From 52dbb3e6e03f226563bcbf6bdc390a17322ac6a5 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud <daniel@firewall-services.com>
Date: Fri, 19 Feb 2021 15:00:08 +0100
Subject: [PATCH] Update to 2021-02-19 15:00

---
 roles/lemonldap_ng/defaults/main.yml               |   2 +
 roles/lemonldap_ng/files/logos/metabase.png        | Bin 0 -> 7672 bytes
 roles/lemonldap_ng/tasks/main.yml                  |  22 ++++---
 roles/lemonldap_ng/templates/lemonldap-ng.ini.j2   |   1 +
 .../lemonldap_ng/templates/llng-fastcgi-server.j2  |   9 +++
 .../templates/llng-fastcgi-server.service.j2       |  13 +----
 roles/metabase/defaults/.main.yml.swp              | Bin 0 -> 12288 bytes
 roles/metabase/defaults/main.yml                   |  65 +++++++++++++++++++++
 roles/metabase/handlers/main.yml                   |   4 ++
 roles/metabase/meta/main.yml                       |   5 ++
 roles/metabase/tasks/archive_post.yml              |  10 ++++
 roles/metabase/tasks/archive_pre.yml               |  36 ++++++++++++
 roles/metabase/tasks/cleanup.yml                   |   8 +++
 roles/metabase/tasks/conf.yml                      |   6 ++
 roles/metabase/tasks/directories.yml               |  23 ++++++++
 roles/metabase/tasks/facts.yml                     |  29 +++++++++
 roles/metabase/tasks/install.yml                   |  46 +++++++++++++++
 roles/metabase/tasks/iptables.yml                  |   8 +++
 roles/metabase/tasks/main.yml                      |  16 +++++
 roles/metabase/tasks/services.yml                  |   5 ++
 roles/metabase/tasks/user.yml                      |   5 ++
 roles/metabase/tasks/write_version.yml             |   5 ++
 roles/metabase/templates/env.j2                    |  43 ++++++++++++++
 roles/metabase/templates/metabase.service.j2       |  25 ++++++++
 roles/squid/files/acl/software_various.domains     |   1 +
 25 files changed, 368 insertions(+), 19 deletions(-)
 create mode 100644 roles/lemonldap_ng/files/logos/metabase.png
 create mode 100644 roles/lemonldap_ng/templates/llng-fastcgi-server.j2
 create mode 100644 roles/metabase/defaults/.main.yml.swp
 create mode 100644 roles/metabase/defaults/main.yml
 create mode 100644 roles/metabase/handlers/main.yml
 create mode 100644 roles/metabase/meta/main.yml
 create mode 100644 roles/metabase/tasks/archive_post.yml
 create mode 100644 roles/metabase/tasks/archive_pre.yml
 create mode 100644 roles/metabase/tasks/cleanup.yml
 create mode 100644 roles/metabase/tasks/conf.yml
 create mode 100644 roles/metabase/tasks/directories.yml
 create mode 100644 roles/metabase/tasks/facts.yml
 create mode 100644 roles/metabase/tasks/install.yml
 create mode 100644 roles/metabase/tasks/iptables.yml
 create mode 100644 roles/metabase/tasks/main.yml
 create mode 100644 roles/metabase/tasks/services.yml
 create mode 100644 roles/metabase/tasks/user.yml
 create mode 100644 roles/metabase/tasks/write_version.yml
 create mode 100644 roles/metabase/templates/env.j2
 create mode 100644 roles/metabase/templates/metabase.service.j2

diff --git a/roles/lemonldap_ng/defaults/main.yml b/roles/lemonldap_ng/defaults/main.yml
index ea2a90b..e4e8de7 100644
--- a/roles/lemonldap_ng/defaults/main.yml
+++ b/roles/lemonldap_ng/defaults/main.yml
@@ -62,3 +62,5 @@ llng_handler_db_user: lemonldapnghandler
 # llng_db_pass: s3cr3t.
 # llng_handler_db_pass
 
+# Number of llng-fastcgi-server workers. The upstream default is 7 which is often too much
+llng_fcgi_workers: 5
diff --git a/roles/lemonldap_ng/files/logos/metabase.png b/roles/lemonldap_ng/files/logos/metabase.png
new file mode 100644
index 0000000000000000000000000000000000000000..aa76ff24f0c41b7600b030fce78a6a423f962044
GIT binary patch
literal 7672
zcmeHMc|4SB-yc*YTMs&sG)4(!%nW82`)*>)*ve8EvoJD?Ss0Zzl$2I27$ZrGqDYA&
zN|Z_>g%a6SluDu~?=@4W^gic3&wD<f_x<nq+;h9G-}U`{f9rMK_ppoT>8dENDGz}_
z6mf1&-rzS>{E?FZcc+snw;+(Y_c!?Z^Snv1P&S7}qeoGpyf`)$N)^y)5QyOEW&eQU
z-iwM;g9e;g(X->Um}l-Pa;8k}Rvj50Oh39RY#(0n{%kuL#jf;E7q%3Ck`1;=yP4=_
zaX3w>!eMT$pH(0ETK?vC-4~^m&%Vx`-cp}AB)ijKU(<!@fs)qj(T~_rMRmfv7~-4B
zogb%i65}^-wv2c_><o+3o;+Tx{GRzGbX<ymmVff#%R-0D^;)O(;^OygN}5ue?46!9
zl$yM;g4-OlrK>%zbk^JVMYq<(pP48N%^8z=AjQR2DJR%(E^dxKbhjdxWBtT<ly!Wf
zWI$0*bjzc4qPHTIH9BdRt5?}EJjov=YY%>i<u@pg*6oOczm9Z6(4Vf#%73A{0DbJ)
z(3M0?x9U5O&u~Gw%*gAlo4P7@#Fo}#uUDhnNav`Q{NXE(HC?B4_cZV!%eYStttgzl
zsqZNWis{?E#75?(lE9kQv26F_jk|+e8MkV0hUHx{uTNRA@YCmziYo1zl~*o*tUFo&
zJ*xU(`@-$QO=NXQ(WcK{zB1V(<43z*Z431^3D@`EcV%xx6Z84MY~Rb5+^$ZJuFc3R
zQr^0Y9h-<~k=dpju!K=8YvI~by;ozxS1T<`xll@aQSPGs4`+|4Ucck{=9YGGd5d%D
zsT%<h*yp~vjcOs={2)a)w&+tPh^aO^7LrrcxGRhFvK>+kmaTHweAsGsN?NkMPfkX>
zlEpxpLHHr}!di7@&YorJhGl8qE8qp@Wnr<k+XFM#S0*h8ihRUbQ4n*Lplto|(b@23
z_X{@_ZLh29Dr&~1d7aK;=V{P{^oRAA>hH46K5ChB!g}hHhLSSO=C$k_AMv`hJks;P
z!6aVJjsmB_`Kw<nm8aR&&z@I<Q`zchd1JT^Ju7?`_QtTjlGpsjC-+D<T-?4;MWMO8
z?ql_vq-Qc1)#@!tnU)7kq&udiEp!{>?cb=DE+H;D$oSly3R_Cjcd@prCS375I<%*9
zREJQ<*s>U(rJ~VtjB%xDL$}3M%wC&IHJR{p!uJY;+L?j0b;`D(Lq){_XwhwCP^?;O
zbxSU5<Mg{Fdj^iq3rbRvd(-#y*fsO^+gh7l3iD+0-A+BZs}rcUj9=~7hbxX*8cx21
z<O-!Cmb4v8_WRnoj#0!a*oRn@hO9E_e|~#<)Lwgm*S!bx+ddx6+uCfoHYg~U-R&xf
zi7Z&0X5G4j7$GwqczM~a6q&_V1jU7}_>0+#<<1JyqJGzGAts*2HdF>_?~=Ep7wwH^
zyYZ8gn)~s`Yix|q>a@%r*t3HXfHGgLarJ5XP9L4OR;xa^-+8Ff*LcJ~XZa!>`5H(k
zIxbNzdgb*auiR1-2xcx0XS&}}RWwi*JudsTb#Sp4Mw*vA-jrZJtCOQ!F~2gINy9zA
zzl3@{PUXPhi6;g22ea?rBn)o#xTJT{OQ+E}KgPl^zpk0^`XSB0tcPb%*S)LO<+4Kc
z6AhvMv3jo!!LDw8mrFnFan9o*6xztNl;(rO73lPKc>2NAFv}owJ>=puu2&(a<}rNT
zMr+vvuJ^7%M2btvd{vJzSo#3f=Zsp1ftP~-PW})PZtKali^5RU6Cy_+`JFy;?MBJ=
zQu%f1QwY!Q9rc-40~>T@b{nh=MqG<GLy!5f<w#GrmDqR4?Z|!6gg^^B#?6)I2yh*{
zvi$Z9t7<<Pl2?d16zPwI#m!oDWL}~5ed5~%!!VmRB6^No?C0pMnJe%054di2{%~H-
z!vk{>%Q$MHN-m##cC)wh^>l~V{mU10H>RYzjFwgTyk=O=A=a%}Yo`+y>hqwZ|7lX1
zG;6wI!8-XZhaaEc`ToOZmCKoLH@}OI{&KJ=))MC)8(E4l+=a=kn&arubai`o1w}#N
zbfPxc@yQCF%ty}M;6*x1HO_gb1ea|q_)I%@D#|Y~amXNGo#FM%S-2MqObZ{Ttk^zj
zX<czL(?YxNOq)Twb1;UF=J-X1&0Tiu40EE9vbPNGGw9B?S$kwKQ;&AeTX^f#(A=DT
z&dGXO*Jo|l%z>>-M4vMs+h1=`8DGD9w-f2m@!=*Lsir;^KNQbNXqB5rdR<nmi!>WQ
zubKb3(=D<`&mDy{v@1-w$4^=NoczWz3U_nCt|(uM!LjI3Wnsf{*%sd&ZPJDpS37=9
z(JapGtkG0tz+M@a6>sG2UZxv=+1)Uq{#abhCd!=>!_8a6n-vn@IPe<|H=;xtd-GmK
zCl}_=EC1Kck-PbYJJlYJlp9+9j(UH>T<y?cx_Ogu;F4|jM2U8MspwN=<tOH~oiA@S
z^N!E=AEEvpqF=UR?w!DwqRaK_??Yf?CatfdEe6bGO9E!Ad-h5%cX_HhKE)Z#zF=Ba
zHTqypM*Ew?<(wOlc1>lfQ9G-5kVC6>o9i5PA#l3A-y>oUxd+4=hor9vUtgx%4L|!>
zCsXGceeH)V_0~#xtK3bG?YzARTJ1H8UliY49sca<r8}9`qH{o{d#EoSk^DCLeaM|V
z&)RUS6sB(!d^*trGd<b8{BV=cMi#R?+xeIZ=B`o=Qgc~qgVOP*9)ZZfRAg6Q&y}-}
ziaUmRb{R_hN6a7D291U1x*#adW|sT0cg8zS>&&1<K5#GWqQ;_JtNIKzr-@+q0Owfy
zz9TL5r&_dQq)LS2xsZd~W1qQ0?UpT$Jm_%yzD&*Pc`v<Plpo)5HQe)%yu9p{yX~T#
z6`X_?+pEb37B;P4#k5-|P1X&52H&_;!6pb2edy9~6KBq+^V-9s1=ag`B`Ho$jpcZg
z`BSsg^?k-RtlM9|<hS3TNtK7$oHb`ooo#u&a!T`jl1;nwlcPjgf2TpIdyh{IyRZet
zFV>VTRvi<h*W~Y=AOGU?ky~FLJ=}Bd;nSpTs52!<m*&fd?}n<Ujt9SLrOe7oO~X8b
ze0}n9Dt}c1lNU%<rw=q~Nx!OR-Osu5evSJl{nsT<?)rqHJI_9EbESuTa<_%T8%tge
zbuT#J@^Hn8Gba>mUslgKY0XxObJ4u9I<M~b^WO@g!rUPG#e9vYB>WMjd+T?qH<Ah(
zhzWZ1cbu$qTgJy$(Z5>ZRZPQc#|*EoW-OO`W2*SzRq3Ik7dO%-cGS>{$_=x!m-4iN
z1L`{G?K&5!#qc}%sw-61H%cGZd?{jTUYU_)<!3Avcj-_~<Zz>Em8Rv+Igl}-Q+7u5
zQ)4|}nT*suZLIJM(2iZFHhWyD4w&A5{(9wO^f)ha@A%Yb`8@~ND-5oc_)BL6EZ|((
zSHq+bl8X}Z8X_Ve=(V-Ft4!+DnPps%{u1-7f1A`^wqlTj?7gFYrU?^L!REgo+u;1+
ztIXrA6KEG6J`rtxq6;1cwOJ;Ji##p8AoT^S-~L_Qi;L5W{WMF+Sm74|1R|A4cXTA;
z93B67u>-Gj!uSK$Za3|;YD0YTU`9%>p*{O^UWMhHNzPrJBd6|A(3qcaCoiP&qz*1R
zT5at-rOhi>FJ3F;^V#aNZYZl@Fw32PGkCWJm*ae1_VyP+>`3&ul8UDKsQ~L}yJm(-
zmPhiFXZZ^SNm~&P3mw<ejv$xg40ww}#^1ghgWtMTo;}G;d{j{j$#%24r_ij|2^Dpg
zC^k&i%wK)buZP<ceF*M0RmZRG#WXk{oh{Npn!Jqbkt^~a4$VslxbrCabaHO~DWA&y
zWB&aWwE^cI`45Svl5SK~7T5DLZn}ldci#_nuvet|hU&VU^Gr!HeZ9PVV&~c_CwS6Y
zDuT1}xV&QVknD8A^NzrzJ9CW<jzKnrXbqBQ$qh^2FYn#7#L{zg)>~VdH5=MP7!Z@}
zldbK6ALJIc&4CxTXB5k>eFI4#?1;Ks*mv4MP5%0%M!b)b+;izK>w{SZ@j@Gj#w$a<
zjFy&kuJhgCk@s&Z8#=#QH@_N@&8Xs(mTFtlArR%=bnv3>kN3cmSqwOd!V06p1q?QL
z5r;smYz1r*c|DZ}4WowBnbxq8->YCyI>j2c#te_ZvmL1sbhiy0s?P>bU-E|aWD5$+
z)<)h+fCU5$DvtyeFrt`TtiT#3;l+ZnSZoY~N+7)T)-ZoO5$ed|P@$%9Q#iuNSwN3L
z!EEHARvZcq>+R(7odV3PVG%qY8*6MF8ygFcHG#7@;l@Y{3kzce${2+*0th2+9Fs>9
z7%{oJVv27ZPE;<LLud2oEGAUUNeW}}dDbu(SciTm2diXf0T6ySAf8L;xjc$74oplz
zJOE&fLLkhI5GW&*h4D;%u!_h3&}MSKXA$JnSU_SMBjE^R2IChEF3&mUr@cSb;QE5^
zJI3BrE{o40Q=Ma|OrGvcqwFX?ccx7~mns%X{Eni~jDb@U%QJOcad_en9dR1N=?u0+
zLyVq@q>z8$*nCcu1VbSkQ=_O1;0PBmBY(m3=(L{&`XwIm%D*`R%>Cg11^q|9B)&-U
zigjX<`C_9uCu^A4Uo3@1rc<zzA=w0hG$WyCMr0bw)W|f<jAUei#E^{06e@*=BB3xA
zW|$dNI3|}zVv?z1DnJgW10FLng+imD5Jm_p1_>y_&_?Da76>C#Gb9>~!Jte?Xz~mS
z0*4NE0x4>yS7Is(ph8p8B&4Yc%E%mP2B;_&G$V^J62{1cOe0f)$buARE};_F0c%gh
zS;J6p#7_w^io~O_I1Fo;2c5|m{9N#*GpIg1k~nEdG|~iP3K|h*iZDT&pnrl^Q#oAF
z<YG=F0**pSRw!hw3t%LHW}`Dm;Z$QbGhDJDE(;a}0}@LT?+w5#k%L&UjvOk9$Kv?1
zSW(t6v9C}urDRJ%t-fy-tOtuMQIvqG6!CuhzT+H7;l`4wmGNJJ|BcBff)&gB-|_r}
z{$R1^@M2k<^#l$fERss*{WZ^@fqyW0gR_py<HX_qLs0(>XZ5XJ-GDBO6F0-Y4>kJR
z?Aw79MVF)s3Y8oJSQ7bL`njYSDn(KPkjHOJ<OmWooC;3c?_2E;IsH%Cm}G8_K$}w0
zMkJJ}iIJ&k7zXSFGTO+@ghVr;n4mD`7_(p5xhxtlmc*gjhl3sfbp~5YQfH{Xr27nh
zMaM=^L659JAh8Gp>|1%ER>tB3^^fqZ#77PukDZwSEAf$p#fdx5htFn5(W#tY6Z1!-
z{13Pp`rn)KKdH}zebaVivE#s|jo=YtnSW{iPk`STJm_R9lgs)m*Jnb$rDeu*2l)I=
z2A*f&@o4<x`S`sp#5?Ez@#lNH{Xbd&)c+XyTlxJbUH_!(Z)M<bf&b~Qf7120GVr&+
z|8&>?S-RwZe#53R!HZrj`2MWPX6r&A(hG<lzRnZd{Jcc{gzR1~VUJf<F9BSlUa#yv
zSGEUadV0&2aW7#nF|*TK)a#c&ZM$W_Q`m|>(M1q-c^&U1WOw`Jw|ZywLLk$tGP>O|
z+VR3}Vosk|4j}CIOYiqc?+;0@_sr?TXZ3o5OV}5b{oGU7<Cov#ozdf&)kVna_7?UN
zM191}=lIMHpzA3d0uK0P4d6vx#LO;Q`ZQkD3oe4F8_0<wV7k|~Y8u=nuJ(ur0FVi$
zJ;dW;43HB=VEocAKcAS<M-;DiNdO>_9x*Jdo0tV+93hJO2${Xa?C&H5Q4ax(#p=C;
z%pRg>07!^Jzz+c5u3isOucz1|panc)u*4z&OH2TmL;_3zpT#_qyO$8e^&E`-QURb(
ztRf)+L5ZUS{)lONJVA64>k{T3@9ciyo|s4C6;J``1+frC-5z=Uo+6;t1+oefg$Ff~
z5c(V+BnUxb2Z%yoNF1p+1h53AqINMAh*w-t$tBVC%jqYALV&^nd3v{43%~{+eFcA=
zk>YuK`atXk+Q5HAAyQ%Pu1=8T*^Ax4WG>q+fD3`lQx$)tAQ{4iKq$+@;hkmsrBxO6
zrRSEn`T<c8&dJ`_{2n=Uq4xFm_C*)cN->`5DhAu-<pS-^LXMZ$EP^Kw|0_{m4Y^dQ
zd@cgtNksZ?)KSy0PrY?RE>dAHhBRBDO?qp&{p(a)^tD~?2nB(vLh$5Hw@PV<c@RQz
TzUV;$FayCkdpZ?5gl_*YTdr^W

literal 0
HcmV?d00001

diff --git a/roles/lemonldap_ng/tasks/main.yml b/roles/lemonldap_ng/tasks/main.yml
index 3401ed6..3230376 100644
--- a/roles/lemonldap_ng/tasks/main.yml
+++ b/roles/lemonldap_ng/tasks/main.yml
@@ -119,15 +119,19 @@
   when: llng_portal == True
   tags: web
 
-- name: Deploy custom llng-fastcgi-server unit
-  template: src=llng-fastcgi-server.service.j2 dest=/etc/systemd/system/llng-fastcgi-server.service
-  notify: restart llng-fastcgi-server
-  register: llng_fastcgi_unit
-  tags: web
-
-- name: Reload systemd
-  systemd: daemon_reload=True
-  when: llng_fastcgi_unit.changed
+- when: llng_server == 'nginx'
+  block:
+    - name: Deploy custom llng-fastcgi-server unit
+      template: src=llng-fastcgi-server.service.j2 dest=/etc/systemd/system/llng-fastcgi-server.service
+      notify: restart llng-fastcgi-server
+      register: llng_fastcgi_unit
+
+    - name: Reload systemd
+      systemd: daemon_reload=True
+
+    - name: Deploy llng-fastcgi-server config
+      template: src=llng-fastcgi-server.j2 dest=/etc/default/llng-fastcgi-server
+      notify: restart llng-fastcgi-server
   tags: web
 
 - name: Handle Fast CGI server
diff --git a/roles/lemonldap_ng/templates/lemonldap-ng.ini.j2 b/roles/lemonldap_ng/templates/lemonldap-ng.ini.j2
index deb30c6..3fbb511 100644
--- a/roles/lemonldap_ng/templates/lemonldap-ng.ini.j2
+++ b/roles/lemonldap_ng/templates/lemonldap-ng.ini.j2
@@ -2,6 +2,7 @@
 
 [all]
 logLevel                   = info
+logger                     = Lemonldap::NG::Common::Logger::Syslog
 {% if llng_conf_backend == 'file' %}
 globalStorage        = Apache::Session::File
 globalStorageOptions       = {                                                   \
diff --git a/roles/lemonldap_ng/templates/llng-fastcgi-server.j2 b/roles/lemonldap_ng/templates/llng-fastcgi-server.j2
new file mode 100644
index 0000000..bc24046
--- /dev/null
+++ b/roles/lemonldap_ng/templates/llng-fastcgi-server.j2
@@ -0,0 +1,9 @@
+USER=apache
+GROUP=apache
+NPROC={{ llng_fcgi_workers }}
+SOCKET=/run/llng-fastcgi-server/llng-fastcgi.sock
+PID=/run/llng-fastcgi-server/llng-fastcgi-server.pid
+PERL_LWP_ENV_PROXY={{ llng_reload_use_proxy | ternary('1','0') }}
+PM_MAX_REQUESTS=500
+PM_SIZECHECK_NUM_REQUESTS=100
+PM_MAX_SIZE=800000
diff --git a/roles/lemonldap_ng/templates/llng-fastcgi-server.service.j2 b/roles/lemonldap_ng/templates/llng-fastcgi-server.service.j2
index e08a753..d569f16 100644
--- a/roles/lemonldap_ng/templates/llng-fastcgi-server.service.j2
+++ b/roles/lemonldap_ng/templates/llng-fastcgi-server.service.j2
@@ -4,17 +4,10 @@ After=network.target
 
 [Service]
 Type=simple
-PIDFile=/var/run/llng-fastcgi-server/llng-fastcgi-server.pid
+EnvironmentFile=/etc/default/llng-fastcgi-server
+PIDFile=/run/llng-fastcgi-server/llng-fastcgi-server.pid
 User=apache
 Group=apache
-{% if ansible_os_family == 'RedHat' and ansible_distribution_major_version is version('8','<') %}
-Environment=PM_MAX_REQUESTS=5000
-Environment=PM_SIZECHECK_NUM_REQUESTS=100
-Environment=PM_MAX_SIZE=800000
-{% endif %}
-Environment=SOCKET=/var/run/llng-fastcgi-server/llng-fastcgi.sock
-Environment=PID=/var/run/llng-fastcgi-server/llng-fastcgi-server.pid
-Environment=PERL_LWP_ENV_PROXY={{ llng_reload_use_proxy | ternary('1','0') }}
 ExecStart=/usr/libexec/lemonldap-ng/sbin/llng-fastcgi-server \
              --foreground
 PrivateTmp=yes
@@ -22,7 +15,7 @@ PrivateDevices=yes
 ProtectSystem=full
 ProtectHome=yes
 NoNewPrivileges=yes
-MemoryLimit=3072M
+MemoryLimit={{ llng_fcgi_workers * 250 }}M
 Restart=on-failure
 StartLimitInterval=0
 RestartSec=1
diff --git a/roles/metabase/defaults/.main.yml.swp b/roles/metabase/defaults/.main.yml.swp
new file mode 100644
index 0000000000000000000000000000000000000000..52be59a7ef0e35d4053ca4bd4a9cf9bd13e08ecb
GIT binary patch
literal 12288
zcmeHNO^+ML5p7wHoyf6c#6KYI6(Eu@m!wE3q6loP&8}oDuq$mOtr8##Ce4{9*;3E+
zxTi;2LXv&))mI<<amgVU`{ILb_)i4L#Xbe_#r7pXAVGZatKkeeq^Tfq4*9?kc*|v1
zcXijRsyAG04?DN^4tT%SWq3W$*x&!y{{36*H&1N5`5X&Gq%Q4mAMRb-zudZZ{S}(B
z?lqP+6e^M}En;P~Y#BRVH}ADohwY&nx8-IMDmQ75l$J?5O{7iQG_jpnzb&Ff4Yh1r
zxJ}xjbYdtH*$(7Lq}pKw`?jW`UbkH}Rxwa9u*AT#tk*r;p`p_oFY*_DdbDJ%K2!`;
z3{(tM3{(tM3{(tM3{(tM4E%pH;NlbPb%gjt9_Dubeq!Z4|5&|M3{(tM3{(tM3{(tM
z3{(tM3{(tM3{(tM3{(vK4>BME#vb60|94K}@c93K@%R5XKVj@2z}LW^fKLDcTmeo2
z?>@)aYrrGm5cmaf2Kd{vjC~G#27Cy-2PohOxC!h4CxO5In6W<t9|L!QtH1$p0eA}d
z%QKAq0eAxlfCFFycoO*P6k}fk9{>Wl2=sv$fD-@%zW5PiuLI|SbHLAlPk+eR+kgeG
z0}r1@d`~g<KJX@R`~${5dJ?gL3*zH#;-q?24E%=}D6YGBIuNlpwkC}|y8bfY8xJ1v
zx(LdKL<;LqGCNlZ#|;_W$O*WJfWQ-}n>6@C?xc-`oj!hTvzU#^`7N9J6`>PZUR~SW
z*{boEXsVS$ho!lR2!~=eN-GK%`8^&lFmz*wELM)?F($@Z__AKReY;g_)|%wF(d0Fg
zZoNYBCQaHWi=QHIH29-O8*G^vx-#V9_7Gwl@cJ20lLuVd|GOd7&G3%&-HsMXvPCW$
z#fWfnZ0vL^#!Vy>HR`cdAvnv<vlncgKig~IsKxATJ*alq?D%lDqDH5zKdh%J*m|JN
zSVfN-b;PabpBn2zSd-c;wC|VM)usPEi9Mn#UTgDunlEQIMs5cDM$flB*J7(yig3Vp
zu5KOV*TS0Dj<&XA)C{Uf9*Z#6l76MzXe)k=b$JtIrA6Jb+B6HpL!Mfl#9Fy}EyhZu
z7Y#Pc3KeefQVn&v=&gUY5~bbiU(5<*wTuzXJqjr6?aW7NRq0gU*@DdFvrSCmA`wbz
zpnstQ{+;I4=DxJpWp+ES=<0RNDV(z&dL%p9fG5#PDl+>>*<!+2-ILK(M6qt3q$V10
z`nhagC}Nh%h3@2iZ|qD%)>_NN-n6M~=8H&aPV@cU?L)pz1(HbTR5VW5V(&N|YUO*V
zj{%=J7Z2KP$d8H;gM);4MM|It0~qF2NM(evHvIouY0X2Vj%#&S>M4&TWZM}&l*r<p
zG;uO$;)5?x?|f>~8s^8T<H})lqDbE%rYIelV{4A5JTOts(Nz92HaN`A$d9h?lUL}q
zKbaq-Rf<K6XguH}izU0W>y?~_QZbf%1Og-D)JXZlDHDN%Qa8%Tx6_!$y}NRXhD{-z
zi>}=p(ORMp6~ir_NG9YalKeh}jxc>33Q=ayssy}AFv#6RBGFFpKw0QC*u<8X=R0xi
zMDZYE2Q&EyK)S-Cif2B8!pZJ0OF<@~i@n4N>zszPWSK69lGz_CJDGJRJ4Grl<wBF)
zc`XLLnVU>yy5|?=GTS}xb8UQ~sX(y*jl8rnq7xYfs572bd$L$PvL^J37RV)UGXh<)
zo?fD--cmQByx{l>*32Abu4gWhiU`FsotMF44-teaDmEb{N~S2l&?}9@G4;h|>OyWt
zS)wxYa!~|BZ<WXGBKc&PXMZdsX_xaq&m9p;1;Ev;hVpMUi}PZa<$NreNDUzuIaf<2
z>c9c-^*TRa8ZL`)I89#F-fX1wRiZXeTrT6M`N8zYul9L>YNcm*x!kPpsd&JD`#UhU
zuh8TmZ10exop$ziuXCYENwaoeZcLBPw>VjT+D@knKZhh9CgS%es?^FeJ~j4`QRxKM
z80Ue(0dJew&2LbX8v#vAqd?lVp3s*nLZ@gggT+Bs$j;?!(Zle21je}VeUqZd9`E0#
z<zt2-g3fqpJhmc0&Pa#h>&C>SnuH;{1<ohX4lQ{;E8#D5XbW_OgkVHpQk&of5=z>k
zB1LLY1c9&1P)aiRCK{=6V_ttVr==M02<s&iadyDFLATfIq3A{zyZ+h!h5kAJoao37
zhP(a#uzNA+`hC&AfRkQ6jv+%xC9N#l0-hGsk=yx$BEgd)F!v*EM3A(K3T^o&Y~L$C
zC`i_!tMsgxPa?0Nd8X$h=}-g|*V1PBx&iOBdi_=h^Ka#zKve+6FjK}hH#gb0+6lZP

literal 0
HcmV?d00001

diff --git a/roles/metabase/defaults/main.yml b/roles/metabase/defaults/main.yml
new file mode 100644
index 0000000..def684a
--- /dev/null
+++ b/roles/metabase/defaults/main.yml
@@ -0,0 +1,65 @@
+---
+
+# Version to deploy
+metabase_version: 0.38.0
+# URL to fetch the jar
+metabase_jar_url: https://downloads.metabase.com/v{{ metabase_version }}/metabase.jar
+# Expected sha1 of the jar
+metabase_jar_sha1: 2d2333deff92c18784c4a0e0d23288b29d2c8a87
+# Should ansible handle upgrades ? If set to false, only the initial install (and the config) will be handled
+metabase_manage_upgrade: True
+
+# User account under which metabase will run
+# Will be created
+metabase_user: metabase
+# Path under which metabase will be installed
+metabase_root_dir: /opt/metabase
+
+# Port on which metabase will listen
+metabase_port: 3002
+# List of IP or CIDR allowed to reach metabase_port
+metabase_src_ip: []
+
+# MySQL database
+metabase_db_server: "{{ mysql_server | default('localhost') }}"
+metabase_db_port: 3306
+metabase_db_name: metabase
+metabase_db_user: metabase
+# A random pass will be generated and stored in the meta dir if not defined
+# metabase_db_pass: S3cr3t.
+
+# Email of the admins
+metabase_admin_email: "{{ system_admin_email }}"
+# From email for emails sent by metabase
+metabase_from_email: metabase-noreply@{{ ansible_domain }}
+# Settings for sending emails
+metabase_smtp_server: localhost
+metabase_smtp_port: 25
+# metabase_smtp_user: metabase@example.org
+# metabase_smtp_pass: S3cr3t.
+metabase_smtp_starttls: False
+
+# Encryption key to protect credentials stored in the DB
+# If not set, a random one will be created and store in the mata directory
+# metabase_encryption_key: SuperS3cr3t.
+
+# Default language for notifications
+metabase_lang: fr
+
+# Public URL to reach metabase.
+# Will most likely need to be adjusted, because you'll put it behind a reverse proxy don't you ?
+metabase_public_url: http://{{ inventory_hostname }}:{{ metabase_port }}/
+
+# LDAP Auth settings
+metabase_ldap: "{{ (ad_auth | default(False) or ldap_auth | default(False)) | ternary(True,False) }}"
+metabase_ldap_attr_email: mail
+metabase_ldap_attr_firstname: givenName
+metabase_ldap_attr_lastname: sn
+metabase_ldap_server: "{{ (ldap_uri is defined) | ternary(ldap_uri | urlsplit('hostname'), ad_auth | default(False) | ternary(ad_realm | default(samba_realm) | default(ansible_domain) | lower, ansible_domain)) }}"
+metabase_ldap_port: "{{ (ldap_auth is defined and ldap_auth | urlsplit('port') is search('\\d+')) | ternary(ldap_auth | urlsplit('port'), '389') }}"
+# metabase_ldap_user: CN=Metabase,OU=Apps,DC=example,DC=org
+# metabase_ldap_pass: S3cr3t.
+metabase_ldap_user_base: "{{ (ad_ldap_user_search_base is defined and ad_auth) | ternary(ad_ldap_user_search_base, ad_auth | default(False) | ternary('DC=' + ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\\.',',DC='), 'ou=Users,' + ldap_base)) }}"
+metabase_ldap_user_filter: (&{{ ad_auth | default(False) | ternary('(objectClass=user)(objectCategory=person)(primaryGroupId=513)','(objectClass=inetOrgPerson)') }}(|(uid={login})(mail={login}))
+metabase_ldap_group_base: "{{ (ad_ldap_group_search_base is defined and ad_auth) | ternary(ad_ldap_group_search_base, ad_auth | default(False) | ternary('DC=' + ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\\.',',DC='), 'ou=Groups,' + ldap_base)) }}"
+
diff --git a/roles/metabase/handlers/main.yml b/roles/metabase/handlers/main.yml
new file mode 100644
index 0000000..f81ef91
--- /dev/null
+++ b/roles/metabase/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+
+- name: restart metabase
+  service: name=metabase state=restarted
diff --git a/roles/metabase/meta/main.yml b/roles/metabase/meta/main.yml
new file mode 100644
index 0000000..91d91ca
--- /dev/null
+++ b/roles/metabase/meta/main.yml
@@ -0,0 +1,5 @@
+---
+
+dependencies:
+  - role: mysql_server
+    when: metabase_db_server in ['localhost','127.0.0.1']
diff --git a/roles/metabase/tasks/archive_post.yml b/roles/metabase/tasks/archive_post.yml
new file mode 100644
index 0000000..dd24d66
--- /dev/null
+++ b/roles/metabase/tasks/archive_post.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Compress previous version
+  command: tar cf {{ metabase_root_dir }}/archives/{{ metabase_current_version }}.tar.zst --use-compress-program=zstd ./
+  environment:
+    ZSTD_CLEVEL: 10
+  args:
+    chdir: "{{ metabase_root_dir }}/archives/{{ metabase_current_version }}"
+    warn: False
+  tags: metabase
diff --git a/roles/metabase/tasks/archive_pre.yml b/roles/metabase/tasks/archive_pre.yml
new file mode 100644
index 0000000..0b1a7c9
--- /dev/null
+++ b/roles/metabase/tasks/archive_pre.yml
@@ -0,0 +1,36 @@
+---
+
+- name: Create the archive dir
+  file:
+    path: "{{ metabase_root_dir }}/archives/{{ metabase_current_version }}"
+    state: directory
+  tags: metabase
+
+- name: Archive previous version
+  synchronize:
+    src: "{{ metabase_root_dir }}/{{ item }}"
+    dest: "{{ metabase_root_dir }}/archives/{{ metabase_current_version }}"
+    recursive: True
+    delete: True
+  loop:
+    - app
+    - plugins
+    - data
+    - etc
+  delegate_to: "{{ inventory_hostname }}"
+  tags: metabase
+
+- name: Dump the database
+  mysql_db:
+    state: dump
+    name: "{{ metabase_db_name }}"
+    target: "{{ metabase_root_dir }}/archives/{{ metabase_current_version }}/{{ metabase_db_name }}.sql.xz"
+    login_host: "{{ metabase_db_server }}"
+    login_port: "{{ metabase_db_port }}"
+    login_user: "{{ metabase_db_user }}"
+    login_password: "{{ metabase_db_pass }}"
+    quick: True
+    single_transaction: True
+  environment:
+    XZ_OPT: -T0
+  tags: metabase
diff --git a/roles/metabase/tasks/cleanup.yml b/roles/metabase/tasks/cleanup.yml
new file mode 100644
index 0000000..f6756ba
--- /dev/null
+++ b/roles/metabase/tasks/cleanup.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Remove tmp and unused files
+  file: path={{ item }} state=absent
+  loop:
+    - "{{ metabase_root_dir }}/archives/{{ metabase_current_version }}"
+    - "{{ metabase_root_dir }}/tmp/metabase.jar"
+  tags: metabase
diff --git a/roles/metabase/tasks/conf.yml b/roles/metabase/tasks/conf.yml
new file mode 100644
index 0000000..4a5bede
--- /dev/null
+++ b/roles/metabase/tasks/conf.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Deploy configuration
+  template: src=env.j2 dest={{ metabase_root_dir }}/etc/env group={{ metabase_user }} mode=640
+  notify: restart metabase
+  tags: metabase
diff --git a/roles/metabase/tasks/directories.yml b/roles/metabase/tasks/directories.yml
new file mode 100644
index 0000000..89bb87d
--- /dev/null
+++ b/roles/metabase/tasks/directories.yml
@@ -0,0 +1,23 @@
+---
+
+- name: Create needed directories
+  file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  loop:
+    - dir: "{{ metabase_root_dir }}/app"
+    - dir: "{{ metabase_root_dir }}/tmp"
+    - dir: "{{ metabase_root_dir }}/data"
+      owner: "{{ metabase_user }}"
+      mode: 700
+    - dir: "{{ metabase_root_dir }}/etc"
+      group: "{{ metabase_user }}"
+      mode: 750
+    - dir: "{{ metabase_root_dir }}/plugins"
+      owner: "{{ metabase_user }}"
+    - dir: "{{ metabase_root_dir }}/archives"
+      mode: 700
+    - dir: "{{ metabase_root_dir }}/meta"
+      mode: 700
+    - dir: "{{ metabase_root_dir }}/backup"
+      mode: 700
+  tags: metabase
+
diff --git a/roles/metabase/tasks/facts.yml b/roles/metabase/tasks/facts.yml
new file mode 100644
index 0000000..bea274e
--- /dev/null
+++ b/roles/metabase/tasks/facts.yml
@@ -0,0 +1,29 @@
+---
+
+# Detect installed version (if any)
+- block:
+    - import_tasks: ../includes/webapps_set_install_mode.yml
+      vars:
+        - root_dir: "{{ metabase_root_dir }}"
+        - version: "{{ metabase_version }}"
+    - set_fact: metabase_install_mode={{ (install_mode == 'upgrade' and not metabase_manage_upgrade) | ternary('none',install_mode) }}
+    - set_fact: metabase_current_version={{ current_version | default('') }}
+  tags: metabase
+
+# Create a random pass for the DB if needed
+- block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ metabase_root_dir }}/meta/ansible_dbpass"
+    - set_fact: metabase_db_pass={{ rand_pass }}
+  when: metabase_db_pass is not defined
+  tags: metabase
+
+# Create a random encryption key
+- block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ metabase_root_dir }}/meta/ansible_encryption_key"
+    - set_fact: metabase_encryption_key={{ rand_pass }}
+  when: metabase_encryption_key is not defined
+  tags: metabase
diff --git a/roles/metabase/tasks/install.yml b/roles/metabase/tasks/install.yml
new file mode 100644
index 0000000..c44d423
--- /dev/null
+++ b/roles/metabase/tasks/install.yml
@@ -0,0 +1,46 @@
+---
+
+- name: Install dependencies
+  yum:
+    name:
+      - java-11-openjdk
+  tags: metabase
+
+- name: Stop the service during upgrades
+  service: name=metabase state=stopped
+  when: metabase_install_mode == 'upgrade'
+  tags: metabase
+
+- when: metabase_install_mode != 'none'
+  block:
+    - name: Download metabase JAR file
+      get_url:
+        url: "{{ metabase_jar_url }}"
+        dest: "{{ metabase_root_dir }}/tmp/"
+        checksum: sha1:{{ metabase_jar_sha1 }}
+
+    - name: Move the JAR to the app dir
+      copy: src={{ metabase_root_dir }}/tmp/metabase.jar dest={{ metabase_root_dir }}/app/ mode=644 remote_src=True
+      notify: restart metabase
+      
+  tags: metabase
+
+- name: Deploy systemd unit
+  template: src=metabase.service.j2 dest=/etc/systemd/system/metabase.service
+  register: metabase_unit
+  notify: restart metabase
+  tags: metabase
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: metabase_unit.changed
+  tags: metabase
+
+# Create the database
+- import_tasks: ../includes/webapps_create_mysql_db.yml
+  vars:
+    - db_name: "{{ metabase_db_name }}"
+    - db_user: "{{ metabase_db_user }}"
+    - db_server: "{{ metabase_db_server }}"
+    - db_pass: "{{ metabase_db_pass }}"
+  tags: metabase
diff --git a/roles/metabase/tasks/iptables.yml b/roles/metabase/tasks/iptables.yml
new file mode 100644
index 0000000..96af576
--- /dev/null
+++ b/roles/metabase/tasks/iptables.yml
@@ -0,0 +1,8 @@
+---
+
+- name:  Handle metabase port in the firewall
+  iptables_raw:
+    name: metabase_port
+    state: "{{ (metabase_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ metabase_port }} -s {{ metabase_src_ip | join(',') }} -j ACCEPT"
+  tags: firewall,metabase
diff --git a/roles/metabase/tasks/main.yml b/roles/metabase/tasks/main.yml
new file mode 100644
index 0000000..a6c6732
--- /dev/null
+++ b/roles/metabase/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+
+- include: user.yml
+- include: directories.yml
+- include: facts.yml
+- include: archive_pre.yml
+  when: metabase_install_mode == 'upgrade'
+- include: install.yml
+- include: conf.yml
+- include: iptables.yml
+  when: iptables_manage | default(True)
+- include: services.yml
+- include: write_version.yml
+- include: archive_post.yml
+  when: metabase_install_mode == 'upgrade'
+- include: cleanup.yml
diff --git a/roles/metabase/tasks/services.yml b/roles/metabase/tasks/services.yml
new file mode 100644
index 0000000..bbcc30b
--- /dev/null
+++ b/roles/metabase/tasks/services.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Start and enable the service
+  service: name=metabase state=started enabled=True
+  tags: metabase
diff --git a/roles/metabase/tasks/user.yml b/roles/metabase/tasks/user.yml
new file mode 100644
index 0000000..c19344d
--- /dev/null
+++ b/roles/metabase/tasks/user.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Create metabase user account
+  user: name={{ metabase_user }} home={{ metabase_root_dir }} system=True
+  tags: metabase
diff --git a/roles/metabase/tasks/write_version.yml b/roles/metabase/tasks/write_version.yml
new file mode 100644
index 0000000..44f1aa6
--- /dev/null
+++ b/roles/metabase/tasks/write_version.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Write installed version
+  copy: content={{ metabase_version }} dest={{ metabase_root_dir }}/meta/ansible_version
+  tags: metabase
diff --git a/roles/metabase/templates/env.j2 b/roles/metabase/templates/env.j2
new file mode 100644
index 0000000..28f6d7d
--- /dev/null
+++ b/roles/metabase/templates/env.j2
@@ -0,0 +1,43 @@
+MB_ADMIN_EMAIL={{ metabase_admin_email }}
+MB_EMAIL_FROM_ADDRESS={{ metabase_from_email }}
+MB_EMAIL_SMTP_HOST={{metabase_smtp_server }}
+MB_EMAIL_SMTP_PORT={{ metabase_smtp_port }}
+{% if metabase_smtp_user is defined and metabase_smtp_pass is defined %}
+MB_EMAIL_SMTP_USERNAME={{ metabase_smtp_user }}
+MB_EMAIL_SMTP_PASSWORD={{ metabase_smtp_pass }}
+{% endif %}
+MB_EMAIL_SMTP_SECURITY={{ metabase_smtp_starttls | ternary('starttls','none') }}
+MB_ANON_TRACKING_ENABLED=false
+MB_DB_FILE={{ metabase_root_dir }}/data/metabase.db
+MB_DB_DBNAME={{ metabase_db_name }}
+MB_DB_HOST={{ metabase_db_server }}
+MB_DB_USER={{ metabase_db_user }}
+MB_DB_PASS={{ metabase_db_pass | quote }}
+MB_DB_PORT={{ metabase_db_port }}
+MB_DB_TYPE=mysql
+MB_ENABLE_QUERY_CACHING=true
+MB_ENABLE_PUBLIC_SHARING=true
+MB_ENABLE_EMBEDDING=true
+MB_ENCRYPTION_SECRET_KEY={{ metabase_encryption_key | quote }}
+MB_JETTY_HOST=0.0.0.0
+MB_JETTY_PORT={{ metabase_port }}
+MB_PLUGINS_DIR={{ metabase_root_dir }}/plugins
+MB_SITE_LOCALE={{ metabase_lang }}
+MB_SITE_URL={{ metabase_public_url }}
+{% if metabase_ldap %}
+MB_LDAP_ENABLED=true
+MB_LDAP_HOST={{ metabase_ldap_server }}
+MB_LDAP_PORT={{ metabase_ldap_port }}
+MB_LDAP_SECURITY=tls
+{% if metabase_ldap_user is defined and metabase_ldap_pass is defined %}
+MB_LDAP_BIND_DN={{ metabase_ldap_user | quote }}
+MB_LDAP_PASSWORD={{ metabase_ldap_pass | quote }}
+{% endif %}
+MB_LDAP_ATTRIBUTE_EMAIL={{ metabase_ldap_attr_email }}
+MB_LDAP_ATTRIBUTE_FIRSTNAME={{ metabase_ldap_attr_firstname }}
+MB_LDAP_ATTRIBUTE_LASTNAME={{ metabase_ldap_attr_lastname }}
+MB_LDAP_USER_BASE={{ metabase_ldap_user_base }}
+MB_LDAP_USER_FILTER={{ metabase_ldap_user_filter | quote }}
+MB_LDAP_GROUP_SYNC=true
+MB_LDAP_GROUP_BASE={{ metabase_ldap_group_base }}
+{% endif %}
diff --git a/roles/metabase/templates/metabase.service.j2 b/roles/metabase/templates/metabase.service.j2
new file mode 100644
index 0000000..f78f310
--- /dev/null
+++ b/roles/metabase/templates/metabase.service.j2
@@ -0,0 +1,25 @@
+[Unit]
+Description=Metabase opensource BI
+After=syslog.target network.target
+
+[Service]
+Type=simple
+User={{ metabase_user }}
+WorkingDirectory={{ metabase_root_dir }}/app
+EnvironmentFile={{ metabase_root_dir }}/etc/env
+ExecStart=/usr/bin/java -Djava.net.preferIPv4Stack=true \
+{% if system_proxy is defined and system_proxy != '' %}
+            -Dhttp.proxyHost={{ system_proxy | urlsplit('hostname') }} -Dhttp.proxyPort={{ system_proxy | urlsplit('port') }} \
+            -Dhttps.proxyHost={{ system_proxy | urlsplit('hostname') }} -Dhttps.proxyPort={{ system_proxy | urlsplit('port') }} \
+{% endif %}
+            -jar {{ metabase_root_dir }}/app/metabase.jar
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/roles/squid/files/acl/software_various.domains b/roles/squid/files/acl/software_various.domains
index 74a73f3..31e25a7 100644
--- a/roles/squid/files/acl/software_various.domains
+++ b/roles/squid/files/acl/software_various.domains
@@ -347,3 +347,4 @@ store.itophub.io
 # Crowdsec
 crowdsec-statics-assets.s3-eu-west-1.amazonaws.com
 api.crowdsec.com
+www.cloudflare.com