├── basic
├── exim4-smarthost
│ ├── files
│ │ └── etc
│ │ │ ├── exim4.conf.localmacros
│ │ │ └── exim4
│ │ │ ├── passwd.client
│ │ │ ├── conf.d
│ │ │ ├── transport
│ │ │ │ ├── 30_exim4-config_address_reply
│ │ │ │ ├── 30_exim4-config_maildrop_pipe
│ │ │ │ ├── 30_exim4-config_procmail_pipe
│ │ │ │ ├── 30_exim4-config_address_file
│ │ │ │ ├── 30_exim4-config_address_pipe
│ │ │ │ ├── 30_exim4-config_mail_spool
│ │ │ │ ├── 35_exim4-config_address_directory
│ │ │ │ ├── 00_exim4-config_header
│ │ │ │ ├── 10_exim4-config_transport-macros
│ │ │ │ ├── 30_exim4-config_remote_smtp
│ │ │ │ ├── 30_exim4-config_remote_smtp_smarthost
│ │ │ │ └── 30_exim4-config_maildir_home
│ │ │ ├── retry
│ │ │ │ ├── 00_exim4-config_header
│ │ │ │ └── 30_exim4-config
│ │ │ ├── rewrite
│ │ │ │ ├── 00_exim4-config_header
│ │ │ │ └── 31_exim4-config_rewriting
│ │ │ ├── auth
│ │ │ │ └── 00_exim4-config_header
│ │ │ ├── main
│ │ │ │ └── 90_exim4-config_log_selector
│ │ │ ├── acl
│ │ │ │ ├── 00_exim4-config_header
│ │ │ │ ├── 30_exim4-config_check_mail
│ │ │ │ └── 20_exim4-config_local_deny_exceptions
│ │ │ └── router
│ │ │ │ ├── 800_exim4-config_maildrop
│ │ │ │ ├── 700_exim4-config_procmail
│ │ │ │ ├── 900_exim4-config_local_user
│ │ │ │ ├── mmm_mail4root
│ │ │ │ ├── 00_exim4-config_header
│ │ │ │ ├── 150_exim4-config_hubbed_hosts
│ │ │ │ ├── 300_exim4-config_real_local
│ │ │ │ ├── 100_exim4-config_domain_literal
│ │ │ │ ├── 500_exim4-config_hubuser
│ │ │ │ ├── 850_exim4-config_lowuid
│ │ │ │ ├── 400_exim4-config_system_aliases
│ │ │ │ └── 600_exim4-config_userforward
│ │ │ └── update-exim4.conf.conf
│ ├── templates
│ │ ├── spf.j2
│ │ └── docker-compose.yml.j2
│ ├── handlers
│ │ └── main.yml
│ ├── defaults
│ │ └── main.yml
│ └── tasks
│ │ └── main.yml
├── ssh-user
│ ├── templates
│ │ └── sudo_template
│ ├── handlers
│ │ └── main.yml
│ ├── defaults
│ │ └── main.yml
│ └── README.md
├── common
│ ├── files
│ │ └── etc
│ │ │ └── profile.d
│ │ │ └── bash_history.sh
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ ├── 50_datetime.yml
│ │ ├── 60_envsettings.yml
│ │ ├── 30_locales.yml
│ │ ├── 40_alternatives.yml
│ │ ├── 10_hostname.yml
│ │ ├── 20_packages-debian.yml
│ │ ├── main.yml
│ │ └── 20_packages-ubuntu.yml
│ ├── defaults
│ │ └── main.yml
│ └── README.md
├── git-autocommit
│ ├── templates
│ │ ├── root
│ │ │ └── .gitconfig.j2
│ │ └── etc
│ │ │ └── cron.d
│ │ │ └── nxs-git-autocommit.j2
│ ├── defaults
│ │ └── main.yml
│ └── README.md
├── git
│ ├── defaults
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── README.md
├── ssh
│ ├── handlers
│ │ └── main.yml
│ ├── defaults
│ │ └── main.yml
│ └── README.md
└── sysctl
│ ├── tasks
│ └── main.yml
│ ├── defaults
│ └── main.yml
│ └── README.md
├── monitoring
└── prometheus-stack
│ ├── requirements.yml
│ ├── tasks
│ ├── node_exporter.yml
│ ├── main.yml
│ ├── alertmanager.yml
│ ├── docker.yml
│ ├── prometheus.yml
│ └── grafana.yml
│ └── templates
│ ├── prometheus
│ └── prometheus.yml.j2
│ ├── alertmanager
│ └── config.yml.j2
│ └── grafana
│ └── grafana.ini.j2
├── databases
├── mariadb
│ ├── server
│ │ ├── templates
│ │ │ ├── root
│ │ │ │ └── .my.cnf.j2
│ │ │ └── docker-compose.yml.j2
│ │ ├── handlers
│ │ │ └── main.yml
│ │ ├── tasks
│ │ │ ├── main.yml
│ │ │ ├── docker.yml
│ │ │ └── host.yml
│ │ └── defaults
│ │ │ └── main.yml
│ └── galera_cluster
│ │ ├── templates
│ │ ├── root
│ │ │ └── .my.cnf.j2
│ │ ├── galera.cnf.j2
│ │ └── docker-compose.yml.j2
│ │ ├── handlers
│ │ └── main.yml
│ │ ├── tasks
│ │ ├── main.yml
│ │ └── docker.yml
│ │ └── defaults
│ │ └── main.yml
├── mysql
│ ├── percona_server
│ │ ├── templates
│ │ │ └── root
│ │ │ │ └── .my.cnf.j2
│ │ ├── handlers
│ │ │ └── main.yml
│ │ └── tasks
│ │ │ ├── main.yml
│ │ │ └── docker.yml
│ ├── percona_xtradb_cluster
│ │ ├── templates
│ │ │ ├── root
│ │ │ │ └── .my.cnf.j2
│ │ │ └── docker-compose-percona-cluster.yml.j2
│ │ ├── handlers
│ │ │ └── main.yml
│ │ └── tasks
│ │ │ └── main.yml
│ └── galera_cluster_with_arbitrator
│ │ ├── templates
│ │ ├── galera.pref.j2
│ │ ├── mysql_config.j2
│ │ ├── galera_arbitrator.conf.j2
│ │ └── galera_config.j2
│ │ ├── handlers
│ │ └── main.yml
│ │ ├── tasks
│ │ ├── galera_arbitrator.yml
│ │ └── main.yml
│ │ └── defaults
│ │ └── main.yml
├── memcached
│ ├── tasks
│ │ ├── host.yml
│ │ ├── docker_standalone.yml
│ │ ├── host_standalone.yml
│ │ ├── docker.yml
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── templates
│ │ ├── docker-compose-standalone.yml.j2
│ │ ├── memcached.service.j2
│ │ └── memcached.conf.j2
│ └── defaults
│ │ └── main.yml
└── redis
│ ├── standalone
│ ├── handlers
│ │ └── main.yml
│ ├── templates
│ │ └── docker-compose.yml.j2
│ ├── tasks
│ │ ├── main.yml
│ │ └── host.yml
│ └── defaults
│ │ └── main.yml
│ ├── redis-cluster
│ ├── handlers
│ │ └── main.yml
│ ├── templates
│ │ ├── redis.service.j2
│ │ └── docker-compose.yml.j2
│ └── tasks
│ │ ├── main.yml
│ │ ├── redis_cluster_nodes.yml
│ │ ├── host.yml
│ │ └── redis_cluster.yml
│ └── redis-sentinel
│ ├── handlers
│ └── main.yml
│ ├── templates
│ ├── redis.service.j2
│ ├── sentinel.conf.j2
│ ├── docker-compose-sentinel.yml.j2
│ └── docker-compose.yml.j2
│ ├── tasks
│ ├── redis_sentinel.yml
│ ├── main.yml
│ └── host.yml
│ └── defaults
│ └── main.yml
├── web-servers
├── lets-encrypt
│ ├── handlers
│ │ └── main.yml
│ ├── templates
│ │ ├── etc
│ │ │ └── logrotate.d
│ │ │ │ └── getssl.j2
│ │ ├── acmesh-docker-compose.yml.j2
│ │ ├── getssl-docker-compose.yml.j2
│ │ ├── certbot-docker-compose.yml.j2
│ │ ├── getssl-dockerfile.j2
│ │ ├── acmesh-dockerfile.j2
│ │ └── getssl_domain.cfg.j2
│ ├── tasks
│ │ ├── host.yml
│ │ ├── certbot-docker.yml
│ │ ├── main.yml
│ │ ├── certbot.yml
│ │ ├── acmesh.yml
│ │ ├── docker.yml
│ │ └── acmesh-docker.yml
│ └── defaults
│ │ └── main.yml
├── apache2
│ ├── files
│ │ └── etc
│ │ │ ├── apache2
│ │ │ ├── mods-available
│ │ │ │ ├── remoteip.conf
│ │ │ │ ├── mpm_prefork_astra.conf
│ │ │ │ └── mpm_prefork.conf
│ │ │ ├── sites-available
│ │ │ │ └── 000-default.conf
│ │ │ └── conf-available
│ │ │ │ └── security.conf
│ │ │ └── logrotate.d
│ │ │ └── apache2_vhosts
│ ├── handlers
│ │ └── main.yml
│ ├── templates
│ │ ├── etc
│ │ │ └── apache2
│ │ │ │ ├── ports.conf.j2
│ │ │ │ └── mods-available
│ │ │ │ └── status.conf.j2
│ │ └── docker-compose.yml.j2
│ ├── defaults
│ │ └── main.yml
│ └── tasks
│ │ └── main.yml
├── nginx
│ ├── handlers
│ │ └── main.yml
│ ├── files
│ │ └── etc
│ │ │ └── logrotate.d
│ │ │ └── nginx_vhosts
│ ├── templates
│ │ ├── etc
│ │ │ └── nginx
│ │ │ │ ├── conf.d
│ │ │ │ └── ssl.conf.j2
│ │ │ │ ├── sites-available
│ │ │ │ └── default.j2
│ │ │ │ └── nginx.conf.j2
│ │ └── docker-compose.yml.j2
│ ├── defaults
│ │ └── main.yml
│ └── tasks
│ │ ├── main.yml
│ │ ├── nginx-ubuntu.yml
│ │ └── nginx-debian.yml
└── haproxy
│ ├── handlers
│ └── main.yml
│ ├── defaults
│ └── main.yml
│ ├── templates
│ ├── docker-compose.yml.j2
│ └── etc
│ │ └── haproxy
│ │ └── haproxy.cfg.j2
│ └── tasks
│ ├── main.yml
│ ├── host.yml
│ └── docker.yml
├── dev_tools
└── java
│ ├── defaults
│ └── main.yml
│ ├── tasks
│ └── main.yml
│ └── README.md
├── container_engines
├── docker
│ ├── handlers
│ │ └── main.yml
│ ├── defaults
│ │ └── main.yml
│ ├── tasks
│ │ ├── docker-debian.yml
│ │ ├── docker-ubuntu.yml
│ │ └── main.yml
│ └── README.md
└── containerd+nerdctl
│ └── README.md
├── other
└── powerdns
│ └── README.md
├── security
└── keycloak
│ └── README.md
├── git_platforms
└── gitlab-ce
│ └── README.md
├── mail_servers
└── exim4-full
│ └── README.md
├── recovery
└── nxs-backup
│ └── README.md
├── search_engines
└── sphinx
│ └── README.md
├── network_filesystem_tools
└── nfs-client
│ └── README.md
├── logging
└── vector
│ ├── handlers
│ └── main.yml
│ ├── tasks
│ ├── host.yml
│ ├── main.yml
│ ├── configure.yml
│ └── docker.yml
│ ├── templates
│ ├── vector_aggregator.yaml.j2
│ ├── vector_agent.yaml.j2
│ └── vector_hybrid.yaml.j2
│ └── defaults
│ └── main.yml
└── message_brokers
└── rabbitmq
└── standalone
├── handlers
└── main.yml
├── tasks
├── configure.yml
├── main.yml
└── docker.yml
├── defaults
└── main.yml
└── templates
└── rabbitmq.config.j2
/basic/exim4-smarthost/files/etc/exim4.conf.localmacros:
--------------------------------------------------------------------------------
# Turn on TLS support in the Debian split exim4 configuration; the certificate and key
# locations come from the main exim4 config, not from this macro file.
MAIN_TLS_ENABLE = yes
--------------------------------------------------------------------------------
/basic/ssh-user/templates/sudo_template:
--------------------------------------------------------------------------------
{# Grants the templated user unrestricted root via sudo with no password prompt
   (ALL=(ALL) NOPASSWD: ALL). The task that renders this under /etc/sudoers.d should use
   `validate: visudo -cf %s` so a bad render cannot break sudo — that task is not
   visible here. #}
{{ item.username }} ALL=(ALL) NOPASSWD: ALL

--------------------------------------------------------------------------------
/basic/exim4-smarthost/templates/spf.j2:
--------------------------------------------------------------------------------
{# SPF TXT record: authorizes the domain's A and MX hosts plus this machine's default
   IPv4 address. "~all" is SOFTFAIL, so mail from any other source is only flagged, not
   rejected; switch to "-all" once every legitimate sender is listed. #}
v=spf1 +a +mx ip4:{{ ansible_default_ipv4.address }} ~all
--------------------------------------------------------------------------------
/monitoring/prometheus-stack/requirements.yml:
--------------------------------------------------------------------------------
---
# Galaxy collections this role needs; install with
# `ansible-galaxy collection install -r requirements.yml` before running the play.
collections:
  - name: community.grafana

--------------------------------------------------------------------------------
/basic/ssh-user/handlers/main.yml:
--------------------------------------------------------------------------------
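---
# Handlers for the ssh-user role; notified by tasks that change sshd configuration.
# Module arguments in block YAML rather than the "key=value" string form.
- name: Restart SSH
  ansible.builtin.service:
    name: ssh
    state: restarted
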
--------------------------------------------------------------------------------
/basic/common/files/etc/profile.d/bash_history.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Prefix every bash history entry with a timestamp (e.g. "[Jan 05 14:03:21] cmd") so
# shell activity can be lined up with system logs during an investigation.
# /etc/profile only sources profile.d scripts the user can read; as deployed by
# tasks/60_envsettings.yml with mode 0700 this applies to root only.
export HISTTIMEFORMAT='[%h %d %H:%M:%S] '

--------------------------------------------------------------------------------
/basic/exim4-smarthost/handlers/main.yml:
--------------------------------------------------------------------------------
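---

# Handlers for the exim4-smarthost role; notified after exim4 configuration changes.
# Module arguments in block YAML rather than the "key=value" string form.
- name: Restart Exim4
  ansible.builtin.service:
    name: exim4
    state: restarted
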
--------------------------------------------------------------------------------
/basic/git-autocommit/templates/root/.gitconfig.j2:
--------------------------------------------------------------------------------
# Git identity for commits made as root (used by the nxs-git-autocommit cron job);
# the e-mail address is derived from the inventory hostname.
[user]
name = root
email = root@{{ inventory_hostname }}

--------------------------------------------------------------------------------
/basic/git/defaults/main.yml:
--------------------------------------------------------------------------------
---

# Ansible version
# NOTE(review): presumably the ansible-core release this role targets (2.14); nothing on
# this page shows the values being checked — confirm against the tasks. The `ansible_`
# prefix is the one facts use, so a role-specific prefix would avoid confusion.
ansible_major_version: 2
ansible_minor_version: 14

--------------------------------------------------------------------------------
/databases/mariadb/server/templates/root/.my.cnf.j2:
--------------------------------------------------------------------------------
{# Root credentials for the mysql client. The rendered file holds the plaintext password,
   so the task that writes it must keep it owner-only (root, mode 0600) — that task is not
   visible here. The value is unquoted: assumes the password contains no '#', whitespace
   or leading quote characters — confirm, or wrap it in double quotes. #}
[client]
user = root
password = {{ mariadb_root_password }}

--------------------------------------------------------------------------------
/databases/mariadb/galera_cluster/templates/root/.my.cnf.j2:
--------------------------------------------------------------------------------
{# Root credentials for the mysql client. The rendered file holds the plaintext password,
   so the task that writes it must keep it owner-only (root, mode 0600) — that task is not
   visible here. The value is unquoted: assumes the password contains no '#', whitespace
   or leading quote characters — confirm, or wrap it in double quotes. #}
[client]
user=root
password={{ mariadb_root_password }}

--------------------------------------------------------------------------------
/databases/mysql/percona_server/templates/root/.my.cnf.j2:
--------------------------------------------------------------------------------
{# Root credentials for the mysql client. The rendered file holds the plaintext password,
   so the task that writes it must keep it owner-only (root, mode 0600) — that task is not
   visible here. The value is unquoted: assumes the password contains no '#', whitespace
   or leading quote characters — confirm, or wrap it in double quotes. #}
[client]
user = root
password = {{ mysql_root_password }}

--------------------------------------------------------------------------------
/web-servers/lets-encrypt/handlers/main.yml:
--------------------------------------------------------------------------------
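---

# Handlers for the lets-encrypt role. A reload (not a full restart) is enough for nginx
# to pick up renewed certificates without dropping open connections.
# Module arguments in block YAML rather than the "key=value" string form.
- name: Restart Nginx
  ansible.builtin.service:
    name: nginx
    state: reloaded

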
--------------------------------------------------------------------------------
/basic/git-autocommit/defaults/main.yml:
--------------------------------------------------------------------------------
---

# Ansible version
# NOTE(review): presumably the ansible-core release this role targets (2.14); nothing on
# this page shows the values being checked — confirm against the tasks. The `ansible_`
# prefix is the one facts use, so a role-specific prefix would avoid confusion.
ansible_major_version: 2
ansible_minor_version: 14

--------------------------------------------------------------------------------
/databases/mysql/percona_xtradb_cluster/templates/root/.my.cnf.j2:
--------------------------------------------------------------------------------
{# Root credentials for the mysql client. The rendered file holds the plaintext password,
   so the task that writes it must keep it owner-only (root, mode 0600) — that task is not
   visible here. The value is unquoted: assumes the password contains no '#', whitespace
   or leading quote characters — confirm, or wrap it in double quotes. #}
[client]
user = root
password = {{ mysql_xtradb_root_password }}

--------------------------------------------------------------------------------
/dev_tools/java/defaults/main.yml:
--------------------------------------------------------------------------------
---
# NOTE(review): presumably the ansible-core release this role targets (2.14); nothing on
# this page shows the values being checked — confirm against the tasks.
ansible_major_version: 2
ansible_minor_version: 14

# Major OpenJDK release to install (an integer; presumably expanded into the package
# name by the tasks, which are not visible here).
java_openjdk_version: 19




--------------------------------------------------------------------------------
/basic/ssh/handlers/main.yml:
--------------------------------------------------------------------------------
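---

# Handlers for the ssh role; notified by tasks that change sshd_config.
# Module arguments in block YAML rather than the "key=value" string form.
- name: Start SSH
  ansible.builtin.service:
    name: ssh
    state: started

- name: Restart SSH
  ansible.builtin.service:
    name: ssh
    state: restarted
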
--------------------------------------------------------------------------------
/container_engines/docker/handlers/main.yml:
--------------------------------------------------------------------------------
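---

# Handlers for the docker role; notified after daemon or unit-file changes.
- name: Restart docker
  ansible.builtin.systemd:
    name: docker
    # Canonical `true` instead of the YAML-1.1-only `yes`; reload unit files before the restart
    daemon_reload: true
    state: restarted
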
--------------------------------------------------------------------------------
/databases/mysql/galera_cluster_with_arbitrator/templates/galera.pref.j2:
--------------------------------------------------------------------------------
# Prefer Codership repository
# A Pin-Priority above 1000 makes apt install the Codership build of any package even
# when that means downgrading an already-installed (e.g. distro) version.
Package: *
Pin: origin releases.galeracluster.com
Pin-Priority: 1001

--------------------------------------------------------------------------------
/other/powerdns/README.md:
--------------------------------------------------------------------------------
1 | ######## **Contact us on Telegram chat for information on this role** #######
2 |
3 | ############### https://t.me/nxs_marketplace_ansible ###############
4 |
--------------------------------------------------------------------------------
/security/keycloak/README.md:
--------------------------------------------------------------------------------
1 | ######## **Contact us on Telegram chat for information on this role** #######
2 |
3 | ############### https://t.me/nxs_marketplace_ansible ###############
4 |
--------------------------------------------------------------------------------
/web-servers/apache2/files/etc/apache2/mods-available/remoteip.conf:
--------------------------------------------------------------------------------

# Take the real client address from X-Forwarded-For, but only when the request comes
# from 127.0.0.1. Every proxy listed here can set the client IP that ends up in logs and
# access rules, so keep the list to proxies you operate; requests from any other peer
# keep their TCP source address.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.1


--------------------------------------------------------------------------------
/web-servers/nginx/handlers/main.yml:
--------------------------------------------------------------------------------
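---

# Handlers for the nginx role.
# Module arguments in block YAML rather than the "key=value" string form.
- name: Start Nginx
  ansible.builtin.service:
    name: nginx
    state: started

- name: Restart Nginx
  ansible.builtin.service:
    name: nginx
    state: restarted
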
--------------------------------------------------------------------------------
/basic/ssh/defaults/main.yml:
--------------------------------------------------------------------------------
---

# Unquoted `no` is parsed as the boolean false, not the string "no". The template that
# consumes it must turn the boolean into sshd's yes/no/prohibit-password keyword; do not
# quote this value without checking that template, because the string 'no' is truthy in
# Jinja and would flip the setting. (Template not visible here.)
ssh_permit_root_login: no

# Accounts permitted to log in over SSH (AllowUsers); presumably an empty list means no
# AllowUsers directive is written — confirm against the template.
allow_users: []

# Ansible version
ansible_major_version: 2
ansible_minor_version: 14

--------------------------------------------------------------------------------
/databases/mariadb/server/handlers/main.yml:
--------------------------------------------------------------------------------
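---
# Handlers for the mariadb server role.
- name: Daemon reload
  ansible.builtin.systemd:
    daemon_reload: true  # module call instead of shelling out to systemctl

- name: Restart MariaDB
  ansible.builtin.service:
    name: mariadb
    state: restarted
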
--------------------------------------------------------------------------------
/git_platforms/gitlab-ce/README.md:
--------------------------------------------------------------------------------
1 | ######## **Contact us on Telegram chat for information on this role** #######
2 |
3 | ############### https://t.me/nxs_marketplace_ansible ###############
4 |
--------------------------------------------------------------------------------
/mail_servers/exim4-full/README.md:
--------------------------------------------------------------------------------
1 | ######## **Contact us on Telegram chat for information on this role** #######
2 |
3 | ############### https://t.me/nxs_marketplace_ansible ###############
4 |
--------------------------------------------------------------------------------
/recovery/nxs-backup/README.md:
--------------------------------------------------------------------------------
1 | ######## **Contact us on Telegram chat for information on this role** #######
2 |
3 | ############### https://t.me/nxs_marketplace_ansible ###############
4 |
--------------------------------------------------------------------------------
/search_engines/sphinx/README.md:
--------------------------------------------------------------------------------
1 | ######## **Contact us on Telegram chat for information on this role** #######
2 |
3 | ############### https://t.me/nxs_marketplace_ansible ###############
4 |
--------------------------------------------------------------------------------
/web-servers/apache2/handlers/main.yml:
--------------------------------------------------------------------------------
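---

# Handlers for the apache2 role.
# Module arguments in block YAML rather than the "key=value" string form.
- name: Start Apache2
  ansible.builtin.service:
    name: apache2
    state: started

- name: Restart Apache2
  ansible.builtin.service:
    name: apache2
    state: restarted
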
--------------------------------------------------------------------------------
/databases/mysql/galera_cluster_with_arbitrator/templates/mysql_config.j2:
--------------------------------------------------------------------------------
[mysqld]

{# One "key=value" line per mysql_params entry, rendered verbatim: a value containing a
   newline would become an additional directive, so mysql_params should only come from
   trusted role variables. #}
{% for param_name, param_value in mysql_params.items() %}
{{ param_name }}={{ param_value }}
{% endfor %}
--------------------------------------------------------------------------------
/databases/mysql/percona_server/handlers/main.yml:
--------------------------------------------------------------------------------
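---
# Handlers for the percona_server role.
- name: Daemon reload
  ansible.builtin.systemd:
    daemon_reload: true  # module call instead of shelling out to systemctl

- name: Restart percona-server
  ansible.builtin.service:
    name: mysql
    state: restarted
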
--------------------------------------------------------------------------------
/web-servers/haproxy/handlers/main.yml:
--------------------------------------------------------------------------------
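---

# Handlers for the haproxy role; rsyslog is restarted because haproxy logs through it.
# Module arguments in block YAML rather than the "key=value" string form.
- name: Restart HAProxy
  ansible.builtin.service:
    name: haproxy
    state: restarted

- name: Restart Rsyslog
  ansible.builtin.service:
    name: rsyslog
    state: restarted
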
--------------------------------------------------------------------------------
/container_engines/containerd+nerdctl/README.md:
--------------------------------------------------------------------------------
1 | ######## **Contact us on Telegram chat for information on this role** #######
2 |
3 | ############### https://t.me/nxs_marketplace_ansible ###############
4 |
--------------------------------------------------------------------------------
/databases/mysql/percona_xtradb_cluster/handlers/main.yml:
--------------------------------------------------------------------------------
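---
# Handlers for the percona_xtradb_cluster role.
- name: Daemon reload
  ansible.builtin.systemd:
    daemon_reload: true  # module call instead of shelling out to systemctl

- name: Restart percona-server
  ansible.builtin.service:
    name: mysql
    state: restarted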
--------------------------------------------------------------------------------
/network_filesystem_tools/nfs-client/README.md:
--------------------------------------------------------------------------------
1 | ######## **Contact us on Telegram chat for information on this role** #######
2 |
3 | ############### https://t.me/nxs_marketplace_ansible ###############
4 |
--------------------------------------------------------------------------------
/databases/mariadb/galera_cluster/handlers/main.yml:
--------------------------------------------------------------------------------
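---
# Handlers for the mariadb galera_cluster role.
- name: Restart MariaDB
  ansible.builtin.systemd:
    name: mariadb
    state: restarted
  listen: "Restart MySQL"
  # `| bool` so a string "false" arriving via -e or inventory is not treated as truthy.
  # Skipped while a new cluster is being created (new_cluster is set by the caller).
  when: not (new_cluster | bool)
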
--------------------------------------------------------------------------------
/basic/git-autocommit/templates/etc/cron.d/nxs-git-autocommit.j2:
--------------------------------------------------------------------------------
# Every minute: snapshot the installed-package list so it is tracked by the repo below.
* * * * * root /usr/bin/dpkg -l > /etc/package_list
# Every minute, 10 s after the snapshot: stage and commit everything under / that the
# repository at / does not ignore. NOTE(review): "git add -A" from / also stages secrets
# such as /etc/shadow and the root .my.cnf files rendered by the database roles unless
# the repo's .gitignore excludes them — the ignore file is not visible here; confirm.
* * * * * root sleep 10;cd / && git add -A && git commit -m "Autocommit @system" > /dev/null


--------------------------------------------------------------------------------
/databases/mysql/galera_cluster_with_arbitrator/handlers/main.yml:
--------------------------------------------------------------------------------
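---

# Handlers for the galera_cluster_with_arbitrator role.
- name: Restart MySQL
  ansible.builtin.systemd:
    name: mysql
    state: restarted
  listen: "Restart MySQL"
  # `| bool` so a string "false" arriving via -e or inventory is not treated as truthy.
  # Skipped while a new cluster is being created (new_cluster is set by the caller).
  when: not (new_cluster | bool)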
--------------------------------------------------------------------------------
/basic/common/handlers/main.yml:
--------------------------------------------------------------------------------
---

# Handlers for the common role. Both are notified by "Set timezone" in
# tasks/50_datetime.yml so the daemons pick up the new zone.
- name: Restart rsyslog
  service:
    name: rsyslog
    state: restarted

- name: Restart cron
  service:
    name: cron
    state: restarted
--------------------------------------------------------------------------------
/container_engines/docker/defaults/main.yml:
--------------------------------------------------------------------------------
---

# Docker Engine release to install (quoted so YAML does not read 23.0 as the float 23.0).
docker_version: '23.0'
# Debian package epoch — presumably combined with docker_version when pinning the
# package; the install tasks are not visible here.
docker_package_epoch: 5
# NOTE(review): looks like it feeds the daemon's "iptables" setting. Setting it to false
# stops Docker from managing the host firewall rules for published ports — confirm
# against the tasks before changing.
docker_iptables: true

# Ansible version
ansible_major_version: 2
ansible_minor_version: 14

--------------------------------------------------------------------------------
/web-servers/lets-encrypt/templates/etc/logrotate.d/getssl.j2:
--------------------------------------------------------------------------------
# Rotate getssl logs monthly and keep six compressed generations. New log files are
# created owner-only (0600) for the getssl user so their contents are not world-readable.
/var/log/getssl/*.log {
    create 600 getssl getssl
    rotate 6
    monthly
    missingok
    notifempty
    compress
    delaycompress
}
--------------------------------------------------------------------------------
/basic/common/tasks/50_datetime.yml:
--------------------------------------------------------------------------------
---

# Apply the `timezone` variable (defaults/main.yml: 'UTC') and restart the daemons that
# cache the zone so new log timestamps and cron schedules use it.
- name: Set timezone
  timezone:
    name: '{{ timezone }}'
  notify:
    - Restart rsyslog
    - Restart cron

# Enable NTP synchronisation through timedatectl. This runs a command every time, so
# the task always reports "changed".
- name: Enable timesync
  command: timedatectl set-ntp true

--------------------------------------------------------------------------------
/basic/common/tasks/60_envsettings.yml:
--------------------------------------------------------------------------------
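---

# Install the login-shell snippet that timestamps bash history.
- name: Set default /etc/profile.d/bash_history.sh
  copy:
    src: etc/profile.d/bash_history.sh
    dest: /etc/profile.d/bash_history.sh
    owner: root
    group: root
    # Quoted so YAML cannot reinterpret the octal literal (ansible-lint risky-octal).
    # NOTE(review): 0700 makes the file unreadable by non-root users, and /etc/profile
    # only sources profile.d scripts the user can read, so the history setting currently
    # applies to root only — 0644 is the usual mode if it is meant for everyone; confirm.
    mode: '0700'
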
--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/passwd.client:
--------------------------------------------------------------------------------
1 | # password file used when the local exim is authenticating to a remote
2 | # host as a client.
3 | #
4 | # see exim4_passwd_client(5) for more documentation
5 | #
6 | # Example:
7 | ### target.mail.server.example:login:password
8 |
--------------------------------------------------------------------------------
/basic/common/defaults/main.yml:
--------------------------------------------------------------------------------
---

# Zone name handed to the timezone module in tasks/50_datetime.yml.
timezone: 'UTC'
# Host domain; defaults to the inventory hostname.
domain: '{{ inventory_hostname }}'

# Whether the package tasks perform a full dist-upgrade — presumably; the package tasks
# are not visible here.
dist_upgrade: false

# Locale and console keymap applied with localectl in tasks/30_locales.yml.
locale_default: 'en_US.UTF-8'
locale_keymap: 'us'

# Ansible version
ansible_major_version: 2
ansible_minor_version: 14

--------------------------------------------------------------------------------
/web-servers/apache2/files/etc/apache2/sites-available/000-default.conf:
--------------------------------------------------------------------------------

# Named 000-default so it loads first and presumably acts as the catch-all vhost for
# requests whose Host header matches no other site.
# NOTE(review): the enclosing <VirtualHost> / </VirtualHost> lines are not visible in
# this listing — confirm the deployed file still has them.
ServerName default
ServerAdmin webmaster@localhost
DocumentRoot /usr/share/apache2/default-site

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined


--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/transport/30_exim4-config_address_reply:
--------------------------------------------------------------------------------

# This transport is used for handling autoreplies generated by the filtering
# option of the userforward router.
#
address_reply:
  # Shown only in debugging output (-d), not in the normal logs
  debug_print = "T: autoreply for $local_part@$domain"
  driver = autoreply


--------------------------------------------------------------------------------
/basic/common/tasks/30_locales.yml:
--------------------------------------------------------------------------------
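---

# localectl needs no shell features, so `command` is used instead of `shell`: the
# templated values are split into arguments, not interpolated by a shell.
# Both tasks run a command every time and therefore always report "changed".
- name: Set default locale
  command: localectl set-locale 'LANG={{ locale_default }}'

- name: Set keymap
  command: localectl set-keymap '{{ locale_keymap }}'
  # Skipped on major version 12 and 22 (presumably Debian 12 / Ubuntu 22.04); only the
  # version number is tested, not the distribution itself.
  when: (ansible_distribution_major_version|int != 12) and (ansible_distribution_major_version|int != 22)
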
--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/retry/00_exim4-config_header:
--------------------------------------------------------------------------------
1 |
2 | ######################################################################
3 | # RETRY CONFIGURATION #
4 | ######################################################################
5 |
6 | begin retry
7 |
8 |
--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/rewrite/00_exim4-config_header:
--------------------------------------------------------------------------------
1 |
2 | ######################################################################
3 | # REWRITE CONFIGURATION #
4 | ######################################################################
5 |
6 | begin rewrite
7 |
8 |
--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/auth/00_exim4-config_header:
--------------------------------------------------------------------------------
1 |
2 | ######################################################################
3 | # AUTHENTICATION CONFIGURATION #
4 | ######################################################################
5 |
6 | begin authenticators
7 |
8 |
9 |
--------------------------------------------------------------------------------
/databases/mysql/galera_cluster_with_arbitrator/templates/galera_arbitrator.conf.j2:
--------------------------------------------------------------------------------
# garbd config file
# Run in the background as a daemon.
daemon=1
# Cluster member list: the default IPv4 address of every host in the play, in play
# order (the arbitrator's own host is included when it is part of the play).
address="gcomm://{% for host in ansible_play_hosts_all %}{{ hostvars[host].ansible_default_ipv4.address }}{% if not loop.last %},{% endif %}{% endfor %}"
# Must match the cluster name used by the data nodes.
group="{{ cluster_name }}"
log="/var/log/galera_arbitrator.log"

--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/transport/30_exim4-config_maildrop_pipe:
--------------------------------------------------------------------------------

# Pipe the message to maildrop. The PATH for the command is fixed so command lookup
# cannot be influenced by the environment.
maildrop_pipe:
  debug_print = "T: maildrop_pipe for $local_part@$domain"
  driver = pipe
  path = "/bin:/usr/bin:/usr/local/bin"
  command = "/usr/bin/maildrop"
  # Add Return-path, Delivery-date and Envelope-to headers to the delivered copy
  return_path_add
  delivery_date_add
  envelope_to_add


--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/transport/30_exim4-config_procmail_pipe:
--------------------------------------------------------------------------------

# Pipe the message to procmail. The PATH for the command is fixed so command lookup
# cannot be influenced by the environment.
procmail_pipe:
  debug_print = "T: procmail_pipe for $local_part@$domain"
  driver = pipe
  path = "/bin:/usr/bin:/usr/local/bin"
  command = "/usr/bin/procmail"
  # Add Return-path, Delivery-date and Envelope-to headers to the delivered copy
  return_path_add
  delivery_date_add
  envelope_to_add


--------------------------------------------------------------------------------
/logging/vector/handlers/main.yml:
--------------------------------------------------------------------------------
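---
# Handlers for the vector role. Both are named "Restart" and must actually restart:
# `state: started` alone leaves an already-running service/container untouched, so a
# changed configuration would never be applied.
- name: Restart Vector service
  ansible.builtin.service:
    name: vector
    state: restarted
  when: deploy_method == 'host'

- name: Restart Vector container
  community.docker.docker_container:
    name: vector
    state: started
    restart: true  # force a stop/start of the existing container
  when: deploy_method == 'docker'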
--------------------------------------------------------------------------------
/web-servers/lets-encrypt/templates/acmesh-docker-compose.yml.j2:
--------------------------------------------------------------------------------
version: '{{ docker_compose_file_version }}'
services:
  acmesh:
    build: ./build/acmesh
    container_name: acmesh
    volumes:
      # Presumably where acme.sh keeps issued certificates and keys; keep the host
      # directory readable by root only.
      - /etc/letsencrypt/acme:/etc/letsencrypt/acme
    tty: true
    restart: always
    # Shares the host network namespace — presumably so the ACME challenge can bind
    # port 80 directly; it also exposes every host interface to the container. Confirm
    # before reusing this elsewhere.
    network_mode: host
--------------------------------------------------------------------------------
/logging/vector/tasks/host.yml:
--------------------------------------------------------------------------------
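---
# Add the Vector apt repository with the vendor's setup script, then install the package.
# NOTE(review): this fetches and executes a remote script as root with no checksum or
# signature check; configuring the repository and its pinned signing key with
# apt_repository instead would make the install reproducible and verifiable.
- name: Run Vector setup script
  ansible.builtin.shell:
    # -f: fail on HTTP errors rather than handing an error page to bash;
    # -sS: no progress output but still report failures; -L: follow redirects.
    cmd: bash -c "$(curl -fsSL https://setup.vector.dev)"
    creates: /etc/apt/sources.list.d/vector.list  # idempotence: skip once the repo list exists

- name: Install Vector package
  ansible.builtin.package:
    name: vector
    state: present
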
--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/main/90_exim4-config_log_selector:
--------------------------------------------------------------------------------
1 |
2 | ### main/90_exim4-config_log_selector
3 | #################################
4 |
5 | # uncomment this for debugging
6 | # MAIN_LOG_SELECTOR == MAIN_LOG_SELECTOR +all -subject -arguments
7 |
8 | .ifdef MAIN_LOG_SELECTOR
9 | log_selector = MAIN_LOG_SELECTOR
10 | .endif
11 |
--------------------------------------------------------------------------------
/databases/memcached/tasks/host.yml:
--------------------------------------------------------------------------------
---
# Helper packages. `state: latest` upgrades them on every run rather than only
# installing them, so the task is not idempotent and tracks whatever the mirror ships.
- name: "Install general packages"
  apt:
    pkg:
      - lsb-release
      - net-tools
      - telnet  # NOTE(review): diagnostic tool only; drop it on hosts that do not need it
    state: latest
    update_cache: true

# Host (non-container) installation path.
- name: "Setup Memcached Standalone"
  include_tasks: host_standalone.yml
  when: memcached_deploy_method == "host"

--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/acl/00_exim4-config_header:
--------------------------------------------------------------------------------
1 |
2 | ######################################################################
3 | # ACL CONFIGURATION #
4 | # Specifies access control lists for incoming SMTP mail #
5 | ######################################################################
6 | begin acl
7 |
8 |
9 |
--------------------------------------------------------------------------------
/databases/redis/standalone/handlers/main.yml:
--------------------------------------------------------------------------------
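---
# Redis service handlers; `redis_daemon` names the systemd unit (defined elsewhere in
# the role, not visible here). Module arguments in block YAML with the templated unit
# name quoted, rather than the "key=value" string form.
- name: Start Redis
  ansible.builtin.systemd:
    name: '{{ redis_daemon }}'
    state: started

- name: Enable Redis
  ansible.builtin.systemd:
    name: '{{ redis_daemon }}'
    enabled: true

- name: Restart Redis
  ansible.builtin.systemd:
    name: '{{ redis_daemon }}'
    state: restarted

- name: Stop Redis
  ansible.builtin.systemd:
    name: '{{ redis_daemon }}'
    state: stopped


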
--------------------------------------------------------------------------------
/message_brokers/rabbitmq/standalone/handlers/main.yml:
--------------------------------------------------------------------------------
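---
# Handlers for the rabbitmq standalone role. Both are named "Restart" and must actually
# restart: `state: started` alone leaves an already-running service/container untouched,
# so a changed configuration would never be applied.
- name: Restart RabbitMQ service
  ansible.builtin.service:
    name: rabbitmq-server
    state: restarted
  when: deploy_method == 'host'

- name: Restart RabbitMQ container
  community.docker.docker_container:
    name: rabbitmq
    state: started
    restart: true  # force a stop/start of the existing container
  when: deploy_method == 'docker'
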
--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/transport/30_exim4-config_address_file:
--------------------------------------------------------------------------------

# This transport is used for handling deliveries directly to files that are
# generated by aliasing or forwarding.
#
# No "file" option is set: the target path is supplied by the router that
# generated the address (e.g. mail4root passes /var/mail/mail). The three
# *_add options stamp Delivery-date:, Envelope-to: and Return-path: headers
# on the message as it is appended.
address_file:
  debug_print = "T: address_file for $local_part@$domain"
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add


--------------------------------------------------------------------------------
/databases/redis/redis-cluster/handlers/main.yml:
--------------------------------------------------------------------------------
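---
# Lifecycle handlers for the Redis cluster node unit named by redis_daemon.
# Block YAML instead of "key=value" strings: values are quoted and linters
# can check the module arguments.
- name: Start Redis
  ansible.builtin.systemd:
    name: "{{ redis_daemon }}"
    state: started

- name: Enable Redis
  ansible.builtin.systemd:
    name: "{{ redis_daemon }}"
    enabled: true

- name: Restart Redis
  ansible.builtin.systemd:
    name: "{{ redis_daemon }}"
    state: restarted
    # Reload unit definitions so a re-templated redis.service is what restarts.
    daemon_reload: true

- name: Stop Redis
  ansible.builtin.systemd:
    name: "{{ redis_daemon }}"
    state: stopped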
--------------------------------------------------------------------------------
/databases/redis/redis-sentinel/handlers/main.yml:
--------------------------------------------------------------------------------
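---
# Lifecycle handlers for the Redis/Sentinel unit named by redis_daemon.
# Block YAML instead of "key=value" strings: values are quoted and linters
# can check the module arguments.
- name: Start Redis
  ansible.builtin.systemd:
    name: "{{ redis_daemon }}"
    state: started

- name: Enable Redis
  ansible.builtin.systemd:
    name: "{{ redis_daemon }}"
    enabled: true

- name: Restart Redis
  ansible.builtin.systemd:
    name: "{{ redis_daemon }}"
    state: restarted
    # Reload unit definitions so a re-templated redis.service is what restarts.
    daemon_reload: true

- name: Stop Redis
  ansible.builtin.systemd:
    name: "{{ redis_daemon }}"
    state: stopped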
--------------------------------------------------------------------------------
/web-servers/apache2/files/etc/logrotate.d/apache2_vhosts:
--------------------------------------------------------------------------------
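# Per-vhost Apache logs under /var/www/<site>/log/apache2/.
/var/www/*/log/apache2/*.log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    notifempty
    # 0640, not 644: access/error logs carry client IPs, paths and query
    # strings and should not be world-readable; the adm group is the intended
    # reader. Owner stays www-data to match the existing log stream (Debian's
    # stock rule uses "create 640 root adm" — switch once it is confirmed the
    # vhost logs are opened by the root master process).
    create 0640 www-data adm
    sharedscripts
    postrotate
        /etc/init.d/apache2 reload > /dev/null 2>&1
    endscript
}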
--------------------------------------------------------------------------------
/databases/redis/redis-cluster/templates/redis.service.j2:
--------------------------------------------------------------------------------
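[Unit]
Description=Redis key-value database
After=network.target

[Service]
ExecStart=/usr/bin/redis-server /etc/redis/{{ redis_cluster_config }}
# NOTE(review): /usr/libexec/redis-shutdown is the RHEL/Fedora helper; on the
# apt-based hosts this repo targets it may not exist — confirm it is shipped,
# or use "/bin/kill -s TERM $MAINPID" as Debian's unit does.
ExecStop=/usr/libexec/redis-shutdown
# Type=notify needs a Redis build with systemd support and "supervised systemd"
# (or "auto") in the templated config — confirm, otherwise startup times out.
Type=notify
User=redis
Group=redis
RuntimeDirectory=redis
RuntimeDirectoryMode=0755
LimitNOFILE=65535
# Sandboxing for an unprivileged daemon (same knobs Debian's unit enables):
# no privilege escalation, private /tmp, no access to home directories, and
# group-only permissions on files Redis creates (dump.rdb, nodes.conf).
# ProtectSystem/ReadWritePaths are left out because the data dir is templated.
NoNewPrivileges=yes
PrivateTmp=yes
ProtectHome=yes
UMask=007

[Install]
WantedBy=multi-user.target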
--------------------------------------------------------------------------------
/databases/redis/redis-sentinel/templates/redis.service.j2:
--------------------------------------------------------------------------------
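[Unit]
Description=Redis key-value database
After=network.target

[Service]
# NOTE(review): this sentinel-role unit starts redis-server with the
# *cluster* config variable; confirm that is intended (the sentinel.conf
# template is separate).
ExecStart=/usr/bin/redis-server /etc/redis/{{ redis_cluster_config }}
# NOTE(review): /usr/libexec/redis-shutdown is the RHEL/Fedora helper; on the
# apt-based hosts this repo targets it may not exist — confirm it is shipped,
# or use "/bin/kill -s TERM $MAINPID" as Debian's unit does.
ExecStop=/usr/libexec/redis-shutdown
# Type=notify needs a Redis build with systemd support and "supervised systemd"
# (or "auto") in the templated config — confirm, otherwise startup times out.
Type=notify
User=redis
Group=redis
RuntimeDirectory=redis
RuntimeDirectoryMode=0755
LimitNOFILE=65535
# Sandboxing for an unprivileged daemon (same knobs Debian's unit enables):
# no privilege escalation, private /tmp, no access to home directories, and
# group-only permissions on files Redis creates.
# ProtectSystem/ReadWritePaths are left out because the data dir is templated.
NoNewPrivileges=yes
PrivateTmp=yes
ProtectHome=yes
UMask=007

[Install]
WantedBy=multi-user.target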
--------------------------------------------------------------------------------
/web-servers/apache2/templates/etc/apache2/ports.conf.j2:
--------------------------------------------------------------------------------
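# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

# NOTE(review): 81 rather than 80 — presumably something else (the haproxy
# role in this repo?) owns :80 in front of Apache; confirm.
Listen 81

# 443 was listed twice. httpd merges identical Listen lines, so the duplicate
# was only noise, but note that without mod_ssl (or a TLS-terminating proxy
# in front) this port serves plain HTTP; Debian's stock file guards it with
# <IfModule ssl_module>. Left unguarded here to preserve current behaviour.
Listen 443

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet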
--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/router/800_exim4-config_maildrop:
--------------------------------------------------------------------------------

### router/800_exim4-config_maildrop
#################################

# Per-user maildrop filtering. Accepts the address when the recipient is a
# local system user (check_local_user) and both ~/.mailfilter and
# /usr/bin/maildrop exist; otherwise the address falls through to the next
# router. The leading "${local_part}:" makes the file checks run as that user
# rather than as the Exim user (see "require_files" in the Exim spec). Not
# used for address verification or EXPN.

maildrop:
  debug_print = "R: maildrop for $local_part@$domain"
  driver = accept
  domains = +local_domains
  check_local_user
  transport = maildrop_pipe
  require_files = ${local_part}:${home}/.mailfilter:+/usr/bin/maildrop
  no_verify
  no_expn


--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/transport/30_exim4-config_address_pipe:
--------------------------------------------------------------------------------

# This transport is used for handling pipe deliveries generated by
# .forward files. If the commands fails and produces any output on standard
# output or standard error streams, the output is returned to the sender
# of the message as a delivery error.
#
# NOTE(review): return_fail_output therefore exposes whatever a failing
# .forward command prints (paths, error text) to the — possibly external —
# envelope sender; acceptable for a local/smarthost box, but worth knowing.
address_pipe:
  debug_print = "T: address_pipe for $local_part@$domain"
  driver = pipe
  return_fail_output


--------------------------------------------------------------------------------
/web-servers/nginx/files/etc/logrotate.d/nginx_vhosts:
--------------------------------------------------------------------------------
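# Per-vhost nginx logs under /var/www/<site>/log/nginx/.
/var/www/*/log/nginx/*.log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    notifempty
    # 0640: vhost logs hold client IPs and request paths; readable by the adm
    # group only (matches Debian's stock nginx rule).
    create 0640 www-data adm
    sharedscripts
    prerotate
        if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
            run-parts /etc/logrotate.d/httpd-prerotate; \
        fi; \
    endscript
    postrotate
        # Ask the master process to reopen its logs. Skip quietly when the
        # pid file is absent or empty (e.g. nginx_deploy_method == docker,
        # where no host pid file exists); quote the pid so an empty or odd
        # file cannot turn into a bare "kill -USR1".
        if [ -s /var/run/nginx.pid ]; then
            kill -USR1 "$(cat /var/run/nginx.pid)"
        fi
    endscript
}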
--------------------------------------------------------------------------------
/basic/common/tasks/40_alternatives.yml:
--------------------------------------------------------------------------------
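---
# Make mcedit the system-wide "editor" alternative and root's selected editor
# for tools that honour ~/.selected_editor.

- name: Set alternatives (editor)
  ansible.builtin.alternatives:
    link: "{{ item.link }}"
    name: "{{ item.name }}"
    path: "{{ item.path }}"
  loop:
    - { link: '/usr/bin/editor', name: 'editor', path: '/usr/bin/mcedit' }

- name: Set mcedit as default in mc for root
  ansible.builtin.lineinfile:
    dest: /root/.selected_editor
    # Matches an existing, possibly commented-out, SELECTED_EDITOR line.
    regexp: '^[#\s]*SELECTED_EDITOR='
    line: 'SELECTED_EDITOR="/usr/bin/mcedit"'
    create: true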
--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/transport/30_exim4-config_mail_spool:
--------------------------------------------------------------------------------

### transport/30_exim4-config_mail_spool

# This transport is used for local delivery to user mailboxes in traditional
# BSD mailbox format.
#
# Mailboxes live at /var/mail/<user>, group "mail", created 0660 so both the
# user and the mail group can access them; mode_fail_narrower=false lets
# delivery proceed into an existing mailbox that has stricter permissions
# than 0660 instead of deferring.
mail_spool:
  debug_print = "T: appendfile for $local_part@$domain"
  driver = appendfile
  file = /var/mail/$local_part
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0660
  mode_fail_narrower = false


--------------------------------------------------------------------------------
/web-servers/nginx/templates/etc/nginx/conf.d/ssl.conf.j2:
--------------------------------------------------------------------------------
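{# TLS parameters shared by the nginx vhosts. Each directive is emitted only
   when the matching nginx_ssl_* variable is set; false means "leave nginx's
   built-in default". #}
{% if nginx_ssl_dhparam %}
ssl_dhparam {% if nginx_ssl_dhparam is string %}{{ nginx_ssl_dhparam }}{% else %}/etc/nginx/ssl/dhparam.pem{% endif %};
{% endif %}
ssl_prefer_server_ciphers {{ nginx_ssl_prefer_server_ciphers | ternary('on', 'off') }};
{# A str passes Jinja's "is sequence" test, so a protocol value given as a
   single string ("TLSv1.2 TLSv1.3") used to be joined character by character
   and produce an invalid directive. Accept both a string and a list. #}
{% if nginx_ssl_protocols is string %}
ssl_protocols {{ nginx_ssl_protocols }};
{% elif nginx_ssl_protocols is sequence %}
ssl_protocols {{ nginx_ssl_protocols | join(' ') }};
{% endif %}
{% if nginx_ssl_ciphers is string %}
ssl_ciphers {{ nginx_ssl_ciphers }};
{% endif %}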
--------------------------------------------------------------------------------
/databases/mysql/galera_cluster_with_arbitrator/templates/galera_config.j2:
--------------------------------------------------------------------------------
[mysqld]

wsrep_on=ON
wsrep_provider=/usr/lib/galera/libgalera_smm.so
# Peer list: every host in the play by its default IPv4 address — so the play
# must contain only cluster members (the arbitrator is fine; garbd may appear
# in gcomm://).
wsrep_cluster_address=gcomm://{% for host in ansible_play_hosts_all %}{{ hostvars[host].ansible_default_ipv4.address }}{% if not loop.last %},{% endif %}{% endfor %}
wsrep_node_name="{{ inventory_hostname }}"
# NOTE(review): ansible_host is the address Ansible connects to, which may be
# a management/SSH address rather than the replication address used in the
# peer list above (ansible_default_ipv4.address); confirm they coincide.
wsrep_node_address="{{ ansible_host }}"

# Extra settings from galera_params, rendered verbatim one per line. Nothing
# here enables socket.ssl_* in wsrep_provider_options, so unless galera_params
# does, replication traffic between nodes is unencrypted — confirm.
{% for param_name, param_value in galera_params.items() %}
{{ param_name }}={{ param_value }}
{% endfor %}
--------------------------------------------------------------------------------
/web-servers/apache2/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Defaults for the apache2 role.

# Primary vhost name; falls back to the inventory name when "domain" is unset.
apache2_domain: '{{ domain | default(inventory_hostname) }}'
apache2_security: '/etc/apache2/conf-available/security.conf'
apache2_default_virtualhost: '/etc/apache2/sites-available/000-default.conf'

# host | docker
apache2_deploy_method: host

# Docker
# The tag shape ("8.2.6-apache-bullseye") is that of the official php image,
# not httpd — presumably the compose template (not shown here) uses php:<tag>;
# confirm. Pinned to a patch release: bump deliberately for security fixes.
apache2_docker_version: 8.2.6-apache-bullseye

apache2_docker_subnet: 172.18.1.0/24
apache2_docker_ip: 172.18.1.14

# Ansible version
ansible_major_version: 2
ansible_minor_version: 14
--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/router/700_exim4-config_procmail:
--------------------------------------------------------------------------------

# Per-user procmail delivery. Accepts the address for a local system user
# when /usr/bin/procmail exists and either a system-wide /etc/procmailrc or
# the user's ~/.procmailrc is present. The leading "${local_part}:" runs the
# file checks as that user (see "require_files" in the Exim spec). Not used
# for address verification or EXPN.
procmail:
  debug_print = "R: procmail for $local_part@$domain"
  driver = accept
  domains = +local_domains
  check_local_user
  transport = procmail_pipe
  # emulate OR with "if exists"-expansion: prefer /etc/procmailrc, else the
  # user's own ~/.procmailrc must exist
  require_files = ${local_part}:\
                  ${if exists{/etc/procmailrc}\
                    {/etc/procmailrc}{${home}/.procmailrc}}:\
                  +/usr/bin/procmail
  no_verify
  no_expn


--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/router/900_exim4-config_local_user:
--------------------------------------------------------------------------------

### router/900_exim4-config_local_user
#################################

# This router matches local user mailboxes. If the router fails, the error
# message is "Unknown user".
#
# root is excluded on purpose: Exim will not deliver as root, so mail for root
# that was not redirected by the aliases router is picked up by the mail4root
# router, which sorts after this one.

local_user:
  debug_print = "R: local_user for $local_part@$domain"
  driver = accept
  domains = +local_domains
  check_local_user
  local_parts = ! root
  transport = LOCAL_DELIVERY
  cannot_route_message = Unknown user

--------------------------------------------------------------------------------
/basic/common/tasks/10_hostname.yml:
--------------------------------------------------------------------------------
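---
# Host identity: kernel hostname, the host's own /etc/hosts entry and the
# mail domain in /etc/mailname.

- name: Set hostname
  ansible.builtin.hostname:
    name: '{{ inventory_hostname }}'

- name: Set /etc/hosts
  ansible.builtin.lineinfile:
    dest: /etc/hosts
    # regex_escape: the inventory name is interpolated into a regex, and an
    # unescaped "." matches any character ("web.example.com" would also match
    # a line ending in "webxexamplexcom"). The trailing $ still restricts the
    # match to the last name on the line, as before.
    regexp: '.*{{ inventory_hostname | regex_escape }}$'
    line: "{{ ansible_default_ipv4.address }}\t{{ inventory_hostname }}"
    state: present
    insertbefore: BOF

- name: Set /etc/mailname
  ansible.builtin.copy:
    # Fails when "domain" is undefined; other roles here default it to
    # inventory_hostname — kept strict so a missing mail domain is noticed
    # rather than guessed.
    content: "{{ domain }}\n"
    dest: /etc/mailname
    owner: root
    group: root
    mode: "0644"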
--------------------------------------------------------------------------------
/databases/memcached/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Lifecycle handlers for the Memcached unit named by memcached_daemon.
- name: Start Memcached
  ansible.builtin.systemd_service:
    name: "{{ memcached_daemon }}"
    state: started

- name: Enable Memcached
  ansible.builtin.systemd_service:
    name: "{{ memcached_daemon }}"
    enabled: true

- name: Restart Memcached
  ansible.builtin.systemd_service:
    name: "{{ memcached_daemon }}"
    state: restarted
    # Reload unit definitions first so a freshly templated .service file is
    # what gets restarted.
    daemon_reload: true

- name: Stop Memcached
  ansible.builtin.systemd_service:
    name: "{{ memcached_daemon }}"
    state: stopped
--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/acl/30_exim4-config_check_mail:
--------------------------------------------------------------------------------

### acl/30_exim4-config_check_mail
#################################

# This access control list is used for every MAIL command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.
#
# Only one check is configured: when the CHECK_MAIL_HELO_ISSUED macro is
# defined, a MAIL FROM sent without a prior HELO/EHLO is refused. Everything
# else is accepted at this stage; sender/recipient policy is expected to
# live in the RCPT-time ACL, which is not part of this snippet.
acl_check_mail:
.ifdef CHECK_MAIL_HELO_ISSUED
  deny
    message = no HELO given before MAIL command
    condition = ${if def:sender_helo_name {no}{yes}}
.endif

  accept

--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/transport/35_exim4-config_address_directory:
--------------------------------------------------------------------------------
# This transport is used for handling file addresses generated by alias
# or .forward files if the path ends in "/", which causes it to be treated
# as a directory name rather than a file name.
#
# Messages are written as individual maildir files (maildir_format), so the
# mbox "From " line escaping is switched off by emptying check_string and
# escape_string. The directory path itself comes from the generating router.

address_directory:
  debug_print = "T: address_directory for $local_part@$domain"
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add
  check_string = ""
  escape_string = ""
  maildir_format


--------------------------------------------------------------------------------
/message_brokers/rabbitmq/standalone/tasks/configure.yml:
--------------------------------------------------------------------------------
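---
# Render rabbitmq.config. The file may carry secrets (default user password,
# TLS key paths), so it must not be left world-readable; previously no
# owner/group/mode was set and the template landed with the default umask.
- name: Template RabbitMQ configuration file for host deployment
  ansible.builtin.template:
    src: rabbitmq.config.j2
    dest: /etc/rabbitmq/rabbitmq.config
    owner: root
    # Group created by the rabbitmq-server package; read access via group only.
    group: rabbitmq
    mode: "0640"
  when: deploy_method == 'host'
  notify:
    - "Restart RabbitMQ service"

- name: Template RabbitMQ configuration file for Docker deployment
  ansible.builtin.template:
    src: rabbitmq.config.j2
    dest: /etc/rabbitmq/rabbitmq.config
    owner: root
    group: root
    # NOTE(review): the uid RabbitMQ runs as inside the container is not known
    # here, so the bind-mounted file stays world-readable; narrow it (chown to
    # that uid, mode 0640) once the container uid is confirmed.
    mode: "0644"
  when: deploy_method == 'docker'
  notify:
    - "Restart RabbitMQ container"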
--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/router/mmm_mail4root:
--------------------------------------------------------------------------------

### router/mmm_mail4root
#################################
# deliver mail addressed to root to /var/mail/mail as user mail:mail
# if it was not redirected in /etc/aliases or by other means
# Exim cannot deliver as root since 4.24 (FIXED_NEVER_USERS)
#
# The "mmm" prefix sorts after the numbered routers, so this is the last
# resort for root only. The redirect "data" is a file path, handed to the
# address_file transport and written with the mail user's credentials.

mail4root:
  debug_print = "R: mail4root for $local_part@$domain"
  driver = redirect
  domains = +local_domains
  data = /var/mail/mail
  file_transport = address_file
  local_parts = root
  user = mail
  group = mail


--------------------------------------------------------------------------------
/databases/redis/redis-cluster/templates/docker-compose.yml.j2:
--------------------------------------------------------------------------------
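version: '{{ docker_compose_file_version }}'
services:
  redis-{{ redis_cluster_role }}:
    container_name: redis-{{ redis_cluster_role }}
    image: redis:{{ redis_docker_version }}
    # The official image's entrypoint runs "redis-server <file>" when the
    # first argument ends in ".conf".
    command: /usr/local/etc/redis/redis.conf
    # Host networking: Redis listens on the host's real interfaces, on
    # whatever "bind"/"port" the mounted redis.conf says — keep that file's
    # bind and requirepass tight, there is no Docker-level port filter here.
    network_mode: 'host'
    # Same policy as the haproxy and getssl compose files in this repo: a
    # cluster node that died should come back without manual intervention.
    restart: always
    volumes:
      - /var/apps/redis-{{ redis_cluster_role }}/volumes/conf:/usr/local/etc/redis
      - /var/apps/redis-{{ redis_cluster_role }}/volumes/data:{{ redis_cluster_dir }}
      - /var/apps/redis-{{ redis_cluster_role }}/volumes/logs:/var/log/redis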
--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/router/00_exim4-config_header:
--------------------------------------------------------------------------------

######################################################################
#                      ROUTERS CONFIGURATION                         #
#               Specifies how addresses are handled                  #
######################################################################
#     THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT!       #
# An address is passed to each router in turn until it is accepted.  #
######################################################################
# Order is the lexical order of the router/* snippet names: numbered
# files first (100_ ... 900_), then letter-prefixed ones such as mmm_mail4root.

begin routers


--------------------------------------------------------------------------------
/databases/memcached/tasks/docker_standalone.yml:
--------------------------------------------------------------------------------
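---
# Docker flavour of the standalone Memcached deployment: write the compose
# file and bring the stack up.
- name: "Create Docker Compose directory"
  ansible.builtin.file:
    path: "{{ memcached_docker_dir }}"
    state: directory
    owner: root
    group: root
    # Quoted so YAML does not read the octal literal as a decimal integer.
    mode: "0751"

- name: "Add docker-compose.yml"
  ansible.builtin.template:
    src: "{{ memcached_compose_standalone }}.j2"
    dest: "{{ memcached_docker_dir }}/{{ memcached_compose_standalone }}"
    owner: root
    group: root
    # A compose file is data, not a program: no execute bits, and not
    # world-readable (it may embed ports, paths or credentials).
    mode: "0640"

- name: "Run Docker Compose"
  # command: rather than shell: — nothing here needs a shell, so the templated
  # paths are passed as arguments instead of being re-parsed. Always reports
  # "changed" because "compose up -d" gives no idempotency signal.
  ansible.builtin.command: "{{ docker_command }} -f {{ memcached_docker_dir }}/{{ memcached_compose_standalone }} up -d"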
--------------------------------------------------------------------------------
/web-servers/apache2/files/etc/apache2/mods-available/mpm_prefork_astra.conf:
--------------------------------------------------------------------------------
# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxRequestWorkers: maximum number of server processes allowed to start
# MaxConnectionsPerChild: maximum number of requests a server process serves
#
# Astra-specific variant of mpm_prefork.conf: identical tuning, without the
# LimitUIDRange/LimitGIDRange lines present in the generic file — presumably
# because that httpd build does not accept them; confirm against the target.
# MaxRequestWorkers 50 caps concurrency (and memory) for a small host.

StartServers 5
MinSpareServers 3
MaxSpareServers 10
MaxRequestWorkers 50
MaxConnectionsPerChild 2000


--------------------------------------------------------------------------------
/web-servers/lets-encrypt/tasks/host.yml:
--------------------------------------------------------------------------------
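---
# Host-side Let's Encrypt setup: install the tooling the ACME clients need,
# then hand off to the client selected by lets_encrypt_acme_client.

# Install dependency
- name: Ensure apt cache is updated
  ansible.builtin.apt:
    update_cache: true
  changed_when: false

- name: Ensure needed packages are installed.
  ansible.builtin.apt:
    pkg:
      - wget
      - gnupg2
      - curl
      - dnsutils
    state: present

# Include the selected client; the task names make the chosen branch visible
# in play output.
- name: Set up certbot
  ansible.builtin.include_tasks: certbot.yml
  when: lets_encrypt_acme_client == 'certbot'

- name: Set up getssl
  ansible.builtin.include_tasks: getssl.yml
  when: lets_encrypt_acme_client == 'getssl'

- name: Set up acme.sh
  ansible.builtin.include_tasks: acmesh.yml
  when: lets_encrypt_acme_client == 'acmesh'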
--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/transport/00_exim4-config_header:
--------------------------------------------------------------------------------

######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################
#                       ORDER DOES NOT MATTER                        #
#     Only one appropriate transport is called for each delivery.    #
######################################################################

# A transport is used only when referenced from a router that successfully
# handles an address. The transports themselves follow in the other
# transport/* snippets; this file only opens the section.

begin transports


--------------------------------------------------------------------------------
/web-servers/haproxy/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Defaults for the haproxy role.

# Example of one "listen" section. Each entry becomes a listen block in the
# rendered haproxy.cfg and (for the docker deployment) a published port per
# "bind" entry — so only ports meant to be reachable should be listed.
#haproxy_listen:
#  - name: 'test'
#    bind:
#      - ':80'
#    mode: 'http'
#    option:
#      - 'httpchk'
#    servers:
#      - name: 'test2'
#        ip: '127.0.0.1'
#        port: '80'
#        options: 'check'
#    http_request: 'redirect scheme https unless { ssl_fc }'

haproxy_listen: []

# host | docker
haproxy_deploy_method: host

# Docker
# Pinned image tag; bump deliberately for security releases.
haproxy_docker_version: 2.9.4

haproxy_docker_subnet: 172.18.1.0/24
haproxy_docker_ip: 172.18.1.9

# Ansible version
ansible_major_version: 2
ansible_minor_version: 14
--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/transport/10_exim4-config_transport-macros:
--------------------------------------------------------------------------------

### transport/10_exim4-config_transport-macros
#################################

# With HIDE_MAILNAME set, outgoing mail has its From:, Reply-To: and Sender:
# headers (flags "frs") rewritten from any local domain / the /etc/mailname
# domain to <local_part>@DCreadhost, and the envelope sender is rewritten the
# same way. The trailing "fail" forces the expansion to fail for other sender
# domains, which per the Exim spec leaves the return path unchanged — confirm.
.ifdef HIDE_MAILNAME
REMOTE_SMTP_HEADERS_REWRITE=*@+local_domains $1@DCreadhost frs : *@ETC_MAILNAME $1@DCreadhost frs
REMOTE_SMTP_RETURN_PATH=${if match_domain{$sender_address_domain}{+local_domains}{${sender_address_local_part}@DCreadhost}{${if match_domain{$sender_address_domain}{ETC_MAILNAME}{${sender_address_local_part}@DCreadhost}fail}}}
.endif

# HELO name taken from the PTR record of the interface address used for the
# outgoing connection; falls back to $primary_hostname when the lookup
# yields nothing (DNS must therefore be trustworthy for the sending host).
.ifdef REMOTE_SMTP_HELO_FROM_DNS
REMOTE_SMTP_HELO_DATA=${lookup dnsdb {ptr=$sending_ip_address}{$value}{$primary_hostname}}
.endif

--------------------------------------------------------------------------------
/databases/memcached/tasks/host_standalone.yml:
--------------------------------------------------------------------------------
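---
# Host (systemd) flavour of the standalone Memcached deployment.
- name: "Install Memcached packages"
  ansible.builtin.apt:
    pkg:
      - memcached
      - libmemcached-tools
    # "present": do not pull an unreviewed upgrade on every play run.
    state: present
  notify:
    - Start Memcached
    - Enable Memcached

- name: "Set Memcached service"
  ansible.builtin.template:
    src: memcached.service.j2
    dest: "{{ memcached_service }}"
    owner: root
    group: root
    mode: "0644"
  # Previously this task notified nothing, so a changed unit file was only
  # applied on the next unrelated restart. The Restart handler runs
  # daemon-reload before restarting, so the new unit is what starts.
  notify:
    - Restart Memcached

- name: "Set Memcached configuration"
  ansible.builtin.template:
    src: memcached.conf.j2
    dest: "{{ memcached_conf_file }}"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart Memcached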
--------------------------------------------------------------------------------
/web-servers/apache2/files/etc/apache2/mods-available/mpm_prefork.conf:
--------------------------------------------------------------------------------
# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxRequestWorkers: maximum number of server processes allowed to start
# MaxConnectionsPerChild: maximum number of requests a server process serves
#
# MaxRequestWorkers 50 caps concurrency (and memory) for a small host.

StartServers 5
MinSpareServers 3
MaxSpareServers 10
MaxRequestWorkers 50
MaxConnectionsPerChild 2000
# NOTE(review): LimitUIDRange/LimitGIDRange are not stock httpd directives
# (the _astra variant of this file omits them). An httpd that does not know
# them refuses to start on an unknown-directive error, so confirm which
# build each variant targets.
LimitUIDRange 0 65535
LimitGIDRange 0 65535


--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/rewrite/31_exim4-config_rewriting:
--------------------------------------------------------------------------------

### rewrite/31_exim4-config_rewriting
#################################

# This rewriting rule is particularly useful for dialup users who
# don't have their own domain, but could be useful for anyone.
# It looks up the real address of all local users in a file
#
# Flags "Ffrs": the envelope sender (F) and the From:, Reply-To: and Sender:
# headers (f, r, s) of mail from <user>@<local domain> are replaced by the
# address listed for <user> in /etc/email-addresses; "fail" leaves the
# address untouched when the user has no entry there.
.ifndef NO_EAA_REWRITE_REWRITE
*@+local_domains "${lookup{${local_part}}lsearch{/etc/email-addresses}\
                   {$value}fail}" Ffrs
# identical rewriting rule for /etc/mailname
*@ETC_MAILNAME "${lookup{${local_part}}lsearch{/etc/email-addresses}\
                   {$value}fail}" Ffrs
.endif



--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/router/150_exim4-config_hubbed_hosts:
--------------------------------------------------------------------------------

# router/150_exim4-config_hubbed_hosts
#################################

# route specific domains manually.
#
# see exim4-config_files(5) and spec.txt chapter 20.3 through 20.7 for
# more detailed documentation.
#
# Active only when CONFDIR/hubbed_hosts exists; the router then handles
# exactly the domains listed there (partial matching, so "example.com" also
# covers sub-domains) and sends them to the host(s) named on that line via
# remote_smtp. Whoever can edit hubbed_hosts decides where that mail goes,
# so keep the file root-owned.

hubbed_hosts:
  debug_print = "R: hubbed_hosts for $domain"
  driver = manualroute
  domains = "${if exists{CONFDIR/hubbed_hosts}\
                 {partial-lsearch;CONFDIR/hubbed_hosts}\
                 fail}"
  same_domain_copy_routing = yes
  route_data = ${lookup{$domain}partial-lsearch{CONFDIR/hubbed_hosts}}
  transport = remote_smtp

--------------------------------------------------------------------------------
/web-servers/lets-encrypt/templates/getssl-docker-compose.yml.j2:
--------------------------------------------------------------------------------
# getssl ACME client, built from ./build/getssl (Dockerfile not shown here).
version: '{{ docker_compose_file_version }}'
services:
  getssl:
    build: ./build/getssl
    container_name: getssl
    volumes:
      # Client config and per-domain state are bind-mounted from ./volumes so
      # they survive container rebuilds; the per-domain directories presumably
      # hold the domain private keys — treat ./volumes as secret material.
      - ./volumes/usr/local/scripts/getssl/.getssl/getssl.cfg:/usr/local/scripts/getssl/.getssl/getssl.cfg
{% for domain in lets_encrypt_domains %}
      - ./volumes/usr/local/scripts/getssl/.getssl/{{ domain }}/:/usr/local/scripts/getssl/.getssl/{{ domain }}/
{% endfor %}
      - /etc/letsencrypt/getssl:/etc/letsencrypt/getssl
      # Webroot for HTTP-01 challenges, same path inside and outside.
      - {{ lets_encrypt_webroot }}:{{ lets_encrypt_webroot }}
    tty: true
    # restart: always assumes the image keeps getssl running (loop/cron);
    # a one-shot client would be relaunched endlessly — confirm.
    restart: always
    # Host networking; the service publishes no ports of its own.
    network_mode: host
--------------------------------------------------------------------------------
/logging/vector/templates/vector_aggregator.yaml.j2:
--------------------------------------------------------------------------------
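# Vector aggregator configuration; every value comes from role variables.
data_dir: "{{ vector_data_dir }}"

sources:
  aggregator_source:
    type: {{ vector_aggregator_source_type }}

transforms:
  aggregator_transform:
    type: {{ vector_aggregator_transform_type }}
    # to_json renders the list with valid YAML quoting regardless of content.
    inputs: {{ vector_aggregator_transform_inputs | to_json }}
    # Block scalar: a multi-line program (or one containing ": " / " #"),
    # as VRL for a remap transform typically is, broke the YAML when inlined.
    source: |
      {{ vector_aggregator_transform_source | indent(6) }}

sinks:
  aggregator_sink:
    type: {{ vector_aggregator_sink_type }}
    inputs: {{ vector_aggregator_sink_inputs | to_json }}
    encoding:
      codec: {{ vector_aggregator_sink_encoding_codec }}

# The API exposes GraphQL introspection and "vector tap" of live events;
# keep the address on loopback unless remote access is deliberately wanted.
api:
  # Rendered as "true"/"false" — YAML 1.2 readers do not treat Python's
  # "True" as a boolean.
  enabled: {{ vector_api_enabled | bool | lower }}
  address: "{{ vector_api_address }}"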
--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp:
--------------------------------------------------------------------------------

### transport/30_exim4-config_remote_smtp
#################################
# This transport is used for delivering messages over SMTP connections.
#
# TLS is opportunistic: STARTTLS is used when the peer offers it, except for
# hosts listed in REMOTE_SMTP_HOSTS_AVOID_TLS. Nothing here requires TLS or
# verifies the peer certificate, so an on-path attacker can strip STARTTLS.
# If authenticated delivery to the smarthost goes through a transport built
# from these macros, require TLS for that host (hosts_require_tls) — the
# smarthost transport itself lives in a separate snippet.

remote_smtp:
  debug_print = "T: remote_smtp for $local_part@$domain"
  driver = smtp
.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
.endif
.ifdef REMOTE_SMTP_HEADERS_REWRITE
  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
.endif
.ifdef REMOTE_SMTP_RETURN_PATH
  return_path = REMOTE_SMTP_RETURN_PATH
.endif
.ifdef REMOTE_SMTP_HELO_FROM_DNS
  helo_data=REMOTE_SMTP_HELO_DATA
.endif

--------------------------------------------------------------------------------
/databases/redis/redis-sentinel/templates/sentinel.conf.j2:
--------------------------------------------------------------------------------
# Sentinel configuration, rendered per host.
#
# NOTE(review): "protected-mode no" together with no "bind" and no
# "requirepass" / "sentinel auth-pass" means any host that can reach the
# sentinel port may query and reconfigure this sentinel (SENTINEL SET,
# SENTINEL FAILOVER). Restrict reachability at the network layer or add
# bind + authentication; if the monitored master has requirepass set,
# mirror it here with "sentinel auth-pass mymaster <password>".
protected-mode no
port {{ redis_sentinel_port }}
daemonize no
{% if redis_deploy_method == 'host' %}
pidfile {{ redis_sentinel_pid }}
loglevel notice
logfile {{ redis_sentinel_logfile }}
{% endif %}
dir {{ redis_sentinel_dir }}

# "sentinel monitor" must precede the other per-master directives.
# Quorum 2: at least two sentinels must agree before a failover starts.
sentinel monitor mymaster {{ redis_sentinel_master }} 2
sentinel down-after-milliseconds mymaster 30000
acllog-max-len 128
sentinel parallel-syncs mymaster 1
sentinel failover-timeout mymaster 180000
# Refuses runtime changes to notification/client-reconfig scripts via
# SENTINEL SET, closing the classic "script" code-execution path.
sentinel deny-scripts-reconfig yes

SENTINEL resolve-hostnames no
SENTINEL announce-hostnames no
SENTINEL master-reboot-down-after-period mymaster 0

--------------------------------------------------------------------------------
/web-servers/nginx/defaults/main.yml:
--------------------------------------------------------------------------------
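---
# Defaults for the nginx role.

nginx_version: '1.22' # or 1.23

nginx_worker_processes: 'auto'
nginx_worker_connections: 1024

nginx_ssl_dhparam: false # false (do not add line to config) / true (autogenerate) / path to file
nginx_ssl_prefer_server_ciphers: false
# Explicit protocol list. With no ssl_protocols line, nginx 1.22 falls back
# to its built-in default, which still enables TLSv1 and TLSv1.1 (the default
# was only tightened in the 1.23.x line). Set to false to defer to nginx.
nginx_ssl_protocols:
  - TLSv1.2
  - TLSv1.3
nginx_ssl_ciphers: false # or ciphers string in OpenSSL library format

nginx_site_default_type: default # or error404
nginx_site_default_ssl: false

# host | docker
nginx_deploy_method: host

# Docker
nginx_docker_subnet: 172.18.1.0/24
nginx_docker_ip: 172.18.1.2

# Ansible version
ansible_major_version: 2
ansible_minor_version: 14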
--------------------------------------------------------------------------------
/logging/vector/templates/vector_agent.yaml.j2:
--------------------------------------------------------------------------------
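# Vector agent configuration; every value comes from role variables.
data_dir: "{{ vector_data_dir }}"

sources:
  dummy_logs:
    type: {{ vector_agent_source_type }}
    format: {{ vector_agent_source_format }}
    interval: {{ vector_agent_source_interval }}

transforms:
  parse_logs:
    type: {{ vector_agent_transform_type }}
    # to_json renders the list with valid YAML quoting regardless of content.
    inputs: {{ vector_agent_transform_inputs | to_json }}
    # Block scalar: a multi-line program (or one containing ": " / " #"),
    # as VRL for a remap transform typically is, broke the YAML when inlined.
    source: |
      {{ vector_agent_transform_source | indent(6) }}

sinks:
  print:
    type: {{ vector_agent_sink_type }}
    inputs: {{ vector_agent_sink_inputs | to_json }}
    encoding:
      codec: {{ vector_agent_sink_encoding_codec }}

# The API exposes GraphQL introspection and "vector tap" of live events;
# keep the address on loopback unless remote access is deliberately wanted.
api:
  # Rendered as "true"/"false" — YAML 1.2 readers do not treat Python's
  # "True" as a boolean.
  enabled: {{ vector_api_enabled | bool | lower }}
  address: "{{ vector_api_address }}"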
--------------------------------------------------------------------------------
/web-servers/lets-encrypt/templates/certbot-docker-compose.yml.j2:
--------------------------------------------------------------------------------
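# One-shot certbot run (webroot challenge) with host networking.
version: '{{ docker_compose_file_version }}'
services:
  certbot:
    # NOTE(review): unpinned tag — pin certbot/certbot:<version> for
    # reproducible renewals.
    image: certbot/certbot
    container_name: certbot
    volumes:
      - /etc/letsencrypt:/etc/letsencrypt
      - {{ lets_encrypt_webroot }}:{{ lets_encrypt_webroot }}
      # The container-side path must be absolute; the previous target
      # "var/log/letsencrypt/letsencrypt.log" is rejected by Docker. Mounting
      # the directory (not the file) also avoids Docker creating an empty
      # directory named letsencrypt.log on first run when the file is missing.
      - ./volumes/var/log/letsencrypt:/var/log/letsencrypt
    command: >-
      certonly
      {{ '--dry-run' if lets_encrypt_dry_run else '' }}
      --noninteractive --agree-tos
      --email {{ lets_encrypt_email }}
      --webroot -w {{ lets_encrypt_webroot }}
      --expand -d {{ lets_encrypt_domains | join(' -d ') }}
    network_mode: host
    tty: true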
--------------------------------------------------------------------------------
/databases/mariadb/galera_cluster/templates/galera.cnf.j2:
--------------------------------------------------------------------------------
[mysqld]
binlog_format=ROW
default-storage-engine=innodb
innodb_autoinc_lock_mode=2
# NOTE(review): listens on every interface. Unless a host firewall limits
# 3306 and the Galera ports to cluster peers and application hosts, narrow
# this to the replication address.
bind-address=0.0.0.0

# Galera Provider Configuration
wsrep_on=ON
wsrep_provider=/usr/lib/galera/libgalera_smm.so

# Galera Cluster Configuration
wsrep_cluster_name="GaleraCluster"
# Every host in the play, by default IPv4 address and the templated
# wsrep_port — the play must therefore contain only cluster members.
wsrep_cluster_address=gcomm://{% for host in ansible_play_hosts_all %}{{ hostvars[host].ansible_default_ipv4.address }}:{{ wsrep_port }}{% if not loop.last %},{% endif %}{% endfor %}

# Galera Synchronization Configuration
# NOTE(review): rsync SST is unencrypted and nothing here enables
# socket.ssl_* in wsrep_provider_options, so a full state transfer (and
# ongoing replication) crosses the network in clear. Use a private
# replication network or enable Galera TLS.
wsrep_sst_method=rsync

# Galera Node Configuration
wsrep_node_address={{ ansible_default_ipv4.address }}
wsrep_node_name={{ ansible_hostname }}

--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/router/300_exim4-config_real_local:
--------------------------------------------------------------------------------

### router/300_exim4-config_real_local
#################################

# This router allows reaching a local user while avoiding local
# processing. This can be used to inform a user of a broken .forward
# file, for example. The userforward router does this.

# True (1) when the message was submitted locally: $sender_host_address is
# empty (non-SMTP submission, matched by the empty list item) or is one of
# this host's own interface addresses (@[]). Remote senders therefore cannot
# use the "real-" prefix to bypass per-user filtering.
COND_LOCAL_SUBMITTER = "\
  ${if match_ip{$sender_host_address}{:@[]}\
    {1}{0}\
  }"

real_local:
  debug_print = "R: real_local for $local_part@$domain"
  driver = accept
  domains = +local_domains
  condition = COND_LOCAL_SUBMITTER
  local_part_prefix = real-
  check_local_user
  transport = LOCAL_DELIVERY


--------------------------------------------------------------------------------
/logging/vector/templates/vector_hybrid.yaml.j2:
--------------------------------------------------------------------------------
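# Vector configuration rendered by Ansible. Templated scalars are quoted so
# that values such as "on", "30s" or an empty variable reach Vector as
# strings instead of being re-typed (or dropped) by the YAML parser.
data_dir: "{{ vector_data_dir }}"

sources:
  hybrid_source:
    type: "{{ vector_hybrid_source_type }}"
    format: "{{ vector_hybrid_source_format }}"
    # Left unquoted on purpose: a numeric interval.
    interval: {{ vector_hybrid_source_interval }}

transforms:
  hybrid_transform:
    type: "{{ vector_hybrid_transform_type }}"
    # to_json renders the list as a YAML-valid flow sequence with quoted
    # entries (Python's repr of a list was used before).
    inputs: {{ vector_hybrid_transform_inputs | to_json }}
    # Block scalar: the transform program may span several lines and may
    # contain ': ' or '#', which would break or truncate a plain scalar.
    source: |
      {{ vector_hybrid_transform_source | indent(6) }}

sinks:
  hybrid_sink:
    type: "{{ vector_hybrid_sink_type }}"
    inputs: {{ vector_hybrid_sink_inputs | to_json }}
    encoding:
      codec: "{{ vector_hybrid_sink_encoding_codec }}"

api:
  # Normalised to a YAML boolean regardless of how the variable was spelled.
  enabled: {{ vector_api_enabled | bool | to_json }}
  # NOTE(review): the API has no authentication of its own; keep this bound
  # to loopback unless remote access is intended.
  address: "{{ vector_api_address }}"
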
--------------------------------------------------------------------------------
/web-servers/haproxy/templates/docker-compose.yml.j2:
--------------------------------------------------------------------------------
# docker compose definition for the HAProxy container (rendered by Ansible).
version: '{{ docker_compose_file_version }}'
services:
  haproxy:
    container_name: haproxy
    image: 'haproxy:{{ haproxy_docker_version }}'
    restart: always
    volumes:
      - '/var/apps/haproxy/volumes/conf:/usr/local/etc/haproxy'
    # One published port per bind of every listen section. The host side is
    # the address Ansible reaches this machine on (ansible_ssh_host, else
    # ansible_host); the port is whatever follows ':' in the bind string and
    # is used unchanged on both sides of the mapping.
    ports:
{% for listen in haproxy_listen %}
{% for bind in listen.bind %}
      - '{{ ansible_ssh_host | default(ansible_host) }}:{{ bind.split(':')[1] }}:{{ bind.split(':')[1] }}'
{% endfor %}
{% endfor %}
    networks:
      vm_net:
        ipv4_address: '{{ haproxy_docker_ip }}'

networks:
  vm_net:
    driver: bridge
    ipam:
      config:
        - subnet: '{{ haproxy_docker_subnet }}'

--------------------------------------------------------------------------------
/databases/redis/redis-sentinel/templates/docker-compose-sentinel.yml.j2:
--------------------------------------------------------------------------------
# docker compose definition for the Redis Sentinel container (rendered by Ansible).
version: '{{ docker_compose_file_version }}'
services:
  redis-sentinel:
    container_name: redis-sentinel
    image: 'redis:{{ redis_docker_version }}'
    command: 'redis-sentinel /usr/local/etc/redis/redis.conf'
    restart: always
    volumes:
      - '/var/apps/redis-sentinel/volumes/conf:/usr/local/etc/redis'
    # Published on the address Ansible reaches this machine on. Sentinel only
    # authenticates clients if redis.conf says so; NOTE(review): confirm that
    # address is not reachable from untrusted networks.
    ports:
      - '{{ ansible_ssh_host | default(ansible_host) }}:{{ redis_sentinel_port }}:{{ redis_sentinel_port }}'
    networks:
      vm_net:
        ipv4_address: '{{ redis_sentinel_docker_ip }}'

networks:
  vm_net:
    driver: bridge
    ipam:
      config:
        - subnet: '{{ redis_sentinel_docker_subnet }}'

--------------------------------------------------------------------------------
/databases/mysql/galera_cluster_with_arbitrator/tasks/galera_arbitrator.yml:
--------------------------------------------------------------------------------
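---
# Installs garbd (the Galera arbitrator), renders its config and starts it
# unless an instance with that config is already running.

- name: Installing Galera Arbitrator
  apt:
    # galera_version pins the package name (role/inventory variable).
    pkg: "galera-arbitrator-{{ galera_version }}"
    state: present
    update_cache: true
  environment:
    DEBIAN_FRONTEND: noninteractive

- name: Create Galera Arbitrator config
  template:
    src: galera_arbitrator.conf.j2
    dest: /etc/galera_arbitrator.conf

- name: Check if Galera Arbitrator is already running
  # pgrep exits 1 when no process matches. That is the expected outcome on a
  # fresh host, so it must not fail the play (the original ps|grep pipeline
  # did, which meant the "Run" task below was never reached).
  command: pgrep -f "garbd --cfg /etc/galera_arbitrator.conf"
  register: garbd_process
  failed_when: false
  changed_when: false
  check_mode: false

- name: Run Galera Arbitrator
  # NOTE(review): garbd stays in the foreground unless the rendered config
  # sets daemon = yes; confirm the template does, or this task never returns.
  command: garbd --cfg /etc/galera_arbitrator.conf
  when: garbd_process.rc != 0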
--------------------------------------------------------------------------------
/web-servers/apache2/templates/docker-compose.yml.j2:
--------------------------------------------------------------------------------
# docker compose definition for the Apache (php image) container (rendered by Ansible).
version: '{{ docker_compose_file_version }}'
services:
  apache2:
    container_name: apache2
    image: 'php:{{ apache2_docker_version }}'
    restart: always
    volumes:
      - '/var/apps/apache2/volumes/conf/apache2.conf:/etc/apache2/apache2.conf'
      - '/var/apps/apache2/volumes/conf/ports.conf:/etc/apache2/ports.conf'
      - '/var/apps/apache2/volumes/conf/sites-enabled:/etc/apache2/sites-enabled'
    # Port 81 on the address Ansible reaches this machine on.
    ports:
      - '{{ ansible_ssh_host | default(ansible_host) }}:81:81'
    networks:
      vm_net:
        ipv4_address: '{{ apache2_docker_ip }}'

networks:
  vm_net:
    driver: bridge
    ipam:
      config:
        - subnet: '{{ apache2_docker_subnet }}'

--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/router/100_exim4-config_domain_literal:
--------------------------------------------------------------------------------

### router/100_exim4-config_domain_literal
#################################

# This router handles e-mail addresses in "domain literal" form like
# <user@[192.0.2.1]>. The RFCs require this facility, but it is disabled
# in the default config since it is seldom used and frequently abused.
# Domain literal support also needs to be enabled in the main config,
# which is automatically done if you use the enable macro
# MAIN_ALLOW_DOMAIN_LITERALS.

# The whole router is compiled out unless the macro is defined, so a
# default build never routes on bare IP addresses.
.ifdef MAIN_ALLOW_DOMAIN_LITERALS
domain_literal:
  debug_print = "R: domain_literal for $local_part@$domain"
  driver = ipliteral
  # Only for addresses that are not one of our own local domains.
  domains = ! +local_domains
  transport = remote_smtp
.endif

--------------------------------------------------------------------------------
/databases/redis/redis-sentinel/templates/docker-compose.yml.j2:
--------------------------------------------------------------------------------
# docker compose definition for the Redis server that runs next to Sentinel
# (rendered by Ansible).
version: '{{ docker_compose_file_version }}'
services:
  redis:
    container_name: redis
    image: 'redis:{{ redis_docker_version }}'
    # The image's entrypoint runs redis-server with this config file.
    command: '/usr/local/etc/redis/redis.conf'
    restart: always
    volumes:
      - '/var/apps/redis/volumes/conf:/usr/local/etc/redis'
      - '/var/apps/redis/volumes/data:{{ redis_dir }}'
      - '/var/apps/redis/volumes/logs:/var/log/redis'
    # Published on the address Ansible reaches this machine on; access control
    # is whatever redis.conf configures.
    ports:
      - '{{ ansible_ssh_host | default(ansible_host) }}:{{ redis_port }}:{{ redis_port }}'
    networks:
      vm_net:
        ipv4_address: '{{ redis_docker_ip }}'

networks:
  vm_net:
    driver: bridge
    ipam:
      config:
        - subnet: '{{ redis_docker_subnet }}'


--------------------------------------------------------------------------------
/databases/redis/standalone/templates/docker-compose.yml.j2:
--------------------------------------------------------------------------------
# docker compose definition for the standalone Redis server (rendered by Ansible).
version: '{{ docker_compose_file_version }}'
services:
  redis:
    container_name: redis
    image: 'redis:{{ redis_docker_version }}'
    # The image's entrypoint runs redis-server with this config file.
    command: '/usr/local/etc/redis/redis.conf'
    restart: always
    volumes:
      - '/var/apps/redis/volumes/conf:/usr/local/etc/redis'
      - '/var/apps/redis/volumes/data:{{ redis_dir }}'
      - '/var/apps/redis/volumes/logs:/var/log/redis'
    # Published on the address Ansible reaches this machine on; access control
    # is whatever redis.conf configures.
    ports:
      - '{{ ansible_ssh_host | default(ansible_host) }}:{{ redis_port }}:{{ redis_port }}'
    networks:
      vm_net:
        ipv4_address: '{{ redis_docker_ip }}'

networks:
  vm_net:
    driver: bridge
    ipam:
      config:
        - subnet: '{{ redis_docker_subnet }}'


--------------------------------------------------------------------------------
/databases/memcached/templates/docker-compose-standalone.yml.j2:
--------------------------------------------------------------------------------
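# docker compose definition for standalone memcached (rendered by Ansible).
services:
  memcached:
    image: "{{ memcached_docker_image }}"
    container_name: memcached
    restart: always
    environment:
      - "MEMCACHED_LISTEN_ADDRESS={{ memcached_docker_ip }}"
      - "MEMCACHED_PORT_NUMBER={{ memcached_listen_port }}"
      - "MEMCACHED_CACHE_SIZE={{ memcached_memory_limit }}"
      # NOTE(review): a username alone does not enable authentication in the
      # bitnami image; without a password the service accepts any client.
      - "MEMCACHED_USERNAME={{ memcached_user }}"
      - "MEMCACHED_MAX_CONNECTIONS={{ memcached_max_connections }}"
    # The host side of the mapping is bound to memcached_listen_ip (127.0.0.1
    # in the role defaults). The previous "11211:..." form had no address and
    # published the unauthenticated service on every interface of the host.
    ports:
      - "{{ memcached_listen_ip }}:11211:{{ memcached_listen_port }}"
    networks:
      memcached:
        ipv4_address: "{{ memcached_docker_ip }}"

networks:
  memcached:
    driver: bridge
    ipam:
      config:
        - subnet: "{{ memcached_docker_subnet }}"
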
--------------------------------------------------------------------------------
/monitoring/prometheus-stack/tasks/node_exporter.yml:
--------------------------------------------------------------------------------
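# Runs node_exporter as a container on the host network and imports its
# Grafana dashboard.

- name: Run Node Exporter in Docker
  docker_container:
    # NOTE(review): "latest" is a moving target; pin a release tag for
    # reproducible deployments.
    image: "quay.io/prometheus/node-exporter:latest"
    name: "node_exporter"
    network_mode: "host"
    # The exporter reads host metrics through the read-only rootfs bind mount
    # below plus the host PID namespace. That does not need a privileged
    # container, which previously gave the exporter full access to the host's
    # devices and capabilities.
    pid_mode: "host"
    privileged: false
    restart_policy: "unless-stopped"
    state: "started"
    command:
      - "--path.rootfs=/host"
    volumes:
      - "/:/host:ro,rslave"

- name: Import Grafana dashboard node-exporter
  community.grafana.grafana_dashboard:
    grafana_url: "{{ grafana_url }}"
    url_username: "{{ grafana_admin_user }}"
    url_password: "{{ grafana_admin_password }}"
    state: present
    commit_message: Updated by ansible
    overwrite: true
    # Dashboard 1860 at a fixed revision, fetched from grafana.com at run time.
    path: https://grafana.com/api/dashboards/1860/revisions/36/download
  # Keep the admin credentials out of the task output and logs.
  no_log: true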
--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/retry/30_exim4-config:
--------------------------------------------------------------------------------

### retry/30_exim4-config
#################################

# This single retry rule applies to all domains and all errors. It specifies
# retries every 15 minutes for 2 hours, then increasing retry intervals,
# starting at 1 hour and increasing each time by a factor of 1.5, up to 16
# hours, then retries every 6 hours until 4 days have passed since the first
# failed delivery.

# Please note that these rules only limit the frequency of retries, the
# effective retry-time depends on the frequency of queue-running, too.
# See QUEUEINTERVAL in /etc/default/exim4.

# Address or Domain    Error    Retries
# -----------------    -----    -------

# Column 1: any domain; column 2: any error; column 3: the three retry
# phases described above (F = fixed interval, G = geometric growth).
*                      *        F,2h,15m; G,16h,1h,1.5; F,4d,6h


--------------------------------------------------------------------------------
/web-servers/lets-encrypt/tasks/certbot-docker.yml:
--------------------------------------------------------------------------------
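---
# Deploys certbot under docker compose. The compose template bind-mounts
# ./volumes/var/log/letsencrypt/letsencrypt.log into the container, so that
# path must exist as a regular file before "up": the previous task created a
# *directory* of that name, which Docker then mounted over certbot's log file.

- name: Create directory
  file:
    path: "/var/apps/{{ lets_encrypt_acme_client }}"
    state: directory
    mode: '0751'
    owner: root
    group: root

- name: Create log directory
  file:
    path: "/var/apps/{{ lets_encrypt_acme_client }}/volumes/var/log/letsencrypt"
    state: directory
    mode: '0751'
    owner: root
    group: root

- name: Create log file
  file:
    path: "/var/apps/{{ lets_encrypt_acme_client }}/volumes/var/log/letsencrypt/letsencrypt.log"
    state: touch
    mode: '0640'
    owner: root
    group: root
    # Without these, touch reports "changed" on every run.
    modification_time: preserve
    access_time: preserve

# Setup Docker-compose
- name: Add docker-compose.yml
  template:
    src: 'certbot-docker-compose.yml.j2'
    dest: '/var/apps/{{ lets_encrypt_acme_client }}/docker-compose.yml'
    owner: root
    group: root
    mode: '0640'

- name: Docker-compose up
  # No shell features are needed, so the command module avoids handing the
  # templated path to a shell. docker_command may be several words
  # (e.g. "docker compose"); command splits on whitespace.
  command:
    cmd: "{{ docker_command }} -f /var/apps/{{ lets_encrypt_acme_client }}/docker-compose.yml up -d"
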
--------------------------------------------------------------------------------
/monitoring/prometheus-stack/templates/prometheus/prometheus.yml.j2:
--------------------------------------------------------------------------------
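# Prometheus server configuration rendered by Ansible. Durations, labels and
# URLs are quoted so values such as "15s" or "on" reach Prometheus as strings.
rule_files:
  - '{{ prometheus_rule_files_path }}'

global:
  scrape_interval: '{{ prometheus_scrape_interval }}'
  evaluation_interval: '{{ prometheus_evaluation_interval }}'
  scrape_timeout: '{{ prometheus_scrape_timeout }}'
  external_labels:
    monitor: '{{ prometheus_external_monitor_label }}'

scrape_configs:
  - job_name: '{{ prometheus_job_name }}'
    static_configs:
      # to_json writes the list as a YAML-valid flow sequence with every entry
      # quoted, instead of Python's repr of the list.
      # NOTE(review): assumes prometheus_targets is a list — confirm in defaults.
      - targets: {{ prometheus_targets | to_json }}

alerting:
  alertmanagers:
    - scheme: '{{ prometheus_alertmanagers_scheme }}'
      static_configs:
        - targets:
            # A single host:port string, quoted so it is never re-typed.
            # NOTE(review): a list value here would need to_json as above.
            - '{{ prometheus_alertmanagers_targets }}'

remote_write:
  - url: '{{ prometheus_remote_write_url }}'

remote_read:
  - url: '{{ prometheus_remote_read_url }}'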
--------------------------------------------------------------------------------
/basic/exim4-smarthost/templates/docker-compose.yml.j2:
--------------------------------------------------------------------------------
# docker compose definition for the Exim smarthost container (rendered by Ansible).
version: '{{ docker_compose_file_version }}'
services:
  exim4_smarthost:
    container_name: exim4_smarthost
    image: 'tianon/exim4:{{ exim4_smarthost_docker_version }}'
    restart: always
    volumes:
      - '/var/apps/exim4_smarthost/volumes/conf:/etc/exim4'
    # SMTP, SMTPS and submission, each published on
    # exim4_smarthost_docker_listen_interface with a configurable host port and
    # the standard port inside the container.
    ports:
      - '{{ exim4_smarthost_docker_listen_interface }}:{{ exim4_smarthost_smtp_port }}:25'
      - '{{ exim4_smarthost_docker_listen_interface }}:{{ exim4_smarthost_smtps_port }}:465'
      - '{{ exim4_smarthost_docker_listen_interface }}:{{ exim4_smarthost_smtp_submission_port }}:587'
    networks:
      vm_net:
        ipv4_address: '{{ exim4_smarthost_docker_ip }}'

networks:
  vm_net:
    driver: bridge
    ipam:
      config:
        - subnet: '{{ exim4_smarthost_docker_subnet }}'

--------------------------------------------------------------------------------
/monitoring/prometheus-stack/templates/alertmanager/config.yml.j2:
--------------------------------------------------------------------------------
# Alertmanager configuration rendered by Ansible: a single route whose
# receiver is selected by alertmanager_receiver.
route:
  group_by:
    - 'alertname'
    - 'job'

  group_wait: '{{ alertmanager_group_wait }}'
  group_interval: '{{ alertmanager_group_interval }}'
  repeat_interval: '{{ alertmanager_repeat_interval }}'

  receiver: '{{ alertmanager_receiver }}'

# Exactly one receiver block is rendered, matching the route above. The
# webhook / API URLs below are credentials for the target channel, so the
# rendered file should not be world-readable.
receivers:
  - name: '{{ alertmanager_receiver }}'
{% if alertmanager_receiver == 'discord' %}
    discord_configs:
      - webhook_url: '{{ alertmanager_discord_webhook_url }}'
{% elif alertmanager_receiver == 'slack' %}
    slack_configs:
      - api_url: '{{ alertmanager_slack_api_url }}'
        channel: '{{ alertmanager_slack_channel }}'
{% elif alertmanager_receiver == 'mm' %}
    mattermost_configs:
      - api_url: '{{ alertmanager_mm_api_url }}'
        channel: '{{ alertmanager_mm_channel }}'
{% endif %}
--------------------------------------------------------------------------------
/message_brokers/rabbitmq/standalone/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Role defaults for the standalone RabbitMQ deployment; override per inventory.

# Minimum Ansible version (major.minor) the role's checks expect.
ansible_major_version: 2
ansible_minor_version: 14
timezone: "Europe/Moscow"
deploy_method: docker # Options: 'host', 'docker'

# Rabbitmq variables
# guest/guest is the broker's built-in account. loopback_users below keeps it
# usable from localhost only; NOTE(review): override both values for any
# deployment that accepts non-local connections on rabbitmq_ip 0.0.0.0.
rabbitmq_default_user: "guest"
rabbitmq_default_pass: "guest"
rabbitmq_default_vhost: "/"
# Listen on all interfaces.
rabbitmq_ip: "0.0.0.0"
rabbitmq_port: 5672
loopback_users: ["guest"]
disk_free_limit_mem_relative: 1.0
hipe_compile: false
vm_memory_high_watermark: 0.4
connection_log_level: info
mirroring_log_level: info
cluster_partition_handling: ignore
rabbitmq_queue_master_locator: "min-masters"
# Erlang distribution port range, pinned to a single port.
inet_dist_listen_min: 25672
inet_dist_listen_max: 25672


# Docker variables
# NOTE(review): "latest" is a moving target; pin a tag for reproducible deploys.
rabbitmq_image: "rabbitmq:latest"
rabbitmq_container_name: "rabbitmq"
# AMQP and the management UI, published without a host address, i.e. on
# every interface of the Docker host.
rabbitmq_ports:
  - "5672:5672"
  - "15672:15672"
rabbitmq_config_dir: /etc/rabbitmq
/databases/redis/redis-sentinel/tasks/redis_sentinel.yml:
--------------------------------------------------------------------------------
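---
# Installs Redis + Sentinel from APT and renders both configuration files.

- name: "Install Redis packages"
  apt:
    # Optional pin: with redis_version unset the spec becomes "<pkg>=***",
    # which apt's glob matching treats as "any version".
    name: '{{ item }}=*{{ redis_version | default("*") }}*'
    state: present
    update_cache: true
  become: true
  loop:
    - redis-server
    - redis-tools
    - redis-sentinel
  notify:
    - Start Redis
    - Enable Redis

- name: "Set Redis configuration"
  template:
    src: redis.conf.j2
    dest: "{{ redis_conf_file }}"
    # redis.conf may carry requirepass / masterauth, so it is readable by the
    # service group only rather than by every local account (the previous
    # 0644 made it world-readable). Modes are quoted: an unquoted 0644 is
    # parsed as the integer 420 by YAML.
    owner: root
    group: redis
    mode: "0640"
  notify:
    - Restart Redis

- name: "Set Redis Sentinel configuration"
  template:
    src: sentinel.conf.j2
    dest: "{{ redis_sentinel_conf_file }}"
    # Sentinel rewrites its own config at run time, hence owned by redis.
    owner: redis
    group: redis
    mode: "0640"
  notify:
    - Restart Redis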
--------------------------------------------------------------------------------
/web-servers/lets-encrypt/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Role defaults for the Let's Encrypt role; override per inventory.

lets_encrypt_acme_client: certbot # certbot, acmesh, getssl
lets_encrypt_deploy_method: host


# true means certbot is invoked with --dry-run: nothing is issued until this
# is overridden.
lets_encrypt_dry_run: true
lets_encrypt_webroot: /var/www/getssl
# Placeholder contact address; set a real one for expiry notices.
lets_encrypt_email: example@nixys.io
lets_encrypt_domains:
  - example.com
  - www.example.com
lets_encrypt_auto_renew: true
lets_encrypt_cron_hour: "3"
lets_encrypt_cron_minute: "30"

# Certbot auto-renew cron job configuration (for certificate renewals).
# NOTE(review): this evaluates to the first domain name (e.g. "example.com"),
# which looks odd for a cron user; confirm the intended value.
lets_encrypt_certbot_auto_renew_user: "{{ lets_encrypt_domains | first }}"
lets_encrypt_certbot_auto_renew_options: "--quiet"

lets_encrypt_dns_function: dns_hetzner # Only for acme.sh. Full list - https://github.com/Neilpang/acme.sh/tree/master/dnsapi

# Docker
lets_encrypt_docker_version: 2.8.0

# Ansible version
ansible_major_version: 2
ansible_minor_version: 14

--------------------------------------------------------------------------------
/container_engines/docker/tasks/docker-debian.yml:
--------------------------------------------------------------------------------
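---
# Installs Docker CE from Docker's APT repository (Debian).

# Install packages
# The repository key is stored in its own keyring and scoped to this
# repository with signed-by, instead of being added to the system-wide
# trusted keys (apt_key), where it would be accepted for every repository.
- name: Create APT keyring directory
  file:
    path: /etc/apt/keyrings
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: Install Docker Repository key
  get_url:
    url: https://download.docker.com/linux/debian/gpg
    dest: /etc/apt/keyrings/docker.asc
    owner: root
    group: root
    mode: "0644"

- name: Add Docker Repository
  # NOTE(review): arch is hard-coded to amd64; derive it from the dpkg
  # architecture if arm64 hosts are ever targeted.
  apt_repository:
    repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
    state: present
    update_cache: true
    filename: docker

- name: Install docker-ce package
  apt:
    # docker_version is optional. Unset, the spec degenerates to "<epoch>:*"
    # (newest available build). The previous default([]) rendered a literal
    # "[]" into the version glob, which matches no real version.
    name:
      - "docker-ce={{ docker_package_epoch }}:{{ docker_version | default('') }}*"
      - "docker-ce-cli={{ docker_package_epoch }}:{{ docker_version | default('') }}*"
      - "docker-ce-rootless-extras={{ docker_package_epoch }}:{{ docker_version | default('') }}*"
      - containerd.io
      - docker-compose-plugin
    state: present
    allow_downgrade: true
  notify:
    - Restart docker
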
--------------------------------------------------------------------------------
/container_engines/docker/tasks/docker-ubuntu.yml:
--------------------------------------------------------------------------------
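---
# Installs Docker CE from Docker's APT repository (Ubuntu).

# Install packages
# The repository key is stored in its own keyring and scoped to this
# repository with signed-by, instead of being added to the system-wide
# trusted keys (apt_key), where it would be accepted for every repository.
- name: Create APT keyring directory
  file:
    path: /etc/apt/keyrings
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: Install Docker Repository key
  get_url:
    url: https://download.docker.com/linux/ubuntu/gpg
    dest: /etc/apt/keyrings/docker.asc
    owner: root
    group: root
    mode: "0644"

- name: Add Docker Repository
  # NOTE(review): arch is hard-coded to amd64; derive it from the dpkg
  # architecture if arm64 hosts are ever targeted.
  apt_repository:
    repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
    state: present
    update_cache: true
    filename: docker

- name: Install docker-ce package
  apt:
    # docker_version is optional. Unset, the spec degenerates to "<epoch>:*"
    # (newest available build). The previous default([]) rendered a literal
    # "[]" into the version glob, which matches no real version.
    name:
      - "docker-ce={{ docker_package_epoch }}:{{ docker_version | default('') }}*"
      - "docker-ce-cli={{ docker_package_epoch }}:{{ docker_version | default('') }}*"
      - "docker-ce-rootless-extras={{ docker_package_epoch }}:{{ docker_version | default('') }}*"
      - containerd.io
      - docker-compose-plugin
    state: present
    allow_downgrade: true
  notify:
    - Restart docker
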
--------------------------------------------------------------------------------
/basic/git/tasks/main.yml:
--------------------------------------------------------------------------------
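---
# Git role: environment checks, then the package install.

# Check environment
- name: "Check Ansible version"
  assert:
    msg: "Ansible {{ ansible_version.full }} is not supported. You should have at least Ansible {{ ansible_major_version }}.{{ ansible_minor_version }}.*"
    that:
      # Compared as a version string. The previous field-by-field test
      # ("major >= X and minor >= Y") rejected e.g. 3.0 when 2.14 is the
      # minimum.
      - ansible_version.full is version(ansible_major_version ~ '.' ~ ansible_minor_version, '>=')

- name: Check OS family and version
  fail:
    msg: "The operating system ({{ ansible_distribution }} {{ ansible_distribution_version }}) is not supported"
  # Supported: Debian 11-12, Ubuntu 20-22; anything else fails the play.
  when: >-
    not ((ansible_distribution == 'Debian'
          and ansible_distribution_major_version | int >= 11
          and ansible_distribution_major_version | int <= 12)
         or (ansible_distribution == 'Ubuntu'
             and ansible_distribution_major_version | int >= 20
             and ansible_distribution_major_version | int <= 22))

# Install packages
- name: Install Git
  apt:
    pkg:
      - git
    state: present
    update_cache: true
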
--------------------------------------------------------------------------------
/databases/memcached/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Role defaults for memcached; override per inventory.

# Deploy
memcached_deploy_method: docker
memcached_mode: standalone

# General configuration
memcached_user: memcache
memcached_listen_port: 11211
# Loopback only by default: memcached has no authentication unless SASL is
# configured. NOTE(review): the docker compose template on this page publishes
# port 11211 without a host address; confirm it honours this value.
memcached_listen_ip: 127.0.0.1
# Cache size in MB.
memcached_memory_limit: 64
memcached_max_connections: 1024

# Standalone
memcached_conf_file: "/etc/memcached.conf"
memcached_pid_file: "/run/memcached/memcached.pid"
memcached_log_file: "/var/log/memcached.log"
memcached_service: "/lib/systemd/system/memcached.service"
memcached_verbosity_level: "-v"
memcached_daemon: memcached.service

# Docker Compose
memcached_compose_standalone: "docker-compose-standalone.yml"
memcached_docker_dir: "/var/apps/memcached"
memcached_docker_image: bitnami/memcached:1.6.28
memcached_docker_subnet: 172.18.0.0/16
memcached_docker_ip: 172.18.0.11

# Ansible
# NOTE(review): other roles on this page name these ansible_major_version /
# ansible_minor_version; confirm which spelling the version check reads.
ansible_version_major: 2
ansible_version_minor: 14

--------------------------------------------------------------------------------
/databases/mysql/percona_xtradb_cluster/templates/docker-compose-percona-cluster.yml.j2:
--------------------------------------------------------------------------------
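# docker compose definition for a Percona XtraDB Cluster node (rendered by Ansible).
# The rendered file contains the root password in clear; keep its mode restrictive.
version: '3'
services:
  percona:
    container_name: "{{ mysql_docker_container_name }}"
    image: "percona/percona-xtradb-cluster:{{ mysql_xtradb_docker_version }}"
    network_mode: host
    environment:
      # to_json yields a YAML-safe double-quoted string, so a password with
      # '#', ': ', quotes or a leading symbol no longer breaks or re-types the
      # file. '$' is doubled because compose interpolates ${VAR} in values.
      MYSQL_ROOT_PASSWORD: {{ mysql_xtradb_root_password | replace('$', '$$') | to_json }}
      CLUSTER_NAME: {{ mysql_xtradb_cluster_name | to_json }}
{% if percona_bootstrap|default(false) == false %}
      # All nodes of xtradb_nodes_group; omitted on the bootstrapping node.
      CLUSTER_JOIN: "{% for item in groups['xtradb_nodes_group'] -%} {{ hostvars[item]['ansible_host'] }}:4567{% if not loop.last %},{% endif %}{%- endfor %}"
{% endif %}
    volumes:
      - db_data:/var/lib/mysql
{% if mysql_xtradb_host_version|default(80) == 80 %}
      - /var/apps/percona/volumes/conf:/etc/mysql/mysql.conf.d/
{% endif %}
{% if mysql_xtradb_host_version|default(80) == 57 %}
      - /var/apps/percona/volumes/conf:/etc/mysql/percona-xtradb-cluster.conf.d/
{% endif %}
volumes:
  db_data:
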
--------------------------------------------------------------------------------
/databases/mariadb/server/templates/docker-compose.yml.j2:
--------------------------------------------------------------------------------
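# docker compose definition for a MariaDB server (rendered by Ansible).
# The rendered file contains the root password in clear; keep its mode restrictive.
version: '3'
services:
  {{ mariadb_docker_container_name }}:
    container_name: "{{ mariadb_docker_container_name }}"
    image: "mariadb:{{ mariadb_docker_version }}"
    environment:
      # to_json yields a YAML-safe double-quoted string, so a password with
      # '#', ': ', quotes or a leading symbol no longer breaks or re-types the
      # file. '$' is doubled because compose interpolates ${VAR} in values.
      MARIADB_ROOT_PASSWORD: {{ mariadb_root_password | replace('$', '$$') | to_json }}
    volumes:
      - "{{ mariadb_docker_directory_for_volumes }}/{{ mariadb_docker_container_name }}/volumes/conf/my.cnf:/etc/my.cnf"
      - "{{ mariadb_docker_directory_for_volumes }}/{{ mariadb_docker_container_name }}/volumes/data:/var/lib/mysql"
      - "{{ mariadb_docker_directory_for_volumes }}/{{ mariadb_docker_container_name }}/volumes/logs:/var/log/mysql"
    # NOTE(review): no host address in the mapping, so the port is published
    # on every interface of the host; prefix an address if that is not intended.
    ports:
      - "{{ mariadb_port }}:3306"
    networks:
      {{ mariadb_docker_network_name }}:
        ipv4_address: "{{ mariadb_docker_ip }}"
    restart: always

networks:
  {{ mariadb_docker_network_name }}:
    ipam:
      driver: default
      config:
        - subnet: "{{ mariadb_docker_subnet }}"
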
--------------------------------------------------------------------------------
/logging/vector/tasks/main.yml:
--------------------------------------------------------------------------------
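---
# Vector role entry point: environment checks, then the deployment-specific
# task files.

- name: Check Ansible version
  assert:
    msg: "Ansible {{ ansible_version.full }} is not supported. You should have at least Ansible {{ ansible_major_version }}.{{ ansible_minor_version }}.*"
    that:
      # Compared as a version string; a field-by-field "major >= X and
      # minor >= Y" test rejects e.g. 3.0 when 2.14 is the minimum.
      - ansible_version.full is version(ansible_major_version ~ '.' ~ ansible_minor_version, '>=')

- name: Check OS family and version
  fail:
    msg: "The operating system ({{ ansible_distribution }} {{ ansible_distribution_version }}) is not supported"
  # One expression. The previous two-item "when" list was AND-ed, and a host
  # cannot be both Debian and Ubuntu, so the check could never fire.
  when: >-
    not ((ansible_distribution == "Debian"
          and ansible_distribution_major_version | int >= 11
          and ansible_distribution_major_version | int <= 12)
         or (ansible_distribution == "Ubuntu"
             and ansible_distribution_major_version | int >= 20
             and ansible_distribution_major_version | int <= 22))

- include_tasks: host.yml
  when: deploy_method == 'host'

- include_tasks: docker.yml
  when: deploy_method == 'docker'

- include_tasks: configure.yml

# Run queued handlers before the play moves on.
- meta: flush_handlers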
--------------------------------------------------------------------------------
/monitoring/prometheus-stack/tasks/main.yml:
--------------------------------------------------------------------------------
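# Prometheus stack entry point: environment checks, then one task file per
# component.

# Check environment
- name: Check Ansible version
  assert:
    msg: "Ansible {{ ansible_version.full }} is not supported. You should have at least Ansible {{ ansible_major_version }}.{{ ansible_minor_version }}.*"
    that:
      # Compared as a version string; a field-by-field "major >= X and
      # minor >= Y" test rejects e.g. 3.0 when 2.14 is the minimum.
      - ansible_version.full is version(ansible_major_version ~ '.' ~ ansible_minor_version, '>=')

- name: Check OS family and version
  fail:
    msg: "The operating system ({{ ansible_distribution }} {{ ansible_distribution_version }}) is not supported"
  # Supported: Debian 11-12, Ubuntu 20-22; anything else fails the play.
  when: >-
    not ((ansible_distribution == "Debian"
          and ansible_distribution_major_version | int >= 11
          and ansible_distribution_major_version | int <= 12)
         or (ansible_distribution == "Ubuntu"
             and ansible_distribution_major_version | int >= 20
             and ansible_distribution_major_version | int <= 22))


- include_tasks: docker.yml

- include_tasks: prometheus.yml

- include_tasks: grafana.yml

- include_tasks: alertmanager.yml

- include_tasks: node_exporter.yml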
--------------------------------------------------------------------------------
/web-servers/apache2/templates/etc/apache2/mods-available/status.conf.j2:
--------------------------------------------------------------------------------
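
#
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Uncomment and change the "192.0.2.0/24" to allow access from other hosts.
#
# NOTE(review): as rendered here there is no <Location ...> container around
# SetHandler/Require, so SetHandler would apply to every URL. Confirm the
# template source carries the <Location /server-status> ... </Location>
# lines of the stock Debian status.conf.
Alias /apache-status /var/www

SetHandler server-status
{# Apache 2.4 "Require" syntax on every supported target (Debian 11+/Ubuntu 20+).
   The previous test truncated the version string to its first character, so
   "11", "12", "20" and "22" all compared below "8" and got the 2.2 syntax. #}
{% if ansible_distribution_major_version | int >= 8 %}
    Require local
{% else %}
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
{% endif %}


# Keep track of extended status information for each request
ExtendedStatus On

# Determine if mod_status displays the first 63 characters of a request or
# the last 63, assuming the request itself is greater than 63 chars.
# Default: Off
#SeeRequestTail On



# Show Proxy LoadBalancer status in mod_status
ProxyStatus On




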
--------------------------------------------------------------------------------
/web-servers/lets-encrypt/templates/getssl-dockerfile.j2:
--------------------------------------------------------------------------------
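FROM debian:stable-slim

# getssl is fetched straight from the project's git repository. GETSSL_REF
# selects the ref so a deployment can pin a tag or commit instead of the
# moving "master" branch (the script is executed as-is at build time).
ARG GETSSL_REF=master

# The domain loop is inlined at the end of the RUN so the last command does
# not leave a dangling "\" continuation followed by an empty line.
RUN apt-get update \
 && apt-get install -y sudo wget curl dnsutils \
 && rm -rf /var/lib/apt/lists/* \
 && groupadd -g {{ docker_group_id }} getssl \
 && useradd -g {{ docker_group_id }} -u {{ docker_user_id }} -s /bin/bash -d /usr/local/scripts/getssl getssl \
 && mkdir -p /usr/local/scripts/getssl \
 && chmod o+x /usr/local/scripts \
 && chown -R getssl: /usr/local/scripts/getssl/ \
 && chmod 750 /usr/local/scripts/getssl \
 && cd /usr/local/scripts/getssl \
 && sudo -u getssl sh -c "wget -O /usr/local/scripts/getssl/getssl https://raw.githubusercontent.com/srvrco/getssl/${GETSSL_REF}/getssl" \
 && chmod 700 /usr/local/scripts/getssl/getssl \
 && sudo -u getssl sh -c '/usr/local/scripts/getssl/getssl'{% for domain in lets_encrypt_domains %} \
 && sudo -u getssl sh -c '/usr/local/scripts/getssl/getssl -c {{ domain }}'{% endfor %}


WORKDIR /usr/local/scripts/getssl

CMD ["sh"]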
--------------------------------------------------------------------------------
/databases/mariadb/server/tasks/main.yml:
--------------------------------------------------------------------------------
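# MariaDB server role entry point: environment checks, then the task file for
# the chosen deployment method.

# Check environment
- name: Check Ansible version
  assert:
    msg: "Ansible {{ ansible_version.full }} is not supported. You should have at least Ansible {{ ansible_major_version }}.{{ ansible_minor_version }}.*"
    that:
      # Compared as a version string; a field-by-field "major >= X and
      # minor >= Y" test rejects e.g. 3.0 when 2.14 is the minimum.
      - ansible_version.full is version(ansible_major_version ~ '.' ~ ansible_minor_version, '>=')

- name: Check OS family and version
  fail:
    msg: "The operating system ({{ ansible_distribution }} {{ ansible_distribution_version }}) is not supported"
  # Supported: Debian 11-12, Ubuntu 20-22; anything else fails the play.
  when: >-
    not ((ansible_distribution == "Debian"
          and ansible_distribution_major_version | int >= 11
          and ansible_distribution_major_version | int <= 12)
         or (ansible_distribution == "Ubuntu"
             and ansible_distribution_major_version | int >= 20
             and ansible_distribution_major_version | int <= 22))

# Include tasks for hosts
- include_tasks: host.yml
  when: mariadb_deploy_method == 'host'

# Include tasks for docker
- include_tasks: docker.yml
  when: mariadb_deploy_method == 'docker'
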
--------------------------------------------------------------------------------
/web-servers/nginx/templates/docker-compose.yml.j2:
--------------------------------------------------------------------------------
# docker compose definition for the nginx container (rendered by Ansible).
version: '{{ docker_compose_file_version }}'
services:
  nginx:
    container_name: nginx
    image: 'nginx:{{ nginx_version }}'
    restart: always
    # Configuration, TLS material and logs live on the host under
    # /var/apps/nginx/volumes.
    volumes:
      - '/var/apps/nginx/volumes/conf/auth:/etc/nginx/auth'
      - '/var/apps/nginx/volumes/conf/conf.d:/etc/nginx/conf.d'
      - '/var/apps/nginx/volumes/conf/nginx.conf:/etc/nginx/nginx.conf'
      - '/var/apps/nginx/volumes/conf/sites-available:/etc/nginx/sites-available'
      - '/var/apps/nginx/volumes/conf/sites-enabled:/etc/nginx/sites-enabled'
      - '/var/apps/nginx/volumes/conf/ssl:/etc/nginx/ssl'
      - '/var/apps/nginx/volumes/logs:/var/log/nginx'
    # HTTP and HTTPS on the address Ansible reaches this machine on.
    ports:
      - '{{ ansible_ssh_host | default(ansible_host) }}:80:80'
      - '{{ ansible_ssh_host | default(ansible_host) }}:443:443'
    networks:
      vm_net:
        ipv4_address: '{{ nginx_docker_ip }}'

networks:
  vm_net:
    driver: bridge
    ipam:
      config:
        - subnet: '{{ nginx_docker_subnet }}'

--------------------------------------------------------------------------------
/basic/common/tasks/20_packages-debian.yml:
--------------------------------------------------------------------------------
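---
# Common Debian package baseline: optional dist-upgrade, then the tool set
# and the time-sync daemon.

# Upgrade packages
- name: Upgrade packages (Debian)
  # dist_upgrade may arrive as the string "true" from the command line or
  # inventory; bool normalises it instead of comparing a string with True.
  when: dist_upgrade | bool
  apt:
    upgrade: dist
    update_cache: true
  environment:
    DEBIAN_FRONTEND: noninteractive

# Install packages
# "ntp" is deliberately not in this list: it provides time-daemon, which
# systemd-timesyncd (installed below) conflicts with, so the two tasks
# replaced each other's package on every run.
- name: Install common packages (Debian)
  apt:
    pkg:
      - mc
      - gpg
      - iotop
      - htop
      - telnet
      - tcpdump
      - nmap
      - curl
      - locales-all
      - hexedit
      - sudo
      - zip
      - unzip
      - patch
      - pwgen
      - vim
      - less
      - parted
      - subversion
      - bzip2
      - lsof
      - strace
      - mutt
      - ncdu
      - smartmontools
      - net-tools
      - nano
      - pigz
      - wget
      - tree
      - rsyslog
      - dnsutils
      - logrotate
      - apt-transport-https
      - gnupg2
      - gnupg
      - ca-certificates
      - software-properties-common
      - dbus
      - console-setup
      - console-data
      - lvm2
      - cron
    state: present
    update_cache: true
  environment:
    DEBIAN_FRONTEND: noninteractive

- name: Install NTP (Debian)
  apt:
    pkg:
      - systemd-timesyncd
    state: present
    update_cache: true
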
--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/router/500_exim4-config_hubuser:
--------------------------------------------------------------------------------
1 |
### router/500_exim4-config_hubuser
#################################

.ifdef DCconfig_satellite
# This router is only used for configtype=satellite.
# It takes care to route all mail targeted to local domains
# to the host where we read our mail (DCreadhost).
#
# NOTE(review): this role's update-exim4.conf.conf sets
# dc_eximconfig_configtype='internet', so DCconfig_satellite is presumably
# never defined and the routers below stay inert unless that is changed.
#
# redirect: every recipient in +local_domains that exists as a local account
# (check_local_user) is rewritten to the same local part at DCreadhost.
hub_user:
  debug_print = "R: hub_user for $local_part@$domain"
  driver = redirect
  domains = +local_domains
  data = ${local_part}@DCreadhost
  check_local_user

# Grab the redirected mail and deliver it.
# This is a duplicate of the smarthost router, needed because
# DCreadhost might end up as part of +local_domains
#
# route_list sends everything for DCreadhost to DCsmarthost, resolved by name;
# host_find_failed = defer queues the message instead of bouncing it when that
# lookup fails.
hub_user_smarthost:
  debug_print = "R: hub_user_smarthost for $local_part@$domain"
  driver = manualroute
  domains = DCreadhost
  transport = remote_smtp_smarthost
  route_list = * DCsmarthost byname
  host_find_failed = defer
  same_domain_copy_routing = yes
  check_local_user
.endif
30 |
31 |
32 |
--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/router/850_exim4-config_lowuid:
--------------------------------------------------------------------------------
1 |
### router/850_exim4-config_lowuid
#################################

# Lowest UID that counts as a real (non-system) user. With the default of 0
# the "uid < FIRST_USER_ACCOUNT_UID" test below can never be true, so this
# router only does anything once the macro is raised in a local macro file.
.ifndef FIRST_USER_ACCOUNT_UID
FIRST_USER_ACCOUNT_UID = 0
.endif

# Fallback redirect target for system accounts without an entry in
# /etc/exim4/lowuid-aliases; ':fail:' rejects the recipient outright.
.ifndef DEFAULT_SYSTEM_ACCOUNT_ALIAS
DEFAULT_SYSTEM_ACCOUNT_ALIAS = :fail: no mail to system accounts
.endif

# Yields 1 when the message did NOT come from this host (empty sender address
# or a local interface address, the ':@[]' list) AND the recipient's UID is
# below FIRST_USER_ACCOUNT_UID; 0 otherwise.
COND_SYSTEM_USER_AND_REMOTE_SUBMITTER = "\
  ${if and{{! match_ip{$sender_host_address}{:@[]}}\
  {<{$local_user_uid}{FIRST_USER_ACCOUNT_UID}}}\
  {1}{0}\
  }"

# Mail from remote submitters to system accounts: redirect per the optional
# /etc/exim4/lowuid-aliases lookup, else apply DEFAULT_SYSTEM_ACCOUNT_ALIAS.
# allow_fail lets a ':fail:' item bounce the message instead of being treated
# as a configuration error.
lowuid_aliases:
  debug_print = "R: lowuid_aliases for $local_part@$domain (UID $local_user_uid)"
  check_local_user
  driver = redirect
  allow_fail
  domains = +local_domains
  condition = COND_SYSTEM_USER_AND_REMOTE_SUBMITTER
  data = ${if exists{/etc/exim4/lowuid-aliases}\
    {${lookup{$local_part}lsearch{/etc/exim4/lowuid-aliases}\
    {$value}{DEFAULT_SYSTEM_ACCOUNT_ALIAS}}}{DEFAULT_SYSTEM_ACCOUNT_ALIAS}}
29 |
--------------------------------------------------------------------------------
/databases/mariadb/galera_cluster/tasks/main.yml:
--------------------------------------------------------------------------------
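---
# Check environment
# Require ansible-core >= ansible_major_version.ansible_minor_version (role defaults).
# The old 'major >= X and minor >= Y' form rejected any newer major release (e.g.
# 3.0 against 2.14); 'that' is already a Jinja expression, so no {{ }} delimiters.
- name: Check Ansible version
  assert:
    msg: "Ansible {{ ansible_version.full }} is not supported. You should have at least Ansible {{ ansible_major_version }}.{{ ansible_minor_version }}.*"
    that:
      - >-
        ansible_version.major | int > ansible_major_version | int
        or (ansible_version.major | int == ansible_major_version | int
        and ansible_version.minor | int >= ansible_minor_version | int)

# Supported targets: Debian 11-12 and Ubuntu 20-22 (major version, inclusive
# ranges, so e.g. Ubuntu 21.x also passes). Anything else stops the play.
- name: Check OS family and version
  fail:
    msg: "The operating system ({{ ansible_distribution }} {{ ansible_distribution_version }}) is not supported"
  when: >-
    not ((ansible_distribution == 'Debian'
    and ansible_distribution_major_version | int >= 11
    and ansible_distribution_major_version | int <= 12)
    or (ansible_distribution == 'Ubuntu'
    and ansible_distribution_major_version | int >= 20
    and ansible_distribution_major_version | int <= 22))

# Include tasks for hosts
- include_tasks: host.yml
  when: mariadb_deploy_method == 'host'

# Include tasks for docker
- include_tasks: docker.yml
  when: mariadb_deploy_method == 'docker'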
20 |
--------------------------------------------------------------------------------
/databases/memcached/templates/memcached.service.j2:
--------------------------------------------------------------------------------
[Unit]
Description=memcached daemon
After=network.target
Documentation=man:memcached(1)

[Service]
ExecStart=/usr/share/memcached/scripts/systemd-memcached-wrapper {{ memcached_conf_file }}
{# Baseline sandboxing applied on every release: private /tmp, read-only /usr, /boot
   and /etc (ProtectSystem=full), no privilege escalation, no physical devices, the
   capability set cut down to uid/gid switching and resource-limit changes, and only
   IPv4/IPv6/Unix sockets. #}
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
{# NOTE(review): the stricter directives below are enabled only for Ubuntu 22.04
   ('jammy'); on every other release they are emitted as inert '##safer##' comment
   lines, i.e. the hardening is silently weaker there. The systemd versions on the
   other releases this repository targets (Debian 11/12, Ubuntu 20.04) should also
   understand them -- confirm and widen the condition if so. #}
{% if ansible_distribution_release == 'jammy' %}
MemoryDenyWriteExecute=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictNamespaces=true
{% else %}
##safer##MemoryDenyWriteExecute=true
##safer##ProtectKernelModules=true
##safer##ProtectKernelTunables=true
##safer##ProtectControlGroups=true
##safer##RestrictRealtime=true
##safer##RestrictNamespaces=true
{% endif %}
PIDFile={{ memcached_pid_file }}
Restart=always

[Install]
WantedBy=multi-user.target
34 |
--------------------------------------------------------------------------------
/message_brokers/rabbitmq/standalone/tasks/main.yml:
--------------------------------------------------------------------------------
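---
# Require ansible-core >= ansible_major_version.ansible_minor_version (role defaults).
# The old 'major >= X and minor >= Y' form rejected any newer major release (e.g.
# 3.0 against 2.14); 'that' is already a Jinja expression, so no {{ }} delimiters.
- name: Check Ansible version
  assert:
    msg: "Ansible {{ ansible_version.full }} is not supported. You should have at least Ansible {{ ansible_major_version }}.{{ ansible_minor_version }}.*"
    that:
      - >-
        ansible_version.major | int > ansible_major_version | int
        or (ansible_version.major | int == ansible_major_version | int
        and ansible_version.minor | int >= ansible_minor_version | int)

# Supported targets: Debian 11-12 and Ubuntu 20-22 (major version, inclusive ranges).
# The previous two-item 'when' list was AND-ed, so the Debian and Ubuntu clauses
# could never both hold and the check never fired; this single condition also
# rejects unrecognised distributions, as the sibling roles do.
- name: Check OS family and version
  fail:
    msg: "The operating system ({{ ansible_distribution }} {{ ansible_distribution_version }}) is not supported"
  when: >-
    not ((ansible_distribution == 'Debian'
    and ansible_distribution_major_version | int >= 11
    and ansible_distribution_major_version | int <= 12)
    or (ansible_distribution == 'Ubuntu'
    and ansible_distribution_major_version | int >= 20
    and ansible_distribution_major_version | int <= 22))

- include_tasks: host.yml
  when: deploy_method == 'host'

- include_tasks: docker.yml
  when: deploy_method == 'docker'

- include_tasks: configure.yml

# Run the queued restart/reload handlers now so the service is configured before
# any role that follows this one.
- meta: flush_handlers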
24 |
--------------------------------------------------------------------------------
/databases/mysql/percona_server/tasks/main.yml:
--------------------------------------------------------------------------------
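---
# Check environment
# Require ansible-core >= ansible_major_version.ansible_minor_version (role defaults).
# The old 'major >= X and minor >= Y' form rejected any newer major release (e.g.
# 3.0 against 2.14); 'that' is already a Jinja expression, so no {{ }} delimiters.
- name: Check Ansible version
  assert:
    msg: "Ansible {{ ansible_version.full }} is not supported. You should have at least Ansible {{ ansible_major_version }}.{{ ansible_minor_version }}.*"
    that:
      - >-
        ansible_version.major | int > ansible_major_version | int
        or (ansible_version.major | int == ansible_major_version | int
        and ansible_version.minor | int >= ansible_minor_version | int)

# Supported targets: Debian 11-12 and Ubuntu 20-22 (major version, inclusive
# ranges, so e.g. Ubuntu 21.x also passes). Anything else stops the play.
- name: Check OS family and version
  fail:
    msg: "The operating system ({{ ansible_distribution }} {{ ansible_distribution_version }}) is not supported"
  when: >-
    not ((ansible_distribution == 'Debian'
    and ansible_distribution_major_version | int >= 11
    and ansible_distribution_major_version | int <= 12)
    or (ansible_distribution == 'Ubuntu'
    and ansible_distribution_major_version | int >= 20
    and ansible_distribution_major_version | int <= 22))

# Include tasks for hosts
- include_tasks: host.yml
  when: mysql_deploy_method == 'host'

# Include tasks for docker
- include_tasks: docker.yml
  when: mysql_deploy_method == 'docker'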
21 |
--------------------------------------------------------------------------------
/message_brokers/rabbitmq/standalone/templates/rabbitmq.config.j2:
--------------------------------------------------------------------------------
{# NOTE(review): this template mixes two syntaxes. Ansible's template module renders
   only the Jinja2 expressions ({{ ... }}); the ERB-style '<%= @name %>' tags pass
   through untouched, leaving e.g. "{ loopback_users, <%= @loopback_users %> }" in
   the output, which is not a valid Erlang term, so RabbitMQ cannot load this file.
   Each ERB tag needs a Jinja2 equivalent fed from role variables (not visible here)
   before the template is usable. #}
{# default_user / default_pass end up in clear text in the rendered config; the
   template task's destination mode is not visible here -- it should be readable by
   the rabbitmq service account only. #}
{# loopback_users lists accounts that may connect only from localhost; rendering it
   empty ('[]') would let the default user log in remotely. #}
[
  { rabbit, [
    { loopback_users, <%= @loopback_users %> },
    { tcp_listeners, [
      {<%= @rabbitmq_ip %>, <%= @rabbitmq_port %>}
    ]},
    { default_user, <<"{{ rabbitmq_default_user }}">> },
    { default_pass, <<"{{ rabbitmq_default_pass }}">> },
    { default_vhost, <<"{{ rabbitmq_default_vhost }}">> },
    { disk_free_limit, {mem_relative, <%= @disk_free_limit_mem_relative %>} },
    { hipe_compile, <%= @hipe_compile %> },
    { vm_memory_high_watermark, <%= @vm_memory_high_watermark %> },
    { log_levels, [
      { connection, <%= @connection_log_level %> },
      { mirroring, <%= @mirroring_log_level %> }
    ]},
    { cluster_partition_handling, <%= @cluster_partition_handling %> },
    { queue_master_locator, <<"{{ rabbitmq_queue_master_locator }}">> }
  ]},
  { kernel, [
    { inet_dist_listen_min, <%= @inet_dist_listen_min %> },
    { inet_dist_listen_max, <%= @inet_dist_listen_max %> }
  ]}
].
25 |
--------------------------------------------------------------------------------
/web-servers/nginx/tasks/main.yml:
--------------------------------------------------------------------------------
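---

# Check environment
# Require ansible-core >= ansible_major_version.ansible_minor_version (role defaults).
# The old 'major >= X and minor >= Y' form rejected any newer major release (e.g.
# 3.0 against 2.14); 'that' is already a Jinja expression, so no {{ }} delimiters.
- name: "Check Ansible version"
  assert:
    msg: "Ansible {{ ansible_version.full }} is not supported. You should have at least Ansible {{ ansible_major_version }}.{{ ansible_minor_version }}.*"
    that:
      - >-
        ansible_version.major | int > ansible_major_version | int
        or (ansible_version.major | int == ansible_major_version | int
        and ansible_version.minor | int >= ansible_minor_version | int)

# Supported targets: Debian 11-12 and Ubuntu 20-22 (major version, inclusive
# ranges, so e.g. Ubuntu 21.x also passes). Anything else stops the play.
- name: Check OS family and version
  fail:
    msg: "The operating system ({{ ansible_distribution }} {{ ansible_distribution_version }}) is not supported"
  when: >-
    not ((ansible_distribution == 'Debian'
    and ansible_distribution_major_version | int >= 11
    and ansible_distribution_major_version | int <= 12)
    or (ansible_distribution == 'Ubuntu'
    and ansible_distribution_major_version | int >= 20
    and ansible_distribution_major_version | int <= 22))

# Include tasks for hosts.
- include_tasks: host.yml
  when: nginx_deploy_method == 'host'

# Include tasks for docker.
- include_tasks: docker.yml
  when: nginx_deploy_method == 'docker'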
22 |
--------------------------------------------------------------------------------
/web-servers/apache2/tasks/main.yml:
--------------------------------------------------------------------------------
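---

# Check environment
# Require ansible-core >= ansible_major_version.ansible_minor_version (role defaults).
# The old 'major >= X and minor >= Y' form rejected any newer major release (e.g.
# 3.0 against 2.14); 'that' is already a Jinja expression, so no {{ }} delimiters.
- name: "Check Ansible version"
  assert:
    msg: "Ansible {{ ansible_version.full }} is not supported. You should have at least Ansible {{ ansible_major_version }}.{{ ansible_minor_version }}.*"
    that:
      - >-
        ansible_version.major | int > ansible_major_version | int
        or (ansible_version.major | int == ansible_major_version | int
        and ansible_version.minor | int >= ansible_minor_version | int)

# Supported targets: Debian 11-12 and Ubuntu 20-22 (major version, inclusive
# ranges, so e.g. Ubuntu 21.x also passes). Anything else stops the play.
- name: Check OS family and version
  fail:
    msg: "The operating system ({{ ansible_distribution }} {{ ansible_distribution_version }}) is not supported"
  when: >-
    not ((ansible_distribution == 'Debian'
    and ansible_distribution_major_version | int >= 11
    and ansible_distribution_major_version | int <= 12)
    or (ansible_distribution == 'Ubuntu'
    and ansible_distribution_major_version | int >= 20
    and ansible_distribution_major_version | int <= 22))

# Include tasks for hosts.
- include_tasks: host.yml
  when: apache2_deploy_method == 'host'

# Include tasks for docker.
- include_tasks: docker.yml
  when: apache2_deploy_method == 'docker'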
22 |
--------------------------------------------------------------------------------
/web-servers/haproxy/tasks/main.yml:
--------------------------------------------------------------------------------
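---

# Check environment
# Require ansible-core >= ansible_major_version.ansible_minor_version (role defaults).
# The old 'major >= X and minor >= Y' form rejected any newer major release (e.g.
# 3.0 against 2.14); 'that' is already a Jinja expression, so no {{ }} delimiters.
- name: "Check Ansible version"
  assert:
    msg: "Ansible {{ ansible_version.full }} is not supported. You should have at least Ansible {{ ansible_major_version }}.{{ ansible_minor_version }}.*"
    that:
      - >-
        ansible_version.major | int > ansible_major_version | int
        or (ansible_version.major | int == ansible_major_version | int
        and ansible_version.minor | int >= ansible_minor_version | int)

# Supported targets: Debian 11-12 and Ubuntu 20-22 (major version, inclusive
# ranges, so e.g. Ubuntu 21.x also passes). Anything else stops the play.
- name: Check OS family and version
  fail:
    msg: "The operating system ({{ ansible_distribution }} {{ ansible_distribution_version }}) is not supported"
  when: >-
    not ((ansible_distribution == 'Debian'
    and ansible_distribution_major_version | int >= 11
    and ansible_distribution_major_version | int <= 12)
    or (ansible_distribution == 'Ubuntu'
    and ansible_distribution_major_version | int >= 20
    and ansible_distribution_major_version | int <= 22))

# Include tasks for hosts.
- include_tasks: host.yml
  when: haproxy_deploy_method == 'host'

# Include tasks for docker.
- include_tasks: docker.yml
  when: haproxy_deploy_method == 'docker'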
22 |
--------------------------------------------------------------------------------
/web-servers/lets-encrypt/templates/acmesh-dockerfile.j2:
--------------------------------------------------------------------------------
FROM debian:stable-slim

{# NOTE(review): acme.sh is downloaded from https://get.acme.sh at build time and
   executed straight away, with no pinned version and no checksum or signature check,
   and the base image is the floating 'debian:stable-slim' tag, so the build is
   neither reproducible nor auditable. Pinning a release and verifying its digest
   would fix both. #}
{# NOTE(review): SAVED_SL_Key='API_KEY' is appended to account.conf verbatim; it
   reads like a placeholder rather than a templated value. If a real key is meant to
   land here it must not be baked into an image layer. #}
{# Layout: /usr/local/scripts/acme is owned by the 'acme' account (ids taken from
   docker_group_id / docker_user_id), 0750 on the directory and 0700 on acme.sh, so
   only that account can read or run the client; 'sudo -u acme' merely drops
   privileges for the install steps. There is no USER instruction, so the container
   itself still starts as root. #}
RUN apt-get update \
    && apt-get install -y sudo wget cron \
    && groupadd -g {{ docker_group_id }} acme \
    && useradd -g {{ docker_group_id }} -u {{ docker_user_id }} -s /bin/bash -d /usr/local/scripts/acme acme \
    && mkdir -p /usr/local/scripts/acme \
    && chmod o+x /usr/local/scripts \
    && chown -R acme: /usr/local/scripts/acme/ \
    && chmod 750 /usr/local/scripts/acme \
    && cd /usr/local/scripts/acme \
    && sudo -u acme sh -c 'wget -O /usr/local/scripts/acme/acme.sh https://get.acme.sh -P /usr/local/scripts/acme' \
    && chmod 700 /usr/local/scripts/acme/acme.sh \
    && sudo -u acme sh -c '/usr/local/scripts/acme/acme.sh' \
    && echo "SAVED_SL_Key='API_KEY'" >> /usr/local/scripts/acme/.acme.sh/account.conf \
    && echo "USER_PATH='/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/scripts/acme/bin'" >> /usr/local/scripts/acme/.acme.sh/account.conf

WORKDIR /usr/local/scripts/acme

CMD ["sh"]
--------------------------------------------------------------------------------
/databases/mysql/percona_xtradb_cluster/tasks/main.yml:
--------------------------------------------------------------------------------
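---
# Check environment
# Require ansible-core >= ansible_major_version.ansible_minor_version (role defaults).
# The old 'major >= X and minor >= Y' form rejected any newer major release (e.g.
# 3.0 against 2.14); 'that' is already a Jinja expression, so no {{ }} delimiters.
- name: Check Ansible version
  assert:
    msg: "Ansible {{ ansible_version.full }} is not supported. You should have at least Ansible {{ ansible_major_version }}.{{ ansible_minor_version }}.*"
    that:
      - >-
        ansible_version.major | int > ansible_major_version | int
        or (ansible_version.major | int == ansible_major_version | int
        and ansible_version.minor | int >= ansible_minor_version | int)

# Supported targets: Debian 11-12 and Ubuntu 20-22 (major version, inclusive
# ranges, so e.g. Ubuntu 21.x also passes). Anything else stops the play.
- name: Check OS family and version
  fail:
    msg: "The operating system ({{ ansible_distribution }} {{ ansible_distribution_version }}) is not supported"
  when: >-
    not ((ansible_distribution == 'Debian'
    and ansible_distribution_major_version | int >= 11
    and ansible_distribution_major_version | int <= 12)
    or (ansible_distribution == 'Ubuntu'
    and ansible_distribution_major_version | int >= 20
    and ansible_distribution_major_version | int <= 22))

# Include tasks for hosts
- include_tasks: host.yml
  when: mysql_xtradb_deploy_method == 'host'

# Include tasks for docker
- include_tasks: docker.yml
  when: mysql_xtradb_deploy_method == 'docker'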
--------------------------------------------------------------------------------
/web-servers/lets-encrypt/tasks/main.yml:
--------------------------------------------------------------------------------
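---

# Check environment
# Require ansible-core >= ansible_major_version.ansible_minor_version (role defaults).
# The old 'major >= X and minor >= Y' form rejected any newer major release (e.g.
# 3.0 against 2.14); 'that' is already a Jinja expression, so no {{ }} delimiters.
- name: "Check Ansible version"
  assert:
    msg: "Ansible {{ ansible_version.full }} is not supported. You should have at least Ansible {{ ansible_major_version }}.{{ ansible_minor_version }}.*"
    that:
      - >-
        ansible_version.major | int > ansible_major_version | int
        or (ansible_version.major | int == ansible_major_version | int
        and ansible_version.minor | int >= ansible_minor_version | int)

# Supported targets: Debian 11-12 and Ubuntu 20-22 (major version, inclusive
# ranges, so e.g. Ubuntu 21.x also passes). Anything else stops the play.
- name: Check OS family and version
  fail:
    msg: "The operating system ({{ ansible_distribution }} {{ ansible_distribution_version }}) is not supported"
  when: >-
    not ((ansible_distribution == 'Debian'
    and ansible_distribution_major_version | int >= 11
    and ansible_distribution_major_version | int <= 12)
    or (ansible_distribution == 'Ubuntu'
    and ansible_distribution_major_version | int >= 20
    and ansible_distribution_major_version | int <= 22))

# Include tasks for hosts.
- include_tasks: host.yml
  when: lets_encrypt_deploy_method == 'host'

# Include tasks for docker.
- include_tasks: docker.yml
  when: lets_encrypt_deploy_method == 'docker'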
22 |
--------------------------------------------------------------------------------
/basic/exim4-smarthost/defaults/main.yml:
--------------------------------------------------------------------------------
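---

exim4_smarthost_primary_hostname: '{{ domain | default(inventory_hostname) }}'
exim4_smarthost_qualify_domain: '{{ domain | default(inventory_hostname) }}'
exim4_smarthost_admin_mail: '{{ admin_mail | default("client-tech@nixys.io") }}'

# Exim host lists, entries separated by ' : '. relay_nets feeds Debian's
# dc_relay_nets: every address in it may relay through this host WITHOUT
# authenticating, so keep it to the host itself.
exim4_smarthost_local_interfaces: '127.0.0.1 : {{ ansible_default_ipv4.address }}'
exim4_smarthost_relay_nets: '127.0.0.1 : {{ ansible_default_ipv4.address }}'
exim4_smarthost_block_private_networks: true  # canonical boolean ('yes' is YAML 1.1 only)

# Non-standard listener ports for SMTP, SMTPS and submission.
exim4_smarthost_smtp_port: 2525
exim4_smarthost_smtps_port: 4654
exim4_smarthost_smtp_submission_port: 5875

exim4_smarthost_dkim_selector: 'mail'
exim4_smarthost_dkim_domain: '{{ domain | default(inventory_hostname) }}'

exim4_smarthost_deploy_method: host

# Docker
# 'latest' is a floating tag: each pull may change the image. Pin a version or digest
# for reproducible deployments.
exim4_smarthost_docker_version: latest
# Addresses are quoted so YAML keeps them as strings whatever form they take.
exim4_smarthost_docker_subnet: '172.18.1.0/24'
exim4_smarthost_docker_ip: '172.18.1.14'
exim4_smarthost_docker_listen_interface: '127.0.0.1'

# Ansible version
ansible_major_version: 2
ansible_minor_version: 14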
29 |
--------------------------------------------------------------------------------
/basic/exim4-smarthost/tasks/main.yml:
--------------------------------------------------------------------------------
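---

# Check environment
# Require ansible-core >= ansible_major_version.ansible_minor_version (role defaults).
# The old 'major >= X and minor >= Y' form rejected any newer major release (e.g.
# 3.0 against 2.14); 'that' is already a Jinja expression, so no {{ }} delimiters.
- name: "Check Ansible version"
  assert:
    msg: "Ansible {{ ansible_version.full }} is not supported. You should have at least Ansible {{ ansible_major_version }}.{{ ansible_minor_version }}.*"
    that:
      - >-
        ansible_version.major | int > ansible_major_version | int
        or (ansible_version.major | int == ansible_major_version | int
        and ansible_version.minor | int >= ansible_minor_version | int)

# Supported targets: Debian 11-12 and Ubuntu 20-22 (major version, inclusive
# ranges, so e.g. Ubuntu 21.x also passes). Anything else stops the play.
- name: Check OS family and version
  fail:
    msg: "The operating system ({{ ansible_distribution }} {{ ansible_distribution_version }}) is not supported"
  when: >-
    not ((ansible_distribution == 'Debian'
    and ansible_distribution_major_version | int >= 11
    and ansible_distribution_major_version | int <= 12)
    or (ansible_distribution == 'Ubuntu'
    and ansible_distribution_major_version | int >= 20
    and ansible_distribution_major_version | int <= 22))

# Include tasks for hosts.
- include_tasks: host.yml
  when: exim4_smarthost_deploy_method == 'host'

# Include tasks for docker.
- include_tasks: docker.yml
  when: exim4_smarthost_deploy_method == 'docker'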
22 |
--------------------------------------------------------------------------------
/web-servers/haproxy/templates/etc/haproxy/haproxy.cfg.j2:
--------------------------------------------------------------------------------
{% if haproxy_deploy_method == 'host' %}
{# The global section is rendered only for a host install (haproxy_deploy_method ==
   'host'); the docker variant gets none from this template. #}
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
{# 'level admin' hands full runtime control (e.g. disabling servers) to whoever can
   open the socket; 'mode 660' limits that to the socket's owner and group, so
   /run/haproxy must stay restricted to root and the haproxy account. #}
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
{% endif %}

defaults
    log global
    mode http
    option httplog
    option dontlognull
{# Timeouts are in milliseconds when no unit suffix is given. #}
    timeout connect 5000
    timeout client 50000
    timeout server 50000

{# One 'listen' block per haproxy_listen entry. NOTE(review): name, bind, mode,
   option and servers are used without an 'is defined' guard (only http_request has
   one), so every entry must supply all of them or rendering fails. #}
{% for listen in haproxy_listen %}
listen {{ listen.name }}
{% for bind in listen.bind %}
    bind {{ bind }}
{% endfor %}

{% if listen.http_request is defined %}
    http-request {{ listen.http_request }}
{% endif %}

    mode {{ listen.mode }}
{% for option in listen.option %}
    option {{ option }}
{% endfor %}

    balance roundrobin
{# server.options is interpolated verbatim and is expected to be a single string of
   haproxy server keywords, not a list. #}
{% for server in listen.servers %}
    server {{ server.name }} {{ server.ip }}:{{ server.port }} {{ server.options }}
{% endfor %}

{% endfor %}
43 |
--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost:
--------------------------------------------------------------------------------
1 |
### transport/30_exim4-config_remote_smtp_smarthost
#################################

# This transport is used for delivering messages over SMTP connections
# to a smarthost. The local host tries to authenticate.
# This transport is used for smarthost and satellite configurations.

remote_smtp_smarthost:
  debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
  driver = smtp
  # SMTP AUTH is attempted only towards hosts that have an entry in
  # CONFDIR/passwd.client: '<;' makes ';' the list separator (IPv6-safe), the
  # lookup matches $host against the file's (wildcard-capable) keys and, on a
  # hit, yields $host_address so that address lands in the list. Without the
  # file the list is empty and no authentication is attempted.
  hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
    {\
    ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
    }\
    {} \
    }
# Hosts listed here are contacted without STARTTLS. NOTE(review): auth is still
# attempted towards them (hosts_try_auth above), so passwd.client credentials
# could travel in clear text unless the client authenticators gate on TLS --
# they are not visible here; confirm before defining this macro.
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
.endif
.ifdef REMOTE_SMTP_HEADERS_REWRITE
  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
.endif
.ifdef REMOTE_SMTP_RETURN_PATH
  return_path = REMOTE_SMTP_RETURN_PATH
.endif
# The guard tests REMOTE_SMTP_HELO_FROM_DNS but the value comes from
# REMOTE_SMTP_HELO_DATA, presumably defined alongside it in the main
# configuration -- verify both are set together.
.ifdef REMOTE_SMTP_HELO_FROM_DNS
  helo_data=REMOTE_SMTP_HELO_DATA
.endif
30 |
--------------------------------------------------------------------------------
/web-servers/haproxy/tasks/host.yml:
--------------------------------------------------------------------------------
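---

# Install packages
- name: Install HAProxy
  apt:
    name: haproxy
    update_cache: true

# Configuration
# No 'mode' is set on haproxy.cfg, so it keeps the default (umask-derived)
# permissions; the parent directory is tightened to 0750 in the Security step below.
- name: Add haproxy.cfg config
  template:
    src: etc/haproxy/haproxy.cfg.j2
    dest: /etc/haproxy/haproxy.cfg
    owner: root
    group: root
  notify:
    - Restart HAProxy

# Holds the certificates HAProxy serves; restricted to root (0700) below.
- name: Create dirs for certs
  file:
    path: /etc/haproxy/ssl
    state: directory

# Move the HAProxy log from /var/log/haproxy.log into its own directory for both
# rsyslog and logrotate so the two stay consistent.
# NOTE(review): /var/log/haproxy itself is not created in this file; if no other
# task does so, rsyslog cannot open the new path -- verify.
- name: Replace rsyslog config
  replace:
    path: /etc/rsyslog.d/49-haproxy.conf
    regexp: '^(.*)/var/log/haproxy\.log(.*)$'
    replace: '\1/var/log/haproxy/haproxy.log\2'
  notify:
    - Restart Rsyslog
    - Restart HAProxy

- name: Replace logrotate config
  replace:
    path: /etc/logrotate.d/haproxy
    regexp: '^(.*)/var/log/haproxy\.log(.*)$'
    replace: '\1/var/log/haproxy/haproxy.log\2'

# Security
# Modes are quoted strings so YAML cannot read them as decimal integers.
- name: Set permissions for configurations files
  file:
    path: '{{ item.path }}'
    owner: root
    group: root
    mode: '{{ item.mode }}'
  loop:
    - { path: '/etc/haproxy', mode: '0750' }
    - { path: '/etc/haproxy/ssl', mode: '0700' }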
33 |
--------------------------------------------------------------------------------
/dev_tools/java/tasks/main.yml:
--------------------------------------------------------------------------------
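---
# Check environment
# Require ansible-core >= ansible_major_version.ansible_minor_version (role defaults).
# The old 'major >= X and minor >= Y' form rejected any newer major release (e.g.
# 3.0 against 2.14); 'that' is already a Jinja expression, so no {{ }} delimiters.
- name: Check Ansible version
  assert:
    msg: "Ansible {{ ansible_version.full }} is not supported. You should have at least Ansible {{ ansible_major_version }}.{{ ansible_minor_version }}.*"
    that:
      - >-
        ansible_version.major | int > ansible_major_version | int
        or (ansible_version.major | int == ansible_major_version | int
        and ansible_version.minor | int >= ansible_minor_version | int)

# Supported targets: Debian 11-12 and Ubuntu 20-22 (major version, inclusive
# ranges, so e.g. Ubuntu 21.x also passes). Anything else stops the play.
- name: Check OS family and version
  fail:
    msg: "The operating system ({{ ansible_distribution }} {{ ansible_distribution_version }}) is not supported"
  when: >-
    not ((ansible_distribution == 'Debian'
    and ansible_distribution_major_version | int >= 11
    and ansible_distribution_major_version | int <= 12)
    or (ansible_distribution == 'Ubuntu'
    and ansible_distribution_major_version | int >= 20
    and ansible_distribution_major_version | int <= 22))

# Despite the task name only the package index is refreshed here; no 'upgrade:' key
# is given, so nothing is upgraded.
- name: Update and upgrade apt packages
  become: true
  ansible.builtin.apt:
    update_cache: true

# Quoted so the templated package name is always a plain string.
- name: Install java-openjdk
  become: true
  ansible.builtin.apt:
    name: 'openjdk-{{ java_openjdk_version }}-jdk'
    state: present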
24 |
25 |
26 |
--------------------------------------------------------------------------------
/web-servers/nginx/templates/etc/nginx/sites-available/default.j2:
--------------------------------------------------------------------------------
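# Default server configuration
#
# Catch-all vhost (server_name _) for requests that match no other server block.
{# The former 'wheezy' (Debian 7) special case was dropped: the role's OS check
   admits only Debian 11-12 / Ubuntu 20-22, so that branch could never render and
   the output for every supported release is unchanged. #}
server {
    listen 80 default_server;
    listen [::]:80 default_server;
{% if nginx_site_default_ssl %}
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
{% else %}
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
{% endif %}
    server_name _;

{% if nginx_site_default_ssl %}
    # Certificate presented to clients that reach this host by IP or an unknown
    # name. /etc/nginx/ssl is bind-mounted from the role's host volume in the
    # docker variant; where default.crt comes from is not visible here, expect a
    # self-signed placeholder rather than a real site certificate.
    ssl_certificate /etc/nginx/ssl/default.crt;
    ssl_certificate_key /etc/nginx/ssl/default.key;

{% endif %}
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /usr/share/nginx/html;
    index index.html;

    location / {
{% if nginx_site_default_type == 'error404' %}
        # 'error404' mode: answer every request for an unknown host with 404
        # and serve nothing from the document root.
        return 404;
{% else %}
        try_files $uri $uri/ =404;
{% endif %}
    }
}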
38 |
--------------------------------------------------------------------------------
/databases/redis/standalone/tasks/main.yml:
--------------------------------------------------------------------------------
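---
# Require ansible-core >= ansible_major_version.ansible_minor_version (role defaults).
# The old 'major >= X and minor >= Y' form rejected any newer major release (e.g.
# 3.0 against 2.14); 'that' is already a Jinja expression, so no {{ }} delimiters.
- name: "Check Ansible version:"
  assert:
    msg: "Ansible {{ ansible_version.full }} is not supported. You should have at least Ansible {{ ansible_major_version }}.{{ ansible_minor_version }}.*"
    that:
      - >-
        ansible_version.major | int > ansible_major_version | int
        or (ansible_version.major | int == ansible_major_version | int
        and ansible_version.minor | int >= ansible_minor_version | int)
  tags:
    - setup_redis
    - install_redis

# Supported targets: Debian 11-12 and Ubuntu 20-22 (major version, inclusive
# ranges, so e.g. Ubuntu 21.x also passes). Anything else stops the play.
- name: "Check OS family and version:"
  fail:
    msg: "The operating system ({{ ansible_distribution }} {{ ansible_distribution_version }}) is not supported"
  when: >-
    not ((ansible_distribution == 'Debian'
    and ansible_distribution_major_version | int >= 11
    and ansible_distribution_major_version | int <= 12)
    or (ansible_distribution == 'Ubuntu'
    and ansible_distribution_major_version | int >= 20
    and ansible_distribution_major_version | int <= 22))
  tags:
    - setup_redis
    - install_redis

# Include tasks for hosts.
- include_tasks: host.yml
  when: redis_deploy_method == 'host'

# Include tasks for docker.
- include_tasks: docker.yml
  when: redis_deploy_method == 'docker'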
26 |
--------------------------------------------------------------------------------
/databases/redis/redis-cluster/tasks/main.yml:
--------------------------------------------------------------------------------
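---
# Require ansible-core >= ansible_major_version.ansible_minor_version (role defaults).
# The old 'major >= X and minor >= Y' form rejected any newer major release (e.g.
# 3.0 against 2.14); 'that' is already a Jinja expression, so no {{ }} delimiters.
- name: "Check Ansible version:"
  assert:
    msg: "Ansible {{ ansible_version.full }} is not supported. You should have at least Ansible {{ ansible_major_version }}.{{ ansible_minor_version }}.*"
    that:
      - >-
        ansible_version.major | int > ansible_major_version | int
        or (ansible_version.major | int == ansible_major_version | int
        and ansible_version.minor | int >= ansible_minor_version | int)
  tags:
    - setup_redis
    - install_redis

# Supported targets: Debian 11-12 and Ubuntu 20-22 (major version, inclusive
# ranges, so e.g. Ubuntu 21.x also passes). Anything else stops the play.
- name: "Check OS family and version:"
  fail:
    msg: "The operating system ({{ ansible_distribution }} {{ ansible_distribution_version }}) is not supported"
  when: >-
    not ((ansible_distribution == 'Debian'
    and ansible_distribution_major_version | int >= 11
    and ansible_distribution_major_version | int <= 12)
    or (ansible_distribution == 'Ubuntu'
    and ansible_distribution_major_version | int >= 20
    and ansible_distribution_major_version | int <= 22))
  tags:
    - setup_redis
    - install_redis

# Include tasks for hosts.
- include_tasks: host.yml
  when: redis_deploy_method == 'host'

# Include tasks for docker.
- include_tasks: docker.yml
  when: redis_deploy_method == 'docker'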
26 |
--------------------------------------------------------------------------------
/databases/redis/redis-sentinel/tasks/main.yml:
--------------------------------------------------------------------------------
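---
# Require ansible-core >= ansible_major_version.ansible_minor_version (role defaults).
# The old 'major >= X and minor >= Y' form rejected any newer major release (e.g.
# 3.0 against 2.14); 'that' is already a Jinja expression, so no {{ }} delimiters.
- name: "Check Ansible version:"
  assert:
    msg: "Ansible {{ ansible_version.full }} is not supported. You should have at least Ansible {{ ansible_major_version }}.{{ ansible_minor_version }}.*"
    that:
      - >-
        ansible_version.major | int > ansible_major_version | int
        or (ansible_version.major | int == ansible_major_version | int
        and ansible_version.minor | int >= ansible_minor_version | int)
  tags:
    - setup_redis
    - install_redis

# Supported targets: Debian 11-12 and Ubuntu 20-22 (major version, inclusive
# ranges, so e.g. Ubuntu 21.x also passes). Anything else stops the play.
- name: "Check OS family and version:"
  fail:
    msg: "The operating system ({{ ansible_distribution }} {{ ansible_distribution_version }}) is not supported"
  when: >-
    not ((ansible_distribution == 'Debian'
    and ansible_distribution_major_version | int >= 11
    and ansible_distribution_major_version | int <= 12)
    or (ansible_distribution == 'Ubuntu'
    and ansible_distribution_major_version | int >= 20
    and ansible_distribution_major_version | int <= 22))
  tags:
    - setup_redis
    - install_redis

# Include tasks for hosts.
- include_tasks: host.yml
  when: redis_deploy_method == 'host'

# Include tasks for docker.
- include_tasks: docker.yml
  when: redis_deploy_method == 'docker'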
26 |
--------------------------------------------------------------------------------
/basic/sysctl/tasks/main.yml:
--------------------------------------------------------------------------------
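---

# Check environment
# Require ansible-core >= ansible_major_version.ansible_minor_version (role defaults).
# The old 'major >= X and minor >= Y' form rejected any newer major release (e.g.
# 3.0 against 2.14); 'that' is already a Jinja expression, so no {{ }} delimiters.
- name: "Check Ansible version"
  assert:
    msg: "Ansible {{ ansible_version.full }} is not supported. You should have at least Ansible {{ ansible_major_version }}.{{ ansible_minor_version }}.*"
    that:
      - >-
        ansible_version.major | int > ansible_major_version | int
        or (ansible_version.major | int == ansible_major_version | int
        and ansible_version.minor | int >= ansible_minor_version | int)

# Supported targets: Debian 11-12 and Ubuntu 20-22 (major version, inclusive
# ranges, so e.g. Ubuntu 21.x also passes). Anything else stops the play.
- name: Check OS family and version
  fail:
    msg: "The operating system ({{ ansible_distribution }} {{ ansible_distribution_version }}) is not supported"
  when: >-
    not ((ansible_distribution == 'Debian'
    and ansible_distribution_major_version | int >= 11
    and ansible_distribution_major_version | int <= 12)
    or (ansible_distribution == 'Ubuntu'
    and ansible_distribution_major_version | int >= 20
    and ansible_distribution_major_version | int <= 22))

# Configuration
# Each item is a {name, value} pair; the value is applied live (sysctl_set) and
# persisted in /etc/sysctl.conf (state: present), then the settings are reloaded.
# flatten(levels=1) reproduces the one-level flattening of the old with_items form.
- name: Set default sysctl values
  sysctl:
    name: '{{ item.name }}'
    value: '{{ item.value }}'
    sysctl_set: true
    state: present
    reload: true
  loop: '{{ sysctl_values | flatten(levels=1) }}'

# Keep the persisted values root-owned and unreadable by other users (0640).
# The mode is a quoted string so YAML does not read it as a decimal integer.
- name: Set permissions
  file:
    path: /etc/sysctl.conf
    owner: root
    group: root
    mode: '0640'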
28 |
--------------------------------------------------------------------------------
/databases/memcached/tasks/docker.yml:
--------------------------------------------------------------------------------
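---
# Install python3-apt needed for check packages (package_facts with manager: auto).
- name: "Ensure python3-apt libraries are installed"
  apt:
    name: python3-apt
    state: latest
    update_cache: true

# Check packages is installed
- name: "Check installed packages"
  package_facts:
    manager: auto

# Docker role: pulled in only when docker-ce is not already present.
- include_role:
    name: docker
  when: "'docker-ce' not in ansible_facts.packages"

# Check Docker Compose installation
# 'docker compose version' exercises the Compose v2 CLI plugin itself. The previous
# probe, 'command -v docker compose', only asked the shell whether executables named
# 'docker' and 'compose' exist on PATH, so it could not detect the plugin at all.
# failed_when/changed_when keep the probe from being reported as failed or changed.
- name: "Check installed Docker Compose"
  shell: docker compose version > /dev/null 2>&1
  register: is_docker_compose_install
  changed_when: false
  failed_when: false

# Pick the Compose invocation the rest of the role uses: the v2 plugin when the
# probe succeeded, otherwise the standalone docker-compose binary.
- name: "Choose 'docker compose' command"
  when: is_docker_compose_install.rc == 0
  set_fact:
    docker_command: "docker compose"

- name: "Choose 'docker-compose' command"
  when: is_docker_compose_install.rc != 0
  set_fact:
    docker_command: "docker-compose"

# Memcached Standalone
- name: "Setup Memcached Standalone"
  include_tasks: docker_standalone.yml
  when: memcached_mode == 'standalone'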
41 |
--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/update-exim4.conf.conf:
--------------------------------------------------------------------------------
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file
#
# Role-managed copy. The upper-case tokens EXTERNAL_IP and
# RELAY_FROM_HOST_IPs are not valid host-list entries on their own;
# presumably the role's tasks substitute them before the file is installed
# — verify, because an unreplaced token leaves the listener and relay lists
# in an undefined state.

# 'internet' with an empty dc_smarthost delivers directly rather than through
# a smarthost, despite the role's name — confirm this is intended.
dc_eximconfig_configtype='internet'
dc_other_hostnames=''
# Listening on EXTERNAL_IP makes the daemon reachable from outside the host,
# so dc_relay_nets below is the only thing standing between it and open
# relaying.
dc_local_interfaces='127.0.0.1 : EXTERNAL_IP'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
# Keep this to the exact hosts/networks that must submit mail through this
# machine; anything listed here may relay to any destination.
dc_relay_nets='127.0.0.1 : RELAY_FROM_HOST_IPs'
dc_smarthost=''
# Mode of the generated configuration; 644 is world-readable, which is only
# acceptable as long as no credentials are embedded in the generated config.
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'

--------------------------------------------------------------------------------
/databases/mariadb/server/defaults/main.yml:
--------------------------------------------------------------------------------
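---
# Defaults for the mariadb/server role.

# Minimum Ansible version checked by the role's tasks.
ansible_major_version: 2
ansible_minor_version: 14

# host = packages on the host, docker = compose container.
mariadb_deploy_method: host
mariadb_host_version: '11.4'
mariadb_docker_version: '10.3.32-focal'

# Basic settings
mariadb_port: 3306
# Listens on every interface; narrow this (or firewall the port) on hosts
# that have a public address.
mariadb_bind_address: '0.0.0.0'
# Placeholder credential committed to the repository — override it from an
# encrypted source (ansible-vault / inventory) in every real deployment.
mariadb_root_password: 'Xs2tF2FXU9'

# Docker settings
mariadb_docker_network_name: mariadb-network
mariadb_docker_container_name: mariadb
mariadb_docker_subnet: '172.18.4.0/24'
mariadb_docker_ip: '172.18.4.2'
mariadb_docker_directory_for_volumes: /var/apps

# Fine tuning (values are passed through to the my.cnf template as-is)
mariadb_max_allowed_packet: 32M
mariadb_thread_stack: 512K
mariadb_thread_cache_size: 64
mariadb_max_connections: 100
mariadb_open_files_limit: 8192
# The inner double quotes are part of the value and end up in my.cnf.
mariadb_sql_mode: '"ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"'
mariadb_character_set_server: 'utf8mb4'
mariadb_collation_server: 'utf8mb4_unicode_ci'

# InnoDB. The booleans are written as true/false: the former yes/no spellings
# parse to the same values under YAML 1.1 but not under every parser.
# Presumably `false` means "do not emit this option" in the template —
# confirm against templates/etc/mysql/my.cnf.j2.
mariadb_innodb_buffer_pool_size: 2G
mariadb_innodb_file_per_table: true
mariadb_innodb_flush_log_at_trx_commit: false
mariadb_innodb_flush_method: false
mariadb_transaction_isolation: false
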
--------------------------------------------------------------------------------
/databases/redis/redis-cluster/tasks/redis_cluster_nodes.yml:
--------------------------------------------------------------------------------
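---
# Per-node setup of one redis-cluster instance: data directory, redis.conf,
# systemd unit, then (re)start. Every task carries the same tags so that a
# tag-limited run cannot skip the unit file and still try to start it.
- name: "Create lib directory for instance:"
  file:
    path: "{{ redis_cluster_dir }}"
    state: directory
    owner: redis
    group: redis
    mode: "0755"
  tags:
    - setup_redis
    - create_nodes

# 0640 owned by redis keeps any auth directives in the rendered config
# readable by the service only.
- name: "Set Redis configuration:"
  template:
    src: redis.conf_cluster.j2
    dest: "/etc/redis/{{ redis_cluster_config }}"
    owner: redis
    group: redis
    mode: "0640"
  register: redis_cluster_conf
  tags:
    - setup_redis
    - create_nodes

# Previously untagged: `--tags setup_redis` skipped this task but still ran
# daemon-reload and the service start against a missing unit.
- name: "Set redis service"
  template:
    src: redis.service.j2
    dest: "/etc/systemd/system/redis-cluster-{{ redis_cluster_role }}.service"
    mode: "0644"
    owner: root
    group: root
  register: redis_cluster_unit
  tags:
    - setup_redis
    - create_nodes

- name: Reload Systemd
  systemd:
    daemon_reload: true
  tags:
    - setup_redis
    - create_nodes

# Restart only when the config or the unit changed; otherwise just ensure the
# instance is running. The former unconditional `restarted` bounced the node
# on every play run.
- name: Start Redis
  service:
    name: "redis-cluster-{{ redis_cluster_role }}"
    state: "{{ 'restarted' if ((redis_cluster_conf | default({})) is changed or (redis_cluster_unit | default({})) is changed) else 'started' }}"
  tags:
    - setup_redis
    - create_nodes

- name: Enable Redis
  service:
    name: "redis-cluster-{{ redis_cluster_role }}"
    enabled: true
  tags:
    - setup_redis
    - create_nodes
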
--------------------------------------------------------------------------------
/basic/common/tasks/main.yml:
--------------------------------------------------------------------------------
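---
# Entry point of the common role: environment checks, then the numbered
# task files in order.

- name: "Check Ansible version"
  # Compare the full version string. The former `major >= X and minor >= Y`
  # pair rejected e.g. 3.0 against a 2.14 minimum, and `that` expressions
  # should not contain {{ }} delimiters.
  assert:
    msg: "Ansible {{ ansible_version.full }} is not supported. You should have at least Ansible {{ ansible_major_version }}.{{ ansible_minor_version }}.*"
    that:
      - ansible_version.full is version(ansible_major_version ~ '.' ~ ansible_minor_version, '>=')

- name: Check OS family and version
  # Supported matrix: Debian 11-12, Ubuntu 20-22 (list items are AND-ed).
  fail:
    msg: "The operating system ({{ ansible_distribution }} {{ ansible_distribution_version }}) is not supported"
  when:
    - not (ansible_distribution == 'Debian' and ansible_distribution_major_version | int in [11, 12])
    - not (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version | int in [20, 21, 22])

# Hostname
- import_tasks: 10_hostname.yml

# Packages
- import_tasks: 20_packages-debian.yml
  when: ansible_distribution == 'Debian'

- import_tasks: 20_packages-ubuntu.yml
  when: ansible_distribution == 'Ubuntu'

# Locales
- import_tasks: 30_locales.yml

# Alternatives
- import_tasks: 40_alternatives.yml

# Datetime
- import_tasks: 50_datetime.yml

# Environment settings
- import_tasks: 60_envsettings.yml
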
--------------------------------------------------------------------------------
/basic/ssh-user/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Defaults for the ssh-user role: which users and groups to manage, and how.

# Create a group for every user and make that their primary group
users_create_per_user_group: true

# If we're not creating a per-user group, then this is the group all users
# belong to
users_group: users

# The default shell for a user if none is specified
users_default_shell: /bin/bash

# Create home dirs for new users? Set this to false if you manage home
# directories in some other way.
users_create_homedirs: true

# Lists of users to create and delete
# Example:
# users:
#   - username: test-user
#     group: users
#     groups: developers
#     append: true
#     shell: /bin/bash
#     name: Support
#     uid: 1001
#     home: /home/test-user
#     generate_ssh_key: true
#     update_password: on_create
users: []

# Example:
# users_deleted:
#   - username: test-user
#     uid: 1001
#     remove: true
#     force: true
users_deleted: []

# List of groups to create
# Example:
# groups_to_create:
#   - name: developers
#     gid: 10000
# NOTE: unlike `users`, this default is not empty — every host the role runs
# on gets a `developers` group (gid 10000) unless the variable is overridden.
groups_to_create:
  - name: developers
    gid: 10000

# Ansible version
ansible_major_version: 2
ansible_minor_version: 14

--------------------------------------------------------------------------------
/basic/common/tasks/20_packages-ubuntu.yml:
--------------------------------------------------------------------------------
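---
# Ubuntu package baseline: optional dist-upgrade, switch off unattended
# upgrades, then the common tool set.

# Upgrade packages
- name: Upgrade packages (Ubuntu)
  when: dist_upgrade | bool   # accepts true / "true" / "yes" from inventory
  apt:
    upgrade: dist
    update_cache: true
  environment:
    DEBIAN_FRONTEND: noninteractive

# Flip only the Unattended-Upgrade switch. The former pattern '1' -> "0"
# rewrote every digit 1 in the file, which also turned
# APT::Periodic::Update-Package-Lists off and would corrupt any other value
# containing a 1.
- name: Disable unattended-upgrades (Ubuntu)
  replace:
    path: /etc/apt/apt.conf.d/20auto-upgrades
    regexp: '^(APT::Periodic::Unattended-Upgrade\s+)"1";'
    replace: '\g<1>"0";'
  register: auto_upgrades_conf

# dpkg-reconfigure re-reads the file into debconf; running it only after a
# change keeps the play idempotent.
- name: Reconfigure (Ubuntu)
  command:
    cmd: dpkg-reconfigure -f noninteractive unattended-upgrades
  when: auto_upgrades_conf is changed

# Install packages
# NOTE(review): telnet, nmap and tcpdump are network diagnostics that also
# widen what an intruder finds ready to use on every host — trim the list
# to what operations actually needs. `ntp` is installed here while the next
# task installs systemd-timesyncd; on Ubuntu the two compete for the
# time-daemon slot — confirm which one is wanted.
- name: Install common packages (Ubuntu)
  apt:
    pkg:
      - mc
      - gpg
      - iotop
      - htop
      - telnet
      - tcpdump
      - nmap
      - curl
      - locales-all
      - hexedit
      - sudo
      - zip
      - unzip
      - patch
      - pwgen
      - vim
      - less
      - parted
      - subversion
      - ntp
      - bzip2
      - lsof
      - strace
      - mutt
      - ncdu
      - smartmontools
      - net-tools
      - nano
      - pigz
      - wget
      - tree
      - rsyslog
      - dnsutils
      - logrotate
      - apt-transport-https
      - gnupg2
      - gnupg
      - ca-certificates
      - software-properties-common
      - dbus
      - console-setup
      - console-data
      - lvm2
      - cron
    state: present
    update_cache: true
  environment:
    DEBIAN_FRONTEND: noninteractive

- name: Install NTP (Ubuntu)
  apt:
    pkg: ['systemd-timesyncd']
    state: present
    update_cache: true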
--------------------------------------------------------------------------------
/databases/mariadb/galera_cluster/defaults/main.yml:
--------------------------------------------------------------------------------
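---
# Defaults for the mariadb/galera_cluster role.

# Minimum Ansible version checked by the role's tasks.
ansible_major_version: 2
ansible_minor_version: 14

# host = packages on the host, docker = compose container (templates/docker-compose.yml.j2).
mariadb_deploy_method: docker
mariadb_host_version: '11.4'
mariadb_docker_version: '10.3.32-focal'

# Basic settings
mariadb_port: 3306
# Galera replication (wsrep) and rsync SST ports: cluster-internal, should
# be reachable from the other members only.
wsrep_port: 4567
rsync_port: 4444
# Listens on every interface; narrow this (or firewall the port) on hosts
# that have a public address.
mariadb_bind_address: '0.0.0.0'
# Placeholder credential committed to the repository — override it from an
# encrypted source (ansible-vault / inventory) in every real deployment.
mariadb_root_password: 'Xs2tF2FXU9'
# Presumably controls whether the root password is set at all — verify in the
# tasks; a root account without a password on a 0.0.0.0 listener is unsafe.
empty_root_pass: true

# Docker settings
mariadb_docker_network_name: mariadb-network
mariadb_docker_container_name: mariadb
mariadb_docker_subnet: '172.18.4.0/24'
mariadb_docker_ip: '172.18.4.2'
mariadb_docker_directory_for_volumes: /var/apps

# Fine tuning (values are passed through to the my.cnf template as-is)
mariadb_max_allowed_packet: 32M
mariadb_thread_stack: 512K
mariadb_thread_cache_size: 64
mariadb_max_connections: 100
mariadb_open_files_limit: 8192
# The inner double quotes are part of the value and end up in my.cnf.
mariadb_sql_mode: '"ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"'
mariadb_character_set_server: 'utf8mb4'
mariadb_collation_server: 'utf8mb4_unicode_ci'

# InnoDB. The booleans are written as true/false: the former yes/no spellings
# parse to the same values under YAML 1.1 but not under every parser.
# Presumably `false` means "do not emit this option" in the template —
# confirm against the my.cnf template.
mariadb_innodb_buffer_pool_size: 2G
mariadb_innodb_file_per_table: true
mariadb_innodb_flush_log_at_trx_commit: false
mariadb_innodb_flush_method: false
mariadb_transaction_isolation: false

# Bootstrap flag for the first node (--wsrep-new-cluster). Set it to false
# once the cluster exists so a later run does not re-initialise it.
new_cluster: true
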
--------------------------------------------------------------------------------
/databases/memcached/tasks/main.yml:
--------------------------------------------------------------------------------
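---
# Entry point of the memcached role: environment checks, then the task file
# matching memcached_deploy_method.
- name: "Check Ansible version"
  assert:
    success_msg: "Ansible {{ ansible_version.full }} is supported"
    fail_msg: "Ansible {{ ansible_version.full }} is not supported. You should have at least Ansible {{ ansible_version_major }}.{{ ansible_version_minor }}.*"
    # Full-version comparison: the former major/minor pair rejected e.g. 3.0
    # against a 2.14 minimum, and `that` should not contain {{ }} delimiters.
    # NOTE: this role names the minimum ansible_version_major/minor, the other
    # roles in the repository use ansible_major_version/ansible_minor_version.
    that:
      - ansible_version.full is version(ansible_version_major ~ '.' ~ ansible_version_minor, '>=')
    quiet: true

- name: "Check OS family and version"
  assert:
    success_msg: "The operating system {{ ansible_distribution }}:{{ ansible_distribution_release }} is supported"
    fail_msg: "The operating system ({{ ansible_distribution }}:{{ ansible_distribution_release }}) is not supported"
    that:
      - >-
        (ansible_distribution == 'Ubuntu' and ansible_distribution_release in ['jammy', 'focal'])
        or (ansible_distribution == 'Debian' and ansible_distribution_release in ['bullseye', 'buster'])
    quiet: true

# Include tasks for hosts
- name: "Include host deploy tasks"
  include_tasks: host.yml
  when: memcached_deploy_method == 'host'

# Include tasks for docker
- name: "Include docker deploy tasks"
  include_tasks: docker.yml
  when: memcached_deploy_method == 'docker'
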
--------------------------------------------------------------------------------
/monitoring/prometheus-stack/templates/grafana/grafana.ini.j2:
--------------------------------------------------------------------------------
# Grafana configuration rendered by the prometheus-stack role. Every value is
# taken from a role variable; nothing below is a literal default.

[paths]
data = {{ grafana_data_path }}
logs = {{ grafana_logs_path }}
plugins = {{ grafana_plugins_path }}
provisioning = {{ grafana_provisioning_path }}

[server]
http_port = {{ grafana_http_port }}
domain = {{ grafana_domain }}
root_url = {{ grafana_root_url }}
serve_from_sub_path = {{ grafana_serve_from_sub_path }}
enable_gzip = {{ grafana_enable_gzip }}
# cert_file / cert_key_file only take effect when protocol = https; with
# protocol = http, logins and API tokens travel in clear text unless a
# TLS-terminating proxy sits in front.
protocol = {{ grafana_protocol }}
cert_file = {{ grafana_cert_file }}
cert_key_file = {{ grafana_cert_key_file }}

[security]
admin_user = {{ grafana_admin_user }}
# Rendered in clear text: keep grafana.ini readable only by root and the
# grafana service user, or reference the secret through Grafana's
# $__env{VAR} / $__file{/path} syntax instead of a literal.
admin_password = {{ grafana_admin_password }}
disable_gravatar = {{ grafana_disable_gravatar }}

[auth.anonymous]
# true lets unauthenticated visitors view the dashboards of the default org;
# keep it false unless this instance is meant to be public.
enabled = {{ grafana_anonymous_enabled }}

[auth.basic]
enabled = {{ grafana_basic_auth_enabled }}

[users]
# true enables self-registration through the login page.
allow_sign_up = {{ grafana_allow_sign_up }}
auto_assign_org = {{ grafana_auto_assign_org }}

[smtp]
enabled = {{ grafana_smtp_enabled }}
host = {{ grafana_smtp_host }}
user = {{ grafana_smtp_user }}
# Same handling as admin_password above.
password = {{ grafana_smtp_password }}
from_address = {{ grafana_smtp_from_address }}

[alerting]
enabled = {{ grafana_alerting_enabled }}

[dashboard]
default_home_dashboard_path = {{ grafana_default_home_dashboard_path }}
--------------------------------------------------------------------------------
/databases/redis/redis-cluster/tasks/host.yml:
--------------------------------------------------------------------------------
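---
# Host installation of redis-cluster: prerequisites, upstream repository,
# cluster setup, then ACL users.

- name: "Install packages:"
  apt:
    pkg: ["apt-utils", "gpg"]
    update_cache: true
  tags:
    - setup_redis
    - install_redis
  register: package_res
  retries: 5
  until: package_res is success

# apt_key is deprecated upstream but still functional; the keyring it writes
# is presumably the one referenced by `signed-by=` in redis_repository —
# keep the two paths in sync.
- name: "Import a Redis GPK key from a URL:"
  apt_key:
    url: "{{ redis_package_link }}"
    keyring: "{{ redis_package_gpg }}"
  become: true
  tags:
    - setup_redis
    - install_redis

- name: "Add Redis repository for Debian:"
  apt_repository:
    repo: "{{ redis_repository }}"
    state: present
  when: ansible_distribution == "Debian"
  tags:
    - setup_redis
    - install_redis

- name: "Add Redis repository for Ubuntu:"
  apt_repository:
    filename: redis
    repo: "{{ redis_repository }}"
    state: present
    update_cache: false
  become: true
  when: ansible_distribution == "Ubuntu"
  tags:
    - setup_redis
    - install_redis

- name: "Setup Redis Cluster"
  include_tasks: redis_cluster.yml
  tags:
    - setup_redis
    - cluster_mode

# The password is passed to redis-cli as an argument; no_log keeps it out of
# the Ansible output and log (it is still visible in the process list for
# the duration of the call). item.password presumably carries the `>` prefix
# of the ACL syntax. ACL SETUSER changes the running instance only; persistence
# needs an aclfile / ACL SAVE or config rewrite — verify that is handled.
- name: "Redis ACL"
  command: redis-cli ACL SETUSER {{ item.name }} on {{ item.password }} {{ item.rules }}
  loop: "{{ redis_ACL_rules }}"
  no_log: true
  tags:
    - create_acl
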
--------------------------------------------------------------------------------
/databases/mariadb/galera_cluster/templates/docker-compose.yml.j2:
--------------------------------------------------------------------------------
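version: '3'
services:
  {{ mariadb_docker_container_name }}:
    container_name: {{ mariadb_docker_container_name }}
    image: mariadb:{{ mariadb_docker_version }}
{# --wsrep-new-cluster bootstraps a brand-new cluster and must run on exactly
   one node, once. It stays on the first inventory host but is now also gated
   on new_cluster (defaults/main.yml), so a later run against an existing
   cluster does not re-bootstrap it and discard the other members' state. #}
{% if inventory_hostname == groups['mariadb'][0] and (new_cluster | default(true) | bool) %}
    command: mysqld --wsrep-new-cluster
{% endif %}
    environment:
{# to_json yields a double-quoted scalar, so a password containing YAML
   specials (#, :, leading symbols) survives rendering. The value still sits
   in clear text in the compose file on disk. #}
      MARIADB_ROOT_PASSWORD: {{ mariadb_root_password | to_json }}
    volumes:
      - {{ mariadb_docker_directory_for_volumes }}/{{ mariadb_docker_container_name }}/volumes/conf/my.cnf:/etc/my.cnf
      - {{ mariadb_docker_directory_for_volumes }}/{{ mariadb_docker_container_name }}/volumes/conf/galera.cnf:/etc/mysql/conf.d/galera.cnf
      - {{ mariadb_docker_directory_for_volumes }}/{{ mariadb_docker_container_name }}/volumes/data:/var/lib/mysql
      - {{ mariadb_docker_directory_for_volumes }}/{{ mariadb_docker_container_name }}/volumes/logs:/var/log/mysql
{# Quoted: an unquoted HOST:CONTAINER pair is read as a sexagesimal number by
   YAML 1.1 when the host port is below 60. All three are published on every
   host interface; 4567 (wsrep) and 4444 (SST) are cluster-internal and should
   be firewalled to the other Galera members. #}
    ports:
      - "{{ mariadb_port }}:3306"
      - "{{ wsrep_port }}:4567"
      - "{{ rsync_port }}:4444"
    networks:
      {{ mariadb_docker_network_name }}:
        ipv4_address: {{ mariadb_docker_ip }}
    restart: always

networks:
  {{ mariadb_docker_network_name }}:
    ipam:
      driver: default
      config:
        - subnet: {{ mariadb_docker_subnet }}
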
--------------------------------------------------------------------------------
/databases/redis/redis-sentinel/tasks/host.yml:
--------------------------------------------------------------------------------
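---
# Host installation of redis-sentinel: prerequisites, upstream repository,
# sentinel setup, then ACL users.

- name: "Install packages:"
  apt:
    pkg: ["apt-utils", "gpg"]
    update_cache: true
  tags:
    - setup_redis
    - install_redis
  register: package_res
  retries: 5
  until: package_res is success

# apt_key is deprecated upstream but still functional; the keyring it writes
# is presumably the one referenced by `signed-by=` in redis_repository —
# keep the two paths in sync.
- name: "Import a Redis GPK key from a URL:"
  apt_key:
    url: "{{ redis_package_link }}"
    keyring: "{{ redis_package_gpg }}"
  become: true
  tags:
    - setup_redis
    - install_redis

- name: "Add Redis repository for Debian:"
  apt_repository:
    repo: "{{ redis_repository }}"
    state: present
  when: ansible_distribution == "Debian"
  tags:
    - setup_redis
    - install_redis

- name: "Add Redis repository for Ubuntu:"
  apt_repository:
    filename: redis
    repo: "{{ redis_repository }}"
    state: present
    update_cache: false
  become: true
  when: ansible_distribution == "Ubuntu"
  tags:
    - setup_redis
    - install_redis

- name: "Setup Redis Sentinel"
  include_tasks: redis_sentinel.yml
  tags:
    - setup_redis
    - sentinel_mode

# The password is passed to redis-cli as an argument; no_log keeps it out of
# the Ansible output and log (it is still visible in the process list for
# the duration of the call). item.password presumably carries the `>` prefix
# of the ACL syntax. ACL SETUSER changes the running instance only; persistence
# needs an aclfile / ACL SAVE or config rewrite — verify that is handled.
- name: "Redis ACL"
  command: redis-cli ACL SETUSER {{ item.name }} on {{ item.password }} {{ item.rules }}
  loop: "{{ redis_ACL_rules }}"
  no_log: true
  tags:
    - create_acl
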
--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/transport/30_exim4-config_maildir_home:
--------------------------------------------------------------------------------
1 |
### transport/30_exim4-config_maildir_home
#################################

# Use this instead of mail_spool if you want to deliver to Maildir in
# home-directory - change the definition of LOCAL_DELIVERY
#
# Notes on the defaults below:
#  - directory_mode 0700 / mode 0600 keep a user's Maildir private to its
#    owner; each MAILDIR_HOME_* macro can override the corresponding value,
#    so review any macro definition before loosening them.
#  - mode_fail_narrower = false: an existing mailbox whose mode is stricter
#    than `mode` is still delivered to instead of being deferred.
#
maildir_home:
  debug_print = "T: maildir_home for $local_part@$domain"
  driver = appendfile
  .ifdef MAILDIR_HOME_MAILDIR_LOCATION
  directory = MAILDIR_HOME_MAILDIR_LOCATION
  .else
  directory = $home/Maildir
  .endif
  .ifdef MAILDIR_HOME_CREATE_DIRECTORY
  create_directory
  .endif
  .ifdef MAILDIR_HOME_CREATE_FILE
  create_file = MAILDIR_HOME_CREATE_FILE
  .endif
  delivery_date_add
  envelope_to_add
  return_path_add
  maildir_format
  .ifdef MAILDIR_HOME_DIRECTORY_MODE
  directory_mode = MAILDIR_HOME_DIRECTORY_MODE
  .else
  directory_mode = 0700
  .endif
  .ifdef MAILDIR_HOME_MODE
  mode = MAILDIR_HOME_MODE
  .else
  mode = 0600
  .endif
  mode_fail_narrower = false
  # This transport always chdirs to $home before trying to deliver. If
  # $home is not accessible, this chdir fails and prevents delivery.
  # If you are in a setup where home directories might not be
  # accessible, uncomment the current_directory line below.
  # current_directory = /

--------------------------------------------------------------------------------
/basic/sysctl/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Defaults for the sysctl role.

# Kernel parameters applied by tasks/main.yml: a list of {name, value}
# mappings handed to the sysctl module. The default is empty, so the role
# changes nothing until sysctl_values is set in inventory or group_vars.
# Example:
# sysctl_values:
#   - name: 'net.ipv4.tcp_syncookies'
#     value: 1
#   - name: 'net.ipv4.conf.all.rp_filter'
#     value: 1
#   - name: 'net.ipv4.icmp_echo_ignore_broadcasts'
#     value: 1
#   - name: 'net.ipv4.tcp_timestamps'
#     value: 0
#   - name: 'net.ipv4.tcp_ecn'
#     value: 1
#   - name: 'net.ipv4.ip_default_ttl'
#     value: 128
sysctl_values: []

# Ansible version
ansible_major_version: 2
ansible_minor_version: 14

# Further candidate settings:
# Ignore all ICMP echo requests (ping):
#   name: net.ipv4.icmp_echo_ignore_all
#   value: 1
# Reverse-path filtering against spoofed source addresses:
#   name: net.ipv4.conf.all.rp_filter
#   value: 1
# Size of the TCP SYN backlog queue:
#   name: net.ipv4.tcp_max_syn_backlog
#   value: 2048
# Shorter FIN-WAIT timeout when closing TCP connections:
#   name: net.ipv4.tcp_fin_timeout
#   value: 15
# SYN cookies against SYN-flood denial of service:
#   name: net.ipv4.tcp_syncookies
#   value: 1
# Raise the system-wide open-file limit:
#   name: fs.file-max
#   value: 65536
# Ephemeral port range (bounds the number of concurrent outbound connections):
#   name: net.ipv4.ip_local_port_range
#   value: "1024 65000"
# Maximum process ID value:
#   name: kernel.pid_max
#   value: 65536
--------------------------------------------------------------------------------
/databases/mysql/galera_cluster_with_arbitrator/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Defaults for the mysql/galera_cluster_with_arbitrator role.

debian_pre_req_packages: ['software-properties-common', 'gpg']
ubuntu_pre_req_packages: ['software-properties-common', 'gpg']

# Codership (Galera) APT repository key. NOTE(review): an 8-hex-digit short
# key id is not unique on a public keyserver; verifying against the full
# fingerprint (placeholder: <CODERSHIP_FULL_FINGERPRINT>) is the safer check.
codership_repo_keyserver: keyserver.ubuntu.com
codership_repo_key: 8DA84635

# Unquoted float: renders as "8.0" today, but a two-digit minor (8.10) would
# collapse to 8.1 — quote it if the version ever changes. Left as a number
# here because the tasks may compare it numerically.
mysql_wsrep_version: 8.0
galera_version: 4

# Placeholder credentials committed to the repository — override both from
# an encrypted source (ansible-vault / inventory) in every real deployment.
# Presumably empty_root_pass decides whether the root password is applied at
# all — verify in the tasks.
empty_root_pass: true
mysql_root_pass: iAAJ1yaGevT2PKj

# SST account; its password is also rendered into galera_params below.
mysql_sst_user: sst_user
mysql_sst_user_pass: dlglt9pg27WzaaU

# MySQL configuration
mysql_params:
  innodb_buffer_pool_size: "2G"
  max_connections: "1000"
  innodb_flush_log_at_trx_commit: "0"
  innodb_flush_method: "O_DIRECT"
  innodb_log_file_size: "6G"
  max_prepared_stmt_count: "49146"
  sort_buffer_size: "4M"
  bulk_insert_buffer_size: "16M"
  max_heap_table_size: "32M"
  read_buffer_size: "2M"
  read_rnd_buffer_size: "1M"

# Galera configuration
galera_params:
  # Listens on every interface; firewall the Galera ports to cluster members.
  bind_address: "0.0.0.0"
  wsrep_cluster_name: "galera-cluster"
  wsrep_sst_method: "rsync"
  wsrep_sst_auth: "{{ mysql_sst_user }}:{{ mysql_sst_user_pass }}"
  wsrep_provider_options: "gcache.size = 1G"
  binlog_format: "row"
  default_storage_engine: "InnoDB"
  innodb_autoinc_lock_mode: "2"

# Bootstrap flag: set to false once the cluster exists.
new_cluster: true

cluster_name: "galera-cluster"

# Ansible version
ansible_major_version: 2
ansible_minor_version: 14

--------------------------------------------------------------------------------
/web-servers/nginx/tasks/nginx-ubuntu.yml:
--------------------------------------------------------------------------------
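---
# nginx.org repository on Ubuntu: prerequisites, signing key, repo, pinning.

- name: Install the prerequisites
  apt:
    pkg: ['curl', 'gnupg2', 'ca-certificates', 'lsb-release', 'ubuntu-keyring']
    update_cache: true

# apt_key is deprecated upstream but still works. The keyring path here is
# the one the repo lines below trust via signed-by=, so keep them in sync.
- name: Import an official nginx signing key
  apt_key:
    url: https://nginx.org/keys/nginx_signing.key
    keyring: /usr/share/keyrings/nginx-archive-keyring.gpg

# Package transport is plain http; APT verifies the Release signature against
# the keyring above, so integrity does not depend on the transport.
# NOTE(review): only '1.22' (stable) and '1.23' (mainline) are recognised;
# any other nginx_version adds no repository at all.
- name: Set up the apt repository for stable nginx packages
  apt_repository:
    repo: deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu {{ ansible_distribution_release }} nginx
    state: present
    filename: nginx
    update_cache: true
  when: nginx_version == '1.22'

- name: Set up the apt repository for mainline nginx packages
  apt_repository:
    repo: deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/mainline/ubuntu {{ ansible_distribution_release }} nginx
    state: present
    filename: nginx
    update_cache: true
  when: nginx_version == '1.23'

# Declarative replacement for the former touch/echo chain, which appended
# another copy of the stanza to the file on every play run.
- name: Set up repository priority
  copy:
    dest: /etc/apt/preferences.d/99nginx
    owner: root
    group: root
    mode: "0644"
    content: |
      Package: *
      Pin: origin nginx.org
      Pin: release o=nginx
      Pin-Priority: 900
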
--------------------------------------------------------------------------------
/web-servers/lets-encrypt/tasks/certbot.yml:
--------------------------------------------------------------------------------
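---
# certbot with the webroot plugin: install, issue once, renew from cron.

# Install packages
- name: Install certbot and python3-pip
  apt:
    pkg: ['certbot', 'python3-pip']
    update_cache: true

# NOTE(review): this installs a pinned urllib3 system-wide with pip, on top of
# (and shadowing) the distribution's patched package; it will not receive
# security updates from apt and 1.26.15 is not the last 1.26.x release.
# Confirm the pin is still needed on the supported releases and track it.
- name: Install urllib3==1.26.15
  pip:
    name: urllib3==1.26.15

# Configuration
- name: Check if certificate already exists.
  stat:
    path: "/etc/letsencrypt/live/{{ lets_encrypt_domains | first }}/cert.pem"
  register: letsencrypt_cert

# Must be readable by the web server that answers /.well-known/acme-challenge.
- name: Create webroot directory if it doesn't exist yet
  file:
    path: "{{ lets_encrypt_webroot }}"
    state: directory
    mode: "0755"

# Generate certificate
- name: Generate new certificate if one doesn't exist.
  command: >-
    certbot certonly
    {{ '--dry-run' if lets_encrypt_dry_run | bool else '' }}
    --noninteractive --agree-tos
    --email {{ lets_encrypt_email }}
    --webroot -w {{ lets_encrypt_webroot }}
    -d {{ lets_encrypt_domains | join(' -d ') }}
  when: not letsencrypt_cert.stat.exists
  notify:
    - Reload Nginx

# Add cron
- name: Add cron job for certbot renewal (if configured).
  cron:
    name: Certbot automatic renewal.
    job: "certbot renew {{ lets_encrypt_certbot_auto_renew_options }}"
    minute: "{{ lets_encrypt_cron_minute }}"
    hour: "{{ lets_encrypt_cron_hour }}"
    user: "{{ lets_encrypt_certbot_auto_renew_user }}"
  when: lets_encrypt_auto_renew | bool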
--------------------------------------------------------------------------------
/web-servers/nginx/tasks/nginx-debian.yml:
--------------------------------------------------------------------------------
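---
# nginx.org repository on Debian: prerequisites, signing key, repo, pinning.

- name: Install the prerequisites
  apt:
    pkg: ['curl', 'gnupg2', 'ca-certificates', 'lsb-release', 'debian-archive-keyring']
    update_cache: true

# apt_key is deprecated upstream but still works. The keyring path here is
# the one the repo lines below trust via signed-by=, so keep them in sync.
- name: Import an official nginx signing key
  apt_key:
    url: https://nginx.org/keys/nginx_signing.key
    keyring: /usr/share/keyrings/nginx-archive-keyring.gpg

# Package transport is plain http; APT verifies the Release signature against
# the keyring above, so integrity does not depend on the transport.
# NOTE(review): only '1.22' (stable) and '1.23' (mainline) are recognised;
# any other nginx_version adds no repository at all.
- name: Set up the apt repository for stable nginx packages
  apt_repository:
    repo: deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/debian {{ ansible_distribution_release }} nginx
    state: present
    filename: nginx
    update_cache: true
  when: nginx_version == '1.22'

- name: Set up the apt repository for mainline nginx packages
  apt_repository:
    repo: deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/mainline/debian {{ ansible_distribution_release }} nginx
    state: present
    filename: nginx
    update_cache: true
  when: nginx_version == '1.23'

# Declarative replacement for the former touch/echo chain, which appended
# another copy of the stanza to the file on every play run.
- name: Set up repository priority
  copy:
    dest: /etc/apt/preferences.d/99nginx
    owner: root
    group: root
    mode: "0644"
    content: |
      Package: *
      Pin: origin nginx.org
      Pin: release o=nginx
      Pin-Priority: 900
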
--------------------------------------------------------------------------------
/databases/memcached/templates/memcached.conf.j2:
--------------------------------------------------------------------------------
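# Run memcached as a daemon. This command is implied, and is not needed for the
# daemon to run. See the README.Debian that comes with this package for more
# information.
-d

# Log memcached's output to /var/log/memcached
logfile {{ memcached_log_file }}

# Be verbose
# NOTE(review): the variable below is rendered inside a comment, so the
# verbosity level is never applied; presumably a `-v`/`-vv` flag was intended.
# {{ memcached_verbosity_level }}

# Start with a cap of 64 megs of memory. It's reasonable, and the daemon default
# Note that the daemon will grow to this size, but does not start out holding this much
# memory
-m {{ memcached_memory_limit }}

# Default connection port is 11211
-p {{ memcached_listen_port }}

# Run the daemon as root. The start-memcached will default to running as root if no
# -u command is present in this config file
-u {{ memcached_user }}

# Specify which IP address to listen on. The default is to listen on all IP addresses
# This parameter is one of the only security measures that memcached has, so make sure
# it's listening on a firewalled interface.
-l {{ memcached_listen_ip }}

# Disable the UDP listener explicitly. memcached 1.5.6 and later default to
# UDP off, but older builds enable it, and a UDP memcached reachable from the
# network is a well-known traffic-amplification source.
-U 0

# Limit the number of simultaneous incoming connections. The daemon default is 1024
# -c {{ memcached_max_connections }}

# Lock down all paged memory. Consult with the README and homepage before you do this
# -k

# Return error when memory is exhausted (rather than removing items)
# -M

# Maximize core file limit
# -r

# Use a pidfile
-P {{ memcached_pid_file }}
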
--------------------------------------------------------------------------------
/web-servers/lets-encrypt/templates/getssl_domain.cfg.j2:
--------------------------------------------------------------------------------
1 | CA="https://acme-v01.api.letsencrypt.org"
2 |
3 | DOMAIN_CERT_LOCATION="/etc/letsencrypt/getssl/{% for domain in lets_encrypt_domains %}{% if domain == target_domain %}{{ target_domain }}{% endif %}{% endfor %}/{% for domain in lets_encrypt_domains %}{% if domain == target_domain %}{{ target_domain }}{% endif %}{% endfor %}.crt"
4 | DOMAIN_KEY_LOCATION="/etc/letsencrypt/getssl/{% for domain in lets_encrypt_domains %}{% if domain == target_domain %}{{ target_domain }}{% endif %}{% endfor %}/{% for domain in lets_encrypt_domains %}{% if domain == target_domain %}{{ target_domain }}{% endif %}{% endfor %}.key"
5 | DOMAIN_CHAIN_LOCATION="/etc/letsencrypt/getssl/{% for domain in lets_encrypt_domains %}{% if domain == target_domain %}{{ target_domain }}{% endif %}{% endfor %}/fullchain.pem"
6 | #Раскоментировать если требуется промежуточный сертификат отдельно
7 | #CA_CERT_LOCATION="/etc/letsencrypt/getssl/{% for domain in lets_encrypt_domains %}{% if domain == target_domain %}{{ target_domain }}{% endif %}{% endfor %}/chain.crt"
8 | #Раскоментировать если требуется иметь ключ, сертификат и промежуточный сертификат в одном файле
9 | #DOMAIN_PEM_LOCATION="/etc/letsencrypt/getssl/{% for domain in lets_encrypt_domains %}{% if domain == target_domain %}{{ target_domain }}{% endif %}{% endfor %}/{% for domain in lets_encrypt_domains %}{% if domain == target_domain %}{{ target_domain }}{% endif %}{% endfor %}.pem"
10 |
11 | # Каталог для валидации домена
12 | ACL=('/var/www/getssl/.well-known/acme-challenge')
13 | USE_SINGLE_ACL="true"
--------------------------------------------------------------------------------
/container_engines/docker/tasks/main.yml:
--------------------------------------------------------------------------------
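---
# Entry point of the docker role: environment checks, engine installation
# per distribution, daemon configuration.

# Check environment
- name: "Check Ansible version"
  # Full-version comparison: the former major/minor pair rejected e.g. 3.0
  # against a 2.14 minimum, and `that` should not contain {{ }} delimiters.
  assert:
    msg: "Ansible {{ ansible_version.full }} is not supported. You should have at least Ansible {{ ansible_major_version }}.{{ ansible_minor_version }}.*"
    that:
      - ansible_version.full is version(ansible_major_version ~ '.' ~ ansible_minor_version, '>=')

- name: Check OS family and version
  # Same message/facts as the common role: ansible_lsb is empty when
  # lsb-release is not installed, which turned the failure into a template
  # error instead of the intended message.
  fail:
    msg: "The operating system ({{ ansible_distribution }} {{ ansible_distribution_version }}) is not supported"
  when:
    - not (ansible_distribution == 'Debian' and ansible_distribution_major_version | int in [11, 12])
    - not (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version | int in [20, 21, 22])

# Install dependencies
- name: Install dependency
  apt:
    pkg: ['apt-transport-https', 'ca-certificates', 'curl', 'gnupg2', 'software-properties-common']
    state: present   # idempotent; `latest` upgraded the packages on every run
    update_cache: true

# Import
- when: ansible_distribution == 'Debian'
  include_tasks: docker-debian.yml

- when: ansible_distribution == 'Ubuntu'
  include_tasks: docker-ubuntu.yml

# Configuration
- name: Create /etc/docker directory
  file:
    path: /etc/docker
    state: directory
    mode: "0755"

# Build the JSON with to_nice_json: interpolating a YAML boolean directly
# rendered Python's `True`, which dockerd rejects as invalid JSON. `| bool`
# also accepts the string forms "true"/"false".
# With iptables=false Docker stops managing firewall rules; published ports
# are then reachable only as far as the host firewall allows — make sure that
# is deliberate.
- name: Create /etc/docker/daemon.json
  copy:
    dest: "/etc/docker/daemon.json"
    content: "{{ {'iptables': docker_iptables | bool} | to_nice_json }}\n"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart docker
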
--------------------------------------------------------------------------------
/databases/mariadb/server/tasks/docker.yml:
--------------------------------------------------------------------------------
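---
# Deploy MariaDB as a Docker Compose project under
# {{ mariadb_docker_directory_for_volumes }}/{{ mariadb_docker_container_name }}.

# python3-apt is required by package_facts below
- name: Ensure python3-apt libraries are installed.
  apt:
    name: python3-apt
    state: present
    update_cache: true

- name: Check packages is installed
  package_facts:
    manager: "auto"

# Docker role (skipped when docker-ce is already present).
# NOTE(review): other roles in this repository include the same role as
# `container_engines/docker`; confirm which name resolves from here.
- ansible.builtin.include_role:
    name: docker
  when: "'docker-ce' not in ansible_facts.packages"

# Volume directories, owned by the uid/gid the container runs as
- name: Create MariaDB directories
  ansible.builtin.file:
    path: "{{ mariadb_docker_directory_for_volumes }}/{{ mariadb_docker_container_name }}/volumes/{{ item }}"
    state: directory
    recurse: true
    owner: "1001"
    group: "1001"
  loop:
    - conf
    - data
    - logs

- name: Add MariaDB config
  template:
    src: etc/mysql/my.cnf.j2
    dest: "{{ mariadb_docker_directory_for_volumes }}/{{ mariadb_docker_container_name }}/volumes/conf/my.cnf"
    owner: root
    group: root
    mode: '0644'   # explicit: uid 1001 inside the container has to read it

- name: Add /root/.my.cnf
  template:
    src: root/.my.cnf.j2
    dest: /root/.my.cnf
    owner: root
    group: root
    mode: '0600'   # client credentials; root only

# Compose files for databases typically carry the root password in
# `environment`, so the rendered file is kept readable by root only.
- name: Copy Docker Compose file
  template:
    src: docker-compose.yml.j2
    dest: "{{ mariadb_docker_directory_for_volumes }}/{{ mariadb_docker_container_name }}/docker-compose.yml"
    owner: root
    group: root
    mode: '0600'

- name: Run docker-compose up
  community.docker.docker_compose_v2:
    project_src: "{{ mariadb_docker_directory_for_volumes }}/{{ mariadb_docker_container_name }}"
    files:
      - docker-compose.yml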
--------------------------------------------------------------------------------
/logging/vector/tasks/configure.yml:
--------------------------------------------------------------------------------
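---
# Render the Vector configuration for `vector_mode` and notify the restart
# handler matching `deploy_method`.
#
# The previous version listed `when:` twice on every task.  YAML keeps only
# the last duplicate key, so the `vector_mode` condition was silently dropped:
# all three templates were rendered to the same destination in turn and the
# last one (hybrid) always won.

- name: Check that vector_mode is a supported value
  assert:
    that:
      - vector_mode in ['agent', 'aggregator', 'hybrid']
    fail_msg: "vector_mode must be one of agent, aggregator or hybrid (got '{{ vector_mode }}')"

# Template names follow the mode: vector_agent.yaml.j2, vector_aggregator.yaml.j2,
# vector_hybrid.yaml.j2.
- name: Template Vector configuration file ({{ vector_mode }})
  template:
    src: "vector_{{ vector_mode }}.yaml.j2"
    dest: /etc/vector/vector.yaml
  when: deploy_method == 'host'
  notify:
    - "Restart Vector service"

- name: Template Vector configuration file ({{ vector_mode }}, in Docker)
  template:
    src: "vector_{{ vector_mode }}.yaml.j2"
    dest: /etc/vector/vector.yaml
  when: deploy_method == 'docker'
  notify:
    - "Restart Vector container"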
--------------------------------------------------------------------------------
/monitoring/prometheus-stack/tasks/alertmanager.yml:
--------------------------------------------------------------------------------
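---
# Run Alertmanager in Docker with its config and data under
# {{ alertmanager_docker_directory_for_volumes }}/{{ alertmanager_docker_container_name }}.

- name: Create alertmanager conf directory
  file:
    path: "{{ alertmanager_docker_directory_for_volumes }}/{{ alertmanager_docker_container_name }}/conf"
    state: directory
    mode: '0755'
    owner: root
    group: root

# The prom/alertmanager image runs as `nobody` (uid/gid 65534).  Giving that
# uid the data directory lets the container keep its default unprivileged
# user instead of running as root.
- name: Create alertmanager data directory
  file:
    path: "{{ alertmanager_docker_directory_for_volumes }}/{{ alertmanager_docker_container_name }}/data"
    state: directory
    mode: '0755'
    owner: "65534"
    group: "65534"
    recurse: true   # also re-owns files written by earlier root runs

# Receiver configuration commonly holds SMTP / webhook secrets: readable by
# root and by the container's gid only, not world-readable.
- name: Add config.yml
  template:
    src: alertmanager/config.yml.j2
    dest: "{{ alertmanager_docker_directory_for_volumes }}/{{ alertmanager_docker_container_name }}/conf/config.yml"
    mode: '0640'
    owner: root
    group: "65534"

- name: Run Alertmanager in Docker
  docker_container:
    env:
      TZ: "{{ timezone }}"
    image: "prom/alertmanager:{{ alertmanager_version }}"
    name: "{{ alertmanager_docker_container_name }}"
    network_mode: "{{ ps_docker_network_name }}"
    networks:
      - name: "{{ ps_docker_network_name }}"
        ipv4_address: "{{ alertmanager_docker_ip }}"
    # Published on every host interface.  Alertmanager has no authentication
    # of its own, so bind to a loopback/internal address or firewall the port
    # unless it is meant to be reachable from the network.
    ports:
      - "{{ alertmanager_port }}:9093"
    command:
      - '--config.file=/etc/alertmanager/config.yml'
      - '--storage.path=/etc/alertmanager/data'
    pull: true
    recreate: true   # container is recreated on every run, so the task always reports changed
    restart_policy: unless-stopped
    state: started
    volumes:
      - "{{ alertmanager_docker_directory_for_volumes }}/{{ alertmanager_docker_container_name }}/conf:/etc/alertmanager"
      - "{{ alertmanager_docker_directory_for_volumes }}/{{ alertmanager_docker_container_name }}/data:/etc/alertmanager/data"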
--------------------------------------------------------------------------------
/logging/vector/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Minimum acceptable Ansible version (major / minor)
ansible_major_version: 2
ansible_minor_version: 14

timezone: 'Europe/Moscow'

# How Vector is deployed: 'host' or 'docker'
deploy_method: host

## Vector: common settings
vector_data_dir: '/var/lib/vector'
# Which configuration template is rendered: 'agent', 'aggregator' or 'hybrid'
vector_mode: 'agent'
# Vector API: disabled, and bound to loopback when enabled
vector_api_enabled: false
vector_api_address: '127.0.0.1:8686'

## Vector: agent pipeline (source -> transform -> sink)
vector_agent_source_type: 'demo_logs'
vector_agent_source_format: 'syslog'
vector_agent_source_interval: 1
vector_agent_transform_type: 'remap'
vector_agent_transform_inputs: ['dummy_logs']
vector_agent_transform_source: '. = parse_syslog!(string!(.message))'
vector_agent_sink_type: 'console'
vector_agent_sink_inputs: ['parse_logs']
vector_agent_sink_encoding_codec: 'json'

## Vector: aggregator pipeline
vector_aggregator_source_type: 'stdin'
vector_aggregator_transform_type: 'remap'
vector_aggregator_transform_inputs: ['aggregator_source']
vector_aggregator_transform_source: '. = parse_syslog!(string!(.message))'
vector_aggregator_sink_type: 'console'
vector_aggregator_sink_inputs: ['aggregator_transform']
vector_aggregator_sink_encoding_codec: 'json'

## Vector: hybrid pipeline
vector_hybrid_source_type: 'demo_logs'
vector_hybrid_source_format: 'syslog'
vector_hybrid_source_interval: 1
vector_hybrid_transform_type: 'remap'
vector_hybrid_transform_inputs: ['hybrid_source']
vector_hybrid_transform_source: '. = parse_syslog!(string!(.message))'
vector_hybrid_sink_type: 'console'
vector_hybrid_sink_inputs: ['hybrid_transform']
vector_hybrid_sink_encoding_codec: 'json'
--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/router/400_exim4-config_system_aliases:
--------------------------------------------------------------------------------

### router/400_exim4-config_system_aliases
#################################

# This router handles aliasing using a traditional /etc/aliases file.
#
##### NB You must ensure that /etc/aliases exists. It used to be the case
##### NB that every Unix had that file, because it was the Sendmail default.
##### NB These days, there are systems that don't have it. Your aliases
##### NB file should at least contain an alias for "postmaster".
#
# This router handles the local part in a case-insensitive way which
# satisfies the RFC requirement that postmaster be reachable regardless
# of case. If you decide to handle /etc/aliases in a caseful way, you
# need to make arrangements for a caseless postmaster.
#
# Delivery to arbitrary directories, files, and piping to programs in
# /etc/aliases is disabled per default: the file/pipe/directory transports
# below are only configured when the matching SYSTEM_ALIASES_*_TRANSPORT
# macro is defined, so such alias entries are not honoured out of the box.
# If that is a problem for you, see
# /usr/share/doc/exim4-base/README.Debian.gz
# for explanation and some workarounds.

system_aliases:
  debug_print = "R: system_aliases for $local_part@$domain"
  driver = redirect
  # Only for domains this host considers local
  domains = +local_domains
  # Permit ":fail:" / ":defer:" items in alias data (reject or temporarily
  # defer a recipient from /etc/aliases)
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
  # Optional overrides, each active only when the macro is defined
  # (e.g. in exim4.conf.localmacros)
.ifdef SYSTEM_ALIASES_USER
  user = SYSTEM_ALIASES_USER
.endif
.ifdef SYSTEM_ALIASES_GROUP
  group = SYSTEM_ALIASES_GROUP
.endif
.ifdef SYSTEM_ALIASES_FILE_TRANSPORT
  file_transport = SYSTEM_ALIASES_FILE_TRANSPORT
.endif
.ifdef SYSTEM_ALIASES_PIPE_TRANSPORT
  pipe_transport = SYSTEM_ALIASES_PIPE_TRANSPORT
.endif
.ifdef SYSTEM_ALIASES_DIRECTORY_TRANSPORT
  directory_transport = SYSTEM_ALIASES_DIRECTORY_TRANSPORT
.endif

--------------------------------------------------------------------------------
/databases/redis/standalone/tasks/host.yml:
--------------------------------------------------------------------------------
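---
# Install Redis from packages.redis.io on Debian/Ubuntu, render redis.conf and
# create ACL users.  Expects `redis_package_link`, `redis_package_gpg`,
# `redis_repository`, `redis_version`, `redis_conf_file` and `redis_ACL_rules`
# (see defaults/main.yml).

- name: "Install packages:"
  apt:
    pkg: ["apt-utils", "gpg"]
    update_cache: true
  tags:
    - setup_redis
    - install_redis
  register: package_res
  retries: 5
  until: package_res is success

# The repository line in `redis_repository` pins packages to this keyring
# via `signed-by`.
- name: "Import a Redis GPK key from a URL:"
  apt_key:
    url: "{{ redis_package_link }}"
    keyring: "{{ redis_package_gpg }}"
  become: true
  tags:
    - setup_redis
    - install_redis

- name: "Add Redis repository for Debian:"
  apt_repository:
    repo: "{{ redis_repository }}"
    state: present
  when: ansible_distribution == "Debian"
  tags:
    - setup_redis
    - install_redis

- name: "Add Redis repository for Ubuntu:"
  apt_repository:
    filename: redis
    repo: "{{ redis_repository }}"
    state: present
    update_cache: false
  become: true
  when: ansible_distribution == "Ubuntu"
  tags:
    - setup_redis
    - install_redis

- name: "Install Redis packages"
  apt:
    # Version glob, e.g. redis-server=*7.2*; "*" when redis_version is unset
    name: '{{ item }}=*{{ redis_version | default("*") }}*'
    state: present
    update_cache: true
  become: true
  loop:
    - redis-server
    - redis-tools
  notify:
    - Start Redis
    - Enable Redis

# redis.conf may carry `requirepass` / ACL users; owned by root, readable by
# the redis group only (the same layout the Debian package ships), instead of
# world-readable.
- name: "Set Redis configuration"
  template:
    src: redis.conf.j2
    dest: "{{ redis_conf_file }}"
    owner: root
    group: redis
    mode: '0640'
  notify:
    - Restart Redis

# `redis-cli ACL SETUSER` takes the password on the command line.  `no_log`
# keeps it out of Ansible output and logs; it is still briefly visible in the
# host's process list while the command runs.  The command is not idempotent
# and therefore reports changed on every run.
# NOTE(review): users created this way live in memory only unless the
# rendered config persists them (aclfile / `user` lines) or ACL SAVE is run;
# confirm against redis.conf.j2.
- name: "Redis ACL"
  command: redis-cli ACL SETUSER {{ item.name }} on {{ item.password }} {{ item.rules }}
  loop: "{{ redis_ACL_rules }}"
  no_log: true
  tags:
    - create_acl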
--------------------------------------------------------------------------------
/databases/redis/standalone/defaults/main.yml:
--------------------------------------------------------------------------------
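---
# Minimum acceptable Ansible version (major / minor)
ansible_major_version: 2
ansible_minor_version: 14

## Installation options
redis_deploy_method: docker
# Quoted on purpose: as a bare YAML float a value such as 7.10 would be
# loaded as 7.1 and produce the wrong apt version glob.
redis_version: "7.2"
redis_docker_version: "7.0.11"
redis_package_link: https://packages.redis.io/gpg
redis_package_gpg: /usr/share/keyrings/redis-archive-keyring.gpg
redis_repository: "deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] https://packages.redis.io/deb {{ ansible_distribution_release }} main"

redis_conf_file: /etc/redis/redis.conf
redis_daemon: redis-server
redis_port: 6379
# Binds to loopback AND the host's inventory address, i.e. Redis is reachable
# from the network.  With `redis_password: false` there is no authentication
# at all, so set a password / ACL users, narrow the bind to "127.0.0.1", or
# firewall `redis_port` before exposing a host built with these defaults.
redis_bind: "{{'127.0.0.1 ' + ansible_host }}"
redis_dir: /var/lib/redis
redis_password: false

## General configuration
redis_databases: 16
redis_pidfile: /var/run/redis/redis-server.pid
redis_loglevel: notice
redis_slowlog_log_slower_than: 10000
redis_slowlog_max_len: 128
redis_maxmemory: false
redis_maxmemory_policy: noeviction

## Logging
# Rendered verbatim into redis.conf, hence the embedded double quotes
redis_logfile: '"/var/log/redis/redis-server.log"'

## RDB Backup / AOF
# "yes"/"no" are quoted on purpose: they are redis.conf keywords, not YAML
# booleans (an unquoted `yes` would render as True).
redis_db_filename: "dump.rdb"
redis_save:
  - "900 1"
  - "300 10"
  - "60 10000"
redis_stop_writes_on_bgsave_error: "yes"
redis_rdbcompression: "yes"
redis_rdbchecksum: "yes"
redis_appendonly: "no"
redis_appendfilename: "appendonly.aof"
redis_appendfsync: "everysec"
redis_no_appendfsync_on_rewrite: "no"
redis_auto_aof_rewrite_percentage: "100"
redis_auto_aof_rewrite_min_size: "64mb"
redis_notify_keyspace_events: '""'
# <hard limit> <soft limit> <soft seconds>
redis_client_output_buffer_limit_normal: "0 0 0"
redis_client_output_buffer_limit_slave: "256mb 64mb 60"
redis_client_output_buffer_limit_pubsub: "32mb 8mb 60"
redis_hz: 10

## Advanced
redis_activedefrag: "no"

## ACL
# List of {name, password, rules} mappings consumed by the "Redis ACL" task
# in tasks/host.yml.  The passwords are secrets: keep an overriding value in
# Ansible Vault rather than in plain group_vars.
redis_ACL_rules: []

## Docker
redis_docker_subnet: 172.18.1.0/24
redis_docker_ip: 172.18.1.2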
--------------------------------------------------------------------------------
/web-servers/nginx/templates/etc/nginx/nginx.conf.j2:
--------------------------------------------------------------------------------
{% if nginx_deploy_method == 'host' %}
# Host install: workers run as the distribution's www-data user with a
# raised scheduling priority (negative nice value).
user www-data;

worker_priority -15;
{% else %}
# Container image convention
user nginx;
{% endif %}

worker_processes {{ nginx_worker_processes }};
include /etc/nginx/modules-enabled/*.conf;

error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
    worker_connections {{ nginx_worker_connections }};
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Tab-separated access log: client IP, Host header, time, status, request
    # line, request time (upstream response time), bytes sent, Referer,
    # User-Agent.
    log_format nixys '$remote_addr\t"$host"\t[$time_local]\t$status\t"$request"\t$request_time ($upstream_response_time)\t$bytes_sent\t"$http_referer"\t"$http_user_agent"';
    # Verbose variant.  It records $request_body, so for login and API
    # requests credentials and personal data end up in the log file; switch
    # to it only for short-lived debugging, never as the default format.
    log_format nixys-debug '$remote_addr\t"$host"\t[$time_local]\t$status\t"$request"\t"req_time: $request_time"\t"bytes_sent: $bytes_sent"\n'
        '\t\t\t\t\t\t\t\t"req_file: $request_filename"\t"$http_user_agent"\t"$http_referer"\n'
        '\t\t\t\t\t\t\t\t"Request completed: $request_completion"\n'
        '\t\t\t\t\t\t\t\t"Body request: $request_body"\n';

    access_log /var/log/nginx/access.log nixys;

    sendfile on;
    tcp_nodelay on;

    gzip on;
    gzip_proxied any;
    gzip_comp_level 4;
    gzip_vary on;
    gzip_types text/css text/plain application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;

    # Do not advertise the nginx version in the Server header and error pages
    server_tokens off;

    server_names_hash_bucket_size 33;
    # Drop the socket state of clients that time out instead of lingering
    reset_timedout_connection on;

    # Slow-client timeouts (seconds).  keepalive_timeout: 30s server side,
    # 15s advertised to the client in the Keep-Alive header.
    client_header_timeout 15;
    client_body_timeout 15;
    send_timeout 5;
    keepalive_timeout 30 15;

    # Request-rate and connection-limit zones are prepared but disabled;
    # uncomment and reference them from server blocks (limit_req /
    # limit_conn) to throttle abusive clients.
    #limit_req_zone $binary_remote_addr zone=qglob:16m rate=1r/s;
    #limit_conn_zone $binary_remote_addr zone=cglob:16m;

    # conf.d first, then the per-site configuration
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/acl/20_exim4-config_local_deny_exceptions:
--------------------------------------------------------------------------------

### acl/20_exim4-config_local_deny_exceptions
#################################

# This is used to determine whitelisted senders and hosts.
# It checks for CONFDIR/host_local_deny_exceptions and
# CONFDIR/sender_local_deny_exceptions.
#
# It is meant to be used from some other acl entry.
#
# See exim4-config_files(5) for details.
#
# If the files do not exist, the white list never matches, which is
# the desired behaviour.
#
# The old file names CONFDIR/local_host_whitelist and
# CONFDIR/local_sender_whitelist will continue to be honored for a
# transition period. Their use is deprecated.

acl_local_deny_exceptions:
  # Each "accept" is guarded by ${if exists{FILE}{FILE}{}}: the condition
  # list is the file name when the file exists and an empty list (which
  # never matches) otherwise, so a missing file simply disables that entry.
  # Note that whatever these files contain bypasses the local deny rules
  # that call this ACL, so keep them root-owned and minimal.
  accept
    hosts = ${if exists{CONFDIR/host_local_deny_exceptions}\
                  {CONFDIR/host_local_deny_exceptions}\
                  {}}
  accept
    senders = ${if exists{CONFDIR/sender_local_deny_exceptions}\
                    {CONFDIR/sender_local_deny_exceptions}\
                    {}}
  # Deprecated file names, still honoured (see above)
  accept
    hosts = ${if exists{CONFDIR/local_host_whitelist}\
                  {CONFDIR/local_host_whitelist}\
                  {}}
  accept
    senders = ${if exists{CONFDIR/local_sender_whitelist}\
                    {CONFDIR/local_sender_whitelist}\
                    {}}

# This hook allows you to hook in your own ACLs without having to
# modify this file. If you do it like we suggest, you'll end up with
# a small performance penalty since there is an additional file being
# accessed. This doesn't happen if you leave the macro unset.
.ifdef LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE
.include LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE
.endif

# This is still supported for a transition period and is deprecated.
.ifdef WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
.include WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
.endif

--------------------------------------------------------------------------------
/databases/mariadb/server/tasks/host.yml:
--------------------------------------------------------------------------------
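---
# Install MariaDB on the host from the upstream repository (through a mirror),
# render /etc/mysql/my.cnf and /root/.my.cnf.

- name: Ensure apt cache is updated
  apt:
    update_cache: true
  changed_when: false

- name: Ensure MariaDB needed packages are installed
  apt:
    name:
      - python3-mysqldb
      - wget
      - gnupg2
      - curl
      - lsb-release
      - software-properties-common
      - dirmngr
      - apt-transport-https
    state: present

- name: Create directory /etc/apt/keyrings
  become: true
  file:
    path: /etc/apt/keyrings
    state: directory
    owner: root
    group: root
    mode: '0755'

# get_url instead of `command: curl`: idempotent, fails on HTTP errors
# (curl without -f would save an error page as the keyring) and sets
# deterministic ownership/permissions.
- name: Download MariaDB release signing key
  become: true
  get_url:
    url: https://mariadb.org/mariadb_release_signing_key.pgp
    dest: /etc/apt/keyrings/mariadb-keyring.pgp
    owner: root
    group: root
    mode: '0644'

# The mirror is a third party; package integrity rests on the signing key
# above (`signed-by`), not on the mirror.
- name: Add MariaDB Repository for {{ ansible_distribution }}
  apt_repository:
    repo: "deb [signed-by=/etc/apt/keyrings/mariadb-keyring.pgp] https://mirror.truenetwork.ru/mariadb/repo/{{ mariadb_host_version }}/{{ ansible_distribution|lower }} {{ ansible_distribution_release }} main"
    state: present
    update_cache: true

- name: Install MariaDB packages
  apt:
    pkg: ['mariadb-server', 'mariadb-common', 'mariadb-backup']
    update_cache: true

- name: Add /etc/mysql/my.cnf
  ansible.builtin.template:
    src: etc/mysql/my.cnf.j2
    dest: /etc/mysql/my.cnf
    owner: root
    group: root
    mode: '0644'
  notify:
    - Daemon reload
    - Restart MariaDB

# Restarts are left to the "Restart MariaDB" handler, which fires only when
# my.cnf or the /etc/mysql permissions change; the previous unconditional
# restart task bounced the database on every run.
- name: Ensure MariaDB is running
  service:
    name: mariadb
    state: started

- name: Add /root/.my.cnf
  template:
    src: root/.my.cnf.j2
    dest: /root/.my.cnf
    owner: root
    group: root
    mode: '0600'   # presumably carries client credentials; root only

- name: Set permissions
  file:
    path: /etc/mysql
    owner: root
    group: mysql
    mode: '0750'
  notify:
    - Daemon reload
    - Restart MariaDB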
--------------------------------------------------------------------------------
/web-servers/lets-encrypt/tasks/acmesh.yml:
--------------------------------------------------------------------------------
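---
# Install acme.sh under a dedicated unprivileged `acme` user and issue
# wildcard certificates for every entry in `lets_encrypt_domains` through the
# DNS-01 challenge (`lets_encrypt_dns_function`).

# Create user and group
- name: Create a acme group
  group:
    name: acme
    state: present

- name: Create a acme user
  user:
    name: acme
    state: present
    shell: /bin/bash
    home: /usr/local/scripts/acme
    group: acme

# Script dir (the acme user's home)
- name: Create acme configuration directory
  file:
    path: /usr/local/scripts/acme
    state: directory
    owner: acme
    group: acme
    mode: '0750'

# Fetch the installer straight to its final name with the right owner and
# mode.  It is executed as `acme` below, so the root-owned 0700 file produced
# by the previous wget + chmod sequence was not even readable by that user;
# those steps also referenced `.../acme` while the file was saved as
# `.../acme.sh`.
- name: Download script
  get_url:
    url: https://get.acme.sh
    dest: /usr/local/scripts/acme/acme.sh
    owner: acme
    group: acme
    mode: '0700'

# One-shot installer (installs into ~acme/.acme.sh).  The download is trusted
# on TLS alone; get.acme.sh publishes no checksum that could be pinned here.
# NOTE(review): `creates` assumes the installer's default target path --
# confirm; if it is wrong the installer merely re-runs each play, as before.
- name: Execute the script
  become_user: acme
  command: /usr/local/scripts/acme/acme.sh
  args:
    creates: /usr/local/scripts/acme/.acme.sh/acme.sh

- name: Change dir from root to acme
  file:
    path: /usr/local/scripts/acme
    owner: acme
    group: acme
    state: directory
    recurse: true

- name: Create acmesh certs store
  file:
    path: "/etc/letsencrypt/acme/{{ item }}"
    state: directory
    owner: acme
    group: www-data
    mode: '0750'
  loop: "{{ lets_encrypt_domains }}"

# Add options to config.  SAVED_SL_Key looks like a DNS-provider API token
# (acme.sh `SAVED_*` entries), i.e. a secret: `no_log` keeps it out of play
# output, and `regexp` updates an existing line instead of appending a second
# one when the value changes.  The literal 'API_KEY' is a placeholder left in
# the source and must be replaced by a vaulted variable before use.
- name: Add lines to file
  lineinfile:
    path: /usr/local/scripts/acme/.acme.sh/account.conf
    regexp: "^{{ item.split('=')[0] }}="
    line: "{{ item }}"
    insertafter: EOF
  no_log: true
  loop:
    - "SAVED_SL_Key='API_KEY'"
    - "USER_PATH='/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/scripts/acme/bin'"

# Create certificate.
# The wildcard is now double-quoted inside the single-quoted `sh -c` string.
# Previously `'*.{{ item }}'` closed and re-opened the outer shlex quotes, so
# the wildcard reached the inner shell unquoted and was subject to glob
# expansion against the container's working directory.
# NOTE(review): this host-install task file issues the certificate through
# the acmesh *container* (`docker_command` is set in tasks/docker.yml); confirm
# that is intended, or call /usr/local/scripts/acme/.acme.sh/acme.sh directly.
- name: Make config for domain
  become_user: acme
  command: "{{ docker_command }} -f /var/apps/{{ lets_encrypt_acme_client }}/docker-compose.yml exec -u acme acmesh sh -c '/usr/local/scripts/acme/acme.sh --issue -d {{ item }} -d \"*.{{ item }}\" --dns {{ lets_encrypt_dns_function }}'"
  notify:
    - Reload Nginx
  loop: "{{ lets_encrypt_domains }}"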
--------------------------------------------------------------------------------
/basic/git/README.md:
--------------------------------------------------------------------------------
1 | An Ansible role that installs Git.
2 |
3 | ## Supported distributions
4 |
5 | Note (for AWS): AMI IDs for these images differ by region, but that is fine: the images themselves are the same. To find the AMI you need, go to Images/AMIs and search for the image name. Below are example AMIs for the us-west-2 region.
6 |
7 | * Debian [11.8, 12.4]
8 | * AWS:
9 | - debian-11-amd64-20231013-1532-a264997c-d509-4a51-8e85-c2644a3f8ba2 [ami-0197a20e1a9f83aff]
10 | - debian-12-amd64-20231210-1591-prod-s2fy2g55okxhk [ami-0e308c88c5d1b5022]
11 | * GCP:
12 | - Debian GNU/Linux 11 (bullseye), x86/64, amd64
13 | - Debian GNU/Linux 12 (bookworm), x86/64, amd64
14 | * YandexCloud:
15 | - Debian 11 [fd8lmueoqum660atdd5r]
16 | - Debian 12 [fd8dfiq123s8j82s85il]
17 | * SberCloud:
18 | - Debian 11 [737527dd-2182-4ba9-aad9-adbd46750c5f]
19 |
20 | * Ubuntu [20.04, 22.04]
21 | * AWS:
22 | - ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20240126-aced0818-eef1-427a-9e04-8ba38bada306 [ami-0875d33dff2aae0d5]
23 | - ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240126-47489723-7305-4e22-8b22-b0d57054f216 [ami-0b007b61391a250a1]
24 | * GCP:
25 | - Ubuntu 20.04 LTS, x86/64, amd64, focal
26 | - Ubuntu 22.04 LTS, x86/64, amd64, jammy
27 | * YandexCloud:
28 | - Ubuntu 20.04 [fd8bt3r9v1tq5fq7jcna]
29 | - Ubuntu 22.04 [fd8s78up10fbjbe5atn7]
30 | * SberCloud:
31 | - Ubuntu 20.04 [649a6095-b042-4a4c-bb37-f4670cb472a3]
32 | - Ubuntu 22.04 [475decdf-7455-475e-8714-fa69cd3d778a]
33 |
34 | ## Role variables
35 |
36 | Available variables are listed below, along with their default values (see `defaults/main.yml`):
37 | | Variable | Description | Default value |
38 | | --- | --- | --- |
39 | | **ansible_major_version** | Major acceptable Ansible version | 2 |
40 | | **ansible_minor_version** | Minor acceptable Ansible version | 14 |
41 |
42 | ## Inventory file example
43 |
44 | ```
45 | [common]
46 | debian ansible_ssh_host=192.168.251.2 ansible_ssh_port=22 ansible_become=yes ansible_become_method=sudo ansible_user=$CLOUD_SSH_USER ansible_ssh_private_key_file=$PATH_TO_PRIVATE_KEY
47 | ```
--------------------------------------------------------------------------------
/dev_tools/java/README.md:
--------------------------------------------------------------------------------
1 | An Ansible role that installs a JDK.
2 |
3 | ## Supported distributions
4 |
5 | Note (for AWS): AMI IDs for these images differ by region, but that is fine: the images themselves are the same. To find the AMI you need, go to Images/AMIs and search for the image name. Below are example AMIs for the us-west-2 region.
6 |
7 | * Debian [11.8, 12.4]
8 | * AWS:
9 | - debian-11-amd64-20231013-1532-a264997c-d509-4a51-8e85-c2644a3f8ba2 [ami-0197a20e1a9f83aff]
10 | - debian-12-amd64-20231210-1591-prod-s2fy2g55okxhk [ami-0e308c88c5d1b5022]
11 | * GCP:
12 | - Debian GNU/Linux 11 (bullseye), x86/64, amd64
13 | - Debian GNU/Linux 12 (bookworm), x86/64, amd64
14 | * YandexCloud:
15 | - Debian 11 [fd8lmueoqum660atdd5r]
16 | - Debian 12 [fd8dfiq123s8j82s85il]
17 | * SberCloud:
18 | - Debian 11 [737527dd-2182-4ba9-aad9-adbd46750c5f]
19 |
20 | * Ubuntu [20.04, 22.04]
21 | * AWS:
22 | - ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20240126-aced0818-eef1-427a-9e04-8ba38bada306 [ami-0875d33dff2aae0d5]
23 | - ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240126-47489723-7305-4e22-8b22-b0d57054f216 [ami-0b007b61391a250a1]
24 | * GCP:
25 | - Ubuntu 20.04 LTS, x86/64, amd64, focal
26 | - Ubuntu 22.04 LTS, x86/64, amd64, jammy
27 | * YandexCloud:
28 | - Ubuntu 20.04 [fd8bt3r9v1tq5fq7jcna]
29 | - Ubuntu 22.04 [fd8s78up10fbjbe5atn7]
30 | * SberCloud:
31 | - Ubuntu 20.04 [649a6095-b042-4a4c-bb37-f4670cb472a3]
32 | - Ubuntu 22.04 [475decdf-7455-475e-8714-fa69cd3d778a]
33 |
34 | ## Role variables
35 |
36 | Available variables are listed below, along with their default values (see `defaults/main.yml`):
37 | | Variable | Description | Default value |
38 | | --- | --- | --- |
39 | | **ansible_major_version** | Ansible major version | 2 |
40 | | **ansible_minor_version** | Ansible minor version | 14 |
41 | | **java_openjdk_version** | JDK version | 19 |
42 |
43 | ## Inventory file example
44 |
45 | ```
46 | [hosts]
47 | host-1 ansible_host=192.168.252.1 ansible_ssh_port=22 ansible_become=yes ansible_become_method=sudo ansible_user=$CLOUD_SSH_USER ansible_ssh_private_key_file=$PATH_TO_PRIVATE_KEY
48 |
49 | ```
50 |
51 |
--------------------------------------------------------------------------------
/web-servers/lets-encrypt/tasks/docker.yml:
--------------------------------------------------------------------------------
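---
# Make sure Docker and a compose command are available, then hand over to the
# task file for the selected ACME client (`lets_encrypt_acme_client`).

# python3-apt is required by package_facts below
- name: Ensure python3-apt libraries are installed.
  apt:
    name: python3-apt
    state: present
    update_cache: true

- name: Check packages is installed
  package_facts:
    manager: "auto"

# Docker role (skipped when docker-ce is already installed)
- ansible.builtin.include_role:
    name: container_engines/docker
  when: "'docker-ce' not in ansible_facts.packages"

# Check docker version
- name: Get docker version
  shell: "docker version --format '{{ '{{' }}.Server.Version{{ '}}' }}'"
  register: docker_version
  changed_when: false

- debug:
    var: docker_version.stdout   # was `version.stdout`, an undefined variable

# Compose file version.  Compared with the `version` test rather than as
# strings: a plain string comparison is lexicographic, and the exact value
# "19.03.0" matched neither `>` nor `<`, leaving docker_compose_file_version
# undefined for later templates.
- name: Set docker-compose version 3.8 for docker higher than or equal to 19.03.0
  when: docker_version.stdout is version('19.03.0', '>=')
  set_fact:
    docker_compose_file_version: '3.8'

- name: Set docker-compose version 2.2 for docker lower than 19.03.0
  when: docker_version.stdout is version('19.03.0', '<')
  set_fact:
    docker_compose_file_version: '2.2'

# Check docker-compose installation.  A non-zero rc is the expected "not
# installed" answer, not a failure, so it is recorded instead of ignored.
- name: Check is docker-compose installed
  shell: command -v docker-compose >/dev/null 2>&1
  register: is_docker_compose_install
  changed_when: false
  failed_when: false

- debug:
    var: is_docker_compose_install.rc   # 1 when only the compose plugin is present

- name: Choose docker-compose command aka "docker-compose"
  when: is_docker_compose_install.rc == 0
  set_fact:
    docker_command: "docker-compose"

- name: Choose docker-compose command aka "docker compose"
  when: is_docker_compose_install.rc != 0
  set_fact:
    docker_command: "docker compose"

# Include the tasks for the selected ACME client
- include_tasks: certbot-docker.yml
  when: lets_encrypt_acme_client == 'certbot'

- include_tasks: getssl-docker.yml
  when: lets_encrypt_acme_client == 'getssl'

- include_tasks: acmesh-docker.yml
  when: lets_encrypt_acme_client == 'acmesh'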
--------------------------------------------------------------------------------
/basic/sysctl/README.md:
--------------------------------------------------------------------------------
1 | An Ansible role that applies an initial sysctl configuration.
2 |
3 | ## Supported distributions
4 |
5 | Note (for AWS): AMI IDs for these images differ by region, but that is fine: the images themselves are the same. To find the AMI you need, go to Images/AMIs and search for the image name. Below are example AMIs for the us-west-2 region.
6 |
7 | * Debian [11.8, 12.4]
8 | * AWS:
9 | - debian-11-amd64-20231013-1532-a264997c-d509-4a51-8e85-c2644a3f8ba2 [ami-0197a20e1a9f83aff]
10 | - debian-12-amd64-20231210-1591-prod-s2fy2g55okxhk [ami-0e308c88c5d1b5022]
11 | * GCP:
12 | - Debian GNU/Linux 11 (bullseye), x86/64, amd64
13 | - Debian GNU/Linux 12 (bookworm), x86/64, amd64
14 | * YandexCloud:
15 | - Debian 11 [fd8lmueoqum660atdd5r]
16 | - Debian 12 [fd8dfiq123s8j82s85il]
17 | * SberCloud:
18 | - Debian 11 [737527dd-2182-4ba9-aad9-adbd46750c5f]
19 |
20 | * Ubuntu [20.04, 22.04]
21 | * AWS:
22 | - ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20240126-aced0818-eef1-427a-9e04-8ba38bada306 [ami-0875d33dff2aae0d5]
23 | - ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240126-47489723-7305-4e22-8b22-b0d57054f216 [ami-0b007b61391a250a1]
24 | * GCP:
25 | - Ubuntu 20.04 LTS, x86/64, amd64, focal
26 | - Ubuntu 22.04 LTS, x86/64, amd64, jammy
27 | * YandexCloud:
28 | - Ubuntu 20.04 [fd8bt3r9v1tq5fq7jcna]
29 | - Ubuntu 22.04 [fd8s78up10fbjbe5atn7]
30 | * SberCloud:
31 | - Ubuntu 20.04 [649a6095-b042-4a4c-bb37-f4670cb472a3]
32 | - Ubuntu 22.04 [475decdf-7455-475e-8714-fa69cd3d778a]
33 |
34 | ## Role variables
35 |
36 | Available variables are listed below, along with their default values (see `defaults/main.yml`):
37 | | Variable | Description | Default value |
38 | | --- | --- | --- |
39 | | **sysctl_values** | Sysctl options | - |
40 | | **ansible_major_version** | Major acceptable Ansible version | 2 |
41 | | **ansible_minor_version** | Minor acceptable Ansible version | 14 |
42 |
43 | ## Inventory file example
44 |
45 | ```
46 | [common]
47 | debian ansible_ssh_host=192.168.251.2 ansible_ssh_port=22 ansible_become=yes ansible_become_method=sudo ansible_user=$CLOUD_SSH_USER ansible_ssh_private_key_file=$PATH_TO_PRIVATE_KEY
48 | ```
49 |
--------------------------------------------------------------------------------
/monitoring/prometheus-stack/tasks/docker.yml:
--------------------------------------------------------------------------------
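# Install python3-apt, which package_facts needs to read the apt database.
- name: Ensure python3-apt libraries are installed.
  apt:
    name: python3-apt
    state: present
    update_cache: true

# Gather the installed-package list into ansible_facts.packages.
- name: Check packages is installed
  package_facts:
    manager: "auto"

# Run the docker role only when docker-ce is not already installed.
- ansible.builtin.include_role:
    name: docker
  when: "'docker-ce' not in ansible_facts.packages"

# Capture the daemon version. The escaped braces survive Jinja rendering as
# the literal Go template '{{.Server.Version}}'.
- name: Get docker version
  command: "docker version --format '{{ '{{' }}.Server.Version{{ '}}' }}'"
  register: docker_version
  changed_when: false

# The registered variable is docker_version (there is no 'version' fact).
- debug: var=docker_version.stdout

# Use the 'version' test: comparing the strings with '>' / '<' is
# lexicographic (e.g. "100.0.0" sorts below "19.03.11") and left a daemon
# at exactly 19.03.11 with no compose file version at all.
- name: Set docker-compose file version 3.8 for docker 19.03.11 or newer
  when: docker_version.stdout is version('19.03.11', '>=')
  set_fact:
    docker_compose_file_version: '3.8'

- name: Set docker-compose file version 2.0 for docker older than 19.03.11
  when: docker_version.stdout is version('19.03.11', '<')
  set_fact:
    docker_compose_file_version: '2.0'

# Probe for the standalone docker-compose binary. 'command -v' is a shell
# builtin, so the shell module is required. A non-zero rc is the expected
# "not installed" answer rather than a failure, so the task is never marked
# failed (the rc is still registered for the tasks below).
- name: Check is docker-compose installed
  shell: command -v docker-compose >/dev/null 2>&1
  register: is_docker_compose_install
  changed_when: false
  failed_when: false

- debug: msg="{{ is_docker_compose_install.rc }}" # rc 1 simply means the binary is absent

- debug: var=is_docker_compose_install

# Prefer the standalone binary when present, otherwise the compose plugin.
- name: Choose docker-compose command aka "docker-compose"
  when: is_docker_compose_install.rc == 0
  set_fact:
    docker_command: "docker-compose"

- name: Choose docker-compose command aka "docker compose"
  when: is_docker_compose_install.rc != 0
  set_fact:
    docker_command: "docker compose"

- name: Create PS directory
  file:
    path: /var/apps/prometheus_stack
    state: directory
    mode: '0755'
    owner: root
    group: root

# Dedicated network so the stack containers get the fixed addresses the other
# task files assign from ps_docker_subnet.
- name: Create Docker network
  docker_network:
    name: "{{ ps_docker_network_name }}"
    state: present
    ipam_config:
      - subnet: "{{ ps_docker_subnet }}"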
--------------------------------------------------------------------------------
/monitoring/prometheus-stack/tasks/prometheus.yml:
--------------------------------------------------------------------------------
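# conf, data and conf/rules all live under one per-container directory; the
# file module creates missing parents, so one loop replaces three tasks and
# the order of the items does not matter.
- name: Create prometheus conf, data and rules directories
  file:
    path: "{{ prometheus_docker_directory_for_volumes }}/{{ prometheus_docker_container_name }}/{{ item }}"
    state: directory
    mode: '0755'
    owner: root
    group: root
  loop:
    - conf
    - data
    - conf/rules

- name: Add prometheus.yml
  template:
    src: prometheus/prometheus.yml.j2
    dest: '{{ prometheus_docker_directory_for_volumes }}/{{ prometheus_docker_container_name }}/conf/prometheus.yml'
    mode: '0644'
    owner: root
    group: root

- name: Add node-exporter.yml
  copy:
    src: 'prometheus/rules/node-exporter.yml'
    dest: '{{ prometheus_docker_directory_for_volumes }}/{{ prometheus_docker_container_name }}/conf/rules/node-exporter.yml'
    mode: '0644'
    owner: root
    group: root

# Prometheus has no built-in authentication. The published port is bound on
# every host interface unless prometheus_port carries a bind address (e.g.
# "127.0.0.1:9090"), so restrict it with a firewall or a reverse proxy when
# the host is reachable from other networks. pull + recreate also restarts
# the container on every playbook run.
- name: Run Prometheus in Docker
  docker_container:
    env:
      # NOTE(review): the official prom/prometheus image does not appear to
      # read STORAGE_TSDB_RETENTION; retention is normally passed as the
      # --storage.tsdb.retention.time flag — confirm against the image docs.
      STORAGE_TSDB_RETENTION: "{{ prometheus_rotate }}"
      TZ: "{{ timezone }}"
    image: "prom/prometheus:{{ prometheus_version }}"
    name: "{{ prometheus_docker_container_name }}"
    network_mode: "{{ ps_docker_network_name }}"
    networks:
      - name: "{{ ps_docker_network_name }}"
        ipv4_address: "{{ prometheus_docker_ip }}"
    ports:
      - "{{ prometheus_port }}:9090"
    # An explicit command replaces the image's default arguments, so only the
    # config file path is set here; everything else uses Prometheus defaults.
    command:
      - '--config.file=/etc/prometheus/prometheus.yml'
    pull: true
    recreate: true
    restart_policy: unless-stopped
    state: started
    # Presumably root so the process can write to the root-owned directories
    # created above; chowning the data directory to the image's default user
    # would allow dropping this.
    user: root
    volumes:
      - "{{ prometheus_docker_directory_for_volumes }}/{{ prometheus_docker_container_name }}/conf:/etc/prometheus"
      - "{{ prometheus_docker_directory_for_volumes }}/{{ prometheus_docker_container_name }}/data:/prometheus"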
--------------------------------------------------------------------------------
/basic/exim4-smarthost/files/etc/exim4/conf.d/router/600_exim4-config_userforward:
--------------------------------------------------------------------------------
1 |
2 | ### router/600_exim4-config_userforward
3 | #################################
4 |
5 | # This router handles forwarding using traditional .forward files in users'
6 | # home directories. It also allows mail filtering with a forward file
7 | # starting with the string "# Exim filter" or "# Sieve filter".
8 | #
9 | # The no_verify setting means that this router is skipped when Exim is
10 | # verifying addresses. Similarly, no_expn means that this router is skipped if
11 | # Exim is processing an EXPN command.
12 | #
13 | # The check_ancestor option means that if the forward file generates an
14 | # address that is an ancestor of the current one, the current one gets
15 | # passed on instead. This covers the case where A is aliased to B and B
16 | # has a .forward file pointing to A.
17 | #
18 | # The four transports specified at the end are those that are used when
19 | # forwarding generates a direct delivery to a directory, or a file, or to a
20 | # pipe, or sets up an auto-reply, respectively.
21 | #
22 | userforward:
23 | debug_print = "R: userforward for $local_part@$domain"
24 | driver = redirect
25 | domains = +local_domains
26 | check_local_user
27 | file = $home/.forward
28 | require_files = $local_part:$home/.forward
29 | no_verify
30 | no_expn
31 | check_ancestor
32 | allow_filter
33 | forbid_smtp_code = true
34 | directory_transport = address_directory
35 | file_transport = address_file
36 | pipe_transport = address_pipe
37 | reply_transport = address_reply
38 | skip_syntax_errors
39 | syntax_errors_to = real-$local_part@$domain
40 | syntax_errors_text = \
41 | This is an automatically generated message. An error has\n\
42 | been found in your .forward file. Details of the error are\n\
43 | reported below. While this error persists, you will receive\n\
44 | a copy of this message for every message that is addressed\n\
45 | to you. If your .forward file is a filter file, or if it is\n\
46 | a non-filter file containing no valid forwarding addresses,\n\
47 | a copy of each incoming message will be put in your normal\n\
48 | mailbox. If a non-filter file contains at least one valid\n\
49 | forwarding address, forwarding to the valid addresses will\n\
50 | happen, and those will be the only deliveries that occur.
51 |
52 |
--------------------------------------------------------------------------------
/monitoring/prometheus-stack/tasks/grafana.yml:
--------------------------------------------------------------------------------
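# conf, data and logs all live under one per-container directory; the file
# module creates missing parents, so one loop replaces three tasks.
- name: Create grafana conf, data and logs directories
  file:
    path: "{{ grafana_docker_directory_for_volumes }}/{{ grafana_docker_container_name }}/{{ item }}"
    state: directory
    mode: '0755'
    owner: root
    group: root
  loop:
    - conf
    - data
    - logs

- name: Add grafana.ini
  template:
    src: grafana/grafana.ini.j2
    dest: '{{ grafana_docker_directory_for_volumes }}/{{ grafana_docker_container_name }}/conf/grafana.ini'
    mode: '0644'
    owner: root
    group: root

# The published port is bound on every host interface unless grafana_port
# carries a bind address (e.g. "127.0.0.1:3000"). pull + recreate restarts
# the container on every playbook run.
- name: Run Grafana in Docker
  docker_container:
    env:
      TZ: "{{ timezone }}"
      # No admin password is injected through the environment; the admin
      # credentials used by the datasource task below are presumably set in
      # grafana.ini — confirm, otherwise the image default login applies.
      # GF_SECURITY_ADMIN_PASSWORD: 'password!'
    image: "grafana/grafana:{{ grafana_version }}"
    name: "{{ grafana_docker_container_name }}"
    network_mode: "{{ ps_docker_network_name }}"
    networks:
      - name: "{{ ps_docker_network_name }}"
        ipv4_address: "{{ grafana_docker_ip }}"
    ports:
      - "{{ grafana_port }}:3000"
    pull: true
    recreate: true
    restart_policy: unless-stopped
    state: started
    # Presumably root so the process can write to the root-owned directories
    # created above; chowning them to the image's default user would allow
    # dropping this.
    user: root
    volumes:
      - "{{ grafana_docker_directory_for_volumes }}/{{ grafana_docker_container_name }}/conf:/etc/grafana"
      - "{{ grafana_docker_directory_for_volumes }}/{{ grafana_docker_container_name }}/data:/var/lib/grafana"
      - "{{ grafana_docker_directory_for_volumes }}/{{ grafana_docker_container_name }}/logs:/var/log/grafana"

# ds_type is the Grafana datasource plugin type, which for Prometheus is the
# literal string 'prometheus'. Passing the container name only worked while
# that name happened to be exactly "prometheus".
- name: Create Prometheus Datasource
  community.grafana.grafana_datasource:
    name: prometheus
    grafana_url: "{{ grafana_url }}"
    grafana_user: "{{ grafana_admin_user }}"
    grafana_password: "{{ grafana_admin_password }}"
    ds_type: prometheus
    ds_url: "{{ ds_url }}"
    access: proxy
    # Disables certificate verification for the Ansible -> Grafana API call.
    # Harmless for a plain-http or loopback grafana_url; for an https URL
    # reachable over the network it removes the protection TLS provides.
    tls_skip_verify: true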
--------------------------------------------------------------------------------
/container_engines/docker/README.md:
--------------------------------------------------------------------------------
1 | An Ansible role that installs the Docker Container Engine
2 |
3 | ## Supported distributions
4 |
5 | Note (for AWS): AMIs for these images differ by region, but that is fine: the images themselves are the same. To find the AMI you need, go to Images/AMIs and search for the image name. Below are examples of AMIs for the us-west-2 region.
6 |
7 | * Debian [11.8, 12.4]
8 | * AWS:
9 | - debian-11-amd64-20231013-1532-a264997c-d509-4a51-8e85-c2644a3f8ba2 [ami-0197a20e1a9f83aff]
10 | - debian-12-amd64-20231210-1591-prod-s2fy2g55okxhk [ami-0e308c88c5d1b5022]
11 | * GCP:
12 | - Debian GNU/Linux 11 (bullseye), x86/64, amd64
13 | - Debian GNU/Linux 12 (bookworm), x86/64, amd64
14 | * YandexCloud:
15 | - Debian 11 [fd8lmueoqum660atdd5r]
16 | - Debian 12 [fd8dfiq123s8j82s85il]
17 | * SberCloud:
18 | - Debian 11 [737527dd-2182-4ba9-aad9-adbd46750c5f]
19 |
20 | * Ubuntu [20.04, 22.04]
21 | * AWS:
22 | - ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20240126-aced0818-eef1-427a-9e04-8ba38bada306 [ami-0875d33dff2aae0d5]
23 | - ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240126-47489723-7305-4e22-8b22-b0d57054f216 [ami-0b007b61391a250a1]
24 | * GCP:
25 | - Ubuntu 20.04 LTS, x86/64, amd64, focal
26 | - Ubuntu 22.04 LTS, x86/64, amd64, jammy
27 | * YandexCloud:
28 | - Ubuntu 20.04 [fd8bt3r9v1tq5fq7jcna]
29 | - Ubuntu 22.04 [fd8s78up10fbjbe5atn7]
30 | * SberCloud:
31 | - Ubuntu 20.04 [649a6095-b042-4a4c-bb37-f4670cb472a3]
32 | - Ubuntu 22.04 [475decdf-7455-475e-8714-fa69cd3d778a]
33 |
34 | ## Role variables
35 |
36 | Available variables are listed below, along with their default values (see `defaults/main.yml`):
37 | | Variable | Description | Default value |
38 | | --- | --- | --- |
39 | | **docker_version** | Version of Docker to install | '23.0' |
40 | | **docker_package_epoch** | Epoch of the Docker package | 5 |
41 | | **docker_iptables** | Configure iptables | true |
42 | | **ansible_major_version** | Major acceptable Ansible version | 2 |
43 | | **ansible_minor_version** | Minor acceptable Ansible version | 14 |
44 |
45 | ## Inventory file example
46 |
47 | ```
48 | [common]
49 | debian ansible_ssh_host=192.168.251.2 ansible_ssh_port=22 ansible_become=yes ansible_become_method=sudo ansible_user=$CLOUD_SSH_USER ansible_ssh_private_key_file=$PATH_TO_PRIVATE_KEY
50 | ```
--------------------------------------------------------------------------------
/basic/git-autocommit/README.md:
--------------------------------------------------------------------------------
1 | An Ansible role that configures autocommit for Git
2 |
3 | ## Supported distributions
4 |
5 | Note (for AWS): AMIs for these images differ by region, but that is fine: the images themselves are the same. To find the AMI you need, go to Images/AMIs and search for the image name. Below are examples of AMIs for the us-west-2 region.
6 |
7 | * Debian [11.8, 12.4]
8 | * AWS:
9 | - debian-11-amd64-20231013-1532-a264997c-d509-4a51-8e85-c2644a3f8ba2 [ami-0197a20e1a9f83aff]
10 | - debian-12-amd64-20231210-1591-prod-s2fy2g55okxhk [ami-0e308c88c5d1b5022]
11 | * GCP:
12 | - Debian GNU/Linux 11 (bullseye), x86/64, amd64
13 | - Debian GNU/Linux 12 (bookworm), x86/64, amd64
14 | * YandexCloud:
15 | - Debian 11 [fd8lmueoqum660atdd5r]
16 | - Debian 12 [fd8dfiq123s8j82s85il]
17 | * SberCloud:
18 | - Debian 11 [737527dd-2182-4ba9-aad9-adbd46750c5f]
19 |
20 | * Ubuntu [20.04, 22.04]
21 | * AWS:
22 | - ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20240126-aced0818-eef1-427a-9e04-8ba38bada306 [ami-0875d33dff2aae0d5]
23 | - ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240126-47489723-7305-4e22-8b22-b0d57054f216 [ami-0b007b61391a250a1]
24 | * GCP:
25 | - Ubuntu 20.04 LTS, x86/64, amd64, focal
26 | - Ubuntu 22.04 LTS, x86/64, amd64, jammy
27 | * YandexCloud:
28 | - Ubuntu 20.04 [fd8bt3r9v1tq5fq7jcna]
29 | - Ubuntu 22.04 [fd8s78up10fbjbe5atn7]
30 | * SberCloud:
31 | - Ubuntu 20.04 [649a6095-b042-4a4c-bb37-f4670cb472a3]
32 | - Ubuntu 22.04 [475decdf-7455-475e-8714-fa69cd3d778a]
33 |
34 | ## Role variables
35 |
36 | Available variables are listed below, along with their default values (see `defaults/main.yml`):
37 | | Variable | Description | Default value |
38 | | --- | --- | --- |
39 | | **ansible_major_version** | Major acceptable Ansible version | 2 |
40 | | **ansible_minor_version** | Minor acceptable Ansible version | 14 |
41 |
42 | Features:
43 |
44 | * The job only checks for the presence of `.git` directories in `/` and `/root/`
45 | * Running the "Add default excludes" task on an already edited `/root/config.git/info/exclude` file may cause unexpected results
46 |
47 | ## Inventory file example
48 |
49 | ```
50 | [common]
51 | debian ansible_ssh_host=192.168.251.2 ansible_ssh_port=22 ansible_become=yes ansible_become_method=sudo ansible_user=$CLOUD_SSH_USER ansible_ssh_private_key_file=$PATH_TO_PRIVATE_KEY
52 | ```
--------------------------------------------------------------------------------
/basic/ssh/README.md:
--------------------------------------------------------------------------------
1 | An Ansible role that makes initial configuration for SSH daemon
2 |
3 | ## Supported distributions
4 |
5 | Note (for AWS): AMIs for these images differ by region, but that is fine: the images themselves are the same. To find the AMI you need, go to Images/AMIs and search for the image name. Below are examples of AMIs for the us-west-2 region.
6 |
7 | * Debian [11.8, 12.4]
8 | * AWS:
9 | - debian-11-amd64-20231013-1532-a264997c-d509-4a51-8e85-c2644a3f8ba2 [ami-0197a20e1a9f83aff]
10 | - debian-12-amd64-20231210-1591-prod-s2fy2g55okxhk [ami-0e308c88c5d1b5022]
11 | * GCP:
12 | - Debian GNU/Linux 11 (bullseye), x86/64, amd64
13 | - Debian GNU/Linux 12 (bookworm), x86/64, amd64
14 | * YandexCloud:
15 | - Debian 11 [fd8lmueoqum660atdd5r]
16 | - Debian 12 [fd8dfiq123s8j82s85il]
17 | * SberCloud:
18 | - Debian 11 [737527dd-2182-4ba9-aad9-adbd46750c5f]
19 |
20 | * Ubuntu [20.04, 22.04]
21 | * AWS:
22 | - ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20240126-aced0818-eef1-427a-9e04-8ba38bada306 [ami-0875d33dff2aae0d5]
23 | - ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240126-47489723-7305-4e22-8b22-b0d57054f216 [ami-0b007b61391a250a1]
24 | * GCP:
25 | - Ubuntu 20.04 LTS, x86/64, amd64, focal
26 | - Ubuntu 22.04 LTS, x86/64, amd64, jammy
27 | * YandexCloud:
28 | - Ubuntu 20.04 [fd8bt3r9v1tq5fq7jcna]
29 | - Ubuntu 22.04 [fd8s78up10fbjbe5atn7]
30 | * SberCloud:
31 | - Ubuntu 20.04 [649a6095-b042-4a4c-bb37-f4670cb472a3]
32 | - Ubuntu 22.04 [475decdf-7455-475e-8714-fa69cd3d778a]
33 |
34 | ## Role variables
35 |
36 | Available variables are listed below, along with their default values (see `defaults/main.yml`):
37 | | Variable | Description | Default value |
38 | | --- | --- | --- |
39 | | **ssh_permit_root_login** | Permission for root login | no |
40 | | **allow_users** | List of allowed users | ['admin','ubuntu'] |
41 | | **ansible_major_version** | Major acceptable Ansible version | 2 |
42 | | **ansible_minor_version** | Minor acceptable Ansible version | 14 |
43 |
44 | Features:
45 |
46 | * The variable `allow_users` must be set when `ssh_permit_root_login` is `no`
47 |
48 | ## Inventory file example
49 |
50 | ```
51 | [common]
52 | debian ansible_ssh_host=192.168.251.2 ansible_ssh_port=22 ansible_become=yes ansible_become_method=sudo ansible_user=$CLOUD_SSH_USER ansible_ssh_private_key_file=$PATH_TO_PRIVATE_KEY
53 | ```
54 |
--------------------------------------------------------------------------------
/web-servers/apache2/files/etc/apache2/conf-available/security.conf:
--------------------------------------------------------------------------------
1 | #
2 | # Disable access to the entire file system except for the directories that
3 | # are explicitly allowed later.
4 | #
5 | # This currently breaks the configurations that come with some web application
6 | # Debian packages.
7 | #
8 | #
9 | # AllowOverride None
10 | # Order Deny,Allow
11 | # Deny from all
12 | #
13 |
14 |
15 | # Changing the following options will not really affect the security of the
16 | # server, but might make attacks slightly more difficult in some cases.
17 |
18 | #
19 | # ServerTokens
20 | # This directive configures what you return as the Server HTTP response
21 | # Header. The default is 'Full' which sends information about the OS-Type
22 | # and compiled in modules.
23 | # Set to one of: Full | OS | Minimal | Minor | Major | Prod
24 | # where Full conveys the most information, and Prod the least.
25 | ServerTokens Prod
26 |
27 | #
28 | # Optionally add a line containing the server version and virtual host
29 | # name to server-generated pages (internal error documents, FTP directory
30 | # listings, mod_status and mod_info output etc., but not CGI generated
31 | # documents or custom error documents).
32 | # Set to "EMail" to also include a mailto: link to the ServerAdmin.
33 | # Set to one of: On | Off | EMail
34 | ServerSignature Off
35 |
36 | #
37 | # Allow TRACE method
38 | #
39 | # Set to "extended" to also reflect the request body (only for testing and
40 | # diagnostic purposes).
41 | #
42 | # Set to one of: On | Off | extended
43 | TraceEnable Off
44 |
45 | #
46 | # Forbid access to version control directories
47 | #
48 | # If you use version control systems in your document root, you should
49 | # probably deny access to their directories. For example, for subversion:
50 | #
51 |
52 | Require all denied
53 |
54 |
55 | #
56 | # Setting this header will prevent MSIE from interpreting files as something
57 | # else than declared by the content type in the HTTP headers.
58 | # Requires mod_headers to be enabled.
59 | #
60 | #Header set X-Content-Type-Options: "nosniff"
61 |
62 | #
63 | # Setting this header will prevent other sites from embedding pages from this
64 | # site as frames. This defends against clickjacking attacks.
65 | # Requires mod_headers to be enabled.
66 | #
67 | #Header set X-Frame-Options: "sameorigin"
68 |
69 |
70 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
71 |
--------------------------------------------------------------------------------
/databases/redis/redis-cluster/tasks/redis_cluster.yml:
--------------------------------------------------------------------------------
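---
# The apt pin "*<redis_version>*" is a glob: it matches any package version
# string that merely contains redis_version (so "7.2" also matches "7.2.4"),
# and an unset redis_version installs whatever the repository offers.
# Retried because the apt lock is frequently held by unattended-upgrades.
- name: "Install Redis packages"
  apt:
    name: '{{ item }}=*{{ redis_version | default("*") }}*'
    state: present
    update_cache: true
  become: true
  loop:
    - redis-server
    - redis-tools
  notify:
    - Stop Redis
  tags:
    - setup_redis
    - install_redis
  register: package_res
  retries: 5
  until: package_res is success

# Both node types are configured by the same task file, parameterised through
# the redis_cluster_* vars; the host's inventory group selects the role.
- name: "Setup Master nodes:"
  include_tasks: redis_cluster_nodes.yml
  vars:
    redis_cluster_role: master
    redis_cluster_dir: "{{ redis_master_dir }}"
    redis_cluster_config: "{{ redis_cluster_master_config }}"
    redis_cluster_port: "{{ redis_master_port }}"
    redis_cluster_pidfile: "{{ redis_master_pidfile }}"
    redis_cluster_logfile: "{{ redis_master_logfile }}"
  when:
    - inventory_hostname in groups['master_servers']
  tags:
    - setup_redis
    - create_nodes

- name: "Setup Slave nodes:"
  include_tasks: redis_cluster_nodes.yml
  vars:
    redis_cluster_role: slave
    redis_cluster_dir: "{{ redis_slave_dir }}"
    redis_cluster_config: "{{ redis_cluster_slave_config }}"
    redis_cluster_port: "{{ redis_slave_port }}"
    redis_cluster_pidfile: "{{ redis_slave_pidfile }}"
    redis_cluster_logfile: "{{ redis_slave_logfile }}"
  when:
    - inventory_hostname in groups['replication_servers']
  tags:
    - setup_redis
    - create_nodes

# Only the first master queries and (below) creates the cluster. A failing
# info command is tolerated here and handled through cluster_info.rc.
- name: Get redis cluster info
  command: "{{ redis_cluster_info }}"
  register: cluster_info
  changed_when: false
  failed_when: false
  when: inventory_hostname == groups['master_servers'][0]

- name: Print cluster info
  debug:
    var: cluster_info.stdout_lines
  when: inventory_hostname == groups['master_servers'][0]

# "cluster_known_nodes:1" means the node only knows itself, i.e. no cluster
# has been formed yet; this keeps the create command from running twice.
- name: Create cluster
  command: "{{ redis_cluster_create }}"
  when: 'inventory_hostname == groups["master_servers"][0] and cluster_info.rc == 0 and "cluster_known_nodes:1" in cluster_info.stdout_lines'
  register: cluster_creation_result
  tags:
    - create_cluster

- name: Print the redis cluster creation results
  debug:
    var: cluster_creation_result.stdout_lines
  when: cluster_creation_result.changed and inventory_hostname == groups['master_servers'][0]
  tags:
    - create_cluster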
--------------------------------------------------------------------------------
/logging/vector/tasks/docker.yml:
--------------------------------------------------------------------------------
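# Install python3-apt, which package_facts needs to read the apt database.
- name: Ensure python3-apt libraries are installed.
  apt:
    name: python3-apt
    state: present
    update_cache: true

# Gather the installed-package list into ansible_facts.packages.
- name: Check packages is installed
  package_facts:
    manager: "auto"

# Run the docker role only when docker-ce is not already installed.
- ansible.builtin.include_role:
    name: docker
  when: "'docker-ce' not in ansible_facts.packages"

# Capture the daemon version. The escaped braces survive Jinja rendering as
# the literal Go template '{{.Server.Version}}'.
- name: Get docker version
  command: "docker version --format '{{ '{{' }}.Server.Version{{ '}}' }}'"
  register: docker_version
  changed_when: false

# The registered variable is docker_version (there is no 'version' fact).
- debug: var=docker_version.stdout

# Use the 'version' test: comparing the strings with '>' / '<' is
# lexicographic (e.g. "100.0.0" sorts below "19.03.11") and left a daemon
# at exactly 19.03.11 with no compose file version at all. Neither
# docker_compose_file_version nor docker_command is used by the tasks in
# this file; presumably they are consumed elsewhere in the role.
- name: Set docker-compose file version 3.8 for docker 19.03.11 or newer
  when: docker_version.stdout is version('19.03.11', '>=')
  set_fact:
    docker_compose_file_version: '3.8'

- name: Set docker-compose file version 2.0 for docker older than 19.03.11
  when: docker_version.stdout is version('19.03.11', '<')
  set_fact:
    docker_compose_file_version: '2.0'

# Probe for the standalone docker-compose binary. 'command -v' is a shell
# builtin, so the shell module is required. A non-zero rc is the expected
# "not installed" answer rather than a failure, so the task is never marked
# failed (the rc is still registered for the tasks below).
- name: Check is docker-compose installed
  shell: command -v docker-compose >/dev/null 2>&1
  register: is_docker_compose_install
  changed_when: false
  failed_when: false

- debug: msg="{{ is_docker_compose_install.rc }}" # rc 1 simply means the binary is absent

- debug: var=is_docker_compose_install

# Prefer the standalone binary when present, otherwise the compose plugin.
- name: Choose docker-compose command aka "docker-compose"
  when: is_docker_compose_install.rc == 0
  set_fact:
    docker_command: "docker-compose"

- name: Choose docker-compose command aka "docker compose"
  when: is_docker_compose_install.rc != 0
  set_fact:
    docker_command: "docker compose"

# The bind-mount source below must exist as a regular file before the
# container starts; otherwise Docker creates a directory at that path. The
# old 'touch' failed whenever /etc/vector itself was missing, and
# ignore_errors hid exactly that failure.
- name: Ensure vector configuration directory exists
  file:
    path: /etc/vector
    state: directory
    mode: '0755'
    owner: root
    group: root

- name: Ensure vector configuration file exists
  file:
    path: /etc/vector/vector.yaml
    state: touch
    # keep existing timestamps so the task is idempotent instead of
    # reporting "changed" on every run
    modification_time: preserve
    access_time: preserve

# nightly-debian is a moving, unpinned tag, so every pull may bring a
# different build. vector_docker_image lets a deployment pin a release tag
# (or a digest) without changing the default behaviour.
- name: Run Vector container
  community.docker.docker_container:
    name: vector
    image: "{{ vector_docker_image | default('timberio/vector:nightly-debian') }}"
    state: started
    restart_policy: always
    ports:
      # Bound on every host interface unless prefixed with a bind address
      # (e.g. "127.0.0.1:8686:8686"); adjust if the port should not be
      # reachable from the network.
      - "8686:8686"
    volumes:
      - /etc/vector/vector.yaml:/etc/vector/vector.yaml:ro
    env:
      VECTOR_ENV: production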
--------------------------------------------------------------------------------
/basic/common/README.md:
--------------------------------------------------------------------------------
1 | An Ansible role that makes initial configuration for servers
2 |
3 | ## Supported distributions
4 |
5 | Note (for AWS): AMIs for these images differ by region, but that is fine: the images themselves are the same. To find the AMI you need, go to Images/AMIs and search for the image name. Below are examples of AMIs for the us-west-2 region.
6 |
7 | * Debian [11.8, 12.4]
8 | * AWS:
9 | - debian-11-amd64-20231013-1532-a264997c-d509-4a51-8e85-c2644a3f8ba2 [ami-0197a20e1a9f83aff]
10 | - debian-12-amd64-20231210-1591-prod-s2fy2g55okxhk [ami-0e308c88c5d1b5022]
11 | * GCP:
12 | - Debian GNU/Linux 11 (bullseye), x86/64, amd64
13 | - Debian GNU/Linux 12 (bookworm), x86/64, amd64
14 | * YandexCloud:
15 | - Debian 11 [fd8lmueoqum660atdd5r]
16 | - Debian 12 [fd8dfiq123s8j82s85il]
17 | * SberCloud:
18 | - Debian 11 [737527dd-2182-4ba9-aad9-adbd46750c5f]
19 |
20 | * Ubuntu [20.04, 22.04]
21 | * AWS:
22 | - ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20240126-aced0818-eef1-427a-9e04-8ba38bada306 [ami-0875d33dff2aae0d5]
23 | - ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240126-47489723-7305-4e22-8b22-b0d57054f216 [ami-0b007b61391a250a1]
24 | * GCP:
25 | - Ubuntu 20.04 LTS, x86/64, amd64, focal
26 | - Ubuntu 22.04 LTS, x86/64, amd64, jammy
27 | * YandexCloud:
28 | - Ubuntu 20.04 [fd8bt3r9v1tq5fq7jcna]
29 | - Ubuntu 22.04 [fd8s78up10fbjbe5atn7]
30 | * SberCloud:
31 | - Ubuntu 20.04 [649a6095-b042-4a4c-bb37-f4670cb472a3]
32 | - Ubuntu 22.04 [475decdf-7455-475e-8714-fa69cd3d778a]
33 |
34 | ## Role variables
35 |
36 | Available variables are listed below, along with their default values (see `defaults/main.yml`):
37 | | Variable | Description | Default value |
38 | | --- | --- | --- |
39 | | **timezone** | Preferable timezone | UTC |
40 | | **domain** | Name of the server | {{ inventory_hostname }} |
41 | | **dist_upgrade** | Making dist-upgrade | true |
42 | | **locale_default** | Default locale | en_US.UTF-8 |
43 | | **locale_keymap** | Locale keymap (except Debian 12) | us |
44 | | **ansible_major_version** | Major acceptable Ansible version | 2 |
45 | | **ansible_minor_version** | Minor acceptable Ansible version | 14 |
46 |
47 | ## Inventory file example
48 |
49 | ```
50 | [common]
51 | debian ansible_ssh_host=192.168.251.2 ansible_ssh_port=22 ansible_become=yes ansible_become_method=sudo ansible_user=$CLOUD_SSH_USER ansible_ssh_private_key_file=$PATH_TO_PRIVATE_KEY
52 | ```
53 |
54 |
55 |
--------------------------------------------------------------------------------
/databases/redis/redis-sentinel/defaults/main.yml:
--------------------------------------------------------------------------------
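---
# ansible versions
ansible_major_version: 2
ansible_minor_version: 14

## Installation options
redis_deploy_method: host
# Quoted so the value stays a string: an unquoted 7.2 is parsed as a float,
# and a future "7.10" would silently become 7.1.
redis_version: "7.2"
redis_docker_version: 7.0.11
redis_package_link: https://packages.redis.io/gpg
redis_package_gpg: /usr/share/keyrings/redis-archive-keyring.gpg
redis_repository: "deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] https://packages.redis.io/deb {{ ansible_distribution_release }} main"

redis_conf_file: /etc/redis/redis.conf
redis_daemon: redis-server
redis_port: 6379
redis_dir: /var/lib/redis
# Listens on loopback and on the host's inventory address, i.e. on a
# network-reachable interface.
redis_bind: "{{'127.0.0.1 ' + ansible_host }}"
# false means no password is required. Combined with redis_bind above this
# exposes an unauthenticated Redis to every host that can reach ansible_host;
# set a password (and redis_masterauth below to match) for any deployment
# reachable from other machines.
redis_password: false

## General configuration
redis_databases: 16
redis_pidfile: /var/run/redis/redis-server.pid
redis_loglevel: notice
redis_slowlog_log_slower_than: 10000
redis_slowlog_max_len: 128
redis_maxmemory: false
redis_maxmemory_policy: noeviction

## Logging
# The inner double quotes are intentional: the value is written verbatim
# into redis.conf, which expects the path quoted.
redis_logfile: '"/var/log/redis/redis-server.log"'

## RDB Backup
redis_db_filename: "dump.rdb"
redis_save:
  - 900 1
  - 300 10
  - 60 10000
# "yes"/"no" are quoted on purpose: redis.conf wants the literal words, and
# unquoted they would be parsed as YAML booleans.
redis_stop_writes_on_bgsave_error: "yes"
redis_rdbcompression: "yes"
redis_rdbchecksum: "yes"
redis_appendonly: "no"
redis_appendfilename: "appendonly.aof"
redis_appendfsync: "everysec"
redis_no_appendfsync_on_rewrite: "no"
redis_auto_aof_rewrite_percentage: "100"
redis_auto_aof_rewrite_min_size: "64mb"
redis_notify_keyspace_events: '""'
redis_client_output_buffer_limit_normal: 0 0 0
redis_client_output_buffer_limit_slave: 256mb 64mb 60
redis_client_output_buffer_limit_pubsub: 32mb 8mb 60
redis_hz: 10

## Advanced
redis_activedefrag: "no"
# Password the replicas use to authenticate to the master; must equal the
# master's redis_password when one is set.
redis_masterauth: ""
# NOTE(review): hard-codes the master's interface name as eth0; hosts with
# predictable interface names (ens*, enp*) will fail to render this —
# ansible_default_ipv4.address avoids the assumption.
redis_slaveof: "{{ hostvars[groups['master_servers'][0]]['ansible_eth0']['ipv4']['address'] }} {{ redis_port }}"

#Sentinel
redis_sentinel_conf_file: /etc/redis/sentinel.conf
redis_sentinel_port: 26379
redis_sentinel_pid: /var/run/redis-sentinel.pid
redis_sentinel_logfile: /var/log/redis/sentinel.log
# /tmp is world-writable and usually cleared on reboot; a dedicated directory
# (e.g. under /var/lib/redis) is the safer choice for sentinel's working dir.
redis_sentinel_dir: /tmp
# Same eth0 assumption as redis_slaveof above.
redis_sentinel_master: "{{ hostvars[groups['master_servers'][0]]['ansible_eth0']['ipv4']['address'] }} {{ redis_port }}"

#ACL
redis_ACL_rules: []

# Docker
redis_docker_subnet: 172.18.1.0/24
redis_docker_ip: 172.18.1.2
redis_sentinel_docker_subnet: 172.18.2.0/24
redis_sentinel_docker_ip: 172.18.2.2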
--------------------------------------------------------------------------------
/databases/mysql/percona_server/tasks/docker.yml:
--------------------------------------------------------------------------------
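---
# Install python3-apt, which package_facts needs to read the apt database.
- name: Ensure python3-apt libraries are installed.
  apt:
    name: python3-apt
    state: present
    update_cache: true

# Gather the installed-package list into ansible_facts.packages.
- name: Check packages is installed
  package_facts:
    manager: "auto"

# Run the docker role only when docker-ce is not already installed.
- ansible.builtin.include_role:
    name: docker
  when: "'docker-ce' not in ansible_facts.packages"

# Volume directories are chowned to 1001 for 8.0 and newer and to 999
# otherwise — presumably the uid the percona image runs as; confirm against
# the image. The 'version' test compares the components numerically and
# accepts both a float and a string value, whereas a plain '>= 8.0' raises on
# a string. Note that 'recurse' re-applies ownership to the whole data tree
# on every run.
- name: Create MySQL directories
  ansible.builtin.file:
    path: "{{ mysql_docker_directory_for_volumes }}/{{ mysql_docker_container_name }}/volumes/{{ item }}"
    state: directory
    recurse: true
    owner: "{{ 1001 if mysql_percona_version is version('8.0', '>=') else 999 }}"
    group: "{{ 1001 if mysql_percona_version is version('8.0', '>=') else 999 }}"
  loop:
    - "conf"
    - "data"
    - "logs"
  when: mysql_percona_version is version('8.0', '>=') or mysql_percona_version is version('5.7', '==')

# No mode is given, so my.cnf gets the module's default permissions; set one
# explicitly if the template ever carries credentials.
- name: Add MySQL config
  template:
    src: etc/mysql/my.cnf.j2
    dest: "{{ mysql_docker_directory_for_volumes }}/{{ mysql_docker_container_name }}/volumes/conf/my.cnf"
    owner: root
    group: root

# Client credentials for root; quoted mode so YAML does not turn the octal
# literal into an integer.
- name: Add /root/.my.cnf
  template:
    src: root/.my.cnf.j2
    dest: /root/.my.cnf
    owner: root
    group: root
    mode: '0600'

- name: Create Docker network
  docker_network:
    name: "{{ mysql_docker_network_name }}"
    state: present
    ipam_config:
      - subnet: "{{ mysql_docker_subnet }}"

# The root password is passed as a container environment variable and is
# therefore readable by anyone who can inspect containers on the host. The
# published port is bound on every host interface unless mysql_port carries
# a bind address (e.g. "127.0.0.1:3306"); restrict it at the firewall when
# the host is reachable from other networks.
- name: Run Percona MySQL in Docker
  docker_container:
    env:
      MYSQL_ROOT_PASSWORD: "{{ mysql_root_password }}"
    image: "percona:{{ mysql_percona_version }}"
    name: "{{ mysql_docker_container_name }}"
    network_mode: "{{ mysql_docker_network_name }}"
    networks:
      - name: "{{ mysql_docker_network_name }}"
        ipv4_address: "{{ mysql_docker_ip }}"
    ports:
      - "{{ mysql_port }}:3306"
    pull: true
    recreate: true
    restart_policy: always
    state: started
    volumes:
      - "{{ mysql_docker_directory_for_volumes }}/{{ mysql_docker_container_name }}/volumes/conf/my.cnf:/etc/my.cnf"
      - "{{ mysql_docker_directory_for_volumes }}/{{ mysql_docker_container_name }}/volumes/data:/var/lib/mysql"
      - "{{ mysql_docker_directory_for_volumes }}/{{ mysql_docker_container_name }}/volumes/logs:/var/log/mysql"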
--------------------------------------------------------------------------------
/message_brokers/rabbitmq/standalone/tasks/docker.yml:
--------------------------------------------------------------------------------
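---
# RabbitMQ standalone deployment in Docker: installs Docker if missing,
# detects which compose command the host has, templates the config and
# starts the container.

# Install python3-apt needed for check packages
- name: Ensure python3-apt libraries are installed.
  apt:
    name: python3-apt
    state: present
    update_cache: true

# Check packages is installed
- name: Check packages is installed
  package_facts:
    manager: "auto"

# Docker role
- ansible.builtin.include_role:
    name: docker
  when: "'docker-ce' not in ansible_facts.packages"

# Check docker version
- name: Get docker version
  shell: "docker version --format '{{ '{{' }}.Server.Version{{ '}}' }}'"
  register: docker_version
  changed_when: false

# The registered variable is docker_version; the old `version.stdout` was undefined
- debug:
    var: docker_version.stdout

# Pick the compose file format from the engine version, compared with the
# `version` test rather than string operators: a lexical `>` / `<` misorders
# e.g. "9.x" against "19.x", and an engine reporting exactly "19.03.11"
# matched neither branch, leaving docker_compose_file_version undefined.
- name: Set docker-compsoe version 3.8 for docker hier than 19.03.11
  when: docker_version.stdout is version('19.03.11', '>=')
  set_fact:
    docker_compose_file_version: '3.8'

- name: Set docker-compsoe version 2.0 for docker lower than 19.03.11
  when: docker_version.stdout is version('19.03.11', '<')
  set_fact:
    docker_compose_file_version: '2.0'

# Check docker-compose installation.
# A non-zero rc only means the v1 binary is absent: don't mark the task failed
# (ignore_errors still prints it red) and don't report it as changed.
- name: Check is docker-compose installed
  shell: command -v docker-compose >/dev/null 2>&1
  register: is_docker_compose_install
  changed_when: false
  failed_when: false

- debug:
    msg: "{{ is_docker_compose_install.rc }}"  # rc 1 when only the compose plugin is present

- debug:
    var: is_docker_compose_install

# set_fact cannot fail, so ignore_errors was dropped from both selectors
- name: Choose docker-compose command aka "docker-compose"
  when: is_docker_compose_install.rc == 0
  set_fact:
    docker_command: "docker-compose"

- name: Choose docker-compose command aka "docker compose"
  when: is_docker_compose_install.rc != 0
  set_fact:
    docker_command: "docker compose"

- name: Pull RabbitMQ Docker image
  docker_image:
    name: "{{ rabbitmq_image }}"
    source: pull

# Config changes trigger a container restart through the handler
- name: Template RabbitMQ configuration file for Docker deployment
  template:
    src: rabbitmq.config.j2
    dest: "{{ rabbitmq_config_dir }}/rabbitmq.config"
  notify:
    - "Restart RabbitMQ container"

# NOTE(review): rabbitmq_ports is published as given — check the defaults bind
# management/AMQP ports to the intended address rather than every interface.
- name: Run RabbitMQ container
  community.docker.docker_container:
    name: "{{ rabbitmq_container_name }}"
    image: "{{ rabbitmq_image }}"
    state: started
    ports: "{{ rabbitmq_ports }}"
    restart_policy: unless-stopped
    volumes:
      - "{{ rabbitmq_config_dir }}:/etc/rabbitmq"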
--------------------------------------------------------------------------------
/web-servers/haproxy/tasks/docker.yml:
--------------------------------------------------------------------------------
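---
# HAProxy in Docker via docker-compose: installs Docker if missing, detects
# the compose command, templates haproxy.cfg and docker-compose.yml, brings
# the stack up.

# Install python3-apt needed for check packages
- name: Ensure python3-apt libraries are installed.
  apt:
    name: python3-apt
    state: present
    update_cache: true

# Check packages is installed
- name: Check packages is installed
  package_facts:
    manager: "auto"

# Docker role
- ansible.builtin.include_role:
    name: container_engines/docker
  when: "'docker-ce' not in ansible_facts.packages"

# Check docker version
- name: Get docker version
  shell: "docker version --format '{{ '{{' }}.Server.Version{{ '}}' }}'"
  register: docker_version
  changed_when: false

# The registered variable is docker_version; the old `version.stdout` was undefined
- debug:
    var: docker_version.stdout

# Pick the compose file format from the engine version, compared with the
# `version` test rather than string operators: a lexical `>` / `<` misorders
# e.g. "9.x" against "19.x", and an engine reporting exactly "19.03.0"
# matched neither branch, leaving docker_compose_file_version undefined.
- name: Set docker-compsoe version 3.8 for docker hier than 19.03.0
  when: docker_version.stdout is version('19.03.0', '>=')
  set_fact:
    docker_compose_file_version: '3.8'

# NOTE(review): the task name says 2.4 but the value set is '2.2' — confirm
# which format version docker-compose.yml.j2 expects.
- name: Set docker-compsoe version 2.4 for docker lower than 19.03.0
  when: docker_version.stdout is version('19.03.0', '<')
  set_fact:
    docker_compose_file_version: '2.2'

# Check docker-compose installation.
# A non-zero rc only means the v1 binary is absent: don't mark the task failed
# (ignore_errors still prints it red) and don't report it as changed.
- name: Check is docker-compose installed
  shell: command -v docker-compose >/dev/null 2>&1
  register: is_docker_compose_install
  changed_when: false
  failed_when: false

- debug:
    msg: "{{ is_docker_compose_install.rc }}"  # rc 1 when only the compose plugin is present

- debug:
    var: is_docker_compose_install

# set_fact cannot fail, so ignore_errors was dropped from both selectors
- name: Choose docker-compose command aka "docker-compose"
  when: is_docker_compose_install.rc == 0
  set_fact:
    docker_command: "docker-compose"

- name: Choose docker-compose command aka "docker compose"
  when: is_docker_compose_install.rc != 0
  set_fact:
    docker_command: "docker compose"

# Create directories
- name: Create haproxy directory
  file:
    path: /var/apps/haproxy/volumes/conf
    state: directory
    mode: '0751'
    owner: root
    group: root

# NOTE(review): no mode is set, so the file keeps the umask default or its
# existing mode; if the template renders stats/auth credentials, pin a mode.
- name: Add haproxy.cfg config
  template:
    src: etc/haproxy/haproxy.cfg.j2
    dest: /var/apps/haproxy/volumes/conf/haproxy.cfg
    owner: root
    group: root

# Setup Docker-compose
- name: Add docker-compose.yml
  template:
    src: 'docker-compose.yml.j2'
    dest: '/var/apps/haproxy/docker-compose.yml'

# `up -d` is re-run on every play; compose itself converges, but this task is
# always reported as changed because shell gives Ansible no signal.
- name: Docker-compose up
  shell:
    cmd: "{{ docker_command }} -f /var/apps/haproxy/docker-compose.yml up -d"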
--------------------------------------------------------------------------------
/basic/ssh-user/README.md:
--------------------------------------------------------------------------------
1 | An Ansible role that performs the initial configuration of an SSH user.
2 |
3 | ## Supported distributions
4 |
5 | Note (for AWS): the AMI IDs for these images differ by region, but the images themselves are the same. To find the AMI you need, go to Images/AMIs and search for the image name. Below are example AMIs for the us-west-2 region.
6 |
7 | * Debian [11.8, 12.4]
8 | * AWS:
9 | - debian-11-amd64-20231013-1532-a264997c-d509-4a51-8e85-c2644a3f8ba2 [ami-0197a20e1a9f83aff]
10 | - debian-12-amd64-20231210-1591-prod-s2fy2g55okxhk [ami-0e308c88c5d1b5022]
11 | * GCP:
12 | - Debian GNU/Linux 11 (bullseye), x86/64, amd64
13 | - Debian GNU/Linux 12 (bookworm), x86/64, amd64
14 | * YandexCloud:
15 | - Debian 11 [fd8lmueoqum660atdd5r]
16 | - Debian 12 [fd8dfiq123s8j82s85il]
17 | * SberCloud:
18 | - Debian 11 [737527dd-2182-4ba9-aad9-adbd46750c5f]
19 |
20 | * Ubuntu [20.04, 22.04]
21 | * AWS:
22 | - ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20240126-aced0818-eef1-427a-9e04-8ba38bada306 [ami-0875d33dff2aae0d5]
23 | - ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240126-47489723-7305-4e22-8b22-b0d57054f216 [ami-0b007b61391a250a1]
24 | * GCP:
25 | - Ubuntu 20.04 LTS, x86/64, amd64, focal
26 | - Ubuntu 22.04 LTS, x86/64, amd64, jammy
27 | * YandexCloud:
28 | - Ubuntu 20.04 [fd8bt3r9v1tq5fq7jcna]
29 | - Ubuntu 22.04 [fd8s78up10fbjbe5atn7]
30 | * SberCloud:
31 | - Ubuntu 20.04 [649a6095-b042-4a4c-bb37-f4670cb472a3]
32 | - Ubuntu 22.04 [475decdf-7455-475e-8714-fa69cd3d778a]
33 |
34 | ## Role variables
35 |
36 | The available variables are listed below, along with their default values (see `defaults/main.yml`):
36 |
37 | | Variable | Description | Default value |
38 | | --- | --- | --- |
39 | | **users_create_per_user_group** | Creating a group with the same username as the user | true |
40 | | **users_group** | Primary group (if users_create_per_user_group is not set) | users |
41 | | **users_default_shell** | Default shell | /bin/bash |
42 | | **users_create_homedirs** | Creating home directories | true |
43 | | **ansible_major_version** | Major acceptable Ansible version | 2 |
44 | | **ansible_minor_version** | Minor acceptable Ansible version | 14 |
45 |
46 | Features:
47 |
48 | * The variable `allow_users` must be set when `ssh_permit_root_login=no`.
49 |
50 | ## Inventory file example
51 |
52 | ```
53 | [common]
54 | debian ansible_ssh_host=192.168.251.2 ansible_ssh_port=22 ansible_become=yes ansible_become_method=sudo ansible_user=$CLOUD_SSH_USER ansible_ssh_private_key_file=$PATH_TO_PRIVATE_KEY
55 | ```
56 |
--------------------------------------------------------------------------------
/web-servers/lets-encrypt/tasks/acmesh-docker.yml:
--------------------------------------------------------------------------------
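---
# acme.sh in Docker: a dedicated acme user/group, a certificate store the web
# server group can read, the build/compose setup, then one wildcard issuance
# per domain via DNS validation.

# Create user and group
- name: Create a acme group
  group:
    name: acme
    state: present

- name: Create a acme user
  user:
    name: acme
    state: present
    shell: /bin/bash
    home: /usr/local/scripts/acme
    group: acme

# Get User and Group ID (read-only lookups: never report them as changed)
- name: Get acme UID
  command: id -u acme
  register: user_id_output
  changed_when: false

- name: Display the User ID value
  debug:
    var: user_id_output.stdout

- name: Get acme GID
  command: id -g acme
  register: group_id_output
  changed_when: false

- name: Display the Group ID value
  debug:
    var: group_id_output.stdout

# Create Certificate store: owned by acme, readable by the www-data group
# (the web server needs the issued material), closed to everyone else.
- name: Create acmesh certs store
  file:
    path: "/etc/letsencrypt/acme/{{ item }}"
    state: directory
    owner: acme
    group: www-data
    mode: "0750"
  loop: "{{ lets_encrypt_domains }}"

# Create dir for docker-compose
- name: Create directory
  file:
    path: "/var/apps/{{ lets_encrypt_acme_client }}"
    state: directory
    mode: '0751'
    owner: root
    group: root

- name: Create Dockerfile directory
  file:
    path: "/var/apps/{{ lets_encrypt_acme_client }}/build/acmesh/"
    state: directory
    mode: '0751'
    owner: root
    group: root

# Add Dockerfile, baking in the host uid/gid so files written by the container
# are owned by the acme user on the host
- name: Add Dockerfile
  template:
    src: 'acmesh-dockerfile.j2'
    dest: '/var/apps/{{ lets_encrypt_acme_client }}/build/acmesh/Dockerfile'
  vars:
    docker_user_id: "{{ user_id_output.stdout }}"
    docker_group_id: "{{ group_id_output.stdout }}"

# Setup Docker-compose
- name: Add docker-compose.yml
  template:
    src: 'acmesh-docker-compose.yml.j2'
    dest: '/var/apps/{{ lets_encrypt_acme_client }}/docker-compose.yml'

# Both shell tasks are re-run every play and always report changed
- name: Docker-compose build
  shell:
    cmd: "{{ docker_command }} -f /var/apps/{{ lets_encrypt_acme_client }}/docker-compose.yml build"

- name: Docker-compose up
  shell:
    cmd: "{{ docker_command }} -f /var/apps/{{ lets_encrypt_acme_client }}/docker-compose.yml up -d"

# Create certificate.
# become is set explicitly: become_user on its own has no effect unless
# privilege escalation is enabled at play level, and without it the command
# runs as the connecting user instead of acme.
# NOTE(review): --issue is re-run on every play; confirm how acme.sh exits when
# the certificate is already current, otherwise register the result and set
# changed_when so the Nginx reload only fires on a real issuance.
- name: Make config for domain
  become: true
  become_user: acme
  command: /usr/local/scripts/acme/acme.sh --issue -d {{ item }} -d '*.{{ item }}' --dns {{ lets_encrypt_dns_function }}
  notify:
    - Reload Nginx
  loop: "{{ lets_encrypt_domains }}"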
--------------------------------------------------------------------------------
/databases/mariadb/galera_cluster/tasks/docker.yml:
--------------------------------------------------------------------------------
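---
# MariaDB Galera cluster in Docker (compose v2). The first host of the
# mariadb group bootstraps the cluster; the remaining hosts join afterwards.

# Install python3-apt needed for check packages
- name: Ensure python3-apt libraries are installed.
  apt:
    name: python3-apt
    state: present
    update_cache: true

# #Check packages is installed
# - name: Check packages is installed
#   package_facts:
#     manager: "auto"

# #Docker role
# - ansible.builtin.include_role:
#     name: docker
#   when: "'docker-ce' not in ansible_facts.packages"

# Create directories
# NOTE(review): 1001 is presumably the uid/gid the image runs mysqld as —
# confirm against the image used in docker-compose.yml.j2.
- name: Create MariaDB directories
  ansible.builtin.file:
    path: "{{ mariadb_docker_directory_for_volumes }}/{{ mariadb_docker_container_name }}/volumes/{{ item }}"
    state: directory
    recurse: true
    owner: "1001"
    group: "1001"
  loop:
    - "conf"
    - "data"
    - "logs"

- name: Add MariaDB config
  template:
    src: etc/mysql/my.cnf.j2
    dest: "{{ mariadb_docker_directory_for_volumes }}/{{ mariadb_docker_container_name }}/volumes/conf/my.cnf"
    owner: root
    group: root

# Root client credentials on the host: private file, kept out of task/--diff output
- name: Add /root/.my.cnf
  template:
    src: root/.my.cnf.j2
    dest: /root/.my.cnf
    owner: root
    group: root
    mode: "0600"
  no_log: true  # presumably renders the root DB password — confirm against the template

- name: Configure Galera cluster
  template:
    src: galera.cnf.j2
    dest: "{{ mariadb_docker_directory_for_volumes }}/{{ mariadb_docker_container_name }}/volumes/conf/galera.cnf"
  # notify: Restart MariaDB
  become: true

- name: Copy Docker Compose file
  template:
    src: "docker-compose.yml.j2"
    dest: "{{ mariadb_docker_directory_for_volumes }}/{{ mariadb_docker_container_name }}/docker-compose.yml"
  # when: inventory_hostname == groups['mariadb'][0]

# Bootstrap node. run_once was dropped: combined with `when`, Ansible evaluates
# the condition on the first host of the play only, so whenever that host was
# not groups['mariadb'][0] the bootstrap was skipped on every host. The `when`
# alone already limits the task to the single bootstrap host.
- name: Run docker-compose up on master host
  community.docker.docker_compose_v2:
    project_src: "{{ mariadb_docker_directory_for_volumes }}/{{ mariadb_docker_container_name }}"
    files:
      - docker-compose.yml
  when: inventory_hostname == groups['mariadb'][0]

#- name: Copy Docker Compose file other hosts
#  template:
#    src: "docker-compose.yml.j2"
#    dest: "{{ mariadb_docker_directory_for_volumes }}/{{ mariadb_docker_container_name }}/docker-compose.yml"
#  when: inventory_hostname != groups['mariadb'][0]

# Joining nodes. Tasks run in lock-step, so this starts only after the
# bootstrap task returned — but compose returning does not mean MariaDB is
# already accepting wsrep connections. NOTE(review): a wait_for on the
# bootstrap node's Galera port before this task would make the join reliable.
- name: Run docker-compose up other hosts
  community.docker.docker_compose_v2:
    project_src: "{{ mariadb_docker_directory_for_volumes }}/{{ mariadb_docker_container_name }}"
    files:
      - docker-compose.yml
  when: inventory_hostname != groups['mariadb'][0]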
--------------------------------------------------------------------------------
/databases/mysql/galera_cluster_with_arbitrator/tasks/main.yml:
--------------------------------------------------------------------------------
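---
# Galera cluster (MySQL wsrep) with arbitrator: version/OS gates, Codership
# repository setup, then dispatch to the cluster or arbitrator task file by
# inventory group.

# Require at least ansible_major_version.ansible_minor_version, compared as a
# version string. The old `major >= X and minor >= Y` rejected e.g. 3.0 when
# 2.14 was required, and the `{{ }}` delimiters inside `that:` (already a
# templated conditional) trigger the "conditional statements should not
# include jinja2 templating delimiters" warning.
- name: "Check Ansible version"
  assert:
    msg: "Ansible {{ ansible_version.full }} is not supported. You should have at least Ansible {{ ansible_major_version }}.{{ ansible_minor_version }}.*"
    that:
      - "ansible_version.full is version(ansible_major_version ~ '.' ~ ansible_minor_version, '>=')"

# Supported: Debian 11-12 and Ubuntu 20-22
- name: Check OS family and version
  fail: msg='The operating system ({{ ansible_distribution }} {{ ansible_distribution_version }}) is not supported'
  when: >-
    ((ansible_distribution != 'Debian' or (ansible_distribution_major_version|int < 11 or ansible_distribution_major_version|int > 12))) and
    ((ansible_distribution != 'Ubuntu' or (ansible_distribution_major_version|int < 20 or ansible_distribution_major_version|int > 22)))

### Install packages
### https://galeracluster.com/library/documentation/install-mysql.html

# TODO: verify this package set on the cloud distributions
- name: Install pre-reqs (Debian)
  apt:
    pkg: "{{ debian_pre_req_packages }}"
    state: present
    update_cache: true
  environment:
    DEBIAN_FRONTEND: noninteractive
  when: ansible_distribution == 'Debian'

- name: Install pre-reqs (Ubuntu)
  apt:
    pkg: "{{ ubuntu_pre_req_packages }}"
    state: present
    update_cache: true
  environment:
    DEBIAN_FRONTEND: noninteractive
  when: ansible_distribution == 'Ubuntu'

# Enable the Codership repository.
# NOTE(review): apt_key puts the key in apt's global keyring, so it is trusted
# for every configured repository, and apt-key is deprecated on current
# Debian/Ubuntu. Storing the key under /etc/apt/keyrings and referencing it
# with [signed-by=...] in the repo lines below scopes the trust to this repo.
- name: Add GnuPG key
  apt_key:
    keyserver: "{{ codership_repo_keyserver }}"
    id: "{{ codership_repo_key }}"
    state: "present"

- name: Add repo
  apt_repository:
    repo: "{{ item }}"
    state: present
    update_cache: true
    filename: galera.list
  with_items:
    - deb https://releases.galeracluster.com/mysql-wsrep-{{ mysql_wsrep_version }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main
    - deb https://releases.galeracluster.com/galera-{{ galera_version }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main

# Pin the Codership packages above the distribution's own
- name: Copy galera preferences template
  template:
    src: galera.pref.j2
    dest: /etc/apt/preferences.d/galera.pref
    owner: root
    group: root
    mode: '0644'

- name: Update package list
  apt:
    update_cache: true

# Galera Cluster
- import_tasks: galera_cluster.yml
  when: "'galera-cluster' in group_names"

# Galera Arbitrator
- import_tasks: galera_arbitrator.yml
  when: "'galera-arbitrator' in group_names"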
--------------------------------------------------------------------------------