Initial file upload
This commit is contained in:
parent
a778e03aa4
commit
127c3c5235
8
ansible.cfg
Normal file
8
ansible.cfg
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
[defaults]
|
||||||
|
inventory = hosts
|
||||||
|
|
||||||
|
[ssh_connections]
|
||||||
|
pipelining = true
|
||||||
|
|
||||||
|
[privilege_escalation]
|
||||||
|
become_method = "{{ escalation_method }}"
|
BIN
files/mediawiki/logos/bepp.png
Normal file
BIN
files/mediawiki/logos/bepp.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 21 KiB |
BIN
files/mediawiki/logos/rw.png
Normal file
BIN
files/mediawiki/logos/rw.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 21 KiB |
96
group_vars/all/vars.yml
Normal file
96
group_vars/all/vars.yml
Normal file
@ -0,0 +1,96 @@
|
|||||||
|
# Package lists
|
||||||
|
|
||||||
|
# Utilities
|
||||||
|
util_pack:
|
||||||
|
|
||||||
|
# Email address for Let's Encrypt and DNS
|
||||||
|
email: dogeystamp@disroot.org
|
||||||
|
|
||||||
|
# Could be sudo instead
|
||||||
|
escalation_method: doas
|
||||||
|
|
||||||
|
sshd_port: 2500
|
||||||
|
|
||||||
|
domain: d.nerdpol.ovh
|
||||||
|
|
||||||
|
# Username for unpriviledged user
|
||||||
|
username: dogeystamp
|
||||||
|
|
||||||
|
# Create an SFTP read-only user (leave blank to disable)
|
||||||
|
sftp_ro_username: dogeystamp-mobile
|
||||||
|
|
||||||
|
# Git repos (could be localhost if Gitea is installed)
|
||||||
|
dots_repo: http://localhost:3000/dogeystamp/dots.git
|
||||||
|
site_repo: http://localhost:3000/dogeystamp/website.git
|
||||||
|
|
||||||
|
# Drive with all the data stored on it (should be separate from OS drive)
|
||||||
|
# This is the raw partition, and not the mapped crypt device
|
||||||
|
secondary_disk: /dev/sdb
|
||||||
|
|
||||||
|
# Web root for nginx and other applications
|
||||||
|
webroot: /srv/http
|
||||||
|
|
||||||
|
# Data root
|
||||||
|
dataroot: /var/www/data
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Network settings (nameserver, address, etc.)
|
||||||
|
|
||||||
|
# Forward DNS queries to
|
||||||
|
dns_forward: 1.1.1.1
|
||||||
|
|
||||||
|
# Local IP address subnet
|
||||||
|
local_subnet: 192.168.0.0/24
|
||||||
|
|
||||||
|
# Static address of the server (locally)
|
||||||
|
# Preferably have another one to SSH into with Ansible, as we change the IP midway
|
||||||
|
# in connection.yml
|
||||||
|
local_ip: 192.168.0.3
|
||||||
|
|
||||||
|
# Connection interface for static IP
|
||||||
|
interface: eth0
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# ACME variables
|
||||||
|
|
||||||
|
acme_email: "{{ email }}"
|
||||||
|
|
||||||
|
# Mediawiki farm variables
|
||||||
|
|
||||||
|
# Internal names for the wikis, used for filenames and URLs
|
||||||
|
wiki_names:
|
||||||
|
- wiki
|
||||||
|
- rw
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Placeholders for secret vault
|
||||||
|
|
||||||
|
|
||||||
|
ddclient_pass: secret
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Gitea secrets
|
||||||
|
lfs_jwt_secret: "secret"
|
||||||
|
jwt_secret: "secret"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Mediawiki secrets
|
||||||
|
|
||||||
|
wgUpgradeKey: "secret"
|
||||||
|
|
||||||
|
# This should have the same amount of elements as wiki_names.
|
||||||
|
wgSecretKey:
|
||||||
|
- "wiki_secret"
|
||||||
|
- "rw_secret"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Matrix Synapse secrets
|
||||||
|
registration_shared_secret: "secret"
|
||||||
|
macaroon_secret_key: "secret"
|
||||||
|
form_secret: "secret"
|
23
run.yml
Normal file
23
run.yml
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
---
|
||||||
|
- hosts: all
|
||||||
|
become: yes
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
- include_tasks: "tasks/{{ task }}.yml"
|
||||||
|
with_items:
|
||||||
|
- essential
|
||||||
|
- sys_config
|
||||||
|
- connection
|
||||||
|
- firewall
|
||||||
|
- sftp
|
||||||
|
- mail
|
||||||
|
- ssl
|
||||||
|
- webserver
|
||||||
|
- gitea
|
||||||
|
- wiki
|
||||||
|
- matrix
|
||||||
|
- site
|
||||||
|
- cronjobs
|
||||||
|
- user_config
|
||||||
|
loop_control:
|
||||||
|
loop_var: task
|
28
tasks/connection.yml
Normal file
28
tasks/connection.yml
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
- name: Install NetworkManager
|
||||||
|
community.general.pacman:
|
||||||
|
name:
|
||||||
|
- networkmanager
|
||||||
|
|
||||||
|
- name: Enable NetworkManager
|
||||||
|
service:
|
||||||
|
name: NetworkManager
|
||||||
|
enabled: yes
|
||||||
|
state: started
|
||||||
|
|
||||||
|
- name: Disable existing eth0 connection
|
||||||
|
community.general.nmcli:
|
||||||
|
conn_name: eth0
|
||||||
|
state: absent
|
||||||
|
register: networkmanager_config
|
||||||
|
|
||||||
|
- name: Set static IP address
|
||||||
|
community.general.nmcli:
|
||||||
|
dns4: "{{ dns_forward }}"
|
||||||
|
dns4_ignore_auto: yes
|
||||||
|
ip4: "{{ local_ip }}"
|
||||||
|
method4: manual
|
||||||
|
state: present
|
||||||
|
conn_name: wired
|
||||||
|
ifname: "{{ interface }}"
|
||||||
|
type: ethernet
|
||||||
|
when: networkmanager_config.changed
|
12
tasks/cronjobs.yml
Normal file
12
tasks/cronjobs.yml
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
- name: Cronjob to remove externally managed eth0 connection
|
||||||
|
cron:
|
||||||
|
name: "Ensure eth0 is not externally managed"
|
||||||
|
minute: "*/10"
|
||||||
|
job: "/usr/bin/nmcli connection down eth0 > /dev/null 2>&1; /usr/bin/nmcli connection down wired > /dev/null 2>&1; /usr/bin/nmcli connection up wired > /dev/null"
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Enable cron daemon
|
||||||
|
service:
|
||||||
|
name: cronie
|
||||||
|
state: started
|
||||||
|
enabled: yes
|
86
tasks/essential.yml
Normal file
86
tasks/essential.yml
Normal file
@ -0,0 +1,86 @@
|
|||||||
|
- name: Change hostname
|
||||||
|
hostname:
|
||||||
|
name: "{{ inventory_hostname }}"
|
||||||
|
|
||||||
|
- name: Update packages
|
||||||
|
community.general.pacman:
|
||||||
|
update_cache: yes
|
||||||
|
upgrade: yes
|
||||||
|
|
||||||
|
- name: Install utility packages
|
||||||
|
community.general.pacman:
|
||||||
|
name:
|
||||||
|
- neovim
|
||||||
|
- neofetch
|
||||||
|
- fish
|
||||||
|
- htop
|
||||||
|
- tmux
|
||||||
|
- git
|
||||||
|
- cronie
|
||||||
|
- progress
|
||||||
|
- rsync
|
||||||
|
- man-db
|
||||||
|
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Disable SSH password auth
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
regexp: "^#PasswordAuthentication yes"
|
||||||
|
line: "PasswordAuthentication no"
|
||||||
|
register: sshd_config
|
||||||
|
|
||||||
|
- name: Change SSH port
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
regexp: "^#Port 22"
|
||||||
|
line: "Port {{ sshd_port }}"
|
||||||
|
register: sshd_config
|
||||||
|
|
||||||
|
- name: Restart SSHD
|
||||||
|
service:
|
||||||
|
name: sshd
|
||||||
|
state: restarted
|
||||||
|
when: sshd_config.changed
|
||||||
|
|
||||||
|
- name: Disable root login
|
||||||
|
user:
|
||||||
|
name: root
|
||||||
|
password: "*"
|
||||||
|
|
||||||
|
- name: Create unpriviledged user
|
||||||
|
user:
|
||||||
|
name: "{{ username }}"
|
||||||
|
|
||||||
|
- name: Deploy SSH key to unpriviledged user
|
||||||
|
ansible.posix.authorized_key:
|
||||||
|
user: "{{ username }}"
|
||||||
|
state: present
|
||||||
|
key: "{{ lookup('file', '~/.ssh/keys/{{ ansible_hostname }}.pub')}}"
|
||||||
|
|
||||||
|
- name: Deploy keyfile
|
||||||
|
copy:
|
||||||
|
src: k5e
|
||||||
|
dest: /k5e
|
||||||
|
mode: 0600
|
||||||
|
|
||||||
|
- name: Setup crypttab
|
||||||
|
community.general.crypttab:
|
||||||
|
backing_device: "{{ secondary_disk }}"
|
||||||
|
name: disk
|
||||||
|
state: present
|
||||||
|
password: /k5e
|
||||||
|
|
||||||
|
- name: Decrypt secondary disk
|
||||||
|
luks_device:
|
||||||
|
device: "{{ secondary_disk }}"
|
||||||
|
keyfile: /k5e
|
||||||
|
name: disk
|
||||||
|
state: opened
|
||||||
|
|
||||||
|
- name: Setup fstab
|
||||||
|
mount:
|
||||||
|
path: /mnt/disk
|
||||||
|
src: /dev/mapper/disk
|
||||||
|
state: mounted
|
||||||
|
fstype: ext4
|
35
tasks/firewall.yml
Normal file
35
tasks/firewall.yml
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
- name: Install firewall packages
|
||||||
|
community.general.pacman:
|
||||||
|
name:
|
||||||
|
- ufw
|
||||||
|
|
||||||
|
- name: Deny all ports
|
||||||
|
community.general.ufw:
|
||||||
|
policy: deny
|
||||||
|
|
||||||
|
- name: Allow service ports
|
||||||
|
community.general.ufw:
|
||||||
|
rule: allow
|
||||||
|
port: "{{ item }}"
|
||||||
|
proto: tcp
|
||||||
|
state: enabled
|
||||||
|
|
||||||
|
with_items:
|
||||||
|
- "{{ sshd_port }}"
|
||||||
|
- http
|
||||||
|
- https
|
||||||
|
|
||||||
|
- name: Allow DNS port to LAN
|
||||||
|
community.general.ufw:
|
||||||
|
rule: allow
|
||||||
|
port: 53
|
||||||
|
proto: any
|
||||||
|
state: enabled
|
||||||
|
src: "{{ local_subnet }}"
|
||||||
|
|
||||||
|
|
||||||
|
- name: Enable firewall service
|
||||||
|
service:
|
||||||
|
name: ufw
|
||||||
|
state: started
|
||||||
|
enabled: yes
|
37
tasks/gitea.yml
Normal file
37
tasks/gitea.yml
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
- name: Install gitea packages
|
||||||
|
community.general.pacman:
|
||||||
|
name: gitea
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Ensure gitea is stopped
|
||||||
|
service:
|
||||||
|
name: gitea
|
||||||
|
state: stopped
|
||||||
|
|
||||||
|
- name: Configure gitea
|
||||||
|
template:
|
||||||
|
src: templates/gitea_app.ini.j2
|
||||||
|
dest: /etc/gitea/app.ini
|
||||||
|
register: gitea_conf
|
||||||
|
|
||||||
|
- name: Change systemd unit file to allow access to dataroot
|
||||||
|
lineinfile:
|
||||||
|
path: /usr/lib/systemd/system/gitea.service
|
||||||
|
insertafter: "^WorkingDirectory.*"
|
||||||
|
regexp: "^ReadWritePaths.*"
|
||||||
|
line: "ReadWritePaths={{ dataroot }}/gitea/"
|
||||||
|
state: present
|
||||||
|
register: gitea_conf
|
||||||
|
|
||||||
|
- name: Change homedir of gitea
|
||||||
|
user:
|
||||||
|
name: gitea
|
||||||
|
home: "{{ dataroot }}/gitea/"
|
||||||
|
register: gitea_conf
|
||||||
|
|
||||||
|
- name: Enable gitea
|
||||||
|
service:
|
||||||
|
name: gitea
|
||||||
|
state: restarted
|
||||||
|
enabled: yes
|
||||||
|
when: gitea_conf.changed
|
19
tasks/mail.yml
Normal file
19
tasks/mail.yml
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
- name: Install mail packages
|
||||||
|
community.general.pacman:
|
||||||
|
name:
|
||||||
|
- neomutt
|
||||||
|
- exim
|
||||||
|
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Redirect root mail to ansible agent
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/mail/aliases
|
||||||
|
regexp: "^#root:"
|
||||||
|
line: "root: {{ ansible_user }}"
|
||||||
|
|
||||||
|
- name: Enable exim
|
||||||
|
service:
|
||||||
|
name: exim
|
||||||
|
state: started
|
||||||
|
enabled: yes
|
33
tasks/matrix.yml
Normal file
33
tasks/matrix.yml
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
- name: Install matrix packages
|
||||||
|
community.general.pacman:
|
||||||
|
name: matrix-synapse
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Copy signing key
|
||||||
|
copy:
|
||||||
|
src: synapse/signing.key
|
||||||
|
dest: /etc/synapse/signing.key
|
||||||
|
|
||||||
|
- name: Deploy matrix homeserver configuration
|
||||||
|
template:
|
||||||
|
src: synapse/homeserver.yaml.j2
|
||||||
|
dest: /etc/synapse/homeserver.yaml
|
||||||
|
|
||||||
|
- name: Deploy matrix logging configuration
|
||||||
|
template:
|
||||||
|
src: synapse/log.config.j2
|
||||||
|
dest: /etc/synapse/log.config
|
||||||
|
|
||||||
|
- name: Change systemd unit file to allow access to dataroot
|
||||||
|
lineinfile:
|
||||||
|
path: /usr/lib/systemd/system/synapse.service
|
||||||
|
insertafter: "^WorkingDirectory.*"
|
||||||
|
regexp: "^ReadWritePaths.*"
|
||||||
|
line: "ReadWritePaths={{ dataroot }}/synapse/"
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Enable matrix service
|
||||||
|
service:
|
||||||
|
name: synapse
|
||||||
|
enabled: yes
|
||||||
|
state: started
|
15
tasks/sftp.yml
Normal file
15
tasks/sftp.yml
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
- name: Create sftp read group
|
||||||
|
group:
|
||||||
|
name: sftpr
|
||||||
|
|
||||||
|
- name: Create sftp read-only user
|
||||||
|
user:
|
||||||
|
name: "{{ sftp_ro_username }}"
|
||||||
|
groups:
|
||||||
|
- sftpr
|
||||||
|
|
||||||
|
- name: Deploy SSH key to sftp user
|
||||||
|
ansible.posix.authorized_key:
|
||||||
|
user: "{{ sftp_ro_username }}"
|
||||||
|
state: present
|
||||||
|
key: "{{ lookup('file', '~/.ssh/keys/{{ ansible_hostname }}_sftp.pub')}}"
|
4
tasks/site.yml
Normal file
4
tasks/site.yml
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
- name: Fetch site source
|
||||||
|
git:
|
||||||
|
dest: /srv/http/site
|
||||||
|
repo: "{{ site_repo }}"
|
134
tasks/ssl.yml
Normal file
134
tasks/ssl.yml
Normal file
@ -0,0 +1,134 @@
|
|||||||
|
- name: Install webserver and miscellaneous networking packages
|
||||||
|
community.general.pacman:
|
||||||
|
name:
|
||||||
|
- bind
|
||||||
|
- ddclient
|
||||||
|
- firewalld
|
||||||
|
- nginx
|
||||||
|
- certbot
|
||||||
|
- certbot-nginx
|
||||||
|
|
||||||
|
- name: Create directories for ACME
|
||||||
|
file:
|
||||||
|
path: "/etc/letsencrypt/{{ item }}"
|
||||||
|
state: directory
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0711
|
||||||
|
with_items:
|
||||||
|
- account
|
||||||
|
- certs
|
||||||
|
- csrs
|
||||||
|
- keys
|
||||||
|
|
||||||
|
- name: Generate ACME account key
|
||||||
|
community.crypto.openssl_privatekey:
|
||||||
|
path: "/etc/letsencrypt/account/account.key"
|
||||||
|
|
||||||
|
- name: Generate ACME private key
|
||||||
|
community.crypto.openssl_privatekey:
|
||||||
|
path: "/etc/letsencrypt/keys/{{ domain }}.key"
|
||||||
|
|
||||||
|
- name: Check if certificate exists
|
||||||
|
stat:
|
||||||
|
path: "/etc/letsencrypt/certs/{{ domain }}.crt"
|
||||||
|
register: cert_file
|
||||||
|
|
||||||
|
- name: Check if certificate is expired
|
||||||
|
community.crypto.x509_certificate_info:
|
||||||
|
path: "/etc/letsencrypt/certs/{{ domain }}.crt"
|
||||||
|
valid_at:
|
||||||
|
now: "+0"
|
||||||
|
register: result
|
||||||
|
when: cert_file.stat.exists
|
||||||
|
|
||||||
|
- name: Determine whether certificate should be regenerated
|
||||||
|
set_fact:
|
||||||
|
cert_regen: yes
|
||||||
|
when: not cert_file.stat.exists or result.expired | bool
|
||||||
|
|
||||||
|
- name: Configure nginx for ACME
|
||||||
|
template:
|
||||||
|
src: nginx_bare.conf.j2
|
||||||
|
dest: /etc/nginx/nginx.conf
|
||||||
|
when: cert_regen is defined
|
||||||
|
|
||||||
|
- name: Enable nginx service
|
||||||
|
service:
|
||||||
|
name: nginx
|
||||||
|
state: restarted
|
||||||
|
enabled: yes
|
||||||
|
when: cert_regen is defined
|
||||||
|
|
||||||
|
- name: Create ACME account
|
||||||
|
community.crypto.acme_account:
|
||||||
|
account_key_src: /etc/letsencrypt/account/account.key
|
||||||
|
state: present
|
||||||
|
allow_creation: yes
|
||||||
|
contact:
|
||||||
|
- "mailto:{{ acme_email }}"
|
||||||
|
acme_directory: "https://acme-v02.api.letsencrypt.org/directory"
|
||||||
|
terms_agreed: 1
|
||||||
|
acme_version: 2
|
||||||
|
register: account
|
||||||
|
when: cert_regen is defined
|
||||||
|
|
||||||
|
- name: Generate ACME CSR
|
||||||
|
community.crypto.openssl_csr:
|
||||||
|
path: "/etc/letsencrypt/csrs/{{ domain }}.csr"
|
||||||
|
common_name: "{{ domain }}"
|
||||||
|
subject_alt_name: "DNS:{{ domain }}"
|
||||||
|
privatekey_path: "/etc/letsencrypt/keys/{{ domain }}.key"
|
||||||
|
when: cert_regen is defined
|
||||||
|
|
||||||
|
- name: Retrieve ACME challenge
|
||||||
|
community.crypto.acme_certificate:
|
||||||
|
acme_directory: "https://acme-v02.api.letsencrypt.org/directory"
|
||||||
|
acme_version: 2
|
||||||
|
account_key_src: /etc/letsencrypt/account/account.key
|
||||||
|
account_uri: "{{ account.account_uri }}"
|
||||||
|
account_email: "{{ acme_email }}"
|
||||||
|
terms_agreed: 1
|
||||||
|
challenge: http-01
|
||||||
|
csr: "/etc/letsencrypt/csrs/{{ domain }}.csr"
|
||||||
|
dest: "/etc/letsencrypt/certs/{{ domain }}.crt"
|
||||||
|
fullchain_dest: "/etc/letsencrypt/certs/fullchain_{{ domain }}.crt"
|
||||||
|
remaining_days: 91
|
||||||
|
register: acme_challenge
|
||||||
|
when: cert_regen is defined
|
||||||
|
|
||||||
|
- name: Create ACME challenge directory
|
||||||
|
file:
|
||||||
|
path: "{{ webroot }}/.well-known/acme-challenge"
|
||||||
|
state: directory
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0755
|
||||||
|
when: cert_regen is defined
|
||||||
|
|
||||||
|
- name: Add ACME challenge files
|
||||||
|
copy:
|
||||||
|
content: "{{ acme_challenge['challenge_data'][item]['http-01']['resource_value'] }}"
|
||||||
|
dest: "{{ webroot }}/{{ acme_challenge['challenge_data'][item]['http-01']['resource'] }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 644
|
||||||
|
with_items:
|
||||||
|
- "{{ domain }}"
|
||||||
|
when: cert_regen is defined
|
||||||
|
|
||||||
|
- name: Complete ACME challenge
|
||||||
|
community.crypto.acme_certificate:
|
||||||
|
acme_directory: "https://acme-v02.api.letsencrypt.org/directory"
|
||||||
|
acme_version: 2
|
||||||
|
account_key_src: /etc/letsencrypt/account/account.key
|
||||||
|
account_email: "{{ acme_email }}"
|
||||||
|
account_uri: "{{ account.account_uri }}"
|
||||||
|
challenge: http-01
|
||||||
|
terms_agreed: 1
|
||||||
|
csr: "/etc/letsencrypt/csrs/{{ domain }}.csr"
|
||||||
|
dest: "/etc/letsencrypt/certs/{{ domain }}.crt"
|
||||||
|
fullchain_dest: "/etc/letsencrypt/certs/fullchain_{{ domain }}.crt"
|
||||||
|
chain_dest: "/etc/letsencrypt/certs/chain_{{ domain }}.crt"
|
||||||
|
data: "{{ acme_challenge }}"
|
||||||
|
when: cert_regen is defined
|
4
tasks/sys_config.yml
Normal file
4
tasks/sys_config.yml
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
- name: Set MOTD
|
||||||
|
template:
|
||||||
|
src: motd.j2
|
||||||
|
dest: /etc/motd
|
38
tasks/user_config.yml
Normal file
38
tasks/user_config.yml
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
- name: Fetch dotfiles
|
||||||
|
git:
|
||||||
|
repo: "{{ dots_repo }}"
|
||||||
|
dest: "/srv/dots/"
|
||||||
|
register: dotfiles
|
||||||
|
|
||||||
|
- name: Create list of users to configure
|
||||||
|
set_fact:
|
||||||
|
users:
|
||||||
|
- "{{ ansible_user }}"
|
||||||
|
- "{{ username }}"
|
||||||
|
|
||||||
|
- name: Remove existing dotfiles
|
||||||
|
file:
|
||||||
|
path: "/home/{{ item }}/.bashrc"
|
||||||
|
state: absent
|
||||||
|
with_items: "{{ users }}"
|
||||||
|
when: dotfiles.changed
|
||||||
|
|
||||||
|
- name: Copy dotfiles
|
||||||
|
copy:
|
||||||
|
remote_src: yes
|
||||||
|
src: /srv/dots/
|
||||||
|
dest: "/home/{{ item }}/dots/"
|
||||||
|
owner: "{{ item }}"
|
||||||
|
group: "{{ item }}"
|
||||||
|
with_items: "{{ users }}"
|
||||||
|
when: dotfiles.changed
|
||||||
|
|
||||||
|
- name: Deploy dotfiles on login
|
||||||
|
template:
|
||||||
|
src: templates/.bash_profile.j2
|
||||||
|
dest: "/home/{{ item }}/.bash_profile"
|
||||||
|
owner: "{{ item }}"
|
||||||
|
group: "{{ item }}"
|
||||||
|
force: yes
|
||||||
|
with_items: "{{ users }}"
|
||||||
|
when: dotfiles.changed
|
52
tasks/webserver.yml
Normal file
52
tasks/webserver.yml
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
- name: Install webserver and miscellaneous networking packages
|
||||||
|
community.general.pacman:
|
||||||
|
name:
|
||||||
|
- bind
|
||||||
|
- ddclient
|
||||||
|
- nginx
|
||||||
|
- certbot
|
||||||
|
- certbot-nginx
|
||||||
|
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Configure dynamic DNS
|
||||||
|
template:
|
||||||
|
src: ddclient.conf.j2
|
||||||
|
dest: /etc/ddclient/ddclient.conf
|
||||||
|
|
||||||
|
- name: Enable dynamic DNS service
|
||||||
|
service:
|
||||||
|
name: ddclient
|
||||||
|
enabled: yes
|
||||||
|
|
||||||
|
- name: Configure nameserver
|
||||||
|
template:
|
||||||
|
src: named/named.conf.j2
|
||||||
|
dest: /etc/named.conf
|
||||||
|
register: named_conf
|
||||||
|
|
||||||
|
- name: Add nameserver zone
|
||||||
|
template:
|
||||||
|
src: named/local_zone.j2
|
||||||
|
dest: "/var/named/{{ domain }}"
|
||||||
|
register: named_conf
|
||||||
|
|
||||||
|
- name: Enable nameserver service
|
||||||
|
service:
|
||||||
|
name: named
|
||||||
|
state: started
|
||||||
|
enabled: yes
|
||||||
|
when: named_conf.changed
|
||||||
|
|
||||||
|
- name: Configure nginx
|
||||||
|
template:
|
||||||
|
src: nginx.conf.j2
|
||||||
|
dest: /etc/nginx/nginx.conf
|
||||||
|
register: nginx_conf
|
||||||
|
|
||||||
|
- name: Enable nginx service
|
||||||
|
service:
|
||||||
|
name: nginx
|
||||||
|
state: restarted
|
||||||
|
enabled: yes
|
||||||
|
when: nginx_conf.changed
|
79
tasks/wiki.yml
Normal file
79
tasks/wiki.yml
Normal file
@ -0,0 +1,79 @@
|
|||||||
|
- name: Install wiki packages
|
||||||
|
community.general.pacman:
|
||||||
|
name:
|
||||||
|
- mediawiki
|
||||||
|
- php-fpm
|
||||||
|
- php-intl
|
||||||
|
- php-sqlite
|
||||||
|
- imagemagick
|
||||||
|
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Symlink wikis into web root
|
||||||
|
file:
|
||||||
|
src: /usr/share/webapps/mediawiki
|
||||||
|
dest: "{{ webroot }}/{{ item }}"
|
||||||
|
state: link
|
||||||
|
with_items: "{{ wiki_names }}"
|
||||||
|
|
||||||
|
- name: Deploy wiki-farm main configuration file
|
||||||
|
template:
|
||||||
|
src: mediawiki/LocalSettings.php.j2
|
||||||
|
dest: "{{ webroot }}/{{ wiki_names[0] }}/LocalSettings.php"
|
||||||
|
|
||||||
|
- name: Deploy configuration files for individual wikis
|
||||||
|
template:
|
||||||
|
src: "mediawiki/LocalSettings_{{ item.1 }}.php.j2"
|
||||||
|
dest: "{{ webroot }}/{{ wiki_names[0] }}/LocalSettings_{{ item.1 }}.php"
|
||||||
|
with_indexed_items: "{{ wiki_names }}"
|
||||||
|
|
||||||
|
- name: Copy wiki logo files
|
||||||
|
copy:
|
||||||
|
src: "{{ item }}"
|
||||||
|
dest: "{{ webroot }}/{{ wiki_names[0] }}/resources/assets/"
|
||||||
|
with_fileglob:
|
||||||
|
- mediawiki/logos/*.png
|
||||||
|
|
||||||
|
- name: Enable iconv extension
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/php/php.ini
|
||||||
|
regexp: "^;extension=iconv"
|
||||||
|
line: "extension=iconv"
|
||||||
|
register: php_config
|
||||||
|
|
||||||
|
- name: Enable intl extension
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/php/php.ini
|
||||||
|
regexp: "^;extension=intl"
|
||||||
|
line: "extension=intl"
|
||||||
|
register: php_config
|
||||||
|
|
||||||
|
- name: Enable sqlite3 extension
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/php/php.ini
|
||||||
|
regexp: "^;extension=sqlite3"
|
||||||
|
line: "extension=sqlite3"
|
||||||
|
register: php_config
|
||||||
|
|
||||||
|
- name: Enable pd_sqlite extension
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/php/php.ini
|
||||||
|
regexp: "^;extension=pdo_sqlite"
|
||||||
|
line: "extension=pdo_sqlite"
|
||||||
|
register: php_config
|
||||||
|
|
||||||
|
- name: Change systemd unit file to allow access to dataroot
|
||||||
|
lineinfile:
|
||||||
|
path: /usr/lib/systemd/system/php-fpm.service
|
||||||
|
insertafter: "^PrivateDevices.*"
|
||||||
|
regexp: "^ReadWritePaths.*"
|
||||||
|
line: "ReadWritePaths={{ dataroot }}/mediawiki/"
|
||||||
|
state: present
|
||||||
|
register: php_config
|
||||||
|
|
||||||
|
- name: Enable php service
|
||||||
|
service:
|
||||||
|
name: php-fpm
|
||||||
|
enabled: yes
|
||||||
|
state: restarted
|
||||||
|
when: php_config.changed
|
4
templates/.bash_profile.j2
Normal file
4
templates/.bash_profile.j2
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
# Automatically deploy dotfiles on login
|
||||||
|
|
||||||
|
~/dots/dotinstall.sh > /dev/null 2>&1
|
||||||
|
source ~/.profile
|
7
templates/ddclient.conf.j2
Normal file
7
templates/ddclient.conf.j2
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
protocol=dyndns2
|
||||||
|
use=web, web=https://ip.me
|
||||||
|
ssl=yes # yes = use https for updates
|
||||||
|
server=ipv4.nsupdate.info
|
||||||
|
login={{ domain }}
|
||||||
|
password='{{ ddclient_pass }}'
|
||||||
|
{{ domain }}
|
1261
templates/gitea_app.ini.j2
Normal file
1261
templates/gitea_app.ini.j2
Normal file
File diff suppressed because it is too large
Load Diff
108
templates/mediawiki/LocalSettings.php.j2
Normal file
108
templates/mediawiki/LocalSettings.php.j2
Normal file
@ -0,0 +1,108 @@
|
|||||||
|
<?php
|
||||||
|
if ( !defined( 'MEDIAWIKI' ) ) {
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
$callingurl = strtolower( $_SERVER['REQUEST_URI'] ); // get the calling url
|
||||||
|
if ( strpos( $callingurl, '/{{ wiki_names[0] }}' ) === 0 ) {
|
||||||
|
require_once 'LocalSettings_{{ wiki_names[0] }}.php';
|
||||||
|
}
|
||||||
|
{%- for extra_wiki in wiki_names[1:] %}
|
||||||
|
elseif ( strpos( $callingurl, '/{{ extra_wiki }}' ) === 0 ) {
|
||||||
|
require_once 'LocalSettings_{{ extra_wiki }}.php';
|
||||||
|
{% endfor %}
|
||||||
|
} else {
|
||||||
|
header( 'HTTP/1.1 404 Not Found' );
|
||||||
|
echo "This wiki (\"" . htmlspecialchars( $callingurl ) . "\") is not available. Check configuration.";
|
||||||
|
exit( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
$wgServer = "https://{{ domain }}";
|
||||||
|
|
||||||
|
$wgEnableEmail = false;
|
||||||
|
$wgEnableUserEmail = true; # UPO
|
||||||
|
|
||||||
|
$wgEmergencyContact = "apache@🌻.invalid";
|
||||||
|
$wgPasswordSender = "apache@🌻.invalid";
|
||||||
|
|
||||||
|
$wgEnotifUserTalk = false; # UPO
|
||||||
|
$wgEnotifWatchlist = false; # UPO
|
||||||
|
$wgEmailAuthentication = true;
|
||||||
|
|
||||||
|
$wgDBtype = "sqlite";
|
||||||
|
$wgDBserver = "";
|
||||||
|
$wgDBuser = "";
|
||||||
|
$wgDBpassword = "";
|
||||||
|
|
||||||
|
$wgSQLiteDataDir = "{{ dataroot }}/mediawiki";
|
||||||
|
$wgObjectCaches[CACHE_DB] = [
|
||||||
|
'class' => SqlBagOStuff::class,
|
||||||
|
'loggroup' => 'SQLBagOStuff',
|
||||||
|
'server' => [
|
||||||
|
'type' => 'sqlite',
|
||||||
|
'dbname' => 'wikicache',
|
||||||
|
'tablePrefix' => '',
|
||||||
|
'variables' => [ 'synchronous' => 'NORMAL' ],
|
||||||
|
'dbDirectory' => $wgSQLiteDataDir,
|
||||||
|
'trxMode' => 'IMMEDIATE',
|
||||||
|
'flags' => 0
|
||||||
|
]
|
||||||
|
];
|
||||||
|
$wgLocalisationCacheConf['storeServer'] = [
|
||||||
|
'type' => 'sqlite',
|
||||||
|
'dbname' => "{$wgDBname}_l10n_cache",
|
||||||
|
'tablePrefix' => '',
|
||||||
|
'variables' => [ 'synchronous' => 'NORMAL' ],
|
||||||
|
'dbDirectory' => $wgSQLiteDataDir,
|
||||||
|
'trxMode' => 'IMMEDIATE',
|
||||||
|
'flags' => 0
|
||||||
|
];
|
||||||
|
$wgJobTypeConf['default'] = [
|
||||||
|
'class' => 'JobQueueDB',
|
||||||
|
'claimTTL' => 3600,
|
||||||
|
'server' => [
|
||||||
|
'type' => 'sqlite',
|
||||||
|
'dbname' => "{$wgDBname}_jobqueue",
|
||||||
|
'tablePrefix' => '',
|
||||||
|
'variables' => [ 'synchronous' => 'NORMAL' ],
|
||||||
|
'dbDirectory' => $wgSQLiteDataDir,
|
||||||
|
'trxMode' => 'IMMEDIATE',
|
||||||
|
'flags' => 0
|
||||||
|
]
|
||||||
|
];
|
||||||
|
|
||||||
|
$wgSharedTables[] = "actor";
|
||||||
|
$wgMainCacheType = CACHE_NONE;
|
||||||
|
$wgMemCachedServers = [];
|
||||||
|
|
||||||
|
$wgEnableUploads = true;
|
||||||
|
$wgUseImageMagick = true;
|
||||||
|
$wgImageMagickConvertCommand = "/usr/bin/convert";
|
||||||
|
|
||||||
|
$wgUseInstantCommons = false;
|
||||||
|
|
||||||
|
$wgPingback = false;
|
||||||
|
|
||||||
|
$wgShellLocale = "C.UTF-8";
|
||||||
|
|
||||||
|
$wgLanguageCode = "en";
|
||||||
|
|
||||||
|
$wgLocaltimezone = "UTC";
|
||||||
|
|
||||||
|
$wgAuthenticationTokenVersion = "1";
|
||||||
|
|
||||||
|
$wgUpgradeKey = "{{ wgUpgradeKey }}";
|
||||||
|
|
||||||
|
$wgRightsPage = "";
|
||||||
|
$wgRightsUrl = "";
|
||||||
|
$wgRightsText = "";
|
||||||
|
$wgRightsIcon = "";
|
||||||
|
|
||||||
|
$wgDiff3 = "/usr/bin/diff3";
|
||||||
|
|
||||||
|
wfLoadSkin( 'MonoBook' );
|
||||||
|
wfLoadSkin( 'Timeless' );
|
||||||
|
wfLoadSkin( 'Vector' );
|
||||||
|
|
||||||
|
wfLoadExtension( 'WikiEditor' );
|
||||||
|
wfLoadExtension( 'Poem' );
|
21
templates/mediawiki/LocalSettings_rw.php.j2
Normal file
21
templates/mediawiki/LocalSettings_rw.php.j2
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
<?php
|
||||||
|
if ( !defined( 'MEDIAWIKI' ) ) {
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
$wgSitename = "Rockwell Wiki";
|
||||||
|
$wgMetaNamespace = "Rockwell_Wiki";
|
||||||
|
|
||||||
|
$wgScriptPath = "/rw";
|
||||||
|
$wgResourceBasePath = $wgScriptPath;
|
||||||
|
|
||||||
|
$wgLogos = [ '1x' => "$wgResourceBasePath/resources/assets/rw.png" ];
|
||||||
|
|
||||||
|
$wgDBname = "rw_wiki";
|
||||||
|
|
||||||
|
$wgSecretKey = "{{ wgSecretKey[item.0] }}";
|
||||||
|
|
||||||
|
$wgGroupPermissions['*']['createaccount'] = false;
|
||||||
|
$wgGroupPermissions['*']['edit'] = false;
|
||||||
|
$wgGroupPermissions['*']['read'] = false;
|
||||||
|
|
||||||
|
$wgDefaultSkin = "timeless";
|
23
templates/mediawiki/LocalSettings_wiki.php.j2
Normal file
23
templates/mediawiki/LocalSettings_wiki.php.j2
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
if ( !defined( 'MEDIAWIKI' ) ) {
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
$wgSitename = "Bepp Wiki";
|
||||||
|
$wgMetaNamespace = "Bepp_Wiki";
|
||||||
|
|
||||||
|
$wgScriptPath = "/wiki";
|
||||||
|
$wgResourceBasePath = $wgScriptPath;
|
||||||
|
|
||||||
|
$wgLogos = [ '1x' => "$wgResourceBasePath/resources/assets/bepp.png" ];
|
||||||
|
|
||||||
|
$wgDBname = "bepp_wiki";
|
||||||
|
|
||||||
|
$wgSecretKey = "{{ wgSecretKey[item.0] }}";
|
||||||
|
|
||||||
|
$wgGroupPermissions['*']['createaccount'] = false;
|
||||||
|
$wgGroupPermissions['*']['edit'] = false;
|
||||||
|
$wgGroupPermissions['*']['read'] = false;
|
||||||
|
|
||||||
|
$wgDefaultSkin = "vector";
|
5
templates/motd.j2
Normal file
5
templates/motd.j2
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
|
||||||
|
[1;37;40m{{ ansible_hostname }}
|
||||||
|
|
||||||
|
[7;39;40mAll unauthorised access to this device is prohibited.
|
||||||
|
[0;39;40m
|
13
templates/named/local_zone.j2
Normal file
13
templates/named/local_zone.j2
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
$TTL 604800
|
||||||
|
@ IN SOA {{ domain }}. {{ email }}. (
|
||||||
|
3 ; Serial
|
||||||
|
604800 ; Refresh
|
||||||
|
86400 ; Retry
|
||||||
|
2419200 ; Expire
|
||||||
|
604800 ) ; Negative Cache TTL
|
||||||
|
;
|
||||||
|
ns IN A {{ local_ip }}
|
||||||
|
@ IN NS localhost.
|
||||||
|
@ IN A {{ local_ip }}
|
||||||
|
@ IN AAAA ::1
|
||||||
|
{{ domain }} IN A {{ local_ip }}
|
45
templates/named/named.conf.j2
Normal file
45
templates/named/named.conf.j2
Normal file
@ -0,0 +1,45 @@
|
|||||||
|
// vim:set ts=4 sw=4 et:
|
||||||
|
|
||||||
|
acl internals { 127.0.0.0/8; {{ local_subnet }}; };
|
||||||
|
|
||||||
|
options {
|
||||||
|
directory "/var/named";
|
||||||
|
pid-file "/run/named/named.pid";
|
||||||
|
forwarders { {{ dns_forward }}; };
|
||||||
|
|
||||||
|
// Uncomment these to enable IPv6 connections support
|
||||||
|
// IPv4 will still work:
|
||||||
|
// listen-on-v6 { any; };
|
||||||
|
// Add this for no IPv4:
|
||||||
|
// listen-on { none; };
|
||||||
|
|
||||||
|
recursion yes;
|
||||||
|
allow-query { internals; };
|
||||||
|
allow-transfer { none; };
|
||||||
|
dnssec-validation auto;
|
||||||
|
allow-update { none; };
|
||||||
|
version none;
|
||||||
|
hostname none;
|
||||||
|
server-id none;
|
||||||
|
};
|
||||||
|
|
||||||
|
zone "localhost" IN {
|
||||||
|
type master;
|
||||||
|
file "localhost.zone";
|
||||||
|
};
|
||||||
|
|
||||||
|
zone "0.0.127.in-addr.arpa" IN {
|
||||||
|
type master;
|
||||||
|
file "127.0.0.zone";
|
||||||
|
};
|
||||||
|
|
||||||
|
zone "{{ domain }}" {
|
||||||
|
type master;
|
||||||
|
file "/var/named/{{ domain }}";
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
|
||||||
|
type master;
|
||||||
|
file "localhost.ip6.zone";
|
||||||
|
};
|
91
templates/nginx.conf.j2
Normal file
91
templates/nginx.conf.j2
Normal file
@ -0,0 +1,91 @@
|
|||||||
|
worker_processes 1;
|
||||||
|
|
||||||
|
events {
|
||||||
|
worker_connections 1024;
|
||||||
|
}
|
||||||
|
|
||||||
|
http { include mime.types;
|
||||||
|
|
||||||
|
disable_symlinks off;
|
||||||
|
|
||||||
|
default_type application/octet-stream;
|
||||||
|
sendfile on;
|
||||||
|
keepalive_timeout 65;
|
||||||
|
types_hash_max_size 4096;
|
||||||
|
root {{ webroot }}/;
|
||||||
|
|
||||||
|
server {
|
||||||
|
if ($host = {{ domain }}) {
|
||||||
|
return 301 https://$host$request_uri;
|
||||||
|
} # managed by Certbot
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
|
||||||
|
ssl_certificate /etc/letsencrypt/certs/fullchain_{{ domain }}.crt;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/keys/{{ domain }}.key;
|
||||||
|
|
||||||
|
ssl_session_cache shared:SSL:1m;
|
||||||
|
ssl_session_timeout 5m;
|
||||||
|
|
||||||
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
|
listen 443 ssl http2;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
|
listen 8448 ssl http2 default_server;
|
||||||
|
listen [::]:8448 ssl http2 default_server;
|
||||||
|
|
||||||
|
server_name {{ domain }};
|
||||||
|
|
||||||
|
location ~* ^(\/_matrix|\/_synapse\/client) {
|
||||||
|
proxy_pass http://localhost:8008;
|
||||||
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
|
||||||
|
client_max_body_size 50M;
|
||||||
|
}
|
||||||
|
|
||||||
|
location = / {
|
||||||
|
return 301 https://{{ domain }}/site/index.html;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /site {
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /wiki {
|
||||||
|
index index.php;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /rw {
|
||||||
|
index index.php;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /git/ {
|
||||||
|
proxy_pass http://localhost:3000/ ;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ \.php$ {
|
||||||
|
# 404
|
||||||
|
try_files $fastcgi_script_name =404;
|
||||||
|
|
||||||
|
# default fastcgi_params
|
||||||
|
include fastcgi_params;
|
||||||
|
|
||||||
|
# fastcgi settings
|
||||||
|
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
|
||||||
|
fastcgi_index index.php;
|
||||||
|
fastcgi_buffers 8 16k;
|
||||||
|
fastcgi_buffer_size 32k;
|
||||||
|
|
||||||
|
# fastcgi params
|
||||||
|
fastcgi_param DOCUMENT_ROOT $realpath_root;
|
||||||
|
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
|
||||||
|
#fastcgi_param PHP_ADMIN_VALUE "open_basedir=$base/:/usr/lib/php/:/tmp/";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
17
templates/nginx_bare.conf.j2
Normal file
17
templates/nginx_bare.conf.j2
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
# Do not use this configuration once setup is finished.
|
||||||
|
# It is only intended for getting a Let's Encrypt cert, allowing the main config to work.
|
||||||
|
|
||||||
|
events {
|
||||||
|
worker_connections 1024;
|
||||||
|
}
|
||||||
|
|
||||||
|
http {
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name {{ domain }};
|
||||||
|
root {{ webroot }}/;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
2750
templates/synapse/homeserver.yaml.j2
Normal file
2750
templates/synapse/homeserver.yaml.j2
Normal file
File diff suppressed because it is too large
Load Diff
71
templates/synapse/log.config.j2
Normal file
71
templates/synapse/log.config.j2
Normal file
@ -0,0 +1,71 @@
|
|||||||
|
# Log configuration for Synapse.
|
||||||
|
#
|
||||||
|
# This is a YAML file containing a standard Python logging configuration
|
||||||
|
# dictionary. See [1] for details on the valid settings.
|
||||||
|
#
|
||||||
|
# Synapse also supports structured logging for machine readable logs which can
|
||||||
|
# be ingested by ELK stacks. See [2] for details.
|
||||||
|
#
|
||||||
|
# [1]: https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
|
||||||
|
# [2]: https://matrix-org.github.io/synapse/latest/structured_logging.html
|
||||||
|
|
||||||
|
version: 1
|
||||||
|
|
||||||
|
formatters:
|
||||||
|
precise:
|
||||||
|
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
|
||||||
|
|
||||||
|
handlers:
|
||||||
|
file:
|
||||||
|
class: logging.handlers.TimedRotatingFileHandler
|
||||||
|
formatter: precise
|
||||||
|
filename: /var/log/synapse/homeserver.log
|
||||||
|
when: midnight
|
||||||
|
backupCount: 3 # Does not include the current log file.
|
||||||
|
encoding: utf8
|
||||||
|
|
||||||
|
# Default to buffering writes to log file for efficiency. This means that
|
||||||
|
# will be a delay for INFO/DEBUG logs to get written, but WARNING/ERROR
|
||||||
|
# logs will still be flushed immediately.
|
||||||
|
buffer:
|
||||||
|
class: logging.handlers.MemoryHandler
|
||||||
|
target: file
|
||||||
|
# The capacity is the number of log lines that are buffered before
|
||||||
|
# being written to disk. Increasing this will lead to better
|
||||||
|
# performance, at the expensive of it taking longer for log lines to
|
||||||
|
# be written to disk.
|
||||||
|
capacity: 10
|
||||||
|
flushLevel: 30 # Flush for WARNING logs as well
|
||||||
|
|
||||||
|
# A handler that writes logs to stderr. Unused by default, but can be used
|
||||||
|
# instead of "buffer" and "file" in the logger handlers.
|
||||||
|
console:
|
||||||
|
class: logging.StreamHandler
|
||||||
|
formatter: precise
|
||||||
|
|
||||||
|
loggers:
|
||||||
|
synapse.storage.SQL:
|
||||||
|
# beware: increasing this to DEBUG will make synapse log sensitive
|
||||||
|
# information such as access tokens.
|
||||||
|
level: INFO
|
||||||
|
|
||||||
|
twisted:
|
||||||
|
# We send the twisted logging directly to the file handler,
|
||||||
|
# to work around https://github.com/matrix-org/synapse/issues/3471
|
||||||
|
# when using "buffer" logger. Use "console" to log to stderr instead.
|
||||||
|
handlers: [file]
|
||||||
|
propagate: false
|
||||||
|
|
||||||
|
root:
|
||||||
|
level: INFO
|
||||||
|
|
||||||
|
# Write logs to the `buffer` handler, which will buffer them together in memory,
|
||||||
|
# then write them to a file.
|
||||||
|
#
|
||||||
|
# Replace "buffer" with "console" to log to stderr instead. (Note that you'll
|
||||||
|
# also need to update the configuration for the `twisted` logger above, in
|
||||||
|
# this case.)
|
||||||
|
#
|
||||||
|
handlers: [buffer]
|
||||||
|
|
||||||
|
disable_existing_loggers: false
|
Reference in New Issue
Block a user