Initial file upload

ansible.cfg

@@ -0,0 +1,8 @@
+[defaults]
+inventory = hosts
+
+[ssh_connections]
+pipelining = true
+
+[privilege_escalation]
+become_method = "{{ escalation_method }}"

group_vars/all/vars.yml

@@ -0,0 +1,96 @@
+# Package lists
+
+# Utilities
+util_pack:
+
+# Email address for Let's Encrypt and DNS
+email: dogeystamp@disroot.org
+
+# Could be sudo instead
+escalation_method: doas
+
+sshd_port: 2500
+
+domain: d.nerdpol.ovh
+
+# Username for unpriviledged user
+username: dogeystamp
+
+# Create an SFTP read-only user (leave blank to disable)
+sftp_ro_username: dogeystamp-mobile
+
+# Git repos (could be localhost if Gitea is installed)
+dots_repo: http://localhost:3000/dogeystamp/dots.git
+site_repo: http://localhost:3000/dogeystamp/website.git
+
+# Drive with all the data stored on it (should be separate from OS drive)
+# This is the raw partition, and not the mapped crypt device
+secondary_disk: /dev/sdb
+
+# Web root for nginx and other applications
+webroot: /srv/http
+
+# Data root
+dataroot: /var/www/data
+
+
+
+# Network settings (nameserver, address, etc.)
+
+# Forward DNS queries to
+dns_forward: 1.1.1.1
+
+# Local IP address subnet
+local_subnet: 192.168.0.0/24
+  
+# Static address of the server (locally)
+# Preferably have another one to SSH into with Ansible, as we change the IP midway
+# in connection.yml
+local_ip: 192.168.0.3
+
+# Connection interface for static IP
+interface: eth0
+
+
+
+# ACME variables
+
+acme_email: "{{ email }}"
+
+# Mediawiki farm variables
+
+# Internal names for the wikis, used for filenames and URLs
+wiki_names:
+  - wiki
+  - rw
+
+
+
+# Placeholders for secret vault
+
+
+ddclient_pass: secret
+
+
+
+# Gitea secrets
+lfs_jwt_secret: "secret"
+jwt_secret: "secret"
+
+
+
+# Mediawiki secrets
+
+wgUpgradeKey: "secret"
+
+# This should have the same amount of elements as wiki_names.
+wgSecretKey:
+  - "wiki_secret"
+  - "rw_secret"
+
+
+
+# Matrix Synapse secrets
+registration_shared_secret: "secret"
+macaroon_secret_key: "secret"
+form_secret: "secret"

run.yml

@@ -0,0 +1,23 @@
+---
+- hosts: all
+  become: yes
+
+  tasks:
+    - include_tasks: "tasks/{{ task }}.yml"
+      with_items:
+        - essential
+        - sys_config
+        - connection
+        - firewall
+        - sftp
+        - mail
+        - ssl
+        - webserver
+        - gitea
+        - wiki
+        - matrix
+        - site
+        - cronjobs
+        - user_config
+      loop_control:
+        loop_var: task

tasks/connection.yml

@@ -0,0 +1,28 @@
+- name: Install NetworkManager
+  community.general.pacman:
+    name:
+      - networkmanager
+
+- name: Enable NetworkManager
+  service:
+    name: NetworkManager
+    enabled: yes
+    state: started
+
+- name: Disable existing eth0 connection
+  community.general.nmcli:
+    conn_name: eth0
+    state: absent
+  register: networkmanager_config
+
+- name: Set static IP address
+  community.general.nmcli:
+    dns4: "{{ dns_forward }}"
+    dns4_ignore_auto: yes
+    ip4: "{{ local_ip }}"
+    method4: manual
+    state: present
+    conn_name: wired
+    ifname: "{{ interface }}"
+    type: ethernet
+  when: networkmanager_config.changed

tasks/cronjobs.yml

@@ -0,0 +1,12 @@
+- name: Cronjob to remove externally managed eth0 connection
+  cron:
+    name: "Ensure eth0 is not externally managed"
+    minute: "*/10"
+    job: "/usr/bin/nmcli connection down eth0 > /dev/null 2>&1; /usr/bin/nmcli connection down wired > /dev/null 2>&1; /usr/bin/nmcli connection up wired > /dev/null"
+    state: present
+
+- name: Enable cron daemon
+  service:
+    name: cronie
+    state: started
+    enabled: yes

tasks/essential.yml

@@ -0,0 +1,86 @@
+- name: Change hostname
+  hostname:
+    name: "{{ inventory_hostname }}"
+
+- name: Update packages
+  community.general.pacman:
+    update_cache: yes
+    upgrade: yes
+
+- name: Install utility packages
+  community.general.pacman:
+    name:
+      - neovim
+      - neofetch
+      - fish
+      - htop
+      - tmux
+      - git
+      - cronie
+      - progress
+      - rsync
+      - man-db
+
+    state: present
+
+- name: Disable SSH password auth
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: "^#PasswordAuthentication yes"
+    line: "PasswordAuthentication no"
+  register: sshd_config
+
+- name: Change SSH port
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: "^#Port 22"
+    line: "Port {{ sshd_port }}"
+  register: sshd_config
+
+- name: Restart SSHD
+  service:
+    name: sshd
+    state: restarted
+  when: sshd_config.changed
+
+- name: Disable root login
+  user:
+    name: root
+    password: "*"
+
+- name: Create unpriviledged user
+  user:
+    name: "{{ username }}"
+
+- name: Deploy SSH key to unpriviledged user
+  ansible.posix.authorized_key:
+    user: "{{ username }}"
+    state: present
+    key: "{{ lookup('file', '~/.ssh/keys/{{ ansible_hostname }}.pub')}}"
+
+- name: Deploy keyfile
+  copy:
+    src: k5e
+    dest: /k5e
+    mode: 0600
+
+- name: Setup crypttab
+  community.general.crypttab:
+    backing_device: "{{ secondary_disk }}"
+    name: disk
+    state: present
+    password: /k5e
+
+- name: Decrypt secondary disk
+  luks_device:
+    device: "{{ secondary_disk }}"
+    keyfile: /k5e
+    name: disk
+    state: opened
+
+- name: Setup fstab
+  mount:
+    path: /mnt/disk
+    src: /dev/mapper/disk
+    state: mounted
+    fstype: ext4

tasks/firewall.yml

@@ -0,0 +1,35 @@
+- name: Install firewall packages
+  community.general.pacman:
+    name:
+      - ufw
+
+- name: Deny all ports
+  community.general.ufw:
+    policy: deny
+
+- name: Allow service ports
+  community.general.ufw:
+    rule: allow
+    port: "{{ item }}"
+    proto: tcp
+    state: enabled
+
+  with_items:
+    - "{{ sshd_port }}"
+    - http
+    - https
+
+- name: Allow DNS port to LAN
+  community.general.ufw:
+    rule: allow
+    port: 53
+    proto: any
+    state: enabled
+    src: "{{ local_subnet }}"
+
+
+- name: Enable firewall service
+  service:
+    name: ufw
+    state: started
+    enabled: yes

tasks/gitea.yml

@@ -0,0 +1,37 @@
+- name: Install gitea packages
+  community.general.pacman:
+    name: gitea
+    state: present
+
+- name: Ensure gitea is stopped
+  service:
+    name: gitea
+    state: stopped
+
+- name: Configure gitea
+  template:
+    src: templates/gitea_app.ini.j2
+    dest: /etc/gitea/app.ini
+  register: gitea_conf
+
+- name: Change systemd unit file to allow access to dataroot
+  lineinfile:
+    path: /usr/lib/systemd/system/gitea.service
+    insertafter: "^WorkingDirectory.*"
+    regexp: "^ReadWritePaths.*"
+    line: "ReadWritePaths={{ dataroot }}/gitea/"
+    state: present
+  register: gitea_conf
+
+- name: Change homedir of gitea
+  user:
+    name: gitea
+    home: "{{ dataroot }}/gitea/"
+  register: gitea_conf
+
+- name: Enable gitea
+  service:
+    name: gitea
+    state: restarted
+    enabled: yes
+  when: gitea_conf.changed

tasks/mail.yml

@@ -0,0 +1,19 @@
+- name: Install mail packages
+  community.general.pacman:
+    name:
+      - neomutt
+      - exim
+
+    state: present
+
+- name: Redirect root mail to ansible agent
+  lineinfile:
+    dest: /etc/mail/aliases
+    regexp: "^#root:"
+    line: "root: {{ ansible_user }}"
+
+- name: Enable exim
+  service:
+    name: exim
+    state: started
+    enabled: yes

tasks/matrix.yml

@@ -0,0 +1,33 @@
+- name: Install matrix packages
+  community.general.pacman:
+    name: matrix-synapse
+    state: present
+
+- name: Copy signing key
+  copy:
+    src: synapse/signing.key
+    dest: /etc/synapse/signing.key
+
+- name: Deploy matrix homeserver configuration
+  template:
+    src: synapse/homeserver.yaml.j2
+    dest: /etc/synapse/homeserver.yaml
+
+- name: Deploy matrix logging configuration
+  template:
+    src: synapse/log.config.j2
+    dest: /etc/synapse/log.config
+
+- name: Change systemd unit file to allow access to dataroot
+  lineinfile:
+    path: /usr/lib/systemd/system/synapse.service
+    insertafter: "^WorkingDirectory.*"
+    regexp: "^ReadWritePaths.*"
+    line: "ReadWritePaths={{ dataroot }}/synapse/"
+    state: present
+
+- name: Enable matrix service
+  service:
+    name: synapse
+    enabled: yes
+    state: started

tasks/sftp.yml

@@ -0,0 +1,15 @@
+- name: Create sftp read group
+  group:
+    name: sftpr
+
+- name: Create sftp read-only user
+  user:
+    name: "{{ sftp_ro_username }}"
+    groups:
+      - sftpr
+
+- name: Deploy SSH key to sftp user
+  ansible.posix.authorized_key:
+    user: "{{ sftp_ro_username }}"
+    state: present
+    key: "{{ lookup('file', '~/.ssh/keys/{{ ansible_hostname }}_sftp.pub')}}"

tasks/site.yml

@@ -0,0 +1,4 @@
+- name: Fetch site source
+  git:
+    dest: /srv/http/site
+    repo: "{{ site_repo }}"

tasks/ssl.yml

@@ -0,0 +1,134 @@
+- name: Install webserver and miscellaneous networking packages
+  community.general.pacman:
+    name:
+      - bind
+      - ddclient
+      - firewalld
+      - nginx
+      - certbot
+      - certbot-nginx
+
+- name: Create directories for ACME
+  file:
+    path: "/etc/letsencrypt/{{ item }}"
+    state: directory
+    owner: root
+    group: root
+    mode: 0711
+  with_items:
+    - account
+    - certs
+    - csrs
+    - keys
+
+- name: Generate ACME account key
+  community.crypto.openssl_privatekey:
+    path: "/etc/letsencrypt/account/account.key"
+
+- name: Generate ACME private key
+  community.crypto.openssl_privatekey:
+    path: "/etc/letsencrypt/keys/{{ domain }}.key"
+
+- name: Check if certificate exists
+  stat:
+    path: "/etc/letsencrypt/certs/{{ domain }}.crt"
+  register: cert_file
+
+- name: Check if certificate is expired
+  community.crypto.x509_certificate_info:
+    path: "/etc/letsencrypt/certs/{{ domain }}.crt"
+    valid_at:
+      now: "+0"
+  register: result
+  when: cert_file.stat.exists
+
+- name: Determine whether certificate should be regenerated
+  set_fact:
+    cert_regen: yes
+  when: not cert_file.stat.exists or result.expired | bool
+
+- name: Configure nginx for ACME
+  template:
+    src: nginx_bare.conf.j2
+    dest: /etc/nginx/nginx.conf
+  when: cert_regen is defined
+
+- name: Enable nginx service
+  service:
+    name: nginx
+    state: restarted
+    enabled: yes
+  when: cert_regen is defined
+
+- name: Create ACME account
+  community.crypto.acme_account:
+    account_key_src: /etc/letsencrypt/account/account.key
+    state: present
+    allow_creation: yes
+    contact:
+      - "mailto:{{ acme_email }}"
+    acme_directory: "https://acme-v02.api.letsencrypt.org/directory"
+    terms_agreed: 1
+    acme_version: 2
+  register: account
+  when: cert_regen is defined
+
+- name: Generate ACME CSR
+  community.crypto.openssl_csr:
+    path: "/etc/letsencrypt/csrs/{{ domain }}.csr"
+    common_name: "{{ domain }}"
+    subject_alt_name: "DNS:{{ domain }}"
+    privatekey_path: "/etc/letsencrypt/keys/{{ domain }}.key"
+  when: cert_regen is defined
+
+- name: Retrieve ACME challenge
+  community.crypto.acme_certificate:
+    acme_directory: "https://acme-v02.api.letsencrypt.org/directory"
+    acme_version: 2
+    account_key_src: /etc/letsencrypt/account/account.key
+    account_uri: "{{ account.account_uri }}"
+    account_email: "{{ acme_email }}"
+    terms_agreed: 1
+    challenge: http-01
+    csr: "/etc/letsencrypt/csrs/{{ domain }}.csr"
+    dest: "/etc/letsencrypt/certs/{{ domain }}.crt"
+    fullchain_dest: "/etc/letsencrypt/certs/fullchain_{{ domain }}.crt"
+    remaining_days: 91
+  register: acme_challenge
+  when: cert_regen is defined
+
+- name: Create ACME challenge directory
+  file:
+    path: "{{ webroot }}/.well-known/acme-challenge"
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+  when: cert_regen is defined
+
+- name: Add ACME challenge files
+  copy:
+    content: "{{ acme_challenge['challenge_data'][item]['http-01']['resource_value'] }}"
+    dest: "{{ webroot }}/{{ acme_challenge['challenge_data'][item]['http-01']['resource'] }}"
+    owner: root
+    group: root
+    mode: 644
+  with_items:
+    - "{{ domain }}"
+  when: cert_regen is defined
+
+- name: Complete ACME challenge
+  community.crypto.acme_certificate:
+    acme_directory: "https://acme-v02.api.letsencrypt.org/directory"
+    acme_version: 2
+    account_key_src: /etc/letsencrypt/account/account.key
+    account_email: "{{ acme_email }}"
+    account_uri: "{{ account.account_uri }}"
+    challenge: http-01
+    terms_agreed: 1
+    csr: "/etc/letsencrypt/csrs/{{ domain }}.csr"
+    dest: "/etc/letsencrypt/certs/{{ domain }}.crt"
+    fullchain_dest: "/etc/letsencrypt/certs/fullchain_{{ domain }}.crt"
+    chain_dest: "/etc/letsencrypt/certs/chain_{{ domain }}.crt"
+    data: "{{ acme_challenge }}"
+  when: cert_regen is defined

tasks/sys_config.yml

@@ -0,0 +1,4 @@
+- name: Set MOTD
+  template:
+    src: motd.j2
+    dest: /etc/motd

tasks/user_config.yml

@@ -0,0 +1,38 @@
+- name: Fetch dotfiles
+  git:
+    repo: "{{ dots_repo }}"
+    dest: "/srv/dots/"
+  register: dotfiles
+
+- name: Create list of users to configure
+  set_fact:
+    users:
+      - "{{ ansible_user }}"
+      - "{{ username }}"
+
+- name: Remove existing dotfiles
+  file:
+    path: "/home/{{ item }}/.bashrc"
+    state: absent
+  with_items: "{{ users }}"
+  when: dotfiles.changed
+
+- name: Copy dotfiles
+  copy:
+    remote_src: yes
+    src: /srv/dots/
+    dest: "/home/{{ item }}/dots/"
+    owner: "{{ item }}"
+    group: "{{ item }}"
+  with_items: "{{ users }}"
+  when: dotfiles.changed
+
+- name: Deploy dotfiles on login
+  template:
+    src: templates/.bash_profile.j2
+    dest: "/home/{{ item }}/.bash_profile"
+    owner: "{{ item }}"
+    group: "{{ item }}"
+    force: yes
+  with_items: "{{ users }}"
+  when: dotfiles.changed

tasks/webserver.yml

@@ -0,0 +1,52 @@
+- name: Install webserver and miscellaneous networking packages
+  community.general.pacman:
+    name:
+      - bind
+      - ddclient
+      - nginx
+      - certbot
+      - certbot-nginx
+
+    state: present
+
+- name: Configure dynamic DNS
+  template:
+    src: ddclient.conf.j2
+    dest: /etc/ddclient/ddclient.conf
+
+- name: Enable dynamic DNS service
+  service:
+    name: ddclient
+    enabled: yes
+
+- name: Configure nameserver
+  template:
+    src: named/named.conf.j2
+    dest: /etc/named.conf
+  register: named_conf
+
+- name: Add nameserver zone
+  template:
+    src: named/local_zone.j2
+    dest: "/var/named/{{ domain }}"
+  register: named_conf
+
+- name: Enable nameserver service
+  service:
+    name: named
+    state: started
+    enabled: yes
+  when: named_conf.changed
+
+- name: Configure nginx
+  template:
+    src: nginx.conf.j2
+    dest: /etc/nginx/nginx.conf
+  register: nginx_conf
+
+- name: Enable nginx service
+  service:
+    name: nginx
+    state: restarted
+    enabled: yes
+  when: nginx_conf.changed

tasks/wiki.yml

@@ -0,0 +1,79 @@
+- name: Install wiki packages
+  community.general.pacman:
+    name:
+      - mediawiki
+      - php-fpm
+      - php-intl
+      - php-sqlite
+      - imagemagick
+
+    state: present
+
+- name: Symlink wikis into web root
+  file:
+    src: /usr/share/webapps/mediawiki
+    dest: "{{ webroot }}/{{ item }}"
+    state: link
+  with_items: "{{ wiki_names }}"
+
+- name: Deploy wiki-farm main configuration file
+  template:
+    src: mediawiki/LocalSettings.php.j2
+    dest: "{{ webroot }}/{{ wiki_names[0] }}/LocalSettings.php"
+
+- name: Deploy configuration files for individual wikis
+  template:
+    src: "mediawiki/LocalSettings_{{ item.1 }}.php.j2"
+    dest: "{{ webroot }}/{{ wiki_names[0] }}/LocalSettings_{{ item.1 }}.php"
+  with_indexed_items: "{{ wiki_names }}"
+
+- name: Copy wiki logo files
+  copy:
+    src: "{{ item }}"
+    dest: "{{ webroot }}/{{ wiki_names[0] }}/resources/assets/"
+  with_fileglob:
+    - mediawiki/logos/*.png
+
+- name: Enable iconv extension
+  lineinfile:
+    dest: /etc/php/php.ini
+    regexp: "^;extension=iconv"
+    line: "extension=iconv"
+  register: php_config
+
+- name: Enable intl extension
+  lineinfile:
+    dest: /etc/php/php.ini
+    regexp: "^;extension=intl"
+    line: "extension=intl"
+  register: php_config
+
+- name: Enable sqlite3 extension
+  lineinfile:
+    dest: /etc/php/php.ini
+    regexp: "^;extension=sqlite3"
+    line: "extension=sqlite3"
+  register: php_config
+
+- name: Enable pd_sqlite extension
+  lineinfile:
+    dest: /etc/php/php.ini
+    regexp: "^;extension=pdo_sqlite"
+    line: "extension=pdo_sqlite"
+  register: php_config
+
+- name: Change systemd unit file to allow access to dataroot
+  lineinfile:
+    path: /usr/lib/systemd/system/php-fpm.service
+    insertafter: "^PrivateDevices.*"
+    regexp: "^ReadWritePaths.*"
+    line: "ReadWritePaths={{ dataroot }}/mediawiki/"
+    state: present
+  register: php_config
+
+- name: Enable php service
+  service:
+    name: php-fpm
+    enabled: yes
+    state: restarted
+  when: php_config.changed

templates/.bash_profile.j2

@@ -0,0 +1,4 @@
+# Automatically deploy dotfiles on login
+
+~/dots/dotinstall.sh > /dev/null 2>&1
+source ~/.profile

templates/ddclient.conf.j2

@@ -0,0 +1,7 @@
+protocol=dyndns2
+use=web, web=https://ip.me
+ssl=yes  # yes = use https for updates
+server=ipv4.nsupdate.info
+login={{ domain }}
+password='{{ ddclient_pass }}'
+{{ domain }}

templates/mediawiki/LocalSettings.php.j2

@@ -0,0 +1,108 @@
+<?php
+if ( !defined( 'MEDIAWIKI' ) ) {
+	exit;
+}
+
+$callingurl = strtolower( $_SERVER['REQUEST_URI'] ); // get the calling url
+if ( strpos( $callingurl, '/{{ wiki_names[0] }}' )  === 0 ) {
+        require_once 'LocalSettings_{{ wiki_names[0] }}.php';
+}
+{%- for extra_wiki in wiki_names[1:] %}
+elseif ( strpos( $callingurl, '/{{ extra_wiki }}' ) === 0 ) {
+        require_once 'LocalSettings_{{ extra_wiki }}.php';
+{% endfor %}
+} else {
+        header( 'HTTP/1.1 404 Not Found' );
+        echo "This wiki (\"" . htmlspecialchars( $callingurl ) . "\") is not available. Check configuration.";
+        exit( 0 );
+}
+
+$wgServer = "https://{{ domain }}";
+
+$wgEnableEmail = false;
+$wgEnableUserEmail = true; # UPO
+
+$wgEmergencyContact = "apache@🌻.invalid";
+$wgPasswordSender = "apache@🌻.invalid";
+
+$wgEnotifUserTalk = false; # UPO
+$wgEnotifWatchlist = false; # UPO
+$wgEmailAuthentication = true;
+
+$wgDBtype = "sqlite";
+$wgDBserver = "";
+$wgDBuser = "";
+$wgDBpassword = "";
+
+$wgSQLiteDataDir = "{{ dataroot }}/mediawiki";
+$wgObjectCaches[CACHE_DB] = [
+	'class' => SqlBagOStuff::class,
+	'loggroup' => 'SQLBagOStuff',
+	'server' => [
+		'type' => 'sqlite',
+		'dbname' => 'wikicache',
+		'tablePrefix' => '',
+		'variables' => [ 'synchronous' => 'NORMAL' ],
+		'dbDirectory' => $wgSQLiteDataDir,
+		'trxMode' => 'IMMEDIATE',
+		'flags' => 0
+	]
+];
+$wgLocalisationCacheConf['storeServer'] = [
+	'type' => 'sqlite',
+	'dbname' => "{$wgDBname}_l10n_cache",
+	'tablePrefix' => '',
+	'variables' => [ 'synchronous' => 'NORMAL' ],
+	'dbDirectory' => $wgSQLiteDataDir,
+	'trxMode' => 'IMMEDIATE',
+	'flags' => 0
+];
+$wgJobTypeConf['default'] = [
+	'class' => 'JobQueueDB',
+	'claimTTL' => 3600,
+	'server' => [
+		'type' => 'sqlite',
+		'dbname' => "{$wgDBname}_jobqueue",
+		'tablePrefix' => '',
+		'variables' => [ 'synchronous' => 'NORMAL' ],
+		'dbDirectory' => $wgSQLiteDataDir,
+		'trxMode' => 'IMMEDIATE',
+		'flags' => 0
+	]
+];
+
+$wgSharedTables[] = "actor";
+$wgMainCacheType = CACHE_NONE;
+$wgMemCachedServers = [];
+
+$wgEnableUploads = true;
+$wgUseImageMagick = true;
+$wgImageMagickConvertCommand = "/usr/bin/convert";
+
+$wgUseInstantCommons = false;
+
+$wgPingback = false;
+
+$wgShellLocale = "C.UTF-8";
+
+$wgLanguageCode = "en";
+
+$wgLocaltimezone = "UTC";
+
+$wgAuthenticationTokenVersion = "1";
+
+$wgUpgradeKey = "{{ wgUpgradeKey }}";
+
+$wgRightsPage = "";
+$wgRightsUrl = "";
+$wgRightsText = "";
+$wgRightsIcon = "";
+
+$wgDiff3 = "/usr/bin/diff3";
+
+wfLoadSkin( 'MonoBook' );
+wfLoadSkin( 'Timeless' );
+wfLoadSkin( 'Vector' );
+
+wfLoadExtension( 'WikiEditor' );
+wfLoadExtension( 'Poem' );

templates/mediawiki/LocalSettings_rw.php.j2

@@ -0,0 +1,21 @@
+<?php
+if ( !defined( 'MEDIAWIKI' ) ) {
+	exit;
+}
+$wgSitename = "Rockwell Wiki";
+$wgMetaNamespace = "Rockwell_Wiki";
+
+$wgScriptPath = "/rw";
+$wgResourceBasePath = $wgScriptPath;
+
+$wgLogos = [ '1x' => "$wgResourceBasePath/resources/assets/rw.png" ];
+
+$wgDBname = "rw_wiki";
+
+$wgSecretKey = "{{ wgSecretKey[item.0] }}";
+
+$wgGroupPermissions['*']['createaccount'] = false;
+$wgGroupPermissions['*']['edit'] = false;
+$wgGroupPermissions['*']['read'] = false;
+
+$wgDefaultSkin = "timeless";

templates/mediawiki/LocalSettings_wiki.php.j2

@@ -0,0 +1,23 @@
+<?php
+
+if ( !defined( 'MEDIAWIKI' ) ) {
+     exit;
+}
+
+$wgSitename = "Bepp Wiki";
+$wgMetaNamespace = "Bepp_Wiki";
+
+$wgScriptPath = "/wiki";
+$wgResourceBasePath = $wgScriptPath;
+
+$wgLogos = [ '1x' => "$wgResourceBasePath/resources/assets/bepp.png" ];
+
+$wgDBname = "bepp_wiki";
+
+$wgSecretKey = "{{ wgSecretKey[item.0] }}";
+
+$wgGroupPermissions['*']['createaccount'] = false;
+$wgGroupPermissions['*']['edit'] = false;
+$wgGroupPermissions['*']['read'] = false;
+
+$wgDefaultSkin = "vector";

templates/motd.j2

@@ -0,0 +1,5 @@
+
+{{ ansible_hostname }}
+			
+All unauthorised access to this device is prohibited.
+

templates/named/local_zone.j2

@@ -0,0 +1,13 @@
+$TTL    604800
+@       IN      SOA     {{ domain }}. {{ email }}. (
+                              3         ; Serial
+                         604800         ; Refresh
+                          86400         ; Retry
+                        2419200         ; Expire
+                         604800 )       ; Negative Cache TTL
+;
+ns IN A {{ local_ip }}
+@       IN      NS      localhost.
+@       IN      A       {{ local_ip }}
+@       IN      AAAA    ::1
+{{ domain }} IN A {{ local_ip }}

templates/named/named.conf.j2

@@ -0,0 +1,45 @@
+// vim:set ts=4 sw=4 et:
+
+acl internals { 127.0.0.0/8; {{ local_subnet }}; };
+
+options {
+    directory "/var/named";
+    pid-file "/run/named/named.pid";
+    forwarders { {{ dns_forward }}; };
+
+    // Uncomment these to enable IPv6 connections support
+    // IPv4 will still work:
+    //  listen-on-v6 { any; };
+    // Add this for no IPv4:
+    //  listen-on { none; };
+
+    recursion yes;
+    allow-query { internals; };
+    allow-transfer { none; };
+    dnssec-validation auto;
+    allow-update { none; };
+    version none;
+    hostname none;
+    server-id none;
+};
+
+zone "localhost" IN {
+    type master;
+    file "localhost.zone";
+};
+
+zone "0.0.127.in-addr.arpa" IN {
+    type master;
+    file "127.0.0.zone";
+};
+
+zone "{{ domain }}" {
+             type master;
+             file "/var/named/{{ domain }}";
+        };
+
+
+zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
+    type master;
+    file "localhost.ip6.zone";
+};

templates/nginx.conf.j2

@@ -0,0 +1,91 @@
+worker_processes  1;
+
+events {
+    worker_connections 1024;
+}
+
+http { include mime.types;
+
+	disable_symlinks off;
+
+	default_type application/octet-stream;
+	sendfile on;
+	keepalive_timeout 65;
+	types_hash_max_size 4096;
+	root {{ webroot }}/;
+
+	server {
+		if ($host = {{ domain }}) {
+			return 301 https://$host$request_uri;
+		} # managed by Certbot
+	}
+
+	server {
+
+		ssl_certificate /etc/letsencrypt/certs/fullchain_{{ domain }}.crt;
+		ssl_certificate_key /etc/letsencrypt/keys/{{ domain }}.key;
+
+		ssl_session_cache    shared:SSL:1m;
+		ssl_session_timeout  5m;
+
+		ssl_ciphers  HIGH:!aNULL:!MD5;
+		ssl_prefer_server_ciphers  on;
+
+		listen 443 ssl http2;
+		listen [::]:443 ssl http2;
+
+		listen 8448 ssl http2 default_server;
+		listen [::]:8448 ssl http2 default_server;
+
+		server_name {{ domain }};
+
+		location ~* ^(\/_matrix|\/_synapse\/client) {
+			proxy_pass http://localhost:8008;
+			proxy_set_header X-Forwarded-For $remote_addr;
+			proxy_set_header X-Forwarded-Proto $scheme;
+			proxy_set_header Host $host;
+
+			client_max_body_size 50M;
+		}
+
+		location = / {
+			return 301 https://{{ domain }}/site/index.html;
+		}
+
+		location /site {
+			index  index.html;
+		}
+
+		location /wiki {
+			index index.php;
+		}
+
+		location /rw {
+			index index.php;
+		}
+
+		location /git/ {
+			proxy_pass http://localhost:3000/ ;
+		}
+
+		location ~ \.php$ {
+			# 404
+			try_files $fastcgi_script_name =404;
+
+			# default fastcgi_params
+			include fastcgi_params;
+
+			# fastcgi settings
+			fastcgi_pass			unix:/run/php-fpm/php-fpm.sock;
+			fastcgi_index			index.php;
+			fastcgi_buffers			8 16k;
+			fastcgi_buffer_size		32k;
+
+			# fastcgi params
+			fastcgi_param DOCUMENT_ROOT	$realpath_root;
+			fastcgi_param SCRIPT_FILENAME	$realpath_root$fastcgi_script_name;
+			#fastcgi_param PHP_ADMIN_VALUE	"open_basedir=$base/:/usr/lib/php/:/tmp/";
+		    }
+}
+}
+

templates/nginx_bare.conf.j2

@@ -0,0 +1,17 @@
+# Do not use this configuration once setup is finished.
+# It is only intended for getting a Let's Encrypt cert, allowing the main config to work.
+
+events {
+    worker_connections 1024;
+}
+
+http {
+	server {
+	  listen 80;
+	  server_name {{ domain }};
+	  root {{ webroot }}/;
+
+	  location / {
+	  }
+	}
+}

templates/synapse/log.config.j2

@@ -0,0 +1,71 @@
+# Log configuration for Synapse.
+#
+# This is a YAML file containing a standard Python logging configuration
+# dictionary. See [1] for details on the valid settings.
+#
+# Synapse also supports structured logging for machine readable logs which can
+# be ingested by ELK stacks. See [2] for details.
+#
+# [1]: https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
+# [2]: https://matrix-org.github.io/synapse/latest/structured_logging.html
+
+version: 1
+
+formatters:
+    precise:
+        format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+handlers:
+    file:
+        class: logging.handlers.TimedRotatingFileHandler
+        formatter: precise
+        filename: /var/log/synapse/homeserver.log
+        when: midnight
+        backupCount: 3  # Does not include the current log file.
+        encoding: utf8
+
+    # Default to buffering writes to log file for efficiency. This means that
+    # will be a delay for INFO/DEBUG logs to get written, but WARNING/ERROR
+    # logs will still be flushed immediately.
+    buffer:
+        class: logging.handlers.MemoryHandler
+        target: file
+        # The capacity is the number of log lines that are buffered before
+        # being written to disk. Increasing this will lead to better
+        # performance, at the expensive of it taking longer for log lines to
+        # be written to disk.
+        capacity: 10
+        flushLevel: 30  # Flush for WARNING logs as well
+
+    # A handler that writes logs to stderr. Unused by default, but can be used
+    # instead of "buffer" and "file" in the logger handlers.
+    console:
+        class: logging.StreamHandler
+        formatter: precise
+
+loggers:
+    synapse.storage.SQL:
+        # beware: increasing this to DEBUG will make synapse log sensitive
+        # information such as access tokens.
+        level: INFO
+
+    twisted:
+        # We send the twisted logging directly to the file handler,
+        # to work around https://github.com/matrix-org/synapse/issues/3471
+        # when using "buffer" logger. Use "console" to log to stderr instead.
+        handlers: [file]
+        propagate: false
+
+root:
+    level: INFO
+
+    # Write logs to the `buffer` handler, which will buffer them together in memory,
+    # then write them to a file.
+    #
+    # Replace "buffer" with "console" to log to stderr instead. (Note that you'll
+    # also need to update the configuration for the `twisted` logger above, in
+    # this case.)
+    #
+    handlers: [buffer]
+
+disable_existing_loggers: false