From 3a1f322cd556db8499cbbefabf03028a618e69c3 Mon Sep 17 00:00:00 2001 From: Hadrien Date: Tue, 14 Jun 2022 22:33:48 +0200 Subject: [PATCH] bootstrap --- README.md | 4 +- adminsys-classique.yml | 14 ++ main.yml | 23 ++- matrix-telegram-bridge.yml | 11 - matrix.yml | 80 ++++---- server_name.yaml | 9 + site-statique.yml | 1 + sonic/lighttpd.conf | 272 +++++++++++++++++++++++++ templates/docker-compose-matrix.yml.j2 | 48 ----- templates/homeserver.yaml.j2 | 6 +- 10 files changed, 358 insertions(+), 110 deletions(-) create mode 100644 adminsys-classique.yml delete mode 100644 matrix-telegram-bridge.yml create mode 100644 server_name.yaml create mode 100644 site-statique.yml create mode 100644 sonic/lighttpd.conf delete mode 100644 templates/docker-compose-matrix.yml.j2 diff --git a/README.md b/README.md index 4b92c6a..3a41858 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@ Playbooks pour installation via Ansible de services pour le Fuz. ## Deployment -1. Edit the file `hosts.ini` and the variables in `matrix.yml`. +1. Récupérer l'inventaire `hosts.ini` auprès d'un humain ou autre 2. Install ansible: ```bash sudo apt update @@ -12,4 +12,4 @@ Playbooks pour installation via Ansible de services pour le Fuz. sudo apt install ansible ``` -3. Launch the playbook: `ansible-playbook setup.yml` \ No newline at end of file +1. Launch the playbook: `ansible-playbook main.yml -K --check` \ No newline at end of file diff --git a/adminsys-classique.yml b/adminsys-classique.yml new file mode 100644 index 0000000..52715e6 --- /dev/null +++ b/adminsys-classique.yml @@ -0,0 +1,14 @@ +--- +- hosts: all + pre_tasks: + - apt: + upgrade: yes + # roles: + # - geerlingguy.pip + tasks: + - apt: + name: + - python3-pip + - tmux + - bash-completion + # - zsh \ No newline at end of file diff --git a/main.yml b/main.yml index 7ada3ff..79159df 100644 --- a/main.yml +++ b/main.yml 
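Review bot: Neither `apt` task in adminsys-classique.yml sets `become`, so on any host where the Ansible user is not root the unconditional `upgrade: yes` (and the package install below it) fails on permissions; the README's `-K` only collects a become password, and the matrix.yml play in this same commit sets `become: yes` per task, so this file should do the same. The upgrade also runs without `update_cache`, meaning it upgrades against whatever package index the host last fetched (main.yml's own `update_cache` pre_task belongs to a different play and does not carry into an imported one). I would write the first task as `- name: Upgrade installed packages` / `  become: true` / `  apt: {upgrade: safe, update_cache: true}`, add `become: true` and a `name` to the second task, and use `true`/`false` rather than `yes` so yamllint's truthy rule stays quiet. Named tasks also make the `--check` run the README recommends readable.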
@@ -1,17 +1,18 @@ --- - hosts: - - sonic-preprod - handlers: - - name: reboot - reboot: - + # - sonic-preprod + - sonic + - octo.fuz.re pre_tasks: - apt: update_cache: yes - # - apt: - # name: python-pip - # roles: - # - geerlingguy.pip -# - import_playbook: nginx-certbot.yml -- import_playbook: matrix.yml \ No newline at end of file + import_playbook: + - adminsys-classique.yml + - matrix.yml + # - import_playbook: nginx.yml + # - import_playbook: certbot.yml + # - import_playbook: matrix.yml + handlers: + - name: reboot + reboot: \ No newline at end of file diff --git a/matrix-telegram-bridge.yml b/matrix-telegram-bridge.yml deleted file mode 100644 index 5f1800e..0000000 --- a/matrix-telegram-bridge.yml +++ /dev/null @@ -1,11 +0,0 @@ -# https://github.com/tulir/mautrix-telegram/wiki/Bridge-setup-with-Docker - -# version: "3.7" - -# services: -# mautrix-telegram: -# container_name: mautrix-telegram -# image: dock.mau.dev/tulir/mautrix-telegram: -# restart: unless-stopped -# volumes: -# - .:/data \ No newline at end of file diff --git a/matrix.yml b/matrix.yml index c54f53e..558ccaa 100644 --- a/matrix.yml +++ b/matrix.yml 
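Review bot: `import_playbook` is a playbook-level entry, not a play or task keyword, and it takes a single path — placed under the play's `pre_tasks` after the `apt` item as this hunk does (the exact indentation is hard to read in the collapsed diff) and given a list, Ansible rejects the playbook, so neither sub-playbook ever runs. Restore the previous top-level form after the play's closing `handlers` block: `- import_playbook: adminsys-classique.yml` and `- import_playbook: matrix.yml`. Note also that a play's `pre_tasks` and `handlers` do not apply to imported playbooks, so the `reboot` handler defined here is notified by nothing in this file and the imported plays need their own `update_cache`.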
@@ -1,41 +1,49 @@ --- -- hosts: synapse -# todo: create user for synapse - vars: - matrix_synapse_version: "v1.5.1-py3" - # matrix_synapse_version: "v1.5.1" - matrix_server_name: matrix-sonic-beta.local - matrix_bind_address: "192.168.42.4" +# - hosts: synapse +# # todo: create user for synapse +# vars: +# matrix_synapse_version: "v1.5.1-py3" +# # matrix_synapse_version: "v1.5.1" +# matrix_server_name: matrix-sonic-beta.local +# matrix_bind_address: "192.168.42.4" - matrix_synapse_pg_host: synapse-postgres # does it need to be an IP? - matrix_synapse_db_name: psycopg2 - matrix_synapse_pg_user: "synapse" - matrix_synapse_pg_pass: "pomme" - matrix_synapse_pg_db: "synapse" - matrix_registration_shared_secret: "xxxxx" - matrix_synapse_report_stats: false - matrix_synapse_config_path: "/etc/matrix-synapse/homeserver.yaml" +# matrix_synapse_pg_host: synapse-postgres # does it need to be an IP? +# matrix_synapse_db_name: psycopg2 +# matrix_synapse_pg_user: "synapse" +# matrix_synapse_pg_pass: "pomme" +# matrix_synapse_pg_db: "synapse" +# matrix_registration_shared_secret: "xxxxx" +# matrix_synapse_report_stats: false +# matrix_synapse_config_path: "/etc/matrix-synapse/homeserver.yaml" - # to implement - # matrix_no_tls: true +# # to implement +# # matrix_no_tls: true +# tasks: +# # - docker_volume: +# # name: synapse-data + +# - template: +# src: templates/synapse_homeserver.yaml.j2 +# dest: {{ matrix_synapse_config_path }} + +# - template: +# src: templates/docker-compose-matrix.yml.j2 +# dest: /etc/docker/docker-compose.yml + +# - name: Create and start matrix services +# docker_compose: +# project_src: matrix +# register: output + + +# # uploads_path: "/var/lib/matrix-synapse/uploads" +# # media_store_path: "/var/lib/matrix-synapse/media" +# --- +- hosts: octo.fuz.re tasks: - # - docker_volume: - # name: synapse-data - - - template: - src: templates/synapse_homeserver.yaml.j2 - dest: {{ matrix_synapse_config_path }} - - - template: - src: 
templates/docker-compose-matrix.yml.j2 - dest: /etc/docker/docker-compose.yml - - - name: Create and start matrix services - docker_compose: - project_src: matrix - register: output - - - # uploads_path: "/var/lib/matrix-synapse/uploads" -# media_store_path: "/var/lib/matrix-synapse/media" + - name: synapse installé et upgradé + become: yes + apt: + name: matrix-synapse + update_cache: yes diff --git a/server_name.yaml b/server_name.yaml new file mode 100644 index 0000000..9aa07d7 --- /dev/null +++ b/server_name.yaml @@ -0,0 +1,9 @@ +# This file is autogenerated, and will be recreated on upgrade if it is deleted. +# Any changes you make will be preserved. + +# The domain name of the server, with optional explicit port. +# This is used by remote servers to connect to this server, +# e.g. matrix.org, localhost:8080, etc. +# This is also the last part of your UserID. +# +server_name: matrix.fuz.re diff --git a/site-statique.yml b/site-statique.yml new file mode 100644 index 0000000..94df68e --- /dev/null +++ b/site-statique.yml @@ -0,0 +1 @@ +# lighttpd ou nginx ? \ No newline at end of file diff --git a/sonic/lighttpd.conf b/sonic/lighttpd.conf new file mode 100644 index 0000000..1bef6ab --- /dev/null +++ b/sonic/lighttpd.conf 
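Review bot: The new side of matrix.yml keeps the old play as a commented-out block, and that block still carries credential-shaped values in a committed file — `matrix_synapse_pg_pass: "pomme"` and `matrix_registration_shared_secret: "xxxxx"`; dead configuration should be deleted outright (git history already preserves it), and any real value that replaces it belongs in `ansible-vault`, never in a playbook's `vars`. Separately, the task named "synapse installé et upgradé" relies on the `apt` module's default `state: present`, which installs `matrix-synapse` but never upgrades an already-installed package; either add `state: latest` under `apt:` or rename the task to claim only installation. A `# installed from the distribution's matrix-synapse package; no config is rendered by this play` comment above the task would also make clear that the templates/ directory is currently unused by it.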
@@ -0,0 +1,272 @@ +server.modules = ( + "mod_access", + "mod_accesslog", + "mod_alias", + "mod_compress", + "mod_redirect", + "mod_setenv", + "mod_rewrite", + "mod_proxy", + "mod_cgi", + "mod_openssl", +) + +server.document-root = "/var/www/html" +server.upload-dirs = ( "/var/cache/lighttpd/uploads" ) +server.errorlog = "/var/log/lighttpd/error.log" +accesslog.filename = "/var/log/lighttpd/access.log" +server.pid-file = "/var/run/lighttpd.pid" +server.username = "www-data" +server.groupname = "www-data" +server.port = 80 + +dir-listing.activate = "enable" +dir-listing.encoding = "utf-8" + +index-file.names = ( "index.php", "index.html", "index.lighttpd.html" ) +url.access-deny = ( "~", ".inc" ) +static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" ) + +compress.cache-dir = "/var/cache/lighttpd/compress/" +compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" ) + +# default listening port for IPv6 falls back to the IPv4 port +include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port +# not here anymore see next line : include_shell "/usr/share/lighttpd/create-mime.assign.pl" +include_shell "/usr/share/lighttpd/create-mime.conf.pl" +#include_shell "/usr/share/lighttpd/include-conf-enabled.pl" +include "/etc/lighttpd/conf-enabled/*.conf" + +### FUZ.RE ### +### Wiki pas encore hébergé ici ### +$HTTP["host"] == "wiki.fuz.re" { + server.document-root = "/var/www/fuz.re/dokuwiki/" + $HTTP["scheme"] == "http" { + url.redirect = (".*" => "https://wiki.fuz.re$0") + } + + $HTTP["scheme"] == "https" { + $HTTP["url"] =~ "^/" { + server.follow-symlink = "enable" + } + + $HTTP["url"] =~ "/(\.|_)ht" { + url.access-deny = ( "" ) + } + $HTTP["url"] =~ "^/(bin|data|inc|conf)" { + url.access-deny = ( "" ) + } +# $SERVER["socket"] == ":443" { +# ssl.engine = "enable" + # ssl.ca-file = "/etc/letsencrypt/live/wiki.fuz.re/fullchain.pem" +# ssl.pemfile = "/etc/lighttpd/certs/wiki.fuz.re.pem" +# } + } +} + +# Redirect www -> https without www 
+$HTTP["host"] == "www.fuz.re" { + $HTTP["scheme"] == "http" { + url.redirect = (".*" => "https://fuz.re$0") + } +} +# Redirect http -> https without www +$HTTP["host"] == "fuz.re" { + $HTTP["scheme"] == "http" { + url.redirect = (".*" => "https://fuz.re$0") + } + # HTTPS : + $HTTP["scheme"] == "https" { + server.document-root = "/var/www/fuz.re/newsite/public" + $SERVER["socket"] == ":443" { + ssl.engine = "enable" + ssl.pemfile = "/etc/letsencrypt/live/fuz.re/fullchain.pem" + ssl.privkey = "/etc/letsencrypt/live/fuz.re/privkey.pem" + } + } +} + +# Old Jack.tf +$HTTP["host"] == "jack.fuz.re" { + server.document-root = "/var/www/fuz.re/jack/site" + $HTTP["scheme"] == "http" { + $HTTP["url"] !~ "^/.well-known/acme-challenge/" { + url.redirect = (".*" => "https://jack.fuz.re$0") + } + } + $HTTP["scheme"] == "https" { + $SERVER["socket"] == ":443" { + ssl.engine = "enable" + ssl.pemfile = "/etc/letsencrypt/live/jack.fuz.re/fullchain.pem" + ssl.privkey = "/etc/letsencrypt/live/jack.fuz.re/privkey.pem" + } + } +} + + +$HTTP["host"] == "riot.fuz.re" { + server.document-root = "/var/www/fuz.re/riot/site" + $HTTP["scheme"] == "http" { + $HTTP["url"] !~ "^/.well-known/acme-challenge/" { + url.redirect = (".*" => "https://riot.fuz.re$0") + } + } + $HTTP["scheme"] == "https" { + alias.url = ( + "/rc" => "/var/www/fuz.re/riot/rc" + ) + + $SERVER["socket"] == ":443" { + ssl.engine = "enable" + ssl.pemfile = "/etc/letsencrypt/live/riot.fuz.re/fullchain.pem" + ssl.privkey = "/etc/letsencrypt/live/riot.fuz.re/privkey.pem" + } + } +} + +$HTTP["host"] == "matrix.fuz.re" { + server.document-root = "/var/www/fuz.re/matrix/site" + $HTTP["scheme"] == "http" { + $HTTP["url"] !~ "^/.well-known/acme-challenge/" { + url.redirect = (".*" => "https://matrix.fuz.re$0") + } + } + $SERVER["socket"] == ":443" { + ssl.engine = "enable" + ssl.pemfile = "/etc/letsencrypt/live/matrix.fuz.re/fullchain.pem" + ssl.privkey = "/etc/letsencrypt/live/matrix.fuz.re/privkey.pem" + proxy.server = ( "" => (( 
"host" => "127.0.0.1", "port" => 8008 ))) + proxy.header = ( "map-host-request" => ( "-" => "matrix.fuz.re"), + "map-host-response" => ("-" => "-")) + } + $SERVER["socket"] == ":8448" { + ssl.engine = "enable" + ssl.pemfile = "/etc/letsencrypt/live/matrix.fuz.re/fullchain.pem" + ssl.privkey = "/etc/letsencrypt/live/matrix.fuz.re/privkey.pem" + proxy.server = ( "" => (( "host" => "127.0.0.1", "port" => 8008 ))) + proxy.header = ( "map-host-request" => ( "-" => "matrix.fuz.re"), + "map-host-response" => ("-" => "-")) + } +} + +$HTTP["host"] == "mumble.fuz.re" { + $HTTP["scheme"] == "http" { + server.document-root = "/var/www/fuz.re/mumble/site" + $HTTP["url"] !~ "^/.well-known/acme-challenge/" { + url.redirect = (".*" => "https://mumble.fuz.re$0") + } + } + + $SERVER["socket"] == ":443" { + ssl.engine = "enable" + ssl.pemfile = "/etc/letsencrypt/live/mumble.fuz.re/fullchain.pem" + ssl.privkey = "/etc/letsencrypt/live/mumble.fuz.re/privkey.pem" + url.redirect-code = 302 # it's a workaround for retarded lighttpd unable to handle websockets, hence a temp 302 redirection -- Lomanic 20200606 + url.redirect = (".*" => "https://mumble.fuz.re:64737$0") + } +} + + + +$HTTP["host"] == "presence.fuz.re" { # added by Lomanic 20200606 + $HTTP["scheme"] == "http" { + server.document-root = "/var/www/fuz.re/presence/site" + $HTTP["url"] !~ "^/.well-known/acme-challenge/" { + url.redirect = (".*" => "https://${url.authority}${url.path}${qsa}") + } + } + + $SERVER["socket"] == ":443" { + ssl.engine = "enable" + proxy.server = ( "" => (("host" => "127.0.0.1", "port" => 3000)) ) + #ssl.ca-file = "/etc/letsencrypt/live/presence.fuz.re/chain.pem" + #ssl.pemfile = "/etc/lighttpd/certs/presence.fuz.re.pem" + + ssl.pemfile = "/etc/letsencrypt/live/presence.fuz.re/fullchain.pem" + ssl.privkey = "/etc/letsencrypt/live/presence.fuz.re/privkey.pem" + } +} +$HTTP["host"] == "spaceapi.fuz.re" { # added by Lomanic 20201017 + $HTTP["scheme"] == "http" { + server.document-root = 
"/var/www/fuz.re/spaceapi/site" + $HTTP["url"] !~ "^/.well-known/acme-challenge/" { + url.redirect = (".*" => "https://${url.authority}${url.path}${qsa}") + } + } + + $SERVER["socket"] == ":443" { + ssl.engine = "enable" + proxy.server = ( "" => (("host" => "127.0.0.1", "port" => 3001)) ) + ssl.pemfile = "/etc/letsencrypt/live/spaceapi.fuz.re/fullchain.pem" + ssl.privkey = "/etc/letsencrypt/live/spaceapi.fuz.re/privkey.pem" + } +} + +$HTTP["host"] == "sonic.fuz.re" { + server.document-root = "/var/www/sonic.fuz.re/" +} + +### Mailman ### +$HTTP["host"] == "liste.fuz.re" { + server.document-root = "/var/www/fuz.re/liste/site" + $HTTP["scheme"] == "http" { + $HTTP["url"] !~ "^/.well-known/acme-challenge/" { + url.redirect = (".*" => "https://liste.fuz.re$0") + } + } + $SERVER["socket"] == ":443" { + ssl.engine = "enable" + #ssl.ca-file = "/etc/letsencrypt/live/liste.fuz.re/chain.pem" + #ssl.pemfile = "/etc/letsencrypt/live/liste.fuz.re/combined.pem" + ssl.pemfile = "/etc/letsencrypt/live/liste.fuz.re/fullchain.pem" + ssl.privkey = "/etc/letsencrypt/live/liste.fuz.re/privkey.pem" + } + alias.url = ( + "/mailman/" => "/usr/lib/cgi-bin/mailman/", + "/cgi-bin/mailman/" => "/usr/lib/cgi-bin/mailman/", + "/images/mailman/" => "/usr/share/images/mailman/", + #"/pipermail/" => "/var/lib/mailman/archives/public/" + ) + cgi.assign = ( + "/admin" => "", + "/admindb" => "", + "/confirm" => "", + "/create" => "", + "/edithtml" => "", + "/listinfo" => "", + "/options" => "", + "/private" => "", + "/rmlist" => "", + "/roster" => "", + "/subscribe" => "") +} + +## Datapaulette - Pas hébérgé ici non plus +$HTTP["host"] =~ "www.datapaulette.org" { + url.redirect = (".*" => "http://datapaulette.org") +} +$HTTP["host"] =~ "datapaulette.org" { + server.error-handler-404 = "/index.php" + server.document-root = "/var/www/datapaulette.org/dp-wp" +# $SERVER["socket"] == ":443" { +# ssl.engine = "enable" +# ssl.ca-file = "/etc/letsencrypt/live/datapaulette.org/fullchain.pem" +# ssl.pemfile = 
"/etc/lighttpd/certs/datapaulette.org.pem" +# } + #url.rewrite = ( + # "^/(.*)\.(.+)$" => "$0", + # ###"^/(wp-admin|wp-includes|wp-content|gallery2)/(.*)" => "$0", + # "^/(.+)/?$" => "/index.php/$1" + #) +} + +### WOOTDEVICES.IO - https à activer après copie des certs +$HTTP["host"] == "wootdevices.io" { + server.document-root = "/var/www/wootdevices.io/site/" +# $SERVER["socket"] == ":443" { +# ssl.engine = "enable" +# ssl.ca-file = "/etc/letsencrypt/live/wootdevices.io/fullchain.pem" +# ssl.pemfile = "/etc/lighttpd/certs/wootdevices.io.pem" +# } +} + diff --git a/templates/docker-compose-matrix.yml.j2 b/templates/docker-compose-matrix.yml.j2 deleted file mode 100644 index 10c04f0..0000000 --- a/templates/docker-compose-matrix.yml.j2 +++ /dev/null 
@@ -1,48 +0,0 @@ -version: '3' - -services: -# matrix_synapse_version: "v1.5.1-py3" - # matrix_synapse_version: "v1.5.1" - - - #matrix_synapse_pg_host: synapse-postgres - - synapse: - # build: - # context: ../.. - # dockerfile: docker/Dockerfile - image: "matrixdotorg/synapse:{{ matrix_synapse_version }}" - # Since synapse does not retry to connect to the database, restart upon - # failure - restart: unless-stopped - # See the readme for a full documentation of the environment settings - environment: - - SYNAPSE_REPORT_STATS={{ matrix_synapse_report_stats }} - - SYNAPSE_CONFIG_PATH={{ matrix_synapse_config_docker_path }} - volumes: - # You may either store all the files in a local folder - - {{ matrix_synapse_config_dir }}:{{ matrix_synapse_config_docker_dir }} - - ./files:/data - # .. or you may split this between different storage points - # - ./files:/data - # - /path/to/ssd:/data/uploads - # - /path/to/large_hdd:/data/media - depends_on: - - db - # In order to expose Synapse, remove one of the following, you might for - # instance expose the TLS port directly: - ports: - - 8008:8008/tcp - # labels: - - db: - image: docker.io/postgres:10-alpine - # Change that password, of course! - environment: - - POSTGRES_USER={{ matrix_synapse_db_name }} - - POSTGRES_PASSWORD={{ matrix_synapse_pg_pass }} - volumes: - # You may store the database tables in a local folder.. - - ./schemas:/var/lib/postgresql/data - # .. or store them on some high performance storage for better results - # - /path/to/ssd/storage:/var/lib/postgresql/data diff --git a/templates/homeserver.yaml.j2 b/templates/homeserver.yaml.j2 index 4358596..660a6c3 100644 --- a/templates/homeserver.yaml.j2 +++ b/templates/homeserver.yaml.j2 @@ -1,5 +1,7 @@ ## Server ## + +report_stats: {{ matrix_synapse_report_stats }} # The domain name of the server, with optional explicit port. # This is used by remote servers to connect to this server, # e.g. matrix.org, localhost:8080, etc. 
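Review bot: `report_stats: {{ matrix_synapse_report_stats }}` depends on a variable that, after this commit, is defined nowhere visible: matrix.yml's `vars` block (which set `matrix_synapse_report_stats: false`) is commented out on the new side, and no remaining task renders templates/homeserver.yaml.j2 at all (the commented-out `template` task pointed at a differently named `synapse_homeserver.yaml.j2`). If these variables are meant to come from inventory or group_vars, a comment at the top of the template such as `{# matrix_synapse_* variables are expected from group_vars/inventory, not from matrix.yml #}` would save the next reader a search. Consider also failing closed for telemetry if the value is ever missing: `report_stats: {{ matrix_synapse_report_stats | default(false) | lower }}`.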
@@ -385,7 +387,7 @@ log_config: "/etc/matrix-synapse/log.yaml" # Directory where uploaded images and attachments are stored. # -media_store_path: "/var/lib/matrix-synapse/media" +media_store_path: "{{  matrix_synapse_destination_media_store_path }}" # Media storage providers allow media to be stored in different # locations. @@ -404,7 +406,7 @@ media_store_path: "/var/lib/matrix-synapse/media" # Directory where in-progress uploads are stored. # -uploads_path: "/var/lib/matrix-synapse/uploads" +uploads_path: "{{ matrix_synapse_destination_uploads_path }}" # The largest allowed upload size in bytes #