Merge branch 'master' into renovate/mariadb-11.x

2024-08-22 22:51:37 +02:00 · 2024-08-22 22:51:37 +02:00 · 5e883c42f6
commit 5e883c42f6
parent 853c590bef a5478ab2df
23 changed files with 159 additions and 111 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -27,3 +27,4 @@ exclude_paths:
  - roles/ansible_role_gitea
  - roles/ansible-role-postgresql
  - .woodpecker/
  - .gitea/
--- a/.gitea/workflows/ansible-lint.yaml
+++ b/.gitea/workflows/ansible-lint.yaml
@ -0,0 +1,21 @@
 name: ansible-lint
 on:
  push:
    branches: [ master ]
  pull_request:
 jobs:
  ansible-lint:
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: write vault-pass
        run: echo ${{ secrets.VAULTPASS }} > ./vault-pass
      - name: run ansible-lint
        uses: docker://registry.mgrote.net/ansible-devspace:latest
        with:
          args: ansible-lint --force-color --format pep8 --show-relpath
 # VAULTPASS ist als Secrets auf Repo-Ebene angelegt
--- a/.gitea/workflows/gitleaks.yaml
+++ b/.gitea/workflows/gitleaks.yaml
@ -0,0 +1,16 @@
 name: gitleaks
 on:
  push:
    branches: [ master ]
  pull_request:
 jobs:
  gitleaks:
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Run Gitleaks
        uses: docker://zricethezav/gitleaks:v8.18.4
        with:
          args: detect --no-git --verbose --source ${{ github.workspace }}
--- a/.woodpecker/ansible-lint.yml
+++ b/.woodpecker/ansible-lint.yml
@ -1,20 +0,0 @@
 ---
 depends_on:
  - gitleaks
 steps:
  ansible-lint:
    image: registry.mgrote.net/ansible-devspace:latest
    commands:
      # Secrets
      - echo $${SSHKEY} | base64 -d > ./id_ed25519 # woodpecker verschluckt linebreaks, daher mit base64 -w0 "kodiert"
      - echo $${VAULTPASS} | base64 -d > ./vault-pass # Name des Secrets in Großschreibung
      - chmod 0400 ./id_ed25519
      # Doing
      - ansible-lint --force-color --format pep8 --show-relpath 
    # https://woodpecker-ci.org/docs/usage/secrets#use-secrets-in-commands
    secrets: [vaultpass]
    when:
      - event: [push, pull_request, cron, pull_request_closed, tag, release, manual]
        evaluate: 'CI_COMMIT_AUTHOR_EMAIL != "renovate@mgrote.net"'
 ...
--- a/.woodpecker/gitleaks.yml
+++ b/.woodpecker/gitleaks.yml
@ -1,10 +0,0 @@
 ---
 steps:
  gitleaks:
    image: zricethezav/gitleaks:v8.18.4
    commands:
      - gitleaks detect --no-git --verbose --source $CI_WORKSPACE
    when:
      - event: [push, pull_request, cron, pull_request_closed, tag, release, manual]
        evaluate: 'CI_COMMIT_AUTHOR_EMAIL != "renovate@mgrote.net"'
 ...
--- a/README.md
+++ b/README.md
@ -1,11 +1,9 @@
 # ansible_heimserver
 [![status-badge](https://ci.mgrote.net/api/badges/2/status.svg)](https://ci.mgrote.net/repos/2)
 ## ansible-devspace
 - Repository: https://git.mgrote.net/container-images/ansible-devspace
-  - dort mit Woodpecker-CI gebaut und in eigene Registry gepushed
+  - dort mit CI gebaut und in eigene Registry gepushed
 - ``devspace.sh`` pulled Image, prüft ob SSH-Key und ``vault-pass`` vorhanden sind
  - mountet git-Secrets
 - startet Container
--- a/docker-compose/act-runner/docker-compose.yml.j2
+++ b/docker-compose/act-runner/docker-compose.yml.j2
@ -0,0 +1,18 @@
 ---
 # https://gitea.com/gitea/act_runner/src/branch/main/examples/docker-compose
 version: "3.7"
 services:
  runner:
    container_name: act-runner
    image: gitea/act_runner
    restart: always
    volumes:
      - act_runner_data:/data
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      GITEA_INSTANCE_URL: https://git.mgrote.net
      GITEA_RUNNER_REGISTRATION_TOKEN: "{{ lookup('viczem.keepass.keepass', 'gitea_act_runner_token', 'password') }}" # only used on first start, https://git.mgrote.net/admin/actions/runners
      GITEA_RUNNER_NAME: "docker10-act-runner"
 volumes:
  act_runner_data:
--- a/docker-compose/nextcloud/docker-compose.yml.j2
+++ b/docker-compose/nextcloud/docker-compose.yml.j2
@ -2,7 +2,7 @@ version: '3.3'
 services:
 ######## Datenbank ########
  nextcloud-db:
-    image: "mariadb:11.5.2"
+    image: "mariadb:11.4.3"
    container_name: nextcloud-db
    command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF
    restart: unless-stopped
@ -67,7 +67,7 @@ services:
 ######## Nextcloud ########
  nextcloud-app:
-    image: "nextcloud:29.0.4"
+    image: "nextcloud:29.0.5"
    container_name: nextcloud-app
    restart: unless-stopped
    depends_on:
--- a/group_vars/blocky.yml
+++ b/group_vars/blocky.yml
@ -92,7 +92,7 @@ blocky_custom_lookups: # optional
  - name: ldap.mgrote.net
    ip: 192.168.2.47
  - name: munin.mgrote.net
-    ip: 192.168.2.41
+    ip: 192.168.2.40
 ### mgrote_munin_node
 # kann git.mgrote.net nicht auflösen, deshalb hiermit IP
--- a/group_vars/git.yml
+++ b/group_vars/git.yml
@ -55,7 +55,7 @@ ufw_rules:
 ### ansible_role_gitea
 gitea_fork: "forgejo"
 # gitea update
-gitea_version: "1.21.7-0" # alt zum renovate testen
+gitea_version: "1.21.11-2" # TODO renovate, wird das erkannt?
 gitea_version_check: true
 gitea_backup_on_upgrade: false
 # gitea in the linux world
@ -127,7 +127,7 @@ gitea_federation_enabled: false
 # Packages
 gitea_packages_enabled: false
 # actions
-gitea_actions_enabled: false
+gitea_actions_enabled: true
 gitea_extra_config: |
  ; webhook: wird für drone benötigt, sonst wird der Webhook nicht "gesendet"
  [webhook]
--- a/group_vars/munin.yml
+++ b/group_vars/munin.yml
@ -42,6 +42,7 @@ munin_node_bind_port: "4949"
 munin_node_allowed_cidrs: [127.0.0.1]
 ###  mgrote_munin_master
 munin_mode: cgi # or cron
 munin_mail_user: munin@mgrote.net
 munin_mail_server: "{{ postfix_smtp_server }}"
 munin_mail_port: "{{ 1025 }}"
--- a/host_vars/docker10.mgrote.net.yml
+++ b/host_vars/docker10.mgrote.net.yml
@ -67,6 +67,8 @@ compose_files:
    network: traefik
  - name: gramps
    state: present
  - name: act-runner
    state: present
 ### oefenweb.ufw
 ufw_rules:
--- a/host_vars/pbs.mgrote.net.yml
+++ b/host_vars/pbs.mgrote.net.yml
@ -68,6 +68,7 @@ zfs_extra_zfs_pools:
 ### mgrote_zfs_sanoid
 sanoid_snaps_enable: true
 ## syncoid
 sanoid_syncoid_destination_host: true
 sanoid_syncoid_ssh_privkey: "{{ lookup('viczem.keepass.keepass', 'sanoid_syncoid_private_key', 'notes') }}"
--- a/keepass_db.kdbx
+++ b/keepass_db.kdbx
--- a/roles/mgrote_munin_server/defaults/main.yml
+++ b/roles/mgrote_munin_server/defaults/main.yml
@ -6,20 +6,14 @@ munin_packages:
  - wget
  - libapache2-mod-fcgid
  - libcgi-fast-perl
  - ssmtp
  - perl
  - mailutils
  - curl
  - tzdata
  - munin-node
  - s-nail
  - libfile-readbackwards-perl
 munin_servername: "{{ ansible_fqdn }}.mgrote.net"
 munin_dirs:
  - /var/run/munin
  - /etc/munin/plugins
  - /var/cache/munin/www
  - /var/lib/munin
  - /var/cache/munin
 munin_server_plugins:
  - munin_stats
  - munin_update
@ -27,10 +21,6 @@ munin_cron_job: present
 munin_dbdir: "/var/lib/munin"
 munin_enable_alerts: false
 munin_mail_server: mail.server.com
 munin_mail_port: 25
 munin_mail_tls: false
 munin_alerts_to: nobody@nowhere.com
 munin_mode: cgi # or cron
--- a/roles/mgrote_munin_server/tasks/main.yml
+++ b/roles/mgrote_munin_server/tasks/main.yml
@ -7,21 +7,48 @@
 - name: Ensure needed dirs exists
  ansible.builtin.file:
-    path: "{{ item }}"
+    path: "{{ item.name }}"
    state: directory
-    mode: '0755'
+    mode: "{{ item.mode }}"
-    owner: munin
+    owner: "{{ item.owner }}"
-    group: munin
+    group: "{{ item.group }}"
-  loop: "{{ munin_dirs }}"
+    recurse: "{{ item.recurse }}"
-
+  loop:
- name: Ensure permissions are set
+    - name: /var/run/munin
-  ansible.builtin.file:
+      mode: '0755'
-    path: /var/lib/munin/cgi-tmp
+      owner: munin
-    mode: 'ugo+rw'
+      group: munin
-    state: directory
+      recurse: false
-    owner: munin
+    - name: /var/lib/munin-node/plugin-state
-    group: munin
+      mode: '0775'
-    recurse: true
+      owner: munin
      group: munin
      recurse: false
    - name: /etc/munin/plugins
      mode: '0755'
      owner: munin
      group: munin
      recurse: false
    - name: /var/cache/munin/www
      mode: '0755'
      owner: munin
      group: root
      recurse: false
    - name: /var/lib/munin
      mode: '0755'
      owner: munin
      group: munin
      recurse: false
    - name: /var/cache/munin
      mode: '0755'
      owner: root
      group: root
      recurse: false
    - name: /var/lib/munin/cgi-tmp # TODO, ist immer changed
      mode: "0775"
      owner: munin
      group: www-data
      recurse: true
 - name: Template apache config
  ansible.builtin.template:
@ -32,10 +59,17 @@
    group: root
  notify: "restart apache2"
- name: Enable fgcid
+- name: "apache2: enable rewrite"
  community.general.apache2_module:
    state: present
    name: rewrite
  notify: "restart apache2"
 - name: "apache2: enable rewrite"
  community.general.apache2_module:
    state: present
    name: fcgid
  notify: "restart apache2"
 - name: Template munin-server plugins
  ansible.builtin.template:
@ -61,6 +95,7 @@
    line: "*/5 * * * *     munin if [ -x /usr/bin/munin-cron ]; then /usr/bin/munin-cron; fi"
    create: true
    mode: '0644'
  notify: "restart munin"
 - name: check if munin has been run
  ansible.builtin.stat:
@ -75,12 +110,4 @@
    owner: munin
    group: munin
  when: not placeholder.stat.exists
 - name: Template ssmtp config
  ansible.builtin.template:
    src: ssmtp.conf
    dest: /etc/ssmtp/ssmtp.conf
    mode: '0644'
    owner: root
    group: root
 ...
--- a/roles/mgrote_munin_server/templates/apache.conf
+++ b/roles/mgrote_munin_server/templates/apache.conf
@ -1,24 +1,37 @@
 <VirtualHost *:80>
    ServerName {{ munin_servername }}
-    # Redirect requests without /munin to /munin
+    DocumentRoot /var/www
    RedirectMatch ^/$ /munin/
-    # Existing configuration for serving /munin
+    # Rewrite rules to serve traffic from the root instead of /munin-cgi
-    Alias /munin /var/cache/munin/www
+    RewriteEngine On
-    <Directory /var/cache/munin/www>
+    # Static files
-            Require all granted
+    RewriteRule ^/favicon.ico /var/cache/munin/www/static/favicon.ico [L]
-            Options None
+    RewriteRule ^/static/(.*) /var/cache/munin/www/static/$1          [L]
    # HTML
    RewriteRule ^(/.*\.html)?$ /munin-cgi/munin-cgi-html/$1 [PT]
    # Images
    RewriteRule ^/munin-cgi/munin-cgi-graph/(.*) /$1
    RewriteCond %{REQUEST_URI} !^/static
    RewriteRule ^/(.*.png)$ /munin-cgi/munin-cgi-graph/$1 [L,PT]
    ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph
    ScriptAlias /munin-cgi/munin-cgi-html /usr/lib/munin/cgi/munin-cgi-html
    <Directory /etc/munin/static>
        Require all granted
    </Directory>
-    ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph
+    <Directory /var/cache/munin/www/>
-    <Location /munin-cgi/munin-cgi-graph>
+        Require all granted
-            Require all granted
+    </Directory>
-            <IfModule mod_fcgid.c>
+
-                SetHandler fcgid-script
+    <Directory /usr/lib/munin/cgi>
-            </IfModule>
+        Require all granted
-            <IfModule !mod_fcgid.c>
+        <IfModule mod_fcgid.c>
-                SetHandler cgi-script
+            SetHandler fcgid-script
-            </IfModule>
+        </IfModule>
-    </Location>
+        <IfModule !mod_fcgid.c>
            SetHandler cgi-script
        </IfModule>
    </Directory>
 </VirtualHost>
--- a/roles/mgrote_munin_server/templates/munin.conf
+++ b/roles/mgrote_munin_server/templates/munin.conf
@ -91,7 +91,7 @@ html_strategy {{ munin_mode }}
 # something changes (OK -> WARNING, CRITICAL -> OK, etc)
 # test with: sudo -u munin /usr/share/munin/munin-limits --contact someuser --force
 {% if munin_enable_alerts is sameas true %}
-contact.someuser.command mail -aFROM:munin@mgrote.net -s "Munin ${var:worst}: ${var:group}::${var:host}::${var:plugin}" {{ munin_alerts_to }}
+contact.someuser.command s-nail --set=from='munin@mgrote.net' -s "Munin ${var:worst}: ${var:group}::${var:host}::${var:plugin}" {{ munin_alerts_to }}
 {% endif %}
 #contact.anotheruser.command mail -s "Munin ${var:worst}: ${var:group}::${var:host}::${var:plugin}" anotheruser@blibb.comm
 #
--- a/roles/mgrote_munin_server/templates/ssmtp.conf
+++ b/roles/mgrote_munin_server/templates/ssmtp.conf
@ -1,12 +0,0 @@
 # The user that gets all the mails (UID < 1000, usually the admin)
 root={{ munin_alerts_to }}
 # The mail server (where the mail is sent to), both port 465 or 587 should be acceptable
 # See also https://support.google.com/mail/answer/78799
 mailhub={{ munin_mail_server }}:{{ munin_mail_port }}
 # The full hostname. Must be correctly formed, fully qualified domain name or GMail will reject connection.
 hostname={{ munin_servername }}
 # Use implicit TLS (port 465). When using port 587, change UseSTARTTLS=Yes
 UseTLS={{ munin_mail_tls }}
--- a/roles/mgrote_users/tasks/main.yml
+++ b/roles/mgrote_users/tasks/main.yml
@ -1,7 +1,7 @@
 ---
 - name: set groups as list
  ansible.builtin.set_fact:
-    groups_as_list: "{{ (groups_as_list | default([]) + item.groups.split(',')) | map('trim') | list | sort | unique }}"
+    groups_as_list: "{{ (((((groups_as_list | default([]) + item.groups.split(','))) | map('trim')) | list) | sort) | unique }}"
  loop: '{{ users }}'
  when: item.groups is defined
--- a/roles/mgrote_zfs_sanoid/defaults/main.yml
+++ b/roles/mgrote_zfs_sanoid/defaults/main.yml
@ -3,8 +3,6 @@
 sanoid_timer: '*-*-* *:00/5'
 ### when should syncoid be run
 sanoid_syncoid_timer: '*-*-* *:00:00'
 ### where to download the package
 sanoid_deb_url: http://docker10.mgrote.net:3344/sanoid_3.0.0.deb
 #  ### "Default" Datasets
 #  sanoid_datasets: # dictionary
@ -31,7 +29,6 @@ sanoid_deb_url: http://docker10.mgrote.net:3344/sanoid_3.0.0.deb
 sanoid_user: sanoid
 sanoid_user_group: sanoid
 ### enable/disable features
 ## enable snapshotting
 # sanoid_snaps_enable: true
--- a/roles/mgrote_zfs_sanoid/tasks/main.yml
+++ b/roles/mgrote_zfs_sanoid/tasks/main.yml
@ -11,13 +11,18 @@
      - libcapture-tiny-perl
      - pv
      - libconfig-ini-perl
      - sanoid
    state: present
- name: install packages from self-build
+- name: Overwrite syncoid script from package
  become: true
-  ansible.builtin.apt:
+  ansible.builtin.get_url:
-    deb: "{{ sanoid_deb_url }}"
+    url: https://raw.githubusercontent.com/jimsalterjrs/sanoid/master/syncoid
-    state: present
+    dest: /usr/bin/syncoid
    mode: '0755'
    owner: root
    group: root
    force: true
 - name: create sanoid directories
  become: true
--- a/roles/mgrote_zfs_sanoid/templates/syncoid.sh.j2
+++ b/roles/mgrote_zfs_sanoid/templates/syncoid.sh.j2
@ -8,5 +8,5 @@
 # check if source host is reachable
 ping -c1 -W1 {{ item.source_host }} > /dev/null || {{ item.source_host }} not reachable!
 # syncoid
-export HOME=/root ; /usr/bin/syncoid --compress=zstd-fast --sshoption=StrictHostKeyChecking=no --delete-target-snapshots --use-hold --preserve-recordsize --sshkey "/etc/sanoid/.ssh/id_sanoid" --source-bwlimit {{ sanoid_syncoid_bwlimit }} {{ sanoid_user }}@{{ item.source_host }}:{{ item.source_dataset }} {{ item.destination_dataset }} 2> /dev/null
+export HOME=/root ; /usr/bin/syncoid --compress=zstd-fast --sshoption=StrictHostKeyChecking=no --delete-target-snapshots --use-hold --preserve-recordsize --sshkey "/etc/sanoid/.ssh/id_sanoid" --source-bwlimit {{ sanoid_syncoid_bwlimit }} {{ sanoid_user }}@{{ item.source_host }}:{{ item.source_dataset }} {{ item.destination_dataset }}
 {% endfor %}