├── .gitignore
├── README.md
├── bootstrap.sh
├── bootstrap.yml
├── example.yml
└── roles
    ├── ansible
    │   ├── defaults
    │   │   └── main.yml
    │   ├── meta
    │   │   └── main.yml
    │   ├── tasks
    │   │   └── main.yml
    │   ├── templates
    │   │   └── ansible.cfg
    │   └── vars
    │       └── main.yml
    ├── clamav
    │   ├── handlers
    │   │   └── main.yml
    │   ├── meta
    │   │   └── main.yml
    │   └── tasks
    │       └── main.yml
    ├── common-debian
    │   ├── defaults
    │   │   └── main.yml
    │   ├── handlers
    │   │   └── main.yml
    │   ├── tasks
    │   │   └── main.yml
    │   ├── templates
    │   │   ├── hostname
    │   │   └── sshd_config
    │   └── vars
    │       └── main.yml
    ├── common
    │   ├── defaults
    │   │   └── main.yml
    │   ├── handlers
    │   │   └── main.yml
    │   ├── tasks
    │   │   ├── home_dataset.yml
    │   │   └── main.yml
    │   ├── templates
    │   │   ├── inputrc
    │   │   ├── sshd_config
    │   │   └── useradd
    │   └── vars
    │       └── main.yml
    ├── dhcpdns
    │   └── templates
    │       ├── dhcpd.conf
    │       ├── dnsmasq.conf
    │       ├── powerdns-recursor.conf
    │       └── unbound.conf
    ├── ghost
    │   ├── defaults
    │   │   └── main.yml
    │   ├── handlers
    │   │   └── main.yml
    │   ├── meta
    │   │   └── main.yml
    │   ├── tasks
    │   │   └── main.yml
    │   ├── templates
    │   │   ├── config.json
    │   │   └── ghost-smf.xml
    │   └── vars
    │       └── main.yml
    ├── git
    │   ├── defaults
    │   │   └── main.yml
    │   ├── meta
    │   │   └── main.yml
    │   ├── tasks
    │   │   └── main.yml
    │   └── vars
    │       └── main.yml
    ├── minecraft
    │   ├── defaults
    │   │   └── main.yml
    │   ├── handlers
    │   │   └── main.yml
    │   ├── meta
    │   │   └── main.yml
    │   ├── tasks
    │   │   ├── main.yml
    │   │   ├── server-mojang.yml
    │   │   └── server-paper.yml
    │   ├── templates
    │   │   ├── eula.txt
    │   │   ├── minecraft-smf.xml
    │   │   └── server.properties
    │   └── vars
    │       └── main.yml
    ├── mysql
    │   ├── handlers
    │   │   └── main.yml
    │   ├── meta
    │   │   └── main.yml
    │   ├── tasks
    │   │   └── main.yml
    │   ├── templates
    │   │   ├── my.cnf
    │   │   └── system-my.cnf
    │   └── vars
    │       └── main.yml
    ├── neo4j
    │   ├── defaults
    │   │   └── main.yml
    │   ├── handlers
    │   │   └── main.yml
    │   ├── meta
    │   │   └── main.yml
    │   ├── tasks
    │   │   └── main.yml
    │   ├── templates
    │   │   ├── neo4j-smf.xml
    │   │   └── neo4j.conf
    │   └── vars
    │       └── main.yml
    ├── plex
    │   ├── defaults
    │   │   └── main.yml
    │   ├── handlers
    │   │   └── main.yml
    │   ├── meta
    │   │   └── main.yml
    │   ├── tasks
    │   │   └── main.yml
    │   └── vars
    │       └── main.yml
    ├── postgresql
    │   ├── defaults
    │   │   └── main.yml
    │   ├── handlers
    │   │   └── main.yml
    │   ├── meta
    │   │   └── main.yml
    │   ├── tasks
    │   │   └── main.yml
    │   └── templates
    │       ├── pg_hba.conf
    │       ├── pg_ident.conf
    │       └── postgresql.conf
    ├── redis
    │   ├── defaults
    │   │   └── main.yml
    │   ├── handlers
    │   │   └── main.yml
    │   ├── meta
    │   │   └── main.yml
    │   ├── tasks
    │   │   └── main.yml
    │   ├── templates
    │   │   └── redis.conf
    │   └── vars
    │       └── main.yml
    ├── router
    │   └── templates
    │       └── ipnat.conf
    ├── samba
    │   ├── handlers
    │   │   └── main.yml
    │   ├── meta
    │   │   └── main.yml
    │   ├── tasks
    │   │   └── main.yml
    │   ├── templates
    │   │   └── smb.conf
    │   └── vars
    │       └── main.yml
    └── tor
        ├── handlers
        │   └── main.yml
        ├── meta
        │   └── main.yml
        ├── tasks
        │   └── main.yml
        └── templates
            └── torrc

/.gitignore:
--------------------------------------------------------------------------------
# Ignore generated playbooks in the repository root, but keep the two that ship with it.
# The ignore pattern has to come first: in .gitignore the last matching line wins,
# so a negation listed before /*.yml would be overridden by it.
/*.yml
!bootstrap.yml
!example.yml
*.retry
.*.swp
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Ansible SmartOS Tricks

This collection of Ansible roles is the companion piece to my blog, [Stupid SmartOS Tricks](https://blog.brianewell.com/).

## Installation

Clone this repository and optionally run `ansible-bootstrap.sh` to have it bootstrap Ansible within your local environment (assuming SmartOS):

```
# pkgin -y install git
# git clone https://github.com/brianewell/ansible-smartos-tricks
# cd ansible-smartos-tricks
# ./ansible-bootstrap.sh
```

## Common Role

The common role performs the configuration and decrufting steps for a base SmartOS zone that I use in all other roles. It is inherited into those other roles by default, but is also available for direct use.

### Configuration Variables

* **ansible_python_interpreter**: String that can override the SmartOS default of `/opt/local/bin/python`
* **home_dataset**: Boolean that determines if a home dataset should be configured if delegated_dataset is configured in the zone manifest.
* **inputrc.config**: Dictionary that can be merged with existing inputrc configuration parameters
* **inputrc.bindings**: Dictionary that can be merged with existing inputrc key-bindings
* **sshd.key_types**: List that can override the default of dsa, ecdsa, ed25519 and rsa
* **sshd.config**: Dictionary of sshd configuration parameters that can be merged with the default sshd configuration parameters
* **sshd.match**: Dictionary of sshd match strings (as keys) and dictionaries (as values) of configuration parameters to use in the sshd configuration.

## Ansible Role

The ansible role installs and configures a base SmartOS zone to act as an Ansible host to run this, and any other playbooks, templates and modules.

### Configuration Variables

* **ansible.config.{section name}**: Dictionary that can be merged with existing ansible configuration parameters

## MySQL Role

The mysql role installs and configures MySQL on a base SmartOS zone.

### Configuration Variables

* **mysql.server**: Specify a specific fork of the MySQL server (default: mariadb, options: mariadb | mysql | percona)
* **mysql.recordsize**: Specify the recordsize of the underlying ZFS filesystem that the database is installed on (default: 16k)

## Neo4j Role

The neo4j role installs and configures Neo4j on a base SmartOS zone.

### Configuration Variables

* **neo4j.user**: Specify the name of the user
* **neo4j.group**: Specify the name of the group
* **neo4j.project**: Specify the name of the project
* **neo4j.path**: Specify the path in which to install the database software
* **neo4j.conf_path**: Specify the path in which to store configuration data
* **neo4j.data_path**: Specify the path in which to install the database cluster
* **neo4j.recordsize**: Specify the recordsize of the underlying ZFS filesystem that the database is installed on (default: 16k)
* **neo4j.version**: Specify the version of Neo4j to install into the system (default: latest)

## PostgreSQL Role

The postgresql role installs and configures PostgreSQL on a base SmartOS zone.

### Configuration Variables

* **postgresql.server**: Specify the version of PostgreSQL to install
* **postgresql.locale**: Specify the default locale
* **postgresql.max_connections**: Specify the maximum connection count
* **postgresql.shared_buffers**: Specify the shared buffer size
* **postgresql.recordsize**: Specify the ZFS filesystem recordsize

--------------------------------------------------------------------------------
/bootstrap.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# For now, install py38-pip and the core ansible dependencies from pkgsrc
/opt/local/bin/pkgin -y install py38-cryptography py38-jinja2 py38-pip py38-pyparsing

# Install ansible directly via pip
/opt/local/bin/pip install ansible

# Use Ansible to update ansible
/opt/local/bin/ansible-playbook bootstrap.yml
--------------------------------------------------------------------------------
/bootstrap.yml:
--------------------------------------------------------------------------------
---
- name: 'Bootstrap Ansible'
  hosts: 127.0.0.1
  connection: local
  roles:
    - ansible
--------------------------------------------------------------------------------
/example.yml:
--------------------------------------------------------------------------------
---
#
# The common role performs the common configuration and decrufting steps for a base SmartOS zone
#
# - hosts: common
#   roles:
#     - common
#   vars:
#     ansible_python_interpreter: /opt/local/bin/python  # specify a python interpreter other than the SmartOS default
#     home_dataset: false  # specify if a home dataset should be established
#     inputrc:
#       config: {}  # specify additional inputrc configuration parameters
#       bindings: {}  # specify additional inputrc key-bindings
#     sshd:
#       config: {}  # specify additional sshd configuration parameters
#       key_types: [dsa, ecdsa, ed25519, rsa]  # specify sshd host key types
#     vim:
#       colorscheme: ''  # specify a custom colorscheme in /root/.vimrc
#
#
# The ansible role installs and configures a base SmartOS zone to act as an Ansible host to run this, and any other playbooks, templates and modules.
#
# - hosts: ansible
#   roles:
#     - ansible
#   vars:
#     ansible:
#       config:
#         defaults: {}  # specify additional [defaults] section configuration parameters
#
#
# The git role installs and configures a base SmartOS zone to serve as a git repository
#
# - hosts: test
#   roles:
#     - git
#   vars:
#     git:
#       users:  # specify a set of users to create with git-shell configured
#         - user1
#         - user2
#         - ...
#
#
# The mysql role installs and configures MySQL on a base SmartOS zone
#
# - hosts: mysql
#   roles:
#     - mysql
#   vars:
#     mysql:
#       server: mariadb  # specify a specific MySQL fork ( mariadb | mysql | percona )
#       recordsize: 16k  # specify the ZFS filesystem recordsize
#
#
# The neo4j role installs and configures Neo4j on a base SmartOS zone
#
# - hosts: neo4j
#   roles:
#     - neo4j
#   vars:
#     neo4j:
#       user: neo4j  # specify the user name to use
#       group: neo4j  # specify the group name to use
#       project: neo4j  # specify the project name to use
#       path: /opt/local/neo4j  # specify the install path
#       conf_path: /opt/local/etc/neo4j  # specify the configuration path
#       data_path: /var/db/neo4j  # specify the data path
#       recordsize: 16k  # specify the ZFS filesystem recordsize
#       version: '3.5.8'  # specify the version of Neo4j to install
#
#
# The postgresql role installs and configures PostgreSQL on a base SmartOS zone
#
# - hosts: postgresql
#   roles:
#     - postgresql
#   vars:
#     postgresql:
#       server: postgresql11-server  # specify the version of PostgreSQL to install
#       locale: C  # specify the default locale
#       max_connections: 100  # specify the maximum connection count
#       shared_buffers: 128MB  # specify the shared buffer size
#       recordsize: 16k  # specify the ZFS filesystem recordsize
#
#
# The redis role installs and configures Redis on a base SmartOS zone
#
# - hosts: redis
#   roles:
#     - redis
#   vars:
#     redis:
#       config: {}  # specify additional redis configuration parameters
--------------------------------------------------------------------------------
/roles/ansible/defaults/main.yml:
--------------------------------------------------------------------------------
---
ansible: {}

ansible_passed_redis_variables_that_ansible_apparently_cant_figure_out_on_its_own:
  config:
    databases: 2
    maxmemory: 1mb
    maxmemory-policy: volatile-ttl
--------------------------------------------------------------------------------
/roles/ansible/meta/main.yml:
--------------------------------------------------------------------------------
---
dependencies:
  - role: redis
    vars:
      redis: '{{ ansible_passed_redis_variables_that_ansible_apparently_cant_figure_out_on_its_own }}'
--------------------------------------------------------------------------------
/roles/ansible/tasks/main.yml:
--------------------------------------------------------------------------------
---
- name: ensure that pkgin managed software has been installed
  pkgin:
    name:
      - git
      - py38-cryptography
      - py38-jinja2
      - py38-pip
      - py38-pyparsing
      # - libyaml
      # - py38-bcrypt
      # - py38-nacl

- name: ensure that pip has been updated to its latest version
  pip:
    name: pip
    state: latest

- name: ensure that ansible has been updated to its latest version
  pip:
    name:
      - ansible
      # - netaddr
      - redis
    state: latest

- name: ensure existence of ansible configuration directory
  file:
    path: /etc/ansible
    state: directory
    owner: root
    group: root
    mode: 0755

- name: ensure that ansible has been configured
  template:
    src: ansible.cfg
    dest: /etc/ansible/ansible.cfg
    owner: root
    group: root
    mode: 0644

- name: ensure that an OpenSSH ed25519 keypair exists for root
  openssh_keypair:
    path: /root/.ssh/id_ed25519
    type: ed25519
    owner: root
    group: root
    comment: Ansible
--------------------------------------------------------------------------------
/roles/ansible/templates/ansible.cfg:
--------------------------------------------------------------------------------
{{ configuration_header }}
{% for section,parameters in (default_ansible|combine(ansible, recursive=True)).config|dictsort %}

[{{ section }}]
{% for key,value in parameters|dictsort %}
{{ key }} = {{ value }}
{% endfor %}
{% endfor %}
--------------------------------------------------------------------------------
/roles/ansible/vars/main.yml:
--------------------------------------------------------------------------------
---
default_ansible:
  config:
    defaults:
      gathering: smart
      fact_caching: redis
      fact_caching_timeout: 3600
      fact_caching_connection: localhost:6379:0
    ssh_connection:
      pipelining: true
--------------------------------------------------------------------------------
/roles/clamav/handlers/main.yml:
--------------------------------------------------------------------------------
---
- name: restart clamav
  when: not clamav_enabled.changed
  service:
    name: 'svc:/pkgsrc/clamav:freshclamd svc:/pkgsrc/clamav:clamd'
    state: restarted
--------------------------------------------------------------------------------
/roles/clamav/meta/main.yml:
--------------------------------------------------------------------------------
---
dependencies:
  - role: common
--------------------------------------------------------------------------------
/roles/clamav/tasks/main.yml:
--------------------------------------------------------------------------------
---
- name: ensure that clamav has been installed
  notify: restart clamav
  pkgin:
    name: clamav

- name: ensure that clamav has been enabled
  register: clamav_enabled
  service:
    name: 'svc:/pkgsrc/clamav:freshclamd svc:/pkgsrc/clamav:clamd'
    enabled: true
--------------------------------------------------------------------------------
/roles/common-debian/defaults/main.yml:
--------------------------------------------------------------------------------
---
sshd: {}
--------------------------------------------------------------------------------
/roles/common-debian/handlers/main.yml:
--------------------------------------------------------------------------------
---
- name: remove delegated mountpoint
  file:
    path: '/zones'
    state: absent

- name: restart sshd
  service:
    name: ssh
    state: restarted
--------------------------------------------------------------------------------
/roles/common-debian/tasks/main.yml:
--------------------------------------------------------------------------------
---
- name: fail when not Debian or Ubuntu
  when: ansible_distribution != 'Debian' and ansible_distribution != 'Ubuntu'
  fail:
    msg: This role is intended to only be used on Debian or Ubuntu distributions

- name: ensure that /native is available in the $PATH variable
  when: ansible_distribution == 'Debian'
  lineinfile:
    path: /etc/profile
    regex: PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    line: PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/native/usr/sbin:/native/usr/bin:/native/bin"

- name: ensure that the hostname has been set
  when: hostname is defined
  hostname:
    name: "{{ hostname }}"

# Apparently Ansible does not respect PATH variables defined on the remote side. Lovely
- name: determine the zone uuid
  command: /native/usr/bin/zonename
  register: zonename_command

- name: set the zone dataset fact
  set_fact:
    zone_dataset: 'zones/{{ zonename_command.stdout }}/data'

- name: ensure that the delegated ZFS filesystem is unmounted
  ignore_errors: true
  notify: remove delegated mountpoint
  register: delegate_dataset
  environment:
    PATH: "{{ ansible_env.PATH }}:/native/usr/sbin"
  zfs:
    name: '{{ zone_dataset }}'
    state: present
    extra_zfs_properties:
      mountpoint: none

- name: ensure that all packages have been upgraded
  apt:
    update_cache: true
    upgrade: full

- name: ensure that sshd is securely configured
  notify: restart sshd
  template:
    src: sshd_config
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: 0644
--------------------------------------------------------------------------------
/roles/common-debian/templates/hostname:
--------------------------------------------------------------------------------
{{ ( default_plex | combine( plex, recursive=True )).hostname }}
--------------------------------------------------------------------------------
/roles/common-debian/templates/sshd_config:
--------------------------------------------------------------------------------
{{ configuration_header }}

{% for key,value in (default_sshd|combine(sshd, recursive=True)).config|dictsort %}
{{ key }} {{ value }}
{% endfor %}

{% for key_type in (default_sshd|combine(sshd, recursive=True)).key_types|sort %}
HostKey /etc/ssh/ssh_host_{{ key_type }}_key
{% endfor %}

{% for match,parameters in (default_sshd|combine(sshd, recursive=True)).match|default({})|dictsort %}
Match {{ match }}
{% for key,value in parameters|dictsort %}
{{ key }} {{ value }}
{% endfor %}
{% endfor %}
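To see what the `default_sshd|combine(sshd, recursive=True)` merge in the sshd_config template above actually produces, here is an added Python example (not code from the repository): it reimplements Ansible's `combine` filter and the template's `dictsort`/`sort` loops with the defaults from roles/common-debian/vars/main.yml and a constructed `sshd` override, then checks that the override did not undo the hardened baseline. It assumes Ansible's default `list_merge='replace'`, which is why an overriding `key_types` list replaces the default list rather than extending it.

```python
from copy import deepcopy

CONFIGURATION_HEADER = "# Configuration generated by Ansible SmartOS Tricks"

# Defaults copied from roles/common-debian/vars/main.yml
DEFAULT_SSHD = {
    "key_types": [],
    "config": {
        "ChallengeResponseAuthentication": "no",
        "PasswordAuthentication": "no",
        "PrintMotd": "no",
        "Subsystem": "sftp /usr/lib/openssh/sftp-server",
        "UsePrivilegeSeparation": "yes",
    },
}

# Constructed override, as a playbook would pass it under `sshd:`
OVERRIDE = {
    "key_types": ["ed25519"],  # lists are replaced outright, not appended to
    "config": {"PermitRootLogin": "prohibit-password", "LogLevel": "VERBOSE"},
    "match": {
        "Group sftponly": {"ChrootDirectory": "%h", "ForceCommand": "internal-sftp"},
    },
}


def combine(base, override, recursive=True):
    """Mimic Ansible's `combine` filter (default list_merge='replace').

    Nested dicts merge key by key when recursive=True; scalars and lists
    (such as key_types) are taken from the override. Inputs are not mutated.
    """
    merged = deepcopy(base)
    for key, value in override.items():
        if recursive and isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = combine(merged[key], value, recursive=True)
        else:
            merged[key] = deepcopy(value)
    return merged


def dictsort(mapping):
    """Jinja2's dictsort default: by key, case-insensitively."""
    return sorted(mapping.items(), key=lambda kv: str(kv[0]).lower())


def render_sshd_config(override, host_key_dir="/etc/ssh"):
    """Emit the same lines templates/sshd_config produces for the merged vars."""
    sshd = combine(DEFAULT_SSHD, override)
    lines = [CONFIGURATION_HEADER, ""]
    for key, value in dictsort(sshd["config"]):  # the config|dictsort loop
        lines.append(f"{key} {value}")
    lines.append("")
    for key_type in sorted(sshd["key_types"], key=str.lower):  # key_types|sort
        lines.append(f"HostKey {host_key_dir}/ssh_host_{key_type}_key")
    lines.append("")
    for match, parameters in dictsort(sshd.get("match", {})):  # match|default({})
        lines.append(f"Match {match}")
        for key, value in dictsort(parameters):
            lines.append(f"{key} {value}")
    return "\n".join(lines) + "\n"


def global_directives(rendered):
    """Parse directives preceding the first Match block, keywords lower-cased.

    sshd keywords are case-insensitive; a repeated keyword (several HostKey
    lines) keeps only its last value here, which is enough for the checks below.
    """
    directives = {}
    for line in rendered.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        if keyword.lower() == "match":
            break
        directives[keyword.lower()] = value.strip()
    return directives


def baseline_preserved(override):
    """True when an override leaves the role's hardening defaults intact.

    A missing PermitRootLogin counts as OpenSSH's own default, prohibit-password.
    """
    cfg = global_directives(render_sshd_config(override))
    return (cfg.get("passwordauthentication") == "no"
            and cfg.get("challengeresponseauthentication") == "no"
            and cfg.get("permitrootlogin", "prohibit-password") != "yes")


if __name__ == "__main__":
    print(render_sshd_config(OVERRIDE))
    print("baseline preserved:", baseline_preserved(OVERRIDE))
```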
--------------------------------------------------------------------------------
/roles/common-debian/vars/main.yml:
--------------------------------------------------------------------------------
---
configuration_header: '# Configuration generated by Ansible SmartOS Tricks'

default_sshd:
  key_types: []
  config:
    ChallengeResponseAuthentication: 'no'
    PasswordAuthentication: 'no'
    PrintMotd: 'no'
    Subsystem: 'sftp /usr/lib/openssh/sftp-server'
    UsePrivilegeSeparation: 'yes'
--------------------------------------------------------------------------------
/roles/common/defaults/main.yml:
--------------------------------------------------------------------------------
---
ansible_python_interpreter: /opt/local/bin/python3
home_dataset: false
inputrc: {}
sshd: {}
--------------------------------------------------------------------------------
/roles/common/handlers/main.yml:
--------------------------------------------------------------------------------
---
- name: remove delegated mountpoint
  file:
    path: '/zones'
    state: absent

- name: restart sshd
  service:
    name: 'svc:/network/ssh:default'
    state: restarted
--------------------------------------------------------------------------------
/roles/common/tasks/home_dataset.yml:
--------------------------------------------------------------------------------
---
- name: determine if a dataset exists at /home
  ignore_errors: true
  register: delegate_home_dataset
  zfs_facts:
    name: '{{ zone_dataset }}/home'
    type: filesystem

- name: move existing /home to /home_tmp
  when: delegate_home_dataset is failed
  command: 'mv -n /home /home_tmp'
  ignore_errors: true

- name: ensure that the delegated home ZFS dataset exists
  zfs:
    name: '{{ zone_dataset }}/home'
    state: present
    extra_zfs_properties:
      mountpoint: /home

- name: determine home directories to re-create in /home
  register: home_tmp
  find:
    paths: /home_tmp
    file_type: directory

- name: ensure that delegated home ZFS datasets exist for each temporary home directory
  with_items: '{{ home_tmp.files }}'
  zfs:
    name: '{{ zone_dataset }}/home/{{ item.path | basename }}'
    state: present

- name: ensure that delegated home ZFS datasets have the proper permissions
  with_items: '{{ home_tmp.files }}'
  file:
    path: '/home/{{ item.path | basename }}'
    mode: '{{ item.mode }}'
    state: directory
    owner: '{{ item.uid }}'
    group: '{{ item.gid }}'

- name: return contents of temporary home directories
  ignore_errors: true
  with_items: '{{ home_tmp.files }}'
  shell:
    cmd: 'mv {{ item.path }}/* {{ item.path }}/.??* /home/{{ item.path | basename }}'

- name: ensure temporary home directory is absent
  file:
    path: '/home_tmp'
    state: absent
--------------------------------------------------------------------------------
/roles/common/tasks/main.yml:
--------------------------------------------------------------------------------
---
- name: fail when not SmartOS
  when: ansible_distribution != 'SmartOS'
  fail:
    msg: This role is intended to only be used on SmartOS distributions

- name: determine the zone uuid
  command: sysinfo
  register: sysinfo_command

- name: set the zone dataset fact
  set_fact:
    zone_dataset: 'zones/{{ (sysinfo_command.stdout | from_json).UUID }}/data'

- name: ensure that unnecessary default services are disabled
  service:
    name: 'svc:/network/inetd:default svc:/system/sac:default'
    enabled: false

- name: ensure that the delegated ZFS filesystem is unmounted
  ignore_errors: true
  notify: remove delegated mountpoint
  register: delegate_dataset
  zfs:
    name: '{{ zone_dataset }}'
    state: present
    extra_zfs_properties:
      mountpoint: none

- name: ensure that the home ZFS dataset exists
  when: home_dataset and delegate_dataset is succeeded
  include_tasks: home_dataset.yml

- name: ensure that all packages have been upgraded
  pkgin:
    clean: true
    full_upgrade: true
    update_cache: true

- name: ensure that useradd is properly configured
  template:
    src: useradd
    dest: /etc/default/useradd
    owner: root
    group: root
    mode: 0644

- name: ensure that inputrc is properly configured
  template:
    src: inputrc
    dest: /etc/inputrc
    owner: root
    group: root
    mode: 0644

- name: ensure that sshd is securely configured
  notify: restart sshd
  template:
    src: sshd_config
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: 0644

- name: ensure that the root home directory is secured
  file:
    path: /root
    state: directory
    owner: root
    group: root
    mode: 0750

- name: ensure that vim colorscheme is set
  when: vim.colorscheme is defined
  lineinfile:
    path: /root/.vimrc
    line: colorscheme {{ vim.colorscheme }}
--------------------------------------------------------------------------------
/roles/common/templates/inputrc:
--------------------------------------------------------------------------------
{{ configuration_header }}

{% for key,value in (default_inputrc|combine(inputrc, recursive=True)).config|dictsort %}
set {{ key }} {{ value }}
{% endfor %}

{% for key,value in (default_inputrc|combine(inputrc, recursive=True)).bindings|dictsort %}
"{{ key }}": {{ value }}
{% endfor %}
--------------------------------------------------------------------------------
/roles/common/templates/sshd_config:
--------------------------------------------------------------------------------
{{ configuration_header }}

{% for key,value in (default_sshd|combine(sshd, recursive=True)).config|dictsort %}
{{ key }} {{ value }}
{% endfor %}

{% for key_type in (default_sshd|combine(sshd, recursive=True)).key_types|sort %}
HostKey /var/ssh/ssh_host_{{ key_type }}_key
{% endfor %}

{% for match,parameters in (default_sshd|combine(sshd, recursive=True)).match|default({})|dictsort %}
Match {{ match }}
{% for key,value in parameters|dictsort %}
{{ key }} {{ value }}
{% endfor %}
{% endfor %}
--------------------------------------------------------------------------------
/roles/common/templates/useradd:
--------------------------------------------------------------------------------
{{ configuration_header }}

EXCEED_TRAD=silent
{% if home_dataset and delegate_dataset is succeeded %}
MANAGE_ZFS=yes
{% endif %}
--------------------------------------------------------------------------------
/roles/common/vars/main.yml:
--------------------------------------------------------------------------------
---
configuration_header: '# Configuration generated by Ansible SmartOS Tricks'

default_inputrc:
  config: {}
  bindings:
    \e[1~: beginning-of-line
    \e[4~: end-of-line
    \eOC: forward-word
    \eOD: backward-word
    \e[5~: history-search-backward
    \e[6~: history-search-forward
    \e[3~: delete-char

default_sshd:
  key_types:
    - dsa
    - ecdsa
    - ed25519
    - rsa
  config:
    ChallengeResponseAuthentication: 'no'
    GSSAPIAuthentication: 'no'
    GSSAPIKeyExchange: 'no'
    GatewayPorts: 'no'
    IgnoreRhosts: 'yes'
    KeepAlive: 'yes'
    ListenAddress: '::'
    LogLevel: 'info'
    LoginGraceTime: 600
    MaxAuthTries: 6
    PasswordAuthentication: 'no'
    PermitEmptyPasswords: 'no'
    PermitRootLogin: 'without-password'
    PermitUserEnvironment: 'yes'
    Port: 22
    PrintMotd: 'no'
    Protocol: 2
    PubKeyPlugin: 'libsmartsshd.so'
    StrictModes: 'yes'
    Subsystem: 'sftp internal-sftp'
    SyslogFacility: 'auth'
    X11DisplayOffset: 10
    X11Forwarding: 'yes'
    X11UseLocalhost: 'yes'
    XAuthLocation: '/opt/local/bin/xauth'
--------------------------------------------------------------------------------
/roles/dhcpdns/templates/dhcpd.conf:
--------------------------------------------------------------------------------
{{ configuration_header }}

# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;

default-lease-time 600;
max-lease-time 7200;

# Use this to enable / disable dynamic dns updates globally.
#ddns-update-style none;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.

subnet 10.152.187.0 netmask 255.255.255.0 {
}

# This is a very basic subnet declaration.

subnet 10.254.239.0 netmask 255.255.255.224 {
  range 10.254.239.10 10.254.239.20;
  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
}

# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.

subnet 10.254.239.32 netmask 255.255.255.224 {
  range dynamic-bootp 10.254.239.40 10.254.239.60;
  option broadcast-address 10.254.239.31;
  option routers rtr-239-32-1.example.org;
}

# A slightly different configuration for an internal subnet.
subnet 10.5.5.0 netmask 255.255.255.224 {
  range 10.5.5.26 10.5.5.30;
  option domain-name-servers ns1.internal.example.org;
  option domain-name "internal.example.org";
  option routers 10.5.5.1;
  option broadcast-address 10.5.5.31;
  default-lease-time 600;
  max-lease-time 7200;
}

# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.

host passacaglia {
  hardware ethernet 0:0:c0:5d:bd:95;
  filename "vmunix.passacaglia";
  server-name "toccata.example.com";
}

# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
host fantasia {
  hardware ethernet 08:00:07:26:c0:a5;
  fixed-address fantasia.example.com;
}

# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.

class "foo" {
  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
}

shared-network 224-29 {
  subnet 10.17.224.0 netmask 255.255.255.0 {
    option routers rtr-224.example.org;
  }
  subnet 10.0.29.0 netmask 255.255.255.0 {
    option routers rtr-29.example.org;
  }
  pool {
    allow members of "foo";
    range 10.17.224.10 10.17.224.250;
  }
  pool {
    deny members of "foo";
    range 10.0.29.10 10.0.29.230;
  }
}
--------------------------------------------------------------------------------
/roles/dhcpdns/templates/dnsmasq.conf:
--------------------------------------------------------------------------------
#{{ configuration_header }}

{% if dns.provider == 'dnsmasq' %}
# DNS specific configuration

{% if dns.port is defined %}
# Set listening DNS port to {{ dns.port }}
port={{ dns.port }}

{% endif %}
{% if dns.cache_size is defined %}
# Set DNS cache size
cache-size={{ dns.cache_size }}

{% endif %}
# Never forward plain names (without a dot or domain part)
domain-needed

# Never forward addresses in the non-routed address spaces.
bogus-priv

# We don't want dnsmasq to poll /etc/resolv.conf or other resolv files for changes, we will manually tell it to do so with a refresh
no-poll
{% else %}
# DNS is disabled
port=0
{% endif %}

# Shared configuration

# Interfaces used for DHCP & DNS
{% for net in private %}
interface={{ net.interface }}
{% endfor %}

{% if dhcp.provider == 'dnsmasq' %}
# DHCP specific configuration

{% for net in private %}
# DHCP range for {{ net.interface }}: {{ net.dhcp.min }}-{{ net.dhcp.max }}
dhcp-range={{ net.dhcp.min }},{{ net.dhcp.max }},{{ net.dhcp.ttl }}

{% endfor %}
# Read /etc/ethers for static allocation map
read-ethers

{% if ntp.address is defined %}
# Set the NTP time server addresses to {{ ntp.address }}
dhcp-option=option:ntp-server,{{ ntp.address }}

{% endif %}
# This should be the authoritative DHCP server on the network
dhcp-authoritative
{% else %}
# DHCP is disabled
{% endif %}
--------------------------------------------------------------------------------
/roles/dhcpdns/templates/powerdns-recursor.conf:
--------------------------------------------------------------------------------
{{ configuration_header }}

# Autogenerated configuration file template
#################################
# allow-from  If set, only allow these comma separated netmasks to recurse
#
# allow-from=127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10

#################################
# allow-from-file  If set, load allowed netmasks from this file
#
# allow-from-file=

#################################
# any-to-tcp  Answer ANY queries with tc=1, shunting to TCP
#
# any-to-tcp=no

#################################
# api-config-dir  Directory where REST API stores config and zones
#
# api-config-dir=

#################################
# api-key  Static pre-shared authentication key for access to the REST API
#
# api-key=

#################################
# api-logfile  Location of the server logfile (used by the REST API)
#
# api-logfile=/var/log/pdns.log

#################################
# api-readonly  Disallow data modification through the REST API when set
#
# api-readonly=no

#################################
# auth-zones  Zones for which we have authoritative data, comma separated domain=file pairs
#
# auth-zones=

#################################
# carbon-interval  Number of seconds between carbon (graphite) updates
#
# carbon-interval=30

#################################
# carbon-ourname  If set, overrides our reported hostname for carbon stats
#
# carbon-ourname=

#################################
# carbon-server  If set, send metrics in carbon (graphite) format to this server IP address
#
# carbon-server=

#################################
# chroot  switch to chroot jail
#
# chroot=

#################################
# client-tcp-timeout  Timeout in seconds when talking to TCP clients
#
# client-tcp-timeout=2

#################################
# config-dir  Location of configuration directory (recursor.conf)
#
# config-dir=/opt/local/etc

#################################
# config-name  Name of this virtual configuration - will rename the binary image
#
# config-name=

#################################
# cpu-map  Thread to CPU mapping, space separated thread-id=cpu1,cpu2..cpuN pairs
#
# cpu-map=

#################################
# daemon  Operate as a daemon
#
# daemon=no

################################# 90 | # delegation-only Which domains we only accept delegations from 91 | # 92 | # delegation-only= 93 | 94 | ################################# 95 | # disable-packetcache Disable packetcache 96 | # 97 | # disable-packetcache=no 98 | 99 | ################################# 100 | # disable-syslog Disable logging to syslog, useful when running inside a supervisor that logs stdout 101 | # 102 | # disable-syslog=no 103 | 104 | ################################# 105 | # distribution-load-factor The load factor used when PowerDNS is distributing queries to worker threads 106 | # 107 | # distribution-load-factor=0.0 108 | 109 | ################################# 110 | # dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate 111 | # 112 | # dnssec=process-no-validate 113 | 114 | ################################# 115 | # dnssec-log-bogus Log DNSSEC bogus validations 116 | # 117 | # dnssec-log-bogus=no 118 | 119 | ################################# 120 | # dont-query If set, do not query these netmasks for DNS data 121 | # 122 | # dont-query=127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10, 0.0.0.0/8, 192.0.0.0/24, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 240.0.0.0/4, ::/96, ::ffff:0:0/96, 100::/64, 2001:db8::/32 123 | 124 | ################################# 125 | # ecs-cache-limit-ttl Minimum TTL to cache ECS response 126 | # 127 | # ecs-cache-limit-ttl=0 128 | 129 | ################################# 130 | # ecs-ipv4-bits Number of bits of IPv4 address to pass for EDNS Client Subnet 131 | # 132 | # ecs-ipv4-bits=24 133 | 134 | ################################# 135 | # ecs-ipv4-cache-bits Maximum number of bits of IPv4 mask to cache ECS response 136 | # 137 | # ecs-ipv4-cache-bits=24 138 | 139 | ################################# 140 | # ecs-ipv6-bits Number of bits of IPv6 address to pass for EDNS Client Subnet 141 | # 142 | # ecs-ipv6-bits=56 143 | 
144 | ################################# 145 | # ecs-ipv6-cache-bits Maximum number of bits of IPv6 mask to cache ECS response 146 | # 147 | # ecs-ipv6-cache-bits=56 148 | 149 | ################################# 150 | # ecs-scope-zero-address Address to send to whitelisted authoritative servers for incoming queries with ECS prefix-length source of 0 151 | # 152 | # ecs-scope-zero-address= 153 | 154 | ################################# 155 | # edns-outgoing-bufsize Outgoing EDNS buffer size 156 | # 157 | # edns-outgoing-bufsize=1680 158 | 159 | ################################# 160 | # edns-subnet-whitelist List of netmasks and domains that we should enable EDNS subnet for 161 | # 162 | # edns-subnet-whitelist= 163 | 164 | ################################# 165 | # entropy-source If set, read entropy from this file 166 | # 167 | # entropy-source=/dev/urandom 168 | 169 | ################################# 170 | # etc-hosts-file Path to 'hosts' file 171 | # 172 | # etc-hosts-file=/etc/hosts 173 | 174 | ################################# 175 | # export-etc-hosts If we should serve up contents from /etc/hosts 176 | # 177 | # export-etc-hosts=off 178 | 179 | ################################# 180 | # export-etc-hosts-search-suffix Also serve up the contents of /etc/hosts with this suffix 181 | # 182 | # export-etc-hosts-search-suffix= 183 | 184 | ################################# 185 | # forward-zones Zones for which we forward queries, comma separated domain=ip pairs 186 | # 187 | # forward-zones= 188 | 189 | ################################# 190 | # forward-zones-file File with (+)domain=ip pairs for forwarding 191 | # 192 | # forward-zones-file= 193 | 194 | ################################# 195 | # forward-zones-recurse Zones for which we forward queries with recursion bit, comma separated domain=ip pairs 196 | # 197 | # forward-zones-recurse= 198 | 199 | ################################# 200 | # gettag-needs-edns-options If EDNS Options should be extracted before calling 
the gettag() hook 201 | # 202 | # gettag-needs-edns-options=no 203 | 204 | ################################# 205 | # hint-file If set, load root hints from this file 206 | # 207 | # hint-file= 208 | 209 | ################################# 210 | # include-dir Include *.conf files from this directory 211 | # 212 | # include-dir= 213 | 214 | ################################# 215 | # latency-statistic-size Number of latency values to calculate the qa-latency average 216 | # 217 | # latency-statistic-size=10000 218 | 219 | ################################# 220 | # local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports. 221 | # 222 | # local-address=127.0.0.1 223 | 224 | ################################# 225 | # local-port port to listen on 226 | # 227 | # local-port=53 228 | 229 | ################################# 230 | # log-common-errors If we should log rather common errors 231 | # 232 | # log-common-errors=no 233 | 234 | ################################# 235 | # log-rpz-changes Log additions and removals to RPZ zones at Info level 236 | # 237 | # log-rpz-changes=no 238 | 239 | ################################# 240 | # log-timestamp Print timestamps in log lines, useful to disable when running with a tool that timestamps stdout already 241 | # 242 | # log-timestamp=yes 243 | 244 | ################################# 245 | # logging-facility Facility to log messages as. 0 corresponds to local0 246 | # 247 | # logging-facility= 248 | 249 | ################################# 250 | # loglevel Amount of logging. Higher is more. 
Do not set below 3 251 | # 252 | # loglevel=6 253 | 254 | ################################# 255 | # lowercase-outgoing Force outgoing questions to lowercase 256 | # 257 | # lowercase-outgoing=no 258 | 259 | ################################# 260 | # lua-config-file More powerful configuration options 261 | # 262 | # lua-config-file= 263 | 264 | ################################# 265 | # lua-dns-script Filename containing an optional 'lua' script that will be used to modify dns answers 266 | # 267 | # lua-dns-script= 268 | 269 | ################################# 270 | # max-cache-entries If set, maximum number of entries in the main cache 271 | # 272 | # max-cache-entries=1000000 273 | 274 | ################################# 275 | # max-cache-ttl maximum number of seconds to keep a cached entry in memory 276 | # 277 | # max-cache-ttl=86400 278 | 279 | ################################# 280 | # max-mthreads Maximum number of simultaneous Mtasker threads 281 | # 282 | # max-mthreads=2048 283 | 284 | ################################# 285 | # max-negative-ttl maximum number of seconds to keep a negative cached entry in memory 286 | # 287 | # max-negative-ttl=3600 288 | 289 | ################################# 290 | # max-packetcache-entries maximum number of entries to keep in the packetcache 291 | # 292 | # max-packetcache-entries=500000 293 | 294 | ################################# 295 | # max-qperq Maximum outgoing queries per query 296 | # 297 | # max-qperq=50 298 | 299 | ################################# 300 | # max-recursion-depth Maximum number of internal recursion calls per query, 0 for unlimited 301 | # 302 | # max-recursion-depth=40 303 | 304 | ################################# 305 | # max-tcp-clients Maximum number of simultaneous TCP clients 306 | # 307 | # max-tcp-clients=128 308 | 309 | ################################# 310 | # max-tcp-per-client If set, maximum number of TCP sessions per client (IP address) 311 | # 312 | # max-tcp-per-client=0 313 | 314 | 
################################# 315 | # max-tcp-queries-per-connection If set, maximum number of TCP queries in a TCP connection 316 | # 317 | # max-tcp-queries-per-connection=0 318 | 319 | ################################# 320 | # max-total-msec Maximum total wall-clock time per query in milliseconds, 0 for unlimited 321 | # 322 | # max-total-msec=7000 323 | 324 | ################################# 325 | # max-udp-queries-per-round Maximum number of UDP queries processed per recvmsg() round, before returning back to normal processing 326 | # 327 | # max-udp-queries-per-round=10000 328 | 329 | ################################# 330 | # minimum-ttl-override Set under adverse conditions, a minimum TTL 331 | # 332 | # minimum-ttl-override=0 333 | 334 | ################################# 335 | # network-timeout Wait this number of milliseconds for network i/o 336 | # 337 | # network-timeout=1500 338 | 339 | ################################# 340 | # no-shuffle Don't change 341 | # 342 | # no-shuffle=off 343 | 344 | ################################# 345 | # non-local-bind Enable binding to non-local addresses by using FREEBIND / BINDANY socket options 346 | # 347 | # non-local-bind=no 348 | 349 | ################################# 350 | # nsec3-max-iterations Maximum number of iterations allowed for an NSEC3 record 351 | # 352 | # nsec3-max-iterations=2500 353 | 354 | ################################# 355 | # packetcache-servfail-ttl maximum number of seconds to keep a cached servfail entry in packetcache 356 | # 357 | # packetcache-servfail-ttl=60 358 | 359 | ################################# 360 | # packetcache-ttl maximum number of seconds to keep a cached entry in packetcache 361 | # 362 | # packetcache-ttl=3600 363 | 364 | ################################# 365 | # pdns-distributes-queries If PowerDNS itself should distribute queries over threads 366 | # 367 | # pdns-distributes-queries=yes 368 | 369 | ################################# 370 | # processes Launch this 
number of processes (EXPERIMENTAL, DO NOT CHANGE) 371 | # 372 | # processes=1 373 | 374 | ################################# 375 | # query-local-address Source IP address for sending queries 376 | # 377 | # query-local-address=0.0.0.0 378 | 379 | ################################# 380 | # query-local-address6 Source IPv6 address for sending queries. IF UNSET, IPv6 WILL NOT BE USED FOR OUTGOING QUERIES 381 | # 382 | # query-local-address6= 383 | 384 | ################################# 385 | # quiet Suppress logging of questions and answers 386 | # 387 | # quiet= 388 | 389 | ################################# 390 | # reuseport Enable SO_REUSEPORT allowing multiple recursors processes to listen to 1 address 391 | # 392 | # reuseport=no 393 | 394 | ################################# 395 | # root-nx-trust If set, believe that an NXDOMAIN from the root means the TLD does not exist 396 | # 397 | # root-nx-trust=yes 398 | 399 | ################################# 400 | # security-poll-suffix Domain name from which to query security update notifications 401 | # 402 | # security-poll-suffix=secpoll.powerdns.com. 
403 | 404 | ################################# 405 | # serve-rfc1918 If we should be authoritative for RFC 1918 private IP space 406 | # 407 | # serve-rfc1918=yes 408 | 409 | ################################# 410 | # server-down-max-fails Maximum number of consecutive timeouts (and unreachables) to mark a server as down ( 0 => disabled ) 411 | # 412 | # server-down-max-fails=64 413 | 414 | ################################# 415 | # server-down-throttle-time Number of seconds to throttle all queries to a server after being marked as down 416 | # 417 | # server-down-throttle-time=60 418 | 419 | ################################# 420 | # server-id Returned when queried for 'id.server' TXT or NSID, defaults to hostname 421 | # 422 | # server-id= 423 | 424 | ################################# 425 | # setgid If set, change group id to this gid for more security 426 | # 427 | # setgid= 428 | 429 | ################################# 430 | # setuid If set, change user id to this uid for more security 431 | # 432 | # setuid= 433 | 434 | ################################# 435 | # signature-inception-skew Allow the signature inception to be off by this number of seconds 436 | # 437 | # signature-inception-skew=0 438 | 439 | ################################# 440 | # single-socket If set, only use a single socket for outgoing queries 441 | # 442 | # single-socket=off 443 | 444 | ################################# 445 | # snmp-agent If set, register as an SNMP agent 446 | # 447 | # snmp-agent=no 448 | 449 | ################################# 450 | # snmp-master-socket If set and snmp-agent is set, the socket to use to register to the SNMP master 451 | # 452 | # snmp-master-socket= 453 | 454 | ################################# 455 | # soa-minimum-ttl Don't change 456 | # 457 | # soa-minimum-ttl=0 458 | 459 | ################################# 460 | # socket-dir Where the controlsocket will live, /var/run when unset and not chrooted 461 | # 462 | # socket-dir= 463 | 464 | 
################################# 465 | # socket-group Group of socket 466 | # 467 | # socket-group= 468 | 469 | ################################# 470 | # socket-mode Permissions for socket 471 | # 472 | # socket-mode= 473 | 474 | ################################# 475 | # socket-owner Owner of socket 476 | # 477 | # socket-owner= 478 | 479 | ################################# 480 | # spoof-nearmiss-max If non-zero, assume spoofing after this many near misses 481 | # 482 | # spoof-nearmiss-max=20 483 | 484 | ################################# 485 | # stack-size stack size per mthread 486 | # 487 | # stack-size=200000 488 | 489 | ################################# 490 | # statistics-interval Number of seconds between printing of recursor statistics, 0 to disable 491 | # 492 | # statistics-interval=1800 493 | 494 | ################################# 495 | # stats-ringbuffer-entries maximum number of packets to store statistics for 496 | # 497 | # stats-ringbuffer-entries=10000 498 | 499 | ################################# 500 | # tcp-fast-open Enable TCP Fast Open support on the listening sockets, using the supplied numerical value as the queue size 501 | # 502 | # tcp-fast-open=0 503 | 504 | ################################# 505 | # threads Launch this number of threads 506 | # 507 | # threads=2 508 | 509 | ################################# 510 | # trace if we should output heaps of logging. 
set to 'fail' to only log failing domains 511 | # 512 | # trace=off 513 | 514 | ################################# 515 | # udp-truncation-threshold Maximum UDP response size before we truncate 516 | # 517 | # udp-truncation-threshold=1680 518 | 519 | ################################# 520 | # use-incoming-edns-subnet Pass along received EDNS Client Subnet information 521 | # 522 | # use-incoming-edns-subnet=no 523 | 524 | ################################# 525 | # version-string string reported on version.pdns or version.bind 526 | # 527 | # version-string=PowerDNS Recursor 4.1.12 (built Jul 1 2019 23:30:39 by pbulk@pkgsrc-pbulk-2014Q4-1.local.) 528 | 529 | ################################# 530 | # webserver Start a webserver (for REST API) 531 | # 532 | # webserver=no 533 | 534 | ################################# 535 | # webserver-address IP Address of webserver to listen on 536 | # 537 | # webserver-address=127.0.0.1 538 | 539 | ################################# 540 | # webserver-allow-from Webserver access is only allowed from these subnets 541 | # 542 | # webserver-allow-from=127.0.0.1,::1 543 | 544 | ################################# 545 | # webserver-password Password required for accessing the webserver 546 | # 547 | # webserver-password= 548 | 549 | ################################# 550 | # webserver-port Port of webserver to listen on 551 | # 552 | # webserver-port=8082 553 | 554 | ################################# 555 | # write-pid Write a PID file 556 | # 557 | # write-pid=yes 558 | 559 | 560 | -------------------------------------------------------------------------------- /roles/dhcpdns/templates/unbound.conf: -------------------------------------------------------------------------------- 1 | {{ configuration_header }} 2 | # See unbound.conf(5) man page, version 1.10.0. 3 | 4 | server: 5 | # verbosity number, 0 is least verbose. 1 is default. 6 | verbosity: 1 7 | 8 | # print statistics to the log (for every thread) every N seconds. 
9 | # Set to "" or 0 to disable. Default is disabled. 10 | # statistics-interval: 0 11 | 12 | # enable shm for stats, default no. if you enable also enable 13 | # statistics-interval, every time it also writes stats to the 14 | # shared memory segment keyed with shm-key. 15 | # shm-enable: no 16 | 17 | # shm for stats uses this key, and key+1 for the shared mem segment. 18 | # shm-key: 11777 19 | 20 | # enable cumulative statistics, without clearing them after printing. 21 | # statistics-cumulative: no 22 | 23 | # enable extended statistics (query types, answer codes, status) 24 | # printed from unbound-control. default off, because of speed. 25 | # extended-statistics: no 26 | 27 | # number of threads to create. 1 disables threading. 28 | # num-threads: 1 29 | 30 | # specify the interfaces to answer queries from by ip-address. 31 | # The default is to listen to localhost (127.0.0.1 and ::1). 32 | # specify 0.0.0.0 and ::0 to bind to all available interfaces. 33 | # specify every interface[@port] on a new 'interface:' labelled line. 34 | # The listen interfaces are not changed on reload, only on restart. 35 | # interface: 192.0.2.153 36 | # interface: 192.0.2.154 37 | # interface: 192.0.2.154@5003 38 | # interface: 2001:DB8::5 39 | 40 | # enable this feature to copy the source address of queries to reply. 41 | # Socket options are not supported on all platforms. experimental. 42 | # interface-automatic: no 43 | 44 | # port to answer queries from 45 | # port: 53 46 | 47 | # specify the interfaces to send outgoing queries to authoritative 48 | # server from by ip-address. If none, the default (all) interface 49 | # is used. Specify every interface on a 'outgoing-interface:' line. 50 | # outgoing-interface: 192.0.2.153 51 | # outgoing-interface: 2001:DB8::5 52 | # outgoing-interface: 2001:DB8::6 53 | 54 | # Specify a netblock to use remainder 64 bits as random bits for 55 | # upstream queries. Uses freebind option (Linux). 
56 | # outgoing-interface: 2001:DB8::/64 57 | # Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo 58 | # And: ip -6 route add local 2001:db8::/64 dev lo 59 | # And set prefer-ip6: yes to use the ip6 randomness from a netblock. 60 | # Set this to yes to prefer ipv6 upstream servers over ipv4. 61 | # prefer-ip6: no 62 | 63 | # number of ports to allocate per thread, determines the size of the 64 | # port range that can be open simultaneously. About double the 65 | # num-queries-per-thread, or, use as many as the OS will allow you. 66 | # outgoing-range: 4096 67 | 68 | # permit unbound to use this port number or port range for 69 | # making outgoing queries, using an outgoing interface. 70 | # outgoing-port-permit: 32768 71 | 72 | # deny unbound the use this of port number or port range for 73 | # making outgoing queries, using an outgoing interface. 74 | # Use this to make sure unbound does not grab a UDP port that some 75 | # other server on this computer needs. The default is to avoid 76 | # IANA-assigned port numbers. 77 | # If multiple outgoing-port-permit and outgoing-port-avoid options 78 | # are present, they are processed in order. 79 | # outgoing-port-avoid: "3200-3208" 80 | 81 | # number of outgoing simultaneous tcp buffers to hold per thread. 82 | # outgoing-num-tcp: 10 83 | 84 | # number of incoming simultaneous tcp buffers to hold per thread. 85 | # incoming-num-tcp: 10 86 | 87 | # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). 88 | # 0 is system default. Use 4m to catch query spikes for busy servers. 89 | # so-rcvbuf: 0 90 | 91 | # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option). 92 | # 0 is system default. Use 4m to handle spikes on very busy servers. 93 | # so-sndbuf: 0 94 | 95 | # use SO_REUSEPORT to distribute queries over threads. 96 | # at extreme load it could be better to turn it off to distribute even. 
97 | # so-reuseport: yes 98 | 99 | # use IP_TRANSPARENT so the interface: addresses can be non-local 100 | # and you can config non-existing IPs that are going to work later on 101 | # (uses IP_BINDANY on FreeBSD). 102 | # ip-transparent: no 103 | 104 | # use IP_FREEBIND so the interface: addresses can be non-local 105 | # and you can bind to nonexisting IPs and interfaces that are down. 106 | # Linux only. On Linux you also have ip-transparent that is similar. 107 | # ip-freebind: no 108 | 109 | # EDNS reassembly buffer to advertise to UDP peers (the actual buffer 110 | # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts) 111 | # edns-buffer-size: 4096 112 | 113 | # Maximum UDP response size (not applied to TCP response). 114 | # Suggested values are 512 to 4096. Default is 4096. 65536 disables it. 115 | # max-udp-size: 4096 116 | 117 | # max memory to use for stream(tcp and tls) waiting result buffers. 118 | # stream-wait-size: 4m 119 | 120 | # buffer size for handling DNS data. No messages larger than this 121 | # size can be sent or received, by UDP or TCP. In bytes. 122 | # msg-buffer-size: 65552 123 | 124 | # the amount of memory to use for the message cache. 125 | # plain value in bytes or you can append k, m or G. default is "4Mb". 126 | # msg-cache-size: 4m 127 | 128 | # the number of slabs to use for the message cache. 129 | # the number of slabs must be a power of 2. 130 | # more slabs reduce lock contention, but fragment memory usage. 131 | # msg-cache-slabs: 4 132 | 133 | # the number of queries that a thread gets to service. 134 | # num-queries-per-thread: 1024 135 | 136 | # if very busy, 50% queries run to completion, 50% get timeout in msec 137 | # jostle-timeout: 200 138 | 139 | # msec to wait before close of port on timeout UDP. 0 disables. 140 | # delay-close: 0 141 | 142 | # msec for waiting for an unknown server to reply. Increase if you 143 | # are behind a slow satellite link, to eg. 1128. 
144 | # unknown-server-time-limit: 376 145 | 146 | # the amount of memory to use for the RRset cache. 147 | # plain value in bytes or you can append k, m or G. default is "4Mb". 148 | # rrset-cache-size: 4m 149 | 150 | # the number of slabs to use for the RRset cache. 151 | # the number of slabs must be a power of 2. 152 | # more slabs reduce lock contention, but fragment memory usage. 153 | # rrset-cache-slabs: 4 154 | 155 | # the time to live (TTL) value lower bound, in seconds. Default 0. 156 | # If more than an hour could easily give trouble due to stale data. 157 | # cache-min-ttl: 0 158 | 159 | # the time to live (TTL) value cap for RRsets and messages in the 160 | # cache. Items are not cached for longer. In seconds. 161 | # cache-max-ttl: 86400 162 | 163 | # the time to live (TTL) value cap for negative responses in the cache 164 | # cache-max-negative-ttl: 3600 165 | 166 | # the time to live (TTL) value for cached roundtrip times, lameness and 167 | # EDNS version information for hosts. In seconds. 168 | # infra-host-ttl: 900 169 | 170 | # minimum wait time for responses, increase if uplink is long. In msec. 171 | # infra-cache-min-rtt: 50 172 | 173 | # the number of slabs to use for the Infrastructure cache. 174 | # the number of slabs must be a power of 2. 175 | # more slabs reduce lock contention, but fragment memory usage. 176 | # infra-cache-slabs: 4 177 | 178 | # the maximum number of hosts that are cached (roundtrip, EDNS, lame). 179 | # infra-cache-numhosts: 10000 180 | 181 | # define a number of tags here, use with local-zone, access-control. 182 | # repeat the define-tag statement to add additional tags. 183 | # define-tag: "tag1 tag2 tag3" 184 | 185 | # Enable IPv4, "yes" or "no". 186 | # do-ip4: yes 187 | 188 | # Enable IPv6, "yes" or "no". 189 | # do-ip6: yes 190 | 191 | # Enable UDP, "yes" or "no". 192 | # do-udp: yes 193 | 194 | # Enable TCP, "yes" or "no". 
195 | # do-tcp: yes 196 | 197 | # upstream connections use TCP only (and no UDP), "yes" or "no" 198 | # useful for tunneling scenarios, default no. 199 | # tcp-upstream: no 200 | 201 | # upstream connections also use UDP (even if do-udp is no). 202 | # useful if you want UDP upstream, but don't provide UDP downstream. 203 | # udp-upstream-without-downstream: no 204 | 205 | # Maximum segment size (MSS) of TCP socket on which the server 206 | # responds to queries. Default is 0, system default MSS. 207 | # tcp-mss: 0 208 | 209 | # Maximum segment size (MSS) of TCP socket for outgoing queries. 210 | # Default is 0, system default MSS. 211 | # outgoing-tcp-mss: 0 212 | 213 | # Idle TCP timeout, connection closed in milliseconds 214 | # tcp-idle-timeout: 30000 215 | 216 | # Enable EDNS TCP keepalive option. 217 | # edns-tcp-keepalive: no 218 | 219 | # Timeout for EDNS TCP keepalive, in msec. 220 | # edns-tcp-keepalive-timeout: 120000 221 | 222 | # Use systemd socket activation for UDP, TCP, and control sockets. 223 | # use-systemd: no 224 | 225 | # Detach from the terminal, run in background, "yes" or "no". 226 | # Set the value to "no" when unbound runs as systemd service. 227 | # do-daemonize: yes 228 | 229 | # control which clients are allowed to make (recursive) queries 230 | # to this server. Specify classless netblocks with /size and action. 231 | # By default everything is refused, except for localhost. 232 | # Choose deny (drop message), refuse (polite error reply), 233 | # allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on), 234 | # allow_snoop (recursive and nonrecursive ok) 235 | # deny_non_local (drop queries unless can be answered from local-data) 236 | # refuse_non_local (like deny_non_local but polite error reply). 
237 | # access-control: 0.0.0.0/0 refuse 238 | # access-control: 127.0.0.0/8 allow 239 | # access-control: ::0/0 refuse 240 | # access-control: ::1 allow 241 | # access-control: ::ffff:127.0.0.1 allow 242 | 243 | # tag access-control with list of tags (in "" with spaces between) 244 | # Clients using this access control element use localzones that 245 | # are tagged with one of these tags. 246 | # access-control-tag: 192.0.2.0/24 "tag2 tag3" 247 | 248 | # set action for particular tag for given access control element 249 | # if you have multiple tag values, the tag used to lookup the action 250 | # is the first tag match between access-control-tag and local-zone-tag 251 | # where "first" comes from the order of the define-tag values. 252 | # access-control-tag-action: 192.0.2.0/24 tag3 refuse 253 | 254 | # set redirect data for particular tag for access control element 255 | # access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1" 256 | 257 | # Set view for access control element 258 | # access-control-view: 192.0.2.0/24 viewname 259 | 260 | # if given, a chroot(2) is done to the given directory. 261 | # i.e. you can chroot to the working directory, for example, 262 | # for extra security, but make sure all files are in that directory. 263 | # 264 | # If chroot is enabled, you should pass the configfile (from the 265 | # commandline) as a full path from the original root. After the 266 | # chroot has been performed the now defunct portion of the config 267 | # file path is removed to be able to reread the config after a reload. 268 | # 269 | # All other file paths (working dir, logfile, roothints, and 270 | # key files) can be specified in several ways: 271 | # o as an absolute path relative to the new root. 272 | # o as a relative path to the working directory. 273 | # o as an absolute path relative to the original root. 274 | # In the last case the path is adjusted to remove the unused portion. 
275 | # 276 | # The pid file can be absolute and outside of the chroot, it is 277 | # written just prior to performing the chroot and dropping permissions. 278 | # 279 | # Additionally, unbound may need to access /dev/urandom (for entropy). 280 | # How to do this is specific to your OS. 281 | # 282 | # If you give "" no chroot is performed. The path must not end in a /. 283 | # chroot: "/opt/local/etc/unbound" 284 | 285 | # if given, user privileges are dropped (after binding port), 286 | # and the given username is assumed. Default is user "unbound". 287 | # If you give "" no privileges are dropped. 288 | # username: "unbound" 289 | 290 | # the working directory. The relative files in this config are 291 | # relative to this directory. If you give "" the working directory 292 | # is not changed. 293 | # If you give a server: directory: dir before include: file statements 294 | # then those includes can be relative to the working directory. 295 | # directory: "/opt/local/etc/unbound" 296 | 297 | # the log file, "" means log to stderr. 298 | # Use of this option sets use-syslog to "no". 299 | # logfile: "" 300 | 301 | # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to 302 | # log to. If yes, it overrides the logfile. 303 | # use-syslog: yes 304 | 305 | # Log identity to report. if empty, defaults to the name of argv[0] 306 | # (usually "unbound"). 307 | # log-identity: "" 308 | 309 | # print UTC timestamp in ascii to logfile, default is epoch in seconds. 310 | # log-time-ascii: no 311 | 312 | # print one line with time, IP, name, type, class for every query. 313 | # log-queries: no 314 | 315 | # print one line per reply, with time, IP, name, type, class, rcode, 316 | # timetoresolve, fromcache and responsesize. 317 | # log-replies: no 318 | 319 | # log with tag 'query' and 'reply' instead of 'info' for 320 | # filtering log-queries and log-replies from the log. 
# log-tag-queryreply: no

# log the local-zone actions, like local-zone type inform is enabled
# also for the other local zone types.
# log-local-actions: no

# print log lines that say why queries return SERVFAIL to clients.
# log-servfail: no

# the pid file. Can be an absolute path outside of chroot/work dir.
# pidfile: "/var/run/unbound/unbound.pid"

# file to read root hints from.
# get one from https://www.internic.net/domain/named.cache
# root-hints: ""

# enable to not answer id.server and hostname.bind queries.
# hide-identity: no

# enable to not answer version.server and version.bind queries.
# hide-version: no

# enable to not answer trustanchor.unbound queries.
# hide-trustanchor: no

# the identity to report. Leave "" or default to return hostname.
# identity: ""

# the version to report. Leave "" or default to return package version.
# version: ""

# the target fetch policy.
# series of integers describing the policy per dependency depth.
# The number of values in the list determines the maximum dependency
# depth the recursor will pursue before giving up. Each integer means:
# -1 : fetch all targets opportunistically,
# 0: fetch on demand,
# positive value: fetch that many targets opportunistically.
# Enclose the list of numbers between quotes ("").
# target-fetch-policy: "3 2 1 0 0"

# Harden against very small EDNS buffer sizes.
# harden-short-bufsize: no

# Harden against unseemly large queries.
# harden-large-queries: no

# Harden against out of zone rrsets, to avoid spoofing attempts.
# harden-glue: yes

# Harden against receiving dnssec-stripped data. If you turn it
# off, failing to validate dnskey data for a trustanchor will
# trigger insecure mode for that zone (like without a trustanchor).
# Default on, which insists on dnssec data for trust-anchored zones.
# harden-dnssec-stripped: yes

# Harden against queries that fall under dnssec-signed nxdomain names.
# harden-below-nxdomain: yes

# Harden the referral path by performing additional queries for
# infrastructure data. Validates the replies (if possible).
# Default off, because the lookups burden the server. Experimental
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
# harden-referral-path: no

# Harden against algorithm downgrade when multiple algorithms are
# advertised in the DS record. If no, allows the weakest algorithm
# to validate the zone.
# harden-algo-downgrade: no

# Send the minimum amount of information to upstream servers to enhance
# privacy. Only send the minimum required labels of the QNAME and set QTYPE
# to A when possible.
# qname-minimisation: yes

# QNAME minimisation in strict mode. Do not fall back to sending the full
# QNAME to potentially broken nameservers. A lot of domains will not be
# resolvable when this option is enabled.
# This option only has effect when qname-minimisation is enabled.
# qname-minimisation-strict: no

# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
# and other denials, using information from previous NXDOMAIN answers.
# aggressive-nsec: no

# Use 0x20-encoded random bits in the query to foil spoof attempts.
# This feature is an experimental implementation of draft dns-0x20.
# use-caps-for-id: no

# Domains (and domains in them) that do not support dns-0x20 and for
# which the fallback fails because they keep sending different answers.
# caps-whitelist: "licdn.com"
# caps-whitelist: "senderbase.org"

# Enforce privacy of these addresses. Strips them away from answers.
# It may cause DNSSEC validation to additionally mark it as bogus.
# Protects against 'DNS Rebinding' (uses browser as network proxy).
# Only 'private-domain' and 'local-data' names are allowed to have
# these private addresses. No default.
# private-address: 10.0.0.0/8
# private-address: 172.16.0.0/12
# private-address: 192.168.0.0/16
# private-address: 169.254.0.0/16
# private-address: fd00::/8
# private-address: fe80::/10
# private-address: ::ffff:0:0/96

# Allow the domain (and its subdomains) to contain private addresses.
# local-data statements are allowed to contain private addresses too.
# private-domain: "example.com"

# If nonzero, unwanted replies are not only reported in statistics,
# but also a running total is kept per thread. If it reaches the
# threshold, a warning is printed and a defensive action is taken,
# the cache is cleared to flush potential poison out of it.
# A suggested value is 10000000, the default is 0 (turned off).
# unwanted-reply-threshold: 0

# Do not query the following addresses. No DNS queries are sent there.
# List one address per entry. List classless netblocks with /size,
# do-not-query-address: 127.0.0.1/8
# do-not-query-address: ::1

# if yes, the above default do-not-query-address entries are present.
# if no, localhost can be queried (for testing and debugging).
# do-not-query-localhost: yes

# if yes, perform prefetching of almost expired message cache entries.
# prefetch: no

# if yes, perform key lookups adjacent to normal lookups.
# prefetch-key: no

# deny queries of type ANY with an empty response.
# deny-any: no

# if yes, Unbound rotates RRSet order in response.
# rrset-roundrobin: no

# if yes, Unbound doesn't insert authority/additional sections
# into response messages when those sections are not required.
# minimal-responses: yes

# true to disable DNSSEC lameness check in iterator.
# disable-dnssec-lame-check: no

# module configuration of the server. A string with identifiers
# separated by spaces. Syntax: "[dns64] [validator] iterator"
# most modules have to be listed at the beginning of the line,
# except cachedb(just before iterator), and python (at the beginning,
# or, just before the iterator).
# module-config: "validator iterator"

# File with trusted keys, kept up to date using RFC5011 probes,
# initial file like trust-anchor-file, then it stores metadata.
# Use several entries, one per domain name, to track multiple zones.
#
# If you want to perform DNSSEC validation, run unbound-anchor before
# you start unbound (i.e. in the system boot scripts). And enable:
# Please note usage of unbound-anchor root anchor is at your own risk
# and under the terms of our LICENSE (see that file in the source).
# auto-trust-anchor-file: "/opt/local/etc/unbound/root.key"

# trust anchor signaling sends a RFC8145 key tag query after priming.
# trust-anchor-signaling: yes

# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
# root-key-sentinel: yes

# File with DLV trusted keys. Same format as trust-anchor-file.
# There can be only one DLV configured, it is trusted from root down.
# DLV is going to be decommissioned. Please do not use it any more.
# dlv-anchor-file: "dlv.isc.org.key"

# File with trusted keys for validation. Specify more than one file
# with several entries, one file per entry.
# Zone file format, with DS and DNSKEY entries.
# Note this gets out of date, use auto-trust-anchor-file please.
# trust-anchor-file: ""

# Trusted key for validation. DS or DNSKEY. specify the RR on a
# single line, surrounded by "". TTL is ignored. class is IN default.
# Note this gets out of date, use auto-trust-anchor-file please.
# (These examples are from August 2007 and may not be valid anymore).
# trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
# trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"

# File with trusted keys for validation. Specify more than one file
# with several entries, one file per entry. Like trust-anchor-file
# but has a different file format. Format is BIND-9 style format,
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
# you need external update procedures to track changes in keys.
# trusted-keys-file: ""

# Ignore chain of trust. Domain is treated as insecure.
# domain-insecure: "example.com"

# Override the date for validation with a specific fixed date.
# Do not set this unless you are debugging signature inception
# and expiration. "" or "0" turns the feature off. -1 ignores date.
# val-override-date: ""

# The time to live for bogus data, rrsets and messages. This avoids
# some of the revalidation, until the time interval expires. in secs.
# val-bogus-ttl: 60

# The signature inception and expiration dates are allowed to be off
# by 10% of the signature lifetime (expir-incep) from our local clock.
# This leeway is capped with a minimum and a maximum. In seconds.
# val-sig-skew-min: 3600
# val-sig-skew-max: 86400

# Should additional section of secure message also be kept clean of
# unsecure data. Useful to shield the users of this validator from
# potential bogus data in the additional section. All unsigned data
# in the additional section is removed from secure messages.
# val-clean-additional: yes

# Turn permissive mode on to permit bogus messages. Thus, messages
# for which security checks failed will be returned to clients,
# instead of SERVFAIL. It still performs the security checks, which
# result in interesting log files and possibly the AD bit in
# replies if the message is found secure. The default is off.
# val-permissive-mode: no

# Ignore the CD flag in incoming queries and refuse them bogus data.
# Enable it if the only clients of unbound are legacy servers (w2008)
# that set CD but cannot validate themselves.
# ignore-cd-flag: no

# Serve expired responses from cache, with serve-expired-reply-ttl in
# the response, and then attempt to fetch the data afresh.
# serve-expired: no
#
# Limit serving of expired responses to configured seconds after
# expiration. 0 disables the limit.
# serve-expired-ttl: 0
#
# Set the TTL of expired records to the serve-expired-ttl value after a
# failed attempt to retrieve the record from upstream. This makes sure
# that the expired records will be served as long as there are queries
# for it.
# serve-expired-ttl-reset: no
#
# TTL value to use when replying with expired data.
# serve-expired-reply-ttl: 30
#
# Time in milliseconds before replying to the client with expired data.
# This essentially enables the serve-stale behavior as specified in
# draft-ietf-dnsop-serve-stale-10 that first tries to resolve before
# immediately responding with expired data. 0 disables this behavior.
# A recommended value is 1800.
# serve-expired-client-timeout: 0

# Have the validator log failed validations for your diagnosis.
# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
# val-log-level: 0

# It is possible to configure NSEC3 maximum iteration counts per
# keysize. Keep this table very short, as linear search is done.
# A message with an NSEC3 with larger count is marked insecure.
# List in ascending order the keysize and count values.
# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"

# instruct the auto-trust-anchor-file probing to add anchors after ttl.
# add-holddown: 2592000 # 30 days

# instruct the auto-trust-anchor-file probing to del anchors after ttl.
# del-holddown: 2592000 # 30 days

# auto-trust-anchor-file probing removes missing anchors after ttl.
# If the value 0 is given, missing anchors are not removed.
# keep-missing: 31622400 # 366 days

# debug option that allows very small holddown times for key rollover,
# otherwise the RFC mandates probe intervals must be at least 1 hour.
# permit-small-holddown: no

# the amount of memory to use for the key cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
# key-cache-size: 4m

# the number of slabs to use for the key cache.
# the number of slabs must be a power of 2.
# more slabs reduce lock contention, but fragment memory usage.
# key-cache-slabs: 4

# the amount of memory to use for the negative cache (used for DLV).
# plain value in bytes or you can append k, m or G. default is "1Mb".
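The harden-*, qname-minimisation, use-caps-for-id, hide-*, private-address and validator options documented above are the ones that decide whether this resolver can be spoofed, fingerprinted or used for DNS rebinding. As an added example (not code from the ansible-smartos-tricks repository), the Python script below parses the server: clause of an unbound.conf and reports where it deviates from a hardened baseline. The baseline values are this script's own assumptions, the "default" column copies the commented-out values of the template above, and both sample configurations are constructed for illustration.

```python
"""Audit an unbound.conf server: clause against a hardening baseline.

Added example, not code from the ansible-smartos-tricks repository. BASELINE
targets are assumptions for a hardened recursive resolver; the "default"
column copies the commented-out values in the template above.
"""
import re
from typing import Dict, List, Tuple

# option -> (wanted value, documented default, why it matters)
BASELINE: Dict[str, Tuple[str, str, str]] = {
    "harden-glue": ("yes", "yes", "out-of-zone RRsets are a classic spoofing vector"),
    "harden-dnssec-stripped": ("yes", "yes", "stripped DNSKEY data must not downgrade to insecure"),
    "harden-below-nxdomain": ("yes", "yes", "names under a proven NXDOMAIN need no upstream query"),
    "harden-algo-downgrade": ("yes", "no", "the weakest DS algorithm must not validate the zone"),
    "qname-minimisation": ("yes", "yes", "each upstream only learns the labels it serves"),
    "use-caps-for-id": ("yes", "no", "0x20 case randomisation adds entropy against spoofed replies"),
    "hide-identity": ("yes", "no", "id.server / hostname.bind reveal the host"),
    "hide-version": ("yes", "no", "version.server / version.bind reveal the software"),
    "val-permissive-mode": ("no", "no", "bogus answers must SERVFAIL, not reach clients"),
    "unwanted-reply-threshold": ("10000000", "0", "clear the cache after a flood of unsolicited replies"),
}
_SETTING = re.compile(r"^\s*([a-z0-9-]+)\s*:\s*(.*?)\s*$")  # "option: value"


def parse_server_section(text: str) -> Dict[str, List[str]]:
    """{option: [values in file order]} for the server: clause.

    '#' comments are dropped, quotes stripped, and repeated options such as
    private-address accumulate. A bare "name:" line opens a new clause.
    """
    settings: Dict[str, List[str]] = {}
    in_server = False
    for raw in text.splitlines():
        m = _SETTING.match(raw.split("#", 1)[0])
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if value == "":  # clause header: server:, remote-control:, python:, ...
            in_server = key == "server"
        elif in_server:
            settings.setdefault(key, []).append(value.strip('"'))
    return settings


def audit(settings: Dict[str, List[str]]) -> List[str]:
    """One finding per deviation from BASELINE; an empty list means clean."""
    findings: List[str] = []
    for opt, (want, default, why) in BASELINE.items():
        got = settings.get(opt, [default])[-1]  # last occurrence wins
        if got != want:
            findings.append(f"{opt} is {got!r}, want {want!r}: {why}")
    if "private-address" not in settings:
        findings.append("private-address unset: private space in answers is not stripped (DNS rebinding)")
    modules = settings.get("module-config", ["validator iterator"])[-1].split()
    if "validator" not in modules:
        findings.append("module-config has no validator module: DNSSEC is not validated")
    elif not {"auto-trust-anchor-file", "trust-anchor-file", "trust-anchor"} & set(settings):
        findings.append("validator enabled but no trust anchor configured")
    return findings


# Constructed samples (not the template's settings): a weak clause beside
# the hardened one that passes the audit.
WEAK_CONF = """\
server:
    interface: 127.0.0.1
    module-config: "iterator"
    hide-identity: no
    harden-algo-downgrade: no
    val-permissive-mode: yes    # bogus data is handed to clients
remote-control:
    control-enable: no
"""
HARDENED_CONF = """\
server:
    interface: 127.0.0.1
    module-config: "validator iterator"
    auto-trust-anchor-file: "/opt/local/etc/unbound/root.key"
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-algo-downgrade: yes
    qname-minimisation: yes
    use-caps-for-id: yes
    val-permissive-mode: no
    unwanted-reply-threshold: 10000000
    private-address: 10.0.0.0/8
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    logfile: ""
remote-control:
    control-enable: no
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit(parse_server_section(conf))
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it against the rendered template (for example `python3 audit.py < /opt/local/etc/unbound/unbound.conf` after replacing the constructed samples with `sys.stdin.read()`) to see which of the commented-out options above are still at their permissive defaults; an option that is left unset is judged by the default the template documents for it, which is why the weak sample is flagged for hide-version and unwanted-reply-threshold without mentioning them.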
# neg-cache-size: 1m

# By default, for a number of zones a small default 'nothing here'
# reply is built-in. Query traffic is thus blocked. If you
# wish to serve such zone you can unblock them by uncommenting one
# of the nodefault statements below.
# You may also have to use domain-insecure: zone to make DNSSEC work,
# unless you have your own trust anchors for this zone.
# local-zone: "localhost." nodefault
# local-zone: "127.in-addr.arpa." nodefault
# local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
# local-zone: "onion." nodefault
# local-zone: "test." nodefault
# local-zone: "invalid." nodefault
# local-zone: "10.in-addr.arpa." nodefault
# local-zone: "16.172.in-addr.arpa." nodefault
# local-zone: "17.172.in-addr.arpa." nodefault
# local-zone: "18.172.in-addr.arpa." nodefault
# local-zone: "19.172.in-addr.arpa." nodefault
# local-zone: "20.172.in-addr.arpa." nodefault
# local-zone: "21.172.in-addr.arpa." nodefault
# local-zone: "22.172.in-addr.arpa." nodefault
# local-zone: "23.172.in-addr.arpa." nodefault
# local-zone: "24.172.in-addr.arpa." nodefault
# local-zone: "25.172.in-addr.arpa." nodefault
# local-zone: "26.172.in-addr.arpa." nodefault
# local-zone: "27.172.in-addr.arpa." nodefault
# local-zone: "28.172.in-addr.arpa." nodefault
# local-zone: "29.172.in-addr.arpa." nodefault
# local-zone: "30.172.in-addr.arpa." nodefault
# local-zone: "31.172.in-addr.arpa." nodefault
# local-zone: "168.192.in-addr.arpa." nodefault
# local-zone: "0.in-addr.arpa." nodefault
# local-zone: "254.169.in-addr.arpa." nodefault
# local-zone: "2.0.192.in-addr.arpa." nodefault
# local-zone: "100.51.198.in-addr.arpa." nodefault
# local-zone: "113.0.203.in-addr.arpa." nodefault
# local-zone: "255.255.255.255.in-addr.arpa." nodefault
# local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
# local-zone: "d.f.ip6.arpa." nodefault
# local-zone: "8.e.f.ip6.arpa." nodefault
# local-zone: "9.e.f.ip6.arpa." nodefault
# local-zone: "a.e.f.ip6.arpa." nodefault
# local-zone: "b.e.f.ip6.arpa." nodefault
# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.

# Add example.com into ipset
# local-zone: "example.com" ipset

# If unbound is running service for the local host then it is useful
# to perform lan-wide lookups to the upstream, and unblock the
# long list of local-zones above. If this unbound is a dns server
# for a network of computers, disabled is better and stops information
# leakage of local lan information.
# unblock-lan-zones: no

# The insecure-lan-zones option disables validation for
# these zones, as if they were all listed as domain-insecure.
# insecure-lan-zones: no

# a number of locally served zones can be configured.
# local-zone:
# local-data: ""
# o deny serves local data (if any), else, drops queries.
# o refuse serves local data (if any), else, replies with error.
# o static serves local data, else, nxdomain or nodata answer.
# o transparent gives local data, but resolves normally for other names
# o redirect serves the zone data for any subdomain in the zone.
# o nodefault can be used to normally resolve AS112 zones.
# o typetransparent resolves normally for other types and other names
# o inform acts like transparent, but logs client IP address
# o inform_deny drops queries and logs client IP address
# o inform_redirect redirects queries and logs client IP address
# o always_transparent, always_refuse, always_nxdomain, resolve in
# that way but ignore local data for that name
# o noview breaks out of that view towards global local-zones.
#
# defaults are localhost address, reverse for 127.0.0.1 and ::1
# and nxdomain for AS112 zones. If you configure one of these zones
# the default content is omitted, or you can omit it with 'nodefault'.
#
# If you configure local-data without specifying local-zone, by
# default a transparent local-zone is created for the data.
#
# You can add locally served data with
# local-zone: "local." static
# local-data: "mycomputer.local. IN A 192.0.2.51"
# local-data: 'mytext.local TXT "content of text record"'
#
# You can override certain queries with
# local-data: "adserver.example.com A 127.0.0.1"
#
# You can redirect a domain to a fixed address with
# (this makes example.com, www.example.com, etc, all go to 192.0.2.3)
# local-zone: "example.com" redirect
# local-data: "example.com A 192.0.2.3"
#
# Shorthand to make PTR records, "IPv4 name" or "IPv6 name".
# You can also add PTR records using local-data directly, but then
# you need to do the reverse notation yourself.
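Writing the reverse notation yourself, as the comment above says you must when using local-data instead of the local-data-ptr shorthand, is where typos creep in, and a PTR whose owner name does not sit inside the zone it was meant for is silently served as unrelated local data. As an added example (not code from the ansible-smartos-tricks repository), the helper below derives the in-addr.arpa and ip6.arpa names with Python's standard ipaddress module, emits the equivalent local-zone/local-data lines, and refuses a host that lies outside its netblock. The function names and the host list are assumptions made here.

```python
"""Generate reverse (PTR) local-zone/local-data lines for unbound.conf.

Added example, not code from the ansible-smartos-tricks repository. The
function names and the constructed HOSTS list are assumptions made here.
"""
import ipaddress
from typing import Iterable, List, Tuple


def reverse_zone(cidr: str) -> str:
    """Name of the in-addr.arpa / ip6.arpa zone that covers an aligned netblock.

    IPv4 prefixes must be octet-aligned (/8, /16, /24) and IPv6 prefixes
    nibble-aligned (multiple of 4); anything else has no single reverse zone.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        if net.prefixlen == 0 or net.prefixlen % 8:
            raise ValueError(f"{cidr}: IPv4 reverse zones need an octet-aligned prefix")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(labels)) + ".in-addr.arpa."
    if net.prefixlen == 0 or net.prefixlen % 4:
        raise ValueError(f"{cidr}: IPv6 reverse zones need a nibble-aligned prefix")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ptr_local_data(ip: str, name: str) -> str:
    """The local-data line equivalent to local-data-ptr: "<ip> <name>"."""
    rev = ipaddress.ip_address(ip).reverse_pointer  # e.g. 3.2.0.192.in-addr.arpa
    fqdn = name if name.endswith(".") else name + "."
    return f'local-data: "{rev}. PTR {fqdn}"'


def reverse_block(cidr: str, hosts: Iterable[Tuple[str, str]]) -> List[str]:
    """A static local-zone for the netblock plus one PTR per (ip, name).

    Every host must lie inside the netblock; a PTR declared outside its zone
    would otherwise be accepted as unrelated local data.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    lines = [f'local-zone: "{reverse_zone(cidr)}" static']
    for ip, name in hosts:
        if ipaddress.ip_address(ip) not in net:
            raise ValueError(f"{ip} is not inside {cidr}")
        lines.append(ptr_local_data(ip, name))
    return lines


# Constructed sample hosts in the documentation range 192.0.2.0/24.
HOSTS = [("192.0.2.3", "www.example.com"), ("192.0.2.51", "mycomputer.local")]

if __name__ == "__main__":
    print("\n".join(reverse_block("192.0.2.0/24", HOSTS)))
    print(ptr_local_data("2001:db8::1", "v6.example.com"))
```

The zone names it produces for 10.0.0.0/8, 192.0.2.0/24 and 2001:db8::/32 are exactly the "10.in-addr.arpa.", "2.0.192.in-addr.arpa." and "8.b.d.0.1.0.0.2.ip6.arpa." entries in the nodefault list above, which is a handy cross-check: a reverse zone you serve locally must also be released from its AS112 default with nodefault, as that list explains.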
# local-data-ptr: "192.0.2.3 www.example.com"

# tag a localzone with a list of tag names (in "" with spaces between)
# local-zone-tag: "example.com" "tag2 tag3"

# add a netblock specific override to a localzone, with zone type
# local-zone-override: "example.com" 192.0.2.0/24 refuse

# service clients over TLS (on the TCP sockets), with plain DNS inside
# the TLS stream. Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect.
# tls-service-key: "path/to/privatekeyfile.key"
# tls-service-pem: "path/to/publiccertfile.pem"
# tls-port: 853

# cipher setting for TLSv1.2
# tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
# cipher setting for TLSv1.3
# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

# Add the secret file for TLS Session Ticket.
# Secret file must be 80 bytes of random data.
# First key use to encrypt and decrypt TLS session tickets.
# Other keys use to decrypt only.
# requires restart to take effect.
# tls-session-ticket-keys: "path/to/secret_file1"
# tls-session-ticket-keys: "path/to/secret_file2"

# request upstream over TLS (with plain DNS inside the TLS stream).
# Default is no. Can be turned on and off with unbound-control.
# tls-upstream: no

# Certificates used to authenticate connections made upstream.
# tls-cert-bundle: ""

# Add system certs to the cert bundle, from the Windows Cert Store
# tls-win-cert: no

# Also serve tls on these port numbers (eg. 443, ...), by listing
# tls-additional-port: portno for each of the port numbers.

# DNS64 prefix. Must be specified when DNS64 is in use.
# Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
# dns64-prefix: 64:ff9b::0/96

# DNS64 ignore AAAA records for these domains and use A instead.
# dns64-ignore-aaaa: "example.com"

# ratelimit for uncached, new queries, this limits recursion effort.
# ratelimiting is experimental, and may help against randomqueryflood.
# if 0(default) it is disabled, otherwise state qps allowed per zone.
# ratelimit: 0

# ratelimits are tracked in a cache, size in bytes of cache (or k,m).
# ratelimit-size: 4m
# ratelimit cache slabs, reduces lock contention if equal to cpucount.
# ratelimit-slabs: 4

# 0 blocks when ratelimited, otherwise let 1/xth traffic through
# ratelimit-factor: 10

# override the ratelimit for a specific domain name.
# give this setting multiple times to have multiple overrides.
# ratelimit-for-domain: example.com 1000
# override the ratelimits for all domains below a domain name
# can give this multiple times, the name closest to the zone is used.
# ratelimit-below-domain: com 1000

# global query ratelimit for all ip addresses.
# feature is experimental.
# if 0(default) it is disabled, otherwise states qps allowed per ip address
# ip-ratelimit: 0

# ip ratelimits are tracked in a cache, size in bytes of cache (or k,m).
# ip-ratelimit-size: 4m
# ip ratelimit cache slabs, reduces lock contention if equal to cpucount.
# ip-ratelimit-slabs: 4

# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
# ip-ratelimit-factor: 10

# Limit the number of simultaneous connections from a netblock
# tcp-connection-limit: 192.0.2.0/24 12

# select from the fastest servers this many times out of 1000. 0 means
# the fast server select is disabled. prefetches are not sped up.
# fast-server-permil: 0
# the number of servers that will be used in the fast server selection.
# fast-server-num: 3

# Specific options for ipsecmod. unbound needs to be configured with
# --enable-ipsecmod for these to take effect.
#
# Enable or disable ipsecmod (it still needs to be defined in
# module-config above). Can be used when ipsecmod needs to be
# enabled/disabled via remote-control(below).
# ipsecmod-enabled: yes
#
# Path to executable external hook. It must be defined when ipsecmod is
# listed in module-config (above).
# ipsecmod-hook: "./my_executable"
#
# When enabled unbound will reply with SERVFAIL if the return value of
# the ipsecmod-hook is not 0.
# ipsecmod-strict: no
#
# Maximum time to live (TTL) for cached A/AAAA records with IPSECKEY.
# ipsecmod-max-ttl: 3600
#
# Reply with A/AAAA even if the relevant IPSECKEY is bogus. Mainly used for
# testing.
# ipsecmod-ignore-bogus: no
#
# Domains for which ipsecmod will be triggered. If not defined (default)
# all domains are treated as being whitelisted.
# ipsecmod-whitelist: "example.com"
# ipsecmod-whitelist: "nlnetlabs.nl"


# Python config section. To enable:
# o use --with-pythonmodule to configure before compiling.
# o list python in the module-config string (above) to enable.
# It can be at the start, it gets validated results, or just before
# the iterator and process before DNSSEC validation.
# o and give a python-script to run.
python:
# Script file to load
# python-script: "/opt/local/etc/unbound/ubmodule-tst.py"

# Remote control config section.
remote-control:
# Enable remote control with unbound-control(8) here.
# set up the keys and certificates with unbound-control-setup.
# control-enable: no

# what interfaces are listened to for remote control.
# give 0.0.0.0 and ::0 to listen to all interfaces.
# set to an absolute path to use a unix local name pipe, certificates
# are not used for that, so key and cert files need not be present.
# control-interface: 127.0.0.1
# control-interface: ::1

# port number for remote control operations.
# control-port: 8953

# for localhost, you can disable use of TLS by setting this to "no"
# For local sockets this option is ignored, and TLS is not used.
# control-use-cert: "yes"

# unbound server key file.
# server-key-file: "/opt/local/etc/unbound/unbound_server.key"

# unbound server certificate file.
# server-cert-file: "/opt/local/etc/unbound/unbound_server.pem"

# unbound-control key file.
# control-key-file: "/opt/local/etc/unbound/unbound_control.key"

# unbound-control certificate file.
# control-cert-file: "/opt/local/etc/unbound/unbound_control.pem"

# Stub zones.
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of nameservers. list zero or more
# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
# the list is treated as priming hints (default is no).
# With stub-first yes, it attempts without the stub if it fails.
# Consider adding domain-insecure: name and local-zone: name nodefault
# to the server: section if the stub is a locally served zone.
# stub-zone:
#     name: "example.com"
#     stub-addr: 192.0.2.68
#     stub-prime: no
#     stub-first: no
#     stub-tls-upstream: no
#     stub-no-cache: no
# stub-zone:
#     name: "example.org"
#     stub-host: ns.example.com.

# Forward zones
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of servers. These servers have to handle
# recursion to other nameservers. List zero or more nameservers by hostname
# or by ipaddress. Use an entry with name "." to forward all queries.
# If you enable forward-first, it attempts without the forward if it fails.
# forward-zone:
#     name: "example.com"
#     forward-addr: 192.0.2.68
#     forward-addr: 192.0.2.73@5355 # forward to port 5355.
#     forward-first: no
#     forward-tls-upstream: no
#     forward-no-cache: no
# forward-zone:
#     name: "example.org"
#     forward-host: fwd.example.com

# Authority zones
# The data for these zones is kept locally, from a file or downloaded.
# The data can be served to downstream clients, or used instead of the
# upstream (which saves a lookup to the upstream). The first example
# has a copy of the root for local usage. The second serves example.org
# authoritatively. zonefile: reads from file (and writes to it if you also
# download it), master: fetches with AXFR and IXFR, or url to zonefile.
# With allow-notify: you can give additional (apart from masters) sources of
# notifies.
# auth-zone:
#     name: "."
#     master: 199.9.14.201 # b.root-servers.net
#     master: 192.33.4.12 # c.root-servers.net
#     master: 199.7.91.13 # d.root-servers.net
#     master: 192.5.5.241 # f.root-servers.net
#     master: 192.112.36.4 # g.root-servers.net
#     master: 193.0.14.129 # k.root-servers.net
#     master: 192.0.47.132 # xfr.cjr.dns.icann.org
#     master: 192.0.32.132 # xfr.lax.dns.icann.org
#     master: 2001:500:200::b # b.root-servers.net
#     master: 2001:500:2::c # c.root-servers.net
#     master: 2001:500:2d::d # d.root-servers.net
#     master: 2001:500:2f::f # f.root-servers.net
#     master: 2001:500:12::d0d # g.root-servers.net
#     master: 2001:7fd::1 # k.root-servers.net
#     master: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
#     master: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
#     fallback-enabled: yes
#     for-downstream: no
#     for-upstream: yes
# auth-zone:
#     name: "example.org"
#     for-downstream: yes
#     for-upstream: yes
#     zonefile: "example.org.zone"

# Views
# Create named views. Name must be unique. Map views to requests using
# the access-control-view option. Views can contain zero or more local-zone
# and local-data options. Options from matching views will override global
# options. Global options will be used if no matching view is found.
# With view-first yes, it will try to answer using the global local-zone and
# local-data elements if there is no view specific match.
# view:
#     name: "viewname"
#     local-zone: "example.com" redirect
#     local-data: "example.com A 192.0.2.3"
#     local-data-ptr: "192.0.2.3 www.example.com"
#     view-first: no
# view:
#     name: "anotherview"
#     local-zone: "example.com" refuse

# DNSCrypt
# Caveats:
# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper
# for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
# 2. dnscrypt channel attaches to an interface. you MUST set interfaces to
# listen on `dnscrypt-port` with the following snippet:
# server:
#     interface: 0.0.0.0@443
#     interface: ::0@443
#
# Finally, `dnscrypt` config has its own section.
# dnscrypt:
#     dnscrypt-enable: yes
#     dnscrypt-port: 443
#     dnscrypt-provider: 2.dnscrypt-cert.example.com.
#     dnscrypt-secret-key: /path/unbound-conf/keys1/1.key
#     dnscrypt-secret-key: /path/unbound-conf/keys2/1.key
#     dnscrypt-provider-cert: /path/unbound-conf/keys1/1.cert
#     dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert

# CacheDB
# Enable external backend DB as auxiliary cache. Specify the backend name
# (default is "testframe", which has no use other than for debugging and
# testing) and backend-specific options. The 'cachedb' module must be
# included in module-config, just before the iterator module.
# cachedb:
#     backend: "testframe"
#     # secret seed string to calculate hashed keys
#     secret-seed: "default"
#
#     # For "redis" backend:
#     # redis server's IP address or host name
#     redis-server-host: 127.0.0.1
#     # redis server's TCP port
#     redis-server-port: 6379
#     # timeout (in ms) for communication with the redis server
#     redis-timeout: 100

# IPSet
# Add the specified domains into a set via ipset.
# Note: to enable ipset, unbound needs to run as the root user.
# ipset:
#     # set name for ip v4 addresses
#     name-v4: "list-v4"
#     # set name for ip v6 addresses
#     name-v6: "list-v6"
#

# Response Policy Zones
# RPZ policies. Applied in order of configuration. QNAME and Response IP
# Address trigger are the only supported triggers. Supported actions are:
# NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data. Policies can be loaded from
# file, using zone transfer, or using HTTP. The respip module needs to be added
# to the module-config, e.g.: module-config: "respip validator iterator".
# rpz:
#     name: "rpz.example.com"
#     zonefile: "rpz.example.com"
#     master: 192.0.2.0
#     allow-notify: 192.0.2.0/32
#     url: http://www.example.com/rpz.example.org.zone
#     rpz-action-override: cname
#     rpz-cname-override: www.example.org
#     rpz-log: yes
#     rpz-log-name: "example policy"
#     tags: "example"
--------------------------------------------------------------------------------
/roles/ghost/defaults/main.yml:
--------------------------------------------------------------------------------
---
ghost: {}
--------------------------------------------------------------------------------
/roles/ghost/handlers/main.yml:
--------------------------------------------------------------------------------
---
- name: restart ghost
  when: not ghost_enabled.changed
  service:
    name: 'svc:/ghost:default'
    state: restarted
--------------------------------------------------------------------------------
/roles/ghost/meta/main.yml:
--------------------------------------------------------------------------------
---
dependencies:
  - role: mysql
--------------------------------------------------------------------------------
/roles/ghost/tasks/main.yml:
--------------------------------------------------------------------------------
---
- name: ensure that nodejs and npm are installed
  pkgin:
    name:
      - nodejs
      - npm

- name: ensure that ghost-cli is installed
  npm:
    name: ghost-cli
    global: true

- name: ensure the existence of ghost ZFS dataset at {{ (default_ghost|combine(ghost, recursive=True)).path }}
  when: delegate_dataset is succeeded
  zfs:
    name: '{{ zone_dataset }}/{{ (default_ghost|combine(ghost, recursive=True)).dataset }}'
    state: present
    extra_zfs_properties:
      mountpoint: '{{ (default_ghost|combine(ghost, recursive=True)).path }}'

- name: ensure presence of {{ (default_ghost|combine(ghost, recursive=True)).group }} group
  group:
    name: '{{ (default_ghost|combine(ghost, recursive=True)).group }}'

- name: ensure presence of {{ (default_ghost|combine(ghost, recursive=True)).user }} user
  user:
    name: '{{ (default_ghost|combine(ghost, recursive=True)).user }}'
    home: '{{ (default_ghost|combine(ghost, recursive=True)).path }}'
    group: '{{ (default_ghost|combine(ghost, recursive=True)).group }}'

# projadd exits non-zero when the project already exists, hence ignore_errors
- name: ensure presence of {{ (default_ghost|combine(ghost, recursive=True)).project }} project
  command: projadd -U {{ (default_ghost|combine(ghost, recursive=True)).user }} -G {{ (default_ghost|combine(ghost, recursive=True)).group }} -c "Ghost server" -K "process.max-file-descriptor=(basic,65536,deny)" {{ (default_ghost|combine(ghost, recursive=True)).project }}
  ignore_errors: true

- name: ensure correct permissions of {{ (default_ghost|combine(ghost, recursive=True)).path }}
  file:
    path: '{{ (default_ghost|combine(ghost, recursive=True)).path }}'
    state: directory
    owner: '{{ (default_ghost|combine(ghost, recursive=True)).user }}'
    group: '{{ (default_ghost|combine(ghost, recursive=True)).group }}'
    mode: 0755

# /dev/null tells the password lookup not to store the generated password,
# so a fresh random password is produced on every run of the play
- name: ensure a randomized password for the Ghost MySQL user
  set_fact:
    ghost_db_pass: "{{ lookup( 'password', '/dev/null' ) }}"

- name: ensure the existence of MySQL database {{ (default_ghost|combine(ghost, recursive=True)).db_name }}
  mysql_db:
    name: '{{ (default_ghost|combine(ghost, recursive=True)).db_name }}'

- name: ensure the existence of MySQL user {{ (default_ghost|combine(ghost, recursive=True)).db_user }}
| mysql_user: 53 | host: '{{ (default_ghost|combine(ghost, recursive=True)).db_host }}' 54 | name: '{{ (default_ghost|combine(ghost, recursive=True)).db_user }}' 55 | password: '{{ ghost_db_pass }}' 56 | priv: '{{ (default_ghost|combine(ghost, recursive=True)).db_name }}.*:ALL' 57 | 58 | # Attempt to update Ghost before installing. This will avoid performing both operations 59 | - name: ensure that ghost is up to date 60 | notify: restart ghost 61 | become: true 62 | become_user: '{{ (default_ghost|combine(ghost, recursive=True)).user }}' 63 | command: ghost update 64 | args: 65 | chdir: '{{ (default_ghost|combine(ghost, recursive=True)).path }}' 66 | removes: '{{ (default_ghost|combine(ghost, recursive=True)).path }}/*' 67 | 68 | - name: ensure that ghost is installed 69 | notify: restart ghost 70 | become: true 71 | become_user: '{{ (default_ghost|combine(ghost, recursive=True)).user }}' 72 | command: ghost install local --no-stack --no-setup --no-check-mem --no-start --no-enable 73 | args: 74 | chdir: '{{ (default_ghost|combine(ghost, recursive=True)).path }}' 75 | creates: '{{ (default_ghost|combine(ghost, recursive=True)).path }}/*' 76 | 77 | - name: ensure that ghost is configured {{ (default_ghost|combine(ghost, recursive=True)).url }} 78 | notify: restart ghost 79 | template: 80 | src: config.json 81 | dest: '{{ (default_ghost|combine(ghost, recursive=True)).path }}/config.{{ (default_ghost|combine(ghost, recursive=True)).env }}.json' 82 | owner: '{{ (default_ghost|combine(ghost, recursive=True)).user }}' 83 | group: '{{ (default_ghost|combine(ghost, recursive=True)).group }}' 84 | mode: 0644 85 | 86 | - name: ensure presence of Ghost SMF manifest 87 | template: 88 | src: ghost-smf.xml 89 | dest: /tmp/ghost-smf.xml 90 | owner: root 91 | group: root 92 | mode: 0644 93 | 94 | - name: ensure that Ghost SMF manifest has been imported 95 | command: svccfg import /tmp/ghost-smf.xml 96 | 97 | - name: ensure that ghost is enabled 98 | register: ghost_enabled 99 | 
service: 100 | name: 'svc:/ghost:default' 101 | enabled: true 102 | -------------------------------------------------------------------------------- /roles/ghost/templates/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "url": "{{ (default_ghost|combine(ghost, recursive=True)).url }}", 3 | 4 | "database": { 5 | "client": "mysql", 6 | "connection": { 7 | "host": "{{ (default_ghost|combine(ghost, recursive=True)).db_host }}", 8 | "user": "{{ (default_ghost|combine(ghost, recursive=True)).db_user }}", 9 | "password": "{{ ghost_db_pass }}", 10 | "database": "{{ (default_ghost|combine(ghost, recursive=True)).db_name }}" 11 | } 12 | }, 13 | 14 | "mail": { 15 | "transport": "Direct" 16 | }, 17 | 18 | "server": { 19 | {% if (default_ghost|combine(ghost, recursive=True)).http_host is defined and (default_ghost|combine(ghost, recursive=True)).http_port is defined %} 20 | "host": "{{ (default_ghost|combine(ghost, recursive=True)).http_host }}", 21 | "port": {{ (default_ghost|combine(ghost, recursive=True)).http_port }} 22 | {% elif (default_ghost|combine(ghost, recursive=True)).socket is defined %} 23 | "socket": "{{ (default_ghost|combine(ghost, recursive=True)).socket }}" 24 | {% endif %} 25 | }, 26 | 27 | "logging": { "transports": [ "stdout" ] } 28 | } 29 | -------------------------------------------------------------------------------- /roles/ghost/templates/ghost-smf.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 33 | 34 | 35 | -------------------------------------------------------------------------------- /roles/ghost/vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | default_ghost: 3 | env: production 4 | url: 'http://localhost/' 5 | path: /var/www/ghost 6 | user: ghost 7 | group: ghost 8 
| project: ghost 9 | dataset: ghost 10 | db_host: '127.0.0.1' 11 | db_name: ghost 12 | db_user: ghost 13 | socket: /var/www/ghost/app.sock 14 | -------------------------------------------------------------------------------- /roles/git/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | git: 3 | users: [] 4 | -------------------------------------------------------------------------------- /roles/git/meta/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | dependencies: 3 | - role: common 4 | -------------------------------------------------------------------------------- /roles/git/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: ensure that git has been installed 3 | pkgin: 4 | name: git 5 | 6 | - name: ensure that git-shell is a valid shell 7 | lineinfile: 8 | path: /etc/shells 9 | line: /opt/local/bin/git-shell 10 | 11 | - name: ensure that git repository users exist 12 | loop: '{{ git.users }}' 13 | user: 14 | name: '{{ item }}' 15 | shell: /opt/local/bin/git-shell 16 | 17 | - name: ensure that git repository users can login 18 | loop: '{{ git.users }}' 19 | command: passwd -N {{ item }} 20 | -------------------------------------------------------------------------------- /roles/git/vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | home_dataset: true 3 | sshd: 4 | match: 5 | 'Group other': 6 | DisableForwarding: 'yes' 7 | PermitTTY: 'no' 8 | -------------------------------------------------------------------------------- /roles/minecraft/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | minecraft: 3 | server: mojang 4 | version: 1.16.1 5 | path: /var/games/minecraft 6 | eula: true 7 | user: minecraft 8 | group: minecraft 9 | project: minecraft 10 | openjdk: 8 11 | 
quota: none 12 | parameters: 13 | - Xms2G 14 | - Xmx2G 15 | - XX:+UseG1GC 16 | - XX:+UnlockExperimentalVMOptions 17 | - XX:MaxGCPauseMillis=100 18 | - XX:+DisableExplicitGC 19 | - XX:TargetSurvivorRatio=90 20 | - XX:G1NewSizePercent=50 21 | - XX:G1MaxNewSizePercent=80 22 | - XX:G1MixedGCLiveThresholdPercent=35 23 | - XX:+AlwaysPreTouch 24 | - XX:+ParallelRefProcEnabled 25 | - XX:+UseLargePages 26 | - XX:+UseLargePagesInMetaspace 27 | - showversion 28 | properties: 29 | allow_flight: false 30 | allow_nether: true 31 | broadcast_console_to_ops: true 32 | broadcast_rcon_to_ops: true 33 | difficulty: easy 34 | enable_command_block: false 35 | enable_query: false 36 | enable_rcon: false 37 | enforce_whitelist: false 38 | force_gamemode: false 39 | function_permission_level: 2 40 | gamemode: survival 41 | generate_structures: true 42 | generator_settings: 43 | hardcore: false 44 | level_name: world 45 | level_seed: 46 | level_type: default 47 | max_build_height: 256 48 | max_players: 20 49 | max_tick_time: 60000 50 | max_world_size: 29999984 51 | motd: A Minecraft Server 52 | network_compression_threshold: 256 53 | online_mode: true 54 | op_permission_level: 4 55 | player_idle_timeout: 0 56 | prevent_proxy_connections: false 57 | pvp: true 58 | query_port: 25565 59 | rcon_password: 60 | rcon_port: 25575 61 | resource_pack_sha1: 62 | resource_pack: 63 | server_ip: 64 | server_port: 25565 65 | snooper_enabled: true 66 | spawn_animals: true 67 | spawn_monsters: true 68 | spawn_npcs: true 69 | spawn_protection: 16 70 | use_native_transport: true 71 | view_distance: 10 72 | white_list: false 73 | -------------------------------------------------------------------------------- /roles/minecraft/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: restart minecraft 3 | when: not minecraft_enabled.changed 4 | service: 5 | name: 'svc:/minecraft:default' 6 | state: restarted 7 | 
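The following block is an added example and not code from the repository: it writes out in Python the integrity pinning that this role's server-mojang.yml task and its mojang_checksum table implement, so the trust chain (pin in the vars file, URL derived from the pin, get_url verifying the download against the same pin) can be exercised offline. The function and constant names are the example's own, only two pins are copied from the vars file, and the payload bytes are constructed.

```python
"""Pinned-download check mirroring roles/minecraft/tasks/server-mojang.yml.

The task derives the launcher URL from the SHA-1 stored in mojang_checksum and
then has get_url verify the downloaded jar against that same 'sha1:<hex>'
value, so roles/minecraft/vars/main.yml is the trust anchor for the download.
The functions below do the same two steps and reject malformed pins, unknown
versions and tampered payloads. (Added example; not part of the repository.)
"""
import hashlib
import hmac

# Subset of mojang_checksum from roles/minecraft/vars/main.yml (values from the page).
MOJANG_CHECKSUM = {
    "1.15.2": "sha1:bb2b6b1aefcd70dfd1892149ac3a215f6c636b07",
    "1.16.1": "sha1:a412fd69db1f81db3f511c1463fd304675244077",
}

# Same shape as the url: line of the get_url task.
LAUNCHER_URL = "https://launcher.mojang.com/v1/objects/{digest}/server.jar"


def parse_pin(pin):
    """Split an 'algo:hexdigest' pin (the format get_url's checksum option
    takes) into its parts, refusing anything that is not a well-formed digest."""
    algo, sep, digest = pin.partition(":")
    if not sep or algo not in hashlib.algorithms_available:
        raise ValueError(f"unsupported checksum pin: {pin!r}")
    digest = digest.lower()
    if len(digest) != 2 * hashlib.new(algo).digest_size or any(
        c not in "0123456789abcdef" for c in digest
    ):
        raise ValueError(f"malformed {algo} digest in pin: {pin!r}")
    return algo, digest


def download_url(version, pins=MOJANG_CHECKSUM):
    """The URL the task builds: mojang_checksum[version].split(':')[1] is the
    object id under /v1/objects/, so a bad pin also yields a dead URL."""
    if version not in pins:
        raise KeyError(f"no pinned checksum for Minecraft {version}")
    _, digest = parse_pin(pins[version])
    return LAUNCHER_URL.format(digest=digest)


def verify_artifact(version, data, pins=MOJANG_CHECKSUM):
    """True only if data hashes to the value pinned for this version; this is
    the check get_url performs before it keeps the file at dest."""
    algo, digest = parse_pin(pins[version])
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, digest)


def pin_for(data, algo="sha1"):
    """Mint a pin in the vars-file format for a blob that has already been vetted."""
    return f"{algo}:{hashlib.new(algo, data).hexdigest()}"


if __name__ == "__main__":
    # Constructed stand-in for a vetted server.jar; not a real Mojang artifact.
    good = b"PK\x03\x04 constructed server.jar stand-in"
    pins = {"9.9.9-demo": pin_for(good)}
    print(download_url("9.9.9-demo", pins))
    print("intact:", verify_artifact("9.9.9-demo", good, pins))
    print("tampered:", verify_artifact("9.9.9-demo", good + b"\x00", pins))
```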
--------------------------------------------------------------------------------
/roles/minecraft/meta/main.yml:
--------------------------------------------------------------------------------
---
dependencies:
  - role: common
--------------------------------------------------------------------------------
/roles/minecraft/tasks/main.yml:
--------------------------------------------------------------------------------
---
- name: ensure that OpenJDK{{ minecraft.openjdk }} is present
  pkgin:
    name: openjdk{{ minecraft.openjdk }}

- name: ensure that authorization description exists for Minecraft Service State Management
  lineinfile:
    path: /etc/security/auth_attr
    insertafter: ^solaris.smf.manage.mdns
    line: 'solaris.smf.manage.minecraft:::Manage Minecraft Service States::'

- name: ensure that authorization description exists for Minecraft Service Properties Management
  lineinfile:
    path: /etc/security/auth_attr
    insertafter: ^solaris.smf.value.mdns
    line: 'solaris.smf.value.minecraft:::Change Values of Minecraft Service Properties::'

- name: ensure presence of {{ minecraft.group }} group
  group:
    gid: 900
    name: '{{ minecraft.group }}'

- name: ensure presence of {{ minecraft.user }} user
  user:
    uid: 900
    name: '{{ minecraft.user }}'
    group: '{{ minecraft.group }}'
    home: '{{ minecraft.path }}'
    create_home: false
    shell: /bin/bash
    comment: Minecraft User

- name: ensure presence of {{ minecraft.project }} project
  command: projadd -U {{ minecraft.user }} -G {{ minecraft.group }} -c "Minecraft server" -K "process.max-file-descriptor=(basic,65536,deny)" {{ minecraft.project }}
  ignore_errors: true

- name: ensure presence of Minecraft ZFS dataset at {{ minecraft.path }}
  when: delegate_dataset is succeeded
  zfs:
    name: '{{ zone_dataset }}/minecraft'
    state: present
    extra_zfs_properties:
      mountpoint: '{{ minecraft.path }}'
      quota: '{{ minecraft.quota }}'

- name: ensure correct permissions on Minecraft path at {{ minecraft.path }}
  file:
    path: '{{ minecraft.path }}'
    state: directory
    owner: '{{ minecraft.user }}'
    group: '{{ minecraft.group }}'
    mode: 0750

# Download and symlink the specified minecraft server

- import_tasks: server-mojang.yml
  when: minecraft.server|lower == 'mojang'
- import_tasks: server-paper.yml
  when: minecraft.server|lower == 'paper'

- name: ensure presence of symlink server.jar -> server-{{ minecraft.server }}-{{ minecraft.version }}.jar
  file:
    src: 'server-{{ minecraft.server }}-{{ minecraft.version }}.jar'
    dest: '{{ minecraft.path }}/server.jar'
    state: link

- name: ensure that the EULA file is present
  template:
    src: eula.txt
    dest: '{{ minecraft.path }}/eula.txt'
    owner: root
    group: root
    mode: 0644

- name: ensure that Minecraft server.properties have been configured
  template:
    src: server.properties
    dest: '{{ minecraft.path }}/server.properties'
    owner: root
    group: root
    mode: 0644

- name: ensure presence of Minecraft SMF manifest
  template:
    src: minecraft-smf.xml
    dest: /tmp/minecraft-smf.xml
    owner: root
    group: root
    mode: 0644

- name: ensure that Minecraft SMF manifest has been imported
  command: svccfg import /tmp/minecraft-smf.xml

- name: ensure that Minecraft is enabled
  register: minecraft_enabled
  service:
    name: 'svc:/minecraft:default'
    enabled: true
--------------------------------------------------------------------------------
/roles/minecraft/tasks/server-mojang.yml:
--------------------------------------------------------------------------------
---
# The object id in the URL is the SHA-1 from vars/main.yml, and get_url
# verifies the downloaded jar against that same pin before keeping it.
- name: ensure that server-{{ minecraft.server }}-{{ minecraft.version }}.jar has been downloaded
  get_url:
    url: 'https://launcher.mojang.com/v1/objects/{{ mojang_checksum[minecraft.version|string].split(":")[1] }}/server.jar'
    dest: '{{ minecraft.path }}/server-{{ minecraft.server }}-{{ minecraft.version }}.jar'
    checksum: '{{ mojang_checksum[minecraft.version|string] }}'
--------------------------------------------------------------------------------
/roles/minecraft/tasks/server-paper.yml:
--------------------------------------------------------------------------------
---
# No checksum is pinned for this download, so its integrity rests on the TLS
# connection to papermc.io alone.
- name: ensure that server-{{ minecraft.server }}-{{ minecraft.version }}.jar has been downloaded
  get_url:
    url: 'https://papermc.io/api/v1/paper/{{ minecraft.version.replace("-","/") }}/download'
    dest: '{{ minecraft.path }}/server-{{ minecraft.server }}-{{ minecraft.version }}.jar'
--------------------------------------------------------------------------------
/roles/minecraft/templates/eula.txt:
--------------------------------------------------------------------------------
eula={{ minecraft.eula }}
--------------------------------------------------------------------------------
/roles/minecraft/templates/minecraft-smf.xml:
--------------------------------------------------------------------------------
{% for parameter in minecraft.parameters %}
{% endfor %}
--------------------------------------------------------------------------------
/roles/minecraft/templates/server.properties:
--------------------------------------------------------------------------------
allow-flight={{ minecraft.properties.allow_flight }}
allow-nether={{ minecraft.properties.allow_nether }}
broadcast-console-to-ops={{ minecraft.properties.broadcast_console_to_ops }}
broadcast-rcon-to-ops={{ minecraft.properties.broadcast_rcon_to_ops }}
difficulty={{ minecraft.properties.difficulty }}
enable-command-block={{ minecraft.properties.enable_command_block }}
enable-query={{ minecraft.properties.enable_query }}
enable-rcon={{ minecraft.properties.enable_rcon }}
enforce-whitelist={{ minecraft.properties.enforce_whitelist }}
force-gamemode={{ minecraft.properties.force_gamemode }}
function-permission-level={{ minecraft.properties.function_permission_level }}
gamemode={{ minecraft.properties.gamemode }}
generate-structures={{ minecraft.properties.generate_structures }}
generator-settings={{ minecraft.properties.generator_settings }}
hardcore={{ minecraft.properties.hardcore }}
level-name={{ minecraft.properties.level_name }}
level-seed={{ minecraft.properties.level_seed }}
level-type={{ minecraft.properties.level_type }}
max-build-height={{ minecraft.properties.max_build_height }}
max-players={{ minecraft.properties.max_players }}
max-tick-time={{ minecraft.properties.max_tick_time }}
max-world-size={{ minecraft.properties.max_world_size }}
motd={{ minecraft.properties.motd }}
network-compression-threshold={{ minecraft.properties.network_compression_threshold }}
online-mode={{ minecraft.properties.online_mode }}
op-permission-level={{ minecraft.properties.op_permission_level }}
player-idle-timeout={{ minecraft.properties.player_idle_timeout }}
prevent-proxy-connections={{ minecraft.properties.prevent_proxy_connections }}
pvp={{ minecraft.properties.pvp }}
query.port={{ minecraft.properties.query_port }}
rcon.password={{ minecraft.properties.rcon_password }}
rcon.port={{ minecraft.properties.rcon_port }}
resource-pack-sha1={{ minecraft.properties.resource_pack_sha1 }}
resource-pack={{ minecraft.properties.resource_pack }}
server-ip={{ minecraft.properties.server_ip }}
server-port={{ minecraft.properties.server_port }}
snooper-enabled={{ minecraft.properties.snooper_enabled }}
spawn-animals={{ minecraft.properties.spawn_animals }}
spawn-monsters={{ minecraft.properties.spawn_monsters }}
spawn-npcs={{ minecraft.properties.spawn_npcs }}
spawn-protection={{ minecraft.properties.spawn_protection }}
use-native-transport={{ minecraft.properties.use_native_transport }}
view-distance={{ minecraft.properties.view_distance }}
white-list={{ minecraft.properties.white_list }}
--------------------------------------------------------------------------------
/roles/minecraft/vars/main.yml:
--------------------------------------------------------------------------------
---
mojang_checksum:
  '1.2.4': 'sha1:d8321edc9470e56b8ad5c67bbd16beba25843336'
  '1.2.5': 'sha1:d8321edc9470e56b8ad5c67bbd16beba25843336'
  '1.3': 'sha1:cb21a9aaaf599c94dd7fa1b777b2f0cc37a776c7'
  '1.3.1': 'sha1:82563ce498bfc1fc8a2cb5bf236f7da86a390646'
  '1.3.2': 'sha1:3de2ae6c488135596e073a9589842800c9f53bfe'
  '1.4': 'sha1:9470a2bb0fcb8a426328441a01dba164fbbe52c9'
  '1.4.1': 'sha1:baa4e4a7adc3dc9fbfc5ea36f0777b68c9eb7f4a'
  '1.4.2': 'sha1:5be700523a729bb78ef99206fb480a63dcd09825'
  '1.4.3': 'sha1:9be68adf6e80721975df12f2445fa24617328d18'
  '1.4.4': 'sha1:4215dcadb706508bf9d6d64209a0080b9cee9e71'
  '1.4.5': 'sha1:c12fd88a8233d2c517dbc8196ba2ae855f4d36ea'
  '1.4.6': 'sha1:a0aeb5709af5f2c3058c1cf0dc6b110a7a61278c'
  '1.4.7': 'sha1:2f0ec8efddd2f2c674c77be9ddb370b727dec676'
  '1.5': 'sha1:aedad5159ef56d69c5bcf77ed141f53430af43c3'
  '1.5.1': 'sha1:d07c71ee2767dabb79fb32dad8162e1b854d5324'
  '1.5.2': 'sha1:f9ae3f651319151ce99a0bfad6b34fa16eb6775f'
  '1.6': 'sha1:ee6d5161ac28eef285df571dc1235d48f03c3e88'
  '1.6.1': 'sha1:0252918a5f9d47e3c6eb1dfec02134d1374a89b4'
  '1.6.2': 'sha1:01b6ea555c6978e6713e2a2dfd7fe19b1449ca54'
  '1.6.3': 'sha1:5a4c69bdf7c4a9aa9580096805d8497ba7721e05'
  '1.6.4': 'sha1:050f93c1f3fe9e2052398f7bd6aca10c63d64a87'
  '1.7': 'sha1:3f031ab8b9cafedeb822febe89d271b72565712c'
  '1.7.1': 'sha1:d26d79675147253b7a35dd32dc5dbba0af1be7e2'
  '1.7.2': 'sha1:3716cac82982e7c2eb09f83028b555e9ea606002'
  '1.7.3': 'sha1:707857a7bc7bf54fe60d557cca71004c34aa07bb'
  '1.7.4': 'sha1:61220311cef80aecc4cd8afecd5f18ca6b9461ff'
  '1.7.5': 'sha1:e1d557b2e31ea881404e41b05ec15c810415e060'
  '1.7.6': 'sha1:41ea7757d4d7f74b95fc1ac20f919a8e521e910c'
  '1.7.7': 'sha1:a6ffc1624da980986c6cc12a1ddc79ab1b025c62'
  '1.7.8': 'sha1:c69ebfb84c2577661770371c4accdd5f87b8b21d'
  '1.7.9': 'sha1:4cec86a928ec171fdc0c6b40de2de102f21601b5'
  '1.7.10': 'sha1:952438ac4e01b4d115c5fc38f891710c4941df29'
  '1.8': 'sha1:a028f00e678ee5c6aef0e29656dca091b5df11c7'
  '1.8.1': 'sha1:68bfb524888f7c0ab939025e07e5de08843dac0f'
  '1.8.2': 'sha1:a37bdd5210137354ed1bfe3dac0a5b77fe08fe2e'
  '1.8.3': 'sha1:163ba351cb86f6390450bb2a67fafeb92b6c0f2f'
  '1.8.4': 'sha1:dd4b5eba1c79500390e0b0f45162fa70d38f8a3d'
  '1.8.5': 'sha1:ea6dd23658b167dbc0877015d1072cac21ab6eee'
  '1.8.6': 'sha1:2bd44b53198f143fb278f8bec3a505dad0beacd2'
  '1.8.7': 'sha1:35c59e16d1f3b751cd20b76b9b8a19045de363a9'
  '1.8.8': 'sha1:5fafba3f58c40dc51b5c3ca72a98f62dfdae1db7'
  '1.8.9': 'sha1:b58b2ceb36e01bcd8dbf49c8fb66c55a9f0676cd'
  '1.9': 'sha1:b4d449cf2918e0f3bd8aa18954b916a4d1880f0d'
  '1.9.1': 'sha1:bf95d9118d9b4b827f524c878efd275125b56181'
  '1.9.2': 'sha1:2b95cc7b136017e064c46d04a5825fe4cfa1be30'
  '1.9.3': 'sha1:8e897b6b6d784f745332644f4d104f7a6e737ccf'
  '1.9.4': 'sha1:edbb7b1758af33d365bf835eb9d13de005b1e274'
  '1.10': 'sha1:a96617ffdf5dabbb718ab11a9a68e50545fc5bee'
  '1.10.1': 'sha1:cb4c6f9f51a845b09a8861cdbe0eea3ff6996dee'
  '1.10.2': 'sha1:3d501b23df53c548254f5e3f66492d178a48db63'
  '1.11': 'sha1:48820c84cb1ed502cb5b2fe23b8153d5e4fa61c0'
  '1.11.1': 'sha1:1f97bd101e508d7b52b3d6a7879223b000b5eba0'
  '1.11.2': 'sha1:f00c294a1576e03fddcac777c3cf4c7d404c4ba4'
  '1.12': 'sha1:8494e844e911ea0d63878f64da9dcc21f53a3463'
  '1.12.1': 'sha1:561c7b2d54bae80cc06b05d950633a9ac95da816'
  '1.12.2': 'sha1:886945bfb2b978778c3a0288fd7fab09d315b25f'
  '1.13': 'sha1:d0caafb8438ebd206f99930cfaecfa6c9a13dca0'
  '1.13.1': 'sha1:fe123682e9cb30031eae351764f653500b7396c9'
  '1.13.2': 'sha1:3737db93722a9e39eeada7c27e7aca28b144ffa7'
  '1.14': 'sha1:f1a0073671057f01aa843443fef34330281333ce'
  '1.14.1': 'sha1:ed76d597a44c5266be2a7fcd77a8270f1f0bc118'
  '1.14.2': 'sha1:808be3869e2ca6b62378f9f4b33c946621620019'
  '1.14.3': 'sha1:d0d0fe2b1dc6ab4c65554cb734270872b72dadd6'
  '1.14.4': 'sha1:3dc3d84a581f14691199cf6831b71ed1296a9fdf'
  '1.15': 'sha1:e9f105b3c5c7e85c7b445249a93362a22f62442d'
  '1.15.1': 'sha1:4d1826eebac84847c71a77f9349cc22afd0cf0a1'
  '1.15.2': 'sha1:bb2b6b1aefcd70dfd1892149ac3a215f6c636b07'
  '1.16': 'sha1:a0d03225615ba897619220e256a266cb33a44b6b'
  '1.16.1': 'sha1:a412fd69db1f81db3f511c1463fd304675244077'
--------------------------------------------------------------------------------
/roles/mysql/handlers/main.yml:
--------------------------------------------------------------------------------
---
- name: restart mysql-server
  when: not mysql_enabled.changed
  service:
    name: 'svc:/pkgsrc/{{ (default_mysql|combine(mysql, recursive=True)).server }}:default'
    state: restarted
--------------------------------------------------------------------------------
/roles/mysql/meta/main.yml:
--------------------------------------------------------------------------------
---
dependencies:
  - role: common
--------------------------------------------------------------------------------
/roles/mysql/tasks/main.yml:
--------------------------------------------------------------------------------
---
- name: ensure presence of mysql ZFS filesystem
  when: delegate_dataset is succeeded
  zfs:
    name: '{{ zone_dataset }}/mysql'
    state: present
    extra_zfs_properties:
      mountpoint: '{{ (default_mysql|combine(mysql, recursive=True)).config.mysqld.datadir }}'
      recordsize: '{{ (default_mysql|combine(mysql, recursive=True)).recordsize }}'

- name: ensure presence of {{ (default_mysql|combine(mysql, recursive=True)).server }}-server and pymysql (for ansible configuration of {{ (default_mysql|combine(mysql, recursive=True)).server }})
  notify: restart mysql-server
  pkgin:
    name:
      - '{{ (default_mysql|combine(mysql, recursive=True)).server }}-server'
      - py38-pymysql

- name: determine if {{ (default_mysql|combine(mysql, recursive=True)).server }}-server database cluster has been properly initialized
  register: mysql_cluster
  command: ls {{ (default_mysql|combine(mysql, recursive=True)).config.mysqld.datadir }}

- name: ensure that {{ (default_mysql|combine(mysql, recursive=True)).server }}-server database cluster has been properly initialized
  when: mysql_cluster.stdout == ""
  command: /opt/local/bin/mysql_install_db --user={{ (default_mysql|combine(mysql, recursive=True)).config.mysqld.user }} --group={{ (default_mysql|combine(mysql, recursive=True)).config.mysqld.user }} --basedir={{ (default_mysql|combine(mysql, recursive=True)).config.mysqld.basedir }} --datadir={{ (default_mysql|combine(mysql, recursive=True)).config.mysqld.datadir }}

- name: ensure secure permissions on mysql ZFS mountpoint
  file:
    path: '{{ (default_mysql|combine(mysql, recursive=True)).config.mysqld.datadir }}'
    state: directory
    owner: '{{ (default_mysql|combine(mysql, recursive=True)).config.mysqld.user }}'
    group: '{{ (default_mysql|combine(mysql, recursive=True)).config.mysqld.group }}'
    mode: 0750

# Configuring MySQL is apparently off the table
# - name: ensure that {{ (default_mysql|combine(mysql, recursive=True)).server }}-server is properly configured
#   notify: restart mysql-server
#   template:
#     src: system-my.cnf
#     dest: /opt/local/etc/my.cnf
#     owner: root
#     group: root
#     mode: 0644

- name: ensure that {{ (default_mysql|combine(mysql, recursive=True)).server }}-server is enabled
  register: mysql_enabled
  service:
    name: 'svc:/pkgsrc/{{ (default_mysql|combine(mysql, recursive=True)).server }}:default'
    enabled: true

# The /dev/null lookup yields a new password on every run; the root password
# is reset to it each time and /root/.my.cnf is rewritten to match, so the
# credentials on disk are always the current ones.
- name: generate a randomized password for the database root user
  set_fact:
    mysql_root_password: "{{ lookup( 'password', '/dev/null' ) }}"

- name: ensure that database root password is set to the previously generated password
  mysql_user:
    check_implicit_admin: true
    name: root
    host_all: true
    password: '{{ mysql_root_password }}'

- name: ensure that .my.cnf exists with root credentials
  template:
    src: my.cnf
    dest: /root/.my.cnf
    owner: root
    group: root
    mode: 0640
--------------------------------------------------------------------------------
/roles/mysql/templates/my.cnf:
--------------------------------------------------------------------------------
{{ configuration_header }}

[client]
user=root
password={{ mysql_root_password }}
--------------------------------------------------------------------------------
/roles/mysql/templates/system-my.cnf:
--------------------------------------------------------------------------------
{{ configuration_header }}

# Complete documentation is available at the following URL:
# https://mariadb.com/kb/en/configuring-mariadb-with-option-files/

{% for key,options in (default_mysql|combine(mysql, recursive=True)).config|dictsort %}
[{{ key }}]
{% for option_key,option_value in options|dictsort %}
{% if option_value is none %}
{{ option_key }}
{% else %}
{{ option_key }} = {{ option_value }}
{% endif %}
{% endfor %}

{% endfor %}
--------------------------------------------------------------------------------
/roles/mysql/vars/main.yml:
--------------------------------------------------------------------------------
---
default_mysql:
  server: mysql
  recordsize: 16k
  config:
    client:
      port: 3306
      socket: /tmp/mysql.sock
      default-character-set: utf8mb4
    mysql:
      no-auto-rehash:
    mysqlhotcopy:
      interactive-timeout:
    mysqldump:
      quick:
      max_allowed_packet: 16M
    myisamchk:
      key_buffer_size: 128M
      sort_buffer_size: 128M
      read_buffer: 2M
      write_buffer: 2M
    mysqld:
      #------------------
      # General Settings
      #------------------
      user: mysql
      group: mysql
      port: 3306
      basedir: /opt/local
      datadir: /var/mysql
      socket: /tmp/mysql.sock
      bind-address: '127.0.0.1'
      default-storage-engine: innodb
      character-set-server: utf8
      skip-external-locking:
      log_warnings:
      skip_name_resolve:
      server-id: 1

      #-----------------
      # MyISAM Settings
      #-----------------
      key_buffer_size: 16M
      sort_buffer_size: 1M
      read_buffer_size: 1M
      read_rnd_buffer_size: 4M
      myisam_sort_buffer_size: 64M

      #-----------------
      # InnoDB Settings
      #-----------------
      innodb_data_home_dir: /var/mysql
      innodb_log_group_home_dir: /var/mysql
      innodb_data_file_path: ibdata1:100M:autoextend
      innodb_buffer_pool_size: 16M
      innodb_log_file_size: 400M
      innodb_log_buffer_size: 8M
      innodb_flush_log_at_trx_commit: 2
      innodb_lock_wait_timeout: 50
      innodb_file_per_table:
      innodb_doublewrite: 0
      innodb_io_capacity: 1500
      innodb_read_io_threads: 8
      innodb_write_io_threads: 8

      #-------------------------
      # Slow Query Log Settings
      #-------------------------
      # use_global_long_query_time: 1
      # long_query_time: 0.5
      slow_query_log_file: /var/log/mysql/slowquery.log
      slow_query_log: 1

      #------------------------------
      # Other General MySQL Settings
      #------------------------------
      table_open_cache: 512
      thread_cache_size: 1000
      # query_cache_size: 16M
      # query_cache_strip_comments:
      query_cache_type: 0
      back_log: 64
      thread_concurrency: 32
      tmpdir: /tmp
      max_connections: 1000
      max_allowed_packet: 24M
      max_join_size: 4294967295
      net_buffer_length: 2K
      thread_stack: 256K
      tmp_table_size: 64M
      max_heap_table_size: 64M

      #-------------------------------------------------------------
      # Replication Settings (master to slave, disabled by default)
      # See: http://wiki.joyent.com/wiki/display/jpc2/Replication
      #-------------------------------------------------------------
      binlog_format: mixed
      log-bin: /var/log/mysql/bin.log
      # log-bin-index: /var/log/mysql/log-bin.index
      log-error: /var/log/mysql/error.log
      # report-host: percona
      # relay_log_purge: 1
      expire_logs_days: 7
      # slave-skip-errors: 1062
      # binlog-ignore-db: mysql
--------------------------------------------------------------------------------
/roles/neo4j/defaults/main.yml:
--------------------------------------------------------------------------------
---
neo4j:
  user: neo4j
  group: neo4j
  project: neo4j
  path: /opt/local/neo4j
  conf_path: /opt/local/etc/neo4j
  data_path: /var/db/neo4j
  recordsize: 16k
  version: '4.2.2'
  openjdk: 11
  config:
    #-----------------------
    # General Configuration
    #-----------------------
    # dbms.default_database: neo4j
    # dbms.directories.data: data
    # dbms.directories.plugins: plugins
    # dbms.directories.certificates: certificates
    # dbms.directories.logs: logs
    # dbms.directories.lib: lib
    # dbms.directories.run: run
    dbms.directories.import: import
    # dbms.security.auth_enabled: false
    # dbms.allow_upgrade: true
    # dbms.memory.heap.initial_size: 512m
    # dbms.memory.heap.max_size: 512m
    # dbms.memory.pagecache.size: 10g
    #
    #---------------------------------
    # Network Connector Configuration
    #---------------------------------
    # Listening on all addresses: the zone's network boundary, not Neo4j,
    # decides who can reach bolt and http here.
    dbms.connectors.default_listen_address: '0.0.0.0'
    # dbms.connectors.default_advertised_address: localhost
    dbms.connector.bolt.enabled: true
    # dbms.connector.bolt.tls_level: DISABLED
    # dbms.connector.bolt.listen_address: :7687
    dbms.connector.http.enabled: true
    # dbms.connector.http.listen_address: :7474
    dbms.connector.https.enabled: false
    # dbms.connector.https.listen_address: :7473
    # dbms.threads.worker_count:
    #
    #--------------------------
    # SSL Policy Configuration
    #--------------------------
    # dbms.ssl.policy.bolt.enabled: true
    # dbms.ssl.policy.bolt.base_directory: certificates/bolt
    # dbms.ssl.policy.bolt.private_key: private.key
    # dbms.ssl.policy.bolt.public_certificate: public.crt
    # dbms.ssl.policy.https.enabled: true
    # dbms.ssl.policy.https.base_directory: certificates/https
    # dbms.ssl.policy.https.private_key: private.key
    # dbms.ssl.policy.https.public_certificate: public.crt
    # dbms.ssl.policy.cluster.enabled: true
    # dbms.ssl.policy.cluster.base_directory: certificates/cluster
    # dbms.ssl.policy.cluster.private_key: private.key
    # dbms.ssl.policy.cluster.public_certificate: public.crt
    # dbms.ssl.policy.backup.enabled: true
    # dbms.ssl.policy.backup.base_directory: certificates/backup
    # dbms.ssl.policy.backup.private_key: private.key
    # dbms.ssl.policy.backup.public_certificate: public.crt
    #
    #-----------------------
    # Logging Configuration
    #-----------------------
    # dbms.logs.http.enabled: true
    # dbms.logs.http.rotation.keep_number: 5
    # dbms.logs.http.rotation.size: 20m
    # dbms.logs.gc.enabled: true
    # dbms.logs.gc.options: -Xlog:gc*,safepoint,age*=trace
    # dbms.logs.gc.rotation.keep_number: 5
    # dbms.logs.gc.rotation.size: 20m
    # dbms.logs.debug.level: INFO
    # dbms.logs.debug.rotation.size: 20m
    # dbms.logs.debug.rotation.keep_number: 7
    # dbms.logs.query.threshold: 2s
    #
    #-----------------------------
    # Miscellaneous Configuration
    #-----------------------------
    # cypher.default_language_version: 3.5
    # dbms.security.allow_csv_import_from_file_urls: true
    # dbms.security.http_access_control_allow_origin: *
    # dbms.security.http_strict_transport_security:
    dbms.tx_log.rotation.retention_policy: 1 days
    # dbms.read_only: false
    # dbms.unmanaged_extension_classes: org.neo4j.examples.server.unmanaged=/examples/unmanaged
    # dbms.security.procedures.unrestricted: my.extensions.example,my.procedures.*
    # dbms.security.procedures.whitelist: apoc.coll.*,apoc.load.*
    #
    #----------------
    # JVM Parameters
    #----------------
    dbms.jvm.additional:
      - -XX:+UseG1GC
      - -XX:-OmitStackTraceInFastThrow
      - -XX:+AlwaysPreTouch
      - -XX:+UnlockExperimentalVMOptions
      - -XX:+TrustFinalNonStaticFields
      - -XX:+DisableExplicitGC
      - -Djdk.nio.maxCachedBufferSize=262144
      - -Dio.netty.tryReflectionSetAccessible=true
      # - -XX:+ExitOnOutOfMemoryError
      # - -Dcom.sun.management.jmxremote.port=3637
      # - -Dcom.sun.management.jmxremote.authenticate=true
      # - -Dcom.sun.management.jmxremote.ssl=false
      # - -Dcom.sun.management.jmxremote.password.file=/absolute/path/to/conf/jmx.password
      # - -Dcom.sun.management.jmxremote.access.file=/absolute/path/to/conf/jmx.access
      # - -Djava.rmi.server.hostname=$THE_NEO4J_SERVER_HOSTNAME
      - -Djdk.tls.ephemeralDHKeySize=2048
      - -Djdk.tls.rejectClientInitiatedRenegotiation=true
      # - -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005
      # - -Djdk.serialFilter=java.**;org.neo4j.**;com.neo4j.**;com.hazelcast.**;net.sf.ehcache.Element;com.sun.proxy.*;org.openjdk.jmh.**;!*
--------------------------------------------------------------------------------
/roles/neo4j/handlers/main.yml:
--------------------------------------------------------------------------------
---
- name: restart neo4j
  when: not neo4j_enabled.changed
  service:
    name: 'svc:/neo4j:default'
    state: restarted
--------------------------------------------------------------------------------
/roles/neo4j/meta/main.yml:
--------------------------------------------------------------------------------
---
dependencies:
  - role: common
--------------------------------------------------------------------------------
/roles/neo4j/tasks/main.yml:
--------------------------------------------------------------------------------
---
- name: ensure that OpenJDK{{ neo4j.openjdk }} is present
  pkgin:
    name: openjdk{{ neo4j.openjdk }}

- name: ensure presence of {{ neo4j.group }} group
  group:
    gid: 814
    name: '{{ neo4j.group }}'

- name: ensure presence of {{ neo4j.user }} user
  user:
    uid: 814
    name: '{{ neo4j.user }}'
    group: '{{ neo4j.group }}'
    home: /nonexistent
    create_home: false
    shell: /usr/bin/false
    comment: Neo4j daemon user

- name: ensure presence of {{ neo4j.project }} project
  command: projadd -U {{ neo4j.user }} -G {{ neo4j.group }} -c "Neo4j server" -K "process.max-file-descriptor=(basic,65536,deny)" {{ neo4j.project }}
  ignore_errors: true

- name: ensure presence of neo4j ZFS filesystem at {{ neo4j.data_path }}
  when: delegate_dataset is succeeded
  zfs:
    name: '{{ zone_dataset }}/neo4j'
    state: present
    extra_zfs_properties:
      mountpoint: '{{ neo4j.data_path }}'
      recordsize: '{{ neo4j.recordsize }}'

- name: ensure that root owned Neo4j directories exist and
have the proper permissions 35 | file: 36 | path: '{{ item }}' 37 | state: directory 38 | owner: root 39 | group: root 40 | mode: 0755 41 | loop: 42 | - '{{ neo4j.path }}' 43 | - '{{ neo4j.conf_path }}' 44 | 45 | - name: ensure that Neo4j {{ neo4j.version }} has been downloaded 46 | get_url: 47 | url: 'https://neo4j.com/artifact.php?name=neo4j-community-{{ neo4j.version }}-unix.tar.gz' 48 | dest: '/tmp/neo4j-community-{{ neo4j.version }}-unix.tar.gz' 49 | checksum: '{{ neo4j_checksum[neo4j.version] }}' 50 | timeout: 30 51 | 52 | - name: ensure that Neo4j {{ neo4j.version }} has been installed 53 | unarchive: 54 | src: '/tmp/neo4j-community-{{ neo4j.version }}-unix.tar.gz' 55 | dest: '{{ neo4j.path }}' 56 | owner: root 57 | group: root 58 | mode: 0755 59 | remote_src: true 60 | extra_opts: 61 | - '--strip-components=1' 62 | 63 | - name: ensure that unnecessary files are absent 64 | file: 65 | path: '{{ neo4j.path }}/{{ item }}' 66 | state: absent 67 | loop: 68 | - LICENSE.txt 69 | - LICENSES.txt 70 | - NOTICE.txt 71 | - README.txt 72 | - UPGRADE.txt 73 | - data 74 | - conf 75 | 76 | - name: ensure presence of required symlinks 77 | file: 78 | src: '{{ item.src }}' 79 | path: '{{ item.path }}' 80 | state: link 81 | force: true 82 | loop: 83 | - src: '{{ neo4j.conf_path }}' 84 | path: '{{ neo4j.path }}/conf' 85 | - src: '{{ neo4j.data_path }}' 86 | path: '{{ neo4j.path }}/data' 87 | 88 | - name: ensure that neo4j owned directories exist and have the proper permissions 89 | file: 90 | path: '{{ item }}' 91 | state: directory 92 | owner: '{{ neo4j.user }}' 93 | group: '{{ neo4j.group }}' 94 | mode: 0700 95 | loop: 96 | - '{{ neo4j.data_path }}' 97 | - '{{ neo4j.path }}/certificates' 98 | - '{{ neo4j.path }}/logs' 99 | - '{{ neo4j.path }}/run' 100 | 101 | - name: ensure that Neo4j has been properly configured 102 | template: 103 | src: neo4j.conf 104 | dest: /opt/local/etc/neo4j/neo4j.conf 105 | owner: root 106 | group: root 107 | mode: 0644 108 | notify: restart neo4j 
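The neo4j.conf the template task above writes is only as safe as the `neo4j.config` dictionary that feeds it, and with the role's defaults it binds every connector to 0.0.0.0 with HTTPS off and Bolt TLS at its default. The script below is an added example, not code from this repository: it renders a config dictionary the same way the role's Jinja template does (keys sorted, scalars as `key=value`, lists as one line per element), reads the result back, and lints it for an exposed or unauthenticated server. `ROLE_DEFAULTS` is a constructed subset of the role's uncommented keys, the Neo4j 4.x defaults assumed for the keys the role leaves commented are in `NEO4J_DEFAULTS`, and `harden()` applies the commented-out SSL policy keys as one possible correction (it assumes the private.key/public.crt files exist under the certificates directory).

```python
"""Render a neo4j.config dict like the role's template does, then lint it."""
from typing import Dict, List, Union

Value = Union[str, bool, int, List[str]]

# Constructed subset of roles/neo4j/defaults/main.yml (the uncommented keys).
ROLE_DEFAULTS: Dict[str, Value] = {
    "dbms.directories.import": "import",
    "dbms.connectors.default_listen_address": "0.0.0.0",
    "dbms.connector.bolt.enabled": True,
    "dbms.connector.http.enabled": True,
    "dbms.connector.https.enabled": False,
    "dbms.tx_log.rotation.retention_policy": "1 days",
    "dbms.jvm.additional": ["-XX:+UseG1GC", "-Djdk.tls.ephemeralDHKeySize=2048"],
}

# Assumed Neo4j 4.x defaults for settings the role does not set.
NEO4J_DEFAULTS = {
    "dbms.security.auth_enabled": "true",
    "dbms.connectors.default_listen_address": "localhost",
    "dbms.connector.bolt.enabled": "true",
    "dbms.connector.bolt.tls_level": "DISABLED",
    "dbms.connector.http.enabled": "true",
    "dbms.connector.https.enabled": "false",
}

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def fmt(value) -> str:
    # Booleans are written in the lowercase form neo4j.conf uses.
    return str(value).lower() if isinstance(value, bool) else str(value)


def render(config: Dict[str, Value]) -> str:
    """Mirror the template: dictsort order, lists become repeated keys."""
    lines = []
    for key, value in sorted(config.items()):
        values = value if isinstance(value, list) else [value]
        lines.extend(f"{key}={fmt(v)}" for v in values)
    return "\n".join(lines) + "\n"


def parse(text: str) -> Dict[str, List[str]]:
    """Read a neo4j.conf back; repeated keys collect into a list."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def lint(conf: Dict[str, List[str]]) -> List[str]:
    """Findings for a server reachable without auth or without TLS."""
    def get(key: str) -> str:
        return conf.get(key, [NEO4J_DEFAULTS[key]])[-1]

    findings = []
    listen = get("dbms.connectors.default_listen_address")
    exposed = listen not in LOOPBACK
    if get("dbms.security.auth_enabled").lower() == "false":
        findings.append("auth disabled: anyone reaching a connector can run Cypher")
    if (exposed and get("dbms.connector.http.enabled").lower() == "true"
            and get("dbms.connector.https.enabled").lower() != "true"):
        findings.append(f"HTTP on {listen} with HTTPS disabled: credentials and "
                        "query results cross the network in the clear")
    tls_level = get("dbms.connector.bolt.tls_level").upper()
    if (exposed and get("dbms.connector.bolt.enabled").lower() == "true"
            and tls_level != "REQUIRED"):
        findings.append(f"Bolt on {listen} with tls_level {tls_level}: "
                        "clients may connect without TLS")
    return findings


def harden(config: Dict[str, Value]) -> Dict[str, Value]:
    """Corrected settings: TLS on both exposed connectors (needs the cert files)."""
    fixed = dict(config)
    fixed.update({
        "dbms.connector.https.enabled": True,
        "dbms.connector.bolt.tls_level": "REQUIRED",
        "dbms.ssl.policy.bolt.enabled": True,
        "dbms.ssl.policy.bolt.base_directory": "certificates/bolt",
        "dbms.ssl.policy.https.enabled": True,
        "dbms.ssl.policy.https.base_directory": "certificates/https",
    })
    return fixed


def findings_for(config: Dict[str, Value]) -> List[str]:
    return lint(parse(render(config)))


if __name__ == "__main__":
    for name, cfg in (("role defaults", ROLE_DEFAULTS),
                      ("hardened", harden(ROLE_DEFAULTS))):
        print(f"{name}: {findings_for(cfg) or ['no findings']}")
```

Running it against the role's defaults reports the two cleartext connectors; after `harden()` or with the listen address set back to `localhost` it reports nothing. Hook `findings_for` into a pre-task (or a CI check over rendered output) to fail the play before the config reaches the zone.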

- name: ensure presence of Neo4j SMF manifest
  template:
    src: neo4j-smf.xml
    dest: /tmp/neo4j-smf.xml
    owner: root
    group: root
    mode: 0644

- name: ensure that Neo4j SMF manifest has been imported
  command: svccfg import /tmp/neo4j-smf.xml

- name: ensure that Neo4j is enabled
  register: neo4j_enabled
  service:
    name: 'svc:/neo4j:default'
    enabled: true
--------------------------------------------------------------------------------
/roles/neo4j/templates/neo4j-smf.xml:
--------------------------------------------------------------------------------
(SMF service manifest; the XML markup of this template did not survive extraction and is not reproduced here)
--------------------------------------------------------------------------------
/roles/neo4j/templates/neo4j.conf:
--------------------------------------------------------------------------------
{{ configuration_header }}

# Complete documentation is available at the following URL:
# https://neo4j.com/docs/operations-manual/current/configuration/

{% for key,value in neo4j.config|dictsort %}
{% if value is iterable and value is not mapping and value is not string %}
{% for row in value %}
{{ key }}={{ row }}
{% endfor %}
{% else %}
{{ key }}={{ value }}
{% endif %}
{% endfor %}
--------------------------------------------------------------------------------
/roles/neo4j/vars/main.yml:
--------------------------------------------------------------------------------
---
neo4j_checksum:
  '3.2.0': 'sha256:77c0c142343ea834852d237828f1ddd8cb2d4b7be9131a00b4ec4e3c48d6f6d0'
  '3.2.1': 'sha256:24fd6a704e0d80c4b4f9a3d17ce0db23f258a8cdcfa1eb28d7803b7d1811ee96'
  '3.2.2': 'sha256:de607436b9708ee708447be367439a4c8c30bd97ca77e84e3a081b8b6d378d95'
  '3.2.3': 'sha256:65e1de8a025eae4ba42ad3947b7ecbf758a11cf41f266e8e47a83cd93c1d83d2'
  '3.2.5': 'sha256:2e3854dbd0fe4db1c4fd870f02a90e62eca64ea515cf229b9b9df3509b2aa423'
  '3.2.6': 'sha256:6d68363595c9288dc734301de6d8f935b7a0febcb59b88ff77676b95cd0a8950'
  '3.2.7': 'sha256:7f347196a1f2026f8daa9ee045d3fbb404d961dd81b3a8363132aaaf60cf316f'
  '3.2.8': 'sha256:d2615c97d55e5ee08098b85dbd004eb6c83eff5d054c6f13d47c4dd007b8ca47'
  '3.2.9': 'sha256:6bcf88935e262b9ffa62ce7bf3c8b0887a19abbe6a5b615e4bcc724942e140fa'
  '3.2.10': 'sha256:7095457c7f27ee3653f66504ae67b5c3a18c51e6a96b986341850897d45696d5'
  '3.2.11': 'sha256:c634bfdc8c3c1d879c1af1db31496745afcdb70a34674c9f1f8c3bedd5628c4a'
  '3.2.12': 'sha256:fd1d7a5464a4528f63df93b1dae9d272bfcd37cf3730b45f2ac9bca458cb68a8'
  '3.2.13': 'sha256:ab3f57ec86fd99f980dbcbdc7d0f8dc0e609138231470c4ab4e343038246efe0'
  '3.2.14': 'sha256:530abde4c84da78503b7b1fe2dcc932d14048a855cf6a561b8b912bacca24f2f'
  '3.3.0': 'sha256:dbbc65683d65018c48fc14d82ee7691ca75f8f6ea79823b21291970638de5d88'
  '3.3.1': 'sha256:0e5c6492cd274edf06c5f10d2b64711bd559aaff37c646e03bfa65e613994174'
  '3.3.2': 'sha256:8a2a74f1270944d9b72f2af2c15cb350718e697af6e3800e67cb32a5d1605f6e'
  '3.3.3': 'sha256:a57be049906cc871b59d7a8283d265485b2c31de47b208ef18636901859232f9'
  '3.3.4': 'sha256:cc2fda6ededfc4678d1fc9be9dc1c5c2902fe2bc184125b59ae6f9183a98571c'
  '3.3.5': 'sha256:c603da37a6102252d91328aec4b018ccff417588c29b6888d7260a0840135a3b'
  '3.3.6': 'sha256:e6d3c28621eaac7306c706fb22d8336d150d2b37218ca89f5ed5d15fd1676d26'
  '3.3.7': 'sha256:8fbd688ad05b02860310d5b1f4ffc172f6a966a597b7d5b3ef1609d1d0125003'
  '3.3.8': 'sha256:1a6bc266806823b1fc2b3ec55e2f21b19a81617fffb45781d20a69f8a98e30be'
  '3.3.9': 'sha256:e7a02a2b6c1965dbfb60f498b5675e1d10d35422e9ec72eedfffa4206af7ad0a'
  '3.4.0': 'sha256:ea04207536c91e83e1889b04ae3276876d1a9612e7fba69dbf188bb3d5e08cdd'
  '3.4.1': 'sha256:57ae9e512705b7c2f09067b6bc1c4d1727334e0081d01ce6bded65f0eb7cf7c1'
  '3.4.4': 'sha256:0cde1e638cf17900d4039d853e8017562b767853eb26f643134fc8e732db27b4'
  '3.4.5': 'sha256:af53823776645e11d04436a513368e7e417b515572d6228da6b2977c8490ffbb'
  '3.4.6': 'sha256:8302c45ba4efa14ee5019120a6dd9f8cd1ff61c2b6b0012e7dfebe73b5207e2d'
  '3.4.7': 'sha256:f2a2eda7a4313216a99a9400001fef6de1a3aa399602dd1a57f552a5f73cf349'
  '3.4.8': 'sha256:5bf8f530e8e9584e2a3810d18e44c7f8ba956239e9a047094986fd5ebcc3bdd5'
  '3.4.9': 'sha256:2715282a71d805cbc547ed174c8a3e09ea4bda678fc110c7e30c452c486ee04d'
  '3.4.10': 'sha256:59a6fe8e0ae31baf03b6be07e2350d8666ed4752ea98affee0084c6eade6ac73'
  '3.4.11': 'sha256:f174210cd2791912fcf8e272f948097a00d6aaccca34e96f856dba3bc21f15c9'
  '3.4.12': 'sha256:dd7f201b973d10e3b8a6133a7487ababa5cf397da458c12738a8a2b8d60f7816'
  '3.4.13': 'sha256:ac2a30eb72bacbac1e5ec4aeed82cab13a96732a49e1350389785d4f5dbd4203'
  '3.4.14': 'sha256:fcbdd7abc28a50cca76daed96d60a6d7d03a4db5bbbfdfb8e520ee1984698461'
  '3.4.15': 'sha256:7e230753e2c53c912829f1ed2df963fbacc3892acd3501a84892118317fbccda'
  '3.4.16': 'sha256:8c42ebe3455d92deedb09417dc02bcd37f5e0f13eb3f3faa5f1a5b9d4a781c7b'
  '3.4.17': 'sha256:fbb03e85a09e1e8a77c496ad61e8094ef94185268098634a4aaf1d1a01b841a6'
  '3.5.0': 'sha256:a33df85dbdd22297d5bc9962bd42f7e70c3703ba3067b1adeaf5c18240944f37'
  '3.5.1': 'sha256:abec3a53d8c04cb5caf76194199017a41901159d47c57b888ebf37f29a905400'
  '3.5.2': 'sha256:c1dec66aaf4d97b2e538ec0068de172ef454de101cce37196c8b8865f4db6644'
  '3.5.3': 'sha256:d4b6e48327d5283131e9a38db25d722119e21ef5420b3cc393b9263aa37313ea'
  '3.5.4': 'sha256:70c944ce8c089506c8812c6ab85d7569b5800a772381c98e120b97fcc01c173b'
  '3.5.5': 'sha256:b89ea38ef315ed3466aa51fb6af1d496fa78b54a8c654b4e6f0722e87b78f0b6'
  '3.5.6': 'sha256:f536224565ce27b95947c91a37d52b9ba9e80247d8d3262075b24b8d47f8532a'
  '3.5.7': 'sha256:31c8f398df9342928502a7321f045eb8f2b96ec4ded26f9f057dc6f6fa10c60c'
  '3.5.8': 'sha256:ef714d0e7067d437649e52b6727d258c46a144db2ce567dc4d13b62ee916494e'
  '3.5.9': 'sha256:cf0e6c6e9733cda11922a4a060e53269ac05b6e55cb7817c55621e005928f6cf'
  '3.5.10': 'sha256:57dbeb858dd327f907d3f11cfb3239b3f537668c00e087e59ebad0e2bc7c135b'
  '3.5.11': 'sha256:4dd4f2b6c32e216b42ab8d2235f10c4d992d567d36927df93d2d9fb1763e6376'
  '3.5.12': 'sha256:3b82b72a211d1b628b64f18f4af9f10b12ed6e2fd0ad94910e11b7fef5d0d86c'
  '3.5.13': 'sha256:2fdb29816bc72894b10f082b5d542fdaa0cf5d9cfdb899d9aac1e34bc2006250'
  '3.5.14': 'sha256:fb435b11494cde475f748f057a192bcbd8580c7445b380afe9ff52311f334bfe'
  '3.5.15': 'sha256:32ed30e81aed0fc32d7ca8245b4a25e7aa1c08b89770ea33da1f4b427f1f7664'
  '3.5.16': 'sha256:3eded9065de1ddd39d519b05845da2f572b5ddb4e6440b93555927f329eaf222'
  '3.5.17': 'sha256:1c8b6ac0ffd346f0707fe1af713ef74f1c6ce1ea6feb5e9a0bd170e7a8a34a10'
  '3.5.18': 'sha256:ed6c2c52faf048919cea6da8f214071b57e3cdcfae4527957d25948a35c6c75a'
  '3.5.19': 'sha256:c0b514af785fb5649963706d98864cc690397e14b3ff3942ec8dabf02c2f768a'
  '3.5.20': 'sha256:01406d4e6a9e89340637aac779adb189db9af66e9c615804ad1ccc17346c7c0b'
  '3.5.21': 'sha256:b166846e1e247ca809e5036a1efee852a9df36eeabbbccc8e7b74138399f894c'
  '3.5.22': 'sha256:fa1d88c7b560cc40598323618d002cbdfa1191d3abb8aa83929a61e3a2ef642c'
  '3.5.23': 'sha256:6fb21b6487a0663168e103c948968ea3f9d9760bb91a1fb2f3879b36ad62a413'
  '3.5.24': 'sha256:7cddfdccc75c493ee110cf27e17e2521218741e2b6adb4c67cadc8774ac12907'
  '3.5.25': 'sha256:3a1241ae118fb89d1db17f05a9e8a9a71c2a53ee15f574f21acbd507e3fa9b50'
  '3.5.26': 'sha256:7e5bc2ccd0dd5ac4cf845843dd05e5d7d43bbfc57604a1ff855b0e1ed4092071'
  '4.0.0': 'sha256:63c85ee709916f9f5fa2fac7274f1a55bdd44d6ab353cbdd05f050aed9532e82'
  '4.0.1': 'sha256:623c807ec23ed5c5e8db665a36bcdcb03a11ca2179ce24b61b220ecac60ace90'
  '4.0.2': 'sha256:e189f557a41835170fae42ee8d2dea9a94a3c790cfc73f0d9eb28be21b806830'
  '4.0.3': 'sha256:34db8c51899eced35ca5b9ba764649419f160b944b81abc52ed3587492c07085'
  '4.0.4': 'sha256:e467b30f483132e62be0288f7db337148cea25221a80e23dba8af995a03b60a3'
  '4.0.5': 'sha256:7f3c17b4d33d0cbda0d2bce2e48ee0ede06d948ed0fd1b7bf64b6a00d858c93f'
  '4.0.6': 'sha256:47a7edfe0f673517c7c21b33b5f124377cbfa1763081475ba1013caa6ad2340e'
  '4.0.7': 'sha256:975476bdd11c466769e5cd34e6bac85b43a29f1ccda8a5da8b764a71d752641c'
  '4.0.8': 'sha256:1731957124dd0cecf7c096ba5d09e6eed07ea587ffb1c0f11e3699f4d00d6a08'
  '4.0.9': 'sha256:d04e8e26bfb32267f33ac46fe51ffe0d677246328c94c61f3f3483f9c2e03e4d'
  '4.0.10': 'sha256:1ebe1fe8760b34811cc0d610f69133da67cf376c74b0b29f8ca9a6176092c9ea'
  '4.0.11': 'sha256:913ab0acce7a8020213ce1cb0d4414a31ead29e3e31d4358c5553d3ade340241'
  '4.1.0': 'sha256:b598edeb3401e5ec40fb7bc3370307addfcaa21565f731016c9c7f8e70af659a'
  '4.1.1': 'sha256:4f663a520bec40dfd0b1972feb3cf93af321c230b448adb6dc917717e67a1271'
  '4.1.2': 'sha256:c4917a1f16da0ab214de9fa04e4db351efbd0b92a7f2314d27501c1d82293a6f'
  '4.1.3': 'sha256:6da059f04f86e1a74221eb0103da38a1f645969cbbfe1b37c9de48bf55acabdc'
  '4.1.4': 'sha256:c6e555e35fd08ab1129f57c4346450b1bc3793488a270fa9b2271a41b5b39455'
  '4.1.5': 'sha256:f636596c6b7ba49a61e3cfbdbf0daf420892be68d187371edaae3157bad8ed29'
  '4.2.0': 'sha256:188cfb1f36c5aa4228d9c7f921eac489e1bcaa5a53e301568cea4b650152e075'
  '4.2.1': 'sha256:0f074e2d84c265fbb066ad648b52c62c623d1f1b18b9d4d04356d46726853c96'
  '4.2.2': 'sha256:6bbd385fea4b23f4447926209168499b361774f1cadae71ad4a960e648821359'
--------------------------------------------------------------------------------
/roles/plex/defaults/main.yml:
--------------------------------------------------------------------------------
---
plex: {}
--------------------------------------------------------------------------------
/roles/plex/handlers/main.yml:
--------------------------------------------------------------------------------
---
- name: restart plexmediaserver
  when: not plexmediaserver_enabled.changed
  service:
    name: plexmediaserver
    state: restarted
--------------------------------------------------------------------------------
/roles/plex/meta/main.yml:
--------------------------------------------------------------------------------
---
dependencies:
  - role: common-debian
--------------------------------------------------------------------------------
/roles/plex/tasks/main.yml:
--------------------------------------------------------------------------------
---
- name: ensure that the Plex package signing key has been added
  apt_key:
    url: https://downloads.plex.tv/plex-keys/PlexSign.key

- name: ensure that the Plex repository has been added to the sources list
  apt_repository:
    filename: plexmediaserver
    repo: deb https://downloads.plex.tv/repo/deb public main

- name: ensure presence of ZFS dataset at /var/lib/plexmediaserver
  environment:
    PATH: "{{ ansible_env.PATH }}:/native/usr/sbin"
  zfs:
    name: '{{ zone_dataset }}/plex'
    state: present
    extra_zfs_properties:
      mountpoint: /var/lib/plexmediaserver

- name: ensure presence of ZFS dataset at /var/lib/plexmediaserver/Library/Application Support/Plex Media Server/Plug-in Support/Databases
  environment:
    PATH: "{{ ansible_env.PATH }}:/native/usr/sbin"
  zfs:
    name: '{{ zone_dataset }}/plex/database'
    state: present
    extra_zfs_properties:
      recordsize: 16k
      mountpoint: /var/lib/plexmediaserver/Library/Application Support/Plex Media Server/Plug-in Support/Databases

- name: ensure ownership of /var/lib/plexmediaserver is 999:999
  file:
    state: directory
    path: /var/lib/plexmediaserver
    mode: 0755
    owner: '999'
    group: '999'
    recurse: true

- name: ensure that Plex Media Server has been installed
  notify: restart plexmediaserver
  apt:
    name: plexmediaserver

- name: ensure that Plex Media Server is enabled
  register: plexmediaserver_enabled
  service:
    name: plexmediaserver
    enabled: true

- name: ensure that system will update all packages automatically
  cron:
    name: apt autoupdate
    minute: '15'
    hour: '0,12'
    user: root
    # cron has no tty, so a bare "apt full-upgrade" stops at its confirmation
    # prompt and upgrades nothing; apt-get -y with a non-interactive frontend
    # actually applies the updates (apt itself warns against use in scripts)
    job: apt-get -q update && DEBIAN_FRONTEND=noninteractive apt-get -qy full-upgrade
--------------------------------------------------------------------------------
/roles/plex/vars/main.yml:
--------------------------------------------------------------------------------
---
default_plex: {}
--------------------------------------------------------------------------------
/roles/postgresql/defaults/main.yml:
--------------------------------------------------------------------------------
---
postgresql:
  server: postgresql12-server
  recordsize: 16k
  config:
    #------------------------------------------------------------------------------
    # FILE LOCATIONS
    #------------------------------------------------------------------------------

    # The default values of these variables are driven from the -D command-line
    # option or PGDATA environment variable, represented here as ConfigDir.
    #
    #data_directory = 'ConfigDir'           # use data in another directory
    #                                       # (change requires restart)
    #hba_file = 'ConfigDir/pg_hba.conf'     # host-based authentication file
    #                                       # (change requires restart)
    #ident_file = 'ConfigDir/pg_ident.conf' # ident configuration file
    #                                       # (change requires restart)
    #
    # If external_pid_file is not explicitly set, no extra PID file is written.
    #external_pid_file = ''                 # write an extra PID file
    #                                       # (change requires restart)

    #------------------------------------------------------------------------------
    # CONNECTIONS AND AUTHENTICATION
    #------------------------------------------------------------------------------

    # - Connection Settings -

    #listen_addresses = 'localhost'         # what IP address(es) to listen on;
    #                                       # comma-separated list of addresses;
    #                                       # defaults to 'localhost'; use '*' for all
    #                                       # (change requires restart)
    #port = 5432                            # (change requires restart)
    max_connections: 100
    #superuser_reserved_connections = 3     # (change requires restart)
    #unix_socket_directories = '/tmp'       # comma-separated list of directories
    #                                       # (change requires restart)
    #unix_socket_group = ''                 # (change requires restart)
    #unix_socket_permissions = 0777         # begin with 0 to use octal notation
    #                                       # (change requires restart)
    #bonjour = off                          # advertise server via Bonjour
    #                                       # (change requires restart)
    #bonjour_name = ''                      # defaults to the computer name
    #                                       # (change requires restart)

    # - TCP settings -
    # see "man tcp" for details

    #tcp_keepalives_idle = 0                # TCP_KEEPIDLE, in seconds;
    #                                       # 0 selects the system default
    #tcp_keepalives_interval = 0            # TCP_KEEPINTVL, in seconds;
    #                                       # 0 selects the system default
    #tcp_keepalives_count = 0               # TCP_KEEPCNT;
    #                                       # 0 selects the system default
    #tcp_user_timeout = 0                   # TCP_USER_TIMEOUT, in milliseconds;
    #                                       # 0 selects the system default

    # - Authentication -

    #authentication_timeout = 1min          # 1s-600s
    #password_encryption = md5              # md5 or scram-sha-256
    #db_user_namespace = off

    # GSSAPI using Kerberos
    #krb_server_keyfile = ''
    #krb_caseins_users = off

    # - SSL -

    #ssl = off
    #ssl_ca_file = ''
    #ssl_cert_file = 'server.crt'
    #ssl_crl_file = ''
    #ssl_key_file = 'server.key'
    #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
    #ssl_prefer_server_ciphers = on
    #ssl_ecdh_curve = 'prime256v1'
    #ssl_min_protocol_version = 'TLSv1.2'
    #ssl_max_protocol_version = ''
    #ssl_dh_params_file = ''
    #ssl_passphrase_command = ''
    #ssl_passphrase_command_supports_reload = off


    #------------------------------------------------------------------------------
    # RESOURCE USAGE (except WAL)
    #------------------------------------------------------------------------------

    # - Memory -
    shared_buffers: 128MB
    #                                       # (change requires restart)
    #huge_pages = try                       # on, off, or try
    #                                       # (change requires restart)
    #temp_buffers = 8MB                     # min 800kB
    #max_prepared_transactions = 0          # zero disables the feature
    #                                       # (change requires restart)
    # Caution: it is not advisable to set max_prepared_transactions nonzero unless
    # you actively intend to use prepared transactions.
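The `password_encryption = md5` line in the CONNECTIONS AND AUTHENTICATION block above is left at the PostgreSQL 12 default, with `scram-sha-256` named as the alternative. The script below is an added example, not code from this repository or from PostgreSQL: it builds both verifier formats that PostgreSQL writes to pg_authid from their published construction (md5 of password||rolename; SCRAM-SHA-256 per RFC 5802/7677 with PostgreSQL's default 4096 iterations) and runs the matching authentication step for each, so the practical difference can be checked offline. The role name, password, salts and the SCRAM auth-message string are constructed test data; passwords are assumed ASCII so no SASLprep step is needed.

```python
"""PostgreSQL password verifiers: md5 (pass-the-hash) versus scram-sha-256."""
import base64
import hashlib
import hmac
import os


def md5_verifier(password: str, username: str) -> str:
    # pg_authid stores 'md5' + md5(password || rolename). The role name is the
    # only salt, so one password for one role always yields the same value.
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def md5_client_response(password: str, username: str, wire_salt: bytes) -> str:
    # What a real client answers to AuthenticationMD5Password:
    # md5(md5hex(password || rolename) || 4-byte salt from the server).
    inner = hashlib.md5((password + username).encode()).hexdigest()
    return "md5" + hashlib.md5(inner.encode() + wire_salt).hexdigest()


def md5_response_from_verifier(verifier: str, wire_salt: bytes) -> str:
    # The same answer computed from the stored verifier alone: a leaked
    # pg_authid row is password-equivalent, no cracking required.
    return "md5" + hashlib.md5(verifier[3:].encode() + wire_salt).hexdigest()


def _scram_keys(password: str, salt: bytes, iterations: int):
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return client_key, stored_key, server_key


def scram_verifier(password: str, salt: bytes = None, iterations: int = 4096) -> str:
    # SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>, random salt per
    # password. StoredKey = H(ClientKey), so the server never holds ClientKey.
    salt = os.urandom(16) if salt is None else salt
    _, stored_key, server_key = _scram_keys(password, salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def _parse_scram(verifier: str):
    params, _, keys = verifier[len("SCRAM-SHA-256$"):].partition("$")
    iterations, _, salt_b64 = params.partition(":")
    stored_b64, _, server_b64 = keys.partition(":")
    return (int(iterations), base64.b64decode(salt_b64),
            base64.b64decode(stored_b64), base64.b64decode(server_b64))


def verify(verifier: str, password: str, username: str) -> bool:
    """Server-side password check against either stored format."""
    if verifier.startswith("SCRAM-SHA-256$"):
        iterations, salt, _, _ = _parse_scram(verifier)
        return hmac.compare_digest(scram_verifier(password, salt, iterations), verifier)
    if verifier.startswith("md5"):
        return hmac.compare_digest(md5_verifier(password, username), verifier)
    raise ValueError("unrecognised verifier format")


def scram_client_proof(password: str, verifier: str, auth_message: bytes) -> bytes:
    # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage). A real client
    # takes salt and iterations from the server-first message; read here from
    # the verifier for brevity.
    iterations, salt, _, _ = _parse_scram(verifier)
    client_key, stored_key, _ = _scram_keys(password, salt, iterations)
    signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(client_key, signature))


def scram_server_check(verifier: str, auth_message: bytes, client_proof: bytes) -> bool:
    # Recover ClientKey from the proof and compare its hash with StoredKey.
    # Holding StoredKey lets you verify a proof, not produce one.
    _, _, stored_key, _ = _parse_scram(verifier)
    signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    client_key = bytes(a ^ b for a, b in zip(client_proof, signature))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)


if __name__ == "__main__":
    md5_v = md5_verifier("s3cret", "app")
    salt4 = b"\x01\x02\x03\x04"  # constructed wire salt
    print("md5: verifier alone answers the challenge:",
          md5_response_from_verifier(md5_v, salt4) == md5_client_response("s3cret", "app", salt4))
    scram_v = scram_verifier("s3cret")
    msg = b"n=app,r=cnonce,r=cnoncesnonce,s=c2FsdA==,i=4096,c=biws,r=cnoncesnonce"
    print("scram: proof from password accepted:",
          scram_server_check(scram_v, msg, scram_client_proof("s3cret", scram_v, msg)))
```

Two properties fall out directly: the md5 verifier is deterministic per role and replays on the wire without the password, while the SCRAM verifier changes on every `ALTER ROLE ... PASSWORD` and can only be checked, not replayed. Setting `password_encryption = scram-sha-256` before passwords are (re)set, and matching `scram-sha-256` in pg_hba.conf, is the change this implies.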
    #work_mem = 4MB                         # min 64kB
    #hash_mem_multiplier = 1.0              # 1-1000.0 multiplier on hash table work_mem
    #maintenance_work_mem = 64MB            # min 1MB
    #autovacuum_work_mem = -1               # min 1MB, or -1 to use maintenance_work_mem
    #logical_decoding_work_mem = 64MB       # min 64kB
    #max_stack_depth = 2MB                  # min 100kB
    #shared_memory_type = mmap              # the default is the first option
    #                                       # supported by the operating system:
    #                                       #   mmap
    #                                       #   sysv
    #                                       #   windows
    #                                       # (change requires restart)
    dynamic_shared_memory_type: posix
    #                                       # supported by the operating system:
    #                                       #   posix
    #                                       #   sysv
    #                                       #   windows
    #                                       #   mmap
    #                                       # (change requires restart)

    # - Disk -

    #temp_file_limit = -1                   # limits per-process temp file space
    #                                       # in kilobytes, or -1 for no limit

    # - Kernel Resources -

    #max_files_per_process = 1000           # min 64
    #                                       # (change requires restart)

    # - Cost-Based Vacuum Delay -

    #vacuum_cost_delay = 0                  # 0-100 milliseconds (0 disables)
    #vacuum_cost_page_hit = 1               # 0-10000 credits
    #vacuum_cost_page_miss = 10             # 0-10000 credits
    #vacuum_cost_page_dirty = 20            # 0-10000 credits
    #vacuum_cost_limit = 200                # 1-10000 credits

    # - Background Writer -

    #bgwriter_delay = 200ms                 # 10-10000ms between rounds
    #bgwriter_lru_maxpages = 100            # max buffers written/round, 0 disables
    #bgwriter_lru_multiplier = 2.0          # 0-10.0 multiplier on buffers scanned/round
    #bgwriter_flush_after = 0               # measured in pages, 0 disables

    # - Asynchronous Behavior -

    #effective_io_concurrency = 0           # 1-1000; 0 disables prefetching
    #maintenance_io_concurrency = 10        # 1-1000; 0 disables prefetching
    #max_worker_processes = 8               # (change requires restart)
    #max_parallel_maintenance_workers = 2   # taken from max_parallel_workers
    #max_parallel_workers_per_gather = 2    # taken from max_parallel_workers
    #parallel_leader_participation = on
    #max_parallel_workers = 8               # maximum number of max_worker_processes that
    #                                       # can be used in parallel operations
    #old_snapshot_threshold = -1            # 1min-60d; -1 disables; 0 is immediate
    #                                       # (change requires restart)
    #backend_flush_after = 0                # measured in pages, 0 disables


    #------------------------------------------------------------------------------
    # WRITE-AHEAD LOG
    #------------------------------------------------------------------------------

    # - Settings -

    #wal_level = replica                    # minimal, replica, or logical
    #                                       # (change requires restart)
    #fsync = on                             # flush data to disk for crash safety
    #                                       # (turning this off can cause
    #                                       # unrecoverable data corruption)
    #synchronous_commit = on                # synchronization level;
    #                                       # off, local, remote_write, remote_apply, or on
    #wal_sync_method = fsync                # the default is the first option
    #                                       # supported by the operating system:
    #                                       #   open_datasync
    #                                       #   fdatasync (default on Linux)
    #                                       #   fsync
    #                                       #   fsync_writethrough
    #                                       #   open_sync
    # Turning off full-page writes is only safe because the data directory sits on
    # the ZFS dataset this role creates: ZFS writes blocks copy-on-write, so a
    # crash cannot leave a torn 8kB page on disk. Do not carry this setting to a
    # filesystem without that guarantee.
    full_page_writes: "off"
    #wal_compression = off                  # enable compression of full-page writes
    #wal_log_hints = off                    # also do full page writes of non-critical updates
    #                                       # (change requires restart)
    #wal_init_zero = on                     # zero-fill new WAL files
    #wal_recycle = on                       # recycle WAL files
    #wal_buffers = -1                       # min 32kB, -1 sets based on shared_buffers
    #                                       # (change requires restart)
    #wal_writer_delay = 200ms               # 1-10000 milliseconds
    #wal_writer_flush_after = 1MB           # measured in pages, 0 disables
    #wal_skip_threshold = 2MB

    #commit_delay = 0                       # range 0-100000, in microseconds
    #commit_siblings = 5                    # range 1-1000

    # - Checkpoints -

    #checkpoint_timeout = 5min              # range 30s-1d
    max_wal_size: 1GB
    min_wal_size: 80MB

    #checkpoint_completion_target = 0.5     # checkpoint target duration, 0.0 - 1.0
    #checkpoint_flush_after = 0             # measured in pages, 0 disables
    #checkpoint_warning = 30s               # 0 disables

    # - Archiving -

    #archive_mode = off                     # enables archiving; off, on, or always
    #                                       # (change requires restart)
    #archive_command = ''                   # command to use to archive a logfile segment
    #                                       # placeholders: %p = path of file to archive
    #                                       #               %f = file name only
    #                                       # e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
    #archive_timeout = 0                    # force a logfile segment switch after this
    #                                       # number of seconds; 0 disables

    # - Archive Recovery -

    # These are only used in recovery mode.

    #restore_command = ''                   # command to use to restore an archived logfile segment
    #                                       # placeholders: %p = path of file to restore
    #                                       #               %f = file name only
    #                                       # e.g. 'cp /mnt/server/archivedir/%f %p'
    #                                       # (change requires restart)
    #archive_cleanup_command = ''           # command to execute at every restartpoint
    #recovery_end_command = ''              # command to execute at completion of recovery

    # - Recovery Target -

    # Set these only when performing a targeted recovery.

    #recovery_target = ''                   # 'immediate' to end recovery as soon as a
    #                                       # consistent state is reached
    #                                       # (change requires restart)
    #recovery_target_name = ''              # the named restore point to which recovery will proceed
    #                                       # (change requires restart)
    #recovery_target_time = ''              # the time stamp up to which recovery will proceed
    #                                       # (change requires restart)
    #recovery_target_xid = ''               # the transaction ID up to which recovery will proceed
    #                                       # (change requires restart)
    #recovery_target_lsn = ''               # the WAL LSN up to which recovery will proceed
    #                                       # (change requires restart)
    #recovery_target_inclusive = on         # Specifies whether to stop:
    #                                       # just after the specified recovery target (on)
    #                                       # just before the recovery target (off)
    #                                       # (change requires restart)
    #recovery_target_timeline = 'latest'    # 'current', 'latest', or timeline ID
    #                                       # (change requires restart)
    #recovery_target_action = 'pause'       # 'pause', 'promote', 'shutdown'
    #                                       # (change requires restart)


    #------------------------------------------------------------------------------
    # REPLICATION
    #------------------------------------------------------------------------------

    # - Sending Servers -

    # Set these on the master and on any standby that will send replication data.

    #max_wal_senders = 10                   # max number of walsender processes
    #                                       # (change requires restart)
    #wal_keep_size = 0                      # in megabytes; 0 disables
    #max_slot_wal_keep_size = -1            # in megabytes; -1 disables
    #wal_sender_timeout = 60s               # in milliseconds; 0 disables

    #max_replication_slots = 10             # max number of replication slots
    #                                       # (change requires restart)
    #track_commit_timestamp = off           # collect timestamp of transaction commit
    #                                       # (change requires restart)

    # - Master Server -

    # These settings are ignored on a standby server.

    #synchronous_standby_names = ''         # standby servers that provide sync rep
    #                                       # method to choose sync standbys, number of sync standbys,
    #                                       # and comma-separated list of application_name
    #                                       # from standby(s); '*' = all
    #vacuum_defer_cleanup_age = 0           # number of xacts by which cleanup is delayed

    # - Standby Servers -

    # These settings are ignored on a master server.

    #primary_conninfo = ''                  # connection string to sending server
    #primary_slot_name = ''                 # replication slot on sending server
    #promote_trigger_file = ''              # file name whose presence ends recovery
    #hot_standby = on                       # "off" disallows queries during recovery
    #                                       # (change requires restart)
    #max_standby_archive_delay = 30s        # max delay before canceling queries
    #                                       # when reading WAL from archive;
    #                                       # -1 allows indefinite delay
    #max_standby_streaming_delay = 30s      # max delay before canceling queries
    #                                       # when reading streaming WAL;
    #                                       # -1 allows indefinite delay
    #wal_receiver_create_temp_slot = off    # create temp slot if primary_slot_name
    #                                       # is not set
    #wal_receiver_status_interval = 10s     # send replies at least this often
    #                                       # 0 disables
    #hot_standby_feedback = off             # send info from standby to prevent
    #                                       # query conflicts
    #wal_receiver_timeout = 60s             # time that receiver waits for
    #                                       # communication from master
    #                                       # in milliseconds; 0 disables
    #wal_retrieve_retry_interval = 5s       # time to wait before retrying to
    #                                       # retrieve WAL after a failed attempt
    #recovery_min_apply_delay = 0           # minimum delay for applying changes during recovery

    # - Subscribers -

    # These settings are ignored on a publisher.

    #max_logical_replication_workers = 4    # taken from max_worker_processes
    #                                       # (change requires restart)
    #max_sync_workers_per_subscription = 2  # taken from max_logical_replication_workers


    #------------------------------------------------------------------------------
    # QUERY TUNING
    #------------------------------------------------------------------------------

    # - Planner Method Configuration -

    #enable_bitmapscan = on
    #enable_hashagg = on
    #enable_hashjoin = on
    #enable_indexscan = on
    #enable_indexonlyscan = on
    #enable_material = on
    #enable_mergejoin = on
    #enable_nestloop = on
    #enable_parallel_append = on
    #enable_seqscan = on
    #enable_sort = on
    #enable_incremental_sort = on
    #enable_tidscan = on
    #enable_partitionwise_join = off
    #enable_partitionwise_aggregate = off
    #enable_parallel_hash = on
    #enable_partition_pruning = on

    # - Planner Cost Constants -

    #seq_page_cost = 1.0                    # measured on an arbitrary scale
    #random_page_cost = 4.0                 # same scale as above
    #cpu_tuple_cost = 0.01                  # same scale as above
    #cpu_index_tuple_cost = 0.005           # same scale as above
    #cpu_operator_cost = 0.0025             # same scale as above
    #parallel_tuple_cost = 0.1              # same scale as above
    #parallel_setup_cost = 1000.0           # same scale as above

    #jit_above_cost = 100000                # perform JIT compilation if available
    #                                       # and query more expensive than this;
    #                                       # -1 disables
    #jit_inline_above_cost = 500000         # inline small functions if query is
    #                                       # more expensive than this; -1 disables
    #jit_optimize_above_cost = 500000       # use expensive JIT optimizations if
    #                                       # query is more expensive than this;
    #                                       # -1 disables

    #min_parallel_table_scan_size = 8MB
    #min_parallel_index_scan_size = 512kB
    #effective_cache_size = 4GB

    # - Genetic Query Optimizer -

    #geqo = on
    #geqo_threshold = 12
    #geqo_effort = 5                        # range 1-10
    #geqo_pool_size = 0                     # selects default based on effort
    #geqo_generations = 0                   # selects default based on effort
    #geqo_selection_bias = 2.0              # range 1.5-2.0
    #geqo_seed = 0.0                        # range 0.0-1.0

    # - Other Planner Options -

    #default_statistics_target = 100        # range 1-10000
    #constraint_exclusion = partition       # on, off, or partition
    #cursor_tuple_fraction = 0.1            # range 0.0-1.0
    #from_collapse_limit = 8
    #join_collapse_limit = 8                # 1 disables collapsing of explicit
    #                                       # JOIN clauses
    #force_parallel_mode = off
    #jit = on                               # allow JIT compilation
    #plan_cache_mode = auto                 # auto, force_generic_plan or
    #                                       # force_custom_plan


    #------------------------------------------------------------------------------
    # REPORTING AND LOGGING
    #------------------------------------------------------------------------------

    # - Where to Log -

    #log_destination = 'stderr'             # Valid values are combinations of
    #                                       # stderr, csvlog, syslog, and eventlog,
    #                                       # depending on platform. csvlog
    #                                       # requires logging_collector to be on.

    # This is used when logging to stderr:
    #logging_collector = off                # Enable capturing of stderr and csvlog
    #                                       # into log files. Required to be on for
    #                                       # csvlogs.
    #                                       # (change requires restart)

    # These are only used if logging_collector is on:
    #log_directory = 'log'                  # directory where log files are written,
    #                                       # can be absolute or relative to PGDATA
    #log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'        # log file name pattern,
    #                                       # can include strftime() escapes
    #log_file_mode = 0600                   # creation mode for log files,
    #                                       # begin with 0 to use octal notation
    #log_truncate_on_rotation = off         # If on, an existing log file with the
    #                                       # same name as the new log file will be
    #                                       # truncated rather than appended to.
    #                                       # But such truncation only occurs on
    #                                       # time-driven rotation, not on restarts
    #                                       # or size-driven rotation. Default is
    #                                       # off, meaning append to existing files
    #                                       # in all cases.
    #log_rotation_age = 1d                  # Automatic rotation of logfiles will
    #                                       # happen after that time. 0 disables.
    #log_rotation_size = 10MB               # Automatic rotation of logfiles will
    #                                       # happen after that much log output.
    #                                       # 0 disables.
426 | 427 | # These are relevant when logging to syslog: 428 | #syslog_facility = 'LOCAL0' 429 | #syslog_ident = 'postgres' 430 | #syslog_sequence_numbers = on 431 | #syslog_split_messages = on 432 | 433 | # This is only relevant when logging to eventlog (win32): 434 | # (change requires restart) 435 | #event_source = 'PostgreSQL' 436 | 437 | # - When to Log - 438 | 439 | #log_min_messages = warning # values in order of decreasing detail: 440 | # # debug5 441 | # # debug4 442 | # # debug3 443 | # # debug2 444 | # # debug1 445 | # # info 446 | # # notice 447 | # # warning 448 | # # error 449 | # # log 450 | # # fatal 451 | # # panic 452 | 453 | #log_min_error_statement = error # values in order of decreasing detail: 454 | # # debug5 455 | # # debug4 456 | # # debug3 457 | # # debug2 458 | # # debug1 459 | # # info 460 | # # notice 461 | # # warning 462 | # # error 463 | # # log 464 | # # fatal 465 | # # panic (effectively off) 466 | 467 | #log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements 468 | # # and their durations, > 0 logs only 469 | # # statements running at least this number 470 | # # of milliseconds 471 | 472 | #log_min_duration_sample = -1 # -1 is disabled, 0 logs a sample of statements 473 | # # and their durations, > 0 logs only a sample of 474 | # # statements running at least this number 475 | # # of milliseconds; 476 | # # sample fraction is determined by log_statement_sample_rate 477 | 478 | #log_statement_sample_rate = 1.0 # fraction of logged statements exceeding 479 | # # log_min_duration_sample to be logged; 480 | # # 1.0 logs all such statements, 0.0 never logs 481 | 482 | 483 | #log_transaction_sample_rate = 0.0 # fraction of transactions whose statements 484 | # # are logged regardless of their duration; 1.0 logs all 485 | # # statements from all transactions, 0.0 never logs 486 | 487 | # - What to Log - 488 | 489 | #debug_print_parse = off 490 | #debug_print_rewritten = off 491 | #debug_print_plan = off 492 | 
#debug_pretty_print = on 493 | #log_checkpoints = off 494 | #log_connections = off 495 | #log_disconnections = off 496 | #log_duration = off 497 | #log_error_verbosity = default # terse, default, or verbose messages 498 | #log_hostname = off 499 | #log_line_prefix = '%m [%p] ' # special values: 500 | # # %a = application name 501 | # # %u = user name 502 | # # %d = database name 503 | # # %r = remote host and port 504 | # # %h = remote host 505 | # # %b = backend type 506 | # # %p = process ID 507 | # # %t = timestamp without milliseconds 508 | # # %m = timestamp with milliseconds 509 | # # %n = timestamp with milliseconds (as a Unix epoch) 510 | # # %i = command tag 511 | # # %e = SQL state 512 | # # %c = session ID 513 | # # %l = session line number 514 | # # %s = session start timestamp 515 | # # %v = virtual transaction ID 516 | # # %x = transaction ID (0 if none) 517 | # # %q = stop here in non-session 518 | # # processes 519 | # # %% = '%' 520 | # # e.g. '<%u%%%d> ' 521 | #log_lock_waits = off # log lock waits >= deadlock_timeout 522 | #log_parameter_max_length = -1 # when logging statements, limit logged 523 | # # bind-parameter values to N bytes; 524 | # # -1 means print in full, 0 disables 525 | #log_parameter_max_length_on_error = 0 # when logging an error, limit logged 526 | # # bind-parameter values to N bytes; 527 | # # -1 means print in full, 0 disables 528 | #log_statement = 'none' # none, ddl, mod, all 529 | #log_replication_commands = off 530 | #log_temp_files = -1 # log temporary files equal or larger 531 | # # than the specified size in kilobytes; 532 | # # -1 disables, 0 logs all temp files 533 | log_timezone: 'UTC' 534 | 535 | #------------------------------------------------------------------------------ 536 | # PROCESS TITLE 537 | #------------------------------------------------------------------------------ 538 | 539 | #cluster_name = '' # added to process titles if nonempty 540 | # # (change requires restart) 541 | #update_process_title = 
on 542 | 543 | 544 | #------------------------------------------------------------------------------ 545 | # STATISTICS 546 | #------------------------------------------------------------------------------ 547 | 548 | # - Query and Index Statistics Collector - 549 | 550 | #track_activities = on 551 | #track_counts = on 552 | #track_io_timing = off 553 | #track_functions = none # none, pl, all 554 | #track_activity_query_size = 1024 # (change requires restart) 555 | #stats_temp_directory = 'pg_stat_tmp' 556 | 557 | 558 | # - Monitoring - 559 | 560 | #log_parser_stats = off 561 | #log_planner_stats = off 562 | #log_executor_stats = off 563 | #log_statement_stats = off 564 | 565 | 566 | #------------------------------------------------------------------------------ 567 | # AUTOVACUUM 568 | #------------------------------------------------------------------------------ 569 | 570 | #autovacuum = on # Enable autovacuum subprocess? 'on' 571 | # # requires track_counts to also be on. 572 | #log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and 573 | # # their durations, > 0 logs only 574 | # # actions running at least this number 575 | # # of milliseconds. 
576 | #autovacuum_max_workers = 3 # max number of autovacuum subprocesses 577 | # # (change requires restart) 578 | #autovacuum_naptime = 1min # time between autovacuum runs 579 | #autovacuum_vacuum_threshold = 50 # min number of row updates before 580 | # # vacuum 581 | #autovacuum_vacuum_insert_threshold = 1000 # min number of row inserts 582 | # # before vacuum; -1 disables insert 583 | # # vacuums 584 | #autovacuum_analyze_threshold = 50 # min number of row updates before 585 | # # analyze 586 | #autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum 587 | #autovacuum_vacuum_insert_scale_factor = 0.2 # fraction of inserts over table 588 | # # size before insert vacuum 589 | #autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze 590 | #autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum 591 | # # (change requires restart) 592 | #autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age 593 | # # before forced vacuum 594 | # # (change requires restart) 595 | #autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for 596 | # # autovacuum, in milliseconds; 597 | # # -1 means use vacuum_cost_delay 598 | #autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for 599 | # # autovacuum, -1 means use 600 | # # vacuum_cost_limit 601 | 602 | 603 | #------------------------------------------------------------------------------ 604 | # CLIENT CONNECTION DEFAULTS 605 | #------------------------------------------------------------------------------ 606 | 607 | # - Statement Behavior - 608 | 609 | #client_min_messages = notice # values in order of decreasing detail: 610 | # # debug5 611 | # # debug4 612 | # # debug3 613 | # # debug2 614 | # # debug1 615 | # # log 616 | # # notice 617 | # # warning 618 | # # error 619 | #search_path = '"$user", public' # schema names 620 | #row_security = on 621 | #default_tablespace = '' # a tablespace name, '' uses the default 622 | 
#temp_tablespaces = '' # a list of tablespace names, '' uses 623 | # # only default tablespace 624 | #default_table_access_method = 'heap' 625 | #check_function_bodies = on 626 | #default_transaction_isolation = 'read committed' 627 | #default_transaction_read_only = off 628 | #default_transaction_deferrable = off 629 | #session_replication_role = 'origin' 630 | #statement_timeout = 0 # in milliseconds, 0 is disabled 631 | #lock_timeout = 0 # in milliseconds, 0 is disabled 632 | #idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled 633 | #vacuum_freeze_min_age = 50000000 634 | #vacuum_freeze_table_age = 150000000 635 | #vacuum_multixact_freeze_min_age = 5000000 636 | #vacuum_multixact_freeze_table_age = 150000000 637 | #vacuum_cleanup_index_scale_factor = 0.1 # fraction of total number of tuples 638 | # # before index cleanup, 0 always performs 639 | # # index cleanup 640 | #bytea_output = 'hex' # hex, escape 641 | #xmlbinary = 'base64' 642 | #xmloption = 'content' 643 | #gin_fuzzy_search_limit = 0 644 | #gin_pending_list_limit = 4MB 645 | 646 | # - Locale and Formatting - 647 | 648 | datestyle: "'iso, mdy'" 649 | #intervalstyle = 'postgres' 650 | timezone: "'UTC'" 651 | #timezone_abbreviations = 'Default' # Select the set of available time zone 652 | # # abbreviations. Currently, there are 653 | # # Default 654 | # # Australia (historical usage) 655 | # # India 656 | # # You can create your own file in 657 | # # share/timezonesets/. 658 | #extra_float_digits = 1 # min -15, max 3; any value >0 actually 659 | # # selects precise output mode 660 | #client_encoding = sql_ascii # actually, defaults to database 661 | # # encoding 662 | 663 | # These settings are initialized by initdb, but they can be changed. 
664 | lc_messages: "'en_US.UTF-8'" 665 | lc_monetary: "'en_US.UTF-8'" 666 | lc_numeric: "'en_US.UTF-8'" 667 | lc_time: "'en_US.UTF-8'" 668 | 669 | # default configuration for text search 670 | default_text_search_config: "'pg_catalog.english'" 671 | 672 | # - Shared Library Preloading - 673 | 674 | #shared_preload_libraries = '' # (change requires restart) 675 | #local_preload_libraries = '' 676 | #session_preload_libraries = '' 677 | #jit_provider = 'llvmjit' # JIT library to use 678 | 679 | # - Other Defaults - 680 | 681 | #dynamic_library_path = '$libdir' 682 | 683 | 684 | #------------------------------------------------------------------------------ 685 | # LOCK MANAGEMENT 686 | #------------------------------------------------------------------------------ 687 | 688 | #deadlock_timeout = 1s 689 | #max_locks_per_transaction = 64 # min 10 690 | # # (change requires restart) 691 | #max_pred_locks_per_transaction = 64 # min 10 692 | # # (change requires restart) 693 | #max_pred_locks_per_relation = -2 # negative values mean 694 | # # (max_pred_locks_per_transaction 695 | # # / -max_pred_locks_per_relation) - 1 696 | #max_pred_locks_per_page = 2 # min 0 697 | 698 | 699 | #------------------------------------------------------------------------------ 700 | # VERSION AND PLATFORM COMPATIBILITY 701 | #------------------------------------------------------------------------------ 702 | 703 | # - Previous PostgreSQL Versions - 704 | 705 | #array_nulls = on 706 | #backslash_quote = safe_encoding # on, off, or safe_encoding 707 | #escape_string_warning = on 708 | #lo_compat_privileges = off 709 | #operator_precedence_warning = off 710 | #quote_all_identifiers = off 711 | #standard_conforming_strings = on 712 | #synchronize_seqscans = on 713 | 714 | # - Other Platforms and Clients - 715 | 716 | #transform_null_equals = off 717 | 718 | 719 | #------------------------------------------------------------------------------ 720 | # ERROR HANDLING 721 | 
    #------------------------------------------------------------------------------

    #exit_on_error = off                    # terminate session on any error?
    #restart_after_crash = on               # reinitialize after backend crash?
    #data_sync_retry = off                  # retry or panic on failure to fsync
    #                                       # data?
    #                                       # (change requires restart)
  hba:
    - type: local
      database: all
      user: postgres
      method: peer
      options: map=postgres-user
    - type: local
      database: all
      user: all
      method: scram-sha-256
  ident:
    - mapname: postgres-user
      system_username: root
      postgres_username: postgres
    - mapname: postgres-user
      system_username: postgres
      postgres_username: postgres
--------------------------------------------------------------------------------
/roles/postgresql/handlers/main.yml:
--------------------------------------------------------------------------------
---
- name: restart postgresql-server
  when: not postgresql_enabled.changed
  service:
    name: 'svc:/pkgsrc/postgresql:default'
    state: restarted
--------------------------------------------------------------------------------
/roles/postgresql/meta/main.yml:
--------------------------------------------------------------------------------
---
dependencies:
  - role: common
--------------------------------------------------------------------------------
/roles/postgresql/tasks/main.yml:
--------------------------------------------------------------------------------
---
- name: ensure presence of postgresql ZFS dataset
  when: delegate_dataset is succeeded
  zfs:
    name: '{{ zone_dataset }}/pgsql'
    state: present
    extra_zfs_properties:
      mountpoint: /var/pgsql
      recordsize: '{{ postgresql.recordsize }}'

- name: ensure secure permissions on postgresql ZFS mountpoint
  file:
    path: /var/pgsql
    state: directory
    owner: 907
    group: 907
    mode: 0700

- name: ensure presence of {{ postgresql.server }}
  notify: restart postgresql-server
  pkgin:
    name: '{{ postgresql.server }}'

- name: ensure that postgresql-server is properly configured
  notify: restart postgresql-server
  loop:
    - postgresql.conf
    - pg_hba.conf
    - pg_ident.conf
  template:
    src: '{{ item }}'
    dest: '/var/pgsql/data/{{ item }}'
    owner: postgres
    group: postgres
    mode: 0600

- name: ensure that postgresql-server is enabled
  register: postgresql_enabled
  service:
    name: 'svc:/pkgsrc/postgresql:default'
    enabled: true
--------------------------------------------------------------------------------
/roles/postgresql/templates/pg_hba.conf:
--------------------------------------------------------------------------------
{{ configuration_header }}

# Complete documentation is available at the following URL:
# https://www.postgresql.org/docs/current/auth-pg-hba-conf.html

{# hba is a list of rows, so the fallback is an empty list (as in pg_ident.conf) #}
{% for row in postgresql.hba | default([]) %}
{{ row.type }} {{ row.database }} {{ row.user }} {{ row.address | default('') }} {{ row.method }} {{ row.options | default('') }}
{% endfor %}
--------------------------------------------------------------------------------
/roles/postgresql/templates/pg_ident.conf:
--------------------------------------------------------------------------------
{{ configuration_header }}

# Complete documentation is available at the following URL:
# https://www.postgresql.org/docs/current/auth-username-maps.html

{% for row in postgresql.ident | default([]) %}
{{ row.mapname }} {{ row.system_username }} {{ row.postgres_username }}
{% endfor %}
--------------------------------------------------------------------------------
/roles/postgresql/templates/postgresql.conf:
--------------------------------------------------------------------------------
{{ configuration_header }}

# Complete documentation is available at the following URL:
# https://www.postgresql.org/docs/current/runtime-config.html

{% for key,value in postgresql.config|dictsort %}
{{ key }} = {{ value }}
{% endfor %}
--------------------------------------------------------------------------------
/roles/redis/defaults/main.yml:
--------------------------------------------------------------------------------
---
redis: {}
--------------------------------------------------------------------------------
/roles/redis/handlers/main.yml:
--------------------------------------------------------------------------------
---
- name: restart redis
  when: not redis_enabled.changed
  service:
    name: 'svc:/pkgsrc/redis:default'
    state: restarted
--------------------------------------------------------------------------------
/roles/redis/meta/main.yml:
--------------------------------------------------------------------------------
---
dependencies:
  - role: common
--------------------------------------------------------------------------------
/roles/redis/tasks/main.yml:
--------------------------------------------------------------------------------
---
- name: ensure presence of redis ZFS dataset
  when: delegate_dataset is succeeded
  zfs:
    name: '{{ zone_dataset }}/redis'
    state: present
    extra_zfs_properties:
      mountpoint: '{{ (default_redis|combine(redis, recursive=True)).config.dir }}'

- name: ensure that redis has been installed
  notify: restart redis
  pkgin:
    name: redis

- name: ensure that redis has been configured
  notify: restart redis
  template:
    src: redis.conf
    dest: /opt/local/etc/redis.conf
    owner: root
    group: root
    mode: 0644

- name: ensure that redis has been enabled
  register: redis_enabled
  service:
    name: 'svc:/pkgsrc/redis:default'
    enabled: true
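As an added example (not code from the repository), the pg_hba.conf and pg_ident.conf templates above reproduced in Python, together with a first-match lint over the role's `hba`/`ident` rows; `WEAK_HBA` and the lint rules are this example's own constructions, the role performs no such check.

```python
"""Render and lint pg_hba.conf / pg_ident.conf rows the way the postgresql
role's templates emit them.  Added example, not part of the repository; the
lint rules are this example's own, the role itself performs no such checks."""
from typing import Dict, List

Row = Dict[str, str]

# The role's own hba/ident entries: peer auth for the postgres superuser through
# a username map, scram-sha-256 for everyone else, and no TCP rows at all.
ROLE_HBA: List[Row] = [
    {"type": "local", "database": "all", "user": "postgres",
     "method": "peer", "options": "map=postgres-user"},
    {"type": "local", "database": "all", "user": "all", "method": "scram-sha-256"},
]
ROLE_IDENT: List[Row] = [
    {"mapname": "postgres-user", "system_username": "root", "postgres_username": "postgres"},
    {"mapname": "postgres-user", "system_username": "postgres", "postgres_username": "postgres"},
]

# Constructed (not from the role): rows an operator might add when opening the
# server to the network, with two mistakes the lint below reports.
WEAK_HBA: List[Row] = ROLE_HBA + [
    {"type": "host", "database": "all", "user": "all", "address": "0.0.0.0/0", "method": "trust"},
    {"type": "host", "database": "app", "user": "app", "address": "10.0.0.5/32",
     "method": "scram-sha-256"},
]


def render_hba(rows: List[Row]) -> List[str]:
    """Mirror templates/pg_hba.conf: address and options default to '' exactly
    as the Jinja template does, so local rows carry a double space (PostgreSQL
    splits fields on any run of whitespace, so that is harmless)."""
    return [" ".join([r["type"], r["database"], r["user"], r.get("address", ""),
                      r["method"], r.get("options", "")]) for r in rows]


def render_ident(rows: List[Row]) -> List[str]:
    """Mirror templates/pg_ident.conf: mapname system_username postgres_username."""
    return [f'{r["mapname"]} {r["system_username"]} {r["postgres_username"]}' for r in rows]


def _covers(earlier: Row, later: Row) -> bool:
    """True when an earlier row already matches every connection the later one
    describes; pg_hba.conf is first-match, so the later row can never apply."""
    if earlier["type"] != later["type"]:
        return False
    if earlier["database"] not in ("all", later["database"]):
        return False
    if earlier["user"] not in ("all", later["user"]):
        return False
    if earlier["type"] == "local":
        return True
    return earlier.get("address") in ("all", "0.0.0.0/0", "::/0", later.get("address"))


def lint_hba(hba: List[Row], ident: List[Row]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings: List[str] = []
    known_maps = {r["mapname"] for r in ident}
    for i, row in enumerate(hba, start=1):
        where = f"hba row {i} ({row['type']} {row['database']} {row['user']})"
        if row["method"] == "trust":
            findings.append(f"{where}: method 'trust' performs no authentication")
        elif row["method"] == "password":
            findings.append(f"{where}: method 'password' sends the password in clear text")
        elif row["method"] == "md5":
            findings.append(f"{where}: method 'md5' is weaker than scram-sha-256")
        if row["type"].startswith("host") and not row.get("address"):
            findings.append(f"{where}: host rows require an address field")
        if row["type"] == "local" and row.get("address"):
            findings.append(f"{where}: local rows take no address field")
        for opt in row.get("options", "").split():
            if opt.startswith("map=") and opt[4:] not in known_maps:
                findings.append(f"{where}: map '{opt[4:]}' has no pg_ident.conf entry")
        if any(_covers(prev, row) for prev in hba[:i - 1]):
            findings.append(f"{where}: unreachable, an earlier row already matches")
    return findings


if __name__ == "__main__":
    print("\n".join(render_hba(ROLE_HBA) + render_ident(ROLE_IDENT)))
    for finding in lint_hba(WEAK_HBA, ROLE_IDENT):
        print("finding:", finding)
```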
--------------------------------------------------------------------------------
/roles/redis/templates/redis.conf:
--------------------------------------------------------------------------------
{{ configuration_header }}

{% for key,value in (default_redis|combine(redis, recursive=True)).config|dictsort %}
{% if value is number or value is string %}
{{ key }} {{ value }}
{% elif value is iterable %}
{% for v in value|sort %}
{{ key }} {{ v }}
{% endfor %}
{% endif %}
{% endfor %}
--------------------------------------------------------------------------------
/roles/redis/vars/main.yml:
--------------------------------------------------------------------------------
---
default_redis:
  config:
    #---------
    # Network
    #---------
    bind: '::1 127.0.0.1'                  # The address or addresses to bind to (IPv4|IPv6)
    protected-mode: 'yes'                  # Protects the redis instance from unauthenticated requests from other hosts
    port: 6379                             # port to listen to, 0 disables TCP
    tcp-backlog: 511                       # TCP listen() backlog
    unixsocket: /tmp/redis.sock            # listening UNIX socket
    unixsocketperm: 700                    # Permissions of listening UNIX socket
    timeout: 0                             # Close the connection after timeout seconds (0 to disable)
    tcp-keepalive: 300                     # If non-zero, uses SO_KEEPALIVE to send TCP ACKs to clients in absence of communication

    #---------
    # General
    #---------
    daemonize: 'yes'                       # Run as a daemon (SMF assumes this)
    supervised: 'no'                       # Controls Redis interactions with the supervisor (Redis doesn't talk to SMF)
    pidfile: /var/db/redis/redis.pid       # Specify the pid file name
    loglevel: notice                       # Specify the server verbosity level ( warning | notice | verbose | debug )
    logfile: /var/log/redis/redis.log      # Specify the log file name
    # syslog-enabled: 'yes'                # Enable logging to the system logger
    # syslog-ident: redis                  # Specify the syslog identity
    # syslog-facility: local0              # Specify the syslog facility
    databases: 16                          # Set the number of databases
    always-show-logo: 'no'                 # We're boring, we don't need logos in our logs

    #--------------
    # Snapshotting
    #--------------
    save:                                  # : will save the DB if both the given number of seconds and the given number of write operations have occurred
      - 900 1
      - 300 10
      - 60 10000
    stop-writes-on-bgsave-error: 'yes'     # Ensure that redis doesn't blindly accept writes if it's unable to persist them to the filesystem
    rdbcompression: 'yes'                  # Compress string objects when persisting the database to the filesystem, may be unnecessary with ZFS compression
    rdbchecksum: 'yes'                     # Appends a CRC64 checksum to the end of the file, may be unnecessary with ZFS checksumming
    dbfilename: dump.rdb                   # The RDB database filename
    dir: /var/db/redis                     # Directory where RDB and AOF data will be stored

    #-------------
    # Replication
    #-------------
    # replicaof:                           # Master server to replicate from
    # masterauth:                          # Must match the "requirepass" configuration option on the master server
    replica-serve-stale-data: 'yes'        # Will allow replica to serve data while resynchronization is in progress with master
    replica-read-only: 'yes'               # If clients are allowed to write data to the replica. This data will be overwritten after resync with the master
    repl-diskless-sync: 'no'               # Determines the replication strategy on the master. diskless sync uses a socket and is quicker, but doesn't scale as well and is also experimental
    repl-diskless-sync-delay: 5            # Delay the master waits in order to spawn the child that transfers the RDB via socket to the replicas
    # repl-ping-replica-period: 10         # Interval between pings sent from the replicas to the master
    # repl-timeout: 60                     # Replication timeout for bulk transfers during sync, master timeout from the replica's PoV, replica timeout from the PoV of the master
    repl-disable-tcp-nodelay: 'no'         # Disable TCP_NODELAY
    # repl-backlog-size: 1mb               # Sets the replication backlog size
    # repl-backlog-ttl: 3600               # Number of seconds that the backlog buffer will be freed after the last replica disconnects
    replica-priority: 100                  # Used by Redis Sentinel to select a replica to promote to master if master is no longer available, lower is better for promotion, 0 disables promotion
    # min-replicas-to-write: 3             # Determines the minimum number of connected replicas for a master to accept a write from a client
    # min-replicas-max-lag: 10             # Determines the maximum number of seconds to wait for replication to a replica to complete
    # replica-announce-ip: 5.5.5.5         # Overrides the master announced replica IP address
    # replica-announce-port: 1234          # Overrides the master announced replica port
    #
    #----------
    # Security
    #----------
    # requirepass:                         # Requires clients to issue AUTH before processing any other commands
    # rename-command:                      # Renames commands to prevent dangerous commands from being available in a shared environment
    #   -                                  # Disable a command by renaming it to an empty string
    #
    #---------
    # Clients
    #---------
    # maxclients: 10000                    # Set the maximum number of simultaneously connected clients
    #
    #-------------------
    # Memory Management
    #-------------------
    # maxmemory:                           # Set a memory usage limit in bytes
    # maxmemory-policy: noeviction         # How redis will resolve reaching maxmemory (volatile-lru|allkeys-lru|volatile-lfu|allkeys-lfu|volatile-random|allkeys-random|volatile-ttl|noeviction)
    # maxmemory-samples: 5                 # Number of key samples redis will check to perform its evictions
    # replica-ignore-maxmemory: 'yes'      # Max memory settings will be ignored by replicas, but apply if they're promoted to master
    #
    #--------------
    # Lazy Freeing
    #--------------
    lazyfree-lazy-eviction: 'no'           # Use non-blocking deletion to evict data due to maxmemory being met
    lazyfree-lazy-expire: 'no'             # Use non-blocking deletion to expire data that has exceeded its TTL
    lazyfree-lazy-server-del: 'no'         # Use non-blocking deletion to delete key overwrites (such as key renames overwriting another key)
    replica-lazy-flush: 'no'               # Use non-blocking deletion to delete data that has been flushed due to master resynchronization

    #------------------
    # Append Only Mode
    #------------------
    appendonly: 'no'                       # Write out an Append Only File (AOF) to the disk. This acts much like the WAL or ZIL of other databases and filesystems
    appendfilename: "appendonly.aof"       # The AOF database filename
    # appendfsync: always                  # Fsync after every write to the append only log. Good idea if you have a fast SLOG on your ZFS pool
    # appendfsync: everysec                # Fsync once per second. Sane compromise for most situations
    appendfsync: 'no'                      # Disable fsync calls. Reasonable approach for ZFS which should commit a transaction group every 5 seconds
    no-appendfsync-on-rewrite: 'no'        # If you have latency problems with appendfsync set to always or everysec, turn this on
    auto-aof-rewrite-percentage: 100       # Triggers an AOF automatic rewrite (by file size as a percentage)
    auto-aof-rewrite-min-size: 64mb        # Triggers an AOF automatic rewrite (by absolute file size)
    aof-load-truncated: 'yes'              # Allows redis to start and recover an obviously truncated AOF file (corruption in the middle of the file will still result in a startup error)
    aof-use-rdb-preamble: 'yes'            # Load the most recent RDB file, and then recover the remainder of the data from the AOF file

    #---------------
    # Lua Scripting
    #---------------
    lua-time-limit: 5000                   # Maximum execution time of a Lua script in milliseconds

    #---------------
    # Redis Cluster
    #---------------
    # cluster-enabled: 'yes'               # Start this redis instance as a cluster member
    # cluster-config-file: nodes-6379.conf # Unique machine edited cluster configuration file
    # cluster-node-timeout: 15000          # Timeout in milliseconds a node must be unreachable for it to be considered in the failure state
    # cluster-replica-validity-factor: 10  # Cluster replicas will disqualify their data for use to regenerate the master if it hasn't interacted with the previous master for this value * the cluster-node-timeout
    # cluster-migration-barrier: 1         # Minimum number of replicas to leave on a previous master if a replica is going to migrate to an orphaned master (a master with no replicas)
    # cluster-require-full-coverage: 'yes' # Will cause the cluster to stop accepting queries if it detects at least one unserved hash-slot. Set to 'no' if you want the cluster to continue regardless
    # cluster-replica-no-failover: 'yes'   # Will prevent replicas from trying to failover its master during master failures. Master can still manually failover to this replica
    #
    #----------------------------
    # Cluster Docker/NAT Support
    #----------------------------
    # cluster-announce-ip: 10.1.1.5        # IP address that this node will announce to the rest of the cluster
    # cluster-announce-port: 6379          # Client port that this node will announce to the rest of the cluster
    # cluster-announce-bus-port: 6380      # Cluster message bus port that this node will announce to the rest of the cluster
    #
    #----------
    # Slow Log
    #----------
    slowlog-log-slower-than: 10000         # Logs queries that exceed this number of microseconds
    slowlog-max-len: 128                   # Limit the slow query log to this number of entries. Old ones will be removed from the end

    #-----------------
    # Latency Monitor
    #-----------------
    latency-monitor-threshold: 0           # Set the minimum trigger latency of operations for the latency monitor, accessible through the LATENCY command

    #--------------------
    # Event Notification
    #--------------------
    notify-keyspace-events: '""'           # Sets the key space notifications Redis will push to interested parties via Pub/Sub. Read more at http://redis.io/topics/notifications

    #------------------------
    # Advanced Configuration
    #------------------------
    # If you're editing these, you should already know what they do.
    hash-max-ziplist-entries: 512
    hash-max-ziplist-value: 64
    list-max-ziplist-size: -2
    list-compress-depth: 0
    set-max-intset-entries: 512
    zset-max-ziplist-entries: 128
    zset-max-ziplist-value: 64
    hll-sparse-max-bytes: 3000
    stream-node-max-bytes: 4096
    stream-node-max-entries: 100
    activerehashing: 'yes'
    client-output-buffer-limit:
      - normal 0 0 0
      - replica 256mb 64mb 60
      - pubsub 32mb 8mb 60
    hz: 10
    dynamic-hz: 'yes'
    aof-rewrite-incremental-fsync: 'yes'
    rdb-save-incremental-fsync: 'yes'
--------------------------------------------------------------------------------
/roles/router/templates/ipnat.conf:
--------------------------------------------------------------------------------
{{ configuration_header }}

{% for net in private %}
{% set net_mask = ansible_facts[net.interface].ipv4.0.network ~ '/' ~ ansible_facts[net.interface].ipv4.0.netmask %}
# NAT for {{ net_mask | ipaddr('net') }}
map {{ public.interface }} {{ net_mask | ipaddr('net') }} -> 0/32 proxy port ftp ftp/tcp
map {{ public.interface }} {{ net_mask | ipaddr('net') }} -> 0/32 portmap tcp/udp auto
map {{ public.interface }} {{ net_mask | ipaddr('net') }} -> 0/32

{% endfor %}
{% for redirect in redirects %}
# {{ redirect.desc }}
rdr {{ public.interface }} {{ ansible_facts[public.interface].ipv4.0.address }}/32 port {{ redirect.src }} -> {{ redirect.ip }} port {{ redirect.dst }} {{ redirect.type | default('') }}

{% endfor %}
--------------------------------------------------------------------------------
/roles/samba/handlers/main.yml:
--------------------------------------------------------------------------------
---
- name: restart samba
  when: not samba_enabled.changed
  service:
    name: 'svc:/pkgsrc/samba:smbd svc:/pkgsrc/samba:nmbd'
    state: restarted
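An added example, not the role's own code: the recursive `combine` merge and the redis.conf rendering rules from the template above, reproduced in Python over a subset of `default_redis`, plus a check over the merged result; `LAN_OVERRIDE` and the findings are constructed for this example, the role performs no such check.

```python
"""Merge playbook overrides into default_redis and render redis.conf the way the
redis role's template does.  Added example, not part of the repository;
deep_merge reproduces Ansible's combine(recursive=True) and the exposure
checks are this example's own, not something the role performs."""
from numbers import Number
from typing import Any, Dict, List

# Subset of default_redis from roles/redis/vars/main.yml, values as the role quotes them.
DEFAULT_REDIS: Dict[str, Any] = {"config": {
    "bind": "::1 127.0.0.1",
    "protected-mode": "yes",
    "port": 6379,
    "unixsocket": "/tmp/redis.sock",
    "unixsocketperm": 700,
    "save": ["900 1", "300 10", "60 10000"],
    "client-output-buffer-limit": ["normal 0 0 0", "replica 256mb 64mb 60", "pubsub 32mb 8mb 60"],
}}

# Constructed override, the shape a playbook would pass as the `redis` variable.
LAN_OVERRIDE: Dict[str, Any] = {"config": {"bind": "10.0.0.5", "maxmemory": "256mb"}}


def deep_merge(base: Dict[str, Any], override: Dict[str, Any]) -> Dict[str, Any]:
    """combine(recursive=True): nested dicts merge key by key; any other value,
    lists included, is replaced wholesale by the override.  Returns a new dict."""
    merged = dict(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged


def render_redis_conf(config: Dict[str, Any]) -> List[str]:
    """Mirror templates/redis.conf: keys in dictsort order; a number or string
    emits one 'key value' line, a list emits one line per element in sorted
    order (so the `save` lines come out lexically sorted, which Redis accepts);
    anything else is skipped, as the template's if/elif chain does."""
    lines: List[str] = []
    for key, value in sorted(config.items()):
        if isinstance(value, (Number, str)):
            lines.append(f"{key} {value}")
        elif isinstance(value, (list, tuple, set)):
            lines.extend(f"{key} {v}" for v in sorted(value))
    return lines


def exposure_findings(config: Dict[str, Any]) -> List[str]:
    """Flag listeners reachable beyond the local host without a password."""
    findings: List[str] = []
    addrs = str(config.get("bind", "")).split()          # no bind = every interface
    loopback_only = bool(addrs) and all(a in ("127.0.0.1", "::1") for a in addrs)
    if config.get("port", 6379) != 0 and not loopback_only and not config.get("requirepass"):
        findings.append(f"TCP listener on {' '.join(addrs) or 'all interfaces'} with no requirepass")
    if str(config.get("protected-mode", "yes")) != "yes":
        findings.append("protected-mode is off")
    # Redis reads unixsocketperm as octal digits, so the role's 700 means 0o700.
    if config.get("unixsocket") and int(str(config.get("unixsocketperm", "777")), 8) & 0o077:
        findings.append("unix socket is group- or world-accessible")
    return findings


if __name__ == "__main__":
    merged = deep_merge(DEFAULT_REDIS, LAN_OVERRIDE)["config"]
    print("\n".join(render_redis_conf(merged)))
    for finding in exposure_findings(merged):
        print("finding:", finding)
```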
-------------------------------------------------------------------------------- /roles/samba/meta/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | dependencies: 3 | - role: common 4 | vars: 5 | home_dataset: true 6 | -------------------------------------------------------------------------------- /roles/samba/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: ensure that samba has been installed 3 | notify: restart samba 4 | pkgin: 5 | name: samba 6 | 7 | - name: ensure that samba has been configured 8 | notify: restart samba 9 | template: 10 | src: smb.conf 11 | dest: /opt/local/etc/samba/smb.conf 12 | mode: 0644 13 | owner: root 14 | group: root 15 | 16 | - name: ensure that the log directory ({{ (default_samba|combine(samba, recursive=True)).global["log file"] | dirname }}) exists 17 | when: (default_samba|combine(samba, recursive=True)).global['log file'] is defined 18 | file: 19 | path: '{{ (default_samba|combine(samba, recursive=True)).global["log file"] | dirname }}' 20 | state: directory 21 | owner: root 22 | group: root 23 | mode: 0750 24 | 25 | - name: ensure that samba has been enabled 26 | register: samba_enabled 27 | service: 28 | name: 'svc:/pkgsrc/samba:smbd svc:/pkgsrc/samba:nmbd' 29 | enabled: true 30 | -------------------------------------------------------------------------------- /roles/samba/templates/smb.conf: -------------------------------------------------------------------------------- 1 | {{ configuration_header }} 2 | # Example configuration available at /opt/local/share/examples/samba/smb.conf.default 3 | 4 | {% for section,parameters in default_samba|combine(samba, recursive=True)|dictsort %} 5 | [{{ section }}] 6 | {% for key,value in parameters|dictsort %} 7 | {{ key }} = {{ value }} 8 | {% endfor %} 9 | {% endfor %} 10 | -------------------------------------------------------------------------------- 
/roles/samba/vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | default_samba: 3 | global: 4 | 'workgroup': 'MYGROUP' 5 | 'server string': 'Samba %v (%h)' 6 | 'server role': 'standalone server' 7 | 'log file': '/var/log/samba/log.%m' 8 | 'max log size': 50 9 | 'dns proxy': 'no' 10 | homes: 11 | 'comment': 'Home Directories' 12 | 'browseable': 'no' 13 | 'writable': 'yes' 14 | printers: 15 | 'comment': 'All Printers' 16 | 'path': '/var/spool/samba' 17 | 'browseable': 'no' 18 | 'guest ok': 'no' 19 | 'writable': 'no' 20 | 'printable': 'yes' 21 | -------------------------------------------------------------------------------- /roles/tor/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: restart tor 3 | when: not tor_enabled.changed 4 | service: 5 | name: 'svc:/pkgsrc/tor:default' 6 | state: restarted 7 | -------------------------------------------------------------------------------- /roles/tor/meta/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | dependencies: 3 | - role: common 4 | -------------------------------------------------------------------------------- /roles/tor/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: ensure presence of tor 3 | notify: restart tor 4 | pkgin: 5 | name: 6 | - tor 7 | - nyx 8 | - py37-curses 9 | 10 | - name: ensure that tor is properly configured 11 | notify: restart tor 12 | template: 13 | src: torrc 14 | dest: /opt/local/etc/tor/torrc 15 | mode: 0644 16 | owner: root 17 | group: root 18 | 19 | - name: ensure that tor is executed with ASLR 20 | command: 'svccfg -s tor setprop method_context/security_flags = astring: aslr' 21 | 22 | - name: ensure that tor is allowed to lock memory and bind to ports under 1024 and can't snoop on other processes 23 | command: 'svccfg -s tor setprop 
method_context/privileges = astring: "basic,net_privaddr,!proc_chroot,!proc_info,proc_lock_memory,!proc_session"' 24 | 25 | - name: refresh tor:default configuration 26 | command: 'svccfg -s tor:default refresh' 27 | 28 | - name: ensure that tor has been enabled 29 | register: tor_enabled 30 | service: 31 | name: 'svc:/pkgsrc/tor:default' 32 | enabled: true 33 | -------------------------------------------------------------------------------- /roles/tor/templates/torrc: -------------------------------------------------------------------------------- 1 | {{ configuration_header }} 2 | 3 | {% for key,value in tor|dictsort %} 4 | {% if value is iterable and value is not string %} 5 | {% for v in value %} 6 | {{ key }} {{ v }} 7 | {% endfor %} 8 | {% else %} 9 | {{ key }} {{ value }} 10 | {% endif %} 11 | {% endfor %} 12 | --------------------------------------------------------------------------------
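The tor role's `method_context/privileges` string is a least-privilege control worth reviewing before the service is refreshed. As an added example (not code from this repository), the script below expands such an SMF privilege spec into the effective set and flags missing or retained privileges; the contents of the `basic` set are an assumption taken from what `ppriv -l basic` reports on illumos and should be verified on the target system.

```python
# Added example, not part of the ansible-smartos-tricks roles: expand an SMF
# method_context/privileges spec (as set for tor) into its effective set and
# review it against a least-privilege expectation.

# Assumption (constructed from illumos/SmartOS documentation, verify with
# `ppriv -l basic` on your host): the privileges that "basic" expands to.
BASIC_SET = frozenset({
    "file_link_any", "file_read", "file_write", "net_access",
    "proc_exec", "proc_fork", "proc_info", "proc_session",
})

# The spec string used by roles/tor/tasks/main.yml.
TOR_PRIVILEGES = "basic,net_privaddr,!proc_chroot,!proc_info,proc_lock_memory,!proc_session"


def effective_privileges(spec: str) -> frozenset:
    """Expand a comma-separated privilege spec into the effective set.

    Tokens apply left to right: "basic" adds the basic set, a leading "!"
    removes a privilege, anything else adds one. Removing a privilege the set
    never contained (e.g. !proc_chroot above) is a harmless no-op.
    """
    effective = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        if token == "basic":
            effective |= BASIC_SET
        elif token.startswith("!"):
            effective.discard(token[1:])
        else:
            effective.add(token)
    return frozenset(effective)


def least_privilege_findings(spec: str, required: set, forbidden: set) -> list:
    """Return findings for required privileges that are missing and forbidden
    privileges that remain; an empty list means the spec passes review."""
    effective = effective_privileges(spec)
    findings = [f"missing required privilege: {p}" for p in sorted(required - effective)]
    findings += [f"retains forbidden privilege: {p}" for p in sorted(forbidden & effective)]
    return findings


if __name__ == "__main__":
    # tor needs to bind low ports and lock key material in memory, but must
    # not be able to inspect or signal other processes on the zone.
    print(sorted(effective_privileges(TOR_PRIVILEGES)))
    print(least_privilege_findings(TOR_PRIVILEGES, {"net_privaddr", "proc_lock_memory"},
                                   {"proc_info", "proc_session", "proc_chroot"}))
```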
