redeployment forgejo + setup ldap (#1)

Reviewed-on: #1

.ansible-lint

@@ -12,15 +12,14 @@ exclude_paths:
   - .gitlab-ci.yml
   - friedhof/
   - playbooks/on-off
-  - roles/geerlingguy-ansible-role-pip
-  - roles/pyratlabs-ansible-role-k3s
-  - roles/robertdebock-ansible-role-bootstrap
-  - roles/gantsign-ansible-role-ctop
-  - roles/geerlingguy-ansible-role-docker
-  - roles/geerlingguy-ansible-role-helm
-  - roles/geerlingguy-ansible-role-nfs
-  - roles/hifis-net-ansible-role-unattended-upgrades
-  - roles/mrlesmithjr-ansible-manage-lvm
-  - roles/oefenweb-ansible-ufw
-  - roles/pandemonium1986-ansible-role-k9s
-  - roles/pyratlabs-ansible-role-gitea
+  - roles/ansible-role-pip
+  - roles/ansible-role-bootstrap
+  - roles/ansible_role_ctop
+  - roles/ansible-role-docker
+  - roles/ansible-role-helm
+  - roles/ansible-role-nfs
+  - roles/ansible-role-unattended-upgrades
+  - roles/ansible-manage-lvm
+  - roles/ansible-ufw
+  - roles/ansible_role_gitea
+  - roles/ansible-role-postgresql

.gitignore

@@ -2,17 +2,19 @@
 vault-pass.yml
 id_ed25519
 id_ed25519.pub
-roles/geerlingguy-ansible-role-pip
-roles/pyratlabs-ansible-role-k3s
-roles/robertdebock-ansible-role-bootstrap
-roles/gantsign-ansible-role-ctop
-roles/geerlingguy-ansible-role-docker
-roles/geerlingguy-ansible-role-helm
-roles/geerlingguy-ansible-role-nfs
-roles/hifis-net-ansible-role-unattended-upgrades
-roles/mrlesmithjr-ansible-manage-lvm
-roles/oefenweb-ansible-ufw
+roles/ansible-role-pip
+roles/ansible-role-k3s
+roles/ansible-role-bootstrap
+roles/ansible_role_ctop
+roles/ansible-role-docker
+roles/ansible-role-helm
+roles/ansible-role-nfs
+roles/ansible_role_gitea
+roles/ansible-role-unattended-upgrades
+roles/ansible-manage-lvm
+roles/ansible-ufw
 roles/pandemonium1986-ansible-role-k9s
-roles/pyratlabs-ansible-role-gitea
+roles/ansible_role_gitea
 collections/
 plugins/lookup/__pycache__/
+roles/ansible-role-postgresql

docker-compose/mail-relay/docker-compose.yml.j2

@@ -15,7 +15,7 @@ services:
       ALWAYS_ADD_MISSING_HEADERS: "no" # literal
       # LOG_SUBJECT: "yes" # literal
       INET_PROTOCOL: ipv4
-      SMTP_GENERIC_MAP: "/.*/ info@mgrote.net"
+      #SMTP_GENERIC_MAP: "/.*/ info@mgrote.net" # deactivated; dont overwrite sender
     networks:
       - mail-relay
     healthcheck:

docker-compose/munin/docker-compose.yml.j2

@@ -18,10 +18,11 @@ services:
         fileserver3.mgrote.net:fileserver3.mgrote.net
         ansible2.mgrote.net:ansible2.mgrote.net
         pve5.mgrote.net:pve5.mgrote.net
-        gitea.mgrote.net:gitea.mgrote.net
+        forgejo.mgrote.net:forgejo.mgrote.net
         docker10.mgrote.net:docker10.mgrote.net
         pbs.mgrote.net:pbs.mgrote.net
         blocky.mgrote.net:blocky.mgrote.net
+        ldap.mgrote.net:ldap.mgrote.net
       # z.B.
       # computer-test.mgrote.net.test:192.68.2.4
       # computer.mgrote.net:computer.mgrote.net

docker-compose/routeros-config-export/docker-compose.yml

@@ -15,7 +15,7 @@ services:
               hex.mgrote.net,routeros-config-backup,/key_hex
               crs305.mgrote.net,routeros-config-backup,/key_crs305
       GIT_REPO_BRANCH: "master"
-      GIT_REPO_URL: "ssh://gitea@gitea.mgrote.net:2222/mg/routeros-configs.git"
+      GIT_REPO_URL: "gitea@forgejo.mgrote.net:mg/routeros-configs.git"
       GIT_REPO_DEPLOY_KEY: "/deploy_token"
       GIT_USERNAME: oxidized-selfmade
       GIT_USER_MAIL: michael.grote@posteo.de

docker-compose/traefik/file-provider.yml

@@ -14,4 +14,4 @@ http:
     service_gitea:
       loadBalancer:
         servers:
-          - url: "http://gitea.mgrote.net:3000/"
+          - url: "http://forgejo.mgrote.net:3000/"

group_vars/all.yml

@@ -20,29 +20,6 @@ dotfiles_vim_vundle_repo_url: https://git.mgrote.net/mirrors/Vundle.vim.git
 ### mgrote_netplan
 netplan_configure: true
 
-### mgrote_restic
-restic_user: root
-restic_group: restic
-restic_conf_dir: /etc/restic
-restic_exclude: |
-      ._*
-      desktop.ini
-      .Trash-*
-      **/**cache***/**
-      **/**Cache***/**
-      **/**AppData***/**
-      # https://github.com/restic/restic/issues/1005
-      # https://forum.restic.net/t/exclude-syntax-confusion/1531/12
-restic_mount_timeout: "10 min"
-restic_failure_delay: "30 s"
-restic_schedule: "0/6:00" # alle 6 Stunden
-restic_folders_to_backup: "/" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben; https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files
-restic_repository: "//fileserver3.mgrote.net/restic"
-restic_repository_password: "{{ lookup('keepass', 'restic_repository_password', 'password') }}"
-restic_mount_user: restic
-restic_mount_password: "{{ lookup('keepass', 'fileserver_smb_user_restic', 'password') }}"
-restic_fail_mail: "{{ my_mail }}"
-
 ### mgrote_user
 users:
   - username: mg
@@ -219,16 +196,16 @@ munin_node_disabled_plugins:
   - name: timesync
 munin_node_plugins:
   - name: chrony
-    src: https://git.mgrote.net/Mirror/munin-contrib/raw/branch/master/plugins/chrony/chrony
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
   - name: systemd_status
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_status
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
   - name: systemd_mem
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
     config: |
       [systemd_mem]
       env.all_services true
   - name: lvm_
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/disk/lvm_
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/disk/lvm_
     config: |
       [lvm_*]
       user root

group_vars/blocky.yml

@@ -24,13 +24,13 @@ apt_packages_extra:
   - libnet-dns-perl # für munin: dnsresponse_
 
 ### mgrote_user_setup
-dotfiles_vim_vundle_repo_url: http://192.168.2.44:3000/mirrors/Vundle.vim.git
+dotfiles_vim_vundle_repo_url: http://192.168.2.42:3000/mirrors/Vundle.vim.git
 dotfiles:
   - user: mg
     home: /home/mg
   - user: root
     home: /root
-dotfiles_repo_url: http://192.168.2.44:3000/mg/dotfiles
+dotfiles_repo_url: http://192.168.2.42:3000/mg/dotfiles
 
 ### mgrote_blocky
 blocky_version: v0.23
@@ -86,40 +86,40 @@ blocky_custom_lookups: # optional
     ip: 192.168.2.1
   - name: fritz.box
     ip: 192.168.5.1
+  - name: ldap.mgrote.net
+    ip: 192.168.2.47
 
-### mgrote_restic
-restic_repository: "//192.168.2.54/restic"
 
 ### mgrote_munin_node
 # kann git.mgrote.net nicht auflösen, deshalb hiermit IP
 munin_node_plugins:
   - name: chrony
-    src: http://192.168.2.44:3000/Mirror/munin-contrib/raw/branch/master/plugins/chrony/chrony
+    src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
   - name: systemd_status
-    src: http://192.168.2.44:3000/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_status
+    src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
   - name: systemd_mem
-    src: http://192.168.2.44:3000/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
+    src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
     config: |
       [systemd_mem]
       env.all_services true
   - name: lvm_
-    src: http://192.168.2.44:3000/mg/mirror-munin-contrib/raw/branch/master/plugins/disk/lvm_
+    src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/disk/lvm_
     config: |
       [lvm_*]
       user root
   - name: fail2ban
-    src: http://192.168.2.44:3000/mg/munin-plugins/raw/branch/master/extern/fail2ban
+    src: http://192.168.2.42:3000/mg/munin-plugins/raw/branch/master/extern/fail2ban
     config: |
       [fail2ban]
       env.client /usr/bin/fail2ban-client
       env.config_dir /etc/fail2ban
       user root
   - name: dnsresponse_192.168.2.1
-    src: http://192.168.2.44:3000/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
+    src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
   - name: dnsresponse_192.168.2.37
-    src: http://192.168.2.44:3000/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
+    src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
   - name: dnsresponse_127.0.0.1
-    src: http://192.168.2.44:3000/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
+    src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
     config: |
       [dnsresponse_*]
       env.site www.heise.de

group_vars/docker.yml

@@ -15,9 +15,6 @@ lvm_groups:
 manage_lvm: true
 pvresize_to_max: true
 
-### mgrote_restic
-restic_folders_to_backup: "/ /var/lib/docker" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben; https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files
-
 ### geerlingguy.pip
 pip_package: python3-pip
 pip_install_packages:
@@ -85,14 +82,14 @@ systemd_resolved_nameserver: 192.168.2.37
 munin_node_allowed_cidrs: [0.0.0.0/0] # weil der munin-server aus einem anderen subnet zugreift
 munin_node_plugins:
   - name: systemd_status
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_status
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
   - name: systemd_mem
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
     config: |
       [systemd_mem]
       env.all_services true
   - name: lvm_
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/disk/lvm_
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/disk/lvm_
     config: |
       [lvm_*]
       user root
@@ -104,23 +101,23 @@ munin_node_plugins:
       env.config_dir /etc/fail2ban
       user root
   - name: docker_containers
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/docker/docker_
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
     config: |
       [docker_*]
       user root
       env.DOCKER_HOST unix://run/docker.sock
   - name: docker_cpu
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/docker/docker_
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
   - name: docker_memory
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/docker/docker_
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
   - name: docker_network
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/docker/docker_
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
   - name: docker_volumes
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/docker/docker_
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
   - name: docker_volumesize
-    src: https://git.mgrote.net/Mirror/munin-contrib/raw/branch/master/plugins/docker/docker_volumesize
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_volumesize
   - name: chrony
-    src: https://git.mgrote.net/Mirror/munin-contrib/raw/branch/master/plugins/chrony/chrony
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
 
 ### oefenweb.ufw
 ufw_rules:

group_vars/fileserver.yml

@@ -34,11 +34,11 @@ smb_enable_snapshots_shadow: true
 ### mgrote_munin_node
 munin_node_plugins:
   - name: chrony
-    src: https://git.mgrote.net/Mirror/munin-contrib/raw/branch/master/plugins/chrony/chrony
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
   - name: systemd_status
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_status
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
   - name: systemd_mem
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
     config: |
       [systemd_mem]
       env.all_services true

group_vars/git.yml

@@ -0,0 +1,142 @@
+---
+### mrlesmithjr.ansible-manage-lvm
+lvm_groups:
+  - vgname: vg_data
+    disks:
+      - /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1
+    create: true
+    lvnames:
+      - lvname: lv_data
+        size: +100%FREE
+        create: true
+        filesystem: xfs
+        mount: true
+        mntp: /var/lib/gitea
+manage_lvm: true
+pvresize_to_max: true
+
+### mgrote_apt_manage_packages
+apt_packages_extra:
+  - fail2ban
+
+### geerlingguy_postgres
+postgresql_databases:
+  - name: "{{ gitea_db_name }}"
+postgresql_users:
+  - name: "{{ gitea_db_user }}"
+    password: "{{ gitea_db_password }}"
+
+### oefenweb.ufw
+ufw_rules:
+  - rule: allow
+    to_port: 22
+    protocol: tcp
+    comment: 'ssh'
+    from_ip: 0.0.0.0/0
+  - rule: allow
+    to_port: 4949
+    protocol: tcp
+    comment: 'munin'
+    from_ip: 192.168.2.0/24
+  - rule: allow
+    to_port: "{{ gitea_http_port }}"
+    protocol: tcp
+    comment: 'gitea'
+    from_ip: 0.0.0.0/0
+
+### ansible_role_gitea
+# https://git.mgrote.net/ansible-roles-mirrors/ansible_role_gitea
+gitea_fork: "forgejo"
+# gitea update
+gitea_version: "1.21.7-0" # alt zum renovate testen
+gitea_version_check: true
+gitea_backup_on_upgrade: false
+# gitea in the linux world
+gitea_group: "gitea"
+gitea_user: "gitea"
+gitea_home: "/var/lib/gitea"
+gitea_user_home: "{{ gitea_home }}"
+# config liegt in /etc/gitea/gitea.ini
+gitea_configuration_path: "/etc/gitea" # anpassen
+gitea_app_name: "forgejo"
+gitea_fqdn: "git.mgrote.net"
+# ssh
+gitea_ssh_port: 22 # assuming the host SSH server is running on port 22
+gitea_start_ssh: false # to not start the built-in SSH server
+gitea_shell: "/bin/bash"
+# Repository
+gitea_default_branch: "master"
+gitea_default_private: "public"
+gitea_repository_root: "{{ gitea_home }}/repos"
+# ui
+gitea_show_user_email: false
+# server
+gitea_protocol: "http"
+gitea_http_domain: "{{ gitea_fqdn }}"
+gitea_http_port: "3000"
+gitea_http_listen: "0.0.0.0"
+gitea_root_url: https://git.mgrote.net
+# database
+gitea_db_type: "postgres"
+gitea_db_host: "localhost"
+gitea_db_name: "gitea"
+gitea_db_user: "gitea"
+gitea_db_password: "{{ lookup('keepass', 'forgejo_db_password', 'password') }}"
+# indexer
+gitea_repo_indexer_enabled: true
+# security
+gitea_disable_webhooks: false
+gitea_password_check_pwn: false
+gitea_internal_token: "{{ lookup('keepass', 'forgejo_internal_token', 'password') }}"
+gitea_secret_key: "{{ lookup('keepass', 'forgejo_secret_key', 'password') }}"
+# service
+gitea_disable_registration: true
+gitea_register_email_confirm: true
+gitea_require_signin: false
+gitea_default_keep_mail_private: true
+gitea_enable_captcha: false
+gitea_show_registration_button: false
+gitea_enable_notify_mail: true
+gitea_default_user_visibility: "public"
+gitea_show_milestones_dashboard_page: false
+gitea_default_allow_create_organization: true
+gitea_default_org_visibility: "public"
+# Mailer
+gitea_mailer_enabled: true
+gitea_mailer_protocol: "smtp"
+gitea_mailer_smtp_addr: "docker10.mgrote.net"
+gitea_mailer_smtp_port: 1025
+gitea_mailer_from: "gitea@mgrote.net"
+gitea_subject_prefix: "git.mgrote.net - "
+# log
+gitea_log_systemd: true
+gitea_log_level: "Info"
+# Metrics
+gitea_metrics_enabled: false
+# Federation
+gitea_federation_enabled: false
+# Packages
+gitea_packages_enabled: false
+# actions
+gitea_actions_enabled: false
+gitea_extra_config: |
+  ; webhook: wird für drone benötigt, sonst wird der Webhook nicht "gesendet"
+  [webhook]
+  ALLOWED_HOST_LIST = *.mgrote.net
+  ; für Import/Migration aus anderen Git-Systemen
+  [migrations]
+  ALLOWED_DOMAINS = *
+# oauth2
+gitea_oauth2_jwt_secret: "{{ lookup('keepass', 'forgejo_oauth2_jwt_secret', 'password') }}"
+# Fail2Ban configuration
+gitea_fail2ban_enabled: true
+gitea_fail2ban_jail_maxretry: "3"
+gitea_fail2ban_jail_findtime: "300"
+gitea_fail2ban_jail_bantime: "600"
+gitea_fail2ban_jail_action: "iptables-allports"
+
+### mgrote_gitea_setup
+gitea_ldap_host: "ldap.mgrote.net"
+gitea_ldap_bind_pass: "{{ lookup('keepass', 'lldap_ldap_user_pass', 'password') }}"
+gitea_admin_user: "fadmin"
+gitea_admin_user_pass: "{{ lookup('keepass', 'forgejo_admin_user_pass', 'password') }}"

group_vars/gitea.yml

@@ -1,113 +0,0 @@
----
-### mrlesmithjr.ansible-manage-lvm
-lvm_groups:
-  - vgname: vg_gitea_data
-    disks:
-      - /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1
-    create: true
-    lvnames:
-      - lvname: lv_gitea_data
-        size: +100%FREE
-        create: true
-        filesystem: xfs
-        mount: true
-        mntp: /var/lib/gitea
-manage_lvm: true
-pvresize_to_max: true
-
-### mgrote_restic
-restic_folders_to_backup: "/ /var/lib/gitea" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben; https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files
-
-### mgrote_apt_manage_packages
-apt_packages_extra:
-  - fail2ban
-
-### oefenweb.ufw
-ufw_rules:
-  - rule: allow
-    to_port: 22
-    protocol: tcp
-    comment: 'ssh'
-    from_ip: 0.0.0.0/0
-  - rule: allow
-    to_port: 4949
-    protocol: tcp
-    comment: 'munin'
-    from_ip: 192.168.2.0/24
-  - rule: allow
-    to_port: "{{ gitea_http_port }}"
-    protocol: tcp
-    comment: 'gitea'
-    from_ip: 0.0.0.0/0
-  - rule: allow
-    to_port: "{{ gitea_ssh_port }}"
-    protocol: tcp
-    comment: 'gitea'
-    from_ip: 0.0.0.0/0
-
-### l3d.gitea
-# config liegt in /etc/gitea/gitea.ini
-gitea_version: "1.21.7-0"
-gitea_fork: "forgejo"
-gitea_app_name: "Gitea"
-gitea_user: "gitea"
-gitea_home: "/var/lib/gitea"
-gitea_repository_root: "{{ gitea_home }}"
-gitea_user_repo_limit: 300
-gitea_root_url: https://git.mgrote.net
-gitea_offline_mode: true
-gitea_lfs_server_enabled: false
-gitea_secret_key: "{{ lookup('keepass', 'gitea_secret_key', 'password') }}"
-gitea_internal_token: "{{ lookup('keepass', 'gitea_internal_token', 'password') }}"
-gitea_disable_git_hooks: false
-gitea_show_user_email: false
-gitea_disable_gravatar: true
-gitea_enable_captcha: true
-gitea_only_allow_external_registration: false
-gitea_enable_notify_mail: true
-gitea_autowatch_on_change: true
-gitea_force_private: false
-gitea_oauth2_enabled: true
-gitea_repo_indexer_enabled: true
-
-gitea_mailer_enabled: true
-gitea_mailer_protocol: smtp
-gitea_mailer_smtp_addr: docker10.mgrote.net
-gitea_mailer_smtp_port: 1025
-gitea_mailer_from: "gitea@mgrote.net"
-
-gitea_default_branch: 'master'
-
-gitea_db_type: sqlite3
-gitea_db_path: "{{ gitea_home }}/data/gitea.db" # for sqlite3
-
-gitea_ssh_listen: 0.0.0.0
-gitea_ssh_domain: gitea.mgrote.net
-gitea_ssh_port: 2222
-gitea_start_ssh: true
-
-gitea_http_domain: git.mgrote.net
-gitea_http_listen: 0.0.0.0
-gitea_http_port: 3000
-gitea_disable_http_git: false
-gitea_protocol: http
-
-gitea_show_registration_button: false
-gitea_require_signin: false
-gitea_disable_registration: true
-
-gitea_fail2ban_enabled: true
-gitea_fail2ban_jail_maxretry: 3
-gitea_fail2ban_jail_findtime: 300
-gitea_fail2ban_jail_bantime: 600
-# wird für drone benötigt, sonst wird der Webhook nicht "gesendet"
-gitea_extra_config: |
-  [webhook]
-  ALLOWED_HOST_LIST = *.mgrote.net
-
-gitea_backup_on_upgrade: false
-gitea_backup_location: "{{ gitea_home }}/backups/"
-
-submodules_versioncheck: true
-gitea_log_systemd: true
-gitea_log_level: "Info"

group_vars/ldap.yml

@@ -0,0 +1,58 @@
+---
+### geerlingguy_postgres
+postgresql_databases:
+  - name: "{{ lldap_db_name }}"
+postgresql_users:
+  - name: "{{ lldap_db_user }}"
+    password: "{{ lldap_db_pass }}"
+
+### oefenweb.ufw
+ufw_rules:
+  - rule: allow
+    to_port: 22
+    protocol: tcp
+    comment: 'ssh'
+    from_ip: 0.0.0.0/0
+  - rule: allow
+    to_port: 4949
+    protocol: tcp
+    comment: 'munin'
+    from_ip: 192.168.2.0/24
+  - rule: allow
+    to_port: "{{ lldap_http_port }}"
+    protocol: tcp
+    comment: 'lldap'
+    from_ip: 192.168.2.0/24
+  - rule: allow
+    to_port: 3890
+    protocol: tcp
+    comment: 'lldap'
+    from_ip: 192.168.2.0/24
+
+### mgrote_lldap
+lldap_package_url: "https://download.opensuse.org/repositories/home:/Masgalor:/LLDAP/xUbuntu_22.04/amd64/lldap_0.5.0-1+3.1_amd64.deb"
+lldap_logging_verbose: "true" # must be a string not a boolean
+lldap_http_port: 17170
+lldap_http_host: "0.0.0.0"
+lldap_ldap_host: "0.0.0.0"
+lldap_public_url: http://localhost
+lldap_jwt_secret: "{{ lookup('keepass', 'lldap_jwt_secret', 'password') }}"
+lldap_ldap_base_dn: "dc=mgrote,dc=net"
+lldap_admin_username: ladmin # only used on setup
+lldap_admin_password: "{{ lookup('keepass', 'lldap_ldap_user_pass', 'password') }}" # only used on setup; also bind-secret
+lldap_admin_mailaddress: lldap-admin@mgrote.net # only used on setup
+lldap_database_url: "postgres://{{ lldap_db_user }}:{{ lldap_db_pass }}@{{ lldap_db_host }}/{{ lldap_db_name }}"
+lldap_key_seed: "{{ lookup('keepass', 'lldap_key_seed', 'password') }}"
+lldap_smtp_from: "LLDAP Admin <info@mgrote.net>"
+lldap_smtp_reply_to: "Do not reply <info@mgrote.net>"
+lldap_smtp_server: "docker10.mgrote.net"
+lldap_smtp_port: "1025"
+lldap_smtp_smtp_encryption: "NONE"
+lldap_smtp_user: "info@mgrote.net"
+lldap_smtp_enable_password_reset: "true" # must be a string not a boolean
+# "meta vars"; daraus werden die db-url und die postgres-db abgeleitet
+lldap_db_name: "lldap"
+lldap_db_user: "lldap"
+lldap_db_pass: "{{ lookup('keepass', 'lldap_db_pass', 'password') }}"
+lldap_db_host: "localhost"
+...

group_vars/pbs.yml

@@ -5,9 +5,6 @@ netplan_configure: false
 ### mgrote_postfix
 postfix_erlaubte_netzwerke: "127.0.0.0/8 192.168.2.0/24 192.168.3.0/24"
 
-### mgrote_restic
-restic_folders_to_backup: "/ /etc/proxmox-backup"
-
 ### mgrote_user
 users:
   - username: root
@@ -37,11 +34,11 @@ users:
 ### mgrote_munin_node
 munin_node_plugins:
   - name: chrony
-    src: https://git.mgrote.net/Mirror/munin-contrib/raw/branch/master/plugins/chrony/chrony
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
   - name: systemd_status
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_status
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
   - name: systemd_mem
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
     config: |
       [systemd_mem]
       env.all_services true
@@ -53,22 +50,22 @@ munin_node_plugins:
       env.config_dir /etc/fail2ban
       user root
   - name: zfs_arcstats
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zfs_arcstats
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfs_arcstats
   - name: zfsonlinux_stats_
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zfsonlinux_stats_
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfsonlinux_stats_
   - name: zpool_iostat
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zpool_iostat
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zpool_iostat
   - name: zfs_list
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zfs_list
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfs_list
     config: |
       [zfs_list]
       env.ignore_datasets_pattern autodaily
   - name: zfs_count
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zfs_pool_dataset_count
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfs_pool_dataset_count
   - name: zpool_iostat
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zpool_iostat
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zpool_iostat
   - name: zpool_capacity
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zpool_capacity
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zpool_capacity
 munin_node_disabled_plugins:
   - meminfo # zu hohe last
   - hddtemp2 # ersetzt durch hddtemp_smartctl

group_vars/pve.yml

@@ -2,9 +2,6 @@
 ### mgrote_netplan
 netplan_configure: false
 
-### mgrote_restic
-restic_folders_to_backup: "/ /etc/pve"
-
 ### mgrote_user
 users:
   - username: root
@@ -42,11 +39,11 @@ apt_packages_extra:
 ### mgrote_munin_node
 munin_node_plugins:
   - name: chrony
-    src: https://git.mgrote.net/Mirror/munin-contrib/raw/branch/master/plugins/chrony/chrony
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
   - name: systemd_status
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_status
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
   - name: systemd_mem
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
     config: |
       [systemd_mem]
       env.all_services true
@@ -58,39 +55,39 @@ munin_node_plugins:
       env.config_dir /etc/fail2ban
       user root
   - name: zfs_arcstats
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zfs_arcstats
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfs_arcstats
   - name: zfsonlinux_stats_
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zfsonlinux_stats_
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfsonlinux_stats_
   - name: zpool_iostat
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zpool_iostat
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zpool_iostat
   - name: zfs_list
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zfs_list
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfs_list
     config: |
       [zfs_list]
       env.ignore_datasets_pattern autodaily
   - name: zpool_capacity
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zpool_capacity
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zpool_capacity
   - name: kvm_mem
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/libvirt/kvm_mem
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/libvirt/kvm_mem
   - name: kvm_net
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/libvirt/kvm_net
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/libvirt/kvm_net
   - name: kvm_io
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/libvirt/kvm_io
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/libvirt/kvm_io
     config: |
       [kvm_io]
       user root
   - name: kvm_cpu
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/libvirt/kvm_cpu
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/libvirt/kvm_cpu
   - name: proxmox_count
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/proxmox/proxmox_vm_count
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/proxmox/proxmox_vm_count
     config: |
       [proxmox_count]
       user root
       group root
   - name: zfs_count
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zfs_pool_dataset_count
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfs_pool_dataset_count
   - name: ksm_
-    src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/system/kernel_same_page_merging
+    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/system/kernel_same_page_merging
 munin_node_disabled_plugins:
   - meminfo # zu hohe last
   - hddtemp2 # ersetzt durch hddtemp_smartctl

host_vars/docker10.mgrote.net.yml

@@ -15,11 +15,11 @@ lvm_groups:
 manage_lvm: true
 pvresize_to_max: true
 
-### mgrote_mount_cifs
+### mgrote_mount_cifs #  löschen
 cifs_mounts:
   - name: bilder
     type: cifs
-    state: present
+    state: absent
     dest: /mnt/fileserver3_photoprism_bilder_ro
     src: //fileserver3.mgrote.net/bilder
     user: photoprism
@@ -29,9 +29,6 @@ cifs_mounts:
     gid: 5000
     extra_opts: ",ro" # komma am Anfang ist notwendig weil die Option hinten angehangen wird
 
-### mgrote_restic
-restic_folders_to_backup: "/ /var/lib/docker /mnt/oci-registry" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben
-
 ### mgrote_docker-compose-inline
 compose_owner: "docker-user"
 compose_group: "docker-user"
@@ -59,8 +56,6 @@ compose_files:
   - name: navidrome
     state: present
     network: traefik
-  - name: watchtower
-    state: absent
   - name: routeros-config-export
     state: present
   - name: mail-relay
@@ -72,8 +67,6 @@ compose_files:
   - name: wiki
     state: present
     network: traefik
-  - name: statping-ng
-    state: absent
 
 ### oefenweb.ufw
 ufw_rules:

host_vars/fileserver3.mgrote.net.yml

@@ -55,8 +55,6 @@ smb_users:
     password: "{{ lookup('keepass', 'fileserver_smb_user_pve', 'password') }}"
   - name: 'brother_ads2700w'
     password: "{{ lookup('keepass', 'fileserver_smb_user_brother_ads2700w', 'password') }}"
-  - name: 'photoprism'
-    password: "{{ lookup('keepass', 'fileserver_smb_user_photoprism', 'password') }}"
 
 smb_shares:
   - name: 'videos'
@@ -89,7 +87,7 @@ smb_shares:
     users_rw: 'kodi win10 michaelgrote'
   - name: 'bilder'
     path: '/shares_bilder'
-    users_ro: 'photoprism'
+    users_ro: ''
     users_rw: ' michaelgrote win10'
   - name: 'proxmox'
     path: '/shares_pve_backup'
@@ -98,7 +96,7 @@ smb_shares:
   - name: 'restic'
     path: '/shares_restic'
     users_ro: ''
-    users_rw: ' restic win10 michaelgrote'
+    users_rw: 'restic win10 michaelgrote'
   - name: 'buecher'
     path: '/shares_buecher'
     users_ro: ''

inventory

@@ -6,6 +6,9 @@ all:
     blocky:
       hosts:
         blocky.mgrote.net:
+    ldap:
+      hosts:
+        ldap.mgrote.net:
     lxc:
       hosts:
         fileserver3.mgrote.net:
@@ -32,19 +35,20 @@ all:
       hosts:
         pve5.mgrote.net:
         pbs.mgrote.net:
-    gitea:
+    git:
       hosts:
-        gitea.mgrote.net:
+        forgejo.mgrote.net:
 
     production:
       hosts:
         fileserver3.mgrote.net:
         ansible2.mgrote.net:
         pve5.mgrote.net:
-        gitea.mgrote.net:
+        forgejo.mgrote.net:
         docker10.mgrote.net:
         pbs.mgrote.net:
         blocky.mgrote.net:
+        ldap.mgrote.net:
     test:
       hosts:
         vm-test-2204.mgrote.net:

playbooks/1_bootstrap.yml

@@ -2,7 +2,7 @@
 - hosts: all
   gather_facts: false
   roles:
-    - role: robertdebock-ansible-role-bootstrap
+    - role: ansible-role-bootstrap
       tags: "bootstrap"
       become: true
     - role: mgrote_apt_manage_sources

playbooks/3_service/ansible.yml

@@ -1,4 +1,6 @@
 ---
 - hosts: ansible
   roles:
-    - { role: geerlingguy-ansible-role-pip, tags: "pip", become: true }
+    - role: ansible-role-pip
+      tags: "pip"
+      become: true

playbooks/3_service/blocky.yml

@@ -1,5 +1,7 @@
 ---
 - hosts: blocky
   roles:
-    - { role: mgrote_systemd_resolved, tags: "resolved" }
-    - { role: mgrote_blocky, tags: "blocky" }
+    - role: mgrote_systemd_resolved
+      tags: "resolved"
+    - role: mgrote_blocky
+      tags: "blocky"

playbooks/3_service/docker.yml

@@ -1,10 +1,21 @@
 ---
 - hosts: docker
   roles:
-    - { role: mgrote_systemd_resolved, tags: "dns", become: true }
-    - { role: mgrote_mount_cifs, tags: "cifs", become: true }
-    - { role: geerlingguy-ansible-role-pip, tags: "pip", become: true }
-    - { role: geerlingguy-ansible-role-docker, tags: "docker", become: true }
-    - { role: gantsign-ansible-role-ctop, tags: "ctop", become: true }
-    - { role: mgrote_set_permissions, tags: "perm", become: true }
-    - { role: mgrote_docker_compose_inline, tags: "compose", become: true }
+    - role: mgrote_systemd_resolved
+      tags: "dns"
+      become: true
+    - role: ansible-role-pip
+      tags: "pip"
+      become: true
+    - role: ansible-role-docker
+      tags: "docker"
+      become: true
+    - role: ansible_role_ctop
+      tags: "ctop"
+      become: true
+    - role: mgrote_set_permissions
+      tags: "perm"
+      become: true
+    - role: mgrote_docker_compose_inline
+      tags: "compose"
+      become: true

playbooks/3_service/fileserver.yml

@@ -6,6 +6,9 @@
 ---
 - hosts: fileserver
   roles:
-    - { role: mgrote_fileserver_smb, tags: "smb" }
-    - { role: mgrote_youtubedl, tags: "youtubedl" }
-    - { role: mgrote_disable_oom_killer, tags: "oom" }
+    - role: mgrote_fileserver_smb
+      tags: "smb"
+    - role: mgrote_youtubedl
+      tags: "youtubedl"
+    - role: mgrote_disable_oom_killer
+      tags: "oom"

playbooks/3_service/git.yml

@@ -0,0 +1,12 @@
+---
+- hosts: git
+  roles:
+    - role: ansible-role-postgresql
+      tags: "db"
+      become: true
+    - role: ansible_role_gitea
+      tags: "gitea"
+      become: true
+    - role: mgrote_gitea_setup
+      tags: "setup"
+      become: true

playbooks/3_service/gitea.yml

@@ -1,4 +0,0 @@
----
-- hosts: gitea
-  roles:
-    - { role: pyratlabs-ansible-role-gitea, tags: "gitea", become: true }

playbooks/3_service/lldap.yml

@@ -0,0 +1,9 @@
+---
+- hosts: ldap
+  roles:
+    - role: ansible-role-postgresql
+      tags: "db"
+      become: true
+    - role: mgrote_lldap
+      tags: "lldap"
+      become: true

playbooks/3_service/pbs.yml

@@ -1,12 +1,21 @@
 ---
 - hosts: pbs
   roles:
-    - { role: mgrote_zfs_packages, tags: "zfs_packages" }
-    - { role: mgrote_zfs_arc_mem, tags: "zfs_arc_mem" }
-    - { role: mgrote_zfs_manage_datasets, tags: "datasets" }
-    - { role: mgrote_zfs_scrub, tags: "zfs_scrub" }
-    - { role: mgrote_zfs_zed, tags: "zfs_zed" }
-    - { role: mgrote_zfs_sanoid, tags: "sanoid" }
-    - { role: mgrote_smart, tags: "smart" }
-    - { role: mgrote_pbs_users, tags: "pbs_users" }
-    - { role: mgrote_pbs_datastores, tags: "pbs_datastores" }
+    - role: mgrote_zfs_packages
+      tags: "zfs_packages"
+    - role: mgrote_zfs_arc_mem
+      tags: "zfs_arc_mem"
+    - role: mgrote_zfs_manage_datasets
+      tags: "datasets"
+    - role: mgrote_zfs_scrub
+      tags: "zfs_scrub"
+    - role: mgrote_zfs_zed
+      tags: "zfs_zed"
+    - role: mgrote_zfs_sanoid
+      tags: "sanoid"
+    - role: mgrote_smart
+      tags: "smart"
+    - role: mgrote_pbs_users
+      tags: "pbs_users"
+    - role: mgrote_pbs_datastores
+      tags: "pbs_datastores"

playbooks/3_service/pve.yml

@@ -1,14 +1,25 @@
 ---
 - hosts: pve
   roles:
-    - { role: mgrote_zfs_packages, tags: "zfs_packages" }
-    - { role: mgrote_zfs_arc_mem, tags: "zfs_arc_mem" }
-    - { role: mgrote_zfs_manage_datasets, tags: "datasets" }
-    - { role: mgrote_zfs_scrub, tags: "zfs_scrub" }
-    - { role: mgrote_zfs_zed, tags: "zfs_zed" }
-    - { role: mgrote_zfs_sanoid, tags: "sanoid" }
-    - { role: mgrote_smart, tags: "smart" }
-    - { role: mgrote_cv4pve_autosnap, tags: "cv4pve" }
-    - { role: mgrote_proxmox_bind_mounts, tags: "bindmounts" }
-    - { role: mgrote_proxmox_lxc_profiles, tags: "lxc-profile" }
-    - { role: mgrote_pbs_pve_integration, tags: "pbs" }
+    - role: mgrote_zfs_packages
+      tags: "zfs_packages"
+    - role: mgrote_zfs_arc_mem
+      tags: "zfs_arc_mem"
+    - role: mgrote_zfs_manage_datasets
+      tags: "datasets"
+    - role: mgrote_zfs_scrub
+      tags: "zfs_scrub"
+    - role: mgrote_zfs_zed
+      tags: "zfs_zed"
+    - role: mgrote_zfs_sanoid
+      tags: "sanoid"
+    - role: mgrote_smart
+      tags: "smart"
+    - role: mgrote_cv4pve_autosnap
+      tags: "cv4pve"
+    - role: mgrote_proxmox_bind_mounts
+      tags: "bindmounts"
+    - role: mgrote_proxmox_lxc_profiles
+      tags: "lxc-profile"
+    - role: mgrote_pbs_pve_integration
+      tags: "pbs"

playbooks/base/packages.yml

@@ -5,14 +5,12 @@
       tags: "apt_sources"
     - role: mgrote_apt_manage_packages
       tags: "install"
-    - role: mgrote_exa
-      tags: "exa"
     - role: mgrote_remove_snapd
       become: true
       tags: "snapd"
     - role: mgrote_apt_update_packages
       tags: "updates"
-    - role: hifis-net-ansible-role-unattended-upgrades
+    - role: ansible-role-unattended-upgrades
       become: true
       tags: unattended
       when: "ansible_facts['distribution'] == 'Ubuntu'"

playbooks/base/system.yml

@@ -13,11 +13,11 @@
       become: true
       tags: fwupd
       when: "ansible_facts['distribution'] == 'Ubuntu'"
-    - role: mrlesmithjr-ansible-manage-lvm
+    - role: ansible-manage-lvm
       tags: "lvm"
       become: true
       when: manage_lvm == true and manage_lvm is defined
-      # $manage_lvm gehört zu dieser Rolle, wird aber extra abgefragt um das PLaybook zu "aktivieren"
+      # $manage_lvm gehört zu dieser Rolle, wird aber extra abgefragt um das Playbook zu "aktivieren"
     - role: mgrote_ssh
       tags: "ssh"
     - role: mgrote_netplan

playbooks/base/ufw.yml

@@ -1,6 +1,6 @@
 ---
 - hosts: all:!pve:!pbs
   roles:
-    - { role: oefenweb-ansible-ufw, # Regeln werden in den Group/Host-Vars gesetzt
-        tags: "ufw",
-        become: true}
+    - role: ansible-ufw # Regeln werden in den Group/Host-Vars gesetzt
+      tags: ufw
+      become: true

playbooks/base/users.yml

@@ -2,9 +2,9 @@
 - hosts: all
   roles:
     - role: mgrote_users
-      tags: "user"
+      tags: users
       become: true
     - role: mgrote_user_setup
       tags:
-        - "user_setup"
+        - user_setup
         - dotfiles

requirements.yml

@@ -4,21 +4,23 @@ collections:
   - git+https://git.mgrote.net/ansible-collections-mirrors/ansible.posix
   - git+https://git.mgrote.net/ansible-collections-mirrors/community.docker
 roles:
-  - src: https://git.mgrote.net/ansible-roles-mirrors/robertdebock-ansible-role-bootstrap
+  - src: https://git.mgrote.net/ansible-roles-mirrors/ansible-role-bootstrap
     scm: git
-  - src: https://git.mgrote.net/ansible-roles-mirrors/oefenweb-ansible-ufw
+  - src: https://git.mgrote.net/ansible-roles-mirrors/ansible-ufw
     scm: git
-  - src: https://git.mgrote.net/ansible-roles-mirrors/mrlesmithjr-ansible-manage-lvm
+  - src: https://git.mgrote.net/ansible-roles-mirrors/ansible-manage-lvm
     scm: git
-  - src: https://git.mgrote.net/ansible-roles-mirrors/hifis-net-ansible-role-unattended-upgrades
+  - src: https://git.mgrote.net/ansible-roles-mirrors/ansible-role-unattended-upgrades
     scm: git
-  - src: https://git.mgrote.net/ansible-roles-mirrors/geerlingguy-ansible-role-pip
+  - src: https://git.mgrote.net/ansible-roles-mirrors/ansible-role-pip
     scm: git
-  - src: https://git.mgrote.net/ansible-roles-mirrors/geerlingguy-ansible-role-nfs
+  - src: https://git.mgrote.net/ansible-roles-mirrors/ansible-role-nfs
     scm: git
-  - src: https://git.mgrote.net/ansible-roles-mirrors/geerlingguy-ansible-role-docker
+  - src: https://git.mgrote.net/ansible-roles-mirrors/ansible-role-docker
     scm: git
-  - src: https://git.mgrote.net/ansible-roles-mirrors/gantsign-ansible-role-ctop
+  - src: https://git.mgrote.net/ansible-roles-mirrors/ansible_role_ctop
     scm: git
-  - src: https://git.mgrote.net/ansible-roles-mirrors/pyratlabs-ansible-role-gitea
+  - src: https://git.mgrote.net/ansible-roles-mirrors/ansible_role_gitea
+    scm: git
+  - src: https://git.mgrote.net/ansible-roles-mirrors/ansible-role-postgresql
     scm: git

roles/mgrote_gitea_setup/tasks/admin.yml

@@ -0,0 +1,22 @@
+---
+# die Variablen kommen aus
+# - https://docs.gitea.com/administration/command-line
+# - https://github.com/lldap/lldap/blob/main/example_configs/gitea.md
+# und
+# den jeweiligen group/host-Vars!
+- name: Ensure Admin-User exists
+  no_log: true
+  become_user: gitea
+  become: true
+  ansible.builtin.command: |
+    forgejo admin user create \
+      --config /etc/gitea/gitea.ini
+      --username "{{ gitea_admin_user }}" \
+      --password "{{ gitea_admin_user_pass }}" \
+      --email "{{ gitea_admin_user }}@mgrote.net" \
+      --admin
+  register: setup_admin
+  ignore_errors: true
+  failed_when: 'not "Command error: CreateUser: user already exists [name: mg]" in setup_admin.stderr' # fail Task wenn LDAP schon konfiguriert ist
+  changed_when: "setup_admin.rc == 0" # chnaged nur wenn Task rc 0 hat, sollte nur beim ersten lauf vorkommen; ungetestet
+...

roles/mgrote_gitea_setup/tasks/ldap.yml

@@ -0,0 +1,56 @@
+---
+# die Variablen kommen aus
+# - https://docs.gitea.com/administration/command-line
+# - https://github.com/lldap/lldap/blob/main/example_configs/gitea.md
+# und
+# den jeweiligen group/host-Vars!
+- name: Ensure LDAP config is set up
+  no_log: true
+  become_user: gitea
+  become: true
+  ansible.builtin.command: |
+    forgejo admin auth add-ldap \
+      --config "{{ gitea_configuration_path }}/gitea.ini" \
+      --name "lldap" \
+      --security-protocol "unencrypted" \
+      --host "{{ gitea_ldap_host }}" \
+      --port "3890" \
+      --bind-dn "uid=ladmin,ou=people,dc=mgrote,dc=net" \
+      --bind-password "{{ gitea_ldap_bind_pass }}" \
+      --user-search-base "ou=people,dc=mgrote,dc=net" \
+      --user-filter "(&(memberof=cn=gitea,ou=groups,dc=mgrote,dc=net)(|(uid=%[1]s)(mail=%[1]s)))" \
+      --username-attribute "uid" \
+      --email-attribute "mail" \
+      --firstname-attribute "givenName" \
+      --surname-attribute "sn" \
+      --avatar-attribute "jpegPhoto" \
+      --synchronize-users
+  register: setup
+  ignore_errors: true
+  failed_when: 'not "Command error: login source already exists [name: lldap]" in setup.stderr' # fail Task wenn LDAP schon konfiguriert ist
+  changed_when: "setup.rc == 0" # chnaged nur wenn Task rc 0 hat, sollte nur beim ersten lauf vorkommen; ungetestet
+
+- name: Modify LDAP config
+  no_log: true
+  become_user: gitea
+  become: true
+  ansible.builtin.command: |
+    forgejo admin auth update-ldap \
+      --config "{{ gitea_configuration_path }}/gitea.ini" \
+      --id "1" \
+      --security-protocol "unencrypted" \
+      --host "{{ gitea_ldap_host }}" \
+      --port "3890" \
+      --bind-dn "uid=ladmin,ou=people,dc=mgrote,dc=net" \
+      --bind-password "{{ gitea_ldap_bind_pass }}" \
+      --user-search-base "ou=people,dc=mgrote,dc=net" \
+      --user-filter "(&(memberof=cn=gitea,ou=groups,dc=mgrote,dc=net)(|(uid=%[1]s)(mail=%[1]s)))" \
+      --username-attribute "uid" \
+      --email-attribute "mail" \
+      --firstname-attribute "givenName" \
+      --surname-attribute "sn" \
+      --avatar-attribute "jpegPhoto" \
+      --synchronize-users
+  when: '"Command error: login source already exists [name: lldap]" in setup.stderr' # führe nur aus wenn erster Task fehlgeschlagen ist
+  changed_when: false # keine idee wie ich changed feststellen kann
+...

roles/mgrote_gitea_setup/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+- name: Include LDAP tasks
+  ansible.builtin.include_tasks: ldap.yml
+
+- name: Include User tasks
+  ansible.builtin.include_tasks: admin.yml
+...

roles/mgrote_lldap/defaults/main.yml

@@ -0,0 +1,21 @@
+---
+lldap_package_url: "https://download.opensuse.org/repositories/home:/Masgalor:/LLDAP/xUbuntu_22.04/amd64/lldap_0.5.0-1+3.1_amd64.deb"
+lldap_logging_verbose: "false"
+lldap_http_port: "17170"
+lldap_http_host: "0.0.0.0"
+lldap_ldap_host: "0.0.0.0"
+lldap_public_url: http://localhost
+lldap_jwt_secret: supersecret
+lldap_ldap_base_dn: "dc=example,dc=com"
+lldap_admin_username: ladmin # only used on setup
+lldap_admin_password: supersecret # also bind-secret; only used on setup
+lldap_admin_mailaddress: lldap-admin@mgrote.net # only used on setup
+lldap_database_url: "postgres://postgres-user:password@postgres-server/my-database"
+lldap_key_seed: supersecretseed
+lldap_smtp_from: "LLDAP Admin <info@mgrote.net>"
+lldap_smtp_reply_to: "Do not reply <info@mgrote.net>"
+lldap_smtp_server: "mail.domain.net"
+lldap_smtp_port: "25"
+lldap_smtp_smtp_encryption: "NONE"
+lldap_smtp_user: "info@mgrote.net"
+lldap_smtp_enable_password_reset: "true"

roles/mgrote_lldap/handlers/main.yml

@@ -0,0 +1,9 @@
+---
+- name: Ensure services are enabled and started
+  become: true
+  ansible.builtin.systemd:
+    name: lldap.service
+    masked: false
+    enabled: true
+    state: started
+...

roles/mgrote_lldap/tasks/main.yml

@@ -0,0 +1,27 @@
+---
+- name: Ensure package is installed
+  ansible.builtin.apt:
+    deb: "{{ lldap_package_url }}"
+  notify: Ensure services are enabled and started
+
+- name: Ensure needed directories exist
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: lldap
+    group: lldap
+    mode: '0755'
+  loop:
+    - /usr/share/lldap/app/static/fonts
+    - /usr/share/lldap/app/static
+    - /usr/share/lldap/app/pkg
+
+- name: Ensure config is templated
+  ansible.builtin.template:
+    src: lldap_config.toml.j2
+    dest: /etc/lldap/lldap_config.toml
+    owner: lldap
+    group: lldap
+    mode: "0644"
+  notify: Ensure services are enabled and started
+...

roles/mgrote_lldap/templates/lldap_config.toml.j2

@@ -0,0 +1,144 @@
+{{ file_header | default () }}
+## Tune the logging to be more verbose by setting this to be true.
+## You can set it with the LLDAP_VERBOSE environment variable.
+verbose={{ lldap_logging_verbose }}
+
+## The host address that the LDAP server will be bound to.
+## To enable IPv6 support, simply switch "ldap_host" to "::":
+## To only allow connections from localhost (if you want to restrict to local self-hosted services),
+## change it to "127.0.0.1" ("::1" in case of IPv6)".
+ldap_host = "{{ lldap_ldap_host }}"
+
+## The port on which to have the LDAP server.
+#ldap_port = 3890
+
+## The host address that the HTTP server will be bound to.
+## To enable IPv6 support, simply switch "http_host" to "::".
+## To only allow connections from localhost (if you want to restrict to local self-hosted services),
+## change it to "127.0.0.1" ("::1" in case of IPv6)".
+http_host = "{{ lldap_http_host }}"
+
+## The port on which to have the HTTP server, for user login and
+## administration.
+http_port = {{ lldap_http_port }}
+
+## The public URL of the server, for password reset links.
+http_url = "{{ lldap_public_url }}"
+
+## Random secret for JWT signature.
+## This secret should be random, and should be shared with application
+## servers that need to consume the JWTs.
+## Changing this secret will invalidate all user sessions and require
+## them to re-login.
+## You should probably set it through the LLDAP_JWT_SECRET environment
+## variable from a secret ".env" file.
+## This can also be set from a file's contents by specifying the file path
+## in the LLDAP_JWT_SECRET_FILE environment variable
+## You can generate it with (on linux):
+## LC_ALL=C tr -dc 'A-Za-z0-9!#%&'\''()*+,-./:;<=>?@[\]^_{|}~' </dev/urandom | head -c 32; echo ''
+jwt_secret = "{{ lldap_jwt_secret }}"
+
+## Base DN for LDAP.
+## This is usually your domain name, and is used as a
+## namespace for your users. The choice is arbitrary, but will be needed
+## to configure the LDAP integration with other services.
+## The sample value is for "example.com", but you can extend it with as
+## many "dc" as you want, and you don't actually need to own the domain
+## name.
+ldap_base_dn = "{{ lldap_ldap_base_dn }}"
+
+## Admin username.
+## For the LDAP interface, a value of "admin" here will create the LDAP
+## user "cn=admin,ou=people,dc=example,dc=com" (with the base DN above).
+## For the administration interface, this is the username.
+ldap_user_dn = "{{ lldap_admin_username }}"
+
+## Admin email.
+## Email for the admin account. It is only used when initially creating
+## the admin user, and can safely be omitted.
+ldap_user_email = "{{ lldap_admin_mailaddress }}"
+
+## Admin password.
+## Password for the admin account, both for the LDAP bind and for the
+## administration interface. It is only used when initially creating
+## the admin user.
+## It should be minimum 8 characters long.
+## You can set it with the LLDAP_LDAP_USER_PASS environment variable.
+## This can also be set from a file's contents by specifying the file path
+## in the LLDAP_LDAP_USER_PASS_FILE environment variable
+## Note: you can create another admin user for user administration, this
+## is just the default one.
+ldap_user_pass = "{{ lldap_admin_password }}"
+
+## Database URL.
+## This encodes the type of database (SQlite, MySQL, or PostgreSQL)
+## , the path, the user, password, and sometimes the mode (when
+## relevant).
+## Note: SQlite should come with "?mode=rwc" to create the DB
+## if not present.
+## Example URLs:
+##  - "postgres://postgres-user:password@postgres-server/my-database"
+##  - "mysql://mysql-user:password@mysql-server/my-database"
+##
+## This can be overridden with the LLDAP_DATABASE_URL env variable.
+database_url = "{{ lldap_database_url }}"
+
+## Private key file.
+## Contains the secret private key used to store the passwords safely.
+## Note that even with a database dump and the private key, an attacker
+## would still have to perform an (expensive) brute force attack to find
+## each password.
+## Randomly generated on first run if it doesn't exist.
+## Alternatively, you can use key_seed to override this instead of relying on
+## a file.
+## Env variable: LLDAP_KEY_FILE
+key_file = "/var/lib/lldap/private_key"
+
+## Seed to generate the server private key, see key_file above.
+## This can be any random string, the recommendation is that it's at least 12
+## characters long.
+## Env variable: LLDAP_KEY_SEED
+key_seed = "{{ lldap_key_seed }}"
+
+## Ignored attributes.
+## Some services will request attributes that are not present in LLDAP. When it
+## is the case, LLDAP will warn about the attribute being unknown. If you want
+## to ignore the attribute and the service works without, you can add it to this
+## list to silence the warning.
+#ignored_user_attributes = [ "sAMAccountName" ]
+#ignored_group_attributes = [ "mail", "userPrincipalName" ]
+
+## Options to configure SMTP parameters, to send password reset emails.
+## To set these options from environment variables, use the following format
+## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD
+[smtp_options]
+## Whether to enabled password reset via email, from LLDAP.
+enable_password_reset={{ lldap_smtp_enable_password_reset }}
+## The SMTP server.
+server="{{ lldap_smtp_server }}"
+## The SMTP port.
+port={{ lldap_smtp_port }}
+## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS".
+smtp_encryption = "{{ lldap_smtp_smtp_encryption }}"
+## The SMTP user, usually your email address.
+user="{{ lldap_smtp_user }}"
+## The SMTP password.
+#password="password" #gitleaks:allow
+## The header field, optional: how the sender appears in the email. The first
+## is a free-form name, followed by an email between <>.
+from="{{ lldap_smtp_from }}"
+## Same for reply-to, optional.
+reply_to="{{ lldap_smtp_reply_to }}"
+
+## Options to configure LDAPS.
+## To set these options from environment variables, use the following format
+## (example with "port"): LLDAP_LDAPS_OPTIONS__PORT
+[ldaps_options]
+## Whether to enable LDAPS.
+#enabled=true
+## Port on which to listen.
+#port=6360
+## Certificate file.
+#cert_file="/data/cert.pem"
+## Certificate key file.
+#key_file="/data/key.pem"

roles/mgrote_munin_node/defaults/main.yml

@@ -22,7 +22,7 @@ munin_plugin_dest_path: /etc/munin/plugins/
 munin_plugin_conf_dest_path: /etc/munin/plugin-conf.d/
 #  munin_node_plugins: #plugins to install
 #    - name: docker_volumes # name
-#      src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/docker/docker_ #src
+#      src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_ #src
 #      config_file_name: /etc/munin/plugin-conf.d/docker # where to put plugin config
     # content of config
 #      config: |

roles/mgrote_netplan/templates/10_config.yml.j2

@@ -4,4 +4,4 @@ network:
   renderer: networkd
   ethernets:
     {{ ansible_default_ipv4.interface }}:
-      dhcp4: yes
+      dhcp4: true