bootstrap

README.md

@@ -3,7 +3,7 @@
 Playbooks pour installation via Ansible de services pour le Fuz.
 
 ## Deployment
-1. Edit the file `hosts.ini` and the variables in `matrix.yml`.
+1. Récupérer l'inventaire `hosts.ini` auprès d'un humain ou autre
 2. Install ansible: 
     ```bash
     sudo apt update
@@ -12,4 +12,4 @@ Playbooks pour installation via Ansible de services pour le Fuz.
     sudo apt install ansible
     ```
 <!-- 3. Install the roles: `ansible-galaxy install -r requirements.yml` -->
-3. Launch the playbook: `ansible-playbook setup.yml`
+1. Launch the playbook: `ansible-playbook main.yml -K --check`

adminsys-classique.yml

@@ -0,0 +1,14 @@
+---
+- hosts: all
+  pre_tasks:
+    - apt:
+        upgrade: yes
+  # roles:
+  # - geerlingguy.pip
+  tasks:
+    - apt:
+        name:
+        - python3-pip
+        - tmux
+        - bash-completion
+        # - zsh

main.yml

@@ -1,17 +1,18 @@
 ---
 - hosts:
-  - sonic-preprod
-  handlers:
-    - name: reboot
-      reboot:
-
+  # - sonic-preprod
+  - sonic
+  - octo.fuz.re
   pre_tasks:
     - apt:
         update_cache: yes
-    # - apt:
-    #     name: python-pip
-  # roles:
-  # - geerlingguy.pip
 
-# - import_playbook: nginx-certbot.yml
-- import_playbook: matrix.yml
+  import_playbook: 
+   - adminsys-classique.yml
+   - matrix.yml
+  # - import_playbook: nginx.yml
+  # - import_playbook: certbot.yml
+  # - import_playbook: matrix.yml
+  handlers:
+    - name: reboot
+      reboot:

matrix-telegram-bridge.yml

@@ -1,11 +0,0 @@
-# https://github.com/tulir/mautrix-telegram/wiki/Bridge-setup-with-Docker
-
-# version: "3.7"
-
-# services:
-#   mautrix-telegram:
-#     container_name: mautrix-telegram
-#     image: dock.mau.dev/tulir/mautrix-telegram:<version>
-#     restart: unless-stopped
-#     volumes:
-#     - .:/data

matrix.yml

@@ -1,41 +1,49 @@
 ---
-- hosts: synapse
-# todo: create user for synapse
-  vars:
-    matrix_synapse_version: "v1.5.1-py3"
-    # matrix_synapse_version: "v1.5.1"
-    matrix_server_name: matrix-sonic-beta.local
-    matrix_bind_address: "192.168.42.4"
+# - hosts: synapse
+# # todo: create user for synapse
+#   vars:
+#     matrix_synapse_version: "v1.5.1-py3"
+#     # matrix_synapse_version: "v1.5.1"
+#     matrix_server_name: matrix-sonic-beta.local
+#     matrix_bind_address: "192.168.42.4"
 
-    matrix_synapse_pg_host: synapse-postgres # does it need to be an IP?
-    matrix_synapse_db_name: psycopg2
-    matrix_synapse_pg_user: "synapse"
-    matrix_synapse_pg_pass: "pomme"
-    matrix_synapse_pg_db: "synapse"
-    matrix_registration_shared_secret: "xxxxx"
-    matrix_synapse_report_stats: false
-    matrix_synapse_config_path: "/etc/matrix-synapse/homeserver.yaml"
+#     matrix_synapse_pg_host: synapse-postgres # does it need to be an IP?
+#     matrix_synapse_db_name: psycopg2
+#     matrix_synapse_pg_user: "synapse"
+#     matrix_synapse_pg_pass: "pomme"
+#     matrix_synapse_pg_db: "synapse"
+#     matrix_registration_shared_secret: "xxxxx"
+#     matrix_synapse_report_stats: false
+#     matrix_synapse_config_path: "/etc/matrix-synapse/homeserver.yaml"
     
-    # to implement
-    #   matrix_no_tls: true
+#     # to implement
+#     #   matrix_no_tls: true
 
+#   tasks:
+#     # - docker_volume:
+#     #     name: synapse-data
+
+#     - template:
+#         src: templates/synapse_homeserver.yaml.j2
+#         dest: {{ matrix_synapse_config_path }}
+
+#     - template:
+#         src: templates/docker-compose-matrix.yml.j2
+#         dest: /etc/docker/docker-compose.yml
+
+#     - name: Create and start matrix services
+#       docker_compose:
+#         project_src: matrix
+#       register: output
+
+
+#       # uploads_path: "/var/lib/matrix-synapse/uploads"
+# # media_store_path: "/var/lib/matrix-synapse/media"
+# ---
+- hosts: octo.fuz.re
   tasks:
-    # - docker_volume:
-    #     name: synapse-data
-
-    - template:
-        src: templates/synapse_homeserver.yaml.j2
-        dest: {{ matrix_synapse_config_path }}
-
-    - template:
-        src: templates/docker-compose-matrix.yml.j2
-        dest: /etc/docker/docker-compose.yml
-
-    - name: Create and start matrix services
-      docker_compose:
-        project_src: matrix
-      register: output
-
-
-      # uploads_path: "/var/lib/matrix-synapse/uploads"
-# media_store_path: "/var/lib/matrix-synapse/media"
+  - name: synapse installé et upgradé
+    become: yes
+    apt:
+      name: matrix-synapse
+      update_cache: yes

server_name.yaml

@@ -0,0 +1,9 @@
+# This file is autogenerated, and will be recreated on upgrade if it is deleted.
+# Any changes you make will be preserved.
+
+# The domain name of the server, with optional explicit port.
+# This is used by remote servers to connect to this server,
+# e.g. matrix.org, localhost:8080, etc.
+# This is also the last part of your UserID.
+#
+server_name: matrix.fuz.re

site-statique.yml

@@ -0,0 +1 @@
+# lighttpd ou nginx ?

sonic/lighttpd.conf

@@ -0,0 +1,272 @@
+server.modules = (
+    "mod_access",
+    "mod_accesslog",
+    "mod_alias",
+    "mod_compress",
+    "mod_redirect",
+    "mod_setenv",
+    "mod_rewrite",
+    "mod_proxy",
+    "mod_cgi",
+    "mod_openssl",
+)
+
+server.document-root        = "/var/www/html"
+server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
+server.errorlog             = "/var/log/lighttpd/error.log"
+accesslog.filename          = "/var/log/lighttpd/access.log"
+server.pid-file             = "/var/run/lighttpd.pid"
+server.username             = "www-data"
+server.groupname            = "www-data"
+server.port                 = 80
+
+dir-listing.activate = "enable"
+dir-listing.encoding = "utf-8"
+
+index-file.names            = ( "index.php", "index.html", "index.lighttpd.html" )
+url.access-deny             = ( "~", ".inc" )
+static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
+
+compress.cache-dir          = "/var/cache/lighttpd/compress/"
+compress.filetype           = ( "application/javascript", "text/css", "text/html", "text/plain" )
+
+# default listening port for IPv6 falls back to the IPv4 port
+include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
+# not here anymore see next line : include_shell "/usr/share/lighttpd/create-mime.assign.pl"
+include_shell "/usr/share/lighttpd/create-mime.conf.pl"
+#include_shell "/usr/share/lighttpd/include-conf-enabled.pl"
+include "/etc/lighttpd/conf-enabled/*.conf"
+
+### FUZ.RE ###
+### Wiki pas encore hébergé ici ###
+$HTTP["host"] == "wiki.fuz.re" {
+    server.document-root = "/var/www/fuz.re/dokuwiki/"
+    $HTTP["scheme"] == "http" {
+        url.redirect = (".*" => "https://wiki.fuz.re$0")
+    }
+
+    $HTTP["scheme"] == "https" {
+        $HTTP["url"] =~ "^/" {
+          server.follow-symlink = "enable"
+        }
+
+        $HTTP["url"] =~ "/(\.|_)ht" {
+          url.access-deny = ( "" )
+        }
+        $HTTP["url"] =~ "^/(bin|data|inc|conf)" {
+          url.access-deny = ( "" )
+        }
+#        $SERVER["socket"] == ":443" {
+#                ssl.engine  = "enable"
+        #       ssl.ca-file = "/etc/letsencrypt/live/wiki.fuz.re/fullchain.pem"
+#                ssl.pemfile = "/etc/lighttpd/certs/wiki.fuz.re.pem"
+#        }
+    }
+}
+
+# Redirect www -> https without www
+$HTTP["host"] == "www.fuz.re" {
+    $HTTP["scheme"] == "http" {
+        url.redirect = (".*" => "https://fuz.re$0")
+    }
+}
+# Redirect http -> https without www
+$HTTP["host"] == "fuz.re" {
+    $HTTP["scheme"] == "http" {
+        url.redirect = (".*" => "https://fuz.re$0")
+    }
+    # HTTPS :
+    $HTTP["scheme"] == "https" {
+	server.document-root = "/var/www/fuz.re/newsite/public"
+        $SERVER["socket"] == ":443" {
+			ssl.engine  = "enable"
+			ssl.pemfile = "/etc/letsencrypt/live/fuz.re/fullchain.pem"
+			ssl.privkey = "/etc/letsencrypt/live/fuz.re/privkey.pem"
+		}
+    }
+}
+
+# Old Jack.tf
+$HTTP["host"] == "jack.fuz.re" {
+    server.document-root = "/var/www/fuz.re/jack/site"
+    $HTTP["scheme"] == "http" {
+         $HTTP["url"] !~ "^/.well-known/acme-challenge/" {
+         url.redirect = (".*" => "https://jack.fuz.re$0")
+         }
+    }
+    $HTTP["scheme"] == "https" {
+	$SERVER["socket"] == ":443" {
+             ssl.engine  = "enable"
+		ssl.pemfile = "/etc/letsencrypt/live/jack.fuz.re/fullchain.pem"
+		ssl.privkey = "/etc/letsencrypt/live/jack.fuz.re/privkey.pem"
+        }
+    }
+}
+
+
+$HTTP["host"] == "riot.fuz.re" {
+    server.document-root = "/var/www/fuz.re/riot/site"
+    $HTTP["scheme"] == "http" {
+		$HTTP["url"] !~ "^/.well-known/acme-challenge/" {
+	            url.redirect = (".*" => "https://riot.fuz.re$0")
+		}
+    }
+    $HTTP["scheme"] == "https" {
+        alias.url = (
+                "/rc" => "/var/www/fuz.re/riot/rc"
+        )
+
+	$SERVER["socket"] == ":443" {
+                ssl.engine  = "enable"
+		ssl.pemfile = "/etc/letsencrypt/live/riot.fuz.re/fullchain.pem"
+		ssl.privkey = "/etc/letsencrypt/live/riot.fuz.re/privkey.pem"
+        }
+    }
+}
+
+$HTTP["host"] == "matrix.fuz.re" {
+    server.document-root = "/var/www/fuz.re/matrix/site"
+    $HTTP["scheme"] == "http" {
+		$HTTP["url"] !~ "^/.well-known/acme-challenge/" {
+			url.redirect = (".*" => "https://matrix.fuz.re$0")
+		}
+    }
+    $SERVER["socket"] == ":443" {
+    	ssl.engine  = "enable"
+	ssl.pemfile = "/etc/letsencrypt/live/matrix.fuz.re/fullchain.pem"
+	ssl.privkey = "/etc/letsencrypt/live/matrix.fuz.re/privkey.pem"
+    	proxy.server = ( "" => (( "host" => "127.0.0.1", "port" => 8008 )))
+    	proxy.header = ( "map-host-request" => ( "-" => "matrix.fuz.re"),
+    			     "map-host-response" => ("-" => "-"))
+    }
+    $SERVER["socket"] == ":8448" {
+    	ssl.engine  = "enable"
+	ssl.pemfile = "/etc/letsencrypt/live/matrix.fuz.re/fullchain.pem"
+	ssl.privkey = "/etc/letsencrypt/live/matrix.fuz.re/privkey.pem"
+    	proxy.server = ( "" => (( "host" => "127.0.0.1", "port" => 8008 )))
+    	proxy.header = ( "map-host-request" => ( "-" => "matrix.fuz.re"),
+    			     "map-host-response" => ("-" => "-"))
+    }
+}
+
+$HTTP["host"] == "mumble.fuz.re" {
+    $HTTP["scheme"] == "http" {
+    	server.document-root = "/var/www/fuz.re/mumble/site"
+	$HTTP["url"] !~ "^/.well-known/acme-challenge/" {
+		url.redirect = (".*" => "https://mumble.fuz.re$0")
+	}
+    }
+
+    $SERVER["socket"] == ":443" {
+    	ssl.engine  = "enable"
+	ssl.pemfile = "/etc/letsencrypt/live/mumble.fuz.re/fullchain.pem"
+	ssl.privkey = "/etc/letsencrypt/live/mumble.fuz.re/privkey.pem"
+    	url.redirect-code = 302 # it's a workaround for retarded lighttpd unable to handle websockets, hence a temp 302 redirection -- Lomanic 20200606
+    	url.redirect = (".*" => "https://mumble.fuz.re:64737$0")
+    }
+}
+
+
+
+$HTTP["host"] == "presence.fuz.re" { # added by Lomanic 20200606
+    $HTTP["scheme"] == "http" {
+    	server.document-root = "/var/www/fuz.re/presence/site"
+		$HTTP["url"] !~ "^/.well-known/acme-challenge/" {
+			url.redirect = (".*" => "https://${url.authority}${url.path}${qsa}")
+		}
+    }
+
+	$SERVER["socket"] == ":443" {
+		ssl.engine  = "enable"
+		proxy.server = ( "" => (("host" => "127.0.0.1", "port" => 3000)) )
+		#ssl.ca-file = "/etc/letsencrypt/live/presence.fuz.re/chain.pem"
+		#ssl.pemfile = "/etc/lighttpd/certs/presence.fuz.re.pem"
+
+		ssl.pemfile = "/etc/letsencrypt/live/presence.fuz.re/fullchain.pem"
+		ssl.privkey = "/etc/letsencrypt/live/presence.fuz.re/privkey.pem"
+	}
+}
+$HTTP["host"] == "spaceapi.fuz.re" { # added by Lomanic 20201017
+	$HTTP["scheme"] == "http" {
+		server.document-root = "/var/www/fuz.re/spaceapi/site"
+		$HTTP["url"] !~ "^/.well-known/acme-challenge/" {
+			url.redirect = (".*" => "https://${url.authority}${url.path}${qsa}")
+		}
+	}
+
+	$SERVER["socket"] == ":443" {
+		ssl.engine  = "enable"
+		proxy.server = ( "" => (("host" => "127.0.0.1", "port" => 3001)) )
+		ssl.pemfile = "/etc/letsencrypt/live/spaceapi.fuz.re/fullchain.pem"
+		ssl.privkey = "/etc/letsencrypt/live/spaceapi.fuz.re/privkey.pem"
+	}
+}
+
+$HTTP["host"] == "sonic.fuz.re" {
+	server.document-root = "/var/www/sonic.fuz.re/"
+}
+
+### Mailman ###
+$HTTP["host"] == "liste.fuz.re" {
+	server.document-root = "/var/www/fuz.re/liste/site"
+	$HTTP["scheme"] == "http" {
+		$HTTP["url"] !~ "^/.well-known/acme-challenge/" {
+			url.redirect = (".*" => "https://liste.fuz.re$0")
+		}
+	}
+	$SERVER["socket"] == ":443" {
+		ssl.engine  = "enable"
+		#ssl.ca-file = "/etc/letsencrypt/live/liste.fuz.re/chain.pem"
+		#ssl.pemfile = "/etc/letsencrypt/live/liste.fuz.re/combined.pem"
+		ssl.pemfile = "/etc/letsencrypt/live/liste.fuz.re/fullchain.pem"
+		ssl.privkey = "/etc/letsencrypt/live/liste.fuz.re/privkey.pem"
+	}
+	alias.url = (
+        "/mailman/" => "/usr/lib/cgi-bin/mailman/",
+        "/cgi-bin/mailman/" => "/usr/lib/cgi-bin/mailman/",
+        "/images/mailman/" => "/usr/share/images/mailman/",
+        #"/pipermail/" => "/var/lib/mailman/archives/public/"
+    )
+    cgi.assign = (
+        "/admin" => "",
+        "/admindb" => "",
+        "/confirm" => "",
+        "/create" => "",
+        "/edithtml" => "",
+        "/listinfo" => "",
+        "/options" => "",
+        "/private" => "",
+        "/rmlist" => "",
+        "/roster" => "",
+        "/subscribe" => "")
+}
+
+## Datapaulette - Pas hébérgé ici non plus
+$HTTP["host"] =~ "www.datapaulette.org" {
+	url.redirect = (".*" => "http://datapaulette.org")
+}
+$HTTP["host"] =~ "datapaulette.org" {
+        server.error-handler-404 = "/index.php"
+        server.document-root = "/var/www/datapaulette.org/dp-wp"
+#        $SERVER["socket"] == ":443" {
+#                ssl.engine  = "enable"
+#                ssl.ca-file = "/etc/letsencrypt/live/datapaulette.org/fullchain.pem"
+#                ssl.pemfile = "/etc/lighttpd/certs/datapaulette.org.pem"
+#        }
+        #url.rewrite = (
+        #       "^/(.*)\.(.+)$" => "$0",
+        #       ###"^/(wp-admin|wp-includes|wp-content|gallery2)/(.*)" => "$0",
+        #       "^/(.+)/?$" => "/index.php/$1"
+        #)
+}
+
+### WOOTDEVICES.IO  - https à activer après copie des certs
+$HTTP["host"] == "wootdevices.io" {
+        server.document-root = "/var/www/wootdevices.io/site/"
+#        $SERVER["socket"] == ":443" {
+#                ssl.engine  = "enable"
+#                ssl.ca-file = "/etc/letsencrypt/live/wootdevices.io/fullchain.pem"
+#                ssl.pemfile = "/etc/lighttpd/certs/wootdevices.io.pem"
+#        }
+}
+

templates/docker-compose-matrix.yml.j2

@@ -1,48 +0,0 @@
-version: '3'
-
-services:
-# matrix_synapse_version: "v1.5.1-py3"
-    # matrix_synapse_version: "v1.5.1"
-
-
-  #matrix_synapse_pg_host: synapse-postgres
-
-  synapse:
-    # build:
-    #    context: ../..
-     #   dockerfile: docker/Dockerfile
-    image: "matrixdotorg/synapse:{{ matrix_synapse_version }}"
-    # Since synapse does not retry to connect to the database, restart upon
-    # failure
-    restart: unless-stopped
-    # See the readme for a full documentation of the environment settings
-    environment:
-      - SYNAPSE_REPORT_STATS={{ matrix_synapse_report_stats }}
-      - SYNAPSE_CONFIG_PATH={{ matrix_synapse_config_docker_path }}
-    volumes:
-      # You may either store all the files in a local folder
-      - {{ matrix_synapse_config_dir }}:{{ matrix_synapse_config_docker_dir }}
-      - ./files:/data
-      # .. or you may split this between different storage points
-      # - ./files:/data
-      # - /path/to/ssd:/data/uploads
-      # - /path/to/large_hdd:/data/media
-    depends_on:
-      - db
-    # In order to expose Synapse, remove one of the following, you might for
-    # instance expose the TLS port directly:
-    ports:
-      - 8008:8008/tcp
-    # labels:
- 
-  db:
-    image: docker.io/postgres:10-alpine
-    # Change that password, of course!
-    environment:
-      - POSTGRES_USER={{ matrix_synapse_db_name }}
-      - POSTGRES_PASSWORD={{ matrix_synapse_pg_pass }}
-    volumes:
-      # You may store the database tables in a local folder..
-      - ./schemas:/var/lib/postgresql/data
-      # .. or store them on some high performance storage for better results
-      # - /path/to/ssd/storage:/var/lib/postgresql/data

templates/homeserver.yaml.j2

@@ -1,5 +1,7 @@
 ## Server ##
 
+
+report_stats: {{ matrix_synapse_report_stats }}
 # The domain name of the server, with optional explicit port.
 # This is used by remote servers to connect to this server,
 # e.g. matrix.org, localhost:8080, etc.
@@ -385,7 +387,7 @@ log_config: "/etc/matrix-synapse/log.yaml"
 
 # Directory where uploaded images and attachments are stored.
 #
-media_store_path: "/var/lib/matrix-synapse/media"
+media_store_path: "{{  matrix_synapse_destination_media_store_path }}"
 
 # Media storage providers allow media to be stored in different
 # locations.
@@ -404,7 +406,7 @@ media_store_path: "/var/lib/matrix-synapse/media"
 
 # Directory where in-progress uploads are stored.
 #
-uploads_path: "/var/lib/matrix-synapse/uploads"
+uploads_path: "{{ matrix_synapse_destination_uploads_path }}"
 
 # The largest allowed upload size in bytes
 #