├── TODO
├── requirements.txt
├── roles
├── blog
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ ├── main.yml
│ │ └── blog.yml
│ └── templates
│ │ └── etc_apache2_sites-available_blog.j2
├── newebe
│ ├── handlers
│ │ └── main.yml
│ ├── files
│ │ ├── supervisor.conf
│ │ └── newebe.conf
│ ├── templates
│ │ ├── usr_local_etc_newebe_config.j2
│ │ └── etc_apache2_sites-available_newebe.j2
│ └── tasks
│ │ └── main.yml
├── owncloud
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ ├── main.yml
│ │ └── owncloud.yml
│ └── templates
│ │ └── etc_apache2_sites-available_owncloud.j2
├── common
│ ├── templates
│ │ ├── fqdn.j2
│ │ ├── apticron.conf.j2
│ │ ├── etc_fail2ban_jail.local.j2
│ │ └── ntp.conf.j2
│ ├── tasks
│ │ ├── users.yml
│ │ ├── ntp.yml
│ │ ├── security.yml
│ │ ├── ufw.yml
│ │ ├── ssl.yml
│ │ ├── encfs.yml
│ │ ├── main.yml
│ │ └── google_auth.yml
│ ├── files
│ │ ├── etc_fail2ban_filter.d_dovecot-pop3imap.conf
│ │ ├── wildcard_ca.pem
│ │ ├── wildcard_public_cert.crt
│ │ └── wildcard_private.key
│ └── handlers
│ │ └── main.yml
├── ircbouncer
│ ├── tasks
│ │ ├── main.yml
│ │ └── znc.yml
│ ├── handlers
│ │ └── main.yml
│ ├── templates
│ │ └── var_lib_znc_configs_znc.conf.j2
│ └── files
│ │ └── etc_init.d_znc
├── news
│ ├── tasks
│ │ ├── main.yml
│ │ └── selfoss.yml
│ └── templates
│ │ ├── var_www_selfoss_config.ini.j2
│ │ └── etc_apache2_sites-available_selfoss.j2
├── tarsnap
│ ├── tasks
│ │ ├── main.yml
│ │ └── tarsnap.yml
│ ├── files
│ │ ├── decrypted_tarsnap.key
│ │ ├── tarsnaprc
│ │ └── tarsnap.sh
│ └── templates
│ │ └── getSha.sh
├── vpn
│ ├── tasks
│ │ ├── main.yml
│ │ └── openvpn.yml
│ ├── files
│ │ └── etc_pam.d_openvpn
│ ├── handlers
│ │ └── main.yml
│ └── templates
│ │ ├── etc_rc.local
│ │ ├── client.cnf.j2
│ │ ├── openssl-server-certificate.cnf.j2
│ │ └── etc_openvpn_server.conf.j2
├── readlater
│ ├── tasks
│ │ ├── main.yml
│ │ └── wallabag.yml
│ ├── handlers
│ │ └── main.yml
│ └── templates
│ │ ├── etc_apache2_sites-available_wallabag.j2
│ │ └── var_www_wallabag_inc_poche_config.inc.php.j2
├── webmail
│ ├── tasks
│ │ ├── main.yml
│ │ └── roundcube.yml
│ ├── files
│ │ ├── usr_share_roundcube_plugins_twofactor_gauthenticator_config.inc.php
│ │ ├── etc_roundcube_global.sieve
│ │ ├── usr_share_roundcube_plugins_managesieve_config.inc.php
│ │ └── usr_share_roundcube_plugins_carddav_config.inc.php
│ ├── handlers
│ │ └── main.yml
│ └── templates
│ │ ├── etc_roundcube_debian-db.php.j2
│ │ ├── etc_apache2_sites-available_roundcube.j2
│ │ └── etc_dbconfig-common_roundcube.conf.j2
├── git
│ ├── tasks
│ │ ├── main.yml
│ │ ├── gitolite.yml
│ │ └── cgit.yml
│ ├── templates
│ │ ├── etc_apache2_sites-available_cgit.j2
│ │ └── etc_cgitrc.j2
│ └── files
│ │ └── home_git_.gitolite.rc
├── monitoring
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ ├── main.yml
│ │ ├── monit.yml
│ │ └── logwatch.yml
│ ├── templates
│ │ └── etc_logwatch_conf_logwatch.conf.j2
│ └── files
│ │ ├── etc_monit_conf.d_sshd
│ │ ├── etc_monit_conf.d_postfix
│ │ ├── etc_monit_conf.d_pgsql
│ │ ├── etc_monit_conf.d_apache2
│ │ ├── etc_monit_conf.d_znc
│ │ ├── etc_monit_conf.d_tomcat
│ │ ├── etc_monit_conf.d_dovecot
│ │ └── etc_monit_monitrc
├── xmpp
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ ├── main.yml
│ │ └── prosody.yml
│ └── templates
│ │ └── prosody.cfg.lua.j2
└── mailserver
│ ├── files
│ ├── etc_postfix_dspam_filter_access
│ ├── etc_logrotate_z-push
│ ├── etc_postfix_maps_smtp_header_checks.pcre
│ ├── etc_apache2_conf.d_z-push.conf
│ ├── etc_opendkim.conf
│ ├── etc_dovecot_conf.d_auth-sql.conf.ext
│ ├── etc_dovecot_conf.d_90-plugin.conf
│ ├── etc_dspam_default.prefs
│ ├── etc_dovecot_conf.d_10-ssl.conf
│ ├── etc_dovecot_conf.d_20-imap.conf
│ ├── solr-schema.xml
│ ├── etc_dovecot_conf.d_10-master.conf
│ ├── etc_dovecot_dovecot.conf
│ ├── etc_dovecot_conf.d_10-auth.conf
│ ├── etc_postfix_master.cf
│ └── etc_tomcat6_server.xml
│ ├── templates
│ ├── etc_opendkim_SigningTable.j2
│ ├── etc_opendkim_KeyTable.j2
│ ├── etc_postfix_mysql-virtual-mailbox-maps.cf.j2
│ ├── etc_postfix_pgsql-virtual-mailbox-maps.cf.j2
│ ├── etc_postfix_mysql-virtual-mailbox-domains.cf.j2
│ ├── etc_postfix_pgsql-virtual-mailbox-domains.cf.j2
│ ├── etc_postfix_mysql-virtual-alias-maps.cf.j2
│ ├── etc_postfix_pgsql-virtual-alias-maps.cf.j2
│ ├── etc_opendkim_TrustedHosts.j2
│ ├── etc_dovecot_conf.d_15-lda.conf.j2
│ ├── mailserver.sql.j2
│ ├── etc_postfix_main.cf.j2
│ └── etc_dovecot_dovecot-sql.conf.ext.j2
│ ├── tasks
│ ├── main.yml
│ ├── checkrbl.yml
│ ├── solr.yml
│ ├── dspam.yml
│ ├── z-push.yml
│ ├── opendkim.yml
│ ├── dovecot.yml
│ └── postfix.yml
│ └── handlers
│ └── main.yml
├── hosts
├── .gitignore
├── .travis.yml
├── site.yml
├── Vagrantfile
└── vars
├── user.yml
├── testing.yml
└── defaults.yml
/TODO:
--------------------------------------------------------------------------------
1 | - ensure log rotation
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | ansible==1.3
--------------------------------------------------------------------------------
/roles/blog/handlers/main.yml:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/roles/newebe/handlers/main.yml:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/roles/owncloud/handlers/main.yml:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/hosts:
--------------------------------------------------------------------------------
1 | [TODO]
2 | TODO # put your host's IP here
--------------------------------------------------------------------------------
/roles/blog/tasks/main.yml:
--------------------------------------------------------------------------------
# Entry point of the blog role; the tag lets `--tags blog` run just this role.
- include: blog.yml tags=blog
--------------------------------------------------------------------------------
/roles/common/templates/fqdn.j2:
--------------------------------------------------------------------------------
# Global ServerName so Apache stops guessing the FQDN at startup.
ServerName {{ domain }}
--------------------------------------------------------------------------------
/roles/ircbouncer/tasks/main.yml:
--------------------------------------------------------------------------------
# Entry point of the ircbouncer role (ZNC).
- include: znc.yml tags=znc
--------------------------------------------------------------------------------
/roles/news/tasks/main.yml:
--------------------------------------------------------------------------------
# Entry point of the news role (selfoss feed reader).
- include: selfoss.yml tags=selfoss
--------------------------------------------------------------------------------
/roles/tarsnap/tasks/main.yml:
--------------------------------------------------------------------------------
# Entry point of the tarsnap backup role.
- include: tarsnap.yml tags=tarsnap
--------------------------------------------------------------------------------
/roles/vpn/tasks/main.yml:
--------------------------------------------------------------------------------
# Entry point of the vpn role (OpenVPN plus dnsmasq for the clients).
- include: openvpn.yml tags=openvpn
--------------------------------------------------------------------------------
/roles/readlater/tasks/main.yml:
--------------------------------------------------------------------------------
# Entry point of the readlater role (wallabag).
- include: wallabag.yml tags=wallabag
--------------------------------------------------------------------------------
/roles/webmail/tasks/main.yml:
--------------------------------------------------------------------------------
# Entry point of the webmail role (roundcube).
- include: roundcube.yml tags=roundcube
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | .vagrant
2 | vagrant_ansible_inventory_default
3 | tests.pyc
4 |
--------------------------------------------------------------------------------
/roles/owncloud/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Entry point of the owncloud role.

- include: owncloud.yml tags=owncloud
--------------------------------------------------------------------------------
/roles/vpn/files/etc_pam.d_openvpn:
--------------------------------------------------------------------------------
# PAM stack used by OpenVPN's auth-pam plugin: the only auth module is the
# Google Authenticator TOTP check, so clients present a one-time code (in
# addition to their certificate, which OpenVPN verifies itself). No system
# password is asked for here.
auth required pam_google_authenticator.so
--------------------------------------------------------------------------------
/roles/ircbouncer/handlers/main.yml:
--------------------------------------------------------------------------------
# Handlers for the ircbouncer role.
- name: restart znc
  service: name=znc state=restarted
--------------------------------------------------------------------------------
/roles/git/tasks/main.yml:
--------------------------------------------------------------------------------
# Entry point of the git role: gitolite for access control, cgit for the web view.
- include: gitolite.yml tags=gitolite
- include: cgit.yml tags=cgit
--------------------------------------------------------------------------------
/roles/monitoring/handlers/main.yml:
--------------------------------------------------------------------------------
# Handlers for the monitoring role.
- name: restart monit
  service: name=monit state=restarted
--------------------------------------------------------------------------------
/roles/xmpp/handlers/main.yml:
--------------------------------------------------------------------------------
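# Handlers for the xmpp role.
# Uses the service module like every other restart handler in this repo
# instead of calling the init script directly, so the handler is reported and
# executed the same way as the others.
- name: restart prosody
  service: name=prosody state=restarted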
--------------------------------------------------------------------------------
/roles/mailserver/files/etc_postfix_dspam_filter_access:
--------------------------------------------------------------------------------
# Postfix access map: /./ matches every lookup key, so all mail checked against
# this map is handed to the dspam content filter over its unix socket.
/./ FILTER dspam:unix:/run/dspam/dspam.sock
--------------------------------------------------------------------------------
/roles/monitoring/tasks/main.yml:
--------------------------------------------------------------------------------
# Entry point of the monitoring role: monit for service checks, logwatch for
# the weekly log summary.
- include: monit.yml tags=monit
- include: logwatch.yml tags=logwatch
--------------------------------------------------------------------------------
/roles/tarsnap/files/decrypted_tarsnap.key:
--------------------------------------------------------------------------------
# START OF TARSNAP KEY FILE
# Placeholder. The tarsnap role presumably copies this file to the server,
# where files/tarsnaprc reads it as /decrypted/tarsnap.key. The real key must
# not be committed here in clear text — keep it out of version control or
# encrypt it at rest. A write-only key (tarsnap-keymgmt -w) limits what a
# compromised server can do to the existing archives.
TODO
# END OF TARSNAP KEY FILE
--------------------------------------------------------------------------------
/roles/common/templates/apticron.conf.j2:
--------------------------------------------------------------------------------
# apticron: mail root about pending package updates (security updates included).
EMAIL="root"

# No mail when nothing is pending.
NOTIFY_NO_UPDATE="0"

# Do not mail again just because a new version of an already-pending package appeared.
NOTIFY_NEW="0"
--------------------------------------------------------------------------------
/roles/xmpp/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Provides the Prosody Jabber/XMPP server.

- include: prosody.yml tags=prosody
--------------------------------------------------------------------------------
/roles/monitoring/templates/etc_logwatch_conf_logwatch.conf.j2:
--------------------------------------------------------------------------------
# logwatch settings for the weekly cron job set up in tasks/logwatch.yml.
Detail = High
Output = mail
# Cover the previous week; the job runs weekly so the ranges line up.
Range = between -7 days and -1 days
--------------------------------------------------------------------------------
/roles/tarsnap/files/tarsnaprc:
--------------------------------------------------------------------------------
# tarsnap client configuration.
# The key lives on the /decrypted mount, so it is only readable while that
# volume is mounted (presumably the encfs volume from roles/common/tasks/encfs.yml).
keyfile /decrypted/tarsnap.key
cachedir /usr/tarsnap-cache
# Never back up the cache itself.
exclude /usr/tarsnap-cache
humanize-numbers
--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
# Travis CI: only a syntax check of the top-level playbook, nothing is deployed.
language: python
python: "2.7"
install:
  # NOTE(review): this installs whatever ansible is current on PyPI while
  # requirements.txt pins ansible==1.3; the two should agree so CI checks the
  # version the playbooks are written for.
  - pip install ansible
script:
  # The inventory is the placeholder "hosts" file from the repo.
  - ansible-playbook --syntax-check -i hosts site.yml
--------------------------------------------------------------------------------
/roles/common/tasks/users.yml:
--------------------------------------------------------------------------------
# Creates the interactive admin account. groups= without append=yes makes
# "sudo,fuse" the account's complete supplementary group list; sudo membership
# lets this user become root, fuse is presumably for the encfs mount
# (tasks/encfs.yml). No password or SSH key is set here.
- name: Create main user account
  user: name={{ main_user_name }} state=present shell={{ main_user_shell }} groups=sudo,fuse
--------------------------------------------------------------------------------
/roles/newebe/files/supervisor.conf:
--------------------------------------------------------------------------------
; supervisor config file
; Minimal supervisord setup; the programs it runs (e.g. newebe.conf from this
; role) are picked up from conf.d.

[supervisord]
; Stay in the foreground so the init system/caller keeps control of the process.
nodaemon=true

[include]
files = /etc/supervisor/conf.d/*.conf
--------------------------------------------------------------------------------
/roles/mailserver/templates/etc_opendkim_SigningTable.j2:
--------------------------------------------------------------------------------
# OpenDKIM SigningTable (refile): every sender address at each virtual domain
# is signed with that domain's key, named "default" in the KeyTable.
{% for domain in mail_virtual_domains %}
*@{{ domain.name }} default._domainkey.{{ domain.name }}
{% endfor %}
--------------------------------------------------------------------------------
/roles/vpn/handlers/main.yml:
--------------------------------------------------------------------------------
# Handlers for the vpn role: dnsmasq resolves for the VPN clients, openvpn is
# the tunnel itself.
- name: restart dnsmasq
  service:
    name: dnsmasq
    state: restarted

- name: restart openvpn
  service:
    name: openvpn
    state: restarted
--------------------------------------------------------------------------------
/roles/newebe/files/newebe.conf:
--------------------------------------------------------------------------------
; supervisord program definition for newebe.
[program:newebe]
; NOTE(review): the process is not restarted after a crash; confirm that is intended.
autorestart=false
command=newebe_server.py --configfile=/usr/local/etc/newebe/config.yaml
redirect_stderr=true
; Runs unprivileged as its own user.
user=newebe
--------------------------------------------------------------------------------
/roles/tarsnap/templates/getSha.sh:
--------------------------------------------------------------------------------
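#!/bin/bash
# Extracts the expected SHA256 of the tarsnap {{ tarsnap_version }} tarball
# from the GPG-signed signature file and writes it to /root/tarsnapSha.
#
# The hash is only worth anything if the signature verifies, so the script
# aborts — without writing the file — when gpg fails. The original ignored
# gpg's exit status and would have published the hash from a bad or
# unverifiable signature.
set -euo pipefail

sigfile="tarsnap-sigs-{{ tarsnap_version }}.asc"

# gpg --decrypt on a clearsigned file prints the signed text and exits
# non-zero when the signature is bad or cannot be checked; set -e turns that
# into an abort.
gpgResult=$(gpg --batch --decrypt "$sigfile")

# The signed text has the form "SHA256 (file) = <hash>"; keep what follows '='.
sha=${gpgResult#*=}
# Drop the surrounding whitespace the '= ' separator leaves behind.
sha=$(printf '%s' "$sha" | tr -d '[:space:]')

if [ -z "$sha" ]; then
    echo "no hash found in $sigfile" >&2
    exit 1
fi

printf '%s\n' "$sha" > /root/tarsnapSha
printf '%s\n' "$sha"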
--------------------------------------------------------------------------------
/roles/webmail/files/usr_share_roundcube_plugins_twofactor_gauthenticator_config.inc.php:
--------------------------------------------------------------------------------
1 | \S*),.*
3 | ignoreregex =
--------------------------------------------------------------------------------
/roles/mailserver/templates/etc_opendkim_TrustedHosts.j2:
--------------------------------------------------------------------------------
# OpenDKIM TrustedHosts. opendkim.conf uses this file as both InternalHosts and
# ExternalIgnoreList, so mail from anything listed here is signed rather than
# verified — keep it to hosts that are really ours.
127.0.0.1
{{ ansible_default_ipv4.address }}
{% for domain in mail_virtual_domains %}
{{ domain.name }}
{% endfor %}
{% for domain in mail_virtual_domains %}
mail.{{ domain.name }}
{% endfor %}
--------------------------------------------------------------------------------
/roles/mailserver/files/etc_postfix_maps_smtp_header_checks.pcre:
--------------------------------------------------------------------------------
# Header rewriting applied by the Postfix SMTP client, i.e. to outgoing mail:
# hide the submitting client's IP and mail-software fingerprint from recipients.
#
# The first rule replaces the whole Received header with a localhost stub.
# Note that $2 is always empty as written: [^\n]* consumes the rest of the
# first line and, without the /s flag, (.*) cannot match across the newline,
# so any continuation lines of a folded header are dropped rather than kept.
/^\s*(Received: from)[^\n]*(.*)/ REPLACE $1 [127.0.0.1] (localhost [127.0.0.1])$2
# Strip client-identifying headers entirely.
/^\s*User-Agent/ IGNORE
/^\s*X-Enigmail/ IGNORE
/^\s*X-Mailer/ IGNORE
/^\s*X-Originating-IP/ IGNORE
--------------------------------------------------------------------------------
/roles/monitoring/files/etc_monit_conf.d_sshd:
--------------------------------------------------------------------------------
# Keep sshd alive: restart it if the SSH banner is not served on 127.0.0.1:22,
# give up (timeout) if it keeps flapping.
check process sshd with pidfile /var/run/sshd.pid
  start program "/etc/init.d/ssh start"
  stop program "/etc/init.d/ssh stop"
  if failed host 127.0.0.1 port 22 protocol ssh then restart
  if 5 restarts within 5 cycles then timeout
--------------------------------------------------------------------------------
/roles/mailserver/tasks/main.yml:
--------------------------------------------------------------------------------
# Entry point of the mailserver role. Order matters: the database/postfix
# setup comes first, then dovecot, DKIM signing, spam filtering, full-text
# search (solr), the blocklist check and ActiveSync (z-push).
- include: postfix.yml tags=postfix
- include: dovecot.yml tags=dovecot
- include: opendkim.yml tags=opendkim
- include: dspam.yml tags=dspam
- include: solr.yml tags=solr
- include: checkrbl.yml tags=checkrbl
- include: z-push.yml tags=zpush
--------------------------------------------------------------------------------
/roles/monitoring/files/etc_monit_conf.d_postfix:
--------------------------------------------------------------------------------
# Keep postfix alive: restart on a failed SMTP handshake on port 25.
check process postfix with pidfile /var/spool/postfix/pid/master.pid
  group mail
  start program = "/etc/init.d/postfix start"
  stop program = "/etc/init.d/postfix stop"
  if failed port 25 protocol smtp then restart
  if 5 restarts within 5 cycles then timeout
--------------------------------------------------------------------------------
/roles/mailserver/tasks/checkrbl.yml:
--------------------------------------------------------------------------------
# Fetches the check-rbl script and runs it nightly against this host's IP so
# the admin learns when the mail server lands on a DNS blocklist.
- name: Download check-rbl
  # Pinned to a commit, so the content cannot silently change; it is still
  # fetched over the network and later executed by root's cron.
  # NOTE(review): get_url's sha256sum=<expected sha256 placeholder> would verify
  # the download, and cron's user= option would let the script run unprivileged
  # (it presumably only performs DNS lookups).
  get_url: url=https://raw.github.com/lukecyca/check-rbl/f6b222b0ca/check-rbl.pl dest=/opt/check-rbl.pl

- name: Install nightly check-rbl cronjob
  cron: name="check-rbl" hour="2" minute="0" job="perl /opt/check-rbl.pl -i {{ ansible_default_ipv4.address }}"
--------------------------------------------------------------------------------
/roles/mailserver/files/etc_apache2_conf.d_z-push.conf:
--------------------------------------------------------------------------------
# Exposes z-push at the path ActiveSync clients expect.
# NOTE(review): ActiveSync sends the mailbox credentials with HTTP Basic auth,
# so this alias must only be reachable over HTTPS — confirm in the vhost that
# includes it.
Alias /Microsoft-Server-ActiveSync /usr/share/z-push/index.php

# PHP hardening for this path; short_open_tag is presumably needed by z-push's sources.
php_flag magic_quotes_gpc off
php_flag register_globals off
php_flag magic_quotes_runtime off
php_flag short_open_tag on
--------------------------------------------------------------------------------
/roles/monitoring/files/etc_monit_conf.d_pgsql:
--------------------------------------------------------------------------------
# Keep PostgreSQL alive: restart when the protocol check on localhost:5432 fails.
# The pidfile path hard-codes the 9.1 cluster name.
check process postgres with pidfile /var/run/postgresql/9.1-main.pid
  group database
  start program = "/etc/init.d/postgresql start"
  stop program = "/etc/init.d/postgresql stop"
  if failed host localhost port 5432 protocol pgsql then restart
  if 5 restarts within 5 cycles then timeout
--------------------------------------------------------------------------------
/roles/monitoring/files/etc_monit_conf.d_apache2:
--------------------------------------------------------------------------------
# Keep Apache alive: restart if plain HTTP on localhost:80 does not answer
# within 10 seconds.
check process apache2 with pidfile /var/run/apache2.pid
  group www
  start program = "/etc/init.d/apache2 start"
  stop program = "/etc/init.d/apache2 stop"
  if failed host localhost port 80 protocol http
    with timeout 10 seconds
    then restart
  if 5 restarts within 5 cycles then timeout
--------------------------------------------------------------------------------
/roles/monitoring/files/etc_monit_conf.d_znc:
--------------------------------------------------------------------------------
# Keep ZNC alive. The check speaks HTTP over TLS to the IRC port, which
# presumably relies on ZNC serving its web interface on the same listener.
check process znc with pidfile /var/run/znc/znc.pid
  group irc
  start program = "/etc/init.d/znc start"
  stop program = "/etc/init.d/znc stop"
  if failed host localhost port 6697 type tcpSSL protocol http
    with timeout 10 seconds
    then restart
  if 5 restarts within 5 cycles then timeout
--------------------------------------------------------------------------------
/roles/monitoring/files/etc_monit_conf.d_tomcat:
--------------------------------------------------------------------------------
# Keep Tomcat (hosting Solr for dovecot full-text search) alive. Start/stop run
# as the tomcat6 user; a failed port check alerts first and only restarts after
# 5 consecutive failures.
# NOTE(review): port 8080 carries an unauthenticated Solr; it must not be
# reachable from outside — the default-deny in roles/common/tasks/ufw.yml
# covers that as long as no rule opens it.
check process tomcat with pidfile "/var/run/tomcat6.pid"
  group mail
  start program = "/etc/init.d/tomcat6 start"
    as uid tomcat6 gid tomcat6
  stop program = "/etc/init.d/tomcat6 stop"
    as uid tomcat6 gid tomcat6
  if failed port 8080 then alert
  if failed port 8080 for 5 cycles then restart
--------------------------------------------------------------------------------
/roles/readlater/handlers/main.yml:
--------------------------------------------------------------------------------
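# Handlers for the wallabag role: load the upstream schema, then remove the
# installer directory so it cannot be re-run from the web.
- name: import wallabag sql
  # The database password goes through the environment instead of the shell
  # command line, where it was visible to every local user in the process
  # list and echoed in Ansible's output on failure. command is enough once no
  # shell syntax remains. ON_ERROR_STOP makes a failing statement fail the
  # handler instead of being ignored.
  command: psql -h localhost -d {{ wallabag_db_database }} -U {{ wallabag_db_username }} -f /var/www/wallabag/install/postgres.sql --set ON_ERROR_STOP=1
  environment:
    PGPASSWORD: "{{ wallabag_db_password }}"
  notify: remove install folder

- name: remove install folder
  file: path=/var/www/wallabag/install state=absent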
--------------------------------------------------------------------------------
/roles/common/tasks/ntp.yml:
--------------------------------------------------------------------------------
---
# Defines tasks applicable for NTP (Network Time Protocol)

- name: Install ntp
  apt:
    pkg: ntp
    state: installed

# Changing the config triggers the "restart ntp" handler from handlers/main.yml.
- name: Configure ntp
  template:
    src: ntp.conf.j2
    dest: /etc/ntp.conf
  notify: restart ntp

- name: Ensure ntpd is running and enabled
  service:
    name: ntp
    state: started
    enabled: yes
--------------------------------------------------------------------------------
/roles/common/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Defines handlers applicable across all machines in the infrastructure.

- name: restart ntp
  service:
    name: ntp
    state: restarted

- name: restart apache
  service:
    name: apache2
    state: restarted

- name: restart fail2ban
  service:
    name: fail2ban
    state: restarted

- name: restart ssh
  service:
    name: ssh
    state: restarted
--------------------------------------------------------------------------------
/roles/monitoring/files/etc_monit_conf.d_dovecot:
--------------------------------------------------------------------------------
# Keep dovecot alive: TLS IMAP/POP3 checks on 993/995, restart only after 5
# consecutive failures so a transient hiccup does not bounce the service.
check process dovecot with pidfile /var/run/dovecot/master.pid
  group mail
  start program = "/etc/init.d/dovecot start"
  stop program = "/etc/init.d/dovecot stop"
  if failed port 993 type tcpssl sslauto protocol imap for 5 cycles then restart
  if failed port 995 type tcpssl sslauto protocol pop for 5 cycles then restart
  if 3 restarts within 5 cycles then timeout
--------------------------------------------------------------------------------
/roles/webmail/files/etc_roundcube_global.sieve:
--------------------------------------------------------------------------------
require ["regex", "fileinto", "imap4flags"];
# Global sieve script, presumably applied to every mailbox before user rules.
# X-DSPAM-Result is set by dspam (roles/mailserver); X-DSPAM-Reclassified marks
# mail the user retrained as ham, which must still reach the inbox.
# Catch mail tagged as Spam, except Spam retrained and delivered to the mailbox
if allof (header :regex "X-DSPAM-Result" "^(Spam|Virus|Bl[ao]cklisted)$",
          not header :contains "X-DSPAM-Reclassified" "Innocent") {
    # Mark as read
    setflag "\\Seen";
    # Move into the Junk folder
    fileinto "Spam";
    # Stop processing here
    stop;
}
--------------------------------------------------------------------------------
/roles/webmail/handlers/main.yml:
--------------------------------------------------------------------------------
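# Handlers for the webmail role: set the roundcube DB role's password, then
# load the carddav plugin schema.
- name: set roundcube password
  # NOTE(review): the password is part of the command line, so it is visible
  # in the process list while psql runs and may be recorded by PostgreSQL's
  # statement logging. A module that talks to the server directly
  # (postgresql_user) avoids both; confirm psycopg2 is available on the host.
  command: sudo -u {{ db_admin_username }} psql -d {{ webmail_db_database }} -c "ALTER USER {{ webmail_db_username }} with password '{{ webmail_db_password }}';"
  notify: import sql carddav

- name: import sql carddav
  # The password is passed through the environment rather than embedded in the
  # shell command line (same exposure as above); command suffices once no
  # shell syntax is left.
  # NOTE(review): unlike the other SQL import handlers in this repo this one has
  # no --set ON_ERROR_STOP=1, so a failing statement is silently ignored —
  # confirm whether the schema import is expected to be re-runnable.
  command: psql -h localhost -d {{ webmail_db_database }} -U {{ webmail_db_username }} -f /usr/share/roundcube/plugins/carddav/dbinit/postgres.sql
  environment:
    PGPASSWORD: "{{ webmail_db_password }}"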
--------------------------------------------------------------------------------
/roles/monitoring/tasks/monit.yml:
--------------------------------------------------------------------------------
# Installs monit and drops in the master config plus one service check per
# daemon from this role's files/ directory.
- name: Install monit
  apt: pkg=monit state=installed

# NOTE(review): monitrc normally carries the monit httpd credentials; it is
# copied without an explicit mode, so confirm it lands root-only (monit itself
# refuses to start if the control file is group/world accessible).
- name: Copy monit master config file into place
  copy: src=etc_monit_monitrc dest=/etc/monit/monitrc

# Each item maps onto files/etc_monit_conf.d_<item> and /etc/monit/conf.d/<item>.
- name: Copy monit service config files into place
  copy: src=etc_monit_conf.d_{{ item }} dest=/etc/monit/conf.d/{{ item }}
  with_items:
    - apache2
    - pgsql
    - dovecot
    - postfix
    - sshd
    - tomcat
    - znc
  notify: restart monit
--------------------------------------------------------------------------------
/roles/blog/tasks/blog.yml:
--------------------------------------------------------------------------------
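# Sets up the Apache site serving the blog for {{ domain }} from /var/www/<domain>.
- name: Create directory for blog HTML
  file: state=directory path=/var/www/{{ domain }} group=www-data owner=www-data

# The vhost file is owned by root: Apache reads its configuration as root at
# startup, so www-data needs no access to it, and leaving it owned by the web
# worker would let a compromised web process rewrite Apache's own config.
- name: Configure the Apache HTTP server for the blog
  template: src=etc_apache2_sites-available_blog.j2 dest=/etc/apache2/sites-available/{{ domain }} group=root owner=root mode=0644
  notify: restart apache

# creates= skips a2ensite once the sites-enabled symlink exists.
- name: Enable blog site
  command: a2ensite {{ domain }} creates=/etc/apache2/sites-enabled/{{ domain }}
  notify: restart apache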
--------------------------------------------------------------------------------
/roles/monitoring/tasks/logwatch.yml:
--------------------------------------------------------------------------------
# Installs logwatch and replaces its packaged daily cron job with a weekly run
# driven by this role's template.
- name: Install logwatch
  apt:
    pkg: "{{ item }}"
    state: installed
  with_items:
    - logwatch
    - libdate-manip-perl

- name: Configure logwatch
  template:
    src: etc_logwatch_conf_logwatch.conf.j2
    dest: /etc/logwatch/conf/logwatch.conf

# The package ships a daily job; our own weekly one is installed below.
- name: Remove logwatch's dist cronjob
  file:
    state: absent
    path: /etc/cron.daily/00logwatch

- name: Configure weekly logwatch cronjob
  cron:
    special_time: weekly
    job: /usr/sbin/logwatch
    name: logwatch
--------------------------------------------------------------------------------
/site.yml:
--------------------------------------------------------------------------------
---
# This is the top-level playbook that defines our entire infrastructure.

# Every role is applied to every inventory host; there is no per-host role
# selection, so each host gets the whole stack.
- hosts: all
  # Connect as "deploy" and escalate with sudo for every task.
  user: deploy
  sudo: True
  gather_facts: True
  vars_files:
    - vars/defaults.yml
    # vars/testing.yml when "testing" is defined (e.g. via -e), otherwise
    # vars/user.yml, which presumably holds the real secrets the roles reference.
    - vars/{{ 'testing' if testing is defined else 'user' }}.yml

  # common first: users, firewall, ssl, fail2ban etc. that the rest rely on.
  roles:
    - common
    - mailserver
    - webmail
    - blog
    - ircbouncer
    - xmpp
    - monitoring
    - owncloud
    - vpn
    - tarsnap
    - news
    - git
    - newebe
    - readlater
--------------------------------------------------------------------------------
/roles/mailserver/handlers/main.yml:
--------------------------------------------------------------------------------
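# Handlers for the mailserver role.
- name: restart postfix
  service: name=postfix state=restarted

- name: restart dovecot
  service: name=dovecot state=restarted

- name: restart opendkim
  service: name=opendkim state=restarted

# Solr runs inside Tomcat, so restarting solr means restarting tomcat6.
- name: restart solr
  service: name=tomcat6 state=restarted

# Loads /etc/postfix/import.sql into the mail database. ON_ERROR_STOP makes
# psql exit non-zero on the first failing statement so the handler fails
# loudly instead of leaving a half-imported database.
- name: import sql postfix
  # The password goes through the environment rather than the shell command
  # line, where other local users could read it from the process list and
  # where Ansible echoes it on failure; command suffices once no shell syntax
  # remains.
  command: psql -h localhost -d {{ mail_db_database }} -U {{ mail_db_username }} -f /etc/postfix/import.sql --set ON_ERROR_STOP=1
  environment:
    PGPASSWORD: "{{ mail_db_password }}"
  notify: restart postfix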
--------------------------------------------------------------------------------
/roles/vpn/templates/etc_rc.local:
--------------------------------------------------------------------------------
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#

# Forwarding for the OpenVPN subnet (10.8.0.0/24): allow return traffic and
# anything originating from VPN clients, reject every other forwarded packet,
# and NAT the clients out through the host's default interface.
# NOTE(review): the rules are appended (-A) on each boot next to whatever ufw
# (roles/common/tasks/ufw.yml) installs — confirm the resulting FORWARD chain
# order is the intended one and that rc.local runs after ufw is up.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o {{ ansible_default_ipv4.interface }} -j MASQUERADE

# dnsmasq answers DNS for the VPN clients; presumably restarted here so it
# binds the tun interface once OpenVPN has created it — confirm.
/etc/init.d/dnsmasq restart

exit 0
--------------------------------------------------------------------------------
/roles/webmail/templates/etc_roundcube_debian-db.php.j2:
--------------------------------------------------------------------------------
1 |
21 | {{ openvpn_ca_contents.stdout }}
22 |
23 |
24 |
25 | {{ item[1].stdout }}
26 |
27 |
28 |
29 | {{ item[2].stdout }}
30 |
31 |
32 |
33 | {{ openvpn_hmac_firewall_contents.stdout }}
34 |
35 |
--------------------------------------------------------------------------------
/roles/mailserver/files/etc_opendkim.conf:
--------------------------------------------------------------------------------
##
## opendkim.conf -- configuration file for OpenDKIM filter
##
## Mode sv: sign outgoing mail from InternalHosts, verify everything else.
## TrustedHosts, KeyTable and SigningTable are rendered from this role's
## templates.
Canonicalization relaxed/relaxed
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
LogWhy Yes
## Smallest key accepted when verifying other domains' signatures; this does
## not set the size of our own signing keys (that is decided where they are
## generated, presumably tasks/opendkim.yml — 2048 bits is the current norm).
MinimumKeyBits 1024
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SigningTable refile:/etc/opendkim/SigningTable
## Postfix talks to the milter over loopback TCP on 8891.
Socket inet:8891@localhost
Syslog Yes
SyslogSuccess Yes
TemporaryDirectory /var/tmp
UMask 022
UserID opendkim:opendkim
--------------------------------------------------------------------------------
/roles/news/templates/var_www_selfoss_config.ini.j2:
--------------------------------------------------------------------------------
; see https://github.com/SSilence/selfoss/wiki/Configuration for more information about the configuration parameters
[globals]
db_type=pgsql
db_database={{selfoss_db_database}}
db_username={{selfoss_db_username}}
db_password={{selfoss_db_password}}
db_port=5432
db_prefix=
; NOTE(review): DEBUG logging on a production instance — confirm what selfoss
; writes at this level and that the log file is not web-reachable.
logger_level=DEBUG
items_perpage=50
items_lifetime=30
base_url=
; Single-user login; the password is stored pre-hashed by the playbook.
username={{selfoss_username}}
password={{selfoss_password_hash}}
; NOTE(review): empty salt — the stored hash was presumably produced with the
; same (empty) salt, so changing it means regenerating selfoss_password_hash.
salt=
; Not readable without logging in.
public=0
rss_title=selfoss feed
rss_max_items=1000
rss_mark_as_read=0
homepage=unread
language=0
auto_mark_as_read=1
anonymizer=
use_system_font=1
readability=
share=gtfprde
; Unauthenticated callers cannot trigger a feed refresh.
allow_public_update_access=0
unread_order=
--------------------------------------------------------------------------------
/roles/common/templates/etc_fail2ban_jail.local.j2:
--------------------------------------------------------------------------------
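[DEFAULT]
# Never ban the host itself or the operator's own networks (friendly_networks
# is joined with spaces into the list).
ignoreip = 127.0.0.1 {{ ansible_default_ipv4.address }} {{ ' '.join(friendly_networks) }}
# Default ban length in seconds (24 hours); jails below may override it.
bantime = 86400
destemail = {{ admin_email }}
banaction = iptables-multiport
# action_ = ban only, no notification mail with whois/log excerpts.
action = %(action_)s

# JAILS
[ssh]
enabled = true
maxretry = 3

[pam-generic]
enabled = true
# PAM failures can come from any service, so block the source on all ports.
banaction = iptables-allports

[ssh-ddos]
enabled = true

[apache]
enabled = true

[postfix]
enabled = true
# NOTE(review): a single match bans the client for the default 24h bantime; a
# legitimate user mistyping a password once is locked out — confirm intended.
maxretry = 1

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap,993,995", protocol=tcp]
# Debian's rsyslog writes mail.* to /var/log/mail.log; /var/log/maillog is the
# RHEL-style name and does not exist here, which left this jail with no log
# file to watch (fail2ban does not start a jail whose logpath is missing), so
# IMAP/POP3 brute-forcing was never banned.
logpath = /var/log/mail.log
maxretry = 20
findtime = 1200
bantime = 1200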
--------------------------------------------------------------------------------
/roles/mailserver/tasks/solr.yml:
--------------------------------------------------------------------------------
# Solr under Tomcat for dovecot full-text search; the index lives on the
# /decrypted mount so it is encrypted at rest together with the mail.
- name: Install Solr and related packages
  apt: pkg={{ item }} state=installed
  with_items:
    - solr-tomcat
    - dovecot-solr

- name: Work around Debian bug and copy Solr schema file into place
  copy: src=solr-schema.xml dest=/etc/solr/conf/schema.xml group=root owner=root

- name: Copy tweaked Tomcat config file into place
  copy: src=etc_tomcat6_server.xml dest=/etc/tomcat6/server.xml group=tomcat6 owner=root
  notify: restart solr

# NOTE(review): etc_solr_conf_solrconfig.xml is not among this role's files/
# (the tree lists only solr-schema.xml and etc_tomcat6_server.xml there), so
# this copy fails unless the file exists elsewhere — confirm.
- name: Copy tweaked Solr config file into place
  copy: src=etc_solr_conf_solrconfig.xml dest=/etc/solr/conf/solrconfig.xml group=root owner=root
  notify: restart solr

- name: Create Solr index directory
  file: state=directory path=/decrypted/solr group=tomcat6 owner=tomcat6
  notify: restart solr
--------------------------------------------------------------------------------
/roles/mailserver/files/etc_dovecot_conf.d_auth-sql.conf.ext:
--------------------------------------------------------------------------------
# Authentication for SQL users. Included from auth.conf.
#
# Passwords are looked up in the SQL database (PostgreSQL, per this role's
# handlers); the mailbox location is derived from the login name alone
# (static userdb), so no per-user lookup is needed for that.

passdb {
  driver = sql

  # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
  # (presumably rendered from templates/etc_dovecot_dovecot-sql.conf.ext.j2;
  # it carries the database password and must stay readable by root only)
  args = /etc/dovecot/dovecot-sql.conf.ext
}

# "prefetch" user database means that the passdb already provided the
# needed information and there's no need to do a separate userdb lookup.
#
#userdb {
#  driver = prefetch
#}

userdb {
  driver = static
  # All mail is owned by the vmail user; %d/%n is domain/local-part, placed
  # under /decrypted (presumably the encfs volume from roles/common) so mail
  # is encrypted at rest.
  args = uid=vmail gid=vmail home=/decrypted/%d/%n
}

# If you don't have any user-specific settings, you can avoid the user_query
# by using userdb static instead of userdb sql, for example:
#
#userdb {
#  driver = static
#  args = uid=vmail gid=vmail home=/var/vmail/%u
#}
--------------------------------------------------------------------------------
/roles/common/tasks/ufw.yml:
--------------------------------------------------------------------------------
---
# Installs and configures ufw, which in turn uses iptables for firewall management

# ufw includes sensible icmp defaults
- name: Install ufw
  apt: pkg=ufw state=present

# Default-deny for incoming traffic: every reachable service port must be
# opened explicitly, here or by the role that needs it (e.g. prosody.yml
# opens 5222/5269).
- name: Deny everything and enable UFW
  ufw: state=enabled policy=deny

# NOTE(review): this opens port 53 inbound, TCP and UDP. Nothing on this page
# installs a DNS server, so unless the host is meant to answer queries for
# others the rule looks unnecessary -- confirm and drop it if so.
- name: Set firewall rule for DNS
  ufw: rule=allow port=domain

# mosh picks one UDP port per session from this range.
- name: Set firewall rule for mosh
  ufw: rule=allow port=60000:61000 proto=udp

- name: Set firewall rules for web traffic and SSH
  ufw: rule=allow port={{ item }} proto=tcp
  with_items:
    - ssh
    - http
    - https

# Read ufw.conf back so the next task can be conditional on its contents
# without reporting a change itself.
- name: Check config of ufw
  command: cat /etc/ufw/ufw.conf
  register: ufw_config
  changed_when: False # never report as "changed"

# Only on wheezy, and only when LOGLEVEL is not already off, so the play stays
# idempotent. Note this also drops the firewall's own log of blocked packets
# on those hosts, so that evidence is unavailable for incident review.
- name: Disable logging (workaround for known bug in Debian 7)
  ufw: logging=off
  when: "ansible_lsb['codename'] == 'wheezy' and 'LOGLEVEL=off' not in ufw_config.stdout"
32 |
--------------------------------------------------------------------------------
/roles/newebe/templates/etc_apache2_sites-available_newebe.j2:
--------------------------------------------------------------------------------
1 |
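ServerName {{ newebe_domain }}

# The plain-HTTP vhost only bounces clients to the TLS vhost below.
Redirect permanent / https://{{ newebe_domain }}/




ServerName {{ newebe_domain }}
SSLEngine On

# SSLv2 and SSLv3 are both broken (SSLv3: POODLE); offer TLS only.
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
# NOTE(review): 3DES and non-forward-secret RSA suites remain as fallbacks
# for legacy clients; prune them once those clients are gone.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
# Wildcard cert, key and CA bundle are installed by roles/common/tasks/ssl.yml.
# NOTE(review): SSLCACertificateFile is the trust store for client-certificate
# auth; intermediates for the server's own chain belong in
# SSLCertificateChainFile -- confirm clients receive the full chain.
SSLCertificateFile /etc/ssl/certs/wildcard_public_cert.crt
SSLCertificateKeyFile /etc/ssl/private/wildcard_private.key
SSLCACertificateFile /etc/ssl/certs/wildcard_ca.pem
# HSTS for ~6 months (needs mod_headers, enabled in common/tasks/main.yml).
# "Header always set" would also cover error responses and avoid duplicates.
Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"

ErrorLog /var/log/apache2/newebe.info-error_log
CustomLog /var/log/apache2/newebe.info-access_log common


# Reverse proxy to the newebe app on 127.0.0.1:8282; that hop stays on the
# host, so the app itself does not terminate TLS.
ProxyPass / http://127.0.0.1:8282/
ProxyPassReverse / http://127.0.0.1:8282/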
26 |
27 |
28 |
--------------------------------------------------------------------------------
/roles/blog/templates/etc_apache2_sites-available_blog.j2:
--------------------------------------------------------------------------------
1 |
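ServerName {{ domain }}
ServerAlias www.{{ domain }}

# The plain-HTTP vhost (bare and www.) only bounces clients to the TLS vhost.
Redirect permanent / https://{{ domain }}/




ServerName {{ domain }}
ServerAlias www.{{ domain }}

SSLEngine on
# SSLv2 and SSLv3 are both broken (SSLv3: POODLE); offer TLS only.
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
# NOTE(review): 3DES and non-forward-secret RSA suites remain as fallbacks
# for legacy clients; prune them once those clients are gone.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
# Wildcard cert, key and CA bundle are installed by roles/common/tasks/ssl.yml.
# NOTE(review): SSLCACertificateFile is the trust store for client-certificate
# auth; intermediates for the server's own chain belong in
# SSLCertificateChainFile -- confirm clients receive the full chain.
SSLCertificateFile /etc/ssl/certs/wildcard_public_cert.crt
SSLCertificateKeyFile /etc/ssl/private/wildcard_private.key
SSLCACertificateFile /etc/ssl/certs/wildcard_ca.pem
# HSTS for ~6 months (needs mod_headers, enabled in common/tasks/main.yml).
# "Header always set" would also cover error responses and avoid duplicates.
Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"

# Static site; directory listings are off so a directory without index.html
# does not expose its contents.
DocumentRoot "/var/www/{{ domain }}"
DirectoryIndex index.html
Options -Indexes

# Log raw client IPs rather than resolving them (saves a DNS lookup per hit).
HostnameLookups Off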
27 |
28 |
--------------------------------------------------------------------------------
/roles/mailserver/tasks/dspam.yml:
--------------------------------------------------------------------------------
# DSPAM spam filtering, hooked into Postfix (dspam_filter_access) and Dovecot
# (antispam plugin); dovecot-sieve is installed alongside, presumably for
# foldering tagged mail.
- name: Install dspam and related packages
  apt: pkg={{ item }} state=installed
  with_items:
    - dspam
    - dovecot-antispam
    - postfix-pcre
    - dovecot-sieve

# DSPAM's data goes on the encfs-backed /decrypted mount (see encfs.yml).
- name: Create dspam directory
  file: state=directory path=/decrypted/dspam group=dspam owner=dspam

# NOTE(review): no mode is given, so these files get the copy module's
# default permissions. If dspam.conf carries database credentials it must not
# be world-readable -- confirm and add mode=0640 if so.
- name: Put dspam configuration files in place
  copy: src=etc_dspam_{{ item }} dest=/etc/dspam/{{ item }} owner=dspam group=dspam
  with_items:
    - default.prefs
    - dspam.conf
  notify:
    - restart postfix
    - restart dovecot

- name: Put dspam postfix configuration in place
  copy: src=etc_postfix_dspam_filter_access dest=/etc/postfix/dspam_filter_access owner=root group=root
  notify: restart postfix

# NOTE(review): owner=vmail on Dovecot's own config files is unusual -- the
# mail-storage account could then rewrite the IMAP/plugin configuration.
# root:dovecot with read-only group access is the least-privilege choice;
# confirm nothing depends on vmail owning them.
- name: Put dspam dovecot configuration in place
  copy: src=etc_dovecot_conf.d_{{ item }} dest=/etc/dovecot/conf.d/{{ item }} owner=vmail group=dovecot
  with_items:
    - 20-imap.conf
    - 90-plugin.conf
  notify: restart dovecot
31 |
32 |
--------------------------------------------------------------------------------
/roles/xmpp/tasks/prosody.yml:
--------------------------------------------------------------------------------
# Prosody XMPP server from the upstream package repository. The signing key is
# fetched over HTTPS; that key, not the transport, is what authenticates the
# plain-HTTP package source.
- name: Ensure repository key for Prosody is in place
  apt_key: url=https://prosody.im/files/prosody-debian-packages.key state=present

- name: Add Prosody repository
  apt_repository: repo='deb http://packages.prosody.im/debian wheezy main'

- name: Install Prosody from official repository
  apt: pkg=prosody update_cache=yes

# Needed to read the wildcard private key, which common/tasks/ssl.yml installs
# as root:ssl-cert mode 640.
- name: Add prosody user to ssl-cert group
  user: name=prosody groups=ssl-cert append=yes

# Prosody's data directory on the encfs-backed /decrypted mount (see encfs.yml).
- name: Create Prosody data directory
  file: state=directory path=/decrypted/prosody owner=prosody group=prosody

- name: Configure Prosody
  template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua group=root owner=root
  notify: restart prosody

# NOTE(review): each account password is expanded into the command line, so
# it is visible in the process list while prosodyctl runs and is echoed in
# Ansible's task output and logs. Mark the task `no_log: true` (Ansible >= 1.5)
# or use a mechanism that keeps the password off the command line. The task
# also has no creates/changed_when, so it re-runs and reports "changed" on
# every play -- confirm prosodyctl tolerates an already-existing account.
- name: Create Prosody accounts
  command: prosodyctl register {{ item.name }} {{ prosody_virtual_domain }} "{{ item.password }}"
  with_items: prosody_accounts

# Client-to-server and server-to-server XMPP; ufw is default-deny otherwise.
- name: Set firewall rules for Prosody
  ufw: rule=allow port={{ item }} proto=tcp
  with_items:
    - 5222 # xmpp c2s
    - 5269 # xmpp s2s
29 |
--------------------------------------------------------------------------------
/roles/common/tasks/ssl.yml:
--------------------------------------------------------------------------------
# Installs the wildcard certificate used by every Apache vhost (and, via the
# ssl-cert group, by Prosody).
# NOTE(review): the three files come from roles/common/files, i.e. they are
# committed to the repository. The wildcard_private.key in this tree appears
# to be a placeholder pair for the sovereign.local test VM (its "CA" file is
# byte-for-byte the certificate itself, so it is self-signed). A real
# deployment must replace all three with its own material and keep the
# private key out of version control.

# Readable by root and the ssl-cert group only; never world-readable.
- name: Copy SSL private key into place
  copy: src=wildcard_private.key dest=/etc/ssl/private/wildcard_private.key group=ssl-cert owner=root mode=640

- name: Copy SSL public certificate into place
  copy: src=wildcard_public_cert.crt dest=/etc/ssl/certs/wildcard_public_cert.crt group=root owner=root mode=644

- name: Copy CA combined certificate into place
  copy: src=wildcard_ca.pem dest=/etc/ssl/certs/wildcard_ca.pem group=root owner=root mode=644

# Leaf cert first, then the CA bundle. creates= stops this from re-running,
# so a renewed certificate does not refresh the combined file until it is
# deleted -- remember this at renewal time.
- name: Create a combined version of the public cert with intermediate and root CAs
  shell: cat /etc/ssl/certs/wildcard_public_cert.crt /etc/ssl/certs/wildcard_ca.pem >
         /etc/ssl/certs/wildcard_combined.pem creates=/etc/ssl/certs/wildcard_combined.pem

- name: Set permissions on combined public cert
  file: name=/etc/ssl/certs/wildcard_combined.pem mode=644

- name: Enable Apache SSL module
  command: a2enmod ssl creates=/etc/apache2/mods-enabled/ssl.load

# Lets the per-application site templates share *:443, selected by ServerName.
- name: Enable NameVirtualHost for HTTPS
  lineinfile: dest=/etc/apache2/ports.conf regexp='^ NameVirtualHost \*:443' insertafter='^' line=' NameVirtualHost *:443'
22 |
--------------------------------------------------------------------------------
/roles/news/templates/etc_apache2_sites-available_selfoss.j2:
--------------------------------------------------------------------------------
1 |
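ServerName {{ selfoss_domain }}

# The plain-HTTP vhost only bounces clients to the TLS vhost below.
Redirect permanent / https://{{ selfoss_domain }}/



ServerName {{ selfoss_domain }}

SSLEngine on
# SSLv2 and SSLv3 are both broken (SSLv3: POODLE); offer TLS only.
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
# NOTE(review): 3DES and non-forward-secret RSA suites remain as fallbacks
# for legacy clients; prune them once those clients are gone.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
# Wildcard cert, key and CA bundle are installed by roles/common/tasks/ssl.yml.
# NOTE(review): SSLCACertificateFile is the trust store for client-certificate
# auth; intermediates for the server's own chain belong in
# SSLCertificateChainFile -- confirm clients receive the full chain.
SSLCertificateFile /etc/ssl/certs/wildcard_public_cert.crt
SSLCertificateKeyFile /etc/ssl/private/wildcard_private.key
SSLCACertificateFile /etc/ssl/certs/wildcard_ca.pem
# HSTS for ~6 months (needs mod_headers, enabled in common/tasks/main.yml).
# "Header always set" would also cover error responses and avoid duplicates.
Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"

DocumentRoot /var/www/selfoss
Options -Indexes

ErrorLog /var/log/apache2/selfoss.info-error_log
CustomLog /var/log/apache2/selfoss.info-access_log common


# Per-directory settings for the webroot. AllowOverride All lets any
# .htaccess under /var/www/selfoss change Apache's configuration (presumably
# needed for the application's own .htaccess -- verify), so write access to
# the webroot must stay restricted.
AllowOverride All
Order allow,deny
allow from all
DirectoryIndex index.php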
30 |
31 |
32 |
--------------------------------------------------------------------------------
/roles/readlater/templates/etc_apache2_sites-available_wallabag.j2:
--------------------------------------------------------------------------------
1 |
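ServerName {{ wallabag_domain }}

# The plain-HTTP vhost only bounces clients to the TLS vhost below.
Redirect permanent / https://{{ wallabag_domain }}/



ServerName {{ wallabag_domain }}

SSLEngine on
# SSLv2 and SSLv3 are both broken (SSLv3: POODLE); offer TLS only.
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
# NOTE(review): 3DES and non-forward-secret RSA suites remain as fallbacks
# for legacy clients; prune them once those clients are gone.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
# Wildcard cert, key and CA bundle are installed by roles/common/tasks/ssl.yml.
# NOTE(review): SSLCACertificateFile is the trust store for client-certificate
# auth; intermediates for the server's own chain belong in
# SSLCertificateChainFile -- confirm clients receive the full chain.
SSLCertificateFile /etc/ssl/certs/wildcard_public_cert.crt
SSLCertificateKeyFile /etc/ssl/private/wildcard_private.key
SSLCACertificateFile /etc/ssl/certs/wildcard_ca.pem
# HSTS for ~6 months (needs mod_headers, enabled in common/tasks/main.yml).
# "Header always set" would also cover error responses and avoid duplicates.
Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"

DocumentRoot /var/www/wallabag
Options -Indexes

ErrorLog /var/log/apache2/wallabag.info-error_log
CustomLog /var/log/apache2/wallabag.info-access_log common


# Per-directory settings for the webroot. AllowOverride All lets any
# .htaccess under /var/www/wallabag change Apache's configuration (presumably
# needed for the application's own .htaccess -- verify), so write access to
# the webroot must stay restricted.
AllowOverride All
Order allow,deny
allow from all
DirectoryIndex index.php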
30 |
31 |
32 |
--------------------------------------------------------------------------------
/roles/common/files/wildcard_ca.pem:
--------------------------------------------------------------------------------
1 | -----BEGIN CERTIFICATE-----
2 | MIIDPjCCAiYCCQDcHVzv6JwhEzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJB
3 | VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
4 | cyBQdHkgTHRkMRowGAYDVQQDFBEqLnNvdmVyZWlnbi5sb2NhbDAeFw0xMzExMDIx
5 | OTI4NDlaFw0xNDExMDIxOTI4NDlaMGExCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpT
6 | b21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAY
7 | BgNVBAMUESouc292ZXJlaWduLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
8 | MIIBCgKCAQEArpXru3ZQKl+OVlBar2yziN5ZiVSbt6QYuJtTUmMAfAtGsPobueyI
9 | 6XLG6QcFNCWNqUd3fa15GPYluFA5Ot7bPAoo3UQXJvM9n/tQ2YWPjPgxaV4sCKrI
10 | yw7UF+f2NwtUVdj1wHB0x7bh9asNv+ZDC5O2ze8dn09CS7Puh13bsVFm1iapngrr
11 | C6ctethJF67A/mRa7UzqHzesAznkgaWfhDLyygNX0PzI5ywVAKbgvxUWndPx3oY6
12 | yx5jrfk+opMUUnDu9AqhthTPaKK1s3JXJBOW2R/rlgYokfO7VBDkRv/ty3B1BnmS
13 | xdOV/01f5JJdgfLlR6PNd2FMmMoCesg9YwIDAQABMA0GCSqGSIb3DQEBBQUAA4IB
14 | AQAX5KZYIYcMuHRdsd/EKwee+pzp0irs1dqbNwYJIj3HS8Zx/qd+LET4irQbY72N
15 | 9Z2s0UTSngy4axlyItKrn+k26FUnSW80W8GMb/dEIyKg5Vnu+zLKnKj85dGUBSAP
16 | AzhNyqkwiY5BFFy/tvuFBvjxle9vkBNZrmtsh/PktzaW3BNrYaE9xDMYesT9xi73
17 | aKFMIryVZWzZKmMaJhcMcMarWzAvLftV+0VfJV3EWtzpEbjEu3mIsoBZvD0uGqbU
18 | Llt1yeYyBrcdIbDQZgeRHhrJjC8yx0iqvj5WmnEp8hk6YtqdwGGTJxkpUtxFT/dO
19 | +0vEpa88MmGGUdXZ4NWI2IYe
20 | -----END CERTIFICATE-----
21 |
--------------------------------------------------------------------------------
/roles/common/files/wildcard_public_cert.crt:
--------------------------------------------------------------------------------
1 | -----BEGIN CERTIFICATE-----
2 | MIIDPjCCAiYCCQDcHVzv6JwhEzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJB
3 | VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
4 | cyBQdHkgTHRkMRowGAYDVQQDFBEqLnNvdmVyZWlnbi5sb2NhbDAeFw0xMzExMDIx
5 | OTI4NDlaFw0xNDExMDIxOTI4NDlaMGExCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpT
6 | b21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAY
7 | BgNVBAMUESouc292ZXJlaWduLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
8 | MIIBCgKCAQEArpXru3ZQKl+OVlBar2yziN5ZiVSbt6QYuJtTUmMAfAtGsPobueyI
9 | 6XLG6QcFNCWNqUd3fa15GPYluFA5Ot7bPAoo3UQXJvM9n/tQ2YWPjPgxaV4sCKrI
10 | yw7UF+f2NwtUVdj1wHB0x7bh9asNv+ZDC5O2ze8dn09CS7Puh13bsVFm1iapngrr
11 | C6ctethJF67A/mRa7UzqHzesAznkgaWfhDLyygNX0PzI5ywVAKbgvxUWndPx3oY6
12 | yx5jrfk+opMUUnDu9AqhthTPaKK1s3JXJBOW2R/rlgYokfO7VBDkRv/ty3B1BnmS
13 | xdOV/01f5JJdgfLlR6PNd2FMmMoCesg9YwIDAQABMA0GCSqGSIb3DQEBBQUAA4IB
14 | AQAX5KZYIYcMuHRdsd/EKwee+pzp0irs1dqbNwYJIj3HS8Zx/qd+LET4irQbY72N
15 | 9Z2s0UTSngy4axlyItKrn+k26FUnSW80W8GMb/dEIyKg5Vnu+zLKnKj85dGUBSAP
16 | AzhNyqkwiY5BFFy/tvuFBvjxle9vkBNZrmtsh/PktzaW3BNrYaE9xDMYesT9xi73
17 | aKFMIryVZWzZKmMaJhcMcMarWzAvLftV+0VfJV3EWtzpEbjEu3mIsoBZvD0uGqbU
18 | Llt1yeYyBrcdIbDQZgeRHhrJjC8yx0iqvj5WmnEp8hk6YtqdwGGTJxkpUtxFT/dO
19 | +0vEpa88MmGGUdXZ4NWI2IYe
20 | -----END CERTIFICATE-----
21 |
--------------------------------------------------------------------------------
/roles/common/tasks/encfs.yml:
--------------------------------------------------------------------------------
# Encrypted storage: /encrypted holds the ciphertext, /decrypted is the encfs
# (FUSE) view of it that the mail, Solr, dspam, Prosody and z-push roles
# write into.
- name: Install encfs & fuse
  apt: pkg={{ item }} state=installed
  with_items:
    - encfs
    - libfuse-dev
    - fuse-utils

- name: Create encrypted directory
  file: state=directory path=/encrypted

- name: Create decrypted directory
  file: state=directory path=/decrypted

- name: Add mail user to fuse group
  user: name=mail append=yes groups=fuse

# Check if the /encrypted directory is empty
# (an unmatched glob makes ls fail, so rc > 0 means "no encfs volume yet").
- name: Check for existing encfs
  shell: ls /encrypted/*
  ignore_errors: True
  changed_when: False # never report as "changed"
  register: encfs_check

# If it is empty, we need to create the encfs
# NOTE(review): encfs_password is expanded into the shell command line, so it
# is visible in the process list while the task runs and is echoed in
# Ansible's task output and logs. Mark both encfs tasks `no_log: true`
# (Ansible >= 1.5). --public lets users other than root use the mount, with
# ordinary permission checks applying; the per-service owners below rely on
# that.
- name: Create encfs
  shell: printf "p\n{{ encfs_password }}" | encfs /encrypted /decrypted --public --stdinpass && touch /decrypted/test
  when: encfs_check.rc > 0

# If it isn't empty, we simply need to mount it (but only if /decrypted/test doesn't exist)
# /decrypted/test is the "already mounted" marker: it exists only inside the
# mounted view, never in the bare mount point.
- name: Mount encfs
  shell: printf "{{ encfs_password }}" | encfs /encrypted /decrypted --public --stdinpass creates="/decrypted/test"
  when: encfs_check.rc == 0

# Group-writable for the mail group; the service roles create their own
# subdirectories with their own owners.
- name: Set decrypted directory permissions
  file: state=directory path=/decrypted group=mail mode=775
36 |
--------------------------------------------------------------------------------
/roles/git/tasks/gitolite.yml:
--------------------------------------------------------------------------------
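# gitolite, installed from source and run under a dedicated git system user.
- name: Create gitolite group
  group: name=git state=present

- name: Create gitolite user
  user: name=git state=present home=/home/git system=yes group=git

# Presumably so cgit (running as www-data) can read the repositories.
- name: Add www-data to the git group
  user: name=www-data groups=git append=yes

# Fetched over HTTPS rather than the unauthenticated, unencrypted git://
# protocol: this code will run as the git user and be exposed over SSH, so
# its source must not be swappable on the wire. The version tag pins the
# release.
- name: Download gitolite release
  git: repo=https://github.com/sitaramc/gitolite
       dest=/home/git/gitolite
       version=v{{ gitolite_version }}

- name: Give git user file permissions
  file: path=/home/git/gitolite
        state=directory
        recurse=yes
        owner=git
        group=git

- name: Install gitolite
  command: ./gitolite/install -ln /usr/local/bin
           chdir=/home/git
           creates=/usr/local/bin/gitolite

- name: Copy .gitolite.rc file
  copy: src=home_git_.gitolite.rc
        dest=/home/git/.gitolite.rc
        group=git
        owner=git
        mode=0644

# The admin public key is stored under the main user's name; gitolite takes
# the admin user name from the file name (minus .pub).
- name: Copy SSH public key to server
  copy: src=gitolite.pub
        dest=/home/git/{{ main_user_name }}.pub
        group=git
        owner=git
        mode=0644

# NOTE(review): no creates= guard, so `gitolite setup -pk` re-runs on every
# play. It appears to be repeatable, but it re-applies the admin key from the
# file above each time and always reports "changed".
- name: Setup gitolite
  command: su - git -c 'gitolite setup -pk {{ main_user_name }}.pub'
           chdir=/home/git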
--------------------------------------------------------------------------------
/Vagrantfile:
--------------------------------------------------------------------------------
# If you're having issues, upgrade to Vagrant 1.3.x. It generates an inventory automatically:
# https://github.com/mitchellh/vagrant/blob/master/CHANGELOG.md#130-september-5-2013

Vagrant.configure('2') do |config|

  # Both providers boot the same 'wheezy64' box with 512 MB RAM; only the
  # download location differs. The vmware_fusion image comes from
  # https://github.com/misheska/basebox-packer.
  box_urls = {
    virtualbox:    'https://sovereign.lukecyca.com/vagrant/wheezy64.box',
    vmware_fusion: 'https://dl.dropboxusercontent.com/s/g8djjlz1x5tz30j/debian72.box?token_hash=AAH1_-tgqx5PabhxLXD-X7hFEZ9x_-a899fMAYI_Kgd4Bg&dl=1',
  }

  box_urls.each do |provider_name, box_url|
    config.vm.provider provider_name do |provider, override|
      override.vm.box = 'wheezy64'
      override.vm.box_url = box_url
      provider.customize ["modifyvm", :id, "--memory", 512]
    end
  end

  config.vm.hostname = 'sovereign.local'

  # Host-only network: the VM is reachable from the workstation only.
  config.vm.network "private_network", ip: "172.16.100.2"

  # Provision with the same playbook as a real host, flagged as a test run.
  # host_key_checking is off only because this throwaway VM's host key changes
  # on every rebuild; do not carry the setting over to real inventories.
  config.vm.provision :ansible do |ansible|
    ansible.playbook = 'site.yml'
    ansible.host_key_checking = false
    ansible.extra_vars = { ansible_ssh_user: 'vagrant', testing: true }

    # ansible.tags = ['blog']
    # ansible.skip_tags = ['openvpn']
    # ansible.verbose = 'vvvv'
  end

end
34 |
--------------------------------------------------------------------------------
/roles/mailserver/files/etc_dovecot_conf.d_90-plugin.conf:
--------------------------------------------------------------------------------
##
## Plugin settings
##

# All wanted plugins must be listed in mail_plugins setting before any of the
# settings take effect. See for list of plugins and
# their configuration. Note that %variable expansion is done for all values.

plugin {
  # Antispam (DSPAM)
  # dovecot-antispam retrains DSPAM when mail is moved between the spam
  # folders and other folders, by invoking the dspam binary per message. It
  # keys on the signature header DSPAM adds (signatureLocation=headers in
  # default.prefs); a message without one is treated as an error rather than
  # silently skipped.
  antispam_backend = dspam
  antispam_allow_append_to_spam = YES
  antispam_spam = Spam;Junk
  antispam_trash = trash;Trash
  antispam_signature = X-DSPAM-Signature
  antispam_signature_missing = error
  antispam_dspam_binary = /usr/bin/dspam
  antispam_dspam_args = --user;%u;--deliver=;--source=error
  antispam_dspam_spam = --class=spam
  antispam_dspam_notspam = --class=innocent
  antispam_dspam_result_header = X-DSPAM-Result

  # FTS (full text search with Solr)
  # Plain HTTP to the local Tomcat (solr.yml); mail text crosses this link, so
  # it relies on Solr not being reachable from outside -- NOTE(review):
  # confirm the Tomcat connector is bound to loopback or blocked by ufw.
  fts = solr
  fts_solr = break-imap-search url=http://localhost:8080/solr/

  # Autocreate (specify mailboxes that must always exist for all users)
  autocreate = Drafts
  autocreate2 = Sent
  autocreate3 = Junk
  autocreate4 = Trash
  autocreate5 = Archive
  autosubscribe = Drafts
  autosubscribe2 = Sent
  autosubscribe3 = Junk
  autosubscribe4 = Trash
  autosubscribe5 = Archive
}
39 |
--------------------------------------------------------------------------------
/roles/git/templates/etc_apache2_sites-available_cgit.j2:
--------------------------------------------------------------------------------
1 |
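ServerName {{ cgit_domain }}

# The plain-HTTP vhost only bounces clients to the TLS vhost below.
Redirect permanent / https://{{ cgit_domain }}/



ServerName {{ cgit_domain }}

SSLEngine on
# SSLv2 and SSLv3 are both broken (SSLv3: POODLE); offer TLS only.
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
# NOTE(review): 3DES and non-forward-secret RSA suites remain as fallbacks
# for legacy clients; prune them once those clients are gone.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
# Wildcard cert, key and CA bundle are installed by roles/common/tasks/ssl.yml.
# NOTE(review): SSLCACertificateFile is the trust store for client-certificate
# auth; intermediates for the server's own chain belong in
# SSLCertificateChainFile -- confirm clients receive the full chain.
SSLCertificateFile /etc/ssl/certs/wildcard_public_cert.crt
SSLCertificateKeyFile /etc/ssl/private/wildcard_private.key
SSLCACertificateFile /etc/ssl/certs/wildcard_ca.pem
# HSTS for ~6 months (needs mod_headers, enabled in common/tasks/main.yml).
# "Header always set" would also cover error responses and avoid duplicates.
Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"

DocumentRoot /var/www/htdocs/cgit/


# Per-directory settings for the cgit install: no .htaccess overrides, and
# CGI execution enabled so cgit.cgi can run.
AllowOverride None
Options +ExecCGI
Order allow,deny
Allow from all


# The few static assets are served as plain files; every other path is routed
# through the cgit CGI binary.
Alias /cgit.png /var/www/htdocs/cgit/cgit.png
Alias /cgit.css /var/www/htdocs/cgit/cgit.css
Alias /favicon.ico /var/www/htdocs/cgit/favicon.ico
Alias /robots.txt /var/www/htdocs/cgit/robots.txt
ScriptAlias / /var/www/htdocs/cgit/cgit.cgi/

CustomLog /var/log/apache2/cgit_access.log combined
ErrorLog /var/log/apache2/cgit_error.log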
36 |
37 |
--------------------------------------------------------------------------------
/roles/mailserver/tasks/z-push.yml:
--------------------------------------------------------------------------------
# z-push (ActiveSync front end for the mail server), installed from the
# upstream tarball and served by Apache through the alias configured below.
- name: Install required packages for z-push
  apt: pkg={{ item }} state=installed
  with_items:
    - php5
    - php5-cli
    - php-soap
    - php5-imap

# NOTE(review): plain-HTTP download with no integrity check, and the archive
# is then copied into a web-served directory as-is. get_url supports
# sha256sum=<expected>; pin the release's hash here, and prefer an https
# source if upstream offers one.
- name: Download z-push release
  get_url:
    url=http://download.z-push.org/final/2.1/z-push-{{ zpush_version }}.tar.gz
    dest=/root/z-push-{{ zpush_version }}.tar.gz

- name: Decompress z-push source
  command: tar xzf z-push-{{ zpush_version }}.tar.gz chdir=/root creates=/root/z-push-{{ zpush_version }}

- name: Create /usr/share/z-push
  file: state=directory path=/usr/share/z-push

# NOTE(review): the copy and the cleanup below have no creates/changed_when,
# and the rm deletes the creates= markers used by the two tasks above -- so
# every play re-downloads, re-copies over /usr/share/z-push and reports
# "changed".
- name: Copy z-push source files to /usr/share/z-push
  shell: cp -R z-push-{{ zpush_version }}/* /usr/share/z-push/ chdir=/root

- name: Remove downloaded, temporary z-push source files
  shell: rm -rf z-push* chdir=/root

# Sync state on the encfs-backed /decrypted mount, logs under /var/log; both
# writable by the Apache user.
- name: Ensure z-push state and log directories are in place
  file: state=directory path={{ item }} owner=www-data group=www-data mode=755
  with_items:
    - /decrypted/zpush-state
    - /var/log/z-push
  notify: restart apache

# NOTE(review): no owner/mode on config.php. If the rendered file contains
# backend credentials it should be root:www-data mode 0640 rather than the
# module default -- confirm what the template holds.
- name: Copy z-push's config.php into place
  template: src=usr_share_z-push_config.php.j2 dest=/usr/share/z-push/config.php

- name: Configure z-push apache alias and php settings
  copy: src=etc_apache2_conf.d_z-push.conf dest=/etc/apache2/conf.d/z-push.conf
  notify: restart apache

- name: Configure z-push logrotate
  copy: src=etc_logrotate_z-push dest=/etc/logrotate.d/z-push owner=root group=root mode=0644
42 |
--------------------------------------------------------------------------------
/roles/mailserver/tasks/opendkim.yml:
--------------------------------------------------------------------------------
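---
# Handy reference: http://stevejenkins.com/blog/2010/09/how-to-get-dkim-domainkeys-identified-mail-working-on-centos-5-5-and-postfix-using-opendkim/

# OpenDKIM: signs outgoing mail for every virtual domain.
- name: Install OpenDKIM and related packages
  apt: pkg={{ item }} state=installed
  with_items:
    - opendkim
    - opendkim-tools

- name: Create OpenDKIM config directory
  file: state=directory path=/etc/opendkim group=opendkim owner=opendkim

# One key directory per signing domain.
- name: Create OpenDKIM key directories
  file: state=directory path=/etc/opendkim/keys/{{ item.name }} group=opendkim owner=opendkim
  with_items: mail_virtual_domains

# -b 2048: opendkim-genkey defaults to 1024-bit RSA, below current DKIM
# guidance (2048 bits). -r restricts the key to e-mail use. Because of
# creates=, existing deployments keep their old key until default.private is
# removed; after any regeneration the DNS TXT record must be republished.
- name: Generate OpenDKIM keys
  command: opendkim-genkey -b 2048 -r -d {{ item.name }} -D /etc/opendkim/keys/{{ item.name }}/ creates=/etc/opendkim/keys/{{ item.name }}/default.private
  with_items: mail_virtual_domains

- name: Put opendkim.conf into place
  copy: src=etc_opendkim.conf dest=/etc/opendkim.conf owner=opendkim group=opendkim
  notify:
    - restart opendkim
    - restart postfix

# KeyTable/SigningTable map domains to keys; TrustedHosts lists peers whose
# mail is signed without verification.
- name: Put additional OpenDKIM configuration files into place
  template: src=etc_opendkim_{{ item }}.j2 dest=/etc/opendkim/{{ item }} owner=opendkim group=opendkim
  with_items:
    - KeyTable
    - SigningTable
    - TrustedHosts
  notify:
    - restart opendkim
    - restart postfix

# Private keys and tables are accessible to the opendkim user only (mode 700
# applied recursively).
- name: Set OpenDKIM config directory permissions
  file: state=directory path=/etc/opendkim
        group=opendkim owner=opendkim mode=700 recurse=yes
  notify:
    - restart opendkim
    - restart postfix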
43 |
--------------------------------------------------------------------------------
/roles/mailserver/files/etc_dspam_default.prefs:
--------------------------------------------------------------------------------
# $Id: default.prefs,v 1.2 2011/04/19 07:17:03 sbajic Exp $
# default.prefs v3.2
# Default preferences for DSPAM

# This file serves two purposes. First, it sets the default preferences each
# user will see when using the preferences section of the DSPAM Control
# Center. Second, it may be symbolically linked (or copied) into DSPAM_HOME to
# set the system-wide default preferences, overriding any commandline or
# dspam.conf parameters. If symlinked, an administrator can edit these options
# in the DSPAM Administrative Suite.

# Training Mode: TEFT, TOE, TUM, NOTRAIN
trainingMode=TEFT

# Spam Action: quarantine, tag, deliver
# "deliver" passes tagged spam on to Dovecot instead of holding it in DSPAM's
# quarantine; with dovecot-antispam installed (dspam.yml), moves between
# folders in the mail client are what retrain the filter.
spamAction=deliver # { quarantine | tag | deliver } -> default:quarantine

# Spam Subject: the text to be prepended onto the subject line of tagged spams
spamSubject=[SPAM]

# Bayesian Noise Reduction: on/off
enableBNR=on

# Automatic Whitelisting: on/off
enableWhitelist=on

# Statistical Sedation: 0-10
statisticalSedation=5

# Signature Location: message, headers, attachment
# Must match where Dovecot's antispam plugin looks for the signature
# (antispam_signature = X-DSPAM-Signature in 90-plugin.conf).
signatureLocation=headers

# Whitelist Threshold: the minimum number of innocent hits from a recipient to
# be automatically whitelisted. Do not set this value too low!
whitelistThreshold=10

# showFactors: when set to on, the determining factors for each message will
# be added to a X-DSPAM-Factors message header.
showFactors=on

# optIn/optOut: Depending on the opt mode set, you can also use one of these.
#optIn=on
#optOut=off
44 |
--------------------------------------------------------------------------------
/roles/common/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Defines tasks applicable across all machines in the infrastructure.

- name: Update apt cache
  apt: update_cache=yes

# Applies pending "safe" upgrades unconditionally on every play, so a run can
# change package versions on a production host.
- name: Upgrade all safe packages
  apt: upgrade=safe

- name: Install necessities and nice-to-haves
  apt: pkg={{ item }} state=installed
  with_items:
    - sudo
    - vim
    - htop
    - iftop
    - iotop
    - mosh
    - zsh
    - git
    - ruby1.9.3
    - screen
    - apache2
    - build-essential
    - apticron
    - update-notifier-common
    - debian-goodies
    - apt-transport-https
    - python-software-properties

- name: Install unattended upgrades (Debian/Ubuntu only)
  apt: pkg=unattended-upgrades state=installed
  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'

- name: Apticron email configuration
  template: src=apticron.conf.j2 dest=/etc/apticron/apticron.conf

# Drops the stock site so nothing unintended is served on *:80 before the
# per-application vhosts are enabled.
- name: Disable default Apache site
  command: a2dissite 000-default removes=/etc/apache2/sites-enabled/000-default
  notify: restart apache

# mod_headers is required by the Strict-Transport-Security line in every
# site template.
- name: Enable Apache headers module
  command: a2enmod headers creates=/etc/apache2/mods-enabled/headers.load
  notify: restart apache

- name: Set ServerName for Apache
  template: src=fqdn.j2 dest=/etc/apache2/conf.d/fqdn
  notify: restart apache

# Include order matters: encfs.yml mounts /decrypted before anything writes
# to it, and ssl.yml installs the key/cert that the vhosts and ufw-exposed
# services reference.
- include: encfs.yml tags=encfs
- include: users.yml tags=users
- include: ssl.yml tags=ssl
- include: ufw.yml tags=ufw
- include: security.yml tags=security
- include: ntp.yml tags=ntp
- include: google_auth.yml tags=google_auth
57 |
--------------------------------------------------------------------------------
/roles/git/tasks/cgit.yml:
--------------------------------------------------------------------------------
1 |
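# cgit web front end for the gitolite repositories, built from source.
- name: Install cgit dependencies
  apt: pkg={{ item }} state=installed
  with_items:
    - groff
    - python-pip
    - libssl-dev

# NOTE(review): unpinned pip installs -- whatever pygments/docutils PyPI
# serves at run time; pin versions for a reproducible build.
- name: Install cgit pip dependencies
  pip: name={{ item }}
  with_items:
    - pygments
    - docutils

# NOTE(review): plain-HTTP download with no integrity check; get_url supports
# sha256sum=<expected>, so pin the release hash here.
- name: Download cgit release
  get_url: url=http://git.zx2c4.com/cgit/snapshot/cgit-{{ cgit_version }}.tar.xz
           dest=/root/cgit-{{ cgit_version }}.tar.xz

# NOTE(review): the cgit snapshot appears to ship a Makefile but no configure
# script; if so this creates= marker never exists and the extraction re-runs
# every play (noisy rather than harmful). `creates=/root/cgit-{{ cgit_version }}/Makefile`
# would be the accurate guard -- verify against the tarball.
- name: Decompress cgit source
  command: tar xvfJ /root/cgit-{{ cgit_version }}.tar.xz
           chdir=/root
           creates=/root/cgit-{{ cgit_version }}/configure

# `make get-git` downloads the git source tree at build time (another
# unverified download), and `;` rather than `&&` means a failed step does not
# stop the later ones.
- name: Build and install cgit
  shell: make get-git ; make ; make install
         executable=/bin/bash
         chdir=/root/cgit-{{ cgit_version }}
         creates=/var/www/htdocs/cgit/cgit.cgi

# Root-owned, world-readable: cgit.cgi runs as www-data and only needs to
# read its configuration, never rewrite it.
- name: Copy cgitrc
  template: src=etc_cgitrc.j2 dest=/etc/cgitrc
            group=www-data
            owner=root
            mode=0644

# Apache reads its site files as root; keep them root-owned like the rest of
# /etc/apache2 so the web user cannot alter the vhost definition.
- name: Configure the Apache HTTP server for cgit
  template: src=etc_apache2_sites-available_cgit.j2
            dest=/etc/apache2/sites-available/cgit
            group=root
            owner=root
            mode=0644
  notify: restart apache

- name: Enable Apache cgi module
  command: a2enmod cgi creates=/etc/apache2/mods-enabled/cgi.load
  notify: restart apache

- name: Enable Apache rewrite module
  command: a2enmod rewrite creates=/etc/apache2/mods-enabled/rewrite.load
  notify: restart apache

- name: Enable cgit site
  command: a2ensite cgit creates=/etc/apache2/sites-enabled/cgit
  notify: restart apache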
53 |
--------------------------------------------------------------------------------
/roles/common/files/wildcard_private.key:
--------------------------------------------------------------------------------
1 | -----BEGIN RSA PRIVATE KEY-----
2 | MIIEpAIBAAKCAQEArpXru3ZQKl+OVlBar2yziN5ZiVSbt6QYuJtTUmMAfAtGsPob
3 | ueyI6XLG6QcFNCWNqUd3fa15GPYluFA5Ot7bPAoo3UQXJvM9n/tQ2YWPjPgxaV4s
4 | CKrIyw7UF+f2NwtUVdj1wHB0x7bh9asNv+ZDC5O2ze8dn09CS7Puh13bsVFm1iap
5 | ngrrC6ctethJF67A/mRa7UzqHzesAznkgaWfhDLyygNX0PzI5ywVAKbgvxUWndPx
6 | 3oY6yx5jrfk+opMUUnDu9AqhthTPaKK1s3JXJBOW2R/rlgYokfO7VBDkRv/ty3B1
7 | BnmSxdOV/01f5JJdgfLlR6PNd2FMmMoCesg9YwIDAQABAoIBADm/oYAavJ2nif+H
8 | CNgqDqDhW6CPegqenwbBaihAUzK00CdOM8mmMgt2SdFe3xvGqDssRpwtu3bEROnY
9 | r3WHreEIQ0gdc8MQhnvat32cLkWk+0MtQUeEpnJ0bzeRJOJEPxs+btu+1wIQvmFy
10 | uVOWqOq1a6xmwdemcfl0hRwFsdvO00MefOWgJpmBGBTBKuvhg1rUPP8xkHlD98ga
11 | +vpxG0vS5d2vHKa5FxcbbMaV9kxqjsc1Sm79zWlomwdmE5u0dUIIfNV1+VOmPqW2
12 | tjeD+JDieyX3uOKFpRTk7/5rOJd5hzHukIeUpl0n9mC/mY8lvoFAttszeTEwjkv0
13 | EhRBjaECgYEA3Rz8AoWJLDC63wfz3mUhtXzFxrxok85cNT35ohT9btnKyLKykvAE
14 | BCfHeYg8cwFFv0oUXpK9HWOqoJhsYN79+WYA1QE9n0XXAGl1K1/FlKsoAH3h5GAf
15 | CHGLsq6rEY3ixBmqEiKCWjNXgKeoMg9V/gjTNudWYqLvcsgMoD9vJbkCgYEAyiGi
16 | QZUa7pGFSa3+kPJo9wx6FylsAVnBluQETZpPdXSB43cTnfUlGj50OHAwFKwD4MP1
17 | Z+3mTW3+iedpEo3BWs47onanI9DSe6XcUUMXreP+aStJYOkQ3Sl5wr5A61NFF/yr
18 | +bdKEzXNXB5My5hbFLuSUtsXNVmVr6B7pz2wyfsCgYEAiXKyCVM/IPQtxeSoqM+O
19 | 88VbIB4QmAjIcuRSoHmRzO2fy8ChlwuSQ48Cxb51bTwWQkHnhZ6L5pAFCg2WGWWk
20 | 1Pqee8popvCAJSZpCoxfQvpeRGf8Gr3RrKsAnxNLDf94PlSBzwIaq72MoFIYEP5N
21 | gzuzKEcIAQqt9Fj82ER2cCkCgYEAnaEFC+ffjNRnAUJzF04zlRVh0NY4qAT691Ty
22 | FiKUfKBS+rRN1Azs1j6GG81BcZ2DmLC4nEfmJdP1gE26nwF1G/9geh3V0hRzUIHU
23 | Ansz6CO4rwNWwgB/ajmB/uCnd90EMOSWqLLLTZfTglcOxGcYAF8WiQ7aVnx6Qu//
24 | /jgZuikCgYB10Gf8Wl/TcWVBTwbDbA50VqZpUWXkcF+oo/w4FfI2f74TEQVkIs9m
25 | 4SVhrtSAz3z2tuBEDB8SM2Uwe00/JSrbuOTvGcVTq64LDgH5fL38Hw8+7IvAZEOx
26 | 26mAS685K1pq0HvvCuwzSIAjpo55tso3phG/YxC+DD11DglhL1SpBA==
27 | -----END RSA PRIVATE KEY-----
28 |
--------------------------------------------------------------------------------
/roles/ircbouncer/templates/var_lib_znc_configs_znc.conf.j2:
--------------------------------------------------------------------------------
// WARNING
//
// Do NOT edit this file while ZNC is running!
// Use webadmin or *controlpanel instead.
//
// Buf if you feel risky, you might want to read help on /znc saveconfig and /znc rehash.
// Also check http://en.znc.in/wiki/Configuration

// Global settings. "fail2ban" here is ZNC's own module (temporary per-IP
// bans after failed logins), independent of the system fail2ban;
// AnonIPLimit caps unauthenticated connections per source IP;
// ProtectWebSessions ties a webadmin session to the client IP it came from.
AnonIPLimit = 10
ConnectDelay = 5
LoadModule = webadmin
LoadModule = fail2ban
LoadModule = lastseen
LoadModule = partyline
MaxBufferSize = 500
Motd = Connected to ZNC
PidFile = /var/run/znc/znc.pid
ProtectWebSessions = true
SSLCertFile = /var/lib/znc/znc.pem
ServerThrottle = 30
Skin = _default_
StatusPrefix = *
Version = 1.0


// Single listener: IRC clients and the webadmin UI share TCP 6697 over TLS,
// IPv4 only. NOTE(review): how SSLCertFile is produced is not visible here
// (presumably znc.yml); confirm it is a certificate clients actually verify
// rather than one they are expected to accept blindly.
AllowIRC = true
AllowWeb = true
IPv4 = true
IPv6 = false
Port = 6697
SSL = true



// The bouncer user. Admin = true grants full control of the ZNC instance
// (loading modules, changing settings) to whoever authenticates as this
// user, and Allow = * places no source-IP restriction on logins -- so the
// password hash at the end of this file is the only gate.
Admin = true
Allow = *
AltNick = {{ irc_nick }}_
AppendTimestamp = false
AutoClearChanBuffer = true
Buffer = 5000
ChanModes = +stn
DenyLoadMod = false
DenySetBindHost = false
Ident = {{ irc_ident }}
JoinTries = 10
LoadModule = controlpanel
LoadModule = perform
LoadModule = block_motd
LoadModule = clientnotify
MaxNetworks = 1
MultiClients = true
Nick = {{ irc_nick }}
PrependTimestamp = true
QuitMsg = {{ irc_quitmsg }}
RealName = {{ irc_realname }}
TimestampFormat = [%H:%M:%S]


// Upstream network: TLS to freenode (the + prefix on the port). savebuff
// persists channel buffers to disk under ZNC's data directory.
FloodBurst = 4
FloodRate = 1.00
IRCConnectEnabled = true
LoadModule = kickrejoin
LoadModule = nickserv
LoadModule = savebuff
Server = chat.freenode.net +6697


// Login secret for the user above, supplied as a pre-computed hash by a
// template variable -- never the cleartext password.
Pass = {{ irc_password_hash }}
69 |
70 |
--------------------------------------------------------------------------------
/roles/mailserver/templates/etc_dovecot_conf.d_15-lda.conf.j2:
--------------------------------------------------------------------------------
##
## LDA specific settings (also used by LMTP)
##
## Rendered by roles/mailserver/tasks/dovecot.yml into /etc/dovecot/conf.d/15-lda.conf.
## Only two values are templated (postmaster_address, hostname); everything else
## is the upstream example file with its defaults left commented out.

# Address to use when sending rejection mails.
# Default is postmaster@.
# vars/user.yml aliases postmaster@{{ domain }} to admin_email, so rejections
# sent from here land in a mailbox somebody reads.
postmaster_address = postmaster@{{domain}}

# Hostname to use in various parts of sent mails, eg. in Message-Id.
# Default is the system's real hostname.
hostname = {{ mail_server_hostname }}

# If user is over quota, return with temporary failure instead of
# bouncing the mail.
#quota_full_tempfail = no

# Binary to use for sending mails.
#sendmail_path = /usr/sbin/sendmail

# If non-empty, send mails via this SMTP host[:port] instead of sendmail.
#submission_host =

# Subject: header to use for rejection mails. You can use the same variables
# as for rejection_reason below.
#rejection_subject = Rejected: %s

# Human readable error message for rejection mails. You can use variables:
# %n = CRLF, %r = reason, %s = original subject, %t = recipient
#rejection_reason = Your message to <%t> was automatically rejected:%n%r

# Delimiter character between local-part and detail in email address.
#recipient_delimiter = +

# Header where the original recipient address (SMTP's RCPT TO: address) is taken
# from if not available elsewhere. With dovecot-lda -a parameter overrides this.
# A commonly used header for this is X-Original-To.
#lda_original_recipient_header =

# Should saving a mail to a nonexistent mailbox automatically create it?
#lda_mailbox_autocreate = no

# Should automatically created mailboxes be also automatically subscribed?
#lda_mailbox_autosubscribe = no

protocol lda {
  # Space separated list of plugins to load (default is global mail_plugins).
  # Sieve is enabled for the LDA only. dovecot-lmtpd is installed by the same
  # role; if delivery is ever switched to LMTP, add a matching
  # `protocol lmtp { mail_plugins = $mail_plugins sieve }` or user filters stop running.
  mail_plugins = $mail_plugins sieve
}

49 |
--------------------------------------------------------------------------------
/roles/common/templates/ntp.conf.j2:
--------------------------------------------------------------------------------
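# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
#
# Managed by Ansible (roles/common/templates/ntp.conf.j2). Upstream servers
# come from the `ntp_servers` variable; one public fallback is kept so the host
# still syncs when that list is empty.

driftfile /var/lib/ntp/ntp.drift

# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# Use servers configured via Ansible
{% for server in ntp_servers %}
server {{ server }}
{% endfor %}

# fallback
server tick.usno.navy.mil

# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration
# (nomodify), trap registration (notrap), peering (nopeer) or mode 6/7 status
# queries (noquery).  "limited" turns on the rate limiter and is what makes
# "kod" actually send kiss-o'-death packets: without it "kod" is a no-op, so
# the previous version never throttled clients hammering this host.
restrict -4 default kod limited notrap nomodify nopeer noquery
restrict -6 default kod limited notrap nomodify nopeer noquery

# Belt and braces: do not keep the MRU client list that ntpdc's "monlist"
# reads back, so the amplification vector stays closed even if a later edit
# loosens the default restrictions above.
disable monitor

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient
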
49 |
--------------------------------------------------------------------------------
/roles/news/tasks/selfoss.yml:
--------------------------------------------------------------------------------
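# Installs selfoss (RSS reader) from its git repository, creates its PostgreSQL
# role/database, wires it into Apache and schedules the feed updater.

- name: Clone Selfoss
  # `selfoss_version` is optional so existing inventories keep tracking HEAD;
  # set it to a tag or commit to pin what is deployed instead of whatever
  # upstream master happens to be at run time (same pattern as wallabag_version).
  git: repo=https://github.com/SSilence/selfoss.git
       dest=/var/www/selfoss
       version="{{ selfoss_version | default('HEAD') }}"

- name: Set selfoss permissions
  # NOTE(review): this makes the whole code tree writable by the web-server
  # user; selfoss only needs write access to its data/ directory. Narrowing it
  # limits what a compromised PHP process can persist.
  file: owner=www-data group=www-data path=/var/www/selfoss recurse=yes state=directory

- name: Create database user for selfoss
  postgresql_user: login_host=localhost login_user={{ db_admin_username }} login_password="{{ db_admin_password }}" name={{ selfoss_db_username }} password="{{ selfoss_db_password }}" state=present

- name: Create database for selfoss
  postgresql_db: login_host=localhost login_user={{ db_admin_username }} login_password="{{ db_admin_password }}" name={{ selfoss_db_database }} state=present owner={{ selfoss_db_username }}

- name: Install selfoss config.ini
  # 0640: the file carries the DB password and the login password hash, and
  # without an explicit mode it was created world-readable (umask default).
  template: src=var_www_selfoss_config.ini.j2 dest=/var/www/selfoss/config.ini group=www-data owner=www-data mode=0640

- name: Enable Apache rewrite module
  command: a2enmod rewrite creates=/etc/apache2/mods-enabled/rewrite.load
  notify: restart apache

- name: Enable Apache headers module
  command: a2enmod headers creates=/etc/apache2/mods-enabled/headers.load
  notify: restart apache

- name: Enable Apache expires module
  command: a2enmod expires creates=/etc/apache2/mods-enabled/expires.load
  notify: restart apache

- name: Configure the Apache HTTP server for selfoss
  # Apache reads its configuration as root; a vhost file owned by www-data
  # lets a compromised web process rewrite it (e.g. a piped ErrorLog runs as
  # root on the next restart). root:root, world-readable is the correct owner.
  template: src=etc_apache2_sites-available_selfoss.j2 dest=/etc/apache2/sites-available/selfoss owner=root group=root mode=0644
  notify: restart apache

- name: Enable the selfoss site
  command: a2ensite selfoss creates=/etc/apache2/sites-enabled/selfoss
  notify: restart apache

- name: Install selfoss cronjob
  # NOTE(review): `-k` skips certificate verification. The vhost serves the
  # wildcard certificate installed by the common role, so verification should
  # succeed once its CA is in the system store; drop `-k` after confirming.
  cron: name="selfoss" user="www-data" minute="*/5" job="curl --silent --show-error -k 'https://{{ selfoss_domain }}/update' > /dev/null"
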
39 |
--------------------------------------------------------------------------------
/roles/vpn/templates/openssl-server-certificate.cnf.j2:
--------------------------------------------------------------------------------
# OpenSSL CA configuration used by roles/vpn to sign the OpenVPN *server*
# certificate (rendered from openssl-server-certificate.cnf.j2). The CA
# material referenced here lives under openvpn_path on the VPN host.
[ ca ]
default_ca = CA_default

[ CA_default ]

# CA certificate, CA private key, issued certificates, index and serial all
# sit in this one directory on the VPN server itself. Anyone who can read it
# can mint client certificates, so keep it root-only; consider moving the CA
# key offline once the initial certificates are issued.
dir = {{ openvpn_path }}
certs = $dir
crl_dir = $dir
database = $dir/index.txt
new_certs_dir = $dir

certificate = {{ openvpn_ca }}.crt
serial = $dir/serial
# A CRL location is configured; nothing in this listing shows OpenVPN being
# pointed at it (crl-verify) -- confirm, otherwise revoking a client has no effect.
crl = $dir/crl.pem
private_key = {{ openvpn_ca }}.key
RANDFILE = $dir/.rand

# Extension profile stamped onto issued certificates (see [ server ] below).
x509_extensions = server

default_days = {{ openvpn_days_valid }}
default_crl_days= 30
# SHA-256 signatures; do not downgrade to sha1/md5.
default_md = sha256
preserve = no

policy = policy_anything

# Only the CN is mandatory in a request; the other DN fields are optional so
# requests carrying different O/OU values still get signed.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional

[ req ]
distinguished_name = req_distinguished_name

# Defaults come from openvpn_key_* in vars; the CN defaults to "server".
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = {{ openvpn_key_country }}

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = {{ openvpn_key_province }}

localityName = Locality Name (eg, city)
localityName_default = {{ openvpn_key_city }}

0.organizationName = Organization Name (eg, company)
0.organizationName_default = {{ openvpn_key_org }}

organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = {{ openvpn_key_ou }}

commonName = Common Name (eg, your name or your server\'s hostname)
commonName_default = server

[ server ]
# Leaf certificate: must never be usable as an issuing CA.
basicConstraints=CA:FALSE
# Netscape-era attribute kept for clients that still use `ns-cert-type server`;
# extendedKeyUsage/keyUsage below are what `remote-cert-tls server` checks.
nsCertType = server
nsComment = "Ansible Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# serverAuth marks this as a server-only certificate. Do not sign client
# requests with this section -- a client cert carrying serverAuth could
# impersonate the VPN server to other clients.
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment

67 |
--------------------------------------------------------------------------------
/roles/owncloud/templates/etc_apache2_sites-available_owncloud.j2:
--------------------------------------------------------------------------------
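# NOTE(review): the <VirtualHost> and <Directory> container directives were
# lost from this listing (angle-bracket tags stripped); they are restored
# below from the Redirect / SSLEngine / DocumentRoot lines. Check against the
# repository copy before deploying this version.
<VirtualHost *:80>
    ServerName {{ owncloud_domain }}

    # Plain HTTP only redirects; HSTS on the TLS host keeps browsers there.
    Redirect permanent / https://{{ owncloud_domain }}/
</VirtualHost>

<VirtualHost *:443>
    ServerName {{ owncloud_domain }}

    SSLEngine on
    # SSLv3 is disabled as well: it is vulnerable to CBC padding-oracle
    # attacks and nothing that talks to an ownCloud instance needs it.
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    # The *+3DES entries exist only for very old clients; remove them once
    # nothing that needs them connects.
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
    SSLCertificateFile /etc/ssl/certs/wildcard_public_cert.crt
    SSLCertificateKeyFile /etc/ssl/private/wildcard_private.key
    # SSLCACertificateFile is the client-auth CA list. mod_ssl does pick the
    # intermediate out of it when building the served chain, but
    # SSLCertificateChainFile is the directive meant for that.
    SSLCACertificateFile /etc/ssl/certs/wildcard_ca.pem
    # "always" so the header is also sent on 3xx/4xx/5xx responses, which
    # `Header add` (onsuccess table) skips.
    Header always set Strict-Transport-Security "max-age=15768000; includeSubdomains"

    DocumentRoot /var/www/owncloud
    Options -Indexes

    ErrorLog /var/log/apache2/owncloud.info-error_log
    CustomLog /var/log/apache2/owncloud.info-access_log common

    # Tells PHP to emit public caching headers for session pages instead of
    # the default no-cache set; see the caching note in the Directory block.
    php_value session_cache_limiter "public"

    <Directory /var/www/owncloud>
        AllowOverride All
        Order allow,deny
        allow from all
        DirectoryIndex index.php

        # NOTE(review): compressing responses over TLS exposes secrets in the
        # body (CSRF tokens) to BREACH-style attacks; restrict DEFLATE to
        # static asset types if that matters for this deployment.
        SetOutputFilter DEFLATE

        # NOTE(review): these caching directives apply to every response under
        # the document root, not only static assets, and `Header set` replaces
        # whatever Cache-Control PHP emitted. Combined with session_cache_limiter
        # "public" above, authenticated pages become cacheable by the browser
        # (and by any intermediary that could see them). Scope them with
        # <FilesMatch> to css/js/images if that is not intended.
        ExpiresActive On
        ExpiresDefault "access plus 2 weeks"
        ExpiresByType text/css "access plus 2 weeks"
        ExpiresByType image/svg+xml "access plus 2 weeks"
        ExpiresByType image/png "access plus 2 weeks"
        ExpiresByType text/javascript "access plus 2 weeks"
        ExpiresByType application/x-javascript "access plus 2 weeks"
        ExpiresByType application/javascript "access plus 2 weeks"
        ExpiresByType application/x-icon "access plus 2 weeks"

        Header set Cache-Control "public"
    </Directory>
</VirtualHost>
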
--------------------------------------------------------------------------------
/roles/mailserver/tasks/dovecot.yml:
--------------------------------------------------------------------------------
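# Installs Dovecot (IMAP/POP3/LMTP/ManageSieve) with a PostgreSQL user backend.
# Mailboxes live under /decrypted (the encfs mount from the common role) and
# are owned by the dedicated vmail user.

- name: Install Dovecot and related packages
  apt: pkg={{ item }} state=installed
  with_items:
    - dovecot-core
    - dovecot-imapd
    - dovecot-pop3d
    - dovecot-lmtpd
    - dovecot-managesieved
    - postgresql-9.1
    - dovecot-pgsql

- name: Create vmail group
  group: name=vmail state=present gid=5000

- name: Create vmail user
  # Fixed uid/gid so the ids match the Postfix side and survive reinstalls.
  user: name=vmail group=vmail state=present uid=5000 home=/decrypted

- name: Ensure mail domain directories are in place
  file: state=directory path=/decrypted/{{ item.name }} owner=vmail group=dovecot mode=770
  with_items: mail_virtual_domains

- name: Ensure mail directories are in place
  file: state=directory path=/decrypted/{{ item.domain }}/{{ item.account }} owner=vmail group=dovecot
  with_items: mail_virtual_users

- name: Copy dovecot.conf into place
  copy: src=etc_dovecot_dovecot.conf dest=/etc/dovecot/dovecot.conf

- name: Copy additional Dovecot configuration files in place
  copy: src=etc_dovecot_conf.d_{{ item }} dest=/etc/dovecot/conf.d/{{ item }}
  with_items:
    - 10-mail.conf
    - 10-auth.conf
    - auth-sql.conf.ext
    - 10-master.conf
    - 10-ssl.conf
  notify: restart dovecot

- name: Template 15-lda.conf
  template: src=etc_dovecot_conf.d_15-lda.conf.j2 dest=/etc/dovecot/conf.d/15-lda.conf
  notify: restart dovecot

- name: Template dovecot-sql.conf.ext
  # Contains the mail DB password; it inherits the directory permissions set below.
  template: src=etc_dovecot_dovecot-sql.conf.ext.j2 dest=/etc/dovecot/dovecot-sql.conf.ext
  notify: restart dovecot

- name: Ensure correct permissions on Dovecot config directory
  # Owned by vmail presumably because dovecot-lda, when Postfix invokes it as
  # vmail, parses these files directly (confirm in master.cf). That needs
  # *read* access only: the previous 770 also let vmail and the dovecot group
  # rewrite the configuration that the root-run config process loads, turning
  # a compromise of the delivery user into code execution as root on the next
  # restart. 0750 keeps the read path and drops the write bit; nothing in this
  # role writes here except these root-run tasks.
  file: state=directory path=/etc/dovecot
        group=dovecot owner=vmail mode=0750 recurse=yes
  notify: restart dovecot

- name: Set firewall rules for dovecot
  # Only the TLS-wrapped ports are opened; plain 110/143 stay closed.
  ufw: rule=allow port={{ item }} proto=tcp
  with_items:
    - pop3s
    - imaps
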
57 |
--------------------------------------------------------------------------------
/roles/mailserver/templates/mailserver.sql.j2:
--------------------------------------------------------------------------------
-- If tables are not dropped, have to truncate before insert or use "insert or replace" (not postgres compatible)
--
-- Rendered by roles/mailserver/tasks/postfix.yml into /etc/postfix/import.sql
-- (root, 0600 -- it contains password hashes) and loaded by the
-- "import sql postfix" handler. Every import drops and recreates all three
-- tables, so the inventory vars are the only source of truth: anything
-- changed directly in the database is lost on the next run.
--
-- Values are interpolated by Jinja without SQL escaping. They come from the
-- operator's own vars file, not from user input, but a value containing a
-- single quote would still break (or alter) the statement -- keep them plain.

DROP TABLE IF EXISTS "virtual_users";
DROP TABLE IF EXISTS "virtual_aliases";
DROP TABLE IF EXISTS "virtual_domains";

CREATE TABLE IF NOT EXISTS "virtual_domains" (
  "id" SERIAL,
  "name" TEXT NOT NULL,
  PRIMARY KEY ("id")
);

CREATE UNIQUE INDEX name_idx ON virtual_domains (name);

-- Postfix/Dovecot look users up by email; the password column holds the
-- pre-computed hash from vars (password_hash), never a cleartext password.
CREATE TABLE IF NOT EXISTS "virtual_users" (
  "id" SERIAL,
  "domain_id" int NOT NULL,
  "password" TEXT NOT NULL,
  "email" TEXT NOT NULL UNIQUE,
  PRIMARY KEY ("id"),
  FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
);


-- Redundant with the UNIQUE constraint above, kept for the explicit index name.
CREATE UNIQUE INDEX email_idx ON virtual_users (email);

CREATE TABLE IF NOT EXISTS "virtual_aliases" (
  "id" SERIAL,
  "domain_id" int NOT NULL,
  "source" TEXT NOT NULL,
  "destination" TEXT NOT NULL,
  PRIMARY KEY ("id"),
  FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
);

CREATE INDEX source_idx ON virtual_aliases (source);

-- Domains are inserted with an explicit id (pk_id from vars) so that users
-- and aliases can reference it. The SERIAL sequence is not advanced by this,
-- which only matters if rows were ever added by hand afterwards.
{% for virtual_domain in mail_virtual_domains %}
INSERT INTO "virtual_domains" ("id", "name")
  VALUES ('{{ virtual_domain.pk_id }}', '{{ virtual_domain.name }}');
{% endfor %}

{% for virtual_user in mail_virtual_users %}
INSERT INTO "virtual_users" ("domain_id", "password" , "email")
  VALUES (
    '{{ virtual_user.domain_pk_id }}',
    '{{ virtual_user.password_hash }}',
    '{{ virtual_user.account }}@{{ virtual_user.domain }}'
  );
{% endfor %}

-- Aliases are optional; the whole block is skipped when the variable is absent.
{% if mail_virtual_aliases is defined %}
{% for virtual_alias in mail_virtual_aliases %}
INSERT INTO "virtual_aliases" ("domain_id", "source", "destination")
  VALUES ('{{ virtual_alias.domain_pk_id }}', '{{ virtual_alias.source }}', '{{virtual_alias.destination }}');
{% endfor %}
{% endif %}

58 |
--------------------------------------------------------------------------------
/roles/mailserver/files/etc_dovecot_conf.d_10-ssl.conf:
--------------------------------------------------------------------------------
1 | ##
2 | ## SSL settings
3 | ##
4 |
5 | # SSL/TLS support: yes, no, required.
6 | ssl = required
7 |
8 | # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
9 | # dropping root privileges, so keep the key file unreadable by anyone but
10 | # root. Included doc/mkcert.sh can be used to easily generate self-signed
11 | # certificate, just make sure to update the domains in dovecot-openssl.cnf
12 | ssl_cert =
7 | * @copyright 2013
8 | * @license http://www.wtfpl.net/ see COPYING file
9 | */
10 |
// Rendered by roles/readlater/tasks/wallabag.yml into inc/poche/config.inc.php.
// Only the salt and the database credentials are templated; everything below
// the "Do not trespass" banner is the upstream default configuration.

// Per-installation secret. NOTE(review): it appears to feed wallabag's password
// hashing -- changing it after users exist would invalidate stored hashes, so
// generate it once (long, random) and never rotate it casually. Confirm in
// the wallabag source before relying on this.
define ('SALT', '{{ wallabag_salt }}'); # put a strong string here
define ('LANG', 'en_EN.utf8');

define ('STORAGE', 'postgres'); # postgres, mysql or sqlite

define ('STORAGE_SQLITE', ROOT . '/db/poche.sqlite'); # if you are using sqlite, where the database file is located

# only for postgres & mysql
// Cleartext DB password lives in this file: it must not be world-readable
// (the task that templates it should set an explicit mode).
define ('STORAGE_SERVER', 'localhost');
define ('STORAGE_DB', '{{ wallabag_db_database }}');
define ('STORAGE_USER', '{{ wallabag_db_username }}');
define ('STORAGE_PASSWORD', '{{ wallabag_db_password }}');

#################################################################################
# Do not trespass unless you know what you are doing
#################################################################################

// Change this if not using the standart port for SSL - i.e you server is behind sslh
define ('SSL_PORT', 443);

// Demo and debug modes stay off in production; DEBUG_POCHE would expose
// internals to visitors.
define ('MODE_DEMO', FALSE);
define ('DEBUG_POCHE', FALSE);
define ('DOWNLOAD_PICTURES', FALSE);
define ('CONVERT_LINKS_FOOTNOTES', FALSE);
define ('REVERT_FORCED_PARAGRAPH_ELEMENTS', FALSE);
// Third-party integrations (upstream defaults). FLATTR TRUE makes the server
// query api.flattr.com with saved article URLs -- a privacy consideration on
// a personal instance; set to FALSE if that is unwanted.
define ('SHARE_TWITTER', TRUE);
define ('SHARE_MAIL', TRUE);
define ('SHARE_SHAARLI', FALSE);
define ('SHAARLI_URL', 'http://myshaarliurl.com');
define ('FLATTR', TRUE);
define ('FLATTR_API', 'https://api.flattr.com/rest/v2/things/lookup/?url=');
define ('NOT_FLATTRABLE', '0');
define ('FLATTRABLE', '1');
define ('FLATTRED', '2');
define ('ABS_PATH', 'assets/');

define ('DEFAULT_THEME', 'baggy');

define ('THEME', ROOT . '/themes');
define ('LOCALE', ROOT . '/locale');
define ('CACHE', ROOT . '/cache');

define ('PAGINATION', '10');

//limit for download of articles during import
define ('IMPORT_LIMIT', 5);
//delay between downloads (in sec)
define ('IMPORT_DELAY', 5);

59 |
--------------------------------------------------------------------------------
/vars/user.yml:
--------------------------------------------------------------------------------
---
###############################################################################
# Set your variables here.
# For a complete reference look at the `vars/defaults.yml` file.
#
# NOTE(review): every secret below (encfs, database, XMPP and hash inputs) is
# stored in cleartext in this file. Keep it out of version control, or
# encrypt it with ansible-vault if the Ansible version in use supports it,
# and restrict its permissions on the control machine.
###############################################################################

# common
domain: TODO.com
main_user_name: TODO
# Passphrase for the /decrypted encfs volume that holds mail and ownCloud data.
encfs_password: TODO

# database
# Superuser credentials used by every role to create its own DB role/database.
db_admin_username: postgres
db_admin_password: TODO

# ircbouncer
irc_nick: TODO
irc_ident: TODO
irc_realname: TODO
irc_quitmsg: TODO
# Hash in the format expected by the deployed ZNC release (generate it with
# ZNC's own tooling); it is rendered verbatim into znc.conf.
irc_password_hash: TODO

# mailserver
mail_db_password: TODO
# pk_id / domain_pk_id are the explicit primary keys written into the
# virtual_domains table; users and aliases reference domains by that number.
mail_virtual_domains:
  - name: "{{ domain }}"
    pk_id: 1
  # - name: TODO.com
  #   pk_id: 2
# password_hash is stored as-is in virtual_users.password; it must be in a
# scheme Dovecot's SQL passdb can verify (see dovecot-sql.conf.ext).
mail_virtual_users:
  - account: "{{ main_user_name }}"
    domain: "{{ domain }}"
    password_hash: TODO
    domain_pk_id: 1
  # - account: "{{ TODO }}"
  #   domain: "{{ domain }}"
  #   password_hash: TODO
  #   domain_pk_id: 2
# Role addresses are forwarded to admin_email (defined elsewhere, presumably
# vars/defaults.yml) so bounces and abuse reports reach a read mailbox.
mail_virtual_aliases:
  - source: "root@{{ domain }}"
    destination: "{{ admin_email }}"
    domain_pk_id: 1
  - source: "postmaster@{{ domain }}"
    destination: "{{ admin_email }}"
    domain_pk_id: 1
  - source: "webmaster@{{ domain }}"
    destination: "{{ admin_email }}"
    domain_pk_id: 1
# 1 enables the outbound header_checks map that strips client-identifying headers.
mail_header_privacy: 1

# z-push
zpush_timezone: "TODO" #Example: "America/New_York"

# owncloud
owncloud_db_password: TODO

# vpn
# DN fields baked into the OpenVPN CA/server/client certificates.
openvpn_key_country: "US"
openvpn_key_province: "California"
openvpn_key_city: "Beverly Hills"
openvpn_key_org: "ACME CORPORATION"
openvpn_key_ou: "Anvil Department"
# One client certificate is issued per name listed here.
openvpn_clients:
  - laptop
  - phone
  - tablet

# webmail
webmail_db_password: TODO

# xmpp
prosody_admin: "{{ admin_email }}"
prosody_virtual_domain: "{{ domain }}"
# NOTE(review): XMPP account password in cleartext, unlike the other services
# which take a hash.
prosody_accounts:
  - name: "{{ main_user_name }}"
    password: TODO

# selfoss
selfoss_db_password: "TODO"
selfoss_username: "{{ main_user_name }}"
# this is the sha512 hash of the desired password
# NOTE(review): check selfoss' config.ini for whether a salt is appended
# before hashing; a bare sha512 of the password may not match what it verifies.
selfoss_password_hash: "TODO"

# wallabag
# Random, long, set once: it is compiled into config.inc.php.
wallabag_salt: TODO
wallabag_db_password: TODO

87 |
--------------------------------------------------------------------------------
/roles/ircbouncer/tasks/znc.yml:
--------------------------------------------------------------------------------
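# more or less as per http://wiki.znc.in/Running_ZNC_as_a_system_daemon
#
# Builds ZNC from the upstream tarball, runs it as an unprivileged `znc` user
# and seeds its configuration from a template the first time only.

- name: Install znc dependencies
  apt: pkg={{ item }} state=installed
  with_items:
    - build-essential
    - libssl-dev
    - openssl
    - swig
    - automake
    - libtool
    - libsasl2-dev
    - checkinstall
    - g++
    - pkg-config
    - python3-dev
    - libperl-dev

- name: Download znc release
  # NOTE(review): fetched over plain HTTP with no checksum, then compiled and
  # installed as root -- a tampered tarball is a root compromise. Record the
  # release's sha256 in vars, pass it as `sha256sum=`, and use https.
  get_url: url=http://znc.in/releases/archive/znc-{{ znc_version }}.tar.gz dest=/root/znc-{{ znc_version }}.tar.gz

- name: Decompress znc source
  command: tar xzf /root/znc-{{ znc_version }}.tar.gz chdir=/root creates=/root/znc-{{ znc_version }}/configure

- name: Build and install znc
  # `&&` rather than `;` so a failing configure or make stops the task instead
  # of running `make install` on a half-built tree; `creates` keeps it idempotent.
  shell: ./configure --enable-python && make && make install executable=/bin/bash chdir=/root/znc-{{ znc_version }} creates=/usr/local/bin/znc

- name: Create znc group
  group: name=znc state=present

- name: Create znc user
  user: name=znc state=present home=/var/lib/znc system=yes group=znc

- name: Copy znc init file into place
  copy: src=etc_init.d_znc dest=/etc/init.d/znc mode=0755

- name: Create a combined version of the private key with public cert and intermediate + root CAs
  # umask 077 so the file that now holds the private key is never
  # world-readable, not even between this task and the chmod below (or if the
  # play aborts in between).
  shell: umask 077 && cat /etc/ssl/private/wildcard_private.key /etc/ssl/certs/wildcard_combined.pem >
         /var/lib/znc/znc.pem creates=/var/lib/znc/znc.pem

- name: Ensure znc user and group can read cert
  file: path=/var/lib/znc/znc.pem group=znc owner=znc mode=0640

- name: Check for existing config file
  # stat instead of `cat`: the config holds the password hash and `cat` echoed
  # it into the registered result / play output; stat also needs no ignore_errors.
  stat: path=/var/lib/znc/configs/znc.conf
  register: znc_config

- name: Create znc config directory
  file: state=directory path=/var/lib/znc/configs group=znc owner=znc

- name: Copy znc configuration file into place
  # Seeded once only: ZNC rewrites this file itself (saveconfig), so
  # re-templating would clobber changes made through webadmin. 0600 because it
  # contains the credential hash and only the znc user needs it.
  template: src=var_lib_znc_configs_znc.conf.j2 dest=/var/lib/znc/configs/znc.conf owner=znc group=znc mode=0600
  when: not znc_config.stat.exists

- name: Set firewall rule for znc
  # 6697/tcp carries IRC clients *and* the webadmin UI (see the template).
  ufw: rule=allow port=6697 proto=tcp

- name: Ensure znc is a system service
  service: name=znc state=started enabled=true
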
62 |
--------------------------------------------------------------------------------
/roles/readlater/tasks/wallabag.yml:
--------------------------------------------------------------------------------
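# Installs wallabag (read-it-later) from git at a pinned version, with a
# PostgreSQL backend and an Apache vhost.

- name: Clone wallabag
  # Pinned to wallabag_version rather than tracking master.
  git: repo=https://github.com/wallabag/wallabag.git
       dest=/var/www/wallabag
       version={{ wallabag_version }}

- name: Install wallabag dependencies
  apt: pkg={{ item }} state=present
  with_items:
    - php5
    - php5-mcrypt
    - php5-tidy
    - php5-curl
    - php5-pgsql

- name: Create database user for wallabag
  postgresql_user: login_host=localhost
                   login_user={{ db_admin_username }}
                   login_password="{{ db_admin_password }}"
                   name={{ wallabag_db_username }}
                   password="{{ wallabag_db_password }}"
                   state=present

- name: Create database for wallabag
  postgresql_db: login_host=localhost
                 login_user={{ db_admin_username }}
                 login_password="{{ db_admin_password }}"
                 name={{ wallabag_db_database }}
                 state=present
                 owner={{ wallabag_db_username }}
  notify: import wallabag sql

- name: Build Composer
  # NOTE(review): this pipes an unverified download straight into php as
  # root. Composer publishes a checksum/signature for the installer; fetch it
  # to a file, verify it, then run it -- and consider running it as an
  # unprivileged user.
  shell: curl -sS https://getcomposer.org/installer | php
         chdir=/root
         creates=/root/composer.phar

- name: Initialize composer
  # Runs third-party package install scripts as root; a lock file pinned in
  # the wallabag checkout is what limits what gets pulled here.
  command: php /root/composer.phar install
           chdir=/var/www/wallabag
           creates=/var/www/wallabag/vendor/autoload.php

- name: Set wallabag permissions
  # NOTE(review): hands the whole code tree to the web-server user, so a
  # compromised PHP process can persist itself in the application code.
  # wallabag only needs write access to its cache/db/assets directories.
  file: owner=www-data
        group=www-data
        path=/var/www/wallabag
        recurse=yes
        state=directory

- name: Create the configuration file
  # 0640: holds the DB password and the hashing salt; without an explicit
  # mode it was created world-readable (umask default).
  template: src=var_www_wallabag_inc_poche_config.inc.php.j2
            dest=/var/www/wallabag/inc/poche/config.inc.php
            owner=www-data
            group=www-data
            mode=0640

- name: Configure the Apache HTTP server for wallabag
  # Apache reads its configuration as root; a vhost file owned by www-data lets
  # a compromised web process rewrite it (e.g. a piped ErrorLog runs as root on
  # the next restart). root:root, world-readable is the correct owner.
  template: src=etc_apache2_sites-available_wallabag.j2
            dest=/etc/apache2/sites-available/wallabag
            owner=root
            group=root
            mode=0644
  notify: restart apache

- name: Enable the wallabag site
  command: a2ensite wallabag
           creates=/etc/apache2/sites-enabled/wallabag
  notify: restart apache
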
66 |
--------------------------------------------------------------------------------
/roles/mailserver/tasks/postfix.yml:
--------------------------------------------------------------------------------
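# Installs Postfix with PostgreSQL-backed virtual domains, mailboxes and
# aliases. Schema and rows come from mailserver.sql.j2; the
# "import sql postfix" handler (re)loads that file when anything it depends
# on changes.

- name: Install Postfix and related packages
  apt: pkg={{ item }} state=installed
  with_items:
    - postfix
    - libsasl2-modules
    - sasl2-bin
    - postgrey
    - postgresql-9.1
    - postfix-pgsql
    - python-psycopg2
    - postfix-pcre

- name: Set postgres password
  # Uses the module over the local socket (peer auth) as the admin OS user.
  # The previous `sudo -u postgres psql -c "ALTER USER ... '<password>'"` put
  # the superuser password on a command line (visible in `ps` and in the play
  # output) and reported "changed" on every run, re-importing the SQL each time.
  postgresql_user: login_user={{ db_admin_username }}
                   name={{ db_admin_username }}
                   password="{{ db_admin_password }}"
  sudo: yes
  sudo_user: "{{ db_admin_username }}"
  notify: import sql postfix

- name: Create database user for mail server
  postgresql_user: login_host=localhost login_user={{ db_admin_username }} login_password="{{ db_admin_password }}" name={{ mail_db_username }} password="{{ mail_db_password }}" state=present
  notify: import sql postfix

- name: Create database for mail server
  postgresql_db: login_host=localhost login_user={{ db_admin_username }} login_password="{{ db_admin_password }}" name={{ mail_db_database }} state=present owner={{ mail_db_username }}
  notify: import sql postfix

- name: Copy import.sql
  # root-only: the rendered SQL carries every mailbox password hash.
  template: src=mailserver.sql.j2 dest=/etc/postfix/import.sql owner=root group=root mode=0600
  notify: import sql postfix

- name: Create postfix maps directory
  file: path=/etc/postfix/maps state=directory owner=root group=root
  when: mail_header_privacy == 1

- name: Copy smtp_header_checks.pcre
  # Outbound header_checks that strip client-identifying headers (opt-in).
  copy: src=etc_postfix_maps_smtp_header_checks.pcre dest=/etc/postfix/maps/smtp_header_checks.pcre owner=root group=root
  when: mail_header_privacy == 1

- name: Copy main.cf
  template: src=etc_postfix_main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root
  notify: restart postfix

- name: Copy master.cf
  copy: src=etc_postfix_master.cf dest=/etc/postfix/master.cf owner=root group=root
  notify: restart postfix

- name: Copy additional postfix configuration files
  # These hold the mail DB password; Postfix reads them as root, so they should
  # get an explicit non-world-readable mode once the templates are reviewed.
  template: src=etc_postfix_{{ item }}.j2 dest=/etc/postfix/{{ item }} owner=root group=root
  with_items:
    - pgsql-virtual-mailbox-domains.cf
    - pgsql-virtual-mailbox-maps.cf
    - pgsql-virtual-alias-maps.cf
  notify: restart postfix

- name: Set firewall rules for postfix
  # 25 for inbound MX traffic, 465 for authenticated submission over TLS.
  ufw: rule=allow port={{ item }} proto=tcp
  with_items:
    - smtp
    - ssmtp
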
58 |
--------------------------------------------------------------------------------
/roles/owncloud/tasks/owncloud.yml:
--------------------------------------------------------------------------------
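---
# Installs the ownCloud personal cloud software
# as per http://www.debiantutorials.com/how-to-install-owncloud-on-wheezy/

- name: Create database user for ownCloud
  postgresql_user: login_host=localhost login_user={{ db_admin_username }} login_password="{{ db_admin_password }}" name={{ owncloud_db_username }} password="{{ owncloud_db_password }}" state=present

- name: Create database for ownCloud
  postgresql_db: login_host=localhost login_user={{ db_admin_username }} login_password="{{ db_admin_password }}" name={{ owncloud_db_database }} state=present owner={{ owncloud_db_username }}

- name: Ensure repository key for ownCloud is in place
  # The signing key is the root of trust for every package from this repo;
  # fetching it over plain HTTP let an on-path attacker substitute their own.
  # https at least defeats that when the client verifies certificates; shipping
  # the key in files/ and checking its fingerprint would be stronger still.
  apt_key: url=https://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/Release.key state=present

- name: Add ownCloud OpenSuSE repository
  # Package downloads can stay on http: apt verifies signatures against the key above.
  apt_repository: repo='deb http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/ /'

- name: Install ownCloud from OpenSuSE repository
  apt: pkg=owncloud update_cache=yes

- name: Install PHP-APC
  apt: pkg=php-apc

- name: Store ownCloud data securely
  # Move user data onto the encfs-backed /decrypted volume and leave a symlink
  # in the web root; `creates` makes the move a one-off.
  command: mv /var/www/owncloud/data /decrypted/owncloud-data creates=/decrypted/owncloud-data

- name: Symlink ownCloud data directory into the web root
  file: src=/decrypted/owncloud-data dest=/var/www/owncloud/data owner=www-data group=www-data state=link

- name: Enable Apache rewrite module
  command: a2enmod rewrite creates=/etc/apache2/mods-enabled/rewrite.load
  notify: restart apache

- name: Enable Apache headers module
  command: a2enmod headers creates=/etc/apache2/mods-enabled/headers.load
  notify: restart apache

- name: Enable Apache expires module
  command: a2enmod expires creates=/etc/apache2/mods-enabled/expires.load
  notify: restart apache

- name: Configure the Apache HTTP server for ownCloud
  # Apache reads its configuration as root; a vhost file owned by www-data lets
  # a compromised web process rewrite it (e.g. a piped ErrorLog runs as root on
  # the next restart). root:root, world-readable is the correct owner.
  template: src=etc_apache2_sites-available_owncloud.j2 dest=/etc/apache2/sites-available/owncloud owner=root group=root mode=0644
  notify: restart apache

- name: Enable the owncloud site
  command: a2ensite owncloud creates=/etc/apache2/sites-enabled/owncloud
  notify: restart apache

- name: Install ownCloud cronjob
  # Runs as the web user so the background jobs see the same file ownership.
  cron: name="ownCloud" user="www-data" minute="*/5" job="php -f /var/www/owncloud/cron.php > /dev/null"
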
49 |
--------------------------------------------------------------------------------
/roles/webmail/templates/etc_apache2_sites-available_roundcube.j2:
--------------------------------------------------------------------------------
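# NOTE(review): this listing lost the <VirtualHost>/<Directory> container
# tags; they are restored here from the Redirect / DocumentRoot / comment
# lines and the layout of Debian's packaged roundcube apache.conf. Verify the
# three "basic directories" paths against the repository copy before use.
<VirtualHost *:80>
    ServerName {{ webmail_domain }}

    # Webmail is never served over plain HTTP; HSTS on the TLS host makes
    # browsers remember that.
    Redirect permanent / https://{{ webmail_domain }}/
</VirtualHost>

<VirtualHost *:443>
    ServerName {{ webmail_domain }}

    SSLEngine on
    # SSLv3 disabled as well (CBC padding-oracle attacks); no webmail client
    # needs it.
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    # Same suite string as the other vhosts; the *+3DES entries exist only
    # for legacy clients -- drop them when possible.
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
    SSLCertificateFile /etc/ssl/certs/wildcard_public_cert.crt
    SSLCertificateKeyFile /etc/ssl/private/wildcard_private.key
    # Client-auth CA list; mod_ssl also takes the intermediate from it when
    # building the served chain, but SSLCertificateChainFile is the proper directive.
    SSLCACertificateFile /etc/ssl/certs/wildcard_ca.pem
    # "always" so redirect and error responses carry HSTS too.
    Header always set Strict-Transport-Security "max-age=15768000; includeSubdomains"

    # Those aliases do not work properly with several hosts on your apache server
    # Uncomment them to use it or adapt them to your configuration
    # Alias /roundcube/program/js/tiny_mce/ /usr/share/tinymce/www/
    # Alias /roundcube /var/lib/roundcube

    # Access to tinymce files (only reachable if the Alias above is enabled).
    DocumentRoot /var/lib/roundcube
    # Indexes/MultiViews are the packaged defaults for this static tree;
    # -Indexes would be tidier but is not a security boundary here.
    <Directory "/usr/share/tinymce/www/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    <Directory /var/lib/roundcube/>
        Options +FollowSymLinks
        # This is needed to parse /var/lib/roundcube/.htaccess. See its
        # content before setting AllowOverride to None.
        AllowOverride All
        order allow,deny
        allow from all
    </Directory>

    # Protecting basic directories:
    # config/ gets no explicit Deny -- on Debian it is a symlink into /etc, so
    # -FollowSymLinks is what keeps it from being served (confirm on the host).
    # temp/ and logs/ are denied outright.
    <Directory /var/lib/roundcube/config>
        Options -FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory /var/lib/roundcube/temp>
        Options -FollowSymLinks
        AllowOverride None
        Order allow,deny
        Deny from all
    </Directory>

    <Directory /var/lib/roundcube/logs>
        Options -FollowSymLinks
        AllowOverride None
        Order allow,deny
        Deny from all
    </Directory>

    CustomLog /var/log/apache2/webmail_access.log combined
    ErrorLog /var/log/apache2/webmail_error.log
</VirtualHost>
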
66 |
--------------------------------------------------------------------------------
/roles/common/tasks/google_auth.yml:
--------------------------------------------------------------------------------
---
# Defines tasks applicable for Google Authenticator:
# builds the PAM module from source, wires it into sshd, and enrols the
# main user.  The three enrolment tasks at the end are skipped when the
# play runs as the "vagrant" user.

- name: Ensure required packages are installed
  apt: pkg={{ item }} state=present
  with_items:
    - libqrencode3
    - libpam0g-dev
  #- libpam-google-authenticator wasn't available in wheezy

# NOTE(review): no checksum is given for this download, so the tarball's
# integrity rests entirely on the TLS connection; get_url's sha256sum=
# parameter would pin it to a known build.  google_auth_version comes from
# vars/defaults.yml.
- name: Download Google authenticator pam module
  get_url: url=https://google-authenticator.googlecode.com/files/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2
           dest=/root/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2

# creates= makes both build steps idempotent: they are skipped once the
# extracted tree / the installed binary exists.
- name: Extract Google authenticator
  command: tar xjf libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2
           chdir=/root creates=/root/libpam-google-authenticator-{{ google_auth_version }}

- name: Install Google authenticator
  command: make install
           chdir=/root/libpam-google-authenticator-{{ google_auth_version }}
           creates=/usr/local/bin/google-authenticator

# sshd must allow challenge/response for PAM to prompt for the one-time
# code.  "restart ssh" is a handler defined outside this file.
- name: Update sshd config to enable challenge responses
  lineinfile: dest=/etc/ssh/sshd_config
              regexp=^ChallengeResponseAuthentication
              line="ChallengeResponseAuthentication yes"
              state=present
  notify: restart ssh

# Inserted at the very top of the sshd PAM stack (insertbefore=BOF), so the
# one-time-code check runs before the distribution's own auth modules.
- name: Add Google authenticator to PAM
  lineinfile: dest=/etc/pam.d/sshd
              line="auth required pam_google_authenticator.so"
              insertbefore=BOF
              state=present

# Runs as main_user_name and writes the TOTP secret into that user's home.
# Flags: -t time-based, -f no confirmation prompt, -d disallow token reuse,
# -r 3 -R 30 rate limit, -w 1 a single concurrently valid code.
- name: Generate a timed-based, no reuse, rate-limited (3 logins per 30 seconds) with one concurrently valid code for default user
  command: /usr/local/bin/google-authenticator -t -f -d --label="{{ main_user_name }}@{{ domain }}" --qr-mode=ANSI -r 3 -R 30 -w 1 --secret=/home/{{ main_user_name }}/.google_authenticator
           creates=/home/{{ main_user_name }}/.google_authenticator
  sudo: yes
  sudo_user: "{{ main_user_name }}"
  when: ansible_ssh_user != "vagrant"

# NOTE(review): the secret file is copied to /tmp on the control machine,
# a location normally shared with other local users; move it somewhere
# private once the authenticator app has been enrolled.
- name: Retrieve generated keys from server
  fetch: src=/home/{{ main_user_name }}/.google_authenticator
         dest=/tmp/sovereign-google-auth-files
  when: ansible_ssh_user != "vagrant"

- pause: seconds=5
         prompt="Your Google Authentication keys are in /tmp/sovereign-google-auth-files. Press any key to continue..."
  when: ansible_ssh_user != "vagrant"

52 |
--------------------------------------------------------------------------------
/roles/tarsnap/files/tarsnap.sh:
--------------------------------------------------------------------------------
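#!/bin/sh

# Tarsnap backup script
# Written by Tim Bishop, 2009.
#
# Creates one tarsnap archive per entry of DIRS, named
# YYYYMMDD-HHMMSS-{daily,weekly,monthly}-<dir>, then deletes the archives
# of each kind that fall outside the DAILY/WEEKLY/MONTHLY retention counts.
# PostgreSQL is stopped through monit for the duration of the archive run so
# that its data directory is captured in a consistent state.

# Directories to backup (relative to /)
DIRS="home root decrypted var/www var/lib/postgresql/9.1/main"

# Number of daily backups to keep
DAILY=7

# Number of weekly backups to keep
WEEKLY=3
# Which day to do weekly backups on
# 1-7, Monday = 1
WEEKLY_DAY=5

# Number of monthly backups to keep
MONTHLY=1
# Which day to do monthly backups on
# 01-31 (leading 0 is important)
MONTHLY_DAY=01

# Path to tarsnap
TARSNAP="/usr/local/bin/tarsnap"

# Extra flags to pass to tarsnap
EXTRA_FLAGS="-L -C /"

# end of config

set -e

# State consulted by the exit trap: the archive-list temp file (empty until
# created) and whether postgres is currently stopped by this script.
TMPFILE=""
PG_STOPPED=0

# Runs on every exit, including an abort triggered by set -e.  Without it a
# failing tarsnap invocation would leave postgres stopped and the temp file
# behind.
cleanup() {
	if [ "$PG_STOPPED" = 1 ]; then
		monit start postgres || true
	fi
	if [ -n "$TMPFILE" ]; then
		rm -f "$TMPFILE"
	fi
}
trap cleanup EXIT

# day of week: 1-7, monday = 1
DOW=$(date +%u)
# day of month: 01-31
DOM=$(date +%d)
# month of year: 01-12
MOY=$(date +%m)
# year
YEAR=$(date +%Y)
# time
TIME=$(date +%H%M%S)

# Backup name.  The fixed-width date/time prefix is what the cleanup below
# matches and sorts on, so its format must stay in step with old_archives().
if [ X"$DOM" = X"$MONTHLY_DAY" ]; then
	# monthly backup
	BACKUP="$YEAR$MOY$DOM-$TIME-monthly"
elif [ X"$DOW" = X"$WEEKLY_DAY" ]; then
	# weekly backup
	BACKUP="$YEAR$MOY$DOM-$TIME-weekly"
else
	# daily backup
	BACKUP="$YEAR$MOY$DOM-$TIME-daily"
fi

# Stop postgres
monit stop postgres
PG_STOPPED=1

# Do backups
for dir in $DIRS; do
	echo "==> create $BACKUP-$dir"
	$TARSNAP $EXTRA_FLAGS -c -f "$BACKUP-$dir" "$dir"
done

# Start postgres as soon as the archives exist; the trap only re-starts it
# if we never reach this line.
monit start postgres
PG_STOPPED=0

# Backups done, time for cleaning up old archives

# using tail to find archives to delete, but its
# +n syntax is out by one from what we want to do
# (also +0 == +1, so we're safe :-)
DAILY=$(expr $DAILY + 1)
WEEKLY=$(expr $WEEKLY + 1)
MONTHLY=$(expr $MONTHLY + 1)

# Do deletes.  mktemp yields an unpredictable name; the previous fixed
# /tmp/tarsnap.archives.$$ could have been pre-created by another local user.
TMPFILE=$(mktemp /tmp/tarsnap.archives.XXXXXX)
$TARSNAP --list-archives > "$TMPFILE"

# old_archives KIND DIR KEEP
# Prints the archives of one kind (daily/weekly/monthly) for one dir that
# fall outside the retention count, oldest last.  The pattern is anchored at
# both ends so "home" cannot match an archive for a dir that merely starts
# with "home".  DIR is used unescaped in the regex; the only metacharacter in
# the configured dirs is '.', which still matches itself.  Plain reverse sort
# orders the fixed-width YYYYMMDD-HHMMSS prefix newest first.
old_archives() {
	grep -E "^[[:digit:]]{8}-[[:digit:]]{6}-$1-$2\$" "$TMPFILE" | sort -r | tail -n +$3
}

for dir in $DIRS; do
	for i in $(old_archives daily "$dir" $DAILY); do
		echo "==> delete $i"
		$TARSNAP -d -f "$i"
	done
	for i in $(old_archives weekly "$dir" $WEEKLY); do
		echo "==> delete $i"
		$TARSNAP -d -f "$i"
	done
	for i in $(old_archives monthly "$dir" $MONTHLY); do
		echo "==> delete $i"
		$TARSNAP -d -f "$i"
	done
done
rm -f "$TMPFILE"
TMPFILE=""
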
--------------------------------------------------------------------------------
/vars/testing.yml:
--------------------------------------------------------------------------------
---
###############################################################################
# Variables used when testing with Vagrant
# For a complete reference look at the `vars/defaults.yml` file.
#
# Every credential below is a throwaway test value; the inline "#foo"
# remarks next to the hashes presumably record the plaintext they encode
# (confirm before relying on it).
###############################################################################

# common
domain: sovereign.local
main_user_name: sovereign
encfs_password: testPassword
# Also appended to postfix mynetworks by
# roles/mailserver/templates/etc_postfix_main.cf.j2, so hosts in these
# ranges are treated as trusted by the mail server.
friendly_networks:
  - "172.16.100.0/24"

db_admin_username: postgres
db_admin_password: postgres

# ircbouncer
irc_nick: sovereign
irc_ident: sovereign
irc_realname: Mr. Sovereign
irc_quitmsg: Bye
irc_password_hash: "sha256#4bfc209c5e19874337fd89c80675ad194836efea5efd4189b7f73cd9e0a6094f#,i*Msa0B;w9yR23nm1ZB#" #foo

# mailserver
mail_db_password: testPassword
mail_virtual_domains:
  - name: "{{ domain }}"
    pk_id: 1
mail_virtual_users:
  - account: "{{ main_user_name }}"
    domain: "{{ domain }}"
    password_hash: "$6$IYJfaF3jvmbAzlSe$1HBkbIdrOTWA31WYon7VSE2xAcFzYSZuVb8d3I0NDWzPxXBaqkHqKs4rLeNO9CVQEKv7wA15QctCyXbdRqFDy." #foo
    domain_pk_id: 1
mail_virtual_aliases:
  - source: "root@{{ domain }}"
    destination: "{{ admin_email }}"
    domain_pk_id: 1
  - source: "postmaster@{{ domain }}"
    destination: "{{ admin_email }}"
    domain_pk_id: 1
  - source: "webmaster@{{ domain }}"
    destination: "{{ admin_email }}"
    domain_pk_id: 1
# 1 enables the smtp_header_checks map in the postfix template, which strips
# the local client IP from outgoing headers.
mail_header_privacy: 1

# z-push
zpush_timezone: "America/New_York" #Example: "America/New_York"

# owncloud
owncloud_db_password: testPassword

# vpn
# Subject fields for the OpenVPN CA/server/client certificates.
openvpn_key_country: "US"
openvpn_key_province: "California"
openvpn_key_city: "Beverly Hills"
openvpn_key_org: "ACME CORPORATION"
openvpn_key_ou: "Anvil Department"
openvpn_clients:
  - laptop
  - phone
  - tablet

# webmail
webmail_db_password: testPassword

# xmpp
prosody_accounts:
  - name: "{{ main_user_name }}"
    password: foo

# selfoss
selfoss_db_password: testPassword
selfoss_username: "{{ main_user_name }}"
# this is the sha512 hash of the desired password
selfoss_password_hash: "f7fbba6e0636f890e56fbbf3283e524c6fa3204ae298382d624741d0dc6638326e282c41be5e4254d8820772c5518a2c5a8c0c7f7eda19594a7eb539453e1ed7"
# foo

# wallabag
wallabag_salt: testing
wallabag_db_password: testPassword

--------------------------------------------------------------------------------
/roles/newebe/tasks/main.yml:
--------------------------------------------------------------------------------
# Installs Newebe from its git repository, runs it under Supervisor as the
# "newebe" user, and publishes it through an Apache reverse proxy.

- name: Install Python
  apt: pkg=python,python-setuptools,python-pip,python-dev

- name: Install Python tools
  apt: pkg=python-imaging,python-pycurl

- name: Install build tools
  apt: pkg=build-essential,git

- name: Install Python libs
  apt: pkg=libxml2-dev,libxslt-dev,python-imaging

- name: Install Supervisor
  apt: pkg=supervisor

- name: Install CouchDB
  apt: pkg=couchdb

# NOTE(review): no branch, tag or commit is pinned, so each run installs
# whatever the repository's default branch currently points at.
- name: Install Newebe
  pip: name='git+https://github.com/gelnior/newebe.git#egg=newebe'

- name: Add group Newebe
  group: name=newebe

- name: Add user Newebe
  user: name=newebe shell=/bin/bash groups=newebe

# Config, data and log directories, all owned by the service account.
- name: Create Newebe Config folder
  file: path=/usr/local/etc/newebe/
        owner=newebe
        group=newebe
        state=directory

- name: Create Newebe folder
  file: path=/usr/local/var/newebe/
        owner=newebe
        group=newebe
        state=directory

- name: Create Newebe log folder
  file: path=/usr/local/var/log/newebe/
        owner=newebe
        group=newebe
        state=directory

- name: Set Newebe config file
  template: src=usr_local_etc_newebe_config.j2
            dest=/usr/local/etc/newebe/config.yaml
            owner=newebe
            group=newebe

- name: Set Supervisor config file
  copy: src=newebe.conf dest=/etc/supervisor/conf.d/newebe.conf

- name: Set Newebe Supervisor config file
  copy: src=supervisor.conf dest=/etc/supervisor/supervisor.conf

# Not idempotent: "supervisorctl update" runs on every play.
- name: Reload Supervisor and start Newebe
  command: /usr/bin/supervisorctl update

- name: Ensure that newebe is started
  supervisorctl: name=newebe state=started

# raw: runs a2enmod on every play and never reports "changed" meaningfully;
# the apache2_module module (commented out below) is the intended
# replacement once available.
- name: Add mod_proxy module to Apache
  raw: a2enmod proxy
  # When Ansible 1.6 will be available
  # apache2_module: state=present name=proxy

- name: Add proxy_http module to Apache
  raw: a2enmod proxy_http
  # When Ansible 1.6 will be available
  # apache2_module: state=present name=proxy_http
#
# NOTE(review): the vhost file is written owned by www-data, the account the
# web server itself runs as; a root-owned, world-readable file would keep a
# compromised worker from rewriting its own site configuration.
- name: Configure the Apache HTTP server for Newebe
  template: src=etc_apache2_sites-available_newebe.j2
            dest=/etc/apache2/sites-available/newebe
            group=www-data
            owner=www-data
  notify: restart apache

- name: Enable the site
  command: a2ensite newebe
           creates=/etc/apache2/sites-enabled/newebe
  notify: restart apache

85 |
--------------------------------------------------------------------------------
/roles/webmail/templates/etc_dbconfig-common_roundcube.conf.j2:
--------------------------------------------------------------------------------
# Jinja2 template for roundcube's dbconfig-common answers file.  The
# webmail_* and db_admin_username values are defined in vars/defaults.yml
# (password in vars/user.yml); the banner below is inherited from the
# file dbconfig-common itself writes.

# automatically generated by the maintainer scripts of roundcube
# any changes you make will be preserved, though your comments
# will be lost! to change your settings you should edit this
# file and then run "dpkg-reconfigure roundcube"

# dbc_install: configure database with dbconfig-common?
# set to anything but "true" to opt out of assistance
dbc_install='true'

# dbc_upgrade: upgrade database with dbconfig-common?
# set to anything but "true" to opt out of assistance
dbc_upgrade='true'

# dbc_remove: deconfigure database with dbconfig-common?
# set to anything but "true" to opt out of assistance
dbc_remove=''

# dbc_dbtype: type of underlying database to use
# this exists primarily to let dbconfig-common know what database
# type to use when a package supports multiple database types.
# don't change this value unless you know for certain that this
# package supports multiple database types
dbc_dbtype='pgsql'

# dbc_dbuser: database user
# the name of the user who we will use to connect to the database.
dbc_dbuser='{{ webmail_db_username }}'

# dbc_dbpass: database user password
# the password to use with the above username when connecting
# to a database, if one is required
# NOTE(review): the rendered file holds this password in clear text, so the
# mode/owner the deploying task gives it (not visible here) matters.
dbc_dbpass='{{ webmail_db_password }}'

# dbc_dbserver: database host.
# leave unset to use localhost (or a more efficient local method
# if it exists).
dbc_dbserver=''

# dbc_dbport: remote database port
# leave unset to use the default. only applicable if you are
# using a remote database.
dbc_dbport=''

# dbc_dbname: name of database
# this is the name of your application's database.
dbc_dbname='{{ webmail_db_database }}'

# dbc_dbadmin: name of the administrative user
# this is the administrative user that is used to create all of the above
dbc_dbadmin='{{ db_admin_username }}'

# dbc_basepath: base directory to hold database files
# leave unset to use the default. only applicable if you are
# using a local (filesystem based) database.
dbc_basepath=''

##
## postgresql specific settings. if you don't use postgresql,
## you can safely ignore all of these
##

# dbc_ssl: should we require ssl?
# set to "true" to require that connections use ssl
# (left unset: the connection is local, see dbc_dbserver above)
dbc_ssl=''

# dbc_authmethod_admin: authentication method for admin
# dbc_authmethod_user: authentication method for dbuser
# see the section titled "AUTHENTICATION METHODS" in
# /usr/share/doc/dbconfig-common/README.pgsql for more info
dbc_authmethod_admin=''
dbc_authmethod_user=''

##
## end postgresql specific settings
##


--------------------------------------------------------------------------------
/roles/mailserver/files/etc_dovecot_conf.d_20-imap.conf:
--------------------------------------------------------------------------------
1 | ##
2 | ## IMAP specific settings
3 | ##
4 |
5 | protocol imap {
6 | # Maximum IMAP command line length. Some clients generate very long command
7 | # lines with huge mailboxes, so you may need to raise this if you get
8 | # "Too long argument" or "IMAP command line too large" errors often.
9 | #imap_max_line_length = 64k
10 |
11 | # Maximum number of IMAP connections allowed for a user from each IP address.
12 | # NOTE: The username is compared case-sensitively.
13 | #mail_max_userip_connections = 10
14 |
15 | # Space separated list of plugins to load (default is global mail_plugins).
16 | mail_plugins = $mail_plugins antispam fts fts_solr autocreate
17 |
18 | # IMAP logout format string:
19 | # %i - total number of bytes read from client
20 | # %o - total number of bytes sent to client
21 | #imap_logout_format = bytes=%i/%o
22 |
23 | # Override the IMAP CAPABILITY response. If the value begins with '+',
24 | # add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
25 | #imap_capability =
26 |
27 | # How long to wait between "OK Still here" notifications when client is
28 | # IDLEing.
29 | #imap_idle_notify_interval = 2 mins
30 |
31 | # ID field names and values to send to clients. Using * as the value makes
32 | # Dovecot use the default value. The following fields have default values
33 | # currently: name, version, os, os-version, support-url, support-email.
34 | #imap_id_send =
35 |
36 | # ID fields sent by client to log. * means everything.
37 | #imap_id_log =
38 |
39 | # Workarounds for various client bugs:
40 | # delay-newmail:
41 | # Send EXISTS/RECENT new mail notifications only when replying to NOOP
42 | # and CHECK commands. Some clients ignore them otherwise, for example OSX
43 | # Mail (
56 | id
57 | body
58 |
59 |
60 |
--------------------------------------------------------------------------------
/roles/webmail/files/usr_share_roundcube_plugins_managesieve_config.inc.php:
--------------------------------------------------------------------------------
1 | /sieve
54 | $rcmail_config['managesieve_debug'] = false;
55 |
56 | // Enables features described in http://wiki.kolab.org/KEP:14
57 | $rcmail_config['managesieve_kolab_master'] = false;
58 |
59 | // Script name extension used for scripts including. Dovecot uses '.sieve',
60 | // Cyrus uses '.siv'. Doesn't matter if you have managesieve_kolab_master disabled.
61 | $rcmail_config['managesieve_filename_extension'] = '.sieve';
62 |
63 | // List of reserved script names (without extension).
64 | // Scripts listed here will be not presented to the user.
65 | $rcmail_config['managesieve_filename_exceptions'] = array();
66 |
67 | ?>
--------------------------------------------------------------------------------
/roles/git/templates/etc_cgitrc.j2:
--------------------------------------------------------------------------------
# cgit configuration template for the git role.  Repositories are read from
# scan-path (filtered by project-list) and cloning is offered over SSH only.

# Enable caching of up to 1000 output entries
cache-size=1000


# Specify some default clone urls using macro expansion
# (SSH via the "git" account; HTTP cloning is switched off below)
clone-url=git@{{ domain }}:$CGIT_REPO_URL


# Specify the css url
# css=/css/cgit.css


# Show owner on index page
enable-index-owner=1


# Allow http transport git clone
enable-http-clone=0


# Show extra links for each repository on the index page
enable-index-links=1


# Enable ASCII art commit history graph on the log pages
enable-commit-graph=1


# Show number of affected files per commit on the log pages
enable-log-filecount=1


# Show number of added/removed lines per commit on the log pages
enable-log-linecount=1


# Sort branches by date
branch-sort=age


# Add a cgit favicon
# favicon=/favicon.ico


# Use a custom logo
# logo=/img/mylogo.png


# Enable statistics per week, month and quarter
max-stats=quarter


# Set the title and heading of the repository index page
root-title={{ domain }} git repository


# Set a subheading for the repository index page
# root-desc=tracking the foobar development


# Include some more info about example.com on the index page
# root-readme=/var/www/htdocs/about.html


# Allow download of tar.gz, tar.bz2 and zip-files
snapshots=tar.gz tar.bz2 zip


##
## List of common mimetypes
##

mimetype.gif=image/gif
mimetype.html=text/html
mimetype.jpg=image/jpeg
mimetype.jpeg=image/jpeg
mimetype.pdf=application/pdf
mimetype.png=image/png
mimetype.svg=image/svg+xml


# Highlight source code with python pygments-based highlighter
# (external filter executed by cgit for every source view)
source-filter=/usr/local/lib/cgit/filters/syntax-highlighting.py

# Format markdown, restructuredtext, manpages, text files, and html files
# through the right converters
about-filter=/usr/local/lib/cgit/filters/about-formatting.sh

##
## Search for these files in the root of the default branch of repositories
## for coming up with the about page:
##
readme=:README.md
readme=:readme.md
readme=:README.mkd
readme=:readme.mkd
readme=:README.rst
readme=:readme.rst
readme=:README.html
readme=:readme.html
readme=:README.htm
readme=:readme.htm
readme=:README.txt
readme=:readme.txt
readme=:README
readme=:readme
readme=:INSTALL.md
readme=:install.md
readme=:INSTALL.mkd
readme=:install.mkd
readme=:INSTALL.rst
readme=:install.rst
readme=:INSTALL.html
readme=:install.html
readme=:INSTALL.htm
readme=:install.htm
readme=:INSTALL.txt
readme=:install.txt
readme=:INSTALL
readme=:install


# Allow cgit to use git config to set any repo specific settings
# (anyone who can write a repository's .git/config can thus influence
# how cgit presents that repository)
enable-git-config=1


# Removes .git suffix for the url and name
remove-suffix=1


# A list of subdirectories inside of scan-path
# that should be loaded as git repositories
project-list=/home/git/projects.list


# A path which will be scanned for repositories
scan-path=/home/git/repositories
--------------------------------------------------------------------------------
/vars/defaults.yml:
--------------------------------------------------------------------------------
---
###############################################################################
# DO NOT EDIT. Set your variables in `vars/user.yml` instead.
# This is a reference of all the variables.
#
# Commented "(required)" entries have no default and must be supplied by
# the user; everything else may be overridden.
###############################################################################

# # common
# domain: (required)
# main_user_name: (required)
admin_email: "{{ main_user_name }}@{{ domain }}"
main_user_shell: "/bin/bash"
# encfs_password: (required)
# Networks trusted by the mail server (joined into postfix mynetworks); the
# default is a single empty entry, i.e. no extra network.
friendly_networks:
  - ""

# ntp
ntp_servers:
  # use nearby ntp servers by default
  - 0.pool.ntp.org
  - 1.pool.ntp.org
  - 2.pool.ntp.org
  - 3.pool.ntp.org
  # use servers tailored to the server location
  # See http://www.pool.ntp.org/en/use.html
  # - 0.north-america.pool.ntp.org
  # - 1.north-america.pool.ntp.org
  # - 2.north-america.pool.ntp.org
  # - 3.north-america.pool.ntp.org

# google authenticator
# Interpolated into the source tarball URL in roles/common/tasks/google_auth.yml.
google_auth_version: 1.0

# database
db_admin_username: 'postgres'
# db_admin_password: (required)

# ircbouncer
znc_version: 1.2
# irc_nick: (required)
# irc_ident: (required)
# irc_realname: (required)
# irc_quitmsg: (required)
# irc_password_hash: (required)

# mailserver
mail_server_hostname: "mail.{{ domain }}"
mail_db_username: mailuser
# mail_db_password: (required)
mail_db_database: mailserver
# mail_virtual_domains: (required)
# mail_virtual_users: (required)
# mail_virtual_aliases: (required)

# z-push
zpush_version: 2.1.1-1788

# owncloud
owncloud_domain: "cloud.{{ domain }}"
owncloud_db_username: owncloud
# owncloud_db_password: (required)
owncloud_db_database: owncloud

# tarsnap
tarsnap_version: 1.0.35

# vpn
# openvpn_key_country: (required)
# openvpn_key_province: (required)
# openvpn_key_city: (required)
# openvpn_key_org: (required)
# openvpn_key_ou: (required)
openvpn_days_valid: "1825"
openssl_request_subject: "/C={{ openvpn_key_country }}/ST={{ openvpn_key_province }}/L={{ openvpn_key_city }}/O={{ openvpn_key_org }}/OU={{ openvpn_key_ou }}"
openvpn_key_size: "2048"
# NOTE(review): Blowfish-CBC (64-bit block) and a SHA1 HMAC are the default
# tunnel cipher and digest here; both are overridable from vars/user.yml.
openvpn_cipher: "BF-CBC"
openvpn_auth_digest: "SHA1"
openvpn_path: "/etc/openvpn"
openvpn_ca: "{{ openvpn_path }}/ca"
openvpn_dhparam: "{{ openvpn_path }}/dh{{ openvpn_key_size }}.pem"
# Shared tls-auth key used to drop unauthenticated packets before the handshake.
openvpn_hmac_firewall: "{{ openvpn_path }}/ta.key"
openvpn_server: "{{ domain }}"
openvpn_port: "1194"
openvpn_protocol: "udp"
# openvpn_clients: (required)

# webmail
webmail_domain: "mail.{{ domain }}"
webmail_db_username: "roundcube"
# webmail_db_password: (required)
webmail_db_database: "roundcube"
carddav_version: "0.9.2"

# xmpp
prosody_admin: "{{ admin_email }}"
prosody_virtual_domain: "{{ domain }}"
# prosody_accounts: (required)

# news
selfoss_domain: "news.{{ domain }}"
selfoss_db_username: selfoss
# selfoss_db_password: (required)
selfoss_db_database: selfoss

# git
cgit_version: 0.10.1
cgit_domain: "git.{{ domain }}"
gitolite_version: 3.5.3.1

# newebe
newebe_domain: "newebe.{{ domain }}"

# wallabag
wallabag_version: 1.6.1b
wallabag_domain: "read.{{ domain }}"
# wallabag_salt: (required)
wallabag_db_username: wallabag
# wallabag_db_password: (required)
wallabag_db_database: wallabag

--------------------------------------------------------------------------------
/roles/mailserver/files/etc_dovecot_conf.d_10-master.conf:
--------------------------------------------------------------------------------
# Dovecot service/listener layout for the mailserver role.  Plaintext IMAP
# and POP3 listeners are disabled (port = 0); only the TLS ports remain, and
# Postfix talks to Dovecot over two UNIX sockets in its private/ directory.

#default_process_limit = 100
#default_client_limit = 1000

# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M

# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull

# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
default_internal_user = vmail

service imap-login {
  # port = 0 turns the plaintext listener off entirely.
  inet_listener imap {
    port = 0
  }

  inet_listener imaps {
    #port = 993
    #ssl = yes
  }

  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster.
  #service_count = 1

  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0

  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = $default_vsz_limit
}

service pop3-login {
  inet_listener pop3 {
    port = 0
  }

  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
}

service lmtp {
  # Delivery socket for Postfix (virtual_transport in the postfix template).
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0666
    group = postfix
    user = postfix
  }

  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port =
  #}

  user = vmail
}

service imap {
  # Most of the memory goes to mmap()ing files. You may need to increase this
  # limit if you have huge mailboxes.
  #vsz_limit = $default_vsz_limit

  # Max. number of IMAP processes (connections)
  #process_limit = 1024
}

service pop3 {
  # Max. number of POP3 processes (connections)
  #process_limit = 1024
}

service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
  # permissions make it readable only by root, but you may need to relax these
  # permissions. Users that have access to this socket are able to get a list
  # of all usernames and get results of everyone's userdb lookups.
  #
  # SMTP AUTH socket for Postfix (smtpd_sasl_path = private/auth).  The 0666
  # mode is presumably acceptable only because postfix's private/ directory
  # itself restricts who can reach the socket — confirm on the host.
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }

  # Userdb socket restricted to the vmail account (the warning above applies).
  unix_listener auth-userdb {
    mode = 0660
    user = vmail
    group = vmail
  }

  # Postfix smtp-auth
  #unix_listener /var/spool/postfix/private/auth {
  #  mode = 0666
  #}

  # Auth process is run as this user.
  user = vmail
}

service auth-worker {
  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # $default_internal_user.
  #user = vmail

  unix_listener auth-worker {
    user = vmail # same as above, mode and group are supported too
  }
}

service dict {
  # If dict proxy is used, mail processes should have access to its socket.
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    #mode = 0600
    #user =
    #group =
  }
}

--------------------------------------------------------------------------------
/roles/mailserver/templates/etc_postfix_main.cf.j2:
--------------------------------------------------------------------------------
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Modified as per http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/
#
# Jinja2 template: mail_server_hostname, friendly_networks and
# mail_header_privacy are substituted by the mailserver role.

smtpd_banner = $myhostname ESMTP $mail_name
biff = no

# Accept messages up to 50MB
message_size_limit = 51200000

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# antispam
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
smtpd_sender_restrictions = reject_unknown_address
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
# Every rejection below is permanent (554) rather than a temporary 4xx.
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/wildcard_combined.pem
smtpd_tls_key_file=/etc/ssl/private/wildcard_private.key
smtpd_use_tls=yes
# AUTH is only offered once STARTTLS is active, so credentials never travel
# in clear.
smtpd_tls_auth_only = yes
# Outbound delivery uses TLS opportunistically ("may"): it falls back to
# plaintext when the remote side does not offer STARTTLS.
smtp_tls_security_level = may
smtp_tls_loglevel = 2
smtpd_tls_received_header = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# SASL is delegated to Dovecot over the private/auth socket declared in its
# 10-master.conf.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous

# Order matters: permit_mynetworks precedes reject_unauth_destination, so
# hosts in mynetworks (loopback plus friendly_networks) may relay without
# authenticating.  (Continuation lines must be indented in main.cf; the
# indentation appears to have been lost in this rendering.)
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_policy_service inet:127.0.0.1:10023,
    permit

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = {{ mail_server_hostname }}
myorigin = $mydomain
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localhost
relayhost =
# friendly_networks is joined in verbatim; see vars/defaults.yml for the
# (empty) default.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ ' '.join(friendly_networks) }}
#mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

# dovecot db
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
virtual_mailbox_domains = pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
virtual_mailbox_maps = pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
virtual_alias_maps = pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
local_recipient_maps = $virtual_mailbox_maps

# OpenDKIM
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
# With "accept", mail still flows (unsigned/unverified) if the milter is down.
milter_default_action = accept

# new settings for dspam: only scan one mail at a time, localhost doesn't get scanned, everything else does
dspam_destination_recipient_limit = 1
smtpd_client_restrictions =
    permit_sasl_authenticated
    check_client_access pcre:/etc/postfix/dspam_filter_access

# Postscreen
postscreen_access_list = permit_mynetworks
# Weighted DNSBL lookups; a client is rejected once its weights sum to the
# threshold below.
postscreen_dnsbl_sites =
    sbl-xbl.spamhaus.org*2
    cbl.abuseat.org*2
    bl.spamcop.net*2
    dnsbl.sorbs.net*1
    spam.spamrats.com*2
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce

{% if mail_header_privacy == 1 %}
# Remove local client IP from headers
smtp_header_checks = pcre:/etc/postfix/maps/smtp_header_checks.pcre
{% endif %}

--------------------------------------------------------------------------------
/roles/ircbouncer/files/etc_init.d_znc:
--------------------------------------------------------------------------------
1 | #! /bin/sh
2 | ### BEGIN INIT INFO
3 | # Provides: znc
4 | # Required-Start: $remote_fs $syslog
5 | # Required-Stop: $remote_fs $syslog
6 | # Default-Start: 2 3 4 5
7 | # Default-Stop: 0 1 6
8 | # Short-Description: ZNC IRC bouncer
9 | # Description: ZNC is an IRC bouncer
10 | ### END INIT INFO
11 |
PATH=/sbin:/usr/sbin:/bin:/usr/bin
NAME=znc
USER=znc
GROUP=znc
DESC="ZNC daemon"
DAEMON=/usr/local/bin/${NAME}
DATADIR=/var/lib/znc
DAEMON_ARGS="--datadir=${DATADIR}"
PIDDIR=/var/run/znc
PIDFILE=${PIDDIR}/${NAME}.pid
SCRIPTNAME=/etc/init.d/${NAME}

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# /etc/default/znc, when readable, is sourced by this (root-run) script
# after the defaults above, so it can override any of them (DAEMON,
# DAEMON_ARGS, USER, ...). Keep that file root-owned and not writable
# by the daemon user.
if [ -r "/etc/default/${NAME}" ]; then
	. "/etc/default/${NAME}"
fi

# VERBOSE and the other rcS variables.
. /lib/init/vars.sh

# LSB log_* helpers and status_of_proc; lsb-base (>= 3.2-14) provides them.
. /lib/lsb/init-functions
37 |
38 | #
39 | # Function that starts the daemon/service
40 | #
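#
# Function that starts the daemon/service
#
do_start()
{
	# Return
	#   0 if daemon has been started
	#   1 if daemon was already running
	#   2 if daemon could not be started
	#
	# The pid directory is handed to the unprivileged daemon user so that
	# znc, started via --chuid, can write its own pidfile there.
	# "mkdir -p" replaces the separate existence test and is a no-op when
	# the directory already exists; a failure of either step is reported
	# as "could not be started" instead of being ignored.
	mkdir -p "$PIDDIR" || return 2
	chown "$USER:$GROUP" "$PIDDIR" || return 2
	# --test only reports whether a start would succeed; a live process
	# behind $PIDFILE means the daemon is already running.
	start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" --test --chuid "$USER" > /dev/null || return 1
	# $DAEMON_ARGS stays unquoted on purpose so it word-splits into arguments.
	start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" --chuid "$USER" -- $DAEMON_ARGS > /dev/null || return 2
}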
55 |
56 | #
57 | # Function that stops the daemon/service
58 | #
#
# Function that stops the daemon/service
#
do_stop()
{
	# Return
	#   0 if daemon has been stopped
	#   1 if daemon was already stopped
	#   2 if daemon could not be stopped
	#   other if a failure occurred
	#
	# First pass: TERM the process recorded in the pidfile, escalating to
	# KILL after 30 seconds. --name is given together with --pidfile, so a
	# pid that does not belong to a "$NAME" process is not signalled even
	# though the pidfile lives in a directory owned by the daemon user.
	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME --chuid $USER
	stop_rc=$?
	if [ "$stop_rc" = 2 ]; then
		return 2
	fi
	# Second pass: wait for anything still running as $DAEMON (children of
	# a forking daemon) to go away, KILLing after 30 seconds. --oknodo makes
	# "nothing left to stop" a success. If the daemon is ever started from
	# somewhere other than this script, this would also stop those copies.
	start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON --chuid $USER
	case $? in
		2) return 2 ;;
	esac
	# Many daemons don't delete their pidfiles when they exit.
	rm -f $PIDFILE
	return "$stop_rc"
}
81 |
82 | #
83 | # Function that sends a SIGHUP to the daemon/service
84 | #
do_reload() {
	# Send signal 1 (SIGHUP) to the pidfile's process; --name restricts
	# the match to a "$NAME" process. Whether znc treats SIGHUP as a
	# configuration reload is not checked here.
	start-stop-daemon --stop --signal 1 --quiet \
		--pidfile $PIDFILE --name $NAME --chuid $USER
	# The signal delivery status is deliberately ignored: always report success.
	return 0
}
89 |
90 | case "$1" in
91 | start)
92 | [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
93 | do_start
94 | case "$?" in
95 | 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
96 | 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
97 | esac
98 | ;;
99 | stop)
100 | [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
101 | do_stop
102 | case "$?" in
103 | 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
104 | 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
105 | esac
106 | ;;
107 | status)
108 | status_of_proc -p $PIDFILE "$DAEMON" "$NAME" && exit 0 || exit $?
109 | ;;
110 | reload)
111 | log_daemon_msg "Reloading $DESC" "$NAME"
112 | do_reload
113 | log_end_msg $?
114 | ;;
115 | restart)
116 | log_daemon_msg "Restarting $DESC" "$NAME"
117 | do_stop
118 | case "$?" in
119 | 0|1)
120 | do_start
121 | case "$?" in
122 | 0) log_end_msg 0 ;;
123 | 1) log_end_msg 1 ;; # Old process is still running
124 | *) log_end_msg 1 ;; # Failed to start
125 | esac
126 | ;;
127 | *)
128 | # Failed to stop
129 | log_end_msg 1
130 | ;;
131 | esac
132 | ;;
133 | *)
134 | echo "Usage: $SCRIPTNAME {status|start|stop|reload|restart}" >&2
135 | exit 3
136 | ;;
137 | esac
138 |
139 | :
--------------------------------------------------------------------------------
/roles/mailserver/files/etc_dovecot_dovecot.conf:
--------------------------------------------------------------------------------
1 | ## Dovecot configuration file
2 |
3 | # If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
4 |
5 | # "doveconf -n" command gives a clean output of the changed settings. Use it
6 | # instead of copy&pasting files when posting to the Dovecot mailing list.
7 |
8 | # '#' character and everything after it is treated as comments. Extra spaces
9 | # and tabs are ignored. If you want to use either of these explicitly, put the
10 | # value inside quotes, eg.: key = "# char and trailing whitespace "
11 |
12 | # Default values are shown for each setting, it's not required to uncomment
13 | # those. These are exceptions to this though: No sections (e.g. namespace {})
14 | # or plugin settings are added by default, they're listed only as examples.
15 | # Paths are also just examples with the real defaults being based on configure
16 | # options. The paths listed here are for configure --prefix=/usr
17 | # --sysconfdir=/etc --localstatedir=/var
18 |
19 | # Enable installed protocols
20 | !include_try /usr/share/dovecot/protocols.d/*.protocol
21 |
22 | # A comma separated list of IPs or hosts where to listen in for connections.
23 | # "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
24 | # If you want to specify non-default ports or anything more complex,
25 | # edit conf.d/master.conf.
26 | #listen = *, ::
27 |
28 | # Base directory where to store runtime data.
29 | #base_dir = /var/run/dovecot/
30 |
31 | # Name of this instance. In multi-instance setup doveadm and other commands
32 | # can use -i with the instance name to select which instance is used (an
33 | # alternative to -c with the config path). The instance name is also added
34 | # to Dovecot processes in ps output.
35 | #instance_name = dovecot
36 |
37 | # Greeting message for clients.
38 | #login_greeting = Dovecot ready.
39 |
40 | # Space separated list of trusted network ranges. Connections from these
41 | # IPs are allowed to override their IP addresses and ports (for logging and
42 | # for authentication checks). disable_plaintext_auth is also ignored for
43 | # these networks. Typically you'd specify your IMAP proxy servers here.
44 | #login_trusted_networks =
45 |
46 | # Space separated list of login access check sockets (e.g. tcpwrap)
47 | #login_access_sockets =
48 |
49 | # With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
50 | # proxying. This isn't necessary normally, but may be useful if the destination
51 | # IP is e.g. a load balancer's IP.
52 | #auth_proxy_self =
53 |
54 | # Show more verbose process titles (in ps). Currently shows user name and
55 | # IP address. Useful for seeing who are actually using the IMAP processes
56 | # (eg. shared mailboxes or if same uid is used for multiple accounts).
57 | #verbose_proctitle = no
58 |
59 | # Should all processes be killed when Dovecot master process shuts down.
60 | # Setting this to "no" means that Dovecot can be upgraded without
61 | # forcing existing client connections to close (although that could also be
62 | # a problem if the upgrade is e.g. because of a security fix).
63 | #shutdown_clients = yes
64 |
65 | # If non-zero, run mail commands via this many connections to doveadm server,
66 | # instead of running them directly in the same process.
67 | #doveadm_worker_count = 0
68 | # UNIX socket or host:port used for connecting to doveadm server
69 | #doveadm_socket_path = doveadm-server
70 |
71 | # Space separated list of environment variables that are preserved on Dovecot
72 | # startup and passed down to all of its child processes. You can also give
73 | # key=value pairs to always set specific settings.
74 | #import_environment = TZ
75 |
76 | ##
77 | ## Dictionary server settings
78 | ##
79 |
80 | # Dictionary can be used to store key=value lists. This is used by several
81 | # plugins. The dictionary can be accessed either directly or though a
82 | # dictionary server. The following dict block maps dictionary names to URIs
83 | # when the server is used. These can then be referenced using URIs in format
84 | # "proxy::".
85 |
86 | dict {
87 | #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
88 | #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
89 | }
90 |
91 | # Most of the actual configuration gets included below. The filenames are
92 | # first sorted by their ASCII value and parsed in that order. The 00-prefixes
93 | # in filenames are intended to make it easier to understand the ordering.
94 | !include conf.d/*.conf
95 |
96 | # A config file can also be included without giving an error if it's not
97 | # found:
98 | !include_try /usr/share/dovecot/protocols.d/*.protocol
99 | protocols = imap lmtp sieve pop3
100 |
--------------------------------------------------------------------------------
/roles/mailserver/files/etc_dovecot_conf.d_10-auth.conf:
--------------------------------------------------------------------------------
1 | ##
2 | ## Authentication processes
3 | ##
4 |
5 | # Disable LOGIN command and all other plaintext authentications unless
6 | # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
7 | # matches the local IP (ie. you're connecting from the same computer), the
8 | # connection is considered secure and plaintext authentication is allowed.
9 | disable_plaintext_auth = yes
10 |
11 | # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
12 | # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
13 | #auth_cache_size = 0
14 | # Time to live for cached data. After TTL expires the cached record is no
15 | # longer used, *except* if the main database lookup returns internal failure.
16 | # We also try to handle password changes automatically: If user's previous
17 | # authentication was successful, but this one wasn't, the cache isn't used.
18 | # For now this works only with plaintext authentication.
19 | #auth_cache_ttl = 1 hour
20 | # TTL for negative hits (user not found, password mismatch).
21 | # 0 disables caching them completely.
22 | #auth_cache_negative_ttl = 1 hour
23 |
24 | # Space separated list of realms for SASL authentication mechanisms that need
25 | # them. You can leave it empty if you don't want to support multiple realms.
26 | # Many clients simply use the first one listed here, so keep the default realm
27 | # first.
28 | #auth_realms =
29 |
30 | # Default realm/domain to use if none was specified. This is used for both
31 | # SASL realms and appending @domain to username in plaintext logins.
32 | #auth_default_realm =
33 |
34 | # List of allowed characters in username. If the user-given username contains
35 | # a character not listed in here, the login automatically fails. This is just
36 | # an extra check to make sure user can't exploit any potential quote escaping
37 | # vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
38 | # set this value to empty.
39 | #auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
40 |
41 | # Username character translations before it's looked up from databases. The
42 | # value contains series of from -> to characters. For example "#@/@" means
43 | # that '#' and '/' characters are translated to '@'.
44 | #auth_username_translation =
45 |
46 | # Username formatting before it's looked up from databases. You can use
47 | # the standard variables here, eg. %Lu would lowercase the username, %n would
48 | # drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
49 | # "-AT-". This translation is done after auth_username_translation changes.
50 | #auth_username_format = %Lu
51 |
52 | # If you want to allow master users to log in by specifying the master
53 | # username within the normal username string (ie. not using SASL mechanism's
54 | # support for it), you can specify the separator character here. The format
55 | # is then the username, the separator, then the master username. UW-IMAP uses "*" as the
56 | # separator, so that could be a good choice.
57 | #auth_master_user_separator =
58 |
59 | # Username to use for users logging in with ANONYMOUS SASL mechanism
60 | #auth_anonymous_username = anonymous
61 |
62 | # Maximum number of dovecot-auth worker processes. They're used to execute
63 | # blocking passdb and userdb queries (eg. MySQL and PAM). They're
64 | # automatically created and destroyed as needed.
65 | #auth_worker_max_count = 30
66 |
67 | # Host name to use in GSSAPI principal names. The default is to use the
68 | # name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
69 | # entries.
70 | #auth_gssapi_hostname =
71 |
72 | # Kerberos keytab to use for the GSSAPI mechanism. Will use the system
73 | # default (usually /etc/krb5.keytab) if not specified. You may need to change
74 | # the auth service to run as root to be able to read this file.
75 | #auth_krb5_keytab =
76 |
77 | # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
78 | # ntlm_auth helper.
79 | #auth_use_winbind = no
80 |
81 | # Path for Samba's ntlm_auth helper binary.
82 | #auth_winbind_helper_path = /usr/bin/ntlm_auth
83 |
84 | # Time to delay before replying to failed authentications.
85 | #auth_failure_delay = 2 secs
86 |
87 | # Require a valid SSL client certificate or the authentication fails.
88 | #auth_ssl_require_client_cert = no
89 |
90 | # Take the username from client's SSL certificate, using
91 | # X509_NAME_get_text_by_NID() which returns the subject's DN's
92 | # CommonName.
93 | #auth_ssl_username_from_cert = no
94 |
95 | # Space separated list of wanted authentication mechanisms:
96 | # plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
97 | # gss-spnego
98 | # NOTE: See also disable_plaintext_auth setting.
99 | auth_mechanisms = plain login
100 |
101 | ##
102 | ## Password and user databases
103 | ##
104 |
105 | #
106 | # Password database is used to verify user's password (and nothing more).
107 | # You can have multiple passdbs and userdbs. This is useful if you want to
108 | # allow both system users (/etc/passwd) and virtual users to login without
109 | # duplicating the system users into virtual database.
110 | #
111 | #
112 | #
113 | # User database specifies where mails are located and what user/group IDs
114 | # own them. For single-UID configuration use "static" userdb.
115 | #
116 | #
117 |
118 | #!include auth-deny.conf.ext
119 | #!include auth-master.conf.ext
120 |
121 | #!include auth-system.conf.ext
122 | !include auth-sql.conf.ext
123 | #!include auth-ldap.conf.ext
124 | #!include auth-passwdfile.conf.ext
125 | #!include auth-checkpassword.conf.ext
126 | #!include auth-vpopmail.conf.ext
127 | #!include auth-static.conf.ext
128 |
--------------------------------------------------------------------------------
/roles/mailserver/templates/etc_dovecot_dovecot-sql.conf.ext.j2:
--------------------------------------------------------------------------------
1 | # This file is opened as root, so it should be owned by root and mode 0600.
2 | #
3 | # http://wiki2.dovecot.org/AuthDatabase/SQL
4 | #
5 | # For the sql passdb module, you'll need a database with a table that
6 | # contains fields for at least the username and password. If you want to
7 | # use the user@domain syntax, you might want to have a separate domain
8 | # field as well.
9 | #
10 | # If your users all have the same uid/gid, and have predictable home
11 | # directories, you can use the static userdb module to generate the home
12 | # dir based on the username and domain. In this case, you won't need fields
13 | # for home, uid, or gid in the database.
14 | #
15 | # If you prefer to use the sql userdb module, you'll want to add fields
16 | # for home, uid, and gid. Here is an example table:
17 | #
18 | # CREATE TABLE users (
19 | # username VARCHAR(128) NOT NULL,
20 | # domain VARCHAR(128) NOT NULL,
21 | # password VARCHAR(64) NOT NULL,
22 | # home VARCHAR(255) NOT NULL,
23 | # uid INTEGER NOT NULL,
24 | # gid INTEGER NOT NULL,
25 | # active CHAR(1) DEFAULT 'Y' NOT NULL
26 | # );
27 |
28 | # Database driver: mysql, pgsql, sqlite
29 | driver = pgsql
30 |
31 | # Database connection string. This is driver-specific setting.
32 | #
33 | # HA / round-robin load-balancing is supported by giving multiple host
34 | # settings, like: host=sql1.host.org host=sql2.host.org
35 | #
36 | # pgsql:
37 | # For available options, see the PostgreSQL documentation for the
38 | # PQconnectdb function of libpq.
39 | # Use maxconns=n (default 5) to change how many connections Dovecot can
40 | # create to pgsql.
41 | #
42 | # mysql:
43 | # Basic options emulate PostgreSQL option names:
44 | # host, port, user, password, dbname
45 | #
46 | # But also adds some new settings:
47 | # client_flags - See MySQL manual
48 | # ssl_ca, ssl_ca_path - Set either one or both to enable SSL
49 | # ssl_cert, ssl_key - For sending client-side certificates to server
50 | # ssl_cipher - Set minimum allowed cipher security (default: HIGH)
51 | # option_file - Read options from the given file instead of
52 | # the default my.cnf location
53 | # option_group - Read options from the given group (default: client)
54 | #
55 | # You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
56 | # Note that currently you can't use spaces in parameters.
57 | #
58 | # sqlite:
59 | # The path to the database file.
60 | #
61 | # Examples:
62 | # connect = host=192.168.1.1 dbname=users
63 | # connect = host=sql.example.com dbname=virtual user=virtual password=blarg
64 | # connect = /etc/dovecot/authdb.sqlite
65 | #
66 | connect = "host=127.0.0.1 dbname={{ mail_db_database }} user={{ mail_db_username }} password='{{ mail_db_password }}'"
67 |
68 | # Default password scheme.
69 | #
70 | # List of supported schemes is in
71 | # http://wiki2.dovecot.org/Authentication/PasswordSchemes
72 | #
73 | default_pass_scheme = SHA512-CRYPT
74 |
75 | # passdb query to retrieve the password. It can return fields:
76 | # password - The user's password. This field must be returned.
77 | # user - user@domain from the database. Needed with case-insensitive lookups.
78 | # username and domain - An alternative way to represent the "user" field.
79 | #
80 | # The "user" field is often necessary with case-insensitive lookups to avoid
81 | # e.g. "name" and "nAme" logins creating two different mail directories. If
82 | # your user and domain names are in separate fields, you can return "username"
83 | # and "domain" fields instead of "user".
84 | #
85 | # The query can also return other fields which have a special meaning, see
86 | # http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
87 | #
88 | # Commonly used available substitutions (see http://wiki2.dovecot.org/Variables
89 | # for full list):
90 | # %u = entire user@domain
91 | # %n = user part of user@domain
92 | # %d = domain part of user@domain
93 | #
94 | # Note that these can be used only as input to SQL query. If the query outputs
95 | # any of these substitutions, they're not touched. Otherwise it would be
96 | # difficult to have eg. usernames containing '%' characters.
97 | #
98 | # Example:
99 | # password_query = SELECT userid AS user, pw AS password \
100 | # FROM users WHERE userid = '%u' AND active = 'Y'
101 | #
102 | #password_query = \
103 | # SELECT username, domain, password \
104 | # FROM users WHERE username = '%n' AND domain = '%d'
105 |
106 | password_query = SELECT email AS user, password FROM virtual_users WHERE email = '%u';
107 |
108 | # userdb query to retrieve the user information. It can return fields:
109 | # uid - System UID (overrides mail_uid setting)
110 | # gid - System GID (overrides mail_gid setting)
111 | # home - Home directory
112 | # mail - Mail location (overrides mail_location setting)
113 | #
114 | # None of these are strictly required. If you use a single UID and GID, and
115 | # home or mail directory fits to a template string, you could use userdb static
116 | # instead. For a list of all fields that can be returned, see
117 | # http://wiki2.dovecot.org/UserDatabase/ExtraFields
118 | #
119 | # Examples:
120 | # user_query = SELECT home, uid, gid FROM users WHERE userid = '%u'
121 | # user_query = SELECT dir AS home, user AS uid, group AS gid FROM users where userid = '%u'
122 | # user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u'
123 | #
124 | #user_query = \
125 | # SELECT home, uid, gid \
126 | # FROM users WHERE username = '%n' AND domain = '%d'
127 |
128 | # If you wish to avoid two SQL lookups (passdb + userdb), you can use
129 | # userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
130 | # also have to return userdb fields in password_query prefixed with "userdb_"
131 | # string. For example:
132 | #password_query = \
133 | # SELECT userid AS user, password, \
134 | # home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid \
135 | # FROM users WHERE userid = '%u'
136 |
137 | # Query to get a list of all usernames.
138 | #iterate_query = SELECT username AS user FROM users
139 |
--------------------------------------------------------------------------------
/roles/git/files/home_git_.gitolite.rc:
--------------------------------------------------------------------------------
1 | # configuration variables for gitolite
2 |
3 | # This file is in perl syntax. But you do NOT need to know perl to edit it --
4 | # just mind the commas, use single quotes unless you know what you're doing,
5 | # and make sure the brackets and braces stay matched up!
6 |
7 | # (Tip: perl allows a comma after the last item in a list also!)
8 |
9 | # HELP for commands can be had by running the command with "-h".
10 |
11 | # HELP for all the other FEATURES can be found in the documentation (look for
12 | # "list of non-core programs shipped with gitolite" in the master index) or
13 | # directly in the corresponding source file.
14 |
# The gitolite settings hash; keys not listed here keep gitolite's built-in values.
%RC = (

# ------------------------------------------------------------------

# default umask gives you perms of '0700'; see the rc file docs for
# how/why you might change this
# 0027 (instead of the 0077 implied by '0700') leaves new repos group-readable;
# presumably for the 'daemon'/'gitweb' features enabled below -- confirm.
UMASK => 0027,

# look for "git-config" in the documentation
GIT_CONFIG_KEYS => 'gitweb\.(owner|description|category)',

# comment out if you don't need all the extra detail in the logfile
LOG_EXTRA => 1,

# roles. add more roles (like MANAGER, TESTER, ...) here.
# WARNING: if you make changes to this hash, you MUST run 'gitolite
# compile' afterward, and possibly also 'gitolite trigger POST_COMPILE'
ROLES => {
READERS => 1,
WRITERS => 1,
},

# ------------------------------------------------------------------

# rc variables used by various features

# the 'info' command prints this as additional info, if it is set
# SITE_INFO => 'Please see http://blahblah/gitolite for more help',

# the 'desc' command uses this
# WRITER_CAN_UPDATE_DESC => 1,

# the CpuTime feature uses these
# display user, system, and elapsed times to user after each git operation
# DISPLAY_CPU_TIME => 1,
# display a warning if total CPU times (u, s, cu, cs) crosses this limit
# CPU_TIME_WARN_LIMIT => 0.1,

# the Mirroring feature needs this
# HOSTNAME => "foo",

# if you enabled 'Shell', you need this
# SHELL_USERS_LIST => "$ENV{HOME}/.gitolite.shell-users",

# ------------------------------------------------------------------

# suggested locations for site-local gitolite code (see cust.html)

# this one is managed directly on the server
# LOCAL_CODE => "$ENV{HOME}/local",

# or you can use this, which lets you put everything in a subdirectory
# called "local" in your gitolite-admin repo. For a SECURITY WARNING
# on this, see http://gitolite.com/gitolite/cust.html#pushcode
# (code pushed to gitolite-admin would then run on the server; neither
# location is enabled here.)
# LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local",

# ------------------------------------------------------------------

# List of commands and features to enable

# Only the default command set and the ssh-authkeys/git-config/daemon/gitweb
# features are enabled; everything commented out below stays off.
ENABLE => [

# COMMANDS

# These are the commands enabled by default
'help',
'desc',
'info',
'perms',
'writable',

# Uncomment or add new commands here.
# 'create',
# 'fork',
# 'mirror',
# 'sskm',
# 'D',

# These FEATURES are enabled by default.

# essential (unless you're using smart-http mode)
'ssh-authkeys',

# creates git-config enties from gitolite.conf file entries like 'config foo.bar = baz'
'git-config',

# creates git-daemon-export-ok files; if you don't use git-daemon, comment this out
'daemon',

# creates projects.list file; if you don't use gitweb, comment this out
'gitweb',

# These FEATURES are disabled by default; uncomment to enable. If you
# need to add new ones, ask on the mailing list :-)

# user-visible behaviour

# prevent wild repos auto-create on fetch/clone
# 'no-create-on-read',
# no auto-create at all (don't forget to enable the 'create' command!)
# 'no-auto-create',

# access a repo by another (possibly legacy) name
# 'Alias',

# give some users direct shell access
# 'Shell',

# set default roles from lines like 'option default.roles-1 = ...', etc.
# 'set-default-roles',

# system admin stuff

# enable mirroring (don't forget to set the HOSTNAME too!)
# 'Mirroring',

# allow people to submit pub files with more than one key in them
# 'ssh-authkeys-split',

# selective read control hack
# 'partial-copy',

# manage local, gitolite-controlled, copies of read-only upstream repos
# 'upstream',

# updates 'description' file instead of 'gitweb.description' config item
# 'cgit',

# allow repo-specific hooks to be added
# 'repo-specific-hooks',

# performance, logging, monitoring...

# be nice
# 'renice 10',

# log CPU times (user, system, cumulative user, cumulative system)
# 'CpuTime',

# syntactic_sugar for gitolite.conf and included files

# allow backslash-escaped continuation lines in gitolite.conf
# 'continuation-lines',

# create implicit user groups from directory names in keydir/
# 'keysubdirs-as-groups',

# allow simple line-oriented macros
# 'macros',

],

);

# ------------------------------------------------------------------------------
# per perl rules, this should be the last line in such a file:
1;
172 |
173 | # Local variables:
174 | # mode: perl
175 | # End:
176 | # vim: set syn=perl:
177 |
--------------------------------------------------------------------------------
/roles/mailserver/files/etc_postfix_master.cf:
--------------------------------------------------------------------------------
1 | #
2 | # Postfix master process configuration file. For details on the format
3 | # of the file, see the master(5) manual page (command: "man 5 master").
4 | #
5 | # Do not forget to execute "postfix reload" after editing this file.
6 | #
7 | # ==========================================================================
8 | # service type private unpriv chroot wakeup maxproc command + args
9 | # (yes) (yes) (yes) (never) (100)
10 | # ==========================================================================
11 | #smtp inet n - - - - smtpd
12 | smtp inet n - - - 1 postscreen
13 | smtpd pass - - - - - smtpd
14 | dnsblog unix - - - - 0 dnsblog
15 | tlsproxy unix - - - - 0 tlsproxy
16 | #submission inet n - - - - smtpd
17 | # -o syslog_name=postfix/submission
18 | # -o smtpd_tls_security_level=encrypt
19 | # -o smtpd_sasl_auth_enable=yes
20 | # -o smtpd_enforce_tls=yes
21 | # -o smtpd_etrn_restrictions=reject
22 | # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
23 | # -o milter_macro_daemon_name=ORIGINATING
24 | #smtps inet n - - - - smtpd
25 | # -o syslog_name=postfix/smtps
26 | # -o smtpd_tls_wrappermode=yes
27 | # -o smtpd_sasl_auth_enable=yes
28 | # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
29 | # -o milter_macro_daemon_name=ORIGINATING
30 |
31 | # SMTP over SSL on port 465.
32 | smtps inet n - - - - smtpd
33 | -o syslog_name=postfix/smtps
34 | -o smtpd_tls_wrappermode=yes
35 | -o smtpd_sasl_auth_enable=yes
36 | -o smtpd_tls_auth_only=yes
37 | -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
38 | -o smtpd_sasl_security_options=noanonymous,noplaintext
39 | -o smtpd_sasl_tls_security_options=noanonymous
40 |
41 |
42 | #628 inet n - - - - qmqpd
43 | pickup fifo n - - 60 1 pickup
44 | cleanup unix n - - - 0 cleanup
45 | qmgr fifo n - n 300 1 qmgr
46 | #qmgr fifo n - n 300 1 oqmgr
47 | tlsmgr unix - - - 1000? 1 tlsmgr
48 | rewrite unix - - - - - trivial-rewrite
49 | bounce unix - - - - 0 bounce
50 | defer unix - - - - 0 bounce
51 | trace unix - - - - 0 bounce
52 | verify unix - - - - 1 verify
53 | flush unix n - - 1000? 0 flush
54 | proxymap unix - - n - - proxymap
55 | proxywrite unix - - n - 1 proxymap
56 | smtp unix - - - - - smtp
57 | relay unix - - - - - smtp
58 | # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
59 | showq unix n - - - - showq
60 | error unix - - - - - error
61 | retry unix - - - - - error
62 | discard unix - - - - - discard
63 | local unix - n n - - local
64 | virtual unix - n n - - virtual
65 | lmtp unix - - - - - lmtp
66 | anvil unix - - - - 1 anvil
67 | scache unix - - - - 1 scache
68 | #
69 | # ====================================================================
70 | # Interfaces to non-Postfix software. Be sure to examine the manual
71 | # pages of the non-Postfix software to find out what options it wants.
72 | #
73 | # Many of the following services use the Postfix pipe(8) delivery
74 | # agent. See the pipe(8) man page for information about ${recipient}
75 | # and other message envelope options.
76 | # ====================================================================
77 | #
78 | # maildrop. See the Postfix MAILDROP_README file for details.
79 | # Also specify in main.cf: maildrop_destination_recipient_limit=1
80 | #
81 | maildrop unix - n n - - pipe
82 | flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
83 | #
84 | # ====================================================================
85 | #
86 | # Recent Cyrus versions can use the existing "lmtp" master.cf entry.
87 | #
88 | # Specify in cyrus.conf:
89 | # lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
90 | #
91 | # Specify in main.cf one or more of the following:
92 | # mailbox_transport = lmtp:inet:localhost
93 | # virtual_transport = lmtp:inet:localhost
94 | #
95 | # ====================================================================
96 | #
97 | # Cyrus 2.1.5 (Amos Gouaux)
98 | # Also specify in main.cf: cyrus_destination_recipient_limit=1
99 | #
100 | #cyrus unix - n n - - pipe
101 | # user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
102 | #
103 | # ====================================================================
104 | # Old example of delivery via Cyrus.
105 | #
106 | #old-cyrus unix - n n - - pipe
107 | # flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
108 | #
109 | # ====================================================================
110 | #
111 | # See the Postfix UUCP_README file for configuration details.
112 | #
113 | uucp unix - n n - - pipe
114 | flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
115 | #
116 | # Other external delivery methods.
117 | #
118 | ifmail unix - n n - - pipe
119 | flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
120 | bsmtp unix - n n - - pipe
121 | flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
122 | scalemail-backend unix - n n - 2 pipe
123 | flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
124 | mailman unix - n n - - pipe
125 | flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
126 | ${nexthop} ${user}
127 | # spam protection
128 | dspam unix - n n - 10 pipe
129 | flags=Ru user=dspam argv=/usr/bin/dspam --deliver=innocent,spam --user ${user}@${nexthop} -i -f $sender -- $recipient
130 | dovecot unix - n n - - pipe
131 | flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${user}@${nexthop}
132 |
--------------------------------------------------------------------------------
/roles/vpn/tasks/openvpn.yml:
--------------------------------------------------------------------------------
---
# Installs the OpenVPN virtual private network server.
# ref: https://library.linode.com/networking/openvpn/debian-6-squeeze
#
# What this task file does, in order:
#   1. installs the packages;
#   2. creates the CA, server and per-client RSA keys with openssl (every
#      generation step is guarded by `creates=`, so an existing key/cert is
#      never overwritten on a re-run);
#   3. issues the server certificate through `openssl ca` and the client
#      certificates through `openssl x509 -req`;
#   4. renders one .ovpn per client, fetches the client bundles to the
#      controller, then configures forwarding, firewall, dnsmasq and the
#      server itself.
#
# Variables referenced here and expected to be defined elsewhere in the role
# or playbook: openvpn_key_size, openvpn_path, openvpn_clients, openvpn_ca,
# openvpn_days_valid, openssl_request_subject, openvpn_hmac_firewall,
# openvpn_server, openvpn_dhparam, openvpn_port, openvpn_protocol.

- name: Install OpenVPN and dependencies from apt
  apt: pkg={{ item }} state=installed
  with_items:
    - openvpn
    - udev
    - dnsmasq

# The keys are written unencrypted (no passphrase option is passed), which is
# what makes the rest of the play unattended; file permissions are their only
# protection. openssl creates the files with the process umask; the
# permission task further down tightens them.
- name: Generate RSA keys for the CA and Server
  command: openssl genrsa -out {{ item }}.key {{ openvpn_key_size }}
           chdir={{ openvpn_path }}
           creates={{ item }}.key
  with_items:
    - ca
    - server

- name: Create directories for clients
  file: path={{ openvpn_path}}/{{ item }} state=directory
  with_items: openvpn_clients

# One unencrypted key per client, kept in that client's own subdirectory.
- name: Generate RSA keys for the clients
  command: openssl genrsa -out client.key {{ openvpn_key_size }}
           chdir={{ openvpn_path }}/{{ item }}
           creates=client.key
  with_items: openvpn_clients

# NOTE(review): mode 600 is applied recursively to the directories as well as
# the files, which removes the execute (traverse) bit from every directory
# under openvpn_path; root is not affected, but no other account can enter
# them. A 0700-directory / 0600-file split would express the intent better.
# Also note that this task runs only once, here: ta.key, the DH parameters and
# the rendered .ovpn files (which presumably embed the client key) are all
# created later and are not covered by it.
- name: Set the proper permissions on all RSA keys
  file: path={{ openvpn_path }}
        recurse=yes
        state=directory
        owner=root
        group=root
        mode=600

# Self-signed CA certificate. The CN is fixed; the rest of the subject comes
# from openssl_request_subject.
- name: Generate CA certificate
  command: openssl req -nodes -batch -new -x509 -key {{ openvpn_ca }}.key -out {{ openvpn_ca }}.crt -days {{ openvpn_days_valid }} -subj "{{ openssl_request_subject }}/CN=ca-certificate"
           creates={{ openvpn_ca }}.crt

- name: Generate the OpenSSL configuration that will be used for the Server certificate's req and ca commands
  # Properly sets the attributes that are described here:
  # openvpn.net/index.php/open-source/documentation/howto.html#mitm
  #
  # This is required in order for the 'ns-cert-type server' option to
  # work, which is enabled by default in most standard client.conf
  # files.
  template: src=openssl-server-certificate.cnf.j2
            dest={{ openvpn_path }}/openssl-server-certificate.cnf

# index.txt and serial are the bookkeeping files that `openssl ca` expects to
# find; both are seeded only if absent.
- name: Seed a blank database file that will be used when generating the Server's certificate
  command: touch {{ openvpn_path }}/index.txt
           creates={{ openvpn_path }}/index.txt

- name: Seed a serial file that will be used when generating the Server's certificate
  shell: echo 01 > {{ openvpn_path }}/serial
         creates={{ openvpn_path }}/serial

- name: Generate CSR for the Server
  command: openssl req -batch -extensions server -new -key server.key -out server.csr -config {{ openvpn_path }}/openssl-server-certificate.cnf
           chdir={{ openvpn_path }}
           creates=server.csr

# Signed with the `server` extension section of the generated cnf, so the
# certificate carries the server-only attributes that clients check for.
- name: Generate certificate for the Server
  command: openssl ca -batch -extensions server -in server.csr -out server.crt -config openssl-server-certificate.cnf
           chdir={{ openvpn_path }}
           creates=server.crt

# The client name becomes the certificate CN.
- name: Generate CSRs for the clients
  command: openssl req -new -key client.key -out client.csr -subj "{{ openssl_request_subject }}/CN={{ item }}"
           chdir={{ openvpn_path }}/{{ item }}
           creates=client.csr
  with_items: openvpn_clients

# Client certificates are signed directly against the CA key (openssl x509
# -req with -CAcreateserial), bypassing the index.txt/serial database that
# was set up for the server certificate.
- name: Generate certificates for the clients
  command: openssl x509 -CA {{ openvpn_ca }}.crt -CAkey {{ openvpn_ca }}.key -CAcreateserial -req -days {{ openvpn_days_valid }} -in client.csr -out client.crt
           chdir={{ openvpn_path }}/{{ item }}
           creates=client.crt
  with_items: openvpn_clients

# Shared tls-auth secret; every client receives a copy below. It is generated
# after the permission task above, so its mode is whatever `openvpn --genkey`
# sets — confirm that is restrictive.
- name: Generate HMAC firewall key
  command: openvpn --genkey --secret {{ openvpn_hmac_firewall }}
           creates={{ openvpn_hmac_firewall }}

# The next four tasks read file contents into registered variables,
# presumably consumed by client.cnf.j2 when the per-client .ovpn is rendered.
- name: Register CA certificate contents
  command: cat ca.crt
           chdir={{ openvpn_path }}
  register: openvpn_ca_contents

- name: Register client certificate contents
  command: cat client.crt
           chdir={{ openvpn_path }}/{{ item }}
  with_items: openvpn_clients
  register: openvpn_client_certificates

# NOTE(review): this captures private key material in a registered variable,
# so it shows up in task output and in any log or callback that records
# results. Suppressing output for this task (no_log) is worth it if the
# Ansible version in use supports it.
- name: Register client key contents
  command: cat client.key
           chdir={{ openvpn_path }}/{{ item }}
  with_items: openvpn_clients
  register: openvpn_client_keys

# Same concern as above: the tls-auth secret ends up in task output.
- name: Register HMAC firewall contents
  command: cat ta.key
           chdir={{ openvpn_path }}
  register: openvpn_hmac_firewall_contents

# One .ovpn per client. with_together zips the three lists, so item[0] is the
# client name and item[1]/item[2] the registered cert/key results for it.
- name: Create the client configs
  template: src=client.cnf.j2
            dest={{ openvpn_path }}/{{ item[0] }}/{{ openvpn_server }}.ovpn
  with_together:
    - openvpn_clients
    - openvpn_client_certificates.results
    - openvpn_client_keys.results

# The DH parameter length is tied to the same variable as the RSA key size.
- name: Generate Diffie-Hellman parameters (this will take a while)
  command: openssl dhparam -out {{ openvpn_dhparam }} {{ openvpn_key_size }}
           creates={{ openvpn_dhparam }}

- name: Copy rc.local with firewall and dnsmasq rules into place
  template: src=etc_rc.local dest=/etc/rc.local

- name: Enable IPv4 traffic forwarding
  sysctl: name=net.ipv4.ip_forward value=1

# NOTE(review): these rules are appended (-A) unconditionally on every run,
# with no existence check, so repeated plays accumulate duplicate rules. The
# order matters: the FORWARD REJECT relies on being added after the two
# ACCEPT rules. The 10.8.0.0/24 VPN subnet is hard-coded here and must match
# the server configuration template.
- name: Allow OpenVPN through the firewall
  command: "{{ item }}"
  with_items:
    - iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    - iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    - iptables -A FORWARD -j REJECT
    - iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o {{ ansible_default_ipv4.interface }} -j MASQUERADE

- name: Allow OpenVPN through ufw
  ufw: rule=allow port={{ openvpn_port }} proto={{ openvpn_protocol }}

- name: Copy OpenVPN configuration file into place
  template: src=etc_openvpn_server.conf.j2 dest=/etc/openvpn/server.conf
  notify: restart openvpn

# OpenVPN must restart first so the 10.8.0.0 interface is available
# to dnsmasq
- meta: flush_handlers

# NOTE(review): requires files/etc_dnsmasq.conf in this role — confirm it is
# present, otherwise this task fails.
- name: Copy dnsmasq configuration file into place
  copy: src=etc_dnsmasq.conf dest=/etc/dnsmasq.conf
  notify: restart dnsmasq

# /etc/pam.d/openvpn is only consulted if server.conf enables a PAM
# authentication plugin — confirm against the template.
- name: Copy OpenVPN PAM configuration file into place
  copy: src=etc_pam.d_openvpn dest=/etc/pam.d/openvpn
  notify: restart openvpn

# Every client directory gets its own copy of ca.crt and ta.key so the fetch
# below can pull a complete bundle per client.
- name: Copy the ca.crt and ta.key files that clients will need in order to connect to the OpenVPN server
  command: cp {{ openvpn_path }}/{{ item[1] }} {{ openvpn_path }}/{{ item[0] }}
  with_nested:
    - openvpn_clients
    - ["ca.crt", "ta.key"]

# NOTE(review): client.key and ta.key are copied to the controller under
# /tmp, which is normally world-readable; the fetched files' modes depend on
# the local umask. A private destination directory (or a post-fetch
# permission fix) would keep the secrets from other local users.
- name: Retrieve the files that clients will need in order to connect to the OpenVPN server
  fetch: src={{ openvpn_path }}/{{ item[0] }}/{{ item[1] }}
         dest=/tmp/sovereign-openvpn-files
  with_nested:
    - openvpn_clients
    - ["client.crt", "client.key", "ca.crt", "ta.key", "{{ openvpn_server }}.ovpn"]

- pause: seconds=5
         prompt="You are ready to set up your OpenVPN clients. The files that you need are in /tmp/sovereign-openvpn-files. Make sure LZO compression is enabled and that you provide the ta.key file for the TLS-Auth option with a direction of '1'. Press any key to continue..."
--------------------------------------------------------------------------------
/roles/mailserver/files/etc_tomcat6_server.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/roles/xmpp/templates/prosody.cfg.lua.j2:
--------------------------------------------------------------------------------
-- Prosody XMPP Server Configuration
--
-- Information on configuring Prosody can be found on our
-- website at http://prosody.im/doc/configure
--
-- Tip: You can check that the syntax of this file is correct
-- when you have finished by running: luac -p prosody.cfg.lua
-- If there are any errors, it will let you know what and where
-- they are, otherwise it will keep quiet.
--
-- Good luck, and happy Jabbering!
--
-- This copy is a Jinja2 template: the {{ ... }} placeholders are filled in
-- at deploy time, so run the luac check against the rendered file, not
-- against this template.


---------- Server-wide settings ----------
-- Settings in this section apply to the whole server and are the default settings
-- for any virtual hosts

-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see http://prosody.im/doc/creating_accounts for info)
-- Example: admins = { "user1@example.com", "user2@example.net" }
-- The JID given here gets the ad-hoc admin commands enabled below
-- (admin_adhoc), so keep this list to accounts that really need it.
admins = { "{{ prosody_admin }}" }

-- Enable use of libevent for better performance under high load
-- For more information see: http://prosody.im/doc/libevent
--use_libevent = true;

-- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
-- Documentation on modules can be found at: http://prosody.im/doc/modules
modules_enabled = {

    -- Generally required
    "roster"; -- Allow users to have a roster. Recommended ;)
    "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
    "tls"; -- Add support for secure TLS on c2s/s2s connections
    "dialback"; -- s2s dialback support
    "disco"; -- Service discovery
    "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.

    -- Not essential, but recommended
    "private"; -- Private XML storage (for room bookmarks, etc.)
    "vcard"; -- Allow users to set vCards

    -- These are commented by default as they have a performance impact
    "privacy"; -- Support privacy lists (enabled in this deployment)
    --"compression"; -- Stream compression (requires the lua-zlib package installed)

    -- Nice to have
    "version"; -- Replies to server version requests
    "uptime"; -- Report how long server has been running
    "time"; -- Let others know the time here on this server
    "ping"; -- Replies to XMPP pings with pongs
    -- "pep"; -- Enables users to publish their mood, activity, playing music and more
    -- NOTE: in-band account creation is switched off below
    -- (allow_registration = false); the module is kept loaded, presumably
    -- so existing users can still change their password — confirm.
    "register"; -- Allow users to register on this server using a client and change passwords

    -- Admin interfaces
    "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
    --"admin_telnet"; -- Opens telnet console interface on localhost port 5582

    -- HTTP modules
    --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
    --"http_files"; -- Serve static files from a directory over HTTP

    -- Other specific functionality
    --"groups"; -- Shared roster support
    --"announce"; -- Send announcement to all online users
    --"welcome"; -- Welcome users who register accounts
    --"watchregistrations"; -- Alert admins of registrations
    --"motd"; -- Send a message to users when they log in
    --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
};

-- These modules are auto-loaded, but should you want
-- to disable them then uncomment them here:
modules_disabled = {
    -- "offline"; -- Store offline messages
    -- "c2s"; -- Handle client connections
    -- "s2s"; -- Handle server-to-server connections
};

-- Disable account creation by default, for security
-- For more information see http://prosody.im/doc/creating_accounts
allow_registration = false;

-- These are the SSL/TLS-related settings. If you don't want
-- to use SSL/TLS, you may comment or remove this
-- The private key must be readable by the account Prosody runs as and by
-- nobody else it does not need to be; check its owner/group and mode.
ssl = {
    key = "/etc/ssl/private/wildcard_private.key";
    certificate = "/etc/ssl/certs/wildcard_public_cert.crt";
}

-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.

c2s_require_encryption = true

-- Force certificate authentication for server-to-server connections?
-- This provides ideal security, but requires servers you communicate
-- with to support encryption AND present valid, trusted certificates.
-- NOTE: Your version of LuaSec must support certificate verification!
-- For more information see http://prosody.im/doc/s2s#security
--
-- NOTE(review): with this left off, remote servers are accepted on
-- dialback (DNS-based) authentication alone, so the identity of a federated
-- peer is only as trustworthy as its DNS. Enabling it, or at least listing
-- the peers that matter in s2s_secure_domains below, closes that gap.

s2s_secure_auth = false

-- Many servers don't support encryption or have invalid or self-signed
-- certificates. You can list domains here that will not be required to
-- authenticate using certificates. They will be authenticated using DNS.

--s2s_insecure_domains = { "gmail.com" }

-- Even if you leave s2s_secure_auth disabled, you can still require valid
-- certificates for some domains by specifying a list here.

--s2s_secure_domains = { "jabber.org" }

-- Required for init scripts and prosodyctl
pidfile = "/var/run/prosody/prosody.pid"

-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.
-- To allow Prosody to offer secure authentication mechanisms to clients, the
-- default provider stores passwords in plaintext. If you do not trust your
-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
-- for information about using the hashed backend.
--
-- NOTE(review): with internal_plain every account password is stored in
-- cleartext under data_path, so a copy of that directory (disk image,
-- backup) exposes them directly. internal_hashed avoids that; the trade-off
-- is the set of SASL mechanisms the server can offer (see the link above).

authentication = "internal_plain"

-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See http://prosody.im/doc/storage for more info.

--storage = "sql" -- Default is "internal"

-- For the "sql" backend, you can uncomment *one* of the below to configure:
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }

-- Logging configuration
-- For advanced logging see http://prosody.im/doc/logging
log = {
    info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
    error = "/var/log/prosody/prosody.err";
    "*syslog";
}

-- Account data (including the plaintext passwords noted above) lives here.
-- The path name suggests an encrypted volume; confirm it is mounted before
-- Prosody starts, otherwise the data is written to the bare mount point.
data_path = "/decrypted/prosody"

----------- Virtual hosts -----------
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
-- Settings under each VirtualHost entry apply *only* to that host.

VirtualHost "{{ prosody_virtual_domain }}"

------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.
-- For more information on components, see http://prosody.im/doc/components

---Set up a MUC (multi-user chat) room server on conference.example.com:
--Component "conference.example.com" "muc"

-- Set up a SOCKS5 bytestream proxy for server-proxied file transfers:
--Component "proxy.example.com" "proxy65"

---Set up an external component (default component port is 5347)
--
-- External components allow adding various services, such as gateways/
-- transports to other networks like ICQ, MSN and Yahoo. For more info
-- see: http://prosody.im/doc/components#adding_an_external_component
--
--Component "gateway.example.com"
-- component_secret = "password"
--------------------------------------------------------------------------------
/roles/webmail/files/usr_share_roundcube_plugins_carddav_config.inc.php:
--------------------------------------------------------------------------------
1 | '] = array(
34 | // required attributes
35 | 'name' => '',
36 | 'username' => '',
37 | 'password' => '',
38 | 'url' => '',
39 |
40 | // optional attributes
41 | 'active' => ,
42 | 'readonly' => ,
43 | 'refresh_time' => '',
44 | 'preemptive_auth' => <1 or 0>,
45 |
46 | // attributes that are fixed (i.e., not editable by the user) and
47 | // auto-updated for this preset
48 | 'fixed' => array( < 0 or more of the other attribute keys > ),
49 |
50 | // hide this preset from CalDAV preferences section so users can't even
51 | // see it
52 | 'hide' => ,
53 | );
54 | */
55 |
56 | // All values in angle brackets have to be substituted.
57 | //
58 | // The meaning of the different parameters is as follows:
59 | //
60 | // : Unique preset name, must not be '_GLOBAL'. The presetname is
61 | // not user visible and only used for an internal mapping between
62 | // addressbooks created from a preset and the preset itself. You
63 | // should never change this throughout its lifetime.
64 | //
65 | // The following parameters are REQUIRED and need to be specified for any preset.
66 | //
67 | // name: User-visible name of the addressbook. If the server provides
68 | // an additional display name for the addressbooks found for the
69 | // preset, it will be appended in brackets to this name, except
70 | // if carddav_name_only is true (see below).
71 | //
72 | // username: CardDAV username to access the addressbook. Set this setting
73 | // to '%u' to use the roundcube username.
74 | //
75 | // password: CardDAV password to access the addressbook. Set this setting
76 | // to '%p' to use the roundcube password. The password will not
77 | // be stored in the database when using %p.
78 | //
79 | // url: URL where to find the CardDAV addressbook(s). If the given URL
80 | // refers directly to an addressbook, only this single
81 | // addressbook will be added. If the URL points somewhere in the
82 | // CardDAV space, but _not_ to the location of a particular
83 | // addressbook, the server will be queried for the available
84 | // addressbooks and all of them will be added. You can use %u
85 | // within the URL as a placeholder for the CardDAV username.
86 | //
87 | // The following parameters are OPTIONAL and need to be specified only if the default
88 | // value is not acceptable.
89 | //
90 | // active: If this parameter is false, the addressbook is not used by roundcube
91 | // unless the user changes this setting.
92 | // Default: true
93 | //
94 | // carddav_name_only:
95 | // If this parameter is true, only the server provided displayname
96 | // is used for addressbooks created from this preset, except if
97 | // the server does not provide a display name.
98 | // Default: false
99 | //
100 | // readonly: If this parameter is true, the addressbook will only be
101 | // accessible in read-only mode, i.e., the user will not be able
102 | // to add, modify or delete contacts in the addressbook.
103 | // Default: false
104 | //
105 | // refresh_time: Time interval for that cached versions of the addressbook
106 | // entries should be used, in hours. After this time interval has
107 | // passed since the last pull from the server, it will be
108 | // refreshed when the addressbook is accessed the next time.
109 | // Default: 01:00:00
110 | //
111 | // preemptive_auth:
112 | // If this parameter is 1, the authentication headers will be sent
113 | // automatically with every request, regardless of the server
114 | // requesting them or not.
115 | // This must be set for ownCloud to work correctly.
116 | // Default: 0
117 | //
118 | // fixed: Array of parameter keys that must not be changed by the user.
119 | // Note that only fixed parameters will be automatically updated
120 | // for existing addressbooks created from presets. Otherwise the
121 | // user may already have changed the setting, and his change
122 | // would be lost. You can add any of the above keys, but the
123 | // setting only affects parameters that can be changed via the
124 | // settings pane (e.g., readonly cannot be changed by the user
125 | // anyway). Still, only parameters listed as fixed will be
126 | // automatically updated if the preset is changed.
127 | // Default: empty, all settings modifiable by user
128 | //
129 | // !!! WARNING: Only add 'url' to the list of fixed addressbooks
130 | // if it _directly_ points to an address book collection.
131 | // Otherwise, the plugin will initially lookup the URLs for the
132 | // collections on the server, and at the next login overwrite it
133 | // with the fixed value stored here. Therefore, if you change the
134 | // URL, you have two options:
135 | // 1) If the new URL is a variation of the old one (e.g. hostname
136 | // change), you can run an SQL UPDATE query directly in the
137 | // database to adopt all addressbooks.
138 | // 2) If the new URL is not easily derivable from the old one,
139 | // change the key of the preset and change the URL. Addressbooks
140 | // belonging to the old preset will be deleted upon the next
141 | // login of the user and freshly created.
142 | //
143 | // hide: Whether this preset should be hidden from the CalDAV listing
144 | // on the preferences page.
145 |
146 |
147 | // How Preset Updates work
148 | //
149 | // Preset addressbooks are created for a user as she logs in.
150 |
151 | //// ** ADDRESSBOOK PRESETS - EXAMPLE: Two Addressbook Presets
152 |
153 | //// Preset 1: Personal
154 | /*
155 | $prefs['Personal'] = array(
156 | // required attributes
157 | 'name' => 'Personal',
158 | // will be substituted for the roundcube username
159 | 'username' => '%u',
160 | // will be substituted for the roundcube password
161 | 'password' => '%p',
162 | // %u will be substituted for the CardDAV username
163 | 'url' => 'https://ical.example.org/caldav.php/%u/Personal',
164 |
165 | 'active' => true,
166 | 'readonly' => false,
167 | 'refresh_time' => '02:00:00',
168 |
169 | 'fixed' => array( 'username' ),
170 | 'hide' => false,
171 | );
172 | */
173 |
174 | //// Preset 2: Corporate
175 | /*
176 | $prefs['Work'] = array(
177 | 'name' => 'Corporate',
178 | 'username' => 'CorpUser',
179 | 'password' => 'C0rpPasswo2d',
180 | 'url' => 'https://ical.example.org/caldav.php/%u/Corporate',
181 |
182 | 'fixed' => array( 'name', 'username', 'password' ),
183 | 'hide' => true,
184 | );
185 | */
186 |
--------------------------------------------------------------------------------
/roles/monitoring/files/etc_monit_monitrc:
--------------------------------------------------------------------------------
1 | ###############################################################################
2 | ## Monit control file
3 | ###############################################################################
4 | ##
5 | ## Comments begin with a '#' and extend through the end of the line. Keywords
6 | ## are case insensitive. All paths MUST BE FULLY QUALIFIED, starting with '/'.
7 | ##
8 | ## Below you will find examples of some frequently used statements. For
9 | ## information about the control file and a complete list of statements and
10 | ## options, please have a look in the Monit manual.
11 | ##
12 | ##
13 | ###############################################################################
14 | ## Global section
15 | ###############################################################################
16 | ##
17 | ## Start Monit in the background (run as a daemon):
18 | #
19 | set daemon 120 # check services at 2-minute intervals
20 | # with start delay 240 # optional: delay the first check by 4-minutes (by
21 | # # default Monit check immediately after Monit start)
22 | #
23 | #
24 | ## Set syslog logging with the 'daemon' facility. If the FACILITY option is
25 | ## omitted, Monit will use 'user' facility by default. If you want to log to
26 | ## a standalone log file instead, specify the full path to the log file
27 | #
28 | # set logfile syslog facility log_daemon
29 | set logfile /var/log/monit.log
30 | #
31 | #
32 | ## Set the location of the Monit id file which stores the unique id for the
33 | ## Monit instance. The id is generated and stored on first Monit start. By
34 | ## default the file is placed in $HOME/.monit.id.
35 | #
36 | # set idfile /var/.monit.id
37 | set idfile /var/lib/monit/id
38 | #
39 | ## Set the location of the Monit state file which saves monitoring states
40 | ## on each cycle. By default the file is placed in $HOME/.monit.state. If
41 | ## the state file is stored on a persistent filesystem, Monit will recover
42 | ## the monitoring state across reboots. If it is on temporary filesystem, the
43 | ## state will be lost on reboot which may be convenient in some situations.
44 | #
45 | set statefile /var/lib/monit/state
46 | #
47 | ## Set the list of mail servers for alert delivery. Multiple servers may be
48 | ## specified using a comma separator. If the first mail server fails, Monit
49 | # will use the second mail server in the list and so on. By default Monit uses
50 | # port 25 - it is possible to override this with the PORT option.
51 | #
52 | # set mailserver mail.bar.baz, # primary mailserver
53 | # backup.bar.baz port 10025, # backup mailserver on port 10025
54 | # localhost # fallback relay
55 | #
56 |
57 | set mailserver localhost
58 |
59 | ## By default Monit will drop alert events if no mail servers are available.
60 | ## If you want to keep the alerts for later delivery retry, you can use the
61 | ## EVENTQUEUE statement. The base directory where undelivered alerts will be
62 | ## stored is specified by the BASEDIR option. You can limit the maximal queue
63 | ## size using the SLOTS option (if omitted, the queue is limited by space
64 | ## available in the back end filesystem).
65 | #
66 | set eventqueue
67 | basedir /var/lib/monit/events # set the base directory where events will be stored
68 | slots 100 # optionally limit the queue size
69 | #
70 | #
71 | ## Send status and events to M/Monit (for more informations about M/Monit
72 | ## see http://mmonit.com/). By default Monit registers credentials with
73 | ## M/Monit so M/Monit can smoothly communicate back to Monit and you don't
74 | ## have to register Monit credentials manually in M/Monit. It is possible to
75 | ## disable credential registration using the commented out option below.
76 | ## Though, if safety is a concern we recommend instead using https when
77 | ## communicating with M/Monit and send credentials encrypted.
78 | #
79 | # set mmonit http://monit:monit@192.168.1.10:8080/collector
80 | # # and register without credentials # Don't register credentials
81 | #
82 | #
83 | ## Monit by default uses the following format for alerts if the mail-format
84 | ## statement is missing::
85 | ## --8<--
86 | ## set mail-format {
87 | ## from: monit@$HOST
88 | ## subject: monit alert -- $EVENT $SERVICE
89 | ## message: $EVENT Service $SERVICE
90 | ## Date: $DATE
91 | ## Action: $ACTION
92 | ## Host: $HOST
93 | ## Description: $DESCRIPTION
94 | ##
95 | ## Your faithful employee,
96 | ## Monit
97 | ## }
98 | ## --8<--
99 | ##
100 | ## You can override this message format or parts of it, such as subject
101 | ## or sender using the MAIL-FORMAT statement. Macros such as $DATE, etc.
102 | ## are expanded at runtime. For example, to override the sender, use:
103 | #
104 | # set mail-format { from: monit@foo.bar }
105 | #
106 | #
107 | ## You can set alert recipients whom will receive alerts if/when a
108 | ## service defined in this file has errors. Alerts may be restricted on
109 | ## events by using a filter as in the second example below.
110 | #
111 | # set alert sysadm@foo.bar # receive all alerts
112 | # set alert manager@foo.bar only on { timeout } # receive just service-
113 | # # timeout alert
114 | #
115 | #
116 | ## Monit has an embedded web server which can be used to view status of
117 | ## services monitored and manage services from a web interface. See the
118 | ## Monit Wiki if you want to enable SSL for the web server.
119 | #
120 | set httpd port 2812 and
121 | use address localhost # only accept connection from localhost
122 | allow localhost # allow localhost to connect to the server and
123 | allow admin:monit # require user 'admin' with password 'monit' (the widely published example credentials — replace them before deploying)
124 | # allow @monit # allow users of group 'monit' to connect (rw)
125 | # allow @users readonly # allow users of group 'users' to connect readonly
126 | #
127 | ###############################################################################
128 | ## Services
129 | ###############################################################################
130 | ##
131 | ## Check general system resources such as load average, cpu and memory
132 | ## usage. Each test specifies a resource, conditions and the action to be
133 | ## performed should a test fail.
134 | #
135 | # check system myhost.mydomain.tld
136 | # if loadavg (1min) > 4 then alert
137 | # if loadavg (5min) > 2 then alert
138 | # if memory usage > 75% then alert
139 | # if swap usage > 25% then alert
140 | # if cpu usage (user) > 70% then alert
141 | # if cpu usage (system) > 30% then alert
142 | # if cpu usage (wait) > 20% then alert
143 | #
144 | #
145 | ## Check if a file exists, checksum, permissions, uid and gid. In addition
146 | ## to alert recipients in the global section, customized alert can be sent to
147 | ## additional recipients by specifying a local alert handler. The service may
148 | ## be grouped using the GROUP option. More than one group can be specified by
149 | ## repeating the 'group name' statement.
150 | #
151 | # check file apache_bin with path /usr/local/apache/bin/httpd
152 | # if failed checksum and
153 | # expect the sum 8f7f419955cefa0b33a2ba316cba3659 then unmonitor
154 | # if failed permission 755 then unmonitor
155 | # if failed uid root then unmonitor
156 | # if failed gid root then unmonitor
157 | # alert security@foo.bar on {
158 | # checksum, permission, uid, gid, unmonitor
159 | # } with the mail-format { subject: Alarm! }
160 | # group server
161 | #
162 | #
163 | ## Check that a process is running, in this case Apache, and that it responds
164 | ## to HTTP and HTTPS requests. Check its resource usage such as cpu and memory,
165 | ## and number of children. If the process is not running, Monit will restart
166 | ## it by default. In case the service is restarted very often and the
167 | ## problem remains, it is possible to disable monitoring using the TIMEOUT
168 | ## statement. This service depends on another service (apache_bin) which
169 | ## is defined above.
170 | #
171 | # check process apache with pidfile /usr/local/apache/logs/httpd.pid
172 | # start program = "/etc/init.d/httpd start" with timeout 60 seconds
173 | # stop program = "/etc/init.d/httpd stop"
174 | # if cpu > 60% for 2 cycles then alert
175 | # if cpu > 80% for 5 cycles then restart
176 | # if totalmem > 200.0 MB for 5 cycles then restart
177 | # if children > 250 then restart
178 | # if loadavg(5min) greater than 10 for 8 cycles then stop
179 | # if failed host www.tildeslash.com port 80 protocol http
180 | # and request "/somefile.html"
181 | # then restart
182 | # if failed port 443 type tcpssl protocol http
183 | # with timeout 15 seconds
184 | # then restart
185 | # if 3 restarts within 5 cycles then timeout
186 | # depends on apache_bin
187 | # group server
188 | #
189 | #
190 | ## Check filesystem permissions, uid, gid, space and inode usage. Other services,
191 | ## such as databases, may depend on this resource and an automatic graceful
192 | ## stop may be cascaded to them before the filesystem will become full and data
193 | ## lost.
194 | #
195 | # check filesystem datafs with path /dev/sdb1
196 | # start program = "/bin/mount /data"
197 | # stop program = "/bin/umount /data"
198 | # if failed permission 660 then unmonitor
199 | # if failed uid root then unmonitor
200 | # if failed gid disk then unmonitor
201 | # if space usage > 80% for 5 times within 15 cycles then alert
202 | # if space usage > 99% then stop
203 | # if inode usage > 30000 then alert
204 | # if inode usage > 99% then stop
205 | # group server
206 | #
207 | #
208 | ## Check a file's timestamp. In this example, we test if a file is older
209 | ## than 15 minutes and assume something is wrong if it's not updated. Also,
210 | ## if the file size exceeds a given limit, execute a script
211 | #
212 | # check file database with path /data/mydatabase.db
213 | # if failed permission 700 then alert
214 | # if failed uid data then alert
215 | # if failed gid data then alert
216 | # if timestamp > 15 minutes then alert
217 | # if size > 100 MB then exec "/my/cleanup/script" as uid dba and gid dba
218 | #
219 | #
220 | ## Check directory permission, uid and gid. An event is triggered if the
221 | ## directory does not belong to the user with uid 0 and gid 0. In addition,
222 | ## the permissions have to match the octal description of 755 (see chmod(1)).
223 | #
224 | # check directory bin with path /bin
225 | # if failed permission 755 then unmonitor
226 | # if failed uid 0 then unmonitor
227 | # if failed gid 0 then unmonitor
228 | #
229 | #
230 | ## Check a remote host availability by issuing a ping test and check the
231 | ## content of a response from a web server. Up to three pings are sent and
232 | ## connection to a port and an application level network check is performed.
233 | #
234 | # check host myserver with address 192.168.1.1
235 | # if failed icmp type echo count 3 with timeout 3 seconds then alert
236 | # if failed port 3306 protocol mysql with timeout 15 seconds then alert
237 | # if failed url http://user:password@www.foo.bar:8080/?querystring
238 | # and content == 'action="j_security_check"'
239 | # then alert
240 | #
241 | #
242 | ###############################################################################
243 | ## Includes
244 | ###############################################################################
245 | ##
246 | ## It is possible to include additional configuration parts from other files or
247 | ## directories.
248 | #
249 | include /etc/monit/conf.d/*
250 |
251 |
--------------------------------------------------------------------------------
/roles/vpn/templates/etc_openvpn_server.conf.j2:
--------------------------------------------------------------------------------
#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
# #
# Comments are preceded with '#' or ';' #
#################################################
#
# Ansible/Jinja2 template for the server-side config. Values are rendered
# from role variables: openvpn_port, openvpn_protocol, openvpn_key_size,
# openvpn_cipher and openvpn_auth_digest. Lines starting with ';' are
# inactive examples inherited from the upstream sample file.

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port {{ openvpn_port }}

# Uncomment the following line if you wish to enable PAM support for 2FA
# NOTE(review): the PAM plugin adds a username/password (or OTP) check on
# top of the client certificate. Keep certificate auth in place (do not add
# 'verify-client-cert none' / 'client-cert-not-required') so the second
# factor is additive rather than a replacement.
;plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn

# TCP or UDP server?
;proto tcp
proto {{ openvpn_protocol }}

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
# NOTE(review): server.key should be installed root-owned and unreadable by
# other users (e.g. mode 0600); it is loaded during initialisation, before
# the privilege drop to 'nobody' further down.
# NOTE(review): no 'crl-verify' directive is present, so a lost or retired
# client certificate cannot be rejected without replacing the whole CA.
# Consider 'crl-verify crl.pem', and 'remote-cert-tls client' so a leaked
# server certificate cannot be reused as a client identity (requires the CA
# to issue client/server EKUs — confirm with the easy-rsa setup in use).

# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
# NOTE(review): openvpn_key_size also selects the DH modulus size. 1024-bit
# DH is considered breakable (Logjam-class), so the role's default for this
# variable should be at least 2048 — confirm where it is defined.
dh dh{{ openvpn_key_size }}.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
# NOTE(review): both lines above are active: every client routes all of its
# traffic through the tunnel and is told to resolve names via the server's
# tunnel address. A resolver must be listening on 10.8.0.1, otherwise clients
# lose name resolution or fall back to a resolver outside the tunnel. IP
# forwarding and NAT for the 10.8.0.0/24 pool are handled outside this file.

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
# NOTE(review): this directive is active here. Client-to-client traffic is
# switched inside the OpenVPN process and does not traverse the host's
# kernel firewall (ufw/iptables), so one compromised client can reach every
# other client's tunnel address. Remove it unless peer-to-peer access between
# VPN clients is actually required.
client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
# NOTE(review): ta.key is a shared secret held by every client; if a client
# device is lost, rotate it on the server and all remaining clients.
tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
cipher {{ openvpn_cipher }}
auth {{ openvpn_auth_digest }}
# NOTE(review): cipher and digest come from role variables; avoid the 64-bit
# block ciphers listed in the examples above (BF-CBC, DES-EDE3-CBC — SWEET32)
# and MD5/SHA1 digests. AES-256-CBC with SHA256, or an AES-GCM cipher on
# OpenVPN 2.4+, is the usual choice — confirm the variables' defaults.
# Nothing here pins the TLS control channel: consider 'tls-version-min 1.2'
# and a 'tls-cipher' list if the installed OpenVPN supports them (2.3.3+).

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
# NOTE(review): compressing attacker-influenced plaintext inside the tunnel
# enables compression-oracle attacks (VORACLE); OpenVPN now advises against
# it. 'comp-lzo no' turns compression off while keeping the framing
# compatible with clients that still carry 'comp-lzo'; dropping the directive
# entirely requires changing every client config at the same time.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
# NOTE(review): the status file lists connected clients by common name and
# real source address; keep its permissions restricted to root.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log openvpn.log
;log-append openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

--------------------------------------------------------------------------------