Warezjoe/ansible_uni_deploy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Refactor: Organize Ansible project structure

Browse Source 
- Reorganized Ansible project structure to follow best practices.
- Created dedicated directories: , , , , and .
- Categorized playbooks into  (host-specific) and  (service-specific).
- Moved all roles into the  directory and standardized their naming conventions.
- Relocated  to  for better variable management.
- Renamed  to  to reflect its global variable scope.
- Created  to correctly set the  to the new  directory.
- Moved  and  into the  directory.
- Added  to  providing explanations for common commands.
- Cleaned up  directories from all individual roles to centralize version control.
This commit is contained in:
warezjoe
2026-01-26 11:54:00 +01:00
parent 25fa9eaf25
commit 5bbc551106
177 changed files with 4162 additions and 77 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
roles/create_user/.travis.yml Normal file
View File

@@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

38
roles/create_user/README.md Normal file
View File

@@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

8
roles/create_user/defaults/main.yml Normal file
View File

@@ -0,0 +1,8 @@
---
# defaults file for create_user
primary_group: "{{ user }}"
secondary_groups: ''
password: ''
shell: "/bin/bash"
home: "/home/{{ user }}"
create_home: "{{ 'false' if (home == '/nonexistent') else 'true'}}"

2
roles/create_user/handlers/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
# handlers file for create_user

52
roles/create_user/meta/main.yml Normal file
View File

@@ -0,0 +1,52 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

48
roles/create_user/tasks/main.yml Normal file
View File

@@ -0,0 +1,48 @@
---
# tasks file for create_user
- name: Adding group
ansible.builtin.group:
name: "{{ primary_group }}"
gid: "{{ gid }}"
state: present
when: gid != 65534
- name: Adding user
ansible.builtin.user:
name: "{{ user }}"
group: "{{ primary_group }}"
uid: "{{ uid }}"
shell: "{{ shell }}"
groups: "{{ secondary_groups }}"
home: "{{ home }}"
password: "{{ password }}"
create_home: "{{ create_home }}"
- name: Dowload ssh key
ansible.builtin.uri:
url: "{{ user_ssh_key_url }}"
method: GET
return_content: true
register: ssh_key
when: user_ssh_key_url is defined
- name: Setting ssh key
ansible.builtin.blockinfile:
state: present
owner: "{{ user }}"
group: "{{ primary_group }}"
insertafter: EOF
path: /home/{{ user }}/.ssh/authorized_keys
mode: '0644'
create: true
block: |
{{ ssh_key.content }}
when: user_ssh_key_url is defined
- name: Set permissions to .ssh folder
ansible.builtin.file:
path: /home/{{ user }}/.ssh
owner: "{{ user }}"
group: "{{ primary_group }}"
mode: '0711'
when: user_ssh_key_url is defined

2
roles/create_user/tests/inventory Normal file
View File

@@ -0,0 +1,2 @@
localhost

5
roles/create_user/tests/test.yml Normal file
View File

@@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- create_user

2
roles/create_user/vars/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
# vars file for create_user

29
roles/create_zfs_dataset/.travis.yml Normal file
View File

@@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

38
roles/create_zfs_dataset/README.md Normal file
View File

@@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

6
roles/create_zfs_dataset/defaults/main.yml Normal file
View File

@@ -0,0 +1,6 @@
---
# defaults file for create_zfs_dataset
zfs_dataset_size: 10M
zfs_dataset_mountpoint: "/{{ zfs_pool_name }}/{{ zfs_dataset_name }}"
zfs_dataset_user: root
zfs_dataset_group: root

2
roles/create_zfs_dataset/handlers/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
# handlers file for create_zfs_dataset

52
roles/create_zfs_dataset/meta/main.yml Normal file
View File

@@ -0,0 +1,52 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

16
roles/create_zfs_dataset/tasks/main.yml Normal file
View File

@@ -0,0 +1,16 @@
---
# tasks file for create_zfs_dataset
- name: Create zfs dataset
community.general.zfs:
name: "{{ zfs_pool_name }}/{{ zfs_dataset_name }}"
state: present
extra_zfs_properties:
quota: "{{ zfs_dataset_size }}"
mountpoint: "{{ zfs_dataset_mountpoint }}"
- name: Dir Ownershipt to {{ user }}
ansible.builtin.file:
path: "{{ zfs_dataset_mountpoint }}"
owner: "{{ zfs_dataset_user }}"
group: "{{ zfs_dataset_group }}"
mode: '0731'

2
roles/create_zfs_dataset/tests/inventory Normal file
View File

@@ -0,0 +1,2 @@
localhost

5
roles/create_zfs_dataset/tests/test.yml Normal file
View File

@@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- create_zfs_dataset

2
roles/create_zfs_dataset/vars/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
# vars file for create_zfs_dataset

4
roles/docker/.ansible-lint Normal file
View File

@@ -0,0 +1,4 @@
skip_list:
- 'yaml'
- 'risky-shell-pipe'
- 'role-name'

11
roles/docker/.yamllint Normal file
View File

@@ -0,0 +1,11 @@
---
extends: default
rules:
line-length:
max: 200
level: warning
ignore: |
.github/stale.yml
.travis.yml

20
roles/docker/LICENSE Normal file
View File

@@ -0,0 +1,20 @@
The MIT License (MIT)
Copyright (c) 2017 Jeff Geerling
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

128
roles/docker/README.md Normal file
View File

@@ -0,0 +1,128 @@
# Ansible Role: Docker
[![CI](https://github.com/geerlingguy/ansible-role-docker/workflows/CI/badge.svg?event=push)](https://github.com/geerlingguy/ansible-role-docker/actions?query=workflow%3ACI)
An Ansible Role that installs [Docker](https://www.docker.com) on Linux.
## Requirements
None.
## Role Variables
Available variables are listed below, along with default values (see `defaults/main.yml`):
# Edition can be one of: 'ce' (Community Edition) or 'ee' (Enterprise Edition).
docker_edition: 'ce'
docker_packages:
- "docker-{{ docker_edition }}"
- "docker-{{ docker_edition }}-cli"
- "docker-{{ docker_edition }}-rootless-extras"
docker_packages_state: present
The `docker_edition` should be either `ce` (Community Edition) or `ee` (Enterprise Edition).
You can also specify a specific version of Docker to install using the distribution-specific format:
Red Hat/CentOS: `docker-{{ docker_edition }}-<VERSION>` (Note: you have to add this to all packages);
Debian/Ubuntu: `docker-{{ docker_edition }}=<VERSION>` (Note: you have to add this to all packages).
You can control whether the package is installed, uninstalled, or at the latest version by setting `docker_package_state` to `present`, `absent`, or `latest`, respectively. Note that the Docker daemon will be automatically restarted if the Docker package is updated. This is a side effect of flushing all handlers (running any of the handlers that have been notified by this and any other role up to this point in the play).
docker_service_manage: true
docker_service_state: started
docker_service_enabled: true
docker_restart_handler_state: restarted
Variables to control the state of the `docker` service, and whether it should start on boot. If you're installing Docker inside a Docker container without systemd or sysvinit, you should set `docker_service_manage` to `false`.
docker_install_compose_plugin: false
docker_compose_package: docker-compose-plugin
docker_compose_package_state: present
Docker Compose Plugin installation options. These differ from the below in that docker-compose is installed as a docker plugin (and used with `docker compose`) instead of a standalone binary.
docker_install_compose: true
docker_compose_version: "1.26.0"
docker_compose_arch: "{{ ansible_architecture }}"
docker_compose_path: /usr/local/bin/docker-compose
Docker Compose installation options.
docker_repo_url: https://download.docker.com/linux
The main Docker repo URL, common between Debian and RHEL systems.
docker_apt_release_channel: stable
docker_apt_arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
docker_apt_repository: "deb [arch={{ docker_apt_arch }}] {{ docker_repo_url }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} {{ docker_apt_release_channel }}"
docker_apt_ignore_key_error: True
docker_apt_gpg_key: "{{ docker_repo_url }}/{{ ansible_distribution | lower }}/gpg"
(Used only for Debian/Ubuntu.) You can switch the channel to `nightly` if you want to use the Nightly release.
You can change `docker_apt_gpg_key` to a different url if you are behind a firewall or provide a trustworthy mirror.
Usually in combination with changing `docker_apt_repository` as well.
docker_yum_repo_url: "{{ docker_repo_url }}/{{ (ansible_distribution == 'Fedora') | ternary('fedora','centos') }}/docker-{{ docker_edition }}.repo"docker_edition }}.repo
docker_yum_repo_enable_nightly: '0'
docker_yum_repo_enable_test: '0'
docker_yum_gpg_key: "{{ docker_repo_url }}/centos/gpg"
(Used only for RedHat/CentOS.) You can enable the Nightly or Test repo by setting the respective vars to `1`.
You can change `docker_yum_gpg_key` to a different url if you are behind a firewall or provide a trustworthy mirror.
Usually in combination with changing `docker_yum_repository` as well.
docker_users:
- user1
- user2
A list of system users to be added to the `docker` group (so they can use Docker on the server).
docker_daemon_options:
storage-driver: "devicemapper"
log-opts:
max-size: "100m"
Custom `dockerd` options can be configured through this dictionary representing the json file `/etc/docker/daemon.json`.
## Use with Ansible (and `docker` Python library)
Many users of this role wish to also use Ansible to then _build_ Docker images and manage Docker containers on the server where Docker is installed. In this case, you can easily add in the `docker` Python library using the `geerlingguy.pip` role:
```yaml
- hosts: all
vars:
pip_install_packages:
- name: docker
roles:
- geerlingguy.pip
- geerlingguy.docker
```
## Dependencies
None.
## Example Playbook
```yaml
- hosts: all
roles:
- geerlingguy.docker
```
## License
MIT / BSD
## Sponsors
* [We Manage](https://we-manage.de): Helping start-ups and grown-ups scaling their infrastructure in a sustainable way.
The above sponsor(s) are supporting Jeff Geerling on [GitHub Sponsors](https://github.com/sponsors/geerlingguy). You can sponsor Jeff's work too, to help him continue improving these Ansible open source projects!
## Author Information
This role was created in 2017 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).

49
roles/docker/defaults/main.yml Normal file
View File

@@ -0,0 +1,49 @@
---
# Edition can be one of: 'ce' (Community Edition) or 'ee' (Enterprise Edition).
docker_edition: 'ce'
docker_packages:
- "docker-{{ docker_edition }}"
- "docker-{{ docker_edition }}-cli"
- "docker-{{ docker_edition }}-rootless-extras"
- "containerd.io"
docker_packages_state: present
# Service options.
docker_service_manage: true
docker_service_state: started
docker_service_enabled: true
docker_restart_handler_state: restarted
# Docker Compose Plugin options.
docker_install_compose_plugin: false
docker_compose_package: docker-compose-plugin
docker_compose_package_state: present
# Docker Compose options.
docker_install_compose: true
docker_compose_version: "v2.11.1"
docker_compose_arch: "{{ ansible_architecture }}"
docker_compose_url: "https://github.com/docker/compose/releases/download/{{ docker_compose_version }}/docker-compose-linux-{{ docker_compose_arch }}"
docker_compose_path: /usr/local/bin/docker-compose
# Docker repo URL.
docker_repo_url: https://download.docker.com/linux
# Used only for Debian/Ubuntu. Switch 'stable' to 'nightly' if needed.
docker_apt_release_channel: stable
docker_apt_arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
docker_apt_repository: "deb [arch={{ docker_apt_arch }}] {{ docker_repo_url }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} {{ docker_apt_release_channel }}"
docker_apt_ignore_key_error: true
docker_apt_gpg_key: "{{ docker_repo_url }}/{{ ansible_distribution | lower }}/gpg"
# Used only for RedHat/CentOS/Fedora.
docker_yum_repo_url: "{{ docker_repo_url }}/{{ (ansible_distribution == 'Fedora') | ternary('fedora','centos') }}/docker-{{ docker_edition }}.repo"
docker_yum_repo_enable_nightly: '0'
docker_yum_repo_enable_test: '0'
docker_yum_gpg_key: "{{ docker_repo_url }}/centos/gpg"
# A list of users who will be added to the docker group.
docker_users: []
# Docker daemon options as a dict
docker_daemon_options: {}

7
roles/docker/handlers/main.yml Normal file
View File

@@ -0,0 +1,7 @@
---
- name: restart docker
service:
name: docker
state: "{{ docker_restart_handler_state }}"
ignore_errors: "{{ ansible_check_mode }}"
when: docker_service_manage | bool

41
roles/docker/meta/main.yml Normal file
View File

@@ -0,0 +1,41 @@
---
dependencies: []
galaxy_info:
role_name: docker
author: geerlingguy
description: Docker for Linux.
company: "Midwestern Mac, LLC"
license: "license (BSD, MIT)"
min_ansible_version: 2.4
platforms:
- name: EL
versions:
- 7
- 8
- name: Fedora
versions:
- all
- name: Debian
versions:
- buster
- bullseye
- name: Ubuntu
versions:
- bionic
- focal
- jammy
- name: Alpine
version:
- all
- name: ArchLinux
versions:
- all
galaxy_tags:
- web
- system
- containers
- docker
- orchestration
- compose
- server

24
roles/docker/molecule/default/converge.yml Normal file
View File

@@ -0,0 +1,24 @@
---
- name: Converge
hosts: all
become: true
pre_tasks:
- name: Update apt cache.
apt: update_cache=yes cache_valid_time=600
when: ansible_os_family == 'Debian'
- name: Wait for systemd to complete initialization. # noqa 303
command: systemctl is-system-running
register: systemctl_status
until: >
'running' in systemctl_status.stdout or
'degraded' in systemctl_status.stdout
retries: 30
delay: 5
when: ansible_service_mgr == 'systemd'
changed_when: false
failed_when: systemctl_status.rc > 1
roles:
- role: geerlingguy.docker

19
roles/docker/molecule/default/molecule.yml Normal file
View File

@@ -0,0 +1,19 @@
---
role_name_check: 1
dependency:
name: galaxy
driver:
name: docker
platforms:
- name: instance
image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-""}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
cgroupns_mode: host
privileged: true
pre_build_image: true
provisioner:
name: ansible
playbooks:
converge: ${MOLECULE_PLAYBOOK:-converge.yml}

31
roles/docker/tasks/docker-compose.yml Normal file
View File

@@ -0,0 +1,31 @@
---
- name: Check current docker-compose version.
command: "{{ docker_compose_path }} --version"
register: docker_compose_vsn
check_mode: false
changed_when: false
failed_when: false
- set_fact:
docker_compose_current_version: "{{ docker_compose_vsn.stdout | regex_search('(\\d+(\\.\\d+)+)') }}"
when: >
docker_compose_vsn.stdout is defined
and (docker_compose_vsn.stdout | length > 0)
- name: Delete existing docker-compose version if it's different.
file:
path: "{{ docker_compose_path }}"
state: absent
when: >
docker_compose_current_version is defined
and (docker_compose_version | regex_replace('v', '')) not in docker_compose_current_version
- name: Install Docker Compose (if configured).
get_url:
url: "{{ docker_compose_url }}"
dest: "{{ docker_compose_path }}"
mode: 0755
when: >
(docker_compose_current_version is not defined)
or (docker_compose_current_version | length == 0)
or (docker_compose_current_version is version((docker_compose_version | regex_replace('v', '')), '<'))

10
roles/docker/tasks/docker-users.yml Normal file
View File

@@ -0,0 +1,10 @@
---
- name: Ensure docker users are added to the docker group.
user:
name: "{{ item }}"
groups: docker
append: true
with_items: "{{ docker_users }}"
- name: Reset ssh connection to apply user changes.
meta: reset_connection

117
roles/docker/tasks/main.yml Normal file
View File

@@ -0,0 +1,117 @@
---
- name: Load OS-specific vars.
include_vars: "{{ lookup('first_found', params) }}"
vars:
params:
files:
- '{{ansible_distribution}}.yml'
- '{{ansible_os_family}}.yml'
- main.yml
paths:
- 'vars'
- include_tasks: setup-RedHat.yml
when: ansible_os_family == 'RedHat'
- include_tasks: setup-Debian.yml
when: ansible_os_family == 'Debian'
- name: Install Docker packages.
package:
name: "{{ docker_packages }}"
state: "{{ docker_packages_state }}"
notify: restart docker
ignore_errors: "{{ ansible_check_mode }}"
when: "ansible_version.full is version_compare('2.12', '<') or ansible_os_family not in ['RedHat', 'Debian']"
- name: Install Docker packages (with downgrade option).
package:
name: "{{ docker_packages }}"
state: "{{ docker_packages_state }}"
allow_downgrade: true
notify: restart docker
ignore_errors: "{{ ansible_check_mode }}"
when: "ansible_version.full is version_compare('2.12', '>=') and ansible_os_family in ['RedHat', 'Debian']"
- name: Install docker-compose plugin.
package:
name: "{{ docker_compose_package }}"
state: "{{ docker_compose_package_state }}"
notify: restart docker
ignore_errors: "{{ ansible_check_mode }}"
when: "docker_install_compose_plugin | bool == true and (ansible_version.full is version_compare('2.12', '<') or ansible_os_family not in ['RedHat', 'Debian'])"
- name: Install docker-compose-plugin (with downgrade option).
package:
name: "{{ docker_compose_package }}"
state: "{{ docker_compose_package_state }}"
allow_downgrade: true
notify: restart docker
ignore_errors: "{{ ansible_check_mode }}"
when: "docker_install_compose_plugin | bool == true and ansible_version.full is version_compare('2.12', '>=') and ansible_os_family in ['RedHat', 'Debian']"
- name: Ensure /etc/docker/ directory exists.
file:
path: /etc/docker
state: directory
mode: 0755
when: docker_daemon_options.keys() | length > 0
- name: Configure Docker daemon options.
copy:
content: "{{ docker_daemon_options | to_nice_json }}"
dest: /etc/docker/daemon.json
mode: 0644
when: docker_daemon_options.keys() | length > 0
notify: restart docker
- name: Ensure Docker is started and enabled at boot.
service:
name: docker
state: "{{ docker_service_state }}"
enabled: "{{ docker_service_enabled }}"
ignore_errors: "{{ ansible_check_mode }}"
when: docker_service_manage | bool
- name: Ensure handlers are notified now to avoid firewall conflicts.
meta: flush_handlers
- include_tasks: docker-compose.yml
when: docker_install_compose | bool
- name: Get docker group info using getent.
getent:
database: group
key: docker
split: ':'
when: docker_users | length > 0
- name: Check if there are any users to add to the docker group.
set_fact:
at_least_one_user_to_modify: true
when:
- docker_users | length > 0
- item not in ansible_facts.getent_group["docker"][2]
with_items: "{{ docker_users }}"
- include_tasks: docker-users.yml
when: at_least_one_user_to_modify is defined
- name: Install docker python package
ansible.builtin.pip:
name: docker
extra_args: "--break-system-packages"
- name: Install a promtail plugin
community.docker.docker_plugin:
plugin_name: grafana/loki-docker-driver:latest
state: present
alias: loki
- name: Enable a promtail plugin
community.docker.docker_plugin:
plugin_name: grafana/loki-docker-driver:latest
state: enable
alias: loki
notify: restart docker

50
roles/docker/tasks/setup-Debian.yml Normal file
View File

@@ -0,0 +1,50 @@
---
- name: Ensure old versions of Docker are not installed.
package:
name:
- docker
- docker-engine
state: absent
- name: Ensure dependencies are installed.
apt:
name:
- apt-transport-https
- ca-certificates
state: present
- name: Ensure additional dependencies are installed (on Ubuntu < 20.04 and any other systems).
apt:
name: gnupg2
state: present
when: ansible_distribution != 'Ubuntu' or ansible_distribution_version is version('20.04', '<')
- name: Ensure additional dependencies are installed (on Ubuntu >= 20.04).
apt:
name: gnupg
state: present
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '>=')
- name: Add Docker apt key.
ansible.builtin.get_url:
url: "{{ docker_apt_gpg_key }}"
dest: /etc/apt/trusted.gpg.d/docker.asc
mode: '0644'
force: true
register: add_repository_key
ignore_errors: "{{ docker_apt_ignore_key_error }}"
- name: Ensure curl is present (on older systems without SNI).
package: name=curl state=present
when: add_repository_key is failed
- name: Add Docker apt key (alternative for older systems without SNI).
shell: >
curl -sSL {{ docker_apt_gpg_key }} | apt-key add -
when: add_repository_key is failed
- name: Add Docker repository.
apt_repository:
repo: "{{ docker_apt_repository }}"
state: present
update_cache: true

52
roles/docker/tasks/setup-RedHat.yml Normal file
View File

@@ -0,0 +1,52 @@
---
- name: Ensure old versions of Docker are not installed.
package:
name:
- docker
- docker-common
- docker-engine
state: absent
- name: Add Docker GPG key.
rpm_key:
key: "{{ docker_yum_gpg_key }}"
state: present
- name: Add Docker repository.
get_url:
url: "{{ docker_yum_repo_url }}"
dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo'
owner: root
group: root
mode: 0644
- name: Configure Docker Nightly repo.
ini_file:
dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo'
section: 'docker-{{ docker_edition }}-nightly'
option: enabled
value: '{{ docker_yum_repo_enable_nightly }}'
mode: 0644
no_extra_spaces: true
- name: Configure Docker Test repo.
ini_file:
dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo'
section: 'docker-{{ docker_edition }}-test'
option: enabled
value: '{{ docker_yum_repo_enable_test }}'
mode: 0644
no_extra_spaces: true
- name: Configure containerd on RHEL 8.
block:
- name: Ensure container-selinux is installed.
package:
name: container-selinux
state: present
- name: Ensure containerd.io is installed.
package:
name: containerd.io
state: present
when: ansible_distribution_major_version | int == 8

2
roles/docker/vars/Alpine.yml Executable file
View File

@@ -0,0 +1,2 @@
---
docker_packages: "docker"

2
roles/docker/vars/Archlinux.yml Normal file
View File

@@ -0,0 +1,2 @@
---
docker_packages: "docker"

2
roles/docker/vars/main.yml Executable file
View File

@@ -0,0 +1,2 @@
---
# Empty file

29
roles/docker_spin_up/.travis.yml Normal file
View File

@@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

38
roles/docker_spin_up/README.md Normal file
View File

@@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

3
roles/docker_spin_up/defaults/main.yml Normal file
View File

@@ -0,0 +1,3 @@
---
# defaults file for docker_spin_up
docker_homepath: "/{{ zfs_pool_name }}/{{ docker_name }}"

661
roles/docker_spin_up/files/mailserver.env Normal file
View File

@@ -0,0 +1,661 @@
# -----------------------------------------------
# --- Mailserver Environment Variables ----------
# -----------------------------------------------
# DOCUMENTATION FOR THESE VARIABLES IS FOUND UNDER
# https://docker-mailserver.github.io/docker-mailserver/latest/config/environment/
# -----------------------------------------------
# --- General Section ---------------------------
# -----------------------------------------------
# empty => uses the `hostname` command to get the mail server's canonical hostname
# => Specify a fully-qualified domainname to serve mail for. This is used for many of the config features so if you can't set your hostname (e.g. you're in a container platform that doesn't let you) specify it in this environment variable.
OVERRIDE_HOSTNAME=
# REMOVED in version v11.0.0! Use LOG_LEVEL instead.
DMS_DEBUG=0
# Set the log level for DMS.
# This is mostly relevant for container startup scripts and change detection event feedback.
#
# Valid values (in order of increasing verbosity) are: `error`, `warn`, `info`, `debug` and `trace`.
# The default log level is `info`.
LOG_LEVEL=info
# critical => Only show critical messages
# error => Only show erroneous output
# **warn** => Show warnings
# info => Normal informational output
# debug => Also show debug messages
SUPERVISOR_LOGLEVEL=
# Support for deployment where these defaults are not compatible (eg: some NAS appliances):
# /var/mail vmail User ID (default: 5000)
DMS_VMAIL_UID=
# /var/mail vmail Group ID (default: 5000)
DMS_VMAIL_GID=
# **empty** => use FILE
# LDAP => use LDAP authentication
# OIDC => use OIDC authentication (not yet implemented)
# FILE => use local files (this is used as the default)
ACCOUNT_PROVISIONER=
# empty => postmaster@domain.com
# => Specify the postmaster address
POSTMASTER_ADDRESS=
# Check for updates on container start and then once a day
# If an update is available, a mail is sent to POSTMASTER_ADDRESS
# 0 => Update check disabled
# 1 => Update check enabled
ENABLE_UPDATE_CHECK=1
# Customize the update check interval.
# Number + Suffix. Suffix must be 's' for seconds, 'm' for minutes, 'h' for hours or 'd' for days.
UPDATE_CHECK_INTERVAL=1d
# Set different options for mynetworks option (can be overwrite in postfix-main.cf)
# **WARNING**: Adding the docker network's gateway to the list of trusted hosts, e.g. using the `network` or
# `connected-networks` option, can create an open relay
# https://github.com/docker-mailserver/docker-mailserver/issues/1405#issuecomment-590106498
# The same can happen for rootless podman. To prevent this, set the value to "none" or configure slirp4netns
# https://github.com/docker-mailserver/docker-mailserver/issues/2377
#
# none => Explicitly force authentication
# container => Container IP address only
# host => Add docker container network (ipv4 only)
# network => Add all docker container networks (ipv4 only)
# connected-networks => Add all connected docker networks (ipv4 only)
PERMIT_DOCKER=none
# Set the timezone. If this variable is unset, the container runtime will try to detect the time using
# `/etc/localtime`, which you can alternatively mount into the container. The value of this variable
# must follow the pattern `AREA/ZONE`, i.e. of you want to use Germany's time zone, use `Europe/Berlin`.
# You can lookup all available timezones here: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
TZ=
# In case you network interface differs from 'eth0', e.g. when you are using HostNetworking in Kubernetes,
# you can set NETWORK_INTERFACE to whatever interface you want. This interface will then be used.
# - **empty** => eth0
NETWORK_INTERFACE=
# empty => modern
# modern => Enables TLSv1.2 and modern ciphers only. (default)
# intermediate => Enables TLSv1, TLSv1.1 and TLSv1.2 and broad compatibility ciphers.
TLS_LEVEL=
# Configures the handling of creating mails with forged sender addresses.
#
# **0** => (not recommended) Mail address spoofing allowed. Any logged in user may create email messages with a forged sender address (see also https://en.wikipedia.org/wiki/Email_spoofing).
# 1 => Mail spoofing denied. Each user may only send with his own or his alias addresses. Addresses with extension delimiters(http://www.postfix.org/postconf.5.html#recipient_delimiter) are not able to send messages.
SPOOF_PROTECTION=
# Enables the Sender Rewriting Scheme. SRS is needed if your mail server acts as forwarder. See [postsrsd](https://github.com/roehling/postsrsd/blob/master/README.md#sender-rewriting-scheme-crash-course) for further explanation.
# - **0** => Disabled
# - 1 => Enabled
ENABLE_SRS=0
# Enables the OpenDKIM service.
# **1** => Enabled
# 0 => Disabled
ENABLE_OPENDKIM=1
# Enables the OpenDMARC service.
# **1** => Enabled
# 0 => Disabled
ENABLE_OPENDMARC=1
# Enabled `policyd-spf` in Postfix's configuration. You will likely want to set this
# to `0` in case you're using Rspamd (`ENABLE_RSPAMD=1`).
#
# - 0 => Disabled
# - **1** => Enabled
ENABLE_POLICYD_SPF=1
# Enables POP3 service
# - **0** => Disabled
# - 1 => Enabled
ENABLE_POP3=
# Enables IMAP service
# - 0 => Disabled
# - **1** => Enabled
ENABLE_IMAP=1
# Enables ClamAV, and anti-virus scanner.
# 1 => Enabled
# **0** => Disabled
ENABLE_CLAMAV=0
# Add the value of this ENV as a prefix to the mail subject when spam is detected.
# NOTE: This subject prefix may be redundant (by default spam is delivered to a junk folder).
# It provides value when your junk mail is stored alongside legitimate mail instead of a separate location (like with `SPAMASSASSIN_SPAM_TO_INBOX=1` or `MOVE_SPAM_TO_JUNK=0` or a POP3 only setup, without IMAP).
# NOTE: When not using Docker Compose, other CRI may not support quote-wrapping the value here to preserve any trailing white-space.
SPAM_SUBJECT=
# Enables Rspamd
# **0** => Disabled
# 1 => Enabled
ENABLE_RSPAMD=0
# When `ENABLE_RSPAMD=1`, an internal Redis instance is enabled implicitly.
# This setting provides an opt-out to allow using an external instance instead.
# 0 => Disabled
# 1 => Enabled
ENABLE_RSPAMD_REDIS=
# When enabled,
#
# 1. the "[autolearning][rspamd-autolearn]" feature is turned on;
# 2. the Bayes classifier will be trained when moving mails from or to the Junk folder (with the help of Sieve scripts).
#
# **0** => disabled
# 1 => enabled
RSPAMD_LEARN=0
# This settings controls whether checks should be performed on emails coming
# from authenticated users (i.e. most likely outgoing emails). The default value
# is `0` in order to align better with SpamAssassin. We recommend reading
# through https://rspamd.com/doc/tutorials/scanning_outbound.html though to
# decide for yourself whether you need and want this feature.
#
# Note that DKIM signing of e-mails will still happen.
RSPAMD_CHECK_AUTHENTICATED=0
# Controls whether the Rspamd Greylisting module is enabled.
# This module can further assist in avoiding spam emails by greylisting
# e-mails with a certain spam score.
#
# **0** => disabled
# 1 => enabled
RSPAMD_GREYLISTING=0
# Can be used to enable or disable the Hfilter group module.
#
# - 0 => Disabled
# - **1** => Enabled
RSPAMD_HFILTER=1
# Can be used to control the score when the HFILTER_HOSTNAME_UNKNOWN symbol applies. A higher score is more punishing. Setting it to 15 is equivalent to rejecting the email when the check fails.
#
# Default: 6
RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE=6
# Can be used to enable or disable the (still experimental) neural module.
#
# - **0** => Disabled
# - 1 => Enabled
RSPAMD_NEURAL=0
# Amavis content filter (used for ClamAV & SpamAssassin)
# 0 => Disabled
# 1 => Enabled
ENABLE_AMAVIS=1
# -1/-2/-3 => Only show errors
# **0** => Show warnings
# 1/2 => Show default informational output
# 3/4/5 => log debug information (very verbose)
AMAVIS_LOGLEVEL=0
# This enables DNS block lists in Postscreen.
# Note: Emails will be rejected, if they don't pass the block list checks!
# **0** => DNS block lists are disabled
# 1 => DNS block lists are enabled
ENABLE_DNSBL=0
# If you enable Fail2Ban, don't forget to add the following lines to your `compose.yaml`:
# cap_add:
# - NET_ADMIN
# Otherwise, `nftables` won't be able to ban IPs.
ENABLE_FAIL2BAN=0
# Fail2Ban blocktype
# drop => drop packet (send NO reply)
# reject => reject packet (send ICMP unreachable)
FAIL2BAN_BLOCKTYPE=drop
# 1 => Enables Managesieve on port 4190
# empty => disables Managesieve
ENABLE_MANAGESIEVE=
# **enforce** => Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
# drop => Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
# ignore => Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
POSTSCREEN_ACTION=enforce
# empty => all daemons start
# 1 => only launch postfix smtp
SMTP_ONLY=
# Please read [the SSL page in the documentation](https://docker-mailserver.github.io/docker-mailserver/latest/config/security/ssl) for more information.
#
# empty => SSL disabled
# letsencrypt => Enables Let's Encrypt certificates
# custom => Enables custom certificates
# manual => Let's you manually specify locations of your SSL certificates for non-standard cases
# self-signed => Enables self-signed certificates
SSL_TYPE=
# These are only supported with `SSL_TYPE=manual`.
# Provide the path to your cert and key files that you've mounted access to within the container.
SSL_CERT_PATH=
SSL_KEY_PATH=
# Optional: A 2nd certificate can be supported as fallback (dual cert support), eg ECDSA with an RSA fallback.
# Useful for additional compatibility with older MTA and MUA (eg pre-2015).
SSL_ALT_CERT_PATH=
SSL_ALT_KEY_PATH=
# Set how many days a virusmail will stay on the server before being deleted
# empty => 7 days
VIRUSMAILS_DELETE_DELAY=
# Configure Postfix `virtual_transport` to deliver mail to a different LMTP client (default is a dovecot socket).
# Provide any valid URI. Examples:
#
# empty => `lmtp:unix:/var/run/dovecot/lmtp` (default, configured in Postfix main.cf)
# `lmtp:unix:private/dovecot-lmtp` (use socket)
# `lmtps:inet:<host>:<port>` (secure lmtp with starttls)
# `lmtp:<kopano-host>:2003` (use kopano as mailstore)
POSTFIX_DAGENT=
# Set the mailbox size limit for all users. If set to zero, the size will be unlimited (default). Size is in bytes.
#
# empty => 0
POSTFIX_MAILBOX_SIZE_LIMIT=
# See https://docker-mailserver.github.io/docker-mailserver/edge/config/user-management/accounts/#notes
# 0 => Dovecot quota is disabled
# 1 => Dovecot quota is enabled
ENABLE_QUOTAS=1
# Set the message size limit for all users. If set to zero, the size will be unlimited (not recommended!). Size is in bytes.
#
# empty => 10240000 (~10 MB)
POSTFIX_MESSAGE_SIZE_LIMIT=
# Mails larger than this limit won't be scanned.
# ClamAV must be enabled (ENABLE_CLAMAV=1) for this.
#
# empty => 25M (25 MB)
CLAMAV_MESSAGE_SIZE_LIMIT=
# Enables regular pflogsumm mail reports.
# This is a new option. The old REPORT options are still supported for backwards compatibility. If this is not set and reports are enabled with the old options, logrotate will be used.
#
# not set => No report
# daily_cron => Daily report for the previous day
# logrotate => Full report based on the mail log when it is rotated
PFLOGSUMM_TRIGGER=
# Recipient address for pflogsumm reports.
#
# not set => Use REPORT_RECIPIENT or POSTMASTER_ADDRESS
# => Specify the recipient address(es)
PFLOGSUMM_RECIPIENT=
# Sender address (`FROM`) for pflogsumm reports if pflogsumm reports are enabled.
#
# not set => Use REPORT_SENDER
# => Specify the sender address
PFLOGSUMM_SENDER=
# Interval for logwatch report.
#
# none => No report is generated
# daily => Send a daily report
# weekly => Send a report every week
LOGWATCH_INTERVAL=
# Recipient address for logwatch reports if they are enabled.
#
# not set => Use REPORT_RECIPIENT or POSTMASTER_ADDRESS
# => Specify the recipient address(es)
LOGWATCH_RECIPIENT=
# Sender address (`FROM`) for logwatch reports if logwatch reports are enabled.
#
# not set => Use REPORT_SENDER
# => Specify the sender address
LOGWATCH_SENDER=
# Defines who receives reports if they are enabled.
# **empty** => ${POSTMASTER_ADDRESS}
# => Specify the recipient address
REPORT_RECIPIENT=
# Defines who sends reports if they are enabled.
# **empty** => mailserver-report@${DOMAINNAME}
# => Specify the sender address
REPORT_SENDER=
# Changes the interval in which log files are rotated
# **weekly** => Rotate log files weekly
# daily => Rotate log files daily
# monthly => Rotate log files monthly
#
# Note: This Variable actually controls logrotate inside the container
# and rotates the log files depending on this setting. The main log output is
# still available in its entirety via `docker logs mail` (Or your
# respective container name). If you want to control logrotation for
# the Docker-generated logfile see:
# https://docs.docker.com/config/containers/logging/configure/
#
# Note: This variable can also determine the interval for Postfix's log summary reports, see [`PFLOGSUMM_TRIGGER`](#pflogsumm_trigger).
LOGROTATE_INTERVAL=weekly
# Defines how many log files are kept by logrorate
LOGROTATE_COUNT=4
# If enabled, employs `reject_unknown_client_hostname` to sender restrictions in Postfix's configuration.
#
# - **0** => Disabled
# - 1 => Enabled
POSTFIX_REJECT_UNKNOWN_CLIENT_HOSTNAME=0
# Choose TCP/IP protocols for postfix to use
# **all** => All possible protocols.
# ipv4 => Use only IPv4 traffic. Most likely you want this behind Docker.
# ipv6 => Use only IPv6 traffic.
#
# Note: More details at http://www.postfix.org/postconf.5.html#inet_protocols
POSTFIX_INET_PROTOCOLS=all
# Enables MTA-STS support for outbound mail.
# More details: https://docker-mailserver.github.io/docker-mailserver/v13.3/config/best-practices/mta-sts/
# - **0** ==> MTA-STS disabled
# - 1 => MTA-STS enabled
ENABLE_MTA_STS=0
# Choose TCP/IP protocols for dovecot to use
# **all** => Listen on all interfaces
# ipv4 => Listen only on IPv4 interfaces. Most likely you want this behind Docker.
# ipv6 => Listen only on IPv6 interfaces.
#
# Note: More information at https://dovecot.org/doc/dovecot-example.conf
DOVECOT_INET_PROTOCOLS=all
# -----------------------------------------------
# --- SpamAssassin Section ----------------------
# -----------------------------------------------
ENABLE_SPAMASSASSIN=0
# KAM is a 3rd party SpamAssassin ruleset, provided by the McGrail Foundation.
# If SpamAssassin is enabled, KAM can be used in addition to the default ruleset.
# - **0** => KAM disabled
# - 1 => KAM enabled
#
# Note: only has an effect if `ENABLE_SPAMASSASSIN=1`
ENABLE_SPAMASSASSIN_KAM=0
# deliver spam messages to the inbox (tagged using SPAM_SUBJECT)
SPAMASSASSIN_SPAM_TO_INBOX=1
# spam messages will be moved in the Junk folder (SPAMASSASSIN_SPAM_TO_INBOX=1 required)
MOVE_SPAM_TO_JUNK=1
# spam messages will be marked as read
MARK_SPAM_AS_READ=0
# add 'spam info' headers at, or above this level
SA_TAG=2.0
# add 'spam detected' headers at, or above this level
SA_TAG2=6.31
# triggers spam evasive actions
SA_KILL=10.0
# -----------------------------------------------
# --- Fetchmail Section -------------------------
# -----------------------------------------------
ENABLE_FETCHMAIL=0
# The interval to fetch mail in seconds
FETCHMAIL_POLL=300
# Use multiple fetchmail instances (1 per poll entry in fetchmail.cf)
# Supports multiple IMAP IDLE connections when a server is used across multiple poll entries
# https://otremba.net/wiki/Fetchmail_(Debian)#Immediate_Download_via_IMAP_IDLE
FETCHMAIL_PARALLEL=0
# Enable or disable `getmail`.
#
# - **0** => Disabled
# - 1 => Enabled
ENABLE_GETMAIL=0
# The number of minutes for the interval. Min: 1; Max: 30.
GETMAIL_POLL=5
# -----------------------------------------------
# --- OAUTH2 Section ----------------------------
# -----------------------------------------------
# empty => OAUTH2 authentication is disabled
# 1 => OAUTH2 authentication is enabled
ENABLE_OAUTH2=
# Specify the user info endpoint URL of the oauth2 provider
# Example: https://oauth2.example.com/userinfo/
OAUTH2_INTROSPECTION_URL=
# -----------------------------------------------
# --- LDAP Section ------------------------------
# -----------------------------------------------
# A second container for the ldap service is necessary (i.e. https://hub.docker.com/r/bitnami/openldap/)
# empty => no
# yes => LDAP over TLS enabled for Postfix
LDAP_START_TLS=
# empty => mail.example.com
# Specify the `<dns-name>` / `<ip-address>` where the LDAP server is reachable via a URI like: `ldaps://mail.example.com`.
# Note: You must include the desired URI scheme (`ldap://`, `ldaps://`, `ldapi://`).
LDAP_SERVER_HOST=
# empty => ou=people,dc=domain,dc=com
# => e.g. LDAP_SEARCH_BASE=dc=mydomain,dc=local
LDAP_SEARCH_BASE=
# empty => cn=admin,dc=domain,dc=com
# => take a look at examples of SASL_LDAP_BIND_DN
LDAP_BIND_DN=
# empty** => admin
# => Specify the password to bind against ldap
LDAP_BIND_PW=
# e.g. `"(&(mail=%s)(mailEnabled=TRUE))"`
# => Specify how ldap should be asked for users
LDAP_QUERY_FILTER_USER=
# e.g. `"(&(mailGroupMember=%s)(mailEnabled=TRUE))"`
# => Specify how ldap should be asked for groups
LDAP_QUERY_FILTER_GROUP=
# e.g. `"(&(mailAlias=%s)(mailEnabled=TRUE))"`
# => Specify how ldap should be asked for aliases
LDAP_QUERY_FILTER_ALIAS=
# e.g. `"(&(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))(mailEnabled=TRUE))"`
# => Specify how ldap should be asked for domains
LDAP_QUERY_FILTER_DOMAIN=
# -----------------------------------------------
# --- Dovecot Section ---------------------------
# -----------------------------------------------
# empty => no
# yes => LDAP over TLS enabled for Dovecot
DOVECOT_TLS=
# e.g. `"(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))"`
DOVECOT_USER_FILTER=
# e.g. `"(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))"`
DOVECOT_PASS_FILTER=
# Define the mailbox format to be used
# default is maildir, supported values are: sdbox, mdbox, maildir
DOVECOT_MAILBOX_FORMAT=maildir
# empty => no
# yes => Allow bind authentication for LDAP
# https://wiki.dovecot.org/AuthDatabase/LDAP/AuthBinds
DOVECOT_AUTH_BIND=
# -----------------------------------------------
# --- Postgrey Section --------------------------
# -----------------------------------------------
ENABLE_POSTGREY=0
# greylist for N seconds
POSTGREY_DELAY=300
# delete entries older than N days since the last time that they have been seen
POSTGREY_MAX_AGE=35
# response when a mail is greylisted
POSTGREY_TEXT="Delayed by Postgrey"
# whitelist host after N successful deliveries (N=0 to disable whitelisting)
POSTGREY_AUTO_WHITELIST_CLIENTS=5
# -----------------------------------------------
# --- SASL Section ------------------------------
# -----------------------------------------------
ENABLE_SASLAUTHD=0
# empty => pam
# `ldap` => authenticate against ldap server
# `shadow` => authenticate against local user db
# `mysql` => authenticate against mysql db
# `rimap` => authenticate against imap server
# Note: can be a list of mechanisms like pam ldap shadow
SASLAUTHD_MECHANISMS=
# empty => None
# e.g. with SASLAUTHD_MECHANISMS rimap you need to specify the ip-address/servername of the imap server ==> xxx.xxx.xxx.xxx
SASLAUTHD_MECH_OPTIONS=
# empty => Use value of LDAP_SERVER_HOST
# Note: You must include the desired URI scheme (`ldap://`, `ldaps://`, `ldapi://`).
SASLAUTHD_LDAP_SERVER=
# empty => Use value of LDAP_BIND_DN
# specify an object with privileges to search the directory tree
# e.g. active directory: SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=net
# e.g. openldap: SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net
SASLAUTHD_LDAP_BIND_DN=
# empty => Use value of LDAP_BIND_PW
SASLAUTHD_LDAP_PASSWORD=
# empty => Use value of LDAP_SEARCH_BASE
# specify the search base
SASLAUTHD_LDAP_SEARCH_BASE=
# empty => default filter `(&(uniqueIdentifier=%u)(mailEnabled=TRUE))`
# e.g. for active directory: `(&(sAMAccountName=%U)(objectClass=person))`
# e.g. for openldap: `(&(uid=%U)(objectClass=person))`
SASLAUTHD_LDAP_FILTER=
# empty => no
# yes => LDAP over TLS enabled for SASL
# If set to yes, the protocol in SASLAUTHD_LDAP_SERVER must be ldap:// or missing.
SASLAUTHD_LDAP_START_TLS=
# empty => no
# yes => Require and verify server certificate
# If yes you must/could specify SASLAUTHD_LDAP_TLS_CACERT_FILE or SASLAUTHD_LDAP_TLS_CACERT_DIR.
SASLAUTHD_LDAP_TLS_CHECK_PEER=
# File containing CA (Certificate Authority) certificate(s).
# empty => Nothing is added to the configuration
# Any value => Fills the `ldap_tls_cacert_file` option
SASLAUTHD_LDAP_TLS_CACERT_FILE=
# Path to directory with CA (Certificate Authority) certificates.
# empty => Nothing is added to the configuration
# Any value => Fills the `ldap_tls_cacert_dir` option
SASLAUTHD_LDAP_TLS_CACERT_DIR=
# Specify what password attribute to use for password verification.
# empty => Nothing is added to the configuration but the documentation says it is `userPassword` by default.
# Any value => Fills the `ldap_password_attr` option
SASLAUTHD_LDAP_PASSWORD_ATTR=
# empty => `bind` will be used as a default value
# `fastbind` => The fastbind method is used
# `custom` => The custom method uses userPassword attribute to verify the password
SASLAUTHD_LDAP_AUTH_METHOD=
# Specify the authentication mechanism for SASL bind
# empty => Nothing is added to the configuration
# Any value => Fills the `ldap_mech` option
SASLAUTHD_LDAP_MECH=
# -----------------------------------------------
# --- SRS Section -------------------------------
# -----------------------------------------------
# envelope_sender => Rewrite only envelope sender address (default)
# header_sender => Rewrite only header sender (not recommended)
# envelope_sender,header_sender => Rewrite both senders
# An email has an "envelope" sender (indicating the sending server) and a
# "header" sender (indicating who sent it). More strict SPF policies may require
# you to replace both instead of just the envelope sender.
SRS_SENDER_CLASSES=envelope_sender
# empty => Envelope sender will be rewritten for all domains
# provide comma separated list of domains to exclude from rewriting
SRS_EXCLUDE_DOMAINS=
# empty => generated when the image is built
# provide a secret to use in base64
# you may specify multiple keys, comma separated. the first one is used for
# signing and the remaining will be used for verification. this is how you
# rotate and expire keys
SRS_SECRET=
# -----------------------------------------------
# --- Default Relay Host Section ----------------
# -----------------------------------------------
# Setup relaying all mail through a default relay host
#
# Set a default host to relay all mail through (optionally include a port)
# Example: [mail.example.com]:587
DEFAULT_RELAY_HOST=
# -----------------------------------------------
# --- Multi-Domain Relay Section ----------------
# -----------------------------------------------
# Setup relaying for multiple domains based on the domain name of the sender
# optionally uses usernames and passwords in postfix-sasl-password.cf and relay host mappings in postfix-relaymap.cf
#
# Set a default host to relay mail through
# Example: mail.example.com
RELAY_HOST=
# empty => 25
# default port to relay mail
RELAY_PORT=25
# -----------------------------------------------
# --- Relay Host Credentials Section ------------
# -----------------------------------------------
# Configure a relay user and password to use with RELAY_HOST / DEFAULT_RELAY_HOST
# empty => no default
RELAY_USER=
# empty => no default
RELAY_PASSWORD=

2
roles/docker_spin_up/handlers/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
# handlers file for docker_spin_up

52
roles/docker_spin_up/meta/main.yml Normal file
View File

@@ -0,0 +1,52 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

9
roles/docker_spin_up/tasks/dashboard_my_public.yml Normal file
View File

@@ -0,0 +1,9 @@
---
- name: "{{ docker_name }}"
community.docker.docker_container:
name: "{{ docker_name }}"
image: ghcr.io/gethomepage/homepage:latest
ports:
- 3000:3000
volumes:
- "{{ docker_homepath }}/config:/app/config" # Make sure your local config directory exists

34
roles/docker_spin_up/tasks/email.yml Normal file
View File

@@ -0,0 +1,34 @@
---
- name: email
community.docker.docker_container:
image: docker.io/mailserver/docker-mailserver:latest
name: email
#container_name: mailserver
# If the FQDN for your mail-server is only two labels (eg: example.com),
# you can assign this entirely to `hostname` and remove `domainname`.
hostname: mail
domainname: katebartova.cz
env:
SSL_TYPE: letsencrypt
env_file: "{{ docker_homepath }}/mailserver.env"
# More information about the mail-server ports:
# https://docker-mailserver.github.io/docker-mailserver/edge/config/security/understanding-the-ports/
# To avoid conflicts with yaml base-60 float, DO NOT remove the quotation marks.
ports:
- "25:25" # SMTP (explicit TLS => STARTTLS)
- "143:143" # IMAP4 (explicit TLS => STARTTLS)
- "465:465" # ESMTP (implicit TLS)
- "587:587" # ESMTP (explicit TLS => STARTTLS)
- "993:993" # IMAP4 (implicit TLS)
volumes:
- "{{ docker_homepath }}/docker-data/dms/mail-data/:/var/mail/"
- "{{ docker_homepath }}/docker-data/dms/mail-state/:/var/mail-state/"
- "{{ docker_homepath }}/docker-data/dms/mail-logs/:/var/log/mail/"
- "{{ docker_homepath }}/docker-data/dms/config/:/tmp/docker-mailserver/"
- "/bigpool/nginx/letsencrypt/:/etc/letsencrypt/:ro"
- /etc/localtime:/etc/localtime:ro
restart_policy: always
#stop_grace_period: 1m
capabilities:
- NET_ADMIN
- SYS_PTRACE

24
roles/docker_spin_up/tasks/gitea.yml Normal file
View File

@@ -0,0 +1,24 @@
---
- name: gitea
community.docker.docker_container:
image: gitea/gitea:1.19.3
name: gitea
env:
USER_UID: "1000"
USER_GID: "1000"
GITEA__database__DB_TYPE: "mysql"
GITEA__database__HOST: "{{ mysql_host}}:3306"
GITEA__database__NAME: "{{ GITEA__database__NAME }}"
GITEA__database__USER: "{{ GITEA__database__USER }}"
GITEA__database__PASSWD: "{{ GITEA__database__PASSWD }}"
ROOT_URL: "http://pi-vpn:8082/"
restart_policy: always
networks:
- name: http
volumes:
- "{{ docker_homepath }}/gitea:/data"
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
ports:
# - "8082:3000"
- "222:22"

34
roles/docker_spin_up/tasks/jellyfin.yml Normal file
View File

@@ -0,0 +1,34 @@
- name: Dir-jellyfin-config
ansible.builtin.file:
path: "{{ docker_homepath }}/config"
owner: "{{ user }}"
group: "{{ primary_group }}"
state: directory
mode: '0711'
- name: Dir-jellyfin-cache
ansible.builtin.file:
path: "{{ docker_homepath }}/cache"
owner: "{{ user }}"
group: "{{ primary_group }}"
state: directory
mode: '0711'
- name: jellyfin
community.docker.docker_container:
name: jellyfin
image: jellyfin/jellyfin:2024042215
user: "{{ uid }}:{{ gid }}"
env:
PUID: "1000"
PGID: "1000"
TZ: "Etc/UTC"
JELLYFIN_PublishedServerUrl: "jellyfin.lan" #optional
volumes:
- "/bigpool/tata/Music:/Music:ro"
- "{{ docker_homepath }}/config:/config"
- "{{ docker_homepath }}/cache:/cache"
restart_policy: unless-stopped
networks:
- name: http

17
roles/docker_spin_up/tasks/main.yml Normal file
View File

@@ -0,0 +1,17 @@
---
# tasks file for docker_spin_up
#- name: Copy composer
# template:
# src: "../templates/{{ docker_compose_file }}"
# dest: "/{{ docker_homepath }}/docker-compose.yml"
# owner: root
# group: root
# mode: '0644'
- name: Create a network
community.docker.docker_network:
name: http
- name: Spin up {{ docker_compose_file }}
ansible.builtin.include_tasks:
"{{ docker_compose_file }}"

82
roles/docker_spin_up/tasks/monitoring.yml Normal file
View File

@@ -0,0 +1,82 @@
---
- name: Dir-loki
ansible.builtin.file:
path: "{{ docker_homepath }}/loki-data"
owner: "{{ user }}"
group: "{{ primary_group }}"
state: directory
mode: '0711'
- name: Dir-grafana
ansible.builtin.file:
path: "{{ docker_homepath }}/grafana-data"
owner: "{{ user }}"
group: "{{ primary_group }}"
state: directory
mode: '0711'
- name: Dir-promtail
ansible.builtin.file:
path: "{{ docker_homepath }}/promtail-data"
owner: "{{ user }}"
group: "{{ primary_group }}"
state: directory
mode: '0711'
- name: promtail config copy
template:
src: ../templates/promtail-config.yml
dest: "{{ docker_homepath }}/promtail-data/promtail-config.yml"
owner: "{{ user}}"
group: "{{ primary_group }}"
mode: '0644'
- name: loki
community.docker.docker_container:
name: loki
user: "{{ uid }}:{{ gid }}"
image: 'grafana/loki:main-2c878c8'
restart_policy: unless-stopped
#ports:
# - '3100:3100'
volumes:
- "{{ docker_homepath }}/loki-data:/loki"
- "/etc/resolv.conf:/etc/resolv.conf:ro"
- "/etc/timezone:/etc/timezone:ro"
- "/etc/localtime:/etc/localtime:ro"
networks:
- name: http
- name: grafana
community.docker.docker_container:
name: grafana
image: 'grafana/grafana:10.2.6'
user: "{{ uid }}:{{ gid }}"
restart_policy: unless-stopped
#ports:
# - '3000:3000'
volumes:
- "{{ docker_homepath }}/grafana-data:/var/lib/grafana"
- "/etc/timezone:/etc/timezone:ro"
- "/etc/localtime:/etc/localtime:ro"
networks:
- name: http
- name: promtail
community.docker.docker_container:
name: promtail
image: 'grafana/promtail:main-e2952b9'
user: "0:0"
restart_policy: unless-stopped
command: -config.file=/etc/promtail/promtail-config.yml -config.expand-env=true
#ports:
# - '3000:3000'
volumes:
- "{{ docker_homepath }}/promtail-data:/etc/promtail"
- "/var/log:/var/log:ro"
- "/run/log/journal/:/run/log/journal/:ro"
- "/etc/machine-id:/etc/machine-id:ro"
- "/etc/timezone:/etc/timezone:ro"
- "/etc/localtime:/etc/localtime:ro"
networks:
- name: http

19
roles/docker_spin_up/tasks/nextcloud.yml Normal file
View File

@@ -0,0 +1,19 @@
---
- name: nextcloud
community.docker.docker_container:
name: nextcloud
image: nextcloud:26.0-fpm
restart_policy: always
# ports:
# - 8080:80
volumes:
- "{{ docker_homepath }}/nextcloud_nextcloud_1/_data:/var/www/html"
env:
MYSQL_PASSWORD: "{{ NEXTCLOUD_MYSQL_PASSWORD }}"
MYSQL_DATABASE: "{{ NEXTCLOUD_MYSQL_DATABASE }}"
MYSQL_USER: "{{ NEXTCLOUD_MYSQL_USER }}"
MYSQL_HOST: "{{ mysql_host }}"
PHP_MEMORY_LIMIT: 2G
PHP_UPLOAD_LIMIT: 10G
networks:
- name: http

16
roles/docker_spin_up/tasks/nginx.yml Normal file
View File

@@ -0,0 +1,16 @@
---
- name: nginx
community.docker.docker_container:
name: nginx
image: 'jc21/nginx-proxy-manager:latest'
restart_policy: unless-stopped
ports:
- '80:80'
#- "{{ ip_admin }}:81:81"
- '443:443'
volumes:
- "{{ docker_homepath }}/data:/data"
- "{{ docker_homepath }}/letsencrypt:/etc/letsencrypt"
- "/bigpool/nextcloud/nextcloud_nextcloud_1/_data/:/var/www/html:ro"
networks:
- name: http

20
roles/docker_spin_up/tasks/pi-hole.yml Normal file
View File

@@ -0,0 +1,20 @@
- name: pi-hole
community.docker.docker_container:
name: pi-hole
image: pihole/pihole:2024.03.2
# For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
ports:
- "53:53/tcp"
- "53:53/udp"
# - "8092:80/tcp"
env:
TZ: 'Europe/Prague'
WEBPASSWORD: "{{ password }}"
# Volumes store your data between container upgrades
volumes:
- "{{ docker_homepath }}/etc-pihole:/etc/pihole"
- "{{ docker_homepath }}/etc-dnsmasq.d:/etc/dnsmasq.d"
# https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
restart_policy: unless-stopped
networks:
- name: http

24
roles/docker_spin_up/tasks/transmission.yaml Normal file
View File

@@ -0,0 +1,24 @@
---
- name: transmission
community.docker.docker_container:
name: transmission
image: lscr.io/linuxserver/transmission:latest
#container_name: transmission
env:
PUID: "{{ uid }}"
PGID: "{{ uid }}"
TZ: Europe/Berlin
#TRANSMISSION_WEB_HOME=/combustion-release/ #optional
USER: "{{ user }}" #optional
PASS: "{{ password }}" #optional
volumes:
# - /path/to/data:/config
- "{{ docker_homepath }}/downloads:/downloads"
- "{{ docker_homepath }}/watch:/watch"
#ports:
# - 9091:9091
# - 51413:51413
# - 51413:51413/udp
restart_policy: unless-stopped
networks:
- name: http

60
roles/docker_spin_up/templates/promtail-config.yml Normal file
View File

@@ -0,0 +1,60 @@
server:
http_listen_port: 9080
grpc_listen_port: 0
positions:
filename: /tmp/positions.yaml
clients:
- url: http://loki:3100/loki/api/v1/push
#- url: https://loki.internal.matous.vondrejka.cz/loki/api/v1/push
scrape_configs:
- job_name: journal
journal:
json: false
max_age: 12h
path: /var/log/journal
labels:
job: systemd-journal
relabel_configs:
- source_labels: ['__journal__systemd_unit']
target_label: 'unit'
- job_name: docker
static_configs:
- targets:
- localhost
labels:
job: containerlogs
__path__: /var/lib/docker/containers/*/*log
pipeline_stages:
- json:
expressions:
output: log
stream: stream
attrs:
- json:
expressions:
tag:
source: attrs
- regex:
expression: (?P<image_name>(?:[^|]*[^|])).(?P<container_name>(?:[^|]*[^|])).(?P<image_id>(?:[^|]*[^|])).(?P<container_id>(?:[^|]*[^|]))
source: tag
- timestamp:
format: RFC3339Nano
source: time
- labels:
tag:
stream:
image_name:
container_name:
image_id:
container_id:
- output:
source: output/*-json.log
#scrape_configs:
#- job_name: journald
# journal: {}

2
roles/docker_spin_up/tests/inventory Normal file
View File

@@ -0,0 +1,2 @@
localhost

5
roles/docker_spin_up/tests/test.yml Normal file
View File

@@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- docker_spin_up

2
roles/docker_spin_up/vars/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
# vars file for docker_spin_up

29
roles/linux_config_init/.travis.yml Normal file
View File

@@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

2
roles/linux_config_init/defaults/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
# defaults file for linux_config_tinker

5
roles/linux_config_init/handlers/main.yml Normal file
View File

@@ -0,0 +1,5 @@
---
- name: networking restart
service:
name: networking
state: restarted

17
roles/linux_config_init/tasks/bashrc_copy.yml Normal file
View File

@@ -0,0 +1,17 @@
---
- name: Copy /root/.bashrc
template:
src: ../templates/bashrc
dest: /root/.bashrc
owner: root
group: root
mode: '0644'
- name: Copy /home/{{ user }}/.bashrc
template:
src: ../templates/bashrc
dest: /home/{{ user }}/.bashrc
owner: "{{ user }}"
group: "{{ user }}"
mode: '0644'

27
roles/linux_config_init/tasks/create_user.yml Normal file
View File

@@ -0,0 +1,27 @@
---
- name: Adding user
ansible.builtin.user:
name: "{{ user }}"
uid: "{{ uid }}"
shell: /bin/bash
groups: sudo
- name: Setting ssh key
ansible.builtin.blockinfile:
state: present
owner: "{{ user }}"
group: "{{ user }}"
insertafter: EOF
path: /home/{{ user }}/.ssh/authorized_keys
mode: "0644"
create: true
block: |
{{ ssh_key }}
when: ssh_key is defined
- name: Set permissions to .ssh folder
ansible.builtin.file:
path: /home/{{ user }}/.ssh
owner: "{{ user }}"
group: "{{ user }}"
mode: "0711"

13
roles/linux_config_init/tasks/hostname_set.yml Normal file
View File

@@ -0,0 +1,13 @@
---
- name: Copy /etc/hosts
template:
src: ../templates/etc_hosts
dest: /etc/hosts
owner: root
group: root
mode: '0664'
- name: Set a hostname
ansible.builtin.hostname:
name: "{{ host }}"

18
roles/linux_config_init/tasks/main.yml Normal file
View File

@@ -0,0 +1,18 @@
---
# tasks file for linux_config_init
- name: System settings
ansible.builtin.include_tasks: "{{ item }}"
loop:
- sudoer_no_passwd.yml
- create_user.yml
- bashrc_copy.yml
- timezone.yml
- resolvconf_copy.yml
- name: Set Pernament IP
ansible.builtin.include_tasks: set_perma_ip.yml
when: set_ip
- name: Set Hostname
ansible.builtin.include_tasks: hostname_set.yml
when: set_hostname

8
roles/linux_config_init/tasks/resolvconf_copy.yml Normal file
View File

@@ -0,0 +1,8 @@
---
- name: Copy /templates/resolvconf
template:
src: ../templates/resolvconf
dest: /etc/resolv.conf
owner: root
group: root
mode: '0644'

9
roles/linux_config_init/tasks/set_perma_ip.yml Normal file
View File

@@ -0,0 +1,9 @@
---
- name: Copy /etc/network/interfaces
template:
src: ../templates/etc_network_interface
dest: /etc/network/interfaces
owner: root
group: root
mode: '0644'
notify: networking restart

8
roles/linux_config_init/tasks/sudoer_no_passwd.yml Normal file
View File

@@ -0,0 +1,8 @@
---
- name: No password for sudo
become: true
community.general.sudoers:
nopassword: true
commands: ALL
user: "{{ user }}"
name: No password for sudo

3
roles/linux_config_init/tasks/timezone.yml Normal file
View File

@@ -0,0 +1,3 @@
- name: Set timezone to Europe/Prague
community.general.timezone:
name: Europe/Prague

113
roles/linux_config_init/templates/bashrc Normal file
View File

@@ -0,0 +1,113 @@
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples
# If not running interactively, don't do anything
case $- in
*i*) ;;
*) return;;
esac
# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth
# append to the history file, don't overwrite it
shopt -s histappend
# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000
# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize
# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar
# make less more friendly for non-text input files, see lesspipe(1)
#[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
debian_chroot=$(cat /etc/debian_chroot)
fi
# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
xterm-color|*-256color) color_prompt=yes;;
esac
# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes
if [ -n "$force_color_prompt" ]; then
if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
# We have color support; assume it's compliant with Ecma-48
# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
# a case would tend to support setf rather than setaf.)
color_prompt=yes
else
color_prompt=
fi
fi
if [ "$color_prompt" = yes ]; then
PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt
# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
;;
*)
;;
esac
# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
alias ls='ls --color=auto'
#alias dir='dir --color=auto'
#alias vdir='vdir --color=auto'
alias grep='grep --color=auto'
alias fgrep='fgrep --color=auto'
alias egrep='egrep --color=auto'
fi
# colored GCC warnings and errors
#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
# some more ls aliases
alias ll='ls -lah'
alias la='ls -A'
alias l='ls -CF'
# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.
if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi
# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi

10
roles/linux_config_init/templates/etc_hosts Normal file
View File

@@ -0,0 +1,10 @@
127.0.0.1 localhost.localdomain localhost
{{ ip }} {{ host }}
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

16
roles/linux_config_init/templates/etc_network_interface Normal file
View File

@@ -0,0 +1,16 @@
auto lo
iface lo inet loopback
auto {{ in_face }}
iface {{ in_face }} inet static
address {{ ip }}/24
{% if ip_admin is defined %}
iface {{ in_face }} inet static
address {{ ip_admin }}/24
{% endif %}
{% if gateway is defined %}
gateway {{ gateway }}
{% endif %}
source /etc/network/interfaces.d/*

2
roles/linux_config_init/templates/resolvconf Normal file
View File

@@ -0,0 +1,2 @@
nameserver 192.168.100.6
nameserver 8.8.8.8

2
roles/linux_config_init/vars/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
# vars file for linux_config_tinker

29
roles/mariadb/.travis.yml Normal file
View File

@@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

38
roles/mariadb/README.md Normal file
View File

@@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

2
roles/mariadb/defaults/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
# defaults file for mariaDB_install

6
roles/mariadb/handlers/main.yml Normal file
View File

@@ -0,0 +1,6 @@
---
# handlers file for mariaDB_install
- name: mariadb restart
service:
name: mariadb
state: restarted

52
roles/mariadb/meta/main.yml Normal file
View File

@@ -0,0 +1,52 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

31
roles/mariadb/tasks/main.yml Normal file
View File

@@ -0,0 +1,31 @@
---
# tasks file for mariaDB_install
- name: Install
ansible.builtin.package:
name:
- mariadb-server
- mycli
state: present
- name: Start and enabled
ansible.builtin.service:
name: mariadb
state: started
enabled: true
- name: Gather the package facts
ansible.builtin.package_facts:
manager: auto
- name: Check package version
ansible.builtin.debug:
msg: "{{ ansible_facts.packages['mariadb-server'][0].version[2:7] }}"
- name: Copy config
template:
src: ../templates/50-server.cnf
dest: /etc/mysql/mariadb.conf.d/50-server.cnf
owner: root
group: root
mode: "0644"
notify: mariadb restart

118
roles/mariadb/templates/50-server.cnf Normal file
View File

@@ -0,0 +1,118 @@
#
# These groups are read by MariaDB server.
# Use it for options that only the server (but not clients) should see
# this is read by the standalone daemon and embedded servers
[server]
# this is only for the mysqld standalone daemon
[mysqld]
#
# * Basic Settings
#
user = mysql
pid-file = /run/mysqld/mysqld.pid
basedir = /usr
#datadir = /var/lib/mysql
datadir = {{ mariadb_location }}
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
lc-messages = en_US
skip-external-locking
# Broken reverse DNS slows down connections considerably and name resolve is
# safe to skip if there are no "host by domain name" access grants
#skip-name-resolve
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address = 0.0.0.0
#
# * Fine Tuning
#
#key_buffer_size = 128M
#max_allowed_packet = 1G
#thread_stack = 192K
#thread_cache_size = 8
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched
#myisam_recover_options = BACKUP
#max_connections = 100
#table_cache = 64
#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
# Recommend only changing this at runtime for short testing periods if needed!
#general_log_file = /var/log/mysql/mysql.log
#general_log = 1
# When running under systemd, error logging goes via stdout/stderr to journald
# and when running legacy init error logging goes to syslog due to
# /etc/mysql/conf.d/mariadb.conf.d/50-mysqld_safe.cnf
# Enable this if you want to have error logging into a separate file
#log_error = /var/log/mysql/error.log
# Enable the slow query log to see queries with especially long duration
#slow_query_log_file = /var/log/mysql/mariadb-slow.log
#long_query_time = 10
#log_slow_verbosity = query_plan,explain
#log-queries-not-using-indexes
#min_examined_row_limit = 1000
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
# other settings you may need to change.
#server-id = 1
#log_bin = /var/log/mysql/mysql-bin.log
expire_logs_days = 10
#max_binlog_size = 100M
#
# * SSL/TLS
#
# For documentation, please read
# https://mariadb.com/kb/en/securing-connections-for-client-and-server/
#ssl-ca = /etc/mysql/cacert.pem
#ssl-cert = /etc/mysql/server-cert.pem
#ssl-key = /etc/mysql/server-key.pem
#require-secure-transport = on
#
# * Character sets
#
# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full
# utf8 4-byte character set. See also client.cnf
character-set-server = utf8mb4
collation-server = utf8mb4_general_ci
#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!
# Most important is to give InnoDB 80 % of the system RAM for buffer use:
# https://mariadb.com/kb/en/innodb-system-variables/#innodb_buffer_pool_size
#innodb_buffer_pool_size = 8G
# this is only for embedded server
[embedded]
# This group is only read by MariaDB servers, not by MySQL.
# If you use the same .cnf file for MySQL and MariaDB,
# you can put MariaDB-only options here
[mariadb]
# This group is only read by MariaDB-{{ ansible_facts.packages['mariadb-server'][0].version[2:7] }} servers.
# If you use the same .cnf file for MariaDB of different versions,
# use this group for options that older servers don't understand
[mariadb-{{ ansible_facts.packages['mariadb-server'][0].version[2:7] }}]

2
roles/mariadb/tests/inventory Normal file
View File

@@ -0,0 +1,2 @@
localhost

5
roles/mariadb/tests/test.yml Normal file
View File

@@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- mariaDB_install

2
roles/mariadb/vars/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
# vars file for mariaDB_install

29
roles/nfs/.travis.yml Normal file
View File

@@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

38
roles/nfs/README.md Normal file
View File

@@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

2
roles/nfs/defaults/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
# defaults file for nfs-share

2
roles/nfs/handlers/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
# handlers file for nfs-share

52
roles/nfs/meta/main.yml Normal file
View File

@@ -0,0 +1,52 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

22
roles/nfs/tasks/main.yml Normal file
View File

@@ -0,0 +1,22 @@
---
- name: Nfs install for Debian
become: true
ansible.builtin.package:
name:
- nfs-kernel-server
state: present
when: ansible_os_family == 'Debian'
- name: Nfs install for RedHat
become: true
ansible.builtin.package:
name:
- nfs-utils
state: present
when: ansible_os_family == 'RedHat'
- name: Start and enable nfs
ansible.builtin.service:
name: nfs-server
state: started
enabled: yes

2
roles/nfs/tests/inventory Normal file
View File

@@ -0,0 +1,2 @@
localhost

5
roles/nfs/tests/test.yml Normal file
View File

@@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- nfs-share

2
roles/nfs/vars/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
# vars file for nfs-share

9
roles/prometheus_node_exporter/handlers/main.yml Normal file
View File

@@ -0,0 +1,9 @@
---
- name: daemon reload
systemd:
daemon_reload: yes
- name: start node_exporter
service:
name: node_exporter
state: started

12
roles/prometheus_node_exporter/tasks/main.yml Normal file
View File

@@ -0,0 +1,12 @@
---
- name: Install prometheus-node-exporter
apt:
name: prometheus-node-exporter
state: present
update_cache: yes
- name: Check if prometheus-node-exporter service is running
service:
name: prometheus-node-exporter
state: started
enabled: yes

29
roles/samba/.travis.yml Normal file
View File

@@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

38
roles/samba/README.md Normal file
View File

@@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

2
roles/samba/defaults/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
# defaults file for create_samba_user

6
roles/samba/handlers/main.yml Normal file
View File

@@ -0,0 +1,6 @@
---
# handlers file for create_samba_user
- name: smb restart
service:
name: smb
state: restarted

52
roles/samba/meta/main.yml Normal file
View File

@@ -0,0 +1,52 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

21
roles/samba/tasks/main.yml Normal file
View File

@@ -0,0 +1,21 @@
---
- name: Install
ansible.builtin.package:
name:
- samba
state: present
- name: Start and enabled
ansible.builtin.service:
name: smbd
state: started
enabled: true
- name: Copy config
template:
src: ../templates/smb.conf
dest: /etc/samba/smb.conf
owner: root
group: root
mode: "0644"
notify: smb restart

61
roles/samba/templates/smb.conf Normal file
View File

@@ -0,0 +1,61 @@
[global]
;socket options = TCP_NODELAY
;SO_RCVBUF=524288 SO_SNDBUF=524288
workgroup = DOMA
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
; logon path = \\%N\profiles\%U
; logon drive = H:
; logon script = logon.cmd
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
; add group script = /usr/sbin/addgroup --force-badname %g
; include = /home/samba/etc/smb.conf.%m
; idmap config * : backend = tdb
; idmap config * : range = 3000-7999
; idmap config YOURDOMAINHERE : backend = tdb
; idmap config YOURDOMAINHERE : range = 100000-999999
; template shell = /bin/bash
;[netlogon]
; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; read only = yes
;[profiles]
; comment = Users profiles
; path = /home/samba/profiles
; guest ok = no
; browseable = no
; create mask = 0600
; directory mask = 0700
;[printers]
; comment = All Printers
; browseable = no
; path = /var/spool/samba
; printable = yes
; guest ok = no
; read only = yes
; create mask = 0700
;[print$]
; comment = Printer Drivers
; path = /var/lib/samba/printers
; browseable = yes
; read only = yes
; guest ok = no
; write list = root, @lpadmin
{% for user in samba_users %}
[{{ user.name }}]
comment = {{ user.path }}
path = {{ user.path }}
read only = no
browsable = yes
{% endfor %}

2
roles/samba/tests/inventory Normal file
View File

@@ -0,0 +1,2 @@
localhost

Some files were not shown because too many files have changed in this diff Show More