Thomas Buck 3 years ago
parent
revision
c95b10aad9

+ 2
- 1
README.md

@@ -104,6 +104,7 @@ Create `A` and `AAAA` or `CNAME` records which point to your server's IP address
104 104
 * `iot.example.com` (for grafana)
105 105
 * `wiki.example.com` (for dokuwiki)
106 106
 * `jitsi.example.com` (for jitsi)
107
+* `kanboard.example.com` (for kanboard)
107 108
 
108 109
 #### Run the Ansible Playbooks
109 110
 
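Review bot: the DNS record list now covers `kanboard.example.com`, but the `letsencrypt-gencert` change in this same commit also adds `chat` to the subdomain list, and there is no matching `chat.example.com` entry here; either add that line (with the role it belongs to) or drop `chat` from the script, so the README and the certificate's SAN list stay in step.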
@@ -154,6 +155,6 @@ To access the gitea admin CLI, execute it like this:
154 155
 
155 156
 To re-new the LetsEncrypt certificates, for example after adding a new role that needs another subdomain, call:
156 157
 
157
-    sudo certbot -c /etc/letsencrypt/cli.conf --cert-name DOMAIN
158
+    sudo certbot delete -c /etc/letsencrypt/cli.conf --cert-name DOMAIN
158 159
 
159 160
 Then re-run the whole sovereign playbook, or at least the letsencrypt part of it.
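Review bot: the command fix is right (the old line had no certbot subcommand at all), but the sentence two lines above still says "re-new", which misdescribes a command that deletes the certificate lineage; reword it to something like "To reissue the LetsEncrypt certificates ..., delete the existing certificate and re-run the playbook", and say plainly that the host has no certificate for that name between the `certbot delete` and the playbook finishing, so the two steps should be run back to back.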

+ 1
- 1
roles/dokuwiki/tasks/dokuwiki.yml

@@ -26,7 +26,7 @@
26 26
 - name: Copy DokuWiki to web server directory
27 27
   shell: cp -R /root/dokuwiki/dokuwiki-release_{{ dokuwiki_version }}/. /var/www/dokuwiki/
28 28
 
29
-- name: Copy DokuWiki initial data to out data directory
29
+- name: Copy DokuWiki initial data to our data directory
30 30
   shell: cp -R /var/www/dokuwiki/data/. /data/dokuwiki/
31 31
 
32 32
 - name: Ensure proper DokuWiki data directory permissions

+ 9
- 0
roles/kanboard/DESIGN.md

@@ -0,0 +1,9 @@
1
+# Design Description for Kanboard Role
2
+
3
+This role installs Kanboard using the official release packages.
4
+
5
+https://docs.kanboard.org/en/latest/admin_guide/requirements.html
6
+https://docs.kanboard.org/en/latest/admin_guide/installation.html
7
+https://docs.kanboard.org/en/latest/admin_guide/debian_installation.html
8
+https://docs.kanboard.org/en/latest/admin_guide/config_file.html
9
+https://docs.kanboard.org/en/latest/admin_guide/cronjob.html
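Review bot: the description says the role installs Kanboard "using the official release packages", but `roles/kanboard/defaults/main.yml` in this commit points `kanboard_release` at a GitHub tag archive (`archive/refs/tags/v...tar.gz`), which is a source snapshot of the tag rather than a packaged release; state which one it is. The note would also be more useful with a sentence each on the Postgres user and database the tasks file creates, the nightly `cli cronjob` entry, and the fact that Kanboard's data directory lives inside the document root at `/var/www/kanboard/data` (unlike the dokuwiki role, which keeps its data under `/data`), since those are the parts an operator needs to know about when backing up or upgrading.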

+ 13
- 0
roles/kanboard/defaults/main.yml

@@ -0,0 +1,13 @@
1
+kanboard_subdomain: "kanboard"
2
+kanboard_domain: "{{ kanboard_subdomain }}.{{ domain }}"
3
+
4
+kanboard_version: "1.2.20"
5
+kanboard_release: "https://github.com/kanboard/kanboard/archive/refs/tags/v{{ kanboard_version }}.tar.gz"
6
+
7
+kanboard_db_username: kanboarduser
8
+kanboard_db_password: "{{ lookup('password', secret + '/' + 'kanboard_db_password length=32') }}"
9
+kanboard_db_database: kanboard
10
+
11
+# must match values in roles/common
12
+db_admin_username: 'postgres'
13
+db_admin_password: "{{ lookup('password', secret + '/' + 'db_admin_password length=32') }}"
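Review bot: the archive named by `kanboard_release` is downloaded without any integrity check, so a substituted tarball would be unpacked straight into the document root; record the SHA-256 of the pinned `kanboard_version` here (for example as a `kanboard_release_checksum` variable, name chosen for illustration) and pass it to `get_url`'s `checksum:` parameter in the tasks file as `sha256:<digest>`, so a mismatch fails the play. Separately, `db_admin_username` and `db_admin_password` are restated here with a "must match values in roles/common" comment; drift between the two copies only shows up as a failed `postgresql_user` task, so consider defining them once (group_vars or the common role's defaults) instead of duplicating them per role.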

+ 2
- 0
roles/kanboard/handlers/main.yml

@@ -0,0 +1,2 @@
1
+- name: restart apache
2
+  service: name=apache2 state=restarted

+ 92
- 0
roles/kanboard/tasks/kanboard.yml

@@ -0,0 +1,92 @@
1
+- name: Install kanboard dependencies
2
+  apt:
3
+    name: "{{ packages }}"
4
+    state: present
5
+    update_cache: yes
6
+  vars:
7
+    packages:
8
+    - php-cli
9
+    - php-mbstring
10
+    - php-sqlite3
11
+    - php-opcache
12
+    - php-json
13
+    - php-ldap
14
+    - php-gd
15
+    - php-xml
16
+    - php-mysql
17
+    - php-pgsql
18
+    - php-curl
19
+    - php-zip
20
+  tags:
21
+    - dependencies
22
+
23
+- name: Create temporary kanboard directory
24
+  file: state=directory path=/root/kanboard
25
+
26
+- name: Download kanboard {{ kanboard_version }} release
27
+  get_url:
28
+    url="{{ kanboard_release }}"
29
+    dest=/root/kanboard/kanboard-{{ kanboard_version }}.tar.gz
30
+
31
+- name: Unpack kanboard {{ kanboard_version }} source
32
+  shell: tar xzvf /root/kanboard/kanboard-{{ kanboard_version }}.tar.gz
33
+  args:
34
+    chdir: /root/kanboard
35
+    creates: /root/kanboard/kanboard-{{ kanboard_version }}
36
+
37
+- name: Copy kanboard to web server directory
38
+  shell: cp -R /root/kanboard/kanboard-{{ kanboard_version }}/. /var/www/kanboard/
39
+
40
+- name: Add kanboard postgres user
41
+  postgresql_user:
42
+    login_host=localhost
43
+    login_user={{ db_admin_username }}
44
+    login_password="{{ db_admin_password }}"
45
+    name={{ kanboard_db_username }}
46
+    password="{{ kanboard_db_password }}"
47
+    encrypted=yes
48
+    state=present
49
+
50
+- name: Create kanboard database
51
+  postgresql_db:
52
+    login_host=localhost
53
+    login_user={{ db_admin_username }}
54
+    login_password="{{ db_admin_password }}"
55
+    name={{ kanboard_db_database }}
56
+    state=present
57
+    owner={{ kanboard_db_username }}
58
+
59
+- name: Copy kanboard config file
60
+  template:
61
+    src=var_www_kanboard_config.j2
62
+    dest=/var/www/kanboard/config.php
63
+    owner=root
64
+    group=root
65
+
66
+- name: Ensure proper directory rights for kanboard data
67
+  shell: chown -R www-data:www-data /var/www/kanboard/data
68
+
69
+- name: Ensure proper directory rights for kanboard plugins
70
+  shell: chown -R www-data:www-data /var/www/kanboard/plugins
71
+
72
+- name: Enable kanboard cron job
73
+  cron:
74
+    name: "kanboard"
75
+    minute: "0"
76
+    hour: "2"
77
+    user: www-data
78
+    job: "cd /var/www/kanboard && ./cli cronjob >/dev/null 2>&1"
79
+
80
+- name: Create the Apache kanboard sites config files
81
+  template:
82
+    src=etc_apache2_sites-available_kanboard.j2
83
+    dest=/etc/apache2/sites-available/kanboard_{{ item.name }}.conf
84
+    owner=root
85
+    group=root
86
+  notify: restart apache
87
+  with_items: "{{ virtual_domains }}"
88
+
89
+- name: Enable Apache sites (creates new sites-enabled symlinks)
90
+  command: a2ensite kanboard_{{ item }}.conf creates=/etc/apache2/sites-enabled/kanboard_{{ item }}.conf
91
+  notify: restart apache
92
+  with_items: "{{ virtual_domains | json_query('[*].name') }}"
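Review bot: the "Copy kanboard config file" task writes `config.php`, which renders `DB_PASSWORD` in clear text, with `owner=root group=root` and no `mode=`, so the file gets the umask default (normally 0644, world-readable on a shared host); set `group=www-data mode=0640` so that only root and the web server user can read it. Two smaller points in the same hunk: the `get_url` task has no `checksum:` argument, so the downloaded archive is trusted as-is; and the `shell: cp -R` copy step re-runs and reports changed on every play, so a `creates:` argument (or the `copy` module with `remote_src: yes`) would make it idempotent like the unpack task just above it.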

+ 2
- 0
roles/kanboard/tasks/main.yml

@@ -0,0 +1,2 @@
1
+---
2
+- include: kanboard.yml tags=kanboard
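Review bot: `- include: kanboard.yml tags=kanboard` uses the legacy `include` action with inline `key=value` arguments, which newer Ansible releases deprecate in favour of `import_tasks`/`include_tasks`; unless the other roles in this playbook still use the old form and consistency is preferred, a new role is the cheapest place to switch to `import_tasks: kanboard.yml` with a `tags:` list.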

+ 33
- 0
roles/kanboard/templates/etc_apache2_sites-available_kanboard.j2

@@ -0,0 +1,33 @@
1
+<VirtualHost *:80>
2
+    ServerName {{ kanboard_subdomain }}.{{ item.name }}
3
+
4
+    Redirect temp / https://{{ kanboard_subdomain }}.{{ item.name }}/
5
+</VirtualHost>
6
+
7
+<VirtualHost *:443>
8
+    ServerName {{ kanboard_subdomain }}.{{ item.name }}
9
+
10
+    SSLEngine               On
11
+    DocumentRoot            "/var/www/kanboard"
12
+    DirectoryIndex          index.php
13
+    HostnameLookups         Off
14
+    LogLevel                warn
15
+    ErrorLog                /var/log/apache2/kanboard.info-error_log
16
+    CustomLog               /var/log/apache2/kanboard.info-access_log common
17
+
18
+    <Directory /var/www/kanboard>
19
+        Options -Indexes
20
+        AllowOverride All
21
+        Order allow,deny
22
+        Allow from all
23
+        Require all granted
24
+        DirectoryIndex index.php
25
+    </Directory>
26
+
27
+    <Directory /var/www/kanboard/data>
28
+        Options -Indexes
29
+        AllowOverride All
30
+        Order allow,deny
31
+        Allow from all
32
+    </Directory>
33
+</VirtualHost>
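Review bot: the `<Directory /var/www/kanboard/data>` block has no `Require` directive, only `Options -Indexes` and the Apache 2.2-style `Order allow,deny` / `Allow from all`, so on Apache 2.4 access to that directory is decided by whatever `.htaccess` Kanboard ships there (permitted by `AllowOverride All`) rather than by this vhost; since `data` holds uploaded files and, per the config template, `debug.log`, make the intent explicit with `Require all denied` and drop the `Order`/`Allow` lines from both `<Directory>` blocks (the first block already carries `Require all granted`, and mixing the two access-control styles is confusing at best). Minor: the `ErrorLog`/`CustomLog` paths are hard-coded to `kanboard.info-*` while `ServerName` is templated from `item.name`; template the log names the same way.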

+ 275
- 0
roles/kanboard/templates/var_www_kanboard_config.j2

@@ -0,0 +1,275 @@
1
+<?php
2
+
3
+/*******************************************************************/
4
+/* Rename this file to config.php if you want to change the values */
5
+/*                                                                 */
6
+/* Make sure all paths are absolute by using __DIR__ where needed  */
7
+/*******************************************************************/
8
+
9
+// Data folder (must be writeable by the web server user and absolute)
10
+define('DATA_DIR', __DIR__.DIRECTORY_SEPARATOR.'data');
11
+
12
+// Enable/Disable debug
13
+define('DEBUG', false);
14
+
15
+// Available log drivers: syslog, stderr, stdout, system or file
16
+define('LOG_DRIVER', 'system');
17
+
18
+// Log filename if the log driver is "file"
19
+define('LOG_FILE', DATA_DIR.DIRECTORY_SEPARATOR.'debug.log');
20
+
21
+// Plugins directory
22
+define('PLUGINS_DIR', __DIR__.DIRECTORY_SEPARATOR.'plugins');
23
+
24
+// Plugins directory URL
25
+define('PLUGIN_API_URL', 'https://kanboard.org/plugins.json');
26
+
27
+// Enable/Disable plugin installer (Disabled by default for security reasons)
28
+// There is no code review or any approval process to submit a plugin.
29
+// This is up to the Kanboard instance owner to validate if a plugin is legit.
30
+define('PLUGIN_INSTALLER', true);
31
+
32
+// Available cache drivers are "file" and "memory"
33
+define('CACHE_DRIVER', 'memory');
34
+
35
+// Cache folder to use if cache driver is "file" (must be writeable by the web server user)
36
+define('CACHE_DIR', DATA_DIR.DIRECTORY_SEPARATOR.'cache');
37
+
38
+// Folder for uploaded files (must be writeable by the web server user)
39
+define('FILES_DIR', DATA_DIR.DIRECTORY_SEPARATOR.'files');
40
+
41
+// Enable/disable email configuration from the user interface
42
+define('MAIL_CONFIGURATION', true);
43
+
44
+// E-mail address used for the "From" header (notifications)
45
+define('MAIL_FROM', 'kanboard@{{ domain }}');
46
+
47
+// E-mail address used for the "Bcc" header to send a copy of all notifications
48
+define('MAIL_BCC', '');
49
+
50
+// Mail transport available: "smtp", "sendmail", "mail" (PHP mail function), "postmark", "mailgun", "sendgrid"
51
+define('MAIL_TRANSPORT', 'mail');
52
+
53
+// SMTP configuration to use when the "smtp" transport is chosen
54
+define('MAIL_SMTP_HOSTNAME', '');
55
+define('MAIL_SMTP_PORT', 25);
56
+define('MAIL_SMTP_USERNAME', '');
57
+define('MAIL_SMTP_PASSWORD', '');
58
+define('MAIL_SMTP_HELO_NAME', null); // valid: null (default), or FQDN
59
+define('MAIL_SMTP_ENCRYPTION', null); // Valid values are null (not a string "null"), "ssl" or "tls"
60
+
61
+// Sendmail command to use when the transport is "sendmail"
62
+define('MAIL_SENDMAIL_COMMAND', '/usr/sbin/sendmail -bs');
63
+
64
+// Run automatically database migrations
65
+// If set to false, you will have to run manually the SQL migrations from the CLI during the next Kanboard upgrade
66
+// Do not run the migrations from multiple processes at the same time (example: web page + background worker)
67
+define('DB_RUN_MIGRATIONS', true);
68
+
69
+// Database driver: sqlite, mysql or postgres (sqlite by default)
70
+define('DB_DRIVER', 'postgres');
71
+
72
+// Mysql/Postgres username
73
+define('DB_USERNAME', '{{ kanboard_db_username }}');
74
+
75
+// Mysql/Postgres password
76
+define('DB_PASSWORD', '{{ kanboard_db_password }}');
77
+
78
+// Mysql/Postgres hostname
79
+define('DB_HOSTNAME', 'localhost');
80
+
81
+// Mysql/Postgres database name
82
+define('DB_NAME', '{{ kanboard_db_database }}');
83
+
84
+// Mysql/Postgres custom port (null = default port)
85
+define('DB_PORT', null);
86
+
87
+// Mysql SSL key
88
+define('DB_SSL_KEY', null);
89
+
90
+// Mysql SSL certificate
91
+define('DB_SSL_CERT', null);
92
+
93
+// Mysql SSL CA
94
+define('DB_SSL_CA', null);
95
+
96
+// Mysql SSL server verification, set to false if you don't want the Mysql driver to validate the certificate CN
97
+define('DB_VERIFY_SERVER_CERT', null);
98
+
99
+// Timeout value for PDO attribute
100
+define('DB_TIMEOUT', null);
101
+
102
+// Enable LDAP authentication (false by default)
103
+define('LDAP_AUTH', false);
104
+
105
+// LDAP server protocol, hostname and port URL (ldap[s]://hostname:port)
106
+define('LDAP_SERVER', '');
107
+
108
+// By default, require certificate to be verified for ldaps:// style URL. Set to false to skip the verification
109
+define('LDAP_SSL_VERIFY', true);
110
+
111
+// Enable LDAP START_TLS
112
+define('LDAP_START_TLS', false);
113
+
114
+// By default Kanboard lowercase the ldap username to avoid duplicate users (the database is case sensitive)
115
+// Set to true if you want to preserve the case
116
+define('LDAP_USERNAME_CASE_SENSITIVE', false);
117
+
118
+// LDAP bind type: "anonymous", "user" or "proxy"
119
+define('LDAP_BIND_TYPE', 'anonymous');
120
+
121
+// LDAP username to use with proxy mode
122
+// LDAP username pattern to use with user mode
123
+define('LDAP_USERNAME', null);
124
+
125
+// LDAP password to use for proxy mode
126
+define('LDAP_PASSWORD', null);
127
+
128
+// LDAP DN for users
129
+// Example for ActiveDirectory: CN=Users,DC=kanboard,DC=local
130
+// Example for OpenLDAP: ou=People,dc=example,dc=com
131
+define('LDAP_USER_BASE_DN', '');
132
+
133
+// LDAP pattern to use when searching for a user account
134
+// Example for ActiveDirectory: '(&(objectClass=user)(sAMAccountName=%s))'
135
+// Example for OpenLDAP: 'uid=%s'
136
+define('LDAP_USER_FILTER', '');
137
+
138
+// LDAP attribute for username
139
+// Example for ActiveDirectory: 'sAMAccountName'
140
+// Example for OpenLDAP: 'uid'
141
+define('LDAP_USER_ATTRIBUTE_USERNAME', 'uid');
142
+
143
+// LDAP attribute for user full name
144
+// Example for ActiveDirectory: 'displayname'
145
+// Example for OpenLDAP: 'cn'
146
+define('LDAP_USER_ATTRIBUTE_FULLNAME', 'cn');
147
+
148
+// LDAP attribute for user email
149
+define('LDAP_USER_ATTRIBUTE_EMAIL', 'mail');
150
+
151
+// LDAP attribute to find groups in user profile
152
+define('LDAP_USER_ATTRIBUTE_GROUPS', 'memberof');
153
+
154
+// LDAP attribute for user avatar image: thumbnailPhoto or jpegPhoto
155
+define('LDAP_USER_ATTRIBUTE_PHOTO', '');
156
+
157
+// LDAP attribute for user language, example: 'preferredlanguage'
158
+// Put an empty string to disable language sync
159
+define('LDAP_USER_ATTRIBUTE_LANGUAGE', '');
160
+
161
+// Allow automatic LDAP user creation
162
+define('LDAP_USER_CREATION', true);
163
+
164
+// Set new user as Manager
165
+define('LDAP_USER_DEFAULT_ROLE_MANAGER', false);
166
+
167
+// LDAP DN for administrators
168
+// Example: CN=Kanboard-Admins,CN=Users,DC=kanboard,DC=local
169
+define('LDAP_GROUP_ADMIN_DN', '');
170
+
171
+// LDAP DN for managers
172
+// Example: CN=Kanboard Managers,CN=Users,DC=kanboard,DC=local
173
+define('LDAP_GROUP_MANAGER_DN', '');
174
+
175
+// Enable LDAP group provider for project permissions
176
+// The end-user will be able to browse LDAP groups from the user interface and allow access to specified projects
177
+define('LDAP_GROUP_PROVIDER', false);
178
+
179
+// LDAP Base DN for groups
180
+define('LDAP_GROUP_BASE_DN', '');
181
+
182
+// LDAP group filter
183
+// Example for ActiveDirectory: (&(objectClass=group)(sAMAccountName=%s*))
184
+define('LDAP_GROUP_FILTER', '');
185
+
186
+// LDAP user group filter
187
+// If this filter is configured, Kanboard will search user groups in LDAP_GROUP_BASE_DN with this filter
188
+// Example for OpenLDAP: (&(objectClass=posixGroup)(memberUid=%s))
189
+define('LDAP_GROUP_USER_FILTER', '');
190
+
191
+// LDAP attribute for the user in the group filter
192
+// 'username' or 'dn'
193
+define('LDAP_GROUP_USER_ATTRIBUTE', 'username');
194
+
195
+// LDAP attribute for the group name
196
+define('LDAP_GROUP_ATTRIBUTE_NAME', 'cn');
197
+
198
+// Enable/disable the reverse proxy authentication
199
+define('REVERSE_PROXY_AUTH', false);
200
+
201
+// Header name to use for the username
202
+define('REVERSE_PROXY_USER_HEADER', 'REMOTE_USER');
203
+
204
+// Username of the admin, by default blank
205
+define('REVERSE_PROXY_DEFAULT_ADMIN', '');
206
+
207
+// Header name to use for the username
208
+define('REVERSE_PROXY_EMAIL_HEADER', 'REMOTE_EMAIL');
209
+
210
+// Default domain to use for setting the email address
211
+define('REVERSE_PROXY_DEFAULT_DOMAIN', '');
212
+
213
+// Enable/disable remember me authentication
214
+define('REMEMBER_ME_AUTH', true);
215
+
216
+// Enable or disable "Strict-Transport-Security" HTTP header
217
+define('ENABLE_HSTS', true);
218
+
219
+// Enable or disable "X-Frame-Options: DENY" HTTP header
220
+define('ENABLE_XFRAME', true);
221
+
222
+// Escape html inside markdown text
223
+define('MARKDOWN_ESCAPE_HTML', true);
224
+
225
+// API alternative authentication header, the default is HTTP Basic Authentication defined in RFC2617
226
+define('API_AUTHENTICATION_HEADER', '');
227
+
228
+// Enable/disable url rewrite
229
+define('ENABLE_URL_REWRITE', true);
230
+
231
+// Hide login form, useful if all your users use Google/Github/ReverseProxy authentication
232
+define('HIDE_LOGIN_FORM', false);
233
+
234
+// Disabling logout (useful for external SSO authentication)
235
+define('DISABLE_LOGOUT', false);
236
+
237
+// Enable captcha after 3 authentication failure
238
+define('BRUTEFORCE_CAPTCHA', 3);
239
+
240
+// Lock the account after 6 authentication failure
241
+define('BRUTEFORCE_LOCKDOWN', 6);
242
+
243
+// Lock account duration in minute
244
+define('BRUTEFORCE_LOCKDOWN_DURATION', 15);
245
+
246
+// Session duration in second (0 = until the browser is closed)
247
+// See http://php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime
248
+define('SESSION_DURATION', 0);
249
+
250
+// Session handler: db or php
251
+define('SESSION_HANDLER', 'db');
252
+
253
+// HTTP client proxy
254
+define('HTTP_PROXY_HOSTNAME', '');
255
+define('HTTP_PROXY_PORT', '3128');
256
+define('HTTP_PROXY_USERNAME', '');
257
+define('HTTP_PROXY_PASSWORD', '');
258
+define('HTTP_PROXY_EXCLUDE', 'localhost');
259
+
260
+// Set to false to allow self-signed certificates
261
+define('HTTP_VERIFY_SSL_CERTIFICATE', true);
262
+
263
+// TOTP (2FA) issuer name
264
+define('TOTP_ISSUER', 'Kanboard');
265
+
266
+// Comma separated list of fields to not synchronize when using external authentication providers
267
+define('EXTERNAL_AUTH_EXCLUDE_FIELDS', 'username');
268
+
269
+// Enable or disable displaying group-memberships in userlist (true by default)
270
+define('SHOW_GROUP_MEMBERSHIPS_IN_USERLIST', true);
271
+
272
+// Limit number of groups to display in userlist (The full list of group-memberships is always shown, ...
273
+// ... when hovering the mouse over the group-icon of a given user!)
274
+// If set to 0 ALL group-memberships will be listed (7 by default)
275
+define('SHOW_GROUP_MEMBERSHIPS_IN_USERLIST_WITH_LIMIT', 7);
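Review bot: `PLUGIN_INSTALLER` is set to `true` even though the upstream comment kept directly above it says the installer is disabled by default for security reasons and that nobody reviews submitted plugins; combined with the tasks file chowning `/var/www/kanboard/plugins` to `www-data`, this lets any Kanboard administrator account have the web server download and write executable PHP into the document root. Leave it at `false` and install plugins through the playbook unless the instance genuinely needs self-service plugin installation. Also note that `DB_PASSWORD` is rendered in clear text here, which is why the template task that writes this file should set a restrictive `mode`.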

+ 3
- 5
roles/sslletsencrypt/DESIGN.md

@@ -1,10 +1,8 @@
1
-# Design Description for Common-SSL Role
2
-
3
-## Let's Encrypt Support
1
+# Design Description for SSL Let's Encrypt Role
4 2
 
5 3
 [Let's Encrypt](https://letsencrypt.org) (LE) is an automated certificate authority that provides free SSL certificates that are trusted by all major browsers.  LE certificates are used by Sovereign instead of purchased certificates from authorities like RapidSSL in order to reduce the out-of-pocket cost of deploying Sovereign and avoid end-user problems with self-signed certificates.
6 4
 
7
-### Design approach
5
+# Design approach
8 6
 
9 7
 The Let's Encrypt service uses DNS to look up domains being registered and then contact the client to verify. For this to work, DNS records must be configured before the playbook is run the first time.
10 8
 
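Review bot: the second change in this hunk turns `### Design approach` into `# Design approach`, the same level as the document title on the new line 1, so the file now has two top-level headings; `## Design approach` keeps the section nested under the title, which is what the removed `## Let's Encrypt Support` / `### Design approach` pair expressed before.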
@@ -15,4 +13,4 @@ Several packages need access to the private key. Not all are run as root. An exa
15 13
 Certificate renewal is done automatically using cron. The cron script must be aware of private key copies and update them as well. Services that depend on new keys must also be bounced. It is up to roles that rely on keys to modify the cron script (preferably using `lineinfile` or something similar) to accomplish this.
16 14
 
17 15
 If you changed something that requires new domains or subdomains to be considered when generating the certificates, do not just delete the files in /etc/letsencrypt/live!
18
-Instead, use /root/letsencrypt/letsencrypt-auto delete to remove the old certificates and then re-run the common role in this playbook.
16
+Instead, use 'sudo certbot delete -c /etc/letsencrypt/cli.conf --cert-name DOMAIN' to remove the old certificates and then re-run the sslletsencrypt role in this playbook.
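Review bot: the new instruction wraps the command in straight single quotes ('sudo certbot delete ...'), which Markdown renders as literal quote characters; use backticks so it renders as code, matching the indented command block that this commit updates in README.md. Pointing at the `sslletsencrypt` role instead of `common` is correct for the renamed role.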

+ 1
- 1
roles/sslletsencrypt/files/letsencrypt-gencert

@@ -18,7 +18,7 @@ for domain in "$@"; do
18 18
 
19 19
   # subdomains - www.foo.com mail.foo.com ...
20 20
   # TODO includes servername (eddie / stage)!
21
-  for sub in stage www mail autoconfig stats news cloud git matrix status social comments iot wiki jitsi; do
21
+  for sub in stage www mail autoconfig stats news cloud git matrix status social comments iot wiki jitsi kanboard chat; do
22 22
     # only add if the DNS entry for the subdomain does actually exist
23 23
     if (getent hosts $sub.$domain > /dev/null); then
24 24
       if [ -z "$d" ]; then
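Review bot: `chat` is added to the subdomain list alongside `kanboard`, but nothing else in this commit (the README DNS list, a role, a template) introduces a `chat` subdomain; the `getent hosts` guard below only adds a name when its DNS record exists, so it is harmless today, but an undocumented name in this list is easy to forget, and every name that does make it into the certificate is published in Certificate Transparency logs, so either document `chat` or leave it out until its role lands. The `# TODO includes servername` comment above the list is also still open.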
