diff --git a/common/borgbackup/templates/logrotate b/common/borgbackup/templates/logrotate index b17a8fe9713f6db8be1fc310a76ead124887ce27..6803ba0b2b309475fdbc2aafb777a8bb5ad952a8 100644 --- a/common/borgbackup/templates/logrotate +++ b/common/borgbackup/templates/logrotate @@ -1,4 +1,4 @@ -/var/log/borgbackup/borgbackup.log { +/var/log/borgbackup/*.log { rotate 12 monthly compress diff --git a/common/borgserver/tasks/main.yml b/common/borgserver/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..5d1264d3d1b3ffef603e9aceea19198070329c32 --- /dev/null +++ b/common/borgserver/tasks/main.yml @@ -0,0 +1,30 @@ +--- +# Pakete installieren +- name: pakete installieren + apt: + pkg: "{{ item }}" + update_cache: yes + state: installed + with_items: + - borgbackup + +# User for private backups +- name: create backup user account + user: + name: "{{ item.key }}" + group: "users" + home: "/data/{{ item.key }}" + createhome: yes + with_dict: "{{ borgbackup_user }}" + +- name: create authorized_keys for users 1 + file: + path: "/data/{{ item.key }}/.ssh" + state: "directory" + with_dict: "{{ borgbackup_user }}" + +- name: create authorized_keys for users 2 + template: + src: authorized_keys + dest: "/data/{{ item.key }}/.ssh/authorized_keys" + with_dict: "{{ borgbackup_user }}" diff --git a/common/borgserver/templates/authorized_keys b/common/borgserver/templates/authorized_keys new file mode 100644 index 0000000000000000000000000000000000000000..bb93d25cc738b86809f5a07493ea2d2ca8a42969 --- /dev/null +++ b/common/borgserver/templates/authorized_keys @@ -0,0 +1,3 @@ +{% for sshkey in item.value.sshkeys %} +{{ sshkey }} +{% endfor %} \ No newline at end of file diff --git a/common/docker/tasks/main.yml b/common/docker/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..0eec4ee06feac6885312d556507ed2041953d83b --- /dev/null +++ b/common/docker/tasks/main.yml 
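Review bot: The `.ssh` directory and `authorized_keys` created for each backup user in common/borgserver/tasks/main.yml are written by root with no `owner`, `group` or `mode`, so they end up root-owned in a home that belongs to `{{ item.key }}`; with sshd's default `StrictModes` a `.ssh` directory not owned by the login user is typically rejected and the keys never work. The keys themselves are emitted bare by the authorized_keys template, which gives every backup client an unrestricted shell on the backup server rather than the repository access it needs; the template should prefix each key with a forced command, e.g. `command="borg serve --restrict-to-path /data/{{ item.key }}",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding {{ sshkey }}`. The ownership fix for the two tasks is below.
```yaml
- name: create authorized_keys for users 1
  file:
    path: "/data/{{ item.key }}/.ssh"
    state: "directory"
    owner: "{{ item.key }}"
    group: "users"
    mode: "0700"
  with_dict: "{{ borgbackup_user }}"

- name: create authorized_keys for users 2
  template:
    src: authorized_keys
    dest: "/data/{{ item.key }}/.ssh/authorized_keys"
    owner: "{{ item.key }}"
    group: "users"
    mode: "0600"
  with_dict: "{{ borgbackup_user }}"
```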
@@ -0,0 +1,25 @@ +--- + +- name: install deb packages + apt: + pkg: "{{ item }}" + update_cache: yes + state: installed + with_items: + - docker-ce + - python + - python-pip + +- name: uninstall pip packages + pip: + name: docker-py + state: absent + +- name: install pip packages + pip: + name: "{{ item }}" + state: present + with_items: + - docker + - docker-compose + diff --git a/functions/get_secret.yml b/functions/get_secret.yml new file mode 100644 index 0000000000000000000000000000000000000000..eadd5693fb16ad44aebf3b28ed025cee0a26d97f --- /dev/null +++ b/functions/get_secret.yml 
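Review bot: The pip packages in the "install pip packages" task (`docker`, `docker-compose`) are unpinned, so every run installs whatever PyPI currently serves and the `docker_service` module used throughout this commit can change behaviour underneath the playbooks; pin them, e.g. `- docker==<pinned version>` and `- docker-compose==<pinned version>` (placeholders, pick the versions you tested against). `state: installed` in the apt task is a deprecated alias for `present`, and `update_cache: yes` should be the canonical `true`.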
@@ -0,0 +1,49 @@ +--- +# Hilfsfunktion zum auslesen lokal gespeicherter Secrets auf dem Server +# Die Secrets sind aus dem Server jeweils in einer Datei gespeichert +# Zum Auslesen wird die Datei über Slurp geladen und in einer Variable entsprechend dem +# Dateinamen registriert. +# Falls die Datei noch nicht existiert wird das Secret entsprechend der vorgegebenen +# Länge initialisiert +# +# Beispiel: (Auslesen von Passörtern aus /srv/xyz/secret_pw, registrierung als Variable secret_pw, erzeugung mit 24 Zeichen falls nicht vorhanden) +# +# - include: ../functions/get_secret.yml +# with_items: +# - { path: /srv/xyz/secret_pw, length: 24 } +# - { path: /srv/xyz/secret2_pw, length: 12 } + +# Check if file exists +- name: "{{ item.path | basename }} (check directory)" + file: + path: "{{ item.path | dirname }}" + state: "directory" + +# Check if file exists +- name: "{{ item.path | basename }} (check file)" + stat: + path: "{{ item.path }}" + register: filestat + +# Generate secret if missing +- name: "{{ item.path | basename }} (generate: install openssl)" + apt: + pkg: openssl + update_cache: no + state: installed + when: filestat.stat.exists == False + +- name: "{{ item.path | basename }} (generate: length = {{ item.length }})" + command: "openssl rand -base64 -out {{ item.path }} {{ item.length }}" + when: filestat.stat.exists == False + +# Get Secret +- name: "{{ item.path | basename }} (slurp)" + slurp: src={{ item.path }} + register: secretfile + +# Decode Secret and register fact +- name: "{{ item.path | basename }} (decode)" + set_fact: + "{{ item.path | basename }}": "{{ secretfile.content | b64decode | regex_replace('\\s', '') }}" + diff --git a/group_vars/all b/group_vars/all index 597cc00a9efb94430c3d1ada69ffa7d30a24d633..6321239bcc5c5bc6d9b9aa9cc192744a848fd2a3 100644 --- a/group_vars/all +++ b/group_vars/all 
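Review bot: The "generate" task writes the secret with `openssl rand -base64 -out {{ item.path }}`, which creates the file under the caller's umask — normally 0644 for root — so a freshly generated password is world-readable on the server unless the umask has been tightened elsewhere. Add an unconditional `file` task setting `mode: "0600"` after generation (this also repairs files that already exist), give the `command` a `creates:` guard so it is idempotent on its own, and replace `when: filestat.stat.exists == False` with `when: not filestat.stat.exists`. The slurp and decode tasks should also carry `no_log: true`, otherwise a verbose run prints the decoded secret.
```yaml
- name: "{{ item.path | basename }} (generate: length = {{ item.length }})"
  command: "openssl rand -base64 -out {{ item.path }} {{ item.length }}"
  args:
    creates: "{{ item.path }}"
  when: not filestat.stat.exists

- name: "{{ item.path | basename }} (restrict permissions)"
  file:
    path: "{{ item.path }}"
    mode: "0600"

# … unchanged: slurp and decode tasks, plus no_log: true on each …
```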
@@ -5,3 +5,6 @@ ldap_ip_ext: 10.0.20.2 # int ist noch ungenutzt / später replikation in der Zone ldap_ip_int: 10.0.20.2 + +ldap_base_dn: DC=warpzone,DC=ms +ldap_readonly_bind_dn: CN=readonly,DC=warpzone,DC=ms \ No newline at end of file diff --git a/host_vars/warpsrvext b/host_vars/warpsrvext index 1e89f59fb8950b07147b389ced61c57d4cfd43e0..3691f9540aa5cc88542dbc437e5c6c15332acdde 100644 --- a/host_vars/warpsrvext +++ b/host_vars/warpsrvext @@ -8,6 +8,7 @@ motd_lines: debian_sources: - "deb http://repo.myloc.de/debian jessie main non-free contrib" - "deb http://security.debian.org/ jessie/updates main contrib non-free" + - "deb http://ftp.debian.org/debian jessie-backports main" debian_keys: @@ -18,3 +19,11 @@ administratorenteam: - "commander1024" +borgbackup_user: + + warpzone: + + sshkeys: + - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID2EdE/pfN3L91XytQ3+KXLTxAvAGSUE6TKpHTcOcJWw root@warpsrvint" + - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENYus4S4XOaGHVL4B6vbnIrovtqaCT1lbEF73StiTt+ root@webserver" + diff --git a/host_vars/warpsrvint b/host_vars/warpsrvint index 48624fcc074506f88ecfc65627dea3e741a3e7d3..741dfea354ad4da9daf38e2670413c31a61170ac 100644 --- a/host_vars/warpsrvint +++ b/host_vars/warpsrvint @@ -9,10 +9,12 @@ debian_sources: - "deb http://debian.uni-duisburg-essen.de/debian/ jessie main non-free contrib" - "deb http://security.debian.org/ jessie/updates main contrib non-free" - "deb http://debian.uni-duisburg-essen.de/debian/ jessie-updates main contrib non-free" + - "deb http://ftp.debian.org/debian jessie-backports main" - "deb https://apt.dockerproject.org/repo debian-jessie main" - - "deb http://http.debian.net/debian jessie-backports main" + - "deb [arch=amd64] https://download.docker.com/linux/debian jessie stable" debian_keys: + - "https://download.docker.com/linux/debian/gpg" webserver_domains: - "infra" 
@@ -24,3 +26,67 @@ administratorenteam: - "sandhome" - "sandmobil" # - "ennox" (ssh key fehlt noch) + + +# Definition von Borgbackup Repositories +borgbackup_repos: + + warpsrvext: + + # URL des Repos + repo: "ssh://warpzone@217.79.181.126:/data/warpzone/warpsrvint" + + # Repo-spezifische Optionen zum Aufruf von Borgbackup + # z.B. bei Sicherungen zu rsync.net ist --remote-path=borg1 erforderlich + options: "" + + # Compression Options, z,b. "zlib,5, "zstd,5" + compression: "zlib,5" + + # Prune Optionen + prune: "--keep-within=2d --keep-daily=7 --keep-weekly=4 --keep-monthly=6" + + # Backup Schedule + weekday: "*" + hour: "6" + minute: "0" + + # Zusätzliche Verzeichnisse, die nur in diesem Backup gesichtert werden sollen + # directories: + + voidhome: + + # URL des Repos + repo: "ssh://warpzone@130.180.13.106:5201/data/warpzone/warpsrvint" + + # Repo-spezifische Optionen zum Aufruf von Borgbackup + # z.B. bei Sicherungen zu rsync.net ist --remote-path=borg1 erforderlich + options: "" + + # Compression Options, z,b. "zlib,5, "zstd,5" + compression: "zlib,5" + + # Prune Optionen + prune: "--keep-within=2d --keep-daily=7 --keep-weekly=4 --keep-monthly=6" + + # Backup Schedule + weekday: "*" + hour: "*/5" + minute: "0" + + # Zusätzliche Verzeichnisse, die nur in diesem Backup gesichtert werden sollen + # directories: + + +# Definition der Verzeichnisse, die in allen Borgbackup Repos gesichert werden sollen +borgbackup_directories: + - "/etc/" + - "/srv/" + + +borgbackup_user: + + warpzone: + + sshkeys: + - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENYus4S4XOaGHVL4B6vbnIrovtqaCT1lbEF73StiTt+ root@webserver" diff --git a/host_vars/webserver b/host_vars/webserver index 402850d03a5134c2a940a3d7d0efe70fa0b0289f..706af93e1418634333552f30ef614d820775a250 100644 --- a/host_vars/webserver +++ b/host_vars/webserver 
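Review bot: The `warpsrvext` repo URL `ssh://warpzone@217.79.181.126:/data/warpzone/warpsrvint` has a colon after the host with no port, which is not the form the `voidhome` entry uses (`host:5201/path`); borg's ssh URL syntax expects either `host/path` or `host:port/path`, so this entry is at best ambiguous and should become `ssh://warpzone@217.79.181.126/data/warpzone/warpsrvint` or carry the explicit port. The same string appears in the `warpsrvext` entry of host_vars/webserver added later in this commit. The comment `# Compression Options, z,b. "zlib,5, "zstd,5"` has unbalanced quotes and is copied into every repo block; `"zlib,5", "zstd,5"` would read correctly.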
@@ -15,19 +15,6 @@ debian_sources: debian_keys: - "https://download.docker.com/linux/debian/gpg" -borgbackup_weekday: "*" -borgbackup_hour: "4" -borgbackup_minute: "0" - -borgbackup_directories: - - "/etc/" - - "/srv/" - -borgbackup_prune: - - "--keep-within=2d" - - "--keep-daily=7" - - "--keep-weekly=4" - - "--keep-monthly=6" letsencrypt_tos_sha256: 6373439b9f29d67a5cd4d18cbc7f264809342dbf21cb2ba2fc7588df987a6221 @@ -37,6 +24,12 @@ webserver_domains: - "gitlab" - "infra" - "infra-test" + - "jabber" + - "muc.jabber" + - "proxy.jabber" + - "jabber-test" + - "muc.jabber-test" + - "proxy.jabber-test" - "ldap" - "mattermost" - "pad" 
@@ -50,4 +43,82 @@ administratorenteam: - "sandhome" - "sandmobil" - "commander1024" - \ No newline at end of file + + # Definition von Borgbackup Repositories +borgbackup_repos: + + warpsrvext: + + # URL des Repos + repo: "ssh://warpzone@217.79.181.126:/data/warpzone/webserver" + + # Repo-spezifische Optionen zum Aufruf von Borgbackup + # z.B. bei Sicherungen zu rsync.net ist --remote-path=borg1 erforderlich + options: "" + + # Compression Options, z,b. "zlib,5, "zstd,5" + compression: "zlib,5" + + # Prune Optionen + prune: "--keep-within=2d --keep-daily=7 --keep-weekly=4 --keep-monthly=6" + + # Backup Schedule + weekday: "*" + hour: "*/4" + minute: "0" + + # Zusätzliche Verzeichnisse, die nur in diesem Backup gesichtert werden sollen + # directories: + + warpsrvint: + + # URL des Repos + repo: "ssh://warpzone@192.168.0.201:22/data/warpzone/webserver" + + # Repo-spezifische Optionen zum Aufruf von Borgbackup + # z.B. bei Sicherungen zu rsync.net ist --remote-path=borg1 erforderlich + options: "" + + # Compression Options, z,b. "zlib,5, "zstd,5" + compression: "zlib,5" + + # Prune Optionen + prune: "--keep-within=2d --keep-daily=7 --keep-weekly=4 --keep-monthly=6" + + # Backup Schedule + weekday: "*" + hour: "*/5" + minute: "0" + + # Zusätzliche Verzeichnisse, die nur in diesem Backup gesichtert werden sollen + # directories: + + voidhome: + + # URL des Repos + repo: "ssh://warpzone@130.180.13.106:5201/data/warpzone/webserver" + + # Repo-spezifische Optionen zum Aufruf von Borgbackup + # z.B. bei Sicherungen zu rsync.net ist --remote-path=borg1 erforderlich + options: "" + + # Compression Options, z,b. 
"zlib,5, "zstd,5" + compression: "zlib,5" + + # Prune Optionen + prune: "--keep-within=2d --keep-daily=7 --keep-weekly=4 --keep-monthly=6" + + # Backup Schedule + weekday: "*" + hour: "*/4" + minute: "0" + + # Zusätzliche Verzeichnisse, die nur in diesem Backup gesichtert werden sollen + # directories: + + +# Definition der Verzeichnisse, die in allen Borgbackup Repos gesichert werden sollen +borgbackup_directories: + - "/etc/" + - "/srv/" + diff --git a/site.yml b/site.yml index dc39bc0f60d5cb9df53a0b501e5179ca78bb79b9..970bc0193079a11f5d3d3abff2d24618688d8dd7 100644 --- a/site.yml +++ b/site.yml @@ -5,6 +5,7 @@ - include: vorstandspi/main.yml - include: warphab/main.yml - include: warpsrvint/main.yml +- include: warpsrvext/main.yml - include: webserver/main.yml diff --git a/warpsrvext/main.yml b/warpsrvext/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..60eb14557860100241484164bef51b520bb79d6c --- /dev/null +++ b/warpsrvext/main.yml @@ -0,0 +1,7 @@ +--- + +- hosts: warpsrvext + remote_user: root + roles: + - { role: ../common/borgserver, tags: borgserver } + diff --git a/warpsrvint/docker_grafana/tasks/main.yml b/warpsrvint/docker_grafana/tasks/main.yml index 6078eda2b3bb6c9cc48ab1f63e81d39fa97db48f..c84ff0f2f7eaea6cc939241bb764d27ea048272b 100644 --- a/warpsrvint/docker_grafana/tasks/main.yml +++ b/warpsrvint/docker_grafana/tasks/main.yml 
@@ -1,29 +1,9 @@ --- -# Einige Secrets sind auf dem Server lokal gespeichert und werden von dort gelesen -# Auslesen der Dateien vom Server, zwischengespeicert wird in der Variable gitlab_secrets -# Anschließend müssen die entsprechenden Einträge aus gitlab_secrets extrahiert werden -# Die Daten, die von Slurp gelesen werden sind Base64 codiert -# Zur Sicherheit werden Whitespace-Zeichen entfert, damit z.B. Zeilenumbrüche nicht übernommen werden - -- name: get secrets from server 1 - slurp: src={{ item }} - with_items: - - /srv/ldap/secret/ldap_readonly_pass - register: warpinfra_secrets - -- name: get secrets from server 2 - set_fact: - ldap_readonly_pass: "{{ warpinfra_secrets.results | selectattr('item', 'equalto', '/srv/ldap/secret/ldap_readonly_pass') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}" - -- name: get secrets from server 1 - slurp: src={{ item }} +# Get secrets +- include: ../functions/get_secret.yml with_items: - - /srv/grafana/grafana_admin_pass - register: grafana_secrets - -- name: get secrets from server 2 - set_fact: - grafana_admin_pass: "{{ grafana_secrets.results | selectattr('item', 'equalto', '/srv/grafana/grafana_admin_pass') | map(attribute='content') | list | first | b64decode | regex_replace('\\s', '') }}" + - { path: /srv/ldap/secret/ldap_readonly_pass, length: 24 } + - { path: /srv/grafana/grafana_admin_pass, length: 12 } - name: create folder struct for grafana file: 
@@ -41,25 +21,19 @@ - ldap.toml register: config -- name: stop grafana-app docker - docker_container: - name: grafana-app +- name: Docker Compose Konfig-Datei erstellen + template: + src: "docker-compose.yml" + dest: "/srv/grafana/docker-compose.yml" + +- name: start grafana docker + docker_service: + project_src: /srv/grafana/ state: absent when: config.changed -- name: start grafana-app docker - docker_container: - name: grafana-app - image: grafana/grafana:4.4.1 - state: started - restart_policy: always - volumes: - - /srv/grafana/config/grafana.ini:/etc/grafana/grafana.ini - - /srv/grafana/config/ldap.toml:/etc/grafana/ldap.toml - - /srv/grafana/data/:/var/lib/grafana - ports: - - 3000:3000 - env: - GF_SERVER_ROOT_URL: "http://10.5.0.111:3000" - GF_SECURITY_ADMIN_PASSWORD: "{{ grafana_admin_pass }}" - +- name: start grafana docker + docker_service: + project_src: /srv/grafana/ + state: present + diff --git a/warpsrvint/docker_grafana/templates/docker-compose.yml b/warpsrvint/docker_grafana/templates/docker-compose.yml new file mode 100644 index 0000000000000000000000000000000000000000..bc76fe159a2401b470363d60640bf40dcd3577fa --- /dev/null +++ b/warpsrvint/docker_grafana/templates/docker-compose.yml @@ -0,0 +1,18 @@ +version: "3" + +services: + + db: + + image: grafana/grafana:5.0.4 + restart: always + ports: + - 3000:3000 + volumes: + - /srv/grafana/config/grafana.ini:/etc/grafana/grafana.ini + - /srv/grafana/config/ldap.toml:/etc/grafana/ldap.toml + - /srv/grafana/data/:/var/lib/grafana + environment: + GF_SERVER_ROOT_URL: "http://warpsrvint:3000" + GF_SECURITY_ADMIN_PASSWORD: "{{ grafana_admin_pass }}" + diff --git a/warpsrvint/docker_influxdb/tasks/main.yml b/warpsrvint/docker_influxdb/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..6c3054a825adaf92ea0b125958e7e75dbdf89531 --- /dev/null +++ b/warpsrvint/docker_influxdb/tasks/main.yml 
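Review bot: The rendered /srv/grafana/docker-compose.yml contains `GF_SECURITY_ADMIN_PASSWORD` in clear, but the "Docker Compose Konfig-Datei erstellen" template task sets no `mode`, so the file is created with the default (umask-derived, usually 0644) permissions and the admin password becomes readable by any local account; add `mode: "0600"` to that task. The docker_l4z0r, docker_librenms and docker_matestatdb roles introduced in this commit render database root passwords into their compose files with the same template shape and need the same `mode`. Two tasks in this hunk are both named "start grafana docker"; the `state: absent` one should be called "stop grafana docker" so the play output is readable.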
@@ -0,0 +1,18 @@
+---
+- name: create folder struct for influxdb
+ file:
+ path: "{{ item }}"
+ state: "directory"
+ with_items:
+ - "/srv/influxdb/"
+ - "/srv/influxdb/data/"
+
+- name: Docker Compose Konfig-Datei erstellen
+ template:
+ src: "docker-compose.yml"
+ dest: "/srv/influxdb/docker-compose.yml"
+
+- name: start influxdb docker
+ docker_service:
+ project_src: /srv/influxdb/
+ state: present
diff --git a/warpsrvint/docker_influxdb/templates/docker-compose.yml b/warpsrvint/docker_influxdb/templates/docker-compose.yml
new file mode 100644
index 0000000000000000000000000000000000000000..2a6d208a01ef91f0c079ed1b7cf6c371aecd52ef
--- /dev/null
+++ b/warpsrvint/docker_influxdb/templates/docker-compose.yml
@@ -0,0 +1,16 @@
+version: "3"
+
+services:
+
+ db:
+
+ image: influxdb:1.5.1
+ restart: always
+ ports:
+ - 8086:8086
+ - 2003:2003
+ volumes:
+ - /srv/influxdb/data/:/var/lib/influxdb
+ environment:
+ INFLUXDB_GRAPHITE_ENABLED: "true"
+
diff --git a/warpsrvint/docker_iobroker/tasks/main.yml b/warpsrvint/docker_iobroker/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..75a81c777a6914551b23dcf0c049ad9fd5d7548e
--- /dev/null
+++ b/warpsrvint/docker_iobroker/tasks/main.yml
@@ -0,0 +1,34 @@
+---
+
+# Create folders
+- name: create folder struct for iobroker
+ file:
+ path: "{{ item }}"
+ state: "directory"
+ with_items:
+ - "/srv/iobroker"
+ - "/srv/iobroker/data"
+
+# Create docker-compose.yml
+- name: Konfig-Datei erstellen
+ template:
+ src: "{{item}}"
+ dest: "/srv/iobroker/{{item}}"
+ with_items:
+ - docker-compose.yml
+
+# Create run.sh
+- name: Konfig-Datei erstellen
+ template:
+ src: "{{item}}"
+ dest: "/srv/iobroker/data/{{item}}"
+ mode: "u=rwx"
+ with_items:
+ - run.sh
+
+# Start containers
+- name: start iobroker docker
+ docker_service:
+ project_src: /srv/iobroker/
+ state: present
+
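Review bot: The influxdb compose template publishes `8086:8086` and `2003:2003` on every host interface while the only environment setting is `INFLUXDB_GRAPHITE_ENABLED`, so the HTTP API and the graphite listener are reachable without authentication from anything that can reach warpsrvint (InfluxDB 1.x ships with HTTP auth disabled). Because the librenms config added later in this commit reaches the database as `warpsrvint:8086`, binding to `127.0.0.1:8086:8086` would break that without a shared docker network; the alternative is `INFLUXDB_HTTP_AUTH_ENABLED: "true"` plus provisioned users, or a host firewall rule limiting both ports to the hosts that need them. Whichever is chosen, a comment above `ports:` stating who is expected to connect would make the exposure deliberate rather than accidental.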
diff --git a/warpsrvint/docker_iobroker/templates/docker-compose.yml b/warpsrvint/docker_iobroker/templates/docker-compose.yml new file mode 100644 index 0000000000000000000000000000000000000000..96054f05f39014d26089b0d24ae4d2dc6cde0e0a --- /dev/null +++ b/warpsrvint/docker_iobroker/templates/docker-compose.yml @@ -0,0 +1,15 @@ + +version: "3" + +services: + + app: + + image: iobroker/iobroker:latest + restart: always + ports: + - 0.0.0.0:8081:8081 + - 0.0.0.0:8082:8082 + volumes: + - /srv/iobroker/data/:/opt/iobroker + diff --git a/warpsrvint/docker_iobroker/templates/run.sh b/warpsrvint/docker_iobroker/templates/run.sh new file mode 100644 index 0000000000000000000000000000000000000000..a2dd88febf10f905549c8256e4257f58d304d1b8 --- /dev/null +++ b/warpsrvint/docker_iobroker/templates/run.sh @@ -0,0 +1,6 @@ + +#!/bin/sh + +cd /opt/iobroker/ +npm install iobroker --unsafe-perm +node node_modules/iobroker.js-controller/controller.js diff --git a/warpsrvint/docker_l4z0r/tasks/main.yml b/warpsrvint/docker_l4z0r/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..8a59a5d8f36e3fbc7db6890df24c9d87ee2e4133 --- /dev/null +++ b/warpsrvint/docker_l4z0r/tasks/main.yml @@ -0,0 +1,29 @@ +--- + +# Create folders +- name: create folder struct for l4z0r + file: + path: "{{ item }}" + state: "directory" + with_items: + - "/srv/l4z0r" + - "/srv/l4z0r/db" + +# Get secrets +- include: ../functions/get_secret.yml + with_items: + - { path: /srv/l4z0r/mysql_root_pw, length: 24 } + - { path: /srv/l4z0r/mysql_user_pw, length: 12 } + +# Create docker-compose.yml +- name: Konfig-Datei erstellen + template: + src: "docker-compose.yml" + dest: "/srv/l4z0r/docker-compose.yml" + +# Start containers +- name: start l4z0r docker + docker_service: + project_src: /srv/l4z0r/ + state: present + 
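Review bot: run.sh starts with an empty line before `#!/bin/sh`, so the shebang is not on line 1 and is ignored when the file is executed directly, which the `mode: "u=rwx"` in the iobroker tasks suggests is the intent; move `#!/bin/sh` to the first line. The script also runs `npm install iobroker --unsafe-perm` on every container start with no version pinned, and the compose file uses `iobroker/iobroker:latest`, so each restart can pull different code and a fresh supply-chain surface; pin both (`iobroker@<pinned version>` and a tagged image, placeholders to be filled in) so the deployed software is reproducible.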
diff --git a/warpsrvint/docker_l4z0r/templates/docker-compose.yml b/warpsrvint/docker_l4z0r/templates/docker-compose.yml new file mode 100644 index 0000000000000000000000000000000000000000..2afb0b2f7c3b18a1ce44415f7c489f6516126d22 --- /dev/null +++ b/warpsrvint/docker_l4z0r/templates/docker-compose.yml @@ -0,0 +1,19 @@ + +version: "3" + +services: + + db: + + image: mariadb:10.1 + restart: always + ports: + - 0.0.0.0:33306:3306 + volumes: + - /srv/l4z0r/db/:/var/lib/mysql + environment: + MYSQL_DATABASE: l4z0r + MYSQL_USER: l4z0r + MYSQL_PASSWORD: {{ mysql_user_pw }} + MYSQL_ROOT_PASSWORD: {{ mysql_root_pw }} + diff --git a/warpsrvint/docker_librenms/tasks/main.yml b/warpsrvint/docker_librenms/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..55fcbd29d43533d58e958ae25579a13d98ccd597 --- /dev/null +++ b/warpsrvint/docker_librenms/tasks/main.yml @@ -0,0 +1,37 @@ +--- + +# Get secrets +- include: ../functions/get_secret.yml + with_items: + - { path: /srv/librenms/mysql_root_pw, length: 24 } + - { path: /srv/librenms/mysql_user_pw, length: 12 } + +- name: create folder struct for librenms + file: + path: "{{ item }}" + state: "directory" + owner: www-data + group: www-data + with_items: + - "/srv/librenms/" + - "/srv/librenms/db/" + - "/srv/librenms/logs/" + - "/srv/librenms/rrd/" + +- name: Docker Compose Konfig-Datei erstellen + template: + src: "docker-compose.yml" + dest: "/srv/librenms/docker-compose.yml" + +- name: Zussätzliche Konfig-Datei erstellen + template: + src: "{{item}}" + dest: "/srv/librenms/{{item}}" + with_items: + - config.custom.php + - sql_mode.cnf + +- name: start librenms docker + docker_service: + project_src: /srv/librenms/ + state: present diff --git a/warpsrvint/docker_librenms/templates/config.custom.php b/warpsrvint/docker_librenms/templates/config.custom.php new file mode 100644 index 0000000000000000000000000000000000000000..76302582aece65ca959358f605ec50699820568e --- /dev/null 
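Review bot: `MYSQL_PASSWORD: {{ mysql_user_pw }}` and `MYSQL_ROOT_PASSWORD: {{ mysql_root_pw }}` in the l4z0r compose template are unquoted; the value is the base64 output of get_secret and can be all digits, in which case YAML types it as an integer and compose rejects the non-string environment value. Quote both as the librenms template in this commit already does: `MYSQL_PASSWORD: "{{ mysql_user_pw }}"`. `0.0.0.0:33306:3306` also publishes MariaDB, root account included, on every host interface; if only local tooling connects, `127.0.0.1:33306:3306` is the safer default, otherwise a comment naming the remote client would document why it is exposed.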
+++ b/warpsrvint/docker_librenms/templates/config.custom.php @@ -0,0 +1,23 @@ + +<?php + +# Netzwerke für Auto Discover +$config['nets'][] = '10.0.0.0/22'; +$config['nets'][] = '192.168.0.0/24'; + +# Ignorierte Interfaces +$config['bad_if_regexp'][] = '/^lo.*$/'; +$config['bad_if_regexp'][] = '/^br.*$/'; +$config['bad_if_regexp'][] = '/^pf.*$/'; +$config['bad_if_regexp'][] = '/^veth.*$/'; +$config['bad_if_regexp'][] = '/^bridge.*$/'; +$config['bad_if_regexp'][] = '/^docker.*$/'; + +# Export data to influxdb +$config['influxdb']['enable'] = true; +$config['influxdb']['transport'] = 'http'; +$config['influxdb']['host'] = 'warpsrvint'; +$config['influxdb']['port'] = '8086'; +$config['influxdb']['db'] = 'librenms'; + +?> diff --git a/warpsrvint/docker_librenms/templates/docker-compose.yml b/warpsrvint/docker_librenms/templates/docker-compose.yml new file mode 100644 index 0000000000000000000000000000000000000000..a70cc315cecbaa453897f3a572d9e18dd5dfe1bd --- /dev/null +++ b/warpsrvint/docker_librenms/templates/docker-compose.yml 
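Review bot: config.custom.php begins with an empty line before `<?php`, and that newline is emitted as output whenever the file is included, which in a web context can surface as a "headers already sent" failure; the file should start with `<?php` on line 1. For the same reason the trailing `?>` is better dropped from a pure-PHP config file, since anything after it (including the final newline) is also output. The `'10.0.0.0/22'` and `'192.168.0.0/24'` discovery ranges and the influxdb target deserve a one-line comment each saying which network or host they refer to.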
@@ -0,0 +1,51 @@ +version: "3" + +services: + + db: + + image: mariadb:10.3.4 + restart: always + volumes: + - /srv/librenms/db/:/var/lib/mysql + - /srv/librenms/sql_mode.cnf:/etc/mysql/conf.d/sql_mode.cnf + environment: + MYSQL_ROOT_PASSWORD: "{{ mysql_root_pw }}" + MYSQL_PASSWORD: "{{ mysql_user_pw }}" + MYSQL_DATABASE: librenms + MYSQL_USER: librenms + +# run database upgrades: docker exec librenms_app_1 sh -c "cd /opt/librenms && php /opt/librenms/build-base.php" +# create initial user: docker exec librenms_app_1 php /opt/librenms/adduser.php admin admin 10 test@example.com + + app: + + image: jarischaefer/docker-librenms:1.37-1 + restart: always + ports: + - 8088:80 + - 514:514 + - 514:514/udp + volumes: + - /srv/librenms/logs/:/opt/librenms/logs/ + - /srv/librenms/rrd/:/opt/librenms/rrd/ + - /srv/librenms/config.custom.php:/opt/librenms/conf.d/config.custom.php + environment: + DB_HOST: db + DB_NAME: librenms + DB_USER: librenms + DB_PASS: "{{ mysql_user_pw }}" + BASE_URL: http://warpsrvint:8088 + TZ: Europe/Zurich + ALERTS_ENABLE: "true" + BILLING_CALCULATE_ENABLE: "false" + CHECK_SERVICES_ENABLE: "true" + DAILY_ENABLE: "true" + DISCOVERY_ENABLE: "true" + DISCOVERY_THREADS: 2 + POLL_BILLING_ENABLE: "true" + POLLERS_ENABLE: "true" + POLLERS: 4 + SNMP_SCAN_ENABLE: "true" + SNMP_SCAN_CRON: "30 * * * *" + ENABLE_SYSLOG: "true" diff --git a/warpsrvint/docker_librenms/templates/sql_mode.cnf b/warpsrvint/docker_librenms/templates/sql_mode.cnf new file mode 100644 index 0000000000000000000000000000000000000000..f87b4fb1b85b54375fd1c6b3028cdf025faf566d --- /dev/null +++ b/warpsrvint/docker_librenms/templates/sql_mode.cnf @@ -0,0 +1,4 @@ +[mysqld] +innodb_file_per_table=1 +sql-mode="" +lower_case_table_names=0 diff --git a/warpsrvint/docker_matestatdb/tasks/main.yml b/warpsrvint/docker_matestatdb/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..4f83478f86c4965496f902ad3b8a56d8e05d206a --- /dev/null 
+++ b/warpsrvint/docker_matestatdb/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+# Get secrets
+- include: ../functions/get_secret.yml
+ with_items:
+ - { path: /srv/matestatdb/postgres_admin_pw, length: 24 }
+
+- name: create folder struct for matestatdb
+ file:
+ path: "{{ item }}"
+ state: "directory"
+ with_items:
+ - "/srv/matestatdb/"
+ - "/srv/matestatdb/data/"
+
+- name: Docker Compose Konfig-Datei erstellen
+ template:
+ src: "docker-compose.yml"
+ dest: "/srv/matestatdb/docker-compose.yml"
+
+- name: start matestatdb docker
+ docker_service:
+ project_src: /srv/matestatdb/
+ state: present
diff --git a/warpsrvint/docker_matestatdb/templates/docker-compose.yml b/warpsrvint/docker_matestatdb/templates/docker-compose.yml
new file mode 100644
index 0000000000000000000000000000000000000000..5a4ba1b267534680bc9ef561ae6089836e220e70
--- /dev/null
+++ b/warpsrvint/docker_matestatdb/templates/docker-compose.yml
@@ -0,0 +1,18 @@
+version: "3"
+
+services:
+
+ db:
+
+ image: postgres:9.6
+ restart: always
+ ports:
+ - 15432:5432
+ volumes:
+ - /srv/matestatdb/data/:/var/lib/postgresql/data/pgdata
+ environment:
+ PGDATA: /var/lib/postgresql/data/pgdata
+ POSTGRES_DB: "matestatdb"
+ POSTGRES_USER: "postgres"
+ POSTGRES_PASSWORD: "{{ postgres_admin_pw }}"
+
diff --git a/warpsrvint/docker_unifi/templates/docker-compose.yml b/warpsrvint/docker_unifi/templates/docker-compose.yml
index 819fe2cc1ddef541ae2f730f6683bd08007ccd10..bf03d2e951f67b8d54d7aeda93214861114963f3 100644
--- a/warpsrvint/docker_unifi/templates/docker-compose.yml
+++ b/warpsrvint/docker_unifi/templates/docker-compose.yml
@@ -9,7 +9,6 @@ services:
 restart: always
 ports:
 - 8080:8080
- - 8081:8081
 - 8443:8443
 - 8843:8843
 - 8880:8880
diff --git a/warpsrvint/main.yml b/warpsrvint/main.yml
index ad201dcb7dd42961f370adb16434e26382acadea..c9c79a23c1be3d4bc4c51c9f6d6cfdc710270b27 100644
--- a/warpsrvint/main.yml
+++ b/warpsrvint/main.yml
@@ -3,11 +3,18 @@ - hosts: warpsrvint remote_user: root roles: - - { role: "../common/prometheus-node", tags: prometheus-node } + - { role: ../common/borgbackup, tags: borgbackup } + - { role: ../common/borgserver, tags: borgserver } + - { role: ../common/prometheus-node, tags: prometheus-node } + - { role: ../common/docker, tags: docker } - { role: nginx, tags: nginx } - - { role: docker, tags: docker } - { role: docker_grafana, tags: grafana } + - { role: docker_influxdb, tags: influxdb } + - { role: docker_iobroker, tags: iobroker } + - { role: docker_librenms, tags: librenms } + - { role: docker_l4z0r, tags: l4z0r } # - { role: docker_ldap, tags: ldap } + - { role: docker_matestatdb, tags: matestatdb } - { role: docker_mqtt, tags: mqtt } - { role: docker_nodered, tags: nodered } - { role: docker_prometheus, tags: prometheus } diff --git a/webserver/docker_gitlab/templates/docker-compose.yml b/webserver/docker_gitlab/templates/docker-compose.yml index 99a4feb1593a5ba225c2f38c6b20ded27b244b2d..4cfc2bde06ec2b00afef7940b3a451fa3ba0618e 100644 --- a/webserver/docker_gitlab/templates/docker-compose.yml +++ b/webserver/docker_gitlab/templates/docker-compose.yml @@ -5,7 +5,7 @@ services: app: - image: gitlab/gitlab-ce:10.6.0-ce.0 + image: gitlab/gitlab-ce:10.7.1-ce.0 restart: always ports: - 0.0.0.0:444:22 diff --git a/webserver/docker_jabber/tasks/main.yaml b/webserver/docker_jabber/tasks/main.yaml new file mode 100644 index 0000000000000000000000000000000000000000..c38f74dcee6ada675452944d5e66c1af9c88acbd --- /dev/null +++ b/webserver/docker_jabber/tasks/main.yaml 
@@ -0,0 +1,43 @@ +--- +# Create folders +- name: create folder struct for jabber + file: + path: "{{ item }}" + state: "directory" + with_items: + - "/srv/jabber/" + +- name: create folder struct for jabber with correct rights for prosody + file: + path: "{{ item }}" + state: "directory" + owner: 102 + group: 106 + recurse: yes + with_items: + - "/srv/jabber/logs" + - "/srv/jabber/data" + - "/srv/jabber/etc" + +# create files +- name: Docker Konfig-Datei erstellen + template: + src: "docker-compose.yml" + dest: "/srv/jabber/docker-compose.yml" + +- name: Prosody Config anlegen + template: + src: "prosody.cfg.lua" + dest: "/srv/jabber/etc/prosody.cfg.lua" + + # copy community modules +- name: copy prosody community modules + synchronize: + src: templates/prosody-modules + dest: /srv/jabber/data/ + +# start docker +- name: start jabber-test docker + docker_service: + project_src: /srv/jabber/ + state: present diff --git a/webserver/docker_jabber/templates/docker-compose.yml b/webserver/docker_jabber/templates/docker-compose.yml new file mode 100644 index 0000000000000000000000000000000000000000..90a0c900ce35913ba2a78f5323c9ba7bd90c224d --- /dev/null +++ b/webserver/docker_jabber/templates/docker-compose.yml @@ -0,0 +1,23 @@ + +version: "3" + +services: + + app: + + image: prosody/prosody:0.10.0 + restart: always + ports: + - 5222:5222 + - 5269:5269 + volumes: + - /srv/jabber/etc:/etc/prosody + - /srv/jabber/logs:/var/log/prosody + - /srv/jabber/data:/var/lib/prosody + # mount the certificates created by lets encrypt + - /etc/ssl/key.pem:/etc/prosody/certs/jabber.warpzone.ms.key + - /etc/ssl/fullchain.pem:/etc/prosody/certs/jabber.warpzone.ms.crt + - /etc/ssl/key.pem:/etc/prosody/certs/muc.jabber.warpzone.ms.key + - /etc/ssl/fullchain.pem:/etc/prosody/certs/muc.jabber.warpzone.ms.crt + - /etc/ssl/key.pem:/etc/prosody/certs/proxy.jabber.warpzone.ms.key + - /etc/ssl/fullchain.pem:/etc/prosody/certs/proxy.jabber.warpzone.ms.crt 
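Review bot: The second `file` task hardcodes `owner: 102` and `group: 106` with no explanation; presumably these are the uid/gid prosody runs as inside `prosody/prosody:0.10.0`, and a comment such as `# uid/gid of the prosody user inside the prosody/prosody image` above `owner:` would stop the next maintainer from "fixing" them. Since the container process is unprivileged, the host private key mounted as `/etc/ssl/key.pem` must be readable by that uid for TLS to work; check how that is achieved on the host, because making the key world-readable is the easy and wrong way to get there. The last task is named "start jabber-test docker" although this is the jabber role, and `recurse: yes` should be the canonical `recurse: true`.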
diff --git a/webserver/docker_jabber/templates/prosody-modules/.hg_archival.txt b/webserver/docker_jabber/templates/prosody-modules/.hg_archival.txt new file mode 100644 index 0000000000000000000000000000000000000000..e35bfa431393af9b4211f856695a2005ba8622e5 --- /dev/null +++ b/webserver/docker_jabber/templates/prosody-modules/.hg_archival.txt @@ -0,0 +1,6 @@ +repo: 010452cfaf5370b32e09f46a51e226ddb1f56817 +node: 97b30fec709cf2851f78636b7650acd9a6f63378 +branch: default +latesttag: last-google-code-commit +latesttagdistance: 1189 +changessincelatesttag: 1213 diff --git a/webserver/docker_jabber/templates/prosody-modules/.hgtags b/webserver/docker_jabber/templates/prosody-modules/.hgtags new file mode 100644 index 0000000000000000000000000000000000000000..17153119644ab340ccb85fc3ec20391138045d3f --- /dev/null +++ b/webserver/docker_jabber/templates/prosody-modules/.hgtags @@ -0,0 +1,2 @@ +2c07bcf56a36d6e74dc0f5422e89bd61f4d31239 0.8-diverge +1656d4fd71d07aa3a52da89d4daf7723a555e7dd last-google-code-commit diff --git a/webserver/docker_jabber/templates/prosody-modules/.luacheckrc b/webserver/docker_jabber/templates/prosody-modules/.luacheckrc new file mode 100644 index 0000000000000000000000000000000000000000..c49bf95183e21f9a7816293a139155477f672596 --- /dev/null +++ b/webserver/docker_jabber/templates/prosody-modules/.luacheckrc 
@@ -0,0 +1,81 @@ +cache = true +allow_defined_top = true +unused_secondaries = false +codes = true +ignore = { "411/err", "421/err", "411/ok", "421/ok", "211/_ENV" }; +read_globals = { + "prosody", + "hosts", + "import", + + -- Module instance + "module.name", + "module.host", + "module._log", + "module.log", + "module.event_handlers", + "module.reloading", + "module.saved_state", + "module.global", + "module.path", + + -- Module API + "module.add_extension", + "module.add_feature", + "module.add_identity", + "module.add_item", + "module.add_timer", + "module.broadcast", + "module.context", + "module.depends", + "module.fire_event", + "module.get_directory", + "module.get_host", + "module.get_host_items", + "module.get_host_type", + "module.get_name", + "module.get_option", + "module.get_option_array", + "module.get_option_boolean", + "module.get_option_inherited_set", + "module.get_option_number", + "module.get_option_path", + "module.get_option_set", + "module.get_option_string", + "module.handle_items", + "module.hook", + "module.hook_global", + "module.hook_object_event", + "module.hook_tag", + "module.load_resource", + "module.measure", + "module.measure_event", + "module.measure_global_event", + "module.measure_object_event", + "module.open_store", + "module.provides", + "module.remove_item", + "module.require", + "module.send", + "module.set_global", + "module.shared", + "module.unhook", + "module.unhook_object_event", + "module.wrap_event", + "module.wrap_global", + "module.wrap_object_event", + + -- mod_http API + "module.http_url", +} +globals = { + -- Methods that can be set on module API + "module.unload", + "module.add_host", + "module.load", + "module.add_host", + "module.save", + "module.restore", + "module.command", + "module.environment", +} 
diff --git a/webserver/docker_jabber/templates/prosody-modules/README b/webserver/docker_jabber/templates/prosody-modules/README new file mode 100644 index 0000000000000000000000000000000000000000..9cc46b9093846e265b89a42d2af5a3d8b8955ae0 --- /dev/null +++ b/webserver/docker_jabber/templates/prosody-modules/README @@ -0,0 +1,31 @@ +prosody-modules +=============== + +*Add-on modules for Prosody IM Server* + +-------------------------------------------------------------------------- + +Community repository for non-core, unofficial and/or experimental plugins +for [Prosody][]. + +If you are a developer and would like to host your Prosody module in this +repository, or want to contribute to existing modules, simply introduce +yourself and request commit access on our [mailing list][]. + +Notes for users +---------------- + +There are lots of fun and exciting modules to be found here, we know +you'll like it. However please note that each module is in a different +state of development. Some are proof-of-concept, others are quite stable +and ready for production use. Be sure to read the wiki page of any +module before installing it on your server. + +We are working on methods to easily download and install modules from +this repository. In the meantime most modules are either a single file +and easy to install, or contain installation instructions on their wiki +page. You can browse the files stored in this repository at +<https://hg.prosody.im/prosody-modules>. + +[Prosody]: https://prosody.im/ +[mailing list]: https://prosody.im/discuss diff --git a/webserver/docker_jabber/templates/prosody-modules/mod_roster_allinall/README.markdown b/webserver/docker_jabber/templates/prosody-modules/mod_roster_allinall/README.markdown new file mode 100644 index 0000000000000000000000000000000000000000..9890b0c4b274c313ede5fc545b65aa95e4e2c868 --- /dev/null +++ b/webserver/docker_jabber/templates/prosody-modules/mod_roster_allinall/README.markdown 
@@ -0,0 +1,21 @@ +--- +labels: +... + +Introduction +============ + +This module is similar in purpouse to mod\_groups, for when you want all +users on the server to be in each others roster. + +Details +======= + +Upon login, this module will add all currently logged in users to the +logging in users roster. + +Configuration +============= + +Just add it to the modules\_enabled, after that there is no further +configuration. diff --git a/webserver/docker_jabber/templates/prosody-modules/mod_roster_allinall/mod_roster_allinall.lua b/webserver/docker_jabber/templates/prosody-modules/mod_roster_allinall/mod_roster_allinall.lua new file mode 100644 index 0000000000000000000000000000000000000000..71b395220cc874015a5c38a0a1fb1d1e7b67705e --- /dev/null +++ b/webserver/docker_jabber/templates/prosody-modules/mod_roster_allinall/mod_roster_allinall.lua 
@@ -0,0 +1,42 @@ +local rostermanager = require"core.rostermanager"; +local jid_join = require"util.jid".join; +local host = module.host; +local sessions = prosody.hosts[host].sessions; + +-- Make a *one-way* subscription. User will see when contact is online, +-- contact will not see when user is online. +local function subscribe(user, contact) + local user_jid, contact_jid = jid_join(user, host), jid_join(contact, host); + + -- Update user's roster to say subscription request is pending... + rostermanager.set_contact_pending_out(user, host, contact_jid); + -- Update contact's roster to say subscription request is pending... + rostermanager.set_contact_pending_in(contact, host, user_jid); + -- Update contact's roster to say subscription request approved... + rostermanager.subscribed(contact, host, user_jid); + -- Update user's roster to say subscription request approved... + rostermanager.process_inbound_subscription_approval(user, host, contact_jid); + + -- Push updates to both rosters + rostermanager.roster_push(user, host, contact_jid); + rostermanager.roster_push(contact, host, user_jid); +end + + +module:hook("resource-bind", function(event) + local session = event.session; + local user = session.username; + local user_jid = jid_join(user, host); + for contact in pairs(sessions) do + if contact ~= user then + local contact_jid = jid_join(contact, host); + if not rostermanager.is_contact_subscribed(user, host, contact_jid) then + subscribe(contact, user); + end + if not rostermanager.is_contact_subscribed(contact, host, user_jid) then + subscribe(user, contact); + end + end + end +end); + diff --git a/webserver/docker_jabber/templates/prosody.cfg.lua b/webserver/docker_jabber/templates/prosody.cfg.lua new file mode 100644 index 0000000000000000000000000000000000000000..81ea01e4dc3c70c8588fed379765563f3d2a4f24 --- /dev/null +++ b/webserver/docker_jabber/templates/prosody.cfg.lua 
@@ -0,0 +1,204 @@
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { "sandzwerg@jabber.warpzone.ms", "void@jabber.warpzone.ms" }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+-- use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+plugin_paths = { "/var/lib/prosody/prosody-modules" }
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+ -- Generally required
+ "roster"; -- Allow users to have a roster. Recommended ;)
+ "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+ "tls"; -- Add support for secure TLS on c2s/s2s connections
+ "dialback"; -- s2s dialback support
+ "disco"; -- Service discovery
+
+ -- Not essential, but recommended
+ "carbons"; -- Keep multiple clients in sync
+ "pep"; -- Enables users to publish their mood, activity, playing music and more
+ "private"; -- Private XML storage (for room bookmarks, etc.)
+ "blocklist"; -- Allow users to block communications with other users
+ "vcard"; -- Allow users to set vCards
+
+ -- Nice to have
+ "version"; -- Replies to server version requests
+ "uptime"; -- Report how long server has been running
+ "time"; -- Let others know the time here on this server
+ "ping"; -- Replies to XMPP pings with pongs
+ "register"; -- Allow users to register on this server using a client and change passwords
+ --"mam"; -- Store messages in an archive and allow users to access it
+
+ -- Admin interfaces
+ "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+ --"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+ -- HTTP modules
+ --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+ --"websocket"; -- XMPP over WebSockets
+ --"http_files"; -- Serve static files from a directory over HTTP
+
+ -- Other specific functionality
+ --"limits"; -- Enable bandwidth limiting for XMPP connections
+ --"groups"; -- Shared roster support
+ --"server_contact_info"; -- Publish contact information for this service
+ "announce"; -- Send announcement to all online users
+ --"welcome"; -- Welcome users who register accounts
+ --"watchregistrations"; -- Alert admins of registrations
+ --"motd"; -- Send a message to users when they log in
+ --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+ "proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+ "roster_allinall" -- add all users of the server to a users group, it's from the community modules
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+ -- "offline"; -- Store offline messages
+ -- "c2s"; -- Handle client connections
+ -- "s2s"; -- Handle server-to-server connections
+-- needs to be disabled so that prosody works inside docker
+ "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+-- Note that this is different from authentication
+
+s2s_require_encryption = true
+
+
+-- Force certificate authentication for server-to-server connections?
+-- This provides ideal security, but requires servers you communicate
+-- with to support encryption AND present valid, trusted certificates.
+-- NOTE: Your version of LuaSec must support certificate verification!
+-- For more information see https://prosody.im/doc/s2s#security
+
+s2s_secure_auth = false
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you leave s2s_secure_auth disabled, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+-- To allow Prosody to offer secure authentication mechanisms to clients, the
+-- default provider stores passwords in plaintext. If you do not trust your
+-- server please see https://prosody.im/doc/modules/mod_auth_internal_hashed
+-- for information about using the hashed backend.
+
+authentication = "internal_hashed"
+
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+ info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
+ error = "/var/log/prosody/prosody.err";
+ info = "*console"; -- Log to the console
+ -- "*console"; -- Log to the console, useful for debugging with daemonize=false
+ -- "*syslog"; -- Uncomment this for logging to syslog
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "jabber.warpzone.ms"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+--- Set up a MUC (multi-user chat) room server on conference.example.com:
+Component "muc.jabber.warpzone.ms" "muc"
+
+--- Configure the proxy65 component which allows file transfers
+ Component "proxy.jabber.warpzone.ms" "proxy65"
+
+--- Configure where the groups are stated
+ groups_file = "/etc/prosody/groups.txt"
+
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"
diff --git a/webserver/docker_jabber_test/groups.txt b/webserver/docker_jabber_test/groups.txt
new file mode 100644
index 0000000000000000000000000000000000000000..94684f98f8f1402baf1f086a1393acc89b2cf20f
--- /dev/null
+++ b/webserver/docker_jabber_test/groups.txt
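Review bot: `s2s_secure_auth = false` together with `s2s_require_encryption = true` encrypts server-to-server traffic but never verifies the peer's certificate, so whichever host answers the DNS lookup for a remote domain can impersonate it; set `s2s_secure_auth = true` and list the known-broken peers in `s2s_insecure_domains` instead of turning verification off globally (the test config `webserver/docker_jabber_test/templates/prosody.cfg.lua` has the same setting). The `log` table assigns `info` twice, `info = "/var/log/prosody/prosody.log"` and then `info = "*console"`; Lua leaves the order of constructor assignments undefined and in practice the later one wins, so no info-level log file lands in the `/srv/jabber/logs` volume and only `prosody.err` survives — use the positional form `"*console";` as the test config does. `groups_file = "/etc/prosody/groups.txt"` is dead configuration here, since `"groups"` is commented out of `modules_enabled` and the line sits under `Component "proxy.jabber.warpzone.ms" "proxy65"`, where it would only apply to that component anyway.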
@@ -0,0 +1,43 @@
+[warpzone-member]
+0xf02d@jabber.warpzone.ms=0xf02d
+bIGmAC@jabber.warpzone.ms=bIGmAC
+CanisLupus@jabber.warpzone.ms=CanisLupus
+citeq@jabber.warpzone.ms=citeq
+commander1024@jabber.warpzone.ms=commander1024
+crnf87@jabber.warpzone.ms=crnf87
+da1l6@jabber.warpzone.ms=da1l6
+drops@jabber.warpzone.ms=drops
+Dunstkreis@jabber.warpzone.ms=Dunstkreis
+ennox@jabber.warpzone.ms=ennox
+fanlin@jabber.warpzone.ms=fanlin
+fusselkater@jabber.warpzone.ms=fusselkater
+Gregor@jabber.warpzone.ms=Gregor
+heliotto@jabber.warpzone.ms=heliotto
+janhenrik@jabber.warpzone.ms=janhenrik
+julian@jabber.warpzone.ms=julian
+larsm@jabber.warpzone.ms=larsm
+MacGoever@jabber.warpzone.ms=MacGoever
+marius@jabber.warpzone.ms=marius
+MissInformation@jabber.warpzone.ms=MissInformation
+nicowde@jabber.warpzone.ms=nicowde
+ole@jabber.warpzone.ms=ole
+philipp@jabber.warpzone.ms=philipp
+sandzwerg@jabber.warpzone.ms=sandzwerg
+Schneemann@jabber.warpzone.ms=Schneemann
+shell@jabber.warpzone.ms=shell
+StuC@jabber.warpzone.ms=StuC
+supervirus@jabber.warpzone.ms=supervirus
+tappser@jabber.warpzone.ms=tappser
+user_51@jabber.warpzone.ms=user_51
+void@jabber.warpzone.ms=void
+dray@jabber.warpzone.ms=dray
+pkirchner@jabber.warpzone.ms=pkirchner
+alucardo@jabber.warpzone.ms=alucardo
+3d@jabber.warpzone.ms=3d
+frednet@jabber.warpzone.ms=frednet
+kgbvax@jabber.warpzone.ms=kgbvax
+orgun@jabber.warpzone.ms=orgun
+Bahnpirat@jabber.warpzone.ms=Bahnpirat
+Nick@jabber.warpzone.ms=Nick
+Thunfisch@jabber.warpzone.ms=Thunfisch
+do2jha@jabber.warpzone.ms=do2jha
diff --git a/webserver/docker_jabber_test/tasks/main.yaml b/webserver/docker_jabber_test/tasks/main.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..9955ea4f8940c9297281f09ca1a8c819cbcec6dd
--- /dev/null
+++ b/webserver/docker_jabber_test/tasks/main.yaml
@@ -0,0 +1,50 @@
+---
+# Create folders
+- name: create folder struct for jabber_test
+  file:
+    path: "{{ item }}"
+    state: "directory"
+  with_items:
+    - "/srv/jabber_test/"
+    - "/srv/jabber_test/etc"
+
+- name: create folder struct for jabber_test 2
+  file:
+    path: "{{ item }}"
+    state: "directory"
+    owner: 102
+    group: 106
+  with_items:
+    - "/srv/jabber_test/logs"
+    - "/srv/jabber_test/data"
+    - "/srv/jabber_test/saslauthd"
+
+# Get secrets
+- include: ../functions/get_secret.yml
+  with_items:
+    - { path: /srv/ldap/secret/ldap_readonly_pass, length: 24 }
+
+# create files
+- name: Docker Konfig-Datei erstellen
+  template:
+    src: "docker-compose.yml"
+    dest: "/srv/jabber_test/docker-compose.yml"
+
+- name: SASL Configs anlegen
+  template:
+    src: "{{item}}"
+    dest: "/srv/jabber_test/{{item}}"
+  with_items:
+    - "saslauthd.conf"
+    - "prosody.conf"
+
+- name: Prosody Config anlegen
+  template:
+    src: "prosody.cfg.lua"
+    dest: "/srv/jabber_test/etc/prosody.cfg.lua"
+
+# start docker
+- name: start jabber-test docker
+  docker_service:
+    project_src: /srv/jabber_test/
+    state: present
diff --git a/webserver/docker_jabber_test/templates/docker-compose.yml b/webserver/docker_jabber_test/templates/docker-compose.yml
new file mode 100644
index 0000000000000000000000000000000000000000..63b9b946c4bc9cba52a415765e9ef9da68323b19
--- /dev/null
+++ b/webserver/docker_jabber_test/templates/docker-compose.yml
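Review bot: `SASL Configs anlegen` renders `saslauthd.conf`, which carries the LDAP bind password (`ldap_password: {{ ldap_readonly_pass }}` in the template), with the template module's default ownership and mode, i.e. umask-derived and typically world-readable, so every local account on the host can read the bind credential; add `mode: "0600"` to that task (the saslauthd container mounts the file `:ro`, and if it runs as root it still reads it). The Prosody config in this commit points `mod_groups` at `/etc/prosody/groups.txt`, but no task here copies the newly added `webserver/docker_jabber_test/groups.txt` into `/srv/jabber_test/etc`, so the file will not exist inside the container — add a `copy:` task for it (and move it under the role's `files/` directory so the module resolves it). `include: ../functions/get_secret.yml` is passed a `length: 24` item, so I read it as generate-or-read; whether it also registers the `ldap_readonly_pass` variable the template consumes is not visible here and worth confirming.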
@@ -0,0 +1,34 @@
+
+version: "3"
+
+services:
+
+  auth:
+
+    image: dweomer/saslauthd
+    restart: always
+    volumes:
+      - /srv/jabber_test/saslauthd.conf:/etc/saslauthd.conf:ro
+      - /srv/jabber_test/saslauthd:/var/run/saslauthd
+
+  app:
+
+    image: prosody/prosody:0.10
+    restart: always
+    ports:
+      - 25222:5222
+      - 25269:5269
+    volumes:
+      - /srv/jabber_test/etc:/etc/prosody
+      - /srv/jabber_test/logs:/var/log/prosody
+      - /srv/jabber_test/data:/var/lib/prosody
+      # mount the certificates created by lets encrypt
+      - /etc/ssl/key.pem:/etc/prosody/certs/jabber-test.warpzone.ms.key
+      - /etc/ssl/fullchain.pem:/etc/prosody/certs/jabber-test.warpzone.ms.crt
+      - /etc/ssl/key.pem:/etc/prosody/certs/muc.jabber-test.warpzone.ms.key
+      - /etc/ssl/fullchain.pem:/etc/prosody/certs/muc.jabber-test.warpzone.ms.crt
+      - /etc/ssl/key.pem:/etc/prosody/certs/proxy.jabber-test.warpzone.ms.key
+      - /etc/ssl/fullchain.pem:/etc/prosody/certs/proxy.jabber-test.warpzone.ms.crt
+      # sasl2 auth mounts
+      - /srv/jabber_test/prosody.conf:/usr/lib/sasl/prosody.conf
+      - /srv/jabber_test/saslauthd:/var/run/saslauthd
diff --git a/webserver/docker_jabber_test/templates/prosody.cfg.lua b/webserver/docker_jabber_test/templates/prosody.cfg.lua
new file mode 100644
index 0000000000000000000000000000000000000000..e53d8a921b2152677f85825567bd94f81b67a5a9
--- /dev/null
+++ b/webserver/docker_jabber_test/templates/prosody.cfg.lua
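Review bot: `image: dweomer/saslauthd` has no tag at all and `image: prosody/prosody:0.10` is a floating minor tag, whereas the production compose file pins `prosody/prosody:0.10.0`; the next image pull can therefore silently swap out the component that sits in the authentication path in front of LDAP. Pin both, `dweomer/saslauthd:<pinned-tag>` and `prosody/prosody:0.10.0` (or a digest), so test and production are reproducible and the difference between them is only the hostnames. The `key.pem`/`fullchain.pem` and `/srv/jabber_test/etc` mounts lack `:ro` exactly as in the production compose file, and the `saslauthd` socket directory is shared read-write between the two containers, which is required for the socket but worth a comment such as `# shared saslauthd socket dir (mux) — both containers need write access`.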
@@ -0,0 +1,207 @@
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { "sandzwerg@jabber.warpzone.ms", "void@jabber.warpzone.ms" }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+-- use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+ -- Generally required
+ "roster"; -- Allow users to have a roster. Recommended ;)
+ "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+ "tls"; -- Add support for secure TLS on c2s/s2s connections
+ "dialback"; -- s2s dialback support
+ "disco"; -- Service discovery
+
+ -- Not essential, but recommended
+ "carbons"; -- Keep multiple clients in sync
+ "pep"; -- Enables users to publish their mood, activity, playing music and more
+ "private"; -- Private XML storage (for room bookmarks, etc.)
+ "blocklist"; -- Allow users to block communications with other users
+ "vcard"; -- Allow users to set vCards
+
+ -- Nice to have
+ "version"; -- Replies to server version requests
+ "uptime"; -- Report how long server has been running
+ "time"; -- Let others know the time here on this server
+ "ping"; -- Replies to XMPP pings with pongs
+ "register"; -- Allow users to register on this server using a client and change passwords
+ --"mam"; -- Store messages in an archive and allow users to access it
+
+ -- Admin interfaces
+ "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+ --"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+ -- HTTP modules
+ --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+ --"websocket"; -- XMPP over WebSockets
+ --"http_files"; -- Serve static files from a directory over HTTP
+
+ -- Other specific functionality
+ --"limits"; -- Enable bandwidth limiting for XMPP connections
+ "groups"; -- Shared roster support
+ --"server_contact_info"; -- Publish contact information for this service
+ "announce"; -- Send announcement to all online users
+ --"welcome"; -- Welcome users who register accounts
+ --"watchregistrations"; -- Alert admins of registrations
+ --"motd"; -- Send a message to users when they log in
+ --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+ "proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+ -- "offline"; -- Store offline messages
+ -- "c2s"; -- Handle client connections
+ -- "s2s"; -- Handle server-to-server connections
+ "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+-- Note that this is different from authentication
+
+s2s_require_encryption = true
+
+
+-- Force certificate authentication for server-to-server connections?
+-- This provides ideal security, but requires servers you communicate
+-- with to support encryption AND present valid, trusted certificates.
+-- NOTE: Your version of LuaSec must support certificate verification!
+-- For more information see https://prosody.im/doc/s2s#security
+
+s2s_secure_auth = false
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you leave s2s_secure_auth disabled, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+-- To allow Prosody to offer secure authentication mechanisms to clients, the
+-- default provider stores passwords in plaintext. If you do not trust your
+-- server please see https://prosody.im/doc/modules/mod_auth_internal_hashed
+-- for information about using the hashed backend.
+
+-- authentication = "internal_hashed"
+
+authentication = "cyrus"
+cyrus_service_name = "xmpp" -- Optional, defaults to "xmpp"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+ info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
+ error = "/var/log/prosody/prosody.err";
+ -- info = "*console"; -- Log to the console
+ "*console"; -- Log to the console, useful for debugging with daemonize=false
+ -- "*syslog"; -- Uncomment this for logging to syslog
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "jabber-test.warpzone.ms"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+--- Set up a MUC (multi-user chat) room server on conference.example.com:
+Component "muc.jabber-test.warpzone.ms" "muc"
+
+--- Configure the proxy65 component which allows file transfers
+ Component "proxy.jabber-test.warpzone.ms" "proxy65"
+
+--- Configure where the groups are stated
+ groups_file = "/etc/prosody/groups.txt"
+
+--- Configure the posix module so it works with docker
+-- daemonize = false
+-- pidfile = "/tmp/prosody.pid"
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"
diff --git a/webserver/docker_jabber_test/templates/prosody.conf b/webserver/docker_jabber_test/templates/prosody.conf
new file mode 100644
index 0000000000000000000000000000000000000000..f2e18cef6e57ddb93121af0aef43b49af6bc1092
--- /dev/null
+++ b/webserver/docker_jabber_test/templates/prosody.conf
@@ -0,0 +1,2 @@
+pwcheck_method: saslauthd
+mech_list: PLAIN
\ No newline at end of file
diff --git a/webserver/docker_jabber_test/templates/saslauthd.conf b/webserver/docker_jabber_test/templates/saslauthd.conf
new file mode 100644
index 0000000000000000000000000000000000000000..875362abd679e4c47f2bd965b1d745a45719db08
--- /dev/null
+++ b/webserver/docker_jabber_test/templates/saslauthd.conf
@@ -0,0 +1,6 @@
+
+ldap_servers: ldap://{{ ldap_ip_ext }}
+ldap_search_base: {{ ldap_base_dn }}
+ldap_filter: (&(objectClass=inetOrgPerson)(memberof=CN=active,OU=groups,{{ ldap_base_dn }})(uid=%u))
+ldap_bind_dn: {{ ldap_readonly_bind_dn }}
+ldap_password: {{ ldap_readonly_pass }}
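Review bot: `groups_file = "/etc/prosody/groups.txt"` is placed after `Component "proxy.jabber-test.warpzone.ms" "proxy65"`, and as the file's own comment says, settings under a VirtualHost/Component entry apply only to that host, so `mod_groups` running on `VirtualHost "jabber-test.warpzone.ms"` will not see the option — move the line into the global section above the first `VirtualHost`, or directly under that `VirtualHost` line. With `authentication = "cyrus"` the mechanisms on offer are whatever saslauthd provides, which `prosody.conf` limits to `mech_list: PLAIN`; that is only acceptable because `c2s_require_encryption = true` stays set, so a comment next to `authentication`, e.g. `-- PLAIN via saslauthd/LDAP: c2s_require_encryption must remain true`, would record the dependency before someone relaxes it. The indentation of the proxy65 `Component` and `groups_file` lines also reads as if `groups_file` were meant for the proxy, which is probably not the intent.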
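Review bot: `ldap_servers: ldap://{{ ldap_ip_ext }}` with no `ldap_start_tls` setting means the bind credentials (`ldap_bind_dn`/`ldap_password`) and every user password saslauthd verifies travel to the directory in the clear; the variable name suggests a non-local address, and unless it resolves to the same host use `ldaps://` (or add `ldap_start_tls: yes`) together with `ldap_tls_cacert_file` and `ldap_tls_check_peer: yes` so the directory is authenticated as well. The filter restricts logins to `memberof=CN=active,OU=groups,...`, which is the right place to enforce membership, but a comment above it, e.g. `# only members of the 'active' group may authenticate; keep in sync with the LDAP role`, would make that policy visible to whoever next edits the file.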
diff --git a/webserver/docker_matterbridge/templates/matterbridge.toml b/webserver/docker_matterbridge/templates/matterbridge.toml
index 6ef062aba280954c2a50e78e92c6d80008aba799..a6e65e44fb4e8be4329e776cde276027c4c3beaf 100644
--- a/webserver/docker_matterbridge/templates/matterbridge.toml
+++ b/webserver/docker_matterbridge/templates/matterbridge.toml
@@ -79,6 +79,7 @@ ShowJoinPart=false
 #REQUIRED
 [telegram.bot]
 #Token to connect with telegram API
+#Bot @warpzonebot
 #See https://core.telegram.org/bots#6-botfather and https://www.linkedin.com/pulse/telegram-bots-beginners-marco-frau
 #REQUIRED
 Token="{{ telegram_token }}"
@@ -162,13 +163,14 @@ enable=true
 #account="mattermost.warpzone"
 #channel="town-square"
- #[[gateway.inout]]
- ## Telegramm Gruppe @warpzone
- ## 8.8.2017 von void deaaktiviert das das Spammen im Telegram leite genervt hat
+ [[gateway.inout]]
+ ## Telegramm Gruppe @warpzone (Spamfreie Warpzone Gruppe)
+ ## 8.8.2017 von void deaaktiviert das das Spammen im Telegram Leute genervt hat
+ ## 24.4.2018 für die spamfreie warpzone Gruppe wieder aktiviert (Beschluss Plenum)
 ## Vorgehen um Guppen-ID zu bekommen:
 ## - Bot in Gruppe einfügen
 ## - Chatnachricht erstellen
 ## - https://api.telegram.org/<API Token>/getUpdates ausrufen, die ID findet sich in der Eigenschaft "message.chat.id"
- #account="telegram.bot"
- #channel="-199147565"
+ account="telegram.bot"
+ channel="-272574265"
diff --git a/webserver/main.yml b/webserver/main.yml
index f53ada6fa497e19b7958fadd13cf341dcd720259..fdc9588d52976d1927af8ddc1fbc2f793c1e45a3 100644
--- a/webserver/main.yml
+++ b/webserver/main.yml
@@ -4,15 +4,16 @@
   remote_user: root
   roles:
     - { role: ../common/borgbackup, tags: borgbackup }
+    - { role: ../common/docker, tags: docker }
     - { role: nginx, tags: nginx }
     - { role: openvpn, tags: openvpn }
-    - { role: docker, tags: docker }
     - { role: docker_dokuwiki, tags: dokuwiki }
     - { role: docker_etherpad, tags: etherpad }
     - { role: docker_gitlab, tags: gitlab }
+    - { role: docker_jabber, tags: jabber }
+    - { role: docker_jabber_test, tags: jabber_test }
     - { role: docker_ldap, tags: ldap }
     - { role: docker_matterbridge, tags: matterbridge }
     - { role: docker_warpinfra, tags: warpinfra }
     - { role: docker_warpinfratest, tags: warpinfratest }
     - { role: docker_wordpress, tags: wordpress }
-
diff --git a/webserver/nginx/templates/letsencrypt.sh b/webserver/nginx/templates/letsencrypt.sh
index 695604b9db779c48bf2fdc5df82c99638d3adcba..2f09b63134ef14e6c5f26ed6a03663ca43df3126 100644
--- a/webserver/nginx/templates/letsencrypt.sh
+++ b/webserver/nginx/templates/letsencrypt.sh
@@ -1,10 +1,9 @@
 #!/bin/bash
-cd /opt/simp_le/
-if [ ! -e venv/bin/python ]; then ./venv.sh; fi
+cd /opt/simp_le/
+if [ ! -e venv/bin/python ]; then ./venv.sh; fi
-cd /etc/ssl
-PATH=/opt/simp_le/venv/bin:/usr/sbin:/usr/bin:/sbin:/bin
-
-simp_le --email {{ letsencrypt_mail }} -f account_key.json -f key.pem -f fullchain.pem --tos_sha256 {{ letsencrypt_tos_sha256 }} {% for domain in webserver_domains %} -d {{ domain }}.warpzone.ms:/var/www/html {% endfor %} && systemctl reload nginx
+cd /etc/ssl
+PATH=/opt/simp_le/venv/bin:/usr/sbin:/usr/bin:/sbin:/bin
+simp_le --email {{ letsencrypt_mail }} -f account_key.json -f key.pem -f fullchain.pem --tos_sha256 {{ letsencrypt_tos_sha256 }} {% for domain in webserver_domains %} -d {{ domain }}.warpzone.ms:/var/www/html {% endfor %} && systemctl reload nginx && /usr/local/bin/docker-compose -f /srv/jabber_test/docker-compose.yml restart && /usr/local/bin/docker-compose -f /srv/jabber/docker-compose.yml