sinibaldi
/
SSE-Lab
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: sinibaldi:main
Branches Tags
sinibaldi:main
sinibaldi:automotive
sinibaldi:sifi
sinibaldi:nextcloud_aio
sinibaldi:ansible_init
sinibaldi:ftpd
sinibaldi:PKI
sinibaldi:simple_site
..
compare: sinibaldi:simple_site
Branches Tags
sinibaldi:automotive
sinibaldi:sifi
sinibaldi:main
sinibaldi:nextcloud_aio
sinibaldi:ansible_init
sinibaldi:ftpd
sinibaldi:PKI
sinibaldi:simple_site

No commits in common. "main" and "simple_site" have entirely different histories.
main ... simple_sit

74 changed files with 16 additions and 2537 deletions
Show Stats Expand all files Collapse all files

713
ansible/ansible.cfg
View File

@ -1,713 +0,0 @@
[defaults]
# (boolean) By default, Ansible will issue a warning when received from a task action (module or action plugin).
# These warnings can be silenced by adjusting this setting to False.
;action_warnings=True
# (list) Accept a list of cowsay templates that are 'safe' to use, set to an empty list if you want to enable all installed templates.
;cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
# (string) Specify a custom cowsay path or swap in your cowsay implementation of choice.
;cowpath=
# (string) This allows you to choose a specific cowsay stencil for the banners or use 'random' to cycle through them.
;cow_selection=default
# (boolean) This option forces color mode even when running without a TTY or the "nocolor" setting is True.
force_color=True
# (path) The default root path for Ansible config files on the controller.
;home=~/.ansible
# (boolean) This setting allows suppressing colorizing output, which is used to give a better indication of failure and status information.
;nocolor=False
# (boolean) If you have cowsay installed but want to avoid the 'cows' (why????), use this.
;nocows=False
# (boolean) Sets the default value for the any_errors_fatal keyword, if True, Task failures will be considered fatal errors.
;any_errors_fatal=False
# (path) The password file to use for the become plugin. ``--become-password-file``.
# If executable, it will be run and the resulting stdout will be used as the password.
;become_password_file=
# (pathspec) Colon-separated paths in which Ansible will search for Become Plugins.
;become_plugins=/Users/fabioisti/.ansible/plugins/become:/usr/share/ansible/plugins/become
# (string) Chooses which cache plugin to use, the default 'memory' is ephemeral.
fact_caching=memory
# (string) Defines connection or path information for the cache plugin.
;fact_caching_connection=
# (string) Prefix to use for cache plugin files/tables.
;fact_caching_prefix=ansible_facts
# (integer) Expiration timeout for the cache plugin data.
fact_caching_timeout=86400
# (list) List of enabled callbacks, not all callbacks need enabling, but many of those shipped with Ansible do as we don't want them activated by default.
;callbacks_enabled=
# (string) When a collection is loaded that does not support the running Ansible version (with the collection metadata key `requires_ansible`).
;collections_on_ansible_version_mismatch=warning
# (pathspec) Colon-separated paths in which Ansible will search for collections content. Collections must be in nested *subdirectories*, not directly in these directories. For example, if ``COLLECTIONS_PATHS`` includes ``'{{ ANSIBLE_HOME ~ "/collections" }}'``, and you want to add ``my.collection`` to that directory, it must be saved as ``'{{ ANSIBLE_HOME} ~ "/collections/ansible_collections/my/collection" }}'``.
collections_path=/Users/fabioisti/.ansible/collections:/usr/share/ansible/collections
# (boolean) A boolean to enable or disable scanning the sys.path for installed collections.
;collections_scan_sys_path=True
# (path) The password file to use for the connection plugin. ``--connection-password-file``.
;connection_password_file=
# (pathspec) Colon-separated paths in which Ansible will search for Action Plugins.
;action_plugins=/Users/fabioisti/.ansible/plugins/action:/usr/share/ansible/plugins/action
# (boolean) When enabled, this option allows lookup plugins (whether used in variables as ``{{lookup('foo')}}`` or as a loop as with_foo) to return data that is not marked 'unsafe'.
# By default, such data is marked as unsafe to prevent the templating engine from evaluating any jinja2 templating language, as this could represent a security risk. This option is provided to allow for backward compatibility, however, users should first consider adding allow_unsafe=True to any lookups that may be expected to contain data that may be run through the templating engine late.
;allow_unsafe_lookups=False
# (boolean) This controls whether an Ansible playbook should prompt for a login password. If using SSH keys for authentication, you probably do not need to change this setting.
;ask_pass=False
# (boolean) This controls whether an Ansible playbook should prompt for a vault password.
ask_vault_pass=True
# (pathspec) Colon-separated paths in which Ansible will search for Cache Plugins.
;cache_plugins=/Users/fabioisti/.ansible/plugins/cache:/usr/share/ansible/plugins/cache
# (pathspec) Colon-separated paths in which Ansible will search for Callback Plugins.
;callback_plugins=/Users/fabioisti/.ansible/plugins/callback:/usr/share/ansible/plugins/callback
# (pathspec) Colon-separated paths in which Ansible will search for Cliconf Plugins.
;cliconf_plugins=/Users/fabioisti/.ansible/plugins/cliconf:/usr/share/ansible/plugins/cliconf
# (pathspec) Colon-separated paths in which Ansible will search for Connection Plugins.
;connection_plugins=/Users/fabioisti/.ansible/plugins/connection:/usr/share/ansible/plugins/connection
# (boolean) Toggles debug output in Ansible. This is *very* verbose and can hinder multiprocessing. Debug output can also include secret information despite no_log settings being enabled, which means debug mode should not be used in production.
;debug=False
# (string) This indicates the command to use to spawn a shell under, which is required for Ansible's execution needs on a target. Users may need to change this in rare instances when shell usage is constrained, but in most cases, it may be left as is.
;executable=/bin/sh
# (pathspec) Colon-separated paths in which Ansible will search for Jinja2 Filter Plugins.
;filter_plugins=/Users/fabioisti/.ansible/plugins/filter:/usr/share/ansible/plugins/filter
# (boolean) This option controls if notified handlers run on a host even if a failure occurs on that host.
# When false, the handlers will not run if a failure has occurred on a host.
# This can also be set per play or on the command line. See Handlers and Failure for more details.
;force_handlers=False
# (integer) Maximum number of forks Ansible will use to execute tasks on target hosts.
;forks=5
# (string) This setting controls the default policy of fact gathering (facts discovered about remote systems).
# This option can be useful for those wishing to save fact gathering time. Both 'smart' and 'explicit' will use the cache plugin.
;gathering=implicit
# (string) This setting controls how duplicate definitions of dictionary variables (aka hash, map, associative array) are handled in Ansible.
# This does not affect variables whose values are scalars (integers, strings) or arrays.
# **WARNING**, changing this setting is not recommended as this is fragile and makes your content (plays, roles, collections) nonportable, leading to continual confusion and misuse. Don't change this setting unless you think you have an absolute need for it.
# We recommend avoiding reusing variable names and relying on the ``combine`` filter and ``vars`` and ``varnames`` lookups to create merged versions of the individual variables. In our experience, this is rarely needed and is a sign that too much complexity has been introduced into the data structures and plays.
# For some uses you can also look into custom vars_plugins to merge on input, even substituting the default ``host_group_vars`` that is in charge of parsing the ``host_vars/`` and ``group_vars/`` directories. Most users of this setting are only interested in inventory scope, but the setting itself affects all sources and makes debugging even harder.
# All playbooks and roles in the official examples repos assume the default for this setting.
# Changing the setting to ``merge`` applies across variable sources, but many sources will internally still overwrite the variables. For example ``include_vars`` will dedupe variables internally before updating Ansible, with 'last defined' overwriting previous definitions in same file.
# The Ansible project recommends you **avoid ``merge`` for new projects.**
# It is the intention of the Ansible developers to eventually deprecate and remove this setting, but it is being kept as some users do heavily rely on it. New projects should **avoid 'merge'**.
;hash_behaviour=replace
# (pathlist) Comma-separated list of Ansible inventory sources
;inventory=/etc/ansible/hosts
# (pathspec) Colon-separated paths in which Ansible will search for HttpApi Plugins.
;httpapi_plugins=/Users/fabioisti/.ansible/plugins/httpapi:/usr/share/ansible/plugins/httpapi
# (float) This sets the interval (in seconds) of Ansible internal processes polling each other. Lower values improve performance with large playbooks at the expense of extra CPU load. Higher values are more suitable for Ansible usage in automation scenarios when UI responsiveness is not required but CPU usage might be a concern.
# The default corresponds to the value hardcoded in Ansible <= 2.1
;internal_poll_interval=0.001
# (pathspec) Colon-separated paths in which Ansible will search for Inventory Plugins.
;inventory_plugins=/Users/fabioisti/.ansible/plugins/inventory:/usr/share/ansible/plugins/inventory
# (string) This is a developer-specific feature that allows enabling additional Jinja2 extensions.
# See the Jinja2 documentation for details. If you do not know what these do, you probably don't need to change this setting :)
;jinja2_extensions=[]
# (boolean) This option preserves variable types during template operations.
;jinja2_native=False
# (boolean) Enables/disables the cleaning up of the temporary files Ansible used to execute the tasks on the remote.
# If this option is enabled it will disable ``ANSIBLE_PIPELINING``.
;keep_remote_files=False
# (boolean) Controls whether callback plugins are loaded when running /usr/bin/ansible. This may be used to log activity from the command line, send notifications, and so on. Callback plugins are always loaded for ``ansible-playbook``.
;bin_ansible_callbacks=False
# (tmppath) Temporary directory for Ansible to use on the controller.
;local_tmp=/Users/fabioisti/.ansible/tmp
# (list) List of logger names to filter out of the log file.
;log_filter=
# (path) File to which Ansible will log on the controller.
# When not set the logging is disabled.
;log_path=
# (pathspec) Colon-separated paths in which Ansible will search for Lookup Plugins.
;lookup_plugins=/Users/fabioisti/.ansible/plugins/lookup:/usr/share/ansible/plugins/lookup
# (string) Sets the macro for the 'ansible_managed' variable available for :ref:`ansible_collections.ansible.builtin.template_module` and :ref:`ansible_collections.ansible.windows.win_template_module`. This is only relevant to those two modules.
;ansible_managed=Ansible managed
# (string) This sets the default arguments to pass to the ``ansible`` adhoc binary if no ``-a`` is specified.
;module_args=
# (string) Compression scheme to use when transferring Python modules to the target.
;module_compression=ZIP_DEFLATED
# (string) Module to use with the ``ansible`` AdHoc command, if none is specified via ``-m``.
;module_name=command
# (pathspec) Colon-separated paths in which Ansible will search for Modules.
;library=/Users/fabioisti/.ansible/plugins/modules:/usr/share/ansible/plugins/modules
# (pathspec) Colon-separated paths in which Ansible will search for Module utils files, which are shared by modules.
;module_utils=/Users/fabioisti/.ansible/plugins/module_utils:/usr/share/ansible/plugins/module_utils
# (pathspec) Colon-separated paths in which Ansible will search for Netconf Plugins.
;netconf_plugins=/Users/fabioisti/.ansible/plugins/netconf:/usr/share/ansible/plugins/netconf
# (boolean) Toggle Ansible's display and logging of task details, mainly used to avoid security disclosures.
;no_log=False
# (boolean) Toggle Ansible logging to syslog on the target when it executes tasks. On Windows hosts, this will disable a newer style PowerShell modules from writing to the event log.
;no_target_syslog=False
# (raw) What templating should return as a 'null' value. When not set it will let Jinja2 decide.
;null_representation=
# (integer) For asynchronous tasks in Ansible (covered in Asynchronous Actions and Polling), this is how often to check back on the status of those tasks when an explicit poll interval is not supplied. The default is a reasonably moderate 15 seconds which is a tradeoff between checking in frequently and providing a quick turnaround when something may have completed.
;poll_interval=15
# (path) Option for connections using a certificate or key file to authenticate, rather than an agent or passwords, you can set the default value here to avoid re-specifying ``--private-key`` with every invocation.
;private_key_file=
# (boolean) By default, imported roles publish their variables to the play and other roles, this setting can avoid that.
# This was introduced as a way to reset role variables to default values if a role is used more than once in a playbook.
# Starting in version '2.17' M(ansible.builtin.include_roles) and M(ansible.builtin.import_roles) can individually override this via the C(public) parameter.
# Included roles only make their variables public at execution, unlike imported roles which happen at playbook compile time.
;private_role_vars=False
# (integer) Port to use in remote connections, when blank it will use the connection plugin default.
;remote_port=
# (string) Sets the login user for the target machines
# When blank it uses the connection plugin's default, normally the user currently executing Ansible.
;remote_user=
# (pathspec) Colon-separated paths in which Ansible will search for Roles.
;roles_path=/Users/fabioisti/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles
# (string) Set the main callback used to display Ansible output. You can only have one at a time.
# You can have many other callbacks, but just one can be in charge of stdout.
# See :ref:`callback_plugins` for a list of available options.
;stdout_callback=default
# (string) Set the default strategy used for plays.
;strategy=linear
# (pathspec) Colon-separated paths in which Ansible will search for Strategy Plugins.
;strategy_plugins=/Users/fabioisti/.ansible/plugins/strategy:/usr/share/ansible/plugins/strategy
# (boolean) Toggle the use of "su" for tasks.
;su=False
# (string) Syslog facility to use when Ansible logs to the remote target.
;syslog_facility=LOG_USER
# (pathspec) Colon-separated paths in which Ansible will search for Terminal Plugins.
;terminal_plugins=/Users/fabioisti/.ansible/plugins/terminal:/usr/share/ansible/plugins/terminal
# (pathspec) Colon-separated paths in which Ansible will search for Jinja2 Test Plugins.
;test_plugins=/Users/fabioisti/.ansible/plugins/test:/usr/share/ansible/plugins/test
# (integer) This is the default timeout for connection plugins to use.
;timeout=10
# (string) Can be any connection plugin available to your ansible installation.
# There is also a (DEPRECATED) special 'smart' option, that will toggle between 'ssh' and 'paramiko' depending on controller OS and ssh versions.
;transport=ssh
# (boolean) When True, this causes ansible templating to fail steps that reference variable names that are likely typoed.
# Otherwise, any '{{ template_expression }}' that contains undefined variables will be rendered in a template or ansible action line exactly as written.
;error_on_undefined_vars=True
# (pathspec) Colon-separated paths in which Ansible will search for Vars Plugins.
;vars_plugins=/Users/fabioisti/.ansible/plugins/vars:/usr/share/ansible/plugins/vars
# (string) The vault_id to use for encrypting by default. If multiple vault_ids are provided, this specifies which to use for encryption. The ``--encrypt-vault-id`` CLI option overrides the configured value.
;vault_encrypt_identity=
# (string) The label to use for the default vault id label in cases where a vault id label is not provided.
;vault_identity=default
# (list) A list of vault-ids to use by default. Equivalent to multiple ``--vault-id`` args. Vault-ids are tried in order.
;vault_identity_list=
# (string) If true, decrypting vaults with a vault id will only try the password from the matching vault-id.
;vault_id_match=False
# (path) The vault password file to use. Equivalent to ``--vault-password-file`` or ``--vault-id``.
# If executable, it will be run and the resulting stdout will be used as the password.
;vault_password_file=
# (integer) Sets the default verbosity, equivalent to the number of ``-v`` passed in the command line.
;verbosity=0
# (boolean) Toggle to control the showing of deprecation warnings
;deprecation_warnings=True
# (boolean) Toggle to control showing warnings related to running devel.
;devel_warning=True
# (boolean) Normally ``ansible-playbook`` will print a header for each task that is run. These headers will contain the name: field from the task if you specified one. If you didn't then ``ansible-playbook`` uses the task's action to help you tell which task is presently running. Sometimes you run many of the same action and so you want more information about the task to differentiate it from others of the same action. If you set this variable to True in the config then ``ansible-playbook`` will also include the task's arguments in the header.
# This setting defaults to False because there is a chance that you have sensitive values in your parameters and you do not want those to be printed.
# If you set this to True you should be sure that you have secured your environment's stdout (no one can shoulder surf your screen and you aren't saving stdout to an insecure file) or made sure that all of your playbooks explicitly added the ``no_log: True`` parameter to tasks that have sensitive values :ref:`keep_secret_data` for more information.
;display_args_to_stdout=False
# (boolean) Toggle to control displaying skipped task/host entries in a task in the default callback.
;display_skipped_hosts=True
# (string) Root docsite URL used to generate docs URLs in warning/error text; must be an absolute URL with a valid scheme and trailing slash.
;docsite_root_url=https://docs.ansible.com/ansible-core/
# (pathspec) Colon-separated paths in which Ansible will search for Documentation Fragments Plugins.
;doc_fragment_plugins=/Users/fabioisti/.ansible/plugins/doc_fragments:/usr/share/ansible/plugins/doc_fragments
# (string) By default, Ansible will issue a warning when a duplicate dict key is encountered in YAML.
# These warnings can be silenced by adjusting this setting to False.
;duplicate_dict_key=warn
# (string) for the cases in which Ansible needs to return a file within an editor, this chooses the application to use.
;editor=vi
# (boolean) Whether or not to enable the task debugger, this previously was done as a strategy plugin.
# Now all strategy plugins can inherit this behavior. The debugger defaults to activating when
# a task is failed on unreachable. Use the debugger keyword for more flexibility.
;enable_task_debugger=False
# (boolean) Toggle to allow missing handlers to become a warning instead of an error when notifying.
;error_on_missing_handler=True
# (list) Which modules to run during a play's fact gathering stage, using the default of 'smart' will try to figure it out based on connection type.
# If adding your own modules but you still want to use the default Ansible facts, you will want to include 'setup' or corresponding network module to the list (if you add 'smart', Ansible will also figure it out).
# This does not affect explicit calls to the 'setup' module, but does always affect the 'gather_facts' action (implicit or explicit).
facts_modules=smart
# (boolean) Set this to "False" if you want to avoid host key checking by the underlying connection plugin Ansible uses to connect to the host.
# Please read the documentation of the specific connection plugin used for details.
host_key_checking=False
# (boolean) Facts are available inside the `ansible_facts` variable, this setting also pushes them as their own vars in the main namespace.
# Unlike inside the `ansible_facts` dictionary where the prefix `ansible_` is removed from fact names, these will have the exact names that are returned by the module.
;inject_facts_as_vars=True
# (string) Path to the Python interpreter to be used for module execution on remote targets, or an automatic discovery mode. Supported discovery modes are ``auto`` (the default), ``auto_silent``, ``auto_legacy``, and ``auto_legacy_silent``. All discovery modes employ a lookup table to use the included system Python (on distributions known to include one), falling back to a fixed ordered list of well-known Python interpreter locations if a platform-specific default is not available. The fallback behavior will issue a warning that the interpreter should be set explicitly (since interpreters installed later may change which one is used). This warning behavior can be disabled by setting ``auto_silent`` or ``auto_legacy_silent``. The value of ``auto_legacy`` provides all the same behavior, but for backward-compatibility with older Ansible releases that always defaulted to ``/usr/bin/python``, will use that interpreter if present.
interpreter_python=auto_silent
# (boolean) If 'false', invalid attributes for a task will result in warnings instead of errors.
;invalid_task_attribute_failed=True
# (boolean) By default, Ansible will issue a warning when there are no hosts in the inventory.
# These warnings can be silenced by adjusting this setting to False.
;localhost_warning=True
# (int) This will set log verbosity if higher than the normal display verbosity, otherwise it will match that.
;log_verbosity=
# (int) Maximum size of files to be considered for diff display.
;max_diff_size=104448
# (list) List of extensions to ignore when looking for modules to load.
# This is for rejecting script and binary module fallback extensions.
;module_ignore_exts=.pyc, .pyo, .swp, .bak, ~, .rpm, .md, .txt, .rst, .yaml, .yml, .ini
# (bool) Enables whether module responses are evaluated for containing non-UTF-8 data.
# Disabling this may result in unexpected behavior.
# Only ansible-core should evaluate this configuration.
;module_strict_utf8_response=True
# (list) TODO: write it
;network_group_modules=eos, nxos, ios, iosxr, junos, enos, ce, vyos, sros, dellos9, dellos10, dellos6, asa, aruba, aireos, bigip, ironware, onyx, netconf, exos, voss, slxos
# (boolean) Previously Ansible would only clear some of the plugin loading caches when loading new roles, this led to some behaviors in which a plugin loaded in previous plays would be unexpectedly 'sticky'. This setting allows the user to return to that behavior.
;old_plugin_cache_clear=False
# (string) for the cases in which Ansible needs to return output in a pageable fashion, this chooses the application to use.
;pager=less
# (path) A number of non-playbook CLIs have a ``--playbook-dir`` argument; this sets the default value for it.
;playbook_dir=
# (string) This sets which playbook dirs will be used as a root to process vars plugins, which includes finding host_vars/group_vars.
;playbook_vars_root=top
# (path) A path to configuration for filtering which plugins installed on the system are allowed to be used.
# See :ref:`plugin_filtering_config` for details of the filter file's format.
# The default is /etc/ansible/plugin_filters.yml
;plugin_filters_cfg=
# (string) Attempts to set RLIMIT_NOFILE soft limit to the specified value when executing Python modules (can speed up subprocess usage on Python 2.x. See https://bugs.python.org/issue11284). The value will be limited by the existing hard limit. Default value of 0 does not attempt to adjust existing system-defined limits.
;python_module_rlimit_nofile=0
# (bool) This controls whether a failed Ansible playbook should create a .retry file.
;retry_files_enabled=False
# (path) This sets the path in which Ansible will save .retry files when a playbook fails and retry files are enabled.
# This file will be overwritten after each run with the list of failed hosts from all plays.
;retry_files_save_path=
# (str) This setting can be used to optimize vars_plugin usage depending on the user's inventory size and play selection.
;run_vars_plugins=demand
# (bool) This adds the custom stats set via the set_stats plugin to the default output.
;show_custom_stats=False
# (string) Action to take when a module parameter value is converted to a string (this does not affect variables). For string parameters, values such as '1.00', "['a', 'b',]", and 'yes', 'y', etc. will be converted by the YAML parser unless fully quoted.
# Valid options are 'error', 'warn', and 'ignore'.
# Since 2.8, this option defaults to 'warn' but will change to 'error' in 2.12.
;string_conversion_action=warn
# (boolean) Allows disabling of warnings related to potential issues on the system running Ansible itself (not on the managed hosts).
# These may include warnings about third-party packages or other conditions that should be resolved if possible.
;system_warnings=True
# (string) A string to insert into target logging for tracking purposes
;target_log_info=
# (boolean) This option defines whether the task debugger will be invoked on a failed task when ignore_errors=True is specified.
# True specifies that the debugger will honor ignore_errors, and False will not honor ignore_errors.
;task_debugger_ignore_errors=True
# (integer) Set the maximum time (in seconds) for a task action to execute in.
# Timeout runs independently from templating or looping. It applies per each attempt of executing the task's action and remains unchanged by the total time spent on a task.
# When the action execution exceeds the timeout, Ansible interrupts the process. This is registered as a failure due to outside circumstances, not a task failure, to receive appropriate response and recovery process.
# If set to 0 (the default) there is no timeout.
;task_timeout=0
# (string) Make ansible transform invalid characters in group names supplied by inventory sources.
;force_valid_group_names=never
# (boolean) Toggles the use of persistence for connections.
;use_persistent_connections=False
# (bool) A toggle to disable validating a collection's 'metadata' entry for a module_defaults action group. Metadata containing unexpected fields or value types will produce a warning when this is True.
;validate_action_group_metadata=True
# (list) Accept list for variable plugins that require it.
;vars_plugins_enabled=host_group_vars
# (list) Allows to change the group variable precedence merge order.
;precedence=all_inventory, groups_inventory, all_plugins_inventory, all_plugins_play, groups_plugins_inventory, groups_plugins_play
# (string) The salt to use for the vault encryption. If it is not provided, a random salt will be used.
;vault_encrypt_salt=
# (bool) Force 'verbose' option to use stderr instead of stdout
;verbose_to_stderr=False
# (integer) For asynchronous tasks in Ansible (covered in Asynchronous Actions and Polling), this is how long, in seconds, to wait for the task spawned by Ansible to connect back to the named pipe used on Windows systems. The default is 5 seconds. This can be too low on slower systems, or systems under heavy load.
# This is not the total time an async command can run for, but is a separate timeout to wait for an async command to start. The task will only start to be timed against its async_timeout once it has connected to the pipe, so the overall maximum duration the task can take will be extended by the amount specified here.
;win_async_startup_timeout=5
# (list) Check all of these extensions when looking for 'variable' files which should be YAML or JSON or vaulted versions of these.
# This affects vars_files, include_vars, inventory and vars plugins among others.
;yaml_valid_extensions=.yml, .yaml, .json
[privilege_escalation]
# (boolean) Display an agnostic become prompt instead of displaying a prompt containing the command line supplied become method.
;agnostic_become_prompt=True
# (boolean) When ``False``(default), Ansible will skip using become if the remote user is the same as the become user, as this is normally a redundant operation. In other words root sudo to root.
# If ``True``, this forces Ansible to use the become plugin anyways as there are cases in which this is needed.
;become_allow_same_user=False
# (boolean) Toggles the use of privilege escalation, allowing you to 'become' another user after login.
;become=False
# (boolean) Toggle to prompt for privilege escalation password.
;become_ask_pass=False
# (string) executable to use for privilege escalation, otherwise Ansible will depend on PATH.
;become_exe=
# (string) Flags to pass to the privilege escalation executable.
;become_flags=
# (string) Privilege escalation method to use when `become` is enabled.
;become_method=sudo
# (string) The user your login/remote user 'becomes' when using privilege escalation, most systems will use 'root' when no user is specified.
;become_user=root
[persistent_connection]
# (path) Specify where to look for the ansible-connection script. This location will be checked before searching $PATH.
# If null, ansible will start with the same directory as the ansible script.
;ansible_connection_path=
# (int) This controls the amount of time to wait for a response from a remote device before timing out a persistent connection.
;command_timeout=30
# (integer) This controls the retry timeout for persistent connection to connect to the local domain socket.
;connect_retry_timeout=15
# (integer) This controls how long the persistent connection will remain idle before it is destroyed.
;connect_timeout=30
# (path) Path to the socket to be used by the connection persistence system.
;control_path_dir=/Users/fabioisti/.ansible/pc
[connection]
# (boolean) This is a global option, each connection plugin can override either by having more specific options or not supporting pipelining at all.
# Pipelining, if supported by the connection plugin, reduces the number of network operations required to execute a module on the remote server, by executing many Ansible modules without actual file transfer.
# It can result in a very significant performance improvement when enabled.
# However this conflicts with privilege escalation (become). For example, when using 'sudo:' operations you must first disable 'requiretty' in /etc/sudoers on all managed hosts, which is why it is disabled by default.
# This setting will be disabled if ``ANSIBLE_KEEP_REMOTE_FILES`` is enabled.
;pipelining=False
[colors]
# (string) Defines the color to use on 'Changed' task status.
;changed=yellow
# (string) Defines the default color to use for ansible-console.
;console_prompt=white
# (string) Defines the color to use when emitting debug messages.
;debug=dark gray
# (string) Defines the color to use when emitting deprecation messages.
;deprecate=purple
# (string) Defines the color to use when showing added lines in diffs.
;diff_add=green
# (string) Defines the color to use when showing diffs.
;diff_lines=cyan
# (string) Defines the color to use when showing removed lines in diffs.
;diff_remove=red
# (string) Defines the color to use when emitting a constant in the ansible-doc output.
;doc_constant=dark gray
# (string) Defines the color to use when emitting a deprecated value in the ansible-doc output.
;doc_deprecated=magenta
# (string) Defines the color to use when emitting a link in the ansible-doc output.
;doc_link=cyan
# (string) Defines the color to use when emitting a module name in the ansible-doc output.
;doc_module=yellow
# (string) Defines the color to use when emitting a plugin name in the ansible-doc output.
;doc_plugin=yellow
# (string) Defines the color to use when emitting cross-reference in the ansible-doc output.
;doc_reference=magenta
# (string) Defines the color to use when emitting error messages.
;error=red
# (string) Defines the color to use for highlighting.
;highlight=white
# (string) Defines the color to use when showing 'Included' task status.
;included=cyan
# (string) Defines the color to use when showing 'OK' task status.
;ok=green
# (string) Defines the color to use when showing 'Skipped' task status.
;skip=cyan
# (string) Defines the color to use on 'Unreachable' status.
;unreachable=bright red
# (string) Defines the color to use when emitting verbose messages. In other words, those that show with '-v's.
;verbose=blue
# (string) Defines the color to use when emitting warning messages.
;warn=bright purple
[selinux]
# (boolean) This setting causes libvirt to connect to LXC containers by passing ``--noseclabel`` parameter to ``virsh`` command. This is necessary when running on systems which do not have SELinux.
;libvirt_lxc_noseclabel=False
# (list) Some filesystems do not support safe operations and/or return inconsistent errors, this setting makes Ansible 'tolerate' those in the list without causing fatal errors.
# Data corruption may occur and writes are not always verified when a filesystem is in the list.
;special_context_filesystems=fuse, nfs, vboxsf, ramfs, 9p, vfat
[diff]
# (bool) Configuration toggle to tell modules to show differences when in 'changed' status, equivalent to ``--diff``.
;always=False
# (integer) Number of lines of context to show when displaying the differences between files.
;context=3
[galaxy]
# (path) The directory that stores cached responses from a Galaxy server.
# This is only used by the ``ansible-galaxy collection install`` and ``download`` commands.
# Cache files inside this dir will be ignored if they are world writable.
;cache_dir=/Users/fabioisti/.ansible/galaxy_cache
# (bool) whether ``ansible-galaxy collection install`` should warn about ``--collections-path`` missing from configured :ref:`collections_paths`.
;collections_path_warning=True
# (path) Collection skeleton directory to use as a template for the ``init`` action in ``ansible-galaxy collection``, same as ``--collection-skeleton``.
;collection_skeleton=
# (list) patterns of files to ignore inside a Galaxy collection skeleton directory.
;collection_skeleton_ignore=^.git$, ^.*/.git_keep$
# (bool) Disable GPG signature verification during collection installation.
;disable_gpg_verify=False
# (bool) Some steps in ``ansible-galaxy`` display a progress wheel which can cause issues on certain displays or when outputting the stdout to a file.
# This config option controls whether the display wheel is shown or not.
# The default is to show the display wheel if stdout has a tty.
;display_progress=
# (path) Configure the keyring used for GPG signature verification during collection installation and verification.
;gpg_keyring=
# (boolean) If set to yes, ansible-galaxy will not validate TLS certificates. This can be useful for testing against a server with a self-signed certificate.
;ignore_certs=
# (list) A list of GPG status codes to ignore during GPG signature verification. See L(https://github.com/gpg/gnupg/blob/master/doc/DETAILS#general-status-codes) for status code descriptions.
# If fewer signatures successfully verify the collection than `GALAXY_REQUIRED_VALID_SIGNATURE_COUNT`, signature verification will fail even if all error codes are ignored.
;ignore_signature_status_codes=
# (str) The number of signatures that must be successful during GPG signature verification while installing or verifying collections.
# This should be a positive integer or all to indicate all signatures must successfully validate the collection.
# Prepend + to the value to fail if no valid signatures are found for the collection.
;required_valid_signature_count=1
# (path) Role skeleton directory to use as a template for the ``init`` action in ``ansible-galaxy``/``ansible-galaxy role``, same as ``--role-skeleton``.
;role_skeleton=
# (list) patterns of files to ignore inside a Galaxy role or collection skeleton directory.
;role_skeleton_ignore=^.git$, ^.*/.git_keep$
# (string) URL to prepend when roles don't specify the full URI, assume they are referencing this server as the source.
;server=https://galaxy.ansible.com
# (list) A list of Galaxy servers to use when installing a collection.
# The value corresponds to the config ini header ``[galaxy_server.{{item}}]`` which defines the server details.
# See :ref:`galaxy_server_config` for more details on how to define a Galaxy server.
# The order of servers in this list is used as the order in which a collection is resolved.
# Setting this config option will ignore the :ref:`galaxy_server` config option.
;server_list=
# (int) The default timeout for Galaxy API calls. Galaxy servers that don't configure a specific timeout will fall back to this value.
;server_timeout=60
# (path) Local path to galaxy access token file
;token_path=/Users/fabioisti/.ansible/galaxy_token
[inventory]
# (string) This setting changes the behaviour of mismatched host patterns, it allows you to force a fatal error, a warning or just ignore it.
;host_pattern_mismatch=warning
# (boolean) If 'true', it is a fatal error when any given inventory source cannot be successfully parsed by any available inventory plugin; otherwise, this situation only attracts a warning.
;any_unparsed_is_failed=False
# (bool) Toggle to turn on inventory caching.
# This setting has been moved to the individual inventory plugins as a plugin option :ref:`inventory_plugins`.
# The existing configuration settings are still accepted with the inventory plugin adding additional options from inventory configuration.
# This message will be removed in 2.16.
;cache=False
# (string) The plugin for caching inventory.
# This setting has been moved to the individual inventory plugins as a plugin option :ref:`inventory_plugins`.
# The existing configuration settings are still accepted with the inventory plugin adding additional options from inventory and fact cache configuration.
# This message will be removed in 2.16.
;cache_plugin=
# (string) The inventory cache connection.
# This setting has been moved to the individual inventory plugins as a plugin option :ref:`inventory_plugins`.
# The existing configuration settings are still accepted with the inventory plugin adding additional options from inventory and fact cache configuration.
# This message will be removed in 2.16.
;cache_connection=
# (string) The table prefix for the cache plugin.
# This setting has been moved to the individual inventory plugins as a plugin option :ref:`inventory_plugins`.
# The existing configuration settings are still accepted with the inventory plugin adding additional options from inventory and fact cache configuration.
# This message will be removed in 2.16.
;cache_prefix=ansible_inventory_
# (string) Expiration timeout for the inventory cache plugin data.
# This setting has been moved to the individual inventory plugins as a plugin option :ref:`inventory_plugins`.
# The existing configuration settings are still accepted with the inventory plugin adding additional options from inventory and fact cache configuration.
# This message will be removed in 2.16.
;cache_timeout=3600
# (list) List of enabled inventory plugins, it also determines the order in which they are used.
;enable_plugins=host_list, script, auto, yaml, ini, toml
# (bool) Controls if ansible-inventory will accurately reflect Ansible's view into inventory or its optimized for exporting.
;export=False
# (list) List of extensions to ignore when using a directory as an inventory source.
;ignore_extensions=.pyc, .pyo, .swp, .bak, ~, .rpm, .md, .txt, .rst, .orig, .ini, .cfg, .retry
# (list) List of patterns to ignore when using a directory as an inventory source.
;ignore_patterns=
# (bool) If 'true' it is a fatal error if every single potential inventory source fails to parse, otherwise, this situation will only attract a warning.
;unparsed_is_failed=False
# (boolean) By default, Ansible will issue a warning when no inventory was loaded and notes that it will use an implicit localhost-only inventory.
# These warnings can be silenced by adjusting this setting to False.
;inventory_unparsed_warning=True
[netconf_connection]
# (string) This variable is used to enable bastion/jump host with netconf connection. If set to True the bastion/jump host ssh settings should be present in ~/.ssh/config file, alternatively it can be set to custom ssh configuration file path to read the bastion/jump host settings.
;ssh_config=
[paramiko_connection]
# (boolean) TODO: write it
;host_key_auto_add=False
# (boolean) TODO: write it
;look_for_keys=True
[jinja2]
# (list) This list of filters avoids 'type conversion' when templating variables.
# Useful when you want to avoid conversion into lists or dictionaries for JSON strings, for example.
;dont_type_filters=string, to_json, to_nice_json, to_yaml, to_nice_yaml, ppretty, json
[tags]
# (list) default list of tags to run in your plays, Skip Tags has precedence.
;run=
# (list) default list of tags to skip in your plays, has precedence over Run Tags
;skip=

8
ansible/inventories/automotive.yaml
View File

@ -1,8 +0,0 @@
---
automotive:
children:
web:
hosts:
automotive.sse.cloud.isti.cnr.it:
ansible_host: 146.48.29.251
#automotive2.sse.cloud.isti.cnr.it:

13
ansible/inventories/externals.yml
View File

@ -1,13 +0,0 @@
externals:
children:
rup_tests:
hosts:
liquid:
ansible_host: 146.48.108.15
nextrup_copy_test:
ansible_host: 146.48.108.16
misc_tests:
hosts:
bigbrain:
ansible_host: 146.48.108.14

3
ansible/inventories/group_vars/all/all.yml
View File

@ -1,3 +0,0 @@
ansible_user: ansible
#ansible_password: "{{ ansible_crypted_password }}"
ansible_python_interpreter: /usr/bin/python3

14
ansible/inventories/group_vars/all/vault.yaml
View File

@ -1,14 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
31646131636537653763323564346131333639656663326334316561633266333335623331383034
3163376161306433323865646334373931393638363663360a666562373631373365623932613031
37343563333730303535393636373533643734656462313631626130326134363031353263356133
3266333534323539650a613262613434636162633536353963366161623438663437636138393036
35666136623034333265313664663266353666396334663135333234313835663735306631363137
61633638313530373562633135333939333863303339343532656236353431343237303663373430
37623339643232666335343437393966303231386235626439306438313439363939663564333539
38346665356638373265346633303031356333303862626139346432633237663330333930646630
34663236326462386634326435373134666663613633323932383338616662333438623565366536
63633439616137383438636637623135623339303736353364313462303062383331373164353632
31653337653938306164653235656662343266316238326230393733303031366532643166646263
33653934396131626330656432643164616136323831353835656538363131313934346234336561
3363

39
ansible/inventories/group_vars/automotive/automotive.yaml
View File

@ -1,39 +0,0 @@
---
#Common Docker
docker_network_name: wp_net
docker_base_volume_path: /usr/data/wp
# MYSQL Docker
mysql_docker_tag: 9.7.0
docker_mysql_hostname: web_db
db_name: automotive_test_db
db_user: automotive_test_db_u
db_password: "{{ automotive_mysql_user_password }}"
db_root_password: "{{ automotive_mysql_root_password }}"
#NGINX Docker
nginx_docker_tag: 1.31.1
nginx_server_name: automotive.sse.cloud.isti.cnr.it
ssl: true
#WORDPRESS Docker
wordpress_docker_tag: 7.0.0-php8.2-apache
docker_wordpress_hostname: automotive_test
#CERTBOT for letsencrypt
certbot_create_method: webroot
certbot_create_if_missing: true
certbot_admin_email: fabio.sinibaldi@isti.cnr.it
certbot_webroot: "{{ docker_base_volume_path }}/wordpress"
certbot_certs:
- name: "automotive"
domains:
- "{{ nginx_server_name }}"
#Certbot verbose level
certbot_create_extra_args: "-v"
certbot_testmode: false

117
ansible/inventories/group_vars/nameserver/sifi.yaml
View File

@ -1,117 +0,0 @@
bind_allow_query:
- "any"
bind_listen:
ipv4:
- port: 53
addresses:
- "127.0.0.1"
- "146.48.108.51"
- port: 5353
addresses:
- "127.0.1.1"
bind_zones:
- name: 'sifi.isti.cnr.it'
# default: primary [primary, secondary, forward]
# type: primary
# create_forward_zones: true
# Skip creation of reverse zones
# create_reverse_zones: false
# fpr type: secondary
primaries:
- 146.48.108.51
networks:
- '146.48.108'
#ipv6_networks:
# - '2001:db9::/48'
name_servers:
- ns1.sifi.isti.cnr.it.
# hostmaster_email: admin
#
#allow_updates:
# - "10.0.1.2"
# - 'key "external-dns"'
#allow_transfers:
# - 'key "external-dns"'
hosts:
- name: ns1
ip: 146.48.108.51
- name: bigbrain
ip: 146.48.108.14
- name: wireguarder
ip: 146.48.108.13
#ipv6: '2001:db9::1'
#mail_servers:
# - name: mail001
# preference: 10
bind_logging:
enable: true
channels:
- channel: general
file: "data/general.log"
versions: 3
size: 10M
print_time: true # true | false
print_category: true
print_severity: true
severity: dynamic # critical | error | warning | notice | info | debug [level] | dynamic
- channel: query
file: "data/query.log"
versions: 5
size: 10M
print_time: "" # true | false
severity: info #
- channel: dnssec
file: "data/dnssec.log"
versions: 5
size: 10M
print_time: "" # true | false
severity: info #
- channel: notify
file: "data/notify.log"
versions: 5
size: 10M
print_time: "" # true | false
severity: info #
- channel: transfers
file: "data/transfers.log"
versions: 5
size: 10M
print_time: "" # true | false
severity: info #
- channel: slog
syslog: security # kern | user | mail | daemon | auth | syslog | lpr |
# news | uucp | cron | authpriv | ftp |
# local0 | local1 | local2 | local3 |
# local4 | local5 | local6 | local7
# file: "data/transfers.log"
#versions: 5
#size: 10M
print_time: "" # true | false
severity: info #
categories:
"xfer-out":
- transfers
- slog
"xfer-in":
- transfers
- slog
notify:
- notify
"lame-servers":
- general
config:
- general
default:
- general
security:
- general
- slog
dnssec:
- dnssec
queries:
- query

79
ansible/inventories/group_vars/sifi/SIFI_CA.pem
View File

@ -1,79 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIELzCCAxegAwIBAgIBADANBgkqhkiG9w0BAQsFADCBijELMAkGA1UEBhMCSVQx
EDAOBgNVBAgMB1R1c2NhbnkxDTALBgNVBAcMBFBpc2ExDTALBgNVBAoMBElTVEkx
DTALBgNVBAsMBFNJRkkxKjAoBgkqhkiG9w0BCQEWG2ZhYmlvLnNpbmliYWxkaUBp
c3RpLmNuci5pdDEQMA4GA1UEAwwHcm9vdC1jYTAeFw0yNjA0MjAxMjU3MjVaFw0y
ODA3MjMxMjU3MjVaMIGKMQswCQYDVQQGEwJJVDEQMA4GA1UECAwHVHVzY2FueTEN
MAsGA1UEBwwEUGlzYTENMAsGA1UECgwESVNUSTENMAsGA1UECwwEU0lGSTEqMCgG
CSqGSIb3DQEJARYbZmFiaW8uc2luaWJhbGRpQGlzdGkuY25yLml0MRAwDgYDVQQD
DAdyb290LWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq1A22Q0X
nJAwlbbkFr5/L6THhkquWakWs8/AJx5iIYZEXI7BkxU2R1qtUdfMp36ifwb4nmVZ
6WCzl9WzYqZqSZN79dtzENT5Y+Kwy9cGCHcEK6jZ//5w+Uqlad3wwnQq3UubN4m6
cmolg8pY6xqVjOK2AptrEIGc557JX3kujFci2n0Db3yzDtOJh7cTV7d/duCgX8el
zZBGLB47HXsVpy2cb70iyqC/CWGgCuYmXDNujzrhabboi8HA88IbqnY4jx5T1d0f
R7IuWXX+fG0D8fEiL/wqTNFk+rAGfTAyx3JPGtDhfHn+sXeUirh8n694sMU5WRWW
jd3b64/JaDdXBwIDAQABo4GdMIGaMDcGCWCGSAGG+EIBDQQqFihPUE5zZW5zZSBH
ZW5lcmF0ZWQgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBShuiplNRfk
tfYS+JhEaZlrc2zWaTAfBgNVHSMEGDAWgBShuiplNRfktfYS+JhEaZlrc2zWaTAP
BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOC
AQEAWV2VrUz8Gl2QjZNNKaovWpAboJXzqlhLyQncRm5Pb5iZ9IbEUVhb68L65QYm
POFeetUyef1OgPqZ1cr8+ihiqTb6IXZqOhtOTZWBiyD+RX8UmvBN86uX7jkbvbQL
AteTdm9K2n0DKhjjk12D3FK+6WUO2NiwfMBL8EDzt9vzf3SxTRgPCc9A4Wud35Y1
MErGUfrGoq3QzQtNevfQ3+qopLF+tCbNdfKpXEFRPfDbzEIlzIPfc8uRKq5XueW9
RVFUgoXJ0bJlcvncyGEBCjrPYUCld/i2oKvE+50qEkCWgci3cEDev6/p5W7dDiA2
BKjq45LlfNj/1ZBQDE8U2QLIBA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEKDCCAxCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBijELMAkGA1UEBhMCSVQx
EDAOBgNVBAgMB1R1c2NhbnkxDTALBgNVBAcMBFBpc2ExDTALBgNVBAoMBElTVEkx
DTALBgNVBAsMBFNJRkkxKjAoBgkqhkiG9w0BCQEWG2ZhYmlvLnNpbmliYWxkaUBp
c3RpLmNuci5pdDEQMA4GA1UEAwwHcm9vdC1jYTAeFw0yNjA0MjAxMzAwMjhaFw0y
ODA3MjMxMzAwMjhaMIGDMQswCQYDVQQGEwJJVDEQMA4GA1UECAwHVHVzY2FueTEN
MAsGA1UEBwwEUGlzYTENMAsGA1UECgwESVNUSTEqMCgGCSqGSIb3DQEJARYbZmFi
aW8uc2luaWJhbGRpQGlzdGkuY25yLml0MRgwFgYDVQQDDA9pbnRlcm1lZGlhdGUt
Y2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJssRmE4uoIBTp7j7L
XStVzuO4vuBwTWVlQy+5CJVG7Yt4tkKZ1pkkn3xBbdpSbHxleDmUfP7eKXUe6cWo
Jv1aCQ4DbZMGOseo6OXQ3fBIjbp+f9pYtEEQkUCFz6PV3CwFnzFIjjKxjsPN6gXE
ZtAe/zo9zAc/fqySFVxYgBvBYz8UhMJ7VzU+sna84ojbYSleF3CzPKrN6dmWj0uq
o6o7EWLxUPVEnNlSpYfWp9SO1Hcouu9Fj15BSVUZFZLdsxI7S9UnraqFwXxf0eBl
/0zm97DSkOwdj2BmXaeGvrOZmfwln7vO5HRUZq1/VFcu81hUgr6H9zVTwRJbrbdO
42y1AgMBAAGjgZ0wgZowNwYJYIZIAYb4QgENBCoWKE9QTnNlbnNlIEdlbmVyYXRl
ZCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHQYDVR0OBBYEFCAPopFmSzDWL0TM+aS9
Oxr/Df2QMB8GA1UdIwQYMBaAFKG6KmU1F+S19hL4mERpmWtzbNZpMA8GA1UdEwEB
/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQCJId+d
X6IbDzguLM3nSBGwvTSVtvNHXAnZQxqXW7DQCF12i8rvGXndMgZ2JwxA8p3Ljcyf
eZoxBKDp1ftehtWxipIguX0DSC8R3SwsFBr7yBbmpMHDGlGqWtQnDpv6bSDRtCAp
f13B+6AVx8XtT6MNJuOAGue/4kzwi/xkWWMJVNXoKFSw6qOH5IhOiJnYWpasx7LK
nJ/O8Q8fKIVp/Ganmc4NdCArM9dHipt8HXAiqYNW02RSLOrCp6E7pQRLB3R8TZoj
NXvDjwKXb3CXwZRLbytm+egu+Oml6Bdb9wC7y4QHLV6JBIKvMMI/6aOhgLeFVI7v
K9idaANxrsZPFQ7i
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIExzCCA6+gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCSVQx
EDAOBgNVBAgMB1R1c2NhbnkxDTALBgNVBAcMBFBpc2ExDTALBgNVBAoMBElTVEkx
KjAoBgkqhkiG9w0BCQEWG2ZhYmlvLnNpbmliYWxkaUBpc3RpLmNuci5pdDEYMBYG
A1UEAwwPaW50ZXJtZWRpYXRlLWNhMB4XDTI2MDQyNDA5MjA1OVoXDTI3MDUyNjA5
MjA1OVowaTELMAkGA1UEBhMCSVQxEDAOBgNVBAgMB1R1c2NhbnkxDTALBgNVBAcM
BFBpc2ExDTALBgNVBAoMBElTVEkxKjAoBgkqhkiG9w0BCQEWG2ZhYmlvLnNpbmli
YWxkaUBpc3RpLmNuci5pdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AK74AA1JuHvsT60jCWp+Rp2inBBdlzWlXIS7eAjEmFWr3TApbUZ9W0HPgQ+WuUsA
9I/iiQedGHlaaCjeYGH/kTPkWhpZpCJ3rB+cIcWUlU5UPg+U1E3mwNEFEkJxJ8iB
SN1Fpt+RZemhnZJpZqSKRiQku3XNq56WBfnR0oQ63CJmPsH3+1WJsU5PxHvymcNN
ci3ISvU9rSKtziX61L08Yt20NMd6/HTcORpZZBNS8vSa/2Yk5BMBgrZUXk7/lS0+
hkzgt0omCTU9q7hYXg29Ihdp1YKLOjO+4aM/9POliBn+sIYyBcbY9Y5lqQ0KdsAP
3VofycDNJFJ9JhrANFlqYP8CAwEAAaOCAV0wggFZMAkGA1UdEwQCMAAwEQYJYIZI
AYb4QgEBBAQDAgZAMDQGCWCGSAGG+EIBDQQnFiVPUE5zZW5zZSBHZW5lcmF0ZWQg
U2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBSHLdstzVl5xCb+XT5sj39TGhUS
ADCBtwYDVR0jBIGvMIGsgBQgD6KRZksw1i9EzPmkvTsa/w39kKGBkKSBjTCBijEL
MAkGA1UEBhMCSVQxEDAOBgNVBAgMB1R1c2NhbnkxDTALBgNVBAcMBFBpc2ExDTAL
BgNVBAoMBElTVEkxDTALBgNVBAsMBFNJRkkxKjAoBgkqhkiG9w0BCQEWG2ZhYmlv
LnNpbmliYWxkaUBpc3RpLmNuci5pdDEQMA4GA1UEAwwHcm9vdC1jYYIBAjAdBgNV
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUIAgIwCwYDVR0PBAQDAgWgMA0GCSqGSIb3
DQEBCwUAA4IBAQCsbDfFqTr2+p5cpV7KxAyIqQtT6fo0f0rvJeAglJ38rWSne4Sn
LDfTQmx/bKSf79E/TuoxGoTjsL9TceqPoDbt8TXgxPALBbON2XAah7JFAotAB6dG
kOMbmBiKOghDMPMDriU+zQAFQ/OtjuhzHD0GpciRKyVgC14iDBmeyEgSOEBqH4sp
lxKCJDNjWC2THv8dqLlaE4QlRNcprEiUNJhbxNg39A+PjYKHp5O5epfdMAVpzqC6
wgDww95xKM9xG4YZzpmoUn8sziJ2XTWWiLj9HHSaGcHx3H/QPpSiXM802tEs3gHr
rZI3EjNgrdhHxS7HZuAixXtTDeK4bfuk9n4L
-----END CERTIFICATE-----

12
ansible/inventories/group_vars/wireguard_server/sifi.yaml
View File

@ -1,12 +0,0 @@
---
wg_interface: wg0
wg_port: 51820
#wg_server_public_interface: eth0
wg_server_address: 192.168.99.1/32
#wg_server_private_key: "{{ wg_server_private_key }}"
wg_peers:
- name: fabio_test
publicKey: "dzODOKndtafZSf2GqvClFdxrpwyNJnZ/AsZkNl+ovEE="
allowedIP: "192.168.99.4/32"

2
ansible/inventories/host_vars/inspector.home.arpa.yml
View File

@ -1,2 +0,0 @@
---
ansible_user: clouseau

8
ansible/inventories/host_vars/prox1.yaml
View File

@ -1,8 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
32653362346631356539383863653761626165383165653839343965636363623637396138346163
3239313335343263343265633966353230323663373664640a346234373733303139303139613962
36316132363366376436353936653930326235303937623762636438313138636238613136303930
3866303033613561630a666534326237363162656461336632623966653132656361333565356136
37666536323434323934353362383363643561306136656339663666643764626565666264373761
64306334323632326665386431323965653034393162373331313339653736346136313736626565
663230663364393634306438616133623665

37
ansible/inventories/main_lab.yaml
View File

@ -1,37 +0,0 @@
main_lab_hosts:
children:
lan:
hosts:
edge.home.arpa:
inspector.home.arpa:
god.home.arpa:
swarm:
children:
enabling:
hosts:
enabling[1:3].home.arpa:
swarm_master: true
swarm_drain: false
vars:
swarm_name: enabling
swarm1:
hosts:
swarm1m[1:3].home.arpa:
swarm_master: true
swarm1w[1:4].home.arpa:
vars:
swarm_name: the_swarm
cluster:
hosts:
worker[1:3].home.arpa:
cl1m1.home.arpa:
front:
hosts:
main_lab_edge:
ansible_host: 146.48.108.5
operators:
children:
lan:
enabling:

11
ansible/inventories/production.yaml
View File

@ -1,11 +0,0 @@
prouction_hosts:
children:
public_access:
hosts:
#cloud.reterup.it:
#ansible_host: 146.48.108.17
backups:
ansible_host: 146.48.108.12
ftp_server:
hosts:
backups:

6
ansible/inventories/prox1_lab.yaml
View File

@ -1,6 +0,0 @@
prox1_lab_hosts:
children:
front:
hosts:
prox1_lab_edge:
ansible_host: 146.48.108.11

23
ansible/inventories/sifi.yaml
View File

@ -1,23 +0,0 @@
---
# SIFI
sifi:
children:
opn:
hosts:
sifi_opnsense.sifi.isti.cnr.it:
# ns1.sifi.isti.cnr.it:
# ansible_host: 146.48.108.51 #[WAN public ip]
# ansible_host: 10.20.30.111
wireguard_server:
hosts:
wireguarder.sifi.isti.cnr.it:
# ansible_host: 146.48.108.13
nameserver:
hosts:
ns1.sifi.isti.cnr.it:
ansible_host: 146.48.108.51
# dns1.internal.sifi.isti.cnr.it:
# ansible_host: 10.11.12.11
workers:
hosts:
worker1.internal.sifi.isti.cnr.it:

60
ansible/playbooks/bootstrap.yml
View File

@ -1,60 +0,0 @@
- hosts: all
become: yes
#debugger: on_failed
tasks:
- name: Add the ansible group
group:
name: ansible
gid: 1100
state: present
- name: Add the ansible user as a system user
user:
name: ansible
uid: 1100
group: ansible
# Directly generate hash
# https://www.lisenet.com/2019/ansible-generate-crypted-passwords-for-the-user-module/
password: "{{ ansible_crypted_password | password_hash('sha512') }}"
shell: /bin/bash
# Uncomment to prevent password reset
update_password: on_create
system: yes
home: /home/ansible
state: present
- name: Set ansible user as sudoer
copy:
content: "ansible ALL = (ALL) NOPASSWD:ALL"
dest: /etc/sudoers.d/ansible
owner: root
group: root
mode: 0440
- name: Init cache directory
ansible.builtin.file:
path: /var/cache/ansible
owner: ansible
group: ansible
state: directory
mode: u=rwx,g=rw,o=r
- name: Init etc directory
ansible.builtin.file:
path: /etc/ansible
owner: ansible
group: ansible
state: directory
mode: u=rwx,g=rw,o=r
# Inserts public keys of allowed externals users to log in as ansible
# e.g. fabio
- name: Create the .ssh directory
file: path=/home/ansible/.ssh owner=ansible group=ansible mode=0700 state=directory
- name: Add the mandatory ssh keys to the ansible user
template: src=templates/ansible_auth_keys.j2 dest=/home/ansible/.ssh/authorized_keys owner=ansible group=ansible mode=0644

68
ansible/playbooks/controller.yml
View File

@ -1,68 +0,0 @@
---
# play 1 - local
# check config info from inventory
# play 2
# gather status
# play 3
# bootstrap
# play 4
# join
- name: Tests
hosts: swarm
connection: local
gather_facts: no
vars:
swarm_list: {}
tasks:
- debug: var=hostvars
- name: Gather Swarm info
set_fact:
swarm_list: "{{swarm_list + hostvars[hostname]['swarm_name']}}"
- debug: var=swarm_list
# # show all the hosts in the inventory
# - debug:
# msg: "{{ item }}"
# loop: "{{ groups['all'] }}"
# - name: printsomthieng
# debug:
# msg: "{{ item }}"
# with_items: "{{ play_hosts }}"
# #run_once: true
# debug:
# msg:
# # - "{{ item }}"
# - "{{hostvars[item]['swarm_master']}}"
# #loop: "{{ hosts.items() | list }}"
# - name: Create swarm_<SWARM>_<MASTER|WORKER>_<OPERATIONAL|BOOTSTRAP> groups
# add_host:
# hostname: "{{ item }}"
# groups: "swarm_{{item}}manager_operational"
# with_items: "{{ play_hosts }}"
# run_once: true
# - name: Display
# command: echo "swarm_{{item}}manager_operational"

5
ansible/playbooks/ftp.yaml
View File

@ -1,5 +0,0 @@
---
- name: Install FTP Server
hosts: ftp_server
roles:
- robgmills.pure-ftpd

19
ansible/playbooks/nameserver.yaml
View File

@ -1,19 +0,0 @@
---
- name: Configure Nameserver
hosts: nameserver
collections:
- bodsch.dns
tasks:
- name: Import role Bind
ansible.builtin.import_role:
name: bind
- name: Start a service
become: True
ansible.builtin.systemd:
name: named
state: restarted

17
ansible/playbooks/nextcloud.yaml
View File

@ -1,17 +0,0 @@
---
- name: Install Nextcloud AIO Docker
hosts: all
become: true
vars:
pip_install_packages:
- name: docker
docker_version: "=5:28.2.2-1~ubuntu.24.04~noble"
docker_users:
- fabio
- ansible
roles:
- geerlingguy.pip
- geerlingguy.docker
# - nextcloud_aio

7
ansible/playbooks/nodes.yml
View File

@ -1,7 +0,0 @@
---
- import_playbook: ping_all.yaml
- name: Basic check nodes
hosts: all
roles:
- common

28
ansible/playbooks/opnsense.yaml
View File

@ -1,28 +0,0 @@
---
# Usese oxlorg.opnsense
# Check documentation @ https://ansible-opnsense.oxl.app/usage/2_basic.html#prerequisites
- name: Configure OPNSense
hosts: opn
connection: local #executes on controller
gather_facts: false
collections:
- oxlorg.opnsense
module_defaults:
oxlorg.opnsense.alias:
api_credential_file: '/Users/fabioisti/Keys/ns1.sifi.isti.cnr.it_fabio_apikey.txt'
firewall: "{{ ansible_host}}"
ssl_verify: true
ssl_ca_file: '/Users/fabioisti/git/SSE-LAB/ansible/inventories/group_vars/sifi/SIFI_CA.pem'
tasks:
- name : Check libs
script: /Users/fabioisti/test_httpx.py
args:
executable: python3
- name: Test
oxlorg.opnsense.alias:
name: 'ANSIBLE_TEST1'
content: ['1.1.1.1']

10
ansible/playbooks/ping_all.yaml
View File

@ -1,10 +0,0 @@
---
- hosts: all
gather_facts: False
connection: local
tasks:
- name: ping
shell: ping -c 1 -W 2 {{ ansible_host }}

2
ansible/playbooks/roles/common/defaults/main.yml
View File

@ -1,2 +0,0 @@
---
config-flavor: none

23
ansible/playbooks/roles/common/tasks/basic_checks.yaml
View File

@ -1,23 +0,0 @@
---
## Register output of whoami
- name: Who am I
ansible.builtin.command: whoami
register: _my_whoiam_var
## Displays variable as to stdout
- name: Debug
ansible.builtin.debug:
var: _my_whoiam_var.stdout
## Check if can write on tmp
- name: Check write operation
ansible.builtin.copy:
content: "Hello world"
dest: /tmp/{{ _my_whoiam_var.stdout}}.hello-world.txt
## Cleans up
- name: Clean up
ansible.builtin.file:
path: /tmp/{{ _my_whoiam_var.stdout}}.hello-world.txt
state: absent

5
ansible/playbooks/roles/common/tasks/connectivity.yml
View File

@ -1,5 +0,0 @@
---
- name: Check access to Internet
wait_for:
host: 1.1.1.1
timeout: 5

3
ansible/playbooks/roles/common/tasks/main.yml
View File

@ -1,3 +0,0 @@
---
- import_tasks: basic_checks.yaml
- import_tasks: connectivity.yml

18
ansible/playbooks/roles/docker-certbot/tasks/main.yaml
View File

@ -1,18 +0,0 @@
---
- name: Pull certbot image
docker_image:
name: "certbot/certbot:{{ certbot_docker_tag }}"
source: pull
- name: Create container with certbot image
docker_container:
name: certbot
image: certbot/certbot
networks:
- name: "{{ docker_network_name }}"
hostname: certbot
volumes:
- "{{ docker_base_volume_path }}/certbot/logs:/var/log/letsencrypt"
- "{{ docker_base_volume_path }}/nginx/ssl:/etc/letsencrypt/live/{{ nginx_server_name}}"
restart: true

0
ansible/playbooks/roles/docker-swarm/tasks/main.yaml
View File

4
ansible/playbooks/roles/docker-swarm/tasks/swarm.yml
View File

@ -1,4 +0,0 @@
---
# configure as master if flag
# identify swarm by node variable
become_user: docker

40
ansible/playbooks/roles/docker/README.md
View File

@ -1,40 +0,0 @@
Docker Role
=========
Tasks :
- Installs dependencies and docker env [tasks/install.yml](tasks/install.yml)
- Creates user docker (group docker) for docker operations [tasks/docker_user.yml](tasks/docker_user.yml)
Requirements
------------
Uses **become**
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

3
ansible/playbooks/roles/docker/defaults/main.yml
View File

@ -1,3 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# defaults file for docker

3
ansible/playbooks/roles/docker/handlers/main.yml
View File

@ -1,3 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# handlers file for docker

35
ansible/playbooks/roles/docker/meta/main.yml
View File

@ -1,35 +0,0 @@
#SPDX-License-Identifier: MIT-0
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

24
ansible/playbooks/roles/docker/tasks/docker_user.yml
View File

@ -1,24 +0,0 @@
---
- name: Add the docker group
group:
name: docker
gid: 1101
state: present
- name: Add the docker user
user:
name: docker
uid: 1101
group: docker
# Directly generate hash
# https://www.lisenet.com/2019/ansible-generate-crypted-passwords-for-the-user-module/
password: "{{ docker_crypted_password | password_hash('sha512') }}"
shell: /bin/bash
system: yes
home: /srv/docker
state: present
- name: Reset ssh connection to allow user changes to affect ansible user
ansible.builtin.meta:
reset_connection

41
ansible/playbooks/roles/docker/tasks/install.yml
View File

@ -1,41 +0,0 @@
---
- name: Install aptitude
apt:
name: aptitude
state: latest
update_cache: true
- name: Install required system packages
apt:
pkg:
- apt-transport-https
- ca-certificates
- curl
- software-properties-common
- python3-pip
- virtualenv
- python3-setuptools
state: latest
update_cache: true
- name: Add Docker GPG apt Key
apt_key:
url: https://download.docker.com/linux/ubuntu/gpg
state: present
- name: Add Docker Repository
apt_repository:
repo: deb https://download.docker.com/linux/ubuntu focal stable
state: present
- name: Update apt and install docker-ce
apt:
name: docker-ce
state: latest
update_cache: true
- name: Install Docker Module for Python
pip:
break_system_packages: true
name: docker

17
ansible/playbooks/roles/docker/tasks/main.yml
View File

@ -1,17 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# tasks file for docker
- include_tasks: install.yml
args:
apply:
become: yes
- include_tasks: docker_user.yml
args:
apply:
become: yes
# - include_tasks: swarm.yml
# args:
# apply:
# become: yes
# become_user: docker

3
ansible/playbooks/roles/docker/tests/inventory
View File

@ -1,3 +0,0 @@
#SPDX-License-Identifier: MIT-0
localhost

5
ansible/playbooks/roles/docker/tests/test.yml
View File

@ -1,5 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
- hosts: localhost
roles:
- docker

3
ansible/playbooks/roles/docker/vars/main.yml
View File

@ -1,3 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# vars file for docker

2
ansible/playbooks/roles/nextcloud_aio/meta/main.yml
View File

@ -1,2 +0,0 @@
dependencies:
- role: docker

2
ansible/playbooks/roles/nextcloud_aio/tasks/main.yaml
View File

@ -1,2 +0,0 @@
---
- import_tasks: nextcloud_docker_aio.yaml

18
ansible/playbooks/roles/nextcloud_aio/tasks/nextcloud_docker_aio.yaml
View File

@ -1,18 +0,0 @@
---
- name: Create volumes
debug:
msg:
- "TODO!!!"
- name: Download compose file
become: true
become_user: docker
ansible.builtin.git:
repo: "https://gitea-s2i2s.isti.cnr.it/sinibaldi/SSE-Lab"
dest: SSE-Lab
- name: create and start docker compose services
become: true
become_user: docker
community.docker.docker_compose_v2:
project_src: ~/SSE-Lab/dockerized/nextcloud-aio/compose.yaml

5
ansible/playbooks/roles/wireguard_server/handlers/main.yaml
View File

@ -1,5 +0,0 @@
---
- name: Restart WireGuard
ansible.builtin.systemd:
name: "wg-quick@{{ wg_interface }}"
state: restarted

31
ansible/playbooks/roles/wireguard_server/tasks/configure_server.yaml
View File

@ -1,31 +0,0 @@
# wireguard_server.yml - Configure WireGuard VPN server
---
- name: Get Private Key [privatekey => var_privatekey]
shell: cat privatekey
register: wg_server_private_key
args:
chdir: /etc/wireguard
- name: Deploy WireGuard server configuration
ansible.builtin.template:
src: templates/wireguard_server.jinja
dest: "/etc/wireguard/{{ wg_interface }}.conf"
owner: root
group: root
mode: '0600'
notify: Restart WireGuard
- name: Enable and start WireGuard
ansible.builtin.systemd:
name: "wg-quick@{{ wg_interface }}"
state: started
enabled: true
- name: Open WireGuard port in firewall
community.general.ufw:
rule: allow
port: "{{ wg_port }}"
proto: udp
comment: "WireGuard VPN"
ignore_errors: true

49
ansible/playbooks/roles/wireguard_server/tasks/generate_keys.yaml
View File

@ -1,49 +0,0 @@
# generate_keys.yml - Generate WireGuard key pairs
---
- name: Create WireGuard directory
ansible.builtin.file:
path: /etc/wireguard
state: directory
mode: '0700'
- name: Check if private key already exists
ansible.builtin.stat:
path: /etc/wireguard/privatekey
register: privkey_file
- name: Generate private key
ansible.builtin.command: wg genkey
register: wg_private_key
when: not privkey_file.stat.exists
changed_when: true
- name: Save private key
ansible.builtin.copy:
content: "{{ wg_private_key.stdout }}"
dest: /etc/wireguard/privatekey
owner: root
group: root
mode: '0600'
when: not privkey_file.stat.exists
- name: Read private key
ansible.builtin.slurp:
src: /etc/wireguard/privatekey
register: private_key_content
- name: Generate public key from private key
ansible.builtin.shell: echo "{{ private_key_content.content | b64decode | trim }}" | wg pubkey
register: wg_public_key
changed_when: false
- name: Save public key
ansible.builtin.copy:
content: "{{ wg_public_key.stdout }}"
dest: /etc/wireguard/publickey
owner: root
group: root
mode: '0644'
- name: Display public key for reference
ansible.builtin.debug:
msg: "Public key for {{ inventory_hostname }}: {{ wg_public_key.stdout }}"

25
ansible/playbooks/roles/wireguard_server/tasks/install_wireguard.yaml
View File

@ -1,25 +0,0 @@
# install_wireguard.yml - Install WireGuard on Linux hosts
---
- name: Install WireGuard on Debian/Ubuntu
ansible.builtin.apt:
name:
- wireguard
- wireguard-tools
state: present
update_cache: true
when: ansible_os_family == "Debian"
- name: Install WireGuard on RHEL/CentOS 8+
ansible.builtin.yum:
name:
- wireguard-tools
state: present
when: ansible_os_family == "RedHat"
- name: Enable IP forwarding
ansible.posix.sysctl:
name: net.ipv4.ip_forward
value: '1'
sysctl_set: true
state: present
reload: true

4
ansible/playbooks/roles/wireguard_server/tasks/main.yaml
View File

@ -1,4 +0,0 @@
---
- include_tasks: install_wireguard.yaml
- include_tasks: generate_keys.yaml
- include_tasks: configure_server.yaml

62
ansible/playbooks/roles/wireguard_server/tasks/main.yaml___back
View File

@ -1,62 +0,0 @@
---
- name: Install Wireguard Server
apt:
pkg:
- wireguard
state: latest
update_cache: true
- name: Create directory for wg keys
ansible.builtin.file:
path: /etc/wireguard/keys
state: directory
mode: '0755'
- name: Creating server privatekey and publickey
shell: wg genkey | tee privatekey | wg pubkey > publickey
args:
chdir: /etc/wireguard/keys
- name: Get Private Key [privatekey => var_privatekey]
shell: cat privatekey
register: var_privatekey
args:
chdir: /etc/wireguard/keys
#- name: Add WireGuard interface
# command: ip link add dev wg0 type wireguard
- name: Updating configuration
template:
src: wireguard_server.jinja
dest: /etc/wireguard/wg0.conf
#- name: Activating link
# command: ip link set up dev wg0
- name: Starting wg service
systemd:
state: started
name: wg-quick@wg0
enabled: yes
- name: Getting public key
shell: cat publickey
register: var_publickey
args:
chdir: /etc/wireguard/keys
- name: Check server public IP
shell: curl https://ipinfo.io/ip
register: var_server_ip
- name: Printing public key
debug:
msg: "Server {{ ansible_hostname }} reachable @{{var_server_ip}}. Public key is {{ var_publickey }}"

0
ansible/playbooks/roles/wireguard_server/templates/wireguard_client.jinja
View File

27
ansible/playbooks/roles/wireguard_server/templates/wireguard_server.jinja
View File

@ -1,27 +0,0 @@
# templates/wireguard-server.conf.j2 - WireGuard server configuration
# Managed by Ansible - do not edit manually
[Interface]
Address = {{ wg_server_address }}
ListenPort = {{ wg_port }}
PrivateKey = {{ wg_server_private_key.stdout }}
# IP forwarding
PreUp = sysctl -w net.ipv4.ip_forward=1
# IP masquerading
PreUp = iptables -t mangle -A PREROUTING -i {{wg_interface}} -j MARK --set-mark 0x30
PreUp = iptables -t nat -A POSTROUTING ! -o {{wg_interface}} -m mark --mark 0x30 -j MASQUERADE
PostDown = iptables -t mangle -D PREROUTING -i {{wg_interface}} -j MARK --set-mark 0x30
PostDown = iptables -t nat -D POSTROUTING ! -o {{wg_interface}} -m mark --mark 0x30 -j MASQUERADE
{% for peer in wg_peers %}
# {{ peer.name }}
[Peer]
PublicKey = {{ peer.publicKey }}
AllowedIPs = {{ peer.allowedIP }}
{% if peer.persistent_keepalive is defined %}
PersistentKeepalive = {{ peer.persistent_keepalive }}
{% endif %}
{% endfor %}

6
ansible/playbooks/site.yaml
View File

@ -1,6 +0,0 @@
---
#- import_playbook: dbservers.yml
- import_playbook: nodes.yml
#- import_playbook: controller.yml
- import_playbook: swarms.yml
#- import_playbook: nextcloud.yml

144
ansible/playbooks/swarms.yml
View File

@ -1,144 +0,0 @@
---
- name: "Configure swarm"
hosts: swarm1
roles:
- common
- docker
tasks:
- name: "Prepare manager group"
add_host:
hostname: "{{ item }}"
groups: manager_group
with_items: "{{play_hosts}}"
when: hostvars[item]['swarm_master'] is defined and hostvars[item]['swarm_master']
- name: "Prepare worker group"
add_host:
hostname: "{{ item }}"
groups: worker_group
with_items: "{{play_hosts}}"
when: not hostvars[item]['swarm_master']
# From https://medium.com/@cantrobot/deploying-docker-swarm-with-ansible-a991c1028427
- name: "Gather status of manager nodes"
hosts: manager_group
become_user: docker
tasks:
- name: "Load docker info as facts"
community.docker.docker_container_info:
- name: "Create swarm_manager_operational group"
add_host:
hostname: "{{ item }}"
groups: swarm_manager_operational
with_items: "{{ play_hosts }}"
when: "'{{ hostvars[item]['docker_info']['Swarm']['LocalNodeState'] }}' == 'active'"
run_once: true
- name: "Create swarm_manager_bootstrap group"
add_host:
hostname: "{{ item }}"
groups: swarm_manager_bootstrap
with_items: "{{ play_hosts }}"
when: "'{{ hostvars[item]['docker_info']['Swarm']['LocalNodeState'] }}' != 'active'"
run_once: true
- name: "Do the same for workers"
hosts: worker_group
become_user: docker
tasks:
- name: "Load docker info as facts"
community.docker.docker_container_info:
- name: "Create swarm_worker_operational group"
add_host:
hostname: "{{ item }}"
groups: swarm_worker_operational
with_items: "{{ play_hosts }}"
when: "'{{ hostvars[item]['docker_info']['Swarm']['LocalNodeState'] }}' == 'active'"
run_once: true
- name: "Create swarm_worker_bootstrap group"
add_host:
hostname: "{{ item }}"
groups: swarm_worker_bootstrap
with_items: "{{ play_hosts }}"
when: "'{{ hostvars[item]['docker_info']['Swarm']['LocalNodeState'] }}' != 'active'"
run_once: true
- name: "Bootstrap the swarm"
hosts: swarm_manager_bootstrap[0]
become_user: docker
tasks:
- name: initialize swarm cluster
shell: >
docker swarm init
--advertise-addr={{ swarm_iface | default('eth0') }}:2377
when: "'swarm_manager_operational' not in groups"
register: bootstrap_first_node
- name: add initialized host to swarm_manager_operational group
add_host:
hostname: "{{ play_hosts[0] }}"
groups: swarm_manager_operational
when: bootstrap_first_node | changed
- name: "Retrieve the tokens"
hosts: swarm_manager_operational[0]
become: true
vars:
iface: "{{ swarm_iface | default('eth0') }}"
tasks:
- name: retrieve swarm manager token
shell: docker swarm join-token -q manager
register: swarm_manager_token
- name: retrieve swarm worker token
shell: docker swarm join-token -q worker
register: swarm_worker_token
- name: populate list of manager ips
add_host:
hostname: "{{ hostvars[item]['ansible_' + iface]['ipv4']['address'] }}"
groups: swarm_manager_ips
with_items: "{{ play_hosts }}"
- name: "Join managers"
# filtered from possible bootstrap
hosts: swarm_manager_bootstrap:!swarm_manager_operational
become: true
vars:
token: "{{ hostvars[groups['swarm_manager_operational'][0]]['swarm_manager_token']['stdout'] }}"
tasks:
- name: join manager nodes to cluster
shell: >
docker swarm join
--advertise-addr={{ swarm_iface | default('eth0') }}:2377
--token={{ token }}
{{ groups['swarm_manager_ips'][0] }}:2377
- name: "Join workers"
hosts: swarm_worker_bootstrap
become: true
vars:
token: "{{ hostvars[groups['swarm_manager_operational'][0]]['swarm_worker_token']['stdout'] }}"
tasks:
- name: join worker nodes to cluster
shell: >
docker swarm join
--advertise-addr={{ swarm_iface | default('eth0') }}:2377
--token={{ token }}
{{ groups['swarm_manager_ips'][0] }}:2377

1
ansible/playbooks/templates/ansible_auth_keys.j2
View File

@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArNhKFcJ6T08sn7kTTLf+rO9HEvgOvqfhv5HQ2sRf2tFYfjfCb0zHKnMkgW+sy5gMU10Lyx1r7juXCvqRC955uIM97m1B1Xc6sVqASVKuGPhCKfhxEaMAyBcWFdE+HYbCOPYVN+JMrcwWfbblwiZTtK1OCqaEUvDDI7cFeU68noXwggEp46T48eqMUdi541D9Y+BVx9HYAo6OCQz0+6eXwxJL+tpRcAAXIMMWv362CYHoOgIU45R7xVSMLY1k/HLrcEAblwxEaSpduCH5cWUXZE/56IyxpvP44BxZkVhNdqJLmg4hxBQWhoMNYiTZxbLay3W2TwBCM111cAtUx4M/jQ== fabio@pc-fabio

29
ansible/playbooks/templates/nginx.j2
View File

@ -1,29 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name {{ nginx_server_name }};
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name {{ nginx_server_name }};
root /var/www/html;
index index.php;
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privatekey.pem;
{# ssl_trusted_certificate /etc/nginx/ssl/intermediatecertificate.pem; #}
location / {
proxy_pass http://{{ docker_wordpress_hostname }}:80;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

16
ansible/playbooks/templates/nginx.j2_http
View File

@ -1,16 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name {{ nginx_server_name }};
root /var/www/html;
index index.php;
location / {
proxy_pass http://{{ docker_wordpress_hostname }}:80;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

6
ansible/playbooks/vpn_server.yaml
View File

@ -1,6 +0,0 @@
---
- name: Configure VPN Server
hosts: wireguard_server
become: true
roles:
- wireguard_server

62
ansible/playbooks/wordpress.yaml
View File

@ -1,62 +0,0 @@
---
- name: Install and configure Wordpress
hosts: web
become : True
collections:
- chrissayon.wordpress_docker
roles:
- geerlingguy.docker
- chrissayon.wordpress_docker.network
- chrissayon.wordpress_docker.mysql
- chrissayon.wordpress_docker.wordpress
tasks:
# Need to stop using port 80 for certbot webroot validation
- name: Gathering NGINX container state
docker_container_info:
name: nginx
register: nginx_info
- name: Stop NGINX if present
docker_container:
name: nginx
state: stopped
when:
- nginx_info.exists
# Manage certbot
- name: Install / configure certbot
include_role:
name: geerlingguy.certbot
# Copy certificates
# configured volume for ssl is
# "/usr/data/wp/nginx/ssl:/etc/nginx/ssl/:ro"
- name: Copy fullchain files to nginx volume
ansible.builtin.copy:
src: "/etc/letsencrypt/live/{{ item.name }}/fullchain.pem"
#TODO nginx configuration is not multi domain
dest: "{{ docker_base_volume_path }}/nginx/ssl/fullchain.pem"
remote_src: true
mode: '0644'
loop: "{{ certbot_certs }}"
- name: Copy privkey files to nginx volume
ansible.builtin.copy:
src: "/etc/letsencrypt/live/{{ item.name }}/privkey.pem"
#TODO nginx configuration is not multi domain
dest: "{{ docker_base_volume_path }}/nginx/ssl/privatekey.pem"
remote_src: true
mode: '0644'
loop: "{{ certbot_certs }}"
# Restart NGINX
- name: (Re)start NGINX
include_role:
name: chrissayon.wordpress_docker.nginx

100
ansible/readme.md
View File

@ -1,100 +0,0 @@
# Ansible Playbooks
## Usage
The inventory defines labs, nodes and their group based on function.
Playbooks run Roles against node groups.
Roles define set of Tasks.
### Install both roles and collections
`ansible-galaxy install -r requirements.yml`
## Playbooks
Launch playbooks from present folder in order to use [default config file](ansible.cfg).
**Site** playbook launches them all.
**Bootstrap** is to be run first on new installations.
**NameServer** configures a BIND DNS
**OPNSense** configure a OPNSense edge node
### Site
This playbook recalls all the following playbooks in the stated order.
##### Nodes
Basic checks connectivity for **all**
##### Swarms
##### NextCloud
Installs Nextcloud AIO using SSE Lab / dockerized / nextcloud-aio
Calls role nextcloud_aio, dependent on docker role.
- Downloads SSE-Lab Repo
- Runs compose up (using ansible plugins)
E.g. `ansible-playbook -i inventories/ -l nextrup_copy_test playbooks/nextcloud.yaml`
### Bootstrap ###
Creates sudoer user ansible, necessitates of sudoer user.
Use `ansible-playbook -i inventories playbooks/bootstrap.yml -l [TARGET_HOST] -e 'ansible_user=[REMOTE_USER]' -K`
### NameServer ###
Configures a BIND DNS. Uses collection bodsch.dns.
NB DNS configuration comes from variable file.
### OPNSense ###
Configures a OPNSense edge node features :
- BIND DNS
- FIREWALL
- Wireguard VPN
NB runs locally so python intepreter needs to be specified
E.g. `ansible-playbook -i inventories/sifi.yaml playbooks/opnsense.yaml --extra-vars="ansible_python_interpreter=$(which python)"
`
## Inventories
### Main Lab
Main lab used for experimenting and development [check](main-lab)
### Externals
Management of extra infra nodes [check](non-infra)
### Production
Management of production services, beware!
Hosts are commented by default
### Sifi
Macchine per il gruppo di lavoro Sistemi Fiscali
### Prox1_lab
Prox mox laboratory
## TODO
* K8s cluster
* Ensure micro on operating nodes
* Swarm clusters
* Enabling
* Bind
* CEPH storage
* Monitoring
* Nagios
* Swarm 1
* GOD
* terraform
* ansible
* puppetmaster
* ...

41
ansible/requirements.yml
View File

@ -1,41 +0,0 @@
# requirements.yml
---
roles:
# - name: bodsch.dns.bind
# version:
# - name: nginx
# src: git@github.com:myorg/ansible-role-nginx.git
# scm: git
# version: v2.0.0
# Required by wordpress_docker
- name: geerlingguy.docker
- name: geerlingguy.certbot
collections:
- name: bodsch.dns
source: https://github.com/bodsch/ansible-collection-dns.git
type: git
version: 1.4.1
- name: dsglaser.cis_security
version: 1.5.4
- name: chrissayon.wordpress_docker
version: 1.0.2
# dockerless wordpress
# - name: iamgini.wordpress
# version: 1.0.0
# - name: community.postgresql
# version: "3.2.0"
# - name: ansible.posix
# version: "1.5.4"
# - name: myorg.infrastructure
# source: https://hub.internal.com/api/galaxy/
# version: "1.0.0"

12
cloud-init/cloud-init.cfg
View File

@ -1,12 +0,0 @@
groups:
- admingroup: [root,sys]
- cloud-users
- docker
users:
- swarm
- gecos: Docker Swarm user
- primary_group: docker
- passwd: $6$rounds=4096$hCzh4u/Ithq3ZD0p$APkrRjYwcD8y1oNJhmywYy.82OE4LTTL8u42TxL12LfUVDD.keBrlOM4F.wFvRfvEh2RYtOxncP/7XDkPm31E/
- ssh_authorized_keys: [ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArNhKFcJ6T08sn7kTTLf+rO9HEvgOvqfhv5HQ2sRf2tFYfjfCb0zHKnMkgW+sy5gMU10Lyx1r7juXCvqRC955uIM97m1B1Xc6sVqASVKuGPhCKfhxEaMAyBcWFdE+HYbCOPYVN+JMrcwWfbblwiZTtK1OCqaEUvDDI7cFeU68noXwggEp46T48eqMUdi541D9Y+BVx9HYAo6OCQz0+6eXwxJL+tpRcAAXIMMWv362CYHoOgIU45R7xVSMLY1k/HLrcEAblwxEaSpduCH5cWUXZE/56IyxpvP44BxZkVhNdqJLmg4hxBQWhoMNYiTZxbLay3W2TwBCM111cAtUx4M/jQ== fabio@pc-fabio]
- sudo: ALL=(ALL) NOPASSWD:ALL

9
dockerized/first-level-nginx/README.md
View File

@ -1,9 +0,0 @@
## First Level NGINX
This config allows for a default first level proxy to be put between FW and the other clusters
### Single Node
A multiple NGINX instances proxied by a single one
### Swarmed
4 Replicas

117
dockerized/first-level-nginx/configs/node.conf
View File

@ -1,117 +0,0 @@
# Main context (this is the global configuration)
worker_processes 4;
events {
worker_connections 1024;
}
http {
include mime.types;
# Upstream block to define the Node.js backend servers
# Servers name come from compose definition
upstream swarm1_cluster {
server swarm1w1.home.arpa;
server swarm1w2.home.arpa;
server swarm1w3.home.arpa;
server swarm1w4.home.arpa;
}
upstream rup_cluster {
server rup1.home.arpa;
}
#TODO manage certs
# server {
# listen 443 ssl; # Listen on port 443 for HTTPS
# server_name localhost;
# # SSL certificate settings
# ssl_certificate /Users/nana/nginx-certs/nginx-selfsigned.crt;
# ssl_certificate_key /Users/nana/nginx-certs/nginx-selfsigned.key;
# # Proxying requests to Node.js cluster
# location / {
# proxy_pass http://nodejs_cluster;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# }
# }
# Optional server block for HTTP to HTTPS redirection
server {
listen 80; # Listen on port 80 for HTTP
server_name *.sw1.sselab.ddns.net;
location / {
# Redirect all HTTP traffic to HTTPS
# TODO requires https
# return 301 https://$host$request_uri;
proxy_pass http://swarm1_cluster;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
listen 80;
server_name *.sw1.hassallab.it;
location / {
# Redirect all HTTP traffic to HTTPS
# TODO requires https
# return 301 https://$host$request_uri;
proxy_pass http://swarm1_cluster;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
listen 80;
server_name reterup.it *.reterup.it;
location /{
#Redirect to simple_app
proxy_pass http://rup_cluster;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
#Default Catch-all serving
server {
listen 80 default_server;
server_name _;
root /var/www/default;
location /{
try_files $uri /$uri /index.html;
}
}
}

33
dockerized/first-level-nginx/content/index.html
View File

@ -1,33 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Hassallab Landing Page</title>
</head>
<body>
<header>
</header>
<div class="container">
<h2>Hassallab default landing page</h2>
<p>
Questa è la pagina di default.
Prova a visitare <br>
<a href="www.app.sw1.hassalab.it"> hassallab default</a>
<a href="www.app.sw1.sselab.ddns.it"> sselab default</a>
</p>
</div>
<footer>
<p>&copy; TechWorld with Nana. All Rights Reserved.</p>
<p>Follow us on:
<a href="#" style="color: #3b5998;">Linkedin</a> |
<a href="#" style="color: #00aced;">Twitter</a> |
<a href="#" style="color: #e4405f;">Instagram</a>
</p>
</footer>
</body>
</html>

12
dockerized/first-level-nginx/single_node/compose.yaml
View File

@ -1,12 +0,0 @@
version: '3.7'
services:
# --- NGINX ---
nginx:
image: nginx:latest
ports:
- '80:80'
- '443:443'
volumes:
- ../configs/node.conf:/etc/nginx/nginx.conf:ro
- ../content/index.html:/var/www/default/index.html

37
dockerized/first-level-nginx/swarmed/compose.yaml
View File

@ -1,37 +0,0 @@
version: '3.7'
services:
# --- NGINX ---
nginx:
image: nginx:latest
ports:
- '80:80'
- '443:443'
deploy:
replicas: 4
update_config:
parallelism: 2
order: start-first
failure_action: rollback
delay: 10s
rollback_config:
parallelism: 0
order: stop-first
restart_policy:
condition: any
delay: 5s
max_attempts: 3
window: 120s
healthcheck:
test: ["CMD", "service", "nginx", "status"]
configs:
- source: nginx_conf
target: /etc/nginx/nginx.conf
- source: nginx_static
target: /var/www/default/index.html
configs:
nginx_conf:
file: ../configs/node.conf
nginx_static:
file: ../content/index.html

9
dockerized/nextcloud-aio/Caddyfile
View File

@ -1,9 +0,0 @@
https://cloud.reterup.it:443 {
tls /root/certs/cert.pem /root/certs/privkey.pem {
ca_root /root/certs/origin_ca_rsa_root.pem
}
header Strict-Transport-Security max-age=31536000;
reverse_proxy localhost:11000
}

27
dockerized/nextcloud-aio/certs/cert.pem
View File

@ -1,27 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIEoDCCA4igAwIBAgIUaKFdbeWJZJZL8wTBpD2DwN+JVkUwDQYJKoZIhvcNAQEL
BQAwgYsxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTQw
MgYDVQQLEytDbG91ZEZsYXJlIE9yaWdpbiBTU0wgQ2VydGlmaWNhdGUgQXV0aG9y
aXR5MRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MB4XDTI1MDMxMDEzMjIwMFoXDTQwMDMwNjEzMjIwMFowYjEZMBcGA1UEChMQQ2xv
dWRGbGFyZSwgSW5jLjEdMBsGA1UECxMUQ2xvdWRGbGFyZSBPcmlnaW4gQ0ExJjAk
BgNVBAMTHUNsb3VkRmxhcmUgT3JpZ2luIENlcnRpZmljYXRlMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEApmRQ0ujY0sOsuOosqTURUSXeesuU2ZmPTecJ
BmtYRD6z2+0u/eryHke1J8+P8pK7EGV3/TVKCcxJr0NHZiMmysEJKszx5WLDWJgc
ct7uPWlb/Fsk+uep+WXJQwln1rpn2owu9fC8Umk7jvc7S9X3AbrpAjQg0e1oMwQY
OgrbqyWzxjN0KAx3+wNLwBOJt49FZrfL8IqoNu8Fd67kKVJgcw8e+kmRxIOVqJ6M
/GDW4PLsZInfhvcUnd1hbryaXjuIUL7+brV/h4O7AKVp2q8Y8HSsqSbBqlnCBJzw
HhhDJM0huacEmMWOAp95oXkNXcUhOq5XdlxbdYiCz5GLg/4OUwIDAQABo4IBIjCC
AR4wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD
ATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQnBKifvPJehekEum2O83LhMDsirDAf
BgNVHSMEGDAWgBQk6FNXXXw0QIep65TbuuEWePwppDBABggrBgEFBQcBAQQ0MDIw
MAYIKwYBBQUHMAGGJGh0dHA6Ly9vY3NwLmNsb3VkZmxhcmUuY29tL29yaWdpbl9j
YTAjBgNVHREEHDAaggwqLnJldGVydXAuaXSCCnJldGVydXAuaXQwOAYDVR0fBDEw
LzAtoCugKYYnaHR0cDovL2NybC5jbG91ZGZsYXJlLmNvbS9vcmlnaW5fY2EuY3Js
MA0GCSqGSIb3DQEBCwUAA4IBAQByz/7GAw13STwG/WdMCG7Pek2F3HPbsIDzvrQT
0eplFnec/xJCXF8Kb3wI2bQdSSOrFjPzI3a+pDJzxRFIfNWWTVLwcK2ET2jRV6/S
CZWrd9WOZ7Xd4V+irXyvKBOXiHbC35wk6vmTOUbT8BhBMiNRzWnF/bekeLRUPVPD
7en6zC/0/YXLyLogq/Cexr6MZj+oLHKA4hnKzcGQR5quLQPGfyF+YcVecbj3D8iM
VzmKMvIVtH38xfYjCvOHU9+ipl6MpqEjFw94ZRYzzZ5fpe/ObogvDMm4Igd/JiiJ
N/Kv2dPxeeMbJu4WEfjw2WeEJYaIBNy+tPB7gEUB2tLv7Ce1
-----END CERTIFICATE-----

24
dockerized/nextcloud-aio/certs/origin_ca_rsa_root.pem
View File

@ -1,24 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIEADCCAuigAwIBAgIID+rOSdTGfGcwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNV
BAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTQwMgYDVQQLEytDbG91
ZEZsYXJlIE9yaWdpbiBTU0wgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQH
Ew1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMB4XDTE5MDgyMzIx
MDgwMFoXDTI5MDgxNTE3MDAwMFowgYsxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBD
bG91ZEZsYXJlLCBJbmMuMTQwMgYDVQQLEytDbG91ZEZsYXJlIE9yaWdpbiBTU0wg
Q2VydGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMw
EQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAwEiVZ/UoQpHmFsHvk5isBxRehukP8DG9JhFev3WZtG76WoTthvLJFRKFCHXm
V6Z5/66Z4S09mgsUuFwvJzMnE6Ej6yIsYNCb9r9QORa8BdhrkNn6kdTly3mdnykb
OomnwbUfLlExVgNdlP0XoRoeMwbQ4598foiHblO2B/LKuNfJzAMfS7oZe34b+vLB
yrP/1bgCSLdc1AxQc1AC0EsQQhgcyTJNgnG4va1c7ogPlwKyhbDyZ4e59N5lbYPJ
SmXI/cAe3jXj1FBLJZkwnoDKe0v13xeF+nF32smSH0qB7aJX2tBMW4TWtFPmzs5I
lwrFSySWAdwYdgxw180yKU0dvwIDAQABo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYD
VR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUJOhTV118NECHqeuU27rhFnj8KaQw
HwYDVR0jBBgwFoAUJOhTV118NECHqeuU27rhFnj8KaQwDQYJKoZIhvcNAQELBQAD
ggEBAHwOf9Ur1l0Ar5vFE6PNrZWrDfQIMyEfdgSKofCdTckbqXNTiXdgbHs+TWoQ
wAB0pfJDAHJDXOTCWRyTeXOseeOi5Btj5CnEuw3P0oXqdqevM1/+uWp0CM35zgZ8
VD4aITxity0djzE6Qnx3Syzz+ZkoBgTnNum7d9A66/V636x4vTeqbZFBr9erJzgz
hhurjcoacvRNhnjtDRM0dPeiCJ50CP3wEYuvUzDHUaowOsnLCjQIkWbR7Ni6KEIk
MOz2U0OBSif3FTkhCgZWQKOOLo1P42jHC3ssUZAtVNXrCk3fw9/E15k8NPkBazZ6
0iykLhH1trywrKRMVw67F44IE8Y=
-----END CERTIFICATE-----

34
dockerized/nextcloud-aio/compose.yaml
View File

@ -3,19 +3,17 @@ version: "3.8"
#Imported from https://github.com/nextcloud/all-in-one/discussions/575#discussion-4055615
services:
#caddy:
# image: caddy:alpine
# restart: unless-stopped
# container_name: caddy
# volumes:
# - ./Caddyfile:/etc/caddy/Caddyfile
# - ./certs:/root/certs
# - ./config:/config
# - ./data:/data
# - ./sites:/srv
# network_mode: "host"
caddy:
image: caddy:alpine
restart: unless-stopped
container_name: caddy
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile
- ./certs:/certs
- ./config:/config
- ./data:/data
- ./sites:/srv
network_mode: "host"
nextcloud:
image: nextcloud/all-in-one:latest
@ -23,15 +21,13 @@ services:
container_name: nextcloud-aio-mastercontainer
ports:
- "8080:8080"
- "80:80"
- "8443:8443"
#environment:
# - APACHE_PORT=11000
environment:
- APACHE_PORT=11000
volumes:
- nextcloud_aio_mastercontainer:/mnt/docker-aio-config
- /var/run/docker.sock:/var/run/docker.sock:ro
#depends_on:
# - caddy
depends_on:
- caddy
volumes:
nextcloud_aio_mastercontainer:

2
dockerized/simple_site/nginx/config.conf
View File

@ -38,7 +38,7 @@ http {
# Optional server block for HTTP to HTTPS redirection
server {
listen 80; # Listen on port 80 for HTTP
server_name *.home.arpa;
server_name *.sselab.ddns.net;
location / {

17
templates/PKI/README.md
View File

@ -1,17 +0,0 @@
# PKI
### Templates
Some utils files in order to have a ready solution in order to generate bundles.
**NB** via console is trivial :
Public CRT
'cat SSE\ Lab\ Root\ CA_crt.pem >> certificate-bundle.pem
cat SSE\ Lab\ Intermediate\ CA_crt.pem >> certificate-bundle.pem
cat RUP\ Services_crt.pem >> certificate-bundle.pem'
Private Key
'cat RUP\ Services_prv.pem >> certificate-bundle.key'

9
templates/PKI/certificate-bundle(structure).pem
View File

@ -1,9 +0,0 @@
-----BEGIN CERTIFICATE-----
Root CA public key data
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate CA public key data
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Leaf Certificate public key data
-----END CERTIFICATE-----

53
templates/PKI/certificate-bundle(template).pem
View File

@ -1,53 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIEOzCCAyOgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBkDELMAkGA1UEBhMCSVQx
DTALBgNVBAgMBFBpc2ExDTALBgNVBAcMBFBpc2ExDTALBgNVBAoMBElTVEkxDzAN
BgNVBAsMBlNTRUxhYjEqMCgGCSqGSIb3DQEJARYbZmFiaW8uc2luaWJhbGRpQGlz
dGkuY25yLml0MRcwFQYDVQQDDA5zc2VsYWItcm9vdC1jYTAeFw0yNTAzMDUxMDA4
MjRaFw0zNTAzMDMxMDA4MjRaMIGQMQswCQYDVQQGEwJJVDENMAsGA1UECAwEUGlz
YTENMAsGA1UEBwwEUGlzYTENMAsGA1UECgwESVNUSTEPMA0GA1UECwwGU1NFTGFi
MSowKAYJKoZIhvcNAQkBFhtmYWJpby5zaW5pYmFsZGlAaXN0aS5jbnIuaXQxFzAV
BgNVBAMMDnNzZWxhYi1yb290LWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAnXup44PPzPSTDRkLBMGuUtXUk344tNZDn6h+rxXGlSw0T6qGrGPCAhqI
6IuOkCE/wp/Sv1KEFp2OamPiEwA0mTIoOi2ACaNg7fhOHUNpgw2dpeaiVd6WCmY6
MkLMcAH4jFlnOI/RnjkV01Yz3KGj7tpztd3wqD84INasRH+6zlZqiKG0HIxjlAUx
eHOop2rOTzUSsiOZyaW3dlQNtup7ndkFGZYd6aN50Kd1tbOZGHBldFwonNQN/59I
xUAsgX2BGQ97K1BoFN3bor3MwK9oKbjHY72/kPIN1IrblcreejyElq3Gt+B4UJ+R
XZO7A/lCzqykNLJax3wQkU3ZfKk6ywIDAQABo4GdMIGaMDcGCWCGSAGG+EIBDQQq
FihPUE5zZW5zZSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1Ud
DgQWBBTYTk488gvOsh5qJ/VbKYxZRbQ/NzAfBgNVHSMEGDAWgBTYTk488gvOsh5q
J/VbKYxZRbQ/NzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkq
hkiG9w0BAQsFAAOCAQEAH8sMS8XHZh4Jg6vBvwU1mufi9KeTW1MQP8p8FXV4hBZy
jSPpeEyqJo4fms70AY9zqomjxIikKgBRnIi/pyJ5U3oKOrktHiXlzugeVIptR37P
mUBPu/7yO1ttNdwKbX8OjSxR/BnJtP/rVwcKn2KnF0CQWHEsEpgTd+ayIEl7OEvJ
icuN2//H71ytu/Le7tl+Ib6ZuoVA+n6JQenSOOWd31UUNNe8mANj0bzkHTaoIDzS
oqhN9vfQ61E3p8E1X3IA3q8rggrJudR+fngwH7TeKtd2STP2nXtHYlhDBfVlUG6x
riZKtbFI0oiwF0BFyV4dah2i6N98phZ5V23Iz7t0PA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBkDELMAkGA1UEBhMCSVQx
DTALBgNVBAgMBFBpc2ExDTALBgNVBAcMBFBpc2ExDTALBgNVBAoMBElTVEkxDzAN
BgNVBAsMBlNTRUxhYjEqMCgGCSqGSIb3DQEJARYbZmFiaW8uc2luaWJhbGRpQGlz
dGkuY25yLml0MRcwFQYDVQQDDA5zc2VsYWItcm9vdC1jYTAeFw0yNTAzMDUxMDEw
MjZaFw0yODAzMDQxMDEwMjZaMIGHMQswCQYDVQQGEwJJVDENMAsGA1UECAwEUGlz
YTENMAsGA1UEBwwEUGlzYTENMAsGA1UECgwESVNUSTEqMCgGCSqGSIb3DQEJARYb
ZmFiaW8uc2luaWJhbGRpQGlzdGkuY25yLml0MR8wHQYDVQQDDBZzc2VsYWItaW50
ZXJtZWRpYXRlLWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo+3H
Vz7jnaGGew6LjeFhE5Dr+iIID+SdclrkB/ljz5ey3q4Rnsso4xnKVdyITSUinDee
RiPk+R2h7mhGlL9Z25JpykV+exwzM5hPrU0GVaus9QljL9TCAsN82M6ww6R0+m1s
vQp6/Y5oax/Mi/6K3dHqcjKEZ8GbHUns8xZtZ8sPCboyV1IFeAjfBIJYfr94CRqy
A/H2JcY348fM3XMDzDhZXEydeMeaM8bQhtQml0IwRs3L1ZHFppNXjvQLW2IbF8EW
VQNlTY7UwWpjsGDC3+3vrV0yOyE1hpi4YU3zcq9ds+HeVw4fUNEWCoDaEEah9wnX
4O2yVxm+R31WEia3sQIDAQABo4GdMIGaMDcGCWCGSAGG+EIBDQQqFihPUE5zZW5z
ZSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBRE3BNE
555kVhkB6C1XKtrYY+QlZzAfBgNVHSMEGDAWgBTYTk488gvOsh5qJ/VbKYxZRbQ/
NzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsF
AAOCAQEAVbuglqJ2/vDBkFunvQa0SdR/OaL9cRtbfGqhYpc3sZVO2tDh7aKSrr9o
7EeLFL+GKt9f8IqKMMTC33Ac/m+Ne6wvyv6sqpbTo84gdVlVV/YjWt9spEUivHa4
TLxEhi7KeO2DmhMGYWI/ogTaNKWboUmZZ4PoBS0Z3Rz6I97UcPB89AcKLGAW0dtC
fAQSHYVQ0Egm4Qf8ICJBcdwdnjffSUk3kkVcKg4qr+5kjVACjRJfqOm7PDrh2jmA
gnMxtST45WTgWlWa4cS+/Bb9KreQCdfcN1xevOzOJSVecVYT40N8n8nwhCIkMPAM
1QzsP1M6grD89nHeECK4LEpLTdBhvw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Leaf Certificate public key data
-----END CERTIFICATE-----