||
ampache_transcode_shn: required | |||
ampache_transcode_mp3: allowed | |||
ampache_transcode_avi: required | |||
ampache_transcode_mkv: required | |||
ampache_transcode_mpg: required | |||
ampache_transcode_mpeg: required | |||
ampache_transcode_m4v: required | |||
ampache_transcode_mp4: required | |||
ampache_transcode_mov: required | |||
ampache_transcode_wmv: required | |||
ampache_transcode_ogv: required | |||
ampache_transcode_divx: required | |||
ampache_transcode_m2ts: required | |||
ampache_transcode_webm: required | |||
ampache_transcode_player_api_mp3: required | |||
ampache_encode_player_api_target: mp3 | |||
ampache_encode_player_webplayer: mp3 | |||
ampache_encode_target: mp3 | |||
ampache_encode_video_target: webm | |||
# If defined, will be printed on the login page. HTML can be used, eg | |||
# ampache_motd: '<a href="/sso.php">Use central authentication</a>' | |||
... |
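Review bot: `ampache_lastfm_api_key` and `ampache_lastfm_api_secret` are committed as plaintext values in the role defaults, and `ampache.cfg.php.j2` later writes them verbatim into the application config. A role default is the most widely copied place to keep a credential; if these are real project keys they should be treated as disclosed and rotated, and the defaults should point at a vaulted or inventory-provided value, e.g. `ampache_lastfm_api_key: "{{ vault_ampache_lastfm_api_key | default('') }}"`. Smaller points: `ampache_manage_upgrade: True` and `ampache_ldap_starttls: True` should be lowercase `true` for YAML 1.2 portability, and `ampache_php_version: 74` is an integer while `tasks/main.yml` compares it against the string `'54'`, so quoting it (`'74'`) keeps that comparison meaningful if someone sets `54`.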
@ -0,0 +1,4 @@ | |||
--- | |||
- include: ../httpd_common/handlers/main.yml | |||
- include: ../httpd_php/handlers/main.yml | |||
... |
@ -0,0 +1,6 @@ | |||
--- | |||
allow_duplicates: true | |||
dependencies: | |||
- role: repo_nux_dextop | |||
- role: httpd_php | |||
... |
@ -0,0 +1,218 @@ | |||
--- | |||
- name: Install needed tools | |||
yum: | |||
name: | |||
- unzip | |||
- MySQL-python | |||
- mariadb | |||
- acl | |||
- git | |||
- composer | |||
- patch | |||
- ffmpeg | |||
tags: ampache | |||
- import_tasks: ../includes/create_system_user.yml | |||
vars: | |||
- user: "{{ ampache_php_user }}" | |||
- comment: "PHP FPM for ampache {{ ampache_id }}" | |||
tags: ampache | |||
- import_tasks: ../includes/webapps_set_install_mode.yml | |||
vars: | |||
- root_dir: "{{ ampache_root_dir }}" | |||
- version: "{{ ampache_version }}" | |||
tags: ampache | |||
- set_fact: ampache_install_mode={{ (install_mode == 'upgrade' and not ampache_manage_upgrade) | ternary('none',install_mode) }} | |||
tags: ampache | |||
- set_fact: ampache_current_version={{ current_version | default('') }} | |||
tags: ampache | |||
- import_tasks: ../includes/webapps_archive.yml | |||
vars: | |||
- root_dir: "{{ ampache_root_dir }}" | |||
- version: "{{ ampache_current_version }}" | |||
- db_name: "{{ ampache_mysql_db }}" | |||
when: ampache_install_mode == 'upgrade' | |||
tags: ampache | |||
- name: Download Ampache | |||
get_url: | |||
url: "{{ ampache_zip_url }}" | |||
dest: "{{ ampache_root_dir }}/tmp/" | |||
checksum: "sha1:{{ ampache_zip_sha1 }}" | |||
when: ampache_install_mode != 'none' | |||
tags: ampache | |||
- name: Extract ampache archive | |||
unarchive: | |||
src: "{{ ampache_root_dir }}/tmp/ampache-{{ ampache_version }}.zip" | |||
dest: "{{ ampache_root_dir }}/tmp" | |||
remote_src: yes | |||
when: ampache_install_mode != 'none' | |||
tags: ampache | |||
- name: Create directory structure | |||
file: path={{ item }} state=directory | |||
with_items: | |||
- "{{ ampache_root_dir }}" | |||
- "{{ ampache_root_dir }}/web" | |||
- "{{ ampache_root_dir }}/tmp" | |||
- "{{ ampache_root_dir }}/sessions" | |||
- "{{ ampache_root_dir }}/meta" | |||
- "{{ ampache_root_dir }}/logs" | |||
- "{{ ampache_root_dir }}/data" | |||
- "{{ ampache_root_dir }}/data/metadata" | |||
- "{{ ampache_root_dir }}/data/music" | |||
- "{{ ampache_root_dir }}/data/video" | |||
- "{{ ampache_root_dir }}/db_dumps" | |||
tags: ampache | |||
- name: Move files to the correct directory | |||
synchronize: | |||
src: "{{ ampache_root_dir }}/tmp/ampache-{{ ampache_version }}/" | |||
dest: "{{ ampache_root_dir }}/web/" | |||
recursive: True | |||
delete: True | |||
delegate_to: "{{ inventory_hostname }}" | |||
when: ampache_install_mode != 'none' | |||
tags: ampache | |||
- name: Check if htaccess files needs to be moved | |||
stat: path={{ ampache_root_dir }}/web/{{ item }}/.htaccess.dist | |||
with_items: | |||
- channel | |||
- play | |||
- rest | |||
register: htaccess | |||
tags: ampache | |||
- name: Rename htaccess files | |||
command: mv -f {{ ampache_root_dir }}/web/{{ item.item }}/.htaccess.dist {{ ampache_root_dir }}/web/{{ item.item }}/.htaccess | |||
with_items: "{{ htaccess.results }}" | |||
when: item.stat.exists | |||
tags: ampache | |||
- name: Install libs using composer | |||
composer: command=install working_dir={{ ampache_root_dir }}/web executable={{ (ampache_php_version == '54') | ternary('/bin/php','/bin/php' ~ ampache_php_version ) }} | |||
tags: ampache | |||
- name: Remove temp files | |||
file: path={{ item }} state=absent | |||
with_items: | |||
- "{{ ampache_root_dir }}/tmp/ampache-{{ ampache_version }}.zip" | |||
- "{{ ampache_root_dir }}/tmp/ampache-{{ ampache_version }}" | |||
tags: ampache | |||
- import_tasks: ../includes/get_rand_pass.yml | |||
vars: | |||
- pass_file: "{{ ampache_root_dir }}/meta/key.txt" | |||
tags: ampache | |||
- set_fact: ampache_key={{ rand_pass }} | |||
tags: ampache | |||
- import_tasks: ../includes/get_rand_pass.yml | |||
vars: | |||
- pass_file: "{{ampache_root_dir }}/meta/ansible_dbpass" | |||
when: ampache_mysql_pass is not defined | |||
tags: ampache | |||
- set_fact: ampache_mysql_pass={{ rand_pass }} | |||
when: ampache_mysql_pass is not defined | |||
tags: ampache | |||
- import_tasks: ../includes/webapps_create_mysql_db.yml | |||
vars: | |||
- db_name: "{{ ampache_mysql_db }}" | |||
- db_user: "{{ ampache_mysql_user }}" | |||
- db_server: "{{ ampache_mysql_server }}" | |||
- db_pass: "{{ ampache_mysql_pass }}" | |||
tags: ampache | |||
- name: Inject SQL structure | |||
mysql_db: | |||
name: "{{ ampache_mysql_db }}" | |||
state: import | |||
target: "{{ ampache_root_dir }}/web/sql/ampache.sql" | |||
login_host: "{{ ampache_mysql_server }}" | |||
login_user: sqladmin | |||
login_password: "{{ mysql_admin_pass }}" | |||
when: ampache_install_mode == 'install' | |||
tags: ampache | |||
- name: Upgrade SQL database | |||
command: php{{ (ampache_php_version == '54') | ternary('', ampache_php_version) }} {{ ampache_root_dir }}/web/bin/install/update_db.inc | |||
become_user: "{{ ampache_php_user }}" | |||
when: ampache_install_mode == 'upgrade' | |||
tags: ampache | |||
- name: Grant admin privileges | |||
command: mysql --host={{ ampache_mysql_server }} --user=sqladmin --password={{ mysql_admin_pass }} {{ ampache_mysql_db }} -e "UPDATE `user` SET `access`='100' WHERE `username`='{{ item }}'" | |||
changed_when: False | |||
become_user: "{{ ampache_php_user }}" | |||
with_items: "{{ ampache_admin_users }}" | |||
tags: ampache | |||
- import_tasks: ../includes/webapps_webconf.yml | |||
vars: | |||
- app_id: ampache_{{ ampache_id }} | |||
- php_version: "{{ ampache_php_version }}" | |||
- php_fpm_pool: "{{ ampache_php_fpm_pool | default('') }}" | |||
tags: ampache | |||
- name: Deploy ampache configuration | |||
template: src=ampache.cfg.php.j2 dest={{ ampache_root_dir }}/web/config/ampache.cfg.php group={{ ampache_php_user }} mode=640 | |||
tags: ampache | |||
- name: Deploy motd | |||
template: src=motd.php.j2 dest={{ ampache_root_dir }}/web/config/motd.php | |||
when: ampache_motd is defined | |||
tags: ampache | |||
- name: Remove motd | |||
file: path={{ ampache_root_dir }}/web/config/motd.php state=absent | |||
when: ampache_motd is not defined | |||
tags: ampache | |||
- name: Deploy cron scripts | |||
template: src={{ item }}.j2 dest={{ ampache_root_dir }}/web/bin/{{ item }} | |||
with_items: | |||
- cron.sh | |||
tags: ampache | |||
- name: Enable cronjob | |||
cron: | |||
name: ampache_{{ ampache_id }} | |||
special_time: daily | |||
user: "{{ ampache_php_user }}" | |||
job: "/bin/sh {{ ampache_root_dir }}/web/bin/cron.sh" | |||
cron_file: ampache_{{ ampache_id }} | |||
tags: ampache | |||
- name: Deploy sso script | |||
template: src=sso.php.j2 dest={{ ampache_root_dir }}/web/sso.php | |||
tags: ampache | |||
- name: Deploy backup scripts | |||
template: src={{ item.script }}.j2 dest=/etc/backup/{{ item.type }}.d/ampache_{{ ampache_id }}_{{ item.script }} mode=750 | |||
with_items: | |||
- script: dump_db | |||
type: pre | |||
- script: rm_dump | |||
type: post | |||
tags: ampache | |||
- import_tasks: ../includes/webapps_compress_archive.yml | |||
vars: | |||
- root_dir: "{{ ampache_root_dir }}" | |||
- version: "{{ ampache_current_version }}" | |||
when: ampache_install_mode == 'upgrade' | |||
tags: ampache | |||
- import_tasks: ../includes/webapps_post.yml | |||
vars: | |||
- root_dir: "{{ ampache_root_dir }}" | |||
- version: "{{ ampache_version }}" | |||
tags: ampache | |||
... |
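Review bot: The `Grant admin privileges` task passes `--password={{ mysql_admin_pass }}` on the `mysql` command line, so the database admin password is visible to any local user in the process list while the command runs, and because the task has no `no_log` the full command, password included, is recorded in Ansible's output and logs. The `UPDATE` statement also interpolates `{{ item }}` unquoted into SQL, so a name from `ampache_admin_users` containing a quote breaks or alters the statement. The `Inject SQL structure` task above already uses a mysql module with `login_password`; the equivalent here is the `mysql_query` module with `login_password` and `no_log: true`, or at minimum `no_log: true` plus passing the password via `MYSQL_PWD` under `environment:` instead of the argument list — and running it under `become_user: "{{ ampache_php_user }}"` while holding the admin credential looks unnecessary. Separately, `Download Ampache` writes to `{{ ampache_root_dir }}/tmp/` before `Create directory structure` creates that directory; unless one of the included task files creates it earlier, a first install fails there.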
@ -0,0 +1,134 @@ | |||
config_version = {{ ampache_config_version }} | |||
{% if ampache_local_web_path is defined %} | |||
local_web_path = "{{ ampache_local_web_path }}" | |||
{% endif %} | |||
database_hostname = {{ ampache_mysql_server }} | |||
{% if ampache_mysql_port is defined %} | |||
database_port = "{{ ampache_mysql_port }}" | |||
{% endif %} | |||
database_name = "{{ ampache_mysql_db }}" | |||
database_username = "{{ ampache_mysql_user }}" | |||
database_password = "{{ ampache_mysql_pass }}" | |||
secret_key = "{{ ampache_key }}" | |||
session_length = 3600 | |||
stream_length = 7200 | |||
remember_length = 604800 | |||
session_name = ampache | |||
session_cookielife = 0 | |||
auth_methods = "{{ ampache_auth_methods | join(',') }}" | |||
{% if 'ldap' in ampache_auth_methods %} | |||
ldap_url = "{{ ampache_ldap_url }}" | |||
ldap_username = "{{ ampache_ldap_username }}" | |||
ldap_password = "{{ ampache_ldap_password }}" | |||
ldap_start_tls = "{{ ampache_ldap_starttls | ternary('true','false') }}" | |||
ldap_search_dn = "{{ ampache_ldap_search_dn }}" | |||
ldap_objectclass = "{{ ampache_ldap_objectclass }}" | |||
ldap_filter = "{{ ampache_ldap_filter }}" | |||
ldap_email_field = "{{ ampache_ldap_email_field }}" | |||
ldap_name_field = "{{ ampache_ldap_name_field }}" | |||
external_auto_update = "true" | |||
{% endif %} | |||
{% if ampache_logout_redirect is defined %} | |||
logout_redirect = "{{ ampache_logout_redirect }}" | |||
{% endif %} | |||
access_control = "true" | |||
require_session = "true" | |||
require_localnet_session = "true" | |||
metadata_order = "{{ ampache_metadata_order }}" | |||
getid3_tag_order = "id3v2,id3v1,vorbiscomment,quicktime,matroska,ape,asf,avi,mpeg,riff" | |||
deferred_ext_metadata = "false" | |||
additional_genre_delimiters = "[/]{2}|[/|\\\\|\|,|;]" | |||
catalog_file_pattern = "mp3|mpc|m4p|m4a|aac|ogg|oga|wav|aif|aiff|rm|wma|asf|flac|opus|spx|ra|ape|shn|wv" | |||
catalog_video_pattern = "avi|mpg|mpeg|flv|m4v|mp4|webm|mkv|wmv|ogv|mov|divx|m2ts" | |||
catalog_playlist_pattern = "m3u|m3u8|pls|asx|xspf" | |||
catalog_prefix_pattern = "The|An|A|Das|Ein|Eine|Les|Le|La" | |||
track_user_ip = "true" | |||
allow_zip_download = "true" | |||
allow_zip_types = "album" | |||
use_auth = "true" | |||
ratings = "false" | |||
userflags = "true" | |||
directplay = "true" | |||
sociable = "false" | |||
licensing = "false" | |||
memory_cache = "true" | |||
album_art_store_disk = "true" | |||
local_metadata_dir = "{{ ampache_root_dir }}/data/metadata" | |||
max_upload_size = 1048576 | |||
resize_images = "false" | |||
art_order = "db,tags,folder,musicbrainz,lastfm,google" | |||
lastfm_api_key = "{{ ampache_lastfm_api_key }}" | |||
lastfm_api_secret = "{{ ampache_lastfm_api_secret }}" | |||
channel = "false" | |||
live_stream = "false" | |||
refresh_limit = "60" | |||
show_footer_statistics = "false" | |||
debug = "true" | |||
debug_level = 5 | |||
log_path = "{{ ampache_root_dir }}/logs/" | |||
log_filename = "%name.%Y%m%d.log" | |||
site_charset = "UTF-8" | |||
{% if 'ldap' in ampache_auth_methods or 'http' in ampache_auth_methods %} | |||
auto_create = "true" | |||
auto_user = "user" | |||
{% endif %} | |||
allow_public_registration = "false" | |||
generate_video_preview = "true" | |||
max_bit_rate = {{ ampache_max_bit_rate }} | |||
min_bit_rate = {{ ampache_min_bit_rate }} | |||
transcode_m4a = {{ ampache_transcode_m4a }} | |||
transcode_flac = {{ ampache_transcode_flac }} | |||
transcode_mpc = {{ ampache_transcode_mpc }} | |||
transcode_ogg = {{ ampache_transcode_ogg }} | |||
transcode_oga = {{ ampache_transcode_oga }} | |||
transcode_wav = {{ ampache_transcode_wav }} | |||
transcode_wma = {{ ampache_transcode_wma }} | |||
transcode_aif = {{ ampache_transcode_aif }} | |||
transcode_aiff = {{ ampache_transcode_aiff }} | |||
transcode_ape = {{ ampache_transcode_ape }} | |||
transcode_shn = {{ ampache_transcode_shn }} | |||
transcode_mp3 = {{ ampache_transcode_mp3 }} | |||
transcode_avi = {{ ampache_transcode_avi }} | |||
transcode_mkv = {{ ampache_transcode_mkv }} | |||
transcode_mpg = {{ ampache_transcode_mpg }} | |||
transcode_mpeg = {{ ampache_transcode_mpeg }} | |||
transcode_m4v = {{ ampache_transcode_m4v }} | |||
transcode_mp4 = {{ ampache_transcode_mp4 }} | |||
transcode_mov = {{ ampache_transcode_mov }} | |||
transcode_wmv = {{ ampache_transcode_wmv }} | |||
transcode_ogv = {{ ampache_transcode_ogv }} | |||
transcode_divx = {{ ampache_transcode_divx }} | |||
transcode_m2ts = {{ ampache_transcode_m2ts }} | |||
transcode_webm = {{ ampache_transcode_webm }} | |||
encode_target = {{ ampache_encode_target }} | |||
encode_player_webplayer_target = {{ ampache_encode_player_webplayer }} | |||
transcode_player_api_mp3 = {{ ampache_transcode_player_api_mp3 }} | |||
encode_video_target = {{ ampache_encode_video_target }} | |||
transcode_player_customize = "true" | |||
transcode_cmd = "/bin/ffmpeg" | |||
transcode_input = "-i %FILE%" | |||
encode_args_mp3 = "-vn -b:a %BITRATE%K -c:a libmp3lame -f mp3 pipe:1" | |||
encode_args_ogg = "-vn -b:a %BITRATE%K -c:a libvorbis -f ogg pipe:1" | |||
encode_args_m4a = "-vn -b:a %BITRATE%K -c:a libfdk_aac -f adts pipe:1" | |||
encode_args_wav = "-vn -b:a %BITRATE%K -c:a pcm_s16le -f wav pipe:1" | |||
encode_args_opus = "-vn -b:a %BITRATE%K -c:a libopus -compression_level 10 -vsync 2 -f ogg pipe:1" | |||
encode_args_flv = "-b:a %BITRATE%K -ar 44100 -ac 2 -v 0 -f flv -c:v libx264 -preset superfast -threads 0 pipe:1" | |||
encode_args_webm = "-q %QUALITY% -f webm -c:v libvpx -maxrate %MAXBITRATE%k -preset superfast -threads 0 pipe:1" | |||
encode_args_ts = "-q %QUALITY% -s %RESOLUTION% -f mpegts -c:v libx264 -c:a libmp3lame -maxrate %MAXBITRATE%k -preset superfast -threads 0 pipe:1" | |||
encode_get_image = "-ss %TIME% -f image2 -vframes 1 pipe:1" | |||
encode_srt = "-vf \"subtitles='%SRTFILE%'\"" | |||
encode_ss_frame = "-ss %TIME%" | |||
encode_ss_duration = "-t %DURATION%" | |||
mail_type = "sendmail" | |||
mail_domain = "{{ ansible_domain }}" | |||
common_abbr = "divx,xvid,dvdrip,hdtv,lol,axxo,repack,xor,pdtv,real,vtv,caph,2hd,proper,fqm,uncut,topaz,tvt,notv,fpn,fov,orenji,0tv,omicron,dsr,ws,sys,crimson,wat,hiqt,internal,brrip,boheme,vost,vostfr,fastsub,addiction,x264,LOL,720p,1080p,YIFY,evolve,fihtv,first,bokutox,bluray,tvboom,info" | |||
force_ssl = "true" | |||
mail_enable = "true" | |||
mail_type = "sendmail" | |||
mail_domain = "{{ ansible_domain }}" | |||
{% if system_proxy is defined and system_proxy != '' %} | |||
proxy_host = "{{ system_proxy | urlsplit('hostname') }}" | |||
proxy_port = "{{ system_proxy | urlsplit('port') }}" | |||
proxy_user = "{{ system_proxy | urlsplit('username') }}" | |||
proxy_pass = "{{ system_proxy | urlsplit('password') }}" | |||
{% endif %} |
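Review bot: `debug = "true"` together with `debug_level = 5` ships every deployment with maximum-verbosity logging into `{{ ampache_root_dir }}/logs/`, which for a production web application typically means request details, and potentially credentials or session data, land on disk and are kept for a week by `cron.sh`. Make it a role variable with a safe default, e.g. a new `ampache_debug` default of `false` rendered as `debug = "{{ ampache_debug | ternary('true','false') }}"`. `mail_type` and `mail_domain` are emitted twice (once after `common_abbr`, again after `mail_enable`); the later pair wins, so the first can be dropped. `database_hostname = {{ ampache_mysql_server }}` is the only unquoted string value in the file — quote it like its neighbours.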
@ -0,0 +1,31 @@ | |||
#!/bin/sh | |||
# Rotate logs | |||
find {{ ampache_root_dir }}/logs -type f -mtime +7 -exec rm -f "{}" \; | |||
find {{ ampache_root_dir }}/logs -type f -mtime +1 -exec xz -T0 "{}" \; | |||
# Do we have a previous filelist to compare against ? | |||
PREV_HASH=$(cat {{ ampache_root_dir }}/tmp/data_hash.txt || echo 'none') | |||
# Now, compute a hash of the filelist | |||
NEW_HASH=$(find {{ ampache_root_dir }}/data/{music,video} | sha1sum | cut -d' ' -f1) | |||
# Write new hash so we can compare next time | |||
echo -n $NEW_HASH > {{ ampache_root_dir }}/tmp/data_hash.txt | |||
# If file list has changed since last time, then update the catalog | |||
if [ "$PREV_HASH" != "$NEW_HASH" ]; then | |||
# Clean (remove files which doesn't exists anymore) | |||
/bin/php{{ (ampache_php_version == '54') | ternary('',ampache_php_version) }} {{ ampache_root_dir }}/web/bin/catalog_update.inc -c > /dev/null 2>&1 | |||
# Add (files added) | |||
/bin/php{{ (ampache_php_version == '54') | ternary('',ampache_php_version) }} {{ ampache_root_dir }}/web/bin/catalog_update.inc -a > /dev/null 2>&1 | |||
# Update graphics | |||
/bin/php{{ (ampache_php_version == '54') | ternary('',ampache_php_version) }} {{ ampache_root_dir }}/web/bin/catalog_update.inc -g > /dev/null 2>&1 | |||
fi | |||
# Now check if files have changed recently. We can have the same file list, but metadata updates | |||
NEW_FILES=$(find {{ ampache_root_dir }}/data/{music,video} -type f -mtime -1 | wc -l) | |||
if [ "$NEW_FILES" -gt "0" ]; then | |||
# Verify (update metadata) | |||
/bin/php{{ (ampache_php_version == '54') | ternary('',ampache_php_version) }} {{ ampache_root_dir }}/web/bin/catalog_update.inc -v > /dev/null 2>&1 | |||
fi |
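Review bot: The script runs under `#!/bin/sh` but relies on brace expansion (`{{ ampache_root_dir }}/data/{music,video}` on the `NEW_HASH` and `NEW_FILES` lines) and on `echo -n`, neither of which POSIX sh guarantees; where `/bin/sh` is dash, `find` is handed the literal path `{music,video}`, produces nothing, both runs hash the same empty output, and the catalog is never updated — silently, since all stderr is discarded. Use `#!/bin/bash`, or spell the directories out, e.g. `find {{ ampache_root_dir }}/data/music {{ ampache_root_dir }}/data/video | sha1sum | cut -d' ' -f1`, and write the hash with `printf '%s' "$NEW_HASH" > ...`. The first `cat` of `data_hash.txt` also prints an error on the very first run; `2>/dev/null` there keeps the daily cron mail clean.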
@ -0,0 +1,7 @@ | |||
#!/bin/sh | |||
/usr/bin/mysqldump --user={{ ampache_mysql_user }} \ | |||
--password={{ ampache_mysql_pass }} \ | |||
--host={{ ampache_mysql_server }} \ | |||
--quick --single-transaction \ | |||
--add-drop-table {{ ampache_mysql_db }} | lz4 -c > {{ ampache_root_dir }}/db_dumps/{{ ampache_mysql_db }}.sql.lz4 |
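Review bot: `--password={{ ampache_mysql_pass }}` puts the database password on the mysqldump command line, visible in the process list to every local user for the duration of the dump (the same pattern is in the `Grant admin privileges` task of `tasks/main.yml`). Prefer `MYSQL_PWD` in the environment or a `--defaults-extra-file` the role deploys with mode 0600. The pipeline under plain `sh` also has no `set -e`/`pipefail`, so a failing mysqldump still leaves a truncated `.sql.lz4` behind with the exit status of `lz4`, and the backup reports success; dumping to a temporary name and renaming only after both commands succeed is the usual guard.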
@ -0,0 +1,27 @@ | |||
{% if ampache_alias is defined %} | |||
Alias /{{ ampache_alias }} {{ ampache_root_dir }}/web | |||
{% else %} | |||
# No alias defined, create a vhost to access it | |||
{% endif %} | |||
RewriteEngine On | |||
<Directory {{ ampache_root_dir }}/web> | |||
AllowOverride All | |||
Options FollowSymLinks | |||
{% if ampache_allowed_ip is defined %} | |||
Require ip {{ ampache_src_ip | join(' ') }} | |||
{% else %} | |||
Require all granted | |||
{% endif %} | |||
<FilesMatch \.php$> | |||
SetHandler "proxy:unix:/run/php-fpm/{{ ampache_php_fpm_pool | default('ampache_' + ampache_id | string) }}.sock|fcgi://localhost" | |||
</FilesMatch> | |||
<FilesMatch "(.maintenance.*|.ansible.*|.t?git.*|.php_cs|.travis.*)"> | |||
Require all denied | |||
</FilesMatch> | |||
</Directory> | |||
<Directory {{ ampache_root_dir }}/web/config> | |||
Require all denied | |||
</Directory> | |||
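Review bot: The `{% if ampache_allowed_ip is defined %}` guard emits `Require ip {{ ampache_src_ip | join(' ') }}`, i.e. it references a different variable than the one it tests; `ampache_src_ip` does not appear in the defaults added by this commit, so setting the documented knob `ampache_allowed_ip` makes the template fail to render instead of restricting access. Use `Require ip {{ ampache_allowed_ip | join(' ') }}`. The deny pattern `(.maintenance.*|.ansible.*|.t?git.*|.php_cs|.travis.*)` is unanchored and uses unescaped dots, so it matches those substrings anywhere in a filename; anchoring with `^\.` is tighter, and `<FilesMatch "\.php$">` should be quoted like the deny block.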
@ -0,0 +1,3 @@ | |||
<?php | |||
echo '<a href="/sso.php">{{ ampache_motd }}</a>'; |
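Review bot: `ampache_motd` is spliced into a single-quoted PHP string literal, so a value containing `'` (an apostrophe in ordinary prose is enough) produces a parse error and a failing login page. The defaults comment also gives `'<a href="/sso.php">Use central authentication</a>'` as the example value, which this template wraps in a second anchor. If Ampache includes `motd.php` as a PHP file, literal HTML outside `<?php` tags is emitted verbatim, so the body can simply be `{{ ampache_motd }}` with no string literal at all; otherwise escape the value, e.g. `echo {{ ampache_motd | to_json }};`.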
@ -0,0 +1,15 @@ | |||
#!/bin/sh | |||
restorecon -R {{ ampache_root_dir }} | |||
chown root:root {{ ampache_root_dir }} | |||
chmod 700 {{ ampache_root_dir }} | |||
setfacl -k -b {{ ampache_root_dir }} | |||
setfacl -m u:{{ ampache_php_user | default('apache') }}:rx,u:{{ httpd_user | default('apache') }}:rx {{ ampache_root_dir }} | |||
chown -R root:root {{ ampache_root_dir }}/web | |||
chown apache-ampache {{ ampache_root_dir }}/data | |||
chown -R {{ ampache_php_user }} {{ ampache_root_dir }}/{tmp,sessions,logs,data/metadata} | |||
chmod 700 {{ ampache_root_dir }}/{tmp,sessions,logs,data} | |||
find {{ ampache_root_dir }}/web -type f -exec chmod 644 "{}" \; | |||
find {{ ampache_root_dir }}/web -type d -exec chmod 755 "{}" \; | |||
chown :{{ ampache_php_user }} {{ ampache_root_dir }}/web/config/ampache.cfg.php | |||
chmod 640 {{ ampache_root_dir }}/web/config/ampache.cfg.php |
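Review bot: `chown apache-ampache {{ ampache_root_dir }}/data` hard-codes a user that does not match the account this role creates — `create_system_user.yml` is passed `{{ ampache_php_user }}` (default `php-ampache_<id>`) and every other line uses that variable — so on a host without an `apache-ampache` account the line fails, and with `#!/bin/sh` and no `set -e` the script continues and leaves `data` owned by whoever created it. Use `chown {{ ampache_php_user }} {{ ampache_root_dir }}/data` and add `set -e` after the shebang so a failed ownership or permission step aborts rather than producing a half-hardened tree. The brace expansions on the `chown -R` and `chmod 700` lines also assume bash rather than POSIX sh.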
@ -0,0 +1,37 @@ | |||
; {{ ansible_managed }} | |||
[ampache_{{ ampache_id }}] | |||
listen.owner = root | |||
listen.group = {{ httpd_user | default('apache') }} | |||
listen.mode = 0660 | |||
listen = /run/php-fpm/ampache_{{ ampache_id }}.sock | |||
user = {{ ampache_php_user }} | |||
group = {{ ampache_php_user }} | |||
catch_workers_output = yes | |||
pm = dynamic | |||
pm.max_children = 15 | |||
pm.start_servers = 3 | |||
pm.min_spare_servers = 3 | |||
pm.max_spare_servers = 6 | |||
pm.max_requests = 5000 | |||
request_terminate_timeout = 60m | |||
php_flag[display_errors] = off | |||
php_admin_flag[log_errors] = on | |||
php_admin_value[error_log] = syslog | |||
php_admin_value[memory_limit] = 512M | |||
php_admin_value[session.save_path] = {{ ampache_root_dir }}/sessions | |||
php_admin_value[upload_tmp_dir] = {{ ampache_root_dir }}/tmp | |||
php_admin_value[sys_temp_dir] = {{ ampache_root_dir }}/tmp | |||
php_admin_value[post_max_size] = 5M | |||
php_admin_value[upload_max_filesize] = 5M | |||
php_admin_value[disable_functions] = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd | |||
php_admin_value[open_basedir] = {{ ampache_root_dir }} | |||
php_admin_value[max_execution_time] = 1800 | |||
php_admin_value[max_input_time] = 60 | |||
php_admin_flag[allow_url_include] = off | |||
php_admin_flag[allow_url_fopen] = on | |||
php_admin_flag[file_uploads] = on | |||
php_admin_flag[session.cookie_httponly] = on |
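Review bot: The pool sets `session.cookie_httponly` but not `session.cookie_secure`, while `ampache.cfg.php.j2` sets `force_ssl = "true"`; add `php_admin_flag[session.cookie_secure] = on` so the session cookie is never sent over plain HTTP. The `disable_functions` list omits `proc_open` and `popen`, so it does not actually prevent spawning processes; that may be deliberate if Ampache's transcoding (`transcode_cmd = "/bin/ffmpeg"`) relies on one of them — a comment naming the function that must stay enabled would stop the list being mistaken for a complete sandbox. Disabling `escapeshellarg` and `escapeshellcmd` removes sanitisation helpers rather than an attack surface and can break code that calls them before an allowed spawn.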
@ -0,0 +1,3 @@ | |||
#!/bin/sh | |||
rm -f {{ ampache_root_dir }}/db_dump/* |
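Review bot: The post-backup hook deletes `{{ ampache_root_dir }}/db_dump/*`, but the pre-backup dump in `dump_db.sh.j2` and the directory created by `tasks/main.yml` are both `db_dumps` (plural), so the cleanup never matches and each run's database dump accumulates on disk indefinitely. Change the path to `rm -f {{ ampache_root_dir }}/db_dumps/*`.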
@ -0,0 +1,6 @@ | |||
<?php | |||
# Just a dummy redirection so we can protect /sso.php with Lemonldap::NG | |||
header('Location: /'); | |||
?> |
@ -0,0 +1,36 @@ | |||
--- | |||
# The shell of the lbkp account | |||
backup_shell: '/bin/bash' | |||
# List of commands lbkp will be allowed to run as root, with sudo | |||
backup_sudo_base_commands: | |||
- /usr/bin/rsync | |||
- /usr/local/bin/pre-backup | |||
- /usr/local/bin/post-backup | |||
- /bin/tar | |||
- /bin/gtar | |||
backup_sudo_extra_commands: [] | |||
backup_sudo_commands: "{{ backup_sudo_base_commands + backup_sudo_extra_commands }}" | |||
# List of ssh public keys to deploy | |||
backup_ssh_keys: [] | |||
# Options to set for the ssh keys, to restrict what they can do | |||
backup_ssh_keys_options: | |||
- no-X11-forwarding | |||
- no-agent-forwarding | |||
- no-pty | |||
# List of IP address allowed to use the ssh keys | |||
# Empty list means no restriction | |||
backup_src_ip: [] | |||
# Custom pre / post script | |||
backup_pre_script: | | |||
#!/bin/bash -e | |||
# Nothing to do | |||
backup_post_script: | | |||
#!/bin/bash -e | |||
# Nothing to do | |||
... |
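Review bot: `backup_ssh_keys_options` blocks X11, agent forwarding and a pty but leaves TCP port forwarding enabled, so a holder of a backup key can still use the host as a network pivot; add `no-port-forwarding` (or the single `restrict` option on OpenSSH 7.2+, which also covers forwarding types added later). Since `backup_sudo_base_commands` grants `rsync` and `tar` as root with any arguments under `NOPASSWD`, a deployed key is effectively a root credential; a comment on `backup_ssh_keys` and `backup_src_ip` saying so would help operators treat them accordingly.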
@ -0,0 +1,53 @@ | |||
#!/usr/bin/perl -w | |||
# This script will backup the config of MegaRAID based | |||
# RAID controllers. The saved config can be restored with | |||
# MegaCli -CfgRestore -f /home/lbkp/mega_0.bin for example | |||
# It also create a backup of the config as text, so you can | |||
# manually check how things were configured at a certain point in time | |||
# If MegaCli is not installed, then the script does nothing | |||
use strict; | |||
my $megacli = undef; | |||
if (-x '/opt/MegaRAID/MegaCli/MegaCli64'){ | |||
$megacli = '/opt/MegaRAID/MegaCli/MegaCli64'; | |||
} elsif (-x '/opt/MegaRAID/MegaCli/MegaCli'){ | |||
$megacli = '/opt/MegaRAID/MegaCli/MegaCli'; | |||
} | |||
exit (0) unless($megacli); | |||
my $adapters = 0; | |||
foreach (qx($megacli -adpCount -NoLog)) { | |||
if ( m/Controller Count:\s*(\d+)/ ) { | |||
$adapters = $1; | |||
last; | |||
} | |||
} | |||
foreach my $adp (0..$adapters-1){ | |||
my $hba = 0; | |||
my $failgrouplist = 0; | |||
foreach my $line (qx($megacli -CfgDsply -a$adp -NoLog)) { | |||
if ( $line =~ m/Failed to get Disk Group list/ ) { | |||
$failgrouplist = 1; | |||
} elsif ( $line =~ m/Product Name:.*(JBOD|HBA)/ ) { | |||
$hba = 1; | |||
} | |||
} | |||
# Skip adapter if in HBA mode | |||
next if ($hba && $failgrouplist); | |||
# Save the config in binary format | |||
qx($megacli -CfgSave -f /home/lbkp/megaraid/cfg_$adp.bin -a$adp -NoLog); | |||
die "Failed to backup conf for adapter $adp\n" unless ($? == 0); | |||
# Now also save in text representation | |||
open TXT, ">/home/lbkp/megaraid/cfg_$adp.txt"; | |||
print TXT foreach qx($megacli -CfgDsply -a$adp -NoLog); | |||
die "Failed to backup Cfg text description for adapter $adp\n" unless ($? == 0); | |||
close TXT; | |||
} |
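Review bot: `open TXT, ">/home/lbkp/megaraid/cfg_$adp.txt"` is never checked, so if the directory is missing or unwritable the `print TXT` calls fail silently and the script still exits 0 — the text backup is simply absent while the job reports success. Use the three-argument form with a lexical handle and die on failure: `open(my $txt, '>', "/home/lbkp/megaraid/cfg_$adp.txt") or die "Cannot write cfg_$adp.txt: $!\n";`, and check `close($txt)` the same way. The `die ... unless ($? == 0)` after `print TXT foreach qx(...)` does test the status of that `qx`, but a short comment saying so would spare the next reader the question of whether `print` clobbered it.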
@ -0,0 +1,3 @@ | |||
#!/bin/sh | |||
/bin/rpm -qa --qf "%{NAME}\t%{VERSION}\t%{RELEASE}\n" | grep -v gpg-pubkey | sort > /home/lbkp/rpms.list |
@ -0,0 +1,9 @@ | |||
#!/bin/bash | |||
if [ -d "/etc/backup/post.d" ]; then | |||
for H in $(find /etc/backup/post.d -type f -o -type l | sort); do | |||
[ -x $H ] && $H "$@" | |||
done | |||
fi | |||
# Remove the lock | |||
rm -f /var/lock/bkp.lock |
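Review bot: `[ -x $H ] && $H "$@"` leaves `$H` unquoted and `for H in $(find ...)` word-splits the hook list, so a hook path containing whitespace is both mis-tested and mis-executed; `pre-backup` in this commit has the same loop. A failing hook is also ignored and the script exits 0 regardless, so a broken post hook is invisible to the caller. Quoting `"$H"` fixes the first; iterating with `find ... -print0 | sort -z | while IFS= read -r -d '' H` or at least recording a non-zero status for the final exit fixes the rest.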
@ -0,0 +1,29 @@ | |||
#!/bin/bash | |||
set -e | |||
# 2 locks are needed. The first one ensure we don't run | |||
# The pre-backup script twice. It's an atomic lock. | |||
# Then we need a second lock which will last until the post-backup ran | |||
# This one doesn't need to be atomic (as we already checked this) | |||
PRELOCKFILE="/var/lock/pre-bkp.lock" | |||
exec 200>$PRELOCKFILE | |||
flock -n 200 || ( echo "Couldn't aquire pre-backup lock" && exit 1 ) | |||
PID=$$ | |||
echo $PID 1>&200 | |||
if [ -e /var/lock/bkp.lock ]; then | |||
# Consider the lock to be stale if it's older than 8 hours | |||
if [ "$(( $(date +"%s") - $(stat -c "%Y" /var/lock/bkp.lock) ))" -gt "28800" ]; then | |||
rm /var/lock/bkp.lock | |||
else | |||
echo "Another backup is running" | |||
exit 1 | |||
fi | |||
fi | |||
touch /var/lock/bkp.lock | |||
if [ -d "/etc/backup/pre.d" ]; then | |||
for H in $(find /etc/backup/pre.d -type f -o -type l | sort); do | |||
[ -x $H ] && $H "$@" | |||
done | |||
fi |
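Review bot: `flock -n 200 || ( echo "Couldn't aquire pre-backup lock" && exit 1 )` runs `exit 1` inside a subshell, so it only exits that subshell; the script stops only because `set -e` treats the failing `||` branch as fatal, which silently breaks if someone later drops `set -e` or appends a command to the group. Write it as `flock -n 200 || { echo "Couldn't acquire pre-backup lock" >&2; exit 1; }`. The stale-lock branch does `rm /var/lock/bkp.lock` and then `touch` with no atomic protection of its own; that is safe only while `pre-backup` is the sole writer of `bkp.lock` and holds the flock, which deserves a comment. The hook loop shares the unquoted `$H` issue noted on `post-backup`.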
@ -0,0 +1,3 @@ | |||
#!/bin/bash -e | |||
rm -f /home/lbkp/megaraid/* |
@ -0,0 +1,84 @@ | |||
--- | |||
- name: Install backup tools | |||
yum: name=rsync | |||
when: ansible_os_family == 'RedHat' | |||
- name: Install backup tools | |||
apt: name=rsync | |||
when: ansible_os_family == 'Debian' | |||
- name: Create a local backup user account | |||
user: name=lbkp comment="Local backup account" system=yes shell={{ backup_shell }} | |||
tags: backup | |||
- name: Deploy sudo configuration | |||
template: src=sudo.j2 dest=/etc/sudoers.d/backup mode=400 | |||
tags: backup | |||
- name: Deploy SSH keys for the backup account | |||
authorized_key: | |||
user: lbkp | |||
key: "{{ backup_ssh_keys | join(\"\n\") }}" | |||
key_options: "{{ backup_ssh_keys_options | join(',') }}" | |||
exclusive: yes | |||
when: backup_src_ip is not defined or backup_src_ip | length < 1 | |||
tags: backup | |||
- name: Deploy SSH keys for the backup account (with source IP restriction) | |||
authorized_key: | |||
user: lbkp | |||
key: "{{ backup_ssh_keys | join(\"\n\") }}" | |||
key_options: "from=\"{{ backup_src_ip | join(',') }}\",{{ backup_ssh_keys_options | join(',') }}" | |||
exclusive: yes | |||
when: | |||
- backup_src_ip is defined | |||
- backup_src_ip | length > 0 | |||
tags: backup | |||
- name: Create pre and post backup hook dir | |||
file: path={{ item }} state=directory mode=750 | |||
with_items: | |||
- /etc/backup/pre.d | |||
- /etc/backup/post.d | |||
tags: backup | |||
- name: Deploy default pre/post backup hooks | |||
copy: | |||
content: "{{ item.content }}" | |||
dest: /etc/backup/{{ item.type }}.d/default | |||
mode: 755 | |||
loop: | |||
- type: pre | |||
content: "{{ backup_pre_script }}" | |||
- type: post | |||
content: "{{ backup_post_script }}" | |||
tags: backup | |||
- name: Copy pre-backup script | |||
copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=750 group=lbkp | |||
with_items: | |||
- pre-backup | |||
- post-backup | |||
tags: backup | |||
- name: Deploy rpm dump list script | |||
copy: src=dump-rpms-list dest=/etc/backup/pre.d/dump-rpms-list mode=755 | |||
when: ansible_os_family == 'RedHat' | |||
tags: backup | |||
- name: Create megaraid dump dir | |||
file: path=/home/lbkp/megaraid state=directory | |||
tags: backup | |||
- name: Deploy MegaCli backup scripts | |||
copy: src={{ item.script }} dest=/etc/backup/{{ item.type }}.d/{{ item.script }} mode=750 | |||
with_items: | |||
- script: dump-megaraid-cfg | |||
type: pre | |||
- script: rm-megaraid-cfg | |||
type: post | |||
when: lsi_controllers | default([]) | length > 0 | |||
tags: backup | |||
... |
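Review bot: `mode: 755` in the `Deploy default pre/post backup hooks` task is a bare YAML integer, which Ansible's file modules document as being taken as decimal — 755 decimal is octal 1363, i.e. sticky bit, `u=wx,g=rw,o=wx`, not 0755 — so `/etc/backup/pre.d/default` and `post.d/default` come out world-writable and unreadable by their owner, and they are executed as root by `pre-backup`/`post-backup` through the lbkp sudo rule. Write `mode: "0755"` (or `0755`). The other `mode=` values in this file are key=value strings and are parsed as octal, so they are unaffected, but quoting them too (`mode: "0750"`) keeps the file consistent with ansible-lint's recommendation.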
@ -0,0 +1,2 @@ | |||
Defaults:lbkp !requiretty | |||
lbkp ALL=(root) NOPASSWD: {{ backup_sudo_commands | join(',') }} |
@ -0,0 +1,19 @@ | |||
--- | |||
# You can choose either 3 or 4 | |||
bpc_major_version: 3 | |||
# Auth to access BackupPC. Can be basic, lemonldap, lemonldap2 or none | |||
bpc_auth: basic | |||
# List of IP address allowed | |||
bpc_src_ip: [] | |||
# Should backuppc be started on boot ? | |||
# You might want to turn this off if for example you must unlock | |||
# the device on which you have your backup, and manually start backuppc after that | |||
bpc_enabled: True | |||
# Should /BackupPC aliases be added on the main vhost ? | |||
# You might want to, but you can also disable this and grant access only through a dedicated vhost | |||
bpc_alias_on_main_vhost: True |
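Review bot: `bpc_src_ip: []` together with the httpd template, which emits `Require all denied` whenever the list is empty, means a deployment with these defaults has no reachable web interface, and the comment on `bpc_src_ip` does not say so; I would make it `# List of IP addresses allowed to reach the BackupPC web UI (an empty list denies all access)`. The booleans should be written `true`/`false` rather than `True`, which only some YAML loaders treat as a boolean. The template also compares `bpc_auth` against `False`, a value the comment on L780 does not list; either document it as an allowed setting or drop that comparison.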
@ -0,0 +1,5 @@ | |||
--- | |||
- include: ../httpd_common/handlers/main.yml | |||
... |
@ -0,0 +1,3 @@ | |||
--- | |||
dependencies: | |||
- { role: httpd_front } |
@ -0,0 +1,48 @@ | |||
--- | |||
- name: Install BackupPC 4 | |||
yum: | |||
name: | |||
- BackupPC4 | |||
- fuse-backuppcfs4 | |||
when: bpc_major_version == 4 | |||
tags: bpc | |||
- name: Install BackupPC 3 | |||
yum: | |||
name: | |||
- BackupPC | |||
- fuse-backuppcfs | |||
when: bpc_major_version != 4 | |||
tags: bpc | |||
- name: Install tools | |||
yum: | |||
name: | |||
- rsync | |||
- tar | |||
- samba-client | |||
- openssh-clients | |||
- BackupPC-server-scripts | |||
- fuse-chunkfs | |||
tags: bpc | |||
- name: Deploy httpd conf | |||
template: src=httpd.conf.j2 dest=/etc/httpd/ansible_conf.d/40-BackupPC.conf | |||
notify: reload httpd | |||
tags: bpc | |||
- name: Deploy sudo config | |||
template: src=sudoers.j2 dest=/etc/sudoers.d/backuppc mode=0400 | |||
tags: bpc | |||
- name: Create SSH Key | |||
user: | |||
name: backuppc | |||
generate_ssh_key: yes | |||
ssh_key_bits: 4096 | |||
tags: bpc | |||
- name: Start and enable the service | |||
service: name=backuppc state=started enabled={{ bpc_enabled }} | |||
tags: bpc |
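Review bot: The sudoers template at L830 is installed without validation, so a rendering error would leave an unparsable file in /etc/sudoers.d, which typically makes sudo refuse to run for everyone on the host. Add `validate: 'visudo -cf %s'` to that task; the `mode=0400` it already sets is right. The remaining tasks mix key=value shorthand (L826, L830, L839) with block YAML (L802, L833); one style per file reads better.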
@ -0,0 +1,25 @@ | |||
<Directory /usr/share/BackupPC/> | |||
SSLRequireSSL on | |||
{% if bpc_auth == "lemonldap" %} | |||
PerlHeaderParserHandler Lemonldap::NG::Handler | |||
{% elif bpc_auth == "lemonldap2" %} | |||
PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2 | |||
{% elif bpc_auth == "basic" %} | |||
AuthType Basic | |||
AuthUserFile /etc/BackupPC/apache.users | |||
AuthName "BackupPC" | |||
Require valid-user | |||
{% endif %} | |||
{% if bpc_src_ip | length < 1 %} | |||
Require all denied | |||
{% else %} | |||
Require ip {{ bpc_src_ip | join(' ') }} | |||
{% endif %} | |||
</Directory> | |||
{% if bpc_auth != False and bpc_auth != 'none' and bpc_alias_on_main_vhost == True %} | |||
Alias /BackupPC/images /usr/share/BackupPC/html/ | |||
ScriptAlias /BackupPC /usr/share/BackupPC/sbin/BackupPC_Admin | |||
ScriptAlias /backuppc /usr/share/BackupPC/sbin/BackupPC_Admin | |||
{% endif %} |
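Review bot: With `bpc_auth: basic`, `Require valid-user` (L852) and `Require ip …` (L857) end up as sibling directives in the same `<Directory>` block, and Apache 2.4 groups sibling `Require` lines that are not inside an explicit container into an implicit `<RequireAny>`; if that reading is right, a client coming from a listed address is admitted without credentials, and with an empty list `Require all denied` is simply out-voted by `valid-user`. If the intent is that both the address restriction and the authentication apply, wrap the `Require` lines in `<RequireAll>` … `</RequireAll>` and keep `Require all denied` as the empty-list branch inside it. The lemonldap branches are unaffected because their handler does the authentication outside the `Require` evaluation, which is presumably why this was not noticed.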
@ -0,0 +1,3 @@ | |||
Defaults:backuppc !requiretty | |||
Cmnd_Alias BACKUPPC = /usr/bin/rsync, /bin/tar, /bin/gtar, /usr/local/bin/pre-backup, /usr/local/bin/post-backup, /usr/bin/virt-backup | |||
backuppc ALL=(root) NOPASSWD: BACKUPPC |
@ -0,0 +1,45 @@ | |||
--- | |||
bitwarden_version: 1.14.2 | |||
bitwarden_archive_url: https://github.com/dani-garcia/bitwarden_rs/archive/{{ bitwarden_version }}.tar.gz | |||
bitwarden_archive_sha1: 1bb75b6ab11371ab60380ef19151ebd9410de4ef | |||
bitwarden_web_version: 2.13.2b | |||
bitwarden_web_archive_url: https://github.com/dani-garcia/bw_web_builds/releases/download/v{{ bitwarden_web_version }}/bw_web_v{{ bitwarden_web_version }}.tar.gz | |||
bitwarden_web_archive_sha1: df6f280731b852b31c3d938bfa1733140be9abb5 | |||
bitwarden_root_dir: /opt/bitwarden_rs | |||
bitwarden_user: bitwarden_rs | |||
# Database : can be sqlite or mysql | |||
bitwarden_db_engine: sqlite | |||
bitwarden_db_server: "{{ mysql_server | default('localhost') }}" | |||
bitwarden_db_port: 3306 | |||
bitwarden_db_name: bitwardenrs | |||
bitwarden_db_user: bitwardenrs | |||
# A random one will be created if not defined | |||
# bitwaren_db_pass: S3cr3t. | |||
# Port on which bitwarden will bind | |||
bitwarden_http_port: 8000 | |||
bitwarden_ws_port: 8001 | |||
# List of IP addresses (can be CIDR notation) which will be able to | |||
# access bitwarden ports | |||
bitwarden_src_ip: [] | |||
bitwarden_web_src_ip: [] | |||
# Public URL on which bitwarden will be accessible | |||
bitwarden_public_url: http://{{ inventory_hostname }}:{{ bitwarden_http_port }} | |||
# Should registration be enabled | |||
bitwarden_registration: False | |||
# List of domain names for which registration will be accepted | |||
# Thos domains will be accepted for registration even if bitwarden_registration is set to False | |||
bitwarden_domains_whitelist: | |||
- "{{ ansible_domain }}" | |||
# Admin Token to access /admin. A random one is created if not defined | |||
# bitwarden_admin_token: S3cr3t. | |||
# Or you can just disable the admin token. But you have to protect /admin yourself (eg, on a reverse proxy) | |||
bitwarden_disable_admin_token: False |
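Review bot: The commented example on L886 names the variable `bitwaren_db_pass`, but the task at L1043 checks `bitwarden_db_pass`; a user copying the comment would get a random password generated instead of the one they set, so fix the spelling. The booleans on L897 and L905 should be `false` rather than `False`, and "Thos domains" on L899 should read "Those domains". `bitwarden_public_url` defaults to `http://…`, while the nginx vhost generated for it listens on 443 only; since this value becomes the server's `DOMAIN`, a default of `https://` is probably what users of the default vhost want, though I cannot see every consumer of the variable.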
@ -0,0 +1,5 @@ | |||
--- | |||
- name: restart bitwarden_rs | |||
service: name=bitwarden_rs state=restarted | |||
when: not bitwarden_started.changed |
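Review bot: `when: not bitwarden_started.changed` raises an undefined-variable error if the handler is notified in a play where the service task that registers `bitwarden_started` did not run. `when: not (bitwarden_started.changed | default(false))` keeps the intent (skip the restart when the service was just started) and degrades to a restart otherwise.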
@ -0,0 +1,7 @@ | |||
--- | |||
dependencies: | |||
- role: rust | |||
- role: nginx | |||
- role: mysql_server | |||
when: bitwarden_db_engine == 'mysql' and (bitwarden_db_server == 'localhost' or bitwarden_db_server == '127.0.0.1') |
@ -0,0 +1,12 @@ | |||
--- | |||
- name: Compress previous version | |||
command: tar cJf {{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }}.txz ./ | |||
args: | |||
warn: False | |||
chdir: "{{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }}" | |||
tags: bitwarden | |||
- name: Remove archive dir | |||
file: path={{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }} state=absent | |||
tags: bitwarden |
@ -0,0 +1,23 @@ | |||
--- | |||
- name: Create archive dir | |||
file: path={{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }} state=directory | |||
tags: bitwarden | |||
- name: Stop bitwarden during upgrade | |||
service: name=bitwarden_rs state=stopped | |||
tags: bitwarden | |||
- name: Archive current version | |||
synchronize: | |||
src: "{{ bitwarden_root_dir }}/{{ item }}" | |||
dest: "{{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }}/" | |||
recursive: True | |||
delete: True | |||
delegate_to: "{{ inventory_hostname }}" | |||
loop: | |||
- bitwarden_rs | |||
- data | |||
- etc | |||
- web-vault | |||
tags: bitwarden |
@ -0,0 +1,8 @@ | |||
--- | |||
- name: Remove temp files | |||
files: path={{ item }} state=absent | |||
loop: | |||
- "{{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}" | |||
- "{{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}.tar.gz" | |||
tags: bitwarden |
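Review bot: `files: path={{ item }} state=absent` at L953 names a module that does not exist; the module is `file`, so this task fails to load and the extracted source tree and tarball are never removed from `tmp`. Change it to `file: path={{ item }} state=absent`. Loop items with key=value arguments are fine here since both paths are quoted and contain no spaces.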
@ -0,0 +1,11 @@ | |||
--- | |||
- name: Deploy configuration | |||
template: src=bitwarden_rs.conf.j2 dest={{ bitwarden_root_dir }}/etc/bitwarden_rs.conf group={{ bitwarden_user }} mode=640 | |||
notify: restart bitwarden_rs | |||
tags: bitwarden | |||
- name: Deploy nginx configuration | |||
template: src=nginx.conf.j2 dest=/etc/nginx/ansible_conf.d/31-bitwarden.conf | |||
notify: reload nginx | |||
tags: bitwarden |
@ -0,0 +1,24 @@ | |||
--- | |||
- name: Create directories | |||
file: path={{ bitwarden_root_dir }}/{{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }} | |||
loop: | |||
- dir: / | |||
mode: 755 | |||
- dir: etc | |||
group: "{{ bitwarden_user }}" | |||
mode: 750 | |||
- dir: tmp | |||
mode: 700 | |||
- dir: meta | |||
mode: 700 | |||
- dir: archives | |||
mode: 700 | |||
- dir: data | |||
owner: "{{ bitwarden_user }}" | |||
group: "{{ bitwarden_user }}" | |||
mode: 700 | |||
- dir: web-vault | |||
- dir: backup | |||
mode: 700 | |||
tags: bitwarden |
@ -0,0 +1,67 @@ | |||
--- | |||
- name: Set initial install modes | |||
block: | |||
- set_fact: bitwarden_install_mode='none' | |||
- set_fact: bitwarden_current_version='' | |||
- set_fact: bitwarden_web_install_mode='none' | |||
- set_fact: bitwarden_web_current_version='' | |||
tags: bitwarden | |||
- name: Check if server is installed | |||
stat: path={{ bitwarden_root_dir }}/meta/ansible_version | |||
register: bitwarden_version_file | |||
tags: bitwarden | |||
- when: bitwarden_version_file.stat.exists | |||
block: | |||
- name: Check installed version | |||
slurp: src={{ bitwarden_root_dir }}/meta/ansible_version | |||
register: bitwarden_current_version | |||
- set_fact: bitwarden_current_version={{ bitwarden_current_version.content | b64decode | trim }} | |||
- set_fact: bitwarden_install_mode='upgrade' | |||
when: bitwarden_current_version != bitwarden_version | |||
tags: bitwarden | |||
- when: not bitwarden_version_file.stat.exists | |||
block: | |||
- set_fact: bitwarden_install_mode='install' | |||
tags: bitwarden | |||
- name: Check if web vault is installed | |||
stat: path={{ bitwarden_root_dir }}/meta/ansible_web_version | |||
register: bitwarden_web_version_file | |||
tags: bitwarden | |||
- when: bitwarden_web_version_file.stat.exists | |||
block: | |||
- name: Check installed version | |||
slurp: src={{ bitwarden_root_dir }}/meta/ansible_web_version | |||
register: bitwarden_web_current_version | |||
- set_fact: bitwarden_web_current_version={{ bitwarden_web_current_version.content | b64decode | trim }} | |||
- set_fact: bitwarden_web_install_mode='upgrade' | |||
when: bitwarden_web_current_version != bitwarden_web_version | |||
tags: bitwarden | |||
- when: not bitwarden_web_version_file.stat.exists | |||
block: | |||
- set_fact: bitwarden_web_install_mode='install' | |||
tags: bitwarden | |||
- when: bitwarden_admin_token is not defined | |||
name: Generate a random admin token | |||
block: | |||
- import_tasks: ../includes/get_rand_pass.yml | |||
vars: | |||
- pass_file: "{{ bitwarden_root_dir }}/meta/ansible_admin_token" | |||
- set_fact: bitwarden_admin_token={{ rand_pass }} | |||
tags: bitwarden | |||
- when: bitwarden_db_pass is not defined | |||
tags: bitwarden | |||
block: | |||
- import_tasks: ../includes/get_rand_pass.yml | |||
vars: | |||
- pass_file: "{{ bitwarden_root_dir }}/meta/ansible_dbpass" | |||
- set_fact: bitwarden_db_pass={{ rand_pass }} | |||
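Review bot: The `vars:` under `import_tasks` at L1039–L1040 and L1047–L1048 are written as a list of single-key mappings; `vars` is a mapping in the task schema and the list form is deprecated and slated for removal, so write `vars:` followed by an indented `pass_file: "…"` (the same pattern appears at L1127–L1131 in install.yml). Separately, L1009 registers the slurp result under `bitwarden_current_version` and L1010 immediately overwrites that name with the decoded string; it works, but a distinct register name such as `bitwarden_version_slurp` would make the comparison on L1012 read unambiguously, and the same applies to L1026–L1027. The generated admin token and database password are persisted under `meta/`, which directories.yml creates with mode 700, so their at-rest protection depends on that task staying as it is.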
@ -0,0 +1,97 @@ | |||
--- | |||
- name: Install needed packages | |||
yum: | |||
name: | |||
- openssl-devel | |||
- gcc | |||
- sqlite | |||
tags: bitwarden | |||
- name: Check if MariaDB version is set | |||
fail: msg="Need to define mysql_mariadb_version" | |||
when: | |||
- bitwarden_db_engine == 'mysql' | |||
- mysql_mariadb_version is not defined or mysql_mariadb_version == 'default' | |||
tags: bitwarden | |||
- name: Install MariaDB devel package | |||
yum: | |||
name: | |||
- MariaDB-devel | |||
- /usr/lib64/libmariadb.so | |||
when: bitwarden_db_engine == 'mysql' | |||
tags: bitwarden | |||
- when: bitwarden_install_mode != 'none' | |||
tags: bitwarden | |||
block: | |||
- name: Download bitwarden | |||
get_url: | |||
url: "{{ bitwarden_archive_url }}" | |||
dest: "{{ bitwarden_root_dir }}/tmp" | |||
checksum: sha1:{{ bitwarden_archive_sha1 }} | |||
- name: Extract bitwarden archive | |||
unarchive: | |||
src: "{{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}.tar.gz" | |||
dest: "{{ bitwarden_root_dir }}/tmp" | |||
remote_src: True | |||
- name: Build bitwarden | |||
command: bash -lc 'cargo build --features={{ (bitwarden_db_engine == "mysql") | ternary("mysql","sqlite") }} --release' | |||
args: | |||
chdir: "{{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}" | |||
- name: Install binary | |||
copy: src={{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}/target/release/bitwarden_rs dest="{{ bitwarden_root_dir }}/" mode=755 remote_src=True | |||
notify: restart bitwarden_rs | |||
- when: bitwarden_web_install_mode != 'none' | |||
tags: bitwarden | |||
block: | |||
- name: Download bitwarden web vault | |||
get_url: | |||
url: "{{ bitwarden_web_archive_url }}" | |||
dest: "{{ bitwarden_root_dir }}/tmp" | |||
checksum: sha1:{{ bitwarden_web_archive_sha1 }} | |||
- name: Extract the archive | |||
unarchive: | |||
src: "{{ bitwarden_root_dir }}/tmp/bw_web_v{{ bitwarden_web_version }}.tar.gz" | |||
dest: "{{ bitwarden_root_dir }}/tmp" | |||
remote_src: True | |||
- name: Move files to their final location | |||
synchronize: | |||
src: "{{ bitwarden_root_dir }}/tmp/web-vault/" | |||
dest: "{{ bitwarden_root_dir }}/web-vault/" | |||
recursive: True | |||
delete: True | |||
delegate_to: "{{ inventory_hostname }}" | |||
- name: Install systemd unit | |||
template: src=bitwarden_rs.service.j2 dest=/etc/systemd/system/bitwarden_rs.service | |||
register: bitwarden_unit | |||
tags: bitwarden | |||
- name: Reload systemd | |||
systemd: daemon_reload=True | |||
when: bitwarden_unit.changed | |||
tags: bitwarden | |||
- name: Install pre/post backup hooks | |||
template: src={{ item }}-backup.sh.j2 dest=/etc/backup/{{ item }}.d/bitwarden_rs.sh mode=755 | |||
loop: | |||
- pre | |||
- post | |||
tags: bitwarden | |||
- import_tasks: ../includes/webapps_create_mysql_db.yml | |||
vars: | |||
- db_name: "{{ bitwarden_db_name }}" | |||
- db_user: "{{ bitwarden_db_user }}" | |||
- db_server: "{{ bitwarden_db_server }}" | |||
- db_pass: "{{ bitwarden_db_pass }}" | |||
when: bitwarden_db_engine == 'mysql' | |||
tags: bitwarden |
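Review bot: The `cargo build` at L1086 runs as root inside `{{ bitwarden_root_dir }}/tmp`; cargo executes build scripts and procedural macros from every crate in the dependency graph, so a compromised dependency would run with full privileges on the host during the build. If the rust role (not visible here) installs a toolchain the service account can use, `become_user: "{{ bitwarden_user }}"` on the download, extract and build tasks, with `tmp` made accessible to that account, would confine the build, and the only artifact that needs root is the copy at L1090. The SHA1 pins on both archives at L1079 and L1099 are what make the downloads reproducible; keep them updated together with the version variables.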
@ -0,0 +1,9 @@ | |||
--- | |||
- name: Handle bitwarden_rs ports in the firewall | |||
iptables_raw: | |||
name: bitwarden_rs | |||
state: "{{ (bitwarden_src_ip | length > 0) | ternary('present','absent') }}" | |||
rules: "-A INPUT -m state --state NEW -m multiport -p tcp --dports {{ bitwarden_http_port }},{{ bitwarden_ws_port }} -s {{ bitwarden_src_ip | join(',') }} -j ACCEPT" | |||
when: iptables_manage | default(True) | |||
tags: firewall,bitwarden |
@ -0,0 +1,14 @@ | |||
--- | |||
- include: user.yml | |||
- include: directories.yml | |||
- include: facts.yml | |||
- include: archive_pre.yml | |||
when: bitwarden_install_mode == 'upgrade' or bitwarden_web_install_mode == 'upgrade' | |||
- include: install.yml | |||
- include: conf.yml | |||
- include: iptables.yml | |||
- include: service.yml | |||
- include: write_version.yml | |||
- include: archive_post.yml | |||
when: bitwarden_install_mode == 'upgrade' or bitwarden_web_install_mode == 'upgrade' |
@ -0,0 +1,6 @@ | |||
--- | |||
- name: Start and enable the service | |||
service: name=bitwarden_rs state=started enabled=True | |||
register: bitwarden_started | |||
tags: bitwarden |
@ -0,0 +1,5 @@ | |||
--- | |||
- name: Create bitwarden_rs user | |||
user: name={{ bitwarden_user }} home={{ bitwarden_root_dir }} system=True | |||
tags: bitwarden |
@ -0,0 +1,10 @@ | |||
--- | |||
- name: Write versions | |||
copy: content={{ item.version }} dest={{ bitwarden_root_dir }}/meta/{{ item.file }} | |||
loop: | |||
- version: "{{ bitwarden_version }}" | |||
file: ansible_version | |||
- version: "{{ bitwarden_web_version }}" | |||
file: ansible_web_version | |||
tags: bitwarden |
@ -0,0 +1,25 @@ | |||
IP_HEADER=X-Forwarded-For | |||
SIGNUPS_VERIFY=true | |||
SIGNUPS_ALLOWED={{ bitwarden_registration | ternary('true','false') }} | |||
{% if bitwarden_domains_whitelist | length > 0 %} | |||
SIGNUPS_DOMAINS_WHITELIST={{ bitwarden_domains_whitelist | join(',') }} | |||
{% endif %} | |||
ADMIN_TOKEN={{ bitwarden_admin_token }} | |||
DISABLE_ADMIN_TOKEN={{ bitwarden_disable_admin_token | ternary('true','false') }} | |||
DOMAIN={{ bitwarden_public_url }} | |||
ROCKET_ENV=prod | |||
ROCKET_ADDRESS=0.0.0.0 | |||
ROCKET_PORT={{ bitwarden_http_port }} | |||
WEBSOCKET_ENABLED=true | |||
WEBSOCKET_PORT={{ bitwarden_ws_port }} | |||
SMTP_HOST=localhost | |||
SMTP_PORT=25 | |||
SMTP_SSL=false | |||
SMTP_FROM=bitwarden-rs-noreply@{{ ansible_domain }} | |||
{% if bitwarden_db_engine == 'mysql' %} | |||
DATABASE_URL=mysql://{{ bitwarden_db_user }}:{{ bitwarden_db_pass | urlencode | regex_replace('/','%2F') }}@{{ bitwarden_db_server }}:{{ bitwarden_db_port }}/{{ bitwarden_db_name }} | |||
ENABLE_DB_WAL=false | |||
{% else %} | |||
DATABASE_URL=data/db.sqlite3 | |||
{% endif %} | |||
# vim: syntax=ini |
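Review bot: `ROCKET_ADDRESS=0.0.0.0` (L1189) binds the HTTP port on every interface, while the nginx vhost proxies to `localhost` only (L1252, L1257, L1260) and the firewall task opens the ports only when `bitwarden_src_ip` is non-empty and `iptables_manage` is true. Binding to loopback unless direct access was requested, e.g. `ROCKET_ADDRESS={{ (bitwarden_src_ip | length > 0) | ternary('0.0.0.0', '127.0.0.1') }}` (and the same for the websocket listener via `WEBSOCKET_ADDRESS`, if that key is available in the pinned version), would keep the backend unreachable on hosts where the firewall role is disabled. `ADMIN_TOKEN` and `DATABASE_URL` carry secrets, so the `mode=640` on the deploying task at L961 is load-bearing and should be kept.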
@ -0,0 +1,27 @@ | |||
[Unit] | |||
Description=Bitwarden Server (Rust Edition) | |||
Documentation=https://github.com/dani-garcia/bitwarden_rs | |||
After=network.target | |||
{% if bitwarden_db_engine == 'mysql' and (bitwarden_db_server == 'localhost' or bitwarden_db_server == '127.0.0.1') %} | |||
After=mariadb.service | |||
Requires=mariadb.service | |||
{% endif %} | |||
[Service] | |||
User={{ bitwarden_user }} | |||
Group={{ bitwarden_user }} | |||
EnvironmentFile={{ bitwarden_root_dir }}/etc/bitwarden_rs.conf | |||
ExecStart={{ bitwarden_root_dir }}/bitwarden_rs | |||
PrivateTmp=true | |||
PrivateDevices=true | |||
ProtectHome=true | |||
ProtectSystem=full | |||
WorkingDirectory={{ bitwarden_root_dir }} | |||
ReadWriteDirectories={{ bitwarden_root_dir }}/data | |||
ReadOnlyDirectories={{ bitwarden_root_dir }}/etc {{ bitwarden_root_dir }}/web-vault | |||
Restart=on-failure | |||
StartLimitInterval=0 | |||
RestartSec=30 | |||
[Install] | |||
WantedBy=multi-user.target |
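Review bot: `ReadWriteDirectories=` and `ReadOnlyDirectories=` (L1223–L1224) are the legacy spellings; the current names are `ReadWritePaths=` and `ReadOnlyPaths=`, and the unit is otherwise light on sandboxing for a process that holds the vault data and the admin token. `NoNewPrivileges=true` is the usual first addition, and `ProtectSystem=strict` with the existing read-write path for `data` would make the rest of the filesystem read-only to the service, at which point the read-only entries for `etc` and `web-vault` become redundant. `StartLimitInterval=` in `[Service]` is, I believe, still accepted but its current home is `StartLimitIntervalSec=` in `[Unit]`.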
@ -0,0 +1,71 @@ | |||
server { | |||
listen 443 ssl http2; | |||
server_name {{ bitwarden_public_url | urlsplit('hostname') }}; | |||
include /etc/nginx/ansible_conf.d/acme.inc; | |||
{% if bitwarden_cert_path is defined and bitwarden_key_path is defined %} | |||
ssl_certificate {{ bitwarden_cert_path }}; | |||
ssl_certificate_key {{ bitwarden_key_path }}; | |||
{% elif bitwarden_letsencrypt_cert is defined and bitwarden_letsencrypt_cert == True %} | |||
ssl_certificate /var/lib/dehydrated/certificates/certs/{{ bitwarden_public_url | urlsplit('hostname') }}/fullchain.pem; | |||
ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ bitwarden_public_url | urlsplit('hostname') }}/privkey.pem; | |||
{% elif bitwarden_letsencrypt_cert is string %} | |||
ssl_certificate /var/lib/dehydrated/certificates/certs/{{ bitwarden_letsencrypt_cert }}/fullchain.pem; | |||
ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ bitwarden_letsencrypt_cert }}/privkey.pem; | |||
{% endif %} | |||
server_name {{ bitwarden_public_url | urlsplit('hostname') }}; | |||
root {{ bitwarden_root_dir }}/web-vault; | |||
client_max_body_size 512M; | |||
if ($request_method !~ ^(GET|POST|HEAD|PUT|DELETE)$ ) { | |||
return 405; | |||
} | |||
location /notifications/hub { | |||
proxy_pass http://localhost:{{ bitwarden_ws_port }}; | |||
proxy_set_header Upgrade $http_upgrade; | |||
proxy_set_header Connection "upgrade"; | |||
} | |||
location /notifications/hub/negotiate { | |||
proxy_pass http://localhost:{{ bitwarden_http_port }}; | |||
} | |||
location @proxy { | |||
proxy_pass http://localhost:{{ bitwarden_http_port }}; | |||
} | |||
location / { | |||
try_files $uri $uri/index.html @proxy; | |||
} | |||
add_header X-Frame-Options "DENY"; | |||
add_header X-Content-Type-Options "nosniff"; | |||
add_header X-XSS-Protection "1; mode=block"; | |||
add_header Strict-Transport-Security "$hsts_header"; | |||
# Send info about the original request to the backend | |||
proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for"; | |||
proxy_set_header X-Real-IP "$remote_addr"; | |||
proxy_set_header X-Forwarded-Proto "$scheme"; | |||
proxy_set_header X-Forwarded-Host "$host"; | |||
proxy_set_header Host "$host"; | |||
# Set the timeout to read responses from the backend | |||
proxy_read_timeout 60s; | |||
# Enable Keep Alive to the backend | |||
proxy_socket_keepalive on; | |||
# Disable buffering large files | |||
proxy_max_temp_file_size 5m; | |||
allow 127.0.0.1; | |||
{% for ip in bitwarden_web_src_ip %} | |||
allow {{ ip }}; | |||
{% endfor %} | |||
deny all; | |||
} |
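Review bot: The `/notifications/hub` location (L1251–L1255) sets its own `proxy_set_header` lines, and in nginx a `proxy_set_header` at a lower level replaces the whole inherited set rather than adding to it, so that location forwards neither `Host` nor `X-Forwarded-For` to the websocket backend even though the server-level headers on L1270–L1274 suggest otherwise; with `IP_HEADER=X-Forwarded-For` in the service config, the backend then sees the proxy's address for websocket clients. Repeat the forwarding headers inside that location, as below. Two smaller points: `server_name` is declared twice (L1233 and L1245), and if none of the three certificate branches on L1235–L1244 matches, `listen 443 ssl` has no `ssl_certificate`, which nginx rejects at load; an `{% else %}` that renders an explicit error comment, or a `fail` task in the role, would make that misconfiguration visible.
```nginx
    location /notifications/hub {
        proxy_pass http://localhost:{{ bitwarden_ws_port }};
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # proxy_set_header in this block hides the server-level ones: repeat them
        proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for";
        proxy_set_header X-Real-IP "$remote_addr";
        proxy_set_header X-Forwarded-Proto "$scheme";
        proxy_set_header X-Forwarded-Host "$host";
        proxy_set_header Host "$host";
    }
    # … unchanged: remaining locations, add_header lines and allow/deny list …
```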
@ -0,0 +1,4 @@ | |||
#!/bin/bash -e | |||
rm -f {{ bitwarden_root_dir }}/backup/* | |||
umount /home/lbkp/bitwarden |
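Review bot: `umount /home/lbkp/bitwarden` does not match the mount point the pre-backup script creates, `/home/lbkp/bitwarden_rs/` (L1293, L1307), so the read-only bind mount is never released and, because of `#!/bin/bash -e`, the hook exits non-zero on every run. Change it to `umount /home/lbkp/bitwarden_rs`. Since the mount exposes copies of the RSA keys and the database dump, I would also run the umount before the `rm -f` so the backup view is gone before its contents are deleted.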
@ -0,0 +1,17 @@ | |||
#!/bin/bash -e | |||
mkdir -p /home/lbkp/bitwarden_rs/ | |||
cp {{ bitwarden_root_dir }}/data/rsa* {{ bitwarden_root_dir }}/backup/ | |||
{% if bitwarden_db_engine == 'mysql' %} | |||
/usr/bin/mysqldump \ | |||
{% if bitwarden_db_server != 'localhost' and bitwarden_db_server != '127.0.0.1' %} | |||
--user='{{ bitwarden_db_user }}' \ | |||
--password='{{ bitwarden_db_pass }}' \ | |||
--host='{{ bitwarden_db_server }}' \ | |||
{% endif %} | |||
--quick --single-transaction \ | |||
--add-drop-table {{ bitwarden_db_name }} | zstd -T0 -c > {{ bitwarden_root_dir }}/backup/{{ bitwarden_db_name }}.sql.zstd | |||
{% else %} | |||
sqlite3 {{ bitwarden_root_dir }}/data/db.sqlite3 ".backup '{{ bitwarden_root_dir }}/backup/db.sqlite3'" | |||
{% endif %} | |||
mount -o bind,ro {{ bitwarden_root_dir }}/backup/ /home/lbkp/bitwarden_rs/ |
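Review bot: `--password='{{ bitwarden_db_pass }}'` on the mysqldump command line (L1299) is visible in the process table for the duration of the dump, and the rendered hook is deployed with `mode=755` (L1121), so the password is also world-readable at rest. Render the credentials into a root-only options file instead, e.g. a `[client]` section with `user`, `password` and `host` written to `{{ bitwarden_root_dir }}/etc/` with mode 0600 by a task, and call `/usr/bin/mysqldump --defaults-extra-file=<that file> --quick --single-transaction …` (that option must come first). At minimum, deploy the hooks with `mode=700`, since nothing but root runs them.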
@ -0,0 +1,117 @@ | |||
--- | |||
bm_http_ports: | |||
- 80 | |||
- 443 | |||
bm_http_src_ip: | |||
- 0.0.0.0/0 | |||
bm_imap_ports: | |||
- 143 | |||
- 993 | |||
bm_imap_src_ip: | |||
- 0.0.0.0/0 | |||
bm_pop_ports: | |||
- 110 | |||
- 995 | |||
bm_pop_src_ip: | |||
- 0.0.0.0/0 | |||
bm_smtp_ports: | |||
- 25 | |||
- 465 | |||
- 587 | |||
bm_smtp_src_ip: | |||
- 0.0.0.0/0 | |||
bm_milter_ports: | |||
- 2500 | |||
bm_milter_src:ip: [] | |||
bm_int_ports: | |||
- 24 | |||
- 144 | |||
- 1110 | |||
- 1143 | |||
- 2000 | |||
- 2400 | |||
- 2500 | |||
- 4444 | |||
- 5280 | |||
- 5290 | |||
- 5432 | |||
- '5701:5715' | |||
- 8021 | |||
- 8022 | |||
- 8079 | |||
- 8080 | |||
- 8082 | |||
- 8084 | |||
- 8087 | |||
- 9083 | |||
- 9086 | |||
- 9090 | |||
- 9099 | |||
- 9200 | |||
- 9300 | |||
bm_int_src_ip: [] | |||
# bm_letsencrypt_cert: bluemind.domain.tld | |||
bm_mem_alloc_base: | |||
bm-core: | |||
heap: 512 | |||
direct: 512 | |||
spare: 20 | |||
bm-node: | |||
heap: 128 | |||
direct: 128 | |||
spare: 0 | |||
bm-eas: | |||
heap: 256 | |||
direct: 128 | |||
spare: 2 | |||
bm-mapi: | |||
heap: 512 | |||
direct: 256 | |||
spare: 10 | |||
bm-ips: | |||
heap: 64 | |||
direct: 64 | |||
spare: 0 | |||
bm-hps: | |||
heap: 128 | |||
direct: 128 | |||
spare: 0 | |||
bm-lmtpd: | |||
heap: 128 | |||
direct: 128 | |||
spare: 0 | |||
bm-locator: | |||
heap: 64 | |||
direct: 64 | |||
spare: 0 | |||
bm-milter: | |||
heap: 64 | |||
direct: 64 | |||
spare: 0 | |||
bm-tika: | |||
heap: 128 | |||
direct: 128 | |||
spare: 0 | |||
bm-xmpp: | |||
heap: 32 | |||
direct: 32 | |||
spare: 0 | |||
bm-ysnp: | |||
heap: 64 | |||
direct: 64 | |||
spare: 0 | |||
bm-elasticsearch: | |||
heap: 512 | |||
direct: 512 | |||
spare: 20 | |||
bm_mem_alloc: {} | |||
bm_mem_alloc_rules: "{{ bm_mem_alloc_base | combine(bm_mem_alloc, recursive=True) }}" | |||
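Review bot: `bm_milter_src:ip: []` at L1333 defines a key literally named `bm_milter_src:ip` (a plain scalar may contain a colon not followed by a space), while every other allow-list in the file is named `<service>_src_ip`; anything consuming `bm_milter_src_ip` will find it undefined. Change it to `bm_milter_src_ip: []`. The port range `'5701:5715'` is correctly quoted; the other entries are plain integers, which is fine as long as the consumer templates them into strings.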
@ -0,0 +1,4 @@ | |||
--- | |||
- name: restart bluemind | |||
command: bmctl restart |
@ -0,0 +1,118 @@ | |||
--- | |||
- name: Install tools | |||
yum: | |||
name: | |||
- socat | |||
tags: bm | |||
- name: Create dehydrated hook dir | |||
file: path=/etc/dehydrated/hooks_deploy_cert.d state=directory | |||
tags: bm | |||
- name: Deploy dehydrated hook | |||
template: src=dehydrated_deploy_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/bluemind mode=755 | |||
tags: bm | |||
- name: Create local conf directory | |||
file: path=/etc/bm/local state=directory | |||
tags: bm | |||
- name: Configure proxy | |||
lineinfile: | |||
regex: '^PROXY_OPTS=.*' | |||
line: "PROXY_OPTS=\"{{ (system_proxy is defined and system_proxy != '') | ternary('-Dhttps.proxyHost=' ~ system_proxy | urlsplit('hostname') ~ ' -Dhttps.proxyPort=' ~ system_proxy | urlsplit('port') ~ ' -Dhttp.proxyHost=' ~ system_proxy | urlsplit('hostname') ~ ' -Dhttp.proxyPort=' ~ system_proxy | urlsplit('port'),'') }}\"" | |||
path: /etc/bm/local/{{ item }}.ini | |||
create: True | |||
loop: | |||
- bm-core | |||
- bm-webserver | |||
notify: restart bluemind | |||
tags: bm | |||
- name: Configure JVM options | |||
lineinfile: | |||
regex: '^JVM_OPTS=.*' | |||
line: "JVM_OPTS=\"${PROXY_OPTS}\"" | |||
path: /etc/bm/local/{{ item }}.ini | |||
insertafter: '^PROXY_OPTS=.*' | |||
loop: | |||
- bm-core | |||
- bm-webserver | |||
notify: restart bluemind | |||
tags: bm | |||
- name: Configure memory allocation rules | |||
template: src=rules.json.j2 dest=/etc/bm/local/rules.json | |||
notify: restart bluemind | |||
tags: bm | |||
- set_fact: | |||
bm_restart_services: "[ 'bm-elasticsearch', 'bm-mapi' ]" | |||
tags: bm | |||
- name: Create systemd unit snippet dirs | |||
file: path=/etc/systemd/system/{{ item }}.service.d state=directory | |||
loop: "{{ bm_restart_services }}" | |||
tags: bm | |||
- name: Configure systemd to restart services on failure | |||
copy: | |||
content: | | |||
[Service] | |||
TimeoutSec=60 | |||
StartLimitInterval=0 | |||
RestartSec=1 | |||
Restart=on-failure | |||
dest: /etc/systemd/system/{{ item }}.service.d/restart.conf | |||
loop: "{{ bm_restart_services }}" | |||
register: bm_units | |||
notify: restart bluemind | |||
tags: bm | |||