
14 changed files with 129 additions and 45 deletions


@ -4,5 +4,5 @@ dl_server_root: /var/www/dl
dl_access_log: /var/log/nginx/dl.access.log dl_access_log: /var/log/nginx/dl.access.log
dl_error_log: /var/log/nginx/dl.error.log dl_error_log: /var/log/nginx/dl.error.log
dl_ssl_enabled: false dl_ssl_enabled: false
dl_ssl_certificate: "/etc/letsencrypt/live/{{ dl_server_name }}/fullchain.pem" dl_ssl_certificate: "/var/lib/lego/certificates/{{ dl_server_name }}.crt"
dl_ssl_certificate_key: "/etc/letsencrypt/live/{{ dl_server_name }}/privkey.pem" dl_ssl_certificate_key: "/var/lib/lego/certificates/{{ dl_server_name }}.key"


@ -53,6 +53,8 @@ gitea_config:
colorize: no colorize: no
service: service:
register_manual_confirm: true register_manual_confirm: true
metrics:
enabled: true
gitea_var_tree: gitea_var_tree:
- "{{ gitea_var_path }}" - "{{ gitea_var_path }}"
@ -62,6 +64,6 @@ gitea_var_tree:
- "{{ gitea_var_path }}/backup" - "{{ gitea_var_path }}/backup"
gitea_ssl_enabled: yes gitea_ssl_enabled: yes
gitea_ssl_certificate: "/etc/letsencrypt/live/{{ gitea_domain }}/fullchain.pem" gitea_ssl_certificate: "/var/lib/lego/certificates/{{ gitea_domain }}.crt"
gitea_ssl_certificate_key: "/etc/letsencrypt/live/{{ gitea_domain }}/privkey.pem" gitea_ssl_certificate_key: "/var/lib/lego/certificates/{{ gitea_domain }}.key"
#gitea_ssl_dhparam: "/etc/letsencrypt/ssl-dhparams.pem" #gitea_ssl_dhparam: "/etc/letsencrypt/ssl-dhparams.pem"
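Review bot: The new `metrics:` stanza turns on Gitea's `/metrics` endpoint without setting a token, so the scrape endpoint is reachable unauthenticated by anyone who can reach the vhost; Gitea's `[metrics]` section has a `TOKEN` setting that makes the endpoint require a bearer token. Add it next to `enabled: true`, e.g. `token: "{{ <vault-backed metrics token variable> }}"` (placeholder name), and configure the matching `bearer_token` on the Prometheus scrape job. If the endpoint is intended to be open, a comment on the stanza saying so would save the next reader the check.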


@ -26,8 +26,8 @@ grafana_config:
http_port: "{{ grafana_port }}" http_port: "{{ grafana_port }}"
grafana_ssl_enabled: true grafana_ssl_enabled: true
grafana_ssl_certificate: "/etc/letsencrypt/live/{{ grafana_domain }}/fullchain.pem" grafana_ssl_certificate: "/var/lib/lego/certificates/{{ grafana_domain }}.crt"
grafana_ssl_certificate_key: "/etc/letsencrypt/live/{{ grafana_domain }}/privkey.pem" grafana_ssl_certificate_key: "/var/lib/lego/certificates/{{ grafana_domain }}.key"
# grafana_ssl_dhparam: "/etc/letsencrypt/ssl-dhparams.pem" # grafana_ssl_dhparam: "/etc/letsencrypt/ssl-dhparams.pem"


@ -11,8 +11,8 @@ minecraft_port: 25565
minecraft_user: minecraft minecraft_user: minecraft
minecraft_group: minecraft minecraft_group: minecraft
minecraft_jar_url: https://launcher.mojang.com/v1/objects/e00c4052dac1d59a1188b2aa9d5a87113aaf1122/server.jar minecraft_jar_url: https://piston-data.mojang.com/v1/objects/84194a2f286ef7c14ed7ce0090dba59902951553/server.jar
minecraft_jar_checksum: sha256:deefd056f0cf89c3d7fd48d03f56a8a73943586e8c061fdabd0fd92d32ced2b2 minecraft_jar_checksum: sha256:3af73a9dc5a102e38147946360dd27d4d70bae7055bf91cf2151cd5d121b79e0
minecraft_opt_path: /opt/minecraft minecraft_opt_path: /opt/minecraft
minecraft_var_path: /var/opt/minecraft minecraft_var_path: /var/opt/minecraft


@ -44,6 +44,19 @@
mode: 0644 mode: 0644
notify: reload nginx notify: reload nginx
- name: configure htpasswd files
ansible.builtin.copy:
dest: "{{ nginx_etc_path }}/{{ item.key }}.htpasswd"
owner: root
group: nginx
mode: 0640
content: |
{% for u, h in item.value.items() %}
{{ u }}:{{ h }}
{% endfor %}
loop: "{{ nginx_htpasswd_files | dict2items }}"
notify: reload nginx
- name: configure virtual hosts - name: configure virtual hosts
ansible.builtin.include_tasks: vhost.yaml ansible.builtin.include_tasks: vhost.yaml
loop: "{{ nginx_vhosts | dict2items }}" loop: "{{ nginx_vhosts | dict2items }}"
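Review bot: The `configure htpasswd files` task renders credential material through `content:` but has no `no_log: true`, so a run with `--diff` or `-v` prints every `user:hash` line into the playbook output and any log shipping behind it. Add `no_log: true` at the task level alongside `notify: reload nginx`. The rendering assumes the values of `nginx_htpasswd_files` are already password hashes rather than cleartext; if the role does not document that, a comment on the task (`# values must be pre-hashed, e.g. via the htpasswd utility`) would make the contract explicit. The enclosing task list starts and ends outside the hunk.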


@ -3,11 +3,11 @@
block: block:
- name: create webroot - name: create webroot
file: file:
path: "{{ vhost.root }}" path: "{{ server.root }}"
state: directory state: directory
loop: "{{ item.value }}" loop: "{{ item.value.server }}"
loop_control: loop_control:
loop_var: vhost loop_var: server
- name: configure virtual host - name: configure virtual host
template: template:
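Review bot: `loop: "{{ item.value.server }}"` assumes every vhost entry has a `server` key, but the accompanying template change makes `upstream` and `map` entries optional and independent, so a vhost that only carries upstream or map definitions would fail here with an undefined attribute. `loop: "{{ item.value.server | default([]) }}"` keeps the task tolerant; the same applies to the template's `{% for server in item.value.server %}`, which is also unguarded. The enclosing `block:` starts before the hunk and its remaining tasks continue after it.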


@ -1,33 +1,59 @@
# {{ ansible_managed }} # {{ ansible_managed }}
{% for vhost in item.value %} {% if item.value.upstream is defined %}
{% for upstream in item.value.upstream %}
upstream {{ upstream.name }} {
{% for server in upstream.server %}
server {{ server }};
{% endfor %}
}
{% endfor %}
{% endif %}
{% if item.value.map is defined %}
{% for map in item.value.map %}
map {{ map.name }} {{ map.variable }} {
{% for k, v in map.content.items() %}
{% if k is string and k == "" %}
"" {{ v }};
{% else %}
{{ k }} {{ v }};
{% endif %}
{% endfor %}
}
{% endfor %}
{% endif %}
{% for server in item.value.server %}
server { server {
{% if vhost.listen is defined %} {% if server.listen is defined %}
{% for listen in vhost.listen %} {% for listen in server.listen %}
listen {{ listen }}; listen {{ listen }};
{% endfor %} {% endfor %}
{% if vhost.server_name is defined %}
server_name {{ vhost.server_name }};
{% endif %}
{% endif %}
access_log {{ vhost.access_log | default(nginx_var_log_path + '/' + vhost.server_name + '.access.log main') }};
error_log {{ vhost.error_log | default(nginx_var_log_path + '/' + vhost.server_name + '.error.log warn') }};
{% if vhost.root is defined %}
root {{ vhost.root }};
{% endif %} {% endif %}
index {{ vhost.index | default('index.html index.htm') }}; http2 {{ server.http2 | default("on") }};
{% if vhost.ssl_certificate is defined %} {% if server.server_name is defined %}
ssl_certificate {{ vhost.ssl_certificate }}; server_name {{ server.server_name }};
{% endif %} {% endif %}
{% if vhost.ssl_certificate_key is defined %} access_log {{ server.access_log | default(nginx_var_log_path + '/' + server.server_name + '.access.log main') }};
ssl_certificate_key {{ vhost.ssl_certificate_key }}; error_log {{ server.error_log | default(nginx_var_log_path + '/' + server.server_name + '.error.log warn') }};
{% if server.root is defined %}
root {{ server.root }};
{% endif %} {% endif %}
{% if vhost.ssl_dhparam is defined %}
ssl_dhparam {{ vhost.ssl_dhparam }}; index {{ server.index | default('index.html index.htm') }};
{% if server.ssl_certificate is defined %}
ssl_certificate {{ server.ssl_certificate }};
{% endif %}
{% if server.ssl_certificate_key is defined %}
ssl_certificate_key {{ server.ssl_certificate_key }};
{% endif %}
{% if server.ssl_dhparam is defined %}
ssl_dhparam {{ server.ssl_dhparam }};
{% endif %} {% endif %}
location /.well-known/acme-challenge/ { location /.well-known/acme-challenge/ {
@ -35,8 +61,8 @@ server {
try_files $uri =404; try_files $uri =404;
} }
{% if vhost.raw is defined %} {% if server.raw is defined %}
{{ vhost.raw | indent(4) }} {{ server.raw | indent(4) }}
{% endif %} {% endif %}
} }
{% endfor %} {% endfor %}
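Review bot: `http2 {{ server.http2 | default("on") }};` emits the standalone `http2` directive inside every server block, which only exists from nginx 1.25.1 onward; older releases reject the rendered config at reload, and the role does not state a minimum nginx version. It is also emitted for servers that define no `ssl_certificate`, where `http2 on` enables cleartext HTTP/2 on the plain listener rather than being a no-op. Either document the version requirement at the top of the template, or restrict the line to TLS servers: `{% if server.ssl_certificate is defined %}` / `http2 {{ server.http2 | default("on") }};` / `{% endif %}`.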


@ -39,8 +39,8 @@ prometheus_bin_path: /usr/local/bin
prometheus_ssl_enabled: true prometheus_ssl_enabled: true
prometheus_hostname: "{{ prometheus_web_external_url | urlsplit('hostname') }}" prometheus_hostname: "{{ prometheus_web_external_url | urlsplit('hostname') }}"
prometheus_ssl_certificate: "/etc/letsencrypt/live/{{ prometheus_hostname }}/fullchain.pem" prometheus_ssl_certificate: "/var/lib/lego/certificates/{{ prometheus_hostname }}.crt"
prometheus_ssl_certificate_key: "/etc/letsencrypt/live/{{ prometheus_hostname }}/privkey.pem" prometheus_ssl_certificate_key: "/var/lib/lego/certificates/{{ prometheus_hostname }}.key"
prometheus_alertmanager_enabled: true prometheus_alertmanager_enabled: true


@ -23,6 +23,14 @@
group: "{{ prometheus_etc_group }}" group: "{{ prometheus_etc_group }}"
mode: "{{ prometheus_etc_mode }}" mode: "{{ prometheus_etc_mode }}"
- name: create file_sd_config.d path
file:
path: "{{ prometheus_etc_path }}/file_sd_config.d"
state: directory
owner: "{{ prometheus_etc_owner }}"
group: "{{ prometheus_etc_group }}"
mode: "{{ prometheus_etc_mode }}"
- name: create var path - name: create var path
file: file:
path: "{{ prometheus_var_path }}" path: "{{ prometheus_var_path }}"
@ -49,6 +57,15 @@
mode: 0444 mode: 0444
notify: reload prometheus notify: reload prometheus
- name: configure file_sd_config.d
copy:
dest: "{{ prometheus_etc_path }}/file_sd_config.d/{{ item.name }}"
content: "{{ (item.targets | default([])) | to_json }}"
owner: root
group: root
mode: 0444
loop: "{{ prometheus_file_sd_config_d_files | default([]) }}"
- name: configure systemd template - name: configure systemd template
template: template:
src: prometheus.service.j2 src: prometheus.service.j2
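Review bot: The `configure file_sd_config.d` task writes one file per entry of `prometheus_file_sd_config_d_files` but never removes files for entries that are later deleted, so stale targets keep being scraped until someone cleans the directory by hand; the `configure rsyslog.d rules` task added in the rsyslog role has the same gap. A companion task that lists `file_sd_config.d` and sets `state: absent` on anything not in the managed set, or an `absent` state honoured per item, closes it. The task also writes `item.targets` straight to JSON; Prometheus file_sd expects a list of `{"targets": [...], "labels": {...}}` groups, so if `targets` is a flat list of host:port strings the file will be rejected, which I cannot confirm from here. The task list continues before and after the hunk.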


@ -33,3 +33,9 @@ rsyslog_default_rules_state: file
rsyslog_default_rules: [] rsyslog_default_rules: []
rsyslog_rules: [] rsyslog_rules: []
rsyslog_archival_format_enabled: false rsyslog_archival_format_enabled: false
rsyslog_etc_path: /etc/rsyslog.d
rsyslog_config_path: /etc/rsyslog.conf
rsyslog_d:
[]
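Review bot: `rsyslog_d:` followed by `[]` on its own line parses as the intended empty list, but it reads as if the value were missing and differs from the `rsyslog_rules: []` form used two lines above. Write it as `rsyslog_d: []` on one line, and since the default is now declared here the `| default([])` filter on the consuming loop is redundant.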


@ -50,7 +50,7 @@
- name: configure archival format - name: configure archival format
template: template:
src: archival.conf.j2 src: archival.conf.j2
dest: /etc/rsyslog.d/10-archival.conf dest: "{{ rsyslog_etc_path }}/10-archival.conf"
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
@ -59,7 +59,7 @@
- name: manage archive rules - name: manage archive rules
file: file:
path: /etc/rsyslog.d/10-archival.conf path: "{{ rsyslog_etc_path }}/10-archival.conf"
state: "{{ rsyslog_archival_format_enabled | ternary('file', 'absent') }}" state: "{{ rsyslog_archival_format_enabled | ternary('file', 'absent') }}"
- name: compress log cron job - name: compress log cron job


@ -14,7 +14,7 @@
- name: configure - name: configure
template: template:
src: rsyslog.conf.j2 src: rsyslog.conf.j2
dest: /etc/rsyslog.conf dest: "{{ rsyslog_config_path }}"
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
@ -26,7 +26,7 @@
- name: configure default rules - name: configure default rules
template: template:
src: default.conf.j2 src: default.conf.j2
dest: /etc/rsyslog.d/50-default.conf dest: "{{ rsyslog_etc_path }}/50-default.conf"
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
@ -35,8 +35,19 @@
- name: manage default rules - name: manage default rules
file: file:
path: /etc/rsyslog.d/50-default.conf path: "{{ rsyslog_etc_path }}/50-default.conf"
state: "{{ rsyslog_default_rules_state }}" state: "{{ rsyslog_default_rules_state }}"
notify: restart rsyslog
- name: configure rsyslog.d rules
ansible.builtin.copy:
dest: "{{ rsyslog_etc_path }}/{{ item.priority }}-{{ item.name }}.conf"
owner: root
group: root
mode: 0644
content: "{{ item.content }}"
loop: "{{ rsyslog_d | default([]) }}"
notify: restart rsyslog
- name: manage service - name: manage service
service: service:


@ -21,10 +21,10 @@ unattended_upgrades_unattended_upgrade: true
unattended_upgrades_allowed_origins: unattended_upgrades_allowed_origins:
- "${distro_id}:${distro_codename}" - "${distro_id}:${distro_codename}"
- "${distro_id}:${distro_codename}-security" - "${distro_id}:${distro_codename}-security"
- "${distro_id}ESM:${distro_codename}" - "${distro_id}:${distro_codename}-updates"
# - "${distro_id}:${distro_codename}-updates"
# - "${distro_id}:${distro_codename}-proposed"
# - "${distro_id}:${distro_codename}-backports" # - "${distro_id}:${distro_codename}-backports"
# - "${distro_id}:${distro_codename}-proposed"
# - "${distro_id}ESM:${distro_codename}"
# List of packages to not update (regexp are supported) # List of packages to not update (regexp are supported)
# unattended_upgrades_package_blacklist: [] # unattended_upgrades_package_blacklist: []
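Review bot: The active origins list drops `${distro_id}ESM:${distro_codename}` into the commented block while enabling `-updates`, and nothing in the hunk records why; on any host with an ESM subscription attached, ESM security fixes would stop being applied automatically, which is easy to miss later. If the fleet no longer uses ESM, a comment above the list such as `# ESM origin intentionally disabled; re-enable on hosts with ESM attached` captures the decision; if some hosts still do, the origin should stay active.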


@ -15,6 +15,9 @@ Address = {{ address }}
{% if "listen_port" in i %} {% if "listen_port" in i %}
ListenPort = {{ i.listen_port }} ListenPort = {{ i.listen_port }}
{% endif %} {% endif %}
{% if "table" in i %}
Table = {{ i.table }}
{% endif %}
{% endmacro -%} {% endmacro -%}
{%- macro render_peer(p) %} {%- macro render_peer(p) %}
@ -35,6 +38,12 @@ AllowedIPs = {{ p.allowed_ips }}
AllowedIPs = {{ p.allowed_ips | join(', ') }} AllowedIPs = {{ p.allowed_ips | join(', ') }}
{% endif %} {% endif %}
{% endif %} {% endif %}
{% if "preshared_key" in p %}
PresharedKey = {{ p.preshared_key }}
{% endif %}
{% if "persistent_keepalive" in p %}
PersistentKeepalive = {{ p.persistent_keepalive }}
{% endif %}
{% endmacro -%} {% endmacro -%}
{% if wireguard_interfaces[_wireguard_interface] and {% if wireguard_interfaces[_wireguard_interface] and
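Review bot: `Table = {{ i.table }}` renders the raw inventory value, and the common setting `table: off` is read by Ansible's YAML loader as boolean false, so the line comes out as `Table = False`, which wg-quick rejects. Either document that the value must be quoted in vars (`table: "off"`), or make the template tolerant: `Table = {{ 'off' if i.table is sameas false else i.table }}`. The new `PresharedKey` line places a second secret in the rendered file, so the task that renders this template should suppress diff/log output the same way it presumably already does for the private key. The interface macro that holds the `Table` line starts before the hunk.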