diff --git a/README.md b/README.md index 892bf2b..5e15562 100644 --- a/README.md +++ b/README.md @@ -2,15 +2,15 @@ Fork Sand IT Manual -by Fork Sand, Inc. +by Jeff Moe -Copyright 2018, Fork Sand, Inc. +Copyright 2017, Jeff Moe Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution 4.0 International Public License (CC BY-SA 4.0). -Published by Fork Sand Inc., Loveland, Colorado, USA. +Published by Jeff Moe, Loveland, Colorado, USA. # Sources diff --git a/build.sh b/build.sh index a971a64..f72ca05 100755 --- a/build.sh +++ b/build.sh @@ -2,11 +2,19 @@ # build.sh # GPLv3+ set -x -rm -f forksand-it-manual.pdf source/forksand-it-manual.pdf + +# A function to jump to application's root, default .../forksand-it-manual +cd $(echo $PWD | sed -e "s/\(.*\/forksand-it-manual\)\/.*/\1/") && echo "current path: $PWD" +rootPath=$PWD + cd source || exit # Generate Source-gen.tex, for auto source code inclusion +rm -f forksand-it-manual.pdf ../forksand-it-manual.pdf time ./resources/make-sources-list.sh -cd ~/FORKSAND/IT/forksand-it-manual/source/ || exit + +# A function to jump to application's root, default .../forksand-it-manual +cd $(echo $PWD | sed -e "s/\(.*\/forksand-it-manual\)\/.*/\1/") && echo "current path: $PWD" +cd source/ || exit # Build main LaTeX file # Run BibTeX @@ -19,7 +27,7 @@ xelatex \ -interaction=nonstopmode \ forksand-it-manual.tex -mv *.pdf ../ +for i in $(ls *.pdf); do mv -f $i ../$i ; done # in windows every file must be processed explicitly exit 0 diff --git a/rebuild.sh b/rebuild.sh new file mode 100755 index 0000000..b98d2d3 --- /dev/null +++ b/rebuild.sh 
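Review bot: `rootPath=$PWD` is assigned right after the first `cd $(echo $PWD | sed ...)` but is never read; the second `cd $(echo $PWD | sed ...)` further down the hunk re-derives the same directory, so it could simply be `cd "$rootPath/source" || exit`. Both substitutions are unquoted, so a checkout path containing whitespace word-splits before `cd`; quoting them, e.g. `cd "$(printf '%s\n' "$PWD" | sed -e "s/\(.*\/forksand-it-manual\)\/.*/\1/")" || exit`, also makes a failed `cd` fatal, whereas the current `&& echo` only skips the echo and lets the script continue in whatever directory it is in until `cd source || exit`. The comment `# A function to jump to application's root` describes an inline command, not a function, and the same three lines are copied verbatim into rebuild.sh in the next hunk. The rest of build.sh is outside this hunk.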
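Review bot: `for i in $(ls *.pdf); do mv -f $i ../$i ; done` parses `ls` output and leaves `$i` unquoted, so a PDF name containing whitespace is split into several words, and when no PDF exists the loop runs once over the literal string `*.pdf`. The shell glob already yields one word per file without `ls`: `for i in *.pdf; do [ -e "$i" ] || continue; mv -f -- "$i" ../; done`. This keeps the per-file move the trailing comment asks for while removing the `ls` parsing.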
@@ -0,0 +1,19 @@ +#!/bin/bash +# build.sh +# GPLv3+ +set -x + +# A function to jump to application's root, default .../forksand-it-manual +cd $(echo $PWD | sed -e "s/\(.*\/forksand-it-manual\)\/.*/\1/") && echo "current path: $PWD" +rootPath=$PWD + +cd source || exit +rm ./*.aux +rm ./*.l* +rm ./*.glo +rm ./*.idx +rm ./*.out +rm ./*.pyg +rm ./*.toc + +rm ./_minted-forksand-it-manual/*.pyg* diff --git a/source/Ansible.tex b/source/Ansible.tex index 976392d..316bb9f 100644 --- a/source/Ansible.tex +++ b/source/Ansible.tex @@ -20,7 +20,11 @@ Use \texttt{ansible} for management of servers. \item DebOps: \url{https://docs.debops.org/en/latest/index.html} \end{itemize} -\subsection{Build Ansible Debian Package} +\subsection{Glossary} +An \texttt{Ansible playbook} is an organized unit of scripts that defines +work for a server configuration managed by the automation tool \texttt{ansible}. + +\subsection{Build Ansible Debian Package}\label{ssec:bansdpac} The version of Ansible is 2.2 in Debian 9 (stable/Stretch). The current stable release is Ansible 2.4. Below documents how to build a 2.4 package for Debian 9. 
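Review bot: the header comment on the second line reads `# build.sh` but this new file is rebuild.sh; it should read `# rebuild.sh`. `rm ./*.l*` is broader than the neighbouring patterns — it removes anything in source/ whose extension starts with `l`, not only LaTeX byproducts — so if `.log`, `.lof` and `.lot` are what is meant, `rm -f ./*.log ./*.lof ./*.lot` names them explicitly. Without `-f` (or `shopt -s nullglob`), every pattern that matches nothing makes `rm` report the literal pattern as missing, which is noisy under `set -x` on an already-clean tree; `rm -f` on each line avoids that. `rootPath=$PWD` is assigned but unused here as well.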
@@ -109,3 +113,356 @@ Set up some playbooks, grab examples: git clone https://github.com/ansible/ansible-examples.git cd ansible-examples/ \end{minted} + +\section{Ansible Debian Mail} +Assuming \texttt{ansible} is built according to section \ref{ssec:bansdpac} +on p.\pageref{ssec:bansdpac}, the following requirements are met. + +\subsection{Requirements} +The following applications are required to utilize this this section objectives. +Ansible can be installed using Python PIP. +\begin{itemize} + \item \texttt{Ansible} 2.4.x+ + \item \texttt{Python} 2.7.9+ + \textcolor[rgb]{0.80,0.00,0.00}{Todo clarify confusion over version requirements} +\end{itemize} + +\subsection{Quick Start} +The following steps will help quickly set up and execute this section objectives. + +\texttt{Project Configuration} + +The following files need to be edited and configured before executing this playbook. + +\begin{table}[!htb] + \caption{Files to be edited} % \label{tab:tech} + \begin{tabular}{|l|l|} + \hline + \multicolumn {1}{|l|}{ File}& + \multicolumn {1}{l|}{ Description} \\ \hline + groups\char`_vars/all.yml & Server credential information and domain variables \\ \hline + inventory.yml & List of server IPs to connect to \\ \hline + \end{tabular} +\end{table} + +\texttt{Playbook Execution} + +After having configured the server credentials and added the server IP to the inventory, use the following command to execute the playbook. + +\begin{minted}{sh} +ansible-playbook -i inventory.yml site.yml` +\end{minted} + +\subsection{Project Structure} +The following tree depicts the high level structure of this Ansible project. 
+ +\begin{minted}{sh} +|-- ansible.cfg +|-- group_vars +|   -- all.yml +|-- inventory.yml +|-- LICENSE.AGPLv3 +|-- LICENSE.GPLv3 +|-- README.md +|-- roles +|   |-- dkim_configuration +|   |-- dovecot_configuration +|   |-- fail2ban_configuration +|   |-- letsencrypt_configuration +|   |-- mikegleasonjr.firewall +|   |-- outputs +|   |-- postfix_configuration +|   |-- server_tasks +|   |-- spamassassin_configuration +|   -- sqlgrey_configuration +|-- playbook_execution.log + -- site.yml +\end{minted} + +\texttt{File and Directory Descriptions} + +The following table consists of a description of what each file and directory stands for. + +\begin{table}[!htb] + \caption{File and Directory Descriptions} % \label{tab:tech} + \begin{tabular}{|l|l|} + \hline + \multicolumn {1}{|l|}{ Name}& + \multicolumn {1}{l|}{ Description} \\ \hline + site.yml & Master playbook. Executes all roles in sequential order \\ \hline + inventory.yml & Inventory file containing server IP addresses \\ \hline + ansible.cfg & Ansible configuration file for various Ansible options. \\ \hline + group\char`_vars/ & Group\char`_vars directory contains variable files for the entire group. \\ + & The files are named according to the group name. 'all.yml' = group 'all' \\ \hline + group\char`_vars/all.yml & Group variables for the 'all' group. Contains server connection \\ + & information along with domain variables \\ \hline + roles/ & Directory containing all roles needed by this project \\ \hline + \end{tabular} +\end{table} + +\texttt{Role descriptions} + +The following table consists of descriptions of each role and their purpose. The roles listed below are listed in the required order of execution to ensure successful completion of the playbook. 
+ +\begin{table}[!htb] + \caption{Role descriptions} % \label{tab:tech} + \begin{tabular}{|l|l|l|} + \hline + \multicolumn {1}{|l|}{Role Name}& + \multicolumn {1}{|l|}{Role Description}& + \multicolumn {1}{l|}{Depends on} \\ \hline + server\char`_tasks & This roles performs all server tasks. Updating & mikebleasonjr.firewall \\ + & server, configuring SSH, disable IPv6, etc. & \\ + & Depends on the mikegleasonjr.firewall role. & \\ \hline + mikegleasonjr.firewall & This role set up iptables rules. It is called & None \\ + & and ran by the server\char`_tasks roles. & \\ \hline + letsencrypt\char`_configuration & This role installs and executes let's encrypt & None \\ \hline + postfix\char`_configuration & This roles installs postfix, configures postfix & letsencrypt\char`_configuration \\ + & using postconf, and sets up virtual file, & \\ + & master.cf file, and aliases file & \\ \hline + dkim\char`_configuration & This roles installs OpenDKIM, OpenDMARC & None \\ + & and configures them. & \\ \hline + dovecot\char`_configuration & This role installs and configures dovecot & letsencrypt\char`_configuration \\ \hline + spamassassin\char`_configuration & This role installs spamassassin. & None \\ \hline + sqlgrey\char`_configuration & This role installs sqlgrey. & None \\ \hline + fail2ban\char`_configuration & This role installs fail2ban. & None \\ \hline + outputs & This role gathers DNS information for the & None \\ + & SPF, DMARC, and DKIM records and & \\ + & outputs them to the screen. & \\ \hline + \end{tabular} +\end{table} + +\subsection{Ansible Logging} +Execution processes described in this section are automatically logged to a file called `playbook-execution.log` in the root directory of the project. The path to this log file can be changed by editing `ansible.cfg` in the project root directory and specifying a different path. + +\subsection{Troubleshooting} +Ansible has a built in debug output. Simply run Ansible with a `-v`. 
There are 5 levels of debug output and they are denoted by the number of v's listed. Each level up provide more debug output than the level before it. + +\begin{minted}{sh} +Level 1: `-v` + +Level 2: `-vv` + +Level 3: `-vvv` + +Level 4: `-vvvv` + +Level 5: `-vvvvv` +\end{minted} + +Example execution with level 3 debug output: + +\begin{minted}{sh} +ansible-playbook -i inventory.yml site.yml -vvv +\end{minted} + +\section{Ansible Gitea} +Assuming \texttt{ansible} is built according to section \ref{ssec:bansdpac} +on p.\pageref{ssec:bansdpac}, the following requirements are met. + +\subsection{Requirements} +The following applications are required to utilize this this section objectives. +Ansible can be installed using Python PIP. +\begin{itemize} + \item \texttt{Ansible} 2.4.x+ + \item \texttt{Python} 2.7.9+ + \textcolor[rgb]{0.80,0.00,0.00}{Todo clarify confusion over version requirements} +\end{itemize} + +\subsection{Quick Start} +The following steps will help quickly set up and execute this section objectives. + +\texttt{Project Configuration} + +The following files need to be edited and configured before executing this playbook. + +\begin{table}[!htb] + \caption{Files to be edited} % \label{tab:tech} + \begin{tabular}{|l|l|} + \hline + \multicolumn {1}{|l|}{ File}& + \multicolumn {1}{l|}{ Description} \\ \hline + roles/gitea/default/main.yml & Variables for Gitea configuration \\ + & (default - standalone with sqlite) \\ \hline + roles/nginx/default/main.yml & Variables for Nginx and Letsencrypt configuration \\ \hline + inventory.yml & List of server IPs to connect to \\ \hline + \end{tabular} +\end{table} + +\qquad \\ +\texttt{Playbook Execution} + +After having configured the server credentials and added the server IP to the inventory, use the following command to execute the playbook. 
+ +\begin{minted}{sh} +ansible-playbook -i inventory.yml site.yml` +\end{minted} + +\subsection{Project Structure} +The following tree depicts the high level structure of this Ansible project. + +\begin{minted}{sh} +|-- inventory.yml +|-- LICENSE.AGPLv3 +|-- LICENSE.GPLv3 +|-- README.md +|-- roles +|   |-- gitea +|   -- nginx +|-- playbook_execution.log + -- site.yml +\end{minted} + +\texttt{File and Directory Descriptions} + +The following table consists of a description of what each file and directory stands for. + +\begin{table}[!htb] + \caption{File and Directory Descriptions} % \label{tab:tech} + \begin{tabular}{|l|l|} + \hline + \multicolumn {1}{|l|}{ Name}& + \multicolumn {1}{l|}{ Description} \\ \hline + site.yml & Master playbook. Executes all roles in sequential order \\ \hline + inventory.yml & Inventory file containing server IP addresses \\ \hline + ansible.cfg & Ansible configuration file for various Ansible options. \\ \hline + roles/ & Directory containing all roles needed by this project \\ \hline + \end{tabular} +\end{table} + +\qquad \\ + +\texttt{Role descriptions} + +The following table consists of descriptions of each role and their purpose. The roles listed below are listed in the required order of execution to ensure successful completion of the playbook. 
+ +\begin{table}[!htb] + \caption{Role descriptions} % \label{tab:tech} + \begin{tabular}{|l|l|l|} + \hline + \multicolumn {1}{|l|}{Role Name}& + \multicolumn {1}{|l|}{Role Description} \\ \hline + gitea & This roles performs installation and configuration of Gitea server \\ \hline + nginx & This roles performs installation and configuration of Nginx server \\ \hline + \end{tabular} +\end{table} + +\texttt{Role parameters} + +\qquad \\ + +\texttt{\qquad Gitea role parameters} +\begin{minted}{sh} + # Application name + gitea_app_name: "Gitea" + # Application gitea_user_repo_limit + gitea_user: "gitea" + # Application home + gitea_home: "/var/lib/gitea" + # Repo Limit + gitea_user_repo_limit: -1 + # Domain Name (FOR REVER PROXY LEAVE AS DEFAULT) + gitea_http_domain: localhost + # Gitea url (FOR REVER PROXY LEAVE AS DEFAULT) + gitea_root_url: http://localhost:3000 + # Protocol (FOR REVER PROXY LEAVE AS DEFAULT) + gitea_protocol: http + # listen IP (FOR REVER PROXY LEAVE AS DEFAULT) + gitea_http_listen: 127.0.0.1 + # Listen port (FOR REVER PROXY LEAVE AS DEFAULT) + gitea_http_port: 3000 + # HTTP git Options + gitea_disable_http_git: false + # Offline mode options + gitea_offline_mode: true +\end{minted} + +\qquad \qquad DB details + +\begin{minted}{sh} + # DB Type 'mysql', 'postgres' or 'sqlite3' + gitea_db_type: sqlite3 + # DB host + gitea_db_host: 127.0.0.0:3306 + # DB name + gitea_db_name: root + # DB username + gitea_db_user: gitea + # DB password + gitea_db_passord: lel + # DB ssl options + gitea_db_ssl: disable + # DB path (Not needed for postgres and mysql hash it in template file ) + gitea_db_path: "{{ gitea_home }}/data/gitea.db" +\end{minted} + +\qquad \qquad SSH Details + +\begin{minted}{sh} + # SSH Listen IP + gitea_ssh_listen: 0.0.0.0 + # SSH domain + gitea_ssh_domain: localhost + # SSH options + gitea_start_ssh: true + # SSH post + gitea_ssh_port: 2222 + +\qquad \qquad Gitea secret key + +\begin{minted}{sh} + # gitea key (GENERATE A NEW KEY) + 
gitea_secret_key: T0pS3cr31 +\end{minted} + +\qquad \qquad General Settings + +\begin{minted}{sh} + # User email settings + gitea_show_user_email: false + # User avatar settings + gitea_disable_gravatar: true + # User register options + gitea_disable_registration: false + # User signup options + gitea_require_signin: true + # User captcha options + gitea_enable_captcha: true +\end{minted} + +\qquad \\ + +\texttt{\qquad Nginx roles parameters} +\begin{minted}{sh} + # Domain name for the server + nginx_domain_name: "test.hostnats.com" + # Gitea listening port + gitea_http_port: 3000 + # letsencrypt email address + letsencrypt_email: "test@example.com" +\end{minted} + +\subsection{Ansible Logging} +Execution processes described in this section are automatically logged to a file called `playbook-execution.log` in the root directory of the project. The path to this log file can be changed by editing `ansible.cfg` in the project root directory and specifying a different path. + +\subsection{Troubleshooting} +Ansible has a built in debug output. Simply run Ansible with a `-v`. There are 5 levels of debug output and they are denoted by the number of v's listed. Each level up provide more debug output than the level before it. + +\begin{minted}{sh} +Level 1: `-v` + +Level 2: `-vv` + +Level 3: `-vvv` + +Level 4: `-vvvv` + +Level 5: `-vvvvv` +\end{minted} + +Example execution with level 3 debug output: + +\begin{minted}{sh} +ansible-playbook -i inventory.yml site.yml -vvv +\end{minted} + diff --git a/source/ClusterHardware.tex b/source/ClusterHardware.tex deleted file mode 100644 index 2a28c86..0000000 --- a/source/ClusterHardware.tex +++ /dev/null 
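Review bot: the `\begin{minted}{sh}` block under `SSH Details` is never closed — after `gitea_ssh_port: 2222` the text runs straight into `\qquad \qquad Gitea secret key` and a second `\begin{minted}{sh}`, so the `\end{minted}` after `gitea_secret_key: T0pS3cr31` closes the wrong environment; add `\end{minted}` directly after the `gitea_ssh_port` line. Both `ansible-playbook -i inventory.yml site.yml` commands in the Quick Start sections end with a stray backtick character inside the minted block, which readers will copy verbatim. Only `gitea_secret_key` carries a `(GENERATE A NEW KEY)` note; the sample `gitea_db_passord: lel` and `letsencrypt_email: "test@example.com"` are placeholders that deserve the same kind of comment, e.g. `# DB password (CHANGE BEFORE DEPLOYMENT)`, and `passord` looks like a misspelling of the role's variable name — worth checking against roles/gitea, since a misspelled key would presumably not be picked up by the role's templates. Note also that `gitea_http_listen: 127.0.0.1` sits behind the reverse proxy while `gitea_ssh_listen: 0.0.0.0` exposes port `2222` directly, which the host firewall rules described elsewhere in the manual need to account for.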
@@ -1,51 +0,0 @@ -% -% ClusterHardware.tex -% -% Fork Sand IT Manual -% -% Copyright (C) 2018, Fork Sand, Inc. -% Copyright (C) 2017, Jeff Moe -% Copyright (C) 2017 Aleph Objects, Inc. -% -% This document is licensed under the Creative Commons Attribution 4.0 -% International Public License (CC BY-SA 4.0) by Fork Sand, Inc. -% - -\section{Cluster Hardware Overview} -The cluster will require rackmountable equipment: - -\begin{itemize} - \item GNU/Linux Servers -\end{itemize} - - -\section{GNU/Linux Servers} -The servers will all run Debian GNU/Linux - -\subsection{Denver Server List} -\begin{itemize} - \item \texttt{oc1.forksand.com} --- KVM host. - \item \texttt{rd1.forksand.com} --- Misc. -\end{itemize} - -\section{Network Hardware} -The network switches do not run free software. - -\section{Disk Drives} -The disk drives do not run free software. - -\begin{itemize} - \item Hard drive platters, 7200 RPM, 2.5" and 3.5" - \item SSD - \item NVMe -\end{itemize} - -\section{Suppliers} -Who we'll get hardware from. - -\begin{itemize} - \item Pogo Linux --- Debian GNU/Linux Servers, USA. - \item Viking.net --- Coreboot Opteron servers in Germany. - \item raptorcs.com --- POWER9, custom Coreboot systems (?), USA. -\end{itemize} - diff --git a/source/Firewalls.tex b/source/Firewalls.tex index b724d17..0be6551 100644 --- a/source/Firewalls.tex +++ b/source/Firewalls.tex @@ -24,7 +24,7 @@ What is the network doing? % % Authentication -\section{Overview} +\section{Authentication} Two-factor authentication using TOTP. % @@ -48,7 +48,7 @@ Some resellers: Various LAN \item (Hot swap?) Dual Power Supplies \item (How swap?) RAID (Linux md), with SSD storage. - \item 2.5" drive bays + \item 2.5'' drive bays \item Total ~8GHz CPU \item ~8-16 gigs RAM ? Depends on OS. \item Two servers total, for standby/failover 
@@ -108,7 +108,8 @@ Notes on some requirements in a firewall. \section{Firewall Operating Systems in Use} \subsection{Debian} - \href{https://www.debian.org/}{Debian} + +\href{https://www.debian.org/}{Debian} Debian is used for nearly everything. It could easily be used as a router/firewall. There are better, more tuned options. 
@@ -118,6 +119,50 @@ Linux's iptables is used on servers. \begin{figure}[h!] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-debian.png} \caption{Debian Website} - \label{fig:www-debian} + \label{fig:www-debian-in-firewalls-chapter} \end{figure} +\subsection{Proxmox setups iptables-firewall} +During Proxmox installation on the nodes, firewall is being confugured. +Some of nodes configurations can be found in chapter Free software under +path apps/forksand-nodes-bootstrap/... + +especially in two of files is mentioned: +\begin{minted}{sh} +# Firewalling is done through Proxmox. +cd /etc ; git add . ; git commit -a -m 'Use SharkTech NTP (others firewalled).' +\end{minted} + +\begin{minted}{sh} +# Enable firewall. +# Datacenter --> shark4 (host) --> Firewall --> Add. +# Enable firewall for datacenter: +# Datacenter --> Firewall --> Options --> Firewall --> Yes +# Datacenter --> Firewall --> Options --> Firewall --> Yes +# Enable firewall for shark4: +# Datacenter --> Firewall --> Add. +\end{minted} + +\textcolor[rgb]{0.80,0.00,0.00}{ +Todo check other nodes, add other shark nodes if similar iptables-firewall related configs. \\ +Find out why mention of firewall in hk1 node is discarded. +} + +\begin{minted}{sh} +# Enable firewall. +# Datacenter --> truck (host) --> Firewall --> Add. +# Enable firewall for datacenter: +# Datacenter --> Firewall --> Options --> Firewall --> Yes +# Datacenter --> Firewall --> Options --> Firewall --> Yes +# Enable firewall for truck: +# Datacenter --> Firewall --> Add. +\end{minted} + +Also Nextcloud chapter mentiones configs of iptables firewall \ref{ssec:nextcloudfirewall} on p.\pageref{ssec:nextcloudfirewall}. + +Also certain Ansible including virtual machines enable iptables configuratiion. +For example ansible-debian-male contains mikegleasonjr.firewall. 
+\href{https://github.com/mikegleasonjr/ansible-role-firewall}{ +ansible firewall\char`_v4\char`_configure example on github +} +May be browsed in Free software chapter under path apps/ansible-debian-mail/roles/ diff --git a/source/Hardware.tex b/source/Hardware.tex new file mode 100644 index 0000000..9f0095b --- /dev/null +++ b/source/Hardware.tex 
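Review bot: `For example ansible-debian-male contains mikegleasonjr.firewall.` misnames the project — the path quoted two lines later is `apps/ansible-debian-mail/roles/` and the Ansible chapter added in this same commit titles it Ansible Debian Mail — so it should read `ansible-debian-mail`. In both `# Enable firewall.` minted blocks the line `# Datacenter --> Firewall --> Options --> Firewall --> Yes` appears twice in a row; if the second occurrence was meant to be a different option it should be named, otherwise it is a duplicate. The prose also has `confugured`, `mentiones` and `configuratiion` for configured, mentions and configuration. The new subsection begins inside this hunk; the figure environment above it is pre-existing context.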
@@ -0,0 +1,496 @@ +% +% Source.tex +% +% Fork Sand IT Manual +% +% Copyright (C) 2018, Fork Sand, Inc. +% Copyright (C) 2017, Jeff Moe +% Copyright (C) 2017 Aleph Objects, Inc. +% +% This document is licensed under the Creative Commons Attribution 4.0 +% International Public License (CC BY-SA 4.0) by Fork Sand, Inc. +% +\section{Hardware} + +\subsection{Cluster Evolution} +Forksand started deployment on dedicated servers. + \vspace{0.6cm} + First stage. Exclusively dedicated servers (deprecated) + \vspace{0.4cm} +\centering +\includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm] + {sharkfork-cabling-1-dedicated-vlan.pdf} \\ % +% + \vspace{0.2cm} +\raggedright + Second stage. Dedicated servers along with a colocation + cabinet. Flat hierarchy. (deprecated) + + \vspace{0.1cm} + In progress, services were being migrated one after another to + a colocation instance. On the next stage hierarchy becomes vertical. \\ + \vspace{0.1cm} +\centering +\includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm] + {sharkfork-cabling-2-mixed-vlan.pdf} \\ % +% +\raggedright + Third stage. Dedicated servers buffered by + a colocation cabinet. Vertical hierarchy. (deprecated) + \vspace{0.4cm} +\centering +\includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm] + {sharkfork-cabling-3-colo-dedicated.pdf} \\ % +% + \vspace{0.2cm} +\raggedright + Fourth stage. Dedicated servers discarded. + Colocation cabinet buffered only with a firewall. (current) + \vspace{0.4cm} +\centering +\includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm] + {sharkfork-cabling-4-final-colocation.pdf} \\ % +% + \vspace{0.2cm} +\raggedright + Final stage. Firewall discarded. Single colocation cabinet. 
(in process) + \vspace{0.4cm} +\centering +%\includegraphics[width=115mm,trim=10mm 10mm 10mm 10mm] + %{sharkfork-cabling-4-single-colocation.pdf} \\ % +% +\raggedright +\newpage + +\section{Cluster Hardware Overview} +The cluster will require rackmountable equipment: + +\begin{itemize} + \item GNU/Linux Servers +\end{itemize} + +\begin{minipage}{0.9\textwidth} + \subsection{Sharkfork 21U hardware instance} \label{sec:hardware-sharkfork-21U} + %\includepdf[width=150mm,offset=0 15,clip] + %{sharkfork-21U.pdf} + \includegraphics[keepaspectratio=true,height=0.80\textheight,width=150mm,angle=0] + {sharkfork-21U.png} +% \vspace{150mm} + \label{fig:sharkfork-21U} + %\vspace{60mm} +\end{minipage} + +\newpage + +%\subsubsection{Sharkfork 21U detail hardware description} \label{sec:hardware-description-sharkfork-21U} + +\definecolor{secondary-brown}{HTML}{F3E2C3} % HEX # F3E2C3 R:243 G:226 B:195 C:0 M:7 Y:20 K:5 +\definecolor{primary-blue}{HTML}{A1F4FF} % HEX # A1F4FF R:161 G:244 B:255 C:37 M:4 Y:0 K:0 +\definecolor{primary-brown}{HTML}{B07E3B} % HEX # B07E3B R:176 G:126 B:56 C:0 M:28 Y:68 K:31 +\definecolor{nonbrand-dark-blue}{HTML}{184B6D} % HEX # 184B6D R:19 G:70 B:109 C:0 M:28 Y:68 K:31 + +\newcommand{\nodeUnitName}[4]{ + \rowcolor{#3}\vspace{-1pt} + {{\grenewcommand{\currentColor}{#3}}} + {{\grenewcommand{\currentTextColor}{#4}}} + \Large{\textcolor{#4}{#1}} & \rule[-0.5em]{0pt}{1.8em} \Large{\textcolor{#4}{#2}} \\ + \rowcolor{#3}\vspace{-1pt} +} +\newcommand{\nodeUnitParameter}[1]{ + \rule[1.0em]{0pt}{-1em} & \small{\textcolor{\currentTextColor}{ - #1}} \\ + \rowcolor{\currentColor}\vspace{-1pt} +} +\newcommand{\nodeUnitLastParameter}[1]{ + \rule[-0.5em]{0pt}{0em} & \small{\textcolor{\currentTextColor}{ - #1}} \\ + \tabucline[0.2pt]{1-2} +} +\newcommand{\nodeUnitSetItem}[2]{ + \rowcolor{\currentColor}\vspace{-1pt} + \rule[-0.3em]{0pt}{0em}\small{\textcolor{\currentTextColor}{ ~#1}} & \small{\textcolor{\currentTextColor}{#2}} \\ + \tabucline[0.2pt]{1-2} +} 
+\newcommand{\nodeUnitSetLastItem}[2]{ + \rowcolor{\currentColor}\vspace{-1pt} + \rule[-0.3em]{0pt}{0em}\small{\textcolor{\currentTextColor}{ ~#1}} & \small{\textcolor{\currentTextColor}{#2}} \\ + \tabucline[2pt]{1-2} +} +%\newcommand{\nodeUnitSetNotes}[2]{ +% \pickColor{#2} +% \rule[-0.3em]{0pt}{0em}\small{Notes:} & \small{#1} \\ \tabucline[2pt]{1-2} +%} + +\newcommand{\currentColor}{secondary-brown} +\newcommand{\currentTextColor}{secondary-brown} + +\begin{table}[!htb] + %\caption{IP configs of nodes} \label{tab:sharkNodeIPConfig} + \begin{tabu}{|[2pt]l|[2pt]p{14.5cm}|[2pt]} + \tabucline[2pt]{1-2} + \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} Qty}& + \multicolumn {1}{p{13cm}|[2pt]}{ Description} \\ \tabucline[2pt]{1-2} +%%% UNIT %%% +% Unit name + \nodeUnitName{2}{Iris FW1100 - Firewall System}{secondary-brown}{ao-black} +% Unit configuration parameters + \nodeUnitParameter{ 1U Form Factor ~~- Single Intel Xeon D-1587 CPU } + \nodeUnitParameter{ Up to 128GB DDR4 ECC Reg Memory } + \nodeUnitParameter{ Dual 10G SFP+ and Six Gigabit Ethernet } + \nodeUnitLastParameter{ 400W Platinum Level Redundant Power Supply } +% Unit has a set of components parameters + \nodeUnitSetItem {2}{ 8GB DDR4 2666MHz ECC Registered DIMM } + %\nodeUnitSetItem {1}{ No Operating System. Include testing% + % and customer OS preference in notes. 
} + %\nodeUnitSetItem {1}{ Return to Depot Warranty (3 Year Hardware% + % Warranty with Standard Advance Parts Replacement) } + \nodeUnitSetItem {1}{ 128GB SATA DOM } + \nodeUnitSetLastItem {1}{ Intel 10G Dual Port RJ45 Ethernet Adapter } +% Unit ends with notes, pass "none" parameter if no notes + %\nodeUnitSetNotes { none } +%%% END UNIT %%% + +%%% UNIT %%% +% Unit name + \nodeUnitName{1}{Iris NV2225}{primary-blue}{ao-black} +% Unit configuration parameters + \nodeUnitParameter{ 2U Form Factor ~~- Dual Intel Xeon SP Processor } + \nodeUnitParameter{ Up to 768GB DDR4 2133MHz ECC Registered Memory } + \nodeUnitParameter{ Integrated IPMI 2.0 + KVM with dedicated LAN } + \nodeUnitParameter{ Intel x550 Quad port 10G Ethernet } + \nodeUnitLastParameter{ 1600W Redundant High-efficiency Power Supply } +% Unit has a set of components parameters + \nodeUnitSetItem{2}{ Intel Xeon Gold 5115 10C 2.4GHz 13.75MB Cache } + \nodeUnitSetItem{1}{ 128GB DDR4 2666MHz ECC Reg (4 x 32GB) } + \nodeUnitSetItem{1}{ Samsung 960 EVO M.2 NVME SSD 500GB } + \nodeUnitSetItem{4}{ Ultrastar SN200 800GB NVMe SSD } + %\nodeUnitSetItem{1}{ No Operating System. Include testing and customer% + % OS preference in notes. 
} + %\nodeUnitSetItem{1}{ Return to Depot Warranty (3 Year Hardware Warranty% + % with Standard Advance Parts Replacement) } + \nodeUnitSetLastItem{1}{ Intel 10G Dual Port RJ45 Ethernet Adapter } +% Unit ends with notes, pass "none" parameter if no notes + %\nodeUnitSetNotes { none } +%%% END UNIT %%% + +%%% UNIT %%% +% Unit name + \nodeUnitName{2}{Iris 1292-R4T}{primary-brown}{ao-black} +% Unit configuration parameters + \nodeUnitParameter{ 1U Form Factor ~~- Dual Intel Xeon SP Processors } + \nodeUnitParameter{ Intel C620 Chipset with QPI up to 9.6GT/sec } + \nodeUnitParameter{ Up to 768GB DDR4 2666MHz ECC Registered Memory } + \nodeUnitParameter{ Integrated IPMI 2.0 + KVM with dedicated LAN } + \nodeUnitParameter{ Intel Quad-port 10GBaseT Ethernet Controller } + \nodeUnitParameter{ 4 x 3.5'' Hot-swap Drive Bays For customizable Storage } + \nodeUnitLastParameter{ 750W Redundant Power Supply } +% Unit has a set of components parameters + \nodeUnitSetItem{2}{ Intel Xeon Silver 4110 8C 2.1GHz 11MB Cache } + \nodeUnitSetItem{1}{ 128GB DDR4 2666MHz ECC Reg (8 x 16GB) } + \nodeUnitSetItem{4}{ HGST Ultrastar 6TB 7200RPM SATA 6Gb/s } + %\nodeUnitSetItem{1}{ No Operating System. Include testing and customer% + % OS preference in notes. 
} + %\nodeUnitSetItem{1}{ Return to Depot Warranty (3 Year Hardware Warranty% + % with Standard Advance Parts Replacement) } + \nodeUnitSetLastItem{1}{ Intel 10G Dual Port RJ45 Ethernet Adapter } +% Unit ends with notes, pass "none" parameter if no notes + %\nodeUnitSetNotes { none } +%%% END UNIT %%% + +%%% UNIT %%% +% Unit name + \nodeUnitName{2}{Iris NV1211}{nonbrand-dark-blue}{ao-white} +% Unit configuration parameters + \nodeUnitParameter{ 1U Form Factor ~~- Dual Intel Xeon SP Processor } + \nodeUnitParameter{ Up to 1534GB DDR4 2400MHz ECC Registered Memory } + \nodeUnitParameter{ Integrated IPMI 2.0 + KVM with dedicated LAN } + \nodeUnitParameter{ Intel x540 Dual-port 10Gigabit Ethernet } + \nodeUnitParameter{ 10 x 2.5'' Solid State NVMe Disks } + \nodeUnitLastParameter{ 1000W Redundant High-efficiency Power Supply } +% Unit has a set of components parameters + \nodeUnitSetItem{2}{ Intel Xeon Silver 4114 10C 2.2GHz 13.75MB Cache } + \nodeUnitSetItem{1}{ 64GB DDR4 2666MHz ECC Reg (4 x 16GB) } + \nodeUnitSetItem{1}{ Samsung 960 EVO M.2 NVME SSD 500GB } + \nodeUnitSetItem{6}{ Ultrastar SN200 800GB NVMe SSD } +% \nodeUnitSetItem{1}{ No Operating System. Include testing and customer% +% OS preference in notes. } +% \nodeUnitSetItem{1}{ Return to Depot Warranty (3 Year Hardware Warranty% +% with Standard Advance Parts Replacement) } + \nodeUnitSetLastItem{1}{ Intel X710 Converged Network Adapter Quad-port 10GBaseT } +% Unit ends with notes, pass "none" parameter if no notes + %\nodeUnitSetNotes { none } +%%% END UNIT %%% + + \end{tabu} +\end{table} + +Notes applicable to all units: + +{ 1. No Operating System. Include testing and customer OS preference in notes. } + +{ 2. Return to Depot Warranty (3 Year Hardware Warranty with Standard Advance Parts Replacement) } + +\newpage + +\section{GNU/Linux Servers} +The servers will all run Debian GNU/Linux + +\subsection{Denver Server List} +\begin{itemize} + \item \texttt{oc1.forksand.com} --- KVM host. 
+ \item \texttt{rd1.forksand.com} --- Misc. +\end{itemize} + +\vspace{10mm} + +\texttt{\qquad oc1.forksand.com parameters} +\begin{minted}{sh} +Full Network: +70.39.125.64/27 Network +70.39.125.65 Gateway +70.39.125.66 AVAILABLE +70.39.125.94 AVAILABLE +70.39.125.95 Broadcast +255.255.255.224 Netmask + +Break the main IP into a /30 + +# Main network interface +# 2 IPs +70.39.125.64/30 Network +70.39.125.65 Gateway +70.39.125.66 oc1 +70.39.125.67 Broadcast +255.255.255.252 Netmask + +# vmbr0 Bridge 0 with 2 IPs +70.39.125.68/30 Network +70.39.125.69 vmbr0 gateway +70.39.125.70 AVAILABLE +70.39.125.71 Broadcast +255.255.255.252 Netmask + +# vmbr1 Bridge 1 with 6 IPs +70.39.125.72/29 Network +70.39.125.73 vmbr1 gateway +70.39.125.74 AVAILABLE +70.39.125.76 test99 +70.39.125.78 AVAILABLE +70.39.125.79 Broadcast +255.255.255.248 Netmask + +# vmbr2 Bridge 2 with 14 IPs +70.39.125.80/28 Network +70.39.125.81 vmbr2 gateway +70.39.125.92 AVAILABLE +70.39.125.94 AVAILABLE +70.39.125.95 Broadcast +255.255.255.240 Netmask +\end{minted} + +\newpage + +\texttt{\qquad rd1.forksand.com parameters} +\begin{minted}{sh} + Full Network: +174.128.229.128/27 Network +174.128.229.129 Gateway +174.128.229.130 Main rd1 IP +174.128.229.131 AVAILABLE +174.128.229.158 AVAILABLE +174.128.229.159 Broadcast +255.255.255.224 Netmask + +Break the main network into a /30 + +# Main network interface +# 2 IPs +174.128.229.128/30 Network +174.128.229.129 Gateway +174.128.229.130 oc1 +174.128.229.131 Broadcast +255.255.255.252 Netmask + +# vmbr0 Bridge 0 with 2 IPs +174.128.229.132/30 Network +174.128.229.133 vmbr0 gateway +174.128.229.134 AVAILABLE +174.128.229.135 Broadcast +255.255.255.252 Netmask + +# vmbr1 Bridge 1 with 6 IPs +174.128.229.136/29 Network +174.128.229.137 vmbr1 gateway +174.128.229.138 AVAILABLE +174.128.229.140 test99 +174.128.229.142 AVAILABLE +174.128.229.143 Broadcast +255.255.255.248 Netmask + +# vmbr2 Bridge 2 with 14 IPs +174.128.229.144/28 Network +174.128.229.145 vmbr2 
gateway +174.128.229.156 AVAILABLE +174.128.229.158 AVAILABLE +174.128.229.159 Broadcast +255.255.255.240 Netmask +\end{minted} + +\section{Network Hardware} +The network switches do not run free software. + +\section{Disk Drives} +The disk drives do not run free software. + +\begin{itemize} + \item Hard drive platters, 7200 RPM, 2.5'' and 3.5'' + \item SSD + \item NVMe +\end{itemize} + +\section{Suppliers} +Who we'll get hardware from. + +\begin{itemize} + \item Pogo Linux --- Debian GNU/Linux Servers, USA. + \item Viking.net --- Coreboot Opteron servers in Germany. + \item raptorcs.com --- POWER9, custom Coreboot systems (?), USA. +\end{itemize} + +\newcommand{\includescreen}[3]{ + \begin{figure}[!ht] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{#1} + \caption{#2} + #3 + \end{figure} +} + +\section{Shark nodes configuration. Using an example Shark2} + +%\includescreen{shark2/01.png}{Log in to admin-webview}{} +\includescreen{shark2/02.png}{Log in to admin-webview}{\label{fig:shark2login}} +%\includescreen{shark2/03.png}{Logged in to admin-webview. 
Notification of no valid subscription}{} +%\includescreen{shark2/04.png}{Browse Datacenter, log hidden}{\label{fig:shark2browsedatacenter}} +%\includescreen{shark2/05.png}{Browse shark2 Node}{\label{fig:shark2browsenode}} +\includescreen{shark2/06.png}{Browse shark2 Network}{\label{fig:shark2network}} +%\includescreen{shark2/07.png}{Select first shark2 Network device}{} +\includescreen{shark2/08.png}{Edit first shark2 Network device}{} +\includescreen{shark2/09.png}{Cleanup first shark2 Network device}{\label{fig:shark2cleanupnetdevice1}} +\includescreen{shark2/10.png}{Browse shark2 Network}{} +\includescreen{shark2/11.png}{Create shark2 Linux Bridge}{\label{fig:shark2linuxbridge}} +%\includescreen{shark2/12.png}{Create shark2 Linux Bridge}{} +\includescreen{shark2/13.png}{Create shark2 Linux Bridge}{} +\begin{table}[!htb] + \caption{IP configs of nodes} \label{tab:sharkNodeIPConfig} + \begin{tabular}{|l|l|l|l|} + \hline + \multicolumn {1}{|l|}{ Parameter}& + \multicolumn {1}{l|}{ Shark2}& + \multicolumn {1}{l|}{ Shark3}& + \multicolumn {1}{l|}{ Shark4} \\ \hline + Linux bridge & & & \\ %\hline + Name & vmbr0 & vmbr0 & vmbr0 \\ %\hline + IP address & 174.128.229.130 & 70.39.103.218 & 70.39.103.210 \\ %\hline + Subnet mask & 255.255.255.224 & 255.255.255.248 & 255.255.255.248 \\ %\hline + Gateway & 174.128.229.129 & 70.39.103.217 & 70.39.103.209 \\ %\hline + Bridge ports & enp2s0 & enp3s0 & enp3s0 \\ \hline + + Network Device & & & \\ %\hline + Name & enp3s0 & enp4s0 & enp4s0 \\ %\hline + IP address & 10.2.2.2 & 10.2.2.3 & 10.2.2.4 \\ %\hline + Subnet mask & 255.255.255.0 & 255.255.255.0 & 255.255.255.0 \\ \hline + + Network Device & & & \\ %\hline + Name & enp4s0 & enp5s0 & enp5s0 \\ %\hline + IP address & 10.99.99.2 & 10.99.99.3 & 10.99.99.4 \\ %\hline + Subnet mask & 255.255.255.0 & 255.255.255.0 & 255.255.255.0 \\ \hline + + \end{tabular} +\end{table} +\includescreen{shark2/14.png}{Browse shark2 Network}{} +%\includescreen{shark2/15.png}{Select second shark2 
Network device}{} +%\includescreen{shark2/16.png}{Edit second shark2 Network device}{} +\includescreen{shark2/17.png}{Edit second on the list shark2 Network device}{} +%\includescreen{shark2/18.png}{Browse shark2 Network}{} +%\includescreen{shark2/19.png}{Select third shark2 Network device}{} +%\includescreen{shark2/20.png}{Edit third shark2 Network device}{} +\includescreen{shark2/21.png}{Edit third on the list shark2 Network device}{} +\begin{table}[!htb] + \caption{IP configs of nodes, duplicate of table \ref{tab:sharkNodeIPConfig}} % \label{tab:sharkLinuxBridge} + \begin{tabular}{|l|l|l|l|} + \hline + \multicolumn {1}{|l|}{ Parameter}& + \multicolumn {1}{l|}{ Shark2}& + \multicolumn {1}{l|}{ Shark3}& + \multicolumn {1}{l|}{ Shark4} \\ \hline + Linux bridge & & & \\ %\hline + Name & vmbr0 & vmbr0 & vmbr0 \\ %\hline + IP address & 174.128.229.130 & 70.39.103.218 & 70.39.103.210 \\ %\hline + Subnet mask & 255.255.255.224 & 255.255.255.248 & 255.255.255.248 \\ %\hline + Gateway & 174.128.229.129 & 70.39.103.217 & 70.39.103.209 \\ %\hline + Bridge ports & enp2s0 & enp3s0 & enp3s0 \\ \hline + + Network Device & & & \\ %\hline + Name & enp3s0 & enp4s0 & enp4s0 \\ %\hline + IP address & 10.2.2.2 & 10.2.2.3 & 10.2.2.4 \\ %\hline + Subnet mask & 255.255.255.0 & 255.255.255.0 & 255.255.255.0 \\ \hline + + Network Device & & & \\ %\hline + Name & enp4s0 & enp5s0 & enp5s0 \\ %\hline + IP address & 10.99.99.2 & 10.99.99.3 & 10.99.99.4 \\ %\hline + Subnet mask & 255.255.255.0 & 255.255.255.0 & 255.255.255.0 \\ \hline + + \end{tabular} +\end{table} +\includescreen{shark2/22.png}{Browse shark2 Network}{} +%\includescreen{shark2/23.png}{Browse shark2 node}{} +\includescreen{shark2/24.png}{Restart shark2 node}{} + +%\clearpage % avoid LaTeX Error: Too many unprocessed floats. +%\section{Shark3 configuration} +% +%\includescreen{shark3/01.png}{Log in to admin-webview}{\label{fig:shark3login}} +%\includescreen{shark3/02.png}{Logged in to admin-webview. 
Notification of no valid subscription}{} +%\includescreen{shark3/03.png}{Browse Datacenter, log hidden}{\label{fig:shark3browsedatacenter}} +%\includescreen{shark3/04.png}{Browse Shark3 Node}{\label{fig:shark3browsenode}} +%\includescreen{shark3/05.png}{Shark3 Network}{\label{fig:shark3network}} +%\includescreen{shark3/06.png}{Browse Shark3 Network}{} +%\includescreen{shark3/07.png}{Select first Shark3 Network device}{} +%\includescreen{shark3/08.png}{Edit first Shark3 Network device}{} +%\includescreen{shark3/09.png}{Cleanup first Shark3 Network device}{\label{fig:shark3cleanupnetdevice1}} +%\includescreen{shark3/10.png}{Create Shark3 Linux Bridge}{\label{fig:shark3linuxbridge}} +%\includescreen{shark3/11.png}{Create Shark3 Linux Bridge}{} +%\includescreen{shark3/12.png}{Create Shark3 Linux Bridge}{} +%\includescreen{shark3/13.png}{Create Shark3 Linux Bridge}{} +%\includescreen{shark3/14.png}{Select second Shark3 Network device}{} +%\includescreen{shark3/15.png}{Edit second Shark3 Network device}{} +%\includescreen{shark3/16.png}{Edit second Shark3 Network device}{} +%\includescreen{shark3/17.png}{Select third Shark3 Network device}{} +%\includescreen{shark3/18.png}{Edit third Shark3 Network device}{} +%\includescreen{shark3/19.png}{Edit third Shark3 Network device}{} +%\includescreen{shark3/20.png}{Edit third Shark3 Network device}{} +%\includescreen{shark3/21.png}{Browse Shark3 node}{} +%\includescreen{shark3/22.png}{Restart Shark3 node}{} +% +%\clearpage % avoid LaTeX Error: Too many unprocessed floats. 
+%\section{Shark4 configuration} +% +% +%\includescreen{shark4/01.png}{Log in to admin-webview}{} +%\includescreen{shark4/02.png}{Log in to admin-webview}{\label{fig:shark4login}} +%\includescreen{shark4/03.png}{Browse Datacenter}{\label{fig:shark4browsedatacenter}} +%\includescreen{shark4/04.png}{Browse Datacenter, log hidden}{} +%\includescreen{shark4/05.png}{Browse Shark4 Node}{\label{fig:shark4browsenode}} +%\includescreen{shark4/06.png}{Shark4 Network}{\label{fig:shark4network}} +%\includescreen{shark4/07.png}{Select first Shark4 Network device}{} +%\includescreen{shark4/08.png}{Edit first Shark4 Network device}{} +%\includescreen{shark4/09.png}{Cleanup first Shark4 Network device}{\label{fig:shark4cleanupnetdevice1}} +%\includescreen{shark4/10.png}{Create Shark4 Linux Bridge}{\label{fig:shark4linuxbridge}} +%\includescreen{shark4/11.png}{Create Shark4 Linux Bridge}{} +%\includescreen{shark4/12.png}{Select second Shark4 Network device}{} +%\includescreen{shark4/13.png}{Select second Shark4 Network device}{} +%\includescreen{shark4/14.png}{Edit second Shark4 Network device}{} +%\includescreen{shark4/15.png}{Edit second Shark4 Network device}{} +%\includescreen{shark4/16.png}{Select second Shark4 Network device}{} +%\includescreen{shark4/17.png}{Edit second Shark4 Network device}{} +%\includescreen{shark4/18.png}{Edit second Shark4 Network device}{} +%\includescreen{shark4/19.png}{Restart Shark4 node}{} + diff --git a/source/OpenNebula.tex b/source/OpenNebula.tex deleted file mode 100644 index e605734..0000000 --- a/source/OpenNebula.tex +++ /dev/null 
@@ -1,197 +0,0 @@ -% -% OpenNebula.tex -% -% Fork Sand IT Manual -% -% Copyright (C) 2018, Fork Sand, Inc. -% Copyright (C) 2017, Jeff Moe -% Copyright (C) 2017 Aleph Objects, Inc. -% -% This document is licensed under the Creative Commons Attribution 4.0 -% International Public License (CC BY-SA 4.0) by Fork Sand, Inc. -% -% XXX TODO: opennebula-sunstone-login.png - -\section{Overview} -OpenNebula is a virtual machine manager. - -The private cloud deployment will be based on OpenNebula version 5.4, which -is currently in beta. There are only Debian 8 (Jessie, oldstable) releases. -Debian hasn't packaged OpenNebula since wheezy. It has it in sid, but even -that is an old version. The only packages available for Debian are the -upstream ones for Jessie made by OpenNebula. UPDATE: although it isn't listed -on their website, it does appear their are Debian 9 (Stretch) builds of -OpenNebula for the betas of the forthcoming 5.4 version, which is great. - -Documentation: -\url{https://docs.opennebula.org/5.4/} - -\begin{figure}[h!] 
-\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-opennebula.png} - \caption{OpenNebula Website} - \label{fig:www-opennebula} -\end{figure} - -\begin{itemize} - \item Website: \\ \url{https://opennebula.org/} - \item Debian Stretch Repo: \\ - \url{http://downloads.opennebula.org/repo/5.4/Debian/9/pool/opennebula/} -\end{itemize} - - -The following servers will be deployed to host OpenNebula and the KVMs: - -\begin{itemize} - \item \texttt{waz-kvm-001.forksand.com} --- Virtual Machine Server 1 - \item \texttt{waz-kvm-002.forksand.com} --- Virtual Machine Server 2 - \item \texttt{waz-kvm-003.forksand.com} --- Virtual Machine Server 3 - \item \texttt{waz-kvm-004.forksand.com} --- Virtual Machine Server 4 - \item \texttt{waz-kvm-005.forksand.com} --- Virtual Machine Server 5 - \item \texttt{waz-sun-001.forksand.com} --- OpenNebula Sunstone Web GUI 1 - \item \texttt{waz-sun-002.forksand.com} --- OpenNebula Sunstone Web GUI 2 -\end{itemize} - -\subsection{Virtual Machine Servers} -KVM virtual machine servers. Fast CPU, with lots of RAM. Uses Ceph to store -virtual images. - -\subsection{Sunstone Web GUI Servers} -Sunstone is OpenNebula's Web GUI for administration of the cluster. - -\begin{figure}[h!] -\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{opennebula-sunstone.png} - \caption{OpenNebula Sunstone Web Admin GUI} - \label{fig:opennebula-sunstone} -\end{figure} - - -\begin{minted}{sh} -wget -q -O- https://downloads.opennebula.org/repo/repo.key | apt-key add - -echo "deb http://downloads.opennebula.org/repo/5.4/Debian/9 stable opennebula" > /etc/apt/sources.list.d/opennebula.list -apt update -apt -y install opennebula-node -service libvirtd restart -\end{minted} - - -\section{Bugs} -Things that are bugs or at least aren't configured correctly. - - -\section{Sunstone Configuration} -At this point, you should have the OpenNebula Sunstone server up and running. 
-See scripts in \texttt{source/resources/ns24} for automation. - -\begin{enumerate} - \item Set up ssh tunnel (use Sunstone server name for ns24): - Code: \\ \texttt{ssh -N -C -L 9869:localhost:9869 ns24} - \item In workstation, open browser to url: - URL: \\ \url{http://localhost:9869/} - Info: \\ This goes through the encrypted SSH tunnel, but doesn't use https. - \item Click \texttt{OpenNebula} in the upper right to get the full web console. - \item Click \texttt{Infrastructure}. - \item Click \texttt{Hosts}. - \item Click The \texttt{+} plus icon. - \item Enter the hostname of the KVM server you want to use, such as the Sunstone server itself. - \texttt{Type: KVM} - \texttt{Hostname: ns24} - \item Click \texttt{Create}. - \item Repeatedly hit the reload button that's the two arrows in a circle, as it goes thru - stages of setup, starting at \texttt{INIT}. - \item Confirm status is \texttt{ON}. -\end{enumerate} - -\section{Sunstone Deploy Image} -This is a quick and dirty way to deploy a first test image. -NOTE: It is note privacy aware, as it pulls the image from the -OpenNebula ``store''. - -How to deploy an image from the OpenNebula App store: -\begin{enumerate} - \item Click \texttt{Storage}. - \item Click \texttt{Apps} - \item Click \texttt{Debian 9 - KVM}. - \item Click on the icon that is a cloud with an arrow in it. This downloads it to OpenNebula. - \item Select a datastore by clicking the \texttt{default} line. - \item Leave name and all that the same, and click \texttt{Download}. - \item Click \texttt{Images} under \texttt{Storage} in the left column. - \item Hit the refresh icon repeatedly. - \item When \texttt{Status} is \texttt{READY}, it is good to go. - \item Click \texttt{Templates} in the left column. - \item Click \texttt{VMs}. - \item Click \texttt{Debian 9 - KVM}. - \item Click \texttt{Instantiate}. - \item \texttt{VM Name} enter \texttt{deb9}. - \item \texttt{Number of instances} enter \texttt{1}. - \item \texttt{Memory} enter \texttt{768}. 
- \item \texttt{CPU} enter \texttt{1}. - \item Click the slider to \texttt{Instantiate as persistent}. - \item Click \texttt{Instantiate}. - \item Click \texttt{Instances} in the left column. - \item Click \texttt{VMs}. - \item Click the reload icon, repeat. - \item It is good when \texttt{Status} is \texttt{RUNNING}. - \item Set up an \texttt{ssh} tunnel so VNC can be used: - \texttt{ssh -N -C -L 29876:localhost:29876 ns24} - \item Click on the little monitor icon to launch VNC. - \item Look at booted up screen at \texttt{login:} prompt. - \item This means a Debian KVM booted up and the VNC is working. - There is no password for the \texttt{root} account, only \texttt{ssh} is available. - So without network setup, you can't really do anything with this image. - Booted, it just shows it works. -\end{enumerate} - -I think delete this section, it would go before the \texttt{Templates} above.: -\begin{enumerate} - \item Click \texttt{Debian 9 - KVM}. - \item PROBABLY NO: Click \texttt{Clone} to make a local copy. - \item PROBABLY NO: It will say \texttt{Copy of Debian 9 - KVM}, leave as-is, click \texttt{Clone}. - \item Click on the icon with three dots. - \item Click \texttt{Make Persistent}. - \item Click on the icon with three dots. - \item Click \texttt{Enable}. -\end{enumerate} - -\section{OpenNebula Networking} -XXX Yes, this part needs set up... - -\begin{minted}{sh} -# /etc/network/interfaces bridge section, add this: -auto br0 -iface br0 inet static - bridge_ports eth0 - bridge_fd 0 - address 192.168.100.1 - netmask 255.255.255.0 - network 192.168.100.0 - broadcast 192.168.100.255 - gateway 192.168.100.1 - dns-nameservers 37.235.1.174 - dns-search forksand.com -\end{minted} - -As user \texttt{jebba}, on the server, run this to generate a key. -Then paste that key into Sunstone under "SSH Public Key". - -\begin{minted}{sh} -ssh-keygen -t ed25519 -\end{minted} - -\begin{minted}{sh} -# XXX test. Use this IP and interface, so no 192.168.0.0 but real IPs. 
-# Comment this out: -auto eth0:27 -iface eth0:27 inet static -address 174.128.229.158 -netmask 255.255.255.224 -gateway 174.128.229.129 -\end{minted} - -XXX Check if IP forwarding is needed in \texttt{/etc/sysctl.conf}. - -If things are set up to use a bridge and 192.168.100.100, -\texttt{iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE} -Will bring things up to NAT. - - -XXX The port forwarding is forwarding all port 53 to guest at the moment. diff --git a/source/Proxmox.tex b/source/Proxmox.tex new file mode 100644 index 0000000..70cebb5 --- /dev/null +++ b/source/Proxmox.tex 
@@ -0,0 +1,230 @@
+%
+% Proxmox.tex
+%
+% Fork Sand IT Manual
+%
+% Copyright (C) 2018, Fork Sand, Inc.
+% Copyright (C) 2017, Jeff Moe
+% Copyright (C) 2017 Aleph Objects, Inc.
+%
+% This document is licensed under the Creative Commons Attribution 4.0
+% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
+%
+% XXX TODO: Proxmox-GUI-login.png
+
+\section{Overview}
+Proxmox is a virtual machine manager.
+
+The private cloud deployment will be based on Proxmox version 5.x.
+%There are only Debian 8 (Jessie, oldstable) releases.
+%Debian hasn't packaged Proxmox since wheezy. It has it in sid, but even
+%that is an old version. The only packages available for Debian are the
+%upstream ones for Jessie made by Proxmox.
+UPDATE: although Proxmox isn't listed on Debian 9 (Stretch) packages,
+there is an installation manual for 5.x version, which is great.
+
+Documentation:
+\url{https://pve.proxmox.com/wiki/Documentation}
+
+\begin{figure}[h!]
+\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-proxmox.png}
+ \caption{Proxmox Website}
+ \label{fig:www-proxmox}
+\end{figure}
+
+\begin{itemize}
+ \item Website: \\ \url{https://proxmox.com/}
+ \item Debian Stretch Repo: \\
+ \url{http://downloads.Proxmox.com/repo/5.4/Debian/9/pool/Proxmox/}
+\end{itemize}
+
+
+The following servers will be deployed to host Proxmox and the KVMs:
+
+\begin{itemize}
+ %\item \texttt{waz-kvm-001.forksand.com}
+ %\item \texttt{waz-kvm-002.forksand.com} --- Virtual Machine Server 2
+ %\item \texttt{waz-kvm-003.forksand.com} --- Virtual Machine Server 3
+ %\item \texttt{waz-kvm-004.forksand.com} --- Virtual Machine Server 4
+ %\item \texttt{waz-kvm-005.forksand.com} --- Virtual Machine Server 5
+ %\item \texttt{waz-sun-001.forksand.com} --- Proxmox Web GUI 1
+ %\item \texttt{waz-sun-002.forksand.com} --- Proxmox Web GUI 2
+ \item \texttt{forksand-hk1} --- Virtual Machine Node 1
+ \item \texttt{forksand-hk2} --- Virtual Machine Node 2
+ \item \texttt{forksand-hk3} --- Virtual Machine Node 3
+ \item \texttt{\textcolor[rgb]{0.80,0.00,0.00}{forksand-shark1}} \textcolor[rgb]{0.80,0.00,0.00}{--- Virtual Machine Node ?}
+ \item \texttt{forksand-shark2} --- Virtual Machine Node 4
+ \item \texttt{forksand-shark3} --- Virtual Machine Node 5
+ \item \texttt{forksand-shark4} --- Virtual Machine Node 6
+ \item \texttt{forksand-the} --- Virtual Machine Node 7
+ \item \texttt{forksand-truck} --- Virtual Machine Node 8
+\end{itemize}
+
+%\subsection{Virtual Machine Servers}
+%KVM virtual machine servers. Fast CPU, with lots of RAM. Uses Ceph to store
+%virtual images.
+%
+%\subsection{Proxmox Web GUI Servers}
+%A Proxmox's Web GUI for administration of the cluster.
+
+\subsection{Virtual Machine Nodes}
+Virtual machine nodes. Fast CPU, with lots of RAM. Uses Ceph to store
+virtual images.
+
+Every node includes a Proxmox's Web GUI for administration of the cluster.
+\textcolor[rgb]{0.80,0.00,0.00}{Todo clarify}
+
+
+\begin{figure}[h!]
+\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{proxmox-gui.png}
+ \caption{Proxmox Sunstone Web Admin GUI}
+ \label{fig:proxmox-gui}
+\end{figure}
+
+
+\begin{minted}{sh}
+echo "deb http://download.proxmox.com/debian/pve stretch pve-no-subscription" \
+> /etc/apt/sources.list.d/pve-install-repo.list
+wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg \
+-O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
+apt-get update
+apt-get -y dist-upgrade --download-only
+DEBIAN_FRONTEND=noninteractive apt-get -y \
+-o Dpkg::Options::="--force-confdef" \
+-o Dpkg::Options::="--force-confnew" dist-upgrade
+apt-get -y install ksm-control-daemon proxmox-veupdate-grub
+apt remove os-prober
+\end{minted}
+
+\section{Bugs}
+Things that are bugs or at least aren't configured correctly.
+
+\section{GUI Configuration}
+At this point, you should have the Proxmox server up and running.
+
+\textcolor[rgb]{0.80,0.00,0.00}{
+Todo check related, modify/replace unrelated
+}
+
+\begin{minted}{sh}
+See scripts in \texttt{source/resources/ns24} for automation.
+
+\begin{enumerate}
+\item Set up Linux Bridge (use Sunstone server name for ns24):
+ Code: \\ \texttt{ssh -N -C -L 9869:localhost:9869 ns24}
+\item In workstation, open browser to url:
+URL: \\ \url{http://localhost:9869/}
+Info: \\ This goes through the encrypted SSH tunnel, but doesn't use https.
+\item Click \texttt{Proxmox} in the upper right to get the full web console.
+\item Click \texttt{Infrastructure}.
+\item Click \texttt{Hosts}.
+\item Click The \texttt{+} plus icon.
+\item Enter the hostname of the KVM server you want to use, such as the Sunstone server itself.
+ \texttt{Type: KVM}
+ \texttt{Hostname: ns24}
+\item Click \texttt{Create}.
+\item Repeatedly hit the reload button that's the two arrows in a circle, as it goes thru
+ stages of setup, starting at \texttt{INIT}.
+\item Confirm status is \texttt{ON}.
+\end{enumerate}
+\end{minted}
+
+\section{GUI Deploy Image}
+\textcolor[rgb]{0.80,0.00,0.00}{Todo check related, modify/replace unrelated}
+\begin{minted}{sh}
+This is a quick and dirty way to deploy a first test image.
+NOTE: It is note privacy aware, as it pulls the image from the
+Proxmox ``store''.
+\end{minted}
+
+\textcolor[rgb]{0.80,0.00,0.00}{Todo check related, modify/replace unrelated}
+\begin{minted}{sh}
+How to deploy an image from the Proxmox App store:
+\begin{enumerate}
+ \item Click \texttt{Storage}.
+ \item Click \texttt{Apps}
+ \item Click \texttt{Debian 9 - KVM}.
+ \item Click on the icon that is a cloud with an arrow in it. This downloads it to Proxmox.
+ \item Select a datastore by clicking the \texttt{default} line.
+ \item Leave name and all that the same, and click \texttt{Download}.
+ \item Click \texttt{Images} under \texttt{Storage} in the left column.
+ \item Hit the refresh icon repeatedly.
+ \item When \texttt{Status} is \texttt{READY}, it is good to go.
+ \item Click \texttt{Templates} in the left column.
+ \item Click \texttt{VMs}.
+ \item Click \texttt{Debian 9 - KVM}.
+ \item Click \texttt{Instantiate}.
+ \item \texttt{VM Name} enter \texttt{deb9}.
+ \item \texttt{Number of instances} enter \texttt{1}.
+ \item \texttt{Memory} enter \texttt{768}.
+ \item \texttt{CPU} enter \texttt{1}.
+ \item Click the slider to \texttt{Instantiate as persistent}.
+ \item Click \texttt{Instantiate}.
+ \item Click \texttt{Instances} in the left column.
+ \item Click \texttt{VMs}.
+ \item Click the reload icon, repeat.
+ \item It is good when \texttt{Status} is \texttt{RUNNING}.
+ \item Set up an \texttt{ssh} tunnel so VNC can be used:
+ \texttt{ssh -N -C -L 29876:localhost:29876 ns24}
+ \item Click on the little monitor icon to launch VNC.
+ \item Look at booted up screen at \texttt{login:} prompt.
+ \item This means a Debian KVM booted up and the VNC is working.
+ There is no password for the \texttt{root} account, only \texttt{ssh} is available.
+ So without network setup, you can't really do anything with this image.
+ Booted, it just shows it works.
+\end{enumerate}
+
+I think delete this section, it would go before the \texttt{Templates} above.:
+\begin{enumerate}
+ \item Click \texttt{Debian 9 - KVM}.
+ \item PROBABLY NO: Click \texttt{Clone} to make a local copy.
+ \item PROBABLY NO: It will say \texttt{Copy of Debian 9 - KVM}, leave as-is, click \texttt{Clone}.
+ \item Click on the icon with three dots.
+ \item Click \texttt{Make Persistent}.
+ \item Click on the icon with three dots.
+ \item Click \texttt{Enable}.
+\end{enumerate}
+\end{minted}
+
+\section{Proxmox Networking}
+Create --> Linux Bridge: vmbr0
+
+XXX best way for this server? No subnet.
+
+\textcolor[rgb]{0.80,0.00,0.00}{taken from forksand-shark4-bootstrap}
+
+\begin{minted}{sh}
+source /etc/network/interfaces.d/*
+auto enp1s0f1
+iface enp1s0f1 inet static
+ address 70.39.103.210/29
+ gateway 70.39.103.209
+ dns-nameservers 208.67.222.222
+ dns-search forksand.com
+\end{minted}
+
+As user \texttt{jebba}, on the server, run this to generate a key.
+Then paste that key into Sunstone under "SSH Public Key".
+
+\begin{minted}{sh}
+ssh-keygen -t ed25519
+\end{minted}
+
+\begin{minted}{sh}
+# XXX test. Use this IP and interface, so no 192.168.0.0 but real IPs.
+# Comment this out:
+auto eth0:27
+iface eth0:27 inet static
+address 174.128.229.158
+netmask 255.255.255.224
+gateway 174.128.229.129
+\end{minted}
+
+XXX Check if IP forwarding is needed in \texttt{/etc/sysctl.conf}.
+
+If things are set up to use a bridge and 192.168.100.100,
+\texttt{iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE}
+Will bring things up to NAT.
+
+
+XXX The port forwarding is forwarding all port 53 to guest at the moment.
diff --git a/source/Software-daemons.tex b/source/Software-daemons.tex
index d0b0763..0a0610a 100644
--- a/source/Software-daemons.tex
+++ b/source/Software-daemons.tex
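Review bot: The apt signing key in the install snippet under "Virtual Machine Nodes" is fetched over plain `http://` and written straight into `/etc/apt/trusted.gpg.d/` with no fingerprint check, so anything on the path can substitute the key and every package apt then installs from that repository is trusted on the attacker's say-so; fetch it as `wget https://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg` and compare `sha512sum` of the file against the value published in the upstream install guide (`<EXPECTED-SHA512-FROM-UPSTREAM-DOCS>`) before running `apt-get update`. The line `apt-get -y install ksm-control-daemon proxmox-veupdate-grub` appears to have lost a line break and names a package that does not exist; it should read `apt-get -y install ksm-control-daemon proxmox-ve` with `update-grub` on its own line. The "Debian Stretch Repo" URL in the itemize list looks like a search-and-replace of the deleted OpenNebula path rather than a real Proxmox repository; the working repository is the `deb http://download.proxmox.com/debian/pve stretch pve-no-subscription` line in the minted block, so the itemize entry should point there. The GUI Configuration and GUI Deploy Image sections wrap `\begin{enumerate}` lists inside `\begin{minted}{sh}`, which renders the LaTeX markup as literal text; the author already marks these as Todo, so this is only a reminder.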
@@ -79,6 +79,837 @@ Used on many servers for a database. Shared calendars, files, collaborative document editing with LibreOffice Online, videoconferencing. +Some of this is from owncloud era... + +\begin{minted}{sh} +#Install debian jessie, ssh server, standard system utilities +#install jebba ssh key +#install sudo +#disable password ssh +#disable root ssh + +#================================== +# +#Set up DNS +#Set up Server + +#Create new jessie server, and boot it up. +#Copy over key: +ssh-copy-id jebba@pwn.themoes.org +#Log in to new machine: +ssh jebba@pwn.themoes.org +#Change jebba's password. +passwd jebba +#Set a root password: +su - +passwd root +#Disable source repos: +sed -i -e 's/deb-src/#deb-src/g' /etc/apt/sources.list +#Set up `git` as kludge to track /etc +apt-get -y install git +cd /etc +git init +chmod og-rwx /etc/.git +vi /etc/.gitignore +\end{minted} +Add these lines to /etc/.gitignore +\begin{minted}{sh} +prelink.cache +*.swp +ld.so.cache +adjtime +blkid.tab +blkid.tab.old +mtab +resolv.conf +asound.state +mtab.fuselock +aliases.db +\end{minted} +\subsection{Set up a git user:} +\begin{minted}{sh} +vi ~/.gitconfig +[user] +name = Jeff Moe + +[color] + branch = auto + diff = auto + status = auto +\end{minted} +\subsection{Create and populate the git repo for /etc:} +\begin{minted}{sh} +git add . 
+EDITOR=vi git commit -a +Intial setup of pwn.themoes.org jessie owncloud server +#Install some needed stuff: +apt-get -y install sudo vim curl exuberant-ctags rsync ntp vim-scripts +host strace telnet lsb-release unzip bzip2 && apt-get clean +#Set up vim: +echo :syntax on > ~/.vimrc +#Add jebba to sudo group: +adduser jebba sudo +#Make sudoers passwordless: +vim /etc/sudoers +#Change: +%sudo ALL=(ALL:ALL) ALL +#To: +%sudo ALL=(ALL) NOPASSWD: ALL +#Edit /etc/ssh/sshd_config (dodgy way to do this): +sed -i \ + -e 's/PermitRootLogin yes/PermitRootLogin no/g' \ + -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \ + -e 's/RSAAuthentication yes/RSAAuthentication no/g' \ + -e 's/Port 22/Port 43827/g'\ + -e 's/X11Forwarding yes/X11Forwarding no/g' \ + /etc/ssh/sshd_config +#Disable unneeded services: +for i in nfs-common rpcbind mountkernfs.sh rsync exim4 ; do echo $i ; +sudo /usr/sbin/update-rc.d $i disable ; done +\end{minted} +Todo. Should these be dropped too? mountnfs-bootclean.sh mountnfs.sh +Reboot +\begin{minted}{sh} +#Log in as jebba (from workstation): +ssh -p 43827 -C jebba@pwn.themoes.org +#VIM: +echo :syntax on > ~/.vimrc +\end{minted} +\subsection{Setup} +Update /etc/hosts: +\begin{minted}{sh} +5.152.179.226 pwn pwn.themoes.org +#Comment out: +#127.0.1.1 pwn.themoes.org pwn +#Update /etc/hostname: +pwn +#Commit everything so far to git +sudo su - +cd /etc +git add . +EDITOR=vi git commit -a +# Additional base config for server. 
+ +\end{minted} +\subsection{Make IP Static} +\begin{minted}{sh} +vim /etc/network/interfaces +\end{minted} +Comment out: +\begin{minted}{sh} +#allow-hotplug eth0 +#iface eth0 inet dhcp +\end{minted} +Add: +\begin{minted}{sh} +auto eth0 +iface eth0 inet static +address 5.152.179.226 +netmask 255.255.255.0 +gateway 5.152.179.1 +\end{minted} +\begin{minted}{sh} +# Install Firewall +# ============= +# https://wiki.debian.org/iptables + +#Create /etc/iptables.up.rules and /etc/network/if-pre-up.d/iptables +touch /etc/iptables.up.rules /etc/network/if-pre-up.d/iptables +/etc/iptables.test.rules + +chmod 600 /etc/iptables.test.rules /etc/iptables.up.rules + +\end{minted} +\begin{minted}{sh} +vim /etc/iptables.test.rules +\end{minted} +*filter +\begin{minted}{sh} + +# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that +doesn't use lo0 +-A INPUT -i lo -j ACCEPT +#-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT + +# Accepts all established inbound connections +-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT + +# Allows all outbound traffic +# You could modify this to only allow certain traffic +-A OUTPUT -j ACCEPT +# Allows HTTP and HTTPS connections from anywhere (the normal ports for +websites) +#-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT +#-A INPUT -p tcp --dport 80 -j ACCEPT + +# Accept 443 from everywhere +#-A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT +#-A INPUT -p tcp --dport 443 -j ACCEPT + +# SSH Access Port 43827 +-A INPUT -p tcp -s 67.54.153.124 --dport 43827 -j ACCEPT +# Allow ssh from anywhere +-A INPUT -p tcp --dport 43827 -j ACCEPT + +# Allow ping +-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT + +# Opsview access +#-A INPUT -s 999.999.999.999/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT +#-A INPUT -s 999.999.999.999/32 -p tcp -m tcp -m multiport --dports +2222,37,4949,5666 -j ACCEPT + +# log iptables denied calls (access via 'dmesg' command) +-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: 
" +--log-level 7 + +# Reject all other inbound - default deny unless explicitly allowed policy: +-A INPUT -j REJECT +-A FORWARD -j REJECT + +COMMIT +\end{minted} +\begin{minted}{sh} +touch /etc/network/if-pre-up.d/iptables +chmod 755 /etc/network/if-pre-up.d/iptables +vim /etc/network/if-pre-up.d/iptables +\end{minted} +\begin{minted}{sh} +#!/bin/bash +/sbin/iptables-restore < /etc/iptables.up.rules +\end{minted} +Then run: +\begin{minted}{sh} +iptables-restore < /etc/iptables.test.rules +iptables -L +iptables-save > /etc/iptables.up.rules +\end{minted} +Disable IPv6 +\begin{minted}{sh} +vim /etc/sysctl.conf +\end{minted} +Add: +\begin{minted}{sh} +# Disable IPv6 +net.ipv6.conf.all.disable_ipv6 = 1 +net.ipv6.conf.default.disable_ipv6 = 1 +net.ipv6.conf.lo.disable_ipv6 = 1 +net.ipv6.conf.eth0.disable_ipv6 = 1 +\end{minted} +\begin{minted}{sh} +sysctl -p +\end{minted} +Add this to kernel boot line /etc/default/grub: +\begin{minted}{sh} +GRUB_CMDLINE_LINUX="ipv6.disable=1" +\end{minted} +then run: +\begin{minted}{sh} +update-grub +\end{minted} +\begin{minted}{sh} +# Also need to change anything in /etc/apache2/sites-enabled/* that has +*:80 to 0.0.0.0, so no IPv6. + +# Comment out IPv6 stuff in /etc/hosts: +#::1 localhost ip6-localhost ip6-loopback +#ff02::1 ip6-allnodes +#ff02::2 ip6-allrouters + + +# Also need to change anything in /etc/apache2/sites-enabled/* that has +*:80 to 0.0.0.0, so no IPv6. +\end{minted} +Blacklist the module, don't even load it: +\begin{minted}{sh} +echo blacklist ipv6 > /etc/modprobe.d/ipv6.conf +\end{minted} +Tell the module not to use IPv6 (hit it with the hammer over and over): +\begin{minted}{sh} +echo alias net-pf-10 off >> /etc/modprobe.d/aliases.conf +echo alias ivp6 off >> /etc/modprobe.d/aliases.conf +\end{minted} +\begin{minted}{sh} +reboot +\end{minted} + +%#################### +%# Install Owncloud # +%#################### +\subsection{Install nextcloud} +Copied from Owncloud installation sequence. 
Todo: review difference to Nextcloud + +Add Debian Backports (eh?) +\begin{minted}{sh} +sh -c "echo 'deb http://mirrors.kernel.org/debian/ jessie-backports +main' >> /etc/apt/sources.list.d/backports.list" +apt-get update +apt-get dist-upgrade -t jessie-backports +apt-get clean +sync +reboot & exit +\end{minted} +Add owncloud repos (ToDo) +\begin{minted}{sh} +cd +wget -nv \ +https://download.owncloud.org/download/repositories/stable/Debian_8.0/Release.key \ +-O Release.key +apt-key add - < Release.key +sh -c "echo 'deb +http://download.owncloud.org/download/repositories/stable/Debian_8.0/ /' +>> /etc/apt/sources.list.d/owncloud.list" +apt-get update + +apt-get install -t jessie-backports php5-apcu php-apc php5-imagick \ +ffmpeg libreoffice php5-mysql php5-mcrypt php5-gmp php5-apcu \ +php5-memcache php5-memcached memcached php5-redis php5-imagick apache2 \ +libapache2-mod-php5 php5-gd php5-json php5-mysql php5-curl php5-intl \ +php5-mcrypt php5-imagick mysql-server +apt-get clean +\end{minted} +Set up database +\begin{minted}{sh} +vim ~/.mysqlpw +\end{minted} +\begin{minted}{sh} +# meh +update-rc.d saned disable +\end{minted} +\begin{minted}{sh} +# Configure Apache2 on a Debian Jessie Server +# Setup default https configuration: +cd /etc/apache2/sites-enabled +ln -s ../sites-available/default-ssl . +# Enable SSL modules +cd /etc/apache2/mods-enabled +ln -s ../mods-available/*ssl* . +ln -s ../mods-available/socache_shmcb.load . 
+ +# XXX left this out: +#vim /etc/apache2/sites-available/default-ssl.conf +# make sure that each has AllowOverride All + +# Generate SSL certificate +cd /etc/ssl/private/ +openssl genrsa -out pwn.themoes.org.key 2048 +openssl req -new -key pwn.themoes.org.key -out pwn.themoes.org.csr +#* After the last command answer the following: +#** Country Name : US +#** State or Province Name: Colorado +#** Locality Name: Redstone Canyon +#** Organization Name: Moe +#** Organizational Unit Name: IT +#** Common Name: pwn.themoes.org +#** Email Address: pwn@themoes.org +#** Leave Challenge password and An optional company name blank. + +# Sent csr to SSL registrar. +\end{minted} +Open up port 80 to do SSL registrar verification: +\begin{minted}{sh} +vim /etc/iptables.test.rules +\end{minted} +Enable the port 80 lines for registar, and port 443 lines for owncloud + +later at the file +\begin{minted}{sh} +iptables-restore < /etc/iptables.test.rules +iptables -L +iptables-save > /etc/iptables.up.rules +\end{minted} +Copy Gandi file for SSL authentication to /var/www/html/ + +After Gandi verifies it, remove the file. + +Then disable port 80 in the firewall again: +\begin{minted}{sh} +vim /etc/iptables.test.rules +\end{minted} +\begin{minted}{sh} +iptables-restore < /etc/iptables.test.rules +iptables -L +iptables-save > /etc/iptables.up.rules +\end{minted} +Move the cert in place +\begin{minted}{sh} +mv /home/jebba/certificate-323281.crt /etc/ssl/private/pwn.themoes.org.crt +chown root:root /etc/ssl/private/pwn.themoes.org.crt + +# Gandi intermediate certs XXX +# http://crt.gandi.net/GandiStandardSSLCA2.crt OR +# https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem + +# Gah, wtf, add this? +# Comodo Cross-Signed Certificate +# http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt + +#* Generate certificate: +# XXX gah, gandi root certs ? +# WTF does this do. 
+openssl x509 -req -in pwn.themoes.org.csr -CA AOrootCA.pem \ + -CAkey AOrootCA.key -CAserial AOrootCA.srl \ + -out pwn.themoes.org.crt -days 65000 +\end{minted} +ToDo: consider adding rm pwn.themoes.org.csr + +Place the .crt and .key files on pwn.themoes.org in /etc/ssl/private +directory. + +Make sure the they can't be read by the others. + +Configure SSL part of the Apache Server: +\begin{minted}{sh} +vim /etc/apache2/sites-available/default-ssl.conf +\end{minted} +change to: +\begin{minted}{sh} +ServerName pwn.themoes.org +ServerAdmin pwn@themoes.org +\end{minted} +comment out snakeoil keys + +add +\begin{minted}{sh} +SSLProtocol all -SSLv2 +SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW +SSLCertificateFile /etc/ssl/private/pwn.themoes.org.crt +SSLCertificateKeyFile /etc/ssl/private/pwn.themoes.org.key +\end{minted} +\subsection{Enable the SSL server} +\begin{minted}{sh} +cd /etc/apache2/sites-enabled +ln -s ../sites-available/default-ssl.conf . +\end{minted} +Restart Apache2 +\begin{minted}{sh} +/etc/init.d/apache2 restart +\end{minted} +\begin{minted}{sh} +echo pwn > /var/www/html/index.html +\end{minted} +Install owncloud +\begin{minted}{sh} +apt-get install -t jessie-backports owncloud +\end{minted} +set up mysql owncloud user +\begin{minted}{sh} +vim ~/.mysqlpw-own +cat ~/.mysqlpw-own +mysql -uroot -p`cat ~/.mysqlpw` +CREATE USER 'owncloud'@'localhost' IDENTIFIED BY 'password'; +CREATE DATABASE IF NOT EXISTS owncloud; +GRANT ALL PRIVILEGES ON owncloud.* TO 'owncloud'@'localhost' IDENTIFIED +BY 'password'; + +############## +# Migrate db to sql.themoes.org +############## +# Set up mysql config with sql.themoes.org (NOT on traccar, but on db +server) +mysql> CREATE DATABASE owncloud; +mysql> CREATE USER 'owncloud'@'192.168.22.2' IDENTIFIED BY 'XXX'; +mysql> GRANT ALL ON owncloud.* TO 'owncloud'@'192.168.22.2'; +mysql> FLUSH PRIVILEGES; + +\end{minted} +\begin{minted}{sh} +mkdir /srv/owncloud +chown www-data:www-data /srv/owncloud +chmod 
770 /srv/owncloud +\end{minted} +\begin{minted}{sh} +# Do web stuff +# https://pwn.themoes.org/owncloud/ +# Create admin account +# Data folder: +# /srv/owncloud +# MySQL: +# User: owncloud +# Password: +# Database Name: owncloud +\end{minted} +set up crontab in web and here: +\begin{minted}{sh} +crontab -u www-data -e +\end{minted} +Add: +\begin{minted}{sh} +*/15 * * * * php -f /var/www/owncloud/cron.php +\end{minted} +Check it: +\begin{minted}{sh} +crontab -u www-data -l +\end{minted} +\begin{minted}{sh} +root@pwn:/etc/ssl/private# chmod o-r * +root@pwn:/etc/ssl/private# rm ssl-cert-snakeoil.key + +wget https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem +mv GandiStandardSSLCA2.pem /etc/ssl/certs/ +chown root:root /etc/ssl/certs/GandiStandardSSLCA2.pem +\end{minted} +Add this to +Configure SSL part of the Apache Server: +\begin{minted}{sh} +vim /etc/apache2/sites-available/default-ssl.conf +\end{minted} +\begin{minted}{sh} +SSLCertificateChainFile /etc/ssl/certs/GandiStandardSSLCA2.pem +SSLVerifyClient None +\end{minted} +\subsection{Libreoffice} +\begin{minted}{sh} +vim /var/www/owncloud/config/config.php +\end{minted} +\begin{minted}{sh} + 'preview_libreoffice_path' => '/usr/bin/libreoffice', +\end{minted} +POSTFIX XXX ... 
+\begin{minted}{sh} +apt-get remove exim4 exim4-base exim4-config exim4-daemon-light +apt-get purge exim4 exim4-base exim4-config exim4-daemon-light +apt-get install postfix +#apt-get install bsd-mailx +\end{minted} +Use APCu and Redis for caching +\begin{minted}{sh} +vim /var/www/owncloud/config/config.php +\end{minted} +add +\begin{minted}{sh} + 'memcache.local' => '\OC\Memcache\APCu', + 'redis' => array( + 'host' => '/var/run/redis/redis.sock', + 'port' => 0, + ), + 'memcache.locking' => '\OC\Memcache\Redis', +\end{minted} +\begin{minted}{sh} +vim /etc/redis/redis.conf +\end{minted} +\begin{minted}{sh} +unixsocket /var/run/redis/redis.sock +unixsocketperm 770 +\end{minted} +\begin{minted}{sh} +adduser www-data redis +\end{minted} +Todo: consider reboot +\begin{minted}{sh} +# Secure https some moar +# +https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/harden_server.html#enable-hsts-label +cd /etc/apache2/mods-enabled +ln -s ../mods-available/headers.load . +vim /etc/apache2/sites-enabled/default-ssl.conf +\end{minted} +Add: +\begin{minted}{sh} + + Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" + +\end{minted} +Add stuff, and run: +\begin{minted}{sh} +vim /var/www/owncloud/config/config.php +\end{minted} +\begin{minted}{sh} + 'defaultapp' => 'calendar', + 'session_keepalive' => true, + 'htaccess.RewriteBase' => '/owncloud', +\end{minted} +\begin{minted}{sh} +sudo -u www-data /var/www/owncloud/occ maintenance:update:htaccess +\end{minted} +Drop /owncloud from the URL +\begin{minted}{sh} +vim /etc/apache2/conf-available/owncloud.conf +\end{minted} +\begin{minted}{sh} +Alias / "/var/www/owncloud/" +\end{minted} +\begin{minted}{sh} +vim /var/www/owncloud/config/config.php +\end{minted} +\begin{minted}{sh} + 'overwrite.cli.url' => 'https://pwn.themoes.org', +\end{minted} +\subsection{Misc} +\begin{minted}{sh} +vim /var/www/owncloud/config/config.php +\end{minted} +\begin{minted}{sh} + 'logtimezone' => 
'MST', + 'session_keepalive' => true, + 'htaccess.RewriteBase' => '/', + 'overwritewebroot' => '/', + 'check_for_working_webdav' => true, + 'check_for_working_wellknown_setup' => true, + 'check_for_working_htaccess' => true, + 'logfile' => '/var/log/owncloud.log', + 'loglevel' => 2, + 'enable_previews' => true, + 'preview_max_x' => 2048, + 'preview_max_y' => 2048, + 'preview_max_scale_factor' => 10, + 'preview_max_filesize_image' => 50, + 'preview_office_cl_parameters' => + ' --headless --nologo --nofirststartwizard --invisible +--norestore '. + '-convert-to pdf -outdir ', + 'enabledPreviewProviders' => array( + 'OC\Preview\PNG', + 'OC\Preview\JPEG', + 'OC\Preview\GIF', + 'OC\Preview\BMP', + 'OC\Preview\XBitmap', + 'OC\Preview\MP3', + 'OC\Preview\TXT', + 'OC\Preview\MarkDown', + 'OC\Preview\PDF', + 'OC\Preview\Postscript', + 'OC\Preview\SVG', + 'OC\Preview\Movie', + 'OC\Preview\MSOfficeDoc', + 'OC\Preview\MSOffice2003', + 'OC\Preview\MSOffice2007', + 'OC\Preview\OpenDocument', + 'OC\Preview\StarOffice', + ), + 'maintenance' => false, + 'singleuser' => false, + 'asset-pipeline.enabled' => false, +\end{minted} +set up that temp dir: +\begin{minted}{sh} +mkdir /srv/owncloudtemp +chown www-data:www-data /srv/owncloudtemp/ +chmod 770 /srv/owncloudtemp/ +vim /var/www/owncloud/config/config.php +\end{minted} +\begin{minted}{sh} + 'tempdirectory' => '/srv/owncloudtemp', +\end{minted} +php.ini stuff +\begin{minted}{sh} +vim /etc/php5/apache2/php.ini +\end{minted} +\begin{minted}{sh} +php_value upload_max_filesize = 5G +php_value post_max_size = 5G +php_value max_input_time 3600 +php_value max_execution_time 3600 +memory_limit = 512M +\end{minted} +for svg ? 
+\begin{minted}{sh} +apt-get install inkscape +\end{minted} +\begin{minted}{sh} +\subsection{Solr / Nexant} +\end{minted} +\begin{minted}{sh} +apt-get install php-solr solr-jetty +\end{minted} +\begin{minted}{sh} +# enable nexant app in web interface +# vim /etc/jetty9/jetty-http.xml +# vim /etc/jetty9/jetty-https.xml +# +# to +# +\end{minted} +\begin{minted}{sh} + +# nope +#cd solr/ +#cp -fr configsets/basic_configs nextant + +# This: +# https://github.com/nextcloud/nextant/wiki/Setup-your-local-standalone-Solr +# see local git clone + +# Actually, do this install of solr... +# https://github.com/nextcloud/nextant/wiki/Setup-your-local-Solr-as-a-Service + +# apt-get install tesseract-ocr tesseract-ocr-eng +# apt-get install ocrmypdf # not needed, for other OCR thing +\end{minted} +\subsection{Spreed} +\large{Spreed Nextcloud WebRTC} + +There is a Spreed.me module for Nextcloud, which points to a spreed +webrtc server. If the spreed and nextcloud server use different +hostnames (origins), screen-sharing won't be allowed due to browser +restrictions. So spreed is getting installed straight onto the Nextcloud +server, https://own.alephobjects.com . + +\subsection{Links} +\begin{minted}{sh} +* https://github.com/strukturag/spreed-webrtc +* https://github.com/strukturag/nextcloud-spreedme +* https://github.com/strukturag/nextcloud-spreedme#installation--setup-of-a-spreed-webrtc-server +* https://hub.docker.com/r/spreed/webrtc/ +* https://docs.docker.com/engine/installation/linux/debian/ +\end{minted} + +We're going to use a Docker install... own.alephobjects.com is +currently running Debian Stretch (testing, version 9). Unfortunately, +docker.io (as it is named in Debian) is available for jessie-backports +and sid, but not for stretch... We'll use docker's apt repos to get +docker.... 
+\subsection{Install Docker} +\begin{minted}{sh} +* https://docs.docker.com/engine/installation/linux/debian/ +\end{minted} +\begin{minted}{sh} +apt update +apt install apt-transport-https ca-certificates gnupg2 +apt-key adv \ + --keyserver hkp://ha.pool.sks-keyservers.net:80 \ + --recv-keys 58118E89F3A912897C070ADBF76221572C52609D +vim /etc/apt/sources.list.d/docker.list +\end{minted} +Add: +\begin{minted}{sh} +deb https://apt.dockerproject.org/repo debian-stretch main +\end{minted} +\begin{minted}{sh} +cd /etc ; git add . ; git commit -a -m 'Add docker repo to apt' +\end{minted} +save +\begin{minted}{sh} +apt update +apt install -y docker-engine +cd /etc ; git add . ; git commit -a -m 'Install docker' +service docker start +\end{minted} +\subsection{Test docker} +\begin{minted}{sh} +docker run hello-world +\end{minted} +\subsection{Set up spreed docker} +\begin{minted}{sh} +mkdir -p /srv/spreed/extra.d +vim /etc/spreed-webrtc-nextcloud.conf +\end{minted} +make config like this: +\begin{minted}{sh} +[http] +basePath = /webrtc/ + +[app] +authorizeRoomJoin = true +extra.d = /srv/spreed/extra.d + +[users] +enabled = true +mode = sharedsecret +\end{minted} +\subsection{Run Spreed Docker} +\begin{minted}{sh} +cd /srv/spreed + +docker run --name ao-spreed-webrtc -p 8080:8080 -p 8443:8443 \ + -v /srv/spreed -i -t spreed/webrtc -c /etc/spreed-webrtc-nextcloud.conf +\end{minted} + +On first launch, it may hang forever because it doesn't have any +entropy. So it will hang at "Creating new server secrets ..." 
+ +Here is a workaround to generate entropy: + +\begin{minted}{sh} +apt install -y rng-tools +rngd -f -r /dev/urandom +\end{minted} +Run it thusly: +\begin{minted}{sh} +docker run -d --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \ +/etc/spreed:/etc/spreed -v /var/log/spreed:/var/log/spreed -v \ +/var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \ +-i -t spreed/webrtc -c /etc/spreed/server.conf +\end{minted} +\large{Configure Apache} + +install needed apache modules: +\begin{minted}{sh} +a2enmod proxy proxy_http proxy_wstunnel headers +vim /etc/apache2/sites-enabled/01-own.alephobjects.com.conf +\end{minted} +Add this inside the VirtualHost section: +\begin{minted}{sh} +# Spreed WebRTC + ProxyPass http://127.0.0.1:8080/webrtc + ProxyPassReverse /webrtc + ProxyPass ws://127.0.0.1:8080/webrtc/ws + ProxyVia On + ProxyPreserveHost On + RequestHeader set X-Forwarded-Proto 'https' env=HTTPS +\end{minted} +\subsection{Spreed Configuration} +\begin{minted}{sh} +Get the config in own.alephobjects.com --> admin --> Additional +Settings(?) --> Spreed.me + +# Generate that config, put it in /etc/spreed/spreed.conf + +# Restart docker. +#cd /etc ; git add . 
; git commit -a -m 'Configure' + +##### HMM +docker run --name ao-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \ +/srv/spreed -i -t spreed/webrtc -c /etc/spreed/server.conf +rngd -f -r /dev/urandom + +# 585 docker run --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \ +/etc/spreed:/etc/spreed -i -t spreed/webrtc -c /etc/spreed/server.conf +# 587 docker run -d --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 \ +-v /etc/spreed:/etc/spreed -v /var/log/spreed:/var/log/spreed -v \ +/var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \ +-i -t spreed/webrtc -c /etc/spreed/server.conf + +docker run -d --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \ +/etc/spreed:/etc/spreed -v /var/log/spreed:/var/log/spreed -v \ +/var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \ +-i -t spreed/webrtc -c /etc/spreed/server.conf + +# These two: +rngd -f -r /dev/urandom + +docker run -d --restart unless-stopped --name my-spreed-webrtc -p \ +8080:8080 -p 8443:8443 -v /etc/spreed:/etc/spreed -v \ +/var/log/spreed:/var/log/spreed -v \ +/var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \ +-i -t spreed/webrtc -c /etc/spreed/server.conf \ + +\end{minted} +\subsection{apache2} +Install needed apache modules: +\begin{minted}{sh} +a2enmod proxy proxy_http proxy_wstunnel headers + +vim /etc/apache2/sites-enabled/pwn.themoes.org.conf +\end{minted} +Add this inside the VirtualHost section: +\begin{minted}{sh} + +# Spreed WebRTC + + ProxyPass http://127.0.0.1:8080/webrtc + ProxyPassReverse /webrtc + + + + ProxyPass ws://127.0.0.1:8080/webrtc/ws + + + ProxyVia On + ProxyPreserveHost On + RequestHeader set X-Forwarded-Proto 'https' env=HTTPS +\end{minted} + \section{\href{http://support.ntp.org/}{NTP}} Syncs time on every server and workstation. diff --git a/source/Source-gen.tex b/source/Source-gen.tex index 7ad4455..f533224 100644 --- a/source/Source-gen.tex +++ b/source/Source-gen.tex 
@@ -2,14 +2,209 @@ \texttt{SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855} \inputminted{sh}{resources/SHA256SUM} \section{\texttt{STATS}} -\texttt{SHA256: b1861503f0a41f1f2bef8fbfba32501d871ef4c5fd073c3b9272c71a7b1e7ea5} +\texttt{SHA256: adadaa5e46ade71aa99d833d7cf64cf012501c8b7a6f6c15a3563f6ceeffa9c6} \inputminted{sh}{resources/STATS} +\section{\texttt{apps/Ansible-Gitea/ansible.cfg}} +\texttt{SHA256: 5c5bbe341a18319f6f24033c4f63fc5f1594469b4f2cfbb991ec596fd30e9a3b} +\inputminted{sh}{resources/apps/Ansible-Gitea/ansible.cfg} +\section{\texttt{apps/Ansible-Gitea/inventory.yml}} +\texttt{SHA256: cc816d03579097542ca85c188995a412d619c08c84bf3dfef73191fc5cc05b54} +\inputminted{sh}{resources/apps/Ansible-Gitea/inventory.yml} +\section{\texttt{apps/Ansible-Gitea/roles/gitea/defaults/main.yml}} +\texttt{SHA256: 19aeb0ea8e30712f9589fd7037415118a92666d12ae30aa0757be6fde6357225} +\inputminted{sh}{resources/apps/Ansible-Gitea/roles/gitea/defaults/main.yml} +\section{\texttt{apps/Ansible-Gitea/roles/gitea/handlers/main.yml}} +\texttt{SHA256: 4012e6484af750c9b21a8d9f04e68ddd291c37a8dd9657daa862124e480c2497} +\inputminted{sh}{resources/apps/Ansible-Gitea/roles/gitea/handlers/main.yml} +\section{\texttt{apps/Ansible-Gitea/roles/gitea/tasks/create\char`_user.yml}} +\texttt{SHA256: 28d0983feb2aba01934a25cad94e64e77c055e6a977bb2a0db9a8c199933b369} +\inputminted{sh}{resources/apps/Ansible-Gitea/roles/gitea/tasks/create_user.yml} +\section{\texttt{apps/Ansible-Gitea/roles/gitea/tasks/install\char`_systemd.yml}} +\texttt{SHA256: 7e6155085ebae67496b3267cdf3211fd3a7e0f178661ff21e20101947456912e} +\inputminted{sh}{resources/apps/Ansible-Gitea/roles/gitea/tasks/install_systemd.yml} +\section{\texttt{apps/Ansible-Gitea/roles/gitea/tasks/main.yml}} +\texttt{SHA256: bc5f081dfd51f5c920c8dda1873560a2602204dd9d28a881238fd66e22437c2d} +\inputminted{sh}{resources/apps/Ansible-Gitea/roles/gitea/tasks/main.yml} 
+\section{\texttt{apps/Ansible-Gitea/roles/gitea/templates/gitea.ini.j2}} +\texttt{SHA256: c8be571f2f2407240bc88997aedf70c9230554a65132ebab9a1ee0d4296ff9d3} +\inputminted{sh}{resources/apps/Ansible-Gitea/roles/gitea/templates/gitea.ini.j2} +\section{\texttt{apps/Ansible-Gitea/roles/gitea/templates/gitea.service.j2}} +\texttt{SHA256: 0acbfe01156c9e39ee71a4fc64310ab003f09bfcf544df00b1f3cff010ed8f38} +\inputminted{sh}{resources/apps/Ansible-Gitea/roles/gitea/templates/gitea.service.j2} +\section{\texttt{apps/Ansible-Gitea/roles/gitea/.DS\char`_Store}} +\texttt{SHA256: e97bff48aa282aacf1c59c754a7b9adfe56120c4cb1545a7488f03fee9f4e479} +\inputminted{sh}{resources/apps/Ansible-Gitea/roles/gitea/.DS_Store} +\section{\texttt{apps/Ansible-Gitea/roles/nginx/defaults/main.yml}} +\texttt{SHA256: 20c921226115e5a92309d543b66066438e6565bdbd054e7ca41d0fc6ddcfcd9a} +\inputminted{sh}{resources/apps/Ansible-Gitea/roles/nginx/defaults/main.yml} +\section{\texttt{apps/Ansible-Gitea/roles/nginx/handlers/main.yml}} +\texttt{SHA256: 5a3990dbfb331c83fbbff76368a2426ae03d34052454aa6676f52b7e4652d561} +\inputminted{sh}{resources/apps/Ansible-Gitea/roles/nginx/handlers/main.yml} +\section{\texttt{apps/Ansible-Gitea/roles/nginx/tasks/main.yml}} +\texttt{SHA256: 5232d5b0894c1e6a3da8472591ef49e9c80e927cdbec626c15c9e1a9796729a8} +\inputminted{sh}{resources/apps/Ansible-Gitea/roles/nginx/tasks/main.yml} +\section{\texttt{apps/Ansible-Gitea/roles/nginx/templates/nginx.conf.j2}} +\texttt{SHA256: 1ecb64716e6674eb30a145c79859774cc5772304828553474c05820a2151ff3b} +\inputminted{sh}{resources/apps/Ansible-Gitea/roles/nginx/templates/nginx.conf.j2} +\section{\texttt{apps/Ansible-Gitea/roles/nginx/templates/nginxssl.conf.j2}} +\texttt{SHA256: 4d7edebbe48f20aeeb49599d32fc5531db943cbf43d7e9995674c180b56f2e77} +\inputminted{sh}{resources/apps/Ansible-Gitea/roles/nginx/templates/nginxssl.conf.j2} +\section{\texttt{apps/Ansible-Gitea/site.yml}} +\texttt{SHA256: 
d74378b00af74eabe0cc11d0f0b1db5c902116c583216f14152d968e5a71e474} +\inputminted{sh}{resources/apps/Ansible-Gitea/site.yml} +\section{\texttt{apps/ansible-debian-mail/ansible.cfg}} +\texttt{SHA256: 5c5bbe341a18319f6f24033c4f63fc5f1594469b4f2cfbb991ec596fd30e9a3b} +\inputminted{sh}{resources/apps/ansible-debian-mail/ansible.cfg} +\section{\texttt{apps/ansible-debian-mail/group\char`_vars/all.yml}} +\texttt{SHA256: b5f417e155b47834e49be9243ba776a6516c56c3ed0121d2bc4d022d5acacd87} +\inputminted{sh}{resources/apps/ansible-debian-mail/group_vars/all.yml} +\section{\texttt{apps/ansible-debian-mail/inventory.yml}} +\texttt{SHA256: cc816d03579097542ca85c188995a412d619c08c84bf3dfef73191fc5cc05b54} +\inputminted{sh}{resources/apps/ansible-debian-mail/inventory.yml} +\section{\texttt{apps/ansible-debian-mail/roles/dkim\char`_configuration/tasks/\\ \qquad\qquad\qquad../main.yml}} +\texttt{SHA256: 95d75eba0703ebb00f12d01a821353fe1ddb7a5612a72ea2c4e658d2be5afb52} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/dkim_configuration/tasks/main.yml} +\section{\texttt{apps/ansible-debian-mail/roles/dkim\char`_configuration/templates/\\ \qquad\qquad\qquad../internalhosts.j2}} +\texttt{SHA256: 4f83d988f9a305d6f7571f1742f8e284f0008182bcb21f3b8683594fd5de2340} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/internalhosts.j2} +\section{\texttt{apps/ansible-debian-mail/roles/dkim\char`_configuration/templates/\\ \qquad\qquad\qquad../opendkim.conf.j2}} +\texttt{SHA256: bf71aafad2295a773f5556ff870e4db70d62451a26fc952bde04336642f7afc2} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/opendkim.conf.j2} +\section{\texttt{apps/ansible-debian-mail/roles/dkim\char`_configuration/templates/\\ \qquad\qquad\qquad../opendkim.j2}} +\texttt{SHA256: 4069a27787b75f0af2ca555ff0f5668c2cbe6813909108a92c1583c4e82d2863} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/opendkim.j2} 
+\section{\texttt{apps/ansible-debian-mail/roles/dkim\char`_configuration/templates/\\ \qquad\qquad\qquad../opendmarc.conf.j2}} +\texttt{SHA256: 3d5208869831f657790c9642ea0ad63db2ad79d080d7d7ef24da0b802946b223} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/opendmarc.conf.j2} +\section{\texttt{apps/ansible-debian-mail/roles/dkim\char`_configuration/templates/\\ \qquad\qquad\qquad../opendmarc.j2}} +\texttt{SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/opendmarc.j2} +\section{\texttt{apps/ansible-debian-mail/roles/dkim\char`_configuration/templates/\\ \qquad\qquad\qquad../trustedhosts.j2}} +\texttt{SHA256: 9252907b8d86ae437a9910148e6c72b2fce30be020a57ab3d59111fc5de5f6f7} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/trustedhosts.j2} +\section{\texttt{apps/ansible-debian-mail/roles/dovecot\char`_configuration/handlers/\\ \qquad\qquad\qquad../main.yml}} +\texttt{SHA256: 218fc20617243fef6f783cd83332fa0fe9e610483bc2c2f1b1245e8eec0959ac} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/dovecot_configuration/handlers/main.yml} +\section{\texttt{apps/ansible-debian-mail/roles/dovecot\char`_configuration/tasks/\\ \qquad\qquad\qquad../main.yml}} +\texttt{SHA256: f9d7c2c906c9f092d2dd973cc2c2e9ce9b4b5b01f2ec056f3095c6fc802c2d74} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/dovecot_configuration/tasks/main.yml} +\section{\texttt{apps/ansible-debian-mail/roles/dovecot\char`_configuration/templates/\\ \qquad\qquad\qquad../10-master.conf.j2}} +\texttt{SHA256: d7004417a7ac1d96e9904b05f68879a752dec6f7621bc56ed18434aabf78c40b} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/dovecot_configuration/templates/10-master.conf.j2} +\section{\texttt{apps/ansible-debian-mail/roles/dovecot\char`_configuration/templates/\\ \qquad\qquad\qquad../10-ssl.conf.j2}} 
+\texttt{SHA256: 660790c32b47fd84326c6d53efcb13a2a6c691fa96d59c880aceadf71f8fa1f0} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/dovecot_configuration/templates/10-ssl.conf.j2} +\section{\texttt{apps/ansible-debian-mail/roles/fail2ban\char`_configuration/tasks/\\ \qquad\qquad\qquad../main.yml}} +\texttt{SHA256: 8ebe1bb04c097e8371d63b6ac16c393ca74c094711942f2560252d482a0f17ce} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/fail2ban_configuration/tasks/main.yml} +\section{\texttt{apps/ansible-debian-mail/roles/letsencrypt\char`_configuration/tasks/\\ \qquad\qquad\qquad../main.yml}} +\texttt{SHA256: 817e705118fd6d92e7e89a84544ba907c71aa4395b3cb925fe4421b1b99add53} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/letsencrypt_configuration/tasks/main.yml} +\section{\texttt{apps/ansible-debian-mail/roles/mikegleasonjr.firewall/.travis.yml}} +\texttt{SHA256: 6920d48ae9610b5d0d61c9638d27e30b46b885777ab04127a198a380df12ae38} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/.travis.yml} +\section{\texttt{apps/ansible-debian-mail/roles/mikegleasonjr.firewall/Vagrantfile}} +\texttt{SHA256: b8c8b8560eb577eb8637a446bc28aba7df05d34618093023a2b43f7764c75fb2} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/Vagrantfile} +\section{\texttt{apps/ansible-debian-mail/roles/mikegleasonjr.firewall/defaults/\\ \qquad\qquad\qquad../main.yml}} +\texttt{SHA256: c86227ad9775e213708a92703958d1ae8dc80b5073b665499839e4c80f0d77d5} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/defaults/main.yml} +\section{\texttt{apps/ansible-debian-mail/roles/mikegleasonjr.firewall/meta/main.yml}} +\texttt{SHA256: c77f50cf2758025bece96792badbf0f98a799738be56e3dbd94d5c416ce402b5} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/meta/main.yml} 
+\section{\texttt{apps/ansible-debian-mail/roles/mikegleasonjr.firewall/meta/.galaxy\char`_install\char`_info}} +\texttt{SHA256: 8df2fa6c72bad1a6b52a7e84a1dd5a850b96d3ed55c4266113c1476bbc1c974d} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/meta/.galaxy_install_info} +\section{\texttt{apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/main.yml}} +\texttt{SHA256: 5d1ebe1ec51a5a4b0ab52bbf1af63ca94af4290182755b2463aa321bfb39732f} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/main.yml} +\section{\texttt{apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/persist-debian.yml}} +\texttt{SHA256: da08d16128d29e725a80590890592020a53d90cbeac3b55dbe67da63fc254e6b} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/persist-debian.yml} +\section{\texttt{apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/persist-redhat.yml}} +\texttt{SHA256: aaa130a6c8ad52ede70c2b12e46e27e61475e5d8b0842274b5ce0515ad645734} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/persist-redhat.yml} +\section{\texttt{apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/rules.yml}} +\texttt{SHA256: 6f28f53b5c77709268853ab1ba9f16ca30d64cd72dde08e9d9826b82c714e602} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/rules.yml} +\section{\texttt{apps/ansible-debian-mail/roles/mikegleasonjr.firewall/templates/\\ \qquad\qquad\qquad../generated.v4.j2}} +\texttt{SHA256: 1c8f8244b151f386933796a30c299f86d580880e16a7abba3653a1e3765a5394} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/templates/generated.v4.j2} +\section{\texttt{apps/ansible-debian-mail/roles/mikegleasonjr.firewall/templates/\\ \qquad\qquad\qquad../generated.v6.j2}} +\texttt{SHA256: b724ce42ef251f979751e080279d27c6f82e21f5c30118a731aacf3f8b494624} 
+\inputminted{sh}{resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/templates/generated.v6.j2} +\section{\texttt{apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tests.yml}} +\texttt{SHA256: a7c2b3cd0f70c600c3e1db74d95533be3eb864853394c62330b5532c49abb572} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tests.yml} +\section{\texttt{apps/ansible-debian-mail/roles/outputs/tasks/main.yml}} +\texttt{SHA256: 10734468f2c6744ef0fc14bb5f8d9678fb684d9647a981ab7dc93e81f6b3396b} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/outputs/tasks/main.yml} +\section{\texttt{apps/ansible-debian-mail/roles/postfix\char`_configuration/files/\\ \qquad\qquad\qquad../auth\char`_header\char`_checks.pcre}} +\texttt{SHA256: 3749fe155aa62adb30db35bedc96bdb47b1e094e8cc3b12e4915dc6137edcc43} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/postfix_configuration/files/auth_header_checks.pcre} +\section{\texttt{apps/ansible-debian-mail/roles/postfix\char`_configuration/files/\\ \qquad\qquad\qquad../master.cf}} +\texttt{SHA256: 13dd76df6148f7a898c8054f5566cbd351207a9bc5ae97ced9e4b5407af923a5} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/postfix_configuration/files/master.cf} +\section{\texttt{apps/ansible-debian-mail/roles/postfix\char`_configuration/handlers/\\ \qquad\qquad\qquad../main.yml}} +\texttt{SHA256: a31d3860adb790e2ab6ee5763e2b59aa5b17b94f56cb7236845128f0e870e597} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/postfix_configuration/handlers/main.yml} +\section{\texttt{apps/ansible-debian-mail/roles/postfix\char`_configuration/tasks/\\ \qquad\qquad\qquad../main.yml}} +\texttt{SHA256: cf7521b7366045753045ac11bdccc11857bc0c171a0fc1ba9c572fe7d59fd627} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/postfix_configuration/tasks/main.yml} +\section{\texttt{apps/ansible-debian-mail/roles/postfix\char`_configuration/templates/\\ \qquad\qquad\qquad../aliases.j2}} +\texttt{SHA256: 
5a101165ebf12cbd1663908e21f77dc2636fee45da36f5daa79ab84c47e7dfcb} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/postfix_configuration/templates/aliases.j2} +\section{\texttt{apps/ansible-debian-mail/roles/server\char`_tasks/handlers/main.yml}} +\texttt{SHA256: 5822b360aa9988efc37bdf5dd9626de45b2d1f279f70e032f5b56427994f440d} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/server_tasks/handlers/main.yml} +\section{\texttt{apps/ansible-debian-mail/roles/server\char`_tasks/tasks/main.yml}} +\texttt{SHA256: 9482c99a24179cb4bcd0d8ea5bf6ac5e8391cd88b1242190693c685127bb94e8} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/server_tasks/tasks/main.yml} +\section{\texttt{apps/ansible-debian-mail/roles/spamassassin\char`_configuration/tasks/\\ \qquad\qquad\qquad../main.yml}} +\texttt{SHA256: bc1d9877f592fe1b63385a38febee9ed7769cbb01972e73f950dcc6e5309ded0} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/spamassassin_configuration/tasks/main.yml} +\section{\texttt{apps/ansible-debian-mail/roles/sqlgrey\char`_configuration/tasks/\\ \qquad\qquad\qquad../main.yml}} +\texttt{SHA256: c85d3966f275654bfde3c1c5065980debe0be5900ad5b33f3bf19e893610b635} +\inputminted{sh}{resources/apps/ansible-debian-mail/roles/sqlgrey_configuration/tasks/main.yml} +\section{\texttt{apps/ansible-debian-mail/site.yml}} +\texttt{SHA256: 00b3b9b020bfd4ebe7732bf3a96a7dc5ce37c6788907f0574a193c3f5fcd0224} +\inputminted{sh}{resources/apps/ansible-debian-mail/site.yml} +\section{\texttt{apps/forksand-nodes-bootstrap/forksand-hk1-bootstrap}} +\texttt{SHA256: d3b370cdf087289f89c827aefaf1915c35843f01f9f2d8bbeb412184b2ce2fa6} +\inputminted{sh}{resources/apps/forksand-nodes-bootstrap/forksand-hk1-bootstrap} +\section{\texttt{apps/forksand-nodes-bootstrap/forksand-hk2-bootstrap}} +\texttt{SHA256: d62d8c5f8269253f07bdd01abaf0653797627477827163625c9d2e3d207e27c8} +\inputminted{sh}{resources/apps/forksand-nodes-bootstrap/forksand-hk2-bootstrap} 
+\section{\texttt{apps/forksand-nodes-bootstrap/forksand-hk3-bootstrap}} +\texttt{SHA256: 7d56b22aec7e53798e88d4a03d7e390393899e1a33e03da864c817bea83c86c8} +\inputminted{sh}{resources/apps/forksand-nodes-bootstrap/forksand-hk3-bootstrap} +\section{\texttt{apps/forksand-nodes-bootstrap/forksand-shark4-bootstrap}} +\texttt{SHA256: 04a5efbe9a3809ac7050b727eb1d9b8f755b68dc44c990f71866422ff9bc5b15} +\inputminted{sh}{resources/apps/forksand-nodes-bootstrap/forksand-shark4-bootstrap} +\section{\texttt{apps/forksand-nodes-bootstrap/forksand-the-bootstrap}} +\texttt{SHA256: cb61199026a4850f6beb9e3a2b9abcadd7f3d15c894c01060aadcc83bde25c96} +\inputminted{sh}{resources/apps/forksand-nodes-bootstrap/forksand-the-bootstrap} +\section{\texttt{apps/forksand-nodes-bootstrap/forksand-truck-bootstrap}} +\texttt{SHA256: 0691270004a884d962e82f61bbce6ffd094653d7419b081099a9f180d456719a} +\inputminted{sh}{resources/apps/forksand-nodes-bootstrap/forksand-truck-bootstrap} \section{\texttt{apps/iptables/etc/iptables}} \texttt{SHA256: 825577f3fd900576c119d0a6191de16bf2d55fb84e6749921710b293e5fd1889} \inputminted{sh}{resources/apps/iptables/etc/iptables} \section{\texttt{apps/iptables/etc/iptables.test.rules}} \texttt{SHA256: 4b50c760daa85619a74f1c635b26807fcc7f8bedb90bd22893de8c98f3d78ff1} \inputminted{sh}{resources/apps/iptables/etc/iptables.test.rules} +\section{\texttt{apps/oca-forksand-v1\char`_1/README.rst}} +\texttt{SHA256: acb247e6caa20a6e5cac57de3137a6bd561f810e4b92d2e32d31064e4e998720} +\inputminted{sh}{resources/apps/oca-forksand-v1_1/README.rst} +\section{\texttt{apps/oca-forksand-v1\char`_1/inventory}} +\texttt{SHA256: 0f3d8a645a0f03d28bd72f8fe137a9aec2ca3b22bcd927f414d4b49236b1c630} +\inputminted{sh}{resources/apps/oca-forksand-v1_1/inventory} +\section{\texttt{apps/oca-forksand-v1\char`_1/playbook.yml}} +\texttt{SHA256: 6e8f7eb1c3db664d243cfe1a5c2c06982979c1e3eed2d65a6a35eaa688de6e64} +\inputminted{sh}{resources/apps/oca-forksand-v1_1/playbook.yml} 
+\section{\texttt{apps/oca-forksand-v1\char`_1/requirements.yml}} +\texttt{SHA256: c8a9b53d477d7f2d9beb3a32451f6444525c2f515af4abc6ed3fc7bd0b0a049d} +\inputminted{sh}{resources/apps/oca-forksand-v1_1/requirements.yml} \section{\texttt{apps/oca/etc/init.d/openerp-server}} \texttt{SHA256: 03e673de76f6aece8473a8441b0c921368f675ea234b62fa58708427a1b69346} \inputminted{sh}{resources/apps/oca/etc/init.d/openerp-server} @@ -58,9 +253,6 @@ \section{\texttt{apps/yadifa/var/lib/yadifa/masters/localhost.zone}} \texttt{SHA256: 93847412dc586aa627b7c8d9c7f9f08223d62bd7297bb02058b57aaa4e92e220} \inputminted{sh}{resources/apps/yadifa/var/lib/yadifa/masters/localhost.zone} -\section{\texttt{make-sources-list.sh}} -\texttt{SHA256: 29a180a3849349df01041152a06c3af2b9c1fc13b2d4da07fa1196ff6aff9de9} -\inputminted{sh}{resources/make-sources-list.sh} \section{\texttt{txt2qrpng.sh}} \texttt{SHA256: 28dff76725cfbe3e4dcf70120f0393422507443fa5b6a62e1814bd44fb62161e} \inputminted{sh}{resources/txt2qrpng.sh} diff --git a/source/Title.tex b/source/Title.tex index 87a410f..88a91f0 100644 --- a/source/Title.tex +++ b/source/Title.tex @@ -20,12 +20,17 @@ \thispagestyle{empty} \begin{center} \par -%\includegraphics[keepaspectratio=true,angle=0,height=0.95\textheight,width=0.95\textwidth]{foo.pdf} +\makebox[0pt][c]{% + \raisebox{-0.885\totalheight}[0pt][0pt]{% +% \includegraphics[keepaspectratio=true,angle=0,height=\pageheight]{LetterheadPDF.pdf} + \includegraphics{LetterheadPDF.pdf} + }% +}% \par \null\vfill -{\fontspec{lmroman12-regular.otf}\fontsize{35pt}{5cm}\selectfont \textcolor{ao-purple}{Fork Sand IT Manual}} \par \null\vfill +{\fontspec{lmroman12-regular.otf}\fontsize{35pt}{5cm}\selectfont \textcolor{ao-purple}{Fork Sand IT Manual}} \par \null\vfill \par diff --git a/source/forksand-it-manual.gst b/source/forksand-it-manual.gst deleted file mode 100644 index e0efaaf..0000000 --- a/source/forksand-it-manual.gst +++ /dev/null 
@@ -1,21 +0,0 @@ -% -% forksand-it-manual.gst -% makindex glossary style file -% -% Fork Sand IT Manual -% -% Copyright (C) 2017, Jeff Moe -% Copyright (C) 2014, 2015, 2016, 2017 Aleph Objects, Inc. -% -% This document is licensed under the Creative Commons Attribution 4.0 -% International Public License (CC BY-SA 4.0) by Jeff Moe. -% -preamble "\\begin{theglossary}" -postamble "\n\\end{theglossary}\n" -item_0 "\n\\glossitem" -delim_0 "{\\memglonum{" -encap_suffix "}}}" -headings_flag 0 -heading_prefix "{" -heading_suffix "}" -keyword "\\glossaryentry" diff --git a/source/forksand-it-manual.ist b/source/forksand-it-manual.ist deleted file mode 100644 index c642ce6..0000000 --- a/source/forksand-it-manual.ist +++ /dev/null @@ -1,15 +0,0 @@ -% -% forksand-it-manual.ist -% makindex index style file -% -% Fork Sand IT Manual -% -% Copyright (C) 2017, Jeff Moe -% Copyright (C) 2014, 2015, 2016, 2017 Aleph Objects, Inc. -% -% This document is licensed under the Creative Commons Attribution 4.0 -% International Public License (CC BY-SA 4.0) by Jeff Moe. -% -heading_prefix "{\\normalsize \\bfseries\\hfil\\ " -heading_suffix " \\ \\hfil}\\nopagebreak\n" -headings_flag 1 diff --git a/source/forksand-it-manual.tex b/source/forksand-it-manual.tex index b6d4cb3..01b3005 100644 --- a/source/forksand-it-manual.tex +++ b/source/forksand-it-manual.tex 
@@ -26,7 +26,27 @@ % LaTeX Memoir Class % Docs: /usr/share/doc/texlive-doc/latex/memoir/memman.pdf -\documentclass[twoside,10pt,openright,final,english]{memoir} +\special{pdf:minorversion 5} +%\pdfminorversion=6 % Make pdf include minor version tolerant +%\pdfinclusioncopyfonts=1 % Make pdf include minor version tolerant +\documentclass[twoside,10pt,openright,final,english,table]{memoir} + +\usepackage[table]{xcolor} +\usepackage{etoolbox} +\makeatletter +\def\gnewcommand{\g@star@or@long\gnew@command} +\def\grenewcommand{\g@star@or@long\grenew@command} +\def\g@star@or@long#1{% + \@ifstar{\let\l@ngrel@x\global#1}{\def\l@ngrel@x{\long\global}#1}} +\def\gnew@command#1{\@testopt{\@gnewcommand#1}0} +\def\@gnewcommand#1[#2]{% + \kernel@ifnextchar [{\@gxargdef#1[#2]}% + {\@argdef#1[#2]}} +\let\@gxargdef\@xargdef +\patchcmd{\@gxargdef}{\def}{\gdef}{}{} +\let\grenew@command\renew@command +\patchcmd{\grenew@command}{\new@command}{\gnew@command}{}{} +\makeatother \usepackage{tikz} \usetikzlibrary{shadows,shapes,arrows,chains,calc,decorations.pathmorphing,patterns,trees,positioning,automata,fit} @@ -54,11 +74,15 @@ backgroundcolor=white, leftmargin=1cm,rightmargin=1cm } +\usepackage{longtable} +\usepackage{tabu} \usepackage{smartdiagram} \usesmartdiagramlibrary{additions} \usepackage{comment} % /usr/share/doc/texlive-doc/latex/comment/comment.pdf +\usepackage{pdfpages} % Be able to include pdf +\usepackage{pict2e} \usepackage{graphicx} % /usr/share/doc/texlive-doc/latex/graphics/graphicx.pdf -\usepackage{epstopdf} % /usr/share/doc/texlive-doc/latex/oberdiek/epstopdf.pdf +%\usepackage{epstopdf} % /usr/share/doc/texlive-doc/latex/oberdiek/epstopdf.pdf % http://www.tug.org/applications/hyperref/manual.html % /usr/share/doc/texlive-doc/latex/hyperref/hyperref.pdf \usepackage[colorlinks=true,linkcolor=ao-dark-orange,urlcolor=ao-dark-orange]{hyperref} 
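Review bot: The `\makeatletter … \makeatother` block in hunk `@@ -26,7 +26,27 @@` rebuilds kernel internals (`\let\@gxargdef\@xargdef` plus `\patchcmd`, `\let\grenew@command\renew@command`) to obtain `\gnewcommand`/`\grenewcommand`, yet carries no comment saying what these macros are for or where the snippet comes from, and nothing visible in this diff uses them. A header line such as `% \gnewcommand / \grenewcommand: \global variants of \newcommand / \renewcommand, built by patching \@xargdef and \renew@command (source: TODO)` would spare the next reader from reverse-engineering it. Separately, `table` is now both a class option (which memoir passes on to xcolor) and an explicit `\usepackage[table]{xcolor}` option, and xcolor's `table` option already loads colortbl, so the `\usepackage{colortbl}` added in hunk `@@ -69,6 +93,7 @@` is redundant; harmless, but one of the three should go or be commented as intentional.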
@@ -69,6 +93,7 @@ leftmargin=1cm,rightmargin=1cm \makeglossary \usepackage{color} % Docs: /usr/share/doc/texlive-latex-base-doc/latex/graphics/grfguide.pdf +\usepackage{colortbl} %\usepackage[usenames,dvipsnames,svgnames,table]{xcolor} %%% PREAMBLE FONTS %%% @@ -217,6 +242,8 @@ leftmargin=1cm,rightmargin=1cm %%% END OF PREAMBLE %%% \begin{document} +%%% Global pdf include directives +\includepdfset{pages=-,noautoscale} %%% BEGIN FRONT MATTER %%% \frontmatter @@ -234,6 +261,9 @@ leftmargin=1cm,rightmargin=1cm \include{Copyright} %%% END COPYRIGHT PAGE %%% +% Set page numbering to arabic, but don't reset numbering (*) +\pagenumbering*{arabic} + %%% TABLE OF CONTENTS %%% {\fontspec{lmroman12-regular.otf} \maxtocdepth{subsection} @@ -265,6 +295,15 @@ leftmargin=1cm,rightmargin=1cm \def\topblockvspace{0.11} %%% END CHAPTER STYLE %%% +%%% INVISIBLE CHAPTERS %%% +\newcommand{\invisiblechapter}[1]{% + \par\refstepcounter{chapter}% Increase section counter + \sectionmark{#1}% Add section mark (header) + \addcontentsline{toc}{chapter}{\protect\numberline{\thechapter}#1}% Add chapter to ToC + % Add more content here, if needed. +} +%%% END INVISIBLE CHAPTERS %%% + %%% CHAPTER CONFIG %%% \newcommand{\chapterheader}{Fork Sand IT Manual} % See \chapterconf below for examples of how this is used. 
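Review bot: In the `\invisiblechapter` macro added by hunk `@@ -265,6 +295,15 @@`, `\sectionmark{#1}` sets a section-level running head although the macro steps the chapter counter and writes a chapter ToC line; the chapter-level command is `\chaptermark{#1}`, and the accompanying comments (`Increase section counter`, `Add section mark`) repeat the mismatch. The mark is also set from inside an `\includepdf` `picturecommand*`, i.e. on the letterhead page itself, while the content pages that follow get their head from the `\markboth{#2}{\chapterheader}` in `\chapterconf`, so the line is presumably dead either way. Suggest `\chaptermark{#1}% running head (chapter level); pages after the letterhead are re-marked by \chapterconf` and fixing the two comments to say "chapter".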
@@ -272,10 +311,29 @@ leftmargin=1cm,rightmargin=1cm % value 2 is title of chapter % value 3 is sub title of chapter \newcommand{\chapterconf}[3]{ -\chapter{\emph{{#2}}\protect \\ -{#3}} -\thispagestyle{empty} -\markboth{#2}{\chapterheader} + \includepdf[width=210mm% + ,% + picturecommand*={% + \put(200,650){% + \invisiblechapter{{#2}\qquad\qquad{#3}}% + }% + \color[rgb]{0.631,0.957,1}% HEX # A1F4FF R:161 G:244 B:255 C:37 M:4 Y:0 K:0 + \linethickness{30mm} + \put( 100,378){\line(1,0){397.50793}} + \color[rgb]{0.361,0.922,1}% HEX # 5CEBFF R:92 G:235 B:255 C:64 M:8 Y:0 K:0 + \put( 0,378){\line(1,0){100}} + \put( 497.50793,378){\line(1,0){100}} + \color[rgb]{0,0.2,0.2} + \linethickness{0.3mm} + \put( 0,420){\line(1,0){597.50793}} + \put( 0,336){\line(1,0){597.50793}} + \put(120,395){\begin{minipage}{357.50793pt}\centering \Huge{#2}\end{minipage}} + \put(120,355){\begin{minipage}{357.50793pt}\centering \Huge{#3}\end{minipage}} + \color[rgb]{0,0,0} + }% + ]{LetterheadPDF.pdf} + \thispagestyle{empty} + \markboth{#2}{\chapterheader} {\include{#1}} } %%% END CHAPTER CONFIG %%% @@ -293,9 +351,6 @@ leftmargin=1cm,rightmargin=1cm %%% BEGIN MAINMATTER %%% \mainmatter* -% Set page numbering to arabic, but don't reset numbering (*) -\pagenumbering*{arabic} - %% MAINMATTER CHAPTERS %%% % Default chapter font \fontspec{lmroman12-regular.otf} @@ -310,9 +365,8 @@ leftmargin=1cm,rightmargin=1cm \chapterconf{Distros}{Distributions}{Free Software Distributions} \chapterconf{Software-daemons}{Server Software}{Server Software Daemons} \chapterconf{Firewalls}{Firewalls}{Firewalls} -\chapterconf{ClusterHardware}{Cluster Hardware}{Machines} \chapterconf{Firewall-opnsense}{OPNSense Firewall}{Use OPNSense} -\chapterconf{OpenNebula}{OpenNebula}{Virtual Machines} +\chapterconf{Proxmox}{Proxmox}{Virtual Machines} \chapterconf{Ansible}{Ansible}{Cluster Administration} \chapterconf{DNS}{Domain Name Service (DNS)}{Who Names You?} \chapterconf{NTP}{Network Time Protocol}{A Hole in Time} 
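Review bot: The rewritten `\chapterconf` body in hunk `@@ -272,10 +311,29 @@` hard-codes the page geometry: `width=210mm`, the line lengths `397.50793` and `597.50793`, the offset `497.50793` and the minipage width `357.50793pt` are all the A4 width (210mm ≈ 597.50793pt) or fractions of it, but nothing says so, and the `\documentclass` options visible in this diff do not select A4, so the overlay silently assumes a stock size the document may not be using. Define the width once (a `\newlength`, or arithmetic on `\paperwidth`) or at least comment the derivation, e.g. `% 597.50793pt = 210mm (A4 width); bands run 100pt..497.5pt, text boxes 357.5pt wide`. Minor idiom: `\Huge{#2}` applies the size switch to everything after it in the minipage rather than to the argument; `{\Huge #2}` is the conventional form and reads as intended.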
@@ -321,6 +375,7 @@ leftmargin=1cm,rightmargin=1cm %\part{Appendix} % XXX \appendix \chapterconf{Source}{Free Software}{Free Software and Configurations} + %% END MAINMATTER CHAPTERS %%% %%% END MAINMATTER %%% @@ -346,6 +401,7 @@ leftmargin=1cm,rightmargin=1cm \chapterconf{Contact}{Contact}{Phone, Email, Web, Location} %%% END CONTACT %%% + %%% COLOPHON %%% %%% skip a couple pages \pagebreak{} diff --git a/source/lib/jebbastrings-captions.sty b/source/lib/jebbastrings-captions.sty old mode 100755 new mode 100644 diff --git a/source/lib/jebbastrings.sty b/source/lib/jebbastrings.sty old mode 100755 new mode 100644 diff --git a/source/resources/SHA256SUM b/source/resources/SHA256SUM index 62dac70..7654428 100644 --- a/source/resources/SHA256SUM +++ b/source/resources/SHA256SUM 
@@ -1,7 +1,72 @@
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ./SHA256SUM
-b1861503f0a41f1f2bef8fbfba32501d871ef4c5fd073c3b9272c71a7b1e7ea5 ./STATS
+adadaa5e46ade71aa99d833d7cf64cf012501c8b7a6f6c15a3563f6ceeffa9c6 ./STATS
+5c5bbe341a18319f6f24033c4f63fc5f1594469b4f2cfbb991ec596fd30e9a3b ./apps/Ansible-Gitea/ansible.cfg
+cc816d03579097542ca85c188995a412d619c08c84bf3dfef73191fc5cc05b54 ./apps/Ansible-Gitea/inventory.yml
+19aeb0ea8e30712f9589fd7037415118a92666d12ae30aa0757be6fde6357225 ./apps/Ansible-Gitea/roles/gitea/defaults/main.yml
+4012e6484af750c9b21a8d9f04e68ddd291c37a8dd9657daa862124e480c2497 ./apps/Ansible-Gitea/roles/gitea/handlers/main.yml
+28d0983feb2aba01934a25cad94e64e77c055e6a977bb2a0db9a8c199933b369 ./apps/Ansible-Gitea/roles/gitea/tasks/create_user.yml
+7e6155085ebae67496b3267cdf3211fd3a7e0f178661ff21e20101947456912e ./apps/Ansible-Gitea/roles/gitea/tasks/install_systemd.yml
+bc5f081dfd51f5c920c8dda1873560a2602204dd9d28a881238fd66e22437c2d ./apps/Ansible-Gitea/roles/gitea/tasks/main.yml
+c8be571f2f2407240bc88997aedf70c9230554a65132ebab9a1ee0d4296ff9d3 ./apps/Ansible-Gitea/roles/gitea/templates/gitea.ini.j2
+0acbfe01156c9e39ee71a4fc64310ab003f09bfcf544df00b1f3cff010ed8f38 ./apps/Ansible-Gitea/roles/gitea/templates/gitea.service.j2
+e97bff48aa282aacf1c59c754a7b9adfe56120c4cb1545a7488f03fee9f4e479 ./apps/Ansible-Gitea/roles/gitea/.DS_Store
+20c921226115e5a92309d543b66066438e6565bdbd054e7ca41d0fc6ddcfcd9a ./apps/Ansible-Gitea/roles/nginx/defaults/main.yml
+5a3990dbfb331c83fbbff76368a2426ae03d34052454aa6676f52b7e4652d561 ./apps/Ansible-Gitea/roles/nginx/handlers/main.yml
+5232d5b0894c1e6a3da8472591ef49e9c80e927cdbec626c15c9e1a9796729a8 ./apps/Ansible-Gitea/roles/nginx/tasks/main.yml
+1ecb64716e6674eb30a145c79859774cc5772304828553474c05820a2151ff3b ./apps/Ansible-Gitea/roles/nginx/templates/nginx.conf.j2
+4d7edebbe48f20aeeb49599d32fc5531db943cbf43d7e9995674c180b56f2e77 ./apps/Ansible-Gitea/roles/nginx/templates/nginxssl.conf.j2
+d74378b00af74eabe0cc11d0f0b1db5c902116c583216f14152d968e5a71e474 ./apps/Ansible-Gitea/site.yml
+5c5bbe341a18319f6f24033c4f63fc5f1594469b4f2cfbb991ec596fd30e9a3b ./apps/ansible-debian-mail/ansible.cfg
+b5f417e155b47834e49be9243ba776a6516c56c3ed0121d2bc4d022d5acacd87 ./apps/ansible-debian-mail/group_vars/all.yml
+cc816d03579097542ca85c188995a412d619c08c84bf3dfef73191fc5cc05b54 ./apps/ansible-debian-mail/inventory.yml
+95d75eba0703ebb00f12d01a821353fe1ddb7a5612a72ea2c4e658d2be5afb52 ./apps/ansible-debian-mail/roles/dkim_configuration/tasks/main.yml
+4f83d988f9a305d6f7571f1742f8e284f0008182bcb21f3b8683594fd5de2340 ./apps/ansible-debian-mail/roles/dkim_configuration/templates/internalhosts.j2
+bf71aafad2295a773f5556ff870e4db70d62451a26fc952bde04336642f7afc2 ./apps/ansible-debian-mail/roles/dkim_configuration/templates/opendkim.conf.j2
+4069a27787b75f0af2ca555ff0f5668c2cbe6813909108a92c1583c4e82d2863 ./apps/ansible-debian-mail/roles/dkim_configuration/templates/opendkim.j2
+3d5208869831f657790c9642ea0ad63db2ad79d080d7d7ef24da0b802946b223 ./apps/ansible-debian-mail/roles/dkim_configuration/templates/opendmarc.conf.j2
+e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ./apps/ansible-debian-mail/roles/dkim_configuration/templates/opendmarc.j2
+9252907b8d86ae437a9910148e6c72b2fce30be020a57ab3d59111fc5de5f6f7 ./apps/ansible-debian-mail/roles/dkim_configuration/templates/trustedhosts.j2
+218fc20617243fef6f783cd83332fa0fe9e610483bc2c2f1b1245e8eec0959ac ./apps/ansible-debian-mail/roles/dovecot_configuration/handlers/main.yml
+f9d7c2c906c9f092d2dd973cc2c2e9ce9b4b5b01f2ec056f3095c6fc802c2d74 ./apps/ansible-debian-mail/roles/dovecot_configuration/tasks/main.yml
+d7004417a7ac1d96e9904b05f68879a752dec6f7621bc56ed18434aabf78c40b ./apps/ansible-debian-mail/roles/dovecot_configuration/templates/10-master.conf.j2
+660790c32b47fd84326c6d53efcb13a2a6c691fa96d59c880aceadf71f8fa1f0 ./apps/ansible-debian-mail/roles/dovecot_configuration/templates/10-ssl.conf.j2
+8ebe1bb04c097e8371d63b6ac16c393ca74c094711942f2560252d482a0f17ce ./apps/ansible-debian-mail/roles/fail2ban_configuration/tasks/main.yml
+817e705118fd6d92e7e89a84544ba907c71aa4395b3cb925fe4421b1b99add53 ./apps/ansible-debian-mail/roles/letsencrypt_configuration/tasks/main.yml
+6920d48ae9610b5d0d61c9638d27e30b46b885777ab04127a198a380df12ae38 ./apps/ansible-debian-mail/roles/mikegleasonjr.firewall/.travis.yml
+b8c8b8560eb577eb8637a446bc28aba7df05d34618093023a2b43f7764c75fb2 ./apps/ansible-debian-mail/roles/mikegleasonjr.firewall/Vagrantfile
+c86227ad9775e213708a92703958d1ae8dc80b5073b665499839e4c80f0d77d5 ./apps/ansible-debian-mail/roles/mikegleasonjr.firewall/defaults/main.yml
+c77f50cf2758025bece96792badbf0f98a799738be56e3dbd94d5c416ce402b5 ./apps/ansible-debian-mail/roles/mikegleasonjr.firewall/meta/main.yml
+8df2fa6c72bad1a6b52a7e84a1dd5a850b96d3ed55c4266113c1476bbc1c974d ./apps/ansible-debian-mail/roles/mikegleasonjr.firewall/meta/.galaxy_install_info
+5d1ebe1ec51a5a4b0ab52bbf1af63ca94af4290182755b2463aa321bfb39732f ./apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/main.yml
+da08d16128d29e725a80590890592020a53d90cbeac3b55dbe67da63fc254e6b ./apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/persist-debian.yml
+aaa130a6c8ad52ede70c2b12e46e27e61475e5d8b0842274b5ce0515ad645734 ./apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/persist-redhat.yml
+6f28f53b5c77709268853ab1ba9f16ca30d64cd72dde08e9d9826b82c714e602 ./apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/rules.yml
+1c8f8244b151f386933796a30c299f86d580880e16a7abba3653a1e3765a5394 ./apps/ansible-debian-mail/roles/mikegleasonjr.firewall/templates/generated.v4.j2
+b724ce42ef251f979751e080279d27c6f82e21f5c30118a731aacf3f8b494624 ./apps/ansible-debian-mail/roles/mikegleasonjr.firewall/templates/generated.v6.j2
+a7c2b3cd0f70c600c3e1db74d95533be3eb864853394c62330b5532c49abb572 ./apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tests.yml
+10734468f2c6744ef0fc14bb5f8d9678fb684d9647a981ab7dc93e81f6b3396b ./apps/ansible-debian-mail/roles/outputs/tasks/main.yml
+3749fe155aa62adb30db35bedc96bdb47b1e094e8cc3b12e4915dc6137edcc43 ./apps/ansible-debian-mail/roles/postfix_configuration/files/auth_header_checks.pcre
+13dd76df6148f7a898c8054f5566cbd351207a9bc5ae97ced9e4b5407af923a5 ./apps/ansible-debian-mail/roles/postfix_configuration/files/master.cf
+a31d3860adb790e2ab6ee5763e2b59aa5b17b94f56cb7236845128f0e870e597 ./apps/ansible-debian-mail/roles/postfix_configuration/handlers/main.yml
+cf7521b7366045753045ac11bdccc11857bc0c171a0fc1ba9c572fe7d59fd627 ./apps/ansible-debian-mail/roles/postfix_configuration/tasks/main.yml
+5a101165ebf12cbd1663908e21f77dc2636fee45da36f5daa79ab84c47e7dfcb ./apps/ansible-debian-mail/roles/postfix_configuration/templates/aliases.j2
+5822b360aa9988efc37bdf5dd9626de45b2d1f279f70e032f5b56427994f440d ./apps/ansible-debian-mail/roles/server_tasks/handlers/main.yml
+9482c99a24179cb4bcd0d8ea5bf6ac5e8391cd88b1242190693c685127bb94e8 ./apps/ansible-debian-mail/roles/server_tasks/tasks/main.yml
+bc1d9877f592fe1b63385a38febee9ed7769cbb01972e73f950dcc6e5309ded0 ./apps/ansible-debian-mail/roles/spamassassin_configuration/tasks/main.yml
+c85d3966f275654bfde3c1c5065980debe0be5900ad5b33f3bf19e893610b635 ./apps/ansible-debian-mail/roles/sqlgrey_configuration/tasks/main.yml
+00b3b9b020bfd4ebe7732bf3a96a7dc5ce37c6788907f0574a193c3f5fcd0224 ./apps/ansible-debian-mail/site.yml
+d3b370cdf087289f89c827aefaf1915c35843f01f9f2d8bbeb412184b2ce2fa6 ./apps/forksand-nodes-bootstrap/forksand-hk1-bootstrap
+d62d8c5f8269253f07bdd01abaf0653797627477827163625c9d2e3d207e27c8 ./apps/forksand-nodes-bootstrap/forksand-hk2-bootstrap
+7d56b22aec7e53798e88d4a03d7e390393899e1a33e03da864c817bea83c86c8 ./apps/forksand-nodes-bootstrap/forksand-hk3-bootstrap
+04a5efbe9a3809ac7050b727eb1d9b8f755b68dc44c990f71866422ff9bc5b15 ./apps/forksand-nodes-bootstrap/forksand-shark4-bootstrap
+cb61199026a4850f6beb9e3a2b9abcadd7f3d15c894c01060aadcc83bde25c96 ./apps/forksand-nodes-bootstrap/forksand-the-bootstrap
+0691270004a884d962e82f61bbce6ffd094653d7419b081099a9f180d456719a ./apps/forksand-nodes-bootstrap/forksand-truck-bootstrap
 825577f3fd900576c119d0a6191de16bf2d55fb84e6749921710b293e5fd1889 ./apps/iptables/etc/iptables
 4b50c760daa85619a74f1c635b26807fcc7f8bedb90bd22893de8c98f3d78ff1 ./apps/iptables/etc/iptables.test.rules
+acb247e6caa20a6e5cac57de3137a6bd561f810e4b92d2e32d31064e4e998720 ./apps/oca-forksand-v1_1/README.rst
+0f3d8a645a0f03d28bd72f8fe137a9aec2ca3b22bcd927f414d4b49236b1c630 ./apps/oca-forksand-v1_1/inventory
+6e8f7eb1c3db664d243cfe1a5c2c06982979c1e3eed2d65a6a35eaa688de6e64 ./apps/oca-forksand-v1_1/playbook.yml
+c8a9b53d477d7f2d9beb3a32451f6444525c2f515af4abc6ed3fc7bd0b0a049d ./apps/oca-forksand-v1_1/requirements.yml
 03e673de76f6aece8473a8441b0c921368f675ea234b62fa58708427a1b69346 ./apps/oca/etc/init.d/openerp-server
 a149aa2a11f17a20eda8f32e2ef5b34e403b772d53f1dcd2a62bd44b166c2122 ./apps/oca/lib/systemd/system/odoo-server.service
 72d2cb138dfae349f5029b27dae74d13745061233fcebb79ef3d38eb4836183a ./apps/oca/oca11-addons
@@ -18,5 +83,4 @@ e2c4028695f3ac6b6ed8afb963a7821589b94ed81a2d068d7480b809d402c830 ./apps/yadifa-
 705f36a12aee30e8510e5d06f1d3dd471a82aa518e00648a83f8f9d1146b8186 ./apps/yadifa-slave/etc/yadifa/yadifad.conf
 1966009066a265b65574003bc5f338ee4c2595c010ece34e9e428c526b974fd5 ./apps/yadifa/var/lib/yadifa/masters/0.0.127.in-addr.arpa.zone
 93847412dc586aa627b7c8d9c7f9f08223d62bd7297bb02058b57aaa4e92e220 ./apps/yadifa/var/lib/yadifa/masters/localhost.zone
-29a180a3849349df01041152a06c3af2b9c1fc13b2d4da07fa1196ff6aff9de9 ./make-sources-list.sh
 28dff76725cfbe3e4dcf70120f0393422507443fa5b6a62e1814bd44fb62161e ./txt2qrpng.sh
diff --git a/source/resources/STATS b/source/resources/STATS
index 9cbf696..8b52eb7 100644
--- a/source/resources/STATS
+++ b/source/resources/STATS
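Review bot: The new manifest in hunk `@@ -1,7 +1,72 @@` lists files that should not be published as "source" at all: `./apps/Ansible-Gitea/roles/gitea/.DS_Store` is macOS Finder metadata (binary), and `.galaxy_install_info`, `.travis.yml` and the `Vagrantfile` under `mikegleasonjr.firewall` are tooling artefacts of a vendored role; since every entry here is also fed to `\inputminted` in the manual, the generator (presumably `make-sources-list.sh`, which build.sh runs) should skip dotfiles and artefacts rather than globbing everything under `apps/`. The first entry hashes `./SHA256SUM` to `e3b0c442…b855`, which is SHA-256 of the empty input, i.e. the manifest records itself before it is written; exclude `SHA256SUM` and `STATS` from their own listing, or the value is meaningless. The same empty-input hash appears for `dkim_configuration/templates/opendmarc.j2`, so that template is empty and worth a look before it ships in the manual.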
@@ -1,2 +1,2 @@
-There are 22 source code files included.
-There are 22 unique files.
+There are 86 source code files included.
+There are 83 unique files.
diff --git a/source/resources/apps/Ansible-Gitea/LICENSE.AGPLv3 b/source/resources/apps/Ansible-Gitea/LICENSE.AGPLv3
new file mode 100644
index 0000000..67f7d05
--- /dev/null
+++ b/source/resources/apps/Ansible-Gitea/LICENSE.AGPLv3
@@ -0,0 +1,661 @@ + GNU AFFERO GENERAL PUBLIC LICENSE + Version 3, 19 November 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU Affero General Public License is a free, copyleft license for +software and other kinds of works, specifically designed to ensure +cooperation with the community in the case of network server software. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +our General Public Licenses are intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + Developers that use our General Public Licenses protect your rights +with two steps: (1) assert copyright on the software, and (2) offer +you this License which gives you legal permission to copy, distribute +and/or modify the software. + + A secondary benefit of defending all users' freedom is that +improvements made in alternate versions of the program, if they +receive widespread use, become available for other developers to +incorporate. Many developers of free software are heartened and +encouraged by the resulting cooperation. However, in the case of +software used on network servers, this result may fail to come about. 
+The GNU General Public License permits making a modified version and +letting the public access it on a server without ever releasing its +source code to the public. + + The GNU Affero General Public License is designed specifically to +ensure that, in such cases, the modified source code becomes available +to the community. It requires the operator of a network server to +provide the source code of the modified version running there to the +users of that server. Therefore, public use of a modified version, on +a publicly accessible server, gives the public access to the source +code of the modified version. + + An older license, called the Affero General Public License and +published by Affero, was designed to accomplish similar goals. This is +a different license, not a version of the Affero GPL, but Affero has +released a new version of the Affero GPL which permits relicensing under +this license. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU Affero General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. 
+ + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. 
+ + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. 
The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. 
+ + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. 
+ + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. 
This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. 
For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. 
Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. 
+ + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. 
+ + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. 
Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. 
+ + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. 
+ + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. 
You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Remote Network Interaction; Use with the GNU General Public License. 
+ + Notwithstanding any other provision of this License, if you modify the +Program, your modified version must prominently offer all users +interacting with it remotely through a computer network (if your version +supports such interaction) an opportunity to receive the Corresponding +Source of your version by providing access to the Corresponding Source +from a network server at no charge, through some standard or customary +means of facilitating copying of software. This Corresponding Source +shall include the Corresponding Source for any work covered by version 3 +of the GNU General Public License that is incorporated pursuant to the +following paragraph. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the work with which it is combined will remain governed by version +3 of the GNU General Public License. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU Affero General Public License from time to time. Such new versions +will be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU Affero General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU Affero General Public License, you may choose any version ever published +by the Free Software Foundation. 
+ + If the Program specifies that a proxy can decide which future +versions of the GNU Affero General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. 
+ + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If your software can interact with users remotely through a computer +network, you should also make sure that it provides a way for users to +get its source. For example, if your program is a web application, its +interface could display a "Source" link that leads users to an archive +of the code. 
There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
+
+ You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+.
\ No newline at end of file
diff --git a/source/resources/apps/Ansible-Gitea/LICENSE.GPLv3 b/source/resources/apps/Ansible-Gitea/LICENSE.GPLv3
new file mode 100644
index 0000000..871ce8e
--- /dev/null
+++ b/source/resources/apps/Ansible-Gitea/LICENSE.GPLv3
@@ -0,0 +1,674 @@ + GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. 
+ + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. 
+ + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. 
+ + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. 
Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. 
+ + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. 
This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. 
+ + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. 
+ + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. 
+ + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. 
If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. 
If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. 
+ + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. 
For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. 
+ + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. 
You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. 
The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. 
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. 
+ + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + + Copyright (C) + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, your program's commands +might be different; for a GUI interface, you would use an "about box". + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +. + + The GNU General Public License does not permit incorporating your program +into proprietary programs. If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications with +the library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. But first, please read +. \ No newline at end of file 
diff --git a/source/resources/apps/Ansible-Gitea/README.md b/source/resources/apps/Ansible-Gitea/README.md
new file mode 100644
index 0000000..8cdfa58
--- /dev/null
+++ b/source/resources/apps/Ansible-Gitea/README.md
@@ -0,0 +1,172 @@ +# Forksand Bootstrap Gitea + +This Ansible playbook was written to set up a Gitea server on Debian systems. + +## Table of contents +1. [Requirements](#requirements) +2. [Quick Start](#quick-start) + * [Project Configuration](#project-configuration) + * [Playbook Execution](#playbook-execution) +3. [Project Structure](#project-structure) + * [File and Directory Descriptions](#file-and-directory-descriptions) + * [Role Descriptions](#role-descriptions) + * [Role Parameters](#role-parameters) +4. [Ansible Logging](#ansible-logging) +5. [Troubleshooting](#troubleshooting) + +## Requirements +The following applications are required to utilize this playbook. Ansible can be installed using Python PIP. + +* Ansible 2.4.x+ +* Python 2.7.9+ + +## Quick Start +The follow steps will help quickly set up and execute this playbook. + +### Project Configuration +The following files need to be edited and configured before executing this playbook. + +| File | Description | +| -- | -- | +| roles/gitea/default/main.yml | Variables for Gitea configuration - (default - standalone with sqlite) | +| roles/nginx/default/main.yml | Variables for Nginx and Letsencrypt configuration | +| inventory.yml | List of server IPs to connect to | + +### Playbook Execution +After having configured the server credentials and added the server IP to the inventory, use the following command to execute the playbook. + +`ansible-playbook -i inventory.yml site.yml` + +## Project Structure +The following tree depicts the high level structure of this Ansible project. + +```bash +├── inventory.yml +├── LICENSE.AGPLv3 +├── LICENSE.GPLv3 +├── README.md +├── roles +│   ├── gitea +│   ├── nginx +├── playbook_execution.log +└── site.yml +``` + +### File and Directory Descriptions +The following table consists of a description of what each file and directory stands for. + +| Name | Description | +| -- | -- | +| site.yml | Master playbook. 
Executes all roles in sequential order | +| inventory.yml | Inventory file containing server IP addresses | +| ansible.cfg | Ansible configuration file for various Ansible options. | +| roles/ | Directory containing all roles needed by this project | + +### Role descriptions +The following table consists of descriptions of each role and their purpose. The roles listed below are listed in the required order of execution to ensure successful completion of the playbook. + +| Role Name | Role Description | +| -- | -- | +| gitea | This roles performs installation and configuration of Gitea server | +| nginx | This roles performs installation and configuration of Nginx server | + +### Role parameters + +Description of the role parameters for each role. + + +#### Gitea roles parameters + +``` + # Application name + gitea_app_name: "Gitea" + # Application gitea_user_repo_limit + gitea_user: "gitea" + # Application home + gitea_home: "/var/lib/gitea" + # Repo Limit + gitea_user_repo_limit: -1 + # Domain Name (FOR REVER PROXY LEAVE AS DEFAULT) + gitea_http_domain: localhost + # Gitea url (FOR REVER PROXY LEAVE AS DEFAULT) + gitea_root_url: http://localhost:3000 + # Protocol (FOR REVER PROXY LEAVE AS DEFAULT) + gitea_protocol: http + # listen IP (FOR REVER PROXY LEAVE AS DEFAULT) + gitea_http_listen: 127.0.0.1 + # Listen port (FOR REVER PROXY LEAVE AS DEFAULT) + gitea_http_port: 3000 + # HTTP git Options + gitea_disable_http_git: false + # Offline mode options + gitea_offline_mode: true + + ## DB details + # DB Type 'mysql', 'postgres' or 'sqlite3' + gitea_db_type: sqlite3 + # DB host + gitea_db_host: 127.0.0.0:3306 + # DB name + gitea_db_name: root + # DB username + gitea_db_user: gitea + # DB password + gitea_db_passord: lel + # DB ssl options + gitea_db_ssl: disable + # DB path (Not needed for postgres and mysql hash it in template file ) + gitea_db_path: "{{ gitea_home }}/data/gitea.db" + + ## SSH Details + # SSH Listen IP + gitea_ssh_listen: 0.0.0.0 + # SSH domain + 
gitea_ssh_domain: localhost + # SSH options + gitea_start_ssh: true + # SSH post + gitea_ssh_port: 2222 + + # gitea key (GENERATE A NEW KEY) + gitea_secret_key: T0pS3cr31 + + ## General Settings + # User email settings + gitea_show_user_email: false + # User avatar settings + gitea_disable_gravatar: true + # User register options + gitea_disable_registration: false + # User signup options + gitea_require_signin: true + # User captcha options + gitea_enable_captcha: true +``` + +#### Nginx roles parameters +``` + # Domain name for the server + nginx_domain_name: "test.hostnats.com" + # Gitea listening port + gitea_http_port: 3000 + # letsencrypt email address + letsencrypt_email: "test@example.com" + ``` + +## Ansible Logging +Ansible playbook executions are automatically logged to a file called `playbook-execution.log` in the root directory of the project. The path to this log file can be changed by editing `ansible.cfg` in the project root directory and specifying a different path. + +## Troubleshooting +Ansible has a built in debug output. Simple run Ansible with a `-v`. There are 5 levels of debug output and they are denoted by the number of v's listed. Each level up provide more debug output than the level before it. + +Level 1: `-v` + +Level 2: `-vv` + +Level 3: `-vvv` + +Level 4: `-vvvv` + +Level 5: `-vvvvv` + +Example execution with level 3 debug output: `ansible-playbook -i inventory.yml site.yml -vvv` diff --git a/source/resources/apps/Ansible-Gitea/ansible.cfg b/source/resources/apps/Ansible-Gitea/ansible.cfg new file mode 100644 index 0000000..fbb2715 --- /dev/null +++ b/source/resources/apps/Ansible-Gitea/ansible.cfg @@ -0,0 +1,2 @@ +[defaults] +log_path=playbook_execution.log \ No newline at end of file diff --git a/source/resources/apps/Ansible-Gitea/inventory.yml b/source/resources/apps/Ansible-Gitea/inventory.yml new file mode 100644 index 0000000..aa1180b --- /dev/null +++ b/source/resources/apps/Ansible-Gitea/inventory.yml 
@@ -0,0 +1,7 @@
+all:
+ hosts:
+ 10.0.0.1: # Example host
+
+ # Additional hosts can be specified by adding them below
+ #10.0.0.2: # Example host 2. Uncomment line to use
+ #10.0.0.3: # Example host 3. Uncomment line to use
\ No newline at end of file
diff --git a/source/resources/apps/Ansible-Gitea/roles/gitea/.DS_Store b/source/resources/apps/Ansible-Gitea/roles/gitea/.DS_Store
new file mode 100644
index 0000000..8dc822b
Binary files /dev/null and b/source/resources/apps/Ansible-Gitea/roles/gitea/.DS_Store differ
diff --git a/source/resources/apps/Ansible-Gitea/roles/gitea/defaults/main.yml b/source/resources/apps/Ansible-Gitea/roles/gitea/defaults/main.yml
new file mode 100644
index 0000000..dc9b083
--- /dev/null
+++ b/source/resources/apps/Ansible-Gitea/roles/gitea/defaults/main.yml
@@ -0,0 +1,34 @@
+gitea_app_name: "Gitea"
+gitea_user: "gitea"
+gitea_home: "/var/lib/gitea"
+
+gitea_user_repo_limit: -1
+
+gitea_http_domain: localhost
+gitea_root_url: http://localhost:3000
+gitea_protocol: http
+gitea_http_listen: 127.0.0.1
+gitea_http_port: 3000
+gitea_disable_http_git: false
+gitea_offline_mode: true
+
+gitea_db_type: sqlite3
+gitea_db_host: 127.0.0.0:3306
+gitea_db_name: root
+gitea_db_user: gitea
+gitea_db_passord: lel
+gitea_db_ssl: disable
+gitea_db_path: "{{ gitea_home }}/data/gitea.db"
+
+gitea_ssh_listen: 0.0.0.0
+gitea_ssh_domain: localhost
+gitea_start_ssh: true
+gitea_ssh_port: 2222
+
+gitea_secret_key: T0pS3cr31
+
+gitea_show_user_email: false
+gitea_disable_gravatar: true
+gitea_disable_registration: false
+gitea_require_signin: true
+gitea_enable_captcha: true
diff --git a/source/resources/apps/Ansible-Gitea/roles/gitea/handlers/main.yml b/source/resources/apps/Ansible-Gitea/roles/gitea/handlers/main.yml
new file mode 100644
index 0000000..9a76d3b
--- /dev/null
+++ b/source/resources/apps/Ansible-Gitea/roles/gitea/handlers/main.yml
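Review bot: `gitea_secret_key: T0pS3cr31` and `gitea_db_passord: lel` ship usable credential values as role defaults, so any caller who does not override them deploys a known application secret (presumably rendered into the `[security]` section of `gitea.ini.j2`, which is outside this view) and a known database password; the defaults should be empty, e.g. `gitea_secret_key: ""`, with an `assert` task early in `tasks/main.yml` checking `gitea_secret_key | length > 0`, and real values supplied from a vaulted vars file. The variable name `gitea_db_passord` is misspelled, so a caller who sets `gitea_db_password` silently keeps the default; renaming it here requires the matching rename in the template's database section. `gitea_db_host: 127.0.0.0:3306` looks like a typo for `127.0.0.1:3306` (unused with the sqlite3 default, but wrong as soon as mysql or postgres is selected). `gitea_ssh_listen: 0.0.0.0` together with `gitea_disable_registration: false` exposes the built-in SSH server and open self-registration on every interface by default, which the README should call out or the role should default to `gitea_disable_registration: true`.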
@@ -0,0 +1,5 @@
+- name: "Restart gitea"
+ service: name=gitea state=restarted
+
+- name: "Reload systemd"
+ systemd: daemon_reload=yes
diff --git a/source/resources/apps/Ansible-Gitea/roles/gitea/tasks/create_user.yml b/source/resources/apps/Ansible-Gitea/roles/gitea/tasks/create_user.yml
new file mode 100644
index 0000000..28b44e3
--- /dev/null
+++ b/source/resources/apps/Ansible-Gitea/roles/gitea/tasks/create_user.yml
@@ -0,0 +1,6 @@
+- name: "Create Gitea user"
+ user:
+ name: "{{ gitea_user }}"
+ comment: "Gitea user"
+ home: "{{ gitea_home }}"
+ shell: "/bin/false"
diff --git a/source/resources/apps/Ansible-Gitea/roles/gitea/tasks/install_systemd.yml b/source/resources/apps/Ansible-Gitea/roles/gitea/tasks/install_systemd.yml
new file mode 100644
index 0000000..6abfa8b
--- /dev/null
+++ b/source/resources/apps/Ansible-Gitea/roles/gitea/tasks/install_systemd.yml
@@ -0,0 +1,10 @@
+- name: "Setup systemd service"
+ template:
+ src: gitea.service.j2
+ dest: /lib/systemd/system/gitea.service
+ owner: root
+ group: root
+ mode: 0644
+ notify:
+ - "Reload systemd"
+ - "Restart gitea"
diff --git a/source/resources/apps/Ansible-Gitea/roles/gitea/tasks/main.yml b/source/resources/apps/Ansible-Gitea/roles/gitea/tasks/main.yml
new file mode 100644
index 0000000..39f1777
--- /dev/null
+++ b/source/resources/apps/Ansible-Gitea/roles/gitea/tasks/main.yml
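Review bot: The "Create Gitea user" task in create_user.yml does not mark the service account as a system user, so it is allocated a regular-user UID/GID and shows up as a login-style account; add `system: yes` next to `shell: "/bin/false"`. In install_systemd.yml the unit is written to `/lib/systemd/system/gitea.service`, the directory reserved for distribution packages; locally managed units belong in `/etc/systemd/system/gitea.service`, which also avoids the file being overwritten or orphaned by package operations. The unit's own hardening (User=, ProtectSystem=, and similar) lives in `gitea.service.j2`, which is not part of this diff view, so it cannot be reviewed here.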
@@ -0,0 +1,47 @@
+# TODO: variabilize this
+- name: "Download the binary"
+ get_url:
+ url: "https://dl.gitea.io/gitea/1.4/gitea-1.4-linux-amd64"
+ dest: /usr/local/bin/gitea
+ owner: root
+ group: root
+ mode: 0755
+ notify: "Restart gitea"
+
+- name: "Installing git"
+ apt:
+ name: git
+ update_cache: yes
+
+- include_tasks: create_user.yml
+
+- name: "Create config and data directory"
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ gitea_user }}"
+ with_items:
+ - "/etc/gitea"
+ - "{{ gitea_home }}"
+ - "{{ gitea_home }}/data"
+ - "{{ gitea_home }}/custom"
+ - "{{ gitea_home }}/custom/https"
+ - "{{ gitea_home }}/custom/mailer"
+
+# TODO: Support other systems than systemd
+- include_tasks: install_systemd.yml
+ when: ansible_service_mgr == "systemd"
+
+- name: "Configure gitea"
+ template:
+ src: gitea.ini.j2
+ dest: /etc/gitea/gitea.ini
+ owner: "{{ gitea_user }}"
+ mode: 0600
+ notify: "Restart gitea"
+
+- name: "Service gitea"
+ service:
+ name: gitea
+ state: started
+ enabled: true
diff --git a/source/resources/apps/Ansible-Gitea/roles/gitea/templates/gitea.ini.j2 b/source/resources/apps/Ansible-Gitea/roles/gitea/templates/gitea.ini.j2
new file mode 100644
index 0000000..82bb1e4
--- /dev/null
+++ b/source/resources/apps/Ansible-Gitea/roles/gitea/templates/gitea.ini.j2
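Review bot: The `get_url` task installs `gitea-1.4-linux-amd64` as a root-owned 0755 binary at `/usr/local/bin/gitea` without a `checksum:`, so a tampered, substituted or truncated download is installed and started with no integrity check; pin the expected digest, `checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"`, with the value taken from the release's published checksum file rather than fetched from the same URL at run time. The version is hard-coded in the URL (the `# TODO: variabilize this` comment acknowledges it), so a `gitea_version` default that drives both the URL and the pinned checksum would keep the two from drifting apart. The "Create config and data directory" task creates `/etc/gitea` owned by `{{ gitea_user }}` with no `mode:`, so the service account can rewrite its own configuration and the directory permissions depend on the remote umask; splitting `/etc/gitea` into its own `file` task with `owner: root`, `group: "{{ gitea_user }}"`, `mode: 0750` keeps the config directory out of the service's control while `gitea.ini` itself stays readable with its existing owner and 0600 mode.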
@@ -0,0 +1,454 @@
+; App name that shows on every page title
+APP_NAME = {{ gitea_app_name }}
+; Change it if you run locally
+RUN_USER = {{ gitea_user }}
+; Either "dev", "prod" or "test", default is "dev"
+RUN_MODE = prod
+
+[repository]
+ROOT = {{ gitea_home }}
+SCRIPT_TYPE = bash
+; Default ANSI charset
+ANSI_CHARSET =
+; Force every new repository to be private
+FORCE_PRIVATE = false
+; Global maximum creation limit of repository per user, -1 means no limit
+MAX_CREATION_LIMIT = {{ gitea_user_repo_limit }}
+; Mirror sync queue length, increase if mirror syncing starts hanging
+MIRROR_QUEUE_LENGTH = 1000
+; Patch test queue length, increase if pull request patch testing starts hanging
+PULL_REQUEST_QUEUE_LENGTH = 1000
+; Preferred Licenses to place at the top of the List
+; Name must match file name in conf/license or custom/conf/license
+PREFERRED_LICENSES = GNU GENERAL PUBLIC LICENSE, version 3.0
+; Disable ability to interact with repositories by HTTP protocol
+DISABLE_HTTP_GIT = {{ gitea_disable_http_git }}
+
+[repository.editor]
+; List of file extensions that should have line wraps in the CodeMirror editor
+; Separate extensions with a comma. To line wrap files w/o extension, just put a comma
+LINE_WRAP_EXTENSIONS = .txt,.md,.markdown,.mdown,.mkd,
+; Valid file modes that have a preview API associated with them, such as api/v1/markdown
+; Separate values by commas. Preview tab in edit mode won't show if the file extension doesn't match
+PREVIEWABLE_FILE_MODES = markdown
+
+[repository.upload]
+; Whether repository file uploads are enabled. Defaults to `true`
+ENABLED = true
+; Path for uploads. Defaults to `data/tmp/uploads` (tmp gets deleted on gitea restart)
+TEMP_PATH = {{ gitea_home }}/data/tmp/uploads
+; One or more allowed types, e.g. image/jpeg|image/png. Nothing means any file type
+ALLOWED_TYPES =
+; Max size of each file in MB. Defaults to 3MB
+FILE_MAX_SIZE = 3
+; Max number of files per upload. Defaults to 5
+MAX_FILES = 5
+
+[ui]
+; Number of repositories that are showed in one explore page
+EXPLORE_PAGING_NUM = 20
+; Number of issues that are showed in one page
+ISSUE_PAGING_NUM = 10
+; Number of maximum commits showed in one activity feed
+FEED_MAX_COMMIT_NUM = 5
+; Value of `theme-color` meta tag, used by Android >= 5.0
+; An invalid color like "none" or "disable" will have the default style
+; More info: https://developers.google.com/web/updates/2014/11/Support-for-theme-color-in-Chrome-39-for-Android
+THEME_COLOR_META_TAG = `#6cc644`
+; Max size of files to be displayed (defaults is 8MiB)
+MAX_DISPLAY_FILE_SIZE = 8388608
+; Whether show the user email in the Explore Users page
+SHOW_USER_EMAIL = {{ gitea_show_user_email }}
+
+[ui.admin]
+; Number of users that are showed in one page
+USER_PAGING_NUM = 50
+; Number of repos that are showed in one page
+REPO_PAGING_NUM = 50
+; Number of notices that are showed in one page
+NOTICE_PAGING_NUM = 25
+; Number of organization that are showed in one page
+ORG_PAGING_NUM = 50
+
+[ui.user]
+; Number of repos that are showed in one page
+REPO_PAGING_NUM = 15
+
+[markdown]
+; Enable hard line break extension
+ENABLE_HARD_LINE_BREAK = false
+; List of custom URL-Schemes that are allowed as links when rendering Markdown
+; for example git,magnet
+CUSTOM_URL_SCHEMES =
+; List of file extensions that should be rendered/edited as Markdown
+; Separate extensions with a comma. To render files w/o extension as markdown, just put a comma
+FILE_EXTENSIONS = .md,.markdown,.mdown,.mkd
+
+[server]
+PROTOCOL = {{ gitea_protocol }}
+DOMAIN = {{ gitea_http_domain }}
+ROOT_URL = {{ gitea_root_url }}
+HTTP_ADDR = {{ gitea_http_listen }}
+HTTP_PORT = {{ gitea_http_port }}
+; Permission for unix socket
+UNIX_SOCKET_PERMISSION = 666
+; Local (DMZ) URL for Gitea workers (such as SSH update) accessing web service.
+; In most cases you do not need to change the default value.
+; Alter it only if your SSH server node is not the same as HTTP node.
+LOCAL_ROOT_URL = %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/
+; Disable SSH feature when not available
+DISABLE_SSH = false
+; Whether use builtin SSH server or not.
+START_SSH_SERVER = {{ gitea_start_ssh }}
+; Domain name to be exposed in clone URL
+SSH_DOMAIN = {{ gitea_ssh_domain }}
+; Network interface builtin SSH server listens on
+SSH_LISTEN_HOST = {{ gitea_ssh_listen }}
+; Port number to be exposed in clone URL
+SSH_PORT = {{ gitea_ssh_port }}
+; Port number builtin SSH server listens on
+SSH_LISTEN_PORT = %(SSH_PORT)s
+; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.
+SSH_ROOT_PATH = {{ gitea_home }}/.ssh
+; Directory to create temporary files when test publick key using ssh-keygen,
+; default is system temporary directory.
+SSH_KEY_TEST_PATH =
+; Path to ssh-keygen, default is 'ssh-keygen' and let shell find out which one to call.
+SSH_KEYGEN_PATH = ssh-keygen
+; Indicate whether to check minimum key size with corresponding type
+MINIMUM_KEY_SIZE_CHECK = false
+; Disable CDN even in "prod" mode
+OFFLINE_MODE = {{ gitea_offline_mode }}
+DISABLE_ROUTER_LOG = false
+; Generate steps:
+; $ ./gitea cert -ca=true -duration=8760h0m0s -host=myhost.example.com
+;
+; Or from a .pfx file exported from the Windows certificate store (do
+; not forget to export the private key):
+; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
+; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
+CERT_FILE = {{ gitea_home }}/custom/https/cert.pem
+KEY_FILE = {{ gitea_home }}/custom/https/key.pem
+; Upper level of template and static file path
+; default is the path where Gitea is executed
+STATIC_ROOT_PATH =
+; Default path for App data
+APP_DATA_PATH = {{ gitea_home }}/data
+; Application level GZIP support
+ENABLE_GZIP = false
+; Landing page for non-logged users, can be "home" or "explore"
+LANDING_PAGE = home
+
+; Define allowed algorithms and their minimum key length (use -1 to disable a type)
+[ssh.minimum_key_sizes]
+ED25519 = 256
+ECDSA = 256
+RSA = 2048
+DSA = 1024
+
+[database]
+; Either "mysql", "postgres" or "sqlite3", it's your choice
+DB_TYPE = {{ gitea_db_type }}
+HOST = {{ gitea_db_host }}
+NAME = {{ gitea_db_name }}
+USER = {{ gitea_db_user }}
+PASSWD = {{ gitea_db_passord }}
+; For "postgres" only, either "disable", "require" or "verify-full"
+SSL_MODE = {{ gitea_db_ssl }}
+; For "sqlite3" and "tidb", use absolute path when you start as service
+PATH = {{ gitea_db_path }}
+
+[admin]
+
+[security]
+; Whether the installer is disabled
+INSTALL_LOCK = true
+; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!!
+SECRET_KEY = {{ gitea_secret_key }}
+; Auto-login remember days
+LOGIN_REMEMBER_DAYS = 7
+COOKIE_USERNAME = gitea_awesome
+COOKIE_REMEMBER_NAME = gitea_incredible
+; Reverse proxy authentication header name of user name
+REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
+; Sets the minimum password length for new Users
+MIN_PASSWORD_LENGTH = 6
+
+[service]
+ACTIVE_CODE_LIVE_MINUTES = 180
+RESET_PASSWD_CODE_LIVE_MINUTES = 180
+; User need to confirm e-mail for registration
+REGISTER_EMAIL_CONFIRM = false
+; Does not allow register and admin create account only
+DISABLE_REGISTRATION = {{ gitea_disable_registration }}
+; User must sign in to view anything.
+REQUIRE_SIGNIN_VIEW = {{ gitea_require_signin }}
+; Mail notification
+ENABLE_NOTIFY_MAIL = false
+; More detail: https://github.com/go-gitea/gitea/issues/165
+ENABLE_REVERSE_PROXY_AUTHENTICATION = false
+ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
+; Enable captcha validation for registration
+ENABLE_CAPTCHA = {{ gitea_enable_captcha }}
+; Default value for KeepEmailPrivate
+; New user will get the value of this setting copied into their profile
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+; Default value for the domain part of the user's email address in the git log
+; if he has set KeepEmailPrivate true. The user's email replaced with a
+; concatenation of the user name in lower case, "@" and NO_REPLY_ADDRESS.
+NO_REPLY_ADDRESS = noreply@localhost
+
+[webhook]
+; Hook task queue length, increase if webhook shooting starts hanging
+QUEUE_LENGTH = 1000
+; Deliver timeout in seconds
+DELIVER_TIMEOUT = 5
+; Allow insecure certification
+SKIP_TLS_VERIFY = false
+; Number of history information in each page
+PAGING_NUM = 10
+
+[mailer]
+ENABLED = false
+; Buffer length of channel, keep it as it is if you don't know what it is.
+SEND_BUFFER_LEN = 100
+; Name displayed in mail title
+SUBJECT = %(APP_NAME)s
+; Mail server
+; Gmail: smtp.gmail.com:587
+; QQ: smtp.qq.com:465
+; Note, if the port ends with "465", SMTPS will be used. Using STARTTLS on port 587 is recommended per RFC 6409. If the server supports STARTTLS it will always be used.
+HOST =
+; Disable HELO operation when hostname are different.
+DISABLE_HELO =
+; Custom hostname for HELO operation, default is from system.
+HELO_HOSTNAME =
+; Do not verify the certificate of the server. Only use this for self-signed certificates
+SKIP_VERIFY =
+; Use client certificate
+USE_CERTIFICATE = false
+CERT_FILE = {{ gitea_home }}/custom/mailer/cert.pem
+KEY_FILE = {{ gitea_home }}/custom/mailer/key.pem
+; Mail from address, RFC 5322. This can be just an email address, or the `"Name" ` format
+FROM =
+; Mailer user name and password
+USER =
+PASSWD =
+; Use text/html as alternative format of content
+ENABLE_HTML_ALTERNATIVE = false
+; Enable sendmail (override SMTP)
+USE_SENDMAIL = false
+; Specifiy an alternative sendmail binary
+SENDMAIL_PATH = sendmail
+
+[cache]
+; Either "memory", "redis", or "memcache", default is "memory"
+ADAPTER = memory
+; For "memory" only, GC interval in seconds, default is 60
+INTERVAL = 60
+; For "redis" and "memcache", connection host address
+; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
+; memcache: `127.0.0.1:11211`
+HOST =
+
+[session]
+; Either "memory", "file", or "redis", default is "memory"
+PROVIDER = file
+; Provider config options
+; memory: not have any config yet
+; file: session file path, e.g. `data/sessions`
+; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
+; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
+PROVIDER_CONFIG = {{ gitea_home }}/data/sessions
+; Session cookie name
+COOKIE_NAME = i_like_gitea
+; If you use session in https only, default is false
+COOKIE_SECURE = false
+; Enable set cookie, default is true
+ENABLE_SET_COOKIE = true
+; Session GC time interval, default is 86400
+GC_INTERVAL_TIME = 86400
+; Session life time, default is 86400
+SESSION_LIFE_TIME = 86400
+
+[picture]
+AVATAR_UPLOAD_PATH = {{ gitea_home }}/data/avatars
+; Chinese users can choose "duoshuo"
+; or a custom avatar source, like: http://cn.gravatar.com/avatar/
+GRAVATAR_SOURCE = gravatar
+; This value will be forced to be true in offline mode.
+DISABLE_GRAVATAR = {{ gitea_disable_gravatar }}
+; Federated avatar lookup uses DNS to discover avatar associated
+; with emails, see https://www.libravatar.org
+; This value will be forced to be false in offline mode or Gravatar is disbaled.
+ENABLE_FEDERATED_AVATAR = false
+
+[attachment]
+; Whether attachments are enabled. Defaults to `true`
+ENABLE = true
+; Path for attachments. Defaults to `data/attachments`
+PATH = {{ gitea_home }}/data/attachments
+; One or more allowed types, e.g. image/jpeg|image/png
+ALLOWED_TYPES = image/jpeg|image/png
+; Max size of each file. Defaults to 32MB
+MAX_SIZE = 4
+; Max number of files per upload. Defaults to 10
+MAX_FILES = 5
+
+[time]
+; Specifies the format for fully outputed dates. Defaults to RFC1123
+; Special supported values are ANSIC, UnixDate, RubyDate, RFC822, RFC822Z, RFC850, RFC1123, RFC1123Z, RFC3339, RFC3339Nano, Kitchen, Stamp, StampMilli, StampMicro and StampNano
+; For more information about the format see http://golang.org/pkg/time/#pkg-constants
+FORMAT =
+
+[log]
+ROOT_PATH = {{ gitea_home }}/log
+; Either "console", "file", "conn", "smtp" or "database", default is "console"
+; Use comma to separate multiple modes, e.g. "console, file"
+MODE = file
+; Buffer length of channel, keep it as it is if you don't know what it is.
+BUFFER_LEN = 10000
+; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace"
+LEVEL = Info
+
+; For "console" mode only
+[log.console]
+LEVEL =
+
+; For "file" mode only
+[log.file]
+LEVEL =
+; This enables automated log rotate(switch of following options), default is true
+LOG_ROTATE = true
+; Max line number of single file, default is 1000000
+MAX_LINES = 1000000
+; Max size shift of single file, default is 28 means 1 << 28, 256MB
+MAX_SIZE_SHIFT = 28
+; Segment log daily, default is true
+DAILY_ROTATE = true
+; Expired days of log file(delete after max days), default is 7
+MAX_DAYS = 7
+
+; For "conn" mode only
+[log.conn]
+LEVEL =
+; Reconnect host for every single message, default is false
+RECONNECT_ON_MSG = false
+; Try to reconnect when connection is lost, default is false
+RECONNECT = false
+; Either "tcp", "unix" or "udp", default is "tcp"
+PROTOCOL = tcp
+; Host address
+ADDR =
+
+; For "smtp" mode only
+[log.smtp]
+LEVEL =
+; Name displayed in mail title, default is "Diagnostic message from server"
+SUBJECT = Diagnostic message from server
+; Mail server
+HOST =
+; Mailer user name and password
+USER =
+PASSWD =
+; Receivers, can be one or more, e.g. 1@example.com,2@example.com
+RECEIVERS =
+
+; For "database" mode only
+[log.database]
+LEVEL =
+; Either "mysql" or "postgres"
+DRIVER =
+; Based on xorm, e.g.: root:root@localhost/gitea?charset=utf8
+CONN =
+
+[cron]
+; Enable running cron tasks periodically.
+ENABLED = true
+; Run cron tasks when Gitea starts.
+RUN_AT_START = false
+
+; Update mirrors
+[cron.update_mirrors]
+SCHEDULE = @every 10m
+
+; Repository health check
+[cron.repo_health_check]
+SCHEDULE = @every 24h
+TIMEOUT = 60s
+; Arguments for command 'git fsck', e.g. "--unreachable --tags"
+; see more on http://git-scm.com/docs/git-fsck/1.7.5
+ARGS =
+
+; Check repository statistics
+[cron.check_repo_stats]
+RUN_AT_START = true
+SCHEDULE = @every 24h
+
+[git]
+; Disables highlight of added and removed changes
+DISABLE_DIFF_HIGHLIGHT = false
+; Max number of lines allowed of a single file in diff view
+MAX_GIT_DIFF_LINES = 1000
+; Max number of characters of a line allowed in diff view
+MAX_GIT_DIFF_LINE_CHARACTERS = 500
+; Max number of files shown in diff view
+MAX_GIT_DIFF_FILES = 100
+; Arguments for command 'git gc', e.g. "--aggressive --auto"
+; see more on http://git-scm.com/docs/git-gc/1.7.5
+GC_ARGS =
+
+; Operation timeout in seconds
+[git.timeout]
+MIGRATE = 600
+MIRROR = 300
+CLONE = 300
+PULL = 300
+GC = 60
+
+[mirror]
+; Default interval in hours between each check
+DEFAULT_INTERVAL = 8
+
+[api]
+; Max number of items will response in a page
+MAX_RESPONSE_ITEMS = 50
+
+[i18n]
+LANGS = en-US,zh-CN,zh-HK,zh-TW,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,ja-JP,es-ES,pt-BR,pl-PL,bg-BG,it-IT,fi-FI,tr-TR,cs-CZ,sr-SP,sv-SE,ko-KR
+NAMES = English,简体中文,ç¹é«”中文(香港),ç¹é«”中文(å°æ¹¾ï¼‰,Deutsch,Français,Nederlands,LatvieÅ¡u,РуÑÑкий,日本語,Español,Português do Brasil,Polski,българÑки,Italiano,Suomalainen,Türkçe,ÄeÅ¡tina,СрпÑки,Svenska,한국어
+
+; Used for datetimepicker
+[i18n.datelang]
+en-US = en
+zh-CN = zh
+zh-HK = zh-TW
+zh-TW = zh-TW
+de-DE = de
+fr-FR = fr
+nl-NL = nl
+lv-LV = lv
+ru-RU = ru
+ja-JP = ja
+es-ES = es
+pt-BR = pt-BR
+pl-PL = pl
+bg-BG = bg
+it-IT = it
+fi-FI = fi
+tr-TR = tr
+cs-CZ = cs-CZ
+sr-SP = sr
+sv-SE = sv
+ko-KR = ko
+
+; Extension mapping to highlight class
+; e.g. .toml=ini
+[highlight.mapping]
+
+[other]
+SHOW_FOOTER_BRANDING = false
+; Show version information about Gitea and Go in the footer
+SHOW_FOOTER_VERSION = false
+; Show time of template execution in the footer
+SHOW_FOOTER_TEMPLATE_LOAD_TIME = false
diff --git a/source/resources/apps/Ansible-Gitea/roles/gitea/templates/gitea.service.j2 b/source/resources/apps/Ansible-Gitea/roles/gitea/templates/gitea.service.j2
new file mode 100644
index 0000000..c746cc4
--- /dev/null
+++ b/source/resources/apps/Ansible-Gitea/roles/gitea/templates/gitea.service.j2
@@ -0,0 +1,12 @@
+[Unit]
+Description=Gitea git server
+After=network.target
+
+[Service]
+User={{ gitea_user }}
+ExecStart=/usr/local/bin/gitea web -c /etc/gitea/gitea.ini
+Restart=on-failure
+WorkingDirectory={{ gitea_home }}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/source/resources/apps/Ansible-Gitea/roles/nginx/defaults/main.yml b/source/resources/apps/Ansible-Gitea/roles/nginx/defaults/main.yml
new file mode 100644
index 0000000..9e5cf6c
--- /dev/null
+++ b/source/resources/apps/Ansible-Gitea/roles/nginx/defaults/main.yml
@@ -0,0 +1,3 @@
+nginx_domain_name: "gitea.example.com"
+gitea_http_port: 3000
+letsencrypt_email: "test@example.com"
diff --git a/source/resources/apps/Ansible-Gitea/roles/nginx/handlers/main.yml b/source/resources/apps/Ansible-Gitea/roles/nginx/handlers/main.yml
new file mode 100644
index 0000000..9cbc554
--- /dev/null
+++ b/source/resources/apps/Ansible-Gitea/roles/nginx/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: "Restart nginx"
+ service: name=nginx state=restarted
+
+- name: "Reload systemd"
+ shell: "systemctl daemon-reload"
diff --git a/source/resources/apps/Ansible-Gitea/roles/nginx/tasks/main.yml b/source/resources/apps/Ansible-Gitea/roles/nginx/tasks/main.yml
new file mode 100644
index 0000000..353a24b
--- /dev/null
+++ b/source/resources/apps/Ansible-Gitea/roles/nginx/tasks/main.yml
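Review bot: The `[Service]` section drops to `User={{ gitea_user }}` but applies none of systemd's sandboxing, so a compromised web process keeps that user's full view of the filesystem and can gain privileges through setuid binaries. Adding `ProtectSystem=full`, `PrivateTmp=true` and `NoNewPrivileges=true` after `WorkingDirectory=` makes `/usr`, `/boot` and `/etc` read-only to the service (which also shields `/etc/gitea/gitea.ini` from being rewritten by the process) and blocks privilege escalation; this assumes `{{ gitea_home }}` lives outside those trees, which the role defaults (not in this chunk) should be checked for. `After=network.target` does not order the unit after a local database, so when `gitea_db_type` points at a mysql/postgres service on the same host the first boot can race it; naming that unit in `After=` avoids the spurious failure-and-restart.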
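Review bot: `gitea_http_port: 3000` redefines a variable the gitea role's template already consumes (`HTTP_PORT = {{ gitea_http_port }}` in gitea.ini.j2), so the port Gitea listens on and the port nginx proxies to are now declared in two places and can drift apart without any error. Define it once (in group_vars or the gitea role's defaults) and drop the copy here, leaving a comment that the nginx role expects it from the gitea role. `letsencrypt_email: "test@example.com"` is a placeholder that callers must override; a comment saying so on that line would prevent ACME registration being attempted with it.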
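Review bot: `shell: "systemctl daemon-reload"` re-implements what the gitea role's handler does with `systemd: daemon_reload=yes`; the module form needs no shell and reports status properly, so `systemd: daemon_reload=yes` here keeps the two roles consistent. Both roles define a handler named `"Reload systemd"`, and handler names are global to a play, so only one of the two definitions is effective and the other role's notify silently runs it — a role-prefixed name such as `"Reload systemd (nginx)"` removes the ambiguity. Nothing in this role's tasks notifies `"Reload systemd"`, so unless it is kept for the cross-role collision it appears unused.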
@@ -0,0 +1,48 @@
+- name: "Installing Nginx"
+ apt:
+ name: nginx
+ state: latest
+ update_cache: yes
+ notify: "Restart nginx"
+
+- name: "Install letsencrypt"
+ apt:
+ name: letsencrypt
+ state: latest
+
+- name: "Remove default nginx config"
+ file:
+ name: /etc/nginx/sites-enabled/default
+ state: absent
+
+- name: "Configure nginx Non SSL"
+ template:
+ src: nginx.conf.j2
+ dest: /etc/nginx/sites-enabled/default.conf
+ owner: root
+ mode: 0600
+ notify: "Restart nginx"
+
+- name: "Creating letsencrypt certificate"
+ shell: letsencrypt certonly -n --webroot -w /var/www/html -m {{ letsencrypt_email }} --agree-tos -d {{ nginx_domain_name }}
+ args:
+ creates: /etc/letsencrypt/live/{{ nginx_domain_name }}
+
+- name: "Generate dhparams NOTE: This will take a long time to complete "
+ shell: openssl dhparam -out /etc/nginx/dhparams.pem 2048
+ args:
+ creates: /etc/nginx/dhparams.pem
+
+- name: "Configure nginx SSL"
+ template:
+ src: nginxssl.conf.j2
+ dest: /etc/nginx/sites-enabled/default_ssl.conf
+ owner: root
+ mode: 0600
+ notify: "Restart nginx"
+
+- name: "Add letsencrypt cronjob for cert renewal"
+ cron:
+ name: letsencrypt_renewal
+ special_time: monthly
+ job: letsencrypt --renew certonly -n --webroot -w /var/www/html -m {{ letsencrypt_email }} --agree-tos -d {{ nginx_domain_name }} && service nginx reload
diff --git a/source/resources/apps/Ansible-Gitea/roles/nginx/templates/nginx.conf.j2 b/source/resources/apps/Ansible-Gitea/roles/nginx/templates/nginx.conf.j2
new file mode 100644
index 0000000..21e2528
--- /dev/null
+++ b/source/resources/apps/Ansible-Gitea/roles/nginx/templates/nginx.conf.j2
@@ -0,0 +1,13 @@
+server {
+ listen 80 default_server;
+ server_name {{ nginx_domain_name }};
+
+ location /.well-known/acme-challenge {
+ root /var/www/html;
+ try_files $uri $uri/ =404;
+ }
+
+ location / {
+ rewrite ^ https://{{ nginx_domain_name }}$request_uri? permanent;
+ }
+}
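Review bot: `Creating letsencrypt certificate` runs `letsencrypt certonly --webroot -w /var/www/html` before nginx has loaded the new `nginx.conf.j2` site: the `Restart nginx` handler only fires at the end of the play and the default site has just been deleted from disk, so the ACME challenge is answered by whatever configuration the running nginx still holds in memory (on a fresh Debian install the packaged default site, which happens to use `/var/www/html`). Insert `- meta: flush_handlers` after `Configure nginx Non SSL` so the `/.well-known/acme-challenge` location is live before the challenge runs. `state: latest` on both `apt` tasks upgrades the packages on every run, which makes the play non-idempotent and triggers `Restart nginx` on unrelated runs; `state: present` is the usual choice. Both `shell:` tasks assemble their command line from role variables; `command:` (no shell interpretation) works for these invocations and narrows the blast radius of an unexpected value in `letsencrypt_email` or `nginx_domain_name`.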
diff --git a/source/resources/apps/Ansible-Gitea/roles/nginx/templates/nginxssl.conf.j2 b/source/resources/apps/Ansible-Gitea/roles/nginx/templates/nginxssl.conf.j2
new file mode 100644
index 0000000..4e95d21
--- /dev/null
+++ b/source/resources/apps/Ansible-Gitea/roles/nginx/templates/nginxssl.conf.j2
@@ -0,0 +1,59 @@
+server {
+ # Bindings
+ listen 443 default_server ssl http2;
+ server_name {{ nginx_domain_name }};
+ root /var/www/html;
+ index index.php index.html index.htm;
+
+ # Certificate information
+ ssl_certificate /etc/letsencrypt/live/{{ nginx_domain_name }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ nginx_domain_name }}/privkey.pem;
+
+ # Limit ciphers to PCI DSS compliant ciphers.
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_protocols TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_dhparam /etc/nginx/dhparams.pem;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+
+ gzip on;
+ gzip_http_version 1.0;
+ gzip_comp_level 2;
+ gzip_min_length 1100;
+ gzip_buffers 4 8k;
+ gzip_proxied any;
+ gzip_types
+ # text/html is always compressed by HttpGzipModule
+ text/css
+ text/javascript
+ text/xml
+ text/plain
+ text/x-component
+ application/javascript
+ application/json
+ application/xml
+ application/rss+xml
+ font/truetype
+ font/opentype
+ application/vnd.ms-fontobject
+ image/svg+xml;
+
+ gzip_static on;
+
+ gzip_proxied expired no-cache no-store private auth;
+ gzip_vary on;
+
+ location / {
+ proxy_pass http://127.0.0.1:{{ gitea_http_port }};
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+
+}
diff --git a/source/resources/apps/Ansible-Gitea/site.yml b/source/resources/apps/Ansible-Gitea/site.yml
new file mode 100644
index 0000000..b819ca8
--- /dev/null
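Review bot: The TLS server block sets `X-Frame-Options` and `X-XSS-Protection` but no `Strict-Transport-Security`, so after the port-80 redirect a client's next visit may still start in plaintext; add `add_header Strict-Transport-Security "max-age=31536000" always;` beside the other headers (begin with a short max-age while validating the deployment) and `add_header X-Content-Type-Options "nosniff" always;`. `ssl_ciphers HIGH:!aNULL:!MD5;`, despite the "PCI DSS compliant" comment above it, still admits static-RSA key exchange and CBC suites; restricting to forward-secret AEAD suites, e.g. `ssl_ciphers 'ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5';`, matches the TLSv1.2-only `ssl_protocols` line. `gzip_proxied` appears twice (`any`, then `expired no-cache no-store private auth`); the first already covers every proxied response, so the second is redundant and one of the two should go. `root /var/www/html` and `index index.php ...` are never reached because `location /` proxies everything to Gitea, and dropping them avoids suggesting that PHP is served here.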
+++ b/source/resources/apps/Ansible-Gitea/site.yml
@@ -0,0 +1,4 @@
+- hosts : all
+ roles :
+ - nginx
+ - gitea
diff --git a/source/resources/apps/ansible-debian-mail/.gitignore b/source/resources/apps/ansible-debian-mail/.gitignore
new file mode 100644
index 0000000..bed1e33
--- /dev/null
+++ b/source/resources/apps/ansible-debian-mail/.gitignore
@@ -0,0 +1 @@
+site.retry
\ No newline at end of file
diff --git a/source/resources/apps/ansible-debian-mail/LICENSE.AGPLv3 b/source/resources/apps/ansible-debian-mail/LICENSE.AGPLv3
new file mode 100644
index 0000000..67f7d05
--- /dev/null
+++ b/source/resources/apps/ansible-debian-mail/LICENSE.AGPLv3
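Review bot: The play targets `hosts : all` with no `become:`, yet every task in both roles (apt, writing under /etc and /lib, creating a user) needs root, so it only works when the inventory connects as root directly; `become: yes` on the play with a non-root `remote_user` is the conventional least-privilege setup. The spaces before the colons in `hosts :` and `roles :` are valid YAML but unusual; `hosts: all` / `roles:` matches the rest of the commit. Running nginx before gitea means the nginx SSL template references `gitea_http_port` before the gitea role's defaults are loaded, which only works because the nginx role carries its own copy of that variable.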
@@ -0,0 +1,661 @@ + GNU AFFERO GENERAL PUBLIC LICENSE + Version 3, 19 November 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU Affero General Public License is a free, copyleft license for +software and other kinds of works, specifically designed to ensure +cooperation with the community in the case of network server software. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +our General Public Licenses are intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + Developers that use our General Public Licenses protect your rights +with two steps: (1) assert copyright on the software, and (2) offer +you this License which gives you legal permission to copy, distribute +and/or modify the software. + + A secondary benefit of defending all users' freedom is that +improvements made in alternate versions of the program, if they +receive widespread use, become available for other developers to +incorporate. Many developers of free software are heartened and +encouraged by the resulting cooperation. However, in the case of +software used on network servers, this result may fail to come about. 
+The GNU General Public License permits making a modified version and +letting the public access it on a server without ever releasing its +source code to the public. + + The GNU Affero General Public License is designed specifically to +ensure that, in such cases, the modified source code becomes available +to the community. It requires the operator of a network server to +provide the source code of the modified version running there to the +users of that server. Therefore, public use of a modified version, on +a publicly accessible server, gives the public access to the source +code of the modified version. + + An older license, called the Affero General Public License and +published by Affero, was designed to accomplish similar goals. This is +a different license, not a version of the Affero GPL, but Affero has +released a new version of the Affero GPL which permits relicensing under +this license. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU Affero General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. 
+ + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. 
+ + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. 
The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. 
+ + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. 
+
+ A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit. Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+ 6. Conveying Non-Source Forms.
+
+ You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+ a) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by the
+ Corresponding Source fixed on a durable physical medium
+ customarily used for software interchange.
+
+ b) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by a
+ written offer, valid for at least three years and valid for as
+ long as you offer spare parts or customer support for that product
+ model, to give anyone who possesses the object code either (1) a
+ copy of the Corresponding Source for all the software in the
+ product that is covered by this License, on a durable physical
+ medium customarily used for software interchange, for a price no
+ more than your reasonable cost of physically performing this
+ conveying of source, or (2) access to copy the
+ Corresponding Source from a network server at no charge.
+
+ c) Convey individual copies of the object code with a copy of the
+ written offer to provide the Corresponding Source.
This
+ alternative is allowed only occasionally and noncommercially, and
+ only if you received the object code with such an offer, in accord
+ with subsection 6b.
+
+ d) Convey the object code by offering access from a designated
+ place (gratis or for a charge), and offer equivalent access to the
+ Corresponding Source in the same way through the same place at no
+ further charge. You need not require recipients to copy the
+ Corresponding Source along with the object code. If the place to
+ copy the object code is a network server, the Corresponding Source
+ may be on a different server (operated by you or a third party)
+ that supports equivalent copying facilities, provided you maintain
+ clear directions next to the object code saying where to find the
+ Corresponding Source. Regardless of what server hosts the
+ Corresponding Source, you remain obligated to ensure that it is
+ available for as long as needed to satisfy these requirements.
+
+ e) Convey the object code using peer-to-peer transmission, provided
+ you inform other peers where the object code and Corresponding
+ Source of the work are being offered to the general public at no
+ charge under subsection 6d.
+
+ A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+ A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling. In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.
For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product. A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+ "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source. The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+ If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information. But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+ The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.
Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+ Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+ 7. Additional Terms.
+
+ "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law. If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+ When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it. (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.) You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+ Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+ a) Disclaiming warranty or limiting liability differently from the
+ terms of sections 15 and 16 of this License; or
+
+ b) Requiring preservation of specified reasonable legal notices or
+ author attributions in that material or in the Appropriate Legal
+ Notices displayed by works containing it; or
+
+ c) Prohibiting misrepresentation of the origin of that material, or
+ requiring that modified versions of such material be marked in
+ reasonable ways as different from the original version; or
+
+ d) Limiting the use for publicity purposes of names of licensors or
+ authors of the material; or
+
+ e) Declining to grant rights under trademark law for use of some
+ trade names, trademarks, or service marks; or
+
+ f) Requiring indemnification of licensors and authors of that
+ material by anyone who conveys the material (or modified versions of
+ it) with contractual assumptions of liability to the recipient, for
+ any liability that these contractual assumptions directly impose on
+ those licensors and authors.
+
+ All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10. If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term. If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+ If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+ Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+ 8. Termination.
+
+ You may not propagate or modify a covered work except as expressly
+provided under this License. Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+ However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+ Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+ Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License. If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+ 9. Acceptance Not Required for Having Copies.
+
+ You are not required to accept this License in order to receive or
+run a copy of the Program.
Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance. However,
+nothing other than this License grants you permission to propagate or
+modify any covered work. These actions infringe copyright if you do
+not accept this License. Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+ 10. Automatic Licensing of Downstream Recipients.
+
+ Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License. You are not responsible
+for enforcing compliance by third parties with this License.
+
+ An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations. If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+ You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License. For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+ 11. Patents.
+
+ A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based. The
+work thus licensed is called the contributor's "contributor version".
+
+ A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version. For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+ Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+ In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement). To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+ If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients. "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+ If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+ A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.
You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+ Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+ 12. No Surrender of Others' Freedom.
+
+ If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all. For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+ 13. Remote Network Interaction; Use with the GNU General Public License.
+
+ Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your version
+supports such interaction) an opportunity to receive the Corresponding
+Source of your version by providing access to the Corresponding Source
+from a network server at no charge, through some standard or customary
+means of facilitating copying of software. This Corresponding Source
+shall include the Corresponding Source for any work covered by version 3
+of the GNU General Public License that is incorporated pursuant to the
+following paragraph.
+
+ Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work. The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+ 14. Revised Versions of this License.
+
+ The Free Software Foundation may publish revised and/or new versions of
+the GNU Affero General Public License from time to time. Such new versions
+will be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+ Each version is given a distinguishing version number. If the
+Program specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation. If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+ If the Program specifies that a proxy can decide which future
+versions of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+ Later license versions may give you additional or different
+permissions. However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+ 15. Disclaimer of Warranty.
+
+ THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+ 16. Limitation of Liability.
+
+ IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+ 17. Interpretation of Sections 15 and 16.
+
+ If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+
+ Copyright (C)
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU Affero General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Affero General Public License for more details.
+
+ You should have received a copy of the GNU Affero General Public License
+ along with this program. If not, see .
+
+Also add information on how to contact you by electronic and paper mail.
+
+ If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source. For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code.
There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
+
+ You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+.
\ No newline at end of file
diff --git a/source/resources/apps/ansible-debian-mail/LICENSE.GPLv3 b/source/resources/apps/ansible-debian-mail/LICENSE.GPLv3
new file mode 100644
index 0000000..871ce8e
--- /dev/null
+++ b/source/resources/apps/ansible-debian-mail/LICENSE.GPLv3
@@ -0,0 +1,674 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc.
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+ The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works. By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users. We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors. You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+ To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights. Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received. You must make sure that they, too, receive
+or can get the source code. And you must show them these terms so they
+know their rights.
+
+ Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+ For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software. For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+ Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so. This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software. The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable. Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products. If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+ Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary. To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ TERMS AND CONDITIONS
+
+ 0. Definitions.
+
+ "This License" refers to version 3 of the GNU General Public License.
+
+ "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+ "The Program" refers to any copyrightable work licensed under this
+License. Each licensee is addressed as "you". "Licensees" and
+"recipients" may be individuals or organizations.
+
+ To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy. The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+ A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+ To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy. Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+ To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies. Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+ An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License. If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+ 1. Source Code.
+
+ The "source code" for a work means the preferred form of the work
+for making modifications to it. "Object code" means any non-source
+form of a work.
+
+ A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+ The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form. A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+ The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities. However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work. For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+ The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+ The Corresponding Source for a work in source code form is that
+same work.
+
+ 2.
Basic Permissions.
+
+ All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met. This License explicitly affirms your unlimited
+permission to run the unmodified Program. The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work. This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+ You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force. You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright. Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+ Conveying under any other circumstances is permitted solely under
+the conditions stated below. Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+ 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+ No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+ + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. 
This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. 
+ + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. 
+ + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. 
+ + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. 
If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. 
If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. 
+ + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. 
For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. 
+ + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. 
You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. 
The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. 
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. 
+ + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + + Copyright (C) + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, your program's commands +might be different; for a GUI interface, you would use an "about box". + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +. + + The GNU General Public License does not permit incorporating your program +into proprietary programs. If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications with +the library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. But first, please read +. \ No newline at end of file 
diff --git a/source/resources/apps/ansible-debian-mail/README.md b/source/resources/apps/ansible-debian-mail/README.md
new file mode 100644
index 0000000..f3665ce
--- /dev/null
+++ b/source/resources/apps/ansible-debian-mail/README.md
@@ -0,0 +1,107 @@ +# Forksand Bootstrap Postfix +This Ansible playbook was written to set up a mail server on Debian systems. + +## Table of contents +1. [Requirements](#requirements) +2. [Quick Start](#quick-start) + * [Project Configuration](#project-configuration) + * [Playbook Execution](#playbook-execution) +3. [Project Structure](#project-structure) + * [File and Directory Descriptions](#file-and-directory-descriptions) + * [Role Descriptions](#role-descriptions) +4. [Ansible Logging](#ansible-logging) +5. [Troubleshooting](#troubleshooting) + +## Requirements +The following applications are required to utilize this playbook. Ansible can be installed using Python PIP. + +* Ansible 2.4.x+ +* Python 2.7.9+ + +## Quick Start +The follow steps will help quickly set up and execute this playbook. + +### Project Configuration +The following files need to be edited and configured before executing this playbook. + +| File | Description | +| -- | -- | +| groups_vars/all.yml | Server credential information and domain variables | +| inventory.yml | List of server IPs to connect to | + +### Playbook Execution +After having configured the server credentials and added the server IP to the inventory, use the following command to execute the playbook. + +`ansible-playbook -i inventory.yml site.yml` + +## Project Structure +The following tree depicts the high level structure of this Ansible project. 
+ +```bash +├── ansible.cfg +├── group_vars +│   └── all.yml +├── inventory.yml +├── LICENSE.AGPLv3 +├── LICENSE.GPLv3 +├── README.md +├── roles +│   ├── dkim_configuration +│   ├── dovecot_configuration +│   ├── fail2ban_configuration +│   ├── letsencrypt_configuration +│   ├── mikegleasonjr.firewall +│   ├── outputs +│   ├── postfix_configuration +│   ├── server_tasks +│   ├── spamassassin_configuration +│   └── sqlgrey_configuration +├── playbook_execution.log +└── site.yml +``` + +### File and Directory Descriptions +The following table consists of a description of what each file and directory stands for. + +| Name | Description | +| -- | -- | +| site.yml | Master playbook. Executes all roles in sequential order | +| inventory.yml | Inventory file containing server IP addresses | +| ansible.cfg | Ansible configuration file for various Ansible options. | +| group_vars/ | Group_vars directory contains variable files for the entire group. The files are named according to the group name. 'all.yml' = group 'all' | +| group_vars/all.yml | Group variables for the 'all' group. Contains server connection information along with domain variables | +| roles/ | Directory containing all roles needed by this project | + +### Role descriptions +The following table consists of descriptions of each role and their purpose. The roles listed below are listed in the required order of execution to ensure successful completion of the playbook. + +| Role Name | Role Description | Depends on | +| -- | -- | --| +| server_tasks | This roles performs all server tasks. Updating server, configuring SSH, disable IPv6, etc. Depends on the mikegleasonjr.firewall role. | mikebleasonjr.firewall | +| mikegleasonjr.firewall | This role set up iptables rules. It is called and ran by the server_tasks roles. 
| None | +| letsencrypt_configuration | This role installs and executes let's encrypt | None | +| postfix_configuration | This roles installs postfix, configures postfix using postconf, and sets up virtual file, master.cf file, and aliases file | letsencrypt_configuration | +| dkim_configuration | This roles installs OpenDKIM, OpenDMARC and configures them. | None | +| dovecot_configuration | This role installs and configures dovecot | letsencrypt_configuration | +| spamassassin_configuration | This role installs spamassassin. | None | +| sqlgrey_configuration| This role installs sqlgrey. | None | +| fail2ban_configuration | This role installs fail2ban. | None | +| outputs | This role gathers DNS information for the SPF, DMARC, and DKIM records and outputs them to the screen. | None | + +## Ansible Logging +Ansible playbook executions are automatically logged to a file called `playbook-execution.log` in the root directory of the project. The path to this log file can be changed by editing `ansible.cfg` in the project root directory and specifying a different path. + +## Troubleshooting +Ansible has a built in debug output. Simple run Ansible with a `-v`. There are 5 levels of debug output and they are denoted by the number of v's listed. Each level up provide more debug output than the level before it. + +Level 1: `-v` + +Level 2: `-vv` + +Level 3: `-vvv` + +Level 4: `-vvvv` + +Level 5: `-vvvvv` + +Example execution with level 3 debug output: `ansible-playbook -i inventory.yml site.yml -vvv` diff --git a/source/resources/apps/ansible-debian-mail/ansible.cfg b/source/resources/apps/ansible-debian-mail/ansible.cfg new file mode 100644 index 0000000..fbb2715 --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/ansible.cfg @@ -0,0 +1,2 @@ +[defaults] +log_path=playbook_execution.log \ No newline at end of file 
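Review bot: The log file name in ansible.cfg, `log_path=playbook_execution.log`, does not match the name the README's "Ansible Logging" section documents, `playbook-execution.log`; one of the two should change so readers find the file the config actually writes. The README's directory tree lists `playbook_execution.log` alongside the tracked project files, and since `log_path` records every task result (including host addresses and, at higher verbosity, module arguments), it is worth stating in the README or the cfg comment that this file must not be committed. A relative `log_path` is presumably resolved against the directory `ansible-playbook` is run from, so the "project root" wording in the README holds only when the playbook is invoked there.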
diff --git a/source/resources/apps/ansible-debian-mail/group_vars/all.yml b/source/resources/apps/ansible-debian-mail/group_vars/all.yml
new file mode 100644
index 0000000..95f07ec
--- /dev/null
+++ b/source/resources/apps/ansible-debian-mail/group_vars/all.yml
@@ -0,0 +1,14 @@
+# Ansible connection configuration
+# It is suggested that this file be encrypted with ansible-vault
+ansible_port: 22
+ansible_user: ssh_user
+ansible_ssh_private_key_file: /path/to/pem
+
+# Uncomment to use SSH password instead of pem key
+# If you uncomment this, comment out the key_file line above
+#ansible_ssh_pass: mypassword
+
+# Domain variables required for the playbook
+var_domain: forksand.io
+var_mail_domain: mail.forksand.io
+var_relay_domain: forksand.com
\ No newline at end of file
diff --git a/source/resources/apps/ansible-debian-mail/inventory.yml b/source/resources/apps/ansible-debian-mail/inventory.yml
new file mode 100644
index 0000000..aa1180b
--- /dev/null
+++ b/source/resources/apps/ansible-debian-mail/inventory.yml
@@ -0,0 +1,7 @@
+all:
+ hosts:
+ 10.0.0.1: # Example host
+
+ # Additional hosts can be specified by adding them below
+ #10.0.0.2: # Example host 2. Uncomment line to use
+ #10.0.0.3: # Example host 3. Uncomment line to use
\ No newline at end of file
diff --git a/source/resources/apps/ansible-debian-mail/roles/dkim_configuration/tasks/main.yml b/source/resources/apps/ansible-debian-mail/roles/dkim_configuration/tasks/main.yml
new file mode 100644
index 0000000..95d1caf
--- /dev/null
+++ b/source/resources/apps/ansible-debian-mail/roles/dkim_configuration/tasks/main.yml
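Review bot: The group_vars/all.yml hunk places the SSH credential (`#ansible_ssh_pass: mypassword`) in the same file as the non-secret domain variables and the header comment recommends vault-encrypting the whole file, which makes the domain settings opaque to review and diff. Encrypt only the secret value instead, with `ansible-vault encrypt_string` and `ansible_ssh_pass: !vault |` followed by the ciphertext, and leave the domain variables in clear. The variables here are named `var_domain`, `var_mail_domain` and `var_relay_domain`, while the dkim_configuration tasks in the next hunk reference `{{ domain }}`; unless site.yml or role vars map one onto the other (not visible in this diff), the role will fail on an undefined variable, so a comment naming where `domain` is set would help.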
@@ -0,0 +1,76 @@ +--- +- name: Install packages + apt: + name: "{{ item }}" + dpkg_options: 'force-confdef,force-confnew' + update_cache: yes + with_items: + - opendkim + - opendkim-tools + - opendmarc + +- name: Create directories folder in /etc + file: + path: "/etc/{{ item }}" + state: directory + with_items: + - opendkim + - opendmarc + +- name: Create key with opendkim-genkey + shell: "opendkim-genkey -b 2048 -d {{ domain }} -s {{ domain }}.dkim" + args: + chdir: /root/ + +- name: Move private dkim key + command: "mv /root/{{ domain }}.dkim.private /etc/opendkim/" + +- name: Update private key permissions + file: + path: "/etc/opendkim/{{ domain }}.dkim.private" + mode: 0600 + +- name: Copy conf files to remote + template: + src: "{{ item.name}}" + dest: "{{ item.dest }}" + with_items: + - {name: 'opendkim.conf.j2', dest: '/etc/opendkim.conf'} + - {name: 'internalhosts.j2', dest: '/etc/opendkim/internalhosts'} + - {name: 'trustedhosts.j2', dest: '/etc/opendkim/trustedhosts'} + - {name: 'opendmarc.conf.j2', dest: '/etc/opendmarc.conf'} + - {name: 'opendkim.j2', dest: '/etc/default/opendkim'} + - {name: 'opendmarc.j2', dest: '/etc/default/opendmarc'} + +- name: Add domain to signing table file + lineinfile: + path: /etc/opendkim/signingtable + state: present + create: yes + line: "*@{{ domain }} {{ domain }}" + +- name: Add configuration to key table file + lineinfile: + path: /etc/opendkim/keytable + state: present + create: yes + line: "{{ domain }} {{ domain }}:mail:/etc/opendkim/{{ domain }}.dkim.private" + +- name: Create log file + file: + path: "/var/log/{{ item }}.log" + state: touch + owner: "{{ item }}" + group: "{{ item }}" + with_items: + - opendmarc + +- name: Add items to ignore hosts + blockinfile: + path: /etc/opendmarc/ignore.hosts + create: yes + insertafter: EOF + content: | + localhost + 127.0.0.0/8 + 10.0.2.0/24 \ No newline at end of file 
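Review bot: The `Update private key permissions` task sets `mode: 0600` but no owner, so the key created by `opendkim-genkey` under `/root` stays root-owned, while the `opendkim.conf.j2` template in this same commit runs the daemon as `UserID opendkim:opendkim`; with 0600 the milter cannot read its own signing key. Add `owner: opendkim` and `group: opendkim` to that task. The `shell` genkey step and the `mv` step also run on every play: the first regenerates the key (invalidating the DNS record already published), the second fails once the file has moved; guard both with `creates:` on the final key path, and `command` suffices since no shell features are used. Whether `domain` is derived from the `var_domain` defined in `group_vars` happens outside this hunk.
```yaml
- name: Create key with opendkim-genkey
  command: "opendkim-genkey -b 2048 -d {{ domain }} -s {{ domain }}.dkim"
  args:
    chdir: /root/
    creates: "/etc/opendkim/{{ domain }}.dkim.private"

- name: Move private dkim key
  command: "mv /root/{{ domain }}.dkim.private /etc/opendkim/"
  args:
    creates: "/etc/opendkim/{{ domain }}.dkim.private"

- name: Update private key permissions
  file:
    path: "/etc/opendkim/{{ domain }}.dkim.private"
    owner: opendkim
    group: opendkim
    mode: 0600

# … unchanged: template copy, signing/key table, log file, ignore.hosts …
```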
diff --git a/source/resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/internalhosts.j2 b/source/resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/internalhosts.j2 new file mode 100644 index 0000000..01921d4 --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/internalhosts.j2 @@ -0,0 +1,3 @@ +{{ domain }} +10.0.2.15/255.255.255.0 +70.39.125.71 \ No newline at end of file diff --git a/source/resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/opendkim.conf.j2 b/source/resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/opendkim.conf.j2 new file mode 100644 index 0000000..f2cc07c --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/opendkim.conf.j2 @@ -0,0 +1,26 @@ +AutoRestartRate 10/1h +AutoRestart Yes +Background yes +#Canonicalization relaxed/relaxed +Canonicalization relaxed/simple +DNSTimeout 5 +ExternalIgnoreList refile:/etc/opendkim/trustedhosts +InternalHosts refile:/etc/opendkim/internalhosts +KeyTable refile:/etc/opendkim/keytable +LogWhy Yes +Mode sv +OversignHeaders From +PidFile /var/run/opendkim/opendkim.pid +#Selector mail +SignatureAlgorithm rsa-sha256 +SigningTable refile:/etc/opendkim/signingtable +Socket inet:12301@localhost +#Socket local:/var/spool/postfix/private/opendkim +SoftwareHeader yes +SubDomains yes +SyslogSuccess Yes +Syslog Yes +TrustAnchorFile /usr/share/dns/root.key +UMask 002 +UserID opendkim:opendkim +#UserID postfix \ No newline at end of file diff --git a/source/resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/opendkim.j2 b/source/resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/opendkim.j2 new file mode 100644 index 0000000..3aa83bf --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/opendkim.j2 @@ -0,0 +1 @@ +SOCKET="inet:12301@localhost" \ No newline at end of file 
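Review bot: `70.39.125.71` and `10.0.2.15/255.255.255.0` are hard-coded into the `InternalHosts` list; OpenDKIM treats everything listed there as an originating host whose mail is signed with the domain key instead of being verified, so a stale or wrong address here lets an unrelated machine obtain DKIM-signed mail for `{{ domain }}`. Render the list from a role variable, e.g. `{% for h in dkim_internal_hosts %}{{ h }}{{ '\n' }}{% endfor %}` with the defaults in `defaults/main.yml`, and comment what each address is. The same literal appears in `trustedhosts.j2` in this commit, which suggests it is the deployer's own host, but that cannot be confirmed from the diff.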
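Review bot: `TrustAnchorFile /usr/share/dns/root.key` names a file shipped by the `dns-root-data` package, which the role's `Install packages` task does not list; if it is not pulled in as a dependency, opendkim may refuse to start, so add `dns-root-data` to the package list or drop the directive. `UMask 002` leaves the PID file and any local socket group-writable; `007` is the usual value when the daemon runs as `opendkim:opendkim`. `Mode sv` with `Socket inet:12301@localhost` is consistent with `master.cf` referencing `$non_smtpd_milters`, assuming `main.cf` (outside this diff) sets it to that address.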
diff --git a/source/resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/opendmarc.conf.j2 b/source/resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/opendmarc.conf.j2 new file mode 100644 index 0000000..b146f8a --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/opendmarc.conf.j2 @@ -0,0 +1,16 @@ +IgnoreAuthenticatedClients true +PidFile /var/run/opendmarc/opendmarc.pid +# Set to true when everything is confirmed working XXX +RejectFailures false +AuthservID {{ mail_domain }} +Syslog true +SyslogFacility mail +TrustedAuthservIDs {{ mail_domain }} +IgnoreHosts /etc/opendkim/trustedhosts +UMask 002 +UserID opendmarc:opendmarc +FailureReportsSentBy postmaster@{{ domain }} +FailureReportsBcc postmaster@{{ domain }} +AutoRestart true +HistoryFile /var/log/opendmarc.log +Socket inet:54321@localhost \ No newline at end of file diff --git a/source/resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/opendmarc.j2 b/source/resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/opendmarc.j2 new file mode 100644 index 0000000..e69de29 diff --git a/source/resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/trustedhosts.j2 b/source/resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/trustedhosts.j2 new file mode 100644 index 0000000..0fe876a --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/trustedhosts.j2 @@ -0,0 +1,5 @@ +localhost +127.0.0.0/8 +{{ domain }} +70.39.125.71 +10.0.2.0/24 \ No newline at end of file diff --git a/source/resources/apps/ansible-debian-mail/roles/dovecot_configuration/handlers/main.yml b/source/resources/apps/ansible-debian-mail/roles/dovecot_configuration/handlers/main.yml new file mode 100644 index 0000000..cd4e46f --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/roles/dovecot_configuration/handlers/main.yml 
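Review bot: `IgnoreHosts /etc/opendkim/trustedhosts` means the `/etc/opendmarc/ignore.hosts` file that the role's tasks build with `blockinfile` is never read, so the two lists will drift; point `IgnoreHosts` at `/etc/opendmarc/ignore.hosts` or remove that task. `RejectFailures false` with an `XXX` comment leaves inbound DMARC enforcement off while the outputs role publishes `p=reject` for the domain's own mail; make the comment a tracked condition, e.g. `# TODO: set RejectFailures true once opendmarc.log shows no false positives for a week`. Whether `mail_domain` is populated from `var_mail_domain` is decided outside this hunk.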
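Review bot: `70.39.125.71` and `10.0.2.0/24` are literal addresses in a template used both as OpenDKIM's `ExternalIgnoreList` and, via `IgnoreHosts`, as OpenDMARC's ignore list, so mail from these hosts skips DKIM verification and DMARC evaluation entirely. A wrong or reused address here is a verification bypass; render the list from a role variable shared with `internalhosts.j2` and comment what each entry is. `10.0.2.0/24` looks like a VirtualBox NAT range left over from a Vagrant test and probably should not ship as a production default, but that is an inference.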
@@ -0,0 +1,5 @@ +--- +- name: restart dovecot + service: + name: dovecot + state: restarted \ No newline at end of file diff --git a/source/resources/apps/ansible-debian-mail/roles/dovecot_configuration/tasks/main.yml b/source/resources/apps/ansible-debian-mail/roles/dovecot_configuration/tasks/main.yml new file mode 100644 index 0000000..40720b5 --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/roles/dovecot_configuration/tasks/main.yml 
@@ -0,0 +1,80 @@ +--- +# Disable IPv6 for Dovecot / force IPv4 +- name: Create dovecot conf.d directory + file: + path: /etc/dovecot/conf.d + state: directory + +- name: Add dovecot conf + lineinfile: + path: /etc/dovecot/conf.d/99-ipv4-only.conf + create: yes + line: "listen = *" + insertafter: EOF + state: present + +- name: Install dovecot + apt: + name: "{{ item }}" + dpkg_options: 'force-confdef,force-confnew' + update_cache: yes + with_items: + - dovecot-antispam + - dovecot-imapd + +- name: Create directors for dovecot users + shell: maildirmake.dovecot /etc/skel/"{{ item }}" + with_items: + - Maildir + - Maildir/.Drafts + - Maildir/.Sent + - Maildir/.Trash + - Maildir/.Templates + +- name: Copy dovecot skel directory to users + synchronize: + src: /etc/skel/Maildir + dest: "/home/{{ item }}/" + recursive: yes + delegate_to: "{{ inventory_hostname }}" + with_items: + - jebba + - mailarchive + +- name: Update Maildir folder permissions in users folder + file: + path: "/home/{{ item }}/Maildir" + mode: 0700 + owner: "{{ item }}" + group: "{{ item }}" + with_items: + - jebba + - mailarchive + +- name: Update users folder permissions + file: + path: "/home/{{ item }}" + mode: og-rwx + with_items: + - jebba + - mailarchive + +- name: Update 10-auth.conf and 10-mail.conf + lineinfile: + path: "/etc/dovecot/conf.d/{{ item.conf }}" + regexp: '{{ item.find }}' + line: '{{ item.replace }}' + with_items: + - {find: '^.*?disable_plaintext_auth.*=.*', replace: 'disable_plaintext_auth = yes', conf: '10-auth.conf'} + - {find: '^.*?auth_mechanisms.*=.*', replace: 'auth_mechanisms = plain login', conf: '10-auth.conf'} + - {find: '^.*?mail_location.*', replace: 'mail_location = maildir:~/Maildir', conf: '10-mail.conf'} + +- name: Copy conf files to remote + template: + src: "{{ item }}.j2" + dest: "/etc/dovecot/conf.d/{{ item }}" + with_items: + - 10-master.conf + - 10-ssl.conf + notify: + - restart dovecot \ No newline at end of file 
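Review bot: The account names `jebba` and `mailarchive` are hard-coded three times (`synchronize`, Maildir permissions, home permissions), so adding a mailbox means editing the role in three places; define `dovecot_users` in `defaults/main.yml` and loop with `with_items: "{{ dovecot_users }}"`. The `maildirmake.dovecot` step is a `shell` task without `creates`, so every run re-executes it and reports changed; `command: maildirmake.dovecot /etc/skel/{{ item }}` with `args: {creates: "/etc/skel/{{ item }}"}` makes it idempotent. Writing `99-ipv4-only.conf` before `dovecot-imapd` is installed works because the file is not a package conffile, but a one-line comment saying so would spare the next reader the check.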
diff --git a/source/resources/apps/ansible-debian-mail/roles/dovecot_configuration/templates/10-master.conf.j2 b/source/resources/apps/ansible-debian-mail/roles/dovecot_configuration/templates/10-master.conf.j2 new file mode 100644 index 0000000..95b945f --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/roles/dovecot_configuration/templates/10-master.conf.j2 @@ -0,0 +1,23 @@ +service imap-login { + inet_listener imaps { + port = 993 + ssl = yes + } +} +service lmtp { + unix_listener lmtp { + mode = 0666 + } +} +service imap { +} +service auth { + unix_listener /var/spool/postfix/private/auth { + mode = 0660 + user = postfix + group = postfix + } +} +service auth-worker { + user = $default_internal_user +} \ No newline at end of file diff --git a/source/resources/apps/ansible-debian-mail/roles/dovecot_configuration/templates/10-ssl.conf.j2 b/source/resources/apps/ansible-debian-mail/roles/dovecot_configuration/templates/10-ssl.conf.j2 new file mode 100644 index 0000000..99a7c75 --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/roles/dovecot_configuration/templates/10-ssl.conf.j2 @@ -0,0 +1,5 @@ +ssl = required +ssl_cert = + ansible-playbook -i localhost, tests.yml --connection=local --sudo + | grep -q 'changed=0.*failed=0' + && (echo 'Idempotence test: pass' && exit 0) + || (echo 'Idempotence test: fail' && exit 1) + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/LICENSE b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/LICENSE new file mode 100644 index 0000000..1ca23cb --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/LICENSE 
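Review bot: `unix_listener lmtp { mode = 0666 }` creates a world-writable LMTP socket in Dovecot's run directory, so any local user or compromised service account can deliver straight into mailboxes, bypassing Postfix's restrictions and the milters. Nothing visible in this commit installs `dovecot-lmtpd` or points Postfix at that socket, so either remove the block or scope it the way the `auth` listener just below already does: `unix_listener /var/spool/postfix/private/dovecot-lmtp { mode = 0600 user = postfix group = postfix }`. The neighbouring `10-ssl.conf.j2` hunk is garbled in this rendering, so its `ssl_cert`/`ssl_key` paths could not be reviewed.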
@@ -0,0 +1,25 @@ +BSD 2-Clause License + +Copyright (c) 2017, Mike Gleason jr Couturier +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +* Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + +* Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/README.md b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/README.md new file mode 100644 index 0000000..1cc4fd2 --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/README.md 
@@ -0,0 +1,230 @@ +Ansible Firewall Role +========= + +[![Build Status](https://travis-ci.org/mikegleasonjr/ansible-role-firewall.svg?branch=master)](https://travis-ci.org/mikegleasonjr/ansible-role-firewall) +[![Ansible Galaxy](https://img.shields.io/badge/galaxy-mikegleasonjr.firewall-5bbdbf.svg?style=flat)](https://galaxy.ansible.com/detail#/role/5878) + +After I found out `UFW` was too limited in terms of functionalities, I tried several firewall roles out there but none satisfied the requirements I had: + +- Support virtually all iptables rules from the start +- Allow granular rules addition/overriding for specific hosts +- Easily inject variables in the rules +- Allow rules ordering +- Simplicity (not having to learn how role variables would generate the rules) +- Persistence (reload the rules at boot) + +This role is an attempt to solve these requirements. + +It supports **ipv4** and **ipv6*** on Debian and RedHat distributions. + +*ipv6 support was brought up thanks to [@maloddon](https://github.com/maloddon). It is currently in early stages and knowledgable people should review the [default rules](https://github.com/mikegleasonjr/ansible-role-firewall/blob/master/defaults/main.yml). ipv6 rules are not configured by default. If you which to use them, don't forget to set `firewall_v6_configure` to `true`. 
+ +Requirements +------------ + +* Ansible 2.2.1.0 +* `iptables` (installed by default on all official Debian and RedHat distributions) + +Installation +------------ + +`$ ansible-galaxy install mikegleasonjr.firewall` + +Role Variables +-------------- + +`defaults/main.yml`: + +``` +firewall_v4_configure: true +firewall_v6_configure: false + +firewall_v4_default_rules: + 001 default policies: + - -P INPUT ACCEPT + - -P OUTPUT ACCEPT + - -P FORWARD DROP + 002 allow loopback: + - -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + 003 allow ping replies: + - -A INPUT -p icmp --icmp-type echo-request -j ACCEPT + - -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT + 100 allow established related: + - -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT + 200 allow ssh: + - -A INPUT -p tcp --dport ssh -j ACCEPT + 999 drop everything: + - -P INPUT DROP +firewall_v4_group_rules: {} +firewall_v4_host_rules: {} + +firewall_v6_default_rules: + 001 default policies: + - -P INPUT ACCEPT + - -P OUTPUT ACCEPT + - -P FORWARD DROP + 002 allow loopback: + - -A INPUT -i lo -s ::1/128 -d ::1/128 -j ACCEPT + 003 allow ping replies: + - -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT + - -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT + 100 allow established related: + - -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT + 200 allow ssh: + - -A INPUT -p tcp --dport ssh -j ACCEPT + 999 drop everything: + - -P INPUT DROP +firewall_v6_group_rules: {} +firewall_v6_host_rules: {} + +``` + +The keys to the `*_rules` dictionaries (`001 default policies`, `002 allow loopback`, ...) can be anything. They are only used for rules **ordering** and **overriding**. On rules generation, the keys are sorted alphabetically. That's why I chose here the 001s and 999s. 
+ +Those defaults will generate the following script to be executed on the host (for ipv4): + +``` +#!/bin/sh +# Ansible managed: + +# flush rules & delete user-defined chains +iptables -F +iptables -X +iptables -t raw -F +iptables -t raw -X +iptables -t nat -F +iptables -t nat -X +iptables -t mangle -F +iptables -t mangle -X + +# 001 default policies +iptables -P INPUT ACCEPT +iptables -P OUTPUT ACCEPT +iptables -P FORWARD DROP + +# 002 allow loopback +iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + +# 003 allow ping replies +iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT +iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT + +# 100 allow established related +iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT + +# 200 allow ssh +iptables -A INPUT -p tcp --dport ssh -j ACCEPT + +# 999 drop everything +iptables -P INPUT DROP +``` + +As you can see, you have complete control over the rules syntax. + +`$ iptables -L -n` on the host then shows... + +``` +Chain INPUT (policy DROP) +target prot opt source destination +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 +ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED +ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 + +Chain FORWARD (policy DROP) +target prot opt source destination + +Chain OUTPUT (policy ACCEPT) +target prot opt source destination +ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 0 +``` + +Now that takes care of the default rules. What about overriding? + +You can change the rules for specific hosts and groups instead of re-defining everything. Rules in `firewall_v4_host_rules` will be merged with `firewall_v4_group_rules`, and then the result will be merged back with the defaults. Same thing for ipv6. + +This allows 3 levels of rules definition and overriding. I simply chose the names to match how the variable precedence works in Ansible (`all` -> `group` -> `host`). 
See the example playbook below to see rules overriding in action. + +Example Playbook (ipv4) +---------------- + +``` +- hosts: all + roles: + - mikegleasonjr.firewall +``` + +in `group_vars/all.yml` you could define the default rules for all your hosts: + +``` +firewall_v4_default_rules: + 001 default policies: + - -P INPUT ACCEPT + - -P OUTPUT ACCEPT + - -P FORWARD DROP + 002 allow loopback: + - -A INPUT -i lo -j ACCEPT + 003 allow ping replies: + - -A INPUT -p icmp --icmp-type echo-request -j ACCEPT + - -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT + 100 allow established related: + - -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT + 200 allow ssh limiting brute force: + - -I INPUT -p tcp -d {{ hostvars[inventory_hostname]['ansible_eth1']['ipv4']['address'] }} --dport 22 -m state --state NEW -m recent --set + - -I INPUT -p tcp -d {{ hostvars[inventory_hostname]['ansible_eth1']['ipv4']['address'] }} --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP + 999 drop everything: + - -P INPUT DROP +``` + +in `group_vars/webservers.yml` you would open up port 80: + +``` +firewall_v4_group_rules: + 400 allow web traffic: + - -A INPUT -p tcp --dport http -j ACCEPT +``` + +in `host_vars/secureweb.yml` you would want to open https as well and remove ssh logins: + +``` +firewall_v4_host_rules: + 400 allow web traffic: + - -A INPUT -p tcp --dport http -j ACCEPT # need to redefine this one as well because the whole key is overwritten + - -A INPUT -p tcp --dport https -j ACCEPT + 200 allow ssh limiting brute force: [] +``` + +To "delete" rules, you just assign an empty list to an existing dictionary key. + +To summarize, rules in `firewall_v4_host_rules` will overwrite rules in `firewall_v4_group_rules`, and then rules in `firewall_v4_group_rules` will overwrite rules in `firewall_v4_default_rules`. 
+ +You can play with the rules and see the generated script on the host at the following location: `/etc/iptables.v4.generated` and `/etc/iptables.v6.generated`. + +Dependencies +------------ + +none + +License +------- + +BSD + +Contributing +------- + +A vagrant environment has been provided to test the role on different distributions. Add your tests in `tests.yml` and... + +``` +$ vagrant up +$ vagrant provision +``` + +Author Information +------------------ + +Mike Gleason jr Couturier (mikegleasonjr@gmail.com) + +Other roles from the same author: + +- [swap](https://github.com/mikegleasonjr/ansible-role-swap) diff --git a/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/Vagrantfile b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/Vagrantfile new file mode 100644 index 0000000..4d0734c --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/Vagrantfile @@ -0,0 +1,41 @@ +boxes = { + "ubuntu/trusty64" => { + :ip => '192.168.33.10', + :cpu => "2", + :ram => "256" + }, + "ubuntu/xenial64" => { + :ip => '192.168.33.11', + :cpu => "2", + :ram => "256" + }, + "centos/7" => { + :ip => '192.168.33.12', + :cpu => "2", + :ram => "256" + }, + "centos/6" => { + :ip => '192.168.33.13', + :cpu => "2", + :ram => "256" + }, +} + +Vagrant.configure("2") do |config| + boxes.each do |box, options| + config.vm.define box.dup.sub!("/", "-") do |machine| + machine.vm.box = box + machine.vm.box_check_update = false + machine.vm.network :private_network, ip: options[:ip] + + machine.vm.provider "virtualbox" do |vb| + vb.memory = options[:ram] + vb.cpus = options[:cpu] + end + + machine.vm.provision "ansible" do |ansible| + ansible.playbook = "tests.yml" + end + end + end +end 
diff --git a/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/defaults/main.yml b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/defaults/main.yml new file mode 100644 index 0000000..7e87866 --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/defaults/main.yml @@ -0,0 +1,33 @@ +--- +firewall_v4_configure: true +firewall_v6_configure: false + +firewall_v4_default_rules: + 001 default policies: + - -A OUTPUT -j ACCEPT # Accept all output traffic + 002 allow loopback: + - -A INPUT -i lo -j ACCEPT + 100 allow established related: + - -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT + 200 allow ssh ports: + - -A INPUT -p tcp --dport 22 -j ACCEPT + - -A INPUT -p tcp --dport 33957 -j ACCEPT + 201 allow http port: + - -A INPUT -p tcp --dport 80 -j ACCEPT + 202 allow smtp ports: + - -A INPUT -p tcp --dport 25 -j ACCEPT + - -A INPUT -p tcp --dport 465 -j ACCEPT + - -A INPUT -p tcp --dport 587 -j ACCEPT + - -A INPUT -p tcp --dport 993 -j ACCEPT + 203 enable logging: + - -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"iptables denied: \" --log-level 7 + 999 drop everything else: + - -A INPUT -j REJECT + - -A FORWARD -j REJECT + +firewall_v4_group_rules: {} +firewall_v4_host_rules: {} + +firewall_v6_default_rules: {} +firewall_v6_group_rules: {} +firewall_v6_host_rules: {} diff --git a/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/meta/.galaxy_install_info b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/meta/.galaxy_install_info new file mode 100644 index 0000000..e96f644 --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/meta/.galaxy_install_info @@ -0,0 +1 @@ +{install_date: 'Fri Feb 23 18:35:56 2018', version: 1.1.3} 
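Review bot: Emptying `firewall_v6_default_rules` while leaving `firewall_v6_configure: false` means no `ip6tables` rules are ever loaded, so on a host with a global IPv6 address every service opened here (25, 80, 465, 587, 993 and both SSH ports) is reachable unfiltered over v6 while v4 is locked down; either set `firewall_v6_configure: true` with a mirrored rule set or disable IPv6 on the host and say so in a comment. These edits also live inside the vendored Galaxy role (`.galaxy_install_info` records 1.1.3), so a reinstall silently reverts them, and the role's own `tests.yml` now fails its `Chain INPUT (policy DROP` assertion because `-P INPUT DROP` is gone; the project rules belong in `group_vars` as `firewall_v4_default_rules`, as the role README describes. The LOG rule's `\"iptables denied: \"` is a plain YAML scalar, so the backslashes appear to reach the generated `/bin/sh` script verbatim and the prefix splits into separate words; write it as `--log-prefix "iptables denied: "`. Ports `33957` and `80` are opened without a comment saying what listens there.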
diff --git a/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/meta/main.yml b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/meta/main.yml new file mode 100644 index 0000000..7dd8823 --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/meta/main.yml @@ -0,0 +1,22 @@ +--- +galaxy_info: + author: Mike Gleason jr Couturier + description: A role to manage iptables rules which doesn't suck. + company: N/A + issue_tracker_url: https://github.com/mikegleasonjr/ansible-role-firewall/issues + license: BSD + min_ansible_version: 1.2 + platforms: + - name: Ubuntu + versions: + - all + - name: Debian + versions: + - all + - name: EL + versions: + - all + categories: + - networking + - system +dependencies: [] diff --git a/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/main.yml b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/main.yml new file mode 100644 index 0000000..9923eb4 --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/main.yml @@ -0,0 +1,8 @@ +--- +- include_tasks: rules.yml + +- include_tasks: persist-debian.yml + when: ansible_os_family == 'Debian' + +- include_tasks: persist-redhat.yml + when: ansible_os_family == 'RedHat' diff --git a/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/persist-debian.yml b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/persist-debian.yml new file mode 100644 index 0000000..5f06062 --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/persist-debian.yml 
@@ -0,0 +1,22 @@ +--- +- name: Install iptables-persistent + apt: + name: iptables-persistent + update_cache: yes + state: present + +- name: Check if netfilter-persistent is present + shell: which netfilter-persistent + register: is_netfilter + when: v4_script|changed or v6_script|changed + changed_when: false + ignore_errors: yes + check_mode: no + +- name: Save rules (netfilter-persistent) + command: netfilter-persistent save + when: not ansible_check_mode and (v4_script|changed or v6_script|changed) and is_netfilter.rc == 0 + +- name: Save rules (iptables-persistent) + command: /etc/init.d/iptables-persistent save + when: not ansible_check_mode and (v4_script|changed or v6_script|changed) and is_netfilter.rc == 1 diff --git a/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/persist-redhat.yml b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/persist-redhat.yml new file mode 100644 index 0000000..ef3127f --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/persist-redhat.yml @@ -0,0 +1,23 @@ +--- +- name: Save v4 rules (/etc/sysconfig/iptables) + shell: iptables-save -c > /etc/sysconfig/iptables + when: v4_script|changed + +- name: Save v6 rules (/etc/sysconfig/ip6tables) + shell: ip6tables-save -c > /etc/sysconfig/ip6tables + when: v6_script|changed + +- name: Ensure iptables service is installed + yum: name=iptables-services state=present update_cache=yes + when: ansible_distribution_major_version >= '7' + +- name: Ensure iptables service is installed + yum: name=iptables state=present update_cache=yes + when: ansible_distribution_major_version < '7' + +- name: Ensure iptables service is enabled & started + service: name=iptables enabled=yes state=started + +- name: Ensure ip6tables service is enabled & started + service: name=ip6tables enabled=yes state=started + when: firewall_v6_configure 
diff --git a/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/rules.yml b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/rules.yml new file mode 100644 index 0000000..3dc3a84 --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/rules.yml @@ -0,0 +1,28 @@ +--- +- name: Generate v4 rules + template: src=generated.v4.j2 dest=/etc/iptables.v4.generated owner=root group=root mode=755 + register: v4_script + when: firewall_v4_configure + +- name: Load v4 rules + command: /etc/iptables.v4.generated + register: v4_script_load_result + failed_when: >- + v4_script_load_result.rc != 0 or + 'unknown option' in v4_script_load_result.stderr or + 'Table does not exist' in v4_script_load_result.stderr + when: v4_script|changed + +- name: Generate v6 rules + template: src=generated.v6.j2 dest=/etc/iptables.v6.generated owner=root group=root mode=755 + register: v6_script + when: firewall_v6_configure + +- name: Load v6 rules + command: /etc/iptables.v6.generated + register: v6_script_load_result + failed_when: >- + v6_script_load_result.rc != 0 or + 'unknown option' in v6_script_load_result.stderr or + 'Table does not exist' in v6_script_load_result.stderr + when: v6_script|changed diff --git a/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/templates/generated.v4.j2 b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/templates/generated.v4.j2 new file mode 100644 index 0000000..e28c95e --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/templates/generated.v4.j2 
@@ -0,0 +1,26 @@ +#!/bin/sh +# {{ ansible_managed }} +{% set merged = firewall_v4_default_rules.copy() %} +{% set _ = merged.update(firewall_v4_group_rules) %} +{% set _ = merged.update(firewall_v4_host_rules) %} + +# flush rules & delete user-defined chains +iptables -F +iptables -X +iptables -t raw -F +iptables -t raw -X +iptables -t nat -F +iptables -t nat -X +iptables -t mangle -F +iptables -t mangle -X + +{% for group, rules in merged|dictsort %} +# {{ group }} +{% if not rules %} +# (none) +{% endif %} +{% for rule in rules %} +iptables {{ rule }} +{% endfor %} + +{% endfor %} diff --git a/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/templates/generated.v6.j2 b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/templates/generated.v6.j2 new file mode 100644 index 0000000..5538e36 --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/templates/generated.v6.j2 @@ -0,0 +1,26 @@ +#!/bin/sh +# {{ ansible_managed }} +{% set merged = firewall_v6_default_rules.copy() %} +{% set _ = merged.update(firewall_v6_group_rules) %} +{% set _ = merged.update(firewall_v6_host_rules) %} + +# flush rules & delete user-defined chains +ip6tables -F +ip6tables -X +ip6tables -t raw -F +ip6tables -t raw -X +ip6tables -t nat -F +ip6tables -t nat -X +ip6tables -t mangle -F +ip6tables -t mangle -X + +{% for group, rules in merged|dictsort %} +# {{ group }} +{% if not rules %} +# (none) +{% endif %} +{% for rule in rules %} +ip6tables {{ rule }} +{% endfor %} + +{% endfor %} diff --git a/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tests.yml b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tests.yml new file mode 100644 index 0000000..13edf12 --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tests.yml 
@@ -0,0 +1,68 @@ +--- +- hosts: all + become: true + + roles: + - role: . + firewall_v6_configure: true + + firewall_v4_group_rules: + 400 allow http: + - -A INPUT -p tcp --dport http -j ACCEPT + 400 allow 7890: + - -A INPUT -p tcp --dport 7890 -j ACCEPT + firewall_v4_host_rules: + 400 allow 7890: [] + + firewall_v6_group_rules: + 400 allow http: + - -A INPUT -p tcp --dport http -j ACCEPT + 400 allow 7890: + - -A INPUT -p tcp --dport 7890 -j ACCEPT + firewall_v6_host_rules: + 400 allow 7890: [] + + tasks: + - name: Retrieve v4 rules + command: iptables -L -n + changed_when: false + register: v4_rules + when: not ansible_check_mode + - name: Check that INPUT policy has been applied + assert: + that: "'Chain INPUT (policy DROP' in v4_rules.stdout" + when: not ansible_check_mode + - name: Check that a default rule has been applied + assert: + that: "'tcp dpt:22' in v4_rules.stdout" + when: not ansible_check_mode + - name: Check that a group rule has been applied + assert: + that: "'tcp dpt:80' in v4_rules.stdout" + when: not ansible_check_mode + - name: Check that deleted rules are deleted + assert: + that: "'tcp dpt:7890' not in v4_rules.stdout" + when: not ansible_check_mode + + - name: Retrieve v6 rules + command: ip6tables -L -n + changed_when: false + register: v6_rules + when: not ansible_check_mode + - name: Check that INPUT policy has been applied + assert: + that: "'Chain INPUT (policy DROP' in v6_rules.stdout" + when: not ansible_check_mode + - name: Check that a default rule has been applied + assert: + that: "'tcp dpt:22' in v6_rules.stdout" + when: not ansible_check_mode + - name: Check that a group rule has been applied + assert: + that: "'tcp dpt:80' in v6_rules.stdout" + when: not ansible_check_mode + - name: Check that deleted rules are deleted + assert: + that: "'tcp dpt:7890' not in v6_rules.stdout" + when: not ansible_check_mode 
diff --git a/source/resources/apps/ansible-debian-mail/roles/outputs/tasks/main.yml b/source/resources/apps/ansible-debian-mail/roles/outputs/tasks/main.yml new file mode 100644 index 0000000..061e2f8 --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/roles/outputs/tasks/main.yml @@ -0,0 +1,26 @@ +- name: Get Public IP + uri: + url: https://ipinfo.io/ip + return_content: yes + register: public_ip + +- name: Read file + command: "cat /root/{{ domain }}.dkim.txt" + register: dkim_txt + +- name: 'Clean up DKIM line 1 and 2' + set_fact: + line1: "{{ dkim_txt.stdout_lines[1] | regex_replace('^.+?\\\"p=|\\\"', '') }}" + line2: "{{ dkim_txt.stdout_lines[2] | regex_replace('^.+?\\\"|\\\".+', '') }}" + +- name: SPF Record + debug: + msg: "{{ domain }}. 1800 IN TXT 'v=spf1 mx ip4:{{ public_ip.content | replace('\n', '') }} -all'" + +- name: DMARC Record + debug: + msg: "_dmarc.{{ domain }}. 1800 IN TXT 'v=DMARC1; p=reject; rua=mailto:postmaster@{{ domain }}'" + +- name: 'DKIM Record' + debug: + msg: "mail._domainkey.{{ domain }}. 1800 IN TXT 'v=DKIM1; h=sha256; k=rsa; p={{ line1 }}{{ line2 }}'" diff --git a/source/resources/apps/ansible-debian-mail/roles/postfix_configuration/files/auth_header_checks.pcre b/source/resources/apps/ansible-debian-mail/roles/postfix_configuration/files/auth_header_checks.pcre new file mode 100644 index 0000000..f9c55c6 --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/roles/postfix_configuration/files/auth_header_checks.pcre @@ -0,0 +1,2 @@ +/^\s*Received: / IGNORE +/^\s*Mime-Version: 1.0.*/ REPLACE Mime-Version: 1.0 \ No newline at end of file diff --git a/source/resources/apps/ansible-debian-mail/roles/postfix_configuration/files/master.cf b/source/resources/apps/ansible-debian-mail/roles/postfix_configuration/files/master.cf new file mode 100644 index 0000000..779fc00 --- /dev/null +++ b/source/resources/apps/ansible-debian-mail/roles/postfix_configuration/files/master.cf 
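Review bot: `dkim_txt.stdout_lines[1]` and `[2]` pin the exact line layout of the TXT file `opendkim-genkey` writes, which splits a 2048-bit key across quoted fragments whose number and positions depend on the tool version; read the file with `slurp` and extract the key with a single regex over the whole decoded content (strip whitespace and quotes, then capture everything after `p=`) rather than indexing lines. `command: cat` should become `slurp` in any case so the read is idempotent and does not report changed. The SPF record embeds whatever `https://ipinfo.io/ip` returns, which is the outbound NAT address as seen by a third party and not necessarily the MX host; `ip4:{{ ansible_default_ipv4.address }}` or simply relying on `mx`, with a comment explaining the choice, would be less surprising.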
@@ -0,0 +1,60 @@
+smtp inet n - y - - smtpd
+ -o receive_override_options=no_address_mappings
+submission inet n - y - - smtpd
+ -o syslog_name=submission
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_sasl_type=dovecot
+ -o smtpd_sasl_path=private/auth
+ -o smtpd_sasl_security_options=noplaintext,noanonymous
+ -o smtpd_sasl_tls_security_options=noanonymous
+ -o smtpd_sasl_authenticated_header=yes
+ -o broken_sasl_auth_clients=no
+ -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
+ -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
+ -o milter_macro_daemon_name=ORIGINATING
+ -o cleanup_service_name=auth-cleanup
+ -o smtpd_milters=$non_smtpd_milters
+pickup fifo n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
+auth-cleanup unix n - y - 0 cleanup
+ -o header_checks=pcre:/etc/postfix/auth_header_checks.pcre
+qmgr fifo n - n 300 1 qmgr
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - y - - smtp
+relay unix - - y - - smtp
+ -o smtp_fallback_relay=
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - y - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
+maildrop unix - n n - - pipe
+ flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+uucp unix - n n - - pipe
+ flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+ifmail unix - n n - - pipe
+ flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp unix - n n - - pipe
+ flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix - n n - 2 pipe
+ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman unix - n n - - pipe
+ flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+ ${nexthop} ${user}
+spamassassin unix - n n - - pipe
+ user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
+policy-spf unix - n n - - spawn
+ user=nobody argv=/usr/bin/perl /usr/lib/postfix/policyd-spf-perl
\ No newline at end of file
diff --git a/source/resources/apps/ansible-debian-mail/roles/postfix_configuration/handlers/main.yml b/source/resources/apps/ansible-debian-mail/roles/postfix_configuration/handlers/main.yml
new file mode 100644
index 0000000..3457d0f
--- /dev/null
+++ b/source/resources/apps/ansible-debian-mail/roles/postfix_configuration/handlers/main.yml
@@ -0,0 +1,18 @@
+# handlers file for postfix
+---
+- name: restart postfix service
+ service:
+ name: postfix
+ state: restarted
+
+- name: new aliases
+ shell: newaliases
+
+- name: post alias
+ shell: postalias /etc/aliases
+
+- name: new virtual aliases
+ shell: postmap /etc/postfix/virtual
+
+- name: reload postfix
+ shell: postfix reload
\ No newline at end of file
diff --git a/source/resources/apps/ansible-debian-mail/roles/postfix_configuration/tasks/main.yml b/source/resources/apps/ansible-debian-mail/roles/postfix_configuration/tasks/main.yml
new file mode 100644
index 0000000..90a866a
--- /dev/null
+++ b/source/resources/apps/ansible-debian-mail/roles/postfix_configuration/tasks/main.yml
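Review bot: The `policy-spf` and `spamassassin` services at the end of the file are defined but nothing in this commit's `postconf -e` list references them — there is no `check_policy_service unix:private/policy-spf` in `smtpd_recipient_restrictions` and no `content_filter` — so two SPF policy packages get installed and a spawn entry exists while SPF is never evaluated; either wire the policy service into the restrictions or drop the dead entries so a reader does not assume SPF checking is active. The `submission` listener itself is the right shape (`smtpd_tls_security_level=encrypt`, with `noplaintext` lifted only under TLS through `smtpd_sasl_tls_security_options=noanonymous`). Its `-o smtpd_milters=$non_smtpd_milters` inherits whichever of the two `non_smtpd_milters` assignments in tasks/main.yml is applied last, which deserves a comment such as `# submission signs via the same milter list as locally injected mail (non_smtpd_milters in main.cf)`.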
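Review bot: The `new aliases`, `post alias`, `new virtual aliases` and `reload postfix` handlers use `shell:` for fixed argument lists that need no shell features, so `command:` is the idiomatic module and removes the implicit `/bin/sh` hop, e.g. `command: postmap /etc/postfix/virtual`. The same applies to the `update grub`, `sysctl`, `locale gen` and `update locale` handlers in roles/server_tasks/handlers/main.yml later in this diff.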
@@ -0,0 +1,128 @@
+# Task to install and configure postfix
+---
+- name: Add mail archive user
+ user:
+ name: mailarchive
+ shell: /bin/false
+
+- name: Install postfix
+ apt:
+ name: "{{ item }}"
+ dpkg_options: 'force-confdef,force-confnew'
+ update_cache: yes
+ with_items:
+ - postfix
+ - postfix-doc
+ - postfix-policyd-spf-python
+ - postfix-pcre
+ - postfix-policyd-spf-perl
+
+- name: Configure Postfix
+ shell: postconf -e "{{ item }}"
+ with_items:
+ # Set up domain
+ - "myorigin = {{ domain }}"
+ - "myhostname = {{ mail_domain }}"
+ - "relay_domains = {{ relay_domain}}, {{ domain }}"
+ # Set up alias maps
+ - alias_maps = hash:/etc/aliases
+ # Use Maildir mail boxes (single files, not one huge file)
+ - home_mailbox = Maildir/
+ - mailbox_command =
+ # AO
+ - smtpd_milters = inet:localhost:12301, inet:localhost:54321
+ - non_smtpd_milters = unix:private/opendkim unix:private/opendmarc
+ - smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_rbl_client sbl.spamhaus.org,reject_rbl_client cbl.abuseat.org
+ - smtpd_helo_restrictions = reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
+ - smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net
+ - mynetworks = 127.0.0.0/8
+ # TLS parameters
+ # Incoming e-mails
+ - smtpd_tls_CApath = /etc/ssl/certs
+ - "smtpd_tls_cert_file = /etc/letsencrypt/live/{{ mail_domain }}/fullchain.pem"
+ - "smtpd_tls_key_file = /etc/letsencrypt/live/{{ mail_domain }}/privkey.pem"
+ - smtpd_tls_security_level = may
+ - smtpd_tls_ask_ccert = yes
+ - smtpd_tls_eecdh_grade = strong
+ - smtpd_tls_protocols = !SSLv2, !SSLv3
+ - smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+ - smtpd_tls_mandatory_ciphers = high
+ - tls_preempt_cipherlist = yes
+ #disable following ciphers for smtpd_tls_security_level=encrypt
+ - smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
+ #disable following ciphers for smtpd_tls_security_level=may
+ - smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
+ - smtpd_tls_loglevel = 1
+ - smtpd_use_tls = yes
+ - smtp_tls_note_starttls_offer = yes
+ - smtpd_tls_received_header = yes
+ # Outgoing e-mails
+ - smtp_tls_CApath = /etc/ssl/certs
+ - smtp_tls_security_level = may
+ - smtp_tls_loglevel = 1
+ - smtp_use_tls = yes
+ - smtp_tls_mandatory_ciphers=high
+ - smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+ - inet_interfaces = all
+ - inet_protocols = ipv4
+ - message_size_limit = 52428800
+ - disable_vrfy_command = yes
+ - smtpd_helo_required = yes
+ # Maybe: permit_sasl_authenticated, reject_unknown_hostname
+ - smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname
+ - smtpd_delay_reject = yes
+ # bcc all mail to the mailarchive user
+ - always_bcc = mailarchive
+ # DKIM enabled protocol
+ - milter_protocol = 2
+ - milter_default_action = accept
+ # DKIM only for internal messages
+ - non_smtpd_milters = inet:localhost:12301
+ - allow_mail_to_commands = alias,forward,include
+ # mydestination at is also alt domains
+ - "mydestination = localhost, localhost.localdomain, {{ domain }}"
+ # From certbot
+ # https://www.upcloud.com/support/secure-postfix-using-lets-encrypt/
+ - smtpd_sasl_type = dovecot
+ - smtpd_sasl_path = private/auth
+ - smtpd_sasl_local_domain =
+ - smtpd_sasl_security_options = noanonymous
+ - broken_sasl_auth_clients = yes
+ - smtpd_sasl_auth_enable = yes
+ - virtual_alias_domains = $mydomain
+ - virtual_alias_maps = hash:/etc/postfix/virtual
+
+- name: Adding to virtual
+ blockinfile:
+ path: /etc/postfix/virtual
+ insertafter: EOF
+ state: present
+ block: |
+ postmaster@{{ domain }} root
+ webmaster@{{ domain }} root
+ @{{ domain }} jebba
+ create: yes
+ tags:
+ - pfvirtual
+
+- name: Copy master.cf file to remote host
+ copy:
+ src: master.cf
+ dest: /etc/postfix/master.cf
+ notify:
+ - new virtual aliases
+ - reload postfix
+
+- name: Create Auth Header Checks file
+ copy:
+ src: auth_header_checks.pcre
+ dest: /etc/postfix/auth_header_checks.pcre
+
+- name: Copy aliases
+ template:
+ src: aliases.j2
+ dest: /etc/aliases
+ notify:
+ - new aliases
+ - post alias
+ - restart postfix service
\ No newline at end of file
diff --git a/source/resources/apps/ansible-debian-mail/roles/postfix_configuration/templates/aliases.j2 b/source/resources/apps/ansible-debian-mail/roles/postfix_configuration/templates/aliases.j2
new file mode 100644
index 0000000..aa74f38
--- /dev/null
+++ b/source/resources/apps/ansible-debian-mail/roles/postfix_configuration/templates/aliases.j2
@@ -0,0 +1,3 @@
+root: jebba
+jebba: jebba-mail@{{ relay_domain }}
+nobody: /dev/null
\ No newline at end of file
diff --git a/source/resources/apps/ansible-debian-mail/roles/server_tasks/handlers/main.yml b/source/resources/apps/ansible-debian-mail/roles/server_tasks/handlers/main.yml
new file mode 100644
index 0000000..269772c
--- /dev/null
+++ b/source/resources/apps/ansible-debian-mail/roles/server_tasks/handlers/main.yml
@@ -0,0 +1,22 @@
+- name: update grub
+ shell: update-grub
+
+- name: restart ssh
+ service:
+ name: ssh
+ state: restarted
+
+- name: sysctl
+ shell: sysctl -p
+
+- name: locale gen
+ shell: locale-gen
+
+- name: update locale
+ shell: update-locale
+
+- name: restart cron
+ service:
+ name: cron
+ state: restarted
+ when: ansible_os_family == 'Debian'
\ No newline at end of file
diff --git a/source/resources/apps/ansible-debian-mail/roles/server_tasks/tasks/main.yml b/source/resources/apps/ansible-debian-mail/roles/server_tasks/tasks/main.yml
new file mode 100644
index 0000000..d03bea3
--- /dev/null
+++ b/source/resources/apps/ansible-debian-mail/roles/server_tasks/tasks/main.yml
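Review bot: The `Adding to virtual` task edits `/etc/postfix/virtual` but never notifies the `new virtual aliases` handler, so `postmap` only runs when `master.cf` happens to change and the `.db` that Postfix actually reads can stay stale after a domain change; add `notify: - new virtual aliases` to that task. Several keys in the `Configure Postfix` list are assigned twice — `non_smtpd_milters` (first `unix:private/opendkim unix:private/opendmarc`, later `inet:localhost:12301`) and `smtpd_helo_restrictions` — and since `postconf -e` is applied in list order the later value silently wins, which drops the OpenDMARC milter from `non_smtpd_milters`; keep one definition per key. Setting `smtpd_sasl_auth_enable = yes` globally with only `smtpd_sasl_security_options = noanonymous` offers PLAIN/LOGIN on port 25 even when the session is not encrypted (`smtpd_tls_security_level = may`), whereas master.cf already enables SASL on the `submission` port with `noplaintext`; either `smtpd_sasl_security_options = noplaintext, noanonymous` in main.cf or leaving `smtpd_sasl_auth_enable` off there closes that gap. Finally, `shell: postconf -e "{{ item }}"` passes `domain`, `mail_domain` and `relay_domain` through a shell line and reports changed on every run; `command: postconf -e "{{ item }}"` avoids the shell, and a `changed_when` derived from a prior `postconf -n` would make the task idempotent.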
@@ -0,0 +1,186 @@
+- name: Set locale
+ lineinfile:
+ path: /etc/locale.gen
+ line: en_US.UTF-8 UTF-8
+ state: present
+ create: yes
+ notify:
+ - locale gen
+ - update locale
+
+- name: Set timezone to America/Denver
+ file:
+ src: /usr/share/zoneinfo/America/Denver
+ dest: /etc/localtime
+ state: link
+ force: yes
+ owner: root
+ group: root
+ notify: restart cron
+
+# Set up iptables
+- name: Configure iptables
+ include_role:
+ name: mikegleasonjr.firewall
+
+- name: Set up APT
+ apt_repository:
+ repo: "{{ item }}"
+ state: present
+ with_items:
+ - deb http://mirrors.kernel.org/debian/ buster main
+ - deb http://mirrors.kernel.org/debian/ buster-updates main
+ - deb http://security.debian.org/ buster/updates main
+ #- deb http://mirrors.kernel.org/debian/ buster-backports main
+
+# Make apt use IPv4
+- name: Make apt use IPv4
+ lineinfile:
+ path: /etc/apt/apt.conf.d/99force-ipv4
+ line: 'Acquire::ForceIPv4 "true";'
+ state: present
+ insertafter: EOF
+ create: yes
+
+# Upgrade server
+- name: Upgrade server
+ apt:
+ upgrade: dist
+ dpkg_options: 'force-confdef,force-confnew'
+ update_cache: yes
+
+- name: Install utilities
+ apt:
+ name: "{{ item }}"
+ dpkg_options: 'force-confdef,force-confnew'
+ update_cache: yes
+ with_items:
+ - apt-transport-https
+ #- bind9-host
+ - bzip2
+ - ca-certificates
+ - colordiff
+ - curl
+ - debian-archive-keyring
+ - exuberant-ctags
+ - git
+ - less
+ - locales
+ - lsb-release
+ - man-db
+ - manpages
+ - molly-guard
+ - net-tools
+ - ntp
+ - openssh-server
+ - python3
+ - rsync
+ - telnet
+ - traceroute
+ - vim
+ - vim-scripts
+
+# Small user tweaks
+- name: Update vimrc
+ lineinfile:
+ path: ~/.vimrc
+ line: ':syntax on'
+ state: present
+ insertafter: EOF
+ create: yes
+
+- name: Update .bashrc
+ lineinfile:
+ path: /root/.bashrc
+ line: 'export EDITOR=vi'
+ state: present
+ insertafter: EOF
+ create: yes
+
+# XXX Passwordless sudo XXX Ya, probably remove
+- name: Passwordless sudo
+ lineinfile:
+ path: /etc/sudoers
+ regexp: '^%sudo[\t]ALL=\(ALL:ALL\) ALL'
+ line: '%sudo ALL=(ALL) NOPASSWD: ALL'
+ state: present
+
+# SSH Config
+- name: SSH Configuration
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '{{ item.find }}'
+ line: '{{ item.replace }}'
+ state: present
+ with_items:
+ - {find: '^.*PermitRootLogin.*', replace: 'PermitRootLogin no'}
+ - {find: '^.*PasswordAuthentication.*', replace: 'PasswordAuthentication no'}
+ - {find: '^.*RSAAuthentication.*', replace: 'RSAAuthentication no'}
+ - {find: '^.*X11Forwarding.*', replace: 'X11Forwarding no'}
+ notify:
+ - restart ssh
+
+- name: Adding SSH configuration to the end of file
+ blockinfile:
+ path: /etc/ssh/sshd_config
+ state: present
+ block: |
+ KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+ AllowUsers jebba
+ notify:
+ - restart ssh
+
+# Startup XXX disable as unneeded
+# To disable additional services
+# Add more "- service_name" lines as needed
+- name: Disabling unneeded services
+ service:
+ name: "{{ item }}"
+ enabled: no
+ with_items:
+ - rsync
+
+# Disable IPv6 in Grub
+- name: Disabling IPv6 in Grub
+ lineinfile:
+ path: /etc/default/grub
+ regexp: '{{ item.find }}'
+ line: '{{ item.replace }}'
+ state: present
+ with_items:
+ - { find: '^.*?GRUB_TIMEOUT=.*', replace: 'GRUB_TIMEOUT=1'}
+ - { find: '^.*?GRUB_CMDLINE_LINUX=.*', replace: 'GRUB_CMDLINE_LINUX="ipv6.disable=1"'}
+ - { find: '^.*?GRUB_TERMINAL=.*', replace: 'GRUB_TERMINAL=console'}
+ notify:
+ - update grub
+
+- name: Disable IPv6 in modprobe ipv6 conf file
+ lineinfile:
+ path: /etc/modprobe.d/ipv6.conf
+ line: 'blacklist ipv6'
+ state: present
+ insertafter: EOF
+ create: yes
+
+- name: Disable IPv6 in modprobe aliases conf file
+ blockinfile:
+ path: /etc/modprobe.d/aliases.conf
+ block: |
+ alias net-pf-10 off
+ alias ivp6 off
+ insertafter: EOF
+ state: present
+ create: yes
+
+- name: Disable IPv6 with sysctl
+ blockinfile:
+ path: /etc/sysctl.conf
+ block: |
+ net.ipv6.conf.all.disable_ipv6 = 1
+ net.ipv6.conf.default.disable_ipv6 = 1
+ net.ipv6.conf.lo.disable_ipv6 = 1
+ insertafter: EOF
+ state: present
+ notify:
+ - sysctl
diff --git a/source/resources/apps/ansible-debian-mail/roles/spamassassin_configuration/tasks/main.yml b/source/resources/apps/ansible-debian-mail/roles/spamassassin_configuration/tasks/main.yml
new file mode 100644
index 0000000..7aeb781
--- /dev/null
+++ b/source/resources/apps/ansible-debian-mail/roles/spamassassin_configuration/tasks/main.yml
@@ -0,0 +1,7 @@
+- name: Install Spam Assassin
+ apt:
+ name: "{{ item }}"
+ dpkg_options: 'force-confdef,force-confnew'
+ update_cache: yes
+ with_items:
+ - spamassassin
\ No newline at end of file
diff --git a/source/resources/apps/ansible-debian-mail/roles/sqlgrey_configuration/tasks/main.yml b/source/resources/apps/ansible-debian-mail/roles/sqlgrey_configuration/tasks/main.yml
new file mode 100644
index 0000000..4614585
--- /dev/null
+++ b/source/resources/apps/ansible-debian-mail/roles/sqlgrey_configuration/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- name: Install SQL Grey
+ apt:
+ name: "{{ item }}"
+ dpkg_options: 'force-confdef,force-confnew'
+ update_cache: yes
+ with_items:
+ - sqlgrey
\ No newline at end of file
diff --git a/source/resources/apps/ansible-debian-mail/site.yml b/source/resources/apps/ansible-debian-mail/site.yml
new file mode 100644
index 0000000..458ac8e
--- /dev/null
+++ b/source/resources/apps/ansible-debian-mail/site.yml
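Review bot: The `Passwordless sudo` task and both sshd tasks rewrite `/etc/sudoers` and `/etc/ssh/sshd_config` in place with no `validate:` step, so a regexp that matches the wrong line or a malformed block leaves the host with broken sudo or an sshd that refuses to start when `restart ssh` fires; add `validate: /usr/sbin/visudo -cf %s` to the sudoers task and `validate: /usr/sbin/sshd -t -f %s` to `SSH Configuration` and `Adding SSH configuration to the end of file`. The patterns `^.*PermitRootLogin.*` and friends also match comment lines and any line merely containing the token, and since `lineinfile` acts on the last match a trailing comment that mentions the option could be what gets rewritten; `^#?\s*PermitRootLogin\b.*` is the usual anchor. `alias ivp6 off` in `Disable IPv6 in modprobe aliases conf file` is a typo for `alias ipv6 off`, though the grub and sysctl tasks already disable IPv6 so the effect is cosmetic. `RSAAuthentication` was removed together with SSH protocol 1, so on a current sshd that item is at best a deprecation warning and can be dropped.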
@@ -0,0 +1,58 @@
+# Master playbook
+- name: Forksand Bootstrap Postfix
+ hosts: all
+ become: true
+ tasks:
+ - name: Run server tasks
+ import_role:
+ name: server_tasks
+
+ - name: Install and configuration letsencrypt
+ import_role:
+ name: letsencrypt_configuration
+ vars:
+ mail_domain: "{{ var_mail_domain }}"
+ relay_domain: "{{ var_relay_domain }}"
+
+ - name: Install and configure postfix
+ import_role:
+ name: postfix_configuration
+ vars:
+ domain: "{{ var_domain }}"
+ relay_domain: "{{ var_relay_domain }}"
+ mail_domain: "{{ var_mail_domain }}"
+
+ - name: Install and configure OpenDKIM
+ import_role:
+ name: dkim_configuration
+ vars:
+ domain: "{{ var_domain }}"
+ mail_domain: "{{ var_mail_domain }}"
+
+ - name: Install and configure Dovecot
+ import_role:
+ name: dovecot_configuration
+ vars:
+ mail_domain: "{{ var_mail_domain }}"
+
+ - name: Install and configure Spamassassin
+ import_role:
+ name: spamassassin_configuration
+
+ - name: Install and configure SQLGrey
+ import_role:
+ name: sqlgrey_configuration
+
+ - name: Install and configure Fail2Ban
+ import_role:
+ name: fail2ban_configuration
+
+ - name: Clean apt cache
+ apt:
+ autoclean: yes
+
+ - name: Print DNS outputs to screen
+ import_role:
+ name: outputs
+ vars:
+ domain: "{{ var_domain }}"
diff --git a/source/resources/apps/forksand-nodes-bootstrap/forksand-hk1-bootstrap b/source/resources/apps/forksand-nodes-bootstrap/forksand-hk1-bootstrap
new file mode 100644
index 0000000..7418ba0
--- /dev/null
+++ b/source/resources/apps/forksand-nodes-bootstrap/forksand-hk1-bootstrap
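Review bot: The play hands `var_domain`, `var_mail_domain` and `var_relay_domain` to roles that interpolate them into commands (`postconf -e`, `cat /root/{{ domain }}.dkim.txt`) without asserting they are defined, so an unset inventory variable only surfaces as a templating error after `server_tasks` has already dist-upgraded and reconfigured sshd on the host. A `pre_tasks:` block with `- assert: { that: [var_domain is defined, var_mail_domain is defined, var_relay_domain is defined] }` fails before anything is changed. The `letsencrypt_configuration`, `dkim_configuration`, `dovecot_configuration` and `fail2ban_configuration` roles are imported here but are not part of this diff, so I can't verify that the variable names passed to them match what they expect. `hosts: all` is broad for a playbook that disables IPv6 and restricts `AllowUsers`; a named inventory group would limit the blast radius of an accidental run.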
@@ -0,0 +1,329 @@ +#!/bin/bash +# forksand-bootstrap-hk1 +# GPLv3+ +# This script does some initial setup and config +# Sets up Proxmox. + +# Log script +exec > >(tee /root/bootstrap-hk1.log) 2>/root/bootstrap-hk1.err + +set -x + +# Set locale +echo "en_US.UTF-8 UTF-8" > /etc/locale.gen +locale-gen +update-locale + +# XXX Set timezone +ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime + +# Set up git for tracking. XXX Ansible... XXX +apt-get -y install git sudo +cd /etc +git init +chmod og-rwx /etc/.git + +cat > /etc/.gitignore < /etc/apt/sources.list < /etc/default/cpufrequtils +/etc/init.d/cpufrequtils restart +cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils' + +# Small user tweaks +echo :syntax on > ~/.vimrc +echo :syntax on > /home/jebba/.vimrc +chown jebba:jebba /home/jebba/.vimrc +echo export EDITOR=vi >> /root/.bashrc + +# XXX Passwordless sudo XXX Ya, probably remove +sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers + +adduser jebba sudo +cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo' + +# SSH config XXX sed cruft +sed -i \ + -e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \ + -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \ + -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \ + -e 's/\#X11Forwarding yes/X11Forwarding no/g' \ + /etc/ssh/sshd_config + +echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config + +echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config + +# Need to update/fix for Debian Buster (testing/10). 
This line breaks Buster: +#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config + +# XXX Add admins as only allowed ssh users +# XXX add user for ansbile +echo "AllowUsers jebba root" >> /etc/ssh/sshd_config + +cd /etc ; git add . ; git commit -a -m 'Set up sshd' +systemctl restart sshd + +# Startup XXX disable unneeded. +for i in rsync exim4 saned +do echo $i + /usr/sbin/update-rc.d $i disable +done +# XXX KILL THIS, listening on public port (firewalled, but still): +# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve +cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot' + +# GRUB +sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub +sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub +echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub + +update-grub + +cd /etc ; git add . ; git commit -a -m 'GRUB tweaks' + +# Fix network to come up on boot +sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces +cd /etc ; git add . ; git commit -a -m 'Auto start network' + +# XXX not sure why this is getting installed: +apt-get -y autoremove + +apt-get -y remove os-prober + +# Proxmox +#cat > /etc/apt/sources.list.d/pve-enterprise.list< /etc/apt/sources.list.d/pve-no-subscription.list< /etc/apt/auth.conf< System --> Network +# Fix subnet mask, IP in web gui. +# Create --> Linux Bridge: +# vmbr0 +# XXX best way for this server? No subnet. +# +# Set up ethernet ports +# XXX check name Disable enp2s0 (Autostart no) +# set up vmbr0 to the main IP, gateway, etc. +# Create Linux Bridge in web interface +# vmbr0 +#XXX THIS ISN'T CORRECT IP +# 174.128.229.130/27 +# 255.255.255.224 +# Autostart +# VLAN Aware +# Bridge: enp2s0 +# Comment Main bridge +# +# Set up 10.2.2.0 and 10.99.99.0 networks statically +# on secondary ethernet interfaces + +# Reboot! 
hk1 (host) --> Restart + +# Configure Corosync +# Set up hosts +# XXX MAKE SURE NEW NODES GET ADDED TO EXISTING SERVER /etc/hosts +echo "10.3.3.1 hk1-coro" >> /etc/hosts +echo "10.3.3.2 hk2-coro" >> /etc/hosts +echo "10.3.3.3 hk3-coro" >> /etc/hosts + +echo "10.88.88.1 hk2-fs" >> /etc/hosts +echo "10.88.88.2 hk2-fs" >> /etc/hosts +echo "10.88.88.3 hk3-fs" >> /etc/hosts + +# Test cluster ping +for i in hk1-coro hk2-coro hk3-coro +do ping -q -c1 $i +done + +# Test ssh +for i in hk1-coro hk2-coro hk3-coro +do ssh $i hostname +done +# ssh via IP +for i in 10.2.2.3 +do ssh $i hostname +done + +# Note this is needed on at least one of the SharkTech servers or +# you get bad UDP checksums +# Also set to correct ethernet device +# XXX CHECK +ethtool -K enp3s0 gso off +ethtool --offload enp3s0 rx off tx off +ethtool -K enp4s0 gso off +ethtool --offload enp4s0 rx off tx off + +# Run this on just one node, hk1, to get the cluster started +pvecm create hkfork --bindnet0_addr 10.2.2.1 --ring0_addr hk1-coro + +# Run this on hk3 +#pvecm add 10.2.2.1 --ring0_addr hk3-coro + +pvecm status +pvecm nodes + +# rebootz ? + +# After Cluster is Configured +# =========================== + +# Data Center --> Permissions --> Users +# Add user with Realm Proxmox VE authentication server. +# Give user root permissions: Datacenter --> Permissions --> Add --> User permission. +# Path: / User: j Role: Administrator +# XXX Or create admin group, add perms to that... +# Permissions --> Authentication. Set Proxmox VE authentication server to default. + +# Storage +# Datacenter --> Storage --> Edit local. Enable all content (add VZDump) +# +# DNS +# hk1 (host) --> System --> DNS +# Add servers: +# 208.67.222.222 208.67.220.220 37.235.1.174 +# diff --git a/source/resources/apps/forksand-nodes-bootstrap/forksand-hk2-bootstrap b/source/resources/apps/forksand-nodes-bootstrap/forksand-hk2-bootstrap new file mode 100644 index 0000000..34f7f54 --- /dev/null 
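Review bot: The `/etc/hosts` block under `Configure Corosync` maps both `10.88.88.1` and `10.88.88.2` to `hk2-fs`, so `hk1-fs` never resolves and the duplicate name goes to whichever entry the resolver picks; the first line should read `echo "10.88.88.1 hk1-fs" >> /etc/hosts`, and the same copy-paste is in forksand-hk2-bootstrap and forksand-hk3-bootstrap. The sshd edits (`sed -i` on `/etc/ssh/sshd_config`, three `>>` appends, then `systemctl restart sshd`) are never checked before the restart, and since the script has `set -x` but no `set -e` a failed sed is ignored while execution continues; `sshd -t || exit 1` before the restart, in all four bootstrap scripts, keeps a bad edit from locking the operator out. `AllowUsers jebba root` with `PermitRootLogin prohibit-password` keeps root reachable over SSH on hk1–hk3 while forksand-shark4-bootstrap allows only `jebba`; if the root entry is intentional for the Proxmox cluster join (as far as I know `pvecm add` relies on root SSH between nodes), a comment saying so would stop a reviewer from "fixing" it. The `>>` appends to `/etc/hosts`, `sshd_config` and `/etc/default/grub` are not idempotent, so a second run duplicates every line; `grep -qxF 'LINE' FILE || echo 'LINE' >> FILE` is the usual guard. The heredocs that populate `/etc/.gitignore`, `/etc/apt/sources.list` and `/etc/apt/auth.conf` are truncated in this rendering, so I can't review their contents.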
+++ b/source/resources/apps/forksand-nodes-bootstrap/forksand-hk2-bootstrap 
@@ -0,0 +1,329 @@ +#!/bin/bash +# forksand-bootstrap-hk2 +# GPLv3+ +# This script does some initial setup and config +# Sets up Proxmox. + +# Log script +exec > >(tee /root/bootstrap-hk2.log) 2>/root/bootstrap-hk2.err + +set -x + +# Set locale +echo "en_US.UTF-8 UTF-8" > /etc/locale.gen +locale-gen +update-locale + +# XXX Set timezone +ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime + +# Set up git for tracking. XXX Ansible... XXX +apt-get -y install git sudo +cd /etc +git init +chmod og-rwx /etc/.git + +cat > /etc/.gitignore < /etc/apt/sources.list < /etc/default/cpufrequtils +/etc/init.d/cpufrequtils restart +cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils' + +# Small user tweaks +echo :syntax on > ~/.vimrc +echo :syntax on > /home/jebba/.vimrc +chown jebba:jebba /home/jebba/.vimrc +echo export EDITOR=vi >> /root/.bashrc + +# XXX Passwordless sudo XXX Ya, probably remove +sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers + +adduser jebba sudo +cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo' + +# SSH config XXX sed cruft +sed -i \ + -e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \ + -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \ + -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \ + -e 's/\#X11Forwarding yes/X11Forwarding no/g' \ + /etc/ssh/sshd_config + +echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config + +echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config + +# Need to update/fix for Debian Buster (testing/10). 
This line breaks Buster: +#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config + +# XXX Add admins as only allowed ssh users +# XXX add user for ansbile +echo "AllowUsers jebba root" >> /etc/ssh/sshd_config + +cd /etc ; git add . ; git commit -a -m 'Set up sshd' +systemctl restart sshd + +# Startup XXX disable unneeded. +for i in rsync exim4 saned +do echo $i + /usr/sbin/update-rc.d $i disable +done +# XXX KILL THIS, listening on public port (firewalled, but still): +# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve +cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot' + +# GRUB +sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub +sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub +echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub + +update-grub + +cd /etc ; git add . ; git commit -a -m 'GRUB tweaks' + +# Fix network to come up on boot +sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces +cd /etc ; git add . ; git commit -a -m 'Auto start network' + +# XXX not sure why this is getting installed: +apt-get -y autoremove + +apt-get -y remove os-prober + +# Proxmox +#cat > /etc/apt/sources.list.d/pve-enterprise.list< /etc/apt/sources.list.d/pve-no-subscription.list< /etc/apt/auth.conf< System --> Network +# Fix subnet mask, IP in web gui. +# Create --> Linux Bridge: +# vmbr0 +# XXX best way for this server? No subnet. +# +# Set up ethernet ports +# XXX check name Disable enp2s0 (Autostart no) +# set up vmbr0 to the main IP, gateway, etc. +# Create Linux Bridge in web interface +# vmbr0 +#XXX THIS ISN'T CORRECT IP +# 174.128.229.130/27 +# 255.255.255.224 +# Autostart +# VLAN Aware +# Bridge: enp2s0 +# Comment Main bridge +# +# Set up 10.2.2.0 and 10.99.99.0 networks statically +# on secondary ethernet interfaces + +# Reboot! 
hk2 (host) --> Restart + +# Configure Corosync +# Set up hosts +# XXX MAKE SURE NEW NODES GET ADDED TO EXISTING SERVER /etc/hosts +echo "10.3.3.1 hk1-coro" >> /etc/hosts +echo "10.3.3.2 hk2-coro" >> /etc/hosts +echo "10.3.3.3 hk3-coro" >> /etc/hosts + +echo "10.88.88.1 hk2-fs" >> /etc/hosts +echo "10.88.88.2 hk2-fs" >> /etc/hosts +echo "10.88.88.3 hk3-fs" >> /etc/hosts + +# Test cluster ping +for i in hk1-coro hk2-coro hk3-coro +do ping -q -c1 $i +done + +# Test ssh +for i in hk1-coro hk2-coro hk3-coro +do ssh $i hostname +done +# ssh via IP +for i in 10.2.2.3 +do ssh $i hostname +done + +# Note this is needed on at least one of the SharkTech servers or +# you get bad UDP checksums +# Also set to correct ethernet device +# XXX CHECK +ethtool -K enp3s0 gso off +ethtool --offload enp3s0 rx off tx off +ethtool -K enp4s0 gso off +ethtool --offload enp4s0 rx off tx off + +# Run this on just one node, hk1, to get the cluster started +#pvecm create hkfork --bindnet0_addr 10.2.2.1 --ring0_addr hk1-coro + +# Run this on hk2 +pvecm add 10.2.2.1 --ring0_addr hk1-coro + +pvecm status +pvecm nodes + +# rebootz ? + +# After Cluster is Configured +# =========================== + +# Data Center --> Permissions --> Users +# Add user with Realm Proxmox VE authentication server. +# Give user root permissions: Datacenter --> Permissions --> Add --> User permission. +# Path: / User: j Role: Administrator +# XXX Or create admin group, add perms to that... +# Permissions --> Authentication. Set Proxmox VE authentication server to default. + +# Storage +# Datacenter --> Storage --> Edit local. Enable all content (add VZDump) +# +# DNS +# hk2 (host) --> System --> DNS +# Add servers: +# 208.67.222.222 208.67.220.220 37.235.1.174 +# diff --git a/source/resources/apps/forksand-nodes-bootstrap/forksand-hk3-bootstrap b/source/resources/apps/forksand-nodes-bootstrap/forksand-hk3-bootstrap new file mode 100644 index 0000000..1e66d60 --- /dev/null 
+++ b/source/resources/apps/forksand-nodes-bootstrap/forksand-hk3-bootstrap 
@@ -0,0 +1,329 @@ +#!/bin/bash +# forksand-bootstrap-hk3 +# GPLv3+ +# This script does some initial setup and config +# Sets up Proxmox. + +# Log script +exec > >(tee /root/bootstrap-hk3.log) 2>/root/bootstrap-hk3.err + +set -x + +# Set locale +echo "en_US.UTF-8 UTF-8" > /etc/locale.gen +locale-gen +update-locale + +# XXX Set timezone +ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime + +# Set up git for tracking. XXX Ansible... XXX +apt-get -y install git sudo +cd /etc +git init +chmod og-rwx /etc/.git + +cat > /etc/.gitignore < /etc/apt/sources.list < /etc/default/cpufrequtils +/etc/init.d/cpufrequtils restart +cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils' + +# Small user tweaks +echo :syntax on > ~/.vimrc +echo :syntax on > /home/jebba/.vimrc +chown jebba:jebba /home/jebba/.vimrc +echo export EDITOR=vi >> /root/.bashrc + +# XXX Passwordless sudo XXX Ya, probably remove +sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers + +adduser jebba sudo +cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo' + +# SSH config XXX sed cruft +sed -i \ + -e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \ + -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \ + -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \ + -e 's/\#X11Forwarding yes/X11Forwarding no/g' \ + /etc/ssh/sshd_config + +echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config + +echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config + +# Need to update/fix for Debian Buster (testing/10). 
This line breaks Buster: +#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config + +# XXX Add admins as only allowed ssh users +# XXX add user for ansbile +echo "AllowUsers jebba root" >> /etc/ssh/sshd_config + +cd /etc ; git add . ; git commit -a -m 'Set up sshd' +systemctl restart sshd + +# Startup XXX disable unneeded. +for i in rsync exim4 saned +do echo $i + /usr/sbin/update-rc.d $i disable +done +# XXX KILL THIS, listening on public port (firewalled, but still): +# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve +cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot' + +# GRUB +sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub +sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub +echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub + +update-grub + +cd /etc ; git add . ; git commit -a -m 'GRUB tweaks' + +# Fix network to come up on boot +sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces +cd /etc ; git add . ; git commit -a -m 'Auto start network' + +# XXX not sure why this is getting installed: +apt-get -y autoremove + +apt-get -y remove os-prober + +# Proxmox +#cat > /etc/apt/sources.list.d/pve-enterprise.list< /etc/apt/sources.list.d/pve-no-subscription.list< /etc/apt/auth.conf< System --> Network +# Fix subnet mask, IP in web gui. +# Create --> Linux Bridge: +# vmbr0 +# XXX best way for this server? No subnet. +# +# Set up ethernet ports +# XXX check name Disable enp2s0 (Autostart no) +# set up vmbr0 to the main IP, gateway, etc. +# Create Linux Bridge in web interface +# vmbr0 +#XXX THIS ISN'T CORRECT IP +# 174.128.229.130/27 +# 255.255.255.224 +# Autostart +# VLAN Aware +# Bridge: enp2s0 +# Comment Main bridge +# +# Set up 10.2.2.0 and 10.99.99.0 networks statically +# on secondary ethernet interfaces + +# Reboot! 
hk3 (host) --> Restart + +# Configure Corosync +# Set up hosts +# XXX MAKE SURE NEW NODES GET ADDED TO EXISTING SERVER /etc/hosts +echo "10.3.3.1 hk1-coro" >> /etc/hosts +echo "10.3.3.2 hk2-coro" >> /etc/hosts +echo "10.3.3.3 hk3-coro" >> /etc/hosts + +echo "10.88.88.1 hk2-fs" >> /etc/hosts +echo "10.88.88.2 hk2-fs" >> /etc/hosts +echo "10.88.88.3 hk3-fs" >> /etc/hosts + +# Test cluster ping +for i in hk1-coro hk2-coro hk3-coro +do ping -q -c1 $i +done + +# Test ssh +for i in hk1-coro hk2-coro hk3-coro +do ssh $i hostname +done +# ssh via IP +for i in 10.2.2.3 +do ssh $i hostname +done + +# Note this is needed on at least one of the SharkTech servers or +# you get bad UDP checksums +# Also set to correct ethernet device +# XXX CHECK +ethtool -K enp3s0 gso off +ethtool --offload enp3s0 rx off tx off +ethtool -K enp4s0 gso off +ethtool --offload enp4s0 rx off tx off + +# Run this on just one node, hk3, to get the cluster started +#pvecm create hkfork --bindnet0_addr 10.2.2.3 --ring0_addr hk3-coro + +# Run this on hk3 +pvecm add 10.2.2.1 --ring0_addr hk3-coro + +pvecm status +pvecm nodes + +# rebootz ? + +# After Cluster is Configured +# =========================== + +# Data Center --> Permissions --> Users +# Add user with Realm Proxmox VE authentication server. +# Give user root permissions: Datacenter --> Permissions --> Add --> User permission. +# Path: / User: j Role: Administrator +# XXX Or create admin group, add perms to that... +# Permissions --> Authentication. Set Proxmox VE authentication server to default. + +# Storage +# Datacenter --> Storage --> Edit local. Enable all content (add VZDump) +# +# DNS +# hk3 (host) --> System --> DNS +# Add servers: +# 208.67.222.222 208.67.220.220 37.235.1.174 +# diff --git a/source/resources/apps/forksand-nodes-bootstrap/forksand-shark4-bootstrap b/source/resources/apps/forksand-nodes-bootstrap/forksand-shark4-bootstrap new file mode 100644 index 0000000..f991067 --- /dev/null 
+++ b/source/resources/apps/forksand-nodes-bootstrap/forksand-shark4-bootstrap 
@@ -0,0 +1,314 @@ +#!/bin/bash +# forksand-bootstrap-shark4 +# GPLv3+ +# This script does some initial setup and config +# Sets up Proxmox. +# IPv6 is left enabled. +# Firewalling is done through Proxmox. +# Edit below to add Proxmox Enterprise Key. XXX broken, use community repo. + +# XXX set network to auto not hotplug XXX + +# Log script +exec > >(tee /root/bootstrap-shark4.log) 2>/root/bootstrap-shark4.err + +set -x + +# Set locale +echo "en_US.UTF-8 UTF-8" > /etc/locale.gen +locale-gen +update-locale + +# XXX Set timezone +ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime + +# Set up git for tracking. XXX Ansible... XXX +apt-get -y install git sudo +cd /etc +git init +chmod og-rwx /etc/.git + +cat > /etc/.gitignore < /etc/apt/sources.list < /etc/default/cpufrequtils +/etc/init.d/cpufrequtils restart +cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils' + +# Small user tweaks +echo :syntax on > ~/.vimrc +echo :syntax on > /home/jebba/.vimrc +chown jebba:jebba /home/jebba/.vimrc +echo export EDITOR=vi >> /root/.bashrc + +# XXX Passwordless sudo XXX Ya, probably remove +sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers + +adduser jebba sudo +cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo' + +# SSH config XXX sed cruft +sed -i \ + -e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \ + -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \ + -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \ + -e 's/\#X11Forwarding yes/X11Forwarding no/g' \ + /etc/ssh/sshd_config + +echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config + +echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config + +# Need to update/fix for Debian Buster (testing/10). 
This line breaks Buster: +#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config + +# XXX Add admins as only allowed ssh users +# XXX add user for ansbile +echo "AllowUsers jebba" >> /etc/ssh/sshd_config + +cd /etc ; git add . ; git commit -a -m 'Set up sshd' +systemctl restart sshd + +# Startup XXX disable unneeded. +for i in rsync exim4 saned +do echo $i + /usr/sbin/update-rc.d $i disable +done +# XXX KILL THIS, listening on public port (firewalled, but still): +# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve +cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot' + +# GRUB +sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub +sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub +echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub + +update-grub + +cd /etc ; git add . ; git commit -a -m 'GRUB tweaks' + +# Fix network to come up on boot +sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces +cd /etc ; git add . ; git commit -a -m 'Auto start network' + +# XXX not sure why this is getting installed: +apt-get -y autoremove + +# Proxmox +#cat > /etc/apt/sources.list.d/pve-enterprise.list< /etc/apt/sources.list.d/pve-no-subscription.list< /etc/apt/auth.conf< Permissions --> Users +# Add user with Realm Proxmox VE authentication server. +# Give user root permissions: Datacenter --> Permissions --> Add --> User permission. +# Path: / User: j Role: Administrator +# XXX Or create admin group, add perms to that... +# Permissions --> Authentication. Set Proxmox VE authentication server to default. +# +# Enable firewall. +# Datacenter --> shark4 (host) --> Firewall --> Add. +# Open up for SSH and SSH alt port. 
+# Enable firewall for datacenter: +# Datacenter --> Firewall --> Options --> Firewall --> Yes +# Enable firewall for shark4: +# Open up for SSH and SSH alt port. +# REJECT everything coming in. (then DROP) +# Reorder to ACCEPT SSH at top +# +# Reboot! shark4 (host) --> Restart +# +# +# XXX +# Datacenter --> Firewall --> Add. +# REJECT any in +# +# Storage +# Datacenter --> Storage --> Edit local. Enable all content (add VZDump) +# +# XXX postfix +# +# DNS +# shark4 (host) --> System --> DNS +# Add servers: +# 208.67.222.222 208.67.220.220 37.235.1.174 +# +# Netwok +# shark4 (host) --> System --> Network +# Fix subnet mask, IP in web gui. +# Create --> Linux Bridge: +# vmbr0 +# XXX best way for this server? No subnet. +# +source /etc/network/interfaces.d/* + +# The loopback network interface +auto lo +iface lo inet loopback + +# The primary network interface +auto enp1s0f1 +iface enp1s0f1 inet static + address 70.39.103.210/29 + gateway 70.39.103.209 + dns-nameservers 208.67.222.222 + dns-search forksand.com + +# +# rebootz +# +# Set up templates +# Datacenter --> shark4 --> local (shark4) --> Content --> Templates +# Select Debian. maybe arch, alpine + +# XXX TOTAL MEH XXX +# add this to the workstation: +# 127.0.0.1 localhost shark3-tun shark4-tun +# Then use URLs +# https://shark3-tun:8006 +# https://shark4-tun:8007 +# Or you can only be logged into one at a time. +# XXX find better workaround diff --git a/source/resources/apps/forksand-nodes-bootstrap/forksand-the-bootstrap b/source/resources/apps/forksand-nodes-bootstrap/forksand-the-bootstrap new file mode 100644 index 0000000..5d918da --- /dev/null +++ b/source/resources/apps/forksand-nodes-bootstrap/forksand-the-bootstrap 
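Review bot: The passwordless-sudo step rewrites `/etc/sudoers` in place with `sed -i` and never validates the result, so a pattern mismatch silently leaves the default policy in place while a partial match can corrupt the file and lock every admin out of sudo; the inline `XXX ... probably remove` comment already doubts the NOPASSWD grant itself. Prefer a drop-in that is syntax-checked before it takes effect, e.g. `echo 'jebba ALL=(ALL) ALL' > /etc/sudoers.d/jebba`, `chmod 0440 /etc/sudoers.d/jebba`, `visudo -cf /etc/sudoers.d/jebba || rm -f /etc/sudoers.d/jebba`, which also drops the blanket NOPASSWD for the whole `sudo` group. The same applies to the `sshd_config` edits that precede `systemctl restart sshd`: running `sshd -t` first means a bad directive (the commented-out `MACs` line shows this has already broken Buster once) cannot take down what is presumably the only remote login path. Note also that the `PasswordAuthentication` substitution only matches the commented `#PasswordAuthentication yes` form, so an image that ships the directive uncommented keeps password logins enabled.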
@@ -0,0 +1,375 @@ +#!/bin/bash +# forksand-bootstrap-the +# GPLv3+ +# This script does some initial setup and config +# Sets up Proxmox. +# IPv6 is left enabled. +# Firewalling is done through Proxmox. +# Edit below to add Proxmox Enterprise Key. XXX broken, use community repo. + +# XXX set up hostname + +# XXX set network to auto not hotplug XXX + +# Log script +exec > >(tee /root/bootstrap-the.log) 2>/root/bootstrap-the.err + +set -x + +# Set locale +echo "en_US.UTF-8 UTF-8" > /etc/locale.gen +locale-gen +update-locale + +# XXX Set timezone +ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime + +# Set up git for tracking. XXX Ansible... XXX +echo 'Acquire::http::Proxy "http://192.168.110.72:3142";' > /etc/apt/apt.conf +apt-get -y install git sudo +cd /etc +git init +chmod og-rwx /etc/.git + +cat > /etc/.gitignore < /etc/apt/sources.list < /etc/default/cpufrequtils +/etc/init.d/cpufrequtils restart +cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils' + +# Small user tweaks +echo :syntax on > ~/.vimrc +echo :syntax on > /home/jebba/.vimrc +chown jebba:jebba /home/jebba/.vimrc +echo export EDITOR=vi >> /root/.bashrc + +# XXX Passwordless sudo XXX Ya, probably remove +sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers + +adduser jebba sudo +cd /etc ; git add . 
; git commit -a -m 'Set up passwordless sudo' + +# SSH config XXX sed cruft +sed -i \ + -e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \ + -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \ + -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \ + -e 's/\#X11Forwarding yes/X11Forwarding no/g' \ + /etc/ssh/sshd_config + +echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config + +echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config + +# Need to update/fix for Debian Buster (testing/10). This line breaks Buster: +#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config + +# XXX Add admins as only allowed ssh users +# XXX add user for ansbile +echo "AllowUsers jebba root" >> /etc/ssh/sshd_config + +cd /etc ; git add . ; git commit -a -m 'Set up sshd' +systemctl restart sshd + +# Startup XXX disable unneeded. +for i in rsync exim4 saned +do echo $i + /usr/sbin/update-rc.d $i disable +done +# XXX KILL THIS, listening on public port (firewalled, but still): +# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve +cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot' + +# GRUB +sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub +sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub +echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub + +update-grub + +cd /etc ; git add . ; git commit -a -m 'GRUB tweaks' + +# Fix network to come up on boot +sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces +cd /etc ; git add . 
; git commit -a -m 'Auto start network' + +# XXX not sure why this is getting installed: +apt-get -y autoremove + +# Proxmox +#cat > /etc/apt/sources.list.d/pve-enterprise.list< /etc/apt/sources.list.d/pve-no-subscription.list< /etc/apt/auth.conf< Linux Bridge: +# vmbr0 + +# rebootz +# +# Set up templates + +# Cluster Corosync +exit 0 +echo "10.8.8.88 truck-coro" >> /etc/hosts +echo "10.8.8.90 swutch-coro" >> /etc/hosts +echo "10.8.8.87 wall-coro" >> /etc/hosts +echo "10.8.8.66 the-coro" >> /etc/hosts +echo "10.99.99.88 truck-fs" >> /etc/hosts +echo "10.99.99.90 swutch-fs" >> /etc/hosts +echo "10.99.99.87 wall-fs" >> /etc/hosts +echo "10.99.99.66 the-fs" >> /etc/hosts + +# Test cluster ping +for i in truck-coro swutch-coro wall-coro the-coro +do ping -q -c1 $i +done + +# more stuff +apt remove os-prober + +# Disable enp3s0 (Autostart no) +# +# set up vmbr0 to the main IP, gateway, etc. +# Create Linux Bridge in web interface +# vmbr0 +# 192.168.110.66 +# 255.255.255.0 +# Gateway 192.168.110.252 +# Autostart +# VLAN Aware +# Bridge: enp3s0f1 +# Comment Main bridge + +# Set up corosync ethernet interfaces +# 10.8.8.66 +# 255.255.255.0 +# Autostart +# VLAN Aware +# Bridge enx000acd31ac3d +# Comment the-coro + +# Set up ceph ethernet interfaces +# 10.99.99.66 +# 255.255.255.0 +# Autostart +# VLAN Aware +# Bridge enx000acd31ac3e +# Comment fs-coro + +# rebooootz + +# Add the to /etc/hosts on other servers: +10.8.8.66 the-coro +10.99.99.66 the-fs + +# Add the the ssh key to ONE node + +# Add truck, wall, swutch ssh keys to the + + +# Test flood multicast on private interface +omping -c 10000 -i 0.001 -F -q swutch-coro truck-coro the-coro wall-coro +# Ten minute test: +omping -c 600 -i 1 -q swutch-coro truck-coro wall-coro the-coro + +# Set up ssh as root to/from all nodes +# Best way to do this ... 
XXX +echo "fookey" >> /root/.ssh/authorized_keys +# test SSH +/etc/init.d/ssh restart + +for i in the wall truck swutch ;do ssh $i hostname ;done +for i in the-coro wall-coro truck-coro swutch-coro ;do ssh $i hostname ;done +for i in the-fs wall-fs truck-fs swutch-fs ;do ssh $i hostname ;done + + +# Run on the: +pvecm add 10.8.8.88 --ring0_addr the-coro + +# If `tcpdump -vvv -i enp10s0` show bad udp checksums, run this: +# XXX ok on the, wall, swutch, truck +ethtool -K enp10s0 gso off +ethtool --offload enp10s0 rx off tx off + +# Run on all nodes: +pveceph install --version luminous + +# Then run on remaining nodes, the: +pveceph createmon + +# On all nodes: +pveceph createmgr + +# internal drives +# Create a GPT disklabel with fdisk +fdisk /dev/nvme0n1 +# g +# w +pveceph createosd /dev/nvme0n1 +# Create a GPT disklabel with fdisk +fdisk /dev/sda +# g +# w +pveceph createosd /dev/sda + + +#===================== XXX best way? XXX ==================== +# XXX maybe not needed ? +# XXX actually, remove this and do no auth since it is private network. +mkdir /etc/pve/priv/ceph +cp -p /etc/pve/priv/ceph.client.admin.keyring /etc/pve/priv/ceph/my-ceph-storage.keyring +# Edit on just one node (shared on all) +vim /etc/pve/storage.cfg + +# Do this instead of my-ceph-storage.keyring +# Edit on one node: +vim /etc/pve/ceph.conf +auth cluster required = none +auth service required = none +auth client required = none +# restart stuff +systemctl stop ceph\*.service ceph\*.target +mkdir /etc/pve/priv/ceph/old +mv /etc/pve/priv/ceph/*keyring /etc/pve/priv/ceph/old/ +#===================== XXX best way? XXX ==================== diff --git a/source/resources/apps/forksand-nodes-bootstrap/forksand-truck-bootstrap b/source/resources/apps/forksand-nodes-bootstrap/forksand-truck-bootstrap new file mode 100644 index 0000000..37a5c1c --- /dev/null +++ b/source/resources/apps/forksand-nodes-bootstrap/forksand-truck-bootstrap 
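Review bot: The Ceph section at the end of the hunk turns cephx off on all three planes (`auth cluster required = none`, `auth service required = none`, `auth client required = none`) and moves the keyrings out of `/etc/pve/priv/ceph`, on the reasoning in the `XXX` comment that the storage network is private. The hunk's own network notes make the `-coro` and `-fs` interfaces VLAN-aware Linux bridges, so any guest or host that lands on those bridges could reach the monitors and OSDs, and without cephx that is unauthenticated read/write access to every RBD image in the pool. Keep cephx enabled and drop the three `auth ... = none` lines and the keyring move; the `cp -p /etc/pve/priv/ceph.client.admin.keyring /etc/pve/priv/ceph/my-ceph-storage.keyring` step earlier in the same block is the authenticated alternative the hunk itself names. Since nothing after the bare `exit 0` runs when the script is executed, a comment such as `# NOTE: everything below exit 0 is manual cluster notes, not executed by this script` would make that explicit.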
@@ -0,0 +1,393 @@ +#!/bin/bash +# forksand-bootstrap-truck +# GPLv3+ +# This script does some initial setup and config +# Sets up Proxmox. +# IPv6 is left enabled. +# Firewalling is done through Proxmox. +# Edit below to add Proxmox Enterprise Key. XXX broken, use community repo. + +# XXX set up hostname + +# XXX set network to auto not hotplug XXX + +# Log script +exec > >(tee /root/bootstrap-truck.log) 2>/root/bootstrap-truck.err + +set -x + +# Set locale +echo "en_US.UTF-8 UTF-8" > /etc/locale.gen +locale-gen +update-locale + +# XXX Set timezone +ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime + +# Set up git for tracking. XXX Ansible... XXX +echo 'Acquire::http::Proxy "http://192.168.110.72:3142";' > /etc/apt/apt.conf +apt-get -y install git sudo +cd /etc +git init +chmod og-rwx /etc/.git + +cat > /etc/.gitignore < /etc/apt/sources.list < /etc/default/cpufrequtils +/etc/init.d/cpufrequtils restart +cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils' + +# Small user tweaks +echo :syntax on > ~/.vimrc +echo :syntax on > /home/jebba/.vimrc +chown jebba:jebba /home/jebba/.vimrc +echo export EDITOR=vi >> /root/.bashrc + +# XXX Passwordless sudo XXX Ya, probably remove +sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers + +adduser jebba sudo +cd /etc ; git add . 
; git commit -a -m 'Set up passwordless sudo' + +# SSH config XXX sed cruft +sed -i \ + -e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \ + -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \ + -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \ + -e 's/\#X11Forwarding yes/X11Forwarding no/g' \ + /etc/ssh/sshd_config + +echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config + +echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config + +# Need to update/fix for Debian Buster (testing/10). This line breaks Buster: +#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config + +# XXX Add admins as only allowed ssh users +# XXX add user for ansbile +echo "AllowUsers jebba root" >> /etc/ssh/sshd_config + +cd /etc ; git add . ; git commit -a -m 'Set up sshd' +systemctl restart sshd + +# Startup XXX disable unneeded. +for i in rsync exim4 saned +do echo $i + /usr/sbin/update-rc.d $i disable +done +# XXX KILL THIS, listening on public port (firewalled, but still): +# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve +cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot' + +# GRUB +sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub +sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub +echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub + +update-grub + +cd /etc ; git add . ; git commit -a -m 'GRUB tweaks' + +# Fix network to come up on boot +sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces +cd /etc ; git add . 
; git commit -a -m 'Auto start network' + +# XXX not sure why this is getting installed: +apt-get -y autoremove + +# Proxmox +#cat > /etc/apt/sources.list.d/pve-enterprise.list< /etc/apt/sources.list.d/pve-no-subscription.list< /etc/apt/auth.conf< Permissions --> Users +# Add user with Realm Proxmox VE authentication server. +# Give user root permissions: Datacenter --> Permissions --> Add --> User permission. +# Path: / User: j Role: Administrator +# XXX Or create admin group, add perms to that... +# Permissions --> Authentication. Set Proxmox VE authentication server to default. +# +# Enable firewall. +# Datacenter --> truck (host) --> Firewall --> Add. +# Open up for SSH and SSH alt port. +# Enable firewall for datacenter: +# Datacenter --> Firewall --> Options --> Firewall --> Yes +# Enable firewall for truck: +# Open up for SSH and SSH alt port. +# REJECT everything coming in. (then DROP) +# Reorder to ACCEPT SSH at top +# +cd /etc ; git add . ; git commit -a -m 'Initial Proxmox configuration' +# +# Reboot! truck (host) --> Restart +# +# XXX +# Datacenter --> Firewall --> Add. +# REJECT any in +# +# Storage +# Datacenter --> Storage --> Edit local. Enable all content (add VZDump) +# +# XXX postfix +# +# DNS +# truck (host) --> System --> DNS +# Add servers: +# 208.67.222.222 208.67.220.220 37.235.1.174 +# +# Netwok +# truck (host) --> System --> Network +# Fix subnet mask, IP in web gui. +# Create --> Linux Bridge: +# vmbr0 +# XXX best way for this server? No subnet. +# + +# rebootz +# +# Set up templates + +# XXX TOTAL MEH XXX +# add this to the workstation: +# 127.0.0.1 localhost truck-tun +# Run: +# ssh -N -C -L 8020:localhost:8006 truck +# Then use URLs +# https://truck-tun:8020 +# Or you can only be logged into one at a time. 
+# XXX find better workaround + +# Cluster Corosync +exit 0 +echo "10.8.8.88 truck-coro" >> /etc/hosts +echo "10.8.8.90 swutch-coro" >> /etc/hosts +echo "10.8.8.87 wall-coro" >> /etc/hosts +echo "10.111.111.88 truck-fs" >> /etc/hosts +echo "10.111.111.90 swutch-fs" >> /etc/hosts +echo "10.111.111.87 wall-fs" >> /etc/hosts + +# Test cluster ping +for i in truck-coro swutch-coro wall-coro +do ping -q -c1 $i +done + +# more stuff +apt install postfix + +apt remove os-prober + +# Disable enp3s0 (Autostart no) +# set up vmbr0 to the main IP, gateway, etc. +# Create Linux Bridge in web interface +# vmbr0 +# 192.168.55.88 +# 255.255.255.0 +# Autostart +# VLAN Aware +# Bridge: enp3s0 +# Comment Main bridge + +# Test flood multicast on private interface +omping -c 10000 -i 0.001 -F -q swutch-coro truck-coro wall-coro +# Ten minute test: +omping -c 600 -i 1 -q swutch-coro truck-coro wall-coro + +# Set up ssh as root to/from all nodes +# Best way to do this ... XXX +echo "fookey" >> /root/.ssh/authorized_keys +for i in swutch-coro truck-coro wall-coro +do ssh $i hostname +done + +# Run just on truck: +pvecm create red --bindnet0_addr 10.8.8.88 --ring0_addr truck-coro + +# Run on wall: +pvecm add 10.8.8.88 --ring0_addr wall-coro + +# Run on swutch: +pvecm add 10.8.8.88 --ring0_addr swutch-coro + +# If `tcpdump -vvv -i enp10s0` show bad udp checksums, run this: +# XXX ok on truck, wall, swutch +ethtool -K enp10s0 gso off +ethtool --offload enp10s0 rx off tx off + +# Setup 10.99.99.0/24 addresses for Ceph on enp16s0 + +# Run on all nodes: +pveceph install --version luminous + +# Run just on one node (truck): +pveceph init --network 10.99.99.0/24 +pveceph createmon + +# Then run on remaining nodes (or via GUI) +pveceph createmon + +# On all nodes: +pveceph createmr + +# XXX missing ZFS tools +apt install zfsutils-linux +modprobe zfs + +# Add USB drive to swutch and run on it: +# Create a GPT disklabel with fdisk +fdisk /dev/sdb +# g +# w +pveceph createosd /dev/sdb + +# XXX 
actually, remove this and do no auth since it is private network. +mkdir /etc/pve/priv/ceph +cp -p /etc/pve/priv/ceph.client.admin.keyring /etc/pve/priv/ceph/my-ceph-storage.keyring +# Edit on just one node (shared on all) +vim /etc/pve/storage.cfg + +# Do this instead of my-ceph-storage.keyring +# Edit on one node: +vim /etc/pve/ceph.conf +auth cluster required = none +auth service required = none +auth client required = none +# restart stuff +systemctl stop ceph\*.service ceph\*.target +mkdir /etc/pve/priv/ceph/old +mv /etc/pve/priv/ceph/*keyring /etc/pve/priv/ceph/old/ + diff --git a/source/resources/apps/oca-forksand-v1_1/README.rst b/source/resources/apps/oca-forksand-v1_1/README.rst new file mode 100644 index 0000000..7acaf7f --- /dev/null +++ b/source/resources/apps/oca-forksand-v1_1/README.rst 
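Review bot: The `pveceph createmr` line under `# On all nodes:` is a typo for `pveceph createmgr` (the spelling the `forksand-the-bootstrap` script in this same commit uses), so a node set up from these notes ends up with a monitor but no manager daemon; change it to `pveceph createmgr`. It goes unnoticed only because everything after the bare `exit 0` is never executed and has to be pasted by hand. The block after it disables cephx (`auth cluster/service/client required = none`) and moves the keyrings aside on the argument that 10.99.99.0/24 is private; with `vmbr0` created VLAN-aware and the Ceph interface setup not shown, I would keep cephx on and use the `my-ceph-storage.keyring` copy the block already prepares. Also, `echo "fookey" >> /root/.ssh/authorized_keys` appends a literal placeholder to root's authorized keys if the notes are run as-is; a `# replace fookey with the other nodes' root public keys before running` comment would prevent that.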
@@ -0,0 +1,151 @@ +Deploy the Ansible roles +- Create a requirements.yml file and indicate there the git repos to source the Ansible roles from. See http://docs.ansible.com/ansible/latest/galaxy.html#installing-roles + +host> nano requirements.yml + +# from GitHub +- name: ansible-odoo + src: https://github.com/osiell/ansible-odoo + version: origin/master + +- name: postgresql + src: https://github.com/ANXS/postgresql + +- name: ansible-odoo-nginx + src: https://github.com/Eficent/ansible-odoo-nginx + +- name: ansible-role-certbot + src: https://github.com/geerlingguy/ansible-role-certbot + +host> sudo ansible-galaxy install -r requirements.yml + +- changing role ansible-odoo from origin/master to origin/master +- extracting ansible-odoo to /home/jordi/.ansible/roles/ansible-odoo +- ansible-odoo (origin/master) was installed successfully +- changing role postgresql from to unspecified +- extracting postgresql to /home/jordi/.ansible/roles/postgresql +- postgresql was installed successfully +- extracting ansible-odoo-nginx to /home/jordi/.ansible/roles/ansible-odoo-nginx +- ansible-odoo-nginx was installed successfully +- adding dependency: geerlingguy.nginx +- extracting ansible-role-certbot to /home/jordi/.ansible/roles/ansible-role-certbot +- ansible-role-certbot was installed successfully +- downloading role 'nginx', owned by geerlingguy +- downloading role from https://github.com/geerlingguy/ansible-role-nginx/archive/2.5.0.tar.gz +- extracting geerlingguy.nginx to /home/jordi/.ansible/roles/geerlingguy.nginx +- geerlingguy.nginx (2.5.0) was installed successfully + + +Note: use --force to ensure that the latest version of the roles is installed. + +Install LXC Container +This is only to test locally the execution of the ansible playbook on a target host. 
+ +Create the LXC container: + +host> sudo lxc-create -t debian -n odoo10 + +Start the LXC container: + +host> sudo lxc-start -n odoo10 -d + +Check that the container is up + +host> sudo lxc-ls -f + +NAME STATE AUTOSTART GROUPS IPV4 IPV6 + +odoo10 RUNNING 0 - 10.0.3.217 - + +Attach to the container + +host> sudo lxc-attach -n odoo10 + +Install nano: + +container> apt-get install nano + +Install python + +container> apt-get install python + +Allow root to connect over ssh: + +container> nano /etc/ssh/sshd_config + +FROM: + +PermitRootLogin without-password TO: + +PermitRootLogin yes + +Restart ssh + +container> /etc/init.d/ssh restart + +Provide a password to root: + +container> passwd + + + +Exit from the container and try to ssh into it with the new user + +container>exit + +host> ssh root@10.0.3.217 + + +Create Hosts Inventory File + +Create a project folder under home dir. + +host> mdir ansible-test && cd ansible-test + +host> nano inventory + +odoo10 ansible_ssh_host=10.0.3.217 + + + +Create Playbook File + +host/ansible-test> nano ./playbook.yml + +- name: Odoo 10 + + hosts: odoo10 + + roles: + + - postgresql + + - ansible-odoo + + vars: + + # [postgresql] + + - postgresql_version: 9.3 + + # [odoo] + + - odoo_version: 11.0 + + - odoo_install_type: pip + + - odoo_config_unaccent: True + + - odoo_pip_requirements_url: https://raw.githubusercontent.com/Eficent/sample-oca-pip-requirements/11.0/requirements.txt + + - odoo_config_admin_passwd: SuPerPassWorD + + - odoo_config_addons_path: "" + +environment: + + LC_ALL: en_US.UTF-8 + +Deploy the Playbook to the container + +host> ansible-playbook -i inventory playbook.yml -e "ansible_ssh_user=root" -k -v diff --git a/source/resources/apps/oca-forksand-v1_1/inventory b/source/resources/apps/oca-forksand-v1_1/inventory new file mode 100644 index 0000000..d128d79 --- /dev/null +++ b/source/resources/apps/oca-forksand-v1_1/inventory 
@@ -0,0 +1 @@ +odoo11 ansible_host=oca.forksand.com ansible_port=28208 ansible_user=jballester diff --git a/source/resources/apps/oca-forksand-v1_1/playbook.yml b/source/resources/apps/oca-forksand-v1_1/playbook.yml new file mode 100644 index 0000000..05b0bb6 --- /dev/null +++ b/source/resources/apps/oca-forksand-v1_1/playbook.yml @@ -0,0 +1,31 @@ +- name: Odoo 11 + hosts: odoo11 + remote_user: root + become: yes + roles: + - postgresql + - ansible-odoo + - ansible-odoo-nginx + - ansible-role-certbot + vars: + # [postgresql] + - postgresql_version: 9.6 + # [odoo] + - odoo_version: 11.0 + - odoo_install_type: pip + - odoo_pip_requirements_url: https://raw.githubusercontent.com/Eficent/sample-oca-pip-requirements/11.0/requirements.txt + - odoo_config_unaccent: True + - odoo_config_admin_passwd: SuPerPassWorD + - odoo_config_data_dir: "home/odoo/data" + # [ridingbytes_nginx] + - nginx_odoo_server: "oca.forksand.com" + - ssl_certificate: /etc/letsencrypt/live/oca.forksand.com/fullchain.pem + - ssl_certificate_key: /etc/letsencrypt/live/oca.forksand.com/privkey.pem + # [certbot] + - certbot_create_if_missing: yes + - certbot_certs: + - domains: + - oca.forksand.com + environment: + LC_ALL: en_US.UTF-8 + diff --git a/source/resources/apps/oca-forksand-v1_1/requirements.yml b/source/resources/apps/oca-forksand-v1_1/requirements.yml new file mode 100644 index 0000000..ebc622d --- /dev/null +++ b/source/resources/apps/oca-forksand-v1_1/requirements.yml @@ -0,0 +1,14 @@ +# from GitHub +- name: ansible-odoo + src: https://github.com/osiell/ansible-odoo + version: origin/master-odoo_config_data_dir + +- name: postgresql + src: https://github.com/ANXS/postgresql + +- name: ansible-odoo-nginx + src: https://github.com/Eficent/ansible-odoo-nginx + +- name: ansible-role-certbot + src: https://github.com/geerlingguy/ansible-role-certbot + 
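Review bot: `odoo_config_admin_passwd: SuPerPassWorD` puts Odoo's master (database-management) password in a playbook committed to the manual repository, and the `inventory` beside it names the public host it applies to. Move it out of the file, e.g. `odoo_config_admin_passwd: "{{ lookup('env', 'ODOO_ADMIN_PASSWD') }}"` or an `ansible-vault`-encrypted vars file, and rotate the value that is already in git history. Separately, `odoo_config_data_dir: "home/odoo/data"` is missing its leading slash, so it becomes a path relative to whatever directory the Odoo process starts in; it should read `odoo_config_data_dir: "/home/odoo/data"`.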
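Review bot: None of the four roles in `requirements.yml` is pinned to a release or commit: `ansible-odoo` tracks the `origin/master-odoo_config_data_dir` branch, and `postgresql`, `ansible-odoo-nginx` and `ansible-role-certbot` carry no `version:` at all, so each `ansible-galaxy install` pulls whatever those repositories' default branch holds at that moment and the playbook then runs it with `become: yes` as root on `oca.forksand.com`. Pin every entry with a `version:` naming a tag or full commit SHA, and review the upstream diff when bumping it. If `master-odoo_config_data_dir` is a temporary patch branch, a comment stating which upstream change it tracks would tell the next maintainer when it can go back to a tagged release.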
diff --git a/source/resources/apps/oca/etc/init.d/openerp-server b/source/resources/apps/oca/etc/init.d/openerp-server old mode 100755 new mode 100644 diff --git a/source/resources/apps/oca/oca-install.sh b/source/resources/apps/oca/oca-install.sh old mode 100755 new mode 100644 diff --git a/source/resources/apps/odoo/odoo11-deb-install.sh b/source/resources/apps/odoo/odoo11-deb-install.sh old mode 100755 new mode 100644 diff --git a/source/resources/apps/ssh/socks-chain.sh b/source/resources/apps/ssh/socks-chain.sh old mode 100755 new mode 100644 diff --git a/source/resources/apps/ssh/socks-proxy.sh b/source/resources/apps/ssh/socks-proxy.sh old mode 100755 new mode 100644 diff --git a/source/resources/drawings/sharkfork-cabling-1-dedicated-vlan.pdf b/source/resources/drawings/sharkfork-cabling-1-dedicated-vlan.pdf new file mode 100644 index 0000000..535ba12 Binary files /dev/null and b/source/resources/drawings/sharkfork-cabling-1-dedicated-vlan.pdf differ diff --git a/source/resources/drawings/sharkfork-cabling-2-mixed-vlan.pdf b/source/resources/drawings/sharkfork-cabling-2-mixed-vlan.pdf new file mode 100644 index 0000000..44e4914 Binary files /dev/null and b/source/resources/drawings/sharkfork-cabling-2-mixed-vlan.pdf differ diff --git a/source/resources/drawings/sharkfork-cabling-3-colo-dedicated.pdf b/source/resources/drawings/sharkfork-cabling-3-colo-dedicated.pdf new file mode 100644 index 0000000..479031b Binary files /dev/null and b/source/resources/drawings/sharkfork-cabling-3-colo-dedicated.pdf differ diff --git a/source/resources/drawings/sharkfork-cabling-4-final-colocation.pdf b/source/resources/drawings/sharkfork-cabling-4-final-colocation.pdf new file mode 100644 index 0000000..c0c769e Binary files /dev/null and b/source/resources/drawings/sharkfork-cabling-4-final-colocation.pdf differ 
diff --git a/source/resources/images/LetterheadPDF.pdf b/source/resources/images/LetterheadPDF.pdf new file mode 100644 index 0000000..c3dd60d Binary files /dev/null and b/source/resources/images/LetterheadPDF.pdf differ diff --git a/source/resources/images/proxmox-gui.png b/source/resources/images/proxmox-gui.png new file mode 100644 index 0000000..6c097bd Binary files /dev/null and b/source/resources/images/proxmox-gui.png differ diff --git a/source/resources/images/shark2/01.png b/source/resources/images/shark2/01.png new file mode 100644 index 0000000..74b13db Binary files /dev/null and b/source/resources/images/shark2/01.png differ diff --git a/source/resources/images/shark2/02.png b/source/resources/images/shark2/02.png new file mode 100644 index 0000000..6c1e4c4 Binary files /dev/null and b/source/resources/images/shark2/02.png differ diff --git a/source/resources/images/shark2/03.png b/source/resources/images/shark2/03.png new file mode 100644 index 0000000..baae46a Binary files /dev/null and b/source/resources/images/shark2/03.png differ diff --git a/source/resources/images/shark2/04.png b/source/resources/images/shark2/04.png new file mode 100644 index 0000000..efa9309 Binary files /dev/null and b/source/resources/images/shark2/04.png differ diff --git a/source/resources/images/shark2/05.png b/source/resources/images/shark2/05.png new file mode 100644 index 0000000..58c11a5 Binary files /dev/null and b/source/resources/images/shark2/05.png differ diff --git a/source/resources/images/shark2/06.png b/source/resources/images/shark2/06.png new file mode 100644 index 0000000..3ca0107 Binary files /dev/null and b/source/resources/images/shark2/06.png differ diff --git a/source/resources/images/shark2/07.png b/source/resources/images/shark2/07.png new file mode 100644 index 0000000..d5a42dd Binary files /dev/null and b/source/resources/images/shark2/07.png differ 
diff --git a/source/resources/images/shark2/08.png b/source/resources/images/shark2/08.png new file mode 100644 index 0000000..83ffa44 Binary files /dev/null and b/source/resources/images/shark2/08.png differ diff --git a/source/resources/images/shark2/09.png b/source/resources/images/shark2/09.png new file mode 100644 index 0000000..2371a22 Binary files /dev/null and b/source/resources/images/shark2/09.png differ diff --git a/source/resources/images/shark2/10.png b/source/resources/images/shark2/10.png new file mode 100644 index 0000000..7d73846 Binary files /dev/null and b/source/resources/images/shark2/10.png differ diff --git a/source/resources/images/shark2/11.png b/source/resources/images/shark2/11.png new file mode 100644 index 0000000..8d91aba Binary files /dev/null and b/source/resources/images/shark2/11.png differ diff --git a/source/resources/images/shark2/12.png b/source/resources/images/shark2/12.png new file mode 100644 index 0000000..8c2f592 Binary files /dev/null and b/source/resources/images/shark2/12.png differ diff --git a/source/resources/images/shark2/13.png b/source/resources/images/shark2/13.png new file mode 100644 index 0000000..6069b0f Binary files /dev/null and b/source/resources/images/shark2/13.png differ diff --git a/source/resources/images/shark2/14.png b/source/resources/images/shark2/14.png new file mode 100644 index 0000000..a5a0e15 Binary files /dev/null and b/source/resources/images/shark2/14.png differ diff --git a/source/resources/images/shark2/15.png b/source/resources/images/shark2/15.png new file mode 100644 index 0000000..115a6f8 Binary files /dev/null and b/source/resources/images/shark2/15.png differ diff --git a/source/resources/images/shark2/16.png b/source/resources/images/shark2/16.png new file mode 100644 index 0000000..30c2478 Binary files /dev/null and b/source/resources/images/shark2/16.png differ 
diff --git a/source/resources/images/shark2/17.png b/source/resources/images/shark2/17.png new file mode 100644 index 0000000..1154398 Binary files /dev/null and b/source/resources/images/shark2/17.png differ diff --git a/source/resources/images/shark2/18.png b/source/resources/images/shark2/18.png new file mode 100644 index 0000000..0b7d61a Binary files /dev/null and b/source/resources/images/shark2/18.png differ diff --git a/source/resources/images/shark2/19.png b/source/resources/images/shark2/19.png new file mode 100644 index 0000000..3cf7323 Binary files /dev/null and b/source/resources/images/shark2/19.png differ diff --git a/source/resources/images/shark2/20.png b/source/resources/images/shark2/20.png new file mode 100644 index 0000000..2e88dba Binary files /dev/null and b/source/resources/images/shark2/20.png differ diff --git a/source/resources/images/shark2/21.png b/source/resources/images/shark2/21.png new file mode 100644 index 0000000..2fc3132 Binary files /dev/null and b/source/resources/images/shark2/21.png differ diff --git a/source/resources/images/shark2/22.png b/source/resources/images/shark2/22.png new file mode 100644 index 0000000..eddd6aa Binary files /dev/null and b/source/resources/images/shark2/22.png differ diff --git a/source/resources/images/shark2/23.png b/source/resources/images/shark2/23.png new file mode 100644 index 0000000..5768662 Binary files /dev/null and b/source/resources/images/shark2/23.png differ diff --git a/source/resources/images/shark2/24.png b/source/resources/images/shark2/24.png new file mode 100644 index 0000000..9fceb15 Binary files /dev/null and b/source/resources/images/shark2/24.png differ diff --git a/source/resources/images/shark3/01.png b/source/resources/images/shark3/01.png new file mode 100644 index 0000000..74f79db Binary files /dev/null and b/source/resources/images/shark3/01.png differ 
diff --git a/source/resources/images/shark3/02.png b/source/resources/images/shark3/02.png
new file mode 100644
index 0000000..78958dc
Binary files /dev/null and b/source/resources/images/shark3/02.png differ
diff --git a/source/resources/images/shark3/03.png b/source/resources/images/shark3/03.png
new file mode 100644
index 0000000..c9ec407
Binary files /dev/null and b/source/resources/images/shark3/03.png differ
diff --git a/source/resources/images/shark3/04.png b/source/resources/images/shark3/04.png
new file mode 100644
index 0000000..d8212af
Binary files /dev/null and b/source/resources/images/shark3/04.png differ
diff --git a/source/resources/images/shark3/05.png b/source/resources/images/shark3/05.png
new file mode 100644
index 0000000..5d2aa86
Binary files /dev/null and b/source/resources/images/shark3/05.png differ
diff --git a/source/resources/images/shark3/06.png b/source/resources/images/shark3/06.png
new file mode 100644
index 0000000..ee82d51
Binary files /dev/null and b/source/resources/images/shark3/06.png differ
diff --git a/source/resources/images/shark3/07.png b/source/resources/images/shark3/07.png
new file mode 100644
index 0000000..6b2501e
Binary files /dev/null and b/source/resources/images/shark3/07.png differ
diff --git a/source/resources/images/shark3/08.png b/source/resources/images/shark3/08.png
new file mode 100644
index 0000000..b1c29f7
Binary files /dev/null and b/source/resources/images/shark3/08.png differ
diff --git a/source/resources/images/shark3/09.png b/source/resources/images/shark3/09.png
new file mode 100644
index 0000000..ee1ae35
Binary files /dev/null and b/source/resources/images/shark3/09.png differ
diff --git a/source/resources/images/shark3/10.png b/source/resources/images/shark3/10.png
new file mode 100644
index 0000000..6f0aec2
Binary files /dev/null and b/source/resources/images/shark3/10.png differ
diff --git a/source/resources/images/shark3/11.png b/source/resources/images/shark3/11.png
new file mode 100644
index 0000000..0e901f4
Binary files /dev/null and b/source/resources/images/shark3/11.png differ
diff --git a/source/resources/images/shark3/12.png b/source/resources/images/shark3/12.png
new file mode 100644
index 0000000..7ce27e7
Binary files /dev/null and b/source/resources/images/shark3/12.png differ
diff --git a/source/resources/images/shark3/13.png b/source/resources/images/shark3/13.png
new file mode 100644
index 0000000..7cd336c
Binary files /dev/null and b/source/resources/images/shark3/13.png differ
diff --git a/source/resources/images/shark3/14.png b/source/resources/images/shark3/14.png
new file mode 100644
index 0000000..38aa03b
Binary files /dev/null and b/source/resources/images/shark3/14.png differ
diff --git a/source/resources/images/shark3/15.png b/source/resources/images/shark3/15.png
new file mode 100644
index 0000000..39b3b99
Binary files /dev/null and b/source/resources/images/shark3/15.png differ
diff --git a/source/resources/images/shark3/16.png b/source/resources/images/shark3/16.png
new file mode 100644
index 0000000..3f1b1f3
Binary files /dev/null and b/source/resources/images/shark3/16.png differ
diff --git a/source/resources/images/shark3/17.png b/source/resources/images/shark3/17.png
new file mode 100644
index 0000000..23c30ae
Binary files /dev/null and b/source/resources/images/shark3/17.png differ
diff --git a/source/resources/images/shark3/18.png b/source/resources/images/shark3/18.png
new file mode 100644
index 0000000..91fc277
Binary files /dev/null and b/source/resources/images/shark3/18.png differ
diff --git a/source/resources/images/shark3/19.png b/source/resources/images/shark3/19.png
new file mode 100644
index 0000000..0213c12
Binary files /dev/null and b/source/resources/images/shark3/19.png differ
diff --git a/source/resources/images/shark3/20.png b/source/resources/images/shark3/20.png
new file mode 100644
index 0000000..d9c1b06
Binary files /dev/null and b/source/resources/images/shark3/20.png differ
diff --git a/source/resources/images/shark3/21.png b/source/resources/images/shark3/21.png
new file mode 100644
index 0000000..9768272
Binary files /dev/null and b/source/resources/images/shark3/21.png differ
diff --git a/source/resources/images/shark3/22.png b/source/resources/images/shark3/22.png
new file mode 100644
index 0000000..6fa7083
Binary files /dev/null and b/source/resources/images/shark3/22.png differ
diff --git a/source/resources/images/shark4/01.png b/source/resources/images/shark4/01.png
new file mode 100644
index 0000000..7617698
Binary files /dev/null and b/source/resources/images/shark4/01.png differ
diff --git a/source/resources/images/shark4/02.png b/source/resources/images/shark4/02.png
new file mode 100644
index 0000000..eb551c3
Binary files /dev/null and b/source/resources/images/shark4/02.png differ
diff --git a/source/resources/images/shark4/03.png b/source/resources/images/shark4/03.png
new file mode 100644
index 0000000..c8142cc
Binary files /dev/null and b/source/resources/images/shark4/03.png differ
diff --git a/source/resources/images/shark4/04.png b/source/resources/images/shark4/04.png
new file mode 100644
index 0000000..f2ad286
Binary files /dev/null and b/source/resources/images/shark4/04.png differ
diff --git a/source/resources/images/shark4/05.png b/source/resources/images/shark4/05.png
new file mode 100644
index 0000000..0dd7b34
Binary files /dev/null and b/source/resources/images/shark4/05.png differ
diff --git a/source/resources/images/shark4/06.png b/source/resources/images/shark4/06.png
new file mode 100644
index 0000000..6c67d4b
Binary files /dev/null and b/source/resources/images/shark4/06.png differ
diff --git a/source/resources/images/shark4/07.png b/source/resources/images/shark4/07.png
new file mode 100644
index 0000000..ea13b45
Binary files /dev/null and b/source/resources/images/shark4/07.png differ
diff --git a/source/resources/images/shark4/08.png b/source/resources/images/shark4/08.png
new file mode 100644
index 0000000..3cedbc7
Binary files /dev/null and b/source/resources/images/shark4/08.png differ
diff --git a/source/resources/images/shark4/09.png b/source/resources/images/shark4/09.png
new file mode 100644
index 0000000..79a5cc6
Binary files /dev/null and b/source/resources/images/shark4/09.png differ
diff --git a/source/resources/images/shark4/10.png b/source/resources/images/shark4/10.png
new file mode 100644
index 0000000..53598c7
Binary files /dev/null and b/source/resources/images/shark4/10.png differ
diff --git a/source/resources/images/shark4/11.png b/source/resources/images/shark4/11.png
new file mode 100644
index 0000000..12f21d8
Binary files /dev/null and b/source/resources/images/shark4/11.png differ
diff --git a/source/resources/images/shark4/12.png b/source/resources/images/shark4/12.png
new file mode 100644
index 0000000..6bcde60
Binary files /dev/null and b/source/resources/images/shark4/12.png differ
diff --git a/source/resources/images/shark4/13.png b/source/resources/images/shark4/13.png
new file mode 100644
index 0000000..422f925
Binary files /dev/null and b/source/resources/images/shark4/13.png differ
diff --git a/source/resources/images/shark4/14.png b/source/resources/images/shark4/14.png
new file mode 100644
index 0000000..4cd659c
Binary files /dev/null and b/source/resources/images/shark4/14.png differ
diff --git a/source/resources/images/shark4/15.png b/source/resources/images/shark4/15.png
new file mode 100644
index 0000000..f08969d
Binary files /dev/null and b/source/resources/images/shark4/15.png differ
diff --git a/source/resources/images/shark4/16.png b/source/resources/images/shark4/16.png
new file mode 100644
index 0000000..7d60cf0
Binary files /dev/null and b/source/resources/images/shark4/16.png differ
diff --git a/source/resources/images/shark4/17.png b/source/resources/images/shark4/17.png
new file mode 100644
index 0000000..1033822
Binary files /dev/null and b/source/resources/images/shark4/17.png differ
diff --git a/source/resources/images/shark4/18.png b/source/resources/images/shark4/18.png
new file mode 100644
index 0000000..864494e
Binary files /dev/null and b/source/resources/images/shark4/18.png differ
diff --git a/source/resources/images/shark4/19.png b/source/resources/images/shark4/19.png
new file mode 100644
index 0000000..9527663
Binary files /dev/null and b/source/resources/images/shark4/19.png differ
diff --git a/source/resources/images/sharkfork-10U.pdf b/source/resources/images/sharkfork-10U.pdf
new file mode 100644
index 0000000..45e7e6f
Binary files /dev/null and b/source/resources/images/sharkfork-10U.pdf differ
diff --git a/source/resources/images/sharkfork-21U.png b/source/resources/images/sharkfork-21U.png
new file mode 100644
index 0000000..7cdb994
Binary files /dev/null and b/source/resources/images/sharkfork-21U.png differ
diff --git a/source/resources/images/www-proxmox.png b/source/resources/images/www-proxmox.png
new file mode 100644
index 0000000..d77de2f
Binary files /dev/null and b/source/resources/images/www-proxmox.png differ
diff --git a/source/resources/make-sources-list.sh b/source/resources/make-sources-list.sh
index 0145576..c7c5b2b 100755
--- a/source/resources/make-sources-list.sh
+++ b/source/resources/make-sources-list.sh
@@ -3,40 +3,48 @@ # GPLv3+ # This will generate a list of files to be included as source code. # Then it will generate LaTeX includes. +# A function to jump to application's root, default .../forksand-it-manual +cd $(echo $PWD | sed -e "s/\(.*\/forksand-it-manual\)\/.*/\1/") && echo "current path: $PWD" # XXX Great cruft # Redirect fix XXX # No spaces in filenames, or this may go awry. # Perhaps add QR codes like: -CODEDIR="/home/`id -u -n`/FORKSAND/IT//forksand-it-manual/source/resources" +rootPath=$PWD +CODEDIR="$rootPath/source/resources" cd "$CODEDIR" || exit -TEXOUT="/home/`id -u -n`/FORKSAND/IT/forksand-it-manual/source/Source-gen.tex" +TEXOUT="$rootPath/source/Source-gen.tex" # Build a grep exclude command that has file extensions to not include. -EXCLUDE="\./\.git \.csv$ \.eps \.git$ \.gz$ \.jpg$ \.ods$ \.ods\#$ \.png$ \.pdf$ \.swp$ \.tmp$ \.xml$ \.aux$ \.fuse_hidden*$ \.glo$ \.gls$ \.idx$ \.ilg$ \.ind$ \.lof$ \.log$ \.lol$ _minted-*$ \.old$ \.out$ \.swp$ \.toc$ \.zip$" +EXCLUDE="\./\.git \.csv$ \.eps \.git$ \.gz$ \.jpg$ \.ods$ \.ods\#$ \.png$ \.pdf$ \.swp$ \.tmp$ \.xml$ \.aux$ \.fuse_hidden*$ \.glo$ \.gls$ \.idx$ \.ilg$ \.ind$ \.lof$ \.log$ \.lol$ _minted-*$ \.old$ \.out$ \.swp$ \.toc$ \.zip$ \.*GPLv3*$ LICENSE$ README.md$ \.tar$ \.tar\.bz2$ \.gitignore make-sources-list\.sh$ Thumbs\.db$" EXCLUDEGREP="grep -v -i " for i in $EXCLUDE do EXCLUDEGREP="$EXCLUDEGREP -e $i" done + SRCFILES=`find . 
-type f | sort -V | $EXCLUDEGREP` -rm -f $TEXOUT $SHAOUT SHA256SUM -touch $TEXOUT $SHAOUT SHA256SUM + +rm -f $TEXOUT SHA256SUM +touch $TEXOUT SHA256SUM + # Make checksums # LaTeX files to be rendered for i in $SRCFILES do - #NOUNDER=`echo $i | sed -e 's/_/\\\_/g'` - NOUNDER=`echo $i | sed -e 's/_/\\\_/g' | cut -f 2- -d "/"` - echo "\section{\texttt{$NOUNDER}}" -# echo "\texttt{$NOUNDER} \\\ " - echo "\texttt{SHA256: `sha256sum $i | cut -f 1 -d " "`}" - sha256sum $i >> SHA256SUM -MINTEDPATH=`echo $i | cut -f 2- -d "/"` -MINTEDPATH="resources/$MINTEDPATH" - echo "\inputminted{sh}{$MINTEDPATH}" + # NOUNDER=`echo $i | sed -e 's/_/\\\_/g'` + NOUNDER=`echo $i | sed -e 's/_/\\\\char\\\`_/g' | cut -f 2- -d "/" | sed -e 's/^\(.\{60,75\}\)\//\1\/\\\\\\\\ \\\\qquad\\\\qquad\\\\qquad\.\.\//g'` + # !!! ToDo, apply greedy pattern to second sed's range pattern + echo "\section{\texttt{$NOUNDER}}" + # echo "\texttt{$NOUNDER} \\\ " + echo "\texttt{SHA256: `sha256sum $i | cut -f 1 -d " "`}" + sha256sum $i >> SHA256SUM + MINTEDPATH=`echo $i | cut -f 2- -d "/"` + MINTEDPATH="resources/$MINTEDPATH" + echo "\inputminted{sh}{$MINTEDPATH}" done >> $TEXOUT sort -V SHA256SUM > SHA256SUM.tmp echo "There are `cat SHA256SUM | sort -u | wc -l` source code files included." > STATS echo "There are `cat SHA256SUM.tmp | cut -f 1 -d " " | sort -u | wc -l` unique files." >> STATS + rm SHA256SUM.tmp # Files not rendered
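Review bot: The new root-jump line `cd $(echo $PWD | sed -e "s/\(.*\/forksand-it-manual\)\/.*/\1/") && echo "current path: $PWD"` has no failure handling and leaves the command substitution unquoted, so a `$PWD` containing whitespace word-splits into a `cd` error, and a checkout whose directory is not literally named `forksand-it-manual` (a renamed clone) leaves the sed pattern unmatched, `cd` a no-op and `rootPath` equal to wherever the script happened to be invoked. The script then only fails later at `cd "$CODEDIR" || exit` with a bare cd error instead of a clear message, and `CODEDIR`/`TEXOUT` are derived from an unverified path. Suggest deriving the root first and checking it: `rootPath=$(printf '%s\n' "$PWD" | sed -e "s/\(.*\/forksand-it-manual\)\/.*/\1/")`, `cd "$rootPath" || exit`, dropping the later `rootPath=$PWD`, and quoting `"$TEXOUT"` in the new `rm -f`/`touch` lines. Since `find` output is spliced verbatim into `\section{\texttt{...}}` and `\inputminted{sh}{...}` of the generated TeX, the existing caveat could also be widened to `# No spaces or TeX-special characters ({ } \ % $) in filenames, or this may go awry.`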