├── .editorconfig ├── .gitattributes ├── .gitignore ├── .prettierrc ├── .travis.yml ├── LICENSE.md ├── README.md ├── Vagrantfile ├── fetched └── empty ├── filter_plugins ├── passlib_plugin.py └── passlib_plugin.pyc ├── meta └── main.yml ├── package.json ├── playbook.yml ├── roles ├── ansible │ ├── accelerated │ │ └── tasks │ │ │ └── main.yml │ ├── facts │ │ ├── tasks │ │ │ └── main.yml │ │ └── templates │ │ │ └── hostvars.j2 │ ├── fireball │ │ └── tasks │ │ │ └── main.yml │ └── setup │ │ └── tasks │ │ └── main.yml ├── database │ ├── beanstalkd │ │ ├── defaults │ │ │ └── main.yml │ │ ├── handlers │ │ │ └── main.yml │ │ ├── tasks │ │ │ ├── configure-init.yml │ │ │ ├── configure-supervisor.yml │ │ │ ├── location.yml │ │ │ └── main.yml │ │ └── templates │ │ │ ├── default_beanstalkd.j2 │ │ │ ├── init.d_beanstalkd.j2 │ │ │ └── supervisor_conf.d_beanstalkd.conf.j2 │ ├── mongo │ │ ├── defaults │ │ │ └── main.yml │ │ ├── handlers │ │ │ └── main.yml │ │ ├── tasks │ │ │ ├── configure-backup.yml │ │ │ ├── configure-supervisor.yml │ │ │ ├── configure-systemd.yml │ │ │ ├── configure-upstart.yml │ │ │ ├── configure.yml │ │ │ ├── install-arm.yml │ │ │ ├── install.yml │ │ │ ├── location.yml │ │ │ ├── main.yml │ │ │ └── mms.yml │ │ └── templates │ │ │ ├── cron.daily_automongobackup.j2 │ │ │ ├── default_automongobackup.j2 │ │ │ ├── init_mongod.conf.j2 │ │ │ ├── mongod.conf.j2 │ │ │ ├── mongod.service.j2 │ │ │ ├── php5_conf.d_mongo.ini.j2 │ │ │ ├── sbin_automongobackup.j2 │ │ │ └── supervisor_conf.d_mongod.conf.j2 │ ├── mongodb │ │ ├── defaults │ │ │ └── main.yml │ │ ├── files │ │ │ └── sbin_automongobackup │ │ ├── handlers │ │ │ └── main.yml │ │ ├── tasks │ │ │ ├── configure-backup.yml │ │ │ ├── configure-supervisor.yml │ │ │ ├── configure-upstart.yml │ │ │ ├── install-arm.yml │ │ │ ├── install-ubuntu.yml │ │ │ ├── location.yml │ │ │ ├── main.yml │ │ │ ├── mms.yml │ │ │ └── php5.yml │ │ └── templates │ │ │ ├── cron.daily_automongobackup.j2 │ │ │ ├── default_automongobackup.j2 │ │ │ 
├── init.d_mongod.j2 │ │ │ ├── init_mongod.conf.j2 │ │ │ ├── mongod.conf.j2 │ │ │ ├── mongod.conf.orig │ │ │ ├── php5_conf.d_mongo.ini.j2 │ │ │ └── supervisor_conf.d_mongod.conf.j2 │ ├── mysql │ │ ├── defaults │ │ │ └── main.yml │ │ ├── handlers │ │ │ ├── main.yml │ │ │ ├── supervisor.yml │ │ │ └── upstart.yml │ │ ├── tasks │ │ │ ├── configure-supervisor.yml │ │ │ ├── configure-upstart.yml │ │ │ ├── location.yml │ │ │ ├── main.yml │ │ │ ├── password.yml │ │ │ └── security.yml │ │ └── templates │ │ │ ├── apparmor.d_usr.sbin.mysqld.j2 │ │ │ ├── mysql_my.cnf.j2 │ │ │ ├── mysql_seed.j2 │ │ │ ├── root_my.cnf.j2 │ │ │ └── supervisor_conf.d_mysqld.conf.j2 │ └── redis │ │ ├── defaults │ │ └── main.yml │ │ ├── files │ │ └── 14.04 │ │ │ └── redis_redis.conf │ │ ├── handlers │ │ └── main.yml │ │ ├── tasks │ │ ├── configure │ │ │ ├── configure-location.yml │ │ │ └── main.yml │ │ ├── install │ │ │ ├── install-arm.yml │ │ │ ├── install-trusty.yml │ │ │ ├── install-xenial.yml │ │ │ └── main.yml │ │ ├── main.yml │ │ └── service │ │ │ ├── main.yml │ │ │ ├── service-init.yml │ │ │ └── service-supervisor.yml │ │ └── templates │ │ ├── init.d_redis-server.j2 │ │ ├── redis_redis.conf.j2 │ │ └── supervisor_conf.d_redis-server.conf.j2 ├── multimedia │ ├── atom-shell │ │ ├── defaults │ │ │ └── main.yml │ │ └── tasks │ │ │ └── main.yml │ ├── chromium │ │ ├── defaults │ │ │ └── main.yml │ │ └── tasks │ │ │ └── main.yml │ ├── electron │ │ ├── defaults │ │ │ └── main.yml │ │ └── tasks │ │ │ └── main.yml │ ├── mplayer │ │ ├── defaults │ │ │ └── main.yml │ │ └── tasks │ │ │ └── main.yml │ ├── mpv │ │ ├── defaults │ │ │ └── main.yml │ │ └── tasks │ │ │ └── main.yml │ ├── nwjs │ │ ├── defaults │ │ │ └── main.yml │ │ └── tasks │ │ │ └── main.yml │ ├── vlc │ │ ├── defaults │ │ │ └── main.yml │ │ └── tasks │ │ │ └── main.yml │ └── youtube-dl │ │ ├── defaults │ │ └── main.yml │ │ └── tasks │ │ └── main.yml ├── networking │ ├── avahi │ │ ├── defaults │ │ │ └── main.yml │ │ ├── files │ │ │ └── 16.04 │ │ 
│ │ └── avahi_avahi-daemon.conf │ │ ├── handlers │ │ │ └── main.yml │ │ ├── tasks │ │ │ └── main.yml │ │ └── templates │ │ │ ├── avahi_avahi-daemon.conf.j2 │ │ │ ├── hosts.j2 │ │ │ ├── init.d_avahi-daemon.j2 │ │ │ └── supervisor_conf.d_avahi-daemon.conf.j2 │ ├── btsync │ │ ├── defaults │ │ │ └── main.yml │ │ ├── handlers │ │ │ └── main.yml │ │ ├── tasks │ │ │ ├── configure-supervisor.yml │ │ │ └── main.yml │ │ └── templates │ │ │ ├── btsync_debconf-default.conf.j2 │ │ │ ├── empty │ │ │ └── supervisor_conf.d_btsync.conf.j2 │ ├── cntlm │ │ ├── defaults │ │ │ └── main.yml │ │ ├── handlers │ │ │ └── main.yml │ │ ├── tasks │ │ │ └── main.yml │ │ └── templates │ │ │ └── cntlm.conf.j2 │ ├── interfaces │ │ ├── defaults │ │ │ └── main.yml │ │ ├── handlers │ │ │ └── main.yml │ │ ├── tasks │ │ │ └── main.yml │ │ └── templates │ │ │ └── network_interfaces.j2 │ ├── openvpn │ │ ├── defaults │ │ │ └── main.yml │ │ ├── handlers │ │ │ ├── init.yml │ │ │ ├── main.yml │ │ │ └── supervisor.yml │ │ ├── tasks │ │ │ ├── configure-client.yml │ │ │ ├── configure-monit.yml │ │ │ ├── configure-server.yml │ │ │ ├── configure-supervisor.yml │ │ │ ├── configure-systemd.yml │ │ │ ├── configure-upstart.yml │ │ │ ├── install-arm.yml │ │ │ ├── install-ubuntu.yml │ │ │ └── main.yml │ │ └── templates │ │ │ ├── client.conf.j2 │ │ │ ├── init.d_openvpn.j2 │ │ │ ├── init_openvpn.conf.j2 │ │ │ ├── logrotate.d_openvpn.j2 │ │ │ ├── monit_conf.d_openvpn.conf.j2 │ │ │ ├── openvpn_status.sh.j2 │ │ │ ├── server.conf.j2 │ │ │ ├── supervisor_conf.d_openvpn.conf.j2 │ │ │ ├── systemd_system_openvpn@.service.d_restart-always.conf.j2 │ │ │ ├── systemd_system_openvpn@.service.service.j2 │ │ │ └── vars.j2 │ ├── resolvconf │ │ ├── files │ │ │ └── 16.04 │ │ │ │ └── resolvconf_resolv.conf.d_head │ │ ├── tasks │ │ │ └── main.yml │ │ └── templates │ │ │ └── resolvconf_resolv.conf.d_head.j2 │ └── transmission │ │ ├── defaults │ │ └── main.yml │ │ ├── handlers │ │ └── main.yml │ │ ├── tasks │ │ ├── configure-supervisor.yml │ 
│ └── main.yml │ │ └── templates │ │ ├── supervisor_conf.d_transmission-daemon.conf.j2 │ │ └── transmission-daemon_settings.json.j2 ├── system │ ├── apcups │ │ ├── defaults │ │ │ └── main.yml │ │ ├── handlers │ │ │ └── main.yml │ │ ├── tasks │ │ │ └── main.yml │ │ └── templates │ │ │ ├── apcupsd_apcupsd.conf.j2 │ │ │ ├── apcupsd_doshutdown.j2 │ │ │ └── default_apcupsd.j2 │ ├── apt │ │ ├── defaults │ │ │ └── main.yml │ │ ├── files │ │ │ ├── 16.04 │ │ │ │ ├── apt_apt.conf.d_10periodic │ │ │ │ └── apt_sources.list │ │ │ └── 18.04 │ │ │ │ ├── apt_sources.list │ │ │ │ └── update-manager_release-upgrades │ │ ├── tasks │ │ │ └── main.yml │ │ └── templates │ │ │ ├── apt_apt.conf.d_01proxy.j2 │ │ │ ├── apt_apt.conf.d_10periodic.j2 │ │ │ ├── apt_apt.conf.d_50unattended-upgrades.j2 │ │ │ ├── apt_sources.list.j2 │ │ │ ├── apt_sources.list_arm.j2 │ │ │ ├── environment.j2 │ │ │ └── update-manager_release-upgrades.j2 │ ├── boot │ │ ├── defaults │ │ │ └── main.yml │ │ ├── tasks │ │ │ └── main.yml │ │ └── templates │ │ │ ├── default_grub.j2 │ │ │ └── default_rcS.j2 │ ├── clamav │ │ ├── defaults │ │ │ └── main.yml │ │ ├── tasks │ │ │ └── main.yml │ │ └── templates │ │ │ ├── apparmor.d_local_usr.sbin.clamd.j2 │ │ │ ├── clamscan_daily.j2 │ │ │ └── clamscan_hourly.j2 │ ├── docker │ │ ├── defaults │ │ │ └── main.yml │ │ ├── files │ │ │ ├── 14.04 │ │ │ │ └── default_docker │ │ │ ├── 16.04 │ │ │ │ └── default_docker │ │ │ └── 18.04 │ │ │ │ ├── etc_init_docker.conf │ │ │ │ ├── lib_systemd_system_docker.service │ │ │ │ └── lib_systemd_system_docker.socket │ │ ├── handlers │ │ │ └── main.yml │ │ ├── tasks │ │ │ ├── clean.yml │ │ │ ├── configure-systemd.yml │ │ │ ├── configure-upstart.yml │ │ │ ├── configure.yml │ │ │ ├── docker-compose.yml │ │ │ ├── docker-gen.yml │ │ │ ├── install.yml │ │ │ └── main.yml │ │ └── templates │ │ │ ├── default_docker.j2 │ │ │ ├── docker-gen.service.j2 │ │ │ ├── docker_daemon.json.j2 │ │ │ ├── hosts.j2 │ │ │ ├── init_docker-gen.conf.j2 │ │ │ ├── 
init_docker.conf.j2 │ │ │ ├── lib_systemd_system_docker.service.j2 │ │ │ └── lib_systemd_system_docker.socket.j2 │ ├── fail2ban │ │ ├── defaults │ │ │ └── main.yml │ │ ├── files │ │ │ └── 18.04 │ │ │ │ ├── fail2ban_fail2ban.conf │ │ │ │ └── fail2ban_jail.conf │ │ ├── handlers │ │ │ └── main.yml │ │ ├── tasks │ │ │ └── main.yml │ │ └── templates │ │ │ ├── 14.04 │ │ │ ├── fail2ban_fail2ban.conf.j2 │ │ │ └── fail2ban_jail.conf.j2 │ │ │ ├── 16.04 │ │ │ ├── fail2ban_fail2ban.conf.j2 │ │ │ └── fail2ban_jail.conf.j2 │ │ │ └── 18.04 │ │ │ ├── fail2ban_fail2ban.conf.j2 │ │ │ └── fail2ban_jail.conf.j2 │ ├── graphics │ │ ├── defaults │ │ │ └── main.yml │ │ ├── tasks │ │ │ ├── amd.yml │ │ │ ├── intel.yml │ │ │ ├── main.yml │ │ │ └── nvidia.yml │ │ └── templates │ │ │ ├── intel_X11_xorg.conf.j2 │ │ │ └── xorg.conf.d_20-intel.conf.j2 │ ├── journald │ │ ├── defaults │ │ │ └── main.yml │ │ ├── files │ │ │ └── 18.04 │ │ │ │ └── journald.conf │ │ ├── handlers │ │ │ └── main.yml │ │ ├── tasks │ │ │ └── main.yml │ │ └── templates │ │ │ └── systemd_journald.conf.j2 │ ├── kaspersky │ │ ├── defaults │ │ │ └── main.yml │ │ ├── handlers │ │ │ └── main.yml │ │ ├── tasks │ │ │ ├── install.yml │ │ │ ├── main.yml │ │ │ └── stats.yml │ │ └── templates │ │ │ ├── answers.txt.j2 │ │ │ ├── apparmor.d_local_usr.sbin.clamd.j2 │ │ │ ├── clamscan_daily.j2 │ │ │ └── clamscan_hourly.j2 │ ├── mediainfo │ │ └── tasks │ │ │ └── main.yml │ ├── metricbeat │ │ ├── defaults │ │ │ └── main.yml │ │ ├── files │ │ │ ├── metricbeat.template.json │ │ │ └── metricbeat_metricbeat.yml │ │ ├── handlers │ │ │ └── main.yml │ │ ├── tasks │ │ │ ├── configure-monit.yml │ │ │ └── main.yml │ │ └── templates │ │ │ ├── metricbeat_metricbeat.yml.j2 │ │ │ └── monit_conf.d_metricbeat.conf.j2 │ ├── ntp │ │ ├── handlers │ │ │ └── main.yml │ │ ├── tasks │ │ │ └── main.yml │ │ └── templates │ │ │ └── ntp.j2 │ ├── packetbeat │ │ ├── defaults │ │ │ └── main.yml │ │ ├── files │ │ │ └── packetbeat.template.json │ │ ├── handlers │ │ │ └── 
main.yml │ │ ├── tasks │ │ │ ├── configure-monit.yml │ │ │ └── main.yml │ │ └── templates │ │ │ ├── monit_conf.d_packetbeat.conf.j2 │ │ │ └── packetbeat_packetbeat.yml.j2 │ ├── ssh │ │ ├── defaults │ │ │ └── main.yml │ │ ├── files │ │ │ ├── 16.04 │ │ │ │ └── ssh_sshd_config │ │ │ └── 18.04 │ │ │ │ └── ssh_sshd_config │ │ ├── handlers │ │ │ └── main.yml │ │ ├── tasks │ │ │ └── main.yml │ │ └── templates │ │ │ ├── 16.04 │ │ │ └── ssh_sshd_config.j2 │ │ │ ├── 18.04 │ │ │ └── ssh_sshd_config.j2 │ │ │ └── authorized_keys.j2 │ ├── sudo │ │ ├── tasks │ │ │ └── main.yml │ │ └── templates │ │ │ └── sudoers.d_sudo.j2 │ ├── td-agent │ │ ├── defaults │ │ │ └── main.yml │ │ ├── files │ │ │ └── GPG-KEY-td-agent │ │ ├── handlers │ │ │ └── main.yml │ │ ├── tasks │ │ │ ├── configure-monit.yml │ │ │ └── main.yml │ │ └── templates │ │ │ ├── monit_conf.d_td-agent.conf.j2 │ │ │ ├── td-agent_td-agent.conf.j2 │ │ │ ├── td-agent_td-agent.conf.orig │ │ │ └── td-agent_td-agent.test.conf.j2 │ ├── telegraf │ │ ├── defaults │ │ │ └── main.yml │ │ ├── files │ │ │ ├── systemd_system_multi-user.target.wants_telegraf.service │ │ │ └── telegraf_telegraf.conf.dpkg-dist │ │ ├── handlers │ │ │ └── main.yml │ │ ├── tasks │ │ │ ├── configure.yml │ │ │ └── main.yml │ │ └── templates │ │ │ ├── sudoers.d_telegraf.j2 │ │ │ ├── telegraf_telegraf.conf.j2 │ │ │ ├── telegraf_telegraf.d_global_tags.conf.j2 │ │ │ ├── telegraf_telegraf.d_inputs_docker.conf.j2 │ │ │ ├── telegraf_telegraf.d_inputs_fail2ban.conf.j2 │ │ │ ├── telegraf_telegraf.d_inputs_http_response.conf.j2 │ │ │ ├── telegraf_telegraf.d_inputs_nginx.conf.j2 │ │ │ ├── telegraf_telegraf.d_inputs_ping.conf.j2 │ │ │ └── telegraf_telegraf.d_inputs_sensors.conf.j2 │ ├── ufw │ │ ├── defaults │ │ │ └── main.yml │ │ ├── handlers │ │ │ └── main.yml │ │ ├── tasks │ │ │ └── main.yml │ │ └── templates │ │ │ ├── authorized_keys.j2 │ │ │ └── ssh_sshd_config.j2 │ ├── vlc │ │ ├── defaults │ │ │ └── main.yml │ │ └── tasks │ │ │ └── main.yml │ └── watchdog │ │ ├── 
defaults │ │ └── main.yml │ │ ├── files │ │ ├── 14.04 │ │ │ └── watchdog.conf │ │ └── 16.04 │ │ │ ├── modprobe.d_blacklist-watchdog.conf │ │ │ ├── modprobe.d_blacklist.conf │ │ │ └── watchdog.conf │ │ ├── handlers │ │ └── main.yml │ │ ├── tasks │ │ ├── configure-softdog.yml │ │ ├── configure-tco.yml │ │ ├── configure.yml │ │ └── main.yml │ │ └── templates │ │ ├── default_watchdog.j2 │ │ ├── modprobe.d_blacklist-watchdog.conf.j2 │ │ ├── modprobe.d_blacklist.conf.j2 │ │ ├── modprobe.d_watchdog.conf.j2 │ │ ├── modules-load.d_watchdog.conf.j2 │ │ ├── systemd_system_watchdog.service.j2 │ │ └── watchdog.conf.j2 └── web │ ├── apache2 │ ├── defaults │ │ └── main.yml │ ├── handlers │ │ └── main.yml │ ├── tasks │ │ ├── location.yml │ │ └── main.yml │ └── templates │ │ ├── bp_cors.conf.j2 │ │ ├── bp_deflate.conf.j2 │ │ ├── bp_headers.conf.j2 │ │ ├── bp_mime.conf.j2 │ │ ├── bp_rewrite.conf.j2 │ │ ├── bp_security.conf.j2 │ │ ├── envvars.j2 │ │ └── ports.conf.j2 │ ├── iojs │ ├── defaults │ │ └── main.yml │ ├── handlers │ │ └── main.yml │ ├── tasks │ │ ├── configure-supervisor.yml │ │ ├── install-armv7l.yml │ │ ├── install-raspberry.yml │ │ ├── install-ubuntu.yml │ │ └── main.yml │ └── templates │ │ └── supervisor_conf.d_node.conf.j2 │ ├── nginx │ ├── defaults │ │ └── main.yml │ ├── files │ │ └── docker-gen_nginx.tmpl │ ├── handlers │ │ ├── init.yml │ │ ├── main.yml │ │ └── supervisor.yml │ ├── tasks │ │ ├── configure-docker-gen.yml │ │ ├── configure-init.yml │ │ ├── configure-supervisor.yml │ │ ├── location.yml │ │ └── main.yml │ └── templates │ │ ├── docker-gen_nginx.tmpl.j2 │ │ ├── init.d_nginx.j2 │ │ ├── nginx_nginx.base.conf.j2 │ │ ├── nginx_nginx.conf.j2 │ │ ├── nginx_sites-available_default-php5.j2 │ │ ├── nginx_sites-available_default.base.j2 │ │ ├── nginx_sites-available_no-default.j2 │ │ ├── nginx_sites-available_nodejs-webapp.j2 │ │ ├── supervisor_conf.d_docker-gen.conf.j2 │ │ └── supervisor_conf.d_nginx.conf.j2 │ ├── nodejs │ ├── defaults │ │ └── main.yml │ ├── 
handlers │ │ └── main.yml │ ├── tasks │ │ ├── configure-supervisor.yml │ │ ├── install-armv7l.yml │ │ ├── install-raspberry.yml │ │ ├── install-ubuntu.yml │ │ ├── install-yarn.yml │ │ └── main.yml │ └── templates │ │ └── supervisor_conf.d_node.conf.j2 │ ├── php5 │ ├── defaults │ │ └── main.yml │ ├── handlers │ │ └── main.yml │ ├── tasks │ │ ├── configure-apache.yml │ │ ├── configure-cli.yml │ │ ├── configure-fpm.yml │ │ ├── configure-supervisor.yml │ │ └── main.yml │ └── templates │ │ ├── apache2_php.ini.j2 │ │ ├── cli_php.ini.j2 │ │ ├── init_php5-fpm.conf.j2 │ │ ├── php5_fpm_php.ini.j2 │ │ ├── php5_fpm_pool.d_www.conf.j2 │ │ └── supervisor_conf.d_php5-fpm.conf.j2 │ └── varnish │ ├── defaults │ └── main.yml │ ├── handlers │ └── main.yml │ ├── tasks │ ├── configure-init.yml │ ├── configure-supervisor.yml │ ├── location.yml │ └── main.yml │ └── templates │ ├── default_varnish.j2 │ ├── docker-gen_nginx.tmpl.j2 │ ├── init.d_varnish.j2 │ ├── supervisor_conf.d_varnishd.conf.j2 │ └── varnish_default.vcl.j2 └── vagrant_inventory /.editorconfig: -------------------------------------------------------------------------------- 1 | # EditorConfig helps developers define and maintain consistent 2 | # coding styles between different editors and IDEs 3 | # editorconfig.org 4 | 5 | root = true 6 | 7 | 8 | [*] 9 | 10 | # Change these settings to your own preference 11 | indent_style = space 12 | indent_size = 2 13 | 14 | # We recommend you to keep these unchanged 15 | end_of_line = lf 16 | charset = utf-8 17 | trim_trailing_whitespace = true 18 | insert_final_newline = true 19 | 20 | [*.md] 21 | trim_trailing_whitespace = false 22 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | * text=auto 2 | -------------------------------------------------------------------------------- /.gitignore: 
-------------------------------------------------------------------------------- 1 | .dev/ 2 | .tmp/ 3 | .vagrant/ 4 | group_vars/ 5 | fetched/ 6 | vars/ 7 | .DS_Store 8 | *.sublime-project 9 | *.sublime-workspace 10 | node_modules/ 11 | docker_inventory 12 | inventory 13 | inventories/ 14 | !.gitignore 15 | *.retry 16 | -------------------------------------------------------------------------------- /.prettierrc: -------------------------------------------------------------------------------- 1 | { 2 | "bracketSpacing": false, 3 | "printWidth": 120, 4 | "semi": true, 5 | "singleQuote": true 6 | } 7 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: python 2 | python: "2.7" 3 | 4 | before_install: 5 | - sudo apt-get update -qq 6 | - sudo apt-get install -qq python-apt python-pycurl 7 | 8 | install: 9 | - pip install ansible 10 | 11 | before_script: 12 | - date --rfc-2822 13 | 14 | script: 15 | - echo 'default ansible_ssh_host=127.0.0.1' > travis_inventory 16 | - ansible-playbook --syntax-check -i travis_inventory playbook.yml 17 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | The MIT License 2 | 3 | Copyright (c) 2013-2014 Olivier Louvignes http://olouv.com 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in 13 
| all copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | THE SOFTWARE. 22 | -------------------------------------------------------------------------------- /fetched/empty: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgcrea/ansible-web-playbooks/4365076c2698d4b61b8f772b3557430e098ef8fd/fetched/empty -------------------------------------------------------------------------------- /filter_plugins/passlib_plugin.py: -------------------------------------------------------------------------------- 1 | # this ansible/jinja2 filter plugin allows you to use passlib's *_crypt functions 2 | # until ansible 2.0 comes out - see https://github.com/ansible/ansible/issues/11244. 3 | # 4 | # this filter depends on passlib being installed: 5 | # $ pip install passlib 6 | # 7 | # put this into your playbook's `filter_plugins` folder. 
8 | # 9 | # usage example: 10 | # - name: create user 11 | # user: 12 | # name: username 13 | # password: "{{ user_password | passlib_hash('sha512', user_salt) }}" 14 | 15 | from ansible import errors 16 | 17 | try: 18 | import passlib 19 | except Exception, e: 20 | raise errors.AnsibleFilterError('passlib package is not installed') 21 | 22 | def passlib_hash(pw, alg = 'sha512', salt = None, rounds = None, implicit_rounds = None, relaxed = None): 23 | return crypt_method(alg).encrypt(pw, salt = salt, rounds = rounds, implicit_rounds = implicit_rounds, relaxed = relaxed) 24 | 25 | def crypt_method(alg): 26 | return getattr(passlib.hash, alg + '_crypt') 27 | 28 | class FilterModule(object): 29 | def filters(self): 30 | return { 31 | 'passlib_hash' : passlib_hash 32 | } 33 | -------------------------------------------------------------------------------- /filter_plugins/passlib_plugin.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgcrea/ansible-web-playbooks/4365076c2698d4b61b8f772b3557430e098ef8fd/filter_plugins/passlib_plugin.pyc -------------------------------------------------------------------------------- /meta/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | galaxy_info: 3 | author: Olivier Louvignes 4 | description: Set of playbook roles to orchestrate your web servers, powered by Ansible. 5 | license: MIT 6 | min_ansible_version: 1.2 7 | platforms: 8 | - name: Ubuntu 9 | versions: 10 | - precise 11 | - raring 12 | - saucy 13 | - trusty 14 | categories: 15 | - web 16 | - database 17 | - development 18 | - packaging 19 | - system 20 | dependencies: [] 21 | # List your role dependencies here, one per line. Only 22 | # dependencies available via galaxy should be listed here. 23 | # Be sure to remove the '[]' above if you add dependencies 24 | # to this list. 
25 | 26 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "ansible-web-playbooks", 3 | "description": "Playbook roles for the web, modern server orchestration powered by Ansible", 4 | "version": "0.5.8", 5 | "keywords": [ 6 | "ansible", 7 | "playbook", 8 | "server", 9 | "web", 10 | "ubuntu", 11 | "bootstrap" 12 | ], 13 | "homepage": "http://mgcrea.github.io/ansible-web-playbooks", 14 | "bugs": "https://github.com/mgcrea/ansible-web-playbooks/issues", 15 | "author": { 16 | "name": "Olivier Louvignes", 17 | "email": "olivier@mg-crea.com", 18 | "url": "https://github.com/mgcrea" 19 | }, 20 | "repository": { 21 | "type": "git", 22 | "url": "https://github.com/mgcrea/ansible-web-playbooks.git" 23 | }, 24 | "licenses": [ 25 | { 26 | "type": "MIT" 27 | } 28 | ], 29 | "dependencies": {}, 30 | "devDependencies": {}, 31 | "engines": { 32 | "node": ">=0.8.0" 33 | }, 34 | "scripts": { 35 | "test": "ansible-playbook -i vagrant_ansible_inventory_default playbook.yml" 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /roles/ansible/accelerated/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: Ansible/Accelerated 5 | 6 | 7 | ## Install 8 | - name: Accelerated | Install required packages 9 | apt: name={{ item }} state=latest 10 | with_items: 11 | - python-software-properties 12 | - python-pip 13 | - name: Accelerated | Install keyczar 14 | pip: name=python-keyczar state=present 15 | when: ansible_distribution_release == 'precise' 16 | - name: Accelerated | Install keyczar pre 17 | pip: name=python-keyczar state=present extra_args=--pre 18 | when: ansible_distribution_release == 'trusty' 19 | - name: Accelerated | Open port for keyczar 20 | command: ufw allow 5099/tcp 21 | 
ignore_errors: True 22 | when: ansible_distribution == 'Ubuntu' 23 | -------------------------------------------------------------------------------- /roles/ansible/facts/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: Ansible/Facts 5 | 6 | 7 | ## Fetch facts 8 | - name: Facts | Generate facts 9 | template: src=hostvars.j2 dest=/tmp/facts.json 10 | - name: Facts | Fetch facts 11 | fetch: src=/tmp/facts.json dest={{ ansible_fetched_base }}/facts.json flat=yes 12 | - name: Facts | Generate lspci 13 | shell: lspci > /tmp/lspci.txt 14 | ignore_errors: yes 15 | - name: Facts | Fetch lspci 16 | fetch: src=/tmp/lspci.txt dest={{ ansible_fetched_base }}/lspci.txt flat=yes 17 | ignore_errors: yes 18 | - name: Facts | Generate xrandr 19 | shell: DISPLAY=:0 xrandr > /tmp/xrandr.txt 20 | ignore_errors: yes 21 | - name: Facts | Fetch xrandr 22 | fetch: src=/tmp/xrandr.txt dest={{ ansible_fetched_base }}/xrandr.txt flat=yes 23 | ignore_errors: yes 24 | - name: Facts | Generate last 25 | shell: last -xF > /tmp/last.txt 26 | ignore_errors: yes 27 | - name: Facts | Fetch last 28 | fetch: src=/tmp/last.txt dest={{ ansible_fetched_base }}/last.txt flat=yes 29 | ignore_errors: yes 30 | - name: Facts | Fetch xorg 31 | fetch: src=/etc/X11/xorg.conf dest={{ ansible_fetched_base }}/xorg.conf flat=yes fail_on_missing=no 32 | ignore_errors: yes 33 | -------------------------------------------------------------------------------- /roles/ansible/facts/templates/hostvars.j2: -------------------------------------------------------------------------------- 1 | {{ hostvars[inventory_hostname] | to_nice_json | safe }} 2 | -------------------------------------------------------------------------------- /roles/ansible/fireball/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: 
Ansible/Fireball 5 | 6 | 7 | ## Install 8 | - name: Fireball | Install required packages 9 | apt: name={{ item }} state=latest 10 | with_items: 11 | - python-software-properties 12 | - python-pip 13 | - name: Fireball | Install keyczar 14 | pip: name=python-keyczar state=present 15 | when: ansible_distribution_release == 'precise' 16 | - name: Fireball | Install keyczar pre 17 | pip: name=python-keyczar state=present extra_args=--pre 18 | when: ansible_distribution_release == 'trusty' 19 | 20 | ## Install ZeroMQ 21 | - name: Fireball | Install ZeroMQ ppa key 22 | apt_key: id=C7917B12 url=http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xB9316A7BC7917B12 state=present 23 | - name: Fireball | Install ZeroMQ ppa 24 | apt_repository: repo=ppa:chris-lea/zeromq state=present 25 | - name: Fireball | Install ZeroMQ 26 | apt: name={{ item }} state=latest 27 | with_items: 28 | - libzmq1 29 | - libzmq-dev 30 | - python-zmq 31 | - name: Fireball | Open port for ZeroMQ 32 | command: ufw allow 5099/tcp 33 | ignore_errors: True 34 | -------------------------------------------------------------------------------- /roles/ansible/setup/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: Ansible/Setup 5 | 6 | 7 | ## Install 8 | - name: Setup | Update aptitude 9 | apt: update_cache=yes cache_valid_time=3600 10 | tags: apt_update 11 | 12 | - name: Setup | Install ansible required packages 13 | apt: name={{ item }} state=latest 14 | with_items: 15 | - libffi-dev 16 | - libssl-dev 17 | - python-apt 18 | - python-dev 19 | - python-pip 20 | - python-pycurl 21 | - python-software-properties 22 | - python-setuptools 23 | 24 | - name: Setup | Upgrade pip 25 | command: python -m pip install -U pip 26 | 27 | - name: Setup | Install SNI verification related python modules 28 | ignore_errors: True 29 | pip: name={{ item }} state=latest 30 | when: ansible_distribution == 'Ubuntu' and 
ansible_distribution_major_version|int == 14 31 | with_items: 32 | - setuptools 33 | - requests[security] 34 | 35 | - name: Setup | Install ansible locally 36 | ignore_errors: True 37 | pip: name={{ item }} state=latest 38 | # extra_args="--proxy http://{{ pip_proxy }}" 39 | with_items: 40 | - ansible 41 | 42 | - name: Setup | Install ansible locally 43 | shell: mkdir /etc/ansible; echo 'localhost ansible_connection=local' > /etc/ansible/hosts 44 | creates=/etc/ansible/hosts 45 | -------------------------------------------------------------------------------- /roles/database/beanstalkd/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: Beanstalkd 5 | 6 | 7 | # Aptitude state 8 | beanstalkd_apt_state: "latest" 9 | 10 | # Network configuration 11 | beanstalkd_bind_address: "127.0.0.1" 12 | beanstalkd_port: 11300 13 | 14 | # User and group 15 | beanstalkd_user: "beanstalkd" 16 | beanstalkd_group: "beanstalkd" 17 | 18 | # Default base directory (without trailing '/') 19 | beanstalkd_path: "/var/lib/beanstalkd" 20 | -------------------------------------------------------------------------------- /roles/database/beanstalkd/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: handler 4 | # Part: Beanstalkd 5 | 6 | 7 | - name: start beanstalkd 8 | service: name=beanstalkd state=started 9 | 10 | - name: restart beanstalkd 11 | service: name=beanstalkd state=restarted 12 | -------------------------------------------------------------------------------- /roles/database/beanstalkd/tasks/configure-init.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Beanstalkd | Backup configuration 4 | shell: creates=/etc/default/beanstalkd.orig cp /etc/default/beanstalkd /etc/default/beanstalkd.orig 5 | register: result 6 | - fetch: 
src=/etc/default/beanstalkd.orig dest=fetched 7 | when: result|changed 8 | - name: Beanstalkd | Deploy configuration 9 | template: src=default_beanstalkd.j2 dest=/etc/default/beanstalkd owner=root mode=0644 backup=yes 10 | notify: restart beanstalkd 11 | register: result 12 | - fetch: src=/etc/default/beanstalkd dest=fetched 13 | when: result|changed 14 | 15 | - name: Beanstalkd | Check service daemon 16 | service: name=beanstalkd state=started 17 | -------------------------------------------------------------------------------- /roles/database/beanstalkd/tasks/configure-supervisor.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: configure-supervisor.yml 3 | # Type: task 4 | # Part: Beanstalkd 5 | 6 | - name: Beanstalkd | Deploy supervisor service configuration 7 | template: src=supervisor_conf.d_beanstalkd.conf.j2 dest=/etc/supervisor/conf.d/beanstalkd.conf owner=root group=root mode=0644 backup=no 8 | notify: restart beanstalkd 9 | register: result 10 | - name: Beanstalkd | Reread supervisor 11 | shell: supervisorctl reload 12 | when: result|changed 13 | 14 | - name: Beanstalkd | Check service daemon 15 | supervisorctl: name=program:beanstalkd state=started config=/etc/supervisor/supervisord.conf 16 | -------------------------------------------------------------------------------- /roles/database/beanstalkd/tasks/location.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: location.yml 3 | # Type: task 4 | # Part: Beanstalkd 5 | 6 | 7 | ## Setup custom location 8 | - name: Beanstalkd | Setup directory 9 | file: state=directory dest={{ beanstalkd_path }} mode=700 owner={{ beanstalkd_user }} group={{ beanstalkd_group }} 10 | - name: Beanstalkd | Move databases 11 | shell: service beanstalkd stop; cp -rf /var/lib/beanstalkd/* {{ beanstalkd_path }}; touch {{ beanstalkd_path }}/.ansible; chown -R {{ beanstalkd_user }}:{{ beanstalkd_group }} {{ beanstalkd_path 
}}; rm -rf /var/lib/beanstalkd 12 | creates={{ beanstalkd_path }}/.ansible 13 | - name: Beanstalkd | Link databases 14 | file: state=link src={{ beanstalkd_path }} path=/var/lib/beanstalkd force=yes 15 | notify: restart beanstalkd 16 | -------------------------------------------------------------------------------- /roles/database/beanstalkd/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: Beanstalkd 5 | 6 | 7 | ## Install 8 | - name: Beanstalkd | Install package 9 | apt: name=beanstalkd state={{ beanstalkd_apt_state }} 10 | notify: restart beanstalkd 11 | 12 | ## Setup custom location 13 | - include: location.yml 14 | when: "'{{ beanstalkd_path }}' != '/var/lib/beanstalkd'" 15 | 16 | ## Configure service 17 | - include: configure-init.yml 18 | when: not docker 19 | - include: configure-supervisor.yml 20 | when: docker 21 | -------------------------------------------------------------------------------- /roles/database/beanstalkd/templates/default_beanstalkd.j2: -------------------------------------------------------------------------------- 1 | ## Defaults for the beanstalkd init script, /etc/init.d/beanstalkd on 2 | ## Debian systems. Append ``-b /var/lib/beanstalkd'' for persistent 3 | ## storage. Note: the listen address and port below are literal values, not the beanstalkd_bind_address / beanstalkd_port role defaults. 4 | BEANSTALKD_LISTEN_ADDR=0.0.0.0 5 | BEANSTALKD_LISTEN_PORT=11300 6 | DAEMON_OPTS="-l $BEANSTALKD_LISTEN_ADDR -p $BEANSTALKD_LISTEN_PORT -b /var/lib/beanstalkd" 7 | 8 | ## Uncomment to enable startup during boot. 
9 | START=yes 10 | -------------------------------------------------------------------------------- /roles/database/beanstalkd/templates/supervisor_conf.d_beanstalkd.conf.j2: -------------------------------------------------------------------------------- 1 | [program:beanstalkd] 2 | command=/usr/bin/beanstalkd -l {{ beanstalkd_bind_address }} -p {{ beanstalkd_port }} 3 | environment=USER={{ beanstalkd_user }},HOME="{{ beanstalkd_path }}" 4 | user={{ beanstalkd_user }} 5 | -------------------------------------------------------------------------------- /roles/database/mongo/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: MongoDB 5 | 6 | # Aptitude state 7 | mongodb_branch: "3.2" 8 | mongodb_apt_state: "latest" 9 | mongodb_apt_flavor: "org" # org|10gen 10 | mongodb_backup: False 11 | mongodb_service: "mongod" 12 | 13 | # Network configuration 14 | mongodb_bind_address: "0.0.0.0" 15 | mongodb_port: 27017 16 | 17 | # User and group 18 | mongodb_user: "mongodb" 19 | mongodb_group: "mongodb" 20 | 21 | # Default base directory (without trailing '/') 22 | mongodb_path: "/var/lib/mongodb" 23 | 24 | # MMS monitoring agent API key 25 | mms_version: "2.5.0.116-1" 26 | mms_sha256: "fe725989068d710059c8b4d2d3d58fd298f88e27c8dbfd85ca2e6eba8c5031e1" 27 | mms_api_key: "" 28 | -------------------------------------------------------------------------------- /roles/database/mongo/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: handler 4 | # Part: MongoDB 5 | 6 | - name: start mongod 7 | service: name={{ mongodb_service }} state=started 8 | - name: reload mongod 9 | service: name={{ mongodb_service }} state=reloaded 10 | - name: restart mongod 11 | service: name={{ mongodb_service }} state=restarted 12 | 
-------------------------------------------------------------------------------- /roles/database/mongo/tasks/configure-backup.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: configure-backup.yml 3 | # Type: task 4 | # Part: MongoDB 5 | 6 | - name: MongoDB | Deploy backup crontab 7 | template: src=cron.daily_automongobackup.j2 dest=/etc/cron.daily/automongobackup owner=root group=root mode=0644 8 | - name: MongoDB | Deploy backup defaults 9 | template: src=default_automongobackup.j2 dest=/etc/default/automongobackup owner=root group=root mode=0644 10 | - name: MongoDB | Deploy backup script 11 | copy: src=sbin_automongobackup dest=/usr/sbin/automongobackup owner=root group=root mode=0755 12 | -------------------------------------------------------------------------------- /roles/database/mongo/tasks/configure-supervisor.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: configure-supervisor.yml 3 | # Type: task 4 | # Part: MongoDB 5 | 6 | - name: MongoDB | Deploy supervisor service configuration 7 | template: src=supervisor_conf.d_mongod.conf.j2 dest=/etc/supervisor/conf.d/{{ mongodb_service }}.conf owner=root group=root mode=0644 backup=no 8 | register: result 9 | - name: MongoDB | Reread supervisor 10 | shell: supervisorctl reload 11 | when: result|changed 12 | 13 | ## Check service 14 | - name: MongoDB | Check service daemon 15 | supervisorctl: name=program:mongod state=started config=/etc/supervisor/supervisord.conf 16 | -------------------------------------------------------------------------------- /roles/database/mongo/tasks/configure-systemd.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: configure-systemd.yml 3 | # Type: task 4 | # Part: MongoDB 5 | 6 | # - name: MongoDB | Backup service configuration 7 | # command: cp /lib/systemd/system/{{ mongodb_service }}.service /var/backups/{{ 
mongodb_service }}.service.bak 8 | # args: 9 | # creates: /var/backups/{{ mongodb_service }}.service.bak 10 | # register: result 11 | # - fetch: src=/var/backups/{{ mongodb_service }}.service.bak dest=fetched 12 | # when: result|changed 13 | - name: MongoDB | Deploy systemd service configuration 14 | template: src=mongod.service.j2 dest=/etc/systemd/system/{{ mongodb_service }}.service owner=root group=root mode=0644 backup=no 15 | notify: restart mongod 16 | register: result 17 | - fetch: src=/etc/systemd/system/{{ mongodb_service }}.service dest=fetched 18 | when: result|changed 19 | -------------------------------------------------------------------------------- /roles/database/mongo/tasks/configure-upstart.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: configure-upstart.yml 3 | # Type: task 4 | # Part: MongoDB 5 | 6 | - name: MongoDB | Backup service configuration 7 | command: cp /etc/init/{{ mongodb_service }}.conf /var/backups/{{ mongodb_service }}.conf.bak owner=root group=root mode=0644 8 | args: 9 | creates: /var/backups/{{ mongodb_service }}.conf.bak 10 | register: result 11 | - fetch: src=/var/backups/{{ mongodb_service }}.conf dest=fetched 12 | when: result|changed 13 | - name: MongoDB | Deploy upstart service configuration 14 | template: src=init_mongod.conf.j2 dest=/etc/init/{{ mongodb_service }}.conf owner=root group=root mode=0755 backup=no 15 | notify: restart mongod 16 | register: result 17 | - fetch: src=/etc/init/{{ mongodb_service }}.conf dest=fetched 18 | when: result|changed 19 | -------------------------------------------------------------------------------- /roles/database/mongo/tasks/configure.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: MongoDB 5 | 6 | ## Backup 7 | - name: MongoDB | Backup configuration 8 | shell: cp /etc/{{ mongodb_service }}.conf /var/backups/{{ mongodb_service 
}}.conf.bak 9 | args: 10 | creates: /var/backups/{{ mongodb_service }}.conf.bak 11 | ignore_errors: True 12 | register: result 13 | - fetch: src=/var/backups/{{ mongodb_service }}.conf.bak dest={{ ansible_fetched_base }} 14 | when: result|changed 15 | 16 | ## Configure 17 | - name: MongoDB | Ensure log folder exists 18 | file: path=/var/log/mongodb state=directory owner={{ mongodb_user }} group={{ mongodb_group }} mode=0755 19 | - name: MongoDB | Deploy configuration 20 | template: src=mongod.conf.j2 dest=/etc/{{ mongodb_service }}.conf owner=root group=root mode=0644 21 | notify: restart mongod 22 | register: result 23 | - fetch: src=/etc/{{ mongodb_service }}.conf dest={{ ansible_fetched_base }} 24 | when: result|changed 25 | 26 | ## Setup custom location 27 | - include: location.yml 28 | when: "'{{ mongodb_path }}' != '/var/lib/mongodb'" 29 | -------------------------------------------------------------------------------- /roles/database/mongo/tasks/install-arm.yml: -------------------------------------------------------------------------------- 1 | 2 | - set_fact: mongodb_service="mongodb" 3 | - name: MongoDB | Install package 4 | apt: name=mongodb state={{ mongodb_apt_state }} force=yes 5 | notify: restart mongod 6 | -------------------------------------------------------------------------------- /roles/database/mongo/tasks/install.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: MongoDB 5 | 6 | ## Install 7 | - name: MongoDB | Install ppa key 8 | apt_key: keyserver=keyserver.ubuntu.com id=EA312927 9 | - name: MongoDB | Install ppa 10 | apt_repository: repo='deb http://repo.mongodb.org/apt/ubuntu {{ ansible_distribution_release }}/mongodb-org/{{ mongodb_branch }} multiverse' state=present 11 | - name: MongoDB | Install package 12 | apt: name=mongodb-org state={{ mongodb_apt_state }} force=yes 13 | notify: restart mongod 14 | 
-------------------------------------------------------------------------------- /roles/database/mongo/tasks/location.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: location.yml 3 | # Type: task 4 | # Part: MongoDB 5 | 6 | ## Setup custom location 7 | - name: MongoDB | Setup directory 8 | file: state=directory dest={{ mongodb_path }} mode=700 owner={{ mongodb_user }} group={{ mongodb_group }} 9 | - name: MongoDB | Move databases 10 | shell: service mongodb stop; cp -rf /var/lib/mongodb/* {{ mongodb_path }}; touch {{ mongodb_path }}/.ansible; chown -R {{ mongodb_user }}:{{ mongodb_group }} {{ mongodb_path }}; rm -rf /var/lib/mongodb 11 | creates={{ mongodb_path }}/.ansible 12 | - name: MongoDB | Link databases 13 | file: state=link src={{ mongodb_path }} path=/var/lib/mongodb force=yes 14 | notify: restart mongod 15 | -------------------------------------------------------------------------------- /roles/database/mongo/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: Mongo 5 | 6 | - name: MongoDB | Check system 7 | fail: msg="Only Ubuntu is supported" 8 | when: ansible_distribution != 'Ubuntu' or ansible_distribution_major_version|int < 14 9 | 10 | ## Install 11 | - include: install.yml 12 | when: ansible_architecture == "x86_64" 13 | - include: install-arm.yml 14 | when: "'arm' in ansible_architecture" 15 | 16 | ## Configure 17 | - include: configure.yml 18 | when: ansible_architecture == "x86_64" 19 | 20 | ## Configure service 21 | - include: configure-systemd.yml 22 | when: ansible_architecture == "x86_64" and not docker and ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int >= 16 23 | # - include: configure-upstart.yml 24 | # when: not docker and ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int <= 14 25 | # - include: configure-supervisor.yml 26 | # 
when: docker 27 | 28 | ## Check service 29 | - name: MongoDB | Check service daemon 30 | service: name={{ mongodb_service }} state=started enabled=yes 31 | -------------------------------------------------------------------------------- /roles/database/mongo/tasks/mms.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: mms.yml 3 | # Type: task 4 | # Part: MongoDB 5 | 6 | 7 | ## Install MMS monitoring 8 | - name: MongoDB | Monitoring | Fetch package 9 | action: get_url url=https://mms.mongodb.com/download/agent/monitoring/mongodb-mms-monitoring-agent_{{ mms_version }}_amd64.deb dest=/tmp 10 | sha256sum={{ mms_sha256 }} 11 | register: result 12 | - name: MongoDB | Monitoring | Install package 13 | shell: dpkg -i mongodb-mms-monitoring-agent_{{ mms_version }}_amd64.deb 14 | when: result|changed 15 | # - name: MongoDB | Monitoring | Deploy configuration 16 | # template: src=php5_conf.d_mongo.ini.j2 dest=/etc/php5/conf.d/20-mongo.ini owner=root mode=0644 17 | # notify: restart apache2 18 | 19 | -------------------------------------------------------------------------------- /roles/database/mongo/templates/cron.daily_automongobackup.j2: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | test -x /usr/sbin/automongobackup || exit 0 3 | /usr/sbin/automongobackup 4 | -------------------------------------------------------------------------------- /roles/database/mongo/templates/default_automongobackup.j2: -------------------------------------------------------------------------------- 1 | # Username to access the mongo server e.g. dbuser 2 | # Unnecessary if authentication is off 3 | USERNAME="" 4 | 5 | # Password to access the mongo server e.g. 
password 6 | # Unnecessary if authentication is off 7 | PASSWORD="" 8 | 9 | # Host name (or IP address) of mongo server e.g localhost 10 | DBHOST=127.0.0.1 11 | 12 | # Backup directory location e.g /backups 13 | BACKUPDIR="/srv/data/backups/mongodb" 14 | 15 | # Mail setup 16 | # What would you like to be mailed to you? 17 | # - log : send only log file 18 | # - files : send log file and sql files as attachments (see docs) 19 | # - stdout : will simply output the log to the screen if run manually. 20 | # - quiet : Only send logs if an error occurs to the MAILADDR. 21 | MAILCONTENT="log" 22 | 23 | # Set the maximum allowed email size in k. (4000 = approx 5MB email [see docs]) 24 | MAXATTSIZE="4000" 25 | 26 | # Email Address to send mail to? (user@domain.com) 27 | #MAILADDR=XXX 28 | 29 | 30 | # ============================================================ 31 | # === ADVANCED OPTIONS ( Read the doc's below for details )=== 32 | #============================================================= 33 | 34 | # Which day do you want weekly backups? (1 to 7 where 1 is Monday) 35 | DOWEEKLY=6 36 | 37 | # Command to run before backups (uncomment to use) 38 | #PREBACKUP="/etc/mongo-backup-pre" 39 | 40 | # Command run after backups (uncomment to use) 41 | #POSTBACKUP="/etc/mongo-backup-post" 42 | -------------------------------------------------------------------------------- /roles/database/mongo/templates/mongod.conf.j2: -------------------------------------------------------------------------------- 1 | # mongod.conf 2 | 3 | # for documentation of all options, see: 4 | # http://docs.mongodb.org/manual/reference/configuration-options/ 5 | 6 | # Where and how to store data. 7 | storage: 8 | dbPath: /var/lib/mongodb 9 | journal: 10 | enabled: true 11 | # engine: 12 | # mmapv1: 13 | # wiredTiger: 14 | 15 | # where to write logging data. 
16 | systemLog: 17 | destination: file 18 | logAppend: true 19 | path: /var/log/mongodb/mongod.log 20 | 21 | # network interfaces 22 | net: 23 | port: 27017 24 | bindIp: 127.0.0.1 25 | 26 | 27 | #processManagement: 28 | 29 | #security: 30 | 31 | #operationProfiling: 32 | 33 | #replication: 34 | 35 | #sharding: 36 | 37 | ## Enterprise-Only Options: 38 | 39 | #auditLog: 40 | 41 | #snmp: 42 | -------------------------------------------------------------------------------- /roles/database/mongo/templates/mongod.service.j2: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=High-performance, schema-free document-oriented database 3 | After=network.target 4 | Documentation=https://docs.mongodb.org/manual 5 | 6 | [Service] 7 | User=mongodb 8 | Group=mongodb 9 | ExecStart=/usr/bin/mongod --quiet --config /etc/mongod.conf 10 | LimitFSIZE=infinity # file size 11 | LimitCPU=infinity # cpu time 12 | LimitAS=infinity # virtual memory size 13 | LimitNOFILE=64000 # open files 14 | LimitNPROC=64000 # processes/threads 15 | TasksMax=infinity # total threads (user+kernel) 16 | TasksAccounting=false 17 | # Recommended limits for mongod as specified in 18 | # http://docs.mongodb.org/manual/reference/ulimit/#recommended-settings 19 | 20 | [Install] 21 | WantedBy=multi-user.target 22 | -------------------------------------------------------------------------------- /roles/database/mongo/templates/php5_conf.d_mongo.ini.j2: -------------------------------------------------------------------------------- 1 | ; Ansible managed 2 | 3 | extension=mongo.so 4 | -------------------------------------------------------------------------------- /roles/database/mongo/templates/supervisor_conf.d_mongod.conf.j2: -------------------------------------------------------------------------------- 1 | [program:mongod] 2 | command=/usr/bin/mongod --config /etc/{{ mongodb_service }}.conf 3 | environment=USER={{ mongodb_user }},HOME="{{ mongodb_path 
}}" 4 | user={{ mongodb_user }} 5 | -------------------------------------------------------------------------------- /roles/database/mongodb/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: MongoDB 5 | 6 | # Aptitude state 7 | mongodb_apt_state: "latest" 8 | mongodb_apt_flavor: "org" # org|10gen 9 | mongodb_backup: False 10 | 11 | # Network configuration 12 | mongodb_bind_address: "0.0.0.0" 13 | mongodb_port: 27017 14 | 15 | # User and group 16 | mongodb_user: "mongodb" 17 | mongodb_group: "mongodb" 18 | 19 | # Default base directory (without trailing '/') 20 | mongodb_path: "/var/lib/mongodb" 21 | 22 | # MMS monitoring agent API key 23 | mms_version: "2.5.0.116-1" 24 | mms_sha256: "fe725989068d710059c8b4d2d3d58fd298f88e27c8dbfd85ca2e6eba8c5031e1" 25 | mms_api_key: "" 26 | -------------------------------------------------------------------------------- /roles/database/mongodb/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: handler 4 | # Part: MongoDB 5 | 6 | - name: start mongod 7 | service: name={{ mongodb_service }} state=started 8 | - name: restart mongod 9 | service: name={{ mongodb_service }} state=restarted 10 | -------------------------------------------------------------------------------- /roles/database/mongodb/tasks/configure-backup.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: configure-backup.yml 3 | # Type: task 4 | # Part: MongoDB 5 | 6 | - name: MongoDB | Deploy backup crontab 7 | template: src=cron.daily_automongobackup.j2 dest=/etc/cron.daily/automongobackup owner=root group=root mode=0644 8 | - name: MongoDB | Deploy backup defaults 9 | template: src=default_automongobackup.j2 dest=/etc/default/automongobackup owner=root group=root mode=0644 10 | - name: MongoDB | Deploy backup script 
11 | copy: src=sbin_automongobackup dest=/usr/sbin/automongobackup owner=root group=root mode=0755 12 | -------------------------------------------------------------------------------- /roles/database/mongodb/tasks/configure-supervisor.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: configure-supervisor.yml 3 | # Type: task 4 | # Part: MongoDB 5 | 6 | - name: MongoDB | Deploy supervisor service configuration 7 | template: src=supervisor_conf.d_mongod.conf.j2 dest=/etc/supervisor/conf.d/{{ mongodb_service }}.conf owner=root group=root mode=0644 backup=no 8 | register: result 9 | - name: MongoDB | Reread supervisor 10 | shell: supervisorctl reload 11 | when: result|changed 12 | 13 | ## Check service 14 | - name: MongoDB | Check service daemon 15 | supervisorctl: name=program:mongod state=started config=/etc/supervisor/supervisord.conf 16 | -------------------------------------------------------------------------------- /roles/database/mongodb/tasks/configure-upstart.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: configure-upstart.yml 3 | # Type: task 4 | # Part: MongoDB 5 | 6 | - name: MongoDB | Backup service configuration 7 | shell: creates=/etc/init/{{ mongodb_service }}.conf.orig.disabled cp /etc/init/{{ mongodb_service }}.conf /etc/init/{{ mongodb_service }}.conf.orig.disabled 8 | ignore_errors: True 9 | register: result 10 | - fetch: src=/etc/init/{{ mongodb_service }}.conf.orig.disabled dest={{ ansible_fetched_base }} 11 | when: result|changed 12 | - name: MongoDB | Deploy service configuration 13 | template: src=init.d_mongod.j2 dest=/etc/init.d/{{ mongodb_service }} owner=root group=root mode=0755 backup=no 14 | when: ansible_distribution == 'Debian' 15 | notify: restart mongod 16 | register: result 17 | - name: MongoDB | Deploy upstart service configuration 18 | template: src=init_mongod.conf.j2 dest=/etc/init/{{ mongodb_service }}.conf 
owner=root group=root mode=0755 backup=no 19 | when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Linaro' 20 | notify: restart mongod 21 | register: result 22 | - fetch: src=/etc/init/{{ mongodb_service }}.conf dest={{ ansible_fetched_base }} 23 | when: result|changed 24 | 25 | ## Check service 26 | - name: MongoDB | Check service daemon 27 | service: name={{ mongodb_service }} state=started enabled=yes 28 | -------------------------------------------------------------------------------- /roles/database/mongodb/tasks/install-arm.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: MongoDB | ARM 5 | 6 | - name: MongoDB | ARM | Fetch package 7 | get_url: url=https://s3-eu-west-1.amazonaws.com/col-public-eu/mongodb-linux-armv7l-2.4.1.tgz dest=/opt 8 | sha256sum=c93fa070fa1df529428bb0685533db7bb649f1065025d8236c1d83ea9bd64d69 9 | register: result 10 | - name: MongoDB | ARM | Extract package 11 | shell: mkdir -p /opt/tmp/mongodb-linux-armv7l-2.4.1; tar -xzf /opt/mongodb-linux-armv7l-2.4.1.tgz -C /usr/local --strip-components 1 --exclude='GNU-AGPL-3.0' --exclude='README' --exclude='THIRD-PARTY-NOTICES' 12 | when: result|changed 13 | notify: restart mongodb 14 | # - name: MongoDB | Install package 15 | # apt: name=libc6-dev=2.17-7 state=present 16 | # when: ansible_distribution == 'Debian' 17 | -------------------------------------------------------------------------------- /roles/database/mongodb/tasks/install-ubuntu.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: MongoDB | Default (Ubuntu) 5 | 6 | ## Install 7 | - name: MongoDB | Install ppa key 8 | apt_key: id=7F0CEB10 url=http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0x9ECBEC467F0CEB10 state=present 9 | - name: MongoDB | Install ppa 10 | apt_repository: repo='deb 
http://downloads-distro.mongodb.org/repo/ubuntu-upstart dist 10gen' state=present 11 | - name: MongoDB | Install package 12 | apt: name=mongodb-{{ mongodb_apt_flavor }} state={{ mongodb_apt_state }} force=yes 13 | notify: restart mongod 14 | -------------------------------------------------------------------------------- /roles/database/mongodb/tasks/location.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: location.yml 3 | # Type: task 4 | # Part: MongoDB 5 | 6 | 7 | ## Setup custom location 8 | - name: MongoDB | Setup directory 9 | file: state=directory dest={{ mongodb_path }} mode=700 owner={{ mongodb_user }} group={{ mongodb_group }} 10 | - name: MongoDB | Move databases 11 | shell: service mongodb stop; cp -rf /var/lib/mongodb/* {{ mongodb_path }}; touch {{ mongodb_path }}/.ansible; chown -R {{ mongodb_user }}:{{ mongodb_group }} {{ mongodb_path }}; rm -rf /var/lib/mongodb 12 | creates={{ mongodb_path }}/.ansible 13 | - name: MongoDB | Link databases 14 | file: state=link src={{ mongodb_path }} path=/var/lib/mongodb force=yes 15 | notify: restart mongod 16 | -------------------------------------------------------------------------------- /roles/database/mongodb/tasks/mms.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: mms.yml 3 | # Type: task 4 | # Part: MongoDB 5 | 6 | 7 | ## Install MMS monitoring 8 | - name: MongoDB | Monitoring | Fetch package 9 | action: get_url url=https://mms.mongodb.com/download/agent/monitoring/mongodb-mms-monitoring-agent_{{ mms_version }}_amd64.deb dest=/tmp 10 | sha256sum={{ mms_sha256 }} 11 | register: result 12 | - name: MongoDB | Monitoring | Install package 13 | shell: dpkg -i mongodb-mms-monitoring-agent_{{ mms_version }}_amd64.deb 14 | when: result|changed 15 | # - name: MongoDB | Monitoring | Deploy configuration 16 | # template: src=php5_conf.d_mongo.ini.j2 dest=/etc/php5/conf.d/20-mongo.ini owner=root 
mode=0644 17 | # notify: restart apache2 18 | 19 | -------------------------------------------------------------------------------- /roles/database/mongodb/tasks/php5.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: php5.yml 3 | # Type: task 4 | # Part: MongoDB 5 | 6 | 7 | ## Install PECL extension 8 | # https://github.com/gaspaio/ansible-repository/blob/master/php/tasks/pecl.yml 9 | - name: MongoDB | PECL | Install extension 10 | shell: pecl list | grep -i 'mongo' 11 | register: result 12 | ignore_errors: yes 13 | - shell: yes "" | pecl install mongo 14 | when: result|failed 15 | - name: MongoDB | PECL | Deploy configuration 16 | template: src=php5_conf.d_mongo.ini.j2 dest=/etc/php5/conf.d/20-mongo.ini owner=root mode=0644 17 | notify: restart apache2 18 | -------------------------------------------------------------------------------- /roles/database/mongodb/templates/cron.daily_automongobackup.j2: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | test -x /usr/sbin/automongobackup || exit 0 3 | /usr/sbin/automongobackup 4 | -------------------------------------------------------------------------------- /roles/database/mongodb/templates/default_automongobackup.j2: -------------------------------------------------------------------------------- 1 | # Username to access the mongo server e.g. dbuser 2 | # Unnecessary if authentication is off 3 | USERNAME="" 4 | 5 | # Password to access the mongo server e.g. password 6 | # Unnecessary if authentication is off 7 | PASSWORD="" 8 | 9 | # Host name (or IP address) of mongo server e.g localhost 10 | DBHOST=127.0.0.1 11 | 12 | # Backup directory location e.g /backups 13 | BACKUPDIR="/srv/data/backups/mongodb" 14 | 15 | # Mail setup 16 | # What would you like to be mailed to you? 
17 | # - log : send only log file 18 | # - files : send log file and sql files as attachments (see docs) 19 | # - stdout : will simply output the log to the screen if run manually. 20 | # - quiet : Only send logs if an error occurs to the MAILADDR. 21 | MAILCONTENT="log" 22 | 23 | # Set the maximum allowed email size in k. (4000 = approx 5MB email [see docs]) 24 | MAXATTSIZE="4000" 25 | 26 | # Email Address to send mail to? (user@domain.com) 27 | #MAILADDR=XXX 28 | 29 | 30 | # ============================================================ 31 | # === ADVANCED OPTIONS ( Read the doc's below for details )=== 32 | #============================================================= 33 | 34 | # Which day do you want weekly backups? (1 to 7 where 1 is Monday) 35 | DOWEEKLY=6 36 | 37 | # Command to run before backups (uncomment to use) 38 | #PREBACKUP="/etc/mongo-backup-pre" 39 | 40 | # Command run after backups (uncomment to use) 41 | #POSTBACKUP="/etc/mongo-backup-post" 42 | -------------------------------------------------------------------------------- /roles/database/mongodb/templates/init_mongod.conf.j2: -------------------------------------------------------------------------------- 1 | # Ansible managed 2 | 3 | # Ubuntu upstart file at /etc/init/mongod.conf 4 | 5 | # Recommended ulimit values for mongod or mongos 6 | # See http://docs.mongodb.org/manual/reference/ulimit/#recommended-settings 7 | # 8 | limit fsize unlimited unlimited 9 | limit cpu unlimited unlimited 10 | limit as unlimited unlimited 11 | limit nofile 64000 64000 12 | limit rss unlimited unlimited 13 | limit nproc 64000 64000 14 | 15 | kill timeout 300 # wait 300s between SIGTERM and SIGKILL. 
16 | 17 | pre-start script 18 | mkdir -p /var/lib/mongodb/ 19 | mkdir -p /var/log/mongodb/ 20 | end script 21 | 22 | start on runlevel [2345] 23 | stop on runlevel [06] 24 | 25 | script 26 | ENABLE_MONGOD="yes" 27 | CONF=/etc/{{ mongodb_service }}.conf 28 | DAEMON=/usr/bin/mongod 29 | DAEMONUSER=${DAEMONUSER:-mongodb} 30 | 31 | if [ -f /etc/default/{{ mongodb_service }} ]; then . /etc/default/{{ mongodb_service }}; fi 32 | 33 | # Handle NUMA access to CPUs (SERVER-3574) 34 | # This verifies the existence of numactl as well as testing that the command works 35 | NUMACTL_ARGS="--interleave=all" 36 | if which numactl >/dev/null 2>/dev/null && numactl $NUMACTL_ARGS ls / >/dev/null 2>/dev/null 37 | then 38 | NUMACTL="$(which numactl) -- $NUMACTL_ARGS" 39 | DAEMON_OPTS=${DAEMON_OPTS:-"--config $CONF"} 40 | else 41 | NUMACTL="" 42 | DAEMON_OPTS="-- "${DAEMON_OPTS:-"--config $CONF"} 43 | fi 44 | 45 | if [ "x$ENABLE_MONGOD" = "xyes" ] 46 | then 47 | exec start-stop-daemon --start --chuid $DAEMONUSER --exec $NUMACTL $DAEMON $DAEMON_OPTS 48 | fi 49 | end script 50 | -------------------------------------------------------------------------------- /roles/database/mongodb/templates/php5_conf.d_mongo.ini.j2: -------------------------------------------------------------------------------- 1 | ; Ansible managed 2 | 3 | extension=mongo.so 4 | -------------------------------------------------------------------------------- /roles/database/mongodb/templates/supervisor_conf.d_mongod.conf.j2: -------------------------------------------------------------------------------- 1 | [program:mongod] 2 | command=/usr/bin/mongod --config /etc/{{ mongodb_service }}.conf 3 | environment=USER={{ mongodb_user }},HOME="{{ mongodb_path }}" 4 | user={{ mongodb_user }} 5 | -------------------------------------------------------------------------------- /roles/database/mysql/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 
| # Type: defaults 4 | # Part: MySQL 5 | 6 | # Aptitude state 7 | mysql_apt_state: "latest" 8 | 9 | # Network configuration 10 | mysql_bind_address: "127.0.0.1" 11 | mysql_port: 3306 12 | 13 | # User and group 14 | mysql_user: "mysql" 15 | mysql_group: "mysql" 16 | mysql_service: "mysql" 17 | 18 | # Default base directory (without trailing '/') 19 | mysql_path: "/var/lib/mysql" 20 | 21 | # Extra configuration (mysql_root_password below is a committed placeholder default; set a per-deployment value, e.g. via Ansible Vault, rather than relying on it) 22 | mysql_max_allowed_packet: "128M" 23 | mysql_root_password: "GeneticLifeformAndDiskOperatingSystem" 24 | -------------------------------------------------------------------------------- /roles/database/mysql/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: handler 4 | # Part: MySQL 5 | 6 | - include: upstart.yml 7 | when: not docker 8 | - include: supervisor.yml 9 | when: docker 10 | -------------------------------------------------------------------------------- /roles/database/mysql/handlers/supervisor.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Type: handler 3 | # Part: MySQL 4 | 5 | - name: start mysql 6 | supervisorctl: name=program:mysqld state=started config=/etc/supervisor/supervisord.conf 7 | - name: restart mysql 8 | supervisorctl: name=program:mysqld state=restarted config=/etc/supervisor/supervisord.conf 9 | -------------------------------------------------------------------------------- /roles/database/mysql/handlers/upstart.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Type: handler 3 | # Part: MySQL 4 | 5 | - name: start mysql 6 | service: name=mysql state=started 7 | - name: restart mysql 8 | service: name=mysql state=restarted 9 | -------------------------------------------------------------------------------- /roles/database/mysql/tasks/configure-supervisor.yml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # File: configure-supervisor.yml 3 | # Type: task 4 | # Part: MySQL 5 | 6 | - name: MySQL | Deploy supervisor service configuration 7 | template: src=supervisor_conf.d_mysqld.conf.j2 dest=/etc/supervisor/conf.d/{{ mysql_service }}.conf owner=root group=root mode=0644 backup=no 8 | notify: restart mysql 9 | register: result 10 | - name: MySQL | Reread supervisor 11 | shell: supervisorctl reload 12 | when: result|changed 13 | - name: MySQL | Deploy supervisor service configuration 14 | supervisorctl: name=program:mysqld state=started config=/etc/supervisor/supervisord.conf 15 | when: result|changed 16 | -------------------------------------------------------------------------------- /roles/database/mysql/tasks/configure-upstart.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: configure-upstart.yml 3 | # Type: task 4 | # Part: MySQL 5 | 6 | - name: MySQL | Backup service configuration 7 | shell: creates=/etc/init/{{ mysql_service }}.conf.orig.disabled cp /etc/init/{{ mysql_service }}.conf /etc/init/{{ mysql_service }}.conf.orig.disabled 8 | ignore_errors: True 9 | register: result 10 | - fetch: src=/etc/init/{{ mysql_service }}.conf.orig.disabled dest=fetched 11 | when: result|changed 12 | # - name: MySQL | Deploy service configuration 13 | # template: src=init.d_mongod.j2 dest=/etc/init.d/{{ mongodb_service }} owner=root group=root mode=0755 backup=no 14 | # when: ansible_distribution == 'Debian' 15 | # notify: restart mongod 16 | # register: result 17 | # - name: MySQL | Deploy upstart service configuration 18 | # template: src=init_mongod.conf.j2 dest=/etc/init/{{ mongodb_service }}.conf owner=root group=root mode=0755 backup=no 19 | # when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Linaro' 20 | # notify: restart mongod 21 | # register: result 22 | # - fetch: src=/etc/init/{{ mongodb_service }}.conf 
dest=fetched 23 | # when: result|changed 24 | -------------------------------------------------------------------------------- /roles/database/mysql/tasks/location.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: location.yml 3 | # Type: task 4 | # Part: MySQL 5 | 6 | 7 | ## Setup custom location 8 | - name: MySQL | Setup directory 9 | file: state=directory dest={{ mysql_path }} mode=700 owner={{ mysql_user }} group={{ mysql_group }} 10 | - name: MySQL | Move databases 11 | shell: service mysql stop; cp -rf /var/lib/mysql/* {{ mysql_path }}; touch {{ mysql_path }}/.ansible; chown -R {{ mysql_user }}:{{ mysql_group }} {{ mysql_path }}; rm -rf /var/lib/mysql 12 | creates={{ mysql_path }}/.ansible 13 | - name: MySQL | Link databases 14 | file: state=link src={{ mysql_path }} path=/var/lib/mysql force=yes 15 | notify: restart mysql 16 | 17 | ## Update apparmor profile 18 | - name: MySQL | Backup configuration 19 | shell: creates=/etc/apparmor.d/usr.sbin.mysqld.orig cp /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/usr.sbin.mysqld.orig 20 | register: result 21 | - fetch: src=/etc/apparmor.d/usr.sbin.mysqld.orig dest=fetched 22 | when: result|changed 23 | - name: MySQL | Deploy updated AppArmor profile 24 | template: src=apparmor.d_usr.sbin.mysqld.j2 dest=/etc/apparmor.d/usr.sbin.mysqld owner=root mode=0644 backup=yes 25 | notify: restart mysql 26 | register: result 27 | - fetch: src=/etc/apparmor.d/usr.sbin.mysqld dest=fetched 28 | when: result|changed 29 | -------------------------------------------------------------------------------- /roles/database/mysql/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: MySQL 5 | 6 | 7 | ## Preseed install for root password 8 | - include: password.yml 9 | when: mysql_root_password is defined and mysql_root_password != "" 10 | 11 | ## Install 12 | - name: MySQL | Install 
package 13 | apt: name=mysql-server state={{ mysql_apt_state }} 14 | notify: restart mysql 15 | - name: MySQL | Setup MySQL password file 16 | when: mysql_root_password is defined and mysql_root_password != "" 17 | template: src=root_my.cnf.j2 dest=/root/.my.cnf 18 | 19 | ## Install ansible related packages 20 | - name: MySQL | Install python package 21 | apt: name=python-mysqldb state={{ mysql_apt_state }} 22 | 23 | ## Setup custom location 24 | - include: location.yml 25 | when: "'{{ mysql_path }}' != '/var/lib/mysql'" 26 | 27 | ## Configure 28 | - name: MySQL | Backup configuration 29 | shell: creates=/etc/mysql/my.cnf.orig cp /etc/mysql/my.cnf /etc/mysql/my.cnf.orig 30 | register: result 31 | - fetch: src=/etc/mysql/my.cnf.orig dest=fetched 32 | when: result|changed 33 | - name: MySQL | Deploy configuration 34 | template: src=mysql_my.cnf.j2 dest=/etc/mysql/my.cnf owner=root mode=0644 backup=yes 35 | notify: restart mysql 36 | register: result 37 | - fetch: src=/etc/mysql/my.cnf dest=fetched 38 | when: result|changed 39 | 40 | ## Configure service 41 | - include: configure-upstart.yml 42 | when: not docker 43 | - include: configure-supervisor.yml 44 | when: docker 45 | 46 | ## Secure installation 47 | - include: security.yml 48 | 49 | ## Check service 50 | - name: MySQL | Check service daemon 51 | service: name=mysql state=started 52 | -------------------------------------------------------------------------------- /roles/database/mysql/tasks/password.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: password.yml 3 | # Type: task 4 | # Part: MySQL 5 | 6 | - name: MySQL | Check for previous installation 7 | shell: "[ -f /usr/sbin/mysqld ]" 8 | when: mysql_root_password is defined 9 | register: mysqld_exists 10 | ignore_errors: True 11 | - name: MySQL | Preseed MySQL file 12 | template: src=mysql_seed.j2 dest=/root/mysql.seed 13 | when: mysqld_exists|failed 14 | - command: /usr/bin/debconf-set-selections 
/root/mysql.seed 15 | when: mysqld_exists|failed 16 | -------------------------------------------------------------------------------- /roles/database/mysql/tasks/security.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: security.yml 3 | # Type: task 4 | # Part: MySQL 5 | 6 | 7 | - name: MySQL | Remove empty password users 8 | mysql_user: name="" password="" host=localhost priv=*.*:USAGE state=absent login_user=root login_password={{ mysql_root_password }} 9 | when: mysql_root_password is defined and mysql_root_password != "" 10 | ignore_errors: True 11 | - name: MySQL | Remove empty password users 12 | mysql_user: name="" password="" host={{ ansible_fqdn }} priv=*.*:USAGE state=absent login_user=root login_password={{ mysql_root_password }} 13 | when: mysql_root_password is defined and mysql_root_password != "" 14 | ignore_errors: True 15 | - name: MySQL | Remove the MySQL test database 16 | mysql_db: db=test state=absent login_user=root login_password={{ mysql_root_password }} 17 | ignore_errors: True 18 | - name: MySQL | Remove the MySQL preseed file 19 | file: path=/root/mysql.seed state=absent 20 | -------------------------------------------------------------------------------- /roles/database/mysql/templates/apparmor.d_usr.sbin.mysqld.j2: -------------------------------------------------------------------------------- 1 | # Ansible managed 2 | 3 | # vim:syntax=apparmor 4 | # Last Modified: Tue Jun 19 17:37:30 2007 5 | #include 6 | 7 | /usr/sbin/mysqld { 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | capability dac_override, 15 | capability sys_resource, 16 | capability setgid, 17 | capability setuid, 18 | 19 | network tcp, 20 | 21 | /etc/hosts.allow r, 22 | /etc/hosts.deny r, 23 | 24 | /etc/mysql/*.pem r, 25 | /etc/mysql/conf.d/ r, 26 | /etc/mysql/conf.d/* r, 27 | /etc/mysql/*.cnf r, 28 | /usr/lib/mysql/plugin/ r, 29 | /usr/lib/mysql/plugin/*.so* mr, 30 | /usr/sbin/mysqld 
mr, 31 | /usr/share/mysql/** r, 32 | /var/log/mysql.log rw, 33 | /var/log/mysql.err rw, 34 | /var/lib/mysql/ r, 35 | /var/lib/mysql/** rwk, 36 | {{ mysql_path }}/ r, 37 | {{ mysql_path }}/** rwk, 38 | /var/log/mysql/ r, 39 | /var/log/mysql/* rw, 40 | /var/run/mysqld/mysqld.pid rw, 41 | /var/run/mysqld/mysqld.sock w, 42 | /run/mysqld/mysqld.pid rw, 43 | /run/mysqld/mysqld.sock w, 44 | 45 | /sys/devices/system/cpu/ r, 46 | 47 | # Site-specific additions and overrides. See local/README for details. 48 | #include 49 | } 50 | -------------------------------------------------------------------------------- /roles/database/mysql/templates/mysql_seed.j2: -------------------------------------------------------------------------------- 1 | mysql-server mysql-server/root_password_again password {{ mysql_root_password }} 2 | mysql-server mysql-server/root_password password {{ mysql_root_password }} -------------------------------------------------------------------------------- /roles/database/mysql/templates/root_my.cnf.j2: -------------------------------------------------------------------------------- 1 | [client] 2 | user=root 3 | password={{ mysql_root_password }} 4 | 5 | [mysql] 6 | user=root 7 | password={{ mysql_root_password }} 8 | 9 | [mysqldump] 10 | user=root 11 | password={{ mysql_root_password }} 12 | 13 | [mysqldiff] 14 | user=root 15 | password={{ mysql_root_password }} 16 | -------------------------------------------------------------------------------- /roles/database/mysql/templates/supervisor_conf.d_mysqld.conf.j2: -------------------------------------------------------------------------------- 1 | [program:mysqld] 2 | command=/usr/bin/pidproxy /var/run/mysqld/mysqld.pid /usr/sbin/mysqld 3 | environment=USER={{ mysql_user }},HOME="{{ mysql_path }}" 4 | user={{ mysql_user }} 5 | -------------------------------------------------------------------------------- /roles/database/redis/defaults/main.yml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: Redis 5 | 6 | # Aptitude state 7 | redis_apt_state: "latest" 8 | 9 | # Network configuration 10 | redis_bind_address: "127.0.0.1" 11 | redis_port: 6379 12 | 13 | # User and group 14 | redis_user: "redis" 15 | redis_group: "redis" 16 | 17 | # Default base directory (without trailing '/') 18 | redis_path: "/var/lib/redis" 19 | -------------------------------------------------------------------------------- /roles/database/redis/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: handler 4 | # Part: Redis 5 | 6 | - name: start redis 7 | service: name=redis-server state=started 8 | 9 | - name: restart redis 10 | service: name=redis-server state=restarted 11 | -------------------------------------------------------------------------------- /roles/database/redis/tasks/configure/configure-location.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: location.yml 3 | # Type: task 4 | # Part: Redis 5 | 6 | ## Setup custom location 7 | - name: Redis | Setup directory 8 | file: state=directory dest={{ redis_path }} mode=700 owner={{ redis_user }} group={{ redis_group }} 9 | - name: Redis | Move databases 10 | shell: service redis-server stop; cp -rf /var/lib/redis/* {{ redis_path }}; touch {{ redis_path }}/.ansible; chown -R {{ redis_user }}:{{ redis_group }} {{ redis_path }}; rm -rf /var/lib/redis 11 | creates={{ redis_path }}/.ansible 12 | - name: Redis | Link databases 13 | file: state=link src={{ redis_path }} path=/var/lib/redis force=yes 14 | notify: restart redis 15 | -------------------------------------------------------------------------------- /roles/database/redis/tasks/configure/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 
File: main.yml 3 | # Type: task 4 | # Part: Redis 5 | 6 | ## Setup custom location 7 | - include: configure-location.yml 8 | when: "'{{ redis_path }}' != '/var/lib/redis'" 9 | 10 | ## Configure user 11 | - name: Redis | Setup group 12 | group: name={{ redis_group }} 13 | - name: Redis | Setup user 14 | user: name={{ redis_user }} group={{ redis_group }} home="/var/lib/redis" shell="/bin/false" comment="Redis Server" 15 | 16 | ## Configure Redis 17 | # - name: Redis | Backup configuration 18 | # shell: creates=/etc/redis/redis.conf.orig cp /etc/redis/redis.conf /etc/redis/redis.conf.orig 19 | # ignore_errors: True 20 | # register: result 21 | # - fetch: src=/etc/redis/redis.conf.orig dest={{ ansible_fetched_base }} 22 | # when: result|changed 23 | - name: Redis | Ensure base folder exists 24 | file: path=/etc/redis state=directory owner=root group=root mode=0755 25 | - name: Redis | Ensure log folder exists 26 | file: path=/var/log/redis state=directory owner={{ redis_user }} group={{ redis_group }} mode=0755 27 | - name: Redis | Deploy configuration 28 | template: src=redis_redis.conf.j2 dest=/etc/redis/redis.conf owner=root group=root mode=0644 backup=yes 29 | notify: restart redis 30 | register: result 31 | - fetch: src=/etc/redis/redis.conf dest={{ ansible_fetched_base }} 32 | when: result|changed 33 | -------------------------------------------------------------------------------- /roles/database/redis/tasks/install/install-arm.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: Redis | ARM 5 | 6 | - name: Redis | Install package 7 | apt: name=build-essential state=latest 8 | - name: Redis | ARM | Fetch package 9 | get_url: url=http://download.redis.io/releases/redis-2.8.6.tar.gz dest=/opt 10 | sha256sum=efd0c9cb8d2696db44d8cb8309fed96607f68b93bb126615e64bff364e716658 11 | register: result 12 | - name: Redis | ARM | Extract package 13 | shell: mkdir -p 
/opt/tmp/redis-2.8.6; tar -xzf /opt/redis-2.8.6.tar.gz -C /opt/tmp/redis-2.8.6 --strip-components 1 --exclude='LICENSE' --exclude='README.md' --exclude='ChangeLog' 14 | when: result|changed 15 | - name: Redis | ARM | Check version 16 | shell: redis-server --version | cut -c 16-20 17 | ignore_errors: True 18 | register: redis_version 19 | - name: Redis | ARM | Make package 20 | when: redis_version.stdout != '2.8.6' 21 | shell: cd /opt/tmp/redis-2.8.6; make distclean; make && make install 22 | notify: restart redis 23 | # creates=/usr/local/bin/redis-server 24 | -------------------------------------------------------------------------------- /roles/database/redis/tasks/install/install-trusty.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: Redis | Default (Ubuntu) 5 | 6 | ## Install 7 | - name: Redis | Install ppa key 8 | apt_key: keyserver=keyserver.ubuntu.com id=136221EE520DDFAF0A905689B9316A7BC7917B12 9 | # apt_key: id=C7917B12 url=http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xB9316A7BC7917B12 state=present 10 | - name: Redis | Install ppa 11 | apt_repository: repo=ppa:chris-lea/redis-server state=present 12 | - name: Redis | Install package 13 | apt: name=redis-server state=latest 14 | notify: restart redis 15 | -------------------------------------------------------------------------------- /roles/database/redis/tasks/install/install-xenial.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: Redis 5 | 6 | ## Install 7 | - name: Aptitude | Install base system deps 8 | when: ansible_distribution_version == "16.04" 9 | apt: name=redis-server 10 | -------------------------------------------------------------------------------- /roles/database/redis/tasks/install/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 
File: main.yml 3 | # Type: task 4 | # Part: Redis 5 | 6 | - include: install-trusty.yml 7 | when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int <= 14 8 | - include: install-xenial.yml 9 | when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int >= 16 10 | -------------------------------------------------------------------------------- /roles/database/redis/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: Redis 5 | 6 | ## Install 7 | - include: install/main.yml 8 | tags: [database_redis, database_redis_install] 9 | 10 | ## Configure 11 | - include: configure/main.yml 12 | tags: [database_redis, database_redis_configure] 13 | when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int <= 14 14 | 15 | ## Service 16 | - include: service/main.yml 17 | tags: [database_redis, database_redis_service] 18 | when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int <= 14 19 | -------------------------------------------------------------------------------- /roles/database/redis/tasks/service/main.yml: -------------------------------------------------------------------------------- 1 | ## Configure service 2 | - include: service-init.yml 3 | when: not docker 4 | - include: service-supervisor.yml 5 | when: docker 6 | 7 | ## Make sure service is running 8 | - name: Redis | Check daemon 9 | service: name=redis-server state=started enabled=yes 10 | -------------------------------------------------------------------------------- /roles/database/redis/tasks/service/service-init.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: Redis | ARM 5 | 6 | # - name: Redis | Backup service configuration 7 | # shell: creates=/etc/init.d/redis-server.orig.disabled cp /etc/init.d/redis-server 
/etc/init.d/redis-server.orig.disabled 8 | # ignore_errors: True 9 | # register: result 10 | # - fetch: src=/etc/init.d/redis-server.orig.disabled dest=fetched 11 | # when: result|changed 12 | - name: Redis | Deploy service configuration 13 | template: src=init.d_redis-server.j2 dest=/etc/init.d/redis-server owner=root group=root mode=0755 backup=no 14 | notify: restart redis 15 | register: result 16 | - fetch: src=/etc/init.d/redis-server dest={{ ansible_fetched_base }} 17 | when: result|changed 18 | -------------------------------------------------------------------------------- /roles/database/redis/tasks/service/service-supervisor.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: Redis | ARM 5 | 6 | - name: Redis | Stop init.d service 7 | service: name=redis-server state=stopped enabled=no 8 | - name: Redis | Deploy supervisor service configuration 9 | template: src=supervisor_conf.d_redis-server.conf.j2 dest=/etc/supervisor/conf.d/redis-server.conf owner=root group=root mode=0644 backup=no 10 | register: result 11 | - name: Redis | Reread supervisor 12 | shell: supervisorctl reload 13 | when: result|changed 14 | - name: Redis | Deploy supervisor service configuration 15 | supervisorctl: name=program:redis-server state=started config=/etc/supervisor/supervisord.conf 16 | when: result|changed 17 | - service: name=redis-server state=stopped enabled=no 18 | -------------------------------------------------------------------------------- /roles/database/redis/templates/supervisor_conf.d_redis-server.conf.j2: -------------------------------------------------------------------------------- 1 | [program:redis-server] 2 | command=/usr/bin/redis-server /etc/redis/redis.conf 3 | environment=USER={{ redis_user }},HOME="{{ redis_path }}" 4 | user={{ redis_user }} 5 | -------------------------------------------------------------------------------- 
/roles/multimedia/atom-shell/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: AtomShell 5 | 6 | atom_shell_version: "v0.23.0" 7 | atom_shell_checksum_x64: "sha1:db17259a47eb360d6b2949b23aec5dca28309279" 8 | atom_shell_checksum_arm: "sha1:db17259a47eb360d6b2949b23aec5dca28309279" 9 | atom_shell_downlod_directory: "/opt/downloads" 10 | atom_shell_app_directory: "/opt/local/atom-shell" 11 | -------------------------------------------------------------------------------- /roles/multimedia/atom-shell/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: AtomShell 5 | 6 | - name: AtomShell | Set branch 7 | set_fact: 8 | atom_shell_branch: "{{ (ansible_architecture == 'x86_64') | ternary('x64', 'arm') }}" 9 | 10 | - name: AtomShell | Create download directory 11 | file: name={{ atom_shell_downlod_directory }} state=directory owner=root group=root mode=0755 12 | 13 | - name: AtomShell | Fetch package 14 | action: get_url url=https://github.com/atom/atom-shell/releases/download/{{ atom_shell_version }}/atom-shell-{{ atom_shell_version }}-linux-x64.zip dest={{ atom_shell_downlod_directory }}/atom-shell-{{ atom_shell_version }}-linux-{{ atom_shell_branch }}.zip 15 | checksum={{ vars['atom_shell_checksum_' + atom_shell_branch] }} validate_certs=no 16 | register: result 17 | 18 | - name: AtomShell | Extract package 19 | shell: rm -rf {{ atom_shell_app_directory }}; mkdir -p {{ atom_shell_app_directory }}; unzip {{ atom_shell_downlod_directory }}/atom-shell-{{ atom_shell_version }}-linux-{{ atom_shell_branch }}.zip -d {{ atom_shell_app_directory }}; chmod -R og+r {{ atom_shell_app_directory }}; chmod +rx {{ atom_shell_app_directory }}/*.so {{ atom_shell_app_directory }}/atom; ln -fs {{ atom_shell_app_directory }}/atom /usr/bin/atom 20 | when: result | changed 21 | 
-------------------------------------------------------------------------------- /roles/multimedia/chromium/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: Chromium 5 | 6 | chromium_apt_flavor: "stable" 7 | chromium_apt_state: "latest" 8 | -------------------------------------------------------------------------------- /roles/multimedia/chromium/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: Chromium 5 | 6 | - name: Chromium | Install ppa key 7 | apt_key: id=DC058F40 url=http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xDC058F40 state=present 8 | 9 | - name: Chromium | Install ppa 10 | apt_repository: repo=ppa:saiarcot895/chromium-{{ chromium_apt_flavor }} state={{ 'absent' if chromium_apt_flavor == 'stable' else 'present' }} 11 | # sudo ppa-purge ppa:saiarcot895/chromium-dev 12 | 13 | - name: Chromium | Install package 14 | apt: name={{ item }} state={{ chromium_apt_state }} 15 | with_items: 16 | - chromium-browser 17 | - chromium-codecs-ffmpeg-extra 18 | 19 | - name: Chromium | Install flash player package 20 | apt: name=adobe-flashplugin state={{ chromium_apt_state }} 21 | when: ansible_architecture == 'x86_64' 22 | register: result 23 | 24 | # - name: Chromium | Install flash player package 25 | # shell: update-pepperflashplugin-nonfree --install --unverified {{ '' if chromium_apt_flavor == 'stable' else '--beta' }} 26 | # when: ansible_architecture == 'x86_64' and result|changed 27 | # ignore_errors: True 28 | -------------------------------------------------------------------------------- /roles/multimedia/electron/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: Aptitude 5 | 6 | - name: Electron | Set branch 7 | set_fact: 8 | 
electron_branch: "{{ (ansible_architecture == 'x86_64') | ternary('x64', 'arm') }}" 9 | 10 | - name: Electron | Create download directory 11 | file: name={{ electron_downlod_directory }} state=directory owner=root group=root mode=0755 12 | 13 | - name: Electron | Fetch package 14 | action: get_url url={{ electron_mirror }}/{{ electron_mirror_base|default(electron_version) }}/electron-{{ electron_version }}-linux-{{ electron_branch }}.zip dest={{ electron_downlod_directory }}/electron-{{ electron_version }}-linux-{{ electron_branch }}.zip 15 | checksum={{ vars['electron_checksum_' + electron_branch] }} validate_certs=no use_proxy={{ electron_use_proxy }} 16 | register: result 17 | 18 | - name: Electron | Extract package 19 | shell: rm -rf {{ electron_app_directory }}; mkdir -p {{ electron_app_directory }}; unzip {{ electron_downlod_directory }}/electron-{{ electron_version }}-linux-{{ electron_branch }}.zip -d {{ electron_app_directory }}; chmod -R og+r {{ electron_app_directory }}; chmod +rx {{ electron_app_directory }}/*.so {{ electron_app_directory }}/electron; ln -fs {{ electron_app_directory }}/electron /usr/bin/electron 20 | when: electron_force_reinstall|bool or result|changed 21 | -------------------------------------------------------------------------------- /roles/multimedia/mplayer/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: Mplayer 5 | 6 | mplayer_apt_state: "latest" 7 | -------------------------------------------------------------------------------- /roles/multimedia/mplayer/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: Mplayer 5 | 6 | - name: Mplayer | Install ppa key 7 | apt_key: keyserver=keyserver.ubuntu.com id=8E51A6D660CD88D67D65221D90BD7EACED8E640A 8 | when: ansible_distribution_version == "14.04" 9 | 10 | - name: Mplayer 
| Install ppa 11 | apt_repository: repo=ppa:mc3man/trusty-media state=present 12 | when: ansible_distribution_version == "14.04" 13 | 14 | - name: Mplayer | Install packages 15 | apt: name=mplayer state={{ mplayer_apt_state }} 16 | -------------------------------------------------------------------------------- /roles/multimedia/mpv/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: Mpv 5 | 6 | mpv_apt_state: "latest" 7 | -------------------------------------------------------------------------------- /roles/multimedia/mpv/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: Mpv 5 | 6 | - name: Mpv | Install ppa key 7 | apt_key: keyserver=keyserver.ubuntu.com id=8E51A6D660CD88D67D65221D90BD7EACED8E640A 8 | 9 | - name: Mpv | Install ppa 10 | apt_repository: repo=ppa:mc3man/mpv-tests state=present 11 | 12 | - name: Mpv | Install packages 13 | apt: name=mpv state={{ mpv_apt_state }} force=true 14 | -------------------------------------------------------------------------------- /roles/multimedia/nwjs/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: NwJS 5 | 6 | nwjs_version: "v0.15.0" 7 | nwjs_checksum: "sha1:88372043ce2734a0ee89343cd681e227bdb77c44" 8 | nwjs_downlod_directory: "/opt/downloads" 9 | nwjs_app_directory: "/opt/local/nwjs" 10 | -------------------------------------------------------------------------------- /roles/multimedia/nwjs/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: NwJS 5 | 6 | - name: NwJS | Check prerequisites 7 | fail: msg="Only 'x86_64' architecture is supported for now." 
8 | when: ansible_architecture != 'x86_64' 9 | 10 | - name: NwJS | Create download directory 11 | file: name={{ nwjs_downlod_directory }} state=directory owner=root group=root mode=0755 12 | 13 | - name: NwJS | Fetch package 14 | action: get_url url=http://dl.nwjs.io/{{ nwjs_version }}/nwjs-{{ nwjs_version }}-linux-x64.tar.gz dest={{ nwjs_downlod_directory }}/nwjs-{{ nwjs_version }}-linux-x64.tar.gz 15 | checksum={{ nwjs_checksum }} validate_certs=no 16 | register: result 17 | 18 | - name: NwJS | Extract package 19 | shell: rm -rf {{ nwjs_app_directory }}; mkdir -p {{ nwjs_app_directory }}; tar -xzf {{ nwjs_downlod_directory }}/nwjs-{{ nwjs_version }}-linux-x64.tar.gz -C {{ nwjs_app_directory }} --strip-components 1; ln -fs {{ nwjs_app_directory }}/nw /usr/bin/nw 20 | when: result | changed 21 | 22 | - name: NwJS | Fix permissions 23 | shell: chmod -R og+r {{ nwjs_app_directory }}; chmod +rx {{ nwjs_app_directory }}/nw {{ nwjs_app_directory }}/lib/*.so 24 | when: result | changed 25 | -------------------------------------------------------------------------------- /roles/multimedia/vlc/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: Vlc 5 | 6 | vlc_apt_state: "latest" 7 | -------------------------------------------------------------------------------- /roles/multimedia/vlc/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: Vlc 5 | 6 | - name: Vlc | Install ppa key 7 | apt_key: keyserver=keyserver.ubuntu.com id=8E51A6D660CD88D67D65221D90BD7EACED8E640A 8 | when: ansible_distribution_version == "14.04" 9 | 10 | - name: Vlc | Install ppa 11 | apt_repository: repo=ppa:mc3man/trusty-media state=present 12 | when: ansible_distribution_version == "14.04" 13 | 14 | # - name: Vlc | Install ppa key 15 | # apt_key: keyserver=keyserver.ubuntu.com 
id=3361E59FF5029E6B90A9A80D09589874801DF724 16 | # when: ansible_distribution_version == "16.04" 17 | # 18 | # - name: Vlc | Install ppa 19 | # apt_repository: repo=ppa:videolan/stable-daily state=present 20 | # when: ansible_distribution_version == "16.04" 21 | 22 | - name: Vlc | Install packages 23 | apt: name=vlc state={{ vlc_apt_state }} 24 | -------------------------------------------------------------------------------- /roles/multimedia/youtube-dl/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: YoutubeDl 5 | 6 | youtube_dl_pip_state: "latest" 7 | -------------------------------------------------------------------------------- /roles/multimedia/youtube-dl/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: YoutubeDl 5 | 6 | - name: Multimedia | Install python-pip 7 | apt: name=python-pip state=present 8 | 9 | - name: Multimedia | Install youtube-dl 10 | pip: name=youtube-dl state={{ youtube_dl_pip_state }} 11 | -------------------------------------------------------------------------------- /roles/networking/avahi/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: Avahi 5 | 6 | avahi_hostname_prefix: "server" 7 | avahi_apt_state: "latest" 8 | 9 | avahi_user: "avahi" 10 | -------------------------------------------------------------------------------- /roles/networking/avahi/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: handler 4 | # Part: Interfaces 5 | 6 | - name: start avahi-daemon 7 | service: name=avahi-daemon state=started 8 | 9 | - name: restart avahi-daemon 10 | service: name=avahi-daemon state=restarted 11 | 
-------------------------------------------------------------------------------- /roles/networking/avahi/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: Avahi 5 | 6 | 7 | - debug: msg='{{ avahi_hostname_prefix }}-{{ ansible_default_ipv4.macaddress | md5 | regex_replace('^(.{4}).*$', '\\1') }}' 8 | - name: Avahi | Change hostname 9 | hostname: name='{{ avahi_hostname_prefix }}-{{ ansible_default_ipv4.macaddress | md5 | regex_replace('^(.{4}).*$', '\\1') }}' 10 | - name: Avahi | Setup hosts 11 | template: src=hosts.j2 dest=/etc/hosts 12 | - name: Avahi | Fetch hosts 13 | fetch: src=/etc/hosts dest={{ ansible_fetched_base }}/hosts flat=yes 14 | 15 | - name: Avahi | Install package 16 | apt: name=avahi-daemon state={{ avahi_apt_state }} 17 | - name: Avahi | Setup avahi 18 | template: src=avahi_avahi-daemon.conf.j2 dest=/etc/avahi/avahi-daemon.conf 19 | notify: restart avahi-daemon 20 | - name: Avahi | Fetch avahi 21 | fetch: src=/etc/avahi/avahi-daemon.conf dest={{ ansible_fetched_base }}/avahi-daemon.conf 22 | -------------------------------------------------------------------------------- /roles/networking/avahi/templates/hosts.j2: -------------------------------------------------------------------------------- 1 | 127.0.0.1 localhost 2 | 127.0.1.1 {{ avahi_hostname_prefix }}-{{ ansible_default_ipv4.macaddress | md5 | regex_replace('^(.{4}).*$', '\\1') }} 3 | {% if avahi_extra_hosts is defined %}{% for extra_host in avahi_extra_hosts -%} 4 | {{ extra_host }} 5 | {% endfor %}{%- endif %} 6 | 7 | # The following lines are desirable for IPv6 capable hosts 8 | ::1 ip6-localhost ip6-loopback 9 | fe00::0 ip6-localnet 10 | ff00::0 ip6-mcastprefix 11 | ff02::1 ip6-allnodes 12 | ff02::2 ip6-allrouters 13 | -------------------------------------------------------------------------------- /roles/networking/avahi/templates/supervisor_conf.d_avahi-daemon.conf.j2: 
-------------------------------------------------------------------------------- 1 | [program:avahi-daemon] 2 | command=/usr/sbin/avahi-daemon --no-rlimits 3 | environment=USER=root, 4 | user=root 5 | -------------------------------------------------------------------------------- /roles/networking/btsync/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: BTSync 5 | 6 | # Aptitude state 7 | btsync_apt_state: "latest" 8 | 9 | # Network configuration 10 | btsync_bind_address: "127.0.0.1" 11 | btsync_port: 8888 12 | 13 | # User and group 14 | btsync_user: "btsync" 15 | btsync_group: "btsync" 16 | 17 | # Default base directory (without trailing '/') 18 | btsync_path: "/var/lib/btsync" 19 | -------------------------------------------------------------------------------- /roles/networking/btsync/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: handler 4 | # Part: BTSync 5 | 6 | - name: start btsync 7 | service: name=btsync state=started 8 | 9 | - name: restart btsync 10 | service: name=btsync state=restarted 11 | -------------------------------------------------------------------------------- /roles/networking/btsync/tasks/configure-supervisor.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: configure-supervisor.yml 3 | # Type: task 4 | # Part: BTSync 5 | 6 | - name: BTSync | Deploy supervisor service configuration 7 | template: src=supervisor_conf.d_btsync.conf.j2 dest=/etc/supervisor/conf.d/btsync.conf owner=root group=root mode=0644 backup=no 8 | register: result 9 | - name: BTSync | Disable init service 10 | service: name=btsync state=stopped enabled=no 11 | - name: BTSync | Reread supervisor 12 | shell: supervisorctl reload 13 | when: result|changed 14 | - name: BTSync | Start service 15 | supervisorctl: 
name=program:btsync state=restarted config=/etc/supervisor/supervisord.conf 16 | -------------------------------------------------------------------------------- /roles/networking/btsync/templates/btsync_debconf-default.conf.j2: -------------------------------------------------------------------------------- 1 | //!/usr/lib/btsync/btsync-daemon --config 2 | // 3 | // Default instance automatically created by debconf 4 | // 5 | // DO NOT EDIT THIS FILE MANUALLY - SERIOUSLY!!! 6 | // 7 | // THIS FILE WILL BE OVERWRITTEN AT EVERY UPDATE 8 | // OR RECONFIGURATION SO DO NOT EVEN TRY IT 9 | // 10 | // USE dpkg-reconfigure btsync INSTEAD TO MODIFY 11 | // THE CONFIGURATION 12 | // 13 | // DAEMON_UID=btsync 14 | // DAEMON_GID=btsync 15 | { 16 | "storage_path" : "{{ btsync_path }}/", 17 | "check_for_updates" : true, 18 | "display_new_version": true, 19 | "disk_low_priority" : true, 20 | "lan_encrypt_data" : true, 21 | "rate_limit_local_peers" : false, 22 | "folder_rescan_interval" : 600, 23 | "folder_defaults.delete_to_trash" : true, 24 | "folder_defaults.use_dht" : false, 25 | "folder_defaults.use_lan_broadcast" : true, 26 | "folder_defaults.use_relay" : true, 27 | "folder_defaults.use_tracker" : true, 28 | "folder_defaults.known_hosts" : "", 29 | "webui" : 30 | { 31 | "listen" : "0.0.0.0:8888", 32 | "force_https" : false, 33 | "ssl_certificate" : "/etc/btsync/debconf-default.crt", 34 | "ssl_private_key" : "/etc/btsync/debconf-default.key" 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /roles/networking/btsync/templates/empty: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mgcrea/ansible-web-playbooks/4365076c2698d4b61b8f772b3557430e098ef8fd/roles/networking/btsync/templates/empty -------------------------------------------------------------------------------- /roles/networking/btsync/templates/supervisor_conf.d_btsync.conf.j2: 
-------------------------------------------------------------------------------- 1 | [program:btsync-daemon] 2 | command=/usr/lib/btsync/btsync-daemon --nodaemon --log /var/log/btsync.log --config /etc/btsync/debconf-default.conf 3 | environment=USER={{ btsync_user }},HOME={{ btsync_path }}, 4 | user={{ btsync_user }} 5 | -------------------------------------------------------------------------------- /roles/networking/cntlm/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: cntlm 5 | 6 | # Aptitude state 7 | cntlm_apt_state: "latest" 8 | 9 | # Service configuration 10 | # cntlm_username: "" 11 | # cntlm_domain: "" 12 | # cntlm_password: "" 13 | # cntlm_passNTLMv2: "" 14 | cntlm_proxies: 15 | - "10.0.0.41:8080" 16 | - "10.0.0.42:8080" 17 | cntlm_no_proxies: 18 | - "localhost, 127.0.0.*, 10.*, 192.168.*" 19 | cntlm_port: 3128 20 | 21 | # User and group 22 | cntlm_user: "cntlm" 23 | cntlm_group: "cntlm" 24 | 25 | # Default base directory (without trailing '/') 26 | cntlm_path: "/var/lib/cntlm" 27 | -------------------------------------------------------------------------------- /roles/networking/cntlm/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: handler 4 | # Part: cntlm 5 | 6 | - name: start cntlm 7 | service: name=cntlm state=started 8 | 9 | - name: restart cntlm 10 | service: name=cntlm state=restarted 11 | -------------------------------------------------------------------------------- /roles/networking/cntlm/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: cntlm 5 | 6 | ## Install 7 | - name: cntlm | Install package 8 | apt: name=cntlm state={{ cntlm_apt_state }} 9 | 10 | ## Configuration 11 | - name: cntlm | Deploy configuration 12 | template: 
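src=cntlm.conf.j2 dest=/etc/cntlm.conf owner=root group=root mode=0600
  # 0600 on purpose: the rendered file may carry the upstream proxy credentials
  # (cntlm_password / cntlm_passNTLMv2 from the role defaults).
  notify: restart cntlm
--------------------------------------------------------------------------------
/roles/networking/interfaces/defaults/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: defaults
# Part: Interfaces

# Everything here is deliberately unset: /etc/network/interfaces is only
# rendered when the caller defines interfaces_eth0_inet (see tasks/main.yml).
# network_interfaces.j2 reads these as mappings (interfaces_eth0_inet.address),
# so they must be written as mappings, not as lists of one-key items.

# interfaces_eth0_inet:
#   address: 198.27.67.71
#   network: 198.27.67.0
#   broadcast: 198.27.67.255
#   gateway: 198.27.67.254

# Additional IPv4 addresses to bind as eth0 aliases
# interfaces_eth0_inet_failovers:
#   - 198.27.78.69

# interfaces_eth0_inet6:
#   address: 2607:5300:60:1C47::1
#   gateway: 2607:5300:60:1Cff:ff:ff:ff:ff
--------------------------------------------------------------------------------
/roles/networking/interfaces/handlers/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: handler
# Part: Interfaces

- name: start networking
  service: name=networking state=started

- name: restart networking
  service: name=networking state=restarted
--------------------------------------------------------------------------------
/roles/networking/interfaces/tasks/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: task
# Part: Interfaces

- name: Interfaces | Deploy configuration
  template: src=network_interfaces.j2 dest=/etc/network/interfaces owner=root group=root mode=0644
  # The template dereferences interfaces_eth0_inet.* and the role ships no
  # value for it, so rendering with the variable undefined aborts the play.
  when: interfaces_eth0_inet is defined
  # Restarting networking re-applies addressing live on the remote host: a
  # wrong address or gateway here locks you out. Review the rendered file
  # (e.g. with --check --diff) before letting the handler run.
  notify: restart networking
--------------------------------------------------------------------------------
/roles/networking/interfaces/templates/network_interfaces.j2:
--------------------------------------------------------------------------------
# This file describes the network interfaces available on your system
# and how to activate them.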
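# For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address {{ interfaces_eth0_inet.address }}
    netmask 255.255.255.0
    network {{ interfaces_eth0_inet.network }}
    broadcast {{ interfaces_eth0_inet.broadcast }}
    gateway {{ interfaces_eth0_inet.gateway }}
{# interfaces_eth0_inet_failovers is documented in the role defaults as a plain
   list of addresses. The former "for key, ip_failover in ..." tried to unpack
   every list item into two names, which fails on a string; the alias index now
   comes from the list position (eth0:0, eth0:1, ...). If a caller really
   passes [alias, address] pairs, restore the two-name form. #}
{% for ip_failover in interfaces_eth0_inet_failovers | default([]) %}
    post-up /sbin/ifconfig eth0:{{ loop.index0 }} {{ ip_failover }} netmask 255.255.255.255 broadcast {{ ip_failover }}
    post-down /sbin/ifconfig eth0:{{ loop.index0 }} down
{% endfor %}

{# IPv6 is optional: the defaults leave interfaces_eth0_inet6 unset, and
   dereferencing an undefined variable would abort the whole template. #}
{% if interfaces_eth0_inet6 is defined %}
iface eth0 inet6 static
    address {{ interfaces_eth0_inet6.address }}
    netmask 64
    post-up /sbin/ip -f inet6 route add {{ interfaces_eth0_inet6.gateway }} dev eth0
    post-up /sbin/ip -f inet6 route add default via {{ interfaces_eth0_inet6.gateway }}
    pre-down /sbin/ip -f inet6 route del default via {{ interfaces_eth0_inet6.gateway }}
    pre-down /sbin/ip -f inet6 route del {{ interfaces_eth0_inet6.gateway }} dev eth0
{% endif %}
--------------------------------------------------------------------------------
/roles/networking/openvpn/defaults/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: defaults
# Part: OpenVPN

# Aptitude state
openvpn_apt_state: "latest"
openvpn_apt_version: "stable"
# true = install from the distribution archive only. install-ubuntu.yml tests
# this variable but the role never defined it, so the include failed for any
# caller that did not set it explicitly.
openvpn_apt_skip_ppa: false
# ARM hosts build from the upstream tarball, fetched over plain http; the
# sha256 below is what pins that archive, so bump version and hash together.
openvpn_arm_version: "2.3.4"
openvpn_arm_shasum: "af506d5f48568fa8d2f2435cb3fad35f9a9a8f263999ea6df3ba296960cec85a"
openvpn_apt_use_mbedssl: false

# Network configuration
# NOTE(review): 9091 is the transmission role's port, not a usual OpenVPN one
# (1194). The server.conf template that would consume these is not in this
# listing, so check whether they are used at all before relying on them.
openvpn_bind_address: "127.0.0.1"
openvpn_port: 9091

# User and group
openvpn_user: "nobody"
openvpn_group: "nogroup"
openvpn_service: "openvpn"
openvpn_service_state: "started"
openvpn_service_enabled: True

openvpn_users:
  - client

# Default base directory (without trailing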
'/') 28 | openvpn_path: "/etc/openvpn" 29 | openvpn_config_dir: "/etc/openvpn" 30 | openvpn_server_name: "server" 31 | openvpn_config_name: "server" 32 | openvpn_topology: "subnet" 33 | 34 | # Default easy rsa params 35 | easyrsa_req_country: "US" 36 | easyrsa_req_province: "California" 37 | easyrsa_req_city: "San Francisco" 38 | easyrsa_req_org: "Copyleft Certificate Co" 39 | easyrsa_req_email: "me@example.net" 40 | easyrsa_req_ou: "My Organizational Unit" 41 | easyrsa_key_size: 2048 42 | 43 | # Monit state 44 | openvpn_monit: false 45 | # Post-up script 46 | openvpn_script_security: false 47 | openvpn_config_to_remove: "" 48 | -------------------------------------------------------------------------------- /roles/networking/openvpn/handlers/init.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: handler 4 | # Part: OpenVPN 5 | 6 | - name: start openvpn 7 | service: name=openvpn state=started 8 | 9 | - name: restart openvpn 10 | service: name=openvpn state=restarted 11 | 12 | - name: restart monit 13 | service: name=monit state=restarted 14 | -------------------------------------------------------------------------------- /roles/networking/openvpn/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: handler 4 | # Part: OpenVPN 5 | 6 | - include: init.yml 7 | when: not docker 8 | - include: supervisor.yml 9 | when: docker 10 | -------------------------------------------------------------------------------- /roles/networking/openvpn/handlers/supervisor.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: handler 4 | # Part: OpenVPN 5 | 6 | - name: start openvpn on docker 7 | supervisorctl: name=openvpn state=started 8 | 9 | - name: restart openvpn on docker 10 | supervisorctl: name=openvpn state=restarted 11 | 
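--------------------------------------------------------------------------------
/roles/networking/openvpn/tasks/configure-monit.yml:
--------------------------------------------------------------------------------
---
# File: configure-monit.yml
# Type: task
# Part: OpenVPN

## Configure monit
- name: OpenVPN | Install monit
  apt: name=monit state=latest
  notify: restart monit
- name: OpenVPN | Deploy monit configuration
  template: src=monit_conf.d_openvpn.conf.j2 dest=/etc/monit/conf.d/openvpn-{{ openvpn_config }}.conf owner=root group=root mode=0644
  when: openvpn_config is defined
  notify: restart monit
- name: OpenVPN | Remove legacy monit configuration
  file: state=absent path=/etc/monit/conf.d/openvpn-{{ openvpn_config_to_remove }}.conf
  when: openvpn_config_to_remove != ''
--------------------------------------------------------------------------------
/roles/networking/openvpn/tasks/configure-supervisor.yml:
--------------------------------------------------------------------------------
---
# File: configure-supervisor.yml
# Type: task
# Part: OpenVPN

# Docker path: there is no udev in the container, so the tun device node has
# to be created by hand before openvpn can open it.
- name: OpenVPN | Setup dev folder
  file: state=directory dest=/dev/net
- name: OpenVPN | Setup tun device
  # "creates" makes the task idempotent. The previous blanket ignore_errors
  # also swallowed real failures (e.g. the container lacking CAP_MKNOD), which
  # then only surfaced as openvpn failing to start later.
  command: mknod /dev/net/tun c 10 200 creates=/dev/net/tun
- name: OpenVPN | Stop init.d service
  service: name=openvpn state=stopped enabled=no
- name: OpenVPN | Deploy supervisor service configuration
  template: src=supervisor_conf.d_openvpn.conf.j2 dest=/etc/supervisor/conf.d/{{ openvpn_service }}.conf owner=root group=root mode=0644 backup=no
  notify: restart openvpn on docker
  register: result
- name: OpenVPN | Reread supervisor
  shell: supervisorctl reload
  when: result|changed
- name: OpenVPN | Check daemon
  supervisorctl: name=program:openvpn state=started config=/etc/supervisor/supervisord.conf
--------------------------------------------------------------------------------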
/roles/networking/openvpn/tasks/configure-systemd.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: configure-systemd.yml 3 | # Type: task 4 | # Part: OpenVPN 5 | 6 | - name: OpenVPN | Remove upstart service configuration 7 | file: path=/etc/init.d/openvpn state=absent 8 | notify: restart openvpn 9 | - name: OpenVPN | Deploy systemd service configuration 10 | template: src=systemd_system_openvpn@.service.service.j2 dest=/etc/systemd/system/openvpn@.service owner=root group=root mode=0644 backup=no 11 | notify: restart openvpn 12 | register: result 13 | - fetch: src=/etc/systemd/system/openvpn@.service dest={{ ansible_fetched_base }} 14 | when: result|changed 15 | - file: 16 | path: /etc/systemd/system/openvpn@.service.d 17 | state: directory 18 | owner: root 19 | group: root 20 | mode: 0755 21 | notify: restart openvpn 22 | - template: 23 | src: systemd_system_openvpn@.service.d_restart-always.conf.j2 24 | dest: /etc/systemd/system/openvpn@.service.d/restart-always.conf 25 | owner: root 26 | group: root 27 | mode: 0644 28 | notify: restart openvpn 29 | -------------------------------------------------------------------------------- /roles/networking/openvpn/tasks/configure-upstart.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: configure-upstart.yml 3 | # Type: task 4 | # Part: OpenVPN 5 | 6 | # @url http://ubuntuforums.org/showthread.php?t=1651444&p=10390974#post10390974 7 | - name: OpenVPN | Backup service configuration 8 | shell: creates=/etc/init.d/openvpn.orig.disabled cp /etc/init.d/openvpn /etc/init.d/openvpn.orig.disabled 9 | ignore_errors: True 10 | register: result 11 | - fetch: src=/etc/init.d/openvpn.orig.disabled dest="{{ ansible_fetched_base }}/openvpn.orig" flat=yes 12 | when: result|changed 13 | - name: OpenVPN | Deploy service configuration 14 | template: src=init.d_openvpn.j2 dest=/etc/init.d/openvpn owner=root group=root mode=0755 
backup=no 15 | notify: restart openvpn 16 | register: result 17 | - fetch: src=/etc/init.d/openvpn dest={{ ansible_fetched_base }} 18 | when: result|changed 19 | - name: OpenVPN | Check daemon 20 | service: name=openvpn state={{ openvpn_service_state }} enabled={{ openvpn_service_enabled }} 21 | -------------------------------------------------------------------------------- /roles/networking/openvpn/tasks/install-arm.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: OpenVPN | ARM 5 | 6 | - name: OpenVPN | Install required packages 7 | apt: name={{ item }} state=latest 8 | with_items: 9 | - liblzo2-dev 10 | - libpam0g-dev 11 | - libssl-dev 12 | - name: OpenVPN | ARM | Fetch package 13 | get_url: url=http://swupdate.openvpn.org/community/releases/openvpn-{{ openvpn_arm_version }}.tar.gz dest=/opt 14 | sha256sum={{ openvpn_arm_shasum }} 15 | register: result 16 | - name: OpenVPN | ARM | Extract package 17 | shell: mkdir -p /opt/tmp/openvpn-{{ openvpn_arm_version }}; tar -xzf /opt/openvpn-{{ openvpn_arm_version }}.tar.gz -C /opt/tmp/openvpn-{{ openvpn_arm_version }} --strip-components 1 18 | when: result|changed 19 | - name: OpenVPN | ARM | Check version 20 | shell: openvpn --version | head -n 1 | cut -c 9-13 21 | ignore_errors: True 22 | register: openvpn_version 23 | - name: OpenVPN | ARM | Configure package 24 | when: openvpn_version.stdout != '{{ openvpn_arm_version }}' 25 | shell: ./configure --host=arm-linux-gnueabihf --prefix=/usr/local 26 | chdir=/opt/tmp/openvpn-{{ openvpn_arm_version }} 27 | creates=/opt/tmp/openvpn-{{ openvpn_arm_version }}/config.status 28 | - name: OpenVPN | ARM | Make package 29 | when: openvpn_version.stdout != '{{ openvpn_arm_version }}' 30 | shell: make && make install 31 | chdir=/opt/tmp/openvpn-{{ openvpn_arm_version }} 32 | creates=/usr/local/bin/openvpn 33 | notify: restart openvpn 34 | - name: OpenVPN | ARM | Create base directories 35 | 
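file: state=directory path=/etc/openvpn owner=root group=root
--------------------------------------------------------------------------------
/roles/networking/openvpn/tasks/install-ubuntu.yml:
--------------------------------------------------------------------------------
---
# File: install-ubuntu.yml
# Type: task
# Part: OpenVPN | Default (Ubuntu)

# openvpn_apt_skip_ppa is not declared in the role defaults shown alongside
# this role; "openvpn_apt_skip_ppa|bool" on an undefined variable aborts the
# task, so default it to false at every use.

## Install with OpenSSL
- name: OpenVPN | Install ppa key
  apt_key: keyserver=keyserver.ubuntu.com id=8E6DA8B4E158C569
  when: not (openvpn_apt_skip_ppa | default(false) | bool) and not openvpn_apt_use_mbedssl|bool
- name: OpenVPN | Install ppa
  # Plain-http archive: authenticity rests entirely on apt's signature check
  # against the key imported above, so never add [trusted=yes] here.
  apt_repository: repo='deb http://build.openvpn.net/debian/openvpn/{{ openvpn_apt_version }} {{ ansible_distribution_release }} main' state=present
  when: not (openvpn_apt_skip_ppa | default(false) | bool) and not openvpn_apt_use_mbedssl|bool

## Install with mbedTLS
- name: OpenVPN with mbedTLS | Install ppa key
  # NOTE(review): C7917B12 is a 32-bit short key ID. Short IDs are cheap to
  # collide, so a keyserver lookup by short ID can hand back a key that is not
  # the PPA's. Replace it with the PPA's full 40-hex fingerprint (from its
  # Launchpad page), or drop this task and rely on apt_repository's ppa:
  # handling, which is meant to import the signing key by fingerprint.
  apt_key: keyserver=keyserver.ubuntu.com id=C7917B12
  when: not (openvpn_apt_skip_ppa | default(false) | bool) and openvpn_apt_use_mbedssl|bool
- name: OpenVPN with mbedTLS | Install ppa
  apt_repository: repo=ppa:chris-lea/openvpn-mbedtls state=present
  when: not (openvpn_apt_skip_ppa | default(false) | bool) and openvpn_apt_use_mbedssl|bool

- name: OpenVPN | Install package
  apt: name=openvpn state={{ openvpn_apt_state }}
  notify: restart openvpn
--------------------------------------------------------------------------------
/roles/networking/openvpn/tasks/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: task
# Part: OpenVPN

## Install
- include: install-arm.yml
  when: ansible_architecture == 'armv6l' or ansible_architecture == 'armv7l'
- include: install-ubuntu.yml
  when: ansible_distribution == 'Ubuntu'

# Configure client / server
- debug: msg="Config is {{ openvpn_config }}"
  when: openvpn_config is defined
- name: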
OpenVPN | Load configuration defaults 16 | include_vars: "vars/openvpn/{{ openvpn_config }}/main.yml" 17 | when: openvpn_config is defined 18 | - name: OpenVPN | Configure client 19 | include: configure-client.yml 20 | when: openvpn_config is defined and openvpn_type == 'client' 21 | - name: OpenVPN | Configure server 22 | include: configure-server.yml 23 | when: openvpn_config is defined and openvpn_type == 'server' 24 | 25 | ## Configure service 26 | - include: configure-systemd.yml 27 | when: not docker and ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int >= 16 28 | - include: configure-upstart.yml 29 | when: not docker and ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int <= 14 30 | - include: configure-supervisor.yml 31 | when: docker 32 | 33 | ## Configure monit 34 | - name: OpenVPN | Configure monit (useless since systemd) 35 | include: configure-monit.yml 36 | when: not docker and openvpn_monit and ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int <= 14 37 | -------------------------------------------------------------------------------- /roles/networking/openvpn/templates/init_openvpn.conf.j2: -------------------------------------------------------------------------------- 1 | # Xanview OpenVPN Upstart Script 2 | 3 | description "OpenVPN - virtual private network daemon(s)" 4 | author "Roman Gaufman " 5 | version "1.0.0" 6 | 7 | start on runlevel [2345] 8 | stop on runlevel [!2345] 9 | 10 | respawn 11 | 12 | exec /usr/sbin/openvpn --status /var/run/openvpn.client.status 10 --cd /etc/openvpn --config /etc/openvpn/client.conf --syslog openvpn 13 | -------------------------------------------------------------------------------- /roles/networking/openvpn/templates/logrotate.d_openvpn.j2: -------------------------------------------------------------------------------- 1 | /var/log/openvpn.log { 2 | weekly 3 | missingok 4 | rotate 52 5 | compress 6 | delaycompress 7 | notifempty 8 | 
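create 640 root adm
sharedscripts
postrotate
    /etc/init.d/openvpn reload > /dev/null
endscript
}
--------------------------------------------------------------------------------
/roles/networking/openvpn/templates/monit_conf.d_openvpn.conf.j2:
--------------------------------------------------------------------------------
check process openvpn_{{ openvpn_config }} with pidfile /var/run/openvpn/{{ openvpn_config }}.pid
  start program = "/etc/init.d/openvpn start {{ openvpn_config }}"
  stop program = "/etc/init.d/openvpn stop {{ openvpn_config }}"
--------------------------------------------------------------------------------
/roles/networking/openvpn/templates/openvpn_status.sh.j2:
--------------------------------------------------------------------------------
#!/bin/bash
# Hook wrapper for OpenVPN (the systemd unit starts openvpn with
# --script-security 2, which is what permits running it). It forwards the
# arguments OpenVPN supplies to the site script named by openvpn_script_up,
# if that file exists, and always exits 0 so a broken hook cannot bring the
# tunnel down with it.
#
# The rendered path is executed with whatever privileges the openvpn process
# holds at that point (root, before any user/group drop), so openvpn_script_up
# must name a root-owned, non-world-writable file.

# Register the always-succeed exit before doing any work so the guarantee also
# covers a failure inside the hook itself, not only the happy path.
function finish {
  # Safely exit to preserve openvpn
  exit 0
}
trap finish EXIT

script="{{ openvpn_script_up }}"
# -f rather than -e: a directory or device at that path is not a script.
if [[ -f "$script" ]]; then
  # "$@" hands each OpenVPN argument over intact; the former unquoted $@
  # re-split them on whitespace (e.g. a common_name containing a space).
  /bin/bash "$script" "$@"
fi
--------------------------------------------------------------------------------
/roles/networking/openvpn/templates/supervisor_conf.d_openvpn.conf.j2:
--------------------------------------------------------------------------------
[program:openvpn]
command=/usr/sbin/openvpn --cd "{{ openvpn_config_dir }}" --config "{{ openvpn_path }}/server.conf"
; Has to start as root to create the tun interface and install routes. Whether
; it then drops to openvpn_user/openvpn_group depends on "user"/"group"
; directives inside server.conf, which is not part of this listing -- verify.
environment=USER=root,HOME="{{ openvpn_path }}"
user=root
--------------------------------------------------------------------------------
/roles/networking/openvpn/templates/systemd_system_openvpn@.service.d_restart-always.conf.j2:
--------------------------------------------------------------------------------
[Service]
Restart=always
RestartSec=3
--------------------------------------------------------------------------------
/roles/networking/openvpn/templates/systemd_system_openvpn@.service.service.j2: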
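--------------------------------------------------------------------------------
[Unit]
Description=OpenVPN connection to %i
PartOf=openvpn.service
ReloadPropagatedFrom=openvpn.service
Before=systemd-user-sessions.service
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
PrivateTmp=true
KillMode=mixed
Type=forking
# NOTE(review): --script-security 2 is hard-coded for every instance, so any
# up/down/client-connect script referenced from /etc/openvpn/%i.conf will be
# executed. The role default openvpn_script_security: false never reaches this
# line; if that variable is meant to gate script execution, template the flag
# from it here instead of fixing it at 2.
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
PIDFile=/run/openvpn/%i.pid
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
# Sandboxing: ProtectSystem=yes mounts /usr and /boot read-only, and the
# bounding set is limited to what tun/route setup and the user/group drop
# (CAP_SETUID/CAP_SETGID) need.
ProtectSystem=yes
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw

[Install]
WantedBy=multi-user.target
--------------------------------------------------------------------------------
/roles/networking/resolvconf/files/16.04/resolvconf_resolv.conf.d_head:
--------------------------------------------------------------------------------
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
--------------------------------------------------------------------------------
/roles/networking/resolvconf/tasks/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: task
# Part: Resolvconf

- name: Resolvconf | Setup resolv.conf
  template: src=resolvconf_resolv.conf.d_head.j2 dest=/etc/resolvconf/resolv.conf.d/head
  when: resolvconf_nameservers is defined
  register: result
- name: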
Resolvconf | Regenerate resolv.conf 11 | command: resolvconf -u 12 | when: result|changed 13 | -------------------------------------------------------------------------------- /roles/networking/resolvconf/templates/resolvconf_resolv.conf.d_head.j2: -------------------------------------------------------------------------------- 1 | # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8) 2 | # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN 3 | {% if resolvconf_nameservers %} 4 | 5 | # Ansible managed 6 | {% for nameserver in resolvconf_nameservers -%} 7 | nameserver {{ nameserver }} 8 | {% endfor %} 9 | {%- endif %} 10 | -------------------------------------------------------------------------------- /roles/networking/transmission/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: Transmission 5 | 6 | # Aptitude state 7 | transmission_apt_state: "latest" 8 | 9 | # Network configuration 10 | transmission_bind_address: "127.0.0.1" 11 | transmission_port: 9091 12 | 13 | # User and group 14 | transmission_user: "debian-transmission" 15 | transmission_group: "debian-transmission" 16 | 17 | # Default base directory (without trailing '/') 18 | transmission_path: "/var/lib/transmission-daemon" 19 | transmission_path_incompletes: "/var/lib/transmission-daemon/incompletes" 20 | -------------------------------------------------------------------------------- /roles/networking/transmission/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: handler 4 | # Part: Transmission 5 | 6 | - name: start transmission-daemon 7 | service: name=transmission-daemon state=started 8 | 9 | - name: restart transmission-daemon 10 | service: name=transmission-daemon state=restarted 11 | 
-------------------------------------------------------------------------------- /roles/networking/transmission/tasks/configure-supervisor.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: configure-supervisor.yml 3 | # Type: task 4 | # Part: Transmission 5 | 6 | - name: Transmission | Deploy supervisor service configuration 7 | template: src=supervisor_conf.d_transmission-daemon.conf.j2 dest=/etc/supervisor/conf.d/transmission-daemon.conf owner=root group=root mode=0644 backup=no 8 | register: result 9 | - name: Transmission | Disable init service 10 | service: name=transmission-daemon state=stopped enabled=no 11 | - name: Transmission | Reread supervisor 12 | shell: supervisorctl reload 13 | when: result|changed 14 | - name: Transmission | Start service 15 | supervisorctl: name=program:transmission-daemon state=restarted config=/etc/supervisor/supervisord.conf 16 | -------------------------------------------------------------------------------- /roles/networking/transmission/templates/supervisor_conf.d_transmission-daemon.conf.j2: -------------------------------------------------------------------------------- 1 | [program:transmission-daemon] 2 | command=/usr/bin/transmission-daemon --foreground --logfile /var/log/transmission-daemon.log --config-dir /etc/transmission-daemon 3 | environment=USER={{ transmission_user }},HOME={{ transmission_path }}, 4 | user={{ transmission_user }} 5 | -------------------------------------------------------------------------------- /roles/system/apcups/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: APCUPS 5 | 6 | # Aptitude state 7 | apcups_apt_name: "apcupsd" 8 | apcups_apt_state: "latest" 9 | 10 | apcups_upscable: "smart" 11 | apcups_upstype: "apcsmart" 12 | apcups_device: "/dev/ttyS0" 13 | apcups_batterylevel: 5 14 | apcups_timeout: 0 15 | 
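apcups_is_configured: false
--------------------------------------------------------------------------------
/roles/system/apcups/handlers/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: handler
# Part: APC UPS

- name: start apcupsd
  service: name=apcupsd state=started

- name: restart apcupsd
  service: name=apcupsd state=restarted
--------------------------------------------------------------------------------
/roles/system/apcups/tasks/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: task
# Part: APC UPS

- name: APC UPS | Install package
  apt: name={{ apcups_apt_name }} state={{ apcups_apt_state }}

- name: APC UPS | Deploy configuration
  template: src=apcupsd_apcupsd.conf.j2 dest=/etc/apcupsd/apcupsd.conf
            owner=root group=root mode=0644 backup=no
  notify: restart apcupsd

# /etc/default/apcupsd carries ISCONFIGURED (rendered from apcups_is_configured
# by default_apcupsd.j2). On Debian/Ubuntu the init script will not start the
# daemon unless it reads "yes", so with the role default (false) the service
# tasks below leave nothing running -- set apcups_is_configured: true once
# apcupsd.conf matches the hardware.
- name: APC UPS | Deploy default configuration
  template: src=default_apcupsd.j2 dest=/etc/default/apcupsd
            owner=root group=root mode=0644 backup=no
  notify: restart apcupsd

# Shutdown hook that apccontrol runs on a "doshutdown" event; root-owned 0755
# because apcupsd executes it as root. (The task was previously misnamed as a
# second "Deploy default configuration".)
- name: APC UPS | Deploy doshutdown script
  template: src=apcupsd_doshutdown.j2 dest=/etc/apcupsd/doshutdown
            owner=root group=root mode=0755 backup=no
  notify: restart apcupsd

- name: APC UPS | Check service daemon
  service: name=apcupsd state=started

# Example of the apcupsd event line this role is set up for:
#   "Power failure on UPS player-2e9a. Running on batteries."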
28 | -------------------------------------------------------------------------------- /roles/system/apcups/templates/apcupsd_doshutdown.j2: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | date > /root/.last_apc_doshutdown 4 | /etc/apcupsd/apccontrol killpower & /sbin/halt 5 | exit 99 6 | -------------------------------------------------------------------------------- /roles/system/apcups/templates/default_apcupsd.j2: -------------------------------------------------------------------------------- 1 | # Defaults for apcupsd initscript 2 | 3 | # Apcupsd-devel internal configuration 4 | APCACCESS=/sbin/apcaccess 5 | ISCONFIGURED={{ 'yes' if apcups_is_configured else 'no' }} 6 | -------------------------------------------------------------------------------- /roles/system/apt/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: Aptitude 5 | 6 | apt_autoremove: false 7 | apt_clear_lists: false 8 | apt_dist_upgrade: false 9 | apt_enable_partner: false 10 | apt_install_python_apt: true 11 | apt_periodic_enable: true 12 | apt_periodic: true 13 | apt_release_upgrades_prompt: "lts" 14 | apt_remove_proxy: false 15 | apt_server: "archive.ubuntu.com" 16 | apt_update_cache: true 17 | apt_update_cache_force: false 18 | apt_hwe_stack: true 19 | apt_hwe_stack_edge: false 20 | -------------------------------------------------------------------------------- /roles/system/apt/files/16.04/apt_apt.conf.d_10periodic: -------------------------------------------------------------------------------- 1 | APT::Periodic::Enable "0"; 2 | APT::Periodic::Update-Package-Lists "1"; 3 | APT::Periodic::Download-Upgradeable-Packages "1"; 4 | APT::Periodic::AutocleanInterval "5"; 5 | APT::Periodic::Unattended-Upgrade "1"; 6 | APT::Periodic::RandomSleep "1800"; 7 | 
-------------------------------------------------------------------------------- /roles/system/apt/files/18.04/update-manager_release-upgrades: -------------------------------------------------------------------------------- 1 | # Default behavior for the release upgrader. 2 | 3 | [DEFAULT] 4 | # Default prompting behavior, valid options: 5 | # 6 | # never - Never check for a new release. 7 | # normal - Check to see if a new release is available. If more than one new 8 | # release is found, the release upgrader will attempt to upgrade to 9 | # the release that immediately succeeds the currently-running 10 | # release. 11 | # lts - Check to see if a new LTS release is available. The upgrader 12 | # will attempt to upgrade to the first LTS release available after 13 | # the currently-running one. Note that this option should not be 14 | # used if the currently-running release is not itself an LTS 15 | # release, since in that case the upgrader won't be able to 16 | # determine if a newer release is available. 
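Prompt=lts
--------------------------------------------------------------------------------
/roles/system/apt/templates/apt_apt.conf.d_01proxy.j2:
--------------------------------------------------------------------------------
{# apt_proxy may be given as "host:port" or with an http:// or https:// scheme.
   In an Acquire::*::proxy value the scheme says how apt talks *to the proxy*,
   not which kind of source the proxy serves: "https://host" means TLS to the
   proxy, which an ordinary http proxy (apt-cacher-ng, squid, cntlm) does not
   speak. The previous template forced https:// onto Acquire::https::proxy
   unconditionally, so every https:// source broke as soon as a plain http
   proxy was configured. Keep the caller's scheme and default to http. #}
{% set _apt_proxy_host = apt_proxy | regex_replace('^(http|https):\/\/(.*)$', '\\2') %}
{% set _apt_proxy_scheme = 'https' if apt_proxy.startswith('https://') else 'http' %}
Acquire::http::proxy "{{ _apt_proxy_scheme }}://{{ _apt_proxy_host }}";
Acquire::https::proxy "{{ _apt_proxy_scheme }}://{{ _apt_proxy_host }}";
{# NOTE(review): kept as it was, but as far as I know apt has no "socks"
   acquire method -- SOCKS proxies are configured as
   Acquire::http::proxy "socks5h://host:port" on apt >= 1.5. Confirm before
   relying on this line. #}
Acquire::socks::proxy "socks://{{ _apt_proxy_host }}";
{{ apt_proxy_extra | default() }}
--------------------------------------------------------------------------------
/roles/system/apt/templates/apt_apt.conf.d_10periodic.j2:
--------------------------------------------------------------------------------
{% if apt_periodic_enable|bool %}
APT::Periodic::Enable "1";
{% else %}
APT::Periodic::Enable "0";
{% endif %}
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::RandomSleep "1800";
--------------------------------------------------------------------------------
/roles/system/apt/templates/apt_sources.list_arm.j2:
--------------------------------------------------------------------------------
deb http://ports.ubuntu.com/ xenial main restricted universe multiverse
deb-src http://ports.ubuntu.com/ xenial main restricted universe multiverse

deb http://ports.ubuntu.com/ xenial-updates main restricted universe multiverse
deb-src http://ports.ubuntu.com/ xenial-updates main restricted universe multiverse

deb http://ports.ubuntu.com/ xenial-security main restricted universe multiverse
deb-src http://ports.ubuntu.com/ xenial-security main restricted universe multiverse

deb http://ports.ubuntu.com/ xenial-backports main restricted universe multiverse
deb-src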
http://ports.ubuntu.com/ xenial-backports main restricted universe multiverse 12 | -------------------------------------------------------------------------------- /roles/system/apt/templates/environment.j2: -------------------------------------------------------------------------------- 1 | {% if http_proxy is defined and http_proxy %} 2 | http_proxy="{{ http_proxy }}" 3 | HTTP_PROXY="{{ http_proxy }}" 4 | HTTPS_PROXY="{{ http_proxy }}" 5 | https_proxy="{{ http_proxy }}" 6 | {% endif %} 7 | PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games" 8 | -------------------------------------------------------------------------------- /roles/system/apt/templates/update-manager_release-upgrades.j2: -------------------------------------------------------------------------------- 1 | # Default behavior for the release upgrader. 2 | 3 | [DEFAULT] 4 | # Default prompting behavior, valid options: 5 | # 6 | # never - Never check for a new release. 7 | # normal - Check to see if a new release is available. If more than one new 8 | # release is found, the release upgrader will attempt to upgrade to 9 | # the release that immediately succeeds the currently-running 10 | # release. 11 | # lts - Check to see if a new LTS release is available. The upgrader 12 | # will attempt to upgrade to the first LTS release available after 13 | # the currently-running one. Note that this option should not be 14 | # used if the currently-running release is not itself an LTS 15 | # release, since in that case the upgrader won't be able to 16 | # determine if a newer release is available. 
17 | Prompt={{ apt_release_upgrades_prompt }} 18 | -------------------------------------------------------------------------------- /roles/system/boot/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: Boot 5 | -------------------------------------------------------------------------------- /roles/system/boot/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: Boot 5 | 6 | ## Grub 7 | - name: Boot | Configure grub 8 | template: src=default_grub.j2 dest=/etc/default/grub 9 | owner=root group=root mode=0644 backup=no 10 | register: result 11 | - name: Boot | Configure grub 12 | shell: update-grub 13 | when: result|changed 14 | 15 | ## rcS 16 | - name: Boot | Configure rcS 17 | template: src=default_rcS.j2 dest=/etc/default/rcS 18 | owner=root group=root mode=0644 backup=no 19 | 20 | -------------------------------------------------------------------------------- /roles/system/boot/templates/default_grub.j2: -------------------------------------------------------------------------------- 1 | # If you change this file, run 'update-grub' afterwards to update 2 | # /boot/grub/grub.cfg. 3 | # For full documentation of the options in this file, see: 4 | # info -f grub -n 'Simple configuration' 5 | 6 | GRUB_DEFAULT=0 7 | GRUB_HIDDEN_TIMEOUT=0 8 | GRUB_HIDDEN_TIMEOUT_QUIET=true 9 | GRUB_RECORDFAIL_TIMEOUT=0 10 | GRUB_TIMEOUT=10 11 | GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian` 12 | GRUB_CMDLINE_LINUX_DEFAULT="quiet splash" 13 | GRUB_CMDLINE_LINUX="" 14 | 15 | # Uncomment to enable BadRAM filtering, modify to suit your needs 16 | # This works with Linux (no patch required) and with any kernel that obtains 17 | # the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...) 
18 | #GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef" 19 | 20 | # Uncomment to disable graphical terminal (grub-pc only) 21 | #GRUB_TERMINAL=console 22 | 23 | # The resolution used on graphical terminal 24 | # note that you can use only modes which your graphic card supports via VBE 25 | # you can see them in real GRUB with the command `vbeinfo' 26 | #GRUB_GFXMODE=640x480 27 | 28 | # Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux 29 | #GRUB_DISABLE_LINUX_UUID=true 30 | 31 | # Uncomment to disable generation of recovery mode menu entries 32 | #GRUB_DISABLE_RECOVERY="true" 33 | 34 | # Uncomment to get a beep at grub start 35 | #GRUB_INIT_TUNE="480 440 1" 36 | -------------------------------------------------------------------------------- /roles/system/boot/templates/default_rcS.j2: -------------------------------------------------------------------------------- 1 | # 2 | # /etc/default/rcS 3 | # 4 | # Default settings for the scripts in /etc/rcS.d/ 5 | # 6 | # For information about these variables see the rcS(5) manual page. 7 | # 8 | # This file belongs to the "initscripts" package. 9 | 10 | # delete files in /tmp during boot older than x days. 
11 | # '0' means always, -1 or 'infinite' disables the feature 12 | #TMPTIME=0 13 | 14 | # spawn sulogin during boot, continue normal boot if not used in 30 seconds 15 | #SULOGIN=no 16 | 17 | # do not allow users to log in until the boot has completed 18 | #DELAYLOGIN=no 19 | 20 | # assume that the BIOS clock is set to UTC time (recommended) 21 | UTC=yes 22 | 23 | # be more verbose during the boot process 24 | #VERBOSE=no 25 | 26 | # automatically repair filesystems with inconsistencies during boot 27 | FSCKFIX=yes 28 | -------------------------------------------------------------------------------- /roles/system/clamav/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: ClamAV 5 | 6 | # Aptitude state 7 | clamav_apt_name: "clamav" 8 | clamav_apt_state: "latest" 9 | 10 | clamav_user: "clamav" 11 | clamav_group: "clamav" 12 | 13 | clamav_email: "me@domain.com" 14 | clamav_sendmail: "sendmail" 15 | clamav_quarantine: false 16 | -------------------------------------------------------------------------------- /roles/system/clamav/templates/apparmor.d_local_usr.sbin.clamd.j2: -------------------------------------------------------------------------------- 1 | # Site-specific additions and overrides for usr.sbin.clamd. 2 | # For more details, please see /etc/apparmor.d/local/README. 3 | 4 | /bin/** r, 5 | /srv/** r, 6 | /tmp/** r, 7 | -------------------------------------------------------------------------------- /roles/system/clamav/templates/clamscan_daily.j2: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # email subject 4 | SUBJECT="VIRUS DETECTED ON `hostname`!!!" 5 | # Email To ? 6 | EMAIL="{{ clamav_email }}" 7 | # Log location 8 | LOG=/var/log/clamav/scan.log 9 | 10 | check_scan () { 11 | 12 | # Check the last set of results. If there are any "Infected" counts that aren't zero, we have a problem. 
13 | if [ `tail -n 12 ${LOG} | grep Infected | grep -v 0 | wc -l` != 0 ] 14 | then 15 | EMAILMESSAGE=`mktemp /tmp/virus-alert.XXXXX` 16 | echo "To: ${EMAIL}" >> ${EMAILMESSAGE} 17 | echo "From: alert@domain.com" >> ${EMAILMESSAGE} 18 | echo "Subject: ${SUBJECT}" >> ${EMAILMESSAGE} 19 | echo "Importance: High" >> ${EMAILMESSAGE} 20 | echo "X-Priority: 1" >> ${EMAILMESSAGE} 21 | echo "`tail -n 50 ${LOG}`" >> ${EMAILMESSAGE} 22 | {% if clamav_sendmail is defined -%} 23 | {{ clamav_sendmail }} < ${EMAILMESSAGE} >> ${LOG} 24 | {% else -%} 25 | sendmail -t < ${EMAILMESSAGE} >> ${LOG} 26 | {%- endif %} 27 | fi 28 | 29 | } 30 | 31 | echo `date +"%Y-%m-%dT%H:%M:%SZ"` - Starting daily scan... >> ${LOG} 32 | 33 | {% if clamav_quarantine -%} 34 | clamscan -r / --exclude-dir=/sys/ --exclude-dir={{ clamav_quarantine }}/ --quiet --infected --move="{{ clamav_quarantine }}" --log=${LOG} 35 | {% else -%} 36 | clamscan -r / --exclude-dir=/sys/ --quiet --infected --log=${LOG} 37 | {%- endif %} 38 | check_scan 39 | 40 | echo `date +"%Y-%m-%dT%H:%M:%SZ"` - Ended daily scan. 
>> ${LOG} 41 | -------------------------------------------------------------------------------- /roles/system/docker/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: Docker 5 | 6 | # Aptitude state 7 | docker_apt_state: 'latest' 8 | docker_clean_legacy: false 9 | 10 | # User and group 11 | docker_user: 'www-data' 12 | docker_group: 'www-data' 13 | 14 | # Legacy Options 15 | docker_opts: '' 16 | # Options 17 | docker_bip: '' 18 | docker_log_driver: '' 19 | docker_storage_driver: 'overlay2' 20 | docker_default_address_pools: [] 21 | 22 | # DockerCompose 23 | docker_compose_install: true 24 | docker_compose_version: '1.23.2' 25 | docker_compose_checksum: 'sha1:feb579e16444d902261c580294622d583e4c05e1' 26 | 27 | # DockerGen 28 | docker_gen_install: false 29 | docker_gen_version: '0.7.4' 30 | docker_gen_checksum: 'sha1:a86be143ce2865cd28a9fe3f6cfd2b90bd9dff00' 31 | -------------------------------------------------------------------------------- /roles/system/docker/files/14.04/default_docker: -------------------------------------------------------------------------------- 1 | # Docker Upstart and SysVinit configuration file 2 | 3 | # 4 | # THIS FILE DOES NOT APPLY TO SYSTEMD 5 | # 6 | # Please see the documentation for "systemd drop-ins": 7 | # https://docs.docker.com/engine/admin/systemd/ 8 | # 9 | 10 | # Customize location of Docker binary (especially for development testing). 11 | #DOCKERD="/usr/local/bin/dockerd" 12 | 13 | # Use DOCKER_OPTS to modify the daemon startup options. 14 | #DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4" 15 | 16 | # If you need Docker to use an HTTP proxy, it can also be specified here. 17 | #export http_proxy="http://127.0.0.1:3128/" 18 | 19 | # This is also a handy place to tweak where Docker's temporary files go. 
20 | #export DOCKER_TMPDIR="/mnt/bigdrive/docker-tmp" 21 | -------------------------------------------------------------------------------- /roles/system/docker/files/16.04/default_docker: -------------------------------------------------------------------------------- 1 | # Docker Upstart and SysVinit configuration file 2 | 3 | # 4 | # THIS FILE DOES NOT APPLY TO SYSTEMD 5 | # 6 | # Please see the documentation for "systemd drop-ins": 7 | # https://docs.docker.com/engine/articles/systemd/ 8 | # 9 | 10 | # Customize location of Docker binary (especially for development testing). 11 | #DOCKERD="/usr/local/bin/dockerd" 12 | 13 | # Use DOCKER_OPTS to modify the daemon startup options. 14 | #DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4" 15 | 16 | # If you need Docker to use an HTTP proxy, it can also be specified here. 17 | #export http_proxy="http://127.0.0.1:3128/" 18 | 19 | # This is also a handy place to tweak where Docker's temporary files go. 20 | #export DOCKER_TMPDIR="/mnt/bigdrive/docker-tmp" -------------------------------------------------------------------------------- /roles/system/docker/files/18.04/lib_systemd_system_docker.socket: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Docker Socket for the API 3 | PartOf=docker.service 4 | 5 | [Socket] 6 | ListenStream=/var/run/docker.sock 7 | SocketMode=0660 8 | SocketUser=root 9 | SocketGroup=docker 10 | 11 | [Install] 12 | WantedBy=sockets.target 13 | -------------------------------------------------------------------------------- /roles/system/docker/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: handler 4 | # Part: Docker 5 | 6 | - name: start docker 7 | service: name=docker state=started 8 | 9 | - name: restart docker 10 | service: name=docker state=restarted 11 | 12 | - name: start docker-gen 13 | service: name=docker-gen state=started 14 | 15 | - name: 
restart docker-gen 16 | service: name=docker-gen state=restarted 17 | -------------------------------------------------------------------------------- /roles/system/docker/tasks/clean.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: clean.yml 3 | # Type: task 4 | # Part: Docker 5 | 6 | ## Uninstall lxc-docker 7 | - name: Docker | Remove legacy package 8 | apt: name=lxc-docker state=absent 9 | - name: Docker | Remove legacy repository 10 | apt_repository: repo='deb https://get.docker.io/ubuntu docker main' state=absent 11 | - name: Docker | Remove legacy ppa file 12 | file: path=/etc/apt/sources.list.d/get_docker_io_ubuntu.list state=absent 13 | - name: Docker | Remove legacy ppa key 14 | apt_key: keyserver=keyserver.ubuntu.com id=A88D21E9 state=absent 15 | 16 | ## Uninstall docker-engine 17 | - name: Docker | Remove legacy package 18 | apt: name=docker-engine state=absent 19 | - name: Docker | Remove legacy repository 20 | apt_repository: repo='deb https://apt.dockerproject.org/repo ubuntu-{{ ansible_lsb.codename }} main' state=absent 21 | # file: path=/etc/apt/sources.list.d/apt_dockerproject_org_repo.list state=absent 22 | - name: Docker | Remove legacy ppa key 23 | apt_key: keyserver=keyserver.ubuntu.com id=2C52609D state=absent 24 | -------------------------------------------------------------------------------- /roles/system/docker/tasks/configure-systemd.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: configure-systemd.yml 3 | # Type: task 4 | # Part: Docker 5 | 6 | # legacy upstart config 7 | - name: Docker | Remove upstart service configuration 8 | file: path=/etc/init/docker.conf state=absent 9 | notify: restart docker 10 | 11 | # docker.socket 12 | - name: Docker | Deploy systemd docker.socket configuration 13 | template: src=lib_systemd_system_docker.socket.j2 dest=/lib/systemd/system/docker.socket owner=root group=root mode=0644 14 | 
notify: restart docker 15 | - name: Docker | Link systemd docker.socket configuration 16 | file: state=link src=/lib/systemd/system/docker.socket dest=/etc/systemd/system/sockets.target.wants/docker.socket 17 | notify: restart docker 18 | 19 | # docker.service 20 | - name: Docker | Deploy systemd docker.service configuration 21 | template: src=lib_systemd_system_docker.service.j2 dest=/lib/systemd/system/docker.service owner=root group=root mode=0644 22 | notify: restart docker 23 | - name: Docker | Link systemd docker.service configuration 24 | file: state=link src=/lib/systemd/system/docker.service dest=/etc/systemd/system/multi-user.target.wants/docker.service 25 | notify: restart docker 26 | -------------------------------------------------------------------------------- /roles/system/docker/tasks/configure-upstart.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: configure-upstart.yml 3 | # Type: task 4 | # Part: Docker 5 | 6 | - name: Docker | Deploy upstart service defaults 7 | template: src=default_docker.j2 dest=/etc/default/docker 8 | owner=root group=root mode=0644 backup=no 9 | notify: restart docker 10 | 11 | - name: Docker | Deploy upstart service configuration 12 | template: src=init_docker.conf.j2 dest=/etc/init/docker.conf owner=root group=root mode=0755 backup=no 13 | notify: restart docker 14 | register: result 15 | - fetch: src=/etc/init/docker.conf dest={{ ansible_fetched_base }} 16 | when: result|changed 17 | -------------------------------------------------------------------------------- /roles/system/docker/tasks/configure.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: configure.yml 3 | # Type: task 4 | # Part: Docker 5 | 6 | - name: Docker | Create base directory 7 | file: state=directory path=/srv/docker owner=root group=root mode=0775 8 | 9 | - name: Docker | Deploy daemon defaults 10 | template: src=docker_daemon.json.j2 
dest=/etc/docker/daemon.json 11 | owner=root group=root mode=0600 backup=no 12 | notify: restart docker 13 | 14 | # - name: Docker | Create legacy symlink 15 | # file: state=link path=/opt/docker src=/srv/docker 16 | 17 | -------------------------------------------------------------------------------- /roles/system/docker/tasks/docker-compose.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: docker-compose.yml 3 | # Type: task 4 | # Part: Docker 5 | 6 | - debug: 7 | msg: "Fetching docker-compose@{{ docker_compose_version }}" 8 | - name: DockerCompose | Fetch package 9 | get_url: url=https://github.com/docker/compose/releases/download/{{ docker_compose_version }}/docker-compose-Linux-{{ ansible_architecture }} 10 | dest=/usr/local/bin/docker-compose 11 | checksum={{ docker_compose_checksum }} 12 | 13 | - name: DockerCompose | Setup rights 14 | file: path=/usr/local/bin/docker-compose owner=root group=root mode=0755 15 | -------------------------------------------------------------------------------- /roles/system/docker/tasks/install.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: Docker 5 | 6 | ## Kernel upgrade for 12.04 7 | - name: Docker | Upgrade 12.04 kernel 8 | apt: name={{ item }} state=latest 9 | with_items: 10 | - linux-image-generic-lts-trusty 11 | - linux-headers-generic-lts-trusty 12 | when: ansible_distribution == 'Ubuntu' and ansible_distribution_version == '12.04' 13 | register: kernel_updated 14 | - name: Docker | Reboot 15 | command: reboot 16 | when: kernel_updated | changed 17 | - name: Docker | Wait for SSH 18 | local_action: wait_for host={{ ansible_ssh_host }} port={{ ansible_ssh_port }} delay=30 timeout=900 state=started 19 | when: kernel_updated | changed 20 | 21 | ## Kernel upgrade for 14.04 22 | - name: Docker | Install recommended packages 23 | apt: name={{ item }} state=latest 24 | 
with_items: 25 | - linux-image-extra-{{ ansible_kernel }} 26 | - linux-image-extra-virtual 27 | when: ansible_distribution == 'Ubuntu' and ansible_distribution_version == '14.04' 28 | 29 | ## Install docker-ce 30 | - name: Docker | Install ppa key 31 | apt_key: keyserver=keyserver.ubuntu.com id=0EBFCD88 32 | - name: Docker | Install repository 33 | apt_repository: repo='deb [arch={{ docker_apt_architecture }}] https://download.docker.com/linux/ubuntu {{ ansible_lsb.codename }} stable' state=present 34 | - name: Docker | Install package 35 | apt: name=docker-ce state={{ docker_apt_state }} 36 | -------------------------------------------------------------------------------- /roles/system/docker/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: Docker 5 | 6 | - name: Docker | Check Ubuntu release 7 | fail: msg="Docker only support Ubuntu from {{ ansible_distribution_version }}" 8 | when: ansible_distribution != 'Ubuntu' or ansible_lsb.major_release|int < 12 9 | - name: Docker | Check architecture 10 | fail: msg="Docker only support x86_64 architecture" 11 | when: ansible_architecture != 'x86_64' 12 | - name: Facts | Set docker_apt_architecture 13 | set_fact: docker_apt_architecture=amd64 14 | when: ansible_architecture == 'x86_64' 15 | 16 | ## Install 17 | - name: Docker | Clean legacy install 18 | include: clean.yml 19 | when: docker_clean_legacy|bool 20 | 21 | ## Install 22 | - name: Docker | Install 23 | include: install.yml 24 | 25 | ## Configure 26 | - name: Docker | Configure 27 | tags: system_docker_configure 28 | include: configure.yml 29 | 30 | ## Configure service 31 | - include: configure-systemd.yml 32 | when: not docker and ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int >= 16 33 | - include: configure-upstart.yml 34 | when: not docker and ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int <= 14 35 
| 36 | ## DockerCompose 37 | - name: Docker | Install DockerCompose 38 | tags: system_docker-compose 39 | include: docker-compose.yml 40 | when: docker_compose_install 41 | 42 | ## DockerGen 43 | - name: Docker | Install DockerGen 44 | tags: system_docker-gen 45 | include: docker-gen.yml 46 | when: docker_gen_install 47 | 48 | ## Check service 49 | - name: Docker | Check service daemon 50 | service: name=docker state=started 51 | -------------------------------------------------------------------------------- /roles/system/docker/templates/default_docker.j2: -------------------------------------------------------------------------------- 1 | # Docker Upstart and SysVinit configuration file 2 | 3 | # 4 | # THIS FILE DOES NOT APPLY TO SYSTEMD 5 | # 6 | # Please see the documentation for "systemd drop-ins": 7 | # https://docs.docker.com/engine/articles/systemd/ 8 | # 9 | 10 | # Customize location of Docker binary (especially for development testing). 11 | #DOCKER="/usr/local/bin/docker" 12 | 13 | # Use DOCKER_OPTS to modify the daemon startup options. 14 | #DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4" 15 | {% if docker_opts != "" %} 16 | DOCKER_OPTS="{{ docker_opts }}" 17 | {% endif %} 18 | 19 | # If you need Docker to use an HTTP proxy, it can also be specified here. 20 | #export http_proxy="http://127.0.0.1:3128/" 21 | 22 | # This is also a handy place to tweak where Docker's temporary files go. 
23 | #export TMPDIR="/mnt/bigdrive/docker-tmp" 24 | -------------------------------------------------------------------------------- /roles/system/docker/templates/docker-gen.service.j2: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=DockerGen Service 3 | After=syslog.target 4 | After=network.target 5 | After=docker.service 6 | 7 | [Service] 8 | ExecStart=/usr/bin/docker-gen -only-exposed -watch /etc/docker/templates/hosts.tmpl /etc/hosts 9 | Restart=always 10 | StandardOutput=journal 11 | StandardError=journal 12 | SyslogIdentifier=docker-gen 13 | User=root 14 | Group=root 15 | WorkingDirectory=/etc/docker 16 | TimeoutStartSec=0 17 | Environment=PATH=/usr/bin:/usr/local/bin:/bin 18 | 19 | [Install] 20 | WantedBy=multi-user.target 21 | -------------------------------------------------------------------------------- /roles/system/docker/templates/docker_daemon.json.j2: -------------------------------------------------------------------------------- 1 | { 2 | {% if docker_bip != "" %} 3 | "bip": "{{ docker_bip }}", 4 | {% endif %} 5 | {% if docker_log_driver != "" %} 6 | "log-driver": "{{ docker_log_driver }}", 7 | {% endif %} 8 | {% if docker_default_address_pools|length > 0 %} 9 | "default-address-pools": {{ docker_default_address_pools | to_json }}, 10 | {% endif %} 11 | "storage-driver": "{{ docker_storage_driver }}" 12 | } 13 | -------------------------------------------------------------------------------- /roles/system/docker/templates/hosts.j2: -------------------------------------------------------------------------------- 1 | # Generated by docker-gen, do not edit 2 | 127.0.0.1 localhost 3 | 127.0.1.1 {{ ansible_hostname }} 4 | 5 | # Docker hosts generated by docker-gen 6 | {% raw %} 7 | {{ range $key, $value := . 
}} 8 | {{ $addrLen := len $value.Networks }} 9 | {{ if gt $addrLen 0 }} 10 | {{ with $address := index $value.Networks 0 }} 11 | {{ $address.IP }} {{ $value.Name }}.docker {% endraw %}{{ ansible_hostname }}{% raw %}.{{ $value.Name }} 12 | {{ end }} 13 | {{ end }} 14 | {{ end }} 15 | {% endraw %} 16 | 17 | # The following lines are desirable for IPv6 capable hosts 18 | ::1 ip6-localhost ip6-loopback 19 | fe00::0 ip6-localnet 20 | ff00::0 ip6-mcastprefix 21 | ff02::1 ip6-allnodes 22 | ff02::2 ip6-allrouters 23 | -------------------------------------------------------------------------------- /roles/system/docker/templates/init_docker-gen.conf.j2: -------------------------------------------------------------------------------- 1 | # Ansible managed 2 | 3 | description "DockerGen" 4 | author "Olivier Louvignes " 5 | 6 | start on filesystem and started docker 7 | stop on runlevel [!2345] 8 | 9 | respawn 10 | 11 | script 12 | /usr/bin/docker-gen -only-exposed -watch /etc/docker/templates/hosts.tmpl /etc/hosts 13 | end script 14 | -------------------------------------------------------------------------------- /roles/system/docker/templates/lib_systemd_system_docker.socket.j2: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Docker Socket for the API 3 | PartOf=docker.service 4 | 5 | [Socket] 6 | ListenStream=/var/run/docker.sock 7 | SocketMode=0660 8 | SocketUser=root 9 | SocketGroup=docker 10 | 11 | [Install] 12 | WantedBy=sockets.target 13 | -------------------------------------------------------------------------------- /roles/system/fail2ban/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: fail2ban 5 | 6 | ssh_port: "ssh" 7 | fail2ban_ignoreip: [] 8 | -------------------------------------------------------------------------------- /roles/system/fail2ban/handlers/main.yml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: handler 4 | # Part: fail2ban 5 | 6 | - name: start fail2ban 7 | service: name=fail2ban state=started 8 | 9 | - name: restart fail2ban 10 | service: name=fail2ban state=restarted 11 | -------------------------------------------------------------------------------- /roles/system/fail2ban/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: fail2ban 5 | 6 | - name: fail2ban | Install package 7 | apt: name=fail2ban state=latest 8 | 9 | - name: fail2ban | Deploy config 10 | template: src="{{ ansible_distribution_version }}/fail2ban_fail2ban.conf.j2" dest="/etc/fail2ban/fail2ban.conf" owner=root group=root mode=0644 11 | notify: restart fail2ban 12 | - name: fail2ban | Deploy jail config 13 | template: src="{{ ansible_distribution_version }}/fail2ban_jail.conf.j2" dest="/etc/fail2ban/jail.conf" owner=root group=root mode=0644 14 | notify: restart fail2ban 15 | -------------------------------------------------------------------------------- /roles/system/graphics/defaults/main.yml: -------------------------------------------------------------------------------- 1 | 2 | graphics_nvidia_apt_package: nvidia-384 3 | graphics_intel_xorg_dri3: false 4 | graphics_apt_upgrade: true 5 | -------------------------------------------------------------------------------- /roles/system/graphics/tasks/amd.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | # @url https://launchpad.net/~oibaf/+archive/ubuntu/graphics-drivers 4 | - name: Graphics | Oibaf Graphics Drivers | Install ppa key 5 | apt_key: 6 | keyserver: keyserver.ubuntu.com 7 | id: 5ABCE68FF4633EA42E219156957D2708A03A4626 8 | when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int >= 16 9 | - name: Graphics | Oibaf Graphics Drivers 
| Install ppa 10 | apt_repository: 11 | repo: 'ppa:oibaf/graphics-drivers' 12 | when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int >= 16 13 | 14 | - name: Graphics | Amd | Install extra packages 15 | apt: name={{ item }} state=latest 16 | with_items: 17 | - mesa-vdpau-drivers # This package enables support for VDPAU for some gallium drivers. 18 | 19 | - name: Graphics | Amd | Update graphics packages to the latest version 20 | apt: upgrade=dist 21 | -------------------------------------------------------------------------------- /roles/system/graphics/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: Graphics 5 | 6 | - name: Graphics | Check Ubuntu release 7 | fail: msg="This role only support Ubuntu LTS versions after 14.04" 8 | when: ansible_distribution_major_version|int < 14 9 | - name: Graphics | Check architecture 10 | fail: msg="This role support x86_64 architecture" 11 | when: ansible_architecture != 'x86_64' 12 | 13 | - name: Graphics | Determine GPU Vendor 14 | shell: if [[ $(lspci | egrep VGA.+NVIDIA | wc -l) > 0 ]]; then echo 'nvidia'; else if [[ $(lspci | egrep VGA.+AMD | wc -l) > 0 ]]; then echo 'amd'; else echo 'intel'; fi; fi; 15 | args: 16 | executable: /bin/bash 17 | register: gpu_vendor_result 18 | - set_fact: 19 | gpu_vendor: "{{ gpu_vendor_result.stdout }}" 20 | - debug: msg="System gpu is {{ gpu_vendor }}" 21 | 22 | - include: nvidia.yml 23 | when: gpu_vendor == 'nvidia' 24 | - include: intel.yml 25 | when: gpu_vendor == 'intel' 26 | - include: amd.yml 27 | when: gpu_vendor == 'amd' 28 | -------------------------------------------------------------------------------- /roles/system/graphics/templates/intel_X11_xorg.conf.j2: -------------------------------------------------------------------------------- 1 | Section "Device" 2 | Identifier "Intel Graphics" 3 | Driver "intel" 4 | Option "AccelMethod" "sna" 5 | {% 
if ansible_distribution_version == "14.04" %} 6 | Option "TearFree" "true" 7 | {% endif %} 8 | {% if ansible_distribution_version == "16.04" %} 9 | {% if graphics_intel_xorg_dri3 %} 10 | Option "TearFree" "true" 11 | Option "DRI" "3" 12 | {% else %} 13 | Option "TearFree" "true" 14 | # Option "DRI" "3" 15 | {% endif %} 16 | {% endif %} 17 | EndSection 18 | -------------------------------------------------------------------------------- /roles/system/graphics/templates/xorg.conf.d_20-intel.conf.j2: -------------------------------------------------------------------------------- 1 | Section "Device" 2 | Identifier "Intel Graphics" 3 | Driver "intel" 4 | Option "AccelMethod" "sna" 5 | Option "TearFree" "true" 6 | Option "DRI" "3" 7 | EndSection 8 | -------------------------------------------------------------------------------- /roles/system/journald/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: Aptitude 5 | 6 | journald_storage: "auto" 7 | journald_rate_limit_interval: "30s" 8 | journald_rate_limit_burst: "1000" -------------------------------------------------------------------------------- /roles/system/journald/files/18.04/journald.conf: -------------------------------------------------------------------------------- 1 | # This file is part of systemd. 2 | # 3 | # systemd is free software; you can redistribute it and/or modify it 4 | # under the terms of the GNU Lesser General Public License as published by 5 | # the Free Software Foundation; either version 2.1 of the License, or 6 | # (at your option) any later version. 7 | # 8 | # Entries in this file show the compile time defaults. 9 | # You can change settings by editing this file. 10 | # Defaults can be restored by simply deleting this file. 11 | # 12 | # See journald.conf(5) for details. 
13 | 14 | [Journal] 15 | #Storage=auto 16 | #Compress=yes 17 | #Seal=yes 18 | #SplitMode=uid 19 | #SyncIntervalSec=5m 20 | #RateLimitIntervalSec=30s 21 | #RateLimitBurst=1000 22 | #SystemMaxUse= 23 | #SystemKeepFree= 24 | #SystemMaxFileSize= 25 | #SystemMaxFiles=100 26 | #RuntimeMaxUse= 27 | #RuntimeKeepFree= 28 | #RuntimeMaxFileSize= 29 | #RuntimeMaxFiles=100 30 | #MaxRetentionSec= 31 | #MaxFileSec=1month 32 | #ForwardToSyslog=yes 33 | #ForwardToKMsg=no 34 | #ForwardToConsole=no 35 | #ForwardToWall=yes 36 | #TTYPath=/dev/console 37 | #MaxLevelStore=debug 38 | #MaxLevelSyslog=debug 39 | #MaxLevelKMsg=notice 40 | #MaxLevelConsole=info 41 | #MaxLevelWall=emerg 42 | #LineMax=48K 43 | -------------------------------------------------------------------------------- /roles/system/journald/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: handler 4 | # Part: Journald 5 | 6 | - name: start journald 7 | service: name=systemd-journald state=started 8 | 9 | - name: restart journald 10 | service: name=systemd-journald state=restarted 11 | -------------------------------------------------------------------------------- /roles/system/journald/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: Journald 5 | 6 | - name: Aptitude | Deploy journald.conf 7 | template: src=systemd_journald.conf.j2 dest="/etc/systemd/journald.conf" owner=root group=root mode=0644 8 | notify: restart journald 9 | when: ansible_lsb.major_release|int >= 16 10 | -------------------------------------------------------------------------------- /roles/system/journald/templates/systemd_journald.conf.j2: -------------------------------------------------------------------------------- 1 | # This file is part of systemd. 
2 | # 3 | # systemd is free software; you can redistribute it and/or modify it 4 | # under the terms of the GNU Lesser General Public License as published by 5 | # the Free Software Foundation; either version 2.1 of the License, or 6 | # (at your option) any later version. 7 | # 8 | # Entries in this file show the compile time defaults. 9 | # You can change settings by editing this file. 10 | # Defaults can be restored by simply deleting this file. 11 | # 12 | # See journald.conf(5) for details. 13 | 14 | [Journal] 15 | {% if journald_storage != "auto" %} 16 | Storage={{ journald_storage }} 17 | {% else %} 18 | #Storage=auto 19 | {% endif %} 20 | #Compress=yes 21 | #Seal=yes 22 | #SplitMode=uid 23 | #SyncIntervalSec=5m 24 | {% if journald_rate_limit_interval != "30s" %} 25 | RateLimitInterval={{ journald_rate_limit_interval }} 26 | {% else %} 27 | #RateLimitInterval=30s 28 | {% endif %} 29 | {% if journald_rate_limit_burst != "1000" %} 30 | RateLimitBurst={{ journald_rate_limit_burst }} 31 | {% else %} 32 | #RateLimitBurst=1000 33 | {% endif %} 34 | #SystemMaxUse= 35 | #SystemKeepFree= 36 | #SystemMaxFileSize= 37 | #SystemMaxFiles=100 38 | #RuntimeMaxUse= 39 | #RuntimeKeepFree= 40 | #RuntimeMaxFileSize= 41 | #RuntimeMaxFiles=100 42 | #MaxRetentionSec= 43 | #MaxFileSec=1month 44 | #ForwardToSyslog=yes 45 | #ForwardToKMsg=no 46 | #ForwardToConsole=no 47 | #ForwardToWall=yes 48 | #TTYPath=/dev/console 49 | #MaxLevelStore=debug 50 | #MaxLevelSyslog=debug 51 | #MaxLevelKMsg=notice 52 | #MaxLevelConsole=info 53 | #MaxLevelWall=emerg 54 | #LineMax=48K 55 | -------------------------------------------------------------------------------- /roles/system/kaspersky/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: handler 4 | # Part: Kaspersky 5 | 6 | - name: start kes4lwks-supervisor 7 | service: name=kes4lwks-supervisor state=started 8 | 9 | - name: restart kes4lwks-supervisor 10 | 
service: name=kes4lwks-supervisor state=restarted 11 | -------------------------------------------------------------------------------- /roles/system/kaspersky/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: Kaspersky 5 | 6 | ## Checks 7 | - name: Kaspersky | Check architecture 8 | fail: msg="Kaspersky only support x86_64 architecture" 9 | when: ansible_architecture != 'x86_64' 10 | 11 | ## Install 12 | - name: Kaspersky | Install 13 | include: install.yml 14 | when: not kaspersky_skip_install 15 | 16 | ## Stats 17 | - name: Kaspersky | Stats 18 | include: stats.yml 19 | when: kaspersky_fetch_stats 20 | 21 | ## Check service 22 | - name: Kaspersky | Check service daemon 23 | service: name=kes4lwks-supervisor state=started 24 | -------------------------------------------------------------------------------- /roles/system/kaspersky/tasks/stats.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: stats.yml 3 | # Type: task 4 | # Part: Kaspersky 5 | 6 | - name: Kaspersky | Generate info stats 7 | shell: kes4lwks-control --app-info --export-report /tmp/kes4lwks-info.csv --report-type csv 8 | - name: Kaspersky | Fetch kes4lwks-info.csv 9 | fetch: src=/tmp/kes4lwks-info.csv dest={{ ansible_fetched_base }}/kes4lwks-info.csv flat=yes fail_on_missing=no 10 | 11 | - name: Kaspersky | Generate update stats 12 | shell: kes4lwks-control --get-stat Update --from {{ kaspersky_fetch_stats_from }} --export-report /tmp/kes4lwks-update.csv --report-type csv 13 | - name: Kaspersky | Fetch kes4lwks-update.csv 14 | fetch: src=/tmp/kes4lwks-update.csv dest={{ ansible_fetched_base }}/kes4lwks-update.csv flat=yes fail_on_missing=no 15 | 16 | - name: Kaspersky | Generate application stats 17 | shell: kes4lwks-control --get-stat Application --from {{ kaspersky_fetch_stats_from }} --export-report /tmp/kes4lwks-application.csv 
--report-type csv 18 | - name: Kaspersky | Fetch kes4lwks-application.csv 19 | fetch: src=/tmp/kes4lwks-application.csv dest={{ ansible_fetched_base }}/kes4lwks-application.csv flat=yes fail_on_missing=no 20 | 21 | - name: Kaspersky | Generate viruses stats 22 | shell: kes4lwks-control --top-viruses {{ kaspersky_fetch_top_viruses }} --from {{ kaspersky_fetch_stats_from }} --export-report /tmp/kes4lwks-top-viruses.csv --report-type csv 23 | - name: Kaspersky | Fetch kes4lwks-top-viruses.csv 24 | fetch: src=/tmp/kes4lwks-top-viruses.csv dest={{ ansible_fetched_base }}/kes4lwks-top-viruses.csv flat=yes fail_on_missing=no 25 | -------------------------------------------------------------------------------- /roles/system/kaspersky/templates/answers.txt.j2: -------------------------------------------------------------------------------- 1 | # Ansible managed 2 | 3 | EULA_AGREED={{ kaspersky_eula_agreed }} 4 | SERVICE_LOCALE={{ kaspersky_service_locale }} 5 | INSTALL_KEY_FILE={{ kaspersky_install_key_file }} 6 | UPDATER_SOURCE={{ kaspersky_updater_source }} 7 | UPDATER_PROXY={{ kaspersky_updater_proxy }} 8 | UPDATER_EXECUTE={{ kaspersky_updater_execute }} 9 | UPDATER_ENABLE_AUTO={{ kaspersky_updater_enable_auto }} 10 | RTP_BUILD_KERNEL_MODULE={{ kaspersky_rtp_build_kernel_module }} 11 | RTP_BUILD_KERNEL_SRCS={{ kaspersky_rtp_build_kernel_srcs }} 12 | RTP_SAMBA_ENABLE={{ kaspersky_rtp_samba_enable }} 13 | {%if kaspersky_rtp_samba_conf != "" %} 14 | RTP_SAMBA_CONF={{ kaspersky_rtp_samba_conf }} 15 | {%endif%} 16 | {%if kaspersky_rtp_samba_vfs != "" %} 17 | RTP_SAMBA_VFS={{ kaspersky_rtp_samba_vfs }} 18 | {%endif%} 19 | {%if kaspersky_rtp_samba_vfs_module != "" %} 20 | RTP_SAMBA_VFS_MODULE={{ kaspersky_rtp_samba_vfs_module }} 21 | {%endif%} 22 | RTP_START={{ kaspersky_rtp_start }} 23 | GUI_ENABLE={{ kaspersky_gui_enable }} 24 | -------------------------------------------------------------------------------- 
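/roles/system/kaspersky/templates/apparmor.d_local_usr.sbin.clamd.j2:
--------------------------------------------------------------------------------
# Site-specific additions and overrides for usr.sbin.clamd.
# For more details, please see /etc/apparmor.d/local/README.
#
# Read-only access for the scanner under these trees; nothing here grants
# write or execute. (The file sits in the kaspersky role but targets ClamAV.)

/bin/** r,
/srv/** r,
/tmp/** r,
--------------------------------------------------------------------------------
/roles/system/kaspersky/templates/clamscan_daily.j2:
--------------------------------------------------------------------------------
#!/bin/bash
# Daily ClamAV scan of the root filesystem. clamscan appends its output and
# summary to ${LOG}; check_scan then reads that summary and, when the
# "Infected files" count is non-zero, mails the tail of the log to ${EMAIL}.
# Rendered by Ansible (Jinja2): the {% ... %} blocks are resolved at deploy
# time. Block tags carry no "-" modifiers on purpose: with Ansible's default
# trim_blocks, the original "{%- endif %}" also swallowed the newline before
# the tag, which would glue the following command (e.g. `check_scan`) onto
# the line before it.

# email subject
SUBJECT="VIRUS DETECTED ON $(hostname)!!!"
# Email To ?
EMAIL="{{ clamav_email }}"
# Log location
LOG=/var/log/clamav/scan.log

# Inspect the summary block of the run that just finished and send an alert
# mail when it reports infected files. Reads ${LOG}; creates and removes a
# temporary message file.
check_scan () {

    # Match the count itself. The previous `grep -v 0` dropped every line that
    # contained the digit 0 anywhere, so "Infected files: 10" (or 20, 100 ...)
    # was silently treated as clean.
    if tail -n 12 "${LOG}" | grep -qE '^Infected files: [0-9]*[1-9]'
    then
        EMAILMESSAGE=$(mktemp /tmp/virus-alert.XXXXX)
        {
            echo "To: ${EMAIL}"
            echo "From: alert@domain.com"
            echo "Subject: ${SUBJECT}"
            echo "Importance: High"
            echo "X-Priority: 1"
            # Empty line = header/body separator; without it sendmail -t
            # parses the log lines as (malformed) headers.
            echo
            tail -n 50 "${LOG}"
        } > "${EMAILMESSAGE}"
{% if clamav_sendmail is defined %}
        {{ clamav_sendmail }} < "${EMAILMESSAGE}" >> "${LOG}"
{% else %}
        sendmail -t < "${EMAILMESSAGE}" >> "${LOG}"
{% endif %}
        # Do not leave the alert (and the log excerpt) lying around in /tmp.
        rm -f "${EMAILMESSAGE}"
    fi

}

# -u: the timestamp format ends in "Z", so emit UTC rather than local time.
echo "$(date -u +"%Y-%m-%dT%H:%M:%SZ") - Starting daily scan..." >> "${LOG}"

# /proc, /sys and /dev hold pseudo-files and device nodes (e.g. /proc/kcore)
# that are not worth scanning and can stall or balloon a recursive scan.
{% if clamav_quarantine is defined %}
clamscan -r / --exclude-dir='^/proc' --exclude-dir='^/sys' --exclude-dir='^/dev' --quiet --infected --move="{{ clamav_quarantine }}" --log="${LOG}"
{% else %}
clamscan -r / --exclude-dir='^/proc' --exclude-dir='^/sys' --exclude-dir='^/dev' --quiet --infected --log="${LOG}"
{% endif %}
check_scan

echo "$(date -u +"%Y-%m-%dT%H:%M:%SZ") - Ended daily scan." >> "${LOG}"
--------------------------------------------------------------------------------
/roles/system/mediainfo/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Install mediainfo from the mediaarea.net repository.

# The signing-key task is disabled, so the repository below is added without a
# trusted key and apt will refuse to install from it until the key is imported
# (re-enable this task) — do not work around that with [trusted=yes], which
# turns signature verification off for the whole source.
# - name: Mediainfo | Install ppa key
#   apt_key: keyserver=keyserver.ubuntu.com id=B34F70C93804BEA383522B2061260473F9D8BC54
- name: Mediainfo | Install ppa
  # nodejs_validate_certs is not set by this role (presumably it comes from
  # the nodejs role); default to validating the repository's TLS certificate
  # rather than failing on an undefined variable.
  apt_repository: repo="{{ item }}" validate_certs={{ nodejs_validate_certs | default(true) }}
  with_items:
    - "deb https://mediaarea.net/repo/deb/ubuntu {{ ansible_distribution_release }} main"
- name: Mediainfo | Install package
  apt: name=mediainfo state=latest
--------------------------------------------------------------------------------
/roles/system/metricbeat/defaults/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: defaults
# Part: beats

# Aptitude state
metricbeat_apt_state: "latest"

# system module: metricsets/processes are regex lists, ".*" = everything
metricbeat_module_system_enabled: true
metricbeat_module_system_metricsets: [".*"]
metricbeat_module_system_period: "10s"
metricbeat_module_system_processes: [".*"]
metricbeat_module_system_cpu_ticks: false

metricbeat_module_redis_enabled: false
metricbeat_module_redis_hosts: ["localhost"]
metricbeat_module_redis_metricsets: [".*"]
metricbeat_module_redis_period: "10s"

metricbeat_module_mongodb_enabled: false
metricbeat_module_mongodb_hosts: ["localhost"]
metricbeat_module_mongodb_metricsets: [".*"]
metricbeat_module_mongodb_period: "10s"

metricbeat_service_enabled: true
metricbeat_service_state: "started"

# Output endpoint. "http" sends metrics and the credentials below in clear;
# prefer "https" off-host. Override the password from an encrypted
# (ansible-vault) variable file rather than in plain inventory.
metricbeat_output_protocol: "http"
metricbeat_output_path: ""
metricbeat_output_hosts:
  - "localhost:9000"
metricbeat_output_username: ""
metricbeat_output_password: ""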
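--------------------------------------------------------------------------------
/roles/system/metricbeat/handlers/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: handler
# Part: beats
#
# Handlers notified by the metricbeat tasks: start/restart the beat, restart
# monit after its configuration changes.

- name: start metricbeat
  service: name=metricbeat state=started
- name: restart metricbeat
  service: name=metricbeat state=restarted
- name: restart monit
  service: name=monit state=restarted
--------------------------------------------------------------------------------
/roles/system/metricbeat/tasks/configure-monit.yml:
--------------------------------------------------------------------------------
---
# Install monit and deploy the metricbeat process check into conf.d.

## Configure monit
- name: metricbeat | Install monit
  apt: name=monit state=latest
  notify: restart monit
- name: metricbeat | Deploy monit configuration
  template: src=monit_conf.d_metricbeat.conf.j2 dest=/etc/monit/conf.d/metricbeat.conf owner=root group=root mode=0644
  notify: restart monit
--------------------------------------------------------------------------------
/roles/system/metricbeat/tasks/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: task
# Part: beats
#
# Install metricbeat from the Elastic 5.x apt repository, deploy its
# configuration, keep the service in the requested state and add monit.

## Install
- name: metricbeat | Install ppa key
  # D88E42B4 is a short (32-bit) key id, which is cheap to collide; pin the
  # key's full fingerprint instead, i.e. id=<FULL_KEY_FINGERPRINT>, so the
  # post-import check cannot be satisfied by a look-alike key.
  apt_key: keyserver=keyserver.ubuntu.com id=D88E42B4
- name: metricbeat | Install ppa
  apt_repository: repo='deb https://artifacts.elastic.co/packages/5.x/apt stable main' state=present
- name: metricbeat | Install packages
  # Honour metricbeat_apt_state from defaults instead of a hard-coded
  # state=latest (the telegraf role already does this).
  apt: name=metricbeat state={{ metricbeat_apt_state }}

## Configure
- name: metricbeat | Deploy config
  # The rendered file presumably contains metricbeat_output_password from
  # defaults; metricbeat 5.x runs as root, so root-only permissions are safe.
  template: src=metricbeat_metricbeat.yml.j2 dest=/etc/metricbeat/metricbeat.yml owner=root group=root mode=0600
  notify: restart metricbeat
- name: metricbeat | Check service daemon
  service: name=metricbeat state={{ metricbeat_service_state }} enabled={{ metricbeat_service_enabled }}

## Configure monit
- name: metricbeat | Configure monit
  include: configure-monit.yml
--------------------------------------------------------------------------------
/roles/system/metricbeat/templates/monit_conf.d_metricbeat.conf.j2:
--------------------------------------------------------------------------------
check process metricbeat with pidfile /var/run/metricbeat.pid
  start program = "/etc/init.d/metricbeat start"
  stop program = "/etc/init.d/metricbeat stop"
  if 5 restarts within 5 cycles then timeout
{% if not metricbeat_service_enabled|bool %}
  mode passive
{% endif %}
--------------------------------------------------------------------------------
/roles/system/ntp/handlers/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: handler
# Part: NTP

- name: start ntp
  service: name=ntp state=started

- name: restart ntp
  service: name=ntp state=restarted
--------------------------------------------------------------------------------
/roles/system/ntp/tasks/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: task
# Part: NTP
#
# Install ntp and deploy /etc/ntp.conf from the ntp.j2 template.

- name: NTP | Install package
  apt: name=ntp state=latest

- name: NTP | Deploy config
  template: src=ntp.j2 dest="/etc/ntp.conf" owner=root group=root mode=0644
  notify: restart ntp
--------------------------------------------------------------------------------
/roles/system/packetbeat/defaults/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: defaults
# Part: beats

# Aptitude state
packetbeat_apt_state: "latest"
packetbeat_flows_enabled: true

# Output endpoint(s); override per environment.
packetbeat_hosts:
  - "localhost:9000"
--------------------------------------------------------------------------------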
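/roles/system/packetbeat/handlers/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: handler
# Part: packetbeat
#
# Handlers notified by the packetbeat tasks: start/restart the beat, restart
# monit after its configuration changes.

- name: start packetbeat
  service: name=packetbeat state=started
- name: restart packetbeat
  service: name=packetbeat state=restarted
- name: restart monit
  service: name=monit state=restarted
--------------------------------------------------------------------------------
/roles/system/packetbeat/tasks/configure-monit.yml:
--------------------------------------------------------------------------------
---
# Install monit and deploy the packetbeat process check into conf.d.

## Configure monit
- name: packetbeat | Install monit
  apt: name=monit state=latest
  notify: restart monit
- name: packetbeat | Deploy monit configuration
  template: src=monit_conf.d_packetbeat.conf.j2 dest=/etc/monit/conf.d/packetbeat.conf owner=root group=root mode=0644
  notify: restart monit
--------------------------------------------------------------------------------
/roles/system/packetbeat/tasks/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: task
# Part: packetbeat
#
# Install packetbeat from the Elastic 5.x apt repository, deploy its
# configuration, start the service and add monit.

## Install
- name: packetbeat | Install ppa key
  # D88E42B4 is a short (32-bit) key id, which is cheap to collide; pin the
  # key's full fingerprint instead, i.e. id=<FULL_KEY_FINGERPRINT>, so the
  # post-import check cannot be satisfied by a look-alike key.
  apt_key: keyserver=keyserver.ubuntu.com id=D88E42B4
- name: packetbeat | Install ppa
  apt_repository: repo='deb https://artifacts.elastic.co/packages/5.x/apt stable main' state=present
- name: packetbeat | Install packages
  # Honour packetbeat_apt_state from defaults instead of a hard-coded
  # state=latest (the telegraf role already does this).
  apt: name=packetbeat state={{ packetbeat_apt_state }}

## Configure
- name: packetbeat | Deploy config
  # packetbeat 5.x runs as root (it needs raw packet capture), so root-only
  # permissions on its configuration are safe.
  template: src=packetbeat_packetbeat.yml.j2 dest=/etc/packetbeat/packetbeat.yml owner=root group=root mode=0600
  notify: restart packetbeat
- name: packetbeat | Check service daemon
  service: name=packetbeat state=started enabled=yes

## Configure monit
- name: packetbeat | Configure monit
  include: configure-monit.yml
--------------------------------------------------------------------------------
/roles/system/packetbeat/templates/monit_conf.d_packetbeat.conf.j2:
--------------------------------------------------------------------------------
check process packetbeat with pidfile /var/run/packetbeat.pid
  start program = "/etc/init.d/packetbeat start"
  stop program = "/etc/init.d/packetbeat stop"
  if 5 restarts within 5 cycles then timeout
--------------------------------------------------------------------------------
/roles/system/ssh/defaults/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: defaults
# Part: SSH

ssh_port: 22
# Protocol 1 is broken and has been removed from OpenSSH; keep 2.
ssh_protocol: 2
# Root logs in through a named account plus sudo; "prohibit-password" is the
# alternative when key-only root logins are genuinely needed.
ssh_permit_root_login: "no"
# ssh_permit_root_login: "prohibit-password"
# false presumably means no AllowUsers restriction is rendered — confirm in
# the sshd_config template.
ssh_allow_users: false
# ssh_authorized_keys_file: ".ssh/authorized_keys .ssh/authorized_keys2"
ssh_sftp_user: false
ssh_sftp_group: false
# Regenerating host keys changes the server identity seen by every client;
# off by default.
ssh_reconfigure_host_keys: false
--------------------------------------------------------------------------------
/roles/system/ssh/handlers/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: handler
# Part: SSH
#
# The ufw handlers here duplicate roles/system/ufw/handlers/main.yml so the
# ssh role can notify them when it opens its own port.

- name: start ssh
  service: name=ssh state=started

- name: restart ssh
  service: name=ssh state=restarted

- name: start ufw
  service: name=ufw state=started

- name: restart ufw
  service: name=ufw state=restarted
--------------------------------------------------------------------------------
/roles/system/ssh/templates/authorized_keys.j2:
--------------------------------------------------------------------------------
# Ansible managed
{# One public key per line from ssh_authorized_keys; an unset variable renders
   an empty file rather than failing. #}

{% for value in ssh_authorized_keys|default([]) %}
{{ value }}
{% endfor %}
--------------------------------------------------------------------------------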
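/roles/system/sudo/tasks/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: task
# Part: Sudo
#
# Deploy the sudo-group policy fragment into /etc/sudoers.d.

- name: System | Setup sudo
  # visudo -cf checks the rendered fragment before it is moved into place: a
  # syntax error in any sudoers.d file makes sudo refuse every invocation on
  # the host. 0440 root:root is what visudo itself enforces for fragments.
  template: src=sudoers.d_sudo.j2 dest=/etc/sudoers.d/sudo owner=root group=root mode=0440 validate='visudo -cf %s'
--------------------------------------------------------------------------------
/roles/system/sudo/templates/sudoers.d_sudo.j2:
--------------------------------------------------------------------------------
# Keep forwardagent keys
# NOTE: keeping SSH_AUTH_SOCK means every sudo session can use whatever keys
# the invoking user forwarded in, not just the root password-less access.
Defaults env_keep+=SSH_AUTH_SOCK
# Allow members of group sudo to execute any command
# NOTE: NOPASSWD makes sudo-group membership equivalent to an unattended root
# shell (no second factor, nothing to audit but the group); drop "NOPASSWD:"
# if a password prompt is wanted.
%sudo ALL = NOPASSWD: ALL
--------------------------------------------------------------------------------
/roles/system/td-agent/defaults/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: defaults
# Part: td-agent

# Aptitude state
td_agent_apt_state: "latest"

td_agent_type: "forward"
# Site-specific forward target; override it from inventory.
td_agent_host: "192.168.0.11"
td_agent_match: "system.**"
# td_agent_flush_interval: "3s"
--------------------------------------------------------------------------------
/roles/system/td-agent/files/GPG-KEY-td-agent:
--------------------------------------------------------------------------------
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5 (GNU/Linux)

mQGiBFKuy6MRBACJccrkWHfYSKSbchD4ywYLGkIKITSLzEXrlpy4Sp6Mr9G1OGIv
buIUIxksnev6h6wlFgbFYTLngpod+Jn4DpcGgXqzZ3lhOY1fvAaQ4SJ4RUELm1JJ
SEWE0uYHuoI4+TrLtod3U02ETD+Lf6LWO3IfU1AYsA467tDYpVXR0GHeAwCgqU/V
M+ypNOYFHVs1/aX83wdg0K8D+wf+tcvTHb/i2lND5DVfTWtC54WYNIG6QO8DgGdu
EYregcMKRRNM4nSfUISzCgrjnpLGjvB9NKONCrimDiuz4TH7KDcEsKGA+zTzJLCy
mcE6tKEHV5yS7cK0inim4nxAKFB70306CkhHyL2TrB42ppNFJwG1igO4BJ+55b9X
Dd03A/9o6ONFle6khG+UE82WYTayy2pAshKTSLnOlB7CIxwt3SrzFXTuNosajVgZ
S0EIB8c6SjFN6P1jHjd7PYOmBxd2xptERTg8CJMoTUI+P7LypWuvmagIdEwe571d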
ZMQ26HNuHg7/IMg+FQxhl/DFU6Aq+2CBJ3q8gO8Us4/UYc1PhrRUVHJlYXN1cmUg 13 | RGF0YSwgSW5jIChUcmVhc3VyZSBBZ2VudCBPZmZpY2lhbCBTaWduaW5nIGtleSkg 14 | PHN1cHBvcnRAdHJlYXN1cmUtZGF0YS5jb20+iGAEExECACAFAlKuy6MCGwMGCwkI 15 | BwMCBBUCCAMEFgIDAQIeAQIXgAAKCRAQk9tFoS4gb3HgAKCBCDNT/cWzkKRQxvnL 16 | LiGvPetVSACeLLKnt2twfiPc9ZEA/X8MKkPjWqc= 17 | =e5Fe 18 | -----END PGP PUBLIC KEY BLOCK----- 19 | -------------------------------------------------------------------------------- /roles/system/td-agent/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: handler 4 | # Part: td-agent 5 | 6 | - name: start td-agent 7 | service: name=td-agent state=started 8 | - name: restart td-agent 9 | service: name=td-agent state=restarted 10 | - name: restart monit 11 | service: name=monit state=restarted 12 | -------------------------------------------------------------------------------- /roles/system/td-agent/tasks/configure-monit.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | ## Configure monit 4 | - name: td-agent | Install monit 5 | apt: name=monit state=latest 6 | notify: restart monit 7 | - name: td-agent | Deploy monit configuration 8 | template: src=monit_conf.d_td-agent.conf.j2 dest=/etc/monit/conf.d/td-agent.conf owner=root group=root mode=0644 9 | notify: restart monit 10 | -------------------------------------------------------------------------------- /roles/system/td-agent/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: td-agent 5 | 6 | ## Install 7 | - name: td-agent | Install ppa key 8 | # apt_key: id=801DF724 url=https://packages.treasuredata.com/GPG-KEY-td-agent state=present validate_certs=no 9 | apt_key: data={{ lookup('file', 'files/GPG-KEY-td-agent') }} state=present 10 | - name: td-agent | Install ppa 11 | apt_repository: repo='deb 
[arch=amd64] http://packages.treasuredata.com/2/ubuntu/{{ ansible_lsb.codename }}/ {{ ansible_lsb.codename }} contrib' state=present 12 | - name: td-agent | Install package 13 | apt: name=td-agent state=latest 14 | 15 | - name: td-agent | Deploy config 16 | template: src=td-agent_td-agent.conf.j2 dest=/etc/td-agent/td-agent.conf 17 | notify: restart td-agent 18 | 19 | ## Check service 20 | - name: td-agent | Check service daemon 21 | service: name=td-agent state=started enabled=yes 22 | 23 | ## Configure monit 24 | - name: td-agent | Configure monit 25 | include: configure-monit.yml 26 | -------------------------------------------------------------------------------- /roles/system/td-agent/templates/monit_conf.d_td-agent.conf.j2: -------------------------------------------------------------------------------- 1 | check process td-agent with pidfile /var/run/td-agent/td-agent.pid 2 | start program = "/etc/init.d/td-agent start" 3 | stop program = "/etc/init.d/td-agent stop" 4 | if 5 restarts within 5 cycles then timeout 5 | -------------------------------------------------------------------------------- /roles/system/telegraf/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: telegraf 5 | 6 | # Aptitude state 7 | telegraf_apt_state: "latest" 8 | telegraf_service_enabled: true 9 | telegraf_service_state: "started" 10 | 11 | telegraf_global_tags: 12 | 13 | telegraf_output_influxdb_urls: 14 | - "udp://localhost:8089" 15 | telegraf_output_influxdb_database: "telegraf" 16 | telegraf_output_influxdb_username: "" 17 | telegraf_output_influxdb_password: "" 18 | 19 | telegraf_inputs_docker_enabled: false 20 | telegraf_inputs_docker_endpoint: "unix:///var/run/docker.sock" 21 | 22 | telegraf_inputs_nginx_enabled: false 23 | telegraf_inputs_nginx_urls: 24 | - "http://localhost/server_status" 25 | 26 | telegraf_inputs_sensors_enabled: false 27 | 
telegraf_inputs_sensors_remove_numbers: false 28 | 29 | telegraf_inputs_ping_enabled: false 30 | telegraf_inputs_ping_urls: 31 | - "www.google.com" 32 | 33 | telegraf_inputs_fail2ban_enabled: false 34 | telegraf_inputs_fail2ban_use_sudo: false 35 | 36 | telegraf_inputs_http_response_enabled: false 37 | -------------------------------------------------------------------------------- /roles/system/telegraf/files/systemd_system_multi-user.target.wants_telegraf.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=The plugin-driven server agent for reporting metrics into InfluxDB 3 | Documentation=https://github.com/influxdata/telegraf 4 | After=network.target 5 | 6 | [Service] 7 | EnvironmentFile=-/etc/default/telegraf 8 | User=telegraf 9 | ExecStart=/usr/bin/telegraf -config /etc/telegraf/telegraf.conf -config-directory /etc/telegraf/telegraf.d $TELEGRAF_OPTS 10 | ExecReload=/bin/kill -HUP $MAINPID 11 | Restart=on-failure 12 | RestartForceExitStatus=SIGPIPE 13 | KillMode=control-group 14 | 15 | [Install] 16 | WantedBy=multi-user.target 17 | -------------------------------------------------------------------------------- /roles/system/telegraf/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: handler 4 | # Part: telegraf 5 | 6 | - name: start telegraf 7 | service: name=telegraf state=started 8 | - name: restart telegraf 9 | service: name=telegraf state=restarted 10 | -------------------------------------------------------------------------------- /roles/system/telegraf/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: telegraf 5 | 6 | ## Install 7 | - name: telegraf | Install ppa key 8 | apt_key: url=https://repos.influxdata.com/influxdb.key state=present 9 | - name: telegraf | Install ppa 10 | apt_repository: 
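repo='deb https://repos.influxdata.com/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable' state=present
- name: telegraf | Install packages
  apt: name=telegraf state={{ telegraf_apt_state }}

## Configuration related install
- name: telegraf | Configure docker group
  # Membership of the docker group gives access to the Docker socket, which
  # is root-equivalent on the host; only granted when the docker input is on.
  user:
    name: telegraf
    append: true
    groups: docker
  when: telegraf_inputs_docker_enabled|bool
- name: telegraf | Install lm-sensors
  apt: name=lm-sensors state=latest
  when: telegraf_inputs_sensors_enabled|bool
- name: telegraf | Configure sudoers for fail2ban
  # visudo -cf rejects a broken fragment before it can disable sudo host-wide;
  # 0440 root:root is what sudo expects for sudoers.d files. Note the file is
  # left in place if the fail2ban input is later disabled.
  template: src=sudoers.d_telegraf.j2 dest=/etc/sudoers.d/telegraf owner=root group=root mode=0440 validate='visudo -cf %s'
  when: telegraf_inputs_fail2ban_enabled|bool

## Configure
- name: telegraf | Configure
  include: configure.yml
  tags: system_telegraf_configure

- name: telegraf | Check service daemon
  service: name=telegraf state={{ telegraf_service_state }} enabled={{ telegraf_service_enabled }}

## Configure monit
# - name: beats | Configure monit
#   include: configure-monit.yml
--------------------------------------------------------------------------------
/roles/system/telegraf/templates/sudoers.d_telegraf.j2:
--------------------------------------------------------------------------------
# Lets the telegraf fail2ban input run `fail2ban-client status [<jail>]` as
# root without a password; NOEXEC keeps the client from starting further
# programs. The trailing "*" is a sudoers wildcard that matches any argument
# string, several arguments included, so it is wider than "one jail name":
# if the set of jails is known, list them explicitly instead of "*".
telegraf ALL=(root) NOEXEC: NOPASSWD: /usr/bin/fail2ban-client status, /usr/bin/fail2ban-client status *
--------------------------------------------------------------------------------
/roles/system/telegraf/templates/telegraf_telegraf.d_global_tags.conf.j2:
--------------------------------------------------------------------------------
# {{ ansible_managed }}

[global_tags]
# dc = "us-east-1" # will tag all metrics with dc=us-east-1
# rack = "1a"
## Environment variables can be used as tags,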
and throughout the config file 7 | # user = "$USER" 8 | {% for tag in telegraf_global_tags %} 9 | {{ tag.key }} = "{{ tag.value }}" 10 | {% endfor %} -------------------------------------------------------------------------------- /roles/system/telegraf/templates/telegraf_telegraf.d_inputs_docker.conf.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | 3 | # Read metrics about docker containers 4 | [[inputs.docker]] 5 | ## Docker Endpoint 6 | ## To use TCP, set endpoint = "tcp://[ip]:[port]" 7 | ## To use environment variables (ie, docker-machine), set endpoint = "ENV" 8 | endpoint = "{{ telegraf_inputs_docker_endpoint }}" 9 | 10 | ## Only collect metrics for these containers, collect all if empty 11 | container_names = [] 12 | 13 | ## Containers to include and exclude. Globs accepted. 14 | ## Note that an empty array for both will include all containers 15 | container_name_include = [] 16 | container_name_exclude = [] 17 | 18 | ## Timeout for docker list, info, and stats commands 19 | timeout = "5s" 20 | 21 | ## Whether to report for each container per-device blkio (8:0, 8:1...) and 22 | ## network (eth0, eth1, ...) stats or not 23 | perdevice = true 24 | ## Whether to report for each container total blkio and network stats or not 25 | total = false 26 | ## Which environment variables should we use as a tag 27 | ##tag_env = ["JAVA_HOME", "HEAP_SIZE"] 28 | 29 | ## docker labels to include and exclude as tags. Globs accepted. 
30 | ## Note that an empty array for both will include all labels as tags 31 | docker_label_include = [] 32 | docker_label_exclude = [] 33 | 34 | ## Optional SSL Config 35 | # ssl_ca = "/etc/telegraf/ca.pem" 36 | # ssl_cert = "/etc/telegraf/cert.pem" 37 | # ssl_key = "/etc/telegraf/key.pem" 38 | ## Use SSL but skip chain & host verification 39 | # insecure_skip_verify = false 40 | -------------------------------------------------------------------------------- /roles/system/telegraf/templates/telegraf_telegraf.d_inputs_fail2ban.conf.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | 3 | # Read metrics from fail2ban 4 | [[inputs.fail2ban]] 5 | ## Use sudo to run fail2ban-client 6 | use_sudo = {{ telegraf_inputs_fail2ban_use_sudo | to_json }} 7 | -------------------------------------------------------------------------------- /roles/system/telegraf/templates/telegraf_telegraf.d_inputs_http_response.conf.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | 3 | # HTTP/HTTPS request given an address a method and a timeout 4 | {% for config in telegraf_inputs_http_response_configs %} 5 | [[inputs.http_response]] 6 | ## Server address (default http://localhost) 7 | address = "{{ config.address | default("http://localhost") }}" 8 | 9 | ## Set response_timeout (default 5 seconds) 10 | response_timeout = "{{ config.response_timeout | default("5s") }}" 11 | 12 | ## HTTP Request Method 13 | method = "{{ config.method | default("GET") }}" 14 | 15 | ## Whether to follow redirects from the server (defaults to false) 16 | # follow_redirects = false 17 | 18 | ## Optional HTTP Request Body 19 | # body = ''' 20 | # {'fake':'data'} 21 | # ''' 22 | 23 | ## Optional substring or regex match in body of the response 24 | {% if config.response_string_match %} 25 | # response_string_match = "{{ config.response_string_match }}" 26 | {% endif %} 27 | 28 | ## 
Optional SSL Config 29 | # ssl_ca = "/etc/telegraf/ca.pem" 30 | # ssl_cert = "/etc/telegraf/cert.pem" 31 | # ssl_key = "/etc/telegraf/key.pem" 32 | ## Use SSL but skip chain & host verification 33 | # insecure_skip_verify = false 34 | 35 | ## HTTP Request Headers (all values must be strings) 36 | # [inputs.http_response.headers] 37 | # Host = "github.com" 38 | 39 | {% endfor %} 40 | -------------------------------------------------------------------------------- /roles/system/telegraf/templates/telegraf_telegraf.d_inputs_nginx.conf.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | 3 | # Read Nginx's basic status information (ngx_http_stub_status_module) 4 | [[inputs.nginx]] 5 | # An array of Nginx stub_status URI to gather stats. 6 | urls = {{ telegraf_inputs_nginx_urls | to_json }} 7 | 8 | # TLS/SSL configuration 9 | # ssl_ca = "/etc/telegraf/ca.pem" 10 | # ssl_cert = "/etc/telegraf/cert.cer" 11 | # ssl_key = "/etc/telegraf/key.key" 12 | # insecure_skip_verify = false 13 | 14 | # HTTP response timeout (default: 5s) 15 | response_timeout = "5s" 16 | -------------------------------------------------------------------------------- /roles/system/telegraf/templates/telegraf_telegraf.d_inputs_ping.conf.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | 3 | # Ping given url(s) and return statistics 4 | [[inputs.ping]] 5 | ## NOTE: this plugin forks the ping command. You may need to set capabilities 6 | ## via setcap cap_net_raw+p /bin/ping 7 | # 8 | ## List of urls to ping 9 | urls = {{ telegraf_inputs_ping_urls | to_json }} # required 10 | ## number of pings to send per collection (ping -c ) 11 | # count = 1 12 | ## interval, in s, at which to ping. 0 == default (ping -i ) 13 | # ping_interval = 1.0 14 | ## per-ping timeout, in s. 
0 == no timeout (ping -W ) 15 | # timeout = 1.0 16 | ## interface to send ping from (ping -I ) 17 | # interface = "" 18 | -------------------------------------------------------------------------------- /roles/system/telegraf/templates/telegraf_telegraf.d_inputs_sensors.conf.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | 3 | # Monitor sensors, requires lm-sensors package 4 | [[inputs.sensors]] 5 | ## Remove numbers from field names. 6 | ## If true, a field name like 'temp1_input' will be changed to 'temp_input'. 7 | # remove_numbers = true 8 | -------------------------------------------------------------------------------- /roles/system/ufw/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: ufw 5 | 6 | ssh_port: 22 7 | ufw_policies: 8 | - { direction: 'incoming', policy: 'deny' } 9 | - { direction: 'outgoing', policy: 'allow' } 10 | ufw_reset_rules: false 11 | ufw_rules: 12 | - { rule: 'allow', proto: 'tcp', port: 22 } 13 | -------------------------------------------------------------------------------- /roles/system/ufw/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: handler 4 | # Part: ufw 5 | 6 | - name: start ufw 7 | service: name=ufw state=started 8 | 9 | - name: restart ufw 10 | service: name=ufw state=restarted 11 | -------------------------------------------------------------------------------- /roles/system/ufw/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: ufw 5 | 6 | - name: System | Install package 7 | apt: name=ufw state=latest 8 | 9 | - name: System | Reset ufw rules 10 | command: echo "y" | ufw reset 11 | when: ufw_reset_rules|bool 12 | 13 | - name: System | Configure ufw 
policies 14 | ufw: direction={{ item.direction }} policy={{ item.policy }} 15 | with_items: "{{ ufw_policies }}" 16 | notify: restart ufw 17 | 18 | - name: System | Configure ufw rules 19 | ufw: rule={{ item.rule }} proto={{ item.proto }} port={{ item.port }} interface={{ item.interface | default('') }} direction={{ item.direction | default('in') }} 20 | with_items: "{{ ufw_rules }}" 21 | notify: restart ufw 22 | 23 | - name: System | Configure ufw logging 24 | ufw: logging=on 25 | notify: restart ufw 26 | 27 | - name: System | Enable ufw 28 | ufw: state=enabled 29 | 30 | - name: System | Check ufw daemon 31 | service: name=ufw state=started 32 | -------------------------------------------------------------------------------- /roles/system/ufw/templates/authorized_keys.j2: -------------------------------------------------------------------------------- 1 | # Ansible managed 2 | 3 | {% for value in ssh_authorized_keys|default([]) %} 4 | {{ value }} 5 | {% endfor %} 6 | -------------------------------------------------------------------------------- /roles/system/vlc/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: VLC 5 | 6 | # Aptitude state 7 | vlc_apt_state: "latest" 8 | -------------------------------------------------------------------------------- /roles/system/vlc/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: VLC 5 | 6 | ## Install 7 | - name: VLC | Install ppa key 8 | apt_key: id=801DF724 url=http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0x3361E59FF5029E6B90A9A80D09589874801DF724 state=present 9 | - name: VLC | Install ppa 10 | apt_repository: repo=ppa:videolan/stable-daily state=present 11 | - name: VLC | Install package 12 | apt: name=vlc state={{ vlc_apt_state }} 13 | 14 | 
-------------------------------------------------------------------------------- /roles/system/watchdog/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: Watchdog 5 | 6 | watchdog_device: "/dev/watchdog" 7 | watchdog_load_kernel_module: true 8 | watchdog_configure_kernel_module: false 9 | watchdog_log_dir: "" 10 | watchdog_logtick: "" 11 | watchdog_module: "" 12 | watchdog_service_enabled: "yes" 13 | watchdog_service_state: "started" 14 | watchdog_tco_heartbeat: 30 15 | watchdog_tco_nowayout: false 16 | watchdog_timeout: 60 17 | -------------------------------------------------------------------------------- /roles/system/watchdog/files/14.04/watchdog.conf: -------------------------------------------------------------------------------- 1 | #ping = 172.31.14.1 2 | #ping = 172.26.1.255 3 | #interface = eth0 4 | #file = /var/log/messages 5 | #change = 1407 6 | 7 | # Uncomment to enable test. Setting one of these values to '0' disables it. 8 | # These values will hopefully never reboot your machine during normal use 9 | # (if your machine is really hung, the loadavg will go much higher than 25) 10 | #max-load-1 = 24 11 | #max-load-5 = 18 12 | #max-load-15 = 12 13 | 14 | # Note that this is the number of pages! 15 | # To get the real size, check how large the pagesize is on your machine. 
16 | #min-memory = 1 17 | 18 | #repair-binary = /usr/sbin/repair 19 | #repair-timeout = 20 | #test-binary = 21 | #test-timeout = 22 | 23 | #watchdog-device = /dev/watchdog 24 | 25 | # Defaults compiled into the binary 26 | #temperature-device = 27 | #max-temperature = 120 28 | 29 | # Defaults compiled into the binary 30 | #admin = root 31 | #interval = 1 32 | #logtick = 1 33 | #log-dir = /var/log/watchdog 34 | 35 | # This greatly decreases the chance that watchdog won't be scheduled before 36 | # your machine is really loaded 37 | realtime = yes 38 | priority = 1 39 | 40 | # Check if rsyslogd is still running by enabling the following line 41 | #pidfile = /var/run/rsyslogd.pid 42 | -------------------------------------------------------------------------------- /roles/system/watchdog/files/16.04/modprobe.d_blacklist-watchdog.conf: -------------------------------------------------------------------------------- 1 | # Watchdog drivers should not be loaded automatically, but only if a 2 | # watchdog daemon is installed. 
3 | blacklist acquirewdt 4 | blacklist advantechwdt 5 | blacklist alim1535_wdt 6 | blacklist alim7101_wdt 7 | blacklist booke_wdt 8 | blacklist cpu5wdt 9 | blacklist eurotechwdt 10 | blacklist i6300esb 11 | blacklist i8xx_tco 12 | blacklist ib700wdt 13 | blacklist ibmasr 14 | blacklist indydog 15 | blacklist iTCO_wdt 16 | blacklist it8712f_wdt 17 | blacklist it87_wdt 18 | blacklist ixp2000_wdt 19 | blacklist ixp4xx_wdt 20 | blacklist machzwd 21 | blacklist mixcomwd 22 | blacklist mpc8xx_wdt 23 | blacklist mpcore_wdt 24 | blacklist mv64x60_wdt 25 | blacklist pc87413_wdt 26 | blacklist pcwd 27 | blacklist pcwd_pci 28 | blacklist pcwd_usb 29 | blacklist s3c2410_wdt 30 | blacklist sa1100_wdt 31 | blacklist sbc60xxwdt 32 | blacklist sbc7240_wdt 33 | blacklist sb8360 34 | blacklist sc1200wdt 35 | blacklist sc520_wdt 36 | blacklist sch311_wdt 37 | blacklist scx200_wdt 38 | blacklist shwdt 39 | blacklist smsc37b787_wdt 40 | blacklist softdog 41 | blacklist twl4030_wdt 42 | blacklist w83627hf_wdt 43 | blacklist w83697hf_wdt 44 | blacklist w83697ug_wdt 45 | blacklist w83877f_wdt 46 | blacklist w83977f_wdt 47 | blacklist wafer5823wdt 48 | blacklist wdt 49 | blacklist wdt_pci 50 | blacklist wm8350_wdt 51 | -------------------------------------------------------------------------------- /roles/system/watchdog/files/16.04/watchdog.conf: -------------------------------------------------------------------------------- 1 | #ping = 172.31.14.1 2 | #ping = 172.26.1.255 3 | #interface = eth0 4 | #file = /var/log/messages 5 | #change = 1407 6 | 7 | # Uncomment to enable test. Setting one of these values to '0' disables it. 8 | # These values will hopefully never reboot your machine during normal use 9 | # (if your machine is really hung, the loadavg will go much higher than 25) 10 | #max-load-1 = 24 11 | #max-load-5 = 18 12 | #max-load-15 = 12 13 | 14 | # Note that this is the number of pages! 15 | # To get the real size, check how large the pagesize is on your machine. 
16 | #min-memory = 1 17 | #allocatable-memory = 1 18 | 19 | #repair-binary = /usr/sbin/repair 20 | #repair-timeout = 21 | #test-binary = 22 | #test-timeout = 23 | 24 | #watchdog-device = /dev/watchdog 25 | 26 | # Defaults compiled into the binary 27 | #temperature-device = 28 | #max-temperature = 120 29 | 30 | # Defaults compiled into the binary 31 | #admin = root 32 | #interval = 1 33 | #logtick = 1 34 | #log-dir = /var/log/watchdog 35 | 36 | # This greatly decreases the chance that watchdog won't be scheduled before 37 | # your machine is really loaded 38 | realtime = yes 39 | priority = 1 40 | 41 | # Check if rsyslogd is still running by enabling the following line 42 | #pidfile = /var/run/rsyslogd.pid 43 | -------------------------------------------------------------------------------- /roles/system/watchdog/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: handler 4 | # Part: Journald 5 | 6 | - name: start watchdog 7 | service: name=watchdog state=started 8 | 9 | - name: restart watchdog 10 | service: name=watchdog state=restarted 11 | -------------------------------------------------------------------------------- /roles/system/watchdog/tasks/configure-softdog.yml: -------------------------------------------------------------------------------- 1 | 2 | - name: Watchdog | Activate TCO kernel modules 3 | modprobe: 4 | name: "{{ item }}" 5 | state: present 6 | with_items: 7 | - softdog 8 | -------------------------------------------------------------------------------- /roles/system/watchdog/tasks/configure-tco.yml: -------------------------------------------------------------------------------- 1 | 2 | - name: Watchdog | Unblacklist i2c-i801 3 | template: 4 | src: modprobe.d_blacklist.conf.j2 5 | dest: /etc/modprobe.d/blacklist.conf 6 | owner: root 7 | group: root 8 | mode: '0644' 9 | when: ansible_distribution_major_version|int == 16 10 | 11 | # - name: Watchdog | 
Unblacklist iTCO-wdt 12 | # template: 13 | # src: modprobe.d_blacklist-watchdog.conf.j2 14 | # dest: /etc/modprobe.d/blacklist-watchdog.conf 15 | # owner: root 16 | # group: root 17 | # mode: '0644' 18 | # when: ansible_distribution_major_version|int == 16 19 | 20 | - name: Watchdog | Activate TCO kernel modules 21 | modprobe: 22 | name: "{{ item }}" 23 | state: present 24 | with_items: 25 | - i2c-i801 26 | - i2c-smbus 27 | - iTCO-wdt 28 | -------------------------------------------------------------------------------- /roles/system/watchdog/tasks/configure.yml: -------------------------------------------------------------------------------- 1 | 2 | - name: Watchdog | Enable TCO kernel modules 3 | template: 4 | src: modules-load.d_watchdog.conf.j2 5 | dest: /etc/modules-load.d/watchdog.conf 6 | owner: root 7 | group: root 8 | mode: '0644' 9 | 10 | - name: Watchdog | Configure TCO kernel modules 11 | template: 12 | src: modprobe.d_watchdog.conf.j2 13 | dest: /etc/modprobe.d/watchdog.conf 14 | owner: root 15 | group: root 16 | mode: '0644' 17 | when: watchdog_configure_kernel_module|bool 18 | 19 | - name: Watchdog | Remove TCO kernel modules configuration 20 | file: 21 | path: /etc/modprobe.d/watchdog.conf 22 | state: absent 23 | when: not watchdog_configure_kernel_module|bool 24 | -------------------------------------------------------------------------------- /roles/system/watchdog/templates/default_watchdog.j2: -------------------------------------------------------------------------------- 1 | # Start watchdog at boot time? 0 or 1 2 | run_watchdog=1 3 | # Start wd_keepalive after stopping watchdog? 0 or 1 4 | run_wd_keepalive=1 5 | # Load module before starting watchdog 6 | watchdog_module="{{ watchdog_module }}" 7 | # Specify additional watchdog options here (see manpage). 
8 | -------------------------------------------------------------------------------- /roles/system/watchdog/templates/modprobe.d_blacklist-watchdog.conf.j2: -------------------------------------------------------------------------------- 1 | # Watchdog drivers should not be loaded automatically, but only if a 2 | # watchdog daemon is installed. 3 | blacklist acquirewdt 4 | blacklist advantechwdt 5 | blacklist alim1535_wdt 6 | blacklist alim7101_wdt 7 | blacklist booke_wdt 8 | blacklist cpu5wdt 9 | blacklist eurotechwdt 10 | blacklist i6300esb 11 | blacklist i8xx_tco 12 | blacklist ib700wdt 13 | blacklist ibmasr 14 | blacklist indydog 15 | # blacklist iTCO_wdt 16 | blacklist it8712f_wdt 17 | blacklist it87_wdt 18 | blacklist ixp2000_wdt 19 | blacklist ixp4xx_wdt 20 | blacklist machzwd 21 | blacklist mixcomwd 22 | blacklist mpc8xx_wdt 23 | blacklist mpcore_wdt 24 | blacklist mv64x60_wdt 25 | blacklist pc87413_wdt 26 | blacklist pcwd 27 | blacklist pcwd_pci 28 | blacklist pcwd_usb 29 | blacklist s3c2410_wdt 30 | blacklist sa1100_wdt 31 | blacklist sbc60xxwdt 32 | blacklist sbc7240_wdt 33 | blacklist sb8360 34 | blacklist sc1200wdt 35 | blacklist sc520_wdt 36 | blacklist sch311_wdt 37 | blacklist scx200_wdt 38 | blacklist shwdt 39 | blacklist smsc37b787_wdt 40 | blacklist softdog 41 | blacklist twl4030_wdt 42 | blacklist w83627hf_wdt 43 | blacklist w83697hf_wdt 44 | blacklist w83697ug_wdt 45 | blacklist w83877f_wdt 46 | blacklist w83977f_wdt 47 | blacklist wafer5823wdt 48 | blacklist wdt 49 | blacklist wdt_pci 50 | blacklist wm8350_wdt 51 | -------------------------------------------------------------------------------- /roles/system/watchdog/templates/modprobe.d_watchdog.conf.j2: -------------------------------------------------------------------------------- 1 | # Hardware watchdog driver modules options 2 | options iTCO-wdt heartbeat={{ watchdog_tco_heartbeat|int }} nowayout={{ watchdog_tco_nowayout|int }} 3 | 
-------------------------------------------------------------------------------- /roles/system/watchdog/templates/modules-load.d_watchdog.conf.j2: -------------------------------------------------------------------------------- 1 | # Hardware watchdog driver modules loading 2 | i2c-i801 3 | i2c-smbus 4 | {% if watchdog_module != "" and watchdog_load_kernel_module|bool %} 5 | {{ watchdog_module }} 6 | {% endif %} 7 | -------------------------------------------------------------------------------- /roles/system/watchdog/templates/systemd_system_watchdog.service.j2: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=watchdog daemon 3 | Conflicts=wd_keepalive.service 4 | After=multi-user.target 5 | OnFailure=wd_keepalive.service 6 | 7 | [Service] 8 | Type=forking 9 | EnvironmentFile=/etc/default/watchdog 10 | ExecStartPre=/bin/sh -c '[ -z "${watchdog_module}" ] || [ "${watchdog_module}" = "none" ] || /sbin/modprobe $watchdog_module' 11 | ExecStart=/bin/sh -c '[ $run_watchdog != 1 ] || exec /usr/sbin/watchdog $watchdog_options' 12 | ExecStopPost=/bin/sh -c '[ $run_wd_keepalive != 1 ] || false' 13 | 14 | [Install] 15 | WantedBy=default.target 16 | -------------------------------------------------------------------------------- /roles/web/apache2/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: Apache2 5 | 6 | 7 | # Aptitude state 8 | apache2_apt_state: "latest" 9 | 10 | # Network configuration 11 | apache2_bind_address: "*" 12 | apache2_port_http: 80 13 | apache2_port_https: 443 14 | 15 | # User and group 16 | apache2_user: "www-data" 17 | apache2_group: "www-data" 18 | 19 | # Default base directory (without trailing '/') 20 | apache2_path: "/var/www" 21 | 22 | # Thread management 23 | apache2_flavor: "prefork" 24 | 25 | # Aptitude modules 26 | apache2_apt_modules: 27 | - libapache2-mod-macro 28 | # - 
libapache2-mod-evasive 29 | 30 | # Apache modules 31 | apache2_modules: 32 | - deflate 33 | - expires 34 | - headers 35 | - macro 36 | - rewrite 37 | - ssl 38 | -------------------------------------------------------------------------------- /roles/web/apache2/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: handler 4 | # Part: Apache2 5 | 6 | 7 | - name: start apache2 8 | service: name=apache2 start=started 9 | 10 | - name: restart apache2 11 | service: name=apache2 state=restarted 12 | 13 | - name: reload apache2 14 | service: name=apache2 state=reloaded 15 | -------------------------------------------------------------------------------- /roles/web/apache2/tasks/location.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: location.yml 3 | # Type: task 4 | # Part: Apache2 5 | 6 | 7 | ## Setup custom location 8 | - name: Apache2 | Setup directory 9 | file: state=directory dest={{ apache2_path }} mode=700 owner={{ apache2_user }} group={{ apache2_group }} 10 | - name: Apache2 | Move directory 11 | shell: service apache2 stop; cp -rf /var/www/* {{ apache2_path }}; touch {{ apache2_path }}/.ansible; chown -R {{ apache2_user }}:{{ apache2_group }} {{ apache2_path }}; rm -rf /var/www 12 | creates={{ apache2_path }}/.ansible 13 | - name: Apache2 | Link directories 14 | file: state=link src={{ apache2_path }} path=/var/www force=yes 15 | notify: restart apache2 16 | -------------------------------------------------------------------------------- /roles/web/apache2/templates/ports.conf.j2: -------------------------------------------------------------------------------- 1 | # Ansible managed 2 | 3 | # If you just change the port or add more ports here, you will likely also 4 | # have to change the VirtualHost statement in 5 | # /etc/apache2/sites-enabled/000-default 6 | 7 | NameVirtualHost {{ apache2_bind_address | default('*') 
}}:{{ apache_port_http | default('80') }} 8 | Listen {{ apache2_bind_address | default('*') }}:{{ apache_port_http | default('80') }} 9 | 10 | # ssl_module >= 13.10 11 | 12 | NameVirtualHost {{ apache2_bind_address | default('*') }}:{{ apache_port_https | default('443') }} 13 | Listen {{ apache2_bind_address | default('*') }}:{{ apache_port_https | default('443') }} 14 | 15 | 16 | 17 | NameVirtualHost {{ apache2_bind_address | default('*') }}:{{ apache_port_https | default('443') }} 18 | Listen {{ apache2_bind_address | default('*') }}:{{ apache_port_https | default('443') }} 19 | 20 | 21 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet 22 | -------------------------------------------------------------------------------- /roles/web/iojs/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: ioJS 5 | 6 | # Aptitude state 7 | iojs_branch: "iojs_3.x" 8 | iojs_apt_state: "latest" 9 | 10 | # Network configuration 11 | iojs_bind_address: "0.0.0.0" 12 | iojs_port_http: 80 13 | iojs_port_https: 443 14 | 15 | # User and group 16 | iojs_user: "www-data" 17 | iojs_group: "www-data" 18 | 19 | # Default base directory (without trailing '/') 20 | iojs_path: "/var/www" 21 | iojs_args: "." 
22 | 23 | # Npm modules 24 | iojs_npm_registry: "https://registry.npmjs.org/" 25 | # iojs_npm_modules: 26 | -------------------------------------------------------------------------------- /roles/web/iojs/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: handler 4 | # Part: NodeJS 5 | 6 | - name: start nodejs 7 | service: name=nodejs state=started 8 | 9 | - name: restart nodejs 10 | service: name=nodejs state=restarted 11 | 12 | - name: reload supervisor 13 | shell: supervisorctl reload 14 | notify: ensure supervisor service 15 | 16 | - name: ensure supervisor service 17 | action: service name=supervisor state=started 18 | -------------------------------------------------------------------------------- /roles/web/iojs/tasks/configure-supervisor.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Type: task 3 | # Part: ioJS 4 | 5 | - name: ioJS | Deploy supervisor service configuration 6 | template: src=supervisor_conf.d_node.conf.j2 dest=/etc/supervisor/conf.d/node.conf owner=root group=root mode=0644 backup=no 7 | notify: reload supervisor 8 | - name: ioJS | Start supervisor service 9 | supervisorctl: name=node state=started config=/etc/supervisor/supervisord.conf 10 | -------------------------------------------------------------------------------- /roles/web/iojs/tasks/install-armv7l.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: NodeJS | Cubieboard 5 | 6 | - name: NodeJS | armv7l | Fetch package 7 | get_url: url=http://s3.armhf.com/debian/precise/node-v0.10.21-precise-armhf.tar.xz dest=/opt 8 | sha256sum=284710e6720aa808f788b59b6ce253739aa6a59f4a5f5e94dd84c5bf306b51d7 9 | register: result 10 | - name: NodeJS | armv7l | Install package 11 | command: tar -xJf /opt/node-v0.10.21-precise-armhf.tar.xz -C /usr/local --strip-components 1 
12 | when: result|changed 13 | -------------------------------------------------------------------------------- /roles/web/iojs/tasks/install-raspberry.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: NodeJS | Raspberry 5 | 6 | - name: NodeJS | Raspberry | Fetch package 7 | get_url: url=http://nodejs.org/dist/v0.10.21/node-v0.10.21-linux-arm-pi.tar.gz dest=/opt 8 | sha256sum=5a5c3b4a9c98fa850cc8c5f6fa06213b856f217e368452fc6ac5f5868044ff39 9 | register: result 10 | - name: NodeJS | Raspberry | Install package 11 | command: tar -xzf /opt/node-v0.10.21-linux-arm-pi.tar.gz -C /usr/local --strip-components 1 --exclude='LICENSE' --exclude='README.md' --exclude='ChangeLog' 12 | when: result|changed 13 | 14 | -------------------------------------------------------------------------------- /roles/web/iojs/tasks/install-ubuntu.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: ioJS | Default (Ubuntu) 5 | 6 | ## Install 7 | - name: ioJS | Install ppa key 8 | apt_key: id=68576280 url=https://deb.nodesource.com/gpgkey/nodesource.gpg.key state=present 9 | - name: ioJS | Remove launchpad ppa 10 | apt_repository: repo=ppa:chris-lea/node.js state=absent 11 | - name: ioJS | Install ppa 12 | apt_repository: repo="{{ item }}" 13 | with_items: 14 | - "deb https://deb.nodesource.com/{{ iojs_branch }} {{ ansible_distribution_release }} main" 15 | - "deb-src https://deb.nodesource.com/{{ iojs_branch }} {{ ansible_distribution_release }} main" 16 | - name: ioJS | Install package 17 | apt: name=iojs state={{ iojs_apt_state }} 18 | -------------------------------------------------------------------------------- /roles/web/iojs/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: ioJS 5 | 6 | ## Install 7 | 
- include: install-raspberry.yml 8 | when: ansible_architecture == 'armv6l' and ansible_distribution == 'Debian' 9 | - include: install-armv7l.yml 10 | when: ansible_architecture == 'armv7l' 11 | - include: install-ubuntu.yml 12 | when: ansible_distribution == 'Ubuntu' 13 | 14 | ## Install global packages 15 | - name: ioJS | NPM | Install global packages 16 | npm: name={{ item }} global=yes state={{ iojs_apt_state }} registry={{ iojs_npm_registry }} 17 | when: iojs_npm_modules is defined 18 | with_items: iojs_npm_modules 19 | 20 | ## Install supervisor service 21 | - include: configure-supervisor.yml 22 | tags: web_iojs_supervisor 23 | when: docker 24 | -------------------------------------------------------------------------------- /roles/web/iojs/templates/supervisor_conf.d_node.conf.j2: -------------------------------------------------------------------------------- 1 | [program:node] 2 | command=/usr/bin/node {{ iojs_args }} 3 | directory={{ iojs_chdir if iojs_chdir is defined else iojs_path }} 4 | environment=USER={{ iojs_user }},HOME={{ iojs_path }},NODE_ENV=production,NODE_PATH={{ iojs_path }} 5 | user={{ iojs_user }} 6 | -------------------------------------------------------------------------------- /roles/web/nginx/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: defaults 4 | # Part: Nginx 5 | 6 | 7 | # Aptitude state 8 | nginx_apt_state: "latest" 9 | nginx_apt_flavor: "nginx-devel" 10 | 11 | # Network configuration 12 | nginx_bind_address: "*" 13 | nginx_port_http: 80 14 | nginx_port_https: 443 15 | 16 | # User and group 17 | nginx_user: "www-data" 18 | nginx_group: "www-data" 19 | 20 | # Default base directory (without trailing '/') 21 | nginx_path: "/usr/share/nginx/www" 22 | nginx_access_log: "/var/log/nginx/access.log" 23 | nginx_error_log: "/var/log/nginx/error.log" 24 | 25 | # Configuration 26 | nginx_worker_processes: "auto" 27 | nginx_docker_proxy: False 
28 | nginx_use_php5: False 29 | -------------------------------------------------------------------------------- /roles/web/nginx/handlers/init.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: handler 4 | # Part: Nginx 5 | 6 | - name: start nginx 7 | service: name=nginx start=started 8 | 9 | - name: restart nginx 10 | service: name=nginx state=restarted 11 | 12 | - name: reload nginx 13 | service: name=nginx state=reloaded 14 | -------------------------------------------------------------------------------- /roles/web/nginx/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: handler 4 | # Part: Nginx 5 | 6 | - include: init.yml 7 | when: not docker 8 | - include: supervisor.yml 9 | when: docker 10 | -------------------------------------------------------------------------------- /roles/web/nginx/handlers/supervisor.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: handler 4 | # Part: Nginx 5 | 6 | - name: start nginx on docker 7 | supervisorctl: name=nginx state=started 8 | 9 | - name: restart nginx on docker 10 | supervisorctl: name=nginx state=restarted 11 | 12 | - name: reload nginx on docker 13 | supervisorctl: name=nginx state=reloaded 14 | 15 | - name: restart docker-gen 16 | supervisorctl: name=docker-gen state=restarted 17 | -------------------------------------------------------------------------------- /roles/web/nginx/tasks/configure-docker-gen.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Type: task 3 | # Part: DockerGen 4 | 5 | - name: DockerGen | Check directory 6 | file: state=directory path=/etc/docker/templates owner=root group=root mode=0775 7 | - name: DockerGen | Deploy nginx template 8 | template: src=docker-gen_nginx.tmpl.j2 
dest=/etc/docker/templates/nginx.tmpl owner=root group=root mode=0644 backup=no 9 | notify: 10 | - restart docker-gen 11 | - restart nginx on docker 12 | - name: DockerGen | Deploy supervisor service configuration 13 | template: src=supervisor_conf.d_docker-gen.conf.j2 dest=/etc/supervisor/conf.d/docker-gen.conf owner=root group=root mode=0644 backup=no 14 | register: result 15 | - name: DockerGen | Reload supervisor 16 | shell: supervisorctl reload 17 | when: result|changed 18 | - name: DockerGen | Check service 19 | supervisorctl: name=program:docker-gen state=started config=/etc/supervisor/supervisord.conf 20 | -------------------------------------------------------------------------------- /roles/web/nginx/tasks/configure-init.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: main.yml 3 | # Type: task 4 | # Part: Nginx 5 | 6 | - name: Nginx | Backup service configuration 7 | shell: creates=/etc/init.d/nginx.orig.disabled cp /etc/init.d/nginx /etc/init.d/nginx.orig.disabled 8 | ignore_errors: True 9 | register: result 10 | - fetch: src=/etc/init.d/nginx.orig.disabled dest=fetched 11 | when: result|changed 12 | - name: Nginx | Deploy service configuration 13 | template: src=init.d_nginx.j2 dest=/etc/init.d/nginx owner=root group=root mode=0755 backup=no 14 | notify: restart nginx 15 | register: result 16 | - fetch: src=/etc/init.d/nginx dest=fetched 17 | when: result|changed 18 | - name: Nginx | Check service daemon 19 | service: name=nginx state=started 20 | -------------------------------------------------------------------------------- /roles/web/nginx/tasks/configure-supervisor.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Type: task 3 | # Part: Nginx 4 | 5 | - name: Nginx | Deploy supervisor service configuration 6 | template: src=supervisor_conf.d_nginx.conf.j2 dest=/etc/supervisor/conf.d/nginx.conf owner=root group=root mode=0644 backup=no 7 | 
register: result 8 | - name: Nginx | Start supervisor service 9 | supervisorctl: name=nginx state=started config=/etc/supervisor/supervisord.conf 10 | -------------------------------------------------------------------------------- /roles/web/nginx/tasks/location.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: location.yml 3 | # Type: task 4 | # Part: Nginx 5 | # Desc: Setup custom location 6 | 7 | - name: Nginx | Move directory 8 | shell: service nginx stop; cp -rf /var/www/* {{ nginx_path }}; touch {{ nginx_path }}/.ansible; chown -R {{ nginx_user }}:{{ nginx_group }} {{ nginx_path }}; rm -rf /var/www 9 | creates={{ nginx_path }}/.ansible 10 | - name: Nginx | Link directories 11 | file: state=link src={{ nginx_path }} path=/var/www force=yes 12 | notify: restart nginx 13 | -------------------------------------------------------------------------------- /roles/web/nginx/templates/nginx_sites-available_no-default.j2: -------------------------------------------------------------------------------- 1 | # Drop requests for unknown hosts 2 | # 3 | # If no default server is defined, nginx will use the first found server. 4 | # To prevent host header attacks, or other potential problems when an unknown 5 | # servername is used in a request, it's recommended to drop the request 6 | # returning 444 "no response". 
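server {
    listen {{ nginx_bind_address }}:80 default_server;
    return 444;
}
--------------------------------------------------------------------------------
/roles/web/nginx/templates/supervisor_conf.d_docker-gen.conf.j2:
--------------------------------------------------------------------------------
[program:docker-gen]
; Watches the Docker daemon, regenerates the nginx vhost file from the running
; containers and HUPs the nginx master so it reloads. The pid is scraped from
; "supervisorctl status nginx" ("nginx  RUNNING  pid 1234, uptime ...").
; sed matches the literal text "pid " here; the previous "[pid ]" was a bracket
; expression (any one of p, i, d, space) that only found the right number
; because the greedy ".*" happened to backtrack to it.
command=/usr/bin/docker-gen -watch -notify "supervisorctl status nginx | sed \"s/.*pid \([0-9]\+\),.*/\1/\" | xargs kill -HUP" /etc/docker/templates/nginx.tmpl /etc/nginx/sites-enabled/default
; SECURITY: whoever can talk to the Docker socket is root-equivalent on the
; host. No "user=" is set, so docker-gen runs as supervisord's own user
; (root), and the socket is expected at a non-default path under /tmp: it
; must be bind-mounted there root-owned, not something an unprivileged
; process inside the container could create first.
environment=DOCKER_HOST="unix:///tmp/docker.sock"
--------------------------------------------------------------------------------
/roles/web/nginx/templates/supervisor_conf.d_nginx.conf.j2:
--------------------------------------------------------------------------------
[program:nginx]
; Root is needed to bind :80 and to spawn the workers; presumably the workers
; drop to the "user" directive in nginx.conf, which is outside this role.
; NOTE(review): there is no "-g 'daemon off;'" here, so nginx.conf must set
; "daemon off;" for supervisord to keep tracking the master -- confirm.
command=/usr/sbin/nginx
directory={{ nginx_path }}
environment=USER=root,HOME="{{ nginx_path }}"
user=root
--------------------------------------------------------------------------------
/roles/web/nodejs/defaults/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: defaults
# Part: NodeJS

# Aptitude state
nodejs_branch: "node_6.x"
nodejs_legacy_branch: "node_4.x"
nodejs_apt_state: "latest"
# Passed to apt_key/apt_repository; keep enabled so the repository key and
# metadata are fetched with TLS certificate verification.
nodejs_validate_certs: yes

nodejs_yarn_apt_state: "latest"
nodejs_yarn_validate_certs: yes

# Network configuration
# 0.0.0.0 means every interface; narrow it when the service should only be
# reachable through a local proxy. (Not consumed by the templates shown here.)
nodejs_bind_address: "0.0.0.0"
nodejs_port_http: 80
nodejs_port_https: 443

# User and group (the supervisor template runs node as this user)
nodejs_user: "www-data"
nodejs_group: "www-data"

# Default base directory (without trailing '/')
nodejs_path: "/var/www"
# Arguments appended to /usr/bin/node by the supervisor template
nodejs_args: "."

# Npm modules
nodejs_npm_registry: "https://registry.npmjs.org/"
nodejs_distribution_release: false
nodejs_npm_modules_install: true
# nodejs_npm_modules:
--------------------------------------------------------------------------------
/roles/web/nodejs/handlers/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: handler
# Part: NodeJS


- name: start nodejs
  service: name=nodejs state=started

- name: restart nodejs
  service: name=nodejs state=restarted

# Full supervisord reload: every supervised program is restarted, not only the
# one whose stanza changed.
- name: reload supervisor
  shell: supervisorctl reload
  notify: ensure supervisor service

- name: ensure supervisor service
  action: service name=supervisor state=started
--------------------------------------------------------------------------------
/roles/web/nodejs/tasks/configure-supervisor.yml:
--------------------------------------------------------------------------------
---
# Type: task
# Part: NodeJS

- name: NodeJS | Deploy supervisor service configuration
  template: src=supervisor_conf.d_node.conf.j2 dest=/etc/supervisor/conf.d/node.conf owner=root group=root mode=0644 backup=no
  register: result
# "update" rereads conf.d and (re)starts only the programs whose stanza
# changed. It has to run here rather than in the end-of-play "reload
# supervisor" handler: the "started" task below fails on a fresh host while
# supervisord does not know the program yet, and a full reload would bounce
# every other supervised service as well.
- name: NodeJS | Apply supervisor configuration
  command: supervisorctl -c /etc/supervisor/supervisord.conf update
  when: result|changed
- name: NodeJS | Start supervisor service
  supervisorctl: name=node state=started config=/etc/supervisor/supervisord.conf
--------------------------------------------------------------------------------
/roles/web/nodejs/tasks/install-armv7l.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: task
# Part: NodeJS | Cubieboard
#
# Disabled in tasks/main.yml. The tarball is fetched over plain HTTP, but
# get_url rejects anything that does not match the pinned sha256sum, so a
# tampered download fails instead of being installed. Node v0.10 is long out
# of support; refresh URL and checksum together if this is ever revived.

- name: NodeJS | armv7l | Fetch package
  get_url: url=http://s3.armhf.com/debian/precise/node-v0.10.21-precise-armhf.tar.xz dest=/opt
           sha256sum=284710e6720aa808f788b59b6ce253739aa6a59f4a5f5e94dd84c5bf306b51d7
  register: result
# Unpacked straight into /usr/local as root; only runs when a new file was fetched.
- name: NodeJS | armv7l | Install package
  command: tar -xJf /opt/node-v0.10.21-precise-armhf.tar.xz -C /usr/local --strip-components 1
  when: result|changed
--------------------------------------------------------------------------------
/roles/web/nodejs/tasks/install-raspberry.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: task
# Part: NodeJS | Raspberry
#
# Same pattern as the armv7l variant: plain-HTTP download, integrity enforced by
# the pinned sha256sum. Node v0.10 no longer receives security fixes.

- name: NodeJS | Raspberry | Fetch package
  get_url: url=http://nodejs.org/dist/v0.10.21/node-v0.10.21-linux-arm-pi.tar.gz dest=/opt
           sha256sum=5a5c3b4a9c98fa850cc8c5f6fa06213b856f217e368452fc6ac5f5868044ff39
  register: result
- name: NodeJS | Raspberry | Install package
  command: tar -xzf /opt/node-v0.10.21-linux-arm-pi.tar.gz -C /usr/local --strip-components 1 --exclude='LICENSE' --exclude='README.md' --exclude='ChangeLog'
  when: result|changed

--------------------------------------------------------------------------------
/roles/web/nodejs/tasks/install-ubuntu.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: task
# Part: NodeJS | Default (Ubuntu)

## Install
# The signing key is fetched over TLS from the vendor (so validate_certs now
# actually applies) instead of via an HKP keyserver lookup, where the transport
# is unauthenticated and a 64-bit key ID was the only thing checked. "id" is
# kept as the idempotence/check-mode marker; replace it with the key's full
# 40-hex fingerprint once confirmed against the vendor's documentation.
- name: NodeJS | Install ppa key
  apt_key: id=0x1655A0AB68576280 url=https://deb.nodesource.com/gpgkey/nodesource.gpg.key state=present validate_certs={{ nodejs_validate_certs }}
- name: NodeJS | Remove legacy chris-lea ppa
  apt_repository: repo=ppa:chris-lea/node.js state=absent
- name: NodeJS | Remove previous branch ppa
  apt_repository: repo="{{ item }}" state=absent
  with_items:
    - "deb https://deb.nodesource.com/{{ nodejs_legacy_branch }} {{ nodejs_distribution_release or ansible_distribution_release }} main"
    - "deb-src https://deb.nodesource.com/{{ nodejs_legacy_branch }} {{ nodejs_distribution_release or ansible_distribution_release }} main"
  when: nodejs_legacy_branch and nodejs_legacy_branch != nodejs_branch
- name: NodeJS | Install ppa
  apt_repository: repo="{{ item }}" validate_certs={{ nodejs_validate_certs }}
  with_items:
    - "deb https://deb.nodesource.com/{{ nodejs_branch }} {{ nodejs_distribution_release or ansible_distribution_release }} main"
    - "deb-src https://deb.nodesource.com/{{ nodejs_branch }} {{ nodejs_distribution_release or ansible_distribution_release }} main"
- name: NodeJS | Install package
  apt: name=nodejs state={{ nodejs_apt_state }}
--------------------------------------------------------------------------------
/roles/web/nodejs/tasks/install-yarn.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: task
# Part: Yarn | Default (Ubuntu)

## Install
# Key fetched over TLS from the Yarn repository itself rather than looked up on
# a keyserver by 64-bit ID (see install-ubuntu.yml for the reasoning). Prefer
# the full fingerprint in "id" once confirmed.
- name: NodeJS yarn | Install ppa key
  apt_key: id=0x1646B01B86E50310 url=https://dl.yarnpkg.com/debian/pubkey.gpg state=present validate_certs={{ nodejs_yarn_validate_certs }}
- name: NodeJS yarn | Install ppa
  apt_repository: repo="{{ item }}" validate_certs={{ nodejs_yarn_validate_certs }}
  with_items:
    - "deb https://dl.yarnpkg.com/debian/ stable main"
- name: NodeJS yarn | Install package
  apt: name=yarn state={{ nodejs_yarn_apt_state }} install_recommends=no
--------------------------------------------------------------------------------
/roles/web/nodejs/tasks/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: task
# Part: NodeJS

## Install
- include: install-raspberry.yml
  when: ansible_architecture == 'armv6l' and ansible_distribution == 'Debian'
# - include: install-armv7l.yml
#   when: ansible_architecture == 'armv7l'
- include: install-ubuntu.yml
  when: ansible_distribution == 'Ubuntu'

## Configure proxy
# Run through "command" (no shell) with the value quoted: it comes from
# inventory/extra-vars and previously went unquoted into a root shell, where
# a value containing ";" or "$(...)" would have been executed.
- name: NodeJS | NPM | Configure proxy
  command: npm config set proxy {{ npm_proxy | quote }}
  when: npm_proxy is defined

- name: NodeJS | NPM | Configure registry
  command: npm config set registry {{ nodejs_npm_registry | quote }}
  when: nodejs_npm_registry != "https://registry.npmjs.org/"

## Install yarn
- include: install-yarn.yml
  tags: web_nodejs_yarn

## Install global packages
- name: NodeJS | NPM | Install global packages
  npm: name={{ item }} global=yes state=present registry={{ nodejs_npm_registry }}
  with_items: "{{ nodejs_npm_modules }}"
  when: nodejs_npm_modules is defined and nodejs_npm_modules_install|bool

## Install supervisor service
- include: configure-supervisor.yml
  tags: web_nodejs_supervisor
  when: docker
--------------------------------------------------------------------------------
/roles/web/nodejs/templates/supervisor_conf.d_node.conf.j2:
--------------------------------------------------------------------------------
[program:node]
; Runs the app as the unprivileged nodejs_user. Without CAP_NET_BIND_SERVICE
; it cannot bind the port-80 default from defaults/main.yml itself, so a
; fronting proxy or a higher port is expected -- confirm for the deployment.
command=/usr/bin/node {{ nodejs_args }}
directory={{ nodejs_chdir if nodejs_chdir is defined else nodejs_path }}
environment=USER={{ nodejs_user }},HOME={{ nodejs_path }},NODE_ENV=production,NODE_PATH={{ nodejs_path }}
user={{ nodejs_user }}
--------------------------------------------------------------------------------
/roles/web/php5/defaults/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: defaults
# Part: PHP5


# Aptitude state
php5_flavor: "php5-fpm"
php5_apt_state: "latest"

# User and group: the FPM master runs as this user under supervisor. The user
# PHP code actually executes as is presumably the pool's own user/group in
# php5_fpm_pool.d_www.conf.j2 (not in this listing) -- confirm it is not root.
php5_user: "root"
php5_group: "root"

# Default base directory (without trailing '/')
php5_path: "/srv/www"
php5_pm_max_children: 20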
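php5_pm_max_requests: 500

# Aptitude modules
php5_apt_modules:
  - libssh2-php
  - php-apc
  - php-pear
  - php5-curl
  - php5-gd
  - php5-imagick
  # mcrypt is unmaintained upstream; application code should not rely on it.
  - php5-mcrypt
  - php5-mysql
#  - php5-redis
  - php5-json
--------------------------------------------------------------------------------
/roles/web/php5/handlers/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: handler
# Part: Php5


# "start=started" is not a parameter the service module accepts, so this
# handler failed whenever it was notified.
- name: start apache2
  service: name=apache2 state=started

- name: restart apache2
  service: name=apache2 state=restarted

- name: reload apache2
  service: name=apache2 state=reloaded

# php5-fpm counterparts, mirroring the init/docker split used by the varnish
# handlers. Without them a changed php.ini or pool config never took effect
# until something else restarted the FPM master.
- name: restart php5-fpm
  service: name=php5-fpm state=restarted
  when: not docker

- name: restart php5-fpm on docker
  supervisorctl: name=php5-fpm state=restarted config=/etc/supervisor/supervisord.conf
  when: docker
--------------------------------------------------------------------------------
/roles/web/php5/tasks/configure-apache.yml:
--------------------------------------------------------------------------------
---

# One-time copy of the distribution php.ini (creates= keeps it idempotent);
# the copy and the deployed file are pulled back into ./fetched on change.
- name: PHP5 | Apache2 | Backup configuration
  shell: creates=/etc/php5/apache2/php.ini.orig cp /etc/php5/apache2/php.ini /etc/php5/apache2/php.ini.orig
  register: result
- fetch: src=/etc/php5/apache2/php.ini.orig dest=fetched
  when: result|changed
- name: PHP5 | Apache2 | Deploy configuration
  template: src=apache2_php.ini.j2 dest=/etc/php5/apache2/php.ini mode=0644 owner=root group=root backup=yes
  notify: restart apache2
  register: result
- fetch: src=/etc/php5/apache2/php.ini dest=fetched
  when: result|changed
--------------------------------------------------------------------------------
/roles/web/php5/tasks/configure-cli.yml:
--------------------------------------------------------------------------------
---

# Currently not included from tasks/main.yml. Note the "restart apache2"
# notification below: it would fail under the php5-fpm flavour, where apache2
# is not installed, if this file is re-enabled as is.
- name: PHP5 | CLI | Backup configuration
  shell: creates=/etc/php5/cli/php.ini.orig cp /etc/php5/cli/php.ini /etc/php5/cli/php.ini.orig
  register: result
- fetch: src=/etc/php5/cli/php.ini.orig dest=fetched
  when: result|changed
- name: PHP5 | CLI | Deploy configuration
  template: src=cli_php.ini.j2 dest=/etc/php5/cli/php.ini mode=0644 owner=root group=root backup=yes
  notify: restart apache2
  register: result
- fetch: src=/etc/php5/cli/php.ini dest=fetched
  when: result|changed
--------------------------------------------------------------------------------
/roles/web/php5/tasks/configure-fpm.yml:
--------------------------------------------------------------------------------
---

- name: PHP5 | FPM | Backup configuration
  shell: creates=/etc/php5/fpm/php.ini.orig cp /etc/php5/fpm/php.ini /etc/php5/fpm/php.ini.orig
  register: result
- fetch: src=/etc/php5/fpm/php.ini.orig dest=fetched
  when: result|changed
# php.ini and pool changes now notify the FPM restart handlers (init or
# supervisor variant, chosen by the handlers' "docker" condition); previously
# nothing restarted php5-fpm after a config change.
- name: PHP5 | FPM | Deploy configuration
  template: src=php5_fpm_php.ini.j2 dest=/etc/php5/fpm/php.ini mode=0644 owner=root group=root backup=yes
  register: result
  notify:
    - restart php5-fpm
    - restart php5-fpm on docker
- fetch: src=/etc/php5/fpm/php.ini dest=fetched
  when: result|changed
- name: PHP5 | FPM | Deploy pool configuration
  template: src=php5_fpm_pool.d_www.conf.j2 dest=/etc/php5/fpm/pool.d/www.conf mode=0644 owner=root group=root backup=yes
  register: result
  notify:
    - restart php5-fpm
    - restart php5-fpm on docker

- include: configure-supervisor.yml
  when: docker
--------------------------------------------------------------------------------
/roles/web/php5/tasks/configure-supervisor.yml:
--------------------------------------------------------------------------------
---

- name: PHP5 | Deploy supervisor service configuration
  template: src=supervisor_conf.d_php5-fpm.conf.j2 dest=/etc/supervisor/conf.d/php5-fpm.conf owner=root group=root mode=0644 backup=no
  register: result
# "update" rereads conf.d and adds/restarts only the programs whose stanza
# changed; the previous "supervisorctl reload" restarted every supervised
# service and raced the status check below.
- name: PHP5 | Reread supervisor
  command: supervisorctl -c /etc/supervisor/supervisord.conf update
  when: result|changed

## Check service
# Addressed by its bare name: "[program:php5-fpm]" appears in "supervisorctl
# status" as "php5-fpm", which is what the module matches against.
- name: PHP5 | Check service daemon
  supervisorctl: name=php5-fpm state=started config=/etc/supervisor/supervisord.conf
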
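--------------------------------------------------------------------------------
/roles/web/php5/tasks/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: task
# Part: PHP5

## Install PHP5
- name: PHP5 | Install package
  apt: name={{ php5_flavor }} state={{ php5_apt_state }}

## Install modules
# Quoted "{{ }}" form, as in the nodejs role: the bare-variable with_items
# form is deprecated.
- name: PHP5 | Install PHP5 modules
  apt: name={{ item }} state={{ php5_apt_state }}
  with_items: "{{ php5_apt_modules }}"
  when: php5_apt_modules is defined

- include: configure-apache.yml
  when: php5_flavor == "php5"

- include: configure-fpm.yml
  when: php5_flavor == "php5-fpm"

# - include: configure-cli.yml

## PHP5 | CLI configuration
--------------------------------------------------------------------------------
/roles/web/php5/templates/init_php5-fpm.conf.j2:
--------------------------------------------------------------------------------
# php5-fpm - The PHP FastCGI Process Manager

description "The PHP FastCGI Process Manager"
author "Ondřej Surý "

start on runlevel [2345]
stop on runlevel [016]

# Precise upstart does not support reload signal, and thus rejects the
# job. We'd rather start the daemon, instead of forcing users to
# reboot https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1272788
#
# reload signal USR2

# Refuses to start on a broken config rather than starting a misconfigured FPM.
pre-start exec /usr/lib/php5/php5-fpm-checkconf

respawn
exec /usr/sbin/php5-fpm --nodaemonize --fpm-config /etc/php5/fpm/php-fpm.conf
--------------------------------------------------------------------------------
/roles/web/php5/templates/supervisor_conf.d_php5-fpm.conf.j2:
--------------------------------------------------------------------------------
[program:php5-fpm]
{% if ansible_lsb.major_release|int < 14 %}
; NOTE(review): no --nodaemonize on pre-14.04 releases. supervisord needs the
; process to stay in the foreground, otherwise it sees an immediate exit and
; respawns in a loop -- confirm php5-fpm's default on those releases.
command=/usr/sbin/php5-fpm --fpm-config /etc/php5/fpm/php-fpm.conf
{% else %}
command=/usr/sbin/php5-fpm --nodaemonize --fpm-config /etc/php5/fpm/php-fpm.conf
{% endif %}
; The FPM master runs as php5_user (root by default); presumably the pool
; config (not shown here) switches the workers to an unprivileged user.
environment=USER={{ php5_user }},HOME="{{ php5_path }}"
user={{ php5_user }}
--------------------------------------------------------------------------------
/roles/web/varnish/defaults/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: defaults
# Part: Varnish


# Aptitude state
varnish_apt_state: "latest"
varnish_apt_flavor: "varnish-4.0"

# Network configuration
# Not consumed by the supervisor template in this role (it hard-codes :6081);
# presumably used by default_varnish.j2, which is not in this listing.
varnish_bind_address: "*"
varnish_port_http: 80
varnish_port_https: 443

# User and group: root by default; the supervisor template runs varnishd and
# varnishlog as this user.
varnish_user: "root"
varnish_group: "root"

# Default base directory (without trailing '/')
varnish_path: "/var/www"

# Configuration
varnish_ttl: 3600 # 120
--------------------------------------------------------------------------------
/roles/web/varnish/handlers/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: handler
# Part: Varnish

# "start=started" is not a service parameter; the handler failed when notified.
- name: start varnish
  service: name=varnish state=started
  when: not docker

- name: restart varnish
  service: name=varnish state=restarted
  when: not docker

- name: reload varnish
  service: name=varnish state=reloaded
  when: not docker

- name: start varnish on docker
  supervisorctl: name=varnishd state=started
  when: docker

- name: restart varnish on docker
  supervisorctl: name=varnishd state=restarted
  when: docker

# The supervisorctl module has no "reloaded" state (present/started/stopped/
# restarted/absent), so this handler used to fail. supervisord cannot reload
# varnish in place; a restart is the closest equivalent. A VCL-only reload
# would need varnishadm.
- name: reload varnish on docker
  supervisorctl: name=varnishd state=restarted
  when: docker
--------------------------------------------------------------------------------
/roles/web/varnish/tasks/configure-init.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: task
# Part: Varnish | Configure Init

# creates= already makes the copy idempotent; ignore_errors additionally hides
# a missing /etc/init.d/varnish, so a failed package install surfaces later
# at the service check instead of here.
- name: Varnish | Backup service configuration
  shell: creates=/etc/init.d/varnish.orig.disabled cp /etc/init.d/varnish /etc/init.d/varnish.orig.disabled
  ignore_errors: True
  register: result
- fetch: src=/etc/init.d/varnish.orig.disabled dest=fetched
  when: result|changed
- name: Varnish | Deploy service configuration
  template: src=init.d_varnish.j2 dest=/etc/init.d/varnish owner=root group=root mode=0755 backup=no
  notify: restart varnish
  register: result
- fetch: src=/etc/init.d/varnish dest=fetched
  when: result|changed

## Check service
- name: Varnish | Check service daemon
  service: name=varnish state=started
--------------------------------------------------------------------------------
/roles/web/varnish/tasks/configure-supervisor.yml:
--------------------------------------------------------------------------------
---
# Type: task
# Part: Varnish

- name: Varnish | Deploy supervisor service configuration
  template: src=supervisor_conf.d_varnishd.conf.j2 dest=/etc/supervisor/conf.d/varnishd.conf owner=root group=root mode=0644 backup=no
  register: result
# Rereads conf.d and (re)starts only the changed programs. The step it replaces
# ran "supervisorctl name=program:varnish state=started": no such program
# exists (the template defines varnishd and varnishlog) and supervisord had not
# been told about the new file yet, so it failed on first deploy.
- name: Varnish | Apply supervisor configuration
  command: supervisorctl -c /etc/supervisor/supervisord.conf update
  when: result|changed

## Check service
# Programs are addressed by their bare names as shown in "supervisorctl status".
- name: Varnish | Check service daemon
  supervisorctl: name=varnishd state=started config=/etc/supervisor/supervisord.conf
- name: Varnish | Check log service daemon
  supervisorctl: name=varnishlog state=started config=/etc/supervisor/supervisord.conf
--------------------------------------------------------------------------------
/roles/web/varnish/tasks/location.yml:
--------------------------------------------------------------------------------
---
# File: location.yml
# Type: task
# Part: Nginx
#
# NOTE(review): this file lives under roles/web/varnish but manages nginx
# (nginx_* variables, "service nginx stop", "restart nginx" handler) and is
# not included by varnish/tasks/main.yml -- probably a stray copy of the
# nginx role's location.yml. The "restart nginx" handler does not exist in
# this role, so including it from here would fail.


## Setup custom location
- name: Nginx | Setup directory
  file: state=directory dest={{ nginx_path }} mode=700 owner={{ nginx_user }} group={{ nginx_group }}
# Guarded against nginx_path == /var/www: without the guard the copy fails,
# "rm -rf /var/www" then deletes the live web root and the link task below
# points /var/www at itself. Paths and names are shell-quoted because the
# command runs as root through a shell.
- name: Nginx | Move directory
  shell: service nginx stop; cp -rf /var/www/* {{ nginx_path | quote }}; touch {{ nginx_path | quote }}/.ansible; chown -R {{ nginx_user | quote }}:{{ nginx_group | quote }} {{ nginx_path | quote }}; rm -rf /var/www
  args:
    creates: "{{ nginx_path }}/.ansible"
  when: nginx_path != '/var/www'
- name: Nginx | Link directories
  file: state=link src={{ nginx_path }} path=/var/www force=yes
  notify: restart nginx
  when: nginx_path != '/var/www'
--------------------------------------------------------------------------------
/roles/web/varnish/tasks/main.yml:
--------------------------------------------------------------------------------
---
# File: main.yml
# Type: task
# Part: varnish

- name: Varnish | Install required packages
  apt: name=apt-transport-https state=present

## Install
# The key is fetched over TLS from the vendor, which is the actual trust
# anchor; the 8-hex short ID only serves idempotence/check mode and is
# trivially collidable, so never rely on it alone.
- name: Varnish | Install ppa key
  apt_key: id=C4DEFFEB url=https://repo.varnish-cache.org/ubuntu/GPG-key.txt state=present
- name: Varnish | Install ppa
  apt_repository: repo="deb https://repo.varnish-cache.org/ubuntu/ {{ ansible_distribution_release }} {{ varnish_apt_flavor }}" state=present
- name: Varnish | Install package
  apt: name=varnish state={{ varnish_apt_state }}

## Configure
- name: Varnish | Backup configuration
  shell: creates=/etc/default/varnish.orig cp /etc/default/varnish /etc/default/varnish.orig
  register: result
- fetch: src=/etc/default/varnish.orig dest=fetched
  when: result|changed
# Explicit group=root, in line with the other template tasks in this role.
- name: Varnish | Deploy configuration
  template: src=default_varnish.j2 dest=/etc/default/varnish owner=root group=root mode=0644 backup=yes
  notify: restart varnish
  register: result
- fetch: src=/etc/default/varnish dest=fetched
  when: result|changed

# Distinct task name (both tasks were called "Deploy configuration").
- name: Varnish | Deploy VCL configuration
  template: src=varnish_default.vcl.j2 dest=/etc/varnish/default.vcl owner=root group=root mode=0644 backup=yes
  notify:
    - restart varnish on docker
    - restart varnish

## Configure service
- include: configure-init.yml
  when: not docker
- include: configure-supervisor.yml
  when: docker
--------------------------------------------------------------------------------
/roles/web/varnish/templates/docker-gen_nginx.tmpl.j2:
--------------------------------------------------------------------------------
# NOTE(review): despite the .j2 suffix this is a docker-gen (Go text/template)
# file; rendering it through Ansible's template module would choke on the
# range/groupByMulti actions. No task in this listing references it. The VCL
# it emits uses 3.x constructs (director, req.backend) while this role installs
# varnish-4.0 and ships a "vcl 4.0;" default.vcl -- confirm before using it.
# With more than one container per VIRTUAL_HOST it also emits several
# .host/.port pairs inside a single backend, which VCL presumably rejects.
{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
backend {{ $host }} {
{{ range $index, $value := $containers }}
{{ $addrLen := len $value.Addresses }}{{ if gt $addrLen 0 }}
{{ with $address := index $value.Addresses 0 }}
.host = "{{ $address.IP }}";
.port = "{{ $address.Port }}";
{{ end }}
{{ end }}
{{ end }}
}

director lb round-robin {

{{ range $index, $value := $containers }}
{{ $addrLen := len $value.Addresses }}{{ if gt $addrLen 0 }}
{{ with $address := index $value.Addresses 0 }}
{
.backend = {{ $host }};
}
{{ end }}
{{ end }}
{{ end }}

}

sub vcl_recv {
set req.backend = lb;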
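}

{{ end }}
--------------------------------------------------------------------------------
/roles/web/varnish/templates/supervisor_conf.d_varnishd.conf.j2:
--------------------------------------------------------------------------------
[program:varnishd]
; -F keeps varnishd in the foreground for supervisord. The admin CLI (-T)
; stays on localhost and is protected by the -S secret file, which has to
; exist (keep it root-only) before start. The listen address is fixed at
; :6081 and does not follow varnish_bind_address/varnish_port_http from
; defaults. Storage is now a parameter; the default keeps the previous
; 1G malloc so existing deployments are unchanged.
command=/usr/sbin/varnishd -F -a :6081 -T localhost:6082 -f /etc/varnish/default.vcl -S /etc/varnish/secret -s {{ varnish_storage | default('malloc,1G') }}
; Runs as varnish_user (root by default); presumably varnishd drops its
; worker to an unprivileged user when started as root -- confirm via -u/-g.
environment=USER={{ varnish_user }},HOME="{{ varnish_path }}"
user={{ varnish_user }}

[program:varnishlog]
; Tails the shared-memory log to stdout, which supervisord captures.
command=/usr/bin/varnishlog
environment=USER={{ varnish_user }},HOME="{{ varnish_path }}"
user={{ varnish_user }}
--------------------------------------------------------------------------------
/roles/web/varnish/templates/varnish_default.vcl.j2:
--------------------------------------------------------------------------------
#
# This is an example VCL file for Varnish.
#
# It does not do anything by default, delegating control to the
# builtin VCL. The builtin VCL is called when there is no explicit
# return statement.
#
# See the VCL chapters in the Users Guide at https://www.varnish-cache.org/docs/
# and http://varnish-cache.org/trac/wiki/VCLExamples for more examples.
#
# NOTE(review): as shipped this is the stock example, so caching behaviour is
# entirely the builtin VCL's; review it before fronting an application that
# relies on cookies or Authorization headers.

# Marker to tell the VCL compiler that this VCL has been adapted to the
# new 4.0 format.
vcl 4.0;

# Default backend definition. Set this to point to your content server.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Happens before we check if we have this in cache already.
    #
    # Typically you clean up the request here, removing cookies you don't need,
    # rewriting the request, etc.
}

sub vcl_backend_response {
    # Happens after we have read the response headers from the backend.
    #
    # Here you clean the response headers, removing silly Set-Cookie headers
    # and other mistakes your backend does.
}

sub vcl_deliver {
    # Happens when we have all the pieces we need, and are about to send the
    # response to the client.
    #
    # You can do accounting or modifying the final object here.
}
--------------------------------------------------------------------------------
/vagrant_inventory:
--------------------------------------------------------------------------------
# Generated by Vagrant

default ansible_ssh_user=vagrant ansible_ssh_host=127.0.0.1 ansible_ssh_port=2222
--------------------------------------------------------------------------------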