redeployment forgejo + setup ldap #1
46 changed files with 694 additions and 301 deletions
@ -12,15 +12,14 @@ exclude_paths:
|
||||||
- .gitlab-ci.yml
|
- .gitlab-ci.yml
|
||||||
- friedhof/
|
- friedhof/
|
||||||
- playbooks/on-off
|
- playbooks/on-off
|
||||||
- roles/geerlingguy-ansible-role-pip
|
- roles/ansible-role-pip
|
||||||
- roles/pyratlabs-ansible-role-k3s
|
- roles/ansible-role-bootstrap
|
||||||
- roles/robertdebock-ansible-role-bootstrap
|
- roles/ansible_role_ctop
|
||||||
- roles/gantsign-ansible-role-ctop
|
- roles/ansible-role-docker
|
||||||
- roles/geerlingguy-ansible-role-docker
|
- roles/ansible-role-helm
|
||||||
- roles/geerlingguy-ansible-role-helm
|
- roles/ansible-role-nfs
|
||||||
- roles/geerlingguy-ansible-role-nfs
|
- roles/ansible-role-unattended-upgrades
|
||||||
- roles/hifis-net-ansible-role-unattended-upgrades
|
- roles/ansible-manage-lvm
|
||||||
- roles/mrlesmithjr-ansible-manage-lvm
|
- roles/ansible-ufw
|
||||||
- roles/oefenweb-ansible-ufw
|
- roles/ansible_role_gitea
|
||||||
- roles/pandemonium1986-ansible-role-k9s
|
- roles/ansible-role-postgresql
|
||||||
- roles/pyratlabs-ansible-role-gitea
|
|
||||||
|
|
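Review bot: The new exclude_paths list no longer contains the k3s and k9s roles (the old `roles/pyratlabs-ansible-role-k3s` and `roles/pandemonium1986-ansible-role-k9s` rows are replaced by other entries), while the .gitignore section of this same commit still treats `roles/ansible-role-k3s` and `roles/pandemonium1986-ansible-role-k9s` as untracked vendored checkouts, so ansible-lint will now descend into two roles that are not part of this repository. Either add `- roles/ansible-role-k3s` and `- roles/pandemonium1986-ansible-role-k9s` here or drop them from .gitignore so the two lists agree. The path of this file is not shown on the page, and whether the list continues past the hunk is not visible.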
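--- a/.gitignore
+++ b/.gitignore
@@ -2,17 +2,19 @@
 vault-pass.yml
 id_ed25519
 id_ed25519.pub
-roles/geerlingguy-ansible-role-pip
-roles/pyratlabs-ansible-role-k3s
-roles/robertdebock-ansible-role-bootstrap
-roles/gantsign-ansible-role-ctop
-roles/geerlingguy-ansible-role-docker
-roles/geerlingguy-ansible-role-helm
-roles/geerlingguy-ansible-role-nfs
-roles/hifis-net-ansible-role-unattended-upgrades
-roles/mrlesmithjr-ansible-manage-lvm
-roles/oefenweb-ansible-ufw
+roles/ansible-role-pip
+roles/ansible-role-k3s
+roles/ansible-role-bootstrap
+roles/ansible_role_ctop
+roles/ansible-role-docker
+roles/ansible-role-helm
+roles/ansible-role-nfs
+roles/ansible_role_gitea
+roles/ansible-role-unattended-upgrades
+roles/ansible-manage-lvm
+roles/ansible-ufw
 roles/pandemonium1986-ansible-role-k9s
-roles/pyratlabs-ansible-role-gitea
+roles/ansible_role_gitea
 collections/
 plugins/lookup/__pycache__/
+roles/ansible-role-postgresql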
@ -15,7 +15,7 @@ services:
|
||||||
ALWAYS_ADD_MISSING_HEADERS: "no" # literal
|
ALWAYS_ADD_MISSING_HEADERS: "no" # literal
|
||||||
# LOG_SUBJECT: "yes" # literal
|
# LOG_SUBJECT: "yes" # literal
|
||||||
INET_PROTOCOL: ipv4
|
INET_PROTOCOL: ipv4
|
||||||
SMTP_GENERIC_MAP: "/.*/ info@mgrote.net"
|
#SMTP_GENERIC_MAP: "/.*/ info@mgrote.net" # deactivated; dont overwrite sender
|
||||||
networks:
|
networks:
|
||||||
- mail-relay
|
- mail-relay
|
||||||
healthcheck:
|
healthcheck:
|
||||||
|
|
|
@ -18,10 +18,11 @@ services:
|
||||||
fileserver3.mgrote.net:fileserver3.mgrote.net
|
fileserver3.mgrote.net:fileserver3.mgrote.net
|
||||||
ansible2.mgrote.net:ansible2.mgrote.net
|
ansible2.mgrote.net:ansible2.mgrote.net
|
||||||
pve5.mgrote.net:pve5.mgrote.net
|
pve5.mgrote.net:pve5.mgrote.net
|
||||||
gitea.mgrote.net:gitea.mgrote.net
|
forgejo.mgrote.net:forgejo.mgrote.net
|
||||||
docker10.mgrote.net:docker10.mgrote.net
|
docker10.mgrote.net:docker10.mgrote.net
|
||||||
pbs.mgrote.net:pbs.mgrote.net
|
pbs.mgrote.net:pbs.mgrote.net
|
||||||
blocky.mgrote.net:blocky.mgrote.net
|
blocky.mgrote.net:blocky.mgrote.net
|
||||||
|
ldap.mgrote.net:ldap.mgrote.net
|
||||||
# z.B.
|
# z.B.
|
||||||
# computer-test.mgrote.net.test:192.68.2.4
|
# computer-test.mgrote.net.test:192.68.2.4
|
||||||
# computer.mgrote.net:computer.mgrote.net
|
# computer.mgrote.net:computer.mgrote.net
|
||||||
|
|
|
@ -15,7 +15,7 @@ services:
|
||||||
hex.mgrote.net,routeros-config-backup,/key_hex
|
hex.mgrote.net,routeros-config-backup,/key_hex
|
||||||
crs305.mgrote.net,routeros-config-backup,/key_crs305
|
crs305.mgrote.net,routeros-config-backup,/key_crs305
|
||||||
GIT_REPO_BRANCH: "master"
|
GIT_REPO_BRANCH: "master"
|
||||||
GIT_REPO_URL: "ssh://gitea@gitea.mgrote.net:2222/mg/routeros-configs.git"
|
GIT_REPO_URL: "gitea@forgejo.mgrote.net:mg/routeros-configs.git"
|
||||||
GIT_REPO_DEPLOY_KEY: "/deploy_token"
|
GIT_REPO_DEPLOY_KEY: "/deploy_token"
|
||||||
GIT_USERNAME: oxidized-selfmade
|
GIT_USERNAME: oxidized-selfmade
|
||||||
GIT_USER_MAIL: michael.grote@posteo.de
|
GIT_USER_MAIL: michael.grote@posteo.de
|
||||||
|
|
|
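Review bot: `GIT_REPO_URL` now points at `gitea@forgejo.mgrote.net` over the host's OpenSSH on the default port instead of the built-in SSH server on 2222, so the oxidized container will be presented with a different host key and, if it verifies host keys, pushes will fail until its known_hosts entry is refreshed; nothing on the page updates that entry. The right fix is to ship the new host's key into the container's known_hosts, not to turn host-key checking off. This is inferred from the URL change alone; if the container already trusts the new key some other way, ignore.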
@ -14,4 +14,4 @@ http:
|
||||||
service_gitea:
|
service_gitea:
|
||||||
loadBalancer:
|
loadBalancer:
|
||||||
servers:
|
servers:
|
||||||
- url: "http://gitea.mgrote.net:3000/"
|
- url: "http://forgejo.mgrote.net:3000/"
|
||||||
|
|
|
@ -20,29 +20,6 @@ dotfiles_vim_vundle_repo_url: https://git.mgrote.net/mirrors/Vundle.vim.git
|
||||||
### mgrote_netplan
|
### mgrote_netplan
|
||||||
netplan_configure: true
|
netplan_configure: true
|
||||||
|
|
||||||
### mgrote_restic
|
|
||||||
restic_user: root
|
|
||||||
restic_group: restic
|
|
||||||
restic_conf_dir: /etc/restic
|
|
||||||
restic_exclude: |
|
|
||||||
._*
|
|
||||||
desktop.ini
|
|
||||||
.Trash-*
|
|
||||||
**/**cache***/**
|
|
||||||
**/**Cache***/**
|
|
||||||
**/**AppData***/**
|
|
||||||
# https://github.com/restic/restic/issues/1005
|
|
||||||
# https://forum.restic.net/t/exclude-syntax-confusion/1531/12
|
|
||||||
restic_mount_timeout: "10 min"
|
|
||||||
restic_failure_delay: "30 s"
|
|
||||||
restic_schedule: "0/6:00" # alle 6 Stunden
|
|
||||||
restic_folders_to_backup: "/" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben; https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files
|
|
||||||
restic_repository: "//fileserver3.mgrote.net/restic"
|
|
||||||
restic_repository_password: "{{ lookup('keepass', 'restic_repository_password', 'password') }}"
|
|
||||||
restic_mount_user: restic
|
|
||||||
restic_mount_password: "{{ lookup('keepass', 'fileserver_smb_user_restic', 'password') }}"
|
|
||||||
restic_fail_mail: "{{ my_mail }}"
|
|
||||||
|
|
||||||
### mgrote_user
|
### mgrote_user
|
||||||
users:
|
users:
|
||||||
- username: mg
|
- username: mg
|
||||||
|
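Review bot: Removing the whole `### mgrote_restic` block here (and `restic_folders_to_backup` in the hunks headed `@ -15,9 +15,6 @@ lvm_groups`, `@ -5,9 +5,6 @@ netplan_configure` and `@ -2,9 +2,6 @@`) takes the restic backup configuration away from every host in a commit titled "redeployment forgejo + setup ldap", and nothing on the page configures a replacement; the new group_vars/git.yml even sets `gitea_backup_on_upgrade: false` and names no backup target for `/var/lib/gitea` or the postgres database. If backups now run elsewhere, a one-line comment where the block was, e.g. `# restic backups moved to <placeholder: new backup mechanism>`, would document that. If they do not, the removal should be split into its own commit so it can be reviewed and reverted on its own.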
@ -219,16 +196,16 @@ munin_node_disabled_plugins:
|
||||||
- name: timesync
|
- name: timesync
|
||||||
munin_node_plugins:
|
munin_node_plugins:
|
||||||
- name: chrony
|
- name: chrony
|
||||||
src: https://git.mgrote.net/Mirror/munin-contrib/raw/branch/master/plugins/chrony/chrony
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
|
||||||
- name: systemd_status
|
- name: systemd_status
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_status
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
|
||||||
- name: systemd_mem
|
- name: systemd_mem
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
|
||||||
config: |
|
config: |
|
||||||
[systemd_mem]
|
[systemd_mem]
|
||||||
env.all_services true
|
env.all_services true
|
||||||
- name: lvm_
|
- name: lvm_
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/disk/lvm_
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/disk/lvm_
|
||||||
config: |
|
config: |
|
||||||
[lvm_*]
|
[lvm_*]
|
||||||
user root
|
user root
|
||||||
|
|
|
@ -24,13 +24,13 @@ apt_packages_extra:
|
||||||
- libnet-dns-perl # für munin: dnsresponse_
|
- libnet-dns-perl # für munin: dnsresponse_
|
||||||
|
|
||||||
### mgrote_user_setup
|
### mgrote_user_setup
|
||||||
dotfiles_vim_vundle_repo_url: http://192.168.2.44:3000/mirrors/Vundle.vim.git
|
dotfiles_vim_vundle_repo_url: http://192.168.2.42:3000/mirrors/Vundle.vim.git
|
||||||
dotfiles:
|
dotfiles:
|
||||||
- user: mg
|
- user: mg
|
||||||
home: /home/mg
|
home: /home/mg
|
||||||
- user: root
|
- user: root
|
||||||
home: /root
|
home: /root
|
||||||
dotfiles_repo_url: http://192.168.2.44:3000/mg/dotfiles
|
dotfiles_repo_url: http://192.168.2.42:3000/mg/dotfiles
|
||||||
|
|
||||||
### mgrote_blocky
|
### mgrote_blocky
|
||||||
blocky_version: v0.23
|
blocky_version: v0.23
|
||||||
|
@ -86,40 +86,40 @@ blocky_custom_lookups: # optional
|
||||||
ip: 192.168.2.1
|
ip: 192.168.2.1
|
||||||
- name: fritz.box
|
- name: fritz.box
|
||||||
ip: 192.168.5.1
|
ip: 192.168.5.1
|
||||||
|
- name: ldap.mgrote.net
|
||||||
|
ip: 192.168.2.47
|
||||||
|
|
||||||
### mgrote_restic
|
|
||||||
restic_repository: "//192.168.2.54/restic"
|
|
||||||
|
|
||||||
### mgrote_munin_node
|
### mgrote_munin_node
|
||||||
# kann git.mgrote.net nicht auflösen, deshalb hiermit IP
|
# kann git.mgrote.net nicht auflösen, deshalb hiermit IP
|
||||||
munin_node_plugins:
|
munin_node_plugins:
|
||||||
- name: chrony
|
- name: chrony
|
||||||
src: http://192.168.2.44:3000/Mirror/munin-contrib/raw/branch/master/plugins/chrony/chrony
|
src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
|
||||||
- name: systemd_status
|
- name: systemd_status
|
||||||
src: http://192.168.2.44:3000/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_status
|
src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
|
||||||
- name: systemd_mem
|
- name: systemd_mem
|
||||||
src: http://192.168.2.44:3000/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
|
src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
|
||||||
config: |
|
config: |
|
||||||
[systemd_mem]
|
[systemd_mem]
|
||||||
env.all_services true
|
env.all_services true
|
||||||
- name: lvm_
|
- name: lvm_
|
||||||
src: http://192.168.2.44:3000/mg/mirror-munin-contrib/raw/branch/master/plugins/disk/lvm_
|
src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/disk/lvm_
|
||||||
config: |
|
config: |
|
||||||
[lvm_*]
|
[lvm_*]
|
||||||
user root
|
user root
|
||||||
- name: fail2ban
|
- name: fail2ban
|
||||||
src: http://192.168.2.44:3000/mg/munin-plugins/raw/branch/master/extern/fail2ban
|
src: http://192.168.2.42:3000/mg/munin-plugins/raw/branch/master/extern/fail2ban
|
||||||
config: |
|
config: |
|
||||||
[fail2ban]
|
[fail2ban]
|
||||||
env.client /usr/bin/fail2ban-client
|
env.client /usr/bin/fail2ban-client
|
||||||
env.config_dir /etc/fail2ban
|
env.config_dir /etc/fail2ban
|
||||||
user root
|
user root
|
||||||
- name: dnsresponse_192.168.2.1
|
- name: dnsresponse_192.168.2.1
|
||||||
src: http://192.168.2.44:3000/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
|
src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
|
||||||
- name: dnsresponse_192.168.2.37
|
- name: dnsresponse_192.168.2.37
|
||||||
src: http://192.168.2.44:3000/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
|
src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
|
||||||
- name: dnsresponse_127.0.0.1
|
- name: dnsresponse_127.0.0.1
|
||||||
src: http://192.168.2.44:3000/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
|
src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
|
||||||
config: |
|
config: |
|
||||||
[dnsresponse_*]
|
[dnsresponse_*]
|
||||||
env.site www.heise.de
|
env.site www.heise.de
|
||||||
|
|
|
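Review bot: The munin plugin sources in this hunk keep fetching over plain `http://192.168.2.42:3000/...` (only the IP and repository path changed), and the `config:` blocks right below run several of them with `user root`; a script pulled without TLS or a checksum and then executed as root is the weakest point in this file, even on the LAN. The dotfiles URLs in the `@ -24,13 +24,13 @@ apt_packages_extra` hunk have the same shape. The comment above the list explains the IP (git.mgrote.net cannot be resolved on this host) but not the scheme; if the role's download step supports a checksum, pinning one per plugin closes the gap regardless of transport, otherwise a `# TODO: plain http; plugins below run as root, verify checksums` note next to the URLs would at least record the trade-off. Whether munin_node_plugins continues past the hunk is not visible.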
@ -15,9 +15,6 @@ lvm_groups:
|
||||||
manage_lvm: true
|
manage_lvm: true
|
||||||
pvresize_to_max: true
|
pvresize_to_max: true
|
||||||
|
|
||||||
### mgrote_restic
|
|
||||||
restic_folders_to_backup: "/ /var/lib/docker" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben; https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files
|
|
||||||
|
|
||||||
### geerlingguy.pip
|
### geerlingguy.pip
|
||||||
pip_package: python3-pip
|
pip_package: python3-pip
|
||||||
pip_install_packages:
|
pip_install_packages:
|
||||||
|
@ -85,14 +82,14 @@ systemd_resolved_nameserver: 192.168.2.37
|
||||||
munin_node_allowed_cidrs: [0.0.0.0/0] # weil der munin-server aus einem anderen subnet zugreift
|
munin_node_allowed_cidrs: [0.0.0.0/0] # weil der munin-server aus einem anderen subnet zugreift
|
||||||
munin_node_plugins:
|
munin_node_plugins:
|
||||||
- name: systemd_status
|
- name: systemd_status
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_status
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
|
||||||
- name: systemd_mem
|
- name: systemd_mem
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
|
||||||
config: |
|
config: |
|
||||||
[systemd_mem]
|
[systemd_mem]
|
||||||
env.all_services true
|
env.all_services true
|
||||||
- name: lvm_
|
- name: lvm_
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/disk/lvm_
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/disk/lvm_
|
||||||
config: |
|
config: |
|
||||||
[lvm_*]
|
[lvm_*]
|
||||||
user root
|
user root
|
||||||
|
@ -104,23 +101,23 @@ munin_node_plugins:
|
||||||
env.config_dir /etc/fail2ban
|
env.config_dir /etc/fail2ban
|
||||||
user root
|
user root
|
||||||
- name: docker_containers
|
- name: docker_containers
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/docker/docker_
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
|
||||||
config: |
|
config: |
|
||||||
[docker_*]
|
[docker_*]
|
||||||
user root
|
user root
|
||||||
env.DOCKER_HOST unix://run/docker.sock
|
env.DOCKER_HOST unix://run/docker.sock
|
||||||
- name: docker_cpu
|
- name: docker_cpu
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/docker/docker_
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
|
||||||
- name: docker_memory
|
- name: docker_memory
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/docker/docker_
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
|
||||||
- name: docker_network
|
- name: docker_network
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/docker/docker_
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
|
||||||
- name: docker_volumes
|
- name: docker_volumes
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/docker/docker_
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
|
||||||
- name: docker_volumesize
|
- name: docker_volumesize
|
||||||
src: https://git.mgrote.net/Mirror/munin-contrib/raw/branch/master/plugins/docker/docker_volumesize
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_volumesize
|
||||||
- name: chrony
|
- name: chrony
|
||||||
src: https://git.mgrote.net/Mirror/munin-contrib/raw/branch/master/plugins/chrony/chrony
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
|
||||||
|
|
||||||
### oefenweb.ufw
|
### oefenweb.ufw
|
||||||
ufw_rules:
|
ufw_rules:
|
||||||
|
|
|
@ -34,11 +34,11 @@ smb_enable_snapshots_shadow: true
|
||||||
### mgrote_munin_node
|
### mgrote_munin_node
|
||||||
munin_node_plugins:
|
munin_node_plugins:
|
||||||
- name: chrony
|
- name: chrony
|
||||||
src: https://git.mgrote.net/Mirror/munin-contrib/raw/branch/master/plugins/chrony/chrony
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
|
||||||
- name: systemd_status
|
- name: systemd_status
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_status
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
|
||||||
- name: systemd_mem
|
- name: systemd_mem
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
|
||||||
config: |
|
config: |
|
||||||
[systemd_mem]
|
[systemd_mem]
|
||||||
env.all_services true
|
env.all_services true
|
||||||
|
|
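--- a/group_vars/git.yml
+++ b/group_vars/git.yml
@@ -0,0 +1,142 @@
+---
+### mrlesmithjr.ansible-manage-lvm
+lvm_groups:
+- vgname: vg_data
+disks:
+- /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1
+create: true
+lvnames:
+- lvname: lv_data
+size: +100%FREE
+create: true
+filesystem: xfs
+mount: true
+mntp: /var/lib/gitea
+manage_lvm: true
+pvresize_to_max: true
+
+### mgrote_apt_manage_packages
+apt_packages_extra:
+- fail2ban
+
+### geerlingguy_postgres
+postgresql_databases:
+- name: "{{ gitea_db_name }}"
+postgresql_users:
+- name: "{{ gitea_db_user }}"
+password: "{{ gitea_db_password }}"
+
+### oefenweb.ufw
+ufw_rules:
+- rule: allow
+to_port: 22
+protocol: tcp
+comment: 'ssh'
+from_ip: 0.0.0.0/0
+- rule: allow
+to_port: 4949
+protocol: tcp
+comment: 'munin'
+from_ip: 192.168.2.0/24
+- rule: allow
+to_port: "{{ gitea_http_port }}"
+protocol: tcp
+comment: 'gitea'
+from_ip: 0.0.0.0/0
+
+### ansible_role_gitea
+# https://git.mgrote.net/ansible-roles-mirrors/ansible_role_gitea
+gitea_fork: "forgejo"
+# gitea update
+gitea_version: "1.21.7-0" # alt zum renovate testen
+gitea_version_check: true
+gitea_backup_on_upgrade: false
+# gitea in the linux world
+gitea_group: "gitea"
+gitea_user: "gitea"
+gitea_home: "/var/lib/gitea"
+gitea_user_home: "{{ gitea_home }}"
+# config liegt in /etc/gitea/gitea.ini
+gitea_configuration_path: "/etc/gitea" # anpassen
+gitea_app_name: "forgejo"
+gitea_fqdn: "git.mgrote.net"
+# ssh
+gitea_ssh_port: 22 # assuming the host SSH server is running on port 22
+gitea_start_ssh: false # to not start the built-in SSH server
+gitea_shell: "/bin/bash"
+# Repository
+gitea_default_branch: "master"
+gitea_default_private: "public"
+gitea_repository_root: "{{ gitea_home }}/repos"
+# ui
+gitea_show_user_email: false
+# server
+gitea_protocol: "http"
+gitea_http_domain: "{{ gitea_fqdn }}"
+gitea_http_port: "3000"
+gitea_http_listen: "0.0.0.0"
+gitea_root_url: https://git.mgrote.net
+# database
+gitea_db_type: "postgres"
+gitea_db_host: "localhost"
+gitea_db_name: "gitea"
+gitea_db_user: "gitea"
+gitea_db_password: "{{ lookup('keepass', 'forgejo_db_password', 'password') }}"
+# indexer
+gitea_repo_indexer_enabled: true
+# security
+gitea_disable_webhooks: false
+gitea_password_check_pwn: false
+gitea_internal_token: "{{ lookup('keepass', 'forgejo_internal_token', 'password') }}"
+gitea_secret_key: "{{ lookup('keepass', 'forgejo_secret_key', 'password') }}"
+# service
+gitea_disable_registration: true
+gitea_register_email_confirm: true
+gitea_require_signin: false
+gitea_default_keep_mail_private: true
+gitea_enable_captcha: false
+gitea_show_registration_button: false
+gitea_enable_notify_mail: true
+gitea_default_user_visibility: "public"
+gitea_show_milestones_dashboard_page: false
+gitea_default_allow_create_organization: true
+gitea_default_org_visibility: "public"
+# Mailer
+gitea_mailer_enabled: true
+gitea_mailer_protocol: "smtp"
+gitea_mailer_smtp_addr: "docker10.mgrote.net"
+gitea_mailer_smtp_port: 1025
+gitea_mailer_from: "gitea@mgrote.net"
+gitea_subject_prefix: "git.mgrote.net - "
+# log
+gitea_log_systemd: true
+gitea_log_level: "Info"
+# Metrics
+gitea_metrics_enabled: false
+# Federation
+gitea_federation_enabled: false
+# Packages
+gitea_packages_enabled: false
+# actions
+gitea_actions_enabled: false
+gitea_extra_config: |
+; webhook: wird für drone benötigt, sonst wird der Webhook nicht "gesendet"
+[webhook]
+ALLOWED_HOST_LIST = *.mgrote.net
+; für Import/Migration aus anderen Git-Systemen
+[migrations]
+ALLOWED_DOMAINS = *
+# oauth2
+gitea_oauth2_jwt_secret: "{{ lookup('keepass', 'forgejo_oauth2_jwt_secret', 'password') }}"
+# Fail2Ban configuration
+gitea_fail2ban_enabled: true
+gitea_fail2ban_jail_maxretry: "3"
+gitea_fail2ban_jail_findtime: "300"
+gitea_fail2ban_jail_bantime: "600"
+gitea_fail2ban_jail_action: "iptables-allports"
+
+### mgrote_gitea_setup
+gitea_ldap_host: "ldap.mgrote.net"
+gitea_ldap_bind_pass: "{{ lookup('keepass', 'lldap_ldap_user_pass', 'password') }}"
+gitea_admin_user: "fadmin"
+gitea_admin_user_pass: "{{ lookup('keepass', 'forgejo_admin_user_pass', 'password') }}"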
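Review bot: `gitea_ldap_bind_pass` reads the same keepass entry `lldap_ldap_user_pass` that the new group_vars/ldap.yml uses as `lldap_admin_password` (its comment even says "also bind-secret"), so if this is the bind credential its name suggests, Forgejo binds to the directory as the LDAP admin and anyone who can read Forgejo's config or database gains write access to every LDAP account. A dedicated read-only bind user with its own entry, e.g. `gitea_ldap_bind_pass: "{{ lookup('keepass', 'forgejo_ldap_bind_pass', 'password') }}"` (constructed entry name), keeps a Forgejo compromise from becoming a directory compromise. Second, the ufw rule for `{{ gitea_http_port }}` allows `from_ip: 0.0.0.0/0` although `gitea_protocol` is plain http and the traefik hunk shows only the proxy talking to port 3000, so narrowing `from_ip` to the proxy host, or at least to `192.168.2.0/24` like the other rules, stops the unencrypted listener from being offered to everyone. Lastly, `[migrations] ALLOWED_DOMAINS = *` lets the migration feature fetch from any host it can reach; a list of the forges actually migrated from, or a comment stating why `*` is required, would be safer.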
@ -1,113 +0,0 @@
|
||||||
---
|
|
||||||
### mrlesmithjr.ansible-manage-lvm
|
|
||||||
lvm_groups:
|
|
||||||
- vgname: vg_gitea_data
|
|
||||||
disks:
|
|
||||||
- /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1
|
|
||||||
create: true
|
|
||||||
lvnames:
|
|
||||||
- lvname: lv_gitea_data
|
|
||||||
size: +100%FREE
|
|
||||||
create: true
|
|
||||||
filesystem: xfs
|
|
||||||
mount: true
|
|
||||||
mntp: /var/lib/gitea
|
|
||||||
manage_lvm: true
|
|
||||||
pvresize_to_max: true
|
|
||||||
|
|
||||||
### mgrote_restic
|
|
||||||
restic_folders_to_backup: "/ /var/lib/gitea" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben; https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files
|
|
||||||
|
|
||||||
### mgrote_apt_manage_packages
|
|
||||||
apt_packages_extra:
|
|
||||||
- fail2ban
|
|
||||||
|
|
||||||
### oefenweb.ufw
|
|
||||||
ufw_rules:
|
|
||||||
- rule: allow
|
|
||||||
to_port: 22
|
|
||||||
protocol: tcp
|
|
||||||
comment: 'ssh'
|
|
||||||
from_ip: 0.0.0.0/0
|
|
||||||
- rule: allow
|
|
||||||
to_port: 4949
|
|
||||||
protocol: tcp
|
|
||||||
comment: 'munin'
|
|
||||||
from_ip: 192.168.2.0/24
|
|
||||||
- rule: allow
|
|
||||||
to_port: "{{ gitea_http_port }}"
|
|
||||||
protocol: tcp
|
|
||||||
comment: 'gitea'
|
|
||||||
from_ip: 0.0.0.0/0
|
|
||||||
- rule: allow
|
|
||||||
to_port: "{{ gitea_ssh_port }}"
|
|
||||||
protocol: tcp
|
|
||||||
comment: 'gitea'
|
|
||||||
from_ip: 0.0.0.0/0
|
|
||||||
|
|
||||||
### l3d.gitea
|
|
||||||
# config liegt in /etc/gitea/gitea.ini
|
|
||||||
gitea_version: "1.21.7-0"
|
|
||||||
gitea_fork: "forgejo"
|
|
||||||
gitea_app_name: "Gitea"
|
|
||||||
gitea_user: "gitea"
|
|
||||||
gitea_home: "/var/lib/gitea"
|
|
||||||
gitea_repository_root: "{{ gitea_home }}"
|
|
||||||
gitea_user_repo_limit: 300
|
|
||||||
gitea_root_url: https://git.mgrote.net
|
|
||||||
gitea_offline_mode: true
|
|
||||||
gitea_lfs_server_enabled: false
|
|
||||||
gitea_secret_key: "{{ lookup('keepass', 'gitea_secret_key', 'password') }}"
|
|
||||||
gitea_internal_token: "{{ lookup('keepass', 'gitea_internal_token', 'password') }}"
|
|
||||||
gitea_disable_git_hooks: false
|
|
||||||
gitea_show_user_email: false
|
|
||||||
gitea_disable_gravatar: true
|
|
||||||
gitea_enable_captcha: true
|
|
||||||
gitea_only_allow_external_registration: false
|
|
||||||
gitea_enable_notify_mail: true
|
|
||||||
gitea_autowatch_on_change: true
|
|
||||||
gitea_force_private: false
|
|
||||||
gitea_oauth2_enabled: true
|
|
||||||
gitea_repo_indexer_enabled: true
|
|
||||||
|
|
||||||
gitea_mailer_enabled: true
|
|
||||||
gitea_mailer_protocol: smtp
|
|
||||||
gitea_mailer_smtp_addr: docker10.mgrote.net
|
|
||||||
gitea_mailer_smtp_port: 1025
|
|
||||||
gitea_mailer_from: "gitea@mgrote.net"
|
|
||||||
|
|
||||||
gitea_default_branch: 'master'
|
|
||||||
|
|
||||||
gitea_db_type: sqlite3
|
|
||||||
gitea_db_path: "{{ gitea_home }}/data/gitea.db" # for sqlite3
|
|
||||||
|
|
||||||
gitea_ssh_listen: 0.0.0.0
|
|
||||||
gitea_ssh_domain: gitea.mgrote.net
|
|
||||||
gitea_ssh_port: 2222
|
|
||||||
gitea_start_ssh: true
|
|
||||||
|
|
||||||
gitea_http_domain: git.mgrote.net
|
|
||||||
gitea_http_listen: 0.0.0.0
|
|
||||||
gitea_http_port: 3000
|
|
||||||
gitea_disable_http_git: false
|
|
||||||
gitea_protocol: http
|
|
||||||
|
|
||||||
gitea_show_registration_button: false
|
|
||||||
gitea_require_signin: false
|
|
||||||
gitea_disable_registration: true
|
|
||||||
|
|
||||||
gitea_fail2ban_enabled: true
|
|
||||||
gitea_fail2ban_jail_maxretry: 3
|
|
||||||
gitea_fail2ban_jail_findtime: 300
|
|
||||||
gitea_fail2ban_jail_bantime: 600
|
|
||||||
# wird für drone benötigt, sonst wird der Webhook nicht "gesendet"
|
|
||||||
gitea_extra_config: |
|
|
||||||
[webhook]
|
|
||||||
ALLOWED_HOST_LIST = *.mgrote.net
|
|
||||||
|
|
||||||
gitea_backup_on_upgrade: false
|
|
||||||
gitea_backup_location: "{{ gitea_home }}/backups/"
|
|
||||||
|
|
||||||
submodules_versioncheck: true
|
|
||||||
gitea_log_systemd: true
|
|
||||||
gitea_log_level: "Info"
|
|
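--- a/group_vars/ldap.yml
+++ b/group_vars/ldap.yml
@@ -0,0 +1,58 @@
+---
+### geerlingguy_postgres
+postgresql_databases:
+- name: "{{ lldap_db_name }}"
+postgresql_users:
+- name: "{{ lldap_db_user }}"
+password: "{{ lldap_db_pass }}"
+
+### oefenweb.ufw
+ufw_rules:
+- rule: allow
+to_port: 22
+protocol: tcp
+comment: 'ssh'
+from_ip: 0.0.0.0/0
+- rule: allow
+to_port: 4949
+protocol: tcp
+comment: 'munin'
+from_ip: 192.168.2.0/24
+- rule: allow
+to_port: "{{ lldap_http_port }}"
+protocol: tcp
+comment: 'lldap'
+from_ip: 192.168.2.0/24
+- rule: allow
+to_port: 3890
+protocol: tcp
+comment: 'lldap'
+from_ip: 192.168.2.0/24
+
+### mgrote_lldap
+lldap_package_url: "https://download.opensuse.org/repositories/home:/Masgalor:/LLDAP/xUbuntu_22.04/amd64/lldap_0.5.0-1+3.1_amd64.deb"
+lldap_logging_verbose: "true" # must be a string not a boolean
+lldap_http_port: 17170
+lldap_http_host: "0.0.0.0"
+lldap_ldap_host: "0.0.0.0"
+lldap_public_url: http://localhost
+lldap_jwt_secret: "{{ lookup('keepass', 'lldap_jwt_secret', 'password') }}"
+lldap_ldap_base_dn: "dc=mgrote,dc=net"
+lldap_admin_username: ladmin # only used on setup
+lldap_admin_password: "{{ lookup('keepass', 'lldap_ldap_user_pass', 'password') }}" # only used on setup; also bind-secret
+lldap_admin_mailaddress: lldap-admin@mgrote.net # only used on setup
+lldap_database_url: "postgres://{{ lldap_db_user }}:{{ lldap_db_pass }}@{{ lldap_db_host }}/{{ lldap_db_name }}"
+lldap_key_seed: "{{ lookup('keepass', 'lldap_key_seed', 'password') }}"
+lldap_smtp_from: "LLDAP Admin <info@mgrote.net>"
+lldap_smtp_reply_to: "Do not reply <info@mgrote.net>"
+lldap_smtp_server: "docker10.mgrote.net"
+lldap_smtp_port: "1025"
+lldap_smtp_smtp_encryption: "NONE"
+lldap_smtp_user: "info@mgrote.net"
+lldap_smtp_enable_password_reset: "true" # must be a string not a boolean
+# "meta vars"; daraus werden die db-url und die postgres-db abgeleitet
+lldap_db_name: "lldap"
+lldap_db_user: "lldap"
+lldap_db_pass: "{{ lookup('keepass', 'lldap_db_pass', 'password') }}"
+lldap_db_host: "localhost"
+...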
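Review bot: `lldap_package_url` installs a .deb straight from a personal OBS project (`home:/Masgalor:/LLDAP`) and nothing here pins its digest, so a changed or replaced artifact at that URL would be installed unnoticed; if the role supports it, a companion value such as `lldap_package_checksum: "sha256:<placeholder digest>"` (constructed name) checked by the download step would make the install reproducible and tamper-evident. `lldap_public_url: http://localhost` looks like a leftover: with `lldap_smtp_enable_password_reset: "true"` the reset mails presumably embed this URL, so recipients would get links to localhost, and the value probably wants to be the host's real address, e.g. `http://ldap.mgrote.net:17170`. Finally, the only LDAP listener opened in this file is 3890 with no TLS setting in sight, so the admin/bind credential above crosses 192.168.2.0/24 in the clear on every Forgejo bind; if the role exposes an LDAPS option, enabling it and pointing `gitea_ldap_host` at it is a worthwhile follow-up.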
@ -5,9 +5,6 @@ netplan_configure: false
|
||||||
### mgrote_postfix
|
### mgrote_postfix
|
||||||
postfix_erlaubte_netzwerke: "127.0.0.0/8 192.168.2.0/24 192.168.3.0/24"
|
postfix_erlaubte_netzwerke: "127.0.0.0/8 192.168.2.0/24 192.168.3.0/24"
|
||||||
|
|
||||||
### mgrote_restic
|
|
||||||
restic_folders_to_backup: "/ /etc/proxmox-backup"
|
|
||||||
|
|
||||||
### mgrote_user
|
### mgrote_user
|
||||||
users:
|
users:
|
||||||
- username: root
|
- username: root
|
||||||
|
@ -37,11 +34,11 @@ users:
|
||||||
### mgrote_munin_node
|
### mgrote_munin_node
|
||||||
munin_node_plugins:
|
munin_node_plugins:
|
||||||
- name: chrony
|
- name: chrony
|
||||||
src: https://git.mgrote.net/Mirror/munin-contrib/raw/branch/master/plugins/chrony/chrony
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
|
||||||
- name: systemd_status
|
- name: systemd_status
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_status
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
|
||||||
- name: systemd_mem
|
- name: systemd_mem
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
|
||||||
config: |
|
config: |
|
||||||
[systemd_mem]
|
[systemd_mem]
|
||||||
env.all_services true
|
env.all_services true
|
||||||
|
@ -53,22 +50,22 @@ munin_node_plugins:
|
||||||
env.config_dir /etc/fail2ban
|
env.config_dir /etc/fail2ban
|
||||||
user root
|
user root
|
||||||
- name: zfs_arcstats
|
- name: zfs_arcstats
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zfs_arcstats
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfs_arcstats
|
||||||
- name: zfsonlinux_stats_
|
- name: zfsonlinux_stats_
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zfsonlinux_stats_
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfsonlinux_stats_
|
||||||
- name: zpool_iostat
|
- name: zpool_iostat
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zpool_iostat
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zpool_iostat
|
||||||
- name: zfs_list
|
- name: zfs_list
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zfs_list
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfs_list
|
||||||
config: |
|
config: |
|
||||||
[zfs_list]
|
[zfs_list]
|
||||||
env.ignore_datasets_pattern autodaily
|
env.ignore_datasets_pattern autodaily
|
||||||
- name: zfs_count
|
- name: zfs_count
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zfs_pool_dataset_count
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfs_pool_dataset_count
|
||||||
- name: zpool_iostat
|
- name: zpool_iostat
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zpool_iostat
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zpool_iostat
|
||||||
- name: zpool_capacity
|
- name: zpool_capacity
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zpool_capacity
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zpool_capacity
|
||||||
munin_node_disabled_plugins:
|
munin_node_disabled_plugins:
|
||||||
- meminfo # zu hohe last
|
- meminfo # zu hohe last
|
||||||
- hddtemp2 # ersetzt durch hddtemp_smartctl
|
- hddtemp2 # ersetzt durch hddtemp_smartctl
|
||||||
|
|
|
@ -2,9 +2,6 @@
|
||||||
### mgrote_netplan
|
### mgrote_netplan
|
||||||
netplan_configure: false
|
netplan_configure: false
|
||||||
|
|
||||||
### mgrote_restic
|
|
||||||
restic_folders_to_backup: "/ /etc/pve"
|
|
||||||
|
|
||||||
### mgrote_user
|
### mgrote_user
|
||||||
users:
|
users:
|
||||||
- username: root
|
- username: root
|
||||||
|
@ -42,11 +39,11 @@ apt_packages_extra:
|
||||||
### mgrote_munin_node
|
### mgrote_munin_node
|
||||||
munin_node_plugins:
|
munin_node_plugins:
|
||||||
- name: chrony
|
- name: chrony
|
||||||
src: https://git.mgrote.net/Mirror/munin-contrib/raw/branch/master/plugins/chrony/chrony
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
|
||||||
- name: systemd_status
|
- name: systemd_status
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_status
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
|
||||||
- name: systemd_mem
|
- name: systemd_mem
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
|
||||||
config: |
|
config: |
|
||||||
[systemd_mem]
|
[systemd_mem]
|
||||||
env.all_services true
|
env.all_services true
|
||||||
|
@ -58,39 +55,39 @@ munin_node_plugins:
|
||||||
env.config_dir /etc/fail2ban
|
env.config_dir /etc/fail2ban
|
||||||
user root
|
user root
|
||||||
- name: zfs_arcstats
|
- name: zfs_arcstats
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zfs_arcstats
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfs_arcstats
|
||||||
- name: zfsonlinux_stats_
|
- name: zfsonlinux_stats_
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zfsonlinux_stats_
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfsonlinux_stats_
|
||||||
- name: zpool_iostat
|
- name: zpool_iostat
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zpool_iostat
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zpool_iostat
|
||||||
- name: zfs_list
|
- name: zfs_list
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zfs_list
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfs_list
|
||||||
config: |
|
config: |
|
||||||
[zfs_list]
|
[zfs_list]
|
||||||
env.ignore_datasets_pattern autodaily
|
env.ignore_datasets_pattern autodaily
|
||||||
- name: zpool_capacity
|
- name: zpool_capacity
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zpool_capacity
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zpool_capacity
|
||||||
- name: kvm_mem
|
- name: kvm_mem
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/libvirt/kvm_mem
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/libvirt/kvm_mem
|
||||||
- name: kvm_net
|
- name: kvm_net
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/libvirt/kvm_net
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/libvirt/kvm_net
|
||||||
- name: kvm_io
|
- name: kvm_io
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/libvirt/kvm_io
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/libvirt/kvm_io
|
||||||
config: |
|
config: |
|
||||||
[kvm_io]
|
[kvm_io]
|
||||||
user root
|
user root
|
||||||
- name: kvm_cpu
|
- name: kvm_cpu
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/libvirt/kvm_cpu
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/libvirt/kvm_cpu
|
||||||
- name: proxmox_count
|
- name: proxmox_count
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/proxmox/proxmox_vm_count
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/proxmox/proxmox_vm_count
|
||||||
config: |
|
config: |
|
||||||
[proxmox_count]
|
[proxmox_count]
|
||||||
user root
|
user root
|
||||||
group root
|
group root
|
||||||
- name: zfs_count
|
- name: zfs_count
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zfs_pool_dataset_count
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfs_pool_dataset_count
|
||||||
- name: ksm_
|
- name: ksm_
|
||||||
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/system/kernel_same_page_merging
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/system/kernel_same_page_merging
|
||||||
munin_node_disabled_plugins:
|
munin_node_disabled_plugins:
|
||||||
- meminfo # zu hohe last
|
- meminfo # zu hohe last
|
||||||
- hddtemp2 # ersetzt durch hddtemp_smartctl
|
- hddtemp2 # ersetzt durch hddtemp_smartctl
|
||||||
|
|
|
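Review bot: Dropping `restic_folders_to_backup: "/ /etc/pve"` from this host's vars (hunk `@ -2,9 +2,6 @@`) changes the backup scope to whatever the mgrote_restic role's default is, which is not visible in this change; if that default does not include `/etc/pve`, the Proxmox configuration stops being backed up without any failure being reported. The same removal happens in the second host-vars section (hunk `@ -29,9 +29,6 @@ cifs_mounts:`), where the old comment explicitly said that `--one-file-system` is set and `/var/lib/docker` and `/mnt/oci-registry` therefore had to be listed. Either confirm the role default covers those paths or keep the explicit lists. The remaining hunks only move the munin plugin `src` URLs to the `mirrors/munin-contrib` path, which is fine as long as they stay on HTTPS as they do here.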
@ -15,11 +15,11 @@ lvm_groups:
|
||||||
manage_lvm: true
|
manage_lvm: true
|
||||||
pvresize_to_max: true
|
pvresize_to_max: true
|
||||||
|
|
||||||
### mgrote_mount_cifs
|
### mgrote_mount_cifs # löschen
|
||||||
cifs_mounts:
|
cifs_mounts:
|
||||||
- name: bilder
|
- name: bilder
|
||||||
type: cifs
|
type: cifs
|
||||||
state: present
|
state: absent
|
||||||
dest: /mnt/fileserver3_photoprism_bilder_ro
|
dest: /mnt/fileserver3_photoprism_bilder_ro
|
||||||
src: //fileserver3.mgrote.net/bilder
|
src: //fileserver3.mgrote.net/bilder
|
||||||
user: photoprism
|
user: photoprism
|
||||||
|
@ -29,9 +29,6 @@ cifs_mounts:
|
||||||
gid: 5000
|
gid: 5000
|
||||||
extra_opts: ",ro" # komma am Anfang ist notwendig weil die Option hinten angehangen wird
|
extra_opts: ",ro" # komma am Anfang ist notwendig weil die Option hinten angehangen wird
|
||||||
|
|
||||||
### mgrote_restic
|
|
||||||
restic_folders_to_backup: "/ /var/lib/docker /mnt/oci-registry" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben
|
|
||||||
|
|
||||||
### mgrote_docker-compose-inline
|
### mgrote_docker-compose-inline
|
||||||
compose_owner: "docker-user"
|
compose_owner: "docker-user"
|
||||||
compose_group: "docker-user"
|
compose_group: "docker-user"
|
||||||
|
@ -59,8 +56,6 @@ compose_files:
|
||||||
- name: navidrome
|
- name: navidrome
|
||||||
state: present
|
state: present
|
||||||
network: traefik
|
network: traefik
|
||||||
- name: watchtower
|
|
||||||
state: absent
|
|
||||||
- name: routeros-config-export
|
- name: routeros-config-export
|
||||||
state: present
|
state: present
|
||||||
- name: mail-relay
|
- name: mail-relay
|
||||||
|
@ -72,8 +67,6 @@ compose_files:
|
||||||
- name: wiki
|
- name: wiki
|
||||||
state: present
|
state: present
|
||||||
network: traefik
|
network: traefik
|
||||||
- name: statping-ng
|
|
||||||
state: absent
|
|
||||||
|
|
||||||
### oefenweb.ufw
|
### oefenweb.ufw
|
||||||
ufw_rules:
|
ufw_rules:
|
||||||
|
|
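Review bot: `state: absent` on the `bilder` cifs mount (hunk `@ -15,11 +15,11 @@ lvm_groups:`) only takes effect if the mgrote_mount_cifs role still runs against this host, but the docker playbook in this same change drops `mgrote_mount_cifs` from its `roles:` list, so the existing mount and its fstab entry with the `photoprism` credentials stay on the host until someone removes them by hand. Run the role once with the absent state before deleting it from the playbook, or replace the vars with an explicit removal task. The `# löschen` marker on the section header matches that intent but leaves the dead vars in place.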
|
@ -55,8 +55,6 @@ smb_users:
|
||||||
password: "{{ lookup('keepass', 'fileserver_smb_user_pve', 'password') }}"
|
password: "{{ lookup('keepass', 'fileserver_smb_user_pve', 'password') }}"
|
||||||
- name: 'brother_ads2700w'
|
- name: 'brother_ads2700w'
|
||||||
password: "{{ lookup('keepass', 'fileserver_smb_user_brother_ads2700w', 'password') }}"
|
password: "{{ lookup('keepass', 'fileserver_smb_user_brother_ads2700w', 'password') }}"
|
||||||
- name: 'photoprism'
|
|
||||||
password: "{{ lookup('keepass', 'fileserver_smb_user_photoprism', 'password') }}"
|
|
||||||
|
|
||||||
smb_shares:
|
smb_shares:
|
||||||
- name: 'videos'
|
- name: 'videos'
|
||||||
|
@ -89,7 +87,7 @@ smb_shares:
|
||||||
users_rw: 'kodi win10 michaelgrote'
|
users_rw: 'kodi win10 michaelgrote'
|
||||||
- name: 'bilder'
|
- name: 'bilder'
|
||||||
path: '/shares_bilder'
|
path: '/shares_bilder'
|
||||||
users_ro: 'photoprism'
|
users_ro: ''
|
||||||
users_rw: ' michaelgrote win10'
|
users_rw: ' michaelgrote win10'
|
||||||
- name: 'proxmox'
|
- name: 'proxmox'
|
||||||
path: '/shares_pve_backup'
|
path: '/shares_pve_backup'
|
||||||
|
@ -98,7 +96,7 @@ smb_shares:
|
||||||
- name: 'restic'
|
- name: 'restic'
|
||||||
path: '/shares_restic'
|
path: '/shares_restic'
|
||||||
users_ro: ''
|
users_ro: ''
|
||||||
users_rw: ' restic win10 michaelgrote'
|
users_rw: 'restic win10 michaelgrote'
|
||||||
- name: 'buecher'
|
- name: 'buecher'
|
||||||
path: '/shares_buecher'
|
path: '/shares_buecher'
|
||||||
users_ro: ''
|
users_ro: ''
|
||||||
|
|
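Review bot: `users_rw: ' michaelgrote win10'` for the `bilder` share still carries the leading space that the next hunk removes from the `restic` share (`' restic win10 michaelgrote'` → `'restic win10 michaelgrote'`); unless the smb role strips whitespace before splitting the list, the first token is empty. `users_rw: 'michaelgrote win10'` makes the two entries consistent. Setting `users_ro: ''` for `bilder` after removing the `photoprism` SMB user is correct, and the enclosing `smb_shares` list continues outside the hunk.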
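--- a/inventory
+++ b/inventory
@@ -6,6 +6,9 @@ all:
 blocky:
 hosts:
 blocky.mgrote.net:
+ldap:
+hosts:
+ldap.mgrote.net:
 lxc:
 hosts:
 fileserver3.mgrote.net:
@@ -32,19 +35,20 @@ all:
 hosts:
 pve5.mgrote.net:
 pbs.mgrote.net:
-gitea:
+git:
 hosts:
-gitea.mgrote.net:
+forgejo.mgrote.net:
 
 production:
 hosts:
 fileserver3.mgrote.net:
 ansible2.mgrote.net:
 pve5.mgrote.net:
-gitea.mgrote.net:
+forgejo.mgrote.net:
 docker10.mgrote.net:
 pbs.mgrote.net:
 blocky.mgrote.net:
+ldap.mgrote.net:
 test:
 hosts:
 vm-test-2204.mgrote.net: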
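Review bot: `ldap.mgrote.net` joins both the new `ldap` group and `production`, but no group or host vars for it appear in this change; the ufw playbook targets `all:!pve:!pbs` and, as its comment says, takes its rules from group/host vars, so whether port 3890 and the admin UI port 17170 are reachable, and from where, is left to the default policy unless an `ldap` group-vars file exists elsewhere. Worth confirming before the first run against `production`, since the lldap role defaults bind both services to `0.0.0.0`.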
BIN
keepass_db.kdbx
BIN
keepass_db.kdbx
Binary file not shown.
|
@ -2,7 +2,7 @@
|
||||||
- hosts: all
|
- hosts: all
|
||||||
gather_facts: false
|
gather_facts: false
|
||||||
roles:
|
roles:
|
||||||
- role: robertdebock-ansible-role-bootstrap
|
- role: ansible-role-bootstrap
|
||||||
tags: "bootstrap"
|
tags: "bootstrap"
|
||||||
become: true
|
become: true
|
||||||
- role: mgrote_apt_manage_sources
|
- role: mgrote_apt_manage_sources
|
||||||
|
|
|
@ -1,4 +1,6 @@
|
||||||
---
|
---
|
||||||
- hosts: ansible
|
- hosts: ansible
|
||||||
roles:
|
roles:
|
||||||
- { role: geerlingguy-ansible-role-pip, tags: "pip", become: true }
|
- role: ansible-role-pip
|
||||||
|
tags: "pip"
|
||||||
|
become: true
|
||||||
|
|
|
@ -1,5 +1,7 @@
|
||||||
---
|
---
|
||||||
- hosts: blocky
|
- hosts: blocky
|
||||||
roles:
|
roles:
|
||||||
- { role: mgrote_systemd_resolved, tags: "resolved" }
|
- role: mgrote_systemd_resolved
|
||||||
- { role: mgrote_blocky, tags: "blocky" }
|
tags: "resolved"
|
||||||
|
- role: mgrote_blocky
|
||||||
|
tags: "blocky"
|
||||||
|
|
|
@ -1,10 +1,21 @@
|
||||||
---
|
---
|
||||||
- hosts: docker
|
- hosts: docker
|
||||||
roles:
|
roles:
|
||||||
- { role: mgrote_systemd_resolved, tags: "dns", become: true }
|
- role: mgrote_systemd_resolved
|
||||||
- { role: mgrote_mount_cifs, tags: "cifs", become: true }
|
tags: "dns"
|
||||||
- { role: geerlingguy-ansible-role-pip, tags: "pip", become: true }
|
become: true
|
||||||
- { role: geerlingguy-ansible-role-docker, tags: "docker", become: true }
|
- role: ansible-role-pip
|
||||||
- { role: gantsign-ansible-role-ctop, tags: "ctop", become: true }
|
tags: "pip"
|
||||||
- { role: mgrote_set_permissions, tags: "perm", become: true }
|
become: true
|
||||||
- { role: mgrote_docker_compose_inline, tags: "compose", become: true }
|
- role: ansible-role-docker
|
||||||
|
tags: "docker"
|
||||||
|
become: true
|
||||||
|
- role: ansible_role_ctop
|
||||||
|
tags: "ctop"
|
||||||
|
become: true
|
||||||
|
- role: mgrote_set_permissions
|
||||||
|
tags: "perm"
|
||||||
|
become: true
|
||||||
|
- role: mgrote_docker_compose_inline
|
||||||
|
tags: "compose"
|
||||||
|
become: true
|
||||||
|
|
|
@ -6,6 +6,9 @@
|
||||||
---
|
---
|
||||||
- hosts: fileserver
|
- hosts: fileserver
|
||||||
roles:
|
roles:
|
||||||
- { role: mgrote_fileserver_smb, tags: "smb" }
|
- role: mgrote_fileserver_smb
|
||||||
- { role: mgrote_youtubedl, tags: "youtubedl" }
|
tags: "smb"
|
||||||
- { role: mgrote_disable_oom_killer, tags: "oom" }
|
- role: mgrote_youtubedl
|
||||||
|
tags: "youtubedl"
|
||||||
|
- role: mgrote_disable_oom_killer
|
||||||
|
tags: "oom"
|
||||||
|
|
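--- a/playbooks/3_service/git.yml
+++ b/playbooks/3_service/git.yml
@@ -0,0 +1,12 @@
+---
+- hosts: git
+roles:
+- role: ansible-role-postgresql
+tags: "db"
+become: true
+- role: ansible_role_gitea
+tags: "gitea"
+become: true
+- role: mgrote_gitea_setup
+tags: "setup"
+become: true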
@ -1,4 +0,0 @@
|
||||||
---
|
|
||||||
- hosts: gitea
|
|
||||||
roles:
|
|
||||||
- { role: pyratlabs-ansible-role-gitea, tags: "gitea", become: true }
|
|
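--- a/playbooks/3_service/lldap.yml
+++ b/playbooks/3_service/lldap.yml
@@ -0,0 +1,9 @@
+---
+- hosts: ldap
+roles:
+- role: ansible-role-postgresql
+tags: "db"
+become: true
+- role: mgrote_lldap
+tags: "lldap"
+become: true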
@ -1,12 +1,21 @@
|
||||||
---
|
---
|
||||||
- hosts: pbs
|
- hosts: pbs
|
||||||
roles:
|
roles:
|
||||||
- { role: mgrote_zfs_packages, tags: "zfs_packages" }
|
- role: mgrote_zfs_packages
|
||||||
- { role: mgrote_zfs_arc_mem, tags: "zfs_arc_mem" }
|
tags: "zfs_packages"
|
||||||
- { role: mgrote_zfs_manage_datasets, tags: "datasets" }
|
- role: mgrote_zfs_arc_mem
|
||||||
- { role: mgrote_zfs_scrub, tags: "zfs_scrub" }
|
tags: "zfs_arc_mem"
|
||||||
- { role: mgrote_zfs_zed, tags: "zfs_zed" }
|
- role: mgrote_zfs_manage_datasets
|
||||||
- { role: mgrote_zfs_sanoid, tags: "sanoid" }
|
tags: "datasets"
|
||||||
- { role: mgrote_smart, tags: "smart" }
|
- role: mgrote_zfs_scrub
|
||||||
- { role: mgrote_pbs_users, tags: "pbs_users" }
|
tags: "zfs_scrub"
|
||||||
- { role: mgrote_pbs_datastores, tags: "pbs_datastores" }
|
- role: mgrote_zfs_zed
|
||||||
|
tags: "zfs_zed"
|
||||||
|
- role: mgrote_zfs_sanoid
|
||||||
|
tags: "sanoid"
|
||||||
|
- role: mgrote_smart
|
||||||
|
tags: "smart"
|
||||||
|
- role: mgrote_pbs_users
|
||||||
|
tags: "pbs_users"
|
||||||
|
- role: mgrote_pbs_datastores
|
||||||
|
tags: "pbs_datastores"
|
||||||
|
|
|
@ -1,14 +1,25 @@
|
||||||
---
|
---
|
||||||
- hosts: pve
|
- hosts: pve
|
||||||
roles:
|
roles:
|
||||||
- { role: mgrote_zfs_packages, tags: "zfs_packages" }
|
- role: mgrote_zfs_packages
|
||||||
- { role: mgrote_zfs_arc_mem, tags: "zfs_arc_mem" }
|
tags: "zfs_packages"
|
||||||
- { role: mgrote_zfs_manage_datasets, tags: "datasets" }
|
- role: mgrote_zfs_arc_mem
|
||||||
- { role: mgrote_zfs_scrub, tags: "zfs_scrub" }
|
tags: "zfs_arc_mem"
|
||||||
- { role: mgrote_zfs_zed, tags: "zfs_zed" }
|
- role: mgrote_zfs_manage_datasets
|
||||||
- { role: mgrote_zfs_sanoid, tags: "sanoid" }
|
tags: "datasets"
|
||||||
- { role: mgrote_smart, tags: "smart" }
|
- role: mgrote_zfs_scrub
|
||||||
- { role: mgrote_cv4pve_autosnap, tags: "cv4pve" }
|
tags: "zfs_scrub"
|
||||||
- { role: mgrote_proxmox_bind_mounts, tags: "bindmounts" }
|
- role: mgrote_zfs_zed
|
||||||
- { role: mgrote_proxmox_lxc_profiles, tags: "lxc-profile" }
|
tags: "zfs_zed"
|
||||||
- { role: mgrote_pbs_pve_integration, tags: "pbs" }
|
- role: mgrote_zfs_sanoid
|
||||||
|
tags: "sanoid"
|
||||||
|
- role: mgrote_smart
|
||||||
|
tags: "smart"
|
||||||
|
- role: mgrote_cv4pve_autosnap
|
||||||
|
tags: "cv4pve"
|
||||||
|
- role: mgrote_proxmox_bind_mounts
|
||||||
|
tags: "bindmounts"
|
||||||
|
- role: mgrote_proxmox_lxc_profiles
|
||||||
|
tags: "lxc-profile"
|
||||||
|
- role: mgrote_pbs_pve_integration
|
||||||
|
tags: "pbs"
|
||||||
|
|
|
@ -5,14 +5,12 @@
|
||||||
tags: "apt_sources"
|
tags: "apt_sources"
|
||||||
- role: mgrote_apt_manage_packages
|
- role: mgrote_apt_manage_packages
|
||||||
tags: "install"
|
tags: "install"
|
||||||
- role: mgrote_exa
|
|
||||||
tags: "exa"
|
|
||||||
- role: mgrote_remove_snapd
|
- role: mgrote_remove_snapd
|
||||||
become: true
|
become: true
|
||||||
tags: "snapd"
|
tags: "snapd"
|
||||||
- role: mgrote_apt_update_packages
|
- role: mgrote_apt_update_packages
|
||||||
tags: "updates"
|
tags: "updates"
|
||||||
- role: hifis-net-ansible-role-unattended-upgrades
|
- role: ansible-role-unattended-upgrades
|
||||||
become: true
|
become: true
|
||||||
tags: unattended
|
tags: unattended
|
||||||
when: "ansible_facts['distribution'] == 'Ubuntu'"
|
when: "ansible_facts['distribution'] == 'Ubuntu'"
|
||||||
|
|
|
@ -13,11 +13,11 @@
|
||||||
become: true
|
become: true
|
||||||
tags: fwupd
|
tags: fwupd
|
||||||
when: "ansible_facts['distribution'] == 'Ubuntu'"
|
when: "ansible_facts['distribution'] == 'Ubuntu'"
|
||||||
- role: mrlesmithjr-ansible-manage-lvm
|
- role: ansible-manage-lvm
|
||||||
tags: "lvm"
|
tags: "lvm"
|
||||||
become: true
|
become: true
|
||||||
when: manage_lvm == true and manage_lvm is defined
|
when: manage_lvm == true and manage_lvm is defined
|
||||||
# $manage_lvm gehört zu dieser Rolle, wird aber extra abgefragt um das PLaybook zu "aktivieren"
|
# $manage_lvm gehört zu dieser Rolle, wird aber extra abgefragt um das Playbook zu "aktivieren"
|
||||||
- role: mgrote_ssh
|
- role: mgrote_ssh
|
||||||
tags: "ssh"
|
tags: "ssh"
|
||||||
- role: mgrote_netplan
|
- role: mgrote_netplan
|
||||||
|
|
|
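Review bot: The `when:` on the renamed `ansible-manage-lvm` role still tests `manage_lvm == true` before `manage_lvm is defined`; the expression is evaluated left to right, so on a host where the variable is unset the comparison is reached first and, with Ansible's default undefined handling, the conditional errors instead of skipping. Reordering it to `when: manage_lvm is defined and manage_lvm | bool` makes the guard do what the (now corrected) comment describes. The enclosing play starts outside the hunk.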
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
- hosts: all:!pve:!pbs
|
- hosts: all:!pve:!pbs
|
||||||
roles:
|
roles:
|
||||||
- { role: oefenweb-ansible-ufw, # Regeln werden in den Group/Host-Vars gesetzt
|
- role: ansible-ufw # Regeln werden in den Group/Host-Vars gesetzt
|
||||||
tags: "ufw",
|
tags: ufw
|
||||||
become: true}
|
become: true
|
||||||
|
|
|
@ -2,9 +2,9 @@
|
||||||
- hosts: all
|
- hosts: all
|
||||||
roles:
|
roles:
|
||||||
- role: mgrote_users
|
- role: mgrote_users
|
||||||
tags: "user"
|
tags: users
|
||||||
become: true
|
become: true
|
||||||
- role: mgrote_user_setup
|
- role: mgrote_user_setup
|
||||||
tags:
|
tags:
|
||||||
- "user_setup"
|
- user_setup
|
||||||
- dotfiles
|
- dotfiles
|
||||||
|
|
|
@ -4,21 +4,23 @@ collections:
|
||||||
- git+https://git.mgrote.net/ansible-collections-mirrors/ansible.posix
|
- git+https://git.mgrote.net/ansible-collections-mirrors/ansible.posix
|
||||||
- git+https://git.mgrote.net/ansible-collections-mirrors/community.docker
|
- git+https://git.mgrote.net/ansible-collections-mirrors/community.docker
|
||||||
roles:
|
roles:
|
||||||
- src: https://git.mgrote.net/ansible-roles-mirrors/robertdebock-ansible-role-bootstrap
|
- src: https://git.mgrote.net/ansible-roles-mirrors/ansible-role-bootstrap
|
||||||
scm: git
|
scm: git
|
||||||
- src: https://git.mgrote.net/ansible-roles-mirrors/oefenweb-ansible-ufw
|
- src: https://git.mgrote.net/ansible-roles-mirrors/ansible-ufw
|
||||||
scm: git
|
scm: git
|
||||||
- src: https://git.mgrote.net/ansible-roles-mirrors/mrlesmithjr-ansible-manage-lvm
|
- src: https://git.mgrote.net/ansible-roles-mirrors/ansible-manage-lvm
|
||||||
scm: git
|
scm: git
|
||||||
- src: https://git.mgrote.net/ansible-roles-mirrors/hifis-net-ansible-role-unattended-upgrades
|
- src: https://git.mgrote.net/ansible-roles-mirrors/ansible-role-unattended-upgrades
|
||||||
scm: git
|
scm: git
|
||||||
- src: https://git.mgrote.net/ansible-roles-mirrors/geerlingguy-ansible-role-pip
|
- src: https://git.mgrote.net/ansible-roles-mirrors/ansible-role-pip
|
||||||
scm: git
|
scm: git
|
||||||
- src: https://git.mgrote.net/ansible-roles-mirrors/geerlingguy-ansible-role-nfs
|
- src: https://git.mgrote.net/ansible-roles-mirrors/ansible-role-nfs
|
||||||
scm: git
|
scm: git
|
||||||
- src: https://git.mgrote.net/ansible-roles-mirrors/geerlingguy-ansible-role-docker
|
- src: https://git.mgrote.net/ansible-roles-mirrors/ansible-role-docker
|
||||||
scm: git
|
scm: git
|
||||||
- src: https://git.mgrote.net/ansible-roles-mirrors/gantsign-ansible-role-ctop
|
- src: https://git.mgrote.net/ansible-roles-mirrors/ansible_role_ctop
|
||||||
scm: git
|
scm: git
|
||||||
- src: https://git.mgrote.net/ansible-roles-mirrors/pyratlabs-ansible-role-gitea
|
- src: https://git.mgrote.net/ansible-roles-mirrors/ansible_role_gitea
|
||||||
|
scm: git
|
||||||
|
- src: https://git.mgrote.net/ansible-roles-mirrors/ansible-role-postgresql
|
||||||
scm: git
|
scm: git
|
||||||
|
|
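Review bot: None of the entries under `roles:` carry a `version:`, so `ansible-galaxy install` checks out whatever the mirror's default branch points at on each run, and the newly added `ansible-role-postgresql` and `ansible_role_gitea` entries follow the same pattern. Pinning each entry with `version: "<tag-or-commit placeholder>"` next to `scm: git` makes deployments reproducible and means a changed mirror branch cannot silently alter code that runs with `become: true` on every host. The `collections:` entries above use `git+https://` without a pin as well; the top of the file is outside the hunk.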
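--- a/roles/mgrote_gitea_setup/tasks/admin.yml
+++ b/roles/mgrote_gitea_setup/tasks/admin.yml
@@ -0,0 +1,22 @@
+---
+# die Variablen kommen aus
+# - https://docs.gitea.com/administration/command-line
+# - https://github.com/lldap/lldap/blob/main/example_configs/gitea.md
+# und
+# den jeweiligen group/host-Vars!
+- name: Ensure Admin-User exists
+no_log: true
+become_user: gitea
+become: true
+ansible.builtin.command: |
+forgejo admin user create \
+--config /etc/gitea/gitea.ini
+--username "{{ gitea_admin_user }}" \
+--password "{{ gitea_admin_user_pass }}" \
+--email "{{ gitea_admin_user }}@mgrote.net" \
+--admin
+register: setup_admin
+ignore_errors: true
+failed_when: 'not "Command error: CreateUser: user already exists [name: mg]" in setup_admin.stderr' # fail Task wenn LDAP schon konfiguriert ist
+changed_when: "setup_admin.rc == 0" # chnaged nur wenn Task rc 0 hat, sollte nur beim ersten lauf vorkommen; ungetestet
+...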
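Review bot: `failed_when: 'not "Command error: CreateUser: user already exists [name: mg]" in setup_admin.stderr'` hard-codes the user name `mg` while the command takes it from `{{ gitea_admin_user }}`, and the condition is inverted for the first run: a successful create (rc 0, no such message) evaluates to true and the task is reported failed, which `ignore_errors: true` then masks together with every real failure such as a rejected password or an unreachable database. `failed_when: setup_admin.rc != 0 and "user already exists" not in setup_admin.stderr` with `ignore_errors` removed expresses the intended idempotency; the trailing comment "fail Task wenn LDAP schon konfiguriert ist" is copied from ldap.yml and does not describe this task. `--config /etc/gitea/gitea.ini` is the only line without a trailing `\` and uses a literal path where ldap.yml uses `{{ gitea_configuration_path }}/gitea.ini`; harmless if the command module splits the block on whitespace, but worth aligning. `no_log` hides the password from the controller output only; passed as a command-line argument it is visible in the host's process list while the command runs.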
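--- a/roles/mgrote_gitea_setup/tasks/ldap.yml
+++ b/roles/mgrote_gitea_setup/tasks/ldap.yml
@@ -0,0 +1,56 @@
+---
+# die Variablen kommen aus
+# - https://docs.gitea.com/administration/command-line
+# - https://github.com/lldap/lldap/blob/main/example_configs/gitea.md
+# und
+# den jeweiligen group/host-Vars!
+- name: Ensure LDAP config is set up
+no_log: true
+become_user: gitea
+become: true
+ansible.builtin.command: |
+forgejo admin auth add-ldap \
+--config "{{ gitea_configuration_path }}/gitea.ini" \
+--name "lldap" \
+--security-protocol "unencrypted" \
+--host "{{ gitea_ldap_host }}" \
+--port "3890" \
+--bind-dn "uid=ladmin,ou=people,dc=mgrote,dc=net" \
+--bind-password "{{ gitea_ldap_bind_pass }}" \
+--user-search-base "ou=people,dc=mgrote,dc=net" \
+--user-filter "(&(memberof=cn=gitea,ou=groups,dc=mgrote,dc=net)(|(uid=%[1]s)(mail=%[1]s)))" \
+--username-attribute "uid" \
+--email-attribute "mail" \
+--firstname-attribute "givenName" \
+--surname-attribute "sn" \
+--avatar-attribute "jpegPhoto" \
+--synchronize-users
+register: setup
+ignore_errors: true
+failed_when: 'not "Command error: login source already exists [name: lldap]" in setup.stderr' # fail Task wenn LDAP schon konfiguriert ist
+changed_when: "setup.rc == 0" # chnaged nur wenn Task rc 0 hat, sollte nur beim ersten lauf vorkommen; ungetestet
+
+- name: Modify LDAP config
+no_log: true
+become_user: gitea
+become: true
+ansible.builtin.command: |
+forgejo admin auth update-ldap \
+--config "{{ gitea_configuration_path }}/gitea.ini" \
+--id "1" \
+--security-protocol "unencrypted" \
+--host "{{ gitea_ldap_host }}" \
+--port "3890" \
+--bind-dn "uid=ladmin,ou=people,dc=mgrote,dc=net" \
+--bind-password "{{ gitea_ldap_bind_pass }}" \
+--user-search-base "ou=people,dc=mgrote,dc=net" \
+--user-filter "(&(memberof=cn=gitea,ou=groups,dc=mgrote,dc=net)(|(uid=%[1]s)(mail=%[1]s)))" \
+--username-attribute "uid" \
+--email-attribute "mail" \
+--firstname-attribute "givenName" \
+--surname-attribute "sn" \
+--avatar-attribute "jpegPhoto" \
+--synchronize-users
+when: '"Command error: login source already exists [name: lldap]" in setup.stderr' # führe nur aus wenn erster Task fehlgeschlagen ist
+changed_when: false # keine idee wie ich changed feststellen kann
+...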
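Review bot: Both `forgejo admin auth add-ldap` and `update-ldap` pass `--security-protocol "unencrypted"` on port 3890 to `{{ gitea_ldap_host }}`, and the inventory in this change puts `forgejo.mgrote.net` and `ldap.mgrote.net` on different hosts, so the `ladmin` bind password and every user's login password cross the network in clear. The lldap template in the same change ships `[ldaps_options]` commented out (`#enabled=true`, `#port=6360`); enabling it there and switching both tasks to `--security-protocol "ldaps"` and `--port "6360"` closes that. The bind account `uid=ladmin` is the LLDAP administrator, whereas a dedicated user in LLDAP's `lldap_strict_readonly` group is enough for search-and-bind and limits what a leaked `gitea_ldap_bind_pass` can do. `failed_when: 'not "Command error: login source already exists [name: lldap]" in setup.stderr'` has the same inverted logic and `ignore_errors` mask as admin.yml — `failed_when: setup.rc != 0 and "login source already exists" not in setup.stderr` is the intended check — and `--id "1"` in the update task assumes lldap is the first login source, which only holds on a fresh instance.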
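--- a/roles/mgrote_gitea_setup/tasks/main.yml
+++ b/roles/mgrote_gitea_setup/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Include LDAP tasks
+ansible.builtin.include_tasks: ldap.yml
+
+- name: Include User tasks
+ansible.builtin.include_tasks: admin.yml
+...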
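--- a/roles/mgrote_lldap/defaults/main.yml
+++ b/roles/mgrote_lldap/defaults/main.yml
@@ -0,0 +1,21 @@
+---
+lldap_package_url: "https://download.opensuse.org/repositories/home:/Masgalor:/LLDAP/xUbuntu_22.04/amd64/lldap_0.5.0-1+3.1_amd64.deb"
+lldap_logging_verbose: "false"
+lldap_http_port: "17170"
+lldap_http_host: "0.0.0.0"
+lldap_ldap_host: "0.0.0.0"
+lldap_public_url: http://localhost
+lldap_jwt_secret: supersecret
+lldap_ldap_base_dn: "dc=example,dc=com"
+lldap_admin_username: ladmin # only used on setup
+lldap_admin_password: supersecret # also bind-secret; only used on setup
+lldap_admin_mailaddress: lldap-admin@mgrote.net # only used on setup
+lldap_database_url: "postgres://postgres-user:password@postgres-server/my-database"
+lldap_key_seed: supersecretseed
+lldap_smtp_from: "LLDAP Admin <info@mgrote.net>"
+lldap_smtp_reply_to: "Do not reply <info@mgrote.net>"
+lldap_smtp_server: "mail.domain.net"
+lldap_smtp_port: "25"
+lldap_smtp_smtp_encryption: "NONE"
+lldap_smtp_user: "info@mgrote.net"
+lldap_smtp_enable_password_reset: "true"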
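Review bot: `lldap_jwt_secret: supersecret`, `lldap_admin_password: supersecret`, `lldap_key_seed: supersecretseed` and the `password@` in `lldap_database_url` are working values, so a host that forgets to override one of them boots an LLDAP whose session-signing key, admin bind password or private-key seed is known from this repository. Leaving those four out of the defaults, or setting an obviously invalid placeholder, and adding an `ansible.builtin.assert` in tasks/main.yml that they differ from the placeholder before the config is templated turns the omission into a failed play instead of a weak deployment. `lldap_http_host` and `lldap_ldap_host` default to `0.0.0.0`, exposing the plain LDAP port and the admin UI on every interface, and `lldap_public_url: http://localhost` makes password-reset links plain http; the template's own comments recommend `127.0.0.1` when only local services need access.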
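--- a/roles/mgrote_lldap/handlers/main.yml
+++ b/roles/mgrote_lldap/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Ensure services are enabled and started
+become: true
+ansible.builtin.systemd:
+name: lldap.service
+masked: false
+enabled: true
+state: started
+...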
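Review bot: The handler uses `state: started`, so when `Ensure config is templated` notifies it on an already-running lldap the rewritten `/etc/lldap/lldap_config.toml` is never loaded; `state: restarted` applies config changes and still starts a unit that is stopped after the package install. Keeping `enabled: true` and `masked: false` alongside that is fine.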
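--- a/roles/mgrote_lldap/tasks/main.yml
+++ b/roles/mgrote_lldap/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+- name: Ensure package is installed
+ansible.builtin.apt:
+deb: "{{ lldap_package_url }}"
+notify: Ensure services are enabled and started
+
+- name: Ensure needed directories exist
+ansible.builtin.file:
+path: "{{ item }}"
+state: directory
+owner: lldap
+group: lldap
+mode: '0755'
+loop:
+- /usr/share/lldap/app/static/fonts
+- /usr/share/lldap/app/static
+- /usr/share/lldap/app/pkg
+
+- name: Ensure config is templated
+ansible.builtin.template:
+src: lldap_config.toml.j2
+dest: /etc/lldap/lldap_config.toml
+owner: lldap
+group: lldap
+mode: "0644"
+notify: Ensure services are enabled and started
+...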
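Review bot: `/etc/lldap/lldap_config.toml` is written with `mode: "0644"` although the template puts `jwt_secret`, `ldap_user_pass`, `key_seed` and the database URL with its password into it; `mode: "0600"` with the existing `owner: lldap` keeps it readable by the service only. The `.deb` is installed straight from `{{ lldap_package_url }}` via `ansible.builtin.apt: deb:` with no checksum, so what lands on the host is whatever that OBS home-project URL serves at run time; fetching it with `ansible.builtin.get_url` and `checksum: "sha256:<expected-sha256 placeholder>"` to a local path and passing that path to `deb:` pins the package. The three `/usr/share/lldap/app/...` directories are created before the config is templated and nothing here says why the role needs them, so a one-line comment on that task would help the next maintainer.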
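--- a/roles/mgrote_lldap/templates/lldap_config.toml.j2
+++ b/roles/mgrote_lldap/templates/lldap_config.toml.j2
@@ -0,0 +1,144 @@
+{{ file_header | default () }}
+## Tune the logging to be more verbose by setting this to be true.
+## You can set it with the LLDAP_VERBOSE environment variable.
+verbose={{ lldap_logging_verbose }}
+
+## The host address that the LDAP server will be bound to.
+## To enable IPv6 support, simply switch "ldap_host" to "::":
+## To only allow connections from localhost (if you want to restrict to local self-hosted services),
+## change it to "127.0.0.1" ("::1" in case of IPv6)".
+ldap_host = "{{ lldap_ldap_host }}"
+
+## The port on which to have the LDAP server.
+#ldap_port = 3890
+
+## The host address that the HTTP server will be bound to.
+## To enable IPv6 support, simply switch "http_host" to "::".
+## To only allow connections from localhost (if you want to restrict to local self-hosted services),
+## change it to "127.0.0.1" ("::1" in case of IPv6)".
+http_host = "{{ lldap_http_host }}"
+
+## The port on which to have the HTTP server, for user login and
+## administration.
+http_port = {{ lldap_http_port }}
+
+## The public URL of the server, for password reset links.
+http_url = "{{ lldap_public_url }}"
+
+## Random secret for JWT signature.
+## This secret should be random, and should be shared with application
+## servers that need to consume the JWTs.
+## Changing this secret will invalidate all user sessions and require
+## them to re-login.
+## You should probably set it through the LLDAP_JWT_SECRET environment
+## variable from a secret ".env" file.
+## This can also be set from a file's contents by specifying the file path
+## in the LLDAP_JWT_SECRET_FILE environment variable
+## You can generate it with (on linux):
+## LC_ALL=C tr -dc 'A-Za-z0-9!#%&'\''()*+,-./:;<=>?@[\]^_{|}~' </dev/urandom | head -c 32; echo ''
+jwt_secret = "{{ lldap_jwt_secret }}"
+
+## Base DN for LDAP.
+## This is usually your domain name, and is used as a
+## namespace for your users. The choice is arbitrary, but will be needed
+## to configure the LDAP integration with other services.
+## The sample value is for "example.com", but you can extend it with as
+## many "dc" as you want, and you don't actually need to own the domain
+## name.
+ldap_base_dn = "{{ lldap_ldap_base_dn }}"
+
+## Admin username.
+## For the LDAP interface, a value of "admin" here will create the LDAP
+## user "cn=admin,ou=people,dc=example,dc=com" (with the base DN above).
+## For the administration interface, this is the username.
+ldap_user_dn = "{{ lldap_admin_username }}"
+
+## Admin email.
+## Email for the admin account. It is only used when initially creating
+## the admin user, and can safely be omitted.
+ldap_user_email = "{{ lldap_admin_mailaddress }}"
+
+## Admin password.
+## Password for the admin account, both for the LDAP bind and for the
+## administration interface. It is only used when initially creating
+## the admin user.
+## It should be minimum 8 characters long.
+## You can set it with the LLDAP_LDAP_USER_PASS environment variable.
+## This can also be set from a file's contents by specifying the file path
+## in the LLDAP_LDAP_USER_PASS_FILE environment variable
+## Note: you can create another admin user for user administration, this
+## is just the default one.
+ldap_user_pass = "{{ lldap_admin_password }}"
+
+## Database URL.
+## This encodes the type of database (SQlite, MySQL, or PostgreSQL)
+## , the path, the user, password, and sometimes the mode (when
+## relevant).
+## Note: SQlite should come with "?mode=rwc" to create the DB
+## if not present.
+## Example URLs:
+## - "postgres://postgres-user:password@postgres-server/my-database"
+## - "mysql://mysql-user:password@mysql-server/my-database"
+##
+## This can be overridden with the LLDAP_DATABASE_URL env variable.
+database_url = "{{ lldap_database_url }}"
+
+## Private key file.
+## Contains the secret private key used to store the passwords safely.
+## Note that even with a database dump and the private key, an attacker
+## would still have to perform an (expensive) brute force attack to find
+## each password.
+## Randomly generated on first run if it doesn't exist.
+## Alternatively, you can use key_seed to override this instead of relying on
+## a file.
+## Env variable: LLDAP_KEY_FILE
+key_file = "/var/lib/lldap/private_key"
+
+## Seed to generate the server private key, see key_file above.
+## This can be any random string, the recommendation is that it's at least 12
+## characters long.
+## Env variable: LLDAP_KEY_SEED
+key_seed = "{{ lldap_key_seed }}"
+
+## Ignored attributes.
+## Some services will request attributes that are not present in LLDAP. When it
+## is the case, LLDAP will warn about the attribute being unknown. If you want
+## to ignore the attribute and the service works without, you can add it to this
+## list to silence the warning.
+#ignored_user_attributes = [ "sAMAccountName" ]
+#ignored_group_attributes = [ "mail", "userPrincipalName" ]
+
+## Options to configure SMTP parameters, to send password reset emails.
+## To set these options from environment variables, use the following format
+## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD
+[smtp_options]
+## Whether to enabled password reset via email, from LLDAP.
+enable_password_reset={{ lldap_smtp_enable_password_reset }}
+## The SMTP server.
+server="{{ lldap_smtp_server }}"
+## The SMTP port.
+port={{ lldap_smtp_port }}
+## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS".
+smtp_encryption = "{{ lldap_smtp_smtp_encryption }}"
+## The SMTP user, usually your email address.
+user="{{ lldap_smtp_user }}"
+## The SMTP password.
+#password="password" #gitleaks:allow
+## The header field, optional: how the sender appears in the email. The first
+## is a free-form name, followed by an email between <>.
+from="{{ lldap_smtp_from }}"
+## Same for reply-to, optional.
+reply_to="{{ lldap_smtp_reply_to }}"
+
+## Options to configure LDAPS.
+## To set these options from environment variables, use the following format
+## (example with "port"): LLDAP_LDAPS_OPTIONS__PORT
+[ldaps_options]
+## Whether to enable LDAPS.
+#enabled=true
+## Port on which to listen.
+#port=6360
+## Certificate file.
+#cert_file="/data/cert.pem"
+## Certificate key file.
+#key_file="/data/key.pem"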
|
@ -22,7 +22,7 @@ munin_plugin_dest_path: /etc/munin/plugins/
|
||||||
munin_plugin_conf_dest_path: /etc/munin/plugin-conf.d/
|
munin_plugin_conf_dest_path: /etc/munin/plugin-conf.d/
|
||||||
# munin_node_plugins: #plugins to install
|
# munin_node_plugins: #plugins to install
|
||||||
# - name: docker_volumes # name
|
# - name: docker_volumes # name
|
||||||
# src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/docker/docker_ #src
|
# src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_ #src
|
||||||
# config_file_name: /etc/munin/plugin-conf.d/docker # where to put plugin config
|
# config_file_name: /etc/munin/plugin-conf.d/docker # where to put plugin config
|
||||||
# content of config
|
# content of config
|
||||||
# config: |
|
# config: |
|
||||||
|
|
|
@ -4,4 +4,4 @@ network:
|
||||||
renderer: networkd
|
renderer: networkd
|
||||||
ethernets:
|
ethernets:
|
||||||
{{ ansible_default_ipv4.interface }}:
|
{{ ansible_default_ipv4.interface }}:
|
||||||
dhcp4: yes
|
dhcp4: true
|
||||||
|
|