
Merge remote-tracking branch 'upstream/master' into jp-readlater

Conflicts:
	README.textile
	site.yml
	vars/defaults.yml
Justin Plock 10 yıl önce
ebeveyn
işleme
8bd44ef965

+ 3
- 2
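--- a/README.textile
+++ b/README.textile
@@ -50,6 +50,7 @@ What do you get if you point this thing at a VPS? All kinds of good stuff!
 * "RFC6238":http://tools.ietf.org/html/rfc6238 two-factor authentication compatible with "Google Authenticator":http://en.wikipedia.org/wiki/Google_Authenticator and various hardware tokens
 * Nightly backups to "Tarsnap":https://www.tarsnap.com/.
 * Git hosting via "cgit":http://git.zx2c4.com/cgit/about/ and "gitolite":https://github.com/sitaramc/gitolite.
+* "Newebe":http://newebe.org, a social network.
 * Read-it-later via "Wallabag":https://www.wallabag.org/
 * A bunch of nice-to-have tools like "mosh":http://mosh.mit.edu and "htop":http://htop.sourceforge.net that make life with a server a little easier.
 
@@ -99,7 +100,7 @@ If you haven't already, "download and install Tarsnap":https://www.tarsnap.com/d
 
 Create a new machine key for your server:
 
-bc. tarsnap-keygen --keyfile roles/tarsnap/files/root_tarsnap.key --user me@example.com --machine example.com
+bc. tarsnap-keygen --keyfile roles/tarsnap/files/decrypted_tarsnap.key --user me@example.com --machine example.com
 
 h3. 3. Prep the server
 
@@ -152,7 +153,7 @@ For git hosting, copy your public key into place. @cp ~/.ssh/id_rsa.pub roles/gi
 
 h3. 5. Run the Ansible Playbooks
 
-First, make sure you've "got Ansible installed":http://docs.ansible.com/intro_installation.html#getting-ansible.
+First, make sure you've "got Ansible 1.6+ installed":http://docs.ansible.com/intro_installation.html#getting-ansible.
 
 To run the whole dang thing:
 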

+ 15
- 27
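--- a/roles/common/tasks/ufw.yml
+++ b/roles/common/tasks/ufw.yml
@@ -5,29 +5,21 @@
 - name: Install ufw
   apt: pkg=ufw state=present
 
-- name: Set firewall rules
-  command: ufw allow {{ item }}
-  register: ufw_result
-  changed_when: "ufw_result.stdout.startswith('Rule')"
-  with_items:
-    - smtp/tcp
-    - domain
-    - http/tcp
-    - https/tcp
-    - ssh/tcp
-    - ssmtp/tcp
-    - pop3s/tcp
-    - imaps/tcp
-    - 5222/tcp  # xmpp c2s
-    - 5269/tcp  # xmpp s2s
-    - 6697/tcp  # znc
-    - "{{ openvpn_port }}/{{ openvpn_protocol }}"
-    - 60000:61000/udp  # mosh udp packets
+- name: Deny everything and enable UFW
+  ufw: state=enabled policy=deny
 
-- name: Check status of ufw
-  command: ufw status
-  register: ufw_status
-  changed_when: False  # never report as "changed"
+- name: Set firewall rule for DNS
+  ufw: rule=allow port=domain
+
+- name: Set firewall rule for mosh
+  ufw: rule=allow port=60000:61000 proto=udp
+
+- name: Set firewall rules for web traffic and SSH
+  ufw: rule=allow port={{ item }} proto=tcp
+  with_items:
+    - ssh
+    - http
+    - https
 
 - name: Check config of ufw
   command: cat /etc/ufw/ufw.conf
@@ -35,9 +27,5 @@
   changed_when: False  # never report as "changed"
 
 - name: Disable logging (workaround for known bug in Debian 7)
-  command: ufw logging off
+  ufw: logging=off
   when: "ansible_lsb['codename'] == 'wheezy' and 'LOGLEVEL=off' not in ufw_config.stdout"
-
-- name: Enable ufw
-  command: ufw --force enable
-  when: "ufw_status.stdout.startswith('Status: inactive') or 'ENABLED=yes' not in ufw_config.stdout"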
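Review bot: `ufw: state=enabled policy=deny` now runs before any allow rule, whereas the removed `Enable ufw` task ran last; between that task and `Set firewall rules for web traffic and SSH`, new SSH connections to the host are refused, so a failure in the DNS or mosh task in between (or a run without a persistent SSH session) leaves the machine unreachable. Keeping the allow rules first and moving `- name: Deny everything and enable UFW` / `ufw: state=enabled policy=deny` to the end of this file restores the old ordering while keeping the module-based rules. Moving the service ports out of this file into their own roles is otherwise sound: a port is only opened on hosts where the service that listens on it is actually installed.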

+ 6
- 1
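--- a/roles/git/tasks/cgit.yml
+++ b/roles/git/tasks/cgit.yml
@@ -4,6 +4,7 @@
   with_items:
     - groff
     - python-pip
+    - libssl-dev
 
 - name: Install cgit pip dependencies
   pip: name={{ item }}
@@ -38,10 +39,14 @@
             owner=www-data
   notify: restart apache
 
+- name: Enable Apache cgi module
+  command: a2enmod cgi creates=/etc/apache2/mods-enabled/cgi.load
+  notify: restart apache
+
 - name: Enable Apache rewrite module
   command: a2enmod rewrite creates=/etc/apache2/mods-enabled/rewrite.load
   notify: restart apache
 
 - name:  Enable cgit site
   command: a2ensite cgit creates=/etc/apache2/sites-enabled/cgit
-  notify: restart apache
+  notify: restart apache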
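Review bot: `creates=/etc/apache2/mods-enabled/cgi.load` assumes a2enmod enables the module under the name `cgi`; on Debian with a threaded MPM (worker or event) `a2enmod cgi` enables `cgid` instead and writes `cgid.load`, in which case this guard is never satisfied and the task re-runs and re-notifies `restart apache` on every play. Presumably prefork is in use here, but the MPM is not visible in this hunk; a short comment such as `# prefork MPM assumed: a2enmod cgi writes cgi.load, not cgid.load` would record that assumption next to the `creates=` path.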

+ 3
- 0
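--- a/roles/ircbouncer/tasks/znc.yml
+++ b/roles/ircbouncer/tasks/znc.yml
@@ -54,5 +54,8 @@
   template: src=var_lib_znc_configs_znc.conf.j2 dest=/var/lib/znc/configs/znc.conf owner=znc group=znc
   when: znc_config.rc != 0
 
+- name: Set firewall rule for znc
+  ufw: rule=allow port=6697 proto=tcp
+
 - name: Ensure znc is a system service
   service: name=znc state=started enabled=true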
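Review bot: The new rule opens `6697/tcp` as a literal while the ZNC listener configuration on the context line above is rendered from `var_lib_znc_configs_znc.conf.j2`; if the port in that template is driven by a variable, the two can drift and the firewall would expose a port nothing listens on, or block the real one. Declaring the port once in vars/defaults.yml (a `znc_port` variable, not yet defined) and using `ufw: rule=allow port={{ znc_port }} proto=tcp` here ties the firewall rule to the listener.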

+ 6
- 0
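--- a/roles/mailserver/tasks/dovecot.yml
+++ b/roles/mailserver/tasks/dovecot.yml
@@ -48,3 +48,9 @@
   file: state=directory path=/etc/dovecot
         group=dovecot owner=vmail mode=770 recurse=yes
   notify: restart dovecot
+
+- name: Set firewall rules for dovecot
+  ufw: rule=allow port={{ item }} proto=tcp
+  with_items:
+    - pop3s
+    - imaps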

+ 6
- 0
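--- a/roles/mailserver/tasks/postfix.yml
+++ b/roles/mailserver/tasks/postfix.yml
@@ -49,3 +49,9 @@
     - pgsql-virtual-mailbox-maps.cf
     - pgsql-virtual-alias-maps.cf
   notify: restart postfix
+
+- name: Set firewall rules for postfix
+  ufw: rule=allow port={{ item }} proto=tcp
+  with_items:
+    - smtp
+    - ssmtp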

+ 0
- 1
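--- a/roles/mailserver/templates/etc_postfix_main.cf.j2
+++ b/roles/mailserver/templates/etc_postfix_main.cf.j2
@@ -106,7 +106,6 @@ postscreen_dnsbl_sites =
   bl.spamcop.net*2
   dnsbl.sorbs.net*1
   spam.spamrats.com*2
-  dnsbl.ahbl.org*2
 postscreen_dnsbl_threshold = 3
 postscreen_dnsbl_action = enforce
 postscreen_greet_action = enforce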

+ 5
- 0
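--- /dev/null
+++ b/roles/newebe/files/newebe.conf
@@ -0,0 +1,5 @@
+[program:newebe]
+autorestart=false
+command=newebe_server.py --configfile=/usr/local/etc/newebe/config.yaml
+redirect_stderr=true
+user=newebe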
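Review bot: `command=newebe_server.py ...` relies on supervisord's PATH to locate the script; supervisor recommends an absolute path for `command`, e.g. `command=<pip-install-prefix>/bin/newebe_server.py --configfile=/usr/local/etc/newebe/config.yaml` once the location the pip task installs to is confirmed. `autorestart=false` also means a crash leaves the service down until the next playbook run; supervisor's default `autorestart=unexpected` restarts it unless it exits with an expected code, which is the usual choice for a long-running daemon.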

+ 7
- 0
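--- /dev/null
+++ b/roles/newebe/files/supervisor.conf
@@ -0,0 +1,7 @@
+; supervisor config file
+
+[supervisord]
+nodaemon=true
+
+[include]
+files = /etc/supervisor/conf.d/*.conf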
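Review bot: This file is copied to `/etc/supervisor/supervisor.conf` by the `Set Newebe Supervisor config file` task in roles/newebe/tasks/main.yml, but the Debian supervisor package reads `/etc/supervisor/supervisord.conf`, so as far as I can tell it is never loaded; the `[include]` of `/etc/supervisor/conf.d/*.conf` it declares is also what the packaged default config already does. If it were installed under the real name, `nodaemon=true` would keep supervisord in the foreground and break the init script. Dropping this file and its copy task, and relying on the packaged config plus `conf.d/newebe.conf`, is the simplest fix.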

+ 0
- 0
roles/newebe/handlers/main.yml Dosyayı Görüntüle


+ 84
- 0
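--- /dev/null
+++ b/roles/newebe/tasks/main.yml
@@ -0,0 +1,84 @@
+- name: Install Python
+  apt: pkg=python,python-setuptools,python-pip,python-dev
+
+- name: Install Python tools
+  apt: pkg=python-imaging,python-pycurl
+
+- name: Install build tools
+  apt: pkg=build-essential,git
+
+- name: Install Python libs
+  apt: pkg=libxml2-dev,libxslt-dev,python-imaging
+
+- name: Install Supervisor
+  apt: pkg=supervisor
+
+- name: Install CouchDB
+  apt: pkg=couchdb
+
+- name: Install Newebe
+  pip: name='git+https://github.com/gelnior/newebe.git#egg=newebe'
+
+- name: Add group Newebe
+  group: name=newebe
+
+- name: Add user Newebe
+  user: name=newebe shell=/bin/bash groups=newebe
+
+- name: Create Newebe Config folder
+  file: path=/usr/local/etc/newebe/
+        owner=newebe
+        group=newebe
+        state=directory
+
+- name: Create Newebe folder
+  file: path=/usr/local/var/newebe/
+        owner=newebe
+        group=newebe
+        state=directory
+
+- name: Create Newebe log folder
+  file: path=/usr/local/var/log/newebe/
+        owner=newebe
+        group=newebe
+        state=directory
+
+- name: Set Newebe config file
+  template: src=usr_local_etc_newebe_config.j2
+            dest=/usr/local/etc/newebe/config.yaml
+            owner=newebe
+            group=newebe
+
+- name: Set Supervisor config file
+  copy: src=newebe.conf dest=/etc/supervisor/conf.d/newebe.conf
+
+- name: Set Newebe Supervisor config file
+  copy: src=supervisor.conf dest=/etc/supervisor/supervisor.conf
+
+- name: Reload Supervisor and start Newebe
+  command: /usr/bin/supervisorctl update
+
+- name: Ensure that newebe is started
+  supervisorctl: name=newebe state=started
+
+- name: Add mod_proxy module to Apache
+  raw: a2enmod proxy
+# When Ansible 1.6 will be available
+# apache2_module: state=present name=proxy
+
+- name: Add proxy_http module to Apache
+  raw: a2enmod proxy_http
+# When Ansible 1.6 will be available
+# apache2_module: state=present name=proxy_http
+#
+- name: Configure the Apache HTTP server for Newebe
+  template: src=etc_apache2_sites-available_newebe.j2
+            dest=/etc/apache2/sites-available/newebe
+            group=www-data
+            owner=www-data
+  notify: restart apache
+
+- name: Enable the site
+  command: a2ensite newebe
+           creates=/etc/apache2/sites-enabled/newebe
+  notify: restart apache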
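Review bot: The `raw: a2enmod proxy` and `raw: a2enmod proxy_http` tasks are not idempotent and do not notify `restart apache`, while the comments under them wait for Ansible 1.6, which this same commit makes the minimum in README.textile; `apache2_module: state=present name=proxy` (and `name=proxy_http`) with `notify: restart apache` can replace them now, matching the `creates=`-guarded style used in roles/git/tasks/cgit.yml. Separately, `pip: name='git+https://github.com/gelnior/newebe.git#egg=newebe'` installs whatever the repository's default branch holds at run time; pinning with `git+https://github.com/gelnior/newebe.git@<tag-or-commit>#egg=newebe` makes the deployment reproducible and keeps an upstream change from landing on the server unreviewed. The `Add user Newebe` task also gives the service account `shell=/bin/bash`; supervisor runs the program as that user without needing a login shell, so `shell=/usr/sbin/nologin` is the safer default.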

+ 27
- 0
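--- /dev/null
+++ b/roles/newebe/templates/etc_apache2_sites-available_newebe.j2
@@ -0,0 +1,27 @@
+<VirtualHost *:80>
+    ServerName {{ newebe_domain }}
+
+    Redirect permanent / https://{{ newebe_domain }}/
+</VirtualHost>
+
+<VirtualHost *:443>
+
+    ServerName {{ newebe_domain }}
+    SSLEngine On
+
+    SSLProtocol ALL -SSLv2
+    SSLHonorCipherOrder On
+    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
+    SSLCertificateFile /etc/ssl/certs/wildcard_public_cert.crt
+    SSLCertificateKeyFile /etc/ssl/private/wildcard_private.key
+    SSLCACertificateFile /etc/ssl/certs/wildcard_ca.pem
+    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+
+    ErrorLog /var/log/apache2/newebe.info-error_log
+    CustomLog /var/log/apache2/newebe.info-access_log common
+
+
+    ProxyPass / http://127.0.0.1:8282/
+    ProxyPassReverse / http://127.0.0.1:8282/
+
+</VirtualHost>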
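Review bot: `SSLProtocol ALL -SSLv2` still permits SSLv3 on the HTTPS listener; `SSLProtocol all -SSLv2 -SSLv3` restricts it to TLS, and the `ECDH+3DES`, `DH+3DES` and `RSA+3DES` entries in `SSLCipherSuite` can be dropped at the same time since every client that needs this vhost supports the AES suites listed before them. The log paths `newebe.info-error_log` and `newebe.info-access_log` hard-code a domain while `ServerName` is rendered from `{{ newebe_domain }}`; `ErrorLog /var/log/apache2/{{ newebe_domain }}-error_log` (and the matching `CustomLog`) keeps them consistent. `Header add Strict-Transport-Security` requires mod_headers, which roles/newebe/tasks/main.yml does not enable; presumably another role does, but that is not visible here.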

+ 7
- 0
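--- /dev/null
+++ b/roles/newebe/templates/usr_local_etc_newebe_config.j2
@@ -0,0 +1,7 @@
+main:
+    port: 8282
+    debug: False
+    ssl: False
+    path: "/usr/local/var/newebe/"
+    logpath: "/usr/local/var/log/newebe"
+    timezone: {{ zpush_timezone }}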
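Review bot: `timezone: {{ zpush_timezone }}` substitutes an unquoted scalar into YAML, so an empty value renders as `null` and a value containing `: ` or ` #` breaks the parse; `timezone: "{{ zpush_timezone }}"` is the safe form for any templated scalar. Reusing the z-push role's `zpush_timezone` also couples this role to that one; a `newebe_timezone` variable in vars/defaults.yml (not yet defined) defaulting to the same value would make the dependency explicit. `debug: False` and `ssl: False` parse as booleans under YAML 1.1 loaders such as PyYAML, which is presumably what newebe uses, but the canonical `false` avoids relying on that.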

+ 1
- 1
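--- a/roles/tarsnap/files/tarsnap.sh
+++ b/roles/tarsnap/files/tarsnap.sh
@@ -25,7 +25,7 @@ MONTHLY_DAY=01
 TARSNAP="/usr/local/bin/tarsnap"
 
 # Extra flags to pass to tarsnap
-EXTRA_FLAGS="-C /"
+EXTRA_FLAGS="-L -C /"
 
 # end of config
 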
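Review bot: `-L` makes tarsnap follow every symbolic link it meets, so link targets are archived as regular files: a directory reachable through a link is stored once per path, a link pointing outside the backed-up tree pulls that data in, and a restore recreates copies instead of links. If the intent is only to archive the targets of the paths given on the command line, `-H` does that without dereferencing links inside the tree. Either way the comment above the line should say why the flag is there, e.g. `# -L: follow symlinks so the backup captures the files they point at, not the links`.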

+ 16
- 0
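--- a/roles/tarsnap/tasks/tarsnap.yml
+++ b/roles/tarsnap/tasks/tarsnap.yml
@@ -1,4 +1,11 @@
+- name: Check if tarsnap {{ tarsnap_version }} is installed
+  shell: tarsnap --version | grep {{ tarsnap_version }} --color=never
+  register: tarnsap_installed
+  changed_when: "tarnsap_installed.stderr != ''"
+  ignore_errors: yes
+
 - name: Install dependencies for Tarsnap
+  when: tarnsap_installed|failed
   apt: pkg={{ item }} state=installed
   with_items:
     - libssl-dev
@@ -6,45 +13,54 @@
     - e2fslibs-dev
 
 - name: Download the current tarsnap code signing key
+  when: tarnsap_installed|failed
   get_url:
     url=https://www.tarsnap.com/tarsnap-signing-key.asc
     dest=/root/tarsnap-signing-key.asc
 
 - name: Add the tarsnap code signing key to your list of keys
+  when: tarnsap_installed|failed
   command:
     gpg --import tarsnap-signing-key.asc
     chdir=/root/
 
 - name: Download tarsnap SHA file
+  when: tarnsap_installed|failed
   get_url:
     url="https://www.tarsnap.com/download/tarsnap-sigs-{{ tarsnap_version }}.asc"
     dest="/root/tarsnap-sigs-{{ tarsnap_version }}.asc"
 
 - name: Make the command that gets the current sha
+  when: tarnsap_installed|failed
   template:
     src=getSha.sh
     dest=/root/getSha.sh
     mode=0755
 
 - name: get the SHA256sum for this tarsnap release
+  when: tarnsap_installed|failed
   command:
     ./getSha.sh
     chdir=/root
   register: tarsnap_sha
 
 - name: Download Tarsnap source
+  when: tarnsap_installed|failed
   get_url:
     url="https://www.tarsnap.com/download/tarsnap-autoconf-{{ tarsnap_version }}.tgz"
     dest="/root/tarsnap-autoconf-{{ tarsnap_version }}.tgz"
     sha256sum={{ tarsnap_sha.stdout_lines[0] }}
 
 - name: Decompress Tarsnap source
+  when: tarnsap_installed|failed
   command: tar xzf /root/tarsnap-autoconf-{{ tarsnap_version }}.tgz chdir=/root creates=/root/tarsnap-autoconf-{{ tarsnap_version }}/COPYING
 
 - name: Configure Tarsnap for local build
+  when: tarnsap_installed|failed
   command: ./configure chdir=/root/tarsnap-autoconf-{{ tarsnap_version }} creates=/root/tarsnap-autoconf-{{ tarsnap_version }}/Makefile
 
 - name: Build and install Tarsnap
+  when: tarnsap_installed|failed
   command: make all install clean chdir=/root/tarsnap-autoconf-{{ tarsnap_version }} creates=/usr/local/bin/tarsnap
 
 - name: Copy Tarsnap key file into place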
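Review bot: The new `when: tarnsap_installed|failed` gating is meant to rebuild when the installed tarsnap does not match `{{ tarsnap_version }}`, but `Build and install Tarsnap` keeps `creates=/usr/local/bin/tarsnap`, which already exists on a host running an older release, so the upgrade is skipped there even though the check said it was needed; dropping that `creates=` (the versioned `COPYING` and `Makefile` guards on the two preceding tasks keep the build idempotent) or pointing it at a versioned marker fixes the upgrade path. In the check task, `grep {{ tarsnap_version }}` is an unanchored regex in which `.` matches any character, so `grep -F {{ tarsnap_version }}` is the tighter match, and `ignore_errors: yes` should be `true`. The registered name `tarnsap_installed` is misspelled consistently across both hunks, which works but will trip the next reader; `tarsnap_installed` throughout is the obvious rename. The `Copy Tarsnap key file into place` task at the end of the second hunk continues outside it.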

+ 3
- 0
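--- a/roles/vpn/tasks/openvpn.yml
+++ b/roles/vpn/tasks/openvpn.yml
@@ -131,6 +131,9 @@
     - iptables -A FORWARD -j REJECT
     - iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
 
+- name: Allow OpenVPN through ufw
+  ufw: rule=allow port={{ openvpn_port }} proto={{ openvpn_protocol }}
+
 - name: Copy OpenVPN configuration file into place
   template: src=etc_openvpn_server.conf.j2 dest=/etc/openvpn/server.conf
   notify: restart openvpn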

+ 6
- 0
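--- a/roles/xmpp/tasks/prosody.yml
+++ b/roles/xmpp/tasks/prosody.yml
@@ -20,3 +20,9 @@
 - name: Create Prosody accounts
   command: prosodyctl register {{ item.name }} {{ prosody_virtual_domain }} "{{ item.password }}"
   with_items: prosody_accounts
+
+- name: Set firewall rules for Prosody
+  ufw: rule=allow port={{ item }} proto=tcp
+  with_items:
+    - 5222  # xmpp c2s
+    - 5269  # xmpp s2s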

+ 1
- 0
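--- a/site.yml
+++ b/site.yml
@@ -22,4 +22,5 @@
     - tarsnap
     - news
     - git
+    - newebe
     - readlater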

+ 3
- 0
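--- a/vars/defaults.yml
+++ b/vars/defaults.yml
@@ -106,6 +106,9 @@ cgit_version: 0.10.1
 cgit_domain: "git.{{ domain }}"
 gitolite_version: 3.5.3.1
 
+# newebe
+newebe_domain: "newebe.{{ domain }}"
+
 # wallabag
 wallabag_version: 1.6.1b
 wallabag_domain: "read.{{ domain }}"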
