kraoc/ansible
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Trash + Redo

Browse Source
This commit is contained in:
Olivier 2023-09-25 10:40:20 +02:00
parent 1265f1cb06
commit 7a3ade11ff
1664 changed files with 13448 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
README.md
View File

@ -20,26 +20,26 @@ Ansible _tests_ to learn its concepts.
* TDD * TDD
### 2023-09-24 ### 2023-09-25
* TDD * TDD
* docker-compose template: split single/multiple command(s) with a test _(await a better solution)_ * docker-compose template: split single/multiple command(s) with a test _(await a better solution)_
* Add _some_ documentation * Add _some_ documentation
* Bugfixes _(founded when running stacks)_ * Bugfixes _(founded when running stacks)_
### 2023-09-23 ### 2023-09-25
* TDD * TDD
* Bugfixes * Bugfixes
* Rework on stacks folders organization * Rework on stacks folders organization
### 2023-09-19 ### 2023-09-25
* TDD * TDD
* Depot reinitialization due to error * Depot reinitialization due to error
* Bugfixes after empty vm deployment * Bugfixes after empty vm deployment
### 2023-09-12 ### 2023-09-25
* TDD * TDD
* Rework, refacto, variabilization * Rework, refacto, variabilization
@ -50,13 +50,13 @@ Ansible _tests_ to learn its concepts.
* Add middleware option for traefik * Add middleware option for traefik
* Stacks definition: jekyll, registry, ntfy, ipfs * Stacks definition: jekyll, registry, ntfy, ipfs
### 2023-09-11 ### 2023-09-25
* TDD * TDD
* Add stack name override (and defaulting network name to it in this case in docker-compose template) * Add stack name override (and defaulting network name to it in this case in docker-compose template)
* Stacks definition: promtail, portainer-agent, monitoring-vm, portainer * Stacks definition: promtail, portainer-agent, monitoring-vm, portainer
### 2023-09-10 ### 2023-09-25
* TDD * TDD
* docker-compose template corrections * docker-compose template corrections
@ -64,7 +64,7 @@ Ansible _tests_ to learn its concepts.
* Redesign of 'files' folder structure for each stack (conf/datas/template as services subfolders) * Redesign of 'files' folder structure for each stack (conf/datas/template as services subfolders)
* Stacks definition: drawio, flame, hastebin * Stacks definition: drawio, flame, hastebin
### 2023-09-09 ### 2023-09-25
* TDD * TDD
* Reorder readme's changelog * Reorder readme's changelog
@ -74,7 +74,7 @@ Ansible _tests_ to learn its concepts.
* Add system services managment * Add system services managment
* Rename template files * Rename template files
### 2023-09-08 ### 2023-09-25
* TDD * TDD
* Move Itzg from Orochi task to VM conditionnal stack * Move Itzg from Orochi task to VM conditionnal stack
@ -84,7 +84,7 @@ Ansible _tests_ to learn its concepts.
* Stacks definition: adguardhome, adminer, aptcacherng, dl, homepage, itzg * Stacks definition: adguardhome, adminer, aptcacherng, dl, homepage, itzg
* Add _jinja2.ext.do_ to **jinja2_extensions** in _ansible.cfg_ * Add _jinja2.ext.do_ to **jinja2_extensions** in _ansible.cfg_
### 2023-09-07 ### 2023-09-25
* TDD * TDD
* Rework using roles * Rework using roles
@ -95,7 +95,7 @@ Ansible _tests_ to learn its concepts.
* Templating stacks * Templating stacks
* Stacks definition: dozzle, watchtower * Stacks definition: dozzle, watchtower
### 2023-09-06 ### 2023-09-25
* TDD * TDD
* Refinements * Refinements
@ -103,7 +103,7 @@ Ansible _tests_ to learn its concepts.
* Use of Vault * Use of Vault
* Improve VM base deployment * Improve VM base deployment
### 2023-09-05 ### 2023-09-25
* TDD * TDD
* Rework as concept * Rework as concept
@ -112,7 +112,7 @@ Ansible _tests_ to learn its concepts.
* Add things to common * Add things to common
* Add Itzg Minecraft Server * Add Itzg Minecraft Server
### 2023-09-01 ### 2023-09-25
* TDD * TDD
* Depot reinitialization due to corruption * Depot reinitialization due to corruption

2
ansible.cfg
View File

@ -1,4 +1,4 @@
# 2023-09-19 # 2023-09-25
[defaults] [defaults]
home = /opt/ansible home = /opt/ansible

18
inventory/group_vars/all.yml Normal file
View File

@ -0,0 +1,18 @@
$ANSIBLE_VAULT;1.1;AES256
36383630346233663239303335663439356635393364383133393736313262343761393034316530
3338383035393135343465626165663262363566623062620a326433313766633137373562383831
65343339653862356334636535393062613363386231646462663535626536313265616535616561
6465383836393233320a306632306530366133653331653839393833653861636134326235363561
66333637633234376138333636343761633832346134343335393233316337616562613730633666
31626162326133376565353236383562303733326431343937363539656637353531326565346431
35373366643739353963383533333638343034303732386563386637386335333834373936656561
39616137613964313838653930353664636432613262303236666239633431333634376361373935
30386431363066613034383831353865663265386335373662386339336436623835383734323930
63623464326461613463396137666264333962666462346332663262303064363339663331323938
34373463323938313834383837393935636261313461653038633764313863643433326337303463
38366362306161623166353237323337636439333661346139303037353362663565653531353530
64396136663735383932643464646464396635353036633033343464383830373235323932656163
30356365306161633233336461643239326465643436336533313534666365633362303437303665
34656263656233336639356664346435356437333730613565666230333663383139303037636236
32376563303936343765383332313338333865616539303738326439666632326266316230626130
31346362386332663934356534616261623538333665383163333638373131326231

2
inventory/host_vars/all.yml Normal file
View File

@ -0,0 +1,2 @@
# 2023-09-25
---

2
inventory/host_vars/orochi.yml Normal file
View File

@ -0,0 +1,2 @@
# 2023-09-25
---

75
inventory/zogg.yml Normal file
View File

@ -0,0 +1,75 @@
# 2023-09-25
zogg:
hosts:
izanagi:
ansible_host: izanagi.home
ansible_connection: ssh
ansible_port: "{{sshport}}"
ansible_ssh_user: "{{sshuser}}"
ansible_ssh_private_key_file: "{{sshkey}}"
omoikane:
ansible_host: omoikane.home
ansible_connection: ssh
ansible_port: "{{sshport}}"
ansible_ssh_user: "{{sshuser}}"
ansible_ssh_private_key_file: "{{sshkey}}"
raijin:
ansible_host: raijin.home
ansible_connection: ssh
ansible_port: "{{sshport}}"
ansible_ssh_user: "{{sshuser}}"
ansible_ssh_private_key_file: "{{sshkey}}"
tenjin:
ansible_host: tenjin.home
ansible_connection: ssh
ansible_port: "{{sshport}}"
ansible_ssh_user: "{{sshuser}}"
ansible_ssh_private_key_file: "{{sshkey}}"
inari:
ansible_host: inari.home
ansible_connection: ssh
ansible_port: "{{sshport}}"
ansible_ssh_user: "{{sshuser}}"
ansible_ssh_private_key_file: "{{sshkey}}"
uzume:
ansible_host: uzume.home
ansible_connection: ssh
ansible_port: "{{sshport}}"
ansible_ssh_user: "{{sshuser}}"
ansible_ssh_private_key_file: "{{sshkey}}"
sarutahiko:
ansible_host: sarutahiko.home
ansible_connection: ssh
ansible_port: "{{sshport}}"
ansible_ssh_user: "{{sshuser}}"
ansible_ssh_private_key_file: "{{sshkey}}"
susanoo:
ansible_host: susanoo.home
ansible_connection: ssh
ansible_port: "{{sshport}}"
ansible_ssh_user: "{{sshuser}}"
ansible_ssh_private_key_file: "{{sshkey}}"
orochi:
ansible_host: orochi.home
ansible_connection: ssh
ansible_port: "{{sshport}}"
ansible_ssh_user: "{{sshuser}}"
ansible_ssh_private_key_file: "{{sshkey}}"
suijin:
ansible_host: suijin.home
ansible_connection: ssh
ansible_port: "{{sshport}}"
ansible_ssh_user: "{{sshuser}}"
ansible_ssh_private_key_file: "{{sshkey}}"

3
logs/README.md Normal file
View File

@ -0,0 +1,3 @@
# Logs
Show logs from playbooks run.

3
playbook/README.md Normal file
View File

@ -0,0 +1,3 @@
# Playbook
* orochi.yml: base playbook for debug

45
playbook/orochi.yml Normal file
View File

@ -0,0 +1,45 @@
# 2023-09-25
---
- name: Orochi
hosts: orochi
vars:
vm_name: "orochi" # VM name
vm_title: "Orochi" # VM title
vm_ip: "151" # VM IP
# VM specifics stacks
stacks_vm:
#[]
- "{{ adguardhome }}"
- "{{ adminer }}"
- "{{ aptcacherng }}"
- "{{ dl }}"
- "{{ drawio }}"
- "{{ flame }}"
- "{{ hastebin }}"
- "{{ homepage }}"
- "{{ itzg }}"
- "{{ jekyll }}"
- "{{ monitoring_vm }}"
- "{{ portainer_agent }}"
- "{{ portainer }}"
- "{{ promtail }}"
- "{{ registry }}"
- "{{ ntfy }}"
- "{{ ipfs }}"
availables: []
roles:
- common # Perform common tacks
- docker # Perform Docker installation
- vm # Perform VM preparation
- stacks # Perform stacks creation (include common & 'stacks_vm')
tasks:
# Orochi
- ansible.builtin.include_tasks: orochi/tasks/main.yml
tags:
- tasks
- orochi

29
playbook/orochi/tasks/helloworld.yml Normal file
View File

@ -0,0 +1,29 @@
# 2023-09-25
# Tasks: helloworld
---
- ansible.builtin.include_vars: ../vars/helloworld.yml
- name: Run hello-world
community.docker.docker_container:
cleanup: true
keep_volumes: false
output_logs: true
pull: false
name: hello-world
image: hello-world:latest
hostname: hello-world
auto_remove: false
detach: false
register: container_output
tags:
- tasks
- orochi
- testing
- docker
- container
- helloworld
- name: Display hello-world output
debug:
msg: "Output:[{{ container_output.container.Output | trim }}]"

15
playbook/orochi/tasks/main.yml Normal file
View File

@ -0,0 +1,15 @@
# 2023-09-25
# Tasks: main
---
- ansible.builtin.include_vars: ../vars/main.yml
# Hello World
- ansible.builtin.include_tasks: helloworld.yml
when:
- task_enable_all
- task_enable_helloworld
tags:
- tasks
- testing
- helloworld

3
playbook/orochi/vars/helloworld.yml Normal file
View File

@ -0,0 +1,3 @@
# 2023-09-05
# Vars: hello-world
---

6
playbook/orochi/vars/main.yml Normal file
View File

@ -0,0 +1,6 @@
# 2023-09-25
# Vars: main
---
task_enable_all: false
task_enable_helloworld: false

8
roles/README.md Normal file
View File

@ -0,0 +1,8 @@
# Roles
Define common roles for playbook runs.
* **common**: setup a common base sor linux/debian vm
* **docker**: install & setup a functionnal Docker base
* **stacks**: definitions of my Docker stacks
* **vm**: install & setup common vm's stack functionnalities

3
roles/common/README.md Normal file
View File

@ -0,0 +1,3 @@
# Common
Used to setup a functionnal base linuyx/debian system.

41
roles/common/tasks/aliases.yml Normal file
View File

@ -0,0 +1,41 @@
# 2023-09-25
# Tasks: aliases
---
- ansible.builtin.include_vars: aliases.yml
- name: Process bash aliases template
ansible.builtin.template:
backup: true
src: "{{ bash_aliases_template }}"
dest: "{{ bash_aliases_distribution }}"
owner: root
group: root
mode: u=rw,g=r,o=r
when:
- ansible_facts['system'] == "Linux"
tags:
- template
- system
- bash
- aliases
- add
- name: Link bash_aliases to bash_bashrc
ansible.builtin.blockinfile:
backup: true
path: "{{ bash_bashrc }}"
block: |
# 2023-09-25
# Load: bash_aliases
if [ -f {{ bash_aliases_distribution }} ]; then
. {{ bash_aliases_distribution }}
fi
when:
- ansible_facts['system'] == "Linux"
tags:
- template
- system
- bash
- aliases
- link

13
roles/common/tasks/daemons.yml Normal file
View File

@ -0,0 +1,13 @@
# 2023-09-25
# Tasks: daemons
---
- name: Reload system daemons
ansible.builtin.systemd:
daemon_reload: true
tags:
- system
- services
- reload
when:
- ansible_facts['system'] == "Linux"

20
roles/common/tasks/directories.yml Normal file
View File

@ -0,0 +1,20 @@
# 2023-09-25
# Tasks: directories
---
- ansible.builtin.include_vars: directories.yml
- name: Create extra directories
ansible.builtin.file:
path: "{{ item }}"
owner: root
group: root
state: directory
mode: u=rwx,g=rx,o=rx
with_items: "{{ directories_create }}"
tags:
- system
- directories
- create
when:
- ansible_facts['system'] == "Linux"

29
roles/common/tasks/locales.yml Normal file
View File

@ -0,0 +1,29 @@
# 2023-09-25
# Tasks: locales
---
- ansible.builtin.include_vars: locales.yml
- name: Process default locale template
ansible.builtin.template:
src: "{{ locale_template }}"
dest: "{{ locale_template_distribution }}"
owner: root
group: root
mode: u=rw,g=r,o=r
when:
- ansible_facts['system'] == "Linux"
tags:
- system
- locales
- default
- name: Build locales
ansible.builtin.locale_gen:
name : "{{ item }}"
with_items: "{{ locales_selections }}"
when:
- ansible_facts['system'] == "Linux"
tags:
- system
- locales

135
roles/common/tasks/main.yml Normal file
View File

@ -0,0 +1,135 @@
# 2023-09-25
# Tasks: main
---
- ansible.builtin.include_vars: main.yml
# Packages
- ansible.builtin.include_tasks: packages.yml
when:
- task_enable_all
- task_enable_packages
tags:
- tasks
- system
- packages
# Users
- ansible.builtin.include_tasks: users.yml
when:
- task_enable_all
- task_enable_users
tags:
- tasks
- system
- locales
# Locales
- ansible.builtin.include_tasks: locales.yml
when:
- task_enable_all
- task_enable_locales
tags:
- tasks
- system
- locales
# Timezones
- ansible.builtin.include_tasks: timezone.yml
when:
- task_enable_all
- task_enable_timezone
tags:
- tasks
- system
- timezone
# NTP
- ansible.builtin.include_tasks: ntp.yml
when:
- task_enable_all
- task_enable_ntp
tags:
- tasks
- system
- ntp
# Aliases
- ansible.builtin.include_tasks: aliases.yml
when:
- task_enable_all
- task_enable_aliases
tags:
- tasks
- system
- aliases
# Mounts
- ansible.builtin.include_tasks: mounts.yml
when:
- task_enable_all
- task_enable_mounts
tags:
- tasks
- system
- mounts
# Directories
- ansible.builtin.include_tasks: directories.yml
when:
- task_enable_all
- task_enable_directories
tags:
- tasks
- system
- directories
# Samba
- ansible.builtin.include_tasks: samba.yml
when:
- task_enable_all
- task_enable_samba
tags:
- tasks
- system
- samba
# Tuned
- ansible.builtin.include_tasks: tuned.yml
when:
- task_enable_all
- task_enable_tuned
tags:
- tasks
- system
- tuned
# SystemD
- ansible.builtin.include_tasks: systemd.yml
when:
- task_enable_all
- task_enable_systemd
tags:
- tasks
- system
- systemd
# Daemons
- ansible.builtin.include_tasks: daemons.yml
when:
- task_enable_all
- task_enable_daemons
tags:
- tasks
- system
- daemons
# Services
- ansible.builtin.include_tasks: services.yml
when:
- task_enable_all
- task_enable_services
tags:
- tasks
- system
- services

62
roles/common/tasks/mounts.yml Normal file
View File

@ -0,0 +1,62 @@
# 2023-09-25
# Tasks: mounts
---
- ansible.builtin.include_vars: mounts.yml
- name: Create mount directories
ansible.builtin.file:
path: "{{ item }}"
owner: root
group: root
state: directory
mode: u=rwx,g=rwx,o=rwx
with_items: "{{ mounts_create }}"
when:
- ansible_facts['system'] == "Linux"
tags:
- system
- mounts
- create
- name: Append informations to fstab
ansible.builtin.lineinfile:
backup: true
path: "{{ fstab_path }}"
state: present
line: "# {{ item }}"
with_items:
- "master: {{ common_mastering }}"
- "updated: {{ ansible_date_time.date }}"
when:
- ansible_facts['system'] == "Linux"
tags:
- system
- mounts
- fstab
- append
- name: Append mount directories to fstab
ansible.builtin.lineinfile:
backup: true
path: "{{ fstab_path }}"
state: present
line: tmpfs {{ item }} tmpfs defaults,noatime 0 0
with_items: "{{ mounts_fstab_append }}"
when:
- ansible_facts['system'] == "Linux"
tags:
- system
- mounts
- fstab
- append
- name: Remount all mount
ansible.builtin.shell: |
mount -a
when:
- ansible_facts['system'] == "Linux"
tags:
- system
- mounts
- remount

51
roles/common/tasks/ntp.yml Normal file
View File

@ -0,0 +1,51 @@
# 2023-09-25
# Tasks: ntp
---
- ansible.builtin.include_vars: ntp.yml
- name: Install NTP
ansible.builtin.package:
name: "{{ ntp_package_daemon }}"
state: present
when:
- ansible_facts['system'] == "Linux"
tags:
- apt
- packages
- ntp
- add
- name: Install tzdata
ansible.builtin.package:
name: "{{ ntp_package_tzdata }}"
state: present
when:
- ansible_facts['system'] == "Linux"
tags:
- apt
- packages
- tzdata
- add
- name: Populate service facts
service_facts:
- name: Disable systemd-timesyncd (if it's running but ntp is enabled)
ansible.builtin.service:
name: systemd-timesyncd.service
enabled: false
state: stopped
when:
- ansible_facts['system'] == "Linux"
- ntp_enabled | bool
- '"systemd-timesyncd.service" in services'
- services["systemd-timesyncd.service"]["status"] != "not-found"
- name: Process ntp template
ansible.builtin.template:
src: "{{ ntp_conf_template }}"
dest: "{{ ntp_conf_distribution }}"
mode: u=rw,g=r,o=r
when:
- ansible_facts['system'] == "Linux"

79
roles/common/tasks/packages.yml Normal file
View File

@ -0,0 +1,79 @@
# 2023-09-25
# Tasks: apt
---
- ansible.builtin.include_vars: "packages/{{ ansible_facts['os_family'] | lower }}.yml"
- name: Comment all entries in sources.list
ansible.builtin.replace:
backup: true
path: /etc/apt/sources.list
regexp: '^(.*)$'
replace: '# \1'
when:
- ansible_facts['system'] == "Linux"
- ansible_facts['os_family'] == "Debian"
tags:
- apt
- sources
- cdrom
- name: Process packages repositories template
ansible.builtin.template:
backup: true
src: "{{ sources_list_template }}"
dest: "{{ sources_list_distribution }}"
owner: root
group: root
mode: u=rw,g=r,o=r
when:
- ansible_facts['system'] == "Linux"
- ansible_facts['os_family'] == "Debian"
tags:
- system
- packages
- template
- repositories
- debian
- name: Upgrade packages
ansible.builtin.apt:
state: present
install_recommends: no
update_cache: yes
upgrade: full
when:
- ansible_facts['system'] == "Linux"
- ansible_facts['os_family'] == "Debian"
tags:
- system
- packages
- add
- name: Install packages
ansible.builtin.apt:
state: present
install_recommends: no
update_cache: yes
name: "{{ packages_needed }}"
when:
- ansible_facts['system'] == "Linux"
- ansible_facts['os_family'] == "Debian"
tags:
- system
- packages
- add
- name: Remove packages
ansible.builtin.apt:
state: absent
autoclean: true
autoremove: true
name: "{{ packages_removed }}"
when:
- ansible_facts['system'] == "Linux"
- ansible_facts['os_family'] == "Debian"
tags:
- system
- packages
- add

21
roles/common/tasks/samba.yml Normal file
View File

@ -0,0 +1,21 @@
# 2023-09-25
# Tasks: samba
---
- ansible.builtin.include_vars: vault/samba.yml
- ansible.builtin.include_vars: samba.yml
- name: Process smb.conf template
ansible.builtin.template:
backup: true
src: "{{ smb_conf_template }}"
dest: "{{ smb_conf_distribution }}"
owner: root
group: root
mode: u=rw,g=r,o=r
when:
- ansible_facts['system'] == "Linux"
tags:
- template
- samba
- add

63
roles/common/tasks/services.yml Normal file
View File

@ -0,0 +1,63 @@
# 2023-09-25
# Tasks: services
---
- ansible.builtin.include_vars: services.yml
- name: Disable services
ansible.builtin.service:
name: "{{ item }}"
enabled: false
state: "stopped"
with_items: "{{ services_disable }}"
tags:
- system
- services
- disable
when:
- ansible_facts['system'] == "Linux"
- ansible_facts['os_family'] == "Debian"
- name: Enable services
ansible.builtin.service:
name: "{{ item }}"
enabled: true
state: "started"
with_items: "{{ services_enable }}"
tags:
- system
- services
- enable
- restart
when:
- ansible_facts['system'] == "Linux"
- ansible_facts['os_family'] == "Debian"
- name: Restart services
ansible.builtin.service:
name: "{{ item }}"
enabled: true
state: "restarted"
with_items: "{{ services_restart }}"
tags:
- system
- services
- enable
- restart
when:
- ansible_facts['system'] == "Linux"
- ansible_facts['os_family'] == "Debian"
- name: Enable timers
ansible.builtin.service:
name: "{{ item }}"
enabled: true
state: "started"
with_items: "{{ timers_enable }}"
tags:
- system
- timers
- enable
when:
- ansible_facts['system'] == "Linux"
- ansible_facts['os_family'] == "Debian"

44
roles/common/tasks/systemd.yml Normal file
View File

@ -0,0 +1,44 @@
# 2023-09-25
# Tasks: systemd
---
- ansible.builtin.include_vars: systemd.yml
- ansible.builtin.include_vars: ../../roles/vm/vars/vault/ports.yml
- name: Create all systemd required directories
ansible.builtin.file:
path: "{{ item }}"
owner: root
group: root
state: directory
mode: u=rwx,g=rx,o=rx
with_items:
- "{{ systemd_directories }}"
when:
- ansible_facts['system'] == "Linux"
tags:
- system
- systemd
- directories
- create
- name: "Process systemd templates"
ansible.builtin.template:
lstrip_blocks: true
trim_blocks: true
backup: yes
src: "{{ templates.local }}"
dest: "{{ templates.remote }}"
owner: root
group: root
mode: u=rw,g=r,o=r
with_items:
- "{{ systemd_templates }}"
loop_control:
loop_var: templates
when:
- ansible_facts['system'] == "Linux"
tags:
- system
- services
- systemd

11
roles/common/tasks/timezone.yml Normal file
View File

@ -0,0 +1,11 @@
# 2023-09-25
# Tasks: timezone
---
- ansible.builtin.include_vars: timezone.yml
- name: Define timezone
ansible.builtin.timezone:
name: "{{ timezone }}"
when:
- ansible_facts['system'] == "Linux"

28
roles/common/tasks/tuned.yml Normal file
View File

@ -0,0 +1,28 @@
# 2023-09-25
# Tasks: tuned
---
- ansible.builtin.include_vars: tuned.yml
- name: Install tuned
ansible.builtin.apt:
name: "{{ packages_needed }}"
install_recommends: false
when:
- ansible_facts['system'] == "Linux"
- ansible_facts['os_family'] == "Debian"
tags:
- apt
- packages
- add
- name: Select tuned profile
command: tuned-adm profile virtual-guest
when:
- ansible_facts['system'] == "Linux"
- ansible_facts['os_family'] == "Debian"
tags:
- system
- service
- tuned
- profile

19
roles/common/tasks/users.yml Normal file
View File

@ -0,0 +1,19 @@
# 2023-09-25
# Tasks: users
---
- name: Create new users
ansible.builtin.user:
append: yes
name: "{{ item.name }}"
group: "{{ item.name }}"
shell: "{{ item.shell }}"
groups: "{{ item.groups }}"
with_items:
- "{{ users }}"
when:
- ansible_facts['system'] == "Linux"
tags:
- system
- users
- create

389
roles/common/templates/bash_aliases.j2 Normal file
View File

@ -0,0 +1,389 @@
{# Updated: 2023-09-25 #}
# master: {{ common_mastering }}
# updated: {{ ansible_date_time.date }}
# -----------------------------------------------------------------------------
# BASH TWEAKS
# -----------------------------------------------------------------------------
# ------------------------------
# HISTORY
# ------------------------------
# Line wrap on window resize
shopt -s checkwinsize
# Enable history
set -o history
# Combine multiline commands into one in history
shopt -s cmdhist
# Disable completion when the input buffer is empty. i.e. Hitting tab
# and waiting a long time for bash to expand all of $PATH.
shopt -s no_empty_cmd_completion
# Shorter history
export HISTCONTROL=ignoredups
export HISTIGNORE='&:ls:[bf]g:exit'
# big history
export HISTFILESIZE=20000
export HISTSIZE=10000
shopt -s histappend
# History completion
bind "'\e[A': history-search-backward"
bind "'\e[B': history-search-forward"
# ------------------------------
# COMPLETION
# ------------------------------
# Autocomplétion
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
# bash completion
[ -r /usr/share/bash-completion/bash_completion ] && . /usr/share/bash-completion/bash_completion
bind 'set completion-ignore-case on' # note: bind used instead of sticking these in .inputrc
bind 'set bell-style none' # no bell
bind 'set show-all-if-ambiguous On' # show list automatically, without double tab
# ------------------------------
# COLORS
# ------------------------------
# colors & char
# text normal colors
red='\e[0;31m'
blue='\e[0;34m'
cyan='\e[0;36m'
green='\e[0;32m'
yellow='\e[0;33m'
# text bright colors
bred='\e[0;91m'
bblue='\e[0;94m'
bcyan='\e[0;96m'
bgreen='\e[0;92m'
byellow='\e[0;93m'
bwhite='\e[0;97m'
# reset color
NC='\e[0m'
# Set colorful PS1 only on colorful terminals.
# dircolors --print-database uses its own built-in database
# instead of using /etc/DIR_COLORS. Try to use the external file
# first to take advantage of user additions.
# We run dircolors directly due to its changes in file syntax and
# terminal name patching.
use_color=false
if type -P dircolors >/dev/null ; then
# Enable colors for ls, etc. Prefer ~/.dir_colors #64489
LS_COLORS=
if [[ -f ~/.dir_colors ]] ; then
eval "$(dircolors -b ~/.dir_colors)"
elif [[ -f /etc/DIR_COLORS ]] ; then
eval "$(dircolors -b /etc/DIR_COLORS)"
else
eval "$(dircolors -b)"
fi
# Note: We always evaluate the LS_COLORS setting even when it's the
# default. If it isn't set, then `ls` will only colorize by default
# based on file attributes and ignore extensions (even the compiled
# in defaults of dircolors). #583814
if [[ -n ${LS_COLORS:+set} ]] ; then
use_color=true
else
# Delete it if it's empty as it's useless in that case.
unset LS_COLORS
fi
else
# Some systems (e.g. BSD & embedded) don't typically come with
# dircolors so we need to hardcode some terminals in here.
case ${TERM} in
[aEkx]term*|rxvt*|gnome*|konsole*|screen|cons25|*color) use_color=true;;
esac
fi
if ${use_color} ; then
if [[ ${EUID} == 0 ]] ; then
PS1+='\[\033[01;31m\]\h\[\033[01;34m\] \w \$\[\033[00m\] '
else
PS1+='\[\033[01;32m\]\u@\h\[\033[01;34m\] \w \$\[\033[00m\] '
fi
#BSD#@export CLICOLOR=1
#GNU#@alias ls='ls --color=auto'
alias grep='grep --colour=auto'
alias egrep='egrep --colour=auto'
alias fgrep='fgrep --colour=auto'
else
# show root@ when we don't have colors
PS1+='\u@\h \w \$ '
fi
for sh in /etc/bash/bashrc.d/* ; do
[[ -r ${sh} ]] && source '${sh}'
done
# Try to keep environment pollution down, EPA loves us.
unset use_color sh
# ------------------------------
# PROMPT
# ------------------------------
# Prompt
PS1='[\u@\h \W]\$ '
case ${TERM} in
xterm*|rxvt*|Eterm|aterm|kterm|gnome*)
PROMPT_COMMAND=${PROMPT_COMMAND:+$PROMPT_COMMAND; }"printf '\033]0;%s@%s:%s\007' '${USER}' '${HOSTNAME%%.*}' '${PWD/#$HOME/\~}'"
;;
screen*)
PROMPT_COMMAND=${PROMPT_COMMAND:+$PROMPT_COMMAND; }"printf '\033_%s@%s:%s\033\\' '${USER}' '${HOSTNAME%%.*}' '${PWD/#$HOME/\~}'"
;;
esac
if [ '$color_prompt' = yes ]; then
PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt
# Titre du terminal
# If this is an xterm set the title to user@host:dir
case '$TERM' in
xterm*|rxvt*)
PS1='\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1'
;;
*)
;;
esac
# ------------------------------
# ALIASES
# ------------------------------
# Privileged access
if (( UID != 0 )); then
alias sudo='sudo '
alias scat='sudo cat'
alias svim='sudoedit'
alias root='sudo -i'
alias reboot='sudo systemctl reboot'
alias poweroff='sudo systemctl poweroff'
alias update='sudo apt update'
alias netctl='sudo netctl'
fi
## Safety features
alias cp='cp -i'
alias mv='mv -i'
alias rm='rm -I' # 'rm -i' prompts for every file
# btrfs cow
alias cp='cp -i --reflink=auto'
# safer alternative w/ timeout, not stored in history
alias rm=' timeout 3 rm -Iv --one-file-system'
alias ln='ln -i'
alias chown='chown --preserve-root'
alias chmod='chmod --preserve-root'
alias chgrp='chgrp --preserve-root'
alias cls=" echo -ne '\033c'" # clear screen for real (it does not work in Terminology)
## Make Bash error tolerant
alias :q=' exit'
alias :Q=' exit'
alias :x=' exit'
alias cd..='cd ..'
# process using web
alias ports='lsof -i -n -P'
# make parent directory if needed
alias mkdir='mkdir -p'
# quit, exit & reboot
alias :q='exit'
alias oust="echo 'bye $USER...'; sleep 2s && systemctl poweroff"
alias comeback="echo 'be back right now...'; sleep 2s && systemctl reboot"
# Modified commands
alias diff='colordiff' # requires colordiff package
alias grep='grep --color=auto'
alias more='less'
alias df='df -h'
alias du='du -c -h'
alias mkdir='mkdir -p -v'
alias nano='nano -w'
alias ping='ping -c 5'
alias dmesg='dmesg -HL'
## New commands
alias da="date '+%A, %B %d, %Y [%T]'"
alias du1='du --max-depth=1'
alias hist='history | grep' # requires an argument
alias openports='ss --all --numeric --processes --ipv4 --ipv6'
alias pgg='ps -Af | grep' # requires an argument
alias ..='cd ..'
alias x=exit
# changes directories
alias ..='cd ..'
alias ...='cd ../..'
alias ....='cd ../../..'
alias .....='cd ../../../..'
alias .3='...'
alias .4='....'
alias .5='.....'
# handy short cuts
alias h='history'
alias j='jobs -l'
# date /time
alias path='echo -e ${PATH//:/\\n}'
alias now="date +'%T'"
alias nowtime=now
alias nowdate="date +'%d-%m-%Y'"
## pass options to free ##
alias free='free -h'
alias meminfo='free -m -l -t'
## get top process eating memory
alias psmem='ps auxf | sort -nr -k 4'
alias psmem10='ps auxf | sort -nr -k 4 | head -10'
## get top process eating cpu ##
alias pscpu='ps auxf | sort -nr -k 3'
alias pscpu10='ps auxf | sort -nr -k 3 | head -10'
## Resume wget by default
alias wget='wget -c'
# better 'top'
alias top='htop'
# screen default resume
alias screen='screen -R'
alias sr='screen'
# listings
alias ll='ls -lha'
alias lo='ls -o'
alias lh='ls -lh'
alias la='ls -la'
alias sl='ls'
alias l='ls'
alias s='ls'
alias lt='ls -laptr' #oldest first sort
alias labc='ls -lap' #alphabetical sort
## ls
alias ls='ls -hFX --color=auto --group-directories-first'
alias lr='ls -RhFX --color=auto --group-directories-first'
alias ll='ls -lhFXa --color=auto --group-directories-first'
alias la='ll -AhFX --color=auto --group-directories-first'
alias lx='ll -BXhFX --color=auto --group-directories-first' # sort by extension
alias lz='ll -rShFX --color=auto --group-directories-first' # sort by size
alias lt='ll -rthFX --color=auto --group-directories-first' # sort by date
alias lm='la | more'
# Git related
alias gs='git status'
alias gc='git commit'
alias ga='git add'
alias gd='git diff'
alias gb='git branch'
alias gl='git log'
alias gsb='git show-branch'
alias gco='git checkout'
alias gg='git grep'
alias gk='gitk --all'
alias gr='git rebase'
alias gri='git rebase --interactive'
alias gcp='git cherry-pick'
alias grm='git rm'
# performances analysis
alias analyze='systemd-analyze'
alias blame='systemd-analyze blame'
alias criticalchain='systemd-analyze critical-chain'
alias plot='systemd-analyze plot > /tmp/boot.analysis.svg && chmod 0777 /tmp/boot.analysis.svg'
# systemctl
alias ssysctl='sudo systemctl'
alias status='ssysctl status'
alias running='ssysctl list-units'
alias failed='ssysctl --failed'
alias units='ssysctl list-unit-files'
alias start='ssysctl start'
alias stop='ssysctl stop'
alias restart='ssysctl restart'
alias reload='ssysctl reload'
alias status='ssysctl status'
alias enable='ssysctl enable'
alias disable='ssysctl disable'
alias activate='enable --now'
alias mask='ssysctl mask'
alias unmask='ssysctl unmask'
alias help='ssysctl help'
alias daemonreload='ssysctl daemon-reload'
alias reboot='ssysctl reboot'
alias poweroff='ssysctl poweroff'
alias suspend='ssysctl suspend'
alias hibernate='ssysctl hibernate'
alias sleep='ssysctl hybrid-sleep'
alias reenable='ssysctl reenable'
alias revert='ssysctl revert'
alias targets='running --type=target'
alias enabled='units |grep enabled'
alias disabled='units |grep disabled'
alias jobs='ssysctl list-jobs'
# journald
alias journal='sudo journalctl'
alias boot='journal -b'
alias pid='journal _PID='
alias follow='journal -f'
alias kernel='journal -k'
alias unit='journal -u'
alias jeca='journal -p err..alert'
alias jreload='reload systemd-journald.service'
alias jauth='journal SYSLOG_FACILITY=10'
alias since='journal --since'
alias today="journalsince 'yesterday'"
alias j1h="journalsince '60 minutes ago'"
alias j15m="journal --since '15 minutes ago'"
alias j30m="journal --since '30 minutes ago'"
alias kernelboot='journal -k -b -1'
alias boots='journal --list-boots'
alias entries20='journal -n 20'
# exports
export EDITOR='nano'
export BROWSER='surf'
export PAGER='most'
# path
export PATH="/usr/lib/colorgcc/bin/:$PATH"
export CCACHE_PATH='/usr/bin'
export CCACHE_DIR=/mnt/build
export BUILDDIR=/mnt/build
# vm
NPROC=$(nproc)

12
roles/common/templates/debian_sources_list.j2 Normal file
View File

@ -0,0 +1,12 @@
{# Updated: 2023-09-25 #}
# master: {{ common_mastering }}
# updated: {{ ansible_date_time.date }}
deb http://deb.debian.org/debian/ {{ ansible_distribution_release }} main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian/ {{ ansible_distribution_release }} main contrib non-free non-free-firmware
deb http://security.debian.org/debian-security {{ ansible_distribution_release }}-security main contrib non-free non-free-firmware
deb-src http://security.debian.org/debian-security {{ ansible_distribution_release }}-security main contrib non-free non-free-firmware
deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-updates main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian/ {{ ansible_distribution_release }}-updates main contrib non-free non-free-firmware

22
roles/common/templates/ethernet_service.j2 Normal file
View File

@ -0,0 +1,22 @@
{# Updated: 2023-09-25 #}
# master: {{ common_mastering }}
# updated: {{ ansible_date_time.date }}
[Unit]
Description=Ethernet MTU & Tx Queue Len
After=network-online.target
[Service]
Type=oneshot
{% if jumbo_frames is defined %}
#ExecStart=ip link set {{ ethernet_interface }} mtu 1500
#ExecStart=ip link set {{ ethernet_interface }} txqueuelen 1000
ExecStart=ip link set {{ ethernet_interface }} mtu {{ ethernet_mtu }}
ExecStart=ip link set {{ ethernet_interface }} txqueuelen {{ ethernet_txqueuelen }}
{% else %}
ExecStart=ip link set {{ ethernet_interface }} mtu 1500
ExecStart=ip link set {{ ethernet_interface }} txqueuelen 1000
{% endif %}
[Install]
WantedBy=multi-user.target

10
roles/common/templates/journald_conf.j2 Normal file
View File

@ -0,0 +1,10 @@
{# Updated: 2023-09-25 #}
# master: {{ common_mastering }}
# updated: {{ ansible_date_time.date }}
[Journal]
MaxFileSec=1week
SystemMaxUse=250M
SystemMaxFileSize=50M
SystemMaxFiles=32
RuntimeMaxFiles=32

50
roles/common/templates/locale.j2 Normal file
View File

@ -0,0 +1,50 @@
{# Updated: 2023-09-25 #}
# master: {{ common_mastering }}
# updated: {{ ansible_date_time.date }}
LANG="{{ locales_default.lang }}"
{% if locales_default.language is defined %}
LANGUAGE="{{ locales_default.language }}"
{% endif %}
{% if locales_default.lc_address is defined %}
LC_ADDRESS="{{ locales_default.lc_address }}"
{% endif %}
{% if locales_default.lc_all is defined %}
LC_ALL="{{ locales_default.lc_all }}"
{% endif %}
{% if locales_default.lc_collate is defined %}
LC_COLLATE="{{ locales_default.lc_collate }}"
{% endif %}
{% if locales_default.lc_ctype is defined %}
LC_CTYPE="{{ locales_default.lc_ctype }}"
{% endif %}
{% if locales_default.lc_identification is defined %}
LC_IDENTIFICATION="{{ locales_default.lc_identification }}"
{% endif %}
{% if locales_default.lc_measurement is defined %}
LC_MEASUREMENT="{{ locales_default.lc_measurement }}"
{% endif %}
{% if locales_default.lc_messages is defined %}
LC_MESSAGES="{{ locales_default.lc_messages }}"
{% endif %}
{% if locales_default.lc_monetary is defined %}
LC_MONETARY="{{ locales_default.lc_monetary }}"
{% endif %}
{% if locales_default.lc_name is defined %}
LC_NAME="{{ locales_default.lc_name }}"
{% endif %}
{% if locales_default.lc_numeric is defined %}
LC_NUMERIC="{{ locales_default.lc_numeric }}"
{% endif %}
{% if locales_default.lc_paper is defined %}
LC_PAPER="{{ locales_default.lc_paper }}"
{% endif %}
{% if locales_default.lc_response is defined %}
LC_RESPONSE="{{ locales_default.lc_response }}"
{% endif %}
{% if locales_default.lc_telephone is defined %}
LC_TELEPHONE="{{ locales_default.lc_telephone }}"
{% endif %}
{% if locales_default.lc_time is defined %}
LC_TIME="{{ locales_default.lc_time }}"
{% endif %}

14
roles/common/templates/multiqueue_service.j2 Normal file
View File

@ -0,0 +1,14 @@
{# Updated: 2023-09-25 #}
# master: {{ common_mastering }}
# updated: {{ ansible_date_time.date }}
[Unit]
Description=Ethernet Multiqueue
After=network-online.target
[Service]
Type=oneshot
ExecStart=ethtool -L {{ ethernet_interface }} combined ${NPROC}
[Install]
WantedBy=multi-user.target

6
roles/common/templates/multiqueue_service_override.j2 Normal file
View File

@ -0,0 +1,6 @@
{# Updated: 2023-09-25 #}
# master: {{ common_mastering }}
# updated: {{ ansible_date_time.date }}
[Service]
Environment="NPROC={{ ethernet_multiqueue }}"

116
roles/common/templates/ntp_conf.j2 Normal file
View File

@ -0,0 +1,116 @@
{# Updated: 2023-09-25 #}
# master: {{ common_mastering }}
# updated: {{ ansible_date_time.date }}
# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile {{ ntp_driftfile }}
leapfile {{ ntp_leapfile }}
# To enable Network Time Security support as a server, obtain a certificate
# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
# nts cert CERT_FILE
# nts key KEY_FILE
# nts enable
# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
#statsdir /var/log/ntpsec/
#statistics loopstats peerstats clockstats
#filegen loopstats file loopstats type day enable
#filegen peerstats file peerstats type day enable
#filegen clockstats file clockstats type day enable
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
{% if ntp_tinker_panic is sameas true %}
# Always reset the clock, even if the new time is more than 1000s away
# from the current system time. Usefull for VMs that can be paused
# and much later resumed.
tinker panic 0
{% endif %}
# This should be maxclock 7, but the pool entries count towards maxclock.
tos maxclock 11
# Comment this out if you have a refclock and want it to be able to discipline
# the clock by itself (e.g. if the system is not connected to the network).
tos minclock 4 minsane 3
# Specify one or more NTP servers.
# Public NTP servers supporting Network Time Security:
# server time.cloudflare.com nts
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <https://www.pool.ntp.org/join.html>
{% for item in ntp_servers %}
pool {{ item }} iburst dynamic
{% endfor %}
# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
# for details.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict default kod nomodify nopeer noquery limited
# Allow pool associations
restrict source nomodify notrap noquery
# Local users may interrogate the ntp server more closely.
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
{% for item in ntp_restrict %}
restrict {{ item }}
{% endfor %}
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust
# Enable public key cryptography.
#crypto
#includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
#keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

19
roles/common/templates/opt_backups_mount.j2 Normal file
View File

@ -0,0 +1,19 @@
{# Updated: 2023-09-25 #}
# master: {{ common_mastering }}
# updated: {{ ansible_date_time.date }}
[Unit]
Description=Master Node Backups Mount
DefaultDependencies=yes
Conflicts=umount.target
Before=docker.service
After=systemd-networkd-wait-online@{{ ethernet_interface }}.service
[Mount]
What=//{{ vm_master_node_local }}/backups
Where=/opt/backups
Type=cifs
Options=defaults,_netdev,guest,exec,dir_mode=0775,file_mode=0664,uid=1000,gid=1000
[Install]
WantedBy=multi-user.target

19
roles/common/templates/opt_docker_ssl_mount.j2 Normal file
View File

@ -0,0 +1,19 @@
{# Updated: 2023-09-25 #}
# master: {{ common_mastering }}
# updated: {{ ansible_date_time.date }}
[Unit]
Description=Master Node SSL Mount
DefaultDependencies=yes
Conflicts=umount.target
Before=docker.service
After=systemd-networkd-wait-online@{{ ethernet_interface }}.service
[Mount]
What=//{{ vm_master_node_local }}/ssl
Where=/opt/docker/ssl
Type=cifs
Options=defaults,_netdev,guest,exec,dir_mode=0555,file_mode=0444,uid=1000,gid=1000
[Install]
WantedBy=multi-user.target

19
roles/common/templates/opt_kernels_mount.j2 Normal file
View File

@ -0,0 +1,19 @@
{# Updated: 2023-09-25 #}
# master: {{ common_mastering }}
# updated: {{ ansible_date_time.date }}
[Unit]
Description=Master Node Kernels Mount
DefaultDependencies=yes
Conflicts=umount.target
Before=docker.service
After=systemd-networkd-wait-online@{{ ethernet_interface }}.service
[Mount]
What=//{{ vm_master_node_local }}/kernels
Where=/opt/kernels
Type=cifs
Options=defaults,_netdev,guest,exec,dir_mode=0775,file_mode=0664,uid=1000,gid=1000
[Install]
WantedBy=multi-user.target

19
roles/common/templates/opt_scripts_mount.j2 Normal file
View File

@ -0,0 +1,19 @@
{# Updated: 2023-09-25 #}
# master: {{ common_mastering }}
# updated: {{ ansible_date_time.date }}
[Unit]
Description=Master Node Scripts Mount
DefaultDependencies=yes
Conflicts=umount.target
Before=docker.service
After=systemd-networkd-wait-online@{{ ethernet_interface }}.service
[Mount]
What=//{{ vm_master_node_local }}/scripts
Where=/opt/scripts
Type=cifs
Options=defaults,_netdev,guest,exec,dir_mode=0775,file_mode=0664,uid=1000,gid=1000
[Install]
WantedBy=multi-user.target

19
roles/common/templates/opt_work_mount.j2 Normal file
View File

@ -0,0 +1,19 @@
{# Updated: 2023-09-25 #}
# master: {{ common_mastering }}
# updated: {{ ansible_date_time.date }}
[Unit]
Description=Master Node Work Mount
DefaultDependencies=yes
Conflicts=umount.target
Before=docker.service
After=systemd-networkd-wait-online@{{ ethernet_interface }}.service
[Mount]
What=//{{ vm_master_node_local }}/work
Where=/opt/work
Type=cifs
Options=defaults,_netdev,guest,exec,dir_mode=0775,file_mode=0664,uid=1000,gid=1000
[Install]
WantedBy=multi-user.target

86
roles/common/templates/smb_conf.j2 Normal file
View File

@ -0,0 +1,86 @@
{# Updated: 2023-09-25 #}
# master: {{ common_mastering }}
# updated: {{ ansible_date_time.date }}
[global]
workgroup = {{ samba_workgroup_name }}
security = user
map to guest = Bad User
name resolve order = bcast host
usershare allow guests = yes
client min protocol = NT1
client max protocol = SMB3
server min protocol = NT1
server max protocol = SMB3
getwd cache = yes
strict allocate = yes
strict locking = no
read raw = yes
write raw = yes
use sendfile = yes
oplocks = yes
getwd cache = yes
max connections = 65535
max open files = 65535
max xmit = 65535
aio read size = 16384
aio write size = 16384
min receivefile size = 16384
log level = 0
dead time = 15
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
show add printer wizard = no
use sendfile = yes
domain master = auto
mangled names = no
charset = UTF-8
unix charset = UTF-8
display charset = UTF-8
store dos attributes = no
ea support = no
map archive = no
map hidden = no
map system = no
map readonly = no
[work]
comment = work
path = {{ smb_work }}
force user = {{ samba_default_force_user }}
force group = {{ samba_default_force_group }}
create mask = 0644
directory mask = 0755
force create mode = 0644
force directory mode = 0775
browsable = yes
public = yes
writable = yes
[backups]
comment = backups
path = {{ smb_backups }}
force user = {{ samba_default_force_user }}
force group = {{ samba_default_force_group }}
create mask = 0644
directory mask = 0755
force create mode = 0644
force directory mode = 0775
browsable = yes
public = yes
writable = yes
[docker]
comment = Docker
path = {{ smb_docker }}
force user = {{ samba_default_force_user }}
force group = {{ samba_default_force_group }}
create mask = 0644
directory mask = 0755
force create mode = 0644
force directory mode = 0775
browsable = yes
public = yes
writable = yes

18
roles/common/templates/vm_service.j2 Normal file
View File

@ -0,0 +1,18 @@
{# Updated: 2023-09-25 #}
# master: {{ common_mastering }}
# updated: {{ ansible_date_time.date }}
[Unit]
Description=VM Start/Stop Notifications
After=network.target docker.service
After=systemd-networkd-wait-online@{{ ethernet_interface }}.service
RequiresMountsFor=/opt/scripts
[Service]
Type=oneshot
ExecStart=bash /opt/scripts/ntfy.sh -t "vm" -m "START"
ExecStop=bash /opt/scripts/ntfy.sh -t "vm" -m "STOP"
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

12
roles/common/vars/aliases.yml Normal file
View File

@ -0,0 +1,12 @@
# 2023-09-25
# Settings: aliases
---
# bash_aliases template
bash_aliases_template: bash_aliases.j2
# bash_aliases path
bash_aliases_distribution: /etc/bash_aliases
# bash.bashrc
bash_bashrc: /etc/bash.bashrc

11
roles/common/vars/directories.yml Normal file
View File

@ -0,0 +1,11 @@
# 2023-09-25
# Settings: directories
---
# New directories to create
directories_create:
- /opt/backups
- /opt/scripts
- /opt/work
- /opt/docker
- /opt/docker/ssl

35
roles/common/vars/locales.yml Normal file
View File

@ -0,0 +1,35 @@
# 2023-09-25
# Settings: locales
---
locales_selections:
- "en_US.UTF-8"
- "fr_FR.UTF-8"
# locale template
locale_template: locale.j2
# locale path
locale_template_distribution: /etc/default/locale
# Global default locale definition
default_locale: "fr_FR.UTF-8"
# Setup all system default locales
locales_default:
lang: "{{ default_locale }}"
language: "{{ default_locale }}"
lc_address: "{{ default_locale }}"
lc_all: "{{ default_locale }}"
lc_collate: "{{ default_locale }}"
lc_ctype: "{{ default_locale }}"
lc_identification: "{{ default_locale }}"
lc_measurement: "{{ default_locale }}"
lc_messages: "{{ default_locale }}"
lc_monetary: "{{ default_locale }}"
lc_name: "{{ default_locale }}"
lc_numeric: "{{ default_locale }}"
lc_paper: "{{ default_locale }}"
lc_response: "{{ default_locale }}"
lc_telephone: "{{ default_locale }}"
lc_time: "{{ default_locale }}"

26
roles/common/vars/main.yml Normal file
View File

@ -0,0 +1,26 @@
# 2023-09-25
# Vars: main
---
task_enable_all: true
task_enable_users: true
task_enable_locales: true
task_enable_timezone: true
task_enable_ntp: true
task_enable_aliases: true
task_enable_mounts: true
task_enable_directories: true
task_enable_packages: true
task_enable_samba: true
task_enable_tuned: true
task_enable_systemd: true
task_enable_daemons: true
task_enable_services: true
#
# mastering date
#
common_mastering: "{{ mastering_common | default('2023-09-25') }}"

21
roles/common/vars/mounts.yml Normal file
View File

@ -0,0 +1,21 @@
# 2023-09-25
# Settings: mounts
---
# New directories to create
mounts_create:
- /mnt/memory
- /mnt/build
- /mnt/cache
# Path to systel fstab file
fstab_path: /etc/fstab
# Directories to mount in fstab
mounts_fstab_append:
- /mnt/memory
- /mnt/build
- /mnt/cache
- /tmp
- /var/log
- /var/tmp

26
roles/common/vars/ntp.yml Normal file
View File

@ -0,0 +1,26 @@
# 2023-09-25
# Settings: ntp
---
ntp_enabled: true
ntp_restrict:
- "127.0.0.1"
- "::1"
ntp_package_daemon: ntp
ntp_package_tzdata: tzdata
ntp_timezone: "{{ timezone }}"
ntp_daemon: ntp
ntp_servers:
- fr.pool.ntp.org
- pool.ntp.org
ntp_conf_template: ntp_conf.j2
ntp_conf_distribution: /etc/ntpsec/ntp.conf
ntp_driftfile: /var/lib/ntpsec/ntp.drift
ntp_leapfile: /usr/share/zoneinfo/leap-seconds.list
ntp_cron_daemon: cron

38
roles/common/vars/packages/debian.yml Normal file
View File

@ -0,0 +1,38 @@
# 2023-09-25
# Settings: packages
---
# APT sources.list template
sources_list_template: debian_sources_list.j2
# APT distribution template full remote path
sources_list_distribution: /etc/apt/sources.list.d/debian.list
# base system packages to remove
packages_removed:
- systemd-timesyncd
# base system packages needed
packages_needed:
- ca-certificates
- locales
- sudo
- nano
- curl
- wget
- surf
- most
- gnupg
- zram-tools
- bash-completion
- lsof
- colordiff
- htop
- screen
- git
- samba
- mlocate
- mc
- ethtool
- cifs-utils
- qemu-guest-agent

14
roles/common/vars/samba.yml Normal file
View File

@ -0,0 +1,14 @@
# 2023-09-25
# Settings: samba
---
# Samba smb.conf template
smb_conf_template: smb_conf.j2
# smb.conf full remote path
smb_conf_distribution: /etc/samba/smb.conf
# folders specifications
smb_docker: "/opt/docker"
smb_work: "/opt/work"
smb_backups: "/opt/backups"

40
roles/common/vars/services.yml Normal file
View File

@ -0,0 +1,40 @@
# 2023-09-25
# Settings: services
---
services_disable:
- "proc-sys-fs-binfmt_misc.mount"
- "ifupdown-wait-online.service"
- "systemd-network-generator.service"
- "systemd-networkd-wait-online.service"
- "systemd-time-wait-sync.service"
services_enable:
- "systemd-boot-check-no-failures.service"
- "systemd-networkd.service"
- "systemd-pstore.service"
- "ntpsec.service"
- "ntpsec-systemd-netif.path"
- "systemd-networkd-wait-online@{{ ethernet_interface }}.service"
services_restart:
- "cron.service"
- "nmbd.service"
- "smbd.service"
- "tuned.service"
- "{{ systemd_container_ethernet_service }}"
- "{{ systemd_container_multiqueue_service }}"
- "{{ systemd_container_vm_service }}"
- "{{ systemd_container_opt_work_mount }}"
- "{{ systemd_container_opt_backup_mount }}"
- "{{ systemd_container_opt_kernels_mount}}"
- "{{ systemd_container_opt_scripts_mount }}"
- "{{ systemd_container_opt_docker_ssl_mount }}"
timers_enable:
- "e2scrub_all.timer"
- "fstrim.timer"
- "logrotate.timer"
- "man-db.timer"
- "plocate-updatedb.timer"
- "ntpsec-rotate-stats.timer"

61
roles/common/vars/systemd.yml Normal file
View File

@ -0,0 +1,61 @@
# 2023-09-25
# Settings: systemd
---
systemd_root: "/etc/systemd"
systemd_system_root: "{{ systemd_root }}/system"
systemd_journal_root: "{{ systemd_root }}/journald.conf.d"
local_folder_templates: ../templates
ethernet_interface: "{{ ansible_default_ipv4.interface }}"
jumbo_frames: true
ethernet_mtu: 9000
ethernet_txqueuelen: 10000
ethernet_multiqueue: "{{ ansible_facts['processor_nproc'] }}"
systemd_template_journald_service: "{{ local_folder_templates }}/journald_conf.j2"
systemd_container_journald_service: "vm.conf"
systemd_template_ethernet_service: "{{ local_folder_templates }}/ethernet_service.j2"
systemd_container_ethernet_service: "ethernet.service"
systemd_template_multiqueue_service_override: "{{ local_folder_templates }}/multiqueue_service_override.j2"
systemd_container_multiqueue_service_override: "multiqueue.service.d/override.conf"
systemd_template_multiqueue_service: "{{ local_folder_templates }}/multiqueue_service.j2"
systemd_container_multiqueue_service: "multiqueue.service"
systemd_template_vm_service: "{{ local_folder_templates }}/vm_service.j2"
systemd_container_vm_service: "vm.service"
systemd_template_opt_backup_mount: "{{ local_folder_templates }}/opt_backups_mount.j2"
systemd_container_opt_backup_mount: "opt-backups.mount"
systemd_template_opt_work_mount: "{{ local_folder_templates }}/opt_work_mount.j2"
systemd_container_opt_work_mount: "opt-work.mount"
systemd_template_opt_kernels_mount: "{{ local_folder_templates }}/opt_kernels_mount.j2"
systemd_container_opt_kernels_mount: "opt-kernels.mount"
systemd_template_opt_scripts_mount: "{{ local_folder_templates }}/opt_scripts_mount.j2"
systemd_container_opt_scripts_mount: "opt-scripts.mount"
systemd_template_opt_docker_ssl_mount: "{{ local_folder_templates }}/opt_docker_ssl_mount.j2"
systemd_container_opt_docker_ssl_mount: "opt-docker-ssl.mount"
systemd_directories:
- "{{ systemd_system_root }}/multiqueue.service.d"
- "{{ systemd_journal_root }}"
systemd_templates:
- { local: "{{ systemd_template_journald_service }}", remote: "{{ systemd_journal_root }}/{{ systemd_container_journald_service }}" }
- { local: "{{ systemd_template_ethernet_service }}", remote: "{{ systemd_system_root }}/{{ systemd_container_ethernet_service }}" }
- { local: "{{ systemd_template_multiqueue_service_override }}", remote: "{{ systemd_system_root }}/{{ systemd_container_multiqueue_service_override }}" }
- { local: "{{ systemd_template_multiqueue_service }}", remote: "{{ systemd_system_root }}/{{ systemd_container_multiqueue_service }}" }
- { local: "{{ systemd_template_vm_service }}", remote: "{{ systemd_system_root }}/{{ systemd_container_vm_service }}" }
- { local: "{{ systemd_template_opt_backup_mount }}", remote: "{{ systemd_system_root }}/{{ systemd_container_opt_backup_mount }}" }
- { local: "{{ systemd_template_opt_work_mount }}", remote: "{{ systemd_system_root }}/{{ systemd_container_opt_work_mount }}" }
- { local: "{{ systemd_template_opt_kernels_mount }}", remote: "{{ systemd_system_root }}/{{ systemd_container_opt_kernels_mount }}" }
- { local: "{{ systemd_template_opt_scripts_mount }}", remote: "{{ systemd_system_root }}/{{ systemd_container_opt_scripts_mount }}" }
- { local: "{{ systemd_template_opt_docker_ssl_mount }}", remote: "{{ systemd_system_root }}/{{ systemd_container_opt_docker_ssl_mount }}" }

9
roles/common/vars/timezone.yml Normal file
View File

@ -0,0 +1,9 @@
# 2023-09-25
# Settings: timezone
---
# Define time zone
timezone: "Europe/Paris"
# SystemD cron daemon
cron_daemon: "cron"

9
roles/common/vars/tuned.yml Normal file
View File

@ -0,0 +1,9 @@
# 2023-09-25
# Settings: tuned
---
# packages needed
packages_needed:
- tuned
- tuned-utils
- tuned-utils-systemtap

15
roles/common/vars/vault/samba.yml Normal file
View File

@ -0,0 +1,15 @@
$ANSIBLE_VAULT;1.1;AES256
37326662323464363664353831663333313866653762643036663633633939303865333330393164
6266663764333931356337636434643931623637396236660a656330643061353537316332373261
39316162393830396165323335623236393638313236343033326538303261383164376436396133
6533653362326233630a616139323435306538386365366532373436303861633165653861313630
33653263626330613165306639393533616131373462303837326634393164386138386136643330
62303335376536323536303633626132386438376364313864646465373538656262306166336562
62643237613737653337333635333863653933343266633439666131623437383131636434666430
63303131666539616465303433633231633964613036636439653531343937653635636630613865
62383338643438346238656131323765373461353739633165333139303136363962313661373166
37343138626438666264326431323735363635336636623262666336333931653863613135393831
35356430326436313131626264646564333731383334646466343532653437353866323133643030
38643033343732303635663963613365636638366131626464356438313236306366353435383038
36333337383339353737623736666261343836336435316461633039323438633663396632646632
3138373231326130323864653439373563653961666666633135

3
roles/docker/README.md Normal file
View File

@ -0,0 +1,3 @@
# Docker
Create needed directories, remove old packages and install required packages from official Docker recommandations.

146
roles/docker/tasks/docker.yml Normal file
View File

@ -0,0 +1,146 @@
# 2023-09-25
# Tasks: docker
---
- ansible.builtin.include_vars: docker.yml
#
# Prepare Docker service
#
- name: Create directories
ansible.builtin.file:
path: "{{ item }}"
owner: root
group: root
state: directory
mode: u=rwx,g=rx,o=rx
with_items: "{{ directories_create }}"
when:
- ansible_facts['system'] == "Linux"
tags:
- system
- directories
- create
- name: Process daemon.json template
ansible.builtin.template:
backup: true
src: "{{ vm_template_daemon_json }}"
dest: "{{ vm_daemon_json_root }}/{{ vm_template_daemon_json_name }}"
owner: root
group: root
mode: u=rw,g=r,o=r
when:
- ansible_facts['system'] == "Linux"
tags:
- template
- docker
- daemon
- add
- name: Process override.conf template
ansible.builtin.template:
backup: true
src: "{{ vm_template_docker_override }}"
dest: "{{ vm_docker_override_root }}/{{ vm_template_docker_override_name }}"
owner: root
group: root
mode: u=rw,g=r,o=r
when:
- ansible_facts['system'] == "Linux"
tags:
- template
- docker
- override
- add
#
# Install Docker
#
- name: Setup Docker's GPG
ansible.builtin.shell: |
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
when:
- ansible_facts['system'] == "Linux"
- ansible_facts['os_family'] == "Debian"
tags:
- docker
- gpg
- name: Add Docker repository
ansible.builtin.shell: |
echo \
"deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
"$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
when:
- ansible_facts['system'] == "Linux"
- ansible_facts['os_family'] == "Debian"
tags:
- docker
- repositories
- name: Perform Docker packages cleanup
ansible.builtin.package:
state: absent
name: "{{ docker_pakages_cleanup }}"
when:
- ansible_facts['system'] == "Linux"
tags:
- apt
- packages
- remove
- docker
- name: Install Docker packages
ansible.builtin.package:
install_recommends: false
update_cache: true
name: "{{ docker_pakages_required + docker_pakages_needed }}"
when:
- ansible_facts['system'] == "Linux"
tags:
- apt
- packages
- add
- docker
- name: Reload daemons
ansible.builtin.systemd:
daemon_reload: true
when:
- ansible_facts['system'] == "Linux"
tags:
- system
- services
- reload
- name: Ensure Docker is restarted
ansible.builtin.service:
name: "{{ item }}"
state: restarted
with_items: "{{ docker_services }}"
when:
- ansible_facts['system'] == "Linux"
tags:
- services
- docker
- start
- name: Install Grafana Loki Docker plugin
community.docker.docker_plugin:
plugin_name: "{{docker_loki_image}}:{{ docker_loki_version }}"
alias: "{{ docker_loki_alias }}"
state: enable
when:
- ansible_facts['system'] == "Linux"
tags:
- services
- docker
- plugins

16
roles/docker/tasks/main.yml Normal file
View File

@ -0,0 +1,16 @@
# 2023-09-25
# Tasks: main
---
- ansible.builtin.include_vars: main.yml
# Docker
- ansible.builtin.include_tasks: docker.yml
when:
- task_enable_all
- task_enable_docker
tags:
- tasks
- system
- vm
- docker

35
roles/docker/templates/daemon_json.j2 Normal file
View File

@ -0,0 +1,35 @@
{
"live-restore": true,
"max-concurrent-downloads": 16,
"max-concurrent-uploads": 16,
"max-download-attempts": 16,
"mtu": 1500,
"dns": [
"1.1.1.1",
"8.8.8.8",
"1.0.0.1",
"8.8.4.4"
],
"bip": "10.200.0.1/24",
"ipv6": true,
"fixed-cidr-v6": "2001:db8:1::/64",
"ip6tables": true,
"experimental": true,
"default-address-pools": [
{
"base" : "10.201.0.0/16",
"size" : 24
},
{
"base" : "10.202.0.0/16",
"size" : 24
},
{
"base": "2001:db8::/104",
"size": 112
}
],
"hosts": [
"unix:///var/run/docker.sock"
]
}

6
roles/docker/templates/docker_override_json.j2 Normal file
View File

@ -0,0 +1,6 @@
# {{ ansible_managed }}
# {{ docker_mastering }}
# 2023-09-25
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd

58
roles/docker/vars/docker.yml Normal file
View File

@ -0,0 +1,58 @@
# 2023-09-25
# Settings: docker
---
#
# installation
#
# directories
vm_daemon_json_root: "/etc/docker"
vm_docker_override_root: "/etc/systemd/system/docker.service.d/"
directories_create:
- "{{ vm_daemon_json_root }}"
- "{{ vm_docker_override_root }}"
# daemon.json
vm_template_daemon_json: daemon_json.j2
vm_template_daemon_json_name: "daemon.json"
# override.conf
vm_template_docker_override: docker_override_json.j2
vm_template_docker_override_name: "override.conf"
# Grafana Loki plugin
docker_loki_image: "grafana/loki-docker-driver"
docker_loki_version: "latest"
docker_loki_alias: "loki"
# Docker packages required
docker_pakages_required:
- curl
- gnupg
- lsb-release
# Packages to remove before Docker
docker_pakages_cleanup:
- docker.io
- docker-doc
- docker-compose
- podman-docker
- containerd
# Packages to install Docker
docker_pakages_needed:
- docker-ce
- docker-ce-cli
- containerd.io
- docker-buildx-plugin
- docker-compose-plugin
- cgroupfs-mount
# Docker services
docker_services:
- docker.service
- docker.socket

14
roles/docker/vars/main.yml Normal file
View File

@ -0,0 +1,14 @@
# 2023-09-25
# Vars: main
---
task_enable_all: true
task_enable_docker: true
#
# mastering date
#
docker_mastering: "{{ mastering_docker | default('2023-09-25') }}"

23
roles/stacks/README.md Normal file
View File

@ -0,0 +1,23 @@
# Stacks
Define all required settings and required files, to setup my Docker stacks:
* Docker Socket Proxy
* Dozzle
* Adguard Home
* APT Cacher NG
* DL (download zone for my blog)
* Draw.IO
* Flame
* Hastebin
* Homepage
* IPFS
* ITZG _(Minecraft server... for testing purpose only)_
* Jekyll
* Monitoring _(base)_ including cAdvisor & Node-exporter
* Ntfy
* Portainer Agent
* Portainer
* Promtail
* Docker Registry
* Watchtower

387
roles/stacks/composes/files/adguardhome/templates/adguardhome/templates/adguardhome/adguardhome_yaml.j2 Normal file
View File

@ -0,0 +1,387 @@
# {{ ansible_managed }}
# master: {{ stacks_mastering }}
# edited: 2023-09-25
# updated: {{ ansible_date_time.date }}
http:
pprof:
port: 6060
enabled: false
address: 0.0.0.0:80
session_ttl: 720h
users:
- name: {{ admin_user }}
password: {{ admin_password }}
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
theme: auto
dns:
bind_hosts:
- 0.0.0.0
port: 53
anonymize_client_ip: false
ratelimit: 0
ratelimit_whitelist: []
refuse_any: true
upstream_dns:
- https://security.cloudflare-dns.com/dns-query
- https://dns.quad9.net/dns-query
- https://dns.adguard.com/dns-query
- tls://security.cloudflare-dns.com
- tls://dns.quad9.net
- tls://dns.adguard.com
upstream_dns_file: ""
bootstrap_dns:
- 9.9.9.10
- 149.112.112.10
- 2620:fe::10
- 2620:fe::fe:10
- 1.1.1.1
- 1.0.0.1
- 2606:4700:4700::1111
- 2606:4700:4700::1001
- 8.8.8.8
- 8.8.4.4
- 2001:4860:4860::8888
- 2001:4860:4860::8844
- 9.9.9.9
- 149.112.112.112
- 2620:fe::fe
- 2620:fe::9
fallback_dns: []
all_servers: true
fastest_addr: false
fastest_timeout: 1s
allowed_clients: []
disallowed_clients: []
blocked_hosts:
- version.bind
- id.server
- hostname.bind
trusted_proxies:
- 127.0.0.0/8
- ::1/128
cache_size: 4194304
cache_ttl_min: 2400
cache_ttl_max: 84600
cache_optimistic: true
bogus_nxdomain: []
aaaa_disabled: false
enable_dnssec: true
edns_client_subnet:
custom_ip: ""
enabled: true
use_custom: false
max_goroutines: 0
handle_ddr: true
ipset: []
ipset_file: ""
bootstrap_prefer_ipv6: false
upstream_timeout: 10s
private_networks: []
use_private_ptr_resolvers: true
local_ptr_upstreams: []
use_dns64: false
dns64_prefixes: []
serve_http3: true
use_http3_upstreams: false
tls:
enabled: true
server_name: {{ tls_server_name }}
force_https: false
port_https: 443
port_dns_over_tls: 853
port_dns_over_quic: 853
port_dnscrypt: 0
dnscrypt_config_file: ""
allow_unencrypted_doh: false
certificate_chain: ""
private_key: ""
certificate_path: {{ tls_certificate_path }}
private_key_path: {{ tls_private_key_path }}
strict_sni_check: false
querylog:
ignored: []
interval: 720h
size_memory: 1000
enabled: true
file_enabled: true
statistics:
ignored: []
interval: 720h
enabled: true
filters:
- enabled: true
url: https://raw.githubusercontent.com/DandelionSprout/adfilt/master/GameConsoleAdblockList.txt
name: Game Console Adblock List
id: 1664518418
- enabled: true
url: https://someonewhocares.org/hosts/zero/hosts
name: Dan Pollock's List
id: 1664518423
- enabled: true
url: https://pgl.yoyo.org/adservers/serverlist.php?hostformat=adblockplus&showintro=1&mimetype=plaintext
name: Peter Lowe's List
id: 1664518424
- enabled: true
url: https://malware-filter.gitlab.io/malware-filter/urlhaus-filter-agh-online.txt
name: Online Malicious URL Blocklist
id: 1664518428
- enabled: true
url: https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hosts
name: The Big List of Hacked Malware Web Sites
id: 1664518429
- enabled: true
url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
name: AdAway Default Blocklist
id: 1674828830
- enabled: true
url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
name: AdGuard DNS filter
id: 1674828831
- enabled: true
url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_32.txt
name: The NoTracking blocklist
id: 1674828833
- enabled: true
url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_5.txt
name: OISD Blocklist Basic
id: 1674828834
- enabled: true
url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_27.txt
name: OISD Blocklist Full
id: 1674828835
- enabled: true
url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_23.txt
name: WindowsSpyBlocker - Hosts spy rules
id: 1674828836
- enabled: true
url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_7.txt
name: Perflyst and Dandelion Sprout's Smart-TV Blocklist
id: 1674828837
- enabled: true
url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_30.txt
name: Phishing URL Blocklist (PhishTank and OpenPhish)
id: 1674828838
- enabled: true
url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_12.txt
name: Dandelion Sprout's Anti-Malware List
id: 1674828839
- enabled: true
url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt
name: Malicious URL Blocklist (URLHaus)
id: 1674828840
- enabled: true
url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_8.txt
name: NoCoin Filter List
id: 1674828841
- enabled: true
url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_10.txt
name: Scam Blocklist by DurableNapkin
id: 1674828842
- enabled: true
url: https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_2_Base/filter.txt
name: Base filter
id: 1674828843
- enabled: true
url: https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_3_Spyware/filter.txt
name: Tracking Protection filter
id: 1674828844
- enabled: true
url: https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_17_TrackParam/filter.txt
name: URL Tracking filter
id: 1674828845
- enabled: true
url: https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_4_Social/filter.txt
name: Social media filter
id: 1674828846
- enabled: true
url: https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_14_Annoyances/filter.txt
name: Annoyances filter
id: 1674828847
- enabled: true
url: https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_16_French/filter.txt
name: French filter
id: 1674828848
- enabled: true
url: https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_11_Mobile/filter.txt
name: Mobile ads filter
id: 1674828849
- enabled: true
url: https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_15_DnsFilter/filter.txt
name: DNS filter
id: 1674828850
- enabled: true
url: https://malware-filter.gitlab.io/malware-filter/urlhaus-filter-agh.txt
name: Online Malicious URL Blocklist (AdGuard Home)
id: 1674828851
- enabled: true
url: https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/filters.txt
name: uBlock filters - Default
id: 1674828852
- enabled: true
url: https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/badware.txt
name: uBlock filters Badware risks
id: 1674828853
- enabled: true
url: https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/privacy.txt
name: uBlock filters Privacy
id: 1674828854
- enabled: true
url: https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/resource-abuse.txt
name: uBlock filters Resource abuse
id: 1674828855
- enabled: true
url: https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
name: Lightswitch05 - Ads and Tracking
id: 1674828856
- enabled: true
url: https://www.github.developerdan.com/hosts/lists/dating-services-extended.txt
name: Lightswitch05 - Dating Services
id: 1674828857
- enabled: true
url: https://www.github.developerdan.com/hosts/lists/tracking-aggressive-extended.txt
name: Lightswitch05 - Tracking Aggressive
id: 1674828858
- enabled: true
url: https://v.firebog.net/hosts/Prigent-Crypto.txt
name: Firebog - Prigent Crypto
id: 1674828859
- enabled: true
url: https://v.firebog.net/hosts/Prigent-Malware.txt
name: Firebog - Prigent Malware
id: 1674828860
- enabled: true
url: https://raw.githubusercontent.com/matomo-org/referrer-spam-blacklist/master/spammers.txt
name: Matomo - Referrer Spam Blacklist
id: 1674828861
- enabled: true
url: https://raw.githubusercontent.com/matomo-org/referrer-spam-list/master/spammers.txt
name: Matomo.org - Referrer Spammers
id: 1674828862
- enabled: true
url: https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
name: Ad filter list by Disconnect
id: 1674828863
- enabled: true
url: https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt
name: NoTrack Malware Blocklist
id: 1674828864
- enabled: true
url: https://easylist-downloads.adblockplus.org/antiadblockfilters.txt
name: Adblock Warning Removal List
id: 1674828865
- enabled: true
url: https://secure.fanboy.co.nz/fanboy-cookiemonster.txt
name: Easylist Cookie List
id: 1674828866
- enabled: true
url: https://raw.githubusercontent.com/nextdns/native-tracking-domains/main/domains/alexa
name: NextDNS Privacy - Alexa
id: 1674828867
- enabled: true
url: https://raw.githubusercontent.com/nextdns/native-tracking-domains/main/domains/windows
name: NextDNS Privacy - Windows
id: 1674828868
- enabled: true
url: https://raw.githubusercontent.com/nextdns/native-tracking-domains/main/domains/samsung
name: NextDNS Privacy - Samsung
id: 1674828869
- enabled: true
url: https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
name: Malvertising list by Disconnect
id: 1674828870
- enabled: true
url: https://dl.red.flag.domains/red.flag.domains.txt
name: 'FR: French filters RedFlagDomains'
id: 1674828871
- enabled: true
url: https://dbl.oisd.nl/
name: OISD Domains
id: 1674828872
- enabled: true
url: https://hosts.oisd.nl/
name: OISD Hosts
id: 1674828873
- enabled: true
url: https://raw.githubusercontent.com/NanoAdblockerLab/NanoContrib/master/dist/placeholder-buster.txt
name: Removes empty ads placeholders
id: 1686454535
whitelist_filters: []
user_rules:
{% for item in user_rules %}
- {{ item.rule }}
{% endfor %}
dhcp:
enabled: false
interface_name: ""
local_domain_name: lan
dhcpv4:
gateway_ip: ""
subnet_mask: ""
range_start: ""
range_end: ""
lease_duration: 86400
icmp_timeout_msec: 1000
options: []
dhcpv6:
range_start: ""
lease_duration: 86400
ra_slaac_only: false
ra_allow_slaac: false
filtering:
blocking_ipv4: ""
blocking_ipv6: ""
blocked_services:
schedule:
time_zone: {{ time_zone }}
ids: []
protection_disabled_until: null
safe_search:
enabled: false
bing: true
duckduckgo: true
google: true
pixabay: true
yandex: true
youtube: true
blocking_mode: default
parental_block_host: family-block.dns.adguard.com
safebrowsing_block_host: standard-block.dns.adguard.com
rewrites:
{% for item in rewrites %}
- domain: {{ item.domain }}
answer: {{ item.answer }}
{% endfor %}
safebrowsing_cache_size: 1048576
safesearch_cache_size: 1048576
parental_cache_size: 1048576
cache_time: 30
filters_update_interval: 12
blocked_response_ttl: 10
filtering_enabled: true
parental_enabled: false
safebrowsing_enabled: false
protection_enabled: true
clients:
runtime_sources:
whois: true
arp: true
rdns: true
dhcp: true
hosts: true
persistent: []
log:
file: ""
max_backups: 0
max_size: 100
max_age: 3
compress: false
local_time: false
verbose: false
os:
group: ""
user: ""
rlimit_nofile: 0
schema_version: 27

585
roles/stacks/composes/files/aptcacherng/conf/aptcacherng/conf/acng.conf Normal file
View File

@ -0,0 +1,585 @@
# 2023-09-25
#
# IMPORTANT NOTE:
#
# THIS FILE IS MAYBE JUST ONE OF MANY CONFIGURATION FILES IN THIS DIRECTORY.
# SETTINGS MADE IN OTHER FILES CAN OVERRIDE VALUES THAT YOU CHANGE HERE. GO
# LOOK FOR OTHER CONFIGURATION FILES! CHECK THE MANUAL AND INSTALLATION NOTES
# (like README.Debian) FOR MORE DETAILS!
#
# This is a configuration file for apt-cacher-ng, a smart caching proxy for
# software package downloads. It's supposed to be in a directory specified by
# the -c option of apt-cacher-ng, see apt-cacher-ng(8) for details.
# RULES:
# - letter case in variable names does not matter
# - names and values are separated by colon or equals sign
# - for boolean variables, zero means false, non-zero means true
# - "default value" means built-in (!) defaults, i.e. something which the
# program uses if the option is not set here or in other config files.
# That value might be explicitly mentioned in the description. Where it is
# not, there is no reason to assume any of the examples to be the default
# value! In doubt, use acngtool to query the value of the particular variable.
# Storage directory for downloaded data and related maintenance activity.
#
# Note: When the value for CacheDir is changed, change the file
# /lib/systemd/system/apt-cacher-ng.service too
#
CacheDir: /var/cache/apt-cacher-ng
# Log file directory, can be set empty to disable logging
#
LogDir: /var/log/apt-cacher-ng
# A place to look for additional configuration and resource files if they are not
# found in the configuration directory
#
SupportDir: /usr/lib/apt-cacher-ng
# TCP server port for incoming http (or HTTP proxy) connections.
# Can be set to 9999 to emulate apt-proxy. Value of 0 turns off TCP server
# (SocketPath must be set in this case).
#
# Port:3142
# Addresses or hostnames to listen on. Multiple addresses must be separated by
# spaces. Each entry must be an exact local address which is associated with a
# local interface. DNS resolution is performed using getaddrinfo(3) for all
# available protocols (IPv4, IPv6, ...). Using a protocol specific format will
# create binding(s) only on protocol specific socket(s), e.g. 0.0.0.0 will
# listen only to IPv4. The endpoint can also be specified as host:port (or
# [ipv6-address]:port) which allows binding on non-standard ports (Port
# directive is ignored in this case).
#
# Default: listens on all interfaces and protocols
#
# BindAddress: localhost 192.168.7.254 publicNameOnMainInterface
# The specification of another HTTP proxy which shall be used for downloads.
# It can include user name and password but see the manual for limitations.
#
# Default: uses direct connection
#
# Proxy: http://www-proxy.example.net:3128
# Proxy: https://username:proxypassword@proxy.example.net:3129
# Repository remapping. See manual for details.
# In this example, some backends files might be generated during package
# installation using information collected on the system.
# Examples:
Remap-debrep: file:deb_mirror*.gz /debian ; file:backends_debian # Debian Archives
Remap-uburep: file:ubuntu_mirrors /ubuntu ; file:backends_ubuntu # Ubuntu Archives
Remap-klxrep: file:kali_mirrors /kali ; file:backends_kali # Kali Linux Archives
Remap-cygwin: file:cygwin_mirrors /cygwin # ; file:backends_cygwin # incomplete, please create this file or specify preferred mirrors here
Remap-sfnet: file:sfnet_mirrors # ; file:backends_sfnet # incomplete, please create this file or specify preferred mirrors here
Remap-alxrep: file:archlx_mirrors /archlinux # ; file:backend_archlx # Arch Linux
Remap-fedora: file:fedora_mirrors # Fedora Linux
Remap-epel: file:epel_mirrors # Fedora EPEL
Remap-slrep: file:sl_mirrors # Scientific Linux
Remap-gentoo: file:gentoo_mirrors.gz /gentoo ; file:backends_gentoo # Gentoo Archives
Remap-secdeb: security.debian.org security.debian.org/debian-security deb.debian.org/debian-security /debian-security cdn-fastly.deb.debian.org/debian-security ; deb.debian.org/debian-security security.debian.org cdn-fastly.deb.debian.org/debian-security
# Virtual page accessible in a web browser to see statistics and status
# information, i.e. under http://localhost:3142/acng-report.html
# NOTE: This option must be configured to run maintenance jobs (even when used
# via acngtool in cron scripts). The AdminAuth option can be used to restrict
# access to sensitive areas on that page.
#
# Default: not set, should be set by the system administrator
#
ReportPage: acng-report.html
# Socket file for accessing through local UNIX socket instead of TCP/IP. Can be
# used with inetd (via bridge tool in.acng from apt-cacher-ng package), is also
# used internally for administrative purposes.
#
# Default: /run/apt-cacher-ng/socket
#
# SocketPath: /var/run/apt-cacher-ng/socket
# If set to 1, makes log files be written to disk on every new line. Default
# is 0, buffers are flushed after the client disconnects. Technically,
# it's a convenience alias for the Debug option, see below for details.
#
# UnbufferLogs: 0
# Enables extended client information in log entries. When set to 0, only
# activity type, time and transfer sizes are logged.
#
# VerboseLog: 1
# Don't detach from the starting console.
#
ForeGround: 1
# Store the pid of the daemon process in the specified text file.
# Default: disabled
#
# PidFile: /var/run/apt-cacher-ng/pid
# Forbid outgoing connections and work without an internet connection or
# respond with 503 error where it's not possible.
#
# Offlinemode: 0
# Forbid downloads from locations that are directly specified in the user
# request, i.e. all downloads must be processed by the preconfigured remapping
# backends (see above).
#
# ForceManaged: 0
# Days before considering an unreferenced file expired (to be deleted).
# WARNING: if the value is set too low and particular index files are not
# available for some days (mirror downtime) then there is a risk of removal of
# still useful package files.
#
ExThreshold: 4
# If set to true, the removal (i.e. response status 404) of remote
# volatile/index files is considered a hint to consider the local cached
# versions irrelevant and also expire them just like package files. This adds
# some risk of removing too much cache contents in cases where a middlebox
# reports bogus 404 codes.
#
# If false (0), a less sloppy algorithm is used to invalidate certain keyfiles
# first, which might subsequently expire the cache contents but much later or
# maybe never unless the administrator intervenes.
#
FollowIndexFileRemoval: 1
# If the expiration is run daily, it sometimes does not make much sense to do
# it because the expected changes (i.e. removal of expired files) don't justify
# the extra processing time or additional downloads for expiration operation
# itself. This discrepancy might be especially worse if the local client
# installations are small or are rarely updated but the daily changes of
# the remote archive metadata are heavy.
#
# The following option enables a possible trade-off: the expiration run is
# suppressed until a certain amount of data has been downloaded through
# apt-cacher-ng since the last expiration execution (which might indicate that
# packages were replaced with newer versions).
#
# The number can have a suffix (k,K,m,M for Kb,KiB,Mb,MiB)
#
# ExStartTradeOff: 500m
# Stop expiration when a critical problem appears, issue like a failed update
# of an index file in the preparation step.
#
# WARNING: don't set this option to zero or empty without considering possible
# consequences like a sudden and complete cache data loss.
#
# ExAbortOnProblems: 1
# Number of failed nightly expiration runs which are considered acceptable and
# do not trigger an error notification to the admin (e.g. via daily cron job)
# before the (day) count is reached. Might be useful with whacky internet
# connections.
#
# Default: a guessed value, 1 if ExThreshold is 5 or more, 0 otherwise.
#
# ExSuppressAdminNotification: 1
# Modify file names to work around limitations of some file systems.
# WARNING: experimental feature, subject to change
#
# StupidFs: 0
# Experimental feature for apt-listbugs: pass-through SOAP requests and
# responses to/from bugs.debian.org.
# Default: guessed value, true unless ForceManaged is enabled
#
# ForwardBtsSoap: 1
# There is a small in-memory cache for DNS resolution data, expired by
# this timeout (in seconds). Internal caching is disabled if set to a value
# less than zero.
#
# DnsCacheSeconds: 1800
###############################################################################
#
# WARNING: don't modify thread and file matching parameters without a clear
# idea of what is happening behind the scene!
#
# Max. count of connection threads kept ready (for faster response in the
# future). Should be a sane value between 0 and average number of connections,
# and depend on the amount of spare RAM.
# MaxStandbyConThreads: 8
#
# Hard limit of active thread count for incoming connections, i.e. operation
# is refused when this value is reached (below zero = unlimited).
# MaxConThreads: -1
#
# Timeout for a forced disconnect in cases where a client connection is about
# to be closed but remote refuses to confirm the disconnect request. Setting
# this to a lower value mitigates the effects of resource starvation in case of
# a DOS attack but increases the risk of failing to flush the remaining portion
# of data.
# DisconnectTimeout: 15
# By default, if a remote suddenly reconnects, ACNG tries at least two times to
# redownload from the same or different location (if known).
# DlMaxRetries: 2
# Pigeonholing files (like static vs. volatile contents) is done by (extended)
# regular expressions.
#
# The following patterns are available for the purposes detailed, where
# the latter takes precedence over the former:
# - «PFilePattern» for static data that doesn't change silently on the server.
# - «VFilePattern» for volatile data that may change like every hour. Files
# that match both PFilePattern and VfilePattern will be treated as volatile.
# - Static data with file names that match VFilePattern may be overriden being
# treated as volatile by making it match the special static data pattern,
# «SPfilePattern».
# - «SVfilePattern» or the "special volatile data" pattern is for the
# convenience of specifying any exceptions to matches with SPfilePattern,
# for cases where data must still be treated as volatile.
# - «WfilePattern» specifies a "whitelist pattern" for the regular expiration
# job, telling it to keep the files even if they are not referenced by
# others, like crypto signatures with which clients begin their downloads.
#
# There are two versions. The pattern variables mentioned above should not be
# set without good reason, because they would override the built-in defaults
# (that might impact updates to future versions of apt-cacher-ng). There are
# also versions of those patterns ending with Ex, which may be modified by the
# local administrator. They are evaluated in addition to the regular patterns
# at runtime.
#
# To see examples of the expected syntax, run: apt-cacher-ng -p debug=1
#
# PfilePatternEx:
# VfilePatternEx:
# SPfilePatternEx:
# SVfilePatternEx:
# WfilePatternEx:
#
###############################################################################
# A bitmask type value declaring the loging verbosity and behavior of the error
# log writing. Non-zero value triggers at least faster log file flushing.
#
# Some higher bits only working with a special debug build of apt-cacher-ng,
# see the manual for details.
#
# WARNING: this can write significant amount of data into apt-cacher.err logfile.
#
# Default: 0
#
# Debug:3
# Usually, general purpose proxies like Squid expose the IP address of the
# client user to the remote server using the X-Forwarded-For HTTP header. This
# behaviour can be optionally turned on with the Expose-Origin option.
#
# ExposeOrigin: 0
# When logging the originating IP address, trust the information supplied by
# the client in the X-Forwarded-For header.
#
# LogSubmittedOrigin: 0
# The version string reported to the peer, to be displayed as HTTP client (and
# version) in the logs of the mirror.
#
# WARNING: Expect side effects! Some archives use this header to guess
# capabilities of the client (i.e. allow redirection and/or https links) and
# change their behaviour accordingly but ACNG might not support the expected
# features.
#
# Default:
#
# UserAgent: Yet Another HTTP Client/1.2.3p4
# In some cases the Import and Expiration tasks might create fresh volatile
# data for internal use by reconstructing them using patch files. This
# by-product might be recompressed with bzip2 and with some luck the resulting
# file becomes identical to the *.bz2 file on the server which can be used by
# APT when requesting a complete version of this file.
# The downside of this feature is higher CPU load on the server during
# the maintenance tasks, and the outcome might have not much value in a LAN
# where all clients update their data often and regularly and therefore usually
# don't need the full version of the index file.
#
# RecompBz2: 0
# Network timeout for outgoing connections, in seconds.
#
# NetworkTimeout: 40
# Fast fallback timeout, in seconds. This is the time to wait before
# alternative target addresses for a client connection are tried, which can be
# usefull for quick fallback to IPv4 in case of whacky IPv6 configuration.
#
# FastTimeout = 4
# Sometimes it makes sense to not store the data in cache and just return the
# package data to client while it comes in. The following DontCache* parameters
# can enable this behaviour for certain URL types. The tokens are extended
# regular expressions which the URLs are evaluated against.
#
# DontCacheRequested is applied to the URL as it comes in from the client.
# Example: exclude packages built with kernel-package for x86
# DontCacheRequested: linux-.*_10\...\.Custo._i386
# Example usecase: exclude popular private IP ranges from caching
# DontCacheRequested: 192.168.0 ^10\..* 172.30
#
# DontCacheResolved is applied to URLs after mapping to the target server. If
# multiple backend servers are specified then it's only matched against the
# download link for the FIRST possible source (due to implementation limits).
#
# Example usecase: all Ubuntu stuff comes from a local mirror (specified as
# backend), don't cache it again:
# DontCacheResolved: ubuntumirror.local.net
#
# DontCache directive sets (overrides) both, DontCacheResolved and
# DontCacheRequested. Provided for convenience, see those directives for
# details.
#
# Example:
# DontCache: .*.local.university.int
# Default permission set of freshly created files and directories, as octal
# numbers (see chmod(1) for details).
# Can by limited by the umask value (see umask(2) for details) if it's set in
# the environment of the starting shell, e.g. in apt-cacher-ng init script or
# in its configuration file.
#
# DirPerms: 00755
# FilePerms: 00664
# It's possible to use use apt-cacher-ng as a regular web server with a limited
# feature set, i.e. directory browsing, downloads of any files, Content-Type
# based on /etc/mime.types, but without sorting, CGI execution, index page
# redirection and other funny things.
# To get this behavior, mappings between virtual directories and real
# directories on the server must be defined with the LocalDirs directive.
# Virtual and real directories are separated by spaces, multiple pairs are
# separated by semi-colons. Real directories must be absolute paths.
# NOTE: Since the names of that key directories share the same namespace as
# repository names (see Remap-...) it is administrator's job to avoid conflicts
# between them or explicitly create them.
#
# LocalDirs: woo /data/debarchive/woody ; hamm /data/debarchive/hamm
LocalDirs: acng-doc /usr/share/doc/apt-cacher-ng
# Precache a set of files referenced by specified index files. This can be used
# to create a partial mirror usable for offline work. There are certain limits
# and restrictions on the path specification, see manual and the cache control
# web site for details. A list of (maybe) relevant index files could be
# retrieved via "apt-get --print-uris update" on a client machine.
#
# Example:
# PrecacheFor: debrep/dists/unstable/*/source/Sources* debrep/dists/unstable/*/binary-amd64/Packages*
PrecacheFor: {secdeb,debrep}//{Packages,InRelease,Packages.xz,Translation,Commands}*
# Arbitrary set of data to append to request headers sent over the wire. Should
# be a well formated HTTP headers part including newlines (DOS style) which
# can be entered as escape sequences (\r\n).
#
# RequestAppendix: X-Tracking-Choice: do-not-track\r\n
# Specifies the IP protocol families to use for remote connections. Order does
# matter, first specified are considered first. Possible combinations:
# v6 v4
# v4 v6
# v6
# v4
# Default: use native order of the system's TCP/IP stack, influenced by the
# BindAddress value.
#
# ConnectProto: v6 v4
# Regular expiration algorithm finds package files which are no longer listed
# in any index file and removes them of them after a safety period.
# This option allows to keep more versions of a package in the cache after
# the safety period is over.
#
# KeepExtraVersions: 0
# Optionally uses TCP access control provided by libwrap, see hosts_access(5)
# for details. Daemon name is apt-cacher-ng.
#
# Default: guessed on startup by looking for explicit mention of apt-cacher-ng
# in /etc/hosts.allow or /etc/hosts.deny files.
#
# UseWrap: 0
# If many machines from the same local network attempt to update index files
# (apt-get update) at nearly the same time, the known state of these index file
# is temporarily frozen and multiple requests receive the cached response
# without contacting the remote server again. This parameter (in seconds)
# specifies the length of this period before these (volatile) files are
# considered outdated.
# Setting this value too low transfers more data and increases remote server
# load, setting this too high (more than a couple of minutes) increases the
# risk of delivering inconsistent responses to the clients.
#
# FreshIndexMaxAge: 27
# Usually the users are not allowed to specify custom TCP ports of remote
# mirrors in the requests, only the default HTTP port can be used (as
# workaround, proxy administrator can create Remap- rules with custom ports).
# This restriction can be disabled by specifying a list of allowed ports or 0
# for any port.
#
# AllowUserPorts: 80
# Normally the HTTP redirection responses are forwarded to the original caller
# (i.e. APT) which starts a new download attempt from the new URL. This
# solution is ok for client configurations with proxy mode but doesn't work
# well with configurations using URL prefixes in sources.list. To work around
# this the server can restart its own download with a redirection URL,
# configured with the following option. The downside is that this might be used
# to circumvent download source policies by malicious users.
# The RedirMax option specifies how many such redirects the server is allowed
# to follow per request, 0 disables the internal redirection.
# Default: guessed on startup, 0 if ForceManaged is used and 5 otherwise.
#
# RedirMax: 5
# There some broken HTTP servers and proxy servers in the wild which don't
# support the If-Range header correctly and return incorrect data when the
# contents of a (volatile) file changed. This also applies to incomplete
# resumed downloads. Setting VfileUseRangeOps to 0 disables Range-based
# requests (using purely If-Modified-Since and requesting the complete file
# instead, if changed). Setting it to a negative value removes even this check
# and means fetching the whole file from the beginning.
#
# VfileUseRangeOps: 1
# Allow data pass-through mode for certain hosts when requested by the client
# using a CONNECT request. This is particularly useful to allow access to SSL
# sites (https proxying). The string is a regular expression which should cover
# the server name with port and must be correctly formated and terminated.
# Examples:
# PassThroughPattern: private-ppa\.launchpad\.net:443$
PassThroughPattern: .* #
#
# Default: ^(bugs\.debian\.org|changelogs\.ubuntu\.com):443$
# PassThroughPattern: ^(bugs\.debian\.org|changelogs\.ubuntu\.com):443$
# Interval an overaged local cache item (i.e. active file descriptor) can be
# considered broken so that a new forced download can be started. Such
# situation can happen when a very slow clients keeps a hot cache item active
# for extended amounts of time so that even the remote freshness checks
# intervals might become overrun.
#
# Default time is based on the value of FreshIndexMaxAge with a safety factor.
#
# ResponseFreezeDetectTime: 60
# Keep outgoing connections alive and reuse them for later downloads from
# the same server as long as possible.
#
# ReuseConnections: 1
# Maximum number of requests sent in a batch to remote servers before the first
# response is expected. Using higher values can greatly improve average
# throughput depending on network latency and the implementation of remote
# servers. Makes most sense when also enabled on the client side, see apt.conf
# documentation for details.
#
# Default: 10 if ReuseConnections is set, 1 otherwise
#
# PipelineDepth: 10
# Path to the system directory containing trusted CA certificates used for
# outgoing connections, see OpenSSL documentation for details.
#
# CApath: /etc/ssl/certs
#
# Path to a single trusted trusted CA certificate used for outgoing
# connections, see OpenSSL documentation for details.
#
# CAfile:
# There are different ways to detect that an upstream proxy is broken and turn
# off its use and connect directly. The first is through a custom command -
# when it returns successfully, the proxy is used, otherwise not and the
# command will be rerun only after a specified period.
# Another way is to try to connect to the proxy first and detect a connection
# timeout. The connection will then be made without HTTP proxy for the life
# time of the particular download stream and it may also affect other other
# parallel downloads.
# NOTE: this operation modes are still experimental and are subject to change!
# Unwanted side effects may occur with multiple simultaneous user connections
# or with specific per-repository proxy settings.
#
# Shell command, default: not set. Executed with the default shell and
# permissions of the apt-cacher-ng's process user. Examples:
# /bin/ip route | grep -q 192.168.117
# /usr/sbin/arp | grep -q 00:22:1f:51:8e:c1
#
# OptProxyCheckCommand: ...
#
# Check intervall, in seconds.
#
# OptProxyCheckInterval: 99
#
# Conection timeout in seconds, default: negative, means disabled.
#
# OptProxyTimeout: -1
# It's possible to limit the processing speed of download agents to set an
# overall download speed limit. Unit: KiB/s, Default: unlimited.
#
# MaxDlSpeed: 500
# In special corner cases, download clients attempt to download random chunks
# of a files headers, i.e. the first kilobytes. The "don't get client stuck"
# policy converts this usually to a 200 response starting the body from the
# beginning but that confuses some clients. When this option is set to a
# certain value, this modifies the behaviour and allows to start a file
# download where the distance between available data and the specified range
# lies within that bounds. This can look like random lag for the user but
# should be harmless apart from that.
#
# MaxInresponsiveDlSize: 64000
# In mobile environments having an adhoc connection with a redirection to some
# id verification side, this redirect might damage the cache since the data is
# involuntarily stored as package data. There is a mechanism which attempts to
# detect a such situation and mitigate the mentioned effects by not storing the
# data and also dropping the DNS cache. The trigger is the occurrence of a
# specific SUBSTRING in the content type field of the final download target
# (i.e. the auth web site) and at least one followed redirection.
#
# BadRedirDetectMime: text/html
# When a BUS signal is received (typically on IO errors), a shell command can be
# executed before the daemon is terminated.
# Example:
# BusAction: ls -l /proc/$PPID/ | mail -s SIGBUS! root
# Only set this value for debugging purposes. It disables SSL security checks
# like strict host verification. 0 means no, any other value can have
# differrent meaning in the future.
#
# NoSSLChecks: 0
# Setting this value means: on file downloads from/via cache, tag relevant
# files. And when acngtool runs the shrink command, it will look at the day
# when the file was retrieved from cache last time (and not when it was
# originally downloaded).
#
# TrackFileUse: 0
# Controls preallocation of file system space where this feature is supported.
# This might reduce disk fragmentation and therefore improve later read
# performance. However, write performance can be reduced which could be
# exploited by malicious users.
# The value defines a size limit of how much to report to the OS as expected
# file size (starting from the beginning of the file).
# Set to zero to disable this feature completely. Default: one megabyte
#
# ReserveSpace: 1048576
# PermitCacheControl will allow users to specify a few hints for processing
# of a request, for example bypassing the local cache (see
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control for
# no-cache, no-store).
#
# PermitCacheControl: no-cache, no-store

0
roles/stacks/composes/files/dl/datas/dl-nginx/datas/html/assets/css/index.html Normal file
View File

10
roles/stacks/composes/files/dl/datas/dl-nginx/datas/html/assets/css/main.css Normal file
View File

@ -0,0 +1,10 @@
body{
height: 100vh;
background: #5a6373;
}
.special {
background: #7a2a21;
color: #fff;
text-align: center;
}

BIN
roles/stacks/composes/files/dl/datas/dl-nginx/datas/html/assets/img/404.webp Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 24 KiB

0
roles/stacks/composes/files/dl/datas/dl-nginx/datas/html/assets/img/index.html Normal file
View File

0
roles/stacks/composes/files/dl/datas/dl-nginx/datas/html/assets/index.html Normal file
View File

25
roles/stacks/composes/files/dl/datas/dl-nginx/datas/html/error.html Normal file
View File

@ -0,0 +1,25 @@
<!DOCTYPE html>
<html lang="fr">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Zogg Downloads</title>
<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.2.3/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-rbsA2VBKQhggwzxH7pPCaAqO46MgnOM80zW1RWuH61DGLwZJEdK2Kadq2F9CUG65" crossorigin="anonymous" />
<link rel="stylesheet" href="assets/css/main.css" />
</head>
<body>
<div class="d-flex align-items-center justify-content-center vh-100">
<div class="shadow p-4 special">
<div class="text-center">
<h1>Oops, une erreur !</h1>
<h1><a href="/">Allez</a> de l'avant !</h1>
<br/>
<img src="assets/img/404.webp" alt="Not found" />
</div>
</div>
</div>
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.2.3/dist/js/bootstrap.bundle.min.js"
integrity="sha384-kenU1KFdBIe4zVF0s0G1M5b4hcpxyD9F7jL+jjXkk+Q2h455rYXK/7HAuoJl+0I4"
crossorigin="anonymous"></script>
</body>
</html>

BIN
roles/stacks/composes/files/dl/datas/dl-nginx/datas/html/favicon.ico Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.8 KiB

0
roles/stacks/composes/files/dl/datas/dl-nginx/datas/html/files/index.html Normal file
View File

22
roles/stacks/composes/files/dl/datas/dl-nginx/datas/html/index.html Normal file
View File

@ -0,0 +1,22 @@
<!DOCTYPE html>
<html lang="fr">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Zogg Downloads</title>
<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.2.3/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-rbsA2VBKQhggwzxH7pPCaAqO46MgnOM80zW1RWuH61DGLwZJEdK2Kadq2F9CUG65" crossorigin="anonymous" />
<link rel="stylesheet" href="assets/css/main.css" />
</head>
<body>
<div class="d-flex align-items-center justify-content-center vh-100">
<div class="shadow p-4 special">
<h1>Bienvenue !</h1>
<br />
<h2>Sur la zone de téléchargement de Zogg!</h2>
</div>
</div>
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.2.3/dist/js/bootstrap.bundle.min.js"
integrity="sha384-kenU1KFdBIe4zVF0s0G1M5b4hcpxyD9F7jL+jjXkk+Q2h455rYXK/7HAuoJl+0I4"
crossorigin="anonymous"></script>
</body>
</html>

69
roles/stacks/composes/files/dl/templates/dl-nginx/templates/dl-nginx/default_conf.j2 Normal file
View File

@ -0,0 +1,69 @@
# {{ ansible_managed }}
# master: {{ stacks_mastering }}
# edited: 2023-09-25
# updated: {{ ansible_date_time.date }}
server {
server_name {{ vm_subdomain_dl }}.{{ vm_internet_domain}};
listen 80;
listen [::]:80;
root /usr/share/nginx/html;
index index.php index.html index.htm;
try_files $uri $uri/ /index.php?$query_string;
#error_log /dev/stdout warn;
#access_log /dev/stdout;
error_page 404 500 501 /error.html;
location / {
expires 1d;
add_header Cache-Control "public";
}
location = /favicon.ico {
access_log off;
log_not_found off;
}
location = /robots.txt {
access_log off;
log_not_found off;
}
location ~ /\.ht {
access_log off;
log_not_found off;
deny all;
}
location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ {
return 403;
}
location ~* /(system|vendor)/.*\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ {
return 403;
}
location ~* /user/.*\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ {
return 403;
}
location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) {
return 403;
}
location ~ .php$ {
root /usr/share/nginx/html;
fastcgi_pass dl-phpfpm:9000;
fastcgi_index index.php;
try_files $uri =404;
fastcgi_split_path_info ^(.+.php)(/.+)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 16k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_intercept_errors on;
include fastcgi_params;
}
}

29
roles/stacks/composes/files/hastebin/templates/hastebin/templates/hastebin/config_js.j2 Normal file
View File

@ -0,0 +1,29 @@
{
"host": "0.0.0.0",
"port": 7777,
"keyLength": 10,
"maxLength": 400000,
"staticMaxAge": 86400,
"recompressStaticAssets": true,
"logging": [
{
"level": "verbose",
"type": "Console",
"colorize": false
}
],
"keyGenerator": {
"type": "phonetic"
},
"storage": {
"type": "redis",
"path": "./data",
"host": "{{ vm_master_name }}.{{ vm_local_domain }}",
"port": {{ vm_port_redis }},
"db": 2,
"expire": 2592000
},
"documents": {
"about": "./about.md"
}
}

4
roles/stacks/composes/files/homepage/conf/homepage/conf/kubernetes.yaml Normal file
View File

@ -0,0 +1,4 @@
# 2023-09-25
---
# sample kubernetes config

11
roles/stacks/composes/files/homepage/conf/homepage/conf/settings.yaml Normal file
View File

@ -0,0 +1,11 @@
# 2023-09-25
---
# For configuration options and examples, please see:
# https://github.com/benphelps/homepage/wiki/Settings
headerStyle: boxed
language: fr
title: Homelab
favicon: /images/favicon.png
hideVersion: true

9
roles/stacks/composes/files/homepage/conf/homepage/conf/widgets.yaml Normal file
View File

@ -0,0 +1,9 @@
# 2023-09-25
# For configuration options and examples, please see:
# https://github.com/benphelps/homepage/wiki/Information-Widgets
- resources:
cpu: true
memory: true
disk: false

1
roles/stacks/composes/files/homepage/datas/homepage/datas/dashboard-icons-main/link.txt Normal file
View File

@ -0,0 +1 @@
https://github.com/walkxcode/dashboard-icons

BIN
roles/stacks/composes/files/homepage/datas/homepage/datas/icons/3cx.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 24 KiB

BIN
roles/stacks/composes/files/homepage/datas/homepage/datas/icons/act.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 13 KiB

BIN
roles/stacks/composes/files/homepage/datas/homepage/datas/icons/actual.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

BIN
roles/stacks/composes/files/homepage/datas/homepage/datas/icons/adblock.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 49 KiB

BIN
roles/stacks/composes/files/homepage/datas/homepage/datas/icons/adguard-home.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 13 KiB

BIN
roles/stacks/composes/files/homepage/datas/homepage/datas/icons/adminer.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 10 KiB

BIN
roles/stacks/composes/files/homepage/datas/homepage/datas/icons/adsbexchange.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
roles/stacks/composes/files/homepage/datas/homepage/datas/icons/airsonic.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.0 KiB

BIN
roles/stacks/composes/files/homepage/datas/homepage/datas/icons/airtel.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.3 KiB

BIN
roles/stacks/composes/files/homepage/datas/homepage/datas/icons/alarmpi.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.5 KiB

BIN
roles/stacks/composes/files/homepage/datas/homepage/datas/icons/albertheijn.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
roles/stacks/composes/files/homepage/datas/homepage/datas/icons/alertmanager.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 8.8 KiB

BIN
roles/stacks/composes/files/homepage/datas/homepage/datas/icons/algovpn.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.4 KiB

BIN
roles/stacks/composes/files/homepage/datas/homepage/datas/icons/alltube.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 10 KiB

BIN
roles/stacks/composes/files/homepage/datas/homepage/datas/icons/alma.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 23 KiB

BIN
roles/stacks/composes/files/homepage/datas/homepage/datas/icons/almalinux.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 130 KiB

BIN
roles/stacks/composes/files/homepage/datas/homepage/datas/icons/alpine-linux.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB

BIN
roles/stacks/composes/files/homepage/datas/homepage/datas/icons/alpine.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

Some files were not shown because too many files have changed in this diff Show More