README.md

 Ubuntu is no longer supported, simply because I just use Debian.
 
 I also added the ability for full-fledged user-management using OpenLDAP and FusionDirectory.
+It automatically creates E-Mail inboxes for LDAP users, as well as allowing login using LDAP credentials on most roles / services.
 This is optional, however.
 You can also use statically configured credentials, which is enough for single-user setups.
 
 
 Download this repository somewhere on your machine, either through `Clone or Download > Download ZIP` above, `wget`, or `git` as below.
 Also install the dependencies for password generation as well as ansible itself.
-    
+
     git clone https://github.com/xythobuz/sovereign.git
     cd sovereign
     sudo pip install -r ./requirements.txt
 To run the whole thing:
 
     ansible-playbook -i ./hosts --ask-sudo-pass --key-file KEY site.yml
-    
+
 If you chose to make a passwordless sudo deploy user, you can omit the `--ask-sudo-pass` argument.
 If you don't need to specify an ssh key to connect to the host, leave out `--key-file KEY` part, otherwise replace `KEY` with the path to the key you want to use.
 Append eg. `-l testing` to only run for the hosts in the testing group.

TODO.md

+# TODOs
+
+* Add apache2 access and error logs for installed servers to logrotate
+
+* Crawlers create large archives in gitea for repos.
+  These can be deleted in the gitea admin interface.
+  Add automated task to delete these (if required)?
+  https://github.com/go-gitea/gitea/issues/5292#issuecomment-769264637

roles/backup/tasks/main.yml

-- include: backup.yml tags=backup
+- include_tasks: backup.yml

roles/blog/tasks/main.yml

-- include: blog.yml tags=blog
-- include: fathom.yml tags=blog
-- include: commento.yml tags=blog
+- include_tasks: blog.yml
+- include_tasks: fathom.yml
+- include_tasks: commento.yml

roles/common/tasks/main.yml

 ---
 
-- include: basics.yml tags=basics
-- include: users.yml tags=users
-- include: apache.yml tags=apache
-- include: ufw.yml tags=ufw
-- include: security.yml tags=security
-- include: ntp.yml tags=ntp
-- include: postgres.yml
-- include: swap.yml
+- include_tasks: basics.yml
+- include_tasks: users.yml
+- include_tasks: apache.yml
+- include_tasks: ufw.yml
+- include_tasks: security.yml
+- include_tasks: ntp.yml
+- include_tasks: postgres.yml
+- include_tasks: swap.yml

roles/dokuwiki/tasks/main.yml

-- include: dokuwiki.yml tags=dokuwiki
+- include_tasks: dokuwiki.yml

roles/gitea/defaults/main.yml

 gitea_admin_username: "{{ main_user_name }}"
 gitea_admin_password: "{{ lookup('password', secret + '/' + 'gitea_admin_password length=32') }}"
 
+gitea_enable_ldap: false
+
 gitea_db_username: giteauser
 gitea_db_password: "{{ lookup('password', secret + '/' + 'gitea_db_password length=32') }}"
 gitea_db_database: gitea

roles/gitea/tasks/gitea.yml

     chdir: /data/gitea
   ignore_errors: True
 
+# check if ldap already enabled
+#gitea admin auth list
+
+# remove ldap auth if it exists
+#gitea admin auth delete
+
+# add ldap auth, if configured
+#gitea admin auth add-ldap --name customldap --security-protocol unencrypted --host localhost --port 389 --bind-dn "uid=admin,ou=people,dc=shagohod,dc=de" --bind-password "xS3Lbd.PuHdmEjAYxQn.JRmaXbuo_2-h" --user-search-base "ou=people,dc=shagohod,dc=de" --user-filter "uid=%s,ou=people,dc=shagohod,dc=de" --email-attribute mail
+
+# --admin-filter --username-attribute
+
 - name: Add fail2ban script for gitea
   copy:
     src=etc_fail2ban_filter.d_gitea.conf

roles/gitea/tasks/main.yml

-- include: gitea.yml tags=gitea
+- include_tasks: gitea.yml

roles/gpodder/tasks/main.yml

-- include: gpodder.yml tags=gpodder
+- include_tasks: gpodder.yml

roles/iot/tasks/influx.yml

   tags:
     - dependencies
 
-- name: Install InfluxDB and Telegraf from official repository
-  apt:
-    name: "{{ packages }}"
-    state: present
-    update_cache: yes
-  vars:
-    packages:
-    - influxdb
-    - telegraf
-  tags:
-    - dependencies
-
-- name: Configure InfluxDB
-  template:
-    src=etc_influxdb_influxdb.j2
-    dest=/etc/influxdb/influxdb.conf
-    owner=root
-    group=root
-  notify: restart influxdb
+# TODO can no longer run this!
+#- name: Install InfluxDB and Telegraf from official repository
+#  apt:
+#    name: "{{ packages }}"
+#    state: present
+#    update_cache: yes
+#  vars:
+#    packages:
+#    - influxdb
+#    - telegraf
+#  tags:
+#    - dependencies
+#
+#- name: Configure InfluxDB
+#  template:
+#    src=etc_influxdb_influxdb.j2
+#    dest=/etc/influxdb/influxdb.conf
+#    owner=root
+#    group=root
+#  notify: restart influxdb
 
 - name: Create InfluxDB data directories
   file: state=directory path={{ item }} owner=influxdb group=influxdb
     - 8088  # rpc
   tags: ufw
 
+# TODO influxdb should get following set in
+# /etc/systemd/system/influxdb.service.d/override.conf
+#
+# [Service]
+# TimeoutStartSec=60m
+
 - name: Register new InfluxDB and Telegraf service
   systemd: name={{ item }} daemon_reload=yes enabled=yes
   with_items:

roles/iot/tasks/main.yml

-- include: grafana.yml tags=iot
-- include: influx.yml tags=iot
-- include: mosquitto.yml tags=iot
-- include: mqtt_admin.yml tags=iot
-- include: nodered.yml tags=iot
-- include: lights.yml tags=iot
+- include_tasks: grafana.yml
+- include_tasks: influx.yml
+- include_tasks: mosquitto.yml
+- include_tasks: mqtt_admin.yml
+- include_tasks: nodered.yml
+- include_tasks: lights.yml

roles/iot/templates/etc_telegraf_telegraf.j2

 #     # unique_timestamp = "auto"
 
 
-# # Read metrics from MQTT topic(s)
-# [[inputs.mqtt_consumer]]
-#   ## MQTT broker URLs to be used. The format should be scheme://host:port,
-#   ## schema can be tcp, ssl, or ws.
-#   servers = ["tcp://localhost:1883"]
-#
-#   ## QoS policy for messages
-#   ##   0 = at most once
-#   ##   1 = at least once
-#   ##   2 = exactly once
-#   ##
-#   ## When using a QoS of 1 or 2, you should enable persistent_session to allow
-#   ## resuming unacknowledged messages.
-#   qos = 0
-#
-#   ## Connection timeout for initial connection in seconds
-#   connection_timeout = "30s"
-#
-#   ## Maximum messages to read from the broker that have not been written by an
-#   ## output.  For best throughput set based on the number of metrics within
-#   ## each message and the size of the output's metric_batch_size.
-#   ##
-#   ## For example, if each message from the queue contains 10 metrics and the
-#   ## output metric_batch_size is 1000, setting this to 100 will ensure that a
-#   ## full batch is collected and the write is triggered immediately without
-#   ## waiting until the next flush_interval.
-#   # max_undelivered_messages = 1000
-#
-#   ## Topics to subscribe to
-#   topics = [
-#     "telegraf/host01/cpu",
-#     "telegraf/+/mem",
-#     "sensors/#",
-#   ]
-#
-#   # if true, messages that can't be delivered while the subscriber is offline
-#   # will be delivered when it comes back (such as on service restart).
-#   # NOTE: if true, client_id MUST be set
-#   persistent_session = false
-#   # If empty, a random client ID will be generated.
-#   client_id = ""
-#
-#   ## username and password to connect MQTT server.
-#   # username = "telegraf"
-#   # password = "metricsmetricsmetricsmetrics"
-#
-#   ## Optional TLS Config
-#   # tls_ca = "/etc/telegraf/ca.pem"
-#   # tls_cert = "/etc/telegraf/cert.pem"
-#   # tls_key = "/etc/telegraf/key.pem"
-#   ## Use TLS but skip chain & host verification
-#   # insecure_skip_verify = false
-#
-#   ## Data format to consume.
-#   ## Each data format has its own unique set of configuration options, read
-#   ## more about them here:
-#   ## https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_INPUT.md
-#   data_format = "influx"
+# Read metrics from MQTT topic(s)
+[[inputs.mqtt_consumer]]
+  ## MQTT broker URLs to be used. The format should be scheme://host:port,
+  ## schema can be tcp, ssl, or ws.
+  servers = ["tcp://{{ server_fqdn }}:1883"]
+
+  ## QoS policy for messages
+  ##   0 = at most once
+  ##   1 = at least once
+  ##   2 = exactly once
+  ##
+  ## When using a QoS of 1 or 2, you should enable persistent_session to allow
+  ## resuming unacknowledged messages.
+  qos = 0
+
+  ## Connection timeout for initial connection in seconds
+  connection_timeout = "30s"
+
+  ## Maximum messages to read from the broker that have not been written by an
+  ## output.  For best throughput set based on the number of metrics within
+  ## each message and the size of the output's metric_batch_size.
+  ##
+  ## For example, if each message from the queue contains 10 metrics and the
+  ## output metric_batch_size is 1000, setting this to 100 will ensure that a
+  ## full batch is collected and the write is triggered immediately without
+  ## waiting until the next flush_interval.
+  # max_undelivered_messages = 1000
+
+  ## Topics to subscribe to
+  ## matches tasmota "$room/$app/tele/STATE" and "$room/$app/tele/SENSOR"
+  topics = [
+    "+/+/tele/SENSOR",
+    "+/+/tele/STATE",
+  ]
+
+  # if true, messages that can't be delivered while the subscriber is offline
+  # will be delivered when it comes back (such as on service restart).
+  # NOTE: if true, client_id MUST be set
+  persistent_session = false
+  # If empty, a random client ID will be generated.
+  client_id = "iot-mqtt-bridge"
+
+  ## username and password to connect MQTT server.
+  username = "{{ lights_web_username }}"
+  password = "{{ lights_web_password }}"
+
+  ## Optional TLS Config
+  # tls_ca = "/etc/telegraf/ca.pem"
+  # tls_cert = "/etc/telegraf/cert.pem"
+  # tls_key = "/etc/telegraf/key.pem"
+  ## Use TLS but skip chain & host verification
+  # insecure_skip_verify = false
+
+  ## Data format to consume.
+  ## Each data format has its own unique set of configuration options, read
+  ## more about them here:
+  ## https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_INPUT.md
+  data_format = "json"
 
 
 # # Read metrics from NATS subject(s)

roles/ircbouncer/tasks/main.yml

-- include: znc.yml tags=znc
+- include_tasks: znc.yml

roles/jitsi/tasks/main.yml

 ---
-- include: jitsi.yml tags=jitsi
+- include_tasks: jitsi.yml

roles/kanboard/tasks/main.yml

 ---
-- include: kanboard.yml tags=kanboard
+- include_tasks: kanboard.yml

roles/ldap/DESIGN.md

     Password: {{ slapd_admin_password }}
     Base DN: dc=DOMAIN,dc=TLD
 
-Dokuwiki, Jitsi and Kanboard can be configured to use LDAP automatically.
+For LimeSurvey, use these settings:
+
+
+
+Dokuwiki, Gitea, Jitsi and Kanboard can be configured to use LDAP automatically.
 See their defaults.
 
 ## ToDo

roles/ldap/tasks/main.yml

-- include: slapd.yml tags=ldap
-- include: fusiondirectory.yml tags=ldap
+- include_tasks: slapd.yml
+- include_tasks: fusiondirectory.yml

roles/limesurvey/tasks/main.yml

 ---
-- include: limesurvey.yml tags=limesurvey
+- include_tasks: limesurvey.yml

roles/mailserver/tasks/main.yml

 ---
 # Installs and configures the mail system.
 
-- include: postfix.yml
-  tags: postfix
-- include: dovecot.yml
-  tags: dovecot
-- include: rspamd.yml
-  tags: rspamd
-- include: solr.yml
-  tags: solr
-- include: checkrbl.yml
-  tags: checkrbl
-- include: z-push.yml
-  tags: zpush
-- include: autoconfig.yml
-  tags: autoconfig
+- include_tasks: postfix.yml
+- include_tasks: dovecot.yml
+- include_tasks: rspamd.yml
+- include_tasks: solr.yml
+- include_tasks: checkrbl.yml
+- include_tasks: z-push.yml
+- include_tasks: autoconfig.yml
 

roles/mastodon/tasks/main.yml

-- include: mastodon.yml tags=mastodon
+- include_tasks: mastodon.yml

roles/matrix/tasks/main.yml

 ---
 # Provides the Synapse Matrix homeserver and the Riot.im client
 #
-- include: riot.yml tags=matrix
-- include: synapse.yml tags=matrix
+- include_tasks: riot.yml
+- include_tasks: synapse.yml

roles/monitoring/tasks/main.yml

-- include: monit.yml tags=monit
-- include: logwatch.yml tags=logwatch
+- include_tasks: monit.yml
+- include_tasks: logwatch.yml

roles/news/tasks/main.yml

-- include: selfoss.yml tags=selfoss
+- include_tasks: selfoss.yml

roles/nextcloud/tasks/main.yml

-- include: nextcloud.yml tags=nextcloud
+- include_tasks: nextcloud.yml

roles/rocketchat/tasks/main.yml

 ---
-- include: rocketchat.yml tags=rocketchat
+- include_tasks: rocketchat.yml

roles/sslletsencrypt/tasks/main.yml

 ---
-- include: ssl.yml tags=ssl
-- include: letsencrypt.yml tags=letsencrypt
-- include: ufw.yml tags=ufw
+- include_tasks: ssl.yml
+- include_tasks: letsencrypt.yml
+- include_tasks: ufw.yml

roles/sslselfsigned/tasks/main.yml

 ---
 
-- include: ssl.yml tags=ssl
-- include: selfsigned.yml
-- include: ufw.yml tags=ufw
+- include_tasks: ssl.yml
+- include_tasks: selfsigned.yml
+- include_tasks: ufw.yml

roles/vpn/tasks/main.yml

-- include: openvpn.yml tags=openvpn
+- include_tasks: openvpn.yml

roles/webmail/tasks/main.yml

-- include: roundcube.yml tags=roundcube
+- include_tasks: roundcube.yml