Lots of updates, new co-location

master
Jeff Moe 7 years ago
parent 32a3f799c0
commit 252a2ccad4

@ -2,15 +2,15 @@
Fork Sand IT Manual Fork Sand IT Manual
by Fork Sand, Inc. by Jeff Moe
Copyright 2018, Fork Sand, Inc. Copyright 2017, Jeff Moe
Permission is granted to copy, distribute and/or modify this document under Permission is granted to copy, distribute and/or modify this document under
the terms of the Creative Commons Attribution 4.0 International Public License the terms of the Creative Commons Attribution 4.0 International Public License
(CC BY-SA 4.0). (CC BY-SA 4.0).
Published by Fork Sand Inc., Loveland, Colorado, USA. Published by Jeff Moe, Loveland, Colorado, USA.
# Sources # Sources
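Review bot: The license statement in this front matter names the "Creative Commons Attribution 4.0 International Public License" but abbreviates it as "(CC BY-SA 4.0)"; CC BY 4.0 and CC BY-SA 4.0 are different licenses (ShareAlike is an extra condition), so the full name and the abbreviation need to agree. The line is unchanged context here, but since this hunk moves the copyright from Jeff Moe to Fork Sand, Inc., it is the right moment to settle which license the manual is actually published under; the same wording is repeated in the per-file headers elsewhere in this commit.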

@ -2,11 +2,19 @@
# build.sh # build.sh
# GPLv3+ # GPLv3+
set -x set -x
rm -f forksand-it-manual.pdf source/forksand-it-manual.pdf
# A function to jump to application's root, default .../forksand-it-manual
cd $(echo $PWD | sed -e "s/\(.*\/forksand-it-manual\)\/.*/\1/") && echo "current path: $PWD"
rootPath=$PWD
cd source || exit cd source || exit
# Generate Source-gen.tex, for auto source code inclusion # Generate Source-gen.tex, for auto source code inclusion
rm -f forksand-it-manual.pdf ../forksand-it-manual.pdf
time ./resources/make-sources-list.sh time ./resources/make-sources-list.sh
cd ~/FORKSAND/IT/forksand-it-manual/source/ || exit
# A function to jump to application's root, default .../forksand-it-manual
cd $(echo $PWD | sed -e "s/\(.*\/forksand-it-manual\)\/.*/\1/") && echo "current path: $PWD"
cd source/ || exit
# Build main LaTeX file # Build main LaTeX file
# Run BibTeX # Run BibTeX
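Review bot: The new root-finding line `cd $(echo $PWD | sed -e "s/\(.*\/forksand-it-manual\)\/.*/\1/") && echo "current path: $PWD"` cannot fail: when the sed pattern does not match, sed echoes $PWD unchanged and the cd is a no-op, which is right when the script already sits at the checkout root but silently wrong when it is started from anywhere outside a forksand-it-manual checkout, so the later `cd source || exit` is the only guard. Suggest quoting the substitution (`cd "$(...)" || exit 1`) so paths with spaces survive word splitting and a miss is an error rather than an echo. Two smaller points: the same two-line block is pasted twice in this hunk (once before `rootPath=$PWD`, once in place of the removed hard-coded `cd ~/FORKSAND/IT/forksand-it-manual/source/ || exit`), `rootPath` is assigned but never used in the visible lines, and the comment calls the block "A function" although it is inline code.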
@ -19,7 +27,7 @@ xelatex \
-interaction=nonstopmode \ -interaction=nonstopmode \
forksand-it-manual.tex forksand-it-manual.tex
mv *.pdf ../ for i in $(ls *.pdf); do mv -f $i ../$i ; done # in windows every file must be processed explicitly
exit 0 exit 0
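Review bot: Replacing `mv *.pdf ../` with `for i in $(ls *.pdf); do mv -f $i ../$i ; done` trades one portability problem for another: iterating over the output of ls splits on whitespace, the unquoted `$i` breaks on any filename containing a space, and when no PDF exists the glob stays literal, so ls prints an error and the loop body never runs. A plain glob loop gives the per-file behaviour the Windows comment asks for without parsing ls, for example `for i in *.pdf; do [ -e "$i" ] && mv -f "$i" ../; done`. Note also that `-f` silently overwrites any PDF already in the parent directory, which is only safe because the old PDF is removed earlier in the script; say so in the comment.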

@ -0,0 +1,19 @@
#!/bin/bash
# build.sh
# GPLv3+
set -x
# A function to jump to application's root, default .../forksand-it-manual
cd $(echo $PWD | sed -e "s/\(.*\/forksand-it-manual\)\/.*/\1/") && echo "current path: $PWD"
rootPath=$PWD
cd source || exit
rm ./*.aux
rm ./*.l*
rm ./*.glo
rm ./*.idx
rm ./*.out
rm ./*.pyg
rm ./*.toc
rm ./_minted-forksand-it-manual/*.pyg*
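Review bot: Every `rm` in the new clean-up script runs without `-f`, so on a fresh checkout each unmatched glob (for example `rm ./*.glo`) stays literal, rm prints "No such file or directory", and with `set -x` the output is mostly noise; use `rm -f`. The glob `rm ./*.l*` is also broader than the LaTeX by-products it is after (.log, .lof, .lot): it matches any file in source/ whose extension starts with "l", so a future .lua or .ltx file would be deleted as well; list the extensions explicitly. The header comment still reads "# build.sh" although this file only cleans, and it repeats the root-finding `cd $(echo $PWD | sed ...)` from build.sh, which is a no-op when the pattern does not match, leaving `cd source || exit` as the only check before the deletes; quote the substitution and exit on failure, since a wrong working directory here means deleting the wrong files.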

@ -20,7 +20,11 @@ Use \texttt{ansible} for management of servers.
\item DebOps: \url{https://docs.debops.org/en/latest/index.html} \item DebOps: \url{https://docs.debops.org/en/latest/index.html}
\end{itemize} \end{itemize}
\subsection{Build Ansible Debian Package} \subsection{Glossary}
An \texttt{Ansible playbook} is an organized unit of scripts that defines
work for a server configuration managed by the automation tool \texttt{ansible}.
\subsection{Build Ansible Debian Package}\label{ssec:bansdpac}
The version of Ansible is 2.2 in Debian 9 (stable/Stretch). The version of Ansible is 2.2 in Debian 9 (stable/Stretch).
The current stable release is Ansible 2.4. The current stable release is Ansible 2.4.
Below documents how to build a 2.4 package for Debian 9. Below documents how to build a 2.4 package for Debian 9.
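Review bot: The new Glossary entry defines an Ansible playbook as "an organized unit of scripts"; a playbook is a YAML file listing plays (target hosts plus an ordered list of tasks and roles), not a collection of scripts, and since this is the first definition the reader meets it should be worded precisely. The `\label{ssec:bansdpac}` added to the Build subsection is what the new mail and Gitea sections cross-reference, so keep the label attached to that subsection if it is renamed or moved.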
@ -109,3 +113,356 @@ Set up some playbooks, grab examples:
git clone https://github.com/ansible/ansible-examples.git git clone https://github.com/ansible/ansible-examples.git
cd ansible-examples/ cd ansible-examples/
\end{minted} \end{minted}
\section{Ansible Debian Mail}
Assuming \texttt{ansible} is built according to section \ref{ssec:bansdpac}
on p.\pageref{ssec:bansdpac}, the following requirements are met.
\subsection{Requirements}
The following applications are required to utilize this this section objectives.
Ansible can be installed using Python PIP.
\begin{itemize}
\item \texttt{Ansible} 2.4.x+
\item \texttt{Python} 2.7.9+
\textcolor[rgb]{0.80,0.00,0.00}{Todo clarify confusion over version requirements}
\end{itemize}
\subsection{Quick Start}
The following steps will help quickly set up and execute this section objectives.
\texttt{Project Configuration}
The following files need to be edited and configured before executing this playbook.
\begin{table}[!htb]
\caption{Files to be edited} % \label{tab:tech}
\begin{tabular}{|l|l|}
\hline
\multicolumn {1}{|l|}{ File}&
\multicolumn {1}{l|}{ Description} \\ \hline
groups\char`_vars/all.yml & Server credential information and domain variables \\ \hline
inventory.yml & List of server IPs to connect to \\ \hline
\end{tabular}
\end{table}
\texttt{Playbook Execution}
After having configured the server credentials and added the server IP to the inventory, use the following command to execute the playbook.
\begin{minted}{sh}
ansible-playbook -i inventory.yml site.yml`
\end{minted}
\subsection{Project Structure}
The following tree depicts the high level structure of this Ansible project.
\begin{minted}{sh}
|-- ansible.cfg
|-- group_vars
|   -- all.yml
|-- inventory.yml
|-- LICENSE.AGPLv3
|-- LICENSE.GPLv3
|-- README.md
|-- roles
|   |-- dkim_configuration
|   |-- dovecot_configuration
|   |-- fail2ban_configuration
|   |-- letsencrypt_configuration
|   |-- mikegleasonjr.firewall
|   |-- outputs
|   |-- postfix_configuration
|   |-- server_tasks
|   |-- spamassassin_configuration
|   -- sqlgrey_configuration
|-- playbook_execution.log
-- site.yml
\end{minted}
\texttt{File and Directory Descriptions}
The following table consists of a description of what each file and directory stands for.
\begin{table}[!htb]
\caption{File and Directory Descriptions} % \label{tab:tech}
\begin{tabular}{|l|l|}
\hline
\multicolumn {1}{|l|}{ Name}&
\multicolumn {1}{l|}{ Description} \\ \hline
site.yml & Master playbook. Executes all roles in sequential order \\ \hline
inventory.yml & Inventory file containing server IP addresses \\ \hline
ansible.cfg & Ansible configuration file for various Ansible options. \\ \hline
group\char`_vars/ & Group\char`_vars directory contains variable files for the entire group. \\
& The files are named according to the group name. 'all.yml' = group 'all' \\ \hline
group\char`_vars/all.yml & Group variables for the 'all' group. Contains server connection \\
& information along with domain variables \\ \hline
roles/ & Directory containing all roles needed by this project \\ \hline
\end{tabular}
\end{table}
\texttt{Role descriptions}
The following table consists of descriptions of each role and their purpose. The roles listed below are listed in the required order of execution to ensure successful completion of the playbook.
\begin{table}[!htb]
\caption{Role descriptions} % \label{tab:tech}
\begin{tabular}{|l|l|l|}
\hline
\multicolumn {1}{|l|}{Role Name}&
\multicolumn {1}{|l|}{Role Description}&
\multicolumn {1}{l|}{Depends on} \\ \hline
server\char`_tasks & This roles performs all server tasks. Updating & mikebleasonjr.firewall \\
& server, configuring SSH, disable IPv6, etc. & \\
& Depends on the mikegleasonjr.firewall role. & \\ \hline
mikegleasonjr.firewall & This role set up iptables rules. It is called & None \\
& and ran by the server\char`_tasks roles. & \\ \hline
letsencrypt\char`_configuration & This role installs and executes let's encrypt & None \\ \hline
postfix\char`_configuration & This roles installs postfix, configures postfix & letsencrypt\char`_configuration \\
& using postconf, and sets up virtual file, & \\
& master.cf file, and aliases file & \\ \hline
dkim\char`_configuration & This roles installs OpenDKIM, OpenDMARC & None \\
& and configures them. & \\ \hline
dovecot\char`_configuration & This role installs and configures dovecot & letsencrypt\char`_configuration \\ \hline
spamassassin\char`_configuration & This role installs spamassassin. & None \\ \hline
sqlgrey\char`_configuration & This role installs sqlgrey. & None \\ \hline
fail2ban\char`_configuration & This role installs fail2ban. & None \\ \hline
outputs & This role gathers DNS information for the & None \\
& SPF, DMARC, and DKIM records and & \\
& outputs them to the screen. & \\ \hline
\end{tabular}
\end{table}
\subsection{Ansible Logging}
Execution processes described in this section are automatically logged to a file called `playbook-execution.log` in the root directory of the project. The path to this log file can be changed by editing `ansible.cfg` in the project root directory and specifying a different path.
\subsection{Troubleshooting}
Ansible has a built in debug output. Simply run Ansible with a `-v`. There are 5 levels of debug output and they are denoted by the number of v's listed. Each level up provide more debug output than the level before it.
\begin{minted}{sh}
Level 1: `-v`
Level 2: `-vv`
Level 3: `-vvv`
Level 4: `-vvvv`
Level 5: `-vvvvv`
\end{minted}
Example execution with level 3 debug output:
\begin{minted}{sh}
ansible-playbook -i inventory.yml site.yml -vvv
\end{minted}
\section{Ansible Gitea}
Assuming \texttt{ansible} is built according to section \ref{ssec:bansdpac}
on p.\pageref{ssec:bansdpac}, the following requirements are met.
\subsection{Requirements}
The following applications are required to utilize this this section objectives.
Ansible can be installed using Python PIP.
\begin{itemize}
\item \texttt{Ansible} 2.4.x+
\item \texttt{Python} 2.7.9+
\textcolor[rgb]{0.80,0.00,0.00}{Todo clarify confusion over version requirements}
\end{itemize}
\subsection{Quick Start}
The following steps will help quickly set up and execute this section objectives.
\texttt{Project Configuration}
The following files need to be edited and configured before executing this playbook.
\begin{table}[!htb]
\caption{Files to be edited} % \label{tab:tech}
\begin{tabular}{|l|l|}
\hline
\multicolumn {1}{|l|}{ File}&
\multicolumn {1}{l|}{ Description} \\ \hline
roles/gitea/default/main.yml & Variables for Gitea configuration \\
& (default - standalone with sqlite) \\ \hline
roles/nginx/default/main.yml & Variables for Nginx and Letsencrypt configuration \\ \hline
inventory.yml & List of server IPs to connect to \\ \hline
\end{tabular}
\end{table}
\qquad \\
\texttt{Playbook Execution}
After having configured the server credentials and added the server IP to the inventory, use the following command to execute the playbook.
\begin{minted}{sh}
ansible-playbook -i inventory.yml site.yml`
\end{minted}
\subsection{Project Structure}
The following tree depicts the high level structure of this Ansible project.
\begin{minted}{sh}
|-- inventory.yml
|-- LICENSE.AGPLv3
|-- LICENSE.GPLv3
|-- README.md
|-- roles
|   |-- gitea
|   -- nginx
|-- playbook_execution.log
-- site.yml
\end{minted}
\texttt{File and Directory Descriptions}
The following table consists of a description of what each file and directory stands for.
\begin{table}[!htb]
\caption{File and Directory Descriptions} % \label{tab:tech}
\begin{tabular}{|l|l|}
\hline
\multicolumn {1}{|l|}{ Name}&
\multicolumn {1}{l|}{ Description} \\ \hline
site.yml & Master playbook. Executes all roles in sequential order \\ \hline
inventory.yml & Inventory file containing server IP addresses \\ \hline
ansible.cfg & Ansible configuration file for various Ansible options. \\ \hline
roles/ & Directory containing all roles needed by this project \\ \hline
\end{tabular}
\end{table}
\qquad \\
\texttt{Role descriptions}
The following table consists of descriptions of each role and their purpose. The roles listed below are listed in the required order of execution to ensure successful completion of the playbook.
\begin{table}[!htb]
\caption{Role descriptions} % \label{tab:tech}
\begin{tabular}{|l|l|l|}
\hline
\multicolumn {1}{|l|}{Role Name}&
\multicolumn {1}{|l|}{Role Description} \\ \hline
gitea & This roles performs installation and configuration of Gitea server \\ \hline
nginx & This roles performs installation and configuration of Nginx server \\ \hline
\end{tabular}
\end{table}
\texttt{Role parameters}
\qquad \\
\texttt{\qquad Gitea role parameters}
\begin{minted}{sh}
# Application name
gitea_app_name: "Gitea"
# Application gitea_user_repo_limit
gitea_user: "gitea"
# Application home
gitea_home: "/var/lib/gitea"
# Repo Limit
gitea_user_repo_limit: -1
# Domain Name (FOR REVER PROXY LEAVE AS DEFAULT)
gitea_http_domain: localhost
# Gitea url (FOR REVER PROXY LEAVE AS DEFAULT)
gitea_root_url: http://localhost:3000
# Protocol (FOR REVER PROXY LEAVE AS DEFAULT)
gitea_protocol: http
# listen IP (FOR REVER PROXY LEAVE AS DEFAULT)
gitea_http_listen: 127.0.0.1
# Listen port (FOR REVER PROXY LEAVE AS DEFAULT)
gitea_http_port: 3000
# HTTP git Options
gitea_disable_http_git: false
# Offline mode options
gitea_offline_mode: true
\end{minted}
\qquad \qquad DB details
\begin{minted}{sh}
# DB Type 'mysql', 'postgres' or 'sqlite3'
gitea_db_type: sqlite3
# DB host
gitea_db_host: 127.0.0.0:3306
# DB name
gitea_db_name: root
# DB username
gitea_db_user: gitea
# DB password
gitea_db_passord: lel
# DB ssl options
gitea_db_ssl: disable
# DB path (Not needed for postgres and mysql hash it in template file )
gitea_db_path: "{{ gitea_home }}/data/gitea.db"
\end{minted}
\qquad \qquad SSH Details
\begin{minted}{sh}
# SSH Listen IP
gitea_ssh_listen: 0.0.0.0
# SSH domain
gitea_ssh_domain: localhost
# SSH options
gitea_start_ssh: true
# SSH post
gitea_ssh_port: 2222
\qquad \qquad Gitea secret key
\begin{minted}{sh}
# gitea key (GENERATE A NEW KEY)
gitea_secret_key: T0pS3cr31
\end{minted}
\qquad \qquad General Settings
\begin{minted}{sh}
# User email settings
gitea_show_user_email: false
# User avatar settings
gitea_disable_gravatar: true
# User register options
gitea_disable_registration: false
# User signup options
gitea_require_signin: true
# User captcha options
gitea_enable_captcha: true
\end{minted}
\qquad \\
\texttt{\qquad Nginx roles parameters}
\begin{minted}{sh}
# Domain name for the server
nginx_domain_name: "test.hostnats.com"
# Gitea listening port
gitea_http_port: 3000
# letsencrypt email address
letsencrypt_email: "test@example.com"
\end{minted}
\subsection{Ansible Logging}
Execution processes described in this section are automatically logged to a file called `playbook-execution.log` in the root directory of the project. The path to this log file can be changed by editing `ansible.cfg` in the project root directory and specifying a different path.
\subsection{Troubleshooting}
Ansible has a built in debug output. Simply run Ansible with a `-v`. There are 5 levels of debug output and they are denoted by the number of v's listed. Each level up provide more debug output than the level before it.
\begin{minted}{sh}
Level 1: `-v`
Level 2: `-vv`
Level 3: `-vvv`
Level 4: `-vvvv`
Level 5: `-vvvvv`
\end{minted}
Example execution with level 3 debug output:
\begin{minted}{sh}
ansible-playbook -i inventory.yml site.yml -vvv
\end{minted}
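Review bot: The "SSH Details" block in the Gitea role parameters opens `\begin{minted}{sh}` but has no `\end{minted}` before the next heading "\qquad \qquad Gitea secret key", so that heading and the following `\begin{minted}{sh}` are typeset verbatim inside the SSH listing and the secret-key block never becomes its own listing; close the environment after `gitea_ssh_port: 2222`. Further points in this hunk: the key `gitea_db_passord: lel` is misspelt, so a template that reads gitea_db_password will get no value, and `gitea_db_host: 127.0.0.0:3306` names the loopback network address rather than 127.0.0.1; the sample secrets (T0pS3cr31, lel) and `nginx_domain_name: "test.hostnats.com"` should be obvious placeholders like the test@example.com email, because readers copy these defaults files as they are; the "Files to be edited" tables name `roles/gitea/default/main.yml` and `roles/nginx/default/main.yml`, whereas the Ansible role convention is defaults/main.yml; `gitea_disable_registration: false` leaves self-registration open on a default install, which the text should state next to the captcha setting; and `gitea_ssh_listen: 0.0.0.0` exposes the Gitea SSH service on every interface while HTTP stays on 127.0.0.1 behind the proxy, which deserves a sentence. Smaller fixes: both "Playbook Execution" commands end in a stray backtick; the log file is `playbook-execution.log` in the Logging text but playbook_execution.log in both trees; "mikebleasonjr.firewall" in the Depends-on column should be mikegleasonjr.firewall; the Gitea role table declares three columns but fills two; Markdown-style backticks in the Logging and Troubleshooting paragraphs render as opening quotes in LaTeX, so use \texttt{}; and "utilize this this section objectives" appears twice.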

@ -1,51 +0,0 @@
%
% ClusterHardware.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
% Copyright (C) 2017 Aleph Objects, Inc.
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
\section{Cluster Hardware Overview}
The cluster will require rackmountable equipment:
\begin{itemize}
\item GNU/Linux Servers
\end{itemize}
\section{GNU/Linux Servers}
The servers will all run Debian GNU/Linux
\subsection{Denver Server List}
\begin{itemize}
\item \texttt{oc1.forksand.com} --- KVM host.
\item \texttt{rd1.forksand.com} --- Misc.
\end{itemize}
\section{Network Hardware}
The network switches do not run free software.
\section{Disk Drives}
The disk drives do not run free software.
\begin{itemize}
\item Hard drive platters, 7200 RPM, 2.5" and 3.5"
\item SSD
\item NVMe
\end{itemize}
\section{Suppliers}
Who we'll get hardware from.
\begin{itemize}
\item Pogo Linux --- Debian GNU/Linux Servers, USA.
\item Viking.net --- Coreboot Opteron servers in Germany.
\item raptorcs.com --- POWER9, custom Coreboot systems (?), USA.
\end{itemize}

@ -24,7 +24,7 @@ What is the network doing?
% %
% Authentication % Authentication
\section{Overview} \section{Authentication}
Two-factor authentication using TOTP. Two-factor authentication using TOTP.
% %
@ -48,7 +48,7 @@ Some resellers:
Various LAN Various LAN
\item (Hot swap?) Dual Power Supplies \item (Hot swap?) Dual Power Supplies
\item (How swap?) RAID (Linux md), with SSD storage. \item (How swap?) RAID (Linux md), with SSD storage.
\item 2.5" drive bays \item 2.5'' drive bays
\item Total ~8GHz CPU \item Total ~8GHz CPU
\item ~8-16 gigs RAM ? Depends on OS. \item ~8-16 gigs RAM ? Depends on OS.
\item Two servers total, for standby/failover \item Two servers total, for standby/failover
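Review bot: "(How swap?)" on the RAID line is almost certainly "(Hot swap?)", matching the power-supply line directly above it; since the adjacent drive-bays line is being edited for the inch mark (`2.5"` to `2.5''`, which is the correct LaTeX form), fix that typo in the same pass.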
@ -108,6 +108,7 @@ Notes on some requirements in a firewall.
\section{Firewall Operating Systems in Use} \section{Firewall Operating Systems in Use}
\subsection{Debian} \subsection{Debian}
\href{https://www.debian.org/}{Debian} \href{https://www.debian.org/}{Debian}
Debian is used for nearly everything. It could easily be used as a Debian is used for nearly everything. It could easily be used as a
@ -118,6 +119,50 @@ Linux's iptables is used on servers.
\begin{figure}[h!] \begin{figure}[h!]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-debian.png} \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-debian.png}
\caption{Debian Website} \caption{Debian Website}
\label{fig:www-debian} \label{fig:www-debian-in-firewalls-chapter}
\end{figure} \end{figure}
\subsection{Proxmox setups iptables-firewall}
During Proxmox installation on the nodes, firewall is being confugured.
Some of nodes configurations can be found in chapter Free software under
path apps/forksand-nodes-bootstrap/...
especially in two of files is mentioned:
\begin{minted}{sh}
# Firewalling is done through Proxmox.
cd /etc ; git add . ; git commit -a -m 'Use SharkTech NTP (others firewalled).'
\end{minted}
\begin{minted}{sh}
# Enable firewall.
# Datacenter --> shark4 (host) --> Firewall --> Add.
# Enable firewall for datacenter:
# Datacenter --> Firewall --> Options --> Firewall --> Yes
# Datacenter --> Firewall --> Options --> Firewall --> Yes
# Enable firewall for shark4:
# Datacenter --> Firewall --> Add.
\end{minted}
\textcolor[rgb]{0.80,0.00,0.00}{
Todo check other nodes, add other shark nodes if similar iptables-firewall related configs. \\
Find out why mention of firewall in hk1 node is discarded.
}
\begin{minted}{sh}
# Enable firewall.
# Datacenter --> truck (host) --> Firewall --> Add.
# Enable firewall for datacenter:
# Datacenter --> Firewall --> Options --> Firewall --> Yes
# Datacenter --> Firewall --> Options --> Firewall --> Yes
# Enable firewall for truck:
# Datacenter --> Firewall --> Add.
\end{minted}
Also Nextcloud chapter mentiones configs of iptables firewall \ref{ssec:nextcloudfirewall} on p.\pageref{ssec:nextcloudfirewall}.
Also certain Ansible including virtual machines enable iptables configuratiion.
For example ansible-debian-male contains mikegleasonjr.firewall.
\href{https://github.com/mikegleasonjr/ansible-role-firewall}{
ansible firewall\char`_v4\char`_configure example on github
}
May be browsed in Free software chapter under path apps/ansible-debian-mail/roles/
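Review bot: Renaming the figure label from `fig:www-debian` to `fig:www-debian-in-firewalls-chapter` breaks any `\ref{fig:www-debian}` elsewhere in the manual unless those references are updated in this commit; grep for the old label. In the new Proxmox subsection, the two click-path listings each repeat "# Datacenter --> Firewall --> Options --> Firewall --> Yes" twice and record only that the firewall was switched on, not which rules were in place before enabling it (the first listing's commit message only mentions NTP being firewalled), so a reader following them cannot reproduce a node's ruleset; state the rules or point at where they are kept. Typos to fix: "confugured", "mentiones", "configuratiion", "Some of nodes configurations", and "ansible-debian-male", which should be ansible-debian-mail as written three lines later; the `\href{...}{` text also has line breaks inside its braces that typeset as extra spaces.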

@ -0,0 +1,496 @@
%
% Source.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
% Copyright (C) 2017 Aleph Objects, Inc.
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
\section{Hardware}
\subsection{Cluster Evolution}
Forksand started deployment on dedicated servers.
\vspace{0.6cm}
First stage. Exclusively dedicated servers (deprecated)
\vspace{0.4cm}
\centering
\includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm]
{sharkfork-cabling-1-dedicated-vlan.pdf} \\ %
%
\vspace{0.2cm}
\raggedright
Second stage. Dedicated servers along with a colocation
cabinet. Flat hierarchy. (deprecated)
\vspace{0.1cm}
In progress, services were being migrated one after another to
a colocation instance. On the next stage hierarchy becomes vertical. \\
\vspace{0.1cm}
\centering
\includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm]
{sharkfork-cabling-2-mixed-vlan.pdf} \\ %
%
\raggedright
Third stage. Dedicated servers buffered by
a colocation cabinet. Vertical hierarchy. (deprecated)
\vspace{0.4cm}
\centering
\includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm]
{sharkfork-cabling-3-colo-dedicated.pdf} \\ %
%
\vspace{0.2cm}
\raggedright
Fourth stage. Dedicated servers discarded.
Colocation cabinet buffered only with a firewall. (current)
\vspace{0.4cm}
\centering
\includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm]
{sharkfork-cabling-4-final-colocation.pdf} \\ %
%
\vspace{0.2cm}
\raggedright
Final stage. Firewall discarded. Single colocation cabinet. (in process)
\vspace{0.4cm}
\centering
%\includegraphics[width=115mm,trim=10mm 10mm 10mm 10mm]
%{sharkfork-cabling-4-single-colocation.pdf} \\ %
%
\raggedright
\newpage
\section{Cluster Hardware Overview}
The cluster will require rackmountable equipment:
\begin{itemize}
\item GNU/Linux Servers
\end{itemize}
\begin{minipage}{0.9\textwidth}
\subsection{Sharkfork 21U hardware instance} \label{sec:hardware-sharkfork-21U}
%\includepdf[width=150mm,offset=0 15,clip]
%{sharkfork-21U.pdf}
\includegraphics[keepaspectratio=true,height=0.80\textheight,width=150mm,angle=0]
{sharkfork-21U.png}
% \vspace{150mm}
\label{fig:sharkfork-21U}
%\vspace{60mm}
\end{minipage}
\newpage
%\subsubsection{Sharkfork 21U detail hardware description} \label{sec:hardware-description-sharkfork-21U}
\definecolor{secondary-brown}{HTML}{F3E2C3} % HEX # F3E2C3 R:243 G:226 B:195 C:0 M:7 Y:20 K:5
\definecolor{primary-blue}{HTML}{A1F4FF} % HEX # A1F4FF R:161 G:244 B:255 C:37 M:4 Y:0 K:0
\definecolor{primary-brown}{HTML}{B07E3B} % HEX # B07E3B R:176 G:126 B:56 C:0 M:28 Y:68 K:31
\definecolor{nonbrand-dark-blue}{HTML}{184B6D} % HEX # 184B6D R:19 G:70 B:109 C:0 M:28 Y:68 K:31
\newcommand{\nodeUnitName}[4]{
\rowcolor{#3}\vspace{-1pt}
{{\grenewcommand{\currentColor}{#3}}}
{{\grenewcommand{\currentTextColor}{#4}}}
\Large{\textcolor{#4}{#1}} & \rule[-0.5em]{0pt}{1.8em} \Large{\textcolor{#4}{#2}} \\
\rowcolor{#3}\vspace{-1pt}
}
\newcommand{\nodeUnitParameter}[1]{
\rule[1.0em]{0pt}{-1em} & \small{\textcolor{\currentTextColor}{ - #1}} \\
\rowcolor{\currentColor}\vspace{-1pt}
}
\newcommand{\nodeUnitLastParameter}[1]{
\rule[-0.5em]{0pt}{0em} & \small{\textcolor{\currentTextColor}{ - #1}} \\
\tabucline[0.2pt]{1-2}
}
\newcommand{\nodeUnitSetItem}[2]{
\rowcolor{\currentColor}\vspace{-1pt}
\rule[-0.3em]{0pt}{0em}\small{\textcolor{\currentTextColor}{ ~#1}} & \small{\textcolor{\currentTextColor}{#2}} \\
\tabucline[0.2pt]{1-2}
}
\newcommand{\nodeUnitSetLastItem}[2]{
\rowcolor{\currentColor}\vspace{-1pt}
\rule[-0.3em]{0pt}{0em}\small{\textcolor{\currentTextColor}{ ~#1}} & \small{\textcolor{\currentTextColor}{#2}} \\
\tabucline[2pt]{1-2}
}
%\newcommand{\nodeUnitSetNotes}[2]{
% \pickColor{#2}
% \rule[-0.3em]{0pt}{0em}\small{Notes:} & \small{#1} \\ \tabucline[2pt]{1-2}
%}
\newcommand{\currentColor}{secondary-brown}
\newcommand{\currentTextColor}{secondary-brown}
\begin{table}[!htb]
%\caption{IP configs of nodes} \label{tab:sharkNodeIPConfig}
\begin{tabu}{|[2pt]l|[2pt]p{14.5cm}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} Qty}&
\multicolumn {1}{p{13cm}|[2pt]}{ Description} \\ \tabucline[2pt]{1-2}
%%% UNIT %%%
% Unit name
\nodeUnitName{2}{Iris FW1100 - Firewall System}{secondary-brown}{ao-black}
% Unit configuration parameters
\nodeUnitParameter{ 1U Form Factor ~~- Single Intel Xeon D-1587 CPU }
\nodeUnitParameter{ Up to 128GB DDR4 ECC Reg Memory }
\nodeUnitParameter{ Dual 10G SFP+ and Six Gigabit Ethernet }
\nodeUnitLastParameter{ 400W Platinum Level Redundant Power Supply }
% Unit has a set of components parameters
\nodeUnitSetItem {2}{ 8GB DDR4 2666MHz ECC Registered DIMM }
%\nodeUnitSetItem {1}{ No Operating System. Include testing%
% and customer OS preference in notes. }
%\nodeUnitSetItem {1}{ Return to Depot Warranty (3 Year Hardware%
% Warranty with Standard Advance Parts Replacement) }
\nodeUnitSetItem {1}{ 128GB SATA DOM }
\nodeUnitSetLastItem {1}{ Intel 10G Dual Port RJ45 Ethernet Adapter }
% Unit ends with notes, pass "none" parameter if no notes
%\nodeUnitSetNotes { none }
%%% END UNIT %%%
%%% UNIT %%%
% Unit name
\nodeUnitName{1}{Iris NV2225}{primary-blue}{ao-black}
% Unit configuration parameters
\nodeUnitParameter{ 2U Form Factor ~~- Dual Intel Xeon SP Processor }
\nodeUnitParameter{ Up to 768GB DDR4 2133MHz ECC Registered Memory }
\nodeUnitParameter{ Integrated IPMI 2.0 + KVM with dedicated LAN }
\nodeUnitParameter{ Intel x550 Quad port 10G Ethernet }
\nodeUnitLastParameter{ 1600W Redundant High-efficiency Power Supply }
% Unit has a set of components parameters
\nodeUnitSetItem{2}{ Intel Xeon Gold 5115 10C 2.4GHz 13.75MB Cache }
\nodeUnitSetItem{1}{ 128GB DDR4 2666MHz ECC Reg (4 x 32GB) }
\nodeUnitSetItem{1}{ Samsung 960 EVO M.2 NVME SSD 500GB }
\nodeUnitSetItem{4}{ Ultrastar SN200 800GB NVMe SSD }
%\nodeUnitSetItem{1}{ No Operating System. Include testing and customer%
% OS preference in notes. }
%\nodeUnitSetItem{1}{ Return to Depot Warranty (3 Year Hardware Warranty%
% with Standard Advance Parts Replacement) }
\nodeUnitSetLastItem{1}{ Intel 10G Dual Port RJ45 Ethernet Adapter }
% Unit ends with notes, pass "none" parameter if no notes
%\nodeUnitSetNotes { none }
%%% END UNIT %%%
%%% UNIT %%%
% Unit name
\nodeUnitName{2}{Iris 1292-R4T}{primary-brown}{ao-black}
% Unit configuration parameters
\nodeUnitParameter{ 1U Form Factor ~~- Dual Intel Xeon SP Processors }
\nodeUnitParameter{ Intel C620 Chipset with QPI up to 9.6GT/sec }
\nodeUnitParameter{ Up to 768GB DDR4 2666MHz ECC Registered Memory }
\nodeUnitParameter{ Integrated IPMI 2.0 + KVM with dedicated LAN }
\nodeUnitParameter{ Intel Quad-port 10GBaseT Ethernet Controller }
\nodeUnitParameter{ 4 x 3.5'' Hot-swap Drive Bays For customizable Storage }
\nodeUnitLastParameter{ 750W Redundant Power Supply }
% Unit has a set of components parameters
\nodeUnitSetItem{2}{ Intel Xeon Silver 4110 8C 2.1GHz 11MB Cache }
\nodeUnitSetItem{1}{ 128GB DDR4 2666MHz ECC Reg (8 x 16GB) }
\nodeUnitSetItem{4}{ HGST Ultrastar 6TB 7200RPM SATA 6Gb/s }
%\nodeUnitSetItem{1}{ No Operating System. Include testing and customer%
% OS preference in notes. }
%\nodeUnitSetItem{1}{ Return to Depot Warranty (3 Year Hardware Warranty%
% with Standard Advance Parts Replacement) }
\nodeUnitSetLastItem{1}{ Intel 10G Dual Port RJ45 Ethernet Adapter }
% Unit ends with notes, pass "none" parameter if no notes
%\nodeUnitSetNotes { none }
%%% END UNIT %%%
%%% UNIT %%%
% Unit name
\nodeUnitName{2}{Iris NV1211}{nonbrand-dark-blue}{ao-white}
% Unit configuration parameters
\nodeUnitParameter{ 1U Form Factor ~~- Dual Intel Xeon SP Processor }
\nodeUnitParameter{ Up to 1534GB DDR4 2400MHz ECC Registered Memory }
\nodeUnitParameter{ Integrated IPMI 2.0 + KVM with dedicated LAN }
\nodeUnitParameter{ Intel x540 Dual-port 10Gigabit Ethernet }
\nodeUnitParameter{ 10 x 2.5'' Solid State NVMe Disks }
\nodeUnitLastParameter{ 1000W Redundant High-efficiency Power Supply }
% Unit has a set of components parameters
\nodeUnitSetItem{2}{ Intel Xeon Silver 4114 10C 2.2GHz 13.75MB Cache }
\nodeUnitSetItem{1}{ 64GB DDR4 2666MHz ECC Reg (4 x 16GB) }
\nodeUnitSetItem{1}{ Samsung 960 EVO M.2 NVME SSD 500GB }
\nodeUnitSetItem{6}{ Ultrastar SN200 800GB NVMe SSD }
% \nodeUnitSetItem{1}{ No Operating System. Include testing and customer%
% OS preference in notes. }
% \nodeUnitSetItem{1}{ Return to Depot Warranty (3 Year Hardware Warranty%
% with Standard Advance Parts Replacement) }
\nodeUnitSetLastItem{1}{ Intel X710 Converged Network Adapter Quad-port 10GBaseT }
% Unit ends with notes, pass "none" parameter if no notes
%\nodeUnitSetNotes { none }
%%% END UNIT %%%
\end{tabu}
\end{table}
Notes applicable to all units:
{ 1. No Operating System. Include testing and customer OS preference in notes. }
{ 2. Return to Depot Warranty (3 Year Hardware Warranty with Standard Advance Parts Replacement) }
\newpage
\section{GNU/Linux Servers}
The servers will all run Debian GNU/Linux
\subsection{Denver Server List}
\begin{itemize}
\item \texttt{oc1.forksand.com} --- KVM host.
\item \texttt{rd1.forksand.com} --- Misc.
\end{itemize}
\vspace{10mm}
\texttt{\qquad oc1.forksand.com parameters}
\begin{minted}{sh}
Full Network:
70.39.125.64/27 Network
70.39.125.65 Gateway
70.39.125.66 AVAILABLE
70.39.125.94 AVAILABLE
70.39.125.95 Broadcast
255.255.255.224 Netmask
Break the main IP into a /30
# Main network interface
# 2 IPs
70.39.125.64/30 Network
70.39.125.65 Gateway
70.39.125.66 oc1
70.39.125.67 Broadcast
255.255.255.252 Netmask
# vmbr0 Bridge 0 with 2 IPs
70.39.125.68/30 Network
70.39.125.69 vmbr0 gateway
70.39.125.70 AVAILABLE
70.39.125.71 Broadcast
255.255.255.252 Netmask
# vmbr1 Bridge 1 with 6 IPs
70.39.125.72/29 Network
70.39.125.73 vmbr1 gateway
70.39.125.74 AVAILABLE
70.39.125.76 test99
70.39.125.78 AVAILABLE
70.39.125.79 Broadcast
255.255.255.248 Netmask
# vmbr2 Bridge 2 with 14 IPs
70.39.125.80/28 Network
70.39.125.81 vmbr2 gateway
70.39.125.92 AVAILABLE
70.39.125.94 AVAILABLE
70.39.125.95 Broadcast
255.255.255.240 Netmask
\end{minted}
\newpage
\texttt{\qquad rd1.forksand.com parameters}
\begin{minted}{sh}
Full Network:
174.128.229.128/27 Network
174.128.229.129 Gateway
174.128.229.130 Main rd1 IP
174.128.229.131 AVAILABLE
174.128.229.158 AVAILABLE
174.128.229.159 Broadcast
255.255.255.224 Netmask
Break the main network into a /30
# Main network interface
# 2 IPs
174.128.229.128/30 Network
174.128.229.129 Gateway
174.128.229.130 oc1
174.128.229.131 Broadcast
255.255.255.252 Netmask
# vmbr0 Bridge 0 with 2 IPs
174.128.229.132/30 Network
174.128.229.133 vmbr0 gateway
174.128.229.134 AVAILABLE
174.128.229.135 Broadcast
255.255.255.252 Netmask
# vmbr1 Bridge 1 with 6 IPs
174.128.229.136/29 Network
174.128.229.137 vmbr1 gateway
174.128.229.138 AVAILABLE
174.128.229.140 test99
174.128.229.142 AVAILABLE
174.128.229.143 Broadcast
255.255.255.248 Netmask
# vmbr2 Bridge 2 with 14 IPs
174.128.229.144/28 Network
174.128.229.145 vmbr2 gateway
174.128.229.156 AVAILABLE
174.128.229.158 AVAILABLE
174.128.229.159 Broadcast
255.255.255.240 Netmask
\end{minted}
\section{Network Hardware}
The network switches do not run free software.
\section{Disk Drives}
The disk drives do not run free software.
\begin{itemize}
\item Hard drive platters, 7200 RPM, 2.5'' and 3.5''
\item SSD
\item NVMe
\end{itemize}
\section{Suppliers}
Who we'll get hardware from.
\begin{itemize}
\item Pogo Linux --- Debian GNU/Linux Servers, USA.
\item Viking.net --- Coreboot Opteron servers in Germany.
\item raptorcs.com --- POWER9, custom Coreboot systems (?), USA.
\end{itemize}
\newcommand{\includescreen}[3]{
\begin{figure}[!ht]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{#1}
\caption{#2}
#3
\end{figure}
}
\section{Shark nodes configuration. Using an example Shark2}
%\includescreen{shark2/01.png}{Log in to admin-webview}{}
\includescreen{shark2/02.png}{Log in to admin-webview}{\label{fig:shark2login}}
%\includescreen{shark2/03.png}{Logged in to admin-webview. Notification of no valid subscription}{}
%\includescreen{shark2/04.png}{Browse Datacenter, log hidden}{\label{fig:shark2browsedatacenter}}
%\includescreen{shark2/05.png}{Browse shark2 Node}{\label{fig:shark2browsenode}}
\includescreen{shark2/06.png}{Browse shark2 Network}{\label{fig:shark2network}}
%\includescreen{shark2/07.png}{Select first shark2 Network device}{}
\includescreen{shark2/08.png}{Edit first shark2 Network device}{}
\includescreen{shark2/09.png}{Cleanup first shark2 Network device}{\label{fig:shark2cleanupnetdevice1}}
\includescreen{shark2/10.png}{Browse shark2 Network}{}
\includescreen{shark2/11.png}{Create shark2 Linux Bridge}{\label{fig:shark2linuxbridge}}
%\includescreen{shark2/12.png}{Create shark2 Linux Bridge}{}
\includescreen{shark2/13.png}{Create shark2 Linux Bridge}{}
\begin{table}[!htb]
\caption{IP configs of nodes} \label{tab:sharkNodeIPConfig}
\begin{tabular}{|l|l|l|l|}
\hline
\multicolumn {1}{|l|}{ Parameter}&
\multicolumn {1}{l|}{ Shark2}&
\multicolumn {1}{l|}{ Shark3}&
\multicolumn {1}{l|}{ Shark4} \\ \hline
Linux bridge & & & \\ %\hline
Name & vmbr0 & vmbr0 & vmbr0 \\ %\hline
IP address & 174.128.229.130 & 70.39.103.218 & 70.39.103.210 \\ %\hline
Subnet mask & 255.255.255.224 & 255.255.255.248 & 255.255.255.248 \\ %\hline
Gateway & 174.128.229.129 & 70.39.103.217 & 70.39.103.209 \\ %\hline
Bridge ports & enp2s0 & enp3s0 & enp3s0 \\ \hline
Network Device & & & \\ %\hline
Name & enp3s0 & enp4s0 & enp4s0 \\ %\hline
IP address & 10.2.2.2 & 10.2.2.3 & 10.2.2.4 \\ %\hline
Subnet mask & 255.255.255.0 & 255.255.255.0 & 255.255.255.0 \\ \hline
Network Device & & & \\ %\hline
Name & enp4s0 & enp5s0 & enp5s0 \\ %\hline
IP address & 10.99.99.2 & 10.99.99.3 & 10.99.99.4 \\ %\hline
Subnet mask & 255.255.255.0 & 255.255.255.0 & 255.255.255.0 \\ \hline
\end{tabular}
\end{table}
\includescreen{shark2/14.png}{Browse shark2 Network}{}
%\includescreen{shark2/15.png}{Select second shark2 Network device}{}
%\includescreen{shark2/16.png}{Edit second shark2 Network device}{}
\includescreen{shark2/17.png}{Edit second on the list shark2 Network device}{}
%\includescreen{shark2/18.png}{Browse shark2 Network}{}
%\includescreen{shark2/19.png}{Select third shark2 Network device}{}
%\includescreen{shark2/20.png}{Edit third shark2 Network device}{}
\includescreen{shark2/21.png}{Edit third on the list shark2 Network device}{}
\begin{table}[!htb]
\caption{IP configs of nodes, duplicate of table \ref{tab:sharkNodeIPConfig}} % \label{tab:sharkLinuxBridge}
\begin{tabular}{|l|l|l|l|}
\hline
\multicolumn {1}{|l|}{ Parameter}&
\multicolumn {1}{l|}{ Shark2}&
\multicolumn {1}{l|}{ Shark3}&
\multicolumn {1}{l|}{ Shark4} \\ \hline
Linux bridge & & & \\ %\hline
Name & vmbr0 & vmbr0 & vmbr0 \\ %\hline
IP address & 174.128.229.130 & 70.39.103.218 & 70.39.103.210 \\ %\hline
Subnet mask & 255.255.255.224 & 255.255.255.248 & 255.255.255.248 \\ %\hline
Gateway & 174.128.229.129 & 70.39.103.217 & 70.39.103.209 \\ %\hline
Bridge ports & enp2s0 & enp3s0 & enp3s0 \\ \hline
Network Device & & & \\ %\hline
Name & enp3s0 & enp4s0 & enp4s0 \\ %\hline
IP address & 10.2.2.2 & 10.2.2.3 & 10.2.2.4 \\ %\hline
Subnet mask & 255.255.255.0 & 255.255.255.0 & 255.255.255.0 \\ \hline
Network Device & & & \\ %\hline
Name & enp4s0 & enp5s0 & enp5s0 \\ %\hline
IP address & 10.99.99.2 & 10.99.99.3 & 10.99.99.4 \\ %\hline
Subnet mask & 255.255.255.0 & 255.255.255.0 & 255.255.255.0 \\ \hline
\end{tabular}
\end{table}
\includescreen{shark2/22.png}{Browse shark2 Network}{}
%\includescreen{shark2/23.png}{Browse shark2 node}{}
\includescreen{shark2/24.png}{Restart shark2 node}{}
%\clearpage % avoid LaTeX Error: Too many unprocessed floats.
%\section{Shark3 configuration}
%
%\includescreen{shark3/01.png}{Log in to admin-webview}{\label{fig:shark3login}}
%\includescreen{shark3/02.png}{Logged in to admin-webview. Notification of no valid subscription}{}
%\includescreen{shark3/03.png}{Browse Datacenter, log hidden}{\label{fig:shark3browsedatacenter}}
%\includescreen{shark3/04.png}{Browse Shark3 Node}{\label{fig:shark3browsenode}}
%\includescreen{shark3/05.png}{Shark3 Network}{\label{fig:shark3network}}
%\includescreen{shark3/06.png}{Browse Shark3 Network}{}
%\includescreen{shark3/07.png}{Select first Shark3 Network device}{}
%\includescreen{shark3/08.png}{Edit first Shark3 Network device}{}
%\includescreen{shark3/09.png}{Cleanup first Shark3 Network device}{\label{fig:shark3cleanupnetdevice1}}
%\includescreen{shark3/10.png}{Create Shark3 Linux Bridge}{\label{fig:shark3linuxbridge}}
%\includescreen{shark3/11.png}{Create Shark3 Linux Bridge}{}
%\includescreen{shark3/12.png}{Create Shark3 Linux Bridge}{}
%\includescreen{shark3/13.png}{Create Shark3 Linux Bridge}{}
%\includescreen{shark3/14.png}{Select second Shark3 Network device}{}
%\includescreen{shark3/15.png}{Edit second Shark3 Network device}{}
%\includescreen{shark3/16.png}{Edit second Shark3 Network device}{}
%\includescreen{shark3/17.png}{Select third Shark3 Network device}{}
%\includescreen{shark3/18.png}{Edit third Shark3 Network device}{}
%\includescreen{shark3/19.png}{Edit third Shark3 Network device}{}
%\includescreen{shark3/20.png}{Edit third Shark3 Network device}{}
%\includescreen{shark3/21.png}{Browse Shark3 node}{}
%\includescreen{shark3/22.png}{Restart Shark3 node}{}
%
%\clearpage % avoid LaTeX Error: Too many unprocessed floats.
%\section{Shark4 configuration}
%
%
%\includescreen{shark4/01.png}{Log in to admin-webview}{}
%\includescreen{shark4/02.png}{Log in to admin-webview}{\label{fig:shark4login}}
%\includescreen{shark4/03.png}{Browse Datacenter}{\label{fig:shark4browsedatacenter}}
%\includescreen{shark4/04.png}{Browse Datacenter, log hidden}{}
%\includescreen{shark4/05.png}{Browse Shark4 Node}{\label{fig:shark4browsenode}}
%\includescreen{shark4/06.png}{Shark4 Network}{\label{fig:shark4network}}
%\includescreen{shark4/07.png}{Select first Shark4 Network device}{}
%\includescreen{shark4/08.png}{Edit first Shark4 Network device}{}
%\includescreen{shark4/09.png}{Cleanup first Shark4 Network device}{\label{fig:shark4cleanupnetdevice1}}
%\includescreen{shark4/10.png}{Create Shark4 Linux Bridge}{\label{fig:shark4linuxbridge}}
%\includescreen{shark4/11.png}{Create Shark4 Linux Bridge}{}
%\includescreen{shark4/12.png}{Select second Shark4 Network device}{}
%\includescreen{shark4/13.png}{Select second Shark4 Network device}{}
%\includescreen{shark4/14.png}{Edit second Shark4 Network device}{}
%\includescreen{shark4/15.png}{Edit second Shark4 Network device}{}
%\includescreen{shark4/16.png}{Select second Shark4 Network device}{}
%\includescreen{shark4/17.png}{Edit second Shark4 Network device}{}
%\includescreen{shark4/18.png}{Edit second Shark4 Network device}{}
%\includescreen{shark4/19.png}{Restart Shark4 node}{}
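Review bot: the second `\begin{table}` after the shark2/21.png screenshot is a byte-for-byte copy of the IP-config table labelled `tab:sharkNodeIPConfig`, and its caption already says so ("duplicate of table \ref{tab:sharkNodeIPConfig}") while its own `\label` is commented out; drop the copy and put `see Table~\ref{tab:sharkNodeIPConfig}` next to that screenshot instead, so the two copies cannot drift apart the next time an address or bridge port changes. Two smaller points in the same hunk: `\newcommand{\includescreen}` is defined in the document body right after the Suppliers list rather than in the preamble, so it is only available to files included after this one, and its `height=1.10\textheight` lets a screenshot run past the page (1.00\textheight or less fits). The "(?)" in the raptorcs.com supplier line should be resolved or turned into an explicit TODO.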

@ -1,197 +0,0 @@
%
% OpenNebula.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
% Copyright (C) 2017 Aleph Objects, Inc.
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
% XXX TODO: opennebula-sunstone-login.png
\section{Overview}
OpenNebula is a virtual machine manager.
The private cloud deployment will be based on OpenNebula version 5.4, which
is currently in beta. There are only Debian 8 (Jessie, oldstable) releases.
Debian hasn't packaged OpenNebula since wheezy. It has it in sid, but even
that is an old version. The only packages available for Debian are the
upstream ones for Jessie made by OpenNebula. UPDATE: although it isn't listed
on their website, it does appear their are Debian 9 (Stretch) builds of
OpenNebula for the betas of the forthcoming 5.4 version, which is great.
Documentation:
\url{https://docs.opennebula.org/5.4/}
\begin{figure}[h!]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-opennebula.png}
\caption{OpenNebula Website}
\label{fig:www-opennebula}
\end{figure}
\begin{itemize}
\item Website: \\ \url{https://opennebula.org/}
\item Debian Stretch Repo: \\
\url{http://downloads.opennebula.org/repo/5.4/Debian/9/pool/opennebula/}
\end{itemize}
The following servers will be deployed to host OpenNebula and the KVMs:
\begin{itemize}
\item \texttt{waz-kvm-001.forksand.com} --- Virtual Machine Server 1
\item \texttt{waz-kvm-002.forksand.com} --- Virtual Machine Server 2
\item \texttt{waz-kvm-003.forksand.com} --- Virtual Machine Server 3
\item \texttt{waz-kvm-004.forksand.com} --- Virtual Machine Server 4
\item \texttt{waz-kvm-005.forksand.com} --- Virtual Machine Server 5
\item \texttt{waz-sun-001.forksand.com} --- OpenNebula Sunstone Web GUI 1
\item \texttt{waz-sun-002.forksand.com} --- OpenNebula Sunstone Web GUI 2
\end{itemize}
\subsection{Virtual Machine Servers}
KVM virtual machine servers. Fast CPU, with lots of RAM. Uses Ceph to store
virtual images.
\subsection{Sunstone Web GUI Servers}
Sunstone is OpenNebula's Web GUI for administration of the cluster.
\begin{figure}[h!]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{opennebula-sunstone.png}
\caption{OpenNebula Sunstone Web Admin GUI}
\label{fig:opennebula-sunstone}
\end{figure}
\begin{minted}{sh}
wget -q -O- https://downloads.opennebula.org/repo/repo.key | apt-key add -
echo "deb http://downloads.opennebula.org/repo/5.4/Debian/9 stable opennebula" > /etc/apt/sources.list.d/opennebula.list
apt update
apt -y install opennebula-node
service libvirtd restart
\end{minted}
\section{Bugs}
Things that are bugs or at least aren't configured correctly.
\section{Sunstone Configuration}
At this point, you should have the OpenNebula Sunstone server up and running.
See scripts in \texttt{source/resources/ns24} for automation.
\begin{enumerate}
\item Set up ssh tunnel (use Sunstone server name for ns24):
Code: \\ \texttt{ssh -N -C -L 9869:localhost:9869 ns24}
\item In workstation, open browser to url:
URL: \\ \url{http://localhost:9869/}
Info: \\ This goes through the encrypted SSH tunnel, but doesn't use https.
\item Click \texttt{OpenNebula} in the upper right to get the full web console.
\item Click \texttt{Infrastructure}.
\item Click \texttt{Hosts}.
\item Click The \texttt{+} plus icon.
\item Enter the hostname of the KVM server you want to use, such as the Sunstone server itself.
\texttt{Type: KVM}
\texttt{Hostname: ns24}
\item Click \texttt{Create}.
\item Repeatedly hit the reload button that's the two arrows in a circle, as it goes thru
stages of setup, starting at \texttt{INIT}.
\item Confirm status is \texttt{ON}.
\end{enumerate}
\section{Sunstone Deploy Image}
This is a quick and dirty way to deploy a first test image.
NOTE: It is note privacy aware, as it pulls the image from the
OpenNebula ``store''.
How to deploy an image from the OpenNebula App store:
\begin{enumerate}
\item Click \texttt{Storage}.
\item Click \texttt{Apps}
\item Click \texttt{Debian 9 - KVM}.
\item Click on the icon that is a cloud with an arrow in it. This downloads it to OpenNebula.
\item Select a datastore by clicking the \texttt{default} line.
\item Leave name and all that the same, and click \texttt{Download}.
\item Click \texttt{Images} under \texttt{Storage} in the left column.
\item Hit the refresh icon repeatedly.
\item When \texttt{Status} is \texttt{READY}, it is good to go.
\item Click \texttt{Templates} in the left column.
\item Click \texttt{VMs}.
\item Click \texttt{Debian 9 - KVM}.
\item Click \texttt{Instantiate}.
\item \texttt{VM Name} enter \texttt{deb9}.
\item \texttt{Number of instances} enter \texttt{1}.
\item \texttt{Memory} enter \texttt{768}.
\item \texttt{CPU} enter \texttt{1}.
\item Click the slider to \texttt{Instantiate as persistent}.
\item Click \texttt{Instantiate}.
\item Click \texttt{Instances} in the left column.
\item Click \texttt{VMs}.
\item Click the reload icon, repeat.
\item It is good when \texttt{Status} is \texttt{RUNNING}.
\item Set up an \texttt{ssh} tunnel so VNC can be used:
\texttt{ssh -N -C -L 29876:localhost:29876 ns24}
\item Click on the little monitor icon to launch VNC.
\item Look at booted up screen at \texttt{login:} prompt.
\item This means a Debian KVM booted up and the VNC is working.
There is no password for the \texttt{root} account, only \texttt{ssh} is available.
So without network setup, you can't really do anything with this image.
Booted, it just shows it works.
\end{enumerate}
I think delete this section, it would go before the \texttt{Templates} above.:
\begin{enumerate}
\item Click \texttt{Debian 9 - KVM}.
\item PROBABLY NO: Click \texttt{Clone} to make a local copy.
\item PROBABLY NO: It will say \texttt{Copy of Debian 9 - KVM}, leave as-is, click \texttt{Clone}.
\item Click on the icon with three dots.
\item Click \texttt{Make Persistent}.
\item Click on the icon with three dots.
\item Click \texttt{Enable}.
\end{enumerate}
\section{OpenNebula Networking}
XXX Yes, this part needs set up...
\begin{minted}{sh}
# /etc/network/interfaces bridge section, add this:
auto br0
iface br0 inet static
bridge_ports eth0
bridge_fd 0
address 192.168.100.1
netmask 255.255.255.0
network 192.168.100.0
broadcast 192.168.100.255
gateway 192.168.100.1
dns-nameservers 37.235.1.174
dns-search forksand.com
\end{minted}
As user \texttt{jebba}, on the server, run this to generate a key.
Then paste that key into Sunstone under "SSH Public Key".
\begin{minted}{sh}
ssh-keygen -t ed25519
\end{minted}
\begin{minted}{sh}
# XXX test. Use this IP and interface, so no 192.168.0.0 but real IPs.
# Comment this out:
auto eth0:27
iface eth0:27 inet static
address 174.128.229.158
netmask 255.255.255.224
gateway 174.128.229.129
\end{minted}
XXX Check if IP forwarding is needed in \texttt{/etc/sysctl.conf}.
If things are set up to use a bridge and 192.168.100.100,
\texttt{iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE}
Will bring things up to NAT.
XXX The port forwarding is forwarding all port 53 to guest at the moment.
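Review bot: removing OpenNebula.tex wholesale leaves no trace in the manual of why OpenNebula 5.4 was dropped, and the commit message ("Lots of updates, new co-location") does not say either; a one-line note in the replacement overview that OpenNebula was evaluated and replaced by Proxmox would keep that decision on record. Also check that nothing else in the manual still references `fig:www-opennebula`, `fig:opennebula-sunstone` or the `waz-kvm-00x` / `waz-sun-00x` hostnames, and whether the `source/resources/ns24` automation scripts this file pointed at are still needed; otherwise those become dangling labels and orphaned scripts.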

@ -0,0 +1,230 @@
%
% Proxmox.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
% Copyright (C) 2017 Aleph Objects, Inc.
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
% XXX TODO: Proxmox-GUI-login.png
\section{Overview}
Proxmox is a virtual machine manager.
The private cloud deployment will be based on Proxmox version 5.x.
%There are only Debian 8 (Jessie, oldstable) releases.
%Debian hasn't packaged Proxmox since wheezy. It has it in sid, but even
%that is an old version. The only packages available for Debian are the
%upstream ones for Jessie made by Proxmox.
UPDATE: although Proxmox isn't listed on Debian 9 (Stretch) packages,
there is an installation manual for 5.x version, which is great.
Documentation:
\url{https://pve.proxmox.com/wiki/Documentation}
\begin{figure}[h!]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-proxmox.png}
\caption{Proxmox Website}
\label{fig:www-proxmox}
\end{figure}
\begin{itemize}
\item Website: \\ \url{https://proxmox.com/}
\item Debian Stretch Repo: \\
\url{http://downloads.Proxmox.com/repo/5.4/Debian/9/pool/Proxmox/}
\end{itemize}
The following servers will be deployed to host Proxmox and the KVMs:
\begin{itemize}
%\item \texttt{waz-kvm-001.forksand.com}
%\item \texttt{waz-kvm-002.forksand.com} --- Virtual Machine Server 2
%\item \texttt{waz-kvm-003.forksand.com} --- Virtual Machine Server 3
%\item \texttt{waz-kvm-004.forksand.com} --- Virtual Machine Server 4
%\item \texttt{waz-kvm-005.forksand.com} --- Virtual Machine Server 5
%\item \texttt{waz-sun-001.forksand.com} --- Proxmox Web GUI 1
%\item \texttt{waz-sun-002.forksand.com} --- Proxmox Web GUI 2
\item \texttt{forksand-hk1} --- Virtual Machine Node 1
\item \texttt{forksand-hk2} --- Virtual Machine Node 2
\item \texttt{forksand-hk3} --- Virtual Machine Node 3
\item \texttt{\textcolor[rgb]{0.80,0.00,0.00}{forksand-shark1}} \textcolor[rgb]{0.80,0.00,0.00}{--- Virtual Machine Node ?}
\item \texttt{forksand-shark2} --- Virtual Machine Node 4
\item \texttt{forksand-shark3} --- Virtual Machine Node 5
\item \texttt{forksand-shark4} --- Virtual Machine Node 6
\item \texttt{forksand-the} --- Virtual Machine Node 7
\item \texttt{forksand-truck} --- Virtual Machine Node 8
\end{itemize}
%\subsection{Virtual Machine Servers}
%KVM virtual machine servers. Fast CPU, with lots of RAM. Uses Ceph to store
%virtual images.
%
%\subsection{Proxmox Web GUI Servers}
%A Proxmox's Web GUI for administration of the cluster.
\subsection{Virtual Machine Nodes}
Virtual machine nodes. Fast CPU, with lots of RAM. Uses Ceph to store
virtual images.
Every node includes a Proxmox's Web GUI for administration of the cluster.
\textcolor[rgb]{0.80,0.00,0.00}{Todo clarify}
\begin{figure}[h!]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{proxmox-gui.png}
\caption{Proxmox Sunstone Web Admin GUI}
\label{fig:proxmox-gui}
\end{figure}
\begin{minted}{sh}
echo "deb http://download.proxmox.com/debian/pve stretch pve-no-subscription" \
> /etc/apt/sources.list.d/pve-install-repo.list
wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg \
-O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
apt-get update
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y \
-o Dpkg::Options::="--force-confdef" \
-o Dpkg::Options::="--force-confnew" dist-upgrade
apt-get -y install ksm-control-daemon proxmox-veupdate-grub
apt remove os-prober
\end{minted}
\section{Bugs}
Things that are bugs or at least aren't configured correctly.
\section{GUI Configuration}
At this point, you should have the Proxmox server up and running.
\textcolor[rgb]{0.80,0.00,0.00}{
Todo check related, modify/replace unrelated
}
\begin{minted}{sh}
See scripts in \texttt{source/resources/ns24} for automation.
\begin{enumerate}
\item Set up Linux Bridge (use Sunstone server name for ns24):
Code: \\ \texttt{ssh -N -C -L 9869:localhost:9869 ns24}
\item In workstation, open browser to url:
URL: \\ \url{http://localhost:9869/}
Info: \\ This goes through the encrypted SSH tunnel, but doesn't use https.
\item Click \texttt{Proxmox} in the upper right to get the full web console.
\item Click \texttt{Infrastructure}.
\item Click \texttt{Hosts}.
\item Click The \texttt{+} plus icon.
\item Enter the hostname of the KVM server you want to use, such as the Sunstone server itself.
\texttt{Type: KVM}
\texttt{Hostname: ns24}
\item Click \texttt{Create}.
\item Repeatedly hit the reload button that's the two arrows in a circle, as it goes thru
stages of setup, starting at \texttt{INIT}.
\item Confirm status is \texttt{ON}.
\end{enumerate}
\end{minted}
\section{GUI Deploy Image}
\textcolor[rgb]{0.80,0.00,0.00}{Todo check related, modify/replace unrelated}
\begin{minted}{sh}
This is a quick and dirty way to deploy a first test image.
NOTE: It is note privacy aware, as it pulls the image from the
Proxmox ``store''.
\end{minted}
\textcolor[rgb]{0.80,0.00,0.00}{Todo check related, modify/replace unrelated}
\begin{minted}{sh}
How to deploy an image from the Proxmox App store:
\begin{enumerate}
\item Click \texttt{Storage}.
\item Click \texttt{Apps}
\item Click \texttt{Debian 9 - KVM}.
\item Click on the icon that is a cloud with an arrow in it. This downloads it to Proxmox.
\item Select a datastore by clicking the \texttt{default} line.
\item Leave name and all that the same, and click \texttt{Download}.
\item Click \texttt{Images} under \texttt{Storage} in the left column.
\item Hit the refresh icon repeatedly.
\item When \texttt{Status} is \texttt{READY}, it is good to go.
\item Click \texttt{Templates} in the left column.
\item Click \texttt{VMs}.
\item Click \texttt{Debian 9 - KVM}.
\item Click \texttt{Instantiate}.
\item \texttt{VM Name} enter \texttt{deb9}.
\item \texttt{Number of instances} enter \texttt{1}.
\item \texttt{Memory} enter \texttt{768}.
\item \texttt{CPU} enter \texttt{1}.
\item Click the slider to \texttt{Instantiate as persistent}.
\item Click \texttt{Instantiate}.
\item Click \texttt{Instances} in the left column.
\item Click \texttt{VMs}.
\item Click the reload icon, repeat.
\item It is good when \texttt{Status} is \texttt{RUNNING}.
\item Set up an \texttt{ssh} tunnel so VNC can be used:
\texttt{ssh -N -C -L 29876:localhost:29876 ns24}
\item Click on the little monitor icon to launch VNC.
\item Look at booted up screen at \texttt{login:} prompt.
\item This means a Debian KVM booted up and the VNC is working.
There is no password for the \texttt{root} account, only \texttt{ssh} is available.
So without network setup, you can't really do anything with this image.
Booted, it just shows it works.
\end{enumerate}
I think delete this section, it would go before the \texttt{Templates} above.:
\begin{enumerate}
\item Click \texttt{Debian 9 - KVM}.
\item PROBABLY NO: Click \texttt{Clone} to make a local copy.
\item PROBABLY NO: It will say \texttt{Copy of Debian 9 - KVM}, leave as-is, click \texttt{Clone}.
\item Click on the icon with three dots.
\item Click \texttt{Make Persistent}.
\item Click on the icon with three dots.
\item Click \texttt{Enable}.
\end{enumerate}
\end{minted}
\section{Proxmox Networking}
Create --> Linux Bridge: vmbr0
XXX best way for this server? No subnet.
\textcolor[rgb]{0.80,0.00,0.00}{taken from forksand-shark4-bootstrap}
\begin{minted}{sh}
source /etc/network/interfaces.d/*
auto enp1s0f1
iface enp1s0f1 inet static
address 70.39.103.210/29
gateway 70.39.103.209
dns-nameservers 208.67.222.222
dns-search forksand.com
\end{minted}
As user \texttt{jebba}, on the server, run this to generate a key.
Then paste that key into Sunstone under "SSH Public Key".
\begin{minted}{sh}
ssh-keygen -t ed25519
\end{minted}
\begin{minted}{sh}
# XXX test. Use this IP and interface, so no 192.168.0.0 but real IPs.
# Comment this out:
auto eth0:27
iface eth0:27 inet static
address 174.128.229.158
netmask 255.255.255.224
gateway 174.128.229.129
\end{minted}
XXX Check if IP forwarding is needed in \texttt{/etc/sysctl.conf}.
If things are set up to use a bridge and 192.168.100.100,
\texttt{iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE}
Will bring things up to NAT.
XXX The port forwarding is forwarding all port 53 to guest at the moment.
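Review bot: the GUI Configuration and GUI Deploy Image sections wrap LaTeX (`\begin{enumerate}`, `\item`, `\texttt{}`) inside `\begin{minted}{sh}` blocks, so minted will typeset the markup verbatim instead of rendering numbered lists; the enumerate blocks need to sit outside the minted environments. The steps themselves are still the OpenNebula Sunstone procedure with the product name swapped (ssh tunnel to port 9869 on `ns24`, `Infrastructure` / `Hosts`, `Type: KVM`, `Instantiate`, the App store download), as the red "Todo check related" markers acknowledge; the figure caption still reads "Proxmox Sunstone Web Admin GUI" and the networking section still says "paste that key into Sunstone". Two things in the install block should be fixed before anyone pastes it: the "Debian Stretch Repo" bullet points at `http://downloads.Proxmox.com/repo/5.4/Debian/9/pool/Proxmox/`, a search-and-replace of the OpenNebula URL that does not match the `deb http://download.proxmox.com/debian/pve stretch pve-no-subscription` line the block actually writes to sources.list.d, and `apt-get -y install ksm-control-daemon proxmox-veupdate-grub` has lost a line break, since `proxmox-veupdate-grub` is not a package: it reads as `proxmox-ve` followed by `update-grub` on its own line. The release key is fetched over plain HTTP straight into `/etc/apt/trusted.gpg.d/` with no fingerprint or checksum check, which is worth a verification step given that it then authenticates every package on the node. Finally, the networking section carries over the OpenNebula leftovers `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE` (the interfaces on this host are `enp1s0f1` and `vmbr0`, not `eth0`) and the "forwarding all port 53 to guest" XXX; a blanket port-53 forward to a guest should be resolved rather than copied forward.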

@ -79,6 +79,837 @@ Used on many servers for a database.
Shared calendars, files, collaborative document editing with Shared calendars, files, collaborative document editing with
LibreOffice Online, videoconferencing. LibreOffice Online, videoconferencing.
Some of this is from owncloud era...
\begin{minted}{sh}
#Install debian jessie, ssh server, standard system utilities
#install jebba ssh key
#install sudo
#disable password ssh
#disable root ssh
#==================================
#
#Set up DNS
#Set up Server
#Create new jessie server, and boot it up.
#Copy over key:
ssh-copy-id jebba@pwn.themoes.org
#Log in to new machine:
ssh jebba@pwn.themoes.org
#Change jebba's password.
passwd jebba
#Set a root password:
su -
passwd root
#Disable source repos:
sed -i -e 's/deb-src/#deb-src/g' /etc/apt/sources.list
#Set up `git` as kludge to track /etc
apt-get -y install git
cd /etc
git init
chmod og-rwx /etc/.git
vi /etc/.gitignore
\end{minted}
Add these lines to /etc/.gitignore
\begin{minted}{sh}
prelink.cache
*.swp
ld.so.cache
adjtime
blkid.tab
blkid.tab.old
mtab
resolv.conf
asound.state
mtab.fuselock
aliases.db
\end{minted}
\subsection{Set up a git user:}
\begin{minted}{sh}
vi ~/.gitconfig
[user]
name = Jeff Moe
[color]
branch = auto
diff = auto
status = auto
\end{minted}
\subsection{Create and populate the git repo for /etc:}
\begin{minted}{sh}
git add .
EDITOR=vi git commit -a
Intial setup of pwn.themoes.org jessie owncloud server
#Install some needed stuff:
apt-get -y install sudo vim curl exuberant-ctags rsync ntp vim-scripts
host strace telnet lsb-release unzip bzip2 && apt-get clean
#Set up vim:
echo :syntax on > ~/.vimrc
#Add jebba to sudo group:
adduser jebba sudo
#Make sudoers passwordless:
vim /etc/sudoers
#Change:
%sudo ALL=(ALL:ALL) ALL
#To:
%sudo ALL=(ALL) NOPASSWD: ALL
#Edit /etc/ssh/sshd_config (dodgy way to do this):
sed -i \
-e 's/PermitRootLogin yes/PermitRootLogin no/g' \
-e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
-e 's/RSAAuthentication yes/RSAAuthentication no/g' \
-e 's/Port 22/Port 43827/g'\
-e 's/X11Forwarding yes/X11Forwarding no/g' \
/etc/ssh/sshd_config
#Disable unneeded services:
for i in nfs-common rpcbind mountkernfs.sh rsync exim4 ; do echo $i ;
sudo /usr/sbin/update-rc.d $i disable ; done
\end{minted}
Todo. Should these be dropped too? mountnfs-bootclean.sh mountnfs.sh
Reboot
\begin{minted}{sh}
#Log in as jebba (from workstation):
ssh -p 43827 -C jebba@pwn.themoes.org
#VIM:
echo :syntax on > ~/.vimrc
\end{minted}
\subsection{Setup}
Update /etc/hosts:
\begin{minted}{sh}
5.152.179.226 pwn pwn.themoes.org
#Comment out:
#127.0.1.1 pwn.themoes.org pwn
#Update /etc/hostname:
pwn
#Commit everything so far to git
sudo su -
cd /etc
git add .
EDITOR=vi git commit -a
# Additional base config for server.
\end{minted}
\subsection{Make IP Static}
\begin{minted}{sh}
vim /etc/network/interfaces
\end{minted}
Comment out:
\begin{minted}{sh}
#allow-hotplug eth0
#iface eth0 inet dhcp
\end{minted}
Add:
\begin{minted}{sh}
auto eth0
iface eth0 inet static
address 5.152.179.226
netmask 255.255.255.0
gateway 5.152.179.1
\end{minted}
\begin{minted}{sh}
# Install Firewall
# =============
# https://wiki.debian.org/iptables
#Create /etc/iptables.up.rules and /etc/network/if-pre-up.d/iptables
touch /etc/iptables.up.rules /etc/network/if-pre-up.d/iptables
/etc/iptables.test.rules
chmod 600 /etc/iptables.test.rules /etc/iptables.up.rules
\end{minted}
\begin{minted}{sh}
vim /etc/iptables.test.rules
\end{minted}
*filter
\begin{minted}{sh}
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that
doesn't use lo0
-A INPUT -i lo -j ACCEPT
#-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for
websites)
#-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
#-A INPUT -p tcp --dport 80 -j ACCEPT
# Accept 443 from everywhere
#-A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
#-A INPUT -p tcp --dport 443 -j ACCEPT
# SSH Access Port 43827
-A INPUT -p tcp -s 67.54.153.124 --dport 43827 -j ACCEPT
# Allow ssh from anywhere
-A INPUT -p tcp --dport 43827 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Opsview access
#-A INPUT -s 999.999.999.999/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
#-A INPUT -s 999.999.999.999/32 -p tcp -m tcp -m multiport --dports
2222,37,4949,5666 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: "
--log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
\end{minted}
\begin{minted}{sh}
touch /etc/network/if-pre-up.d/iptables
chmod 755 /etc/network/if-pre-up.d/iptables
vim /etc/network/if-pre-up.d/iptables
\end{minted}
\begin{minted}{sh}
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules
\end{minted}
Then run:
\begin{minted}{sh}
iptables-restore < /etc/iptables.test.rules
iptables -L
iptables-save > /etc/iptables.up.rules
\end{minted}
Disable IPv6
\begin{minted}{sh}
vim /etc/sysctl.conf
\end{minted}
Add:
\begin{minted}{sh}
# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
\end{minted}
\begin{minted}{sh}
sysctl -p
\end{minted}
Add this to kernel boot line /etc/default/grub:
\begin{minted}{sh}
GRUB_CMDLINE_LINUX="ipv6.disable=1"
\end{minted}
then run:
\begin{minted}{sh}
update-grub
\end{minted}
\begin{minted}{sh}
# Also need to change anything in /etc/apache2/sites-enabled/* that has
*:80 to 0.0.0.0, so no IPv6.
# Comment out IPv6 stuff in /etc/hosts:
#::1 localhost ip6-localhost ip6-loopback
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters
# Also need to change anything in /etc/apache2/sites-enabled/* that has
*:80 to 0.0.0.0, so no IPv6.
\end{minted}
Blacklist the module, don't even load it:
\begin{minted}{sh}
echo blacklist ipv6 > /etc/modprobe.d/ipv6.conf
\end{minted}
Tell the module not to use IPv6 (hit it with the hammer over and over):
\begin{minted}{sh}
echo alias net-pf-10 off >> /etc/modprobe.d/aliases.conf
echo alias ivp6 off >> /etc/modprobe.d/aliases.conf
\end{minted}
\begin{minted}{sh}
reboot
\end{minted}
%####################
%# Install Owncloud #
%####################
\subsection{Install nextcloud}
Copied from Owncloud installation sequence. Todo: review difference to Nextcloud
Add Debian Backports (eh?)
\begin{minted}{sh}
sh -c "echo 'deb http://mirrors.kernel.org/debian/ jessie-backports
main' >> /etc/apt/sources.list.d/backports.list"
apt-get update
apt-get dist-upgrade -t jessie-backports
apt-get clean
sync
reboot & exit
\end{minted}
Add owncloud repos (ToDo)
\begin{minted}{sh}
cd
wget -nv \
https://download.owncloud.org/download/repositories/stable/Debian_8.0/Release.key \
-O Release.key
apt-key add - < Release.key
sh -c "echo 'deb
http://download.owncloud.org/download/repositories/stable/Debian_8.0/ /'
>> /etc/apt/sources.list.d/owncloud.list"
apt-get update
apt-get install -t jessie-backports php5-apcu php-apc php5-imagick \
ffmpeg libreoffice php5-mysql php5-mcrypt php5-gmp php5-apcu \
php5-memcache php5-memcached memcached php5-redis php5-imagick apache2 \
libapache2-mod-php5 php5-gd php5-json php5-mysql php5-curl php5-intl \
php5-mcrypt php5-imagick mysql-server
apt-get clean
\end{minted}
Set up database
\begin{minted}{sh}
vim ~/.mysqlpw
\end{minted}
\begin{minted}{sh}
# meh
update-rc.d saned disable
\end{minted}
\begin{minted}{sh}
# Configure Apache2 on a Debian Jessie Server
# Setup default https configuration:
cd /etc/apache2/sites-enabled
ln -s ../sites-available/default-ssl .
# Enable SSL modules
cd /etc/apache2/mods-enabled
ln -s ../mods-available/*ssl* .
ln -s ../mods-available/socache_shmcb.load .
# XXX left this out:
#vim /etc/apache2/sites-available/default-ssl.conf
# make sure that each <Directory > has AllowOverride All
# Generate SSL certificate
cd /etc/ssl/private/
openssl genrsa -out pwn.themoes.org.key 2048
openssl req -new -key pwn.themoes.org.key -out pwn.themoes.org.csr
#* After the last command answer the following:
#** Country Name : US
#** State or Province Name: Colorado
#** Locality Name: Redstone Canyon
#** Organization Name: Moe
#** Organizational Unit Name: IT
#** Common Name: pwn.themoes.org
#** Email Address: pwn@themoes.org
#** Leave Challenge password and An optional company name blank.
# Sent csr to SSL registrar.
\end{minted}
Open up port 80 to do SSL registrar verification:
\begin{minted}{sh}
vim /etc/iptables.test.rules
\end{minted}
Enable the port 80 lines for registar, and port 443 lines for owncloud
later at the file
\begin{minted}{sh}
iptables-restore < /etc/iptables.test.rules
iptables -L
iptables-save > /etc/iptables.up.rules
\end{minted}
Copy Gandi file for SSL authentication to /var/www/html/
After Gandi verifies it, remove the file.
Then disable port 80 in the firewall again:
\begin{minted}{sh}
vim /etc/iptables.test.rules
\end{minted}
\begin{minted}{sh}
iptables-restore < /etc/iptables.test.rules
iptables -L
iptables-save > /etc/iptables.up.rules
\end{minted}
Move the cert in place
\begin{minted}{sh}
mv /home/jebba/certificate-323281.crt /etc/ssl/private/pwn.themoes.org.crt
chown root:root /etc/ssl/private/pwn.themoes.org.crt
# Gandi intermediate certs XXX
# http://crt.gandi.net/GandiStandardSSLCA2.crt OR
# https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem
# Gah, wtf, add this?
# Comodo Cross-Signed Certificate
# http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
#* Generate certificate:
# XXX gah, gandi root certs ?
# WTF does this do.
openssl x509 -req -in pwn.themoes.org.csr -CA AOrootCA.pem \
-CAkey AOrootCA.key -CAserial AOrootCA.srl \
-out pwn.themoes.org.crt -days 65000
\end{minted}
ToDo: consider adding rm pwn.themoes.org.csr
Place the .crt and .key files on pwn.themoes.org in /etc/ssl/private
directory.
Make sure the they can't be read by the others.
Configure SSL part of the Apache Server:
\begin{minted}{sh}
vim /etc/apache2/sites-available/default-ssl.conf
\end{minted}
change to:
\begin{minted}{sh}
ServerName pwn.themoes.org
ServerAdmin pwn@themoes.org
\end{minted}
comment out snakeoil keys
add
\begin{minted}{sh}
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/ssl/private/pwn.themoes.org.crt
SSLCertificateKeyFile /etc/ssl/private/pwn.themoes.org.key
\end{minted}
\subsection{Enable the SSL server}
\begin{minted}{sh}
cd /etc/apache2/sites-enabled
ln -s ../sites-available/default-ssl.conf .
\end{minted}
Restart Apache2
\begin{minted}{sh}
/etc/init.d/apache2 restart
\end{minted}
\begin{minted}{sh}
echo pwn > /var/www/html/index.html
\end{minted}
Install owncloud
\begin{minted}{sh}
apt-get install -t jessie-backports owncloud
\end{minted}
set up mysql owncloud user
\begin{minted}{sh}
vim ~/.mysqlpw-own
cat ~/.mysqlpw-own
mysql -uroot -p`cat ~/.mysqlpw`
CREATE USER 'owncloud'@'localhost' IDENTIFIED BY 'password';
CREATE DATABASE IF NOT EXISTS owncloud;
GRANT ALL PRIVILEGES ON owncloud.* TO 'owncloud'@'localhost' IDENTIFIED
BY 'password';
##############
# Migrate db to sql.themoes.org
##############
# Set up mysql config with sql.themoes.org (NOT on traccar, but on db
server)
mysql> CREATE DATABASE owncloud;
mysql> CREATE USER 'owncloud'@'192.168.22.2' IDENTIFIED BY 'XXX';
mysql> GRANT ALL ON owncloud.* TO 'owncloud'@'192.168.22.2';
mysql> FLUSH PRIVILEGES;
\end{minted}
\begin{minted}{sh}
mkdir /srv/owncloud
chown www-data:www-data /srv/owncloud
chmod 770 /srv/owncloud
\end{minted}
\begin{minted}{sh}
# Do web stuff
# https://pwn.themoes.org/owncloud/
# Create admin account
# Data folder:
# /srv/owncloud
# MySQL:
# User: owncloud
# Password:
# Database Name: owncloud
\end{minted}
set up crontab in web and here:
\begin{minted}{sh}
crontab -u www-data -e
\end{minted}
Add:
\begin{minted}{sh}
*/15 * * * * php -f /var/www/owncloud/cron.php
\end{minted}
Check it:
\begin{minted}{sh}
crontab -u www-data -l
\end{minted}
\begin{minted}{sh}
root@pwn:/etc/ssl/private# chmod o-r *
root@pwn:/etc/ssl/private# rm ssl-cert-snakeoil.key
wget https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem
mv GandiStandardSSLCA2.pem /etc/ssl/certs/
chown root:root /etc/ssl/certs/GandiStandardSSLCA2.pem
\end{minted}
Add this to
Configure SSL part of the Apache Server:
\begin{minted}{sh}
vim /etc/apache2/sites-available/default-ssl.conf
\end{minted}
\begin{minted}{sh}
SSLCertificateChainFile /etc/ssl/certs/GandiStandardSSLCA2.pem
SSLVerifyClient None
\end{minted}
\subsection{Libreoffice}
\begin{minted}{sh}
vim /var/www/owncloud/config/config.php
\end{minted}
\begin{minted}{sh}
'preview_libreoffice_path' => '/usr/bin/libreoffice',
\end{minted}
POSTFIX XXX ...
\begin{minted}{sh}
apt-get remove exim4 exim4-base exim4-config exim4-daemon-light
apt-get purge exim4 exim4-base exim4-config exim4-daemon-light
apt-get install postfix
#apt-get install bsd-mailx
\end{minted}
Use APCu and Redis for caching
\begin{minted}{sh}
vim /var/www/owncloud/config/config.php
\end{minted}
add
\begin{minted}{sh}
'memcache.local' => '\OC\Memcache\APCu',
'redis' => array(
'host' => '/var/run/redis/redis.sock',
'port' => 0,
),
'memcache.locking' => '\OC\Memcache\Redis',
\end{minted}
\begin{minted}{sh}
vim /etc/redis/redis.conf
\end{minted}
\begin{minted}{sh}
unixsocket /var/run/redis/redis.sock
unixsocketperm 770
\end{minted}
\begin{minted}{sh}
adduser www-data redis
\end{minted}
Todo: consider reboot
\begin{minted}{sh}
# Secure https some moar
#
https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/harden_server.html#enable-hsts-label
cd /etc/apache2/mods-enabled
ln -s ../mods-available/headers.load .
vim /etc/apache2/sites-enabled/default-ssl.conf
\end{minted}
Add:
\begin{minted}{sh}
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>
\end{minted}
Add stuff, and run:
\begin{minted}{sh}
vim /var/www/owncloud/config/config.php
\end{minted}
\begin{minted}{sh}
'defaultapp' => 'calendar',
'session_keepalive' => true,
'htaccess.RewriteBase' => '/owncloud',
\end{minted}
\begin{minted}{sh}
sudo -u www-data /var/www/owncloud/occ maintenance:update:htaccess
\end{minted}
Drop /owncloud from the URL
\begin{minted}{sh}
vim /etc/apache2/conf-available/owncloud.conf
\end{minted}
\begin{minted}{sh}
Alias / "/var/www/owncloud/"
\end{minted}
\begin{minted}{sh}
vim /var/www/owncloud/config/config.php
\end{minted}
\begin{minted}{sh}
'overwrite.cli.url' => 'https://pwn.themoes.org',
\end{minted}
\subsection{Misc}
\begin{minted}{sh}
vim /var/www/owncloud/config/config.php
\end{minted}
\begin{minted}{sh}
'logtimezone' => 'MST',
'session_keepalive' => true,
'htaccess.RewriteBase' => '/',
'overwritewebroot' => '/',
'check_for_working_webdav' => true,
'check_for_working_wellknown_setup' => true,
'check_for_working_htaccess' => true,
'logfile' => '/var/log/owncloud.log',
'loglevel' => 2,
'enable_previews' => true,
'preview_max_x' => 2048,
'preview_max_y' => 2048,
'preview_max_scale_factor' => 10,
'preview_max_filesize_image' => 50,
'preview_office_cl_parameters' =>
' --headless --nologo --nofirststartwizard --invisible
--norestore '.
'-convert-to pdf -outdir ',
'enabledPreviewProviders' => array(
'OC\Preview\PNG',
'OC\Preview\JPEG',
'OC\Preview\GIF',
'OC\Preview\BMP',
'OC\Preview\XBitmap',
'OC\Preview\MP3',
'OC\Preview\TXT',
'OC\Preview\MarkDown',
'OC\Preview\PDF',
'OC\Preview\Postscript',
'OC\Preview\SVG',
'OC\Preview\Movie',
'OC\Preview\MSOfficeDoc',
'OC\Preview\MSOffice2003',
'OC\Preview\MSOffice2007',
'OC\Preview\OpenDocument',
'OC\Preview\StarOffice',
),
'maintenance' => false,
'singleuser' => false,
'asset-pipeline.enabled' => false,
\end{minted}
set up that temp dir:
\begin{minted}{sh}
mkdir /srv/owncloudtemp
chown www-data:www-data /srv/owncloudtemp/
chmod 770 /srv/owncloudtemp/
vim /var/www/owncloud/config/config.php
\end{minted}
\begin{minted}{sh}
'tempdirectory' => '/srv/owncloudtemp',
\end{minted}
php.ini stuff
\begin{minted}{sh}
vim /etc/php5/apache2/php.ini
\end{minted}
\begin{minted}{sh}
php_value upload_max_filesize = 5G
php_value post_max_size = 5G
php_value max_input_time 3600
php_value max_execution_time 3600
memory_limit = 512M
\end{minted}
for svg ?
\begin{minted}{sh}
apt-get install inkscape
\end{minted}
\begin{minted}{sh}
\subsection{Solr / Nexant}
\end{minted}
\begin{minted}{sh}
apt-get install php-solr solr-jetty
\end{minted}
\begin{minted}{sh}
# enable nexant app in web interface
# vim /etc/jetty9/jetty-http.xml
# vim /etc/jetty9/jetty-https.xml
# <Set name="host"><Property name="jetty.host" /></Set>
# to
# <Set name="host"><Property name="jetty.host" default="127.0.0.1" /></Set>
\end{minted}
\begin{minted}{sh}
# nope
#cd solr/
#cp -fr configsets/basic_configs nextant
# This:
# https://github.com/nextcloud/nextant/wiki/Setup-your-local-standalone-Solr
# see local git clone
# Actually, do this install of solr...
# https://github.com/nextcloud/nextant/wiki/Setup-your-local-Solr-as-a-Service
# apt-get install tesseract-ocr tesseract-ocr-eng
# apt-get install ocrmypdf # not needed, for other OCR thing
\end{minted}
\subsection{Spreed}
\large{Spreed Nextcloud WebRTC}
There is a Spreed.me module for Nextcloud, which points to a spreed
webrtc server. If the spreed and nextcloud server use different
hostnames (origins), screen-sharing won't be allowed due to browser
restrictions. So spreed is getting installed straight onto the Nextcloud
server, https://own.alephobjects.com .
\subsection{Links}
\begin{minted}{sh}
* https://github.com/strukturag/spreed-webrtc
* https://github.com/strukturag/nextcloud-spreedme
* https://github.com/strukturag/nextcloud-spreedme#installation--setup-of-a-spreed-webrtc-server
* https://hub.docker.com/r/spreed/webrtc/
* https://docs.docker.com/engine/installation/linux/debian/
\end{minted}
We're going to use a Docker install... own.alephobjects.com is
currently running Debian Stretch (testing, version 9). Unfortunately,
docker.io (as it is named in Debian) is available for jessie-backports
and sid, but not for stretch... We'll use docker's apt repos to get
docker....
\subsection{Install Docker}
\begin{minted}{sh}
* https://docs.docker.com/engine/installation/linux/debian/
\end{minted}
\begin{minted}{sh}
apt update
apt install apt-transport-https ca-certificates gnupg2
apt-key adv \
--keyserver hkp://ha.pool.sks-keyservers.net:80 \
--recv-keys 58118E89F3A912897C070ADBF76221572C52609D
vim /etc/apt/sources.list.d/docker.list
\end{minted}
Add:
\begin{minted}{sh}
deb https://apt.dockerproject.org/repo debian-stretch main
\end{minted}
\begin{minted}{sh}
cd /etc ; git add . ; git commit -a -m 'Add docker repo to apt'
\end{minted}
save
\begin{minted}{sh}
apt update
apt install -y docker-engine
cd /etc ; git add . ; git commit -a -m 'Install docker'
service docker start
\end{minted}
\subsection{Test docker}
\begin{minted}{sh}
docker run hello-world
\end{minted}
\subsection{Set up spreed docker}
\begin{minted}{sh}
mkdir -p /srv/spreed/extra.d
vim /etc/spreed-webrtc-nextcloud.conf
\end{minted}
make config like this:
\begin{minted}{sh}
[http]
basePath = /webrtc/
[app]
authorizeRoomJoin = true
extra.d = /srv/spreed/extra.d
[users]
enabled = true
mode = sharedsecret
\end{minted}
\subsection{Run Spreed Docker}
\begin{minted}{sh}
cd /srv/spreed
docker run --name ao-spreed-webrtc -p 8080:8080 -p 8443:8443 \
-v /srv/spreed -i -t spreed/webrtc -c /etc/spreed-webrtc-nextcloud.conf
\end{minted}
On first launch, it may hang forever because it doesn't have any
entropy. So it will hang at "Creating new server secrets ..."
Here is a workaround to generate entropy:
\begin{minted}{sh}
apt install -y rng-tools
rngd -f -r /dev/urandom
\end{minted}
Run it thusly:
\begin{minted}{sh}
docker run -d --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \
/etc/spreed:/etc/spreed -v /var/log/spreed:/var/log/spreed -v \
/var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \
-i -t spreed/webrtc -c /etc/spreed/server.conf
\end{minted}
\large{Configure Apache}
install needed apache modules:
\begin{minted}{sh}
a2enmod proxy proxy_http proxy_wstunnel headers
vim /etc/apache2/sites-enabled/01-own.alephobjects.com.conf
\end{minted}
Add this inside the VirtualHost section:
\begin{minted}{sh}
# Spreed WebRTC
ProxyPass http://127.0.0.1:8080/webrtc
ProxyPassReverse /webrtc
ProxyPass ws://127.0.0.1:8080/webrtc/ws
ProxyVia On
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
\end{minted}
\subsection{Spreed Configuration}
\begin{minted}{sh}
Get the config in own.alephobjects.com --> admin --> Additional
Settings(?) --> Spreed.me
# Generate that config, put it in /etc/spreed/spreed.conf
# Restart docker.
#cd /etc ; git add . ; git commit -a -m 'Configure'
##### HMM
docker run --name ao-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \
/srv/spreed -i -t spreed/webrtc -c /etc/spreed/server.conf
rngd -f -r /dev/urandom
# 585 docker run --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \
/etc/spreed:/etc/spreed -i -t spreed/webrtc -c /etc/spreed/server.conf
# 587 docker run -d --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 \
-v /etc/spreed:/etc/spreed -v /var/log/spreed:/var/log/spreed -v \
/var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \
-i -t spreed/webrtc -c /etc/spreed/server.conf
docker run -d --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \
/etc/spreed:/etc/spreed -v /var/log/spreed:/var/log/spreed -v \
/var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \
-i -t spreed/webrtc -c /etc/spreed/server.conf
# These two:
rngd -f -r /dev/urandom
docker run -d --restart unless-stopped --name my-spreed-webrtc -p \
8080:8080 -p 8443:8443 -v /etc/spreed:/etc/spreed -v \
/var/log/spreed:/var/log/spreed -v \
/var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \
-i -t spreed/webrtc -c /etc/spreed/server.conf \
\end{minted}
\subsection{apache2}
Install needed apache modules:
\begin{minted}{sh}
a2enmod proxy proxy_http proxy_wstunnel headers
vim /etc/apache2/sites-enabled/pwn.themoes.org.conf
\end{minted}
Add this inside the VirtualHost section:
\begin{minted}{sh}
# Spreed WebRTC
<Location /webrtc>
ProxyPass http://127.0.0.1:8080/webrtc
ProxyPassReverse /webrtc
</Location>
<Location /webrtc/ws>
ProxyPass ws://127.0.0.1:8080/webrtc/ws
</Location>
ProxyVia On
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
\end{minted}
\section{\href{http://support.ntp.org/}{NTP}} \section{\href{http://support.ntp.org/}{NTP}}
Syncs time on every server and workstation. Syncs time on every server and workstation.
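Review bot: the TLS settings added to default-ssl.conf in this hunk (`SSLProtocol all -SSLv2` and `SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW`) still allow SSLv3 and admit RC4, LOW and MEDIUM ciphers; change them to `SSLProtocol all -SSLv2 -SSLv3` with a restrictive suite such as `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4`, and since the later HSTS header carries `preload`, add a note that preload is a long-term commitment once the domain is submitted to the browser list. Several other lines need attention before this goes into a published manual: the `openssl x509 -req -in pwn.themoes.org.csr -CA AOrootCA.pem ... -out pwn.themoes.org.crt -days 65000` command signs the CSR with a private CA and writes over the Gandi-issued certificate that was just moved to that same path, so it should be removed or clearly marked as the self-signed alternative (and 65000 days is not a sane validity period); the php.ini block uses `php_value upload_max_filesize = 5G` and friends, which is .htaccess syntax that php.ini will not accept, so those lines must read `upload_max_filesize = 5G`, `post_max_size = 5G`, `max_input_time = 3600` and so on; the first Apache proxy block has `ProxyPass http://127.0.0.1:8080/webrtc` and `ProxyPass ws://127.0.0.1:8080/webrtc/ws` without a path argument, which is only valid inside a `<Location>` block (the second proxy block later in the hunk has the correct form and the first should match it); the `mysql -uroot -p...` invocation that substitutes the contents of ~/.mysqlpw puts the root password on the command line where it is visible in the process list, so prefer a `~/.my.cnf` or `--defaults-extra-file`; the final Spreed docker block ends with a stray trailing backslash right before `\end{minted}` and still carries shell-history residue (`##### HMM`, `# 585 docker run ...`, `# 587 docker run ...`) that should be cut down to the one working command plus the `rngd` workaround; `\subsection{Solr / Nexant}` is wrapped in a minted environment, so it renders as code rather than a heading (and the app is spelled Nextant in the linked URLs); and `\large{Spreed Nextcloud WebRTC}` and `\large{Configure Apache}` apply the size switch outside the braces, so they should be `{\large ...}` or proper `\subsection` headings.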

@ -2,14 +2,209 @@
\texttt{SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855} \texttt{SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855}
\inputminted{sh}{resources/SHA256SUM} \inputminted{sh}{resources/SHA256SUM}
\section{\texttt{STATS}} \section{\texttt{STATS}}
\texttt{SHA256: b1861503f0a41f1f2bef8fbfba32501d871ef4c5fd073c3b9272c71a7b1e7ea5} \texttt{SHA256: adadaa5e46ade71aa99d833d7cf64cf012501c8b7a6f6c15a3563f6ceeffa9c6}
\inputminted{sh}{resources/STATS} \inputminted{sh}{resources/STATS}
\section{\texttt{apps/Ansible-Gitea/ansible.cfg}}
\texttt{SHA256: 5c5bbe341a18319f6f24033c4f63fc5f1594469b4f2cfbb991ec596fd30e9a3b}
\inputminted{sh}{resources/apps/Ansible-Gitea/ansible.cfg}
\section{\texttt{apps/Ansible-Gitea/inventory.yml}}
\texttt{SHA256: cc816d03579097542ca85c188995a412d619c08c84bf3dfef73191fc5cc05b54}
\inputminted{sh}{resources/apps/Ansible-Gitea/inventory.yml}
\section{\texttt{apps/Ansible-Gitea/roles/gitea/defaults/main.yml}}
\texttt{SHA256: 19aeb0ea8e30712f9589fd7037415118a92666d12ae30aa0757be6fde6357225}
\inputminted{sh}{resources/apps/Ansible-Gitea/roles/gitea/defaults/main.yml}
\section{\texttt{apps/Ansible-Gitea/roles/gitea/handlers/main.yml}}
\texttt{SHA256: 4012e6484af750c9b21a8d9f04e68ddd291c37a8dd9657daa862124e480c2497}
\inputminted{sh}{resources/apps/Ansible-Gitea/roles/gitea/handlers/main.yml}
\section{\texttt{apps/Ansible-Gitea/roles/gitea/tasks/create\char`_user.yml}}
\texttt{SHA256: 28d0983feb2aba01934a25cad94e64e77c055e6a977bb2a0db9a8c199933b369}
\inputminted{sh}{resources/apps/Ansible-Gitea/roles/gitea/tasks/create_user.yml}
\section{\texttt{apps/Ansible-Gitea/roles/gitea/tasks/install\char`_systemd.yml}}
\texttt{SHA256: 7e6155085ebae67496b3267cdf3211fd3a7e0f178661ff21e20101947456912e}
\inputminted{sh}{resources/apps/Ansible-Gitea/roles/gitea/tasks/install_systemd.yml}
\section{\texttt{apps/Ansible-Gitea/roles/gitea/tasks/main.yml}}
\texttt{SHA256: bc5f081dfd51f5c920c8dda1873560a2602204dd9d28a881238fd66e22437c2d}
\inputminted{sh}{resources/apps/Ansible-Gitea/roles/gitea/tasks/main.yml}
\section{\texttt{apps/Ansible-Gitea/roles/gitea/templates/gitea.ini.j2}}
\texttt{SHA256: c8be571f2f2407240bc88997aedf70c9230554a65132ebab9a1ee0d4296ff9d3}
\inputminted{sh}{resources/apps/Ansible-Gitea/roles/gitea/templates/gitea.ini.j2}
\section{\texttt{apps/Ansible-Gitea/roles/gitea/templates/gitea.service.j2}}
\texttt{SHA256: 0acbfe01156c9e39ee71a4fc64310ab003f09bfcf544df00b1f3cff010ed8f38}
\inputminted{sh}{resources/apps/Ansible-Gitea/roles/gitea/templates/gitea.service.j2}
\section{\texttt{apps/Ansible-Gitea/roles/gitea/.DS\char`_Store}}
\texttt{SHA256: e97bff48aa282aacf1c59c754a7b9adfe56120c4cb1545a7488f03fee9f4e479}
\inputminted{sh}{resources/apps/Ansible-Gitea/roles/gitea/.DS_Store}
\section{\texttt{apps/Ansible-Gitea/roles/nginx/defaults/main.yml}}
\texttt{SHA256: 20c921226115e5a92309d543b66066438e6565bdbd054e7ca41d0fc6ddcfcd9a}
\inputminted{sh}{resources/apps/Ansible-Gitea/roles/nginx/defaults/main.yml}
\section{\texttt{apps/Ansible-Gitea/roles/nginx/handlers/main.yml}}
\texttt{SHA256: 5a3990dbfb331c83fbbff76368a2426ae03d34052454aa6676f52b7e4652d561}
\inputminted{sh}{resources/apps/Ansible-Gitea/roles/nginx/handlers/main.yml}
\section{\texttt{apps/Ansible-Gitea/roles/nginx/tasks/main.yml}}
\texttt{SHA256: 5232d5b0894c1e6a3da8472591ef49e9c80e927cdbec626c15c9e1a9796729a8}
\inputminted{sh}{resources/apps/Ansible-Gitea/roles/nginx/tasks/main.yml}
\section{\texttt{apps/Ansible-Gitea/roles/nginx/templates/nginx.conf.j2}}
\texttt{SHA256: 1ecb64716e6674eb30a145c79859774cc5772304828553474c05820a2151ff3b}
\inputminted{sh}{resources/apps/Ansible-Gitea/roles/nginx/templates/nginx.conf.j2}
\section{\texttt{apps/Ansible-Gitea/roles/nginx/templates/nginxssl.conf.j2}}
\texttt{SHA256: 4d7edebbe48f20aeeb49599d32fc5531db943cbf43d7e9995674c180b56f2e77}
\inputminted{sh}{resources/apps/Ansible-Gitea/roles/nginx/templates/nginxssl.conf.j2}
\section{\texttt{apps/Ansible-Gitea/site.yml}}
\texttt{SHA256: d74378b00af74eabe0cc11d0f0b1db5c902116c583216f14152d968e5a71e474}
\inputminted{sh}{resources/apps/Ansible-Gitea/site.yml}
\section{\texttt{apps/ansible-debian-mail/ansible.cfg}}
\texttt{SHA256: 5c5bbe341a18319f6f24033c4f63fc5f1594469b4f2cfbb991ec596fd30e9a3b}
\inputminted{sh}{resources/apps/ansible-debian-mail/ansible.cfg}
\section{\texttt{apps/ansible-debian-mail/group\char`_vars/all.yml}}
\texttt{SHA256: b5f417e155b47834e49be9243ba776a6516c56c3ed0121d2bc4d022d5acacd87}
\inputminted{sh}{resources/apps/ansible-debian-mail/group_vars/all.yml}
\section{\texttt{apps/ansible-debian-mail/inventory.yml}}
\texttt{SHA256: cc816d03579097542ca85c188995a412d619c08c84bf3dfef73191fc5cc05b54}
\inputminted{sh}{resources/apps/ansible-debian-mail/inventory.yml}
\section{\texttt{apps/ansible-debian-mail/roles/dkim\char`_configuration/tasks/\\ \qquad\qquad\qquad../main.yml}}
\texttt{SHA256: 95d75eba0703ebb00f12d01a821353fe1ddb7a5612a72ea2c4e658d2be5afb52}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/dkim_configuration/tasks/main.yml}
\section{\texttt{apps/ansible-debian-mail/roles/dkim\char`_configuration/templates/\\ \qquad\qquad\qquad../internalhosts.j2}}
\texttt{SHA256: 4f83d988f9a305d6f7571f1742f8e284f0008182bcb21f3b8683594fd5de2340}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/internalhosts.j2}
\section{\texttt{apps/ansible-debian-mail/roles/dkim\char`_configuration/templates/\\ \qquad\qquad\qquad../opendkim.conf.j2}}
\texttt{SHA256: bf71aafad2295a773f5556ff870e4db70d62451a26fc952bde04336642f7afc2}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/opendkim.conf.j2}
\section{\texttt{apps/ansible-debian-mail/roles/dkim\char`_configuration/templates/\\ \qquad\qquad\qquad../opendkim.j2}}
\texttt{SHA256: 4069a27787b75f0af2ca555ff0f5668c2cbe6813909108a92c1583c4e82d2863}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/opendkim.j2}
\section{\texttt{apps/ansible-debian-mail/roles/dkim\char`_configuration/templates/\\ \qquad\qquad\qquad../opendmarc.conf.j2}}
\texttt{SHA256: 3d5208869831f657790c9642ea0ad63db2ad79d080d7d7ef24da0b802946b223}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/opendmarc.conf.j2}
\section{\texttt{apps/ansible-debian-mail/roles/dkim\char`_configuration/templates/\\ \qquad\qquad\qquad../opendmarc.j2}}
\texttt{SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/opendmarc.j2}
\section{\texttt{apps/ansible-debian-mail/roles/dkim\char`_configuration/templates/\\ \qquad\qquad\qquad../trustedhosts.j2}}
\texttt{SHA256: 9252907b8d86ae437a9910148e6c72b2fce30be020a57ab3d59111fc5de5f6f7}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/dkim_configuration/templates/trustedhosts.j2}
\section{\texttt{apps/ansible-debian-mail/roles/dovecot\char`_configuration/handlers/\\ \qquad\qquad\qquad../main.yml}}
\texttt{SHA256: 218fc20617243fef6f783cd83332fa0fe9e610483bc2c2f1b1245e8eec0959ac}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/dovecot_configuration/handlers/main.yml}
\section{\texttt{apps/ansible-debian-mail/roles/dovecot\char`_configuration/tasks/\\ \qquad\qquad\qquad../main.yml}}
\texttt{SHA256: f9d7c2c906c9f092d2dd973cc2c2e9ce9b4b5b01f2ec056f3095c6fc802c2d74}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/dovecot_configuration/tasks/main.yml}
\section{\texttt{apps/ansible-debian-mail/roles/dovecot\char`_configuration/templates/\\ \qquad\qquad\qquad../10-master.conf.j2}}
\texttt{SHA256: d7004417a7ac1d96e9904b05f68879a752dec6f7621bc56ed18434aabf78c40b}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/dovecot_configuration/templates/10-master.conf.j2}
\section{\texttt{apps/ansible-debian-mail/roles/dovecot\char`_configuration/templates/\\ \qquad\qquad\qquad../10-ssl.conf.j2}}
\texttt{SHA256: 660790c32b47fd84326c6d53efcb13a2a6c691fa96d59c880aceadf71f8fa1f0}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/dovecot_configuration/templates/10-ssl.conf.j2}
\section{\texttt{apps/ansible-debian-mail/roles/fail2ban\char`_configuration/tasks/\\ \qquad\qquad\qquad../main.yml}}
\texttt{SHA256: 8ebe1bb04c097e8371d63b6ac16c393ca74c094711942f2560252d482a0f17ce}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/fail2ban_configuration/tasks/main.yml}
\section{\texttt{apps/ansible-debian-mail/roles/letsencrypt\char`_configuration/tasks/\\ \qquad\qquad\qquad../main.yml}}
\texttt{SHA256: 817e705118fd6d92e7e89a84544ba907c71aa4395b3cb925fe4421b1b99add53}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/letsencrypt_configuration/tasks/main.yml}
\section{\texttt{apps/ansible-debian-mail/roles/mikegleasonjr.firewall/.travis.yml}}
\texttt{SHA256: 6920d48ae9610b5d0d61c9638d27e30b46b885777ab04127a198a380df12ae38}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/.travis.yml}
\section{\texttt{apps/ansible-debian-mail/roles/mikegleasonjr.firewall/Vagrantfile}}
\texttt{SHA256: b8c8b8560eb577eb8637a446bc28aba7df05d34618093023a2b43f7764c75fb2}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/Vagrantfile}
\section{\texttt{apps/ansible-debian-mail/roles/mikegleasonjr.firewall/defaults/\\ \qquad\qquad\qquad../main.yml}}
\texttt{SHA256: c86227ad9775e213708a92703958d1ae8dc80b5073b665499839e4c80f0d77d5}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/defaults/main.yml}
\section{\texttt{apps/ansible-debian-mail/roles/mikegleasonjr.firewall/meta/main.yml}}
\texttt{SHA256: c77f50cf2758025bece96792badbf0f98a799738be56e3dbd94d5c416ce402b5}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/meta/main.yml}
\section{\texttt{apps/ansible-debian-mail/roles/mikegleasonjr.firewall/meta/.galaxy\char`_install\char`_info}}
\texttt{SHA256: 8df2fa6c72bad1a6b52a7e84a1dd5a850b96d3ed55c4266113c1476bbc1c974d}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/meta/.galaxy_install_info}
\section{\texttt{apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/main.yml}}
\texttt{SHA256: 5d1ebe1ec51a5a4b0ab52bbf1af63ca94af4290182755b2463aa321bfb39732f}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/main.yml}
\section{\texttt{apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/persist-debian.yml}}
\texttt{SHA256: da08d16128d29e725a80590890592020a53d90cbeac3b55dbe67da63fc254e6b}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/persist-debian.yml}
\section{\texttt{apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/persist-redhat.yml}}
\texttt{SHA256: aaa130a6c8ad52ede70c2b12e46e27e61475e5d8b0842274b5ce0515ad645734}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/persist-redhat.yml}
\section{\texttt{apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/rules.yml}}
\texttt{SHA256: 6f28f53b5c77709268853ab1ba9f16ca30d64cd72dde08e9d9826b82c714e602}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/rules.yml}
\section{\texttt{apps/ansible-debian-mail/roles/mikegleasonjr.firewall/templates/\\ \qquad\qquad\qquad../generated.v4.j2}}
\texttt{SHA256: 1c8f8244b151f386933796a30c299f86d580880e16a7abba3653a1e3765a5394}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/templates/generated.v4.j2}
\section{\texttt{apps/ansible-debian-mail/roles/mikegleasonjr.firewall/templates/\\ \qquad\qquad\qquad../generated.v6.j2}}
\texttt{SHA256: b724ce42ef251f979751e080279d27c6f82e21f5c30118a731aacf3f8b494624}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/templates/generated.v6.j2}
\section{\texttt{apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tests.yml}}
\texttt{SHA256: a7c2b3cd0f70c600c3e1db74d95533be3eb864853394c62330b5532c49abb572}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tests.yml}
\section{\texttt{apps/ansible-debian-mail/roles/outputs/tasks/main.yml}}
\texttt{SHA256: 10734468f2c6744ef0fc14bb5f8d9678fb684d9647a981ab7dc93e81f6b3396b}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/outputs/tasks/main.yml}
\section{\texttt{apps/ansible-debian-mail/roles/postfix\char`_configuration/files/\\ \qquad\qquad\qquad../auth\char`_header\char`_checks.pcre}}
\texttt{SHA256: 3749fe155aa62adb30db35bedc96bdb47b1e094e8cc3b12e4915dc6137edcc43}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/postfix_configuration/files/auth_header_checks.pcre}
\section{\texttt{apps/ansible-debian-mail/roles/postfix\char`_configuration/files/\\ \qquad\qquad\qquad../master.cf}}
\texttt{SHA256: 13dd76df6148f7a898c8054f5566cbd351207a9bc5ae97ced9e4b5407af923a5}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/postfix_configuration/files/master.cf}
\section{\texttt{apps/ansible-debian-mail/roles/postfix\char`_configuration/handlers/\\ \qquad\qquad\qquad../main.yml}}
\texttt{SHA256: a31d3860adb790e2ab6ee5763e2b59aa5b17b94f56cb7236845128f0e870e597}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/postfix_configuration/handlers/main.yml}
\section{\texttt{apps/ansible-debian-mail/roles/postfix\char`_configuration/tasks/\\ \qquad\qquad\qquad../main.yml}}
\texttt{SHA256: cf7521b7366045753045ac11bdccc11857bc0c171a0fc1ba9c572fe7d59fd627}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/postfix_configuration/tasks/main.yml}
\section{\texttt{apps/ansible-debian-mail/roles/postfix\char`_configuration/templates/\\ \qquad\qquad\qquad../aliases.j2}}
\texttt{SHA256: 5a101165ebf12cbd1663908e21f77dc2636fee45da36f5daa79ab84c47e7dfcb}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/postfix_configuration/templates/aliases.j2}
\section{\texttt{apps/ansible-debian-mail/roles/server\char`_tasks/handlers/main.yml}}
\texttt{SHA256: 5822b360aa9988efc37bdf5dd9626de45b2d1f279f70e032f5b56427994f440d}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/server_tasks/handlers/main.yml}
\section{\texttt{apps/ansible-debian-mail/roles/server\char`_tasks/tasks/main.yml}}
\texttt{SHA256: 9482c99a24179cb4bcd0d8ea5bf6ac5e8391cd88b1242190693c685127bb94e8}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/server_tasks/tasks/main.yml}
\section{\texttt{apps/ansible-debian-mail/roles/spamassassin\char`_configuration/tasks/\\ \qquad\qquad\qquad../main.yml}}
\texttt{SHA256: bc1d9877f592fe1b63385a38febee9ed7769cbb01972e73f950dcc6e5309ded0}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/spamassassin_configuration/tasks/main.yml}
\section{\texttt{apps/ansible-debian-mail/roles/sqlgrey\char`_configuration/tasks/\\ \qquad\qquad\qquad../main.yml}}
\texttt{SHA256: c85d3966f275654bfde3c1c5065980debe0be5900ad5b33f3bf19e893610b635}
\inputminted{sh}{resources/apps/ansible-debian-mail/roles/sqlgrey_configuration/tasks/main.yml}
\section{\texttt{apps/ansible-debian-mail/site.yml}}
\texttt{SHA256: 00b3b9b020bfd4ebe7732bf3a96a7dc5ce37c6788907f0574a193c3f5fcd0224}
\inputminted{sh}{resources/apps/ansible-debian-mail/site.yml}
\section{\texttt{apps/forksand-nodes-bootstrap/forksand-hk1-bootstrap}}
\texttt{SHA256: d3b370cdf087289f89c827aefaf1915c35843f01f9f2d8bbeb412184b2ce2fa6}
\inputminted{sh}{resources/apps/forksand-nodes-bootstrap/forksand-hk1-bootstrap}
\section{\texttt{apps/forksand-nodes-bootstrap/forksand-hk2-bootstrap}}
\texttt{SHA256: d62d8c5f8269253f07bdd01abaf0653797627477827163625c9d2e3d207e27c8}
\inputminted{sh}{resources/apps/forksand-nodes-bootstrap/forksand-hk2-bootstrap}
\section{\texttt{apps/forksand-nodes-bootstrap/forksand-hk3-bootstrap}}
\texttt{SHA256: 7d56b22aec7e53798e88d4a03d7e390393899e1a33e03da864c817bea83c86c8}
\inputminted{sh}{resources/apps/forksand-nodes-bootstrap/forksand-hk3-bootstrap}
\section{\texttt{apps/forksand-nodes-bootstrap/forksand-shark4-bootstrap}}
\texttt{SHA256: 04a5efbe9a3809ac7050b727eb1d9b8f755b68dc44c990f71866422ff9bc5b15}
\inputminted{sh}{resources/apps/forksand-nodes-bootstrap/forksand-shark4-bootstrap}
\section{\texttt{apps/forksand-nodes-bootstrap/forksand-the-bootstrap}}
\texttt{SHA256: cb61199026a4850f6beb9e3a2b9abcadd7f3d15c894c01060aadcc83bde25c96}
\inputminted{sh}{resources/apps/forksand-nodes-bootstrap/forksand-the-bootstrap}
\section{\texttt{apps/forksand-nodes-bootstrap/forksand-truck-bootstrap}}
\texttt{SHA256: 0691270004a884d962e82f61bbce6ffd094653d7419b081099a9f180d456719a}
\inputminted{sh}{resources/apps/forksand-nodes-bootstrap/forksand-truck-bootstrap}
\section{\texttt{apps/iptables/etc/iptables}} \section{\texttt{apps/iptables/etc/iptables}}
\texttt{SHA256: 825577f3fd900576c119d0a6191de16bf2d55fb84e6749921710b293e5fd1889} \texttt{SHA256: 825577f3fd900576c119d0a6191de16bf2d55fb84e6749921710b293e5fd1889}
\inputminted{sh}{resources/apps/iptables/etc/iptables} \inputminted{sh}{resources/apps/iptables/etc/iptables}
\section{\texttt{apps/iptables/etc/iptables.test.rules}} \section{\texttt{apps/iptables/etc/iptables.test.rules}}
\texttt{SHA256: 4b50c760daa85619a74f1c635b26807fcc7f8bedb90bd22893de8c98f3d78ff1} \texttt{SHA256: 4b50c760daa85619a74f1c635b26807fcc7f8bedb90bd22893de8c98f3d78ff1}
\inputminted{sh}{resources/apps/iptables/etc/iptables.test.rules} \inputminted{sh}{resources/apps/iptables/etc/iptables.test.rules}
\section{\texttt{apps/oca-forksand-v1\char`_1/README.rst}}
\texttt{SHA256: acb247e6caa20a6e5cac57de3137a6bd561f810e4b92d2e32d31064e4e998720}
\inputminted{sh}{resources/apps/oca-forksand-v1_1/README.rst}
\section{\texttt{apps/oca-forksand-v1\char`_1/inventory}}
\texttt{SHA256: 0f3d8a645a0f03d28bd72f8fe137a9aec2ca3b22bcd927f414d4b49236b1c630}
\inputminted{sh}{resources/apps/oca-forksand-v1_1/inventory}
\section{\texttt{apps/oca-forksand-v1\char`_1/playbook.yml}}
\texttt{SHA256: 6e8f7eb1c3db664d243cfe1a5c2c06982979c1e3eed2d65a6a35eaa688de6e64}
\inputminted{sh}{resources/apps/oca-forksand-v1_1/playbook.yml}
\section{\texttt{apps/oca-forksand-v1\char`_1/requirements.yml}}
\texttt{SHA256: c8a9b53d477d7f2d9beb3a32451f6444525c2f515af4abc6ed3fc7bd0b0a049d}
\inputminted{sh}{resources/apps/oca-forksand-v1_1/requirements.yml}
\section{\texttt{apps/oca/etc/init.d/openerp-server}} \section{\texttt{apps/oca/etc/init.d/openerp-server}}
\texttt{SHA256: 03e673de76f6aece8473a8441b0c921368f675ea234b62fa58708427a1b69346} \texttt{SHA256: 03e673de76f6aece8473a8441b0c921368f675ea234b62fa58708427a1b69346}
\inputminted{sh}{resources/apps/oca/etc/init.d/openerp-server} \inputminted{sh}{resources/apps/oca/etc/init.d/openerp-server}
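Review bot: `apps/Ansible-Gitea/roles/gitea/.DS_Store` is picked up by the generated sources list (its `\section`, `SHA256` and `\inputminted{sh}{...}` lines in this hunk), so a binary macOS metadata file would be dumped into the manual as shell source; delete it from the repository and add `.DS_Store` to `.gitignore`, or have the generator skip dotfiles, rather than hand-editing this generated file. Related: `.galaxy_install_info`, `.travis.yml` and the `Vagrantfile` of the vendored `mikegleasonjr.firewall` role are listed too, which fills the manual with third-party role scaffolding, and `apps/ansible-debian-mail/group_vars/all.yml` is the kind of file that usually holds passwords, key paths or DKIM material, so check its contents before it lands in a CC BY-SA published PDF. Also, `inventory.yml` and `ansible.cfg` carry identical hashes across the two playbooks (`cc816d03...` and `5c5bbe34...`), so they are exact copies; consider keeping one.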
@ -58,9 +253,6 @@
\section{\texttt{apps/yadifa/var/lib/yadifa/masters/localhost.zone}} \section{\texttt{apps/yadifa/var/lib/yadifa/masters/localhost.zone}}
\texttt{SHA256: 93847412dc586aa627b7c8d9c7f9f08223d62bd7297bb02058b57aaa4e92e220} \texttt{SHA256: 93847412dc586aa627b7c8d9c7f9f08223d62bd7297bb02058b57aaa4e92e220}
\inputminted{sh}{resources/apps/yadifa/var/lib/yadifa/masters/localhost.zone} \inputminted{sh}{resources/apps/yadifa/var/lib/yadifa/masters/localhost.zone}
\section{\texttt{make-sources-list.sh}}
\texttt{SHA256: 29a180a3849349df01041152a06c3af2b9c1fc13b2d4da07fa1196ff6aff9de9}
\inputminted{sh}{resources/make-sources-list.sh}
\section{\texttt{txt2qrpng.sh}} \section{\texttt{txt2qrpng.sh}}
\texttt{SHA256: 28dff76725cfbe3e4dcf70120f0393422507443fa5b6a62e1814bd44fb62161e} \texttt{SHA256: 28dff76725cfbe3e4dcf70120f0393422507443fa5b6a62e1814bd44fb62161e}
\inputminted{sh}{resources/txt2qrpng.sh} \inputminted{sh}{resources/txt2qrpng.sh}
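Review bot: the section for `make-sources-list.sh` (its `\section`, `SHA256` and `\inputminted` lines) is dropped from the generated list while every other resource stays; if the intent is that the generator excludes itself, say so in the generator, and if the script was moved or deleted, whatever regenerates this list needs to know its new location.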

@ -20,12 +20,17 @@
\thispagestyle{empty} \thispagestyle{empty}
\begin{center} \begin{center}
\par \par
%\includegraphics[keepaspectratio=true,angle=0,height=0.95\textheight,width=0.95\textwidth]{foo.pdf} \makebox[0pt][c]{%
\raisebox{-0.885\totalheight}[0pt][0pt]{%
% \includegraphics[keepaspectratio=true,angle=0,height=\pageheight]{LetterheadPDF.pdf}
\includegraphics{LetterheadPDF.pdf}
}%
}%
\par \par
\null\vfill \null\vfill
{\fontspec{lmroman12-regular.otf}\fontsize{35pt}{5cm}\selectfont \textcolor{ao-purple}{Fork Sand IT Manual}}
\par \par
\null\vfill \null\vfill
{\fontspec{lmroman12-regular.otf}\fontsize{35pt}{5cm}\selectfont \textcolor{ao-purple}{Fork Sand IT Manual}}
\par \par
\null\vfill \null\vfill
\par \par
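Review bot: the `-0.885\totalheight` in `\raisebox{-0.885\totalheight}[0pt][0pt]{...}` is a magic number with nothing saying what it aligns the letterhead to, and the commented-out `\includegraphics[...,height=\pageheight]{LetterheadPDF.pdf}` directly above it is dead code; either delete the commented line or add a one-line comment saying which stock size the offset was tuned for, since the unscaled `\includegraphics{LetterheadPDF.pdf}` will only fit if the PDF's own page size matches the document's.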

@ -1,21 +0,0 @@
%
% forksand-it-manual.gst
% makindex glossary style file
%
% Fork Sand IT Manual
%
% Copyright (C) 2017, Jeff Moe
% Copyright (C) 2014, 2015, 2016, 2017 Aleph Objects, Inc.
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Jeff Moe.
%
preamble "\\begin{theglossary}"
postamble "\n\\end{theglossary}\n"
item_0 "\n\\glossitem"
delim_0 "{\\memglonum{"
encap_suffix "}}}"
headings_flag 0
heading_prefix "{"
heading_suffix "}"
keyword "\\glossaryentry"
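Review bot: this deletes the makeindex glossary style file while `\makeglossary` is still in the preamble (it appears as unchanged context in the forksand-it-manual.tex hunks below); if the build still runs makeindex with `-s forksand-it-manual.gst`, it now fails on a missing style file, and if it no longer does, the `\makeglossary` call and any `\glossary` entries are orphaned. Either remove the glossary machinery as one change or keep the style file.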

@ -1,15 +0,0 @@
%
% forksand-it-manual.ist
% makindex index style file
%
% Fork Sand IT Manual
%
% Copyright (C) 2017, Jeff Moe
% Copyright (C) 2014, 2015, 2016, 2017 Aleph Objects, Inc.
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Jeff Moe.
%
heading_prefix "{\\normalsize \\bfseries\\hfil\\ "
heading_suffix " \\ \\hfil}\\nopagebreak\n"
headings_flag 1
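Review bot: removing the index style file silently changes index output, since `heading_prefix "{\\normalsize \\bfseries\\hfil\\ "`, `heading_suffix` and `headings_flag 1` were what gave the index its lettered group headings; with the file gone makeindex falls back to its defaults (no headings). State in the commit message whether the index is being dropped altogether or whether memoir's built-in index formatting is now expected to cover it, and remove the matching makeindex invocation from the build if it is the former.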

@ -26,7 +26,27 @@
% LaTeX Memoir Class % LaTeX Memoir Class
% Docs: /usr/share/doc/texlive-doc/latex/memoir/memman.pdf % Docs: /usr/share/doc/texlive-doc/latex/memoir/memman.pdf
\documentclass[twoside,10pt,openright,final,english]{memoir} \special{pdf:minorversion 5}
%\pdfminorversion=6 % Make pdf include minor version tolerant
%\pdfinclusioncopyfonts=1 % Make pdf include minor version tolerant
\documentclass[twoside,10pt,openright,final,english,table]{memoir}
\usepackage[table]{xcolor}
\usepackage{etoolbox}
\makeatletter
\def\gnewcommand{\g@star@or@long\gnew@command}
\def\grenewcommand{\g@star@or@long\grenew@command}
\def\g@star@or@long#1{%
\@ifstar{\let\l@ngrel@x\global#1}{\def\l@ngrel@x{\long\global}#1}}
\def\gnew@command#1{\@testopt{\@gnewcommand#1}0}
\def\@gnewcommand#1[#2]{%
\kernel@ifnextchar [{\@gxargdef#1[#2]}%
{\@argdef#1[#2]}}
\let\@gxargdef\@xargdef
\patchcmd{\@gxargdef}{\def}{\gdef}{}{}
\let\grenew@command\renew@command
\patchcmd{\grenew@command}{\new@command}{\gnew@command}{}{}
\makeatother
\usepackage{tikz} \usepackage{tikz}
\usetikzlibrary{shadows,shapes,arrows,chains,calc,decorations.pathmorphing,patterns,trees,positioning,automata,fit} \usetikzlibrary{shadows,shapes,arrows,chains,calc,decorations.pathmorphing,patterns,trees,positioning,automata,fit}
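Review bot: the two `\patchcmd` calls that close the `\gnewcommand`/`\grenewcommand` block pass `{}{}` for both the success and the failure branch, so if a kernel update changes `\@xargdef` or `\renew@command` the patch fails silently and `\gnewcommand` quietly stops defining globally; put at least `\PackageError` or `\GenericWarning` in the failure branch, and add a comment saying what the block is for and where it came from, as nothing in this commit uses `\gnewcommand`. Also, `\special{pdf:minorversion 5}` before `\documentclass` is the xdvipdfmx form while the commented `%\pdfminorversion=6` beside it is the pdfTeX form, and both carry the same copy-pasted comment "Make pdf include minor version tolerant"; a single comment stating that this preamble is xelatex-only would avoid a confusing compile under pdflatex.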
@ -54,11 +74,15 @@ backgroundcolor=white,
leftmargin=1cm,rightmargin=1cm leftmargin=1cm,rightmargin=1cm
} }
\usepackage{longtable}
\usepackage{tabu}
\usepackage{smartdiagram} \usepackage{smartdiagram}
\usesmartdiagramlibrary{additions} \usesmartdiagramlibrary{additions}
\usepackage{comment} % /usr/share/doc/texlive-doc/latex/comment/comment.pdf \usepackage{comment} % /usr/share/doc/texlive-doc/latex/comment/comment.pdf
\usepackage{pdfpages} % Be able to include pdf
\usepackage{pict2e}
\usepackage{graphicx} % /usr/share/doc/texlive-doc/latex/graphics/graphicx.pdf \usepackage{graphicx} % /usr/share/doc/texlive-doc/latex/graphics/graphicx.pdf
\usepackage{epstopdf} % /usr/share/doc/texlive-doc/latex/oberdiek/epstopdf.pdf %\usepackage{epstopdf} % /usr/share/doc/texlive-doc/latex/oberdiek/epstopdf.pdf
% http://www.tug.org/applications/hyperref/manual.html % http://www.tug.org/applications/hyperref/manual.html
% /usr/share/doc/texlive-doc/latex/hyperref/hyperref.pdf % /usr/share/doc/texlive-doc/latex/hyperref/hyperref.pdf
\usepackage[colorlinks=true,linkcolor=ao-dark-orange,urlcolor=ao-dark-orange]{hyperref} \usepackage[colorlinks=true,linkcolor=ao-dark-orange,urlcolor=ao-dark-orange]{hyperref}
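Review bot: `\usepackage{epstopdf}` is commented out rather than removed, which leaves a toggle nobody will know whether to flip back; if EPS figures are no longer supported, delete the line and its doc-path comment. `tabu` is added next to `longtable`; `tabu` is unmaintained and has had compatibility breakage with newer `longtable` releases, so if the new tables only need `longtable`, prefer `longtable` with `array`/`booktabs` and leave `tabu` out, or pin the TeX Live version the build is known to work with.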
@ -69,6 +93,7 @@ leftmargin=1cm,rightmargin=1cm
\makeglossary \makeglossary
\usepackage{color} % Docs: /usr/share/doc/texlive-latex-base-doc/latex/graphics/grfguide.pdf \usepackage{color} % Docs: /usr/share/doc/texlive-latex-base-doc/latex/graphics/grfguide.pdf
\usepackage{colortbl}
%\usepackage[usenames,dvipsnames,svgnames,table]{xcolor} %\usepackage[usenames,dvipsnames,svgnames,table]{xcolor}
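Review bot: `\usepackage{colortbl}` is redundant here: `xcolor` is already loaded with the `table` option earlier in the preamble (and `table` is also passed as a class option), and that option loads `colortbl` itself; the `\usepackage{color}` it follows is likewise superseded by `xcolor`. Loading `color` after `xcolor` is harmless but misleading, so drop both lines and keep the single `\usepackage[table]{xcolor}`.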
%%% PREAMBLE FONTS %%% %%% PREAMBLE FONTS %%%
@ -217,6 +242,8 @@ leftmargin=1cm,rightmargin=1cm
%%% END OF PREAMBLE %%% %%% END OF PREAMBLE %%%
\begin{document} \begin{document}
%%% Global pdf include directives
\includepdfset{pages=-,noautoscale}
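Review bot: `\includepdfset{pages=-,noautoscale}` makes every `\includepdf` in the document pull in all pages of its argument; since `\chapterconf` below includes `LetterheadPDF.pdf` at the start of every chapter, a letterhead file that ever grows to two pages would silently insert an extra opener page per chapter. Set `pages=1` in the `\chapterconf` call, or leave `pages` out of the global set and state it per call.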
%%% BEGIN FRONT MATTER %%% %%% BEGIN FRONT MATTER %%%
\frontmatter \frontmatter
@ -234,6 +261,9 @@ leftmargin=1cm,rightmargin=1cm
\include{Copyright} \include{Copyright}
%%% END COPYRIGHT PAGE %%% %%% END COPYRIGHT PAGE %%%
% Set page numbering to arabic, but don't reset numbering (*)
\pagenumbering*{arabic}
%%% TABLE OF CONTENTS %%% %%% TABLE OF CONTENTS %%%
{\fontspec{lmroman12-regular.otf} {\fontspec{lmroman12-regular.otf}
\maxtocdepth{subsection} \maxtocdepth{subsection}
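Review bot: moving `\pagenumbering*{arabic}` ahead of the table of contents means the front matter is now numbered in arabic, continuing from the title and copyright pages, so chapter one no longer starts on page 1; if the intent is that printed page numbers match PDF page indices, say so in the comment, because the existing comment only explains the starred (no-reset) form and not why the switch happens here rather than at `\mainmatter*`.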
@ -265,6 +295,15 @@ leftmargin=1cm,rightmargin=1cm
\def\topblockvspace{0.11} \def\topblockvspace{0.11}
%%% END CHAPTER STYLE %%% %%% END CHAPTER STYLE %%%
%%% INVISIBLE CHAPTERS %%%
\newcommand{\invisiblechapter}[1]{%
\par\refstepcounter{chapter}% Increase section counter
\sectionmark{#1}% Add section mark (header)
\addcontentsline{toc}{chapter}{\protect\numberline{\thechapter}#1}% Add chapter to ToC
% Add more content here, if needed.
}
%%% END INVISIBLE CHAPTERS %%%
%%% CHAPTER CONFIG %%% %%% CHAPTER CONFIG %%%
\newcommand{\chapterheader}{Fork Sand IT Manual} \newcommand{\chapterheader}{Fork Sand IT Manual}
% See \chapterconf below for examples of how this is used. % See \chapterconf below for examples of how this is used.
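Review bot: the comment on `\refstepcounter{chapter}` reads "Increase section counter" but the line steps the chapter counter, and the running head is set with `\sectionmark{#1}` rather than `\chaptermark{#1}`, which the `\markboth{#2}{\chapterheader}` in `\chapterconf` overrides anyway; fix the comment and either use `\chaptermark` or drop the mark line. Also note that the argument this macro receives from `\chapterconf` is `{#2}\qquad\qquad{#3}`, so the `\qquad\qquad` ends up inside the ToC entry text; if the subtitle is wanted in the ToC, a separating `:` or `--` reads better in a contents line than two quads.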
@ -272,8 +311,27 @@ leftmargin=1cm,rightmargin=1cm
% value 2 is title of chapter % value 2 is title of chapter
% value 3 is sub title of chapter % value 3 is sub title of chapter
\newcommand{\chapterconf}[3]{ \newcommand{\chapterconf}[3]{
\chapter{\emph{{#2}}\protect \\ \includepdf[width=210mm%
{#3}} ,%
picturecommand*={%
\put(200,650){%
\invisiblechapter{{#2}\qquad\qquad{#3}}%
}%
\color[rgb]{0.631,0.957,1}% HEX # A1F4FF R:161 G:244 B:255 C:37 M:4 Y:0 K:0
\linethickness{30mm}
\put( 100,378){\line(1,0){397.50793}}
\color[rgb]{0.361,0.922,1}% HEX # 5CEBFF R:92 G:235 B:255 C:64 M:8 Y:0 K:0
\put( 0,378){\line(1,0){100}}
\put( 497.50793,378){\line(1,0){100}}
\color[rgb]{0,0.2,0.2}
\linethickness{0.3mm}
\put( 0,420){\line(1,0){597.50793}}
\put( 0,336){\line(1,0){597.50793}}
\put(120,395){\begin{minipage}{357.50793pt}\centering \Huge{#2}\end{minipage}}
\put(120,355){\begin{minipage}{357.50793pt}\centering \Huge{#3}\end{minipage}}
\color[rgb]{0,0,0}
}%
]{LetterheadPDF.pdf}
\thispagestyle{empty} \thispagestyle{empty}
\markboth{#2}{\chapterheader} \markboth{#2}{\chapterheader}
{\include{#1}} {\include{#1}}
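Review bot: `\thispagestyle{empty}` now follows `\includepdf[...]{LetterheadPDF.pdf}`, but `\includepdf` already uses `\thispagestyle{empty}` as its default `pagecommand` and finishes the included page before returning, so this call now lands on the chapter's first text page and strips its header and page number; delete it or move it into `pagecommand={}` of the `\includepdf` call. Separately, the overlay is built from repeated hard-coded values (`width=210mm`, `597.50793`, `357.50793`, the y offsets `378`, `420`, `336`) that only fit an A4-width stock; hoist the page width into one `\newlength` and derive the line lengths from it so a change of stock size is a one-line edit instead of six.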
@ -293,9 +351,6 @@ leftmargin=1cm,rightmargin=1cm
%%% BEGIN MAINMATTER %%% %%% BEGIN MAINMATTER %%%
\mainmatter* \mainmatter*
% Set page numbering to arabic, but don't reset numbering (*)
\pagenumbering*{arabic}
%% MAINMATTER CHAPTERS %%% %% MAINMATTER CHAPTERS %%%
% Default chapter font % Default chapter font
\fontspec{lmroman12-regular.otf} \fontspec{lmroman12-regular.otf}
@ -310,9 +365,8 @@ leftmargin=1cm,rightmargin=1cm
\chapterconf{Distros}{Distributions}{Free Software Distributions} \chapterconf{Distros}{Distributions}{Free Software Distributions}
\chapterconf{Software-daemons}{Server Software}{Server Software Daemons} \chapterconf{Software-daemons}{Server Software}{Server Software Daemons}
\chapterconf{Firewalls}{Firewalls}{Firewalls} \chapterconf{Firewalls}{Firewalls}{Firewalls}
\chapterconf{ClusterHardware}{Cluster Hardware}{Machines}
\chapterconf{Firewall-opnsense}{OPNSense Firewall}{Use OPNSense} \chapterconf{Firewall-opnsense}{OPNSense Firewall}{Use OPNSense}
\chapterconf{OpenNebula}{OpenNebula}{Virtual Machines} \chapterconf{Proxmox}{Proxmox}{Virtual Machines}
\chapterconf{Ansible}{Ansible}{Cluster Administration} \chapterconf{Ansible}{Ansible}{Cluster Administration}
\chapterconf{DNS}{Domain Name Service (DNS)}{Who Names You?} \chapterconf{DNS}{Domain Name Service (DNS)}{Who Names You?}
\chapterconf{NTP}{Network Time Protocol}{A Hole in Time} \chapterconf{NTP}{Network Time Protocol}{A Hole in Time}
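Review bot: the first `\chapterconf` argument is a file name handed to `\include`, so swapping `OpenNebula` for `Proxmox` and adding `ClusterHardware` needs `Proxmox.tex` and `ClusterHardware.tex` in this same commit, and `OpenNebula.tex` either removed or kept deliberately; with `\include` a missing file is only a warning, so the manual would build with a silently empty chapter. Confirm the three files are part of this change.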
@ -321,6 +375,7 @@ leftmargin=1cm,rightmargin=1cm
%\part{Appendix} % XXX %\part{Appendix} % XXX
\appendix \appendix
\chapterconf{Source}{Free Software}{Free Software and Configurations} \chapterconf{Source}{Free Software}{Free Software and Configurations}
%% END MAINMATTER CHAPTERS %%% %% END MAINMATTER CHAPTERS %%%
%%% END MAINMATTER %%% %%% END MAINMATTER %%%
@ -346,6 +401,7 @@ leftmargin=1cm,rightmargin=1cm
\chapterconf{Contact}{Contact}{Phone, Email, Web, Location} \chapterconf{Contact}{Contact}{Phone, Email, Web, Location}
%%% END CONTACT %%% %%% END CONTACT %%%
%%% COLOPHON %%% %%% COLOPHON %%%
%%% skip a couple pages %%% skip a couple pages
\pagebreak{} \pagebreak{}

@ -1,7 +1,72 @@
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ./SHA256SUM e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ./SHA256SUM
b1861503f0a41f1f2bef8fbfba32501d871ef4c5fd073c3b9272c71a7b1e7ea5 ./STATS adadaa5e46ade71aa99d833d7cf64cf012501c8b7a6f6c15a3563f6ceeffa9c6 ./STATS
5c5bbe341a18319f6f24033c4f63fc5f1594469b4f2cfbb991ec596fd30e9a3b ./apps/Ansible-Gitea/ansible.cfg
cc816d03579097542ca85c188995a412d619c08c84bf3dfef73191fc5cc05b54 ./apps/Ansible-Gitea/inventory.yml
19aeb0ea8e30712f9589fd7037415118a92666d12ae30aa0757be6fde6357225 ./apps/Ansible-Gitea/roles/gitea/defaults/main.yml
4012e6484af750c9b21a8d9f04e68ddd291c37a8dd9657daa862124e480c2497 ./apps/Ansible-Gitea/roles/gitea/handlers/main.yml
28d0983feb2aba01934a25cad94e64e77c055e6a977bb2a0db9a8c199933b369 ./apps/Ansible-Gitea/roles/gitea/tasks/create_user.yml
7e6155085ebae67496b3267cdf3211fd3a7e0f178661ff21e20101947456912e ./apps/Ansible-Gitea/roles/gitea/tasks/install_systemd.yml
bc5f081dfd51f5c920c8dda1873560a2602204dd9d28a881238fd66e22437c2d ./apps/Ansible-Gitea/roles/gitea/tasks/main.yml
c8be571f2f2407240bc88997aedf70c9230554a65132ebab9a1ee0d4296ff9d3 ./apps/Ansible-Gitea/roles/gitea/templates/gitea.ini.j2
0acbfe01156c9e39ee71a4fc64310ab003f09bfcf544df00b1f3cff010ed8f38 ./apps/Ansible-Gitea/roles/gitea/templates/gitea.service.j2
e97bff48aa282aacf1c59c754a7b9adfe56120c4cb1545a7488f03fee9f4e479 ./apps/Ansible-Gitea/roles/gitea/.DS_Store
20c921226115e5a92309d543b66066438e6565bdbd054e7ca41d0fc6ddcfcd9a ./apps/Ansible-Gitea/roles/nginx/defaults/main.yml
5a3990dbfb331c83fbbff76368a2426ae03d34052454aa6676f52b7e4652d561 ./apps/Ansible-Gitea/roles/nginx/handlers/main.yml
5232d5b0894c1e6a3da8472591ef49e9c80e927cdbec626c15c9e1a9796729a8 ./apps/Ansible-Gitea/roles/nginx/tasks/main.yml
1ecb64716e6674eb30a145c79859774cc5772304828553474c05820a2151ff3b ./apps/Ansible-Gitea/roles/nginx/templates/nginx.conf.j2
4d7edebbe48f20aeeb49599d32fc5531db943cbf43d7e9995674c180b56f2e77 ./apps/Ansible-Gitea/roles/nginx/templates/nginxssl.conf.j2
d74378b00af74eabe0cc11d0f0b1db5c902116c583216f14152d968e5a71e474 ./apps/Ansible-Gitea/site.yml
5c5bbe341a18319f6f24033c4f63fc5f1594469b4f2cfbb991ec596fd30e9a3b ./apps/ansible-debian-mail/ansible.cfg
b5f417e155b47834e49be9243ba776a6516c56c3ed0121d2bc4d022d5acacd87 ./apps/ansible-debian-mail/group_vars/all.yml
cc816d03579097542ca85c188995a412d619c08c84bf3dfef73191fc5cc05b54 ./apps/ansible-debian-mail/inventory.yml
95d75eba0703ebb00f12d01a821353fe1ddb7a5612a72ea2c4e658d2be5afb52 ./apps/ansible-debian-mail/roles/dkim_configuration/tasks/main.yml
4f83d988f9a305d6f7571f1742f8e284f0008182bcb21f3b8683594fd5de2340 ./apps/ansible-debian-mail/roles/dkim_configuration/templates/internalhosts.j2
bf71aafad2295a773f5556ff870e4db70d62451a26fc952bde04336642f7afc2 ./apps/ansible-debian-mail/roles/dkim_configuration/templates/opendkim.conf.j2
4069a27787b75f0af2ca555ff0f5668c2cbe6813909108a92c1583c4e82d2863 ./apps/ansible-debian-mail/roles/dkim_configuration/templates/opendkim.j2
3d5208869831f657790c9642ea0ad63db2ad79d080d7d7ef24da0b802946b223 ./apps/ansible-debian-mail/roles/dkim_configuration/templates/opendmarc.conf.j2
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ./apps/ansible-debian-mail/roles/dkim_configuration/templates/opendmarc.j2
9252907b8d86ae437a9910148e6c72b2fce30be020a57ab3d59111fc5de5f6f7 ./apps/ansible-debian-mail/roles/dkim_configuration/templates/trustedhosts.j2
218fc20617243fef6f783cd83332fa0fe9e610483bc2c2f1b1245e8eec0959ac ./apps/ansible-debian-mail/roles/dovecot_configuration/handlers/main.yml
f9d7c2c906c9f092d2dd973cc2c2e9ce9b4b5b01f2ec056f3095c6fc802c2d74 ./apps/ansible-debian-mail/roles/dovecot_configuration/tasks/main.yml
d7004417a7ac1d96e9904b05f68879a752dec6f7621bc56ed18434aabf78c40b ./apps/ansible-debian-mail/roles/dovecot_configuration/templates/10-master.conf.j2
660790c32b47fd84326c6d53efcb13a2a6c691fa96d59c880aceadf71f8fa1f0 ./apps/ansible-debian-mail/roles/dovecot_configuration/templates/10-ssl.conf.j2
8ebe1bb04c097e8371d63b6ac16c393ca74c094711942f2560252d482a0f17ce ./apps/ansible-debian-mail/roles/fail2ban_configuration/tasks/main.yml
817e705118fd6d92e7e89a84544ba907c71aa4395b3cb925fe4421b1b99add53 ./apps/ansible-debian-mail/roles/letsencrypt_configuration/tasks/main.yml
6920d48ae9610b5d0d61c9638d27e30b46b885777ab04127a198a380df12ae38 ./apps/ansible-debian-mail/roles/mikegleasonjr.firewall/.travis.yml
b8c8b8560eb577eb8637a446bc28aba7df05d34618093023a2b43f7764c75fb2 ./apps/ansible-debian-mail/roles/mikegleasonjr.firewall/Vagrantfile
c86227ad9775e213708a92703958d1ae8dc80b5073b665499839e4c80f0d77d5 ./apps/ansible-debian-mail/roles/mikegleasonjr.firewall/defaults/main.yml
c77f50cf2758025bece96792badbf0f98a799738be56e3dbd94d5c416ce402b5 ./apps/ansible-debian-mail/roles/mikegleasonjr.firewall/meta/main.yml
8df2fa6c72bad1a6b52a7e84a1dd5a850b96d3ed55c4266113c1476bbc1c974d ./apps/ansible-debian-mail/roles/mikegleasonjr.firewall/meta/.galaxy_install_info
5d1ebe1ec51a5a4b0ab52bbf1af63ca94af4290182755b2463aa321bfb39732f ./apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/main.yml
da08d16128d29e725a80590890592020a53d90cbeac3b55dbe67da63fc254e6b ./apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/persist-debian.yml
aaa130a6c8ad52ede70c2b12e46e27e61475e5d8b0842274b5ce0515ad645734 ./apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/persist-redhat.yml
6f28f53b5c77709268853ab1ba9f16ca30d64cd72dde08e9d9826b82c714e602 ./apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tasks/rules.yml
1c8f8244b151f386933796a30c299f86d580880e16a7abba3653a1e3765a5394 ./apps/ansible-debian-mail/roles/mikegleasonjr.firewall/templates/generated.v4.j2
b724ce42ef251f979751e080279d27c6f82e21f5c30118a731aacf3f8b494624 ./apps/ansible-debian-mail/roles/mikegleasonjr.firewall/templates/generated.v6.j2
a7c2b3cd0f70c600c3e1db74d95533be3eb864853394c62330b5532c49abb572 ./apps/ansible-debian-mail/roles/mikegleasonjr.firewall/tests.yml
10734468f2c6744ef0fc14bb5f8d9678fb684d9647a981ab7dc93e81f6b3396b ./apps/ansible-debian-mail/roles/outputs/tasks/main.yml
3749fe155aa62adb30db35bedc96bdb47b1e094e8cc3b12e4915dc6137edcc43 ./apps/ansible-debian-mail/roles/postfix_configuration/files/auth_header_checks.pcre
13dd76df6148f7a898c8054f5566cbd351207a9bc5ae97ced9e4b5407af923a5 ./apps/ansible-debian-mail/roles/postfix_configuration/files/master.cf
a31d3860adb790e2ab6ee5763e2b59aa5b17b94f56cb7236845128f0e870e597 ./apps/ansible-debian-mail/roles/postfix_configuration/handlers/main.yml
cf7521b7366045753045ac11bdccc11857bc0c171a0fc1ba9c572fe7d59fd627 ./apps/ansible-debian-mail/roles/postfix_configuration/tasks/main.yml
5a101165ebf12cbd1663908e21f77dc2636fee45da36f5daa79ab84c47e7dfcb ./apps/ansible-debian-mail/roles/postfix_configuration/templates/aliases.j2
5822b360aa9988efc37bdf5dd9626de45b2d1f279f70e032f5b56427994f440d ./apps/ansible-debian-mail/roles/server_tasks/handlers/main.yml
9482c99a24179cb4bcd0d8ea5bf6ac5e8391cd88b1242190693c685127bb94e8 ./apps/ansible-debian-mail/roles/server_tasks/tasks/main.yml
bc1d9877f592fe1b63385a38febee9ed7769cbb01972e73f950dcc6e5309ded0 ./apps/ansible-debian-mail/roles/spamassassin_configuration/tasks/main.yml
c85d3966f275654bfde3c1c5065980debe0be5900ad5b33f3bf19e893610b635 ./apps/ansible-debian-mail/roles/sqlgrey_configuration/tasks/main.yml
00b3b9b020bfd4ebe7732bf3a96a7dc5ce37c6788907f0574a193c3f5fcd0224 ./apps/ansible-debian-mail/site.yml
d3b370cdf087289f89c827aefaf1915c35843f01f9f2d8bbeb412184b2ce2fa6 ./apps/forksand-nodes-bootstrap/forksand-hk1-bootstrap
d62d8c5f8269253f07bdd01abaf0653797627477827163625c9d2e3d207e27c8 ./apps/forksand-nodes-bootstrap/forksand-hk2-bootstrap
7d56b22aec7e53798e88d4a03d7e390393899e1a33e03da864c817bea83c86c8 ./apps/forksand-nodes-bootstrap/forksand-hk3-bootstrap
04a5efbe9a3809ac7050b727eb1d9b8f755b68dc44c990f71866422ff9bc5b15 ./apps/forksand-nodes-bootstrap/forksand-shark4-bootstrap
cb61199026a4850f6beb9e3a2b9abcadd7f3d15c894c01060aadcc83bde25c96 ./apps/forksand-nodes-bootstrap/forksand-the-bootstrap
0691270004a884d962e82f61bbce6ffd094653d7419b081099a9f180d456719a ./apps/forksand-nodes-bootstrap/forksand-truck-bootstrap
825577f3fd900576c119d0a6191de16bf2d55fb84e6749921710b293e5fd1889 ./apps/iptables/etc/iptables 825577f3fd900576c119d0a6191de16bf2d55fb84e6749921710b293e5fd1889 ./apps/iptables/etc/iptables
4b50c760daa85619a74f1c635b26807fcc7f8bedb90bd22893de8c98f3d78ff1 ./apps/iptables/etc/iptables.test.rules 4b50c760daa85619a74f1c635b26807fcc7f8bedb90bd22893de8c98f3d78ff1 ./apps/iptables/etc/iptables.test.rules
acb247e6caa20a6e5cac57de3137a6bd561f810e4b92d2e32d31064e4e998720 ./apps/oca-forksand-v1_1/README.rst
0f3d8a645a0f03d28bd72f8fe137a9aec2ca3b22bcd927f414d4b49236b1c630 ./apps/oca-forksand-v1_1/inventory
6e8f7eb1c3db664d243cfe1a5c2c06982979c1e3eed2d65a6a35eaa688de6e64 ./apps/oca-forksand-v1_1/playbook.yml
c8a9b53d477d7f2d9beb3a32451f6444525c2f515af4abc6ed3fc7bd0b0a049d ./apps/oca-forksand-v1_1/requirements.yml
03e673de76f6aece8473a8441b0c921368f675ea234b62fa58708427a1b69346 ./apps/oca/etc/init.d/openerp-server 03e673de76f6aece8473a8441b0c921368f675ea234b62fa58708427a1b69346 ./apps/oca/etc/init.d/openerp-server
a149aa2a11f17a20eda8f32e2ef5b34e403b772d53f1dcd2a62bd44b166c2122 ./apps/oca/lib/systemd/system/odoo-server.service a149aa2a11f17a20eda8f32e2ef5b34e403b772d53f1dcd2a62bd44b166c2122 ./apps/oca/lib/systemd/system/odoo-server.service
72d2cb138dfae349f5029b27dae74d13745061233fcebb79ef3d38eb4836183a ./apps/oca/oca11-addons 72d2cb138dfae349f5029b27dae74d13745061233fcebb79ef3d38eb4836183a ./apps/oca/oca11-addons
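Review bot: a few of the new checksum lines need attention. The `./SHA256SUM` entry and `./apps/ansible-debian-mail/roles/dkim_configuration/templates/opendmarc.j2` both carry `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`, the SHA-256 of the empty input: the checksum file is being hashed while still empty (exclude it from its own listing), and the OpenDMARC defaults template is an empty file, which should be confirmed as intentional. `./apps/Ansible-Gitea/roles/gitea/.DS_Store` and `./apps/ansible-debian-mail/roles/mikegleasonjr.firewall/meta/.galaxy_install_info` are macOS Finder and ansible-galaxy install metadata, not sources, and a binary `.DS_Store` will render as garbage if it is ever `\inputminted`; filter dotfiles out of the listing. `ansible.cfg` and `inventory.yml` appear with identical hashes under both Ansible trees, so one copy would do. Finally, these inventory, `group_vars/all.yml`, and `.j2` config templates are headed into a published manual, so check them for credentials, keys and internal hostnames before the appendix is regenerated.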
@ -18,5 +83,4 @@ e2c4028695f3ac6b6ed8afb963a7821589b94ed81a2d068d7480b809d402c830 ./apps/yadifa-
705f36a12aee30e8510e5d06f1d3dd471a82aa518e00648a83f8f9d1146b8186 ./apps/yadifa-slave/etc/yadifa/yadifad.conf 705f36a12aee30e8510e5d06f1d3dd471a82aa518e00648a83f8f9d1146b8186 ./apps/yadifa-slave/etc/yadifa/yadifad.conf
1966009066a265b65574003bc5f338ee4c2595c010ece34e9e428c526b974fd5 ./apps/yadifa/var/lib/yadifa/masters/0.0.127.in-addr.arpa.zone 1966009066a265b65574003bc5f338ee4c2595c010ece34e9e428c526b974fd5 ./apps/yadifa/var/lib/yadifa/masters/0.0.127.in-addr.arpa.zone
93847412dc586aa627b7c8d9c7f9f08223d62bd7297bb02058b57aaa4e92e220 ./apps/yadifa/var/lib/yadifa/masters/localhost.zone 93847412dc586aa627b7c8d9c7f9f08223d62bd7297bb02058b57aaa4e92e220 ./apps/yadifa/var/lib/yadifa/masters/localhost.zone
29a180a3849349df01041152a06c3af2b9c1fc13b2d4da07fa1196ff6aff9de9 ./make-sources-list.sh
28dff76725cfbe3e4dcf70120f0393422507443fa5b6a62e1814bd44fb62161e ./txt2qrpng.sh 28dff76725cfbe3e4dcf70120f0393422507443fa5b6a62e1814bd44fb62161e ./txt2qrpng.sh

@ -1,2 +1,2 @@
There are 22 source code files included. There are 86 source code files included.
There are 22 unique files. There are 83 unique files.
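Review bot: "86 source code files, 83 unique" is consistent with the three repeated hashes in the SHA256SUM hunk (the empty-input hash shared by `SHA256SUM` and `opendmarc.j2`, and `ansible.cfg` and `inventory.yml` shared by the two Ansible trees), but a uniqueness count taken from hashes alone treats two unrelated empty files as the same file; listing the colliding paths next to the count would make the number checkable.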

@ -0,0 +1,661 @@
GNU AFFERO GENERAL PUBLIC LICENSE
Version 3, 19 November 2007
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The GNU Affero General Public License is a free, copyleft license for
software and other kinds of works, specifically designed to ensure
cooperation with the community in the case of network server software.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
our General Public Licenses are intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
Developers that use our General Public Licenses protect your rights
with two steps: (1) assert copyright on the software, and (2) offer
you this License which gives you legal permission to copy, distribute
and/or modify the software.
A secondary benefit of defending all users' freedom is that
improvements made in alternate versions of the program, if they
receive widespread use, become available for other developers to
incorporate. Many developers of free software are heartened and
encouraged by the resulting cooperation. However, in the case of
software used on network servers, this result may fail to come about.
The GNU General Public License permits making a modified version and
letting the public access it on a server without ever releasing its
source code to the public.
The GNU Affero General Public License is designed specifically to
ensure that, in such cases, the modified source code becomes available
to the community. It requires the operator of a network server to
provide the source code of the modified version running there to the
users of that server. Therefore, public use of a modified version, on
a publicly accessible server, gives the public access to the source
code of the modified version.
An older license, called the Affero General Public License and
published by Affero, was designed to accomplish similar goals. This is
a different license, not a version of the Affero GPL, but Affero has
released a new version of the Affero GPL which permits relicensing under
this license.
The precise terms and conditions for copying, distribution and
modification follow.
TERMS AND CONDITIONS
0. Definitions.
"This License" refers to version 3 of the GNU Affero General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.
To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy. The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based
on the Program.
To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.
To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.
An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.
1. Source Code.
The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.
A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.
The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.
The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.
The Corresponding Source for a work in source code form is that
same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force. You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright. Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.
When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.
b) The work must carry prominent notices stating that it is
released under this License and any conditions added under section
7. This requirement modifies the requirement in section 4 to
"keep intact all notices".
c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:
a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.
A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling. In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage. For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product. A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.
"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.
If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).
The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed. Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or
authors of the material; or
e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.
All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.
Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.
If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.
A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License. You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.
13. Remote Network Interaction; Use with the GNU General Public License.
Notwithstanding any other provision of this License, if you modify the
Program, your modified version must prominently offer all users
interacting with it remotely through a computer network (if your version
supports such interaction) an opportunity to receive the Corresponding
Source of your version by providing access to the Corresponding Source
from a network server at no charge, through some standard or customary
means of facilitating copying of software. This Corresponding Source
shall include the Corresponding Source for any work covered by version 3
of the GNU General Public License that is incorporated pursuant to the
following paragraph.
Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the work with which it is combined will remain governed by version
3 of the GNU General Public License.
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of
the GNU Affero General Public License from time to time. Such new versions
will be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the
Program specifies that a certain numbered version of the GNU Affero General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of the
GNU Affero General Public License, you may choose any version ever published
by the Free Software Foundation.
If the Program specifies that a proxy can decide which future
versions of the GNU Affero General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.
Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
If your software can interact with users remotely through a computer
network, you should also make sure that it provides a way for users to
get its source. For example, if your program is a web application, its
interface could display a "Source" link that leads users to an archive
of the code. There are many ways you could offer source, and different
solutions will be better for different programs; see section 13 for the
specific requirements.
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU AGPL, see
<https://www.gnu.org/licenses/>.
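Review bot: this commit adds two complete license texts (the AGPL-3.0 text ending here and a GPL-3.0 text beginning in the next file), but nothing in the diff records which of the two governs which files in the repository; add a short statement to that effect (for example in the README or a LICENSE note), because AGPL section 13 above imposes a network-source obligation that the GPL does not, and the "How to Apply These Terms" notice above names the AGPL specifically.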
@ -0,0 +1,674 @@
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The GNU General Public License is a free, copyleft license for
software and other kinds of works.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
the GNU General Public License is intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users. We, the Free Software Foundation, use the
GNU General Public License for most of our software; it applies also to
any other work released this way by its authors. You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
To protect your rights, we need to prevent others from denying you
these rights or asking you to surrender the rights. Therefore, you have
certain responsibilities if you distribute copies of the software, or if
you modify it: responsibilities to respect the freedom of others.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must pass on to the recipients the same
freedoms that you received. You must make sure that they, too, receive
or can get the source code. And you must show them these terms so they
know their rights.
Developers that use the GNU GPL protect your rights with two steps:
(1) assert copyright on the software, and (2) offer you this License
giving you legal permission to copy, distribute and/or modify it.
For the developers' and authors' protection, the GPL clearly explains
that there is no warranty for this free software. For both users' and
authors' sake, the GPL requires that modified versions be marked as
changed, so that their problems will not be attributed erroneously to
authors of previous versions.
Some devices are designed to deny users access to install or run
modified versions of the software inside them, although the manufacturer
can do so. This is fundamentally incompatible with the aim of
protecting users' freedom to change the software. The systematic
pattern of such abuse occurs in the area of products for individuals to
use, which is precisely where it is most unacceptable. Therefore, we
have designed this version of the GPL to prohibit the practice for those
products. If such problems arise substantially in other domains, we
stand ready to extend this provision to those domains in future versions
of the GPL, as needed to protect the freedom of users.
Finally, every program is threatened constantly by software patents.
States should not allow patents to restrict development and use of
software on general-purpose computers, but in those that do, we wish to
avoid the special danger that patents applied to a free program could
make it effectively proprietary. To prevent this, the GPL assures that
patents cannot be used to render the program non-free.
The precise terms and conditions for copying, distribution and
modification follow.
TERMS AND CONDITIONS
0. Definitions.
"This License" refers to version 3 of the GNU General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.
To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy. The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based
on the Program.
To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.
To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.
An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.
1. Source Code.
The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.
A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.
The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.
The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.
The Corresponding Source for a work in source code form is that
same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force. You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright. Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.
When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.
b) The work must carry prominent notices stating that it is
released under this License and any conditions added under section
7. This requirement modifies the requirement in section 4 to
"keep intact all notices".
c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:
a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.
A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling. In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage. For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product. A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.
"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.
If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).
The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed. Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or
authors of the material; or
e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.
All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.
Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.
If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.
A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License. You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.
13. Use with the GNU Affero General Public License.
Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU Affero General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the special requirements of the GNU Affero General Public License,
section 13, concerning interaction through a network will apply to the
combination as such.
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of
the GNU General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the
Program specifies that a certain numbered version of the GNU General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of the
GNU General Public License, you may choose any version ever published
by the Free Software Foundation.
If the Program specifies that a proxy can decide which future
versions of the GNU General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.
Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
If the program does terminal interaction, make it output a short
notice like this when it starts in an interactive mode:
<program> Copyright (C) <year> <name of author>
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, your program's commands
might be different; for a GUI interface, you would use an "about box".
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU GPL, see
<https://www.gnu.org/licenses/>.
The GNU General Public License does not permit incorporating your program
into proprietary programs. If your program is a subroutine library, you
may consider it more useful to permit linking proprietary applications with
the library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License. But first, please read
<https://www.gnu.org/licenses/why-not-lgpl.html>.

@ -0,0 +1,172 @@
# Forksand Bootstrap Gitea
This Ansible playbook was written to set up a Gitea server on Debian systems.
## Table of contents
1. [Requirements](#requirements)
2. [Quick Start](#quick-start)
* [Project Configuration](#project-configuration)
* [Playbook Execution](#playbook-execution)
3. [Project Structure](#project-structure)
* [File and Directory Descriptions](#file-and-directory-descriptions)
* [Role Descriptions](#role-descriptions)
* [Role Parameters](#role-parameters)
4. [Ansible Logging](#ansible-logging)
5. [Troubleshooting](#troubleshooting)
## Requirements
The following applications are required to utilize this playbook. Ansible can be installed using Python PIP.
* Ansible 2.4.x+
* Python 2.7.9+
## Quick Start
The follow steps will help quickly set up and execute this playbook.
### Project Configuration
The following files need to be edited and configured before executing this playbook.
| File | Description |
| -- | -- |
| roles/gitea/default/main.yml | Variables for Gitea configuration - (default - standalone with sqlite) |
| roles/nginx/default/main.yml | Variables for Nginx and Letsencrypt configuration |
| inventory.yml | List of server IPs to connect to |
### Playbook Execution
After having configured the server credentials and added the server IP to the inventory, use the following command to execute the playbook.
`ansible-playbook -i inventory.yml site.yml`
## Project Structure
The following tree depicts the high level structure of this Ansible project.
```bash
├── inventory.yml
├── LICENSE.AGPLv3
├── LICENSE.GPLv3
├── README.md
├── roles
│   ├── gitea
│   ├── nginx
├── playbook_execution.log
└── site.yml
```
### File and Directory Descriptions
The following table consists of a description of what each file and directory stands for.
| Name | Description |
| -- | -- |
| site.yml | Master playbook. Executes all roles in sequential order |
| inventory.yml | Inventory file containing server IP addresses |
| ansible.cfg | Ansible configuration file for various Ansible options. |
| roles/ | Directory containing all roles needed by this project |
### Role descriptions
The following table consists of descriptions of each role and their purpose. The roles listed below are listed in the required order of execution to ensure successful completion of the playbook.
| Role Name | Role Description |
| -- | -- |
| gitea | This roles performs installation and configuration of Gitea server |
| nginx | This roles performs installation and configuration of Nginx server |
### Role parameters
Description of the role parameters for each role.
#### Gitea roles parameters
```
# Application name
gitea_app_name: "Gitea"
# Application gitea_user_repo_limit
gitea_user: "gitea"
# Application home
gitea_home: "/var/lib/gitea"
# Repo Limit
gitea_user_repo_limit: -1
# Domain Name (FOR REVER PROXY LEAVE AS DEFAULT)
gitea_http_domain: localhost
# Gitea url (FOR REVER PROXY LEAVE AS DEFAULT)
gitea_root_url: http://localhost:3000
# Protocol (FOR REVER PROXY LEAVE AS DEFAULT)
gitea_protocol: http
# listen IP (FOR REVER PROXY LEAVE AS DEFAULT)
gitea_http_listen: 127.0.0.1
# Listen port (FOR REVER PROXY LEAVE AS DEFAULT)
gitea_http_port: 3000
# HTTP git Options
gitea_disable_http_git: false
# Offline mode options
gitea_offline_mode: true
## DB details
# DB Type 'mysql', 'postgres' or 'sqlite3'
gitea_db_type: sqlite3
# DB host
gitea_db_host: 127.0.0.0:3306
# DB name
gitea_db_name: root
# DB username
gitea_db_user: gitea
# DB password
gitea_db_passord: lel
# DB ssl options
gitea_db_ssl: disable
# DB path (Not needed for postgres and mysql hash it in template file )
gitea_db_path: "{{ gitea_home }}/data/gitea.db"
## SSH Details
# SSH Listen IP
gitea_ssh_listen: 0.0.0.0
# SSH domain
gitea_ssh_domain: localhost
# SSH options
gitea_start_ssh: true
# SSH post
gitea_ssh_port: 2222
# gitea key (GENERATE A NEW KEY)
gitea_secret_key: T0pS3cr31
## General Settings
# User email settings
gitea_show_user_email: false
# User avatar settings
gitea_disable_gravatar: true
# User register options
gitea_disable_registration: false
# User signup options
gitea_require_signin: true
# User captcha options
gitea_enable_captcha: true
```
#### Nginx roles parameters
```
# Domain name for the server
nginx_domain_name: "test.hostnats.com"
# Gitea listening port
gitea_http_port: 3000
# letsencrypt email address
letsencrypt_email: "test@example.com"
```
## Ansible Logging
Ansible playbook executions are automatically logged to a file called `playbook-execution.log` in the root directory of the project. The path to this log file can be changed by editing `ansible.cfg` in the project root directory and specifying a different path.
## Troubleshooting
Ansible has a built in debug output. Simple run Ansible with a `-v`. There are 5 levels of debug output and they are denoted by the number of v's listed. Each level up provide more debug output than the level before it.
Level 1: `-v`
Level 2: `-vv`
Level 3: `-vvv`
Level 4: `-vvvv`
Level 5: `-vvvvv`
Example execution with level 3 debug output: `ansible-playbook -i inventory.yml site.yml -vvv`
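Review bot: the Ansible Logging section names the log file `playbook-execution.log`, but the project tree in the same hunk shows `playbook_execution.log` and the ansible.cfg hunk below sets `log_path=playbook_execution.log`; use one spelling. Other inconsistencies in this hunk worth fixing before merge: the file table lists `ansible.cfg` but the tree omits it; the Project Configuration table points at `roles/gitea/default/main.yml` and `roles/nginx/default/main.yml`, whereas Ansible loads role defaults from `defaults/main.yml`; and the Gitea role parameters block carries `gitea_db_passord` (should be `gitea_db_password`, and the gitea.ini template must use the same name or the value is silently undefined), `127.0.0.0:3306` (presumably `127.0.0.1:3306`) and `REVER PROXY` in several comments.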

@ -0,0 +1,2 @@
[defaults]
log_path=playbook_execution.log
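Review bot: `log_path` writes the full play output into the repository checkout, and a run with `--diff` logs the rendered `/etc/gitea/gitea.ini`, which contains the DB password and `gitea_secret_key`; add `playbook_execution.log` to `.gitignore` and restrict its permissions, or point `log_path` outside the checkout (for example under `/var/log/ansible/`), so the secrets never end up in a commit.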

@ -0,0 +1,7 @@
all:
hosts:
10.0.0.1: # Example host
# Additional hosts can be specified by adding them below
#10.0.0.2: # Example host 2. Uncomment line to use
#10.0.0.3: # Example host 3. Uncomment line to use
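Review bot: the README's Playbook Execution step says to configure the server credentials before running, but this inventory carries only a bare host entry with no connection variables; document where `ansible_user` and the key or `become` settings are expected (host vars under `10.0.0.1:` or a `group_vars/all.yml`), otherwise a first-time user has nothing to edit.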

@ -0,0 +1,34 @@
gitea_app_name: "Gitea"
gitea_user: "gitea"
gitea_home: "/var/lib/gitea"
gitea_user_repo_limit: -1
gitea_http_domain: localhost
gitea_root_url: http://localhost:3000
gitea_protocol: http
gitea_http_listen: 127.0.0.1
gitea_http_port: 3000
gitea_disable_http_git: false
gitea_offline_mode: true
gitea_db_type: sqlite3
gitea_db_host: 127.0.0.0:3306
gitea_db_name: root
gitea_db_user: gitea
gitea_db_passord: lel
gitea_db_ssl: disable
gitea_db_path: "{{ gitea_home }}/data/gitea.db"
gitea_ssh_listen: 0.0.0.0
gitea_ssh_domain: localhost
gitea_start_ssh: true
gitea_ssh_port: 2222
gitea_secret_key: T0pS3cr31
gitea_show_user_email: false
gitea_disable_gravatar: true
gitea_disable_registration: false
gitea_require_signin: true
gitea_enable_captcha: true
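Review bot: `gitea_secret_key: T0pS3cr31` and `gitea_db_passord: lel` are shipped as working defaults, so a run that skips editing this file deploys a publicly known secret key and DB password; leave both without a default (so Ansible fails on the undefined variable) or read them from Ansible Vault, and add an `assert` that they differ from the sample values. Also in this hunk: `gitea_db_passord` is misspelled, `gitea_db_host: 127.0.0.0:3306` looks like a typo for `127.0.0.1:3306`, `gitea_db_name: root` reads like a username rather than a database name, and `gitea_disable_registration: false` leaves self-registration open by default on a host that exposes the built-in SSH server on `0.0.0.0:2222`.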

@ -0,0 +1,5 @@
- name: "Restart gitea"
service: name=gitea state=restarted
- name: "Reload systemd"
systemd: daemon_reload=yes
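Review bot: Ansible runs notified handlers in the order they are defined in the handlers file, not in the order they were notified, so with "Restart gitea" listed first a changed unit file is restarted before `daemon_reload` picks it up; define "Reload systemd" above "Restart gitea" (or chain the restart from the reload handler).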

@ -0,0 +1,6 @@
- name: "Create Gitea user"
user:
name: "{{ gitea_user }}"
comment: "Gitea user"
home: "{{ gitea_home }}"
shell: "/bin/false"
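Review bot: the service account is created as a regular login-range user; add `system: yes` so it gets a system UID and no password aging. `shell: /bin/false` is fine while Gitea's built-in SSH server is used (`gitea_start_ssh: true`), but if a deployment switches to the host's OpenSSH for Git access the user needs a real shell, so note that coupling in the role.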

@ -0,0 +1,10 @@
- name: "Setup systemd service"
template:
src: gitea.service.j2
dest: /lib/systemd/system/gitea.service
owner: root
group: root
mode: 0644
notify:
- "Reload systemd"
- "Restart gitea"

@ -0,0 +1,47 @@
# TODO: variabilize this
- name: "Download the binary"
get_url:
url: "https://dl.gitea.io/gitea/1.4/gitea-1.4-linux-amd64"
dest: /usr/local/bin/gitea
owner: root
group: root
mode: 0755
notify: "Restart gitea"
- name: "Installing git"
apt:
name: git
update_cache: yes
- include_tasks: create_user.yml
- name: "Create config and data directory"
file:
path: "{{ item }}"
state: directory
owner: "{{ gitea_user }}"
with_items:
- "/etc/gitea"
- "{{ gitea_home }}"
- "{{ gitea_home }}/data"
- "{{ gitea_home }}/custom"
- "{{ gitea_home }}/custom/https"
- "{{ gitea_home }}/custom/mailer"
# TODO: Support other systems than systemd
- include_tasks: install_systemd.yml
when: ansible_service_mgr == "systemd"
- name: "Configure gitea"
template:
src: gitea.ini.j2
dest: /etc/gitea/gitea.ini
owner: "{{ gitea_user }}"
mode: 0600
notify: "Restart gitea"
- name: "Service gitea"
service:
name: gitea
state: started
enabled: true
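Review bot: the "Download the binary" task fetches `gitea-1.4-linux-amd64` with `get_url` but no `checksum:`, so an altered download (or a silently replaced artifact at the same URL) is installed to `/usr/local/bin/gitea` and run as a service without any integrity check; pin the release's published SHA-256 via `checksum: sha256:<hash>` and pull the version into a variable as the TODO notes. Also: "Create config and data directory" sets `owner` but no `mode`, so the directories take the umask default; set `mode: 0750` on `/etc/gitea` and the data tree to match the `0600` applied to gitea.ini.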

@ -0,0 +1,454 @@
; App name that shows on every page title
APP_NAME = {{ gitea_app_name }}
; Change it if you run locally
RUN_USER = {{ gitea_user }}
; Either "dev", "prod" or "test", default is "dev"
RUN_MODE = prod
[repository]
ROOT = {{ gitea_home }}
SCRIPT_TYPE = bash
; Default ANSI charset
ANSI_CHARSET =
; Force every new repository to be private
FORCE_PRIVATE = false
; Global maximum creation limit of repository per user, -1 means no limit
MAX_CREATION_LIMIT = {{ gitea_user_repo_limit }}
; Mirror sync queue length, increase if mirror syncing starts hanging
MIRROR_QUEUE_LENGTH = 1000
; Patch test queue length, increase if pull request patch testing starts hanging
PULL_REQUEST_QUEUE_LENGTH = 1000
; Preferred Licenses to place at the top of the List
; Name must match file name in conf/license or custom/conf/license
PREFERRED_LICENSES = GNU GENERAL PUBLIC LICENSE, version 3.0
; Disable ability to interact with repositories by HTTP protocol
DISABLE_HTTP_GIT = {{ gitea_disable_http_git }}
[repository.editor]
; List of file extensions that should have line wraps in the CodeMirror editor
; Separate extensions with a comma. To line wrap files w/o extension, just put a comma
LINE_WRAP_EXTENSIONS = .txt,.md,.markdown,.mdown,.mkd,
; Valid file modes that have a preview API associated with them, such as api/v1/markdown
; Separate values by commas. Preview tab in edit mode won't show if the file extension doesn't match
PREVIEWABLE_FILE_MODES = markdown
[repository.upload]
; Whether repository file uploads are enabled. Defaults to `true`
ENABLED = true
; Path for uploads. Defaults to `data/tmp/uploads` (tmp gets deleted on gitea restart)
TEMP_PATH = {{ gitea_home }}/data/tmp/uploads
; One or more allowed types, e.g. image/jpeg|image/png. Nothing means any file type
ALLOWED_TYPES =
; Max size of each file in MB. Defaults to 3MB
FILE_MAX_SIZE = 3
; Max number of files per upload. Defaults to 5
MAX_FILES = 5
[ui]
; Number of repositories that are showed in one explore page
EXPLORE_PAGING_NUM = 20
; Number of issues that are showed in one page
ISSUE_PAGING_NUM = 10
; Number of maximum commits showed in one activity feed
FEED_MAX_COMMIT_NUM = 5
; Value of `theme-color` meta tag, used by Android >= 5.0
; An invalid color like "none" or "disable" will have the default style
; More info: https://developers.google.com/web/updates/2014/11/Support-for-theme-color-in-Chrome-39-for-Android
THEME_COLOR_META_TAG = `#6cc644`
; Max size of files to be displayed (defaults is 8MiB)
MAX_DISPLAY_FILE_SIZE = 8388608
; Whether show the user email in the Explore Users page
SHOW_USER_EMAIL = {{ gitea_show_user_email }}
[ui.admin]
; Number of users that are showed in one page
USER_PAGING_NUM = 50
; Number of repos that are showed in one page
REPO_PAGING_NUM = 50
; Number of notices that are showed in one page
NOTICE_PAGING_NUM = 25
; Number of organization that are showed in one page
ORG_PAGING_NUM = 50
[ui.user]
; Number of repos that are showed in one page
REPO_PAGING_NUM = 15
[markdown]
; Enable hard line break extension
ENABLE_HARD_LINE_BREAK = false
; List of custom URL-Schemes that are allowed as links when rendering Markdown
; for example git,magnet
CUSTOM_URL_SCHEMES =
; List of file extensions that should be rendered/edited as Markdown
; Separate extensions with a comma. To render files w/o extension as markdown, just put a comma
FILE_EXTENSIONS = .md,.markdown,.mdown,.mkd
[server]
PROTOCOL = {{ gitea_protocol }}
DOMAIN = {{ gitea_http_domain }}
ROOT_URL = {{ gitea_root_url }}
HTTP_ADDR = {{ gitea_http_listen }}
HTTP_PORT = {{ gitea_http_port }}
; Permission for unix socket
UNIX_SOCKET_PERMISSION = 666
; Local (DMZ) URL for Gitea workers (such as SSH update) accessing web service.
; In most cases you do not need to change the default value.
; Alter it only if your SSH server node is not the same as HTTP node.
LOCAL_ROOT_URL = %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/
; Disable SSH feature when not available
DISABLE_SSH = false
; Whether use builtin SSH server or not.
START_SSH_SERVER = {{ gitea_start_ssh }}
; Domain name to be exposed in clone URL
SSH_DOMAIN = {{ gitea_ssh_domain }}
; Network interface builtin SSH server listens on
SSH_LISTEN_HOST = {{ gitea_ssh_listen }}
; Port number to be exposed in clone URL
SSH_PORT = {{ gitea_ssh_port }}
; Port number builtin SSH server listens on
SSH_LISTEN_PORT = %(SSH_PORT)s
; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.
SSH_ROOT_PATH = {{ gitea_home }}/.ssh
; Directory to create temporary files when test publick key using ssh-keygen,
; default is system temporary directory.
SSH_KEY_TEST_PATH =
; Path to ssh-keygen, default is 'ssh-keygen' and let shell find out which one to call.
SSH_KEYGEN_PATH = ssh-keygen
; Indicate whether to check minimum key size with corresponding type
MINIMUM_KEY_SIZE_CHECK = false
; Disable CDN even in "prod" mode
OFFLINE_MODE = {{ gitea_offline_mode }}
DISABLE_ROUTER_LOG = false
; Generate steps:
; $ ./gitea cert -ca=true -duration=8760h0m0s -host=myhost.example.com
;
; Or from a .pfx file exported from the Windows certificate store (do
; not forget to export the private key):
; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
CERT_FILE = {{ gitea_home }}/custom/https/cert.pem
KEY_FILE = {{ gitea_home }}/custom/https/key.pem
; Upper level of template and static file path
; default is the path where Gitea is executed
STATIC_ROOT_PATH =
; Default path for App data
APP_DATA_PATH = {{ gitea_home }}/data
; Application level GZIP support
ENABLE_GZIP = false
; Landing page for non-logged users, can be "home" or "explore"
LANDING_PAGE = home
; Define allowed algorithms and their minimum key length (use -1 to disable a type)
[ssh.minimum_key_sizes]
ED25519 = 256
ECDSA = 256
RSA = 2048
DSA = 1024
[database]
; Either "mysql", "postgres" or "sqlite3", it's your choice
DB_TYPE = {{ gitea_db_type }}
HOST = {{ gitea_db_host }}
NAME = {{ gitea_db_name }}
USER = {{ gitea_db_user }}
PASSWD = {{ gitea_db_passord }}
; For "postgres" only, either "disable", "require" or "verify-full"
SSL_MODE = {{ gitea_db_ssl }}
; For "sqlite3" and "tidb", use absolute path when you start as service
PATH = {{ gitea_db_path }}
[admin]
[security]
; Whether the installer is disabled
INSTALL_LOCK = true
; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!!
SECRET_KEY = {{ gitea_secret_key }}
; Auto-login remember days
LOGIN_REMEMBER_DAYS = 7
COOKIE_USERNAME = gitea_awesome
COOKIE_REMEMBER_NAME = gitea_incredible
; Reverse proxy authentication header name of user name
REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
; Sets the minimum password length for new Users
MIN_PASSWORD_LENGTH = 6
[service]
ACTIVE_CODE_LIVE_MINUTES = 180
RESET_PASSWD_CODE_LIVE_MINUTES = 180
; User need to confirm e-mail for registration
REGISTER_EMAIL_CONFIRM = false
; Does not allow register and admin create account only
DISABLE_REGISTRATION = {{ gitea_disable_registration }}
; User must sign in to view anything.
REQUIRE_SIGNIN_VIEW = {{ gitea_require_signin }}
; Mail notification
ENABLE_NOTIFY_MAIL = false
; More detail: https://github.com/go-gitea/gitea/issues/165
ENABLE_REVERSE_PROXY_AUTHENTICATION = false
ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
; Enable captcha validation for registration
ENABLE_CAPTCHA = {{ gitea_enable_captcha }}
; Default value for KeepEmailPrivate
; New user will get the value of this setting copied into their profile
DEFAULT_KEEP_EMAIL_PRIVATE = false
; Default value for the domain part of the user's email address in the git log
; if he has set KeepEmailPrivate true. The user's email replaced with a
; concatenation of the user name in lower case, "@" and NO_REPLY_ADDRESS.
NO_REPLY_ADDRESS = noreply@localhost
[webhook]
; Hook task queue length, increase if webhook shooting starts hanging
QUEUE_LENGTH = 1000
; Deliver timeout in seconds
DELIVER_TIMEOUT = 5
; Allow insecure certification
SKIP_TLS_VERIFY = false
; Number of history information in each page
PAGING_NUM = 10
[mailer]
ENABLED = false
; Buffer length of channel, keep it as it is if you don't know what it is.
SEND_BUFFER_LEN = 100
; Name displayed in mail title
SUBJECT = %(APP_NAME)s
; Mail server
; Gmail: smtp.gmail.com:587
; QQ: smtp.qq.com:465
; Note, if the port ends with "465", SMTPS will be used. Using STARTTLS on port 587 is recommended per RFC 6409. If the server supports STARTTLS it will always be used.
HOST =
; Disable HELO operation when hostname are different.
DISABLE_HELO =
; Custom hostname for HELO operation, default is from system.
HELO_HOSTNAME =
; Do not verify the certificate of the server. Only use this for self-signed certificates
SKIP_VERIFY =
; Use client certificate
USE_CERTIFICATE = false
CERT_FILE = {{ gitea_home }}/custom/mailer/cert.pem
KEY_FILE = {{ gitea_home }}/custom/mailer/key.pem
; Mail from address, RFC 5322. This can be just an email address, or the `"Name" <email@example.com>` format
FROM =
; Mailer user name and password
USER =
PASSWD =
; Use text/html as alternative format of content
ENABLE_HTML_ALTERNATIVE = false
; Enable sendmail (override SMTP)
USE_SENDMAIL = false
; Specifiy an alternative sendmail binary
SENDMAIL_PATH = sendmail
[cache]
; Either "memory", "redis", or "memcache", default is "memory"
ADAPTER = memory
; For "memory" only, GC interval in seconds, default is 60
INTERVAL = 60
; For "redis" and "memcache", connection host address
; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
; memcache: `127.0.0.1:11211`
HOST =
[session]
; Either "memory", "file", or "redis", default is "memory"
PROVIDER = file
; Provider config options
; memory: not have any config yet
; file: session file path, e.g. `data/sessions`
; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
PROVIDER_CONFIG = {{ gitea_home }}/data/sessions
; Session cookie name
COOKIE_NAME = i_like_gitea
; If you use session in https only, default is false
COOKIE_SECURE = false
; Enable set cookie, default is true
ENABLE_SET_COOKIE = true
; Session GC time interval, default is 86400
GC_INTERVAL_TIME = 86400
; Session life time, default is 86400
SESSION_LIFE_TIME = 86400
[picture]
AVATAR_UPLOAD_PATH = {{ gitea_home }}/data/avatars
; Chinese users can choose "duoshuo"
; or a custom avatar source, like: http://cn.gravatar.com/avatar/
GRAVATAR_SOURCE = gravatar
; This value will be forced to be true in offline mode.
DISABLE_GRAVATAR = {{ gitea_disable_gravatar }}
; Federated avatar lookup uses DNS to discover avatar associated
; with emails, see https://www.libravatar.org
; This value will be forced to be false in offline mode or Gravatar is disbaled.
ENABLE_FEDERATED_AVATAR = false
[attachment]
; Whether attachments are enabled. Defaults to `true`
ENABLE = true
; Path for attachments. Defaults to `data/attachments`
PATH = {{ gitea_home }}/data/attachments
; One or more allowed types, e.g. image/jpeg|image/png
ALLOWED_TYPES = image/jpeg|image/png
; Max size of each file. Defaults to 32MB
MAX_SIZE = 4
; Max number of files per upload. Defaults to 10
MAX_FILES = 5
[time]
; Specifies the format for fully outputed dates. Defaults to RFC1123
; Special supported values are ANSIC, UnixDate, RubyDate, RFC822, RFC822Z, RFC850, RFC1123, RFC1123Z, RFC3339, RFC3339Nano, Kitchen, Stamp, StampMilli, StampMicro and StampNano
; For more information about the format see http://golang.org/pkg/time/#pkg-constants
FORMAT =
[log]
ROOT_PATH = {{ gitea_home }}/log
; Either "console", "file", "conn", "smtp" or "database", default is "console"
; Use comma to separate multiple modes, e.g. "console, file"
MODE = file
; Buffer length of channel, keep it as it is if you don't know what it is.
BUFFER_LEN = 10000
; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace"
LEVEL = Info
; For "console" mode only
[log.console]
LEVEL =
; For "file" mode only
[log.file]
LEVEL =
; This enables automated log rotate(switch of following options), default is true
LOG_ROTATE = true
; Max line number of single file, default is 1000000
MAX_LINES = 1000000
; Max size shift of single file, default is 28 means 1 << 28, 256MB
MAX_SIZE_SHIFT = 28
; Segment log daily, default is true
DAILY_ROTATE = true
; Expired days of log file(delete after max days), default is 7
MAX_DAYS = 7
; For "conn" mode only
[log.conn]
LEVEL =
; Reconnect host for every single message, default is false
RECONNECT_ON_MSG = false
; Try to reconnect when connection is lost, default is false
RECONNECT = false
; Either "tcp", "unix" or "udp", default is "tcp"
PROTOCOL = tcp
; Host address
ADDR =
; For "smtp" mode only
[log.smtp]
LEVEL =
; Name displayed in mail title, default is "Diagnostic message from server"
SUBJECT = Diagnostic message from server
; Mail server
HOST =
; Mailer user name and password
USER =
PASSWD =
; Receivers, can be one or more, e.g. 1@example.com,2@example.com
RECEIVERS =
; For "database" mode only
[log.database]
LEVEL =
; Either "mysql" or "postgres"
DRIVER =
; Based on xorm, e.g.: root:root@localhost/gitea?charset=utf8
CONN =
[cron]
; Enable running cron tasks periodically.
ENABLED = true
; Run cron tasks when Gitea starts.
RUN_AT_START = false
; Update mirrors
[cron.update_mirrors]
SCHEDULE = @every 10m
; Repository health check
[cron.repo_health_check]
SCHEDULE = @every 24h
TIMEOUT = 60s
; Arguments for command 'git fsck', e.g. "--unreachable --tags"
; see more on http://git-scm.com/docs/git-fsck/1.7.5
ARGS =
; Check repository statistics
[cron.check_repo_stats]
RUN_AT_START = true
SCHEDULE = @every 24h
[git]
; Disables highlight of added and removed changes
DISABLE_DIFF_HIGHLIGHT = false
; Max number of lines allowed of a single file in diff view
MAX_GIT_DIFF_LINES = 1000
; Max number of characters of a line allowed in diff view
MAX_GIT_DIFF_LINE_CHARACTERS = 500
; Max number of files shown in diff view
MAX_GIT_DIFF_FILES = 100
; Arguments for command 'git gc', e.g. "--aggressive --auto"
; see more on http://git-scm.com/docs/git-gc/1.7.5
GC_ARGS =
; Operation timeout in seconds
[git.timeout]
MIGRATE = 600
MIRROR = 300
CLONE = 300
PULL = 300
GC = 60
[mirror]
; Default interval in hours between each check
DEFAULT_INTERVAL = 8
[api]
; Max number of items will response in a page
MAX_RESPONSE_ITEMS = 50
[i18n]
LANGS = en-US,zh-CN,zh-HK,zh-TW,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,ja-JP,es-ES,pt-BR,pl-PL,bg-BG,it-IT,fi-FI,tr-TR,cs-CZ,sr-SP,sv-SE,ko-KR
NAMES = English,简体中文,繁體中文(香港),繁體中文(台湾),Deutsch,Français,Nederlands,Latviešu,Русский,日本語,Español,Português do Brasil,Polski,български,Italiano,Suomalainen,Türkçe,čeština,Српски,Svenska,한국어
; Used for datetimepicker
[i18n.datelang]
en-US = en
zh-CN = zh
zh-HK = zh-TW
zh-TW = zh-TW
de-DE = de
fr-FR = fr
nl-NL = nl
lv-LV = lv
ru-RU = ru
ja-JP = ja
es-ES = es
pt-BR = pt-BR
pl-PL = pl
bg-BG = bg
it-IT = it
fi-FI = fi
tr-TR = tr
cs-CZ = cs-CZ
sr-SP = sr
sv-SE = sv
ko-KR = ko
; Extension mapping to highlight class
; e.g. .toml=ini
[highlight.mapping]
[other]
SHOW_FOOTER_BRANDING = false
; Show version information about Gitea and Go in the footer
SHOW_FOOTER_VERSION = false
; Show time of template execution in the footer
SHOW_FOOTER_TEMPLATE_LOAD_TIME = false
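Review bot: `PASSWD = {{ gitea_db_passord }}` in `[database]` misspells the variable (`gitea_db_passord` against the `gitea_db_*` names on the surrounding lines); with Ansible's default handling of undefined variables the `Configure gitea` template task fails, and if that check is relaxed the file is rendered with an empty password. Rename it to `gitea_db_password` and define it with the other `gitea_db_*` defaults. Two settings in the same template also undercut the nginx TLS front end added in `nginxssl.conf.j2`: `COOKIE_SECURE = false` lets the session cookie be sent over plain HTTP although the site is served only over HTTPS, and `MINIMUM_KEY_SIZE_CHECK = false` means the `[ssh.minimum_key_sizes]` table just below it is never enforced, so RSA keys shorter than 2048 bits are still accepted. Set both to `true`, and reconsider `MIN_PASSWORD_LENGTH = 6`.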

@ -0,0 +1,12 @@
[Unit]
Description=Gitea git server
After=network.target
[Service]
User={{ gitea_user }}
ExecStart=/usr/local/bin/gitea web -c /etc/gitea/gitea.ini
Restart=on-failure
WorkingDirectory={{ gitea_home }}
[Install]
WantedBy=multi-user.target
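Review bot: the `[Unit]` section orders the service only `After=network.target`; when `gitea_db_type` is mysql or postgres the service can start before the database on boot and fail until `Restart=on-failure` retries, so add `After=`/`Wants=` for the database unit (conditionally on `gitea_db_type`) or at least `After=network-online.target`. The `[Service]` section also runs the binary with no sandboxing: `Group={{ gitea_user }}`, `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` are standard directives that cost nothing for a web service and limit what a compromised process can touch (with `ProtectSystem=strict`, add `ReadWritePaths={{ gitea_home }}`).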

@ -0,0 +1,3 @@
nginx_domain_name: "gitea.example.com"
gitea_http_port: 3000
letsencrypt_email: "test@example.com"
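Review bot: these defaults are placeholders that every deployment must override, and `nginx_domain_name` has to agree with `gitea_http_domain` and `gitea_root_url` used in gitea.ini.j2, otherwise Gitea generates clone URLs and redirects for a host the proxy does not serve; either derive one from the other in the inventory or document the coupling in this file.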

@ -0,0 +1,5 @@
- name: "Restart nginx"
service: name=nginx state=restarted
- name: "Reload systemd"
shell: "systemctl daemon-reload"
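Review bot: this handlers file defines `Restart nginx` and `Reload systemd` but not the `Restart gitea` handler that `install_systemd.yml` and the gitea tasks notify; unless it is defined in a handlers file outside this view, the play errors with an unknown handler. Also, `state=restarted` drops in-flight connections while `state: reloaded` is enough for the configuration changes this role makes, and `shell: "systemctl daemon-reload"` can be replaced by the `systemd` module (`systemd: daemon_reload: yes`), which avoids `shell` and reports changed state correctly.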

@ -0,0 +1,48 @@
- name: "Installing Nginx"
apt:
name: nginx
state: latest
update_cache: yes
notify: "Restart nginx"
- name: "Install letsencrypt"
apt:
name: letsencrypt
state: latest
- name: "Remove default nginx config"
file:
name: /etc/nginx/sites-enabled/default
state: absent
- name: "Configure nginx Non SSL"
template:
src: nginx.conf.j2
dest: /etc/nginx/sites-enabled/default.conf
owner: root
mode: 0600
notify: "Restart nginx"
- name: "Creating letsencrypt certificate"
shell: letsencrypt certonly -n --webroot -w /var/www/html -m {{ letsencrypt_email }} --agree-tos -d {{ nginx_domain_name }}
args:
creates: /etc/letsencrypt/live/{{ nginx_domain_name }}
- name: "Generate dhparams NOTE: This will take a long time to complete "
shell: openssl dhparam -out /etc/nginx/dhparams.pem 2048
args:
creates: /etc/nginx/dhparams.pem
- name: "Configure nginx SSL"
template:
src: nginxssl.conf.j2
dest: /etc/nginx/sites-enabled/default_ssl.conf
owner: root
mode: 0600
notify: "Restart nginx"
- name: "Add letsencrypt cronjob for cert renewal"
cron:
name: letsencrypt_renewal
special_time: monthly
job: letsencrypt --renew certonly -n --webroot -w /var/www/html -m {{ letsencrypt_email }} --agree-tos -d {{ nginx_domain_name }} && service nginx reload
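Review bot: `Creating letsencrypt certificate` runs `letsencrypt certonly --webroot` right after templating `default.conf`, but the `Restart nginx` handler it depends on does not fire until the end of the play, so the `/.well-known/acme-challenge` location in the new config is not yet being served when the challenge arrives (on a fresh host it only works by accident, because the stock default site also serves `/var/www/html`). Insert `- meta: flush_handlers` before that task. Two smaller points: `state: latest` on the nginx and letsencrypt packages turns every run into a potential upgrade and makes the play non-idempotent (`state: present` is the usual choice for a role), and a monthly `cron` run leaves at most one or two retries before a 90-day certificate expires; ACME clients are normally scheduled daily, since they only renew when the certificate is due.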

@ -0,0 +1,13 @@
server {
listen 80 default_server;
server_name {{ nginx_domain_name }};
location /.well-known/acme-challenge {
root /var/www/html;
try_files $uri $uri/ =404;
}
location / {
rewrite ^ https://{{ nginx_domain_name }}$request_uri? permanent;
}
}
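Review bot: the catch-all `rewrite ^ https://{{ nginx_domain_name }}$request_uri? permanent;` works, but `return 301 https://{{ nginx_domain_name }}$request_uri;` is the idiomatic form (no regex evaluation, and `$request_uri` already carries the query string so the trailing `?` is unnecessary). Add `listen [::]:80 default_server;` as well if the host has IPv6, otherwise v6 clients never reach the redirect.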

@ -0,0 +1,59 @@
server {
# Bindings
listen 443 default_server ssl http2;
server_name {{ nginx_domain_name }};
root /var/www/html;
index index.php index.html index.htm;
# Certificate information
ssl_certificate /etc/letsencrypt/live/{{ nginx_domain_name }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ nginx_domain_name }}/privkey.pem;
# Limit ciphers to PCI DSS compliant ciphers.
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
gzip on;
gzip_http_version 1.0;
gzip_comp_level 2;
gzip_min_length 1100;
gzip_buffers 4 8k;
gzip_proxied any;
gzip_types
# text/html is always compressed by HttpGzipModule
text/css
text/javascript
text/xml
text/plain
text/x-component
application/javascript
application/json
application/xml
application/rss+xml
font/truetype
font/opentype
application/vnd.ms-fontobject
image/svg+xml;
gzip_static on;
gzip_proxied expired no-cache no-store private auth;
gzip_vary on;
location / {
proxy_pass http://127.0.0.1:{{ gitea_http_port }};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
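Review bot: `gzip_proxied` is set twice in the `server` block (`gzip_proxied any;` after `gzip_buffers`, then `gzip_proxied expired no-cache no-store private auth;` after `gzip_static on;`); nginx merges the two bitmask values rather than letting the second replace the first, so `any` wins and the second line is dead. Keep one. Because the whole site is a TLS reverse proxy for an application that embeds per-session CSRF tokens in its pages, compressing dynamic HTML is also a BREACH exposure; limit `gzip_types` to static asset types or disable gzip for the proxied `location /`. The TLS block would also benefit from `add_header Strict-Transport-Security "max-age=31536000" always;` so browsers stop consulting the port-80 redirect in `nginx.conf.j2`, and from a `client_max_body_size` above nginx's 1m default, or large pushes over HTTPS are rejected with 413. Finally, the comment `Limit ciphers to PCI DSS compliant ciphers` overstates `HIGH:!aNULL:!MD5`, which still permits static RSA key exchange (no forward secrecy) and CBC suites; prefer an ECDHE-only list.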

@ -0,0 +1,4 @@
- hosts : all
roles :
- nginx
- gitea
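Review bot: `hosts : all` applies both roles to every host in the inventory, including ones not meant to run Gitea; target a dedicated group instead (`hosts: gitea`). The spaces before the colons in `hosts :` and `roles :` are valid YAML but inconsistent with the role files; drop them.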

@ -0,0 +1,661 @@
GNU AFFERO GENERAL PUBLIC LICENSE
Version 3, 19 November 2007
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The GNU Affero General Public License is a free, copyleft license for
software and other kinds of works, specifically designed to ensure
cooperation with the community in the case of network server software.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
our General Public Licenses are intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
Developers that use our General Public Licenses protect your rights
with two steps: (1) assert copyright on the software, and (2) offer
you this License which gives you legal permission to copy, distribute
and/or modify the software.
A secondary benefit of defending all users' freedom is that
improvements made in alternate versions of the program, if they
receive widespread use, become available for other developers to
incorporate. Many developers of free software are heartened and
encouraged by the resulting cooperation. However, in the case of
software used on network servers, this result may fail to come about.
The GNU General Public License permits making a modified version and
letting the public access it on a server without ever releasing its
source code to the public.
The GNU Affero General Public License is designed specifically to
ensure that, in such cases, the modified source code becomes available
to the community. It requires the operator of a network server to
provide the source code of the modified version running there to the
users of that server. Therefore, public use of a modified version, on
a publicly accessible server, gives the public access to the source
code of the modified version.
An older license, called the Affero General Public License and
published by Affero, was designed to accomplish similar goals. This is
a different license, not a version of the Affero GPL, but Affero has
released a new version of the Affero GPL which permits relicensing under
this license.
The precise terms and conditions for copying, distribution and
modification follow.
TERMS AND CONDITIONS
0. Definitions.
"This License" refers to version 3 of the GNU Affero General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.
To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy. The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based
on the Program.
To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.
To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.
An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.
1. Source Code.
The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.
A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.
The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.
The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.
The Corresponding Source for a work in source code form is that
same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force. You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright. Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.
When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.
b) The work must carry prominent notices stating that it is
released under this License and any conditions added under section
7. This requirement modifies the requirement in section 4 to
"keep intact all notices".
c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:
a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.
A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling. In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage. For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product. A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.
"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.
If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).
The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed. Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or
authors of the material; or
e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.
All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.
Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.
If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.
A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License. You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.
13. Remote Network Interaction; Use with the GNU General Public License.
Notwithstanding any other provision of this License, if you modify the
Program, your modified version must prominently offer all users
interacting with it remotely through a computer network (if your version
supports such interaction) an opportunity to receive the Corresponding
Source of your version by providing access to the Corresponding Source
from a network server at no charge, through some standard or customary
means of facilitating copying of software. This Corresponding Source
shall include the Corresponding Source for any work covered by version 3
of the GNU General Public License that is incorporated pursuant to the
following paragraph.
Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the work with which it is combined will remain governed by version
3 of the GNU General Public License.
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of
the GNU Affero General Public License from time to time. Such new versions
will be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the
Program specifies that a certain numbered version of the GNU Affero General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of the
GNU Affero General Public License, you may choose any version ever published
by the Free Software Foundation.
If the Program specifies that a proxy can decide which future
versions of the GNU Affero General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.
Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
If your software can interact with users remotely through a computer
network, you should also make sure that it provides a way for users to
get its source. For example, if your program is a web application, its
interface could display a "Source" link that leads users to an archive
of the code. There are many ways you could offer source, and different
solutions will be better for different programs; see section 13 for the
specific requirements.
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU AGPL, see
<https://www.gnu.org/licenses/>.
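Review bot: no file header precedes this hunk, so the path under which the AGPL text is added is not recorded here; the commit should name the file (a COPYING or LICENSE file) so that the "pointer to where the full notice is found" that the notice template above asks for in each source file actually resolves. Because the FSF license documents forbid changes to the license text itself (stated at the head of the GPLv3 text that follows), also confirm the added copy is byte-identical to the canonical text from https://www.gnu.org/licenses/ (for example by running diff against a freshly downloaded copy) rather than a re-wrapped or re-encoded version.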
@ -0,0 +1,674 @@
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The GNU General Public License is a free, copyleft license for
software and other kinds of works.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
the GNU General Public License is intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users. We, the Free Software Foundation, use the
GNU General Public License for most of our software; it applies also to
any other work released this way by its authors. You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
To protect your rights, we need to prevent others from denying you
these rights or asking you to surrender the rights. Therefore, you have
certain responsibilities if you distribute copies of the software, or if
you modify it: responsibilities to respect the freedom of others.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must pass on to the recipients the same
freedoms that you received. You must make sure that they, too, receive
or can get the source code. And you must show them these terms so they
know their rights.
Developers that use the GNU GPL protect your rights with two steps:
(1) assert copyright on the software, and (2) offer you this License
giving you legal permission to copy, distribute and/or modify it.
For the developers' and authors' protection, the GPL clearly explains
that there is no warranty for this free software. For both users' and
authors' sake, the GPL requires that modified versions be marked as
changed, so that their problems will not be attributed erroneously to
authors of previous versions.
Some devices are designed to deny users access to install or run
modified versions of the software inside them, although the manufacturer
can do so. This is fundamentally incompatible with the aim of
protecting users' freedom to change the software. The systematic
pattern of such abuse occurs in the area of products for individuals to
use, which is precisely where it is most unacceptable. Therefore, we
have designed this version of the GPL to prohibit the practice for those
products. If such problems arise substantially in other domains, we
stand ready to extend this provision to those domains in future versions
of the GPL, as needed to protect the freedom of users.
Finally, every program is threatened constantly by software patents.
States should not allow patents to restrict development and use of
software on general-purpose computers, but in those that do, we wish to
avoid the special danger that patents applied to a free program could
make it effectively proprietary. To prevent this, the GPL assures that
patents cannot be used to render the program non-free.
The precise terms and conditions for copying, distribution and
modification follow.
TERMS AND CONDITIONS
0. Definitions.
"This License" refers to version 3 of the GNU General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.
To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy. The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based
on the Program.
To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.
To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.
An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.
1. Source Code.
The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.
A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.
The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.
The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.
The Corresponding Source for a work in source code form is that
same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force. You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright. Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.
When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.
b) The work must carry prominent notices stating that it is
released under this License and any conditions added under section
7. This requirement modifies the requirement in section 4 to
"keep intact all notices".
c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:
a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.
A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling. In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage. For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product. A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.
"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.
If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).
The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed. Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or
authors of the material; or
e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.
All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.
Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.
If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.
A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License. You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.
13. Use with the GNU Affero General Public License.
Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU Affero General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the special requirements of the GNU Affero General Public License,
section 13, concerning interaction through a network will apply to the
combination as such.
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of
the GNU General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the
Program specifies that a certain numbered version of the GNU General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of the
GNU General Public License, you may choose any version ever published
by the Free Software Foundation.
If the Program specifies that a proxy can decide which future
versions of the GNU General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.
Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
If the program does terminal interaction, make it output a short
notice like this when it starts in an interactive mode:
<program> Copyright (C) <year> <name of author>
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, your program's commands
might be different; for a GUI interface, you would use an "about box".
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU GPL, see
<https://www.gnu.org/licenses/>.
The GNU General Public License does not permit incorporating your program
into proprietary programs. If your program is a subroutine library, you
may consider it more useful to permit linking proprietary applications with
the library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License. But first, please read
<https://www.gnu.org/licenses/why-not-lgpl.html>.

@ -0,0 +1,107 @@
# Forksand Bootstrap Postfix
This Ansible playbook was written to set up a mail server on Debian systems.
## Table of contents
1. [Requirements](#requirements)
2. [Quick Start](#quick-start)
* [Project Configuration](#project-configuration)
* [Playbook Execution](#playbook-execution)
3. [Project Structure](#project-structure)
* [File and Directory Descriptions](#file-and-directory-descriptions)
* [Role Descriptions](#role-descriptions)
4. [Ansible Logging](#ansible-logging)
5. [Troubleshooting](#troubleshooting)
## Requirements
The following applications are required to utilize this playbook. Ansible can be installed using Python PIP.
* Ansible 2.4.x+
* Python 2.7.9+
## Quick Start
The follow steps will help quickly set up and execute this playbook.
### Project Configuration
The following files need to be edited and configured before executing this playbook.
| File | Description |
| -- | -- |
| groups_vars/all.yml | Server credential information and domain variables |
| inventory.yml | List of server IPs to connect to |
### Playbook Execution
After having configured the server credentials and added the server IP to the inventory, use the following command to execute the playbook.
`ansible-playbook -i inventory.yml site.yml`
## Project Structure
The following tree depicts the high level structure of this Ansible project.
```bash
├── ansible.cfg
├── group_vars
│   └── all.yml
├── inventory.yml
├── LICENSE.AGPLv3
├── LICENSE.GPLv3
├── README.md
├── roles
│   ├── dkim_configuration
│   ├── dovecot_configuration
│   ├── fail2ban_configuration
│   ├── letsencrypt_configuration
│   ├── mikegleasonjr.firewall
│   ├── outputs
│   ├── postfix_configuration
│   ├── server_tasks
│   ├── spamassassin_configuration
│   └── sqlgrey_configuration
├── playbook_execution.log
└── site.yml
```
### File and Directory Descriptions
The following table consists of a description of what each file and directory stands for.
| Name | Description |
| -- | -- |
| site.yml | Master playbook. Executes all roles in sequential order |
| inventory.yml | Inventory file containing server IP addresses |
| ansible.cfg | Ansible configuration file for various Ansible options. |
| group_vars/ | Group_vars directory contains variable files for the entire group. The files are named according to the group name. 'all.yml' = group 'all' |
| group_vars/all.yml | Group variables for the 'all' group. Contains server connection information along with domain variables |
| roles/ | Directory containing all roles needed by this project |
### Role descriptions
The following table consists of descriptions of each role and their purpose. The roles listed below are listed in the required order of execution to ensure successful completion of the playbook.
| Role Name | Role Description | Depends on |
| -- | -- | --|
| server_tasks | This roles performs all server tasks. Updating server, configuring SSH, disable IPv6, etc. Depends on the mikegleasonjr.firewall role. | mikebleasonjr.firewall |
| mikegleasonjr.firewall | This role set up iptables rules. It is called and ran by the server_tasks roles. | None |
| letsencrypt_configuration | This role installs and executes let's encrypt | None |
| postfix_configuration | This roles installs postfix, configures postfix using postconf, and sets up virtual file, master.cf file, and aliases file | letsencrypt_configuration |
| dkim_configuration | This roles installs OpenDKIM, OpenDMARC and configures them. | None |
| dovecot_configuration | This role installs and configures dovecot | letsencrypt_configuration |
| spamassassin_configuration | This role installs spamassassin. | None |
| sqlgrey_configuration| This role installs sqlgrey. | None |
| fail2ban_configuration | This role installs fail2ban. | None |
| outputs | This role gathers DNS information for the SPF, DMARC, and DKIM records and outputs them to the screen. | None |
## Ansible Logging
Ansible playbook executions are automatically logged to a file called `playbook-execution.log` in the root directory of the project. The path to this log file can be changed by editing `ansible.cfg` in the project root directory and specifying a different path.
## Troubleshooting
Ansible has a built in debug output. Simple run Ansible with a `-v`. There are 5 levels of debug output and they are denoted by the number of v's listed. Each level up provide more debug output than the level before it.
Level 1: `-v`
Level 2: `-vv`
Level 3: `-vvv`
Level 4: `-vvvv`
Level 5: `-vvvvv`
Example execution with level 3 debug output: `ansible-playbook -i inventory.yml site.yml -vvv`
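Review bot: several file names in this README don't match the files added in the same commit and will send a reader to the wrong place. The Project Configuration table says `groups_vars/all.yml` while the tree and the commit use `group_vars/all.yml`; the Ansible Logging section names `playbook-execution.log` while `ansible.cfg` sets `log_path=playbook_execution.log` (underscore, as in the tree); and the "Depends on" column of the role table reads `mikebleasonjr.firewall` for a role named `mikegleasonjr.firewall`. Because `group_vars/all.yml` carries the SSH key path and optionally a password, the Project Configuration section should also tell the reader to encrypt that file with `ansible-vault`, as the file's own header comment suggests. Grammar nits: "The follow steps", "Simple run Ansible", "This roles" (twice) and "Each level up provide".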

@ -0,0 +1,2 @@
[defaults]
log_path=playbook_execution.log
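Review bot: `log_path=playbook_execution.log` writes the full task output of runs against real hosts into the project root, next to the inventory, and the README's tree shows that file sitting in the checkout; add it to the repository's ignore list so a run log is never committed, and put `no_log: true` on tasks whose command lines or output are sensitive (the key-generation and certificate tasks in this commit are the obvious candidates).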

@ -0,0 +1,14 @@
# Ansible connection configuration
# It is suggested that this file be encrypted with ansible-vault
ansible_port: 22
ansible_user: ssh_user
ansible_ssh_private_key_file: /path/to/pem
# Uncomment to use SSH password instead of pem key
# If you uncomment this, comment out the key_file line above
#ansible_ssh_pass: mypassword
# Domain variables required for the playbook
var_domain: forksand.io
var_mail_domain: mail.forksand.io
var_relay_domain: forksand.com
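Review bot: the variable names defined here (`var_domain`, `var_mail_domain`, `var_relay_domain`) do not match the names the roles consume (`{{ domain }}`, `{{ mail_domain }}`, `{{ relay_domain }}` in the dkim, dovecot and letsencrypt tasks and in the opendkim/opendmarc templates); unless `site.yml`, which is not in this view, maps one set onto the other, those templates will fail on an undefined variable. Separately, `#ansible_ssh_pass: mypassword` invites a cleartext password into a git-tracked file; either make `ansible-vault` encryption a requirement for this file rather than a suggestion, or document the key-file path as the only supported option.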

@ -0,0 +1,7 @@
all:
hosts:
10.0.0.1: # Example host
# Additional hosts can be specified by adding them below
#10.0.0.2: # Example host 2. Uncomment line to use
#10.0.0.3: # Example host 3. Uncomment line to use

@ -0,0 +1,76 @@
---
- name: Install packages
apt:
name: "{{ item }}"
dpkg_options: 'force-confdef,force-confnew'
update_cache: yes
with_items:
- opendkim
- opendkim-tools
- opendmarc
- name: Create directories folder in /etc
file:
path: "/etc/{{ item }}"
state: directory
with_items:
- opendkim
- opendmarc
- name: Create key with opendkim-genkey
shell: "opendkim-genkey -b 2048 -d {{ domain }} -s {{ domain }}.dkim"
args:
chdir: /root/
- name: Move private dkim key
command: "mv /root/{{ domain }}.dkim.private /etc/opendkim/"
- name: Update private key permissions
file:
path: "/etc/opendkim/{{ domain }}.dkim.private"
mode: 0600
- name: Copy conf files to remote
template:
src: "{{ item.name}}"
dest: "{{ item.dest }}"
with_items:
- {name: 'opendkim.conf.j2', dest: '/etc/opendkim.conf'}
- {name: 'internalhosts.j2', dest: '/etc/opendkim/internalhosts'}
- {name: 'trustedhosts.j2', dest: '/etc/opendkim/trustedhosts'}
- {name: 'opendmarc.conf.j2', dest: '/etc/opendmarc.conf'}
- {name: 'opendkim.j2', dest: '/etc/default/opendkim'}
- {name: 'opendmarc.j2', dest: '/etc/default/opendmarc'}
- name: Add domain to signing table file
lineinfile:
path: /etc/opendkim/signingtable
state: present
create: yes
line: "*@{{ domain }} {{ domain }}"
- name: Add configuration to key table file
lineinfile:
path: /etc/opendkim/keytable
state: present
create: yes
line: "{{ domain }} {{ domain }}:mail:/etc/opendkim/{{ domain }}.dkim.private"
- name: Create log file
file:
path: "/var/log/{{ item }}.log"
state: touch
owner: "{{ item }}"
group: "{{ item }}"
with_items:
- opendmarc
- name: Add items to ignore hosts
blockinfile:
path: /etc/opendmarc/ignore.hosts
create: yes
insertafter: EOF
content: |
localhost
127.0.0.0/8
10.0.2.0/24
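Review bot: the "Update private key permissions" task sets `mode: 0600` but no `owner`/`group`, and the key was generated and moved by root, so `/etc/opendkim/{{ domain }}.dkim.private` ends up root-owned 0600 while `opendkim.conf` runs the daemon as `UserID opendkim:opendkim`; the milter will not be able to read its own signing key. Add `owner: opendkim` and `group: opendkim` to that `file` task. Two further points: the `shell: opendkim-genkey` and `command: mv` tasks have no `creates:` guard, so every re-run silently generates a fresh key and overwrites the installed one, invalidating whatever TXT record was already published; and the selector differs between generation (`-s {{ domain }}.dkim`) and the keytable entry (`{{ domain }}:mail:...`), so the record in the generated `.txt` file is for `{{ domain }}.dkim._domainkey` while signatures are made with `s=mail`, which verifiers will not find. Lastly, the template task has no `notify`, so changed configuration only takes effect after a manual restart of opendkim/opendmarc.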

@ -0,0 +1,26 @@
AutoRestartRate 10/1h
AutoRestart Yes
Background yes
#Canonicalization relaxed/relaxed
Canonicalization relaxed/simple
DNSTimeout 5
ExternalIgnoreList refile:/etc/opendkim/trustedhosts
InternalHosts refile:/etc/opendkim/internalhosts
KeyTable refile:/etc/opendkim/keytable
LogWhy Yes
Mode sv
OversignHeaders From
PidFile /var/run/opendkim/opendkim.pid
#Selector mail
SignatureAlgorithm rsa-sha256
SigningTable refile:/etc/opendkim/signingtable
Socket inet:12301@localhost
#Socket local:/var/spool/postfix/private/opendkim
SoftwareHeader yes
SubDomains yes
SyslogSuccess Yes
Syslog Yes
TrustAnchorFile /usr/share/dns/root.key
UMask 002
UserID opendkim:opendkim
#UserID postfix
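Review bot: `TrustAnchorFile /usr/share/dns/root.key` points at a file shipped by the `dns-root-data` package, which is not in the apt task's package list (`opendkim`, `opendkim-tools`, `opendmarc`); if it is not pulled in as a dependency, opendkim will refuse to start. Either add the package to the install list or drop the line. Also `UMask 002` leaves files the daemon creates group-writable; a umask of 007 (no access at all for others) is the usual choice for a milter and still lets a `postfix`-group socket work if the commented `Socket local:` variant is ever enabled.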

@ -0,0 +1,16 @@
IgnoreAuthenticatedClients true
PidFile /var/run/opendmarc/opendmarc.pid
# Set to true when everything is confirmed working XXX
RejectFailures false
AuthservID {{ mail_domain }}
Syslog true
SyslogFacility mail
TrustedAuthservIDs {{ mail_domain }}
IgnoreHosts /etc/opendkim/trustedhosts
UMask 002
UserID opendmarc:opendmarc
FailureReportsSentBy postmaster@{{ domain }}
FailureReportsBcc postmaster@{{ domain }}
AutoRestart true
HistoryFile /var/log/opendmarc.log
Socket inet:54321@localhost
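Review bot: `HistoryFile /var/log/opendmarc.log` is not a log file: OpenDMARC's HistoryFile is the per-message record that `opendmarc-import` consumes for aggregate reporting, so placing it under `/var/log` with a `.log` name will be mistaken for syslog output (`Syslog true` already sends the real log there) and it will grow without bound unless rotated or imported. The `# Set to true when everything is confirmed working XXX` marker above `RejectFailures false` is better expressed as a template variable set from group_vars, so enforcement can be switched on without editing the role. The `FailureReportsSentBy` and `FailureReportsBcc` lines do nothing unless `FailureReports true` is also set.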

@ -0,0 +1,5 @@
localhost
127.0.0.0/8
{{ domain }}
70.39.125.71
10.0.2.0/24
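Review bot: `70.39.125.71` is a hard-coded literal in a template whose other entries are variables. This file is referenced as OpenDKIM's `ExternalIgnoreList` and as OpenDMARC's `IgnoreHosts`, so every address listed here is exempted from DKIM/DMARC checks on inbound mail; move it (and `10.0.2.0/24`) into a list variable in group_vars and document what the address is, so a reviewer can confirm it still belongs to the deployment. The dkim role's `ignore.hosts` blockinfile task carries a near-identical list; one variable could drive both.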

@ -0,0 +1,5 @@
---
- name: restart dovecot
service:
name: dovecot
state: restarted

@ -0,0 +1,80 @@
---
# Disable IPv6 for Dovecot / force IPv4
- name: Create dovecot conf.d directory
file:
path: /etc/dovecot/conf.d
state: directory
- name: Add dovecot conf
lineinfile:
path: /etc/dovecot/conf.d/99-ipv4-only.conf
create: yes
line: "listen = *"
insertafter: EOF
state: present
- name: Install dovecot
apt:
name: "{{ item }}"
dpkg_options: 'force-confdef,force-confnew'
update_cache: yes
with_items:
- dovecot-antispam
- dovecot-imapd
- name: Create directors for dovecot users
shell: maildirmake.dovecot /etc/skel/"{{ item }}"
with_items:
- Maildir
- Maildir/.Drafts
- Maildir/.Sent
- Maildir/.Trash
- Maildir/.Templates
- name: Copy dovecot skel directory to users
synchronize:
src: /etc/skel/Maildir
dest: "/home/{{ item }}/"
recursive: yes
delegate_to: "{{ inventory_hostname }}"
with_items:
- jebba
- mailarchive
- name: Update Maildir folder permissions in users folder
file:
path: "/home/{{ item }}/Maildir"
mode: 0700
owner: "{{ item }}"
group: "{{ item }}"
with_items:
- jebba
- mailarchive
- name: Update users folder permissions
file:
path: "/home/{{ item }}"
mode: og-rwx
with_items:
- jebba
- mailarchive
- name: Update 10-auth.conf and 10-mail.conf
lineinfile:
path: "/etc/dovecot/conf.d/{{ item.conf }}"
regexp: '{{ item.find }}'
line: '{{ item.replace }}'
with_items:
- {find: '^.*?disable_plaintext_auth.*=.*', replace: 'disable_plaintext_auth = yes', conf: '10-auth.conf'}
- {find: '^.*?auth_mechanisms.*=.*', replace: 'auth_mechanisms = plain login', conf: '10-auth.conf'}
- {find: '^.*?mail_location.*', replace: 'mail_location = maildir:~/Maildir', conf: '10-mail.conf'}
- name: Copy conf files to remote
template:
src: "{{ item }}.j2"
dest: "/etc/dovecot/conf.d/{{ item }}"
with_items:
- 10-master.conf
- 10-ssl.conf
notify:
- restart dovecot
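Review bot: the `maildirmake.dovecot` shell task is not idempotent and will report `changed` (and rerun) on every play; add `args: creates: "/etc/skel/{{ item }}"` so it only runs when the directory is missing. The user list `jebba`/`mailarchive` is repeated in three tasks; a single `dovecot_users` variable keeps the skeleton copy, the `0700` Maildir mode and the `og-rwx` home-directory mode in step when a user is added. The `10-auth.conf` rewrite is sound: `disable_plaintext_auth = yes` together with the `plain login` mechanisms is acceptable only because `ssl = required` in `10-ssl.conf` forces TLS first, so that pairing is worth a comment in the task.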

@ -0,0 +1,23 @@
service imap-login {
inet_listener imaps {
port = 993
ssl = yes
}
}
service lmtp {
unix_listener lmtp {
mode = 0666
}
}
service imap {
}
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
service auth-worker {
user = $default_internal_user
}
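Review bot: the `lmtp` `unix_listener` is created with `mode = 0666`, which makes a local-delivery socket writable by every local account. Nothing on the page delivers over LMTP (`main.cf` uses `home_mailbox = Maildir/` and an empty `mailbox_command`), so either drop the listener or place it under `/var/spool/postfix/private/` with `user`/`group` `postfix` and `mode = 0600`, as is already done for the `auth` socket. Note also that this template only defines the `imaps` listener on 993, so plain IMAP on 143 is never offered; that matches the firewall defaults and should be stated in the role's README.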

@ -0,0 +1,5 @@
ssl = required
ssl_cert = </etc/letsencrypt/live/{{ mail_domain }}/fullchain.pem
ssl_key = </etc/letsencrypt/live/{{ mail_domain }}/privkey.pem
# SSL protocols to use
ssl_protocols = !SSLv3
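Review bot: `ssl_protocols = !SSLv3` still leaves TLS 1.0 and 1.1 enabled, and on Dovecot 2.3 (the version shipped with the buster sources configured elsewhere in this commit) the setting was replaced by `ssl_min_protocol`; use `ssl_min_protocol = TLSv1.2` and add `ssl_prefer_server_ciphers = yes` so the server, not the client, picks the suite. The `</etc/letsencrypt/live/...` file references are fine, but Dovecot reads the certificate at start, so a certbot renewal hook that reloads dovecot is needed for the renewed certificate to be served.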

@ -0,0 +1,8 @@
---
- name: Install fail2ban
apt:
name: "{{ item }}"
dpkg_options: 'force-confdef,force-confnew'
update_cache: yes
with_items:
- fail2ban
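Review bot: this role installs fail2ban but ships no `jail.local`, and the Debian package enables only the `sshd` jail by default, so postfix and dovecot authentication failures are never acted on. Add a `jail.local` template enabling the `postfix`, `postfix-sasl` and `dovecot` jails, and since the firewall defaults in this commit also open SSH on 33957, set `port = ssh,33957` in the `sshd` jail or bans will only cover port 22.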

@ -0,0 +1,11 @@
---
- name: Install letsencrypt
apt:
name: "{{ item }}"
dpkg_options: 'force-confdef,force-confnew'
update_cache: yes
with_items:
- letsencrypt
- name: Install certificate
shell: "letsencrypt certonly --standalone -d {{ mail_domain }} -n --agree-tos -m letsencrypt@{{ relay_domain }}"
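Review bot: the `letsencrypt certonly` shell task runs on every play and will hit the issuer each time; add `args: creates: "/etc/letsencrypt/live/{{ mail_domain }}/fullchain.pem"` so it only runs when no certificate exists. `--standalone` also needs port 80 reachable and unbound, which holds here only because the firewall role runs earlier and postfix is installed later in the playbook; that ordering dependency should be commented. Renewal is not handled at all: postfix and dovecot both read the `live/` paths, so a `--deploy-hook` that reloads both services is needed, and on Debian `letsencrypt` is the transitional package name for `certbot`.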

@ -0,0 +1,18 @@
---
language: python
python: "2.7"
install:
- pip install ansible
script:
- ansible-playbook -i localhost, tests.yml --syntax-check
- ansible-playbook -i localhost, tests.yml --connection=local --sudo
- >
ansible-playbook -i localhost, tests.yml --connection=local --sudo
| grep -q 'changed=0.*failed=0'
&& (echo 'Idempotence test: pass' && exit 0)
|| (echo 'Idempotence test: fail' && exit 1)
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

@ -0,0 +1,25 @@
BSD 2-Clause License
Copyright (c) 2017, Mike Gleason jr Couturier
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

@ -0,0 +1,230 @@
Ansible Firewall Role
=========
[![Build Status](https://travis-ci.org/mikegleasonjr/ansible-role-firewall.svg?branch=master)](https://travis-ci.org/mikegleasonjr/ansible-role-firewall)
[![Ansible Galaxy](https://img.shields.io/badge/galaxy-mikegleasonjr.firewall-5bbdbf.svg?style=flat)](https://galaxy.ansible.com/detail#/role/5878)
After I found out `UFW` was too limited in terms of functionalities, I tried several firewall roles out there but none satisfied the requirements I had:
- Support virtually all iptables rules from the start
- Allow granular rules addition/overriding for specific hosts
- Easily inject variables in the rules
- Allow rules ordering
- Simplicity (not having to learn how role variables would generate the rules)
- Persistence (reload the rules at boot)
This role is an attempt to solve these requirements.
It supports **ipv4** and **ipv6*** on Debian and RedHat distributions.
*ipv6 support was brought up thanks to [@maloddon](https://github.com/maloddon). It is currently in early stages and knowledgable people should review the [default rules](https://github.com/mikegleasonjr/ansible-role-firewall/blob/master/defaults/main.yml). ipv6 rules are not configured by default. If you which to use them, don't forget to set `firewall_v6_configure` to `true`.
Requirements
------------
* Ansible 2.2.1.0
* `iptables` (installed by default on all official Debian and RedHat distributions)
Installation
------------
`$ ansible-galaxy install mikegleasonjr.firewall`
Role Variables
--------------
`defaults/main.yml`:
```
firewall_v4_configure: true
firewall_v6_configure: false
firewall_v4_default_rules:
001 default policies:
- -P INPUT ACCEPT
- -P OUTPUT ACCEPT
- -P FORWARD DROP
002 allow loopback:
- -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
003 allow ping replies:
- -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
- -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
100 allow established related:
- -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
200 allow ssh:
- -A INPUT -p tcp --dport ssh -j ACCEPT
999 drop everything:
- -P INPUT DROP
firewall_v4_group_rules: {}
firewall_v4_host_rules: {}
firewall_v6_default_rules:
001 default policies:
- -P INPUT ACCEPT
- -P OUTPUT ACCEPT
- -P FORWARD DROP
002 allow loopback:
- -A INPUT -i lo -s ::1/128 -d ::1/128 -j ACCEPT
003 allow ping replies:
- -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
- -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
100 allow established related:
- -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
200 allow ssh:
- -A INPUT -p tcp --dport ssh -j ACCEPT
999 drop everything:
- -P INPUT DROP
firewall_v6_group_rules: {}
firewall_v6_host_rules: {}
```
The keys to the `*_rules` dictionaries (`001 default policies`, `002 allow loopback`, ...) can be anything. They are only used for rules **ordering** and **overriding**. On rules generation, the keys are sorted alphabetically. That's why I chose here the 001s and 999s.
Those defaults will generate the following script to be executed on the host (for ipv4):
```
#!/bin/sh
# Ansible managed: <redacted>
# flush rules & delete user-defined chains
iptables -F
iptables -X
iptables -t raw -F
iptables -t raw -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# 001 default policies
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# 002 allow loopback
iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
# 003 allow ping replies
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# 100 allow established related
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 200 allow ssh
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# 999 drop everything
iptables -P INPUT DROP
```
As you can see, you have complete control over the rules syntax.
`$ iptables -L -n` on the host then shows...
```
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 0
```
Now that takes care of the default rules. What about overriding?
You can change the rules for specific hosts and groups instead of re-defining everything. Rules in `firewall_v4_host_rules` will be merged with `firewall_v4_group_rules`, and then the result will be merged back with the defaults. Same thing for ipv6.
This allows 3 levels of rules definition and overriding. I simply chose the names to match how the variable precedence works in Ansible (`all` -> `group` -> `host`). See the example playbook below to see rules overriding in action.
Example Playbook (ipv4)
----------------
```
- hosts: all
roles:
- mikegleasonjr.firewall
```
in `group_vars/all.yml` you could define the default rules for all your hosts:
```
firewall_v4_default_rules:
001 default policies:
- -P INPUT ACCEPT
- -P OUTPUT ACCEPT
- -P FORWARD DROP
002 allow loopback:
- -A INPUT -i lo -j ACCEPT
003 allow ping replies:
- -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
- -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
100 allow established related:
- -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
200 allow ssh limiting brute force:
- -I INPUT -p tcp -d {{ hostvars[inventory_hostname]['ansible_eth1']['ipv4']['address'] }} --dport 22 -m state --state NEW -m recent --set
- -I INPUT -p tcp -d {{ hostvars[inventory_hostname]['ansible_eth1']['ipv4']['address'] }} --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
999 drop everything:
- -P INPUT DROP
```
in `group_vars/webservers.yml` you would open up port 80:
```
firewall_v4_group_rules:
400 allow web traffic:
- -A INPUT -p tcp --dport http -j ACCEPT
```
in `host_vars/secureweb.yml` you would want to open https as well and remove ssh logins:
```
firewall_v4_host_rules:
400 allow web traffic:
- -A INPUT -p tcp --dport http -j ACCEPT # need to redefine this one as well because the whole key is overwritten
- -A INPUT -p tcp --dport https -j ACCEPT
200 allow ssh limiting brute force: []
```
To "delete" rules, you just assign an empty list to an existing dictionary key.
To summarize, rules in `firewall_v4_host_rules` will overwrite rules in `firewall_v4_group_rules`, and then rules in `firewall_v4_group_rules` will overwrite rules in `firewall_v4_default_rules`.
You can play with the rules and see the generated script on the host at the following location: `/etc/iptables.v4.generated` and `/etc/iptables.v6.generated`.
Dependencies
------------
none
License
-------
BSD
Contributing
-------
A vagrant environment has been provided to test the role on different distributions. Add your tests in `tests.yml` and...
```
$ vagrant up
$ vagrant provision
```
Author Information
------------------
Mike Gleason jr Couturier (mikegleasonjr@gmail.com)
Other roles from the same author:
- [swap](https://github.com/mikegleasonjr/ansible-role-swap)
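Review bot: this commit vendors the whole `mikegleasonjr.firewall` role (README, license, tests, Vagrantfile) into the repository with no record of the upstream version it was copied from, which makes future security fixes from upstream hard to track and merge. Prefer a `requirements.yml` entry pinned to a tagged release installed with `ansible-galaxy install -r requirements.yml`, or at least add the upstream commit hash to the README. The README's own guidance is worth following in `defaults/main.yml` below: rule keys are sorted alphabetically and a `999` key that sets the `-P INPUT DROP` policy is what makes the ordering safe.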

@ -0,0 +1,41 @@
boxes = {
"ubuntu/trusty64" => {
:ip => '192.168.33.10',
:cpu => "2",
:ram => "256"
},
"ubuntu/xenial64" => {
:ip => '192.168.33.11',
:cpu => "2",
:ram => "256"
},
"centos/7" => {
:ip => '192.168.33.12',
:cpu => "2",
:ram => "256"
},
"centos/6" => {
:ip => '192.168.33.13',
:cpu => "2",
:ram => "256"
},
}
Vagrant.configure("2") do |config|
boxes.each do |box, options|
config.vm.define box.dup.sub!("/", "-") do |machine|
machine.vm.box = box
machine.vm.box_check_update = false
machine.vm.network :private_network, ip: options[:ip]
machine.vm.provider "virtualbox" do |vb|
vb.memory = options[:ram]
vb.cpus = options[:cpu]
end
machine.vm.provision "ansible" do |ansible|
ansible.playbook = "tests.yml"
end
end
end
end

@ -0,0 +1,33 @@
---
firewall_v4_configure: true
firewall_v6_configure: false
firewall_v4_default_rules:
001 default policies:
- -A OUTPUT -j ACCEPT # Accept all output traffic
002 allow loopback:
- -A INPUT -i lo -j ACCEPT
100 allow established related:
- -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
200 allow ssh ports:
- -A INPUT -p tcp --dport 22 -j ACCEPT
- -A INPUT -p tcp --dport 33957 -j ACCEPT
201 allow http port:
- -A INPUT -p tcp --dport 80 -j ACCEPT
202 allow smtp ports:
- -A INPUT -p tcp --dport 25 -j ACCEPT
- -A INPUT -p tcp --dport 465 -j ACCEPT
- -A INPUT -p tcp --dport 587 -j ACCEPT
- -A INPUT -p tcp --dport 993 -j ACCEPT
203 enable logging:
- -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"iptables denied: \" --log-level 7
999 drop everything else:
- -A INPUT -j REJECT
- -A FORWARD -j REJECT
firewall_v4_group_rules: {}
firewall_v4_host_rules: {}
firewall_v6_default_rules: {}
firewall_v6_group_rules: {}
firewall_v6_host_rules: {}
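Review bot: the `203 enable logging` rule carries backslash-escaped quotes (`\"iptables denied: \"`) in a plain YAML scalar, so the generated `/bin/sh` script receives literal `\"` characters rather than quoting, and `--log-prefix` is split into separate words (`"iptables`, `denied:`, `"`), which iptables rejects. Quote the whole rule in YAML instead, e.g. `- '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7'`. Separately, `999 drop everything else` appends `-j REJECT` rules but never sets a chain policy, so the INPUT policy stays whatever it was before the flush; add `- -P INPUT DROP` (and `-P FORWARD DROP`) so the host fails closed if a later rule errors, which is also what the role's own `tests.yml` asserts.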

@ -0,0 +1,22 @@
---
galaxy_info:
author: Mike Gleason jr Couturier
description: A role to manage iptables rules which doesn't suck.
company: N/A
issue_tracker_url: https://github.com/mikegleasonjr/ansible-role-firewall/issues
license: BSD
min_ansible_version: 1.2
platforms:
- name: Ubuntu
versions:
- all
- name: Debian
versions:
- all
- name: EL
versions:
- all
categories:
- networking
- system
dependencies: []

@ -0,0 +1,8 @@
---
- include_tasks: rules.yml
- include_tasks: persist-debian.yml
when: ansible_os_family == 'Debian'
- include_tasks: persist-redhat.yml
when: ansible_os_family == 'RedHat'

@ -0,0 +1,22 @@
---
- name: Install iptables-persistent
apt:
name: iptables-persistent
update_cache: yes
state: present
- name: Check if netfilter-persistent is present
shell: which netfilter-persistent
register: is_netfilter
when: v4_script|changed or v6_script|changed
changed_when: false
ignore_errors: yes
check_mode: no
- name: Save rules (netfilter-persistent)
command: netfilter-persistent save
when: not ansible_check_mode and (v4_script|changed or v6_script|changed) and is_netfilter.rc == 0
- name: Save rules (iptables-persistent)
command: /etc/init.d/iptables-persistent save
when: not ansible_check_mode and (v4_script|changed or v6_script|changed) and is_netfilter.rc == 1

@ -0,0 +1,23 @@
---
- name: Save v4 rules (/etc/sysconfig/iptables)
shell: iptables-save -c > /etc/sysconfig/iptables
when: v4_script|changed
- name: Save v6 rules (/etc/sysconfig/ip6tables)
shell: ip6tables-save -c > /etc/sysconfig/ip6tables
when: v6_script|changed
- name: Ensure iptables service is installed
yum: name=iptables-services state=present update_cache=yes
when: ansible_distribution_major_version >= '7'
- name: Ensure iptables service is installed
yum: name=iptables state=present update_cache=yes
when: ansible_distribution_major_version < '7'
- name: Ensure iptables service is enabled & started
service: name=iptables enabled=yes state=started
- name: Ensure ip6tables service is enabled & started
service: name=ip6tables enabled=yes state=started
when: firewall_v6_configure

@ -0,0 +1,28 @@
---
- name: Generate v4 rules
template: src=generated.v4.j2 dest=/etc/iptables.v4.generated owner=root group=root mode=755
register: v4_script
when: firewall_v4_configure
- name: Load v4 rules
command: /etc/iptables.v4.generated
register: v4_script_load_result
failed_when: >-
v4_script_load_result.rc != 0 or
'unknown option' in v4_script_load_result.stderr or
'Table does not exist' in v4_script_load_result.stderr
when: v4_script|changed
- name: Generate v6 rules
template: src=generated.v6.j2 dest=/etc/iptables.v6.generated owner=root group=root mode=755
register: v6_script
when: firewall_v6_configure
- name: Load v6 rules
command: /etc/iptables.v6.generated
register: v6_script_load_result
failed_when: >-
v6_script_load_result.rc != 0 or
'unknown option' in v6_script_load_result.stderr or
'Table does not exist' in v6_script_load_result.stderr
when: v6_script|changed
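Review bot: the generated scripts are written with `mode=755`, so every local account can read the complete rule set, including any non-standard SSH port defined in the defaults. Only root executes `/etc/iptables.v4.generated`, so `mode=0700` loses nothing. The `v4_script|changed` filter form was deprecated in later Ansible releases in favour of `v4_script is changed`; worth switching while the file is being added.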

@ -0,0 +1,26 @@
#!/bin/sh
# {{ ansible_managed }}
{% set merged = firewall_v4_default_rules.copy() %}
{% set _ = merged.update(firewall_v4_group_rules) %}
{% set _ = merged.update(firewall_v4_host_rules) %}
# flush rules & delete user-defined chains
iptables -F
iptables -X
iptables -t raw -F
iptables -t raw -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
{% for group, rules in merged|dictsort %}
# {{ group }}
{% if not rules %}
# (none)
{% endif %}
{% for rule in rules %}
iptables {{ rule }}
{% endfor %}
{% endfor %}
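Review bot: the script flushes every table first and then appends rules one `iptables` call at a time, so between `iptables -F` and the last merged group the host runs with no rules, and a rule that fails partway (the `failed_when` in `rules.yml` only reports it) leaves the firewall in whatever partial state was reached. Rendering the merged groups into `iptables-restore` format and loading them with `iptables-restore` applies the whole rule set atomically and rejects it as a unit on a syntax error; at minimum add `set -e` so the script stops at the first bad rule rather than continuing past it.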

@ -0,0 +1,26 @@
#!/bin/sh
# {{ ansible_managed }}
{% set merged = firewall_v6_default_rules.copy() %}
{% set _ = merged.update(firewall_v6_group_rules) %}
{% set _ = merged.update(firewall_v6_host_rules) %}
# flush rules & delete user-defined chains
ip6tables -F
ip6tables -X
ip6tables -t raw -F
ip6tables -t raw -X
ip6tables -t nat -F
ip6tables -t nat -X
ip6tables -t mangle -F
ip6tables -t mangle -X
{% for group, rules in merged|dictsort %}
# {{ group }}
{% if not rules %}
# (none)
{% endif %}
{% for rule in rules %}
ip6tables {{ rule }}
{% endfor %}
{% endfor %}

@ -0,0 +1,68 @@
---
- hosts: all
become: true
roles:
- role: .
firewall_v6_configure: true
firewall_v4_group_rules:
400 allow http:
- -A INPUT -p tcp --dport http -j ACCEPT
400 allow 7890:
- -A INPUT -p tcp --dport 7890 -j ACCEPT
firewall_v4_host_rules:
400 allow 7890: []
firewall_v6_group_rules:
400 allow http:
- -A INPUT -p tcp --dport http -j ACCEPT
400 allow 7890:
- -A INPUT -p tcp --dport 7890 -j ACCEPT
firewall_v6_host_rules:
400 allow 7890: []
tasks:
- name: Retrieve v4 rules
command: iptables -L -n
changed_when: false
register: v4_rules
when: not ansible_check_mode
- name: Check that INPUT policy has been applied
assert:
that: "'Chain INPUT (policy DROP' in v4_rules.stdout"
when: not ansible_check_mode
- name: Check that a default rule has been applied
assert:
that: "'tcp dpt:22' in v4_rules.stdout"
when: not ansible_check_mode
- name: Check that a group rule has been applied
assert:
that: "'tcp dpt:80' in v4_rules.stdout"
when: not ansible_check_mode
- name: Check that deleted rules are deleted
assert:
that: "'tcp dpt:7890' not in v4_rules.stdout"
when: not ansible_check_mode
- name: Retrieve v6 rules
command: ip6tables -L -n
changed_when: false
register: v6_rules
when: not ansible_check_mode
- name: Check that INPUT policy has been applied
assert:
that: "'Chain INPUT (policy DROP' in v6_rules.stdout"
when: not ansible_check_mode
- name: Check that a default rule has been applied
assert:
that: "'tcp dpt:22' in v6_rules.stdout"
when: not ansible_check_mode
- name: Check that a group rule has been applied
assert:
that: "'tcp dpt:80' in v6_rules.stdout"
when: not ansible_check_mode
- name: Check that deleted rules are deleted
assert:
that: "'tcp dpt:7890' not in v6_rules.stdout"
when: not ansible_check_mode
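Review bot: these assertions check for `Chain INPUT (policy DROP` and `tcp dpt:22`, which match the upstream defaults, but the `defaults/main.yml` added in this same commit never sets `-P INPUT DROP` (it appends `-j REJECT` instead), so the "INPUT policy has been applied" check would fail against the repository's own defaults. Either restore the `-P INPUT DROP` rule in the defaults or change the assertion, so the tests remain a real regression check for the configuration actually deployed.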

@ -0,0 +1,26 @@
- name: Get Public IP
uri:
url: https://ipinfo.io/ip
return_content: yes
register: public_ip
- name: Read file
command: "cat /root/{{ domain }}.dkim.txt"
register: dkim_txt
- name: 'Clean up DKIM line 1 and 2'
set_fact:
line1: "{{ dkim_txt.stdout_lines[1] | regex_replace('^.+?\\\"p=|\\\"', '') }}"
line2: "{{ dkim_txt.stdout_lines[2] | regex_replace('^.+?\\\"|\\\".+', '') }}"
- name: SPF Record
debug:
msg: "{{ domain }}. 1800 IN TXT 'v=spf1 mx ip4:{{ public_ip.content | replace('\n', '') }} -all'"
- name: DMARC Record
debug:
msg: "_dmarc.{{ domain }}. 1800 IN TXT 'v=DMARC1; p=reject; rua=mailto:postmaster@{{ domain }}'"
- name: 'DKIM Record'
debug:
msg: "mail._domainkey.{{ domain }}. 1800 IN TXT 'v=DKIM1; h=sha256; k=rsa; p={{ line1 }}{{ line2 }}'"
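Review bot: the DKIM record is rebuilt from `stdout_lines[1]` and `stdout_lines[2]` with index-based regexes, which only holds for the two-line key layout `opendkim-genkey` emits for the key size used here; a different key length or tool version shifts the lines and silently produces a truncated `p=` value. Extract the quoted fragments from the whole file instead (`regex_findall` over `dkim_txt.stdout`) and join them, and have the role run `opendkim-testkey` after the record is published so a malformed key is caught rather than just printed. The SPF record also takes the host address from ipinfo.io at run time; if that lookup fails or returns a NAT address the printed record is wrong, so assert on `public_ip.status == 200` before using it.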

@ -0,0 +1,2 @@
/^\s*Received: / IGNORE
/^\s*Mime-Version: 1.0.*/ REPLACE Mime-Version: 1.0

@ -0,0 +1,60 @@
smtp inet n - y - - smtpd
-o receive_override_options=no_address_mappings
submission inet n - y - - smtpd
-o syslog_name=submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_security_options=noplaintext,noanonymous
-o smtpd_sasl_tls_security_options=noanonymous
-o smtpd_sasl_authenticated_header=yes
-o broken_sasl_auth_clients=no
-o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-o cleanup_service_name=auth-cleanup
-o smtpd_milters=$non_smtpd_milters
pickup fifo n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
auth-cleanup unix n - y - 0 cleanup
-o header_checks=pcre:/etc/postfix/auth_header_checks.pcre
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
-o smtp_fallback_relay=
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
spamassassin unix - n n - - pipe
user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
policy-spf unix - n n - - spawn
user=nobody argv=/usr/bin/perl /usr/lib/postfix/policyd-spf-perl
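Review bot: the `policy-spf` service is defined here (and both SPF policy packages are installed in the postfix tasks), but no `smtpd_recipient_restrictions` entry on this page references `check_policy_service unix:private/policy-spf`, so incoming mail is never SPF-checked; add the entry after `reject_unauth_destination`. The same applies to the `spamassassin` pipe transport, which nothing routes mail through without a `content_filter` setting. The submission service sets `broken_sasl_auth_clients=no` while `main.cf` sets it to `yes`; the `-o` override wins for submission, but the two should agree or the difference be commented. The submission hardening itself (`smtpd_tls_security_level=encrypt`, `noplaintext,noanonymous`, auth-only client and recipient restrictions) is the right shape.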

@ -0,0 +1,18 @@
# handlers file for postfix
---
- name: restart postfix service
service:
name: postfix
state: restarted
- name: new aliases
shell: newaliases
- name: post alias
shell: postalias /etc/aliases
- name: new virtual aliases
shell: postmap /etc/postfix/virtual
- name: reload postfix
shell: postfix reload

@ -0,0 +1,128 @@
# Task to install and configure postfix
---
- name: Add mail archive user
user:
name: mailarchive
shell: /bin/false
- name: Install postfix
apt:
name: "{{ item }}"
dpkg_options: 'force-confdef,force-confnew'
update_cache: yes
with_items:
- postfix
- postfix-doc
- postfix-policyd-spf-python
- postfix-pcre
- postfix-policyd-spf-perl
- name: Configure Postfix
shell: postconf -e "{{ item }}"
with_items:
# Set up domain
- "myorigin = {{ domain }}"
- "myhostname = {{ mail_domain }}"
- "relay_domains = {{ relay_domain}}, {{ domain }}"
# Set up alias maps
- alias_maps = hash:/etc/aliases
# Use Maildir mail boxes (single files, not one huge file)
- home_mailbox = Maildir/
- mailbox_command =
# AO
- smtpd_milters = inet:localhost:12301, inet:localhost:54321
- non_smtpd_milters = unix:private/opendkim unix:private/opendmarc
- smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_rbl_client sbl.spamhaus.org,reject_rbl_client cbl.abuseat.org
- smtpd_helo_restrictions = reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
- smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net
- mynetworks = 127.0.0.0/8
# TLS parameters
# Incoming e-mails
- smtpd_tls_CApath = /etc/ssl/certs
- "smtpd_tls_cert_file = /etc/letsencrypt/live/{{ mail_domain }}/fullchain.pem"
- "smtpd_tls_key_file = /etc/letsencrypt/live/{{ mail_domain }}/privkey.pem"
- smtpd_tls_security_level = may
- smtpd_tls_ask_ccert = yes
- smtpd_tls_eecdh_grade = strong
- smtpd_tls_protocols = !SSLv2, !SSLv3
- smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
- smtpd_tls_mandatory_ciphers = high
- tls_preempt_cipherlist = yes
#disable following ciphers for smtpd_tls_security_level=encrypt
- smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
#disable following ciphers for smtpd_tls_security_level=may
- smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
- smtpd_tls_loglevel = 1
- smtpd_use_tls = yes
- smtp_tls_note_starttls_offer = yes
- smtpd_tls_received_header = yes
# Outgoing e-mails
- smtp_tls_CApath = /etc/ssl/certs
- smtp_tls_security_level = may
- smtp_tls_loglevel = 1
- smtp_use_tls = yes
- smtp_tls_mandatory_ciphers=high
- smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
- inet_interfaces = all
- inet_protocols = ipv4
- message_size_limit = 52428800
- disable_vrfy_command = yes
- smtpd_helo_required = yes
# Maybe: permit_sasl_authenticated, reject_unknown_hostname
- smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname
- smtpd_delay_reject = yes
# bcc all mail to the mailarchive user
- always_bcc = mailarchive
# DKIM enabled protocol
- milter_protocol = 2
- milter_default_action = accept
# DKIM only for internal messages
- non_smtpd_milters = inet:localhost:12301
- allow_mail_to_commands = alias,forward,include
# mydestination at is also alt domains
- "mydestination = localhost, localhost.localdomain, {{ domain }}"
# From certbot
# https://www.upcloud.com/support/secure-postfix-using-lets-encrypt/
- smtpd_sasl_type = dovecot
- smtpd_sasl_path = private/auth
- smtpd_sasl_local_domain =
- smtpd_sasl_security_options = noanonymous
- broken_sasl_auth_clients = yes
- smtpd_sasl_auth_enable = yes
- virtual_alias_domains = $mydomain
- virtual_alias_maps = hash:/etc/postfix/virtual
- name: Adding to virtual
blockinfile:
path: /etc/postfix/virtual
insertafter: EOF
state: present
block: |
postmaster@{{ domain }} root
webmaster@{{ domain }} root
@{{ domain }} jebba
create: yes
tags:
- pfvirtual
- name: Copy master.cf file to remote host
copy:
src: master.cf
dest: /etc/postfix/master.cf
notify:
- new virtual aliases
- reload postfix
- name: Create Auth Header Checks file
copy:
src: auth_header_checks.pcre
dest: /etc/postfix/auth_header_checks.pcre
- name: Copy aliases
template:
src: aliases.j2
dest: /etc/aliases
notify:
- new aliases
- post alias
- restart postfix service
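Review bot: several `postconf -e` keys are set twice in the same loop and the last value wins, which hides configuration: `non_smtpd_milters` is first `unix:private/opendkim unix:private/opendmarc` and later `inet:localhost:12301`, so OpenDMARC is never applied to locally submitted mail, and `smtpd_helo_restrictions` appears twice with different lists. Remove the dead entries so the effective values are the ones reviewers read. In both `smtpd_tls_exclude_ciphers` lists `PSD` is not an OpenSSL cipher keyword and is ignored; `PSK` is presumably meant. `smtpd_tls_protocols = !SSLv2, !SSLv3` still permits TLS 1.0/1.1; `!SSLv2, !SSLv3, !TLSv1, !TLSv1.1` matches the intent of the `high` cipher grade. Finally, the `@{{ domain }} jebba` catch-all in `/etc/postfix/virtual` delivers mail for every possible local part to one mailbox, which defeats `reject_unknown_recipient`-style filtering and tends to attract dictionary spam; list the real addresses instead, or document that the catch-all is deliberate.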

@ -0,0 +1,3 @@
root: jebba
jebba: jebba-mail@{{ relay_domain }}
nobody: /dev/null

@ -0,0 +1,22 @@
- name: update grub
shell: update-grub
- name: restart ssh
service:
name: ssh
state: restarted
- name: sysctl
shell: sysctl -p
- name: locale gen
shell: locale-gen
- name: update locale
shell: update-locale
- name: restart cron
service:
name: cron
state: restarted
when: ansible_os_family == 'Debian'

@ -0,0 +1,186 @@
- name: Set locale
lineinfile:
path: /etc/locale.gen
line: en_US.UTF-8 UTF-8
state: present
create: yes
notify:
- locale gen
- update locale
- name: Set timezone to America/Denver
file:
src: /usr/share/zoneinfo/America/Denver
dest: /etc/localtime
state: link
force: yes
owner: root
group: root
notify: restart cron
# Set up iptables
- name: Configure iptables
include_role:
name: mikegleasonjr.firewall
- name: Set up APT
apt_repository:
repo: "{{ item }}"
state: present
with_items:
- deb http://mirrors.kernel.org/debian/ buster main
- deb http://mirrors.kernel.org/debian/ buster-updates main
- deb http://security.debian.org/ buster/updates main
#- deb http://mirrors.kernel.org/debian/ buster-backports main
# Make apt use IPv4
- name: Make apt use IPv4
lineinfile:
path: /etc/apt/apt.conf.d/99force-ipv4
line: 'Acquire::ForceIPv4 "true";'
state: present
insertafter: EOF
create: yes
# Upgrade server
- name: Upgrade server
apt:
upgrade: dist
dpkg_options: 'force-confdef,force-confnew'
update_cache: yes
- name: Install utilities
apt:
name: "{{ item }}"
dpkg_options: 'force-confdef,force-confnew'
update_cache: yes
with_items:
- apt-transport-https
#- bind9-host
- bzip2
- ca-certificates
- colordiff
- curl
- debian-archive-keyring
- exuberant-ctags
- git
- less
- locales
- lsb-release
- man-db
- manpages
- molly-guard
- net-tools
- ntp
- openssh-server
- python3
- rsync
- telnet
- traceroute
- vim
- vim-scripts
# Small user tweaks
- name: Update vimrc
lineinfile:
path: ~/.vimrc
line: ':syntax on'
state: present
insertafter: EOF
create: yes
- name: Update .bashrc
lineinfile:
path: /root/.bashrc
line: 'export EDITOR=vi'
state: present
insertafter: EOF
create: yes
# XXX Passwordless sudo XXX Ya, probably remove
- name: Passwordless sudo
lineinfile:
path: /etc/sudoers
regexp: '^%sudo[\t]ALL=\(ALL:ALL\) ALL'
line: '%sudo ALL=(ALL) NOPASSWD: ALL'
state: present
# SSH Config
- name: SSH Configuration
lineinfile:
path: /etc/ssh/sshd_config
regexp: '{{ item.find }}'
line: '{{ item.replace }}'
state: present
with_items:
- {find: '^.*PermitRootLogin.*', replace: 'PermitRootLogin no'}
- {find: '^.*PasswordAuthentication.*', replace: 'PasswordAuthentication no'}
- {find: '^.*RSAAuthentication.*', replace: 'RSAAuthentication no'}
- {find: '^.*X11Forwarding.*', replace: 'X11Forwarding no'}
notify:
- restart ssh
- name: Adding SSH configuration to the end of file
blockinfile:
path: /etc/ssh/sshd_config
state: present
block: |
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
AllowUsers jebba
notify:
- restart ssh
# Startup XXX disable as unneeded
# To disable additional services
# Add more "- service_name" lines as needed
- name: Disabling unneeded services
service:
name: "{{ item }}"
enabled: no
with_items:
- rsync
# Disable IPv6 in Grub
- name: Disabling IPv6 in Grub
lineinfile:
path: /etc/default/grub
regexp: '{{ item.find }}'
line: '{{ item.replace }}'
state: present
with_items:
- { find: '^.*?GRUB_TIMEOUT=.*', replace: 'GRUB_TIMEOUT=1'}
- { find: '^.*?GRUB_CMDLINE_LINUX=.*', replace: 'GRUB_CMDLINE_LINUX="ipv6.disable=1"'}
- { find: '^.*?GRUB_TERMINAL=.*', replace: 'GRUB_TERMINAL=console'}
notify:
- update grub
- name: Disable IPv6 in modprobe ipv6 conf file
lineinfile:
path: /etc/modprobe.d/ipv6.conf
line: 'blacklist ipv6'
state: present
insertafter: EOF
create: yes
- name: Disable IPv6 in modprobe aliases conf file
blockinfile:
path: /etc/modprobe.d/aliases.conf
block: |
alias net-pf-10 off
alias ivp6 off
insertafter: EOF
state: present
create: yes
- name: Disable IPv6 with sysctl
blockinfile:
path: /etc/sysctl.conf
block: |
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
insertafter: EOF
state: present
notify:
- sysctl
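Review bot: the `lineinfile` edits of `/etc/sudoers` and `/etc/ssh/sshd_config` have no `validate`, and the `restart ssh` handler follows immediately, so a bad line locks the operator out of both sudo and SSH in one play; add `validate: '/usr/sbin/visudo -cf %s'` and `validate: '/usr/sbin/sshd -t -f %s'` respectively. The `NOPASSWD: ALL` rule for `%sudo` is already flagged in the comment and should be removed before this role runs on production hosts. The sshd regexes (`'^.*PasswordAuthentication.*'`) are unanchored and match comment lines that merely mention the keyword; `lineinfile` replaces the last match, so anchor them as `'^#?PasswordAuthentication\s'` to guarantee the directive line itself is rewritten. `RSAAuthentication` is a protocol-1-only keyword that current sshd ignores with a warning, so it can be dropped. In the modprobe block, `alias ivp6 off` is a typo for `ipv6`, so that alias does nothing; the `ipv6.disable=1` kernel parameter and the sysctl block carry the actual effect.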

@ -0,0 +1,7 @@
- name: Install Spam Assassin
apt:
name: "{{ item }}"
dpkg_options: 'force-confdef,force-confnew'
update_cache: yes
with_items:
- spamassassin
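Review bot: this role only installs the package; `spamd` is neither enabled nor started, and nothing in `main.cf` sets `content_filter` to the `spamassassin` pipe transport defined in `master.cf`, so mail is never scanned. Add a `service: name=spamassassin enabled=yes state=started` task and either `content_filter = spamassassin` in the postfix tasks or an `-o content_filter=spamassassin` override on the `smtp` service, and include `sa-update` in the role so the rule set does not stay frozen at install time.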

@ -0,0 +1,8 @@
---
- name: Install SQL Grey
apt:
name: "{{ item }}"
dpkg_options: 'force-confdef,force-confnew'
update_cache: yes
with_items:
- sqlgrey
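Review bot: SQLgrey is installed but never wired into Postfix; greylisting only takes effect once `check_policy_service` pointing at the sqlgrey listener is added to `smtpd_recipient_restrictions` (after `reject_unauth_destination`, so the policy daemon is not consulted for mail that will be rejected anyway). As with spamassassin, the role should also ensure the `sqlgrey` service is enabled and started, and the playbook's "Install and configure SQLGrey" name should reflect that configuration is actually done.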

@ -0,0 +1,58 @@
# Master playbook
- name: Forksand Bootstrap Postfix
hosts: all
become: true
tasks:
- name: Run server tasks
import_role:
name: server_tasks
- name: Install and configuration letsencrypt
import_role:
name: letsencrypt_configuration
vars:
mail_domain: "{{ var_mail_domain }}"
relay_domain: "{{ var_relay_domain }}"
- name: Install and configure postfix
import_role:
name: postfix_configuration
vars:
domain: "{{ var_domain }}"
relay_domain: "{{ var_relay_domain }}"
mail_domain: "{{ var_mail_domain }}"
- name: Install and configure OpenDKIM
import_role:
name: dkim_configuration
vars:
domain: "{{ var_domain }}"
mail_domain: "{{ var_mail_domain }}"
- name: Install and configure Dovecot
import_role:
name: dovecot_configuration
vars:
mail_domain: "{{ var_mail_domain }}"
- name: Install and configure Spamassassin
import_role:
name: spamassassin_configuration
- name: Install and configure SQLGrey
import_role:
name: sqlgrey_configuration
- name: Install and configure Fail2Ban
import_role:
name: fail2ban_configuration
- name: Clean apt cache
apt:
autoclean: yes
- name: Print DNS outputs to screen
import_role:
name: outputs
vars:
domain: "{{ var_domain }}"

@ -0,0 +1,329 @@
#!/bin/bash
# forksand-bootstrap-hk1
# GPLv3+
# This script does some initial setup and config
# Sets up Proxmox.
# Log script
exec > >(tee /root/bootstrap-hk1.log) 2>/root/bootstrap-hk1.err
set -x
# Set locale
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
update-locale
# XXX Set timezone
ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
# Set up git for tracking. XXX Ansible... XXX
apt-get -y install git sudo
cd /etc
git init
chmod og-rwx /etc/.git
cat > /etc/.gitignore <<EOF
prelink.cache
*.swp
ld.so.cache
adjtime
blkid.tab
blkid.tab.old
mtab
resolv.conf
asound.state
mtab.fuselock
aliases.db
EOF
git config --global user.name "debian"
git config --global user.email git@localhost
cd /etc ; git add . ; git commit -a -m 'Set up new Debian Stretch hk1 server.'
# SET UP APT
#
cat > /etc/apt/sources.list <<EOF
deb http://mirrors.kernel.org/debian/ stretch-backports main
deb http://mirrors.kernel.org/debian/ stretch main
deb http://mirrors.kernel.org/debian/ stretch-updates main
deb http://security.debian.org/ stretch/updates main
EOF
# Make apt use IPv4:
echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4
git add /etc/apt/apt.conf.d/99force-ipv4
git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4
cd /etc ; git add . ; git commit -a -m 'Set up apt.'
# UPGRADE SERVER
apt-get update
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
cd /etc ; git add . ; git commit -a -m 'Update base install'
apt-get -y --download-only install \
--no-install-recommends \
apt-transport-https \
bzip2 \
ca-certificates \
colordiff \
cpufrequtils \
curl \
debian-archive-keyring \
exuberant-ctags \
git \
host \
less \
locales \
lsb-release \
man-db \
manpages \
molly-guard \
net-tools \
ntp \
openssh-server \
postfix \
python3 \
rsync \
telnet \
traceroute \
vim \
vim-scripts
DEBIAN_FRONTEND=noninteractive apt-get -y \
-o Dpkg::Options::="--force-confdef" \
-o Dpkg::Options::="--force-confnew" \
install \
--no-install-recommends \
apt-transport-https \
bzip2 \
ca-certificates \
colordiff \
cpufrequtils \
curl \
debian-archive-keyring \
exuberant-ctags \
git \
host \
less \
locales \
lsb-release \
man-db \
manpages \
molly-guard \
net-tools \
ntp \
openssh-server \
postfix \
python3 \
rsync \
telnet \
traceroute \
vim \
vim-scripts
cd /etc ; git add . ; git commit -a -m 'Install base packages'
# Speed up
echo 'GOVERNOR="performance"' > /etc/default/cpufrequtils
/etc/init.d/cpufrequtils restart
cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils'
# Small user tweaks
echo :syntax on > ~/.vimrc
echo :syntax on > /home/jebba/.vimrc
chown jebba:jebba /home/jebba/.vimrc
echo export EDITOR=vi >> /root/.bashrc
# XXX Passwordless sudo XXX Ya, probably remove
sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
adduser jebba sudo
cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'
# SSH config XXX sed cruft
sed -i \
-e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \
-e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \
-e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
-e 's/\#X11Forwarding yes/X11Forwarding no/g' \
/etc/ssh/sshd_config
echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
# XXX Add admins as only allowed ssh users
# XXX add user for ansbile
echo "AllowUsers jebba root" >> /etc/ssh/sshd_config
cd /etc ; git add . ; git commit -a -m 'Set up sshd'
systemctl restart sshd
# Startup XXX disable unneeded.
for i in rsync exim4 saned
do echo $i
/usr/sbin/update-rc.d $i disable
done
# XXX KILL THIS, listening on public port (firewalled, but still):
# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve
cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'
# GRUB
sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub
sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
update-grub
cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
# Fix network to come up on boot
sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
cd /etc ; git add . ; git commit -a -m 'Auto start network'
# XXX not sure why this is getting installed:
apt-get -y autoremove
apt-get -y remove os-prober
# Proxmox
#cat > /etc/apt/sources.list.d/pve-enterprise.list<<EOF
##deb https://enterprise.proxmox.com/debian/pve stretch pve-enterprise
#EOF
cat > /etc/apt/sources.list.d/pve-no-subscription.list<<EOF
deb http://download.proxmox.com/debian/pve stretch pve-no-subscription
EOF
# Add Proxmox enterprise key XXX Add key
#cat > /etc/apt/auth.conf<<EOF
#machine enterprise.proxmox.com
# login pve2s-0000000000
# password 00000000000000000000000000000000
#EOF
# XXX crufty add proxmox apt key
wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
apt-get update
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
apt-get -y \
install \
ksm-control-daemon \
omping \
proxmox-ve
cd /etc ; git add . ; git commit -a -m 'Install Proxmox'
apt clean
exit 0
# Run this on workstation:
# ssh -N -C -L 8201:localhost:8006 hk1
# firefox https://localhost:8201
# Login as root user via PAM
# Set up Enterprise Key, if used
#
#
cd /etc ; git add . ; git commit -a -m 'Initial Proxmox configuration'
#
#
# XXX Set up vmbr0 via web interface.
#
# Netwok
# hk1 (host) --> System --> Network
# Fix subnet mask, IP in web gui.
# Create --> Linux Bridge:
# vmbr0
# XXX best way for this server? No subnet.
#
# Set up ethernet ports
# XXX check name Disable enp2s0 (Autostart no)
# set up vmbr0 to the main IP, gateway, etc.
# Create Linux Bridge in web interface
# vmbr0
#XXX THIS ISN'T CORRECT IP
# 174.128.229.130/27
# 255.255.255.224
# Autostart
# VLAN Aware
# Bridge: enp2s0
# Comment Main bridge
#
# Set up 10.2.2.0 and 10.99.99.0 networks statically
# on secondary ethernet interfaces
# Reboot! hk1 (host) --> Restart
# Configure Corosync
# Set up hosts
# XXX MAKE SURE NEW NODES GET ADDED TO EXISTING SERVER /etc/hosts
echo "10.3.3.1 hk1-coro" >> /etc/hosts
echo "10.3.3.2 hk2-coro" >> /etc/hosts
echo "10.3.3.3 hk3-coro" >> /etc/hosts
echo "10.88.88.1 hk2-fs" >> /etc/hosts
echo "10.88.88.2 hk2-fs" >> /etc/hosts
echo "10.88.88.3 hk3-fs" >> /etc/hosts
# Test cluster ping
for i in hk1-coro hk2-coro hk3-coro
do ping -q -c1 $i
done
# Test ssh
for i in hk1-coro hk2-coro hk3-coro
do ssh $i hostname
done
# ssh via IP
for i in 10.2.2.3
do ssh $i hostname
done
# Note this is needed on at least one of the SharkTech servers or
# you get bad UDP checksums
# Also set to correct ethernet device
# XXX CHECK
ethtool -K enp3s0 gso off
ethtool --offload enp3s0 rx off tx off
ethtool -K enp4s0 gso off
ethtool --offload enp4s0 rx off tx off
# Run this on just one node, hk1, to get the cluster started
pvecm create hkfork --bindnet0_addr 10.2.2.1 --ring0_addr hk1-coro
# Run this on hk3
#pvecm add 10.2.2.1 --ring0_addr hk3-coro
pvecm status
pvecm nodes
# rebootz ?
# After Cluster is Configured
# ===========================
# Data Center --> Permissions --> Users
# Add user with Realm Proxmox VE authentication server.
# Give user root permissions: Datacenter --> Permissions --> Add --> User permission.
# Path: / User: j Role: Administrator
# XXX Or create admin group, add perms to that...
# Permissions --> Authentication. Set Proxmox VE authentication server to default.
# Storage
# Datacenter --> Storage --> Edit local. Enable all content (add VZDump)
#
# DNS
# hk1 (host) --> System --> DNS
# Add servers:
# 208.67.222.222 208.67.220.220 37.235.1.174
#
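Review bot: the Proxmox signing key is fetched over plain http and written straight into the trusted keyring, `wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg`, with nothing checked before it becomes an apt trust root for the `pve-no-subscription` line just above; fetch it over https and compare its checksum or fingerprint against the value Proxmox publishes before installing it (the `# XXX crufty add proxmox apt key` comment already flags this spot). Two smaller points in the same hunk: the `/etc/hosts` block has `10.88.88.1 hk2-fs` followed by `10.88.88.2 hk2-fs`, and the first is presumably `hk1-fs`; and `echo "AllowUsers jebba root"` combined with `%sudo ALL=(ALL) NOPASSWD: ALL` means one compromised key for `jebba` is full root with no second check, which the `XXX Ya, probably remove` comment already anticipates. Since the sudoers edit is a bare `sed -i`, run `visudo -c` afterwards so a malformed file cannot lock sudo out entirely, and note that the script has `set -x` but no `set -e`, so a failed `apt-get` does not stop the later steps.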
@ -0,0 +1,329 @@
#!/bin/bash
# forksand-bootstrap-hk2
# GPLv3+
# This script does some initial setup and config
# Sets up Proxmox.
# Log script
exec > >(tee /root/bootstrap-hk2.log) 2>/root/bootstrap-hk2.err
set -x
# Set locale
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
update-locale
# XXX Set timezone
ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
# Set up git for tracking. XXX Ansible... XXX
apt-get -y install git sudo
cd /etc
git init
chmod og-rwx /etc/.git
cat > /etc/.gitignore <<EOF
prelink.cache
*.swp
ld.so.cache
adjtime
blkid.tab
blkid.tab.old
mtab
resolv.conf
asound.state
mtab.fuselock
aliases.db
EOF
git config --global user.name "debian"
git config --global user.email git@localhost
cd /etc ; git add . ; git commit -a -m 'Set up new Debian Stretch hk2 server.'
# SET UP APT
#
cat > /etc/apt/sources.list <<EOF
deb http://mirrors.kernel.org/debian/ stretch-backports main
deb http://mirrors.kernel.org/debian/ stretch main
deb http://mirrors.kernel.org/debian/ stretch-updates main
deb http://security.debian.org/ stretch/updates main
EOF
# Make apt use IPv4:
echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4
git add /etc/apt/apt.conf.d/99force-ipv4
git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4
cd /etc ; git add . ; git commit -a -m 'Set up apt.'
# UPGRADE SERVER
apt-get update
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
cd /etc ; git add . ; git commit -a -m 'Update base install'
apt-get -y --download-only install \
--no-install-recommends \
apt-transport-https \
bzip2 \
ca-certificates \
colordiff \
cpufrequtils \
curl \
debian-archive-keyring \
exuberant-ctags \
git \
host \
less \
locales \
lsb-release \
man-db \
manpages \
molly-guard \
net-tools \
ntp \
openssh-server \
postfix \
python3 \
rsync \
telnet \
traceroute \
vim \
vim-scripts
DEBIAN_FRONTEND=noninteractive apt-get -y \
-o Dpkg::Options::="--force-confdef" \
-o Dpkg::Options::="--force-confnew" \
install \
--no-install-recommends \
apt-transport-https \
bzip2 \
ca-certificates \
colordiff \
cpufrequtils \
curl \
debian-archive-keyring \
exuberant-ctags \
git \
host \
less \
locales \
lsb-release \
man-db \
manpages \
molly-guard \
net-tools \
ntp \
openssh-server \
postfix \
python3 \
rsync \
telnet \
traceroute \
vim \
vim-scripts
cd /etc ; git add . ; git commit -a -m 'Install base packages'
# Speed up
echo 'GOVERNOR="performance"' > /etc/default/cpufrequtils
/etc/init.d/cpufrequtils restart
cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils'
# Small user tweaks
echo :syntax on > ~/.vimrc
echo :syntax on > /home/jebba/.vimrc
chown jebba:jebba /home/jebba/.vimrc
echo export EDITOR=vi >> /root/.bashrc
# XXX Passwordless sudo XXX Ya, probably remove
sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
adduser jebba sudo
cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'
# SSH config XXX sed cruft
sed -i \
-e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \
-e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \
-e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
-e 's/\#X11Forwarding yes/X11Forwarding no/g' \
/etc/ssh/sshd_config
echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
# XXX Add admins as only allowed ssh users
# XXX add user for ansbile
echo "AllowUsers jebba root" >> /etc/ssh/sshd_config
cd /etc ; git add . ; git commit -a -m 'Set up sshd'
systemctl restart sshd
# Startup XXX disable unneeded.
for i in rsync exim4 saned
do echo $i
/usr/sbin/update-rc.d $i disable
done
# XXX KILL THIS, listening on public port (firewalled, but still):
# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve
cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'
# GRUB
sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub
sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
update-grub
cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
# Fix network to come up on boot
sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
cd /etc ; git add . ; git commit -a -m 'Auto start network'
# XXX not sure why this is getting installed:
apt-get -y autoremove
apt-get -y remove os-prober
# Proxmox
#cat > /etc/apt/sources.list.d/pve-enterprise.list<<EOF
##deb https://enterprise.proxmox.com/debian/pve stretch pve-enterprise
#EOF
cat > /etc/apt/sources.list.d/pve-no-subscription.list<<EOF
deb http://download.proxmox.com/debian/pve stretch pve-no-subscription
EOF
# Add Proxmox enterprise key XXX Add key
#cat > /etc/apt/auth.conf<<EOF
#machine enterprise.proxmox.com
# login pve2s-0000000000
# password 00000000000000000000000000000000
#EOF
# XXX crufty add proxmox apt key
wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
apt-get update
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
apt-get -y \
install \
ksm-control-daemon \
omping \
proxmox-ve
cd /etc ; git add . ; git commit -a -m 'Install Proxmox'
apt clean
exit 0
# Run this on workstation:
# ssh -N -C -L 8202:localhost:8006 hk2
# firefox https://localhost:8202
# Login as root user via PAM
# Set up Enterprise Key, if used
#
#
cd /etc ; git add . ; git commit -a -m 'Initial Proxmox configuration'
#
#
# XXX Set up vmbr0 via web interface.
#
# Netwok
# hk2 (host) --> System --> Network
# Fix subnet mask, IP in web gui.
# Create --> Linux Bridge:
# vmbr0
# XXX best way for this server? No subnet.
#
# Set up ethernet ports
# XXX check name Disable enp2s0 (Autostart no)
# set up vmbr0 to the main IP, gateway, etc.
# Create Linux Bridge in web interface
# vmbr0
#XXX THIS ISN'T CORRECT IP
# 174.128.229.130/27
# 255.255.255.224
# Autostart
# VLAN Aware
# Bridge: enp2s0
# Comment Main bridge
#
# Set up 10.2.2.0 and 10.99.99.0 networks statically
# on secondary ethernet interfaces
# Reboot! hk2 (host) --> Restart
# Configure Corosync
# Set up hosts
# XXX MAKE SURE NEW NODES GET ADDED TO EXISTING SERVER /etc/hosts
echo "10.3.3.1 hk1-coro" >> /etc/hosts
echo "10.3.3.2 hk2-coro" >> /etc/hosts
echo "10.3.3.3 hk3-coro" >> /etc/hosts
echo "10.88.88.1 hk2-fs" >> /etc/hosts
echo "10.88.88.2 hk2-fs" >> /etc/hosts
echo "10.88.88.3 hk3-fs" >> /etc/hosts
# Test cluster ping
for i in hk1-coro hk2-coro hk3-coro
do ping -q -c1 $i
done
# Test ssh
for i in hk1-coro hk2-coro hk3-coro
do ssh $i hostname
done
# ssh via IP
for i in 10.2.2.3
do ssh $i hostname
done
# Note this is needed on at least one of the SharkTech servers or
# you get bad UDP checksums
# Also set to correct ethernet device
# XXX CHECK
ethtool -K enp3s0 gso off
ethtool --offload enp3s0 rx off tx off
ethtool -K enp4s0 gso off
ethtool --offload enp4s0 rx off tx off
# Run this on just one node, hk1, to get the cluster started
#pvecm create hkfork --bindnet0_addr 10.2.2.1 --ring0_addr hk1-coro
# Run this on hk2
pvecm add 10.2.2.1 --ring0_addr hk1-coro
pvecm status
pvecm nodes
# rebootz ?
# After Cluster is Configured
# ===========================
# Data Center --> Permissions --> Users
# Add user with Realm Proxmox VE authentication server.
# Give user root permissions: Datacenter --> Permissions --> Add --> User permission.
# Path: / User: j Role: Administrator
# XXX Or create admin group, add perms to that...
# Permissions --> Authentication. Set Proxmox VE authentication server to default.
# Storage
# Datacenter --> Storage --> Edit local. Enable all content (add VZDump)
#
# DNS
# hk2 (host) --> System --> DNS
# Add servers:
# 208.67.222.222 208.67.220.220 37.235.1.174
#
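Review bot: `pvecm add 10.2.2.1 --ring0_addr hk1-coro` under `# Run this on hk2` passes hk1's corosync address as this node's own ring0 address; `--ring0_addr` names the node being added, so this should be `hk2-coro`, matching the hk3 script, which passes `hk3-coro`. The same `/etc/hosts` defect as in hk1 is here too, `10.88.88.1 hk2-fs` and `10.88.88.2 hk2-fs` both mapping to `hk2-fs`. More generally this file is the hk1 script with the hostname swapped, so every fix (the key fetch, the hosts table, the sudoers edit) has to be applied three times; a single script that takes the node name as a parameter, or the Ansible role the `XXX Ansible... XXX` comment alludes to, would keep the three hosts from drifting.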
@ -0,0 +1,329 @@
#!/bin/bash
# forksand-bootstrap-hk3
# GPLv3+
# This script does some initial setup and config
# Sets up Proxmox.
# Log script
exec > >(tee /root/bootstrap-hk3.log) 2>/root/bootstrap-hk3.err
set -x
# Set locale
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
update-locale
# XXX Set timezone
ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
# Set up git for tracking. XXX Ansible... XXX
apt-get -y install git sudo
cd /etc
git init
chmod og-rwx /etc/.git
cat > /etc/.gitignore <<EOF
prelink.cache
*.swp
ld.so.cache
adjtime
blkid.tab
blkid.tab.old
mtab
resolv.conf
asound.state
mtab.fuselock
aliases.db
EOF
git config --global user.name "debian"
git config --global user.email git@localhost
cd /etc ; git add . ; git commit -a -m 'Set up new Debian Stretch hk3 server.'
# SET UP APT
#
cat > /etc/apt/sources.list <<EOF
deb http://mirrors.kernel.org/debian/ stretch-backports main
deb http://mirrors.kernel.org/debian/ stretch main
deb http://mirrors.kernel.org/debian/ stretch-updates main
deb http://security.debian.org/ stretch/updates main
EOF
# Make apt use IPv4:
echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4
git add /etc/apt/apt.conf.d/99force-ipv4
git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4
cd /etc ; git add . ; git commit -a -m 'Set up apt.'
# UPGRADE SERVER
apt-get update
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
cd /etc ; git add . ; git commit -a -m 'Update base install'
apt-get -y --download-only install \
--no-install-recommends \
apt-transport-https \
bzip2 \
ca-certificates \
colordiff \
cpufrequtils \
curl \
debian-archive-keyring \
exuberant-ctags \
git \
host \
less \
locales \
lsb-release \
man-db \
manpages \
molly-guard \
net-tools \
ntp \
openssh-server \
postfix \
python3 \
rsync \
telnet \
traceroute \
vim \
vim-scripts
DEBIAN_FRONTEND=noninteractive apt-get -y \
-o Dpkg::Options::="--force-confdef" \
-o Dpkg::Options::="--force-confnew" \
install \
--no-install-recommends \
apt-transport-https \
bzip2 \
ca-certificates \
colordiff \
cpufrequtils \
curl \
debian-archive-keyring \
exuberant-ctags \
git \
host \
less \
locales \
lsb-release \
man-db \
manpages \
molly-guard \
net-tools \
ntp \
openssh-server \
postfix \
python3 \
rsync \
telnet \
traceroute \
vim \
vim-scripts
cd /etc ; git add . ; git commit -a -m 'Install base packages'
# Speed up
echo 'GOVERNOR="performance"' > /etc/default/cpufrequtils
/etc/init.d/cpufrequtils restart
cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils'
# Small user tweaks
echo :syntax on > ~/.vimrc
echo :syntax on > /home/jebba/.vimrc
chown jebba:jebba /home/jebba/.vimrc
echo export EDITOR=vi >> /root/.bashrc
# XXX Passwordless sudo XXX Ya, probably remove
sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
adduser jebba sudo
cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'
# SSH config XXX sed cruft
sed -i \
-e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \
-e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \
-e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
-e 's/\#X11Forwarding yes/X11Forwarding no/g' \
/etc/ssh/sshd_config
echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
# XXX Add admins as only allowed ssh users
# XXX add user for ansbile
echo "AllowUsers jebba root" >> /etc/ssh/sshd_config
cd /etc ; git add . ; git commit -a -m 'Set up sshd'
systemctl restart sshd
# Startup XXX disable unneeded.
for i in rsync exim4 saned
do echo $i
/usr/sbin/update-rc.d $i disable
done
# XXX KILL THIS, listening on public port (firewalled, but still):
# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve
cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'
# GRUB
sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub
sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
update-grub
cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
# Fix network to come up on boot
sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
cd /etc ; git add . ; git commit -a -m 'Auto start network'
# XXX not sure why this is getting installed:
apt-get -y autoremove
apt-get -y remove os-prober
# Proxmox
#cat > /etc/apt/sources.list.d/pve-enterprise.list<<EOF
##deb https://enterprise.proxmox.com/debian/pve stretch pve-enterprise
#EOF
cat > /etc/apt/sources.list.d/pve-no-subscription.list<<EOF
deb http://download.proxmox.com/debian/pve stretch pve-no-subscription
EOF
# Add Proxmox enterprise key XXX Add key
#cat > /etc/apt/auth.conf<<EOF
#machine enterprise.proxmox.com
# login pve2s-0000000000
# password 00000000000000000000000000000000
#EOF
# XXX crufty add proxmox apt key
wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
apt-get update
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
apt-get -y \
install \
ksm-control-daemon \
omping \
proxmox-ve
cd /etc ; git add . ; git commit -a -m 'Install Proxmox'
apt clean
exit 0
# Run this on workstation:
# ssh -N -C -L 8203:localhost:8006 hk3
# firefox https://localhost:8203
# Login as root user via PAM
# Set up Enterprise Key, if used
#
#
cd /etc ; git add . ; git commit -a -m 'Initial Proxmox configuration'
#
#
# XXX Set up vmbr0 via web interface.
#
# Netwok
# hk3 (host) --> System --> Network
# Fix subnet mask, IP in web gui.
# Create --> Linux Bridge:
# vmbr0
# XXX best way for this server? No subnet.
#
# Set up ethernet ports
# XXX check name Disable enp2s0 (Autostart no)
# set up vmbr0 to the main IP, gateway, etc.
# Create Linux Bridge in web interface
# vmbr0
#XXX THIS ISN'T CORRECT IP
# 174.128.229.130/27
# 255.255.255.224
# Autostart
# VLAN Aware
# Bridge: enp2s0
# Comment Main bridge
#
# Set up 10.2.2.0 and 10.99.99.0 networks statically
# on secondary ethernet interfaces
# Reboot! hk3 (host) --> Restart
# Configure Corosync
# Set up hosts
# XXX MAKE SURE NEW NODES GET ADDED TO EXISTING SERVER /etc/hosts
echo "10.3.3.1 hk1-coro" >> /etc/hosts
echo "10.3.3.2 hk2-coro" >> /etc/hosts
echo "10.3.3.3 hk3-coro" >> /etc/hosts
echo "10.88.88.1 hk2-fs" >> /etc/hosts
echo "10.88.88.2 hk2-fs" >> /etc/hosts
echo "10.88.88.3 hk3-fs" >> /etc/hosts
# Test cluster ping
for i in hk1-coro hk2-coro hk3-coro
do ping -q -c1 $i
done
# Test ssh
for i in hk1-coro hk2-coro hk3-coro
do ssh $i hostname
done
# ssh via IP
for i in 10.2.2.3
do ssh $i hostname
done
# Note this is needed on at least one of the SharkTech servers or
# you get bad UDP checksums
# Also set to correct ethernet device
# XXX CHECK
ethtool -K enp3s0 gso off
ethtool --offload enp3s0 rx off tx off
ethtool -K enp4s0 gso off
ethtool --offload enp4s0 rx off tx off
# Run this on just one node, hk3, to get the cluster started
#pvecm create hkfork --bindnet0_addr 10.2.2.3 --ring0_addr hk3-coro
# Run this on hk3
pvecm add 10.2.2.1 --ring0_addr hk3-coro
pvecm status
pvecm nodes
# rebootz ?
# After Cluster is Configured
# ===========================
# Data Center --> Permissions --> Users
# Add user with Realm Proxmox VE authentication server.
# Give user root permissions: Datacenter --> Permissions --> Add --> User permission.
# Path: / User: j Role: Administrator
# XXX Or create admin group, add perms to that...
# Permissions --> Authentication. Set Proxmox VE authentication server to default.
# Storage
# Datacenter --> Storage --> Edit local. Enable all content (add VZDump)
#
# DNS
# hk3 (host) --> System --> DNS
# Add servers:
# 208.67.222.222 208.67.220.220 37.235.1.174
#
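Review bot: the comment `# Run this on just one node, hk3, to get the cluster started` and the commented-out `#pvecm create hkfork --bindnet0_addr 10.2.2.3 --ring0_addr hk3-coro` contradict the hk1 and hk2 scripts, where hk1 is the seed node; the live line below, `pvecm add 10.2.2.1 --ring0_addr hk3-coro`, joins hk1, so the comment should say hk1 and the commented create line should match the one in the hk1 script to avoid someone starting a second cluster from hk3. The duplicated `hk2-fs` entry for `10.88.88.1` is repeated here as well. Note also that everything after `exit 0` (the `ethtool` offload changes, `pvecm add`, `pvecm status`) never runs; if it is intended as a manual checklist, a separate post-install script with its own shebang would let the `tee` logging at the top cover those steps too.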
@ -0,0 +1,314 @@
#!/bin/bash
# forksand-bootstrap-shark4
# GPLv3+
# This script does some initial setup and config
# Sets up Proxmox.
# IPv6 is left enabled.
# Firewalling is done through Proxmox.
# Edit below to add Proxmox Enterprise Key. XXX broken, use community repo.
# XXX set network to auto not hotplug XXX
# Log script
exec > >(tee /root/bootstrap-shark4.log) 2>/root/bootstrap-shark4.err
set -x
# Set locale
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
update-locale
# XXX Set timezone
ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
# Set up git for tracking. XXX Ansible... XXX
apt-get -y install git sudo
cd /etc
git init
chmod og-rwx /etc/.git
cat > /etc/.gitignore <<EOF
prelink.cache
*.swp
ld.so.cache
adjtime
blkid.tab
blkid.tab.old
mtab
resolv.conf
asound.state
mtab.fuselock
aliases.db
EOF
git config --global user.name "debian"
git config --global user.email git@localhost
cd /etc ; git add . ; git commit -a -m 'Set up new Debian Stretch shark4 server.'
# SET UP APT
#
cat > /etc/apt/sources.list <<EOF
deb http://mirrors.kernel.org/debian/ stretch-backports main
deb http://mirrors.kernel.org/debian/ stretch main
deb http://mirrors.kernel.org/debian/ stretch-updates main
deb http://security.debian.org/ stretch/updates main
EOF
# Make apt use IPv4:
echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4
git add /etc/apt/apt.conf.d/99force-ipv4
git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4
cd /etc ; git add . ; git commit -a -m 'Set up apt.'
# UPGRADE SERVER
apt-get update
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
cd /etc ; git add . ; git commit -a -m 'Update base install'
apt-get -y --download-only install \
--no-install-recommends \
apt-transport-https \
bzip2 \
ca-certificates \
colordiff \
cpufrequtils \
curl \
debian-archive-keyring \
exuberant-ctags \
git \
host \
less \
locales \
lsb-release \
man-db \
manpages \
molly-guard \
net-tools \
ntp \
openssh-server \
python3 \
rsync \
telnet \
traceroute \
vim \
vim-scripts
DEBIAN_FRONTEND=noninteractive apt-get -y \
-o Dpkg::Options::="--force-confdef" \
-o Dpkg::Options::="--force-confnew" \
install \
--no-install-recommends \
apt-transport-https \
bzip2 \
ca-certificates \
colordiff \
cpufrequtils \
curl \
debian-archive-keyring \
exuberant-ctags \
git \
host \
less \
locales \
lsb-release \
man-db \
manpages \
molly-guard \
net-tools \
ntp \
openssh-server \
python3 \
rsync \
telnet \
traceroute \
vim \
vim-scripts
cd /etc ; git add . ; git commit -a -m 'Install base packages'
# NTP SharkTech
sed -i \
-e 's/pool 0.debian.pool.ntp.org/\#pool 0.debian.pool.ntp.org/g' \
-e 's/pool 1.debian.pool.ntp.org/\#pool 1.debian.pool.ntp.org/g' \
-e 's/pool 2.debian.pool.ntp.org/\#pool 2.debian.pool.ntp.org/g' \
-e 's/pool 3.debian.pool.ntp.org/pool time.sharktech.net iburst/g' \
/etc/ntp.conf
cd /etc ; git add . ; git commit -a -m 'Use SharkTech NTP (others firewalled).'
# Speed up
echo 'GOVERNOR="performance"' > /etc/default/cpufrequtils
/etc/init.d/cpufrequtils restart
cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils'
# Small user tweaks
echo :syntax on > ~/.vimrc
echo :syntax on > /home/jebba/.vimrc
chown jebba:jebba /home/jebba/.vimrc
echo export EDITOR=vi >> /root/.bashrc
# XXX Passwordless sudo XXX Ya, probably remove
sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
adduser jebba sudo
cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'
# SSH config XXX sed cruft
sed -i \
-e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \
-e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \
-e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
-e 's/\#X11Forwarding yes/X11Forwarding no/g' \
/etc/ssh/sshd_config
echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
# XXX Add admins as only allowed ssh users
# XXX add user for ansbile
echo "AllowUsers jebba" >> /etc/ssh/sshd_config
cd /etc ; git add . ; git commit -a -m 'Set up sshd'
systemctl restart sshd
# Startup XXX disable unneeded.
for i in rsync exim4 saned
do echo $i
/usr/sbin/update-rc.d $i disable
done
# XXX KILL THIS, listening on public port (firewalled, but still):
# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve
cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'
# GRUB
sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub
sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
update-grub
cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
# Fix network to come up on boot
sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
cd /etc ; git add . ; git commit -a -m 'Auto start network'
# XXX not sure why this is getting installed:
apt-get -y autoremove
# Proxmox
#cat > /etc/apt/sources.list.d/pve-enterprise.list<<EOF
##deb https://enterprise.proxmox.com/debian/pve stretch pve-enterprise
#EOF
cat > /etc/apt/sources.list.d/pve-no-subscription.list<<EOF
deb http://download.proxmox.com/debian/pve stretch pve-no-subscription
EOF
# Add Proxmox enterprise key XXX Add key
#cat > /etc/apt/auth.conf<<EOF
#machine enterprise.proxmox.com
# login pve2s-0000000000
# password 00000000000000000000000000000000
#EOF
# XXX crufty add proxmox apt key
wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
apt-get update
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
apt-get -y \
install \
ksm-control-daemon \
proxmox-ve
cd /etc ; git add . ; git commit -a -m 'Install Proxmox'
apt clean
exit 0
# Run this on workstation:
# ssh -N -C -L 8007:localhost:8006 shark4
# firefox https://localhost:8006
# Login as root user via PAM
# Set up Enterprise Key
# Data Center --> Permissions --> Users
# Add user with Realm Proxmox VE authentication server.
# Give user root permissions: Datacenter --> Permissions --> Add --> User permission.
# Path: / User: j Role: Administrator
# XXX Or create admin group, add perms to that...
# Permissions --> Authentication. Set Proxmox VE authentication server to default.
#
# Enable firewall.
# Datacenter --> shark4 (host) --> Firewall --> Add.
# Open up for SSH and SSH alt port.
# Enable firewall for datacenter:
# Datacenter --> Firewall --> Options --> Firewall --> Yes
# Enable firewall for shark4:
# Open up for SSH and SSH alt port.
# REJECT everything coming in. (then DROP)
# Reorder to ACCEPT SSH at top
#
# Reboot! shark4 (host) --> Restart
#
#
# XXX
# Datacenter --> Firewall --> Add.
# REJECT any in
#
# Storage
# Datacenter --> Storage --> Edit local. Enable all content (add VZDump)
#
# XXX postfix
#
# DNS
# shark4 (host) --> System --> DNS
# Add servers:
# 208.67.222.222 208.67.220.220 37.235.1.174
#
# Netwok
# shark4 (host) --> System --> Network
# Fix subnet mask, IP in web gui.
# Create --> Linux Bridge:
# vmbr0
# XXX best way for this server? No subnet.
#
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto enp1s0f1
iface enp1s0f1 inet static
address 70.39.103.210/29
gateway 70.39.103.209
dns-nameservers 208.67.222.222
dns-search forksand.com
#
# rebootz
#
# Set up templates
# Datacenter --> shark4 --> local (shark4) --> Content --> Templates
# Select Debian. maybe arch, alpine
# XXX TOTAL MEH XXX
# add this to the workstation:
# 127.0.0.1 localhost shark3-tun shark4-tun
# Then use URLs
# https://shark3-tun:8006
# https://shark4-tun:8007
# Or you can only be logged into one at a time.
# XXX find better workaround
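Review bot: the Proxmox repository key is fetched over plain HTTP with no fingerprint check (`wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg -O /etc/apt/trusted.gpg.d/...`) and the `apt-get update` that follows trusts whatever arrived, so an on-path attacker who swaps the key can then serve correctly "signed" packages for the whole `proxmox-ve` install. Fetch it over https and compare its checksum against the value Proxmox publishes before placing it in trusted.gpg.d, aborting on mismatch. Two smaller points in the manual-steps block: the tunnel is `ssh -N -C -L 8007:localhost:8006 shark4` but the next line opens `https://localhost:8006`, which hits nothing on the workstation (the later `https://shark4-tun:8007` is the intended port); and "Enable firewall for datacenter" is listed before "Reorder to ACCEPT SSH at top", so add and verify the SSH ACCEPT rule first, otherwise the only path to a colocated host is cut until someone reaches the console. Also, once a real subscription key replaces the zeroed `login pve2s-0000000000` / `password` lines in /etc/apt/auth.conf, the `cd /etc ; git add . ; git commit` that follows records it in the repo history; add `apt/auth.conf` to /etc/.gitignore.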

@ -0,0 +1,375 @@
#!/bin/bash
# forksand-bootstrap-the
# GPLv3+
# This script does some initial setup and config
# Sets up Proxmox.
# IPv6 is left enabled.
# Firewalling is done through Proxmox.
# Edit below to add Proxmox Enterprise Key. XXX broken, use community repo.
# XXX set up hostname
# XXX set network to auto not hotplug XXX
# Log script
exec > >(tee /root/bootstrap-the.log) 2>/root/bootstrap-the.err
set -x
# Set locale
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
update-locale
# XXX Set timezone
ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
# Set up git for tracking. XXX Ansible... XXX
echo 'Acquire::http::Proxy "http://192.168.110.72:3142";' > /etc/apt/apt.conf
apt-get -y install git sudo
cd /etc
git init
chmod og-rwx /etc/.git
cat > /etc/.gitignore <<EOF
prelink.cache
*.swp
ld.so.cache
adjtime
blkid.tab
blkid.tab.old
mtab
resolv.conf
asound.state
mtab.fuselock
aliases.db
EOF
git config --global user.name "debian"
git config --global user.email git@localhost
cd /etc ; git add . ; git commit -a -m 'Set up new Debian Stretch the server.'
# SET UP APT
#
cat > /etc/apt/sources.list <<EOF
deb http://mirrors.kernel.org/debian/ stretch-backports main
deb http://mirrors.kernel.org/debian/ stretch main
deb http://mirrors.kernel.org/debian/ stretch-updates main
deb http://security.debian.org/ stretch/updates main
EOF
# Make apt use IPv4:
echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4
git add /etc/apt/apt.conf.d/99force-ipv4
git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4
cd /etc ; git add . ; git commit -a -m 'Set up apt.'
# UPGRADE SERVER
apt-get update
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
cd /etc ; git add . ; git commit -a -m 'Update base install'
# ZFS tools
modprobe zfs
apt-get -y --download-only install \
--no-install-recommends \
apt-transport-https \
bzip2 \
ca-certificates \
colordiff \
cpufrequtils \
curl \
debian-archive-keyring \
exuberant-ctags \
git \
host \
less \
locales \
lsb-release \
man-db \
manpages \
molly-guard \
net-tools \
ntp \
openssh-server \
python3 \
rsync \
tcpdump \
telnet \
traceroute \
vim \
vim-scripts \
zfsutils-linux
DEBIAN_FRONTEND=noninteractive apt-get -y \
-o Dpkg::Options::="--force-confdef" \
-o Dpkg::Options::="--force-confnew" \
install \
--no-install-recommends \
apt-transport-https \
bzip2 \
ca-certificates \
colordiff \
cpufrequtils \
curl \
debian-archive-keyring \
exuberant-ctags \
git \
host \
less \
locales \
lsb-release \
man-db \
manpages \
molly-guard \
net-tools \
ntp \
openssh-server \
python3 \
rsync \
tcpdump \
telnet \
traceroute \
vim \
vim-scripts \
zfsutils-linux
cd /etc ; git add . ; git commit -a -m 'Install base packages'
# Speed up
echo 'GOVERNOR="performance"' > /etc/default/cpufrequtils
/etc/init.d/cpufrequtils restart
cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils'
# Small user tweaks
echo :syntax on > ~/.vimrc
echo :syntax on > /home/jebba/.vimrc
chown jebba:jebba /home/jebba/.vimrc
echo export EDITOR=vi >> /root/.bashrc
# XXX Passwordless sudo XXX Ya, probably remove
sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
adduser jebba sudo
cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'
# SSH config XXX sed cruft
sed -i \
-e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \
-e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \
-e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
-e 's/\#X11Forwarding yes/X11Forwarding no/g' \
/etc/ssh/sshd_config
echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
# XXX Add admins as only allowed ssh users
# XXX add user for ansbile
echo "AllowUsers jebba root" >> /etc/ssh/sshd_config
cd /etc ; git add . ; git commit -a -m 'Set up sshd'
systemctl restart sshd
# Startup XXX disable unneeded.
for i in rsync exim4 saned
do echo $i
/usr/sbin/update-rc.d $i disable
done
# XXX KILL THIS, listening on public port (firewalled, but still):
# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve
cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'
# GRUB
sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub
sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
update-grub
cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
# Fix network to come up on boot
sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
cd /etc ; git add . ; git commit -a -m 'Auto start network'
# XXX not sure why this is getting installed:
apt-get -y autoremove
# Proxmox
#cat > /etc/apt/sources.list.d/pve-enterprise.list<<EOF
##deb https://enterprise.proxmox.com/debian/pve stretch pve-enterprise
#EOF
cat > /etc/apt/sources.list.d/pve-no-subscription.list<<EOF
deb http://download.proxmox.com/debian/pve stretch pve-no-subscription
EOF
# Add Proxmox enterprise key XXX Add key
#cat > /etc/apt/auth.conf<<EOF
#machine enterprise.proxmox.com
# login pve2s-0000000000
# password 00000000000000000000000000000000
#EOF
# XXX crufty add proxmox apt key
wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
apt-get update
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
apt-get -y \
install \
ksm-control-daemon \
omping \
proxmox-ve
cd /etc ; git add . ; git commit -a -m 'Install Proxmox'
apt clean
exit 0
cd /etc ; git add . ; git commit -a -m 'Initial Proxmox configuration'
#
# XXX use postfix not exim4
#
# Create --> Linux Bridge:
# vmbr0
# rebootz
#
# Set up templates
# Cluster Corosync
exit 0
echo "10.8.8.88 truck-coro" >> /etc/hosts
echo "10.8.8.90 swutch-coro" >> /etc/hosts
echo "10.8.8.87 wall-coro" >> /etc/hosts
echo "10.8.8.66 the-coro" >> /etc/hosts
echo "10.99.99.88 truck-fs" >> /etc/hosts
echo "10.99.99.90 swutch-fs" >> /etc/hosts
echo "10.99.99.87 wall-fs" >> /etc/hosts
echo "10.99.99.66 the-fs" >> /etc/hosts
# Test cluster ping
for i in truck-coro swutch-coro wall-coro the-coro
do ping -q -c1 $i
done
# more stuff
apt remove os-prober
# Disable enp3s0 (Autostart no)
#
# set up vmbr0 to the main IP, gateway, etc.
# Create Linux Bridge in web interface
# vmbr0
# 192.168.110.66
# 255.255.255.0
# Gateway 192.168.110.252
# Autostart
# VLAN Aware
# Bridge: enp3s0f1
# Comment Main bridge
# Set up corosync ethernet interfaces
# 10.8.8.66
# 255.255.255.0
# Autostart
# VLAN Aware
# Bridge enx000acd31ac3d
# Comment the-coro
# Set up ceph ethernet interfaces
# 10.99.99.66
# 255.255.255.0
# Autostart
# VLAN Aware
# Bridge enx000acd31ac3e
# Comment fs-coro
# rebooootz
# Add the to /etc/hosts on other servers:
10.8.8.66 the-coro
10.99.99.66 the-fs
# Add the the ssh key to ONE node
# Add truck, wall, swutch ssh keys to the
# Test flood multicast on private interface
omping -c 10000 -i 0.001 -F -q swutch-coro truck-coro the-coro wall-coro
# Ten minute test:
omping -c 600 -i 1 -q swutch-coro truck-coro wall-coro the-coro
# Set up ssh as root to/from all nodes
# Best way to do this ... XXX
echo "fookey" >> /root/.ssh/authorized_keys
# test SSH
/etc/init.d/ssh restart
for i in the wall truck swutch ;do ssh $i hostname ;done
for i in the-coro wall-coro truck-coro swutch-coro ;do ssh $i hostname ;done
for i in the-fs wall-fs truck-fs swutch-fs ;do ssh $i hostname ;done
# Run on the:
pvecm add 10.8.8.88 --ring0_addr the-coro
# If `tcpdump -vvv -i enp10s0` show bad udp checksums, run this:
# XXX ok on the, wall, swutch, truck
ethtool -K enp10s0 gso off
ethtool --offload enp10s0 rx off tx off
# Run on all nodes:
pveceph install --version luminous
# Then run on remaining nodes, the:
pveceph createmon
# On all nodes:
pveceph createmgr
# internal drives
# Create a GPT disklabel with fdisk
fdisk /dev/nvme0n1
# g
# w
pveceph createosd /dev/nvme0n1
# Create a GPT disklabel with fdisk
fdisk /dev/sda
# g
# w
pveceph createosd /dev/sda
#===================== XXX best way? XXX ====================
# XXX maybe not needed ?
# XXX actually, remove this and do no auth since it is private network.
mkdir /etc/pve/priv/ceph
cp -p /etc/pve/priv/ceph.client.admin.keyring /etc/pve/priv/ceph/my-ceph-storage.keyring
# Edit on just one node (shared on all)
vim /etc/pve/storage.cfg
# Do this instead of my-ceph-storage.keyring
# Edit on one node:
vim /etc/pve/ceph.conf
auth cluster required = none
auth service required = none
auth client required = none
# restart stuff
systemctl stop ceph\*.service ceph\*.target
mkdir /etc/pve/priv/ceph/old
mv /etc/pve/priv/ceph/*keyring /etc/pve/priv/ceph/old/
#===================== XXX best way? XXX ====================
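Review bot: the Ceph block at the end switches cephx off (`auth cluster required = none`, `auth service required = none`, `auth client required = none`) and moves the keyrings aside on the reasoning that the storage network is private. A VLAN is a reachability boundary, not an authentication one: any VM, container or mis-bridged interface that gets onto 10.99.99.0/24 can then read and write every RBD image without a key. Keep cephx enabled and use the keyring copy the hunk already sets up (`cp -p /etc/pve/priv/ceph.client.admin.keyring /etc/pve/priv/ceph/my-ceph-storage.keyring`), which is the supported way to give the storage.cfg entry credentials. Related: `git add .` in /etc runs again after Proxmox is installed, so /etc/.git will also capture /etc/pve/priv (cluster and Ceph keys), /etc/shadow and the sshd host private keys; `chmod og-rwx /etc/.git` protects the clone on disk but not any future push, so add those paths to /etc/.gitignore. The `%sudo ALL=(ALL) NOPASSWD: ALL` edit (already flagged "probably remove") makes a stolen key for `jebba`, the only non-root name in `AllowUsers jebba root`, equal to root with no second factor; drop NOPASSWD, and run `visudo -c` after any sed on /etc/sudoers, since a malformed line locks sudo out entirely. The `echo "fookey" >> /root/.ssh/authorized_keys` placeholder must not survive into a script that is ever run.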

@ -0,0 +1,393 @@
#!/bin/bash
# forksand-bootstrap-truck
# GPLv3+
# This script does some initial setup and config
# Sets up Proxmox.
# IPv6 is left enabled.
# Firewalling is done through Proxmox.
# Edit below to add Proxmox Enterprise Key. XXX broken, use community repo.
# XXX set up hostname
# XXX set network to auto not hotplug XXX
# Log script
exec > >(tee /root/bootstrap-truck.log) 2>/root/bootstrap-truck.err
set -x
# Set locale
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
update-locale
# XXX Set timezone
ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
# Set up git for tracking. XXX Ansible... XXX
echo 'Acquire::http::Proxy "http://192.168.110.72:3142";' > /etc/apt/apt.conf
apt-get -y install git sudo
cd /etc
git init
chmod og-rwx /etc/.git
cat > /etc/.gitignore <<EOF
prelink.cache
*.swp
ld.so.cache
adjtime
blkid.tab
blkid.tab.old
mtab
resolv.conf
asound.state
mtab.fuselock
aliases.db
EOF
git config --global user.name "debian"
git config --global user.email git@localhost
cd /etc ; git add . ; git commit -a -m 'Set up new Debian Stretch truck server.'
# SET UP APT
#
cat > /etc/apt/sources.list <<EOF
deb http://mirrors.kernel.org/debian/ stretch-backports main
deb http://mirrors.kernel.org/debian/ stretch main
deb http://mirrors.kernel.org/debian/ stretch-updates main
deb http://security.debian.org/ stretch/updates main
EOF
# Make apt use IPv4:
echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4
git add /etc/apt/apt.conf.d/99force-ipv4
git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4
cd /etc ; git add . ; git commit -a -m 'Set up apt.'
# UPGRADE SERVER
apt-get update
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
cd /etc ; git add . ; git commit -a -m 'Update base install'
apt-get -y --download-only install \
--no-install-recommends \
apt-transport-https \
bzip2 \
ca-certificates \
colordiff \
cpufrequtils \
curl \
debian-archive-keyring \
exuberant-ctags \
git \
host \
less \
locales \
lsb-release \
man-db \
manpages \
molly-guard \
net-tools \
ntp \
openssh-server \
python3 \
rsync \
telnet \
traceroute \
vim \
vim-scripts
DEBIAN_FRONTEND=noninteractive apt-get -y \
-o Dpkg::Options::="--force-confdef" \
-o Dpkg::Options::="--force-confnew" \
install \
--no-install-recommends \
apt-transport-https \
bzip2 \
ca-certificates \
colordiff \
cpufrequtils \
curl \
debian-archive-keyring \
exuberant-ctags \
git \
host \
less \
locales \
lsb-release \
man-db \
manpages \
molly-guard \
net-tools \
ntp \
openssh-server \
python3 \
rsync \
telnet \
traceroute \
vim \
vim-scripts
cd /etc ; git add . ; git commit -a -m 'Install base packages'
# Speed up
echo 'GOVERNOR="performance"' > /etc/default/cpufrequtils
/etc/init.d/cpufrequtils restart
cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils'
# Small user tweaks
echo :syntax on > ~/.vimrc
echo :syntax on > /home/jebba/.vimrc
chown jebba:jebba /home/jebba/.vimrc
echo export EDITOR=vi >> /root/.bashrc
# XXX Passwordless sudo XXX Ya, probably remove
sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
adduser jebba sudo
cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'
# SSH config XXX sed cruft
sed -i \
-e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \
-e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \
-e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
-e 's/\#X11Forwarding yes/X11Forwarding no/g' \
/etc/ssh/sshd_config
echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
# XXX Add admins as only allowed ssh users
# XXX add user for ansbile
echo "AllowUsers jebba root" >> /etc/ssh/sshd_config
cd /etc ; git add . ; git commit -a -m 'Set up sshd'
systemctl restart sshd
# Startup XXX disable unneeded.
for i in rsync exim4 saned
do echo $i
/usr/sbin/update-rc.d $i disable
done
# XXX KILL THIS, listening on public port (firewalled, but still):
# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve
cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'
# GRUB
sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub
sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
update-grub
cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'
# Fix network to come up on boot
sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
cd /etc ; git add . ; git commit -a -m 'Auto start network'
# XXX not sure why this is getting installed:
apt-get -y autoremove
# Proxmox
#cat > /etc/apt/sources.list.d/pve-enterprise.list<<EOF
##deb https://enterprise.proxmox.com/debian/pve stretch pve-enterprise
#EOF
cat > /etc/apt/sources.list.d/pve-no-subscription.list<<EOF
deb http://download.proxmox.com/debian/pve stretch pve-no-subscription
EOF
# Add Proxmox enterprise key XXX Add key
#cat > /etc/apt/auth.conf<<EOF
#machine enterprise.proxmox.com
# login pve2s-0000000000
# password 00000000000000000000000000000000
#EOF
# XXX crufty add proxmox apt key
wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
apt-get update
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade
apt-get -y \
install \
ksm-control-daemon \
proxmox-ve
cd /etc ; git add . ; git commit -a -m 'Install Proxmox'
apt clean
exit 0
# Run this on workstation:
# ssh -N -C -L 8008:localhost:8006 truck
# firefox https://localhost:8008
# Login as root user via PAM
# Set up Enterprise Key, if used
# Data Center --> Permissions --> Users
# Add user with Realm Proxmox VE authentication server.
# Give user root permissions: Datacenter --> Permissions --> Add --> User permission.
# Path: / User: j Role: Administrator
# XXX Or create admin group, add perms to that...
# Permissions --> Authentication. Set Proxmox VE authentication server to default.
#
# Enable firewall.
# Datacenter --> truck (host) --> Firewall --> Add.
# Open up for SSH and SSH alt port.
# Enable firewall for datacenter:
# Datacenter --> Firewall --> Options --> Firewall --> Yes
# Enable firewall for truck:
# Open up for SSH and SSH alt port.
# REJECT everything coming in. (then DROP)
# Reorder to ACCEPT SSH at top
#
cd /etc ; git add . ; git commit -a -m 'Initial Proxmox configuration'
#
# Reboot! truck (host) --> Restart
#
# XXX
# Datacenter --> Firewall --> Add.
# REJECT any in
#
# Storage
# Datacenter --> Storage --> Edit local. Enable all content (add VZDump)
#
# XXX postfix
#
# DNS
# truck (host) --> System --> DNS
# Add servers:
# 208.67.222.222 208.67.220.220 37.235.1.174
#
# Netwok
# truck (host) --> System --> Network
# Fix subnet mask, IP in web gui.
# Create --> Linux Bridge:
# vmbr0
# XXX best way for this server? No subnet.
#
# rebootz
#
# Set up templates
# XXX TOTAL MEH XXX
# add this to the workstation:
# 127.0.0.1 localhost truck-tun
# Run:
# ssh -N -C -L 8020:localhost:8006 truck
# Then use URLs
# https://truck-tun:8020
# Or you can only be logged into one at a time.
# XXX find better workaround
# Cluster Corosync
exit 0
echo "10.8.8.88 truck-coro" >> /etc/hosts
echo "10.8.8.90 swutch-coro" >> /etc/hosts
echo "10.8.8.87 wall-coro" >> /etc/hosts
echo "10.111.111.88 truck-fs" >> /etc/hosts
echo "10.111.111.90 swutch-fs" >> /etc/hosts
echo "10.111.111.87 wall-fs" >> /etc/hosts
# Test cluster ping
for i in truck-coro swutch-coro wall-coro
do ping -q -c1 $i
done
# more stuff
apt install postfix
apt remove os-prober
# Disable enp3s0 (Autostart no)
# set up vmbr0 to the main IP, gateway, etc.
# Create Linux Bridge in web interface
# vmbr0
# 192.168.55.88
# 255.255.255.0
# Autostart
# VLAN Aware
# Bridge: enp3s0
# Comment Main bridge
# Test flood multicast on private interface
omping -c 10000 -i 0.001 -F -q swutch-coro truck-coro wall-coro
# Ten minute test:
omping -c 600 -i 1 -q swutch-coro truck-coro wall-coro
# Set up ssh as root to/from all nodes
# Best way to do this ... XXX
echo "fookey" >> /root/.ssh/authorized_keys
for i in swutch-coro truck-coro wall-coro
do ssh $i hostname
done
# Run just on truck:
pvecm create red --bindnet0_addr 10.8.8.88 --ring0_addr truck-coro
# Run on wall:
pvecm add 10.8.8.88 --ring0_addr wall-coro
# Run on swutch:
pvecm add 10.8.8.88 --ring0_addr swutch-coro
# If `tcpdump -vvv -i enp10s0` show bad udp checksums, run this:
# XXX ok on truck, wall, swutch
ethtool -K enp10s0 gso off
ethtool --offload enp10s0 rx off tx off
# Setup 10.99.99.0/24 addresses for Ceph on enp16s0
# Run on all nodes:
pveceph install --version luminous
# Run just on one node (truck):
pveceph init --network 10.99.99.0/24
pveceph createmon
# Then run on remaining nodes (or via GUI)
pveceph createmon
# On all nodes:
pveceph createmr
# XXX missing ZFS tools
apt install zfsutils-linux
modprobe zfs
# Add USB drive to swutch and run on it:
# Create a GPT disklabel with fdisk
fdisk /dev/sdb
# g
# w
pveceph createosd /dev/sdb
# XXX actually, remove this and do no auth since it is private network.
mkdir /etc/pve/priv/ceph
cp -p /etc/pve/priv/ceph.client.admin.keyring /etc/pve/priv/ceph/my-ceph-storage.keyring
# Edit on just one node (shared on all)
vim /etc/pve/storage.cfg
# Do this instead of my-ceph-storage.keyring
# Edit on one node:
vim /etc/pve/ceph.conf
auth cluster required = none
auth service required = none
auth client required = none
# restart stuff
systemctl stop ceph\*.service ceph\*.target
mkdir /etc/pve/priv/ceph/old
mv /etc/pve/priv/ceph/*keyring /etc/pve/priv/ceph/old/
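Review bot: `pveceph createmr` under "# On all nodes:" is a typo for `pveceph createmgr` (the `the` script has the correct form); as written the step fails on every node. The Ceph addressing is also inconsistent within this hunk: the `*-fs` host entries point at 10.111.111.x (`echo "10.111.111.88 truck-fs" >> /etc/hosts`), while the comment says "Setup 10.99.99.0/24 addresses for Ceph on enp16s0", the init call is `pveceph init --network 10.99.99.0/24`, and the `the` script maps the same `*-fs` names to 10.99.99.x. Pick one network so the `ssh *-fs` tests and the Ceph public network agree. Otherwise this file duplicates the `the` script nearly line for line and the same review points apply (plain-HTTP fetch of the apt key, cephx disabled, NOPASSWD sudo, placeholder `fookey`); a shared base script with per-host variables would keep the two from drifting further, as they already have here.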

@ -0,0 +1,151 @@
Deploy the Ansible roles
- Create a requirements.yml file and indicate there the git repos to source the Ansible roles from. See http://docs.ansible.com/ansible/latest/galaxy.html#installing-roles
host> nano requirements.yml
# from GitHub
- name: ansible-odoo
src: https://github.com/osiell/ansible-odoo
version: origin/master
- name: postgresql
src: https://github.com/ANXS/postgresql
- name: ansible-odoo-nginx
src: https://github.com/Eficent/ansible-odoo-nginx
- name: ansible-role-certbot
src: https://github.com/geerlingguy/ansible-role-certbot
host> sudo ansible-galaxy install -r requirements.yml
- changing role ansible-odoo from origin/master to origin/master
- extracting ansible-odoo to /home/jordi/.ansible/roles/ansible-odoo
- ansible-odoo (origin/master) was installed successfully
- changing role postgresql from to unspecified
- extracting postgresql to /home/jordi/.ansible/roles/postgresql
- postgresql was installed successfully
- extracting ansible-odoo-nginx to /home/jordi/.ansible/roles/ansible-odoo-nginx
- ansible-odoo-nginx was installed successfully
- adding dependency: geerlingguy.nginx
- extracting ansible-role-certbot to /home/jordi/.ansible/roles/ansible-role-certbot
- ansible-role-certbot was installed successfully
- downloading role 'nginx', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-nginx/archive/2.5.0.tar.gz
- extracting geerlingguy.nginx to /home/jordi/.ansible/roles/geerlingguy.nginx
- geerlingguy.nginx (2.5.0) was installed successfully
Note: use --force to ensure that the latest version of the roles is installed.
Install LXC Container
This is only to test locally the execution of the ansible playbook on a target host.
Create the LXC container:
host> sudo lxc-create -t debian -n odoo10
Start the LXC container:
host> sudo lxc-start -n odoo10 -d
Check that the container is up
host> sudo lxc-ls -f
NAME STATE AUTOSTART GROUPS IPV4 IPV6
odoo10 RUNNING 0 - 10.0.3.217 -
Attach to the container
host> sudo lxc-attach -n odoo10
Install nano:
container> apt-get install nano
Install python
container> apt-get install python
Allow root to connect over ssh:
container> nano /etc/ssh/sshd_config
FROM:
PermitRootLogin without-password TO:
PermitRootLogin yes
Restart ssh
container> /etc/init.d/ssh restart
Provide a password to root:
container> passwd
Exit from the container and try to ssh into it with the new user
container>exit
host> ssh root@10.0.3.217
Create Hosts Inventory File
Create a project folder under home dir.
host> mdir ansible-test && cd ansible-test
host> nano inventory
odoo10 ansible_ssh_host=10.0.3.217
Create Playbook File
host/ansible-test> nano ./playbook.yml
- name: Odoo 10
hosts: odoo10
roles:
- postgresql
- ansible-odoo
vars:
# [postgresql]
- postgresql_version: 9.3
# [odoo]
- odoo_version: 11.0
- odoo_install_type: pip
- odoo_config_unaccent: True
- odoo_pip_requirements_url: https://raw.githubusercontent.com/Eficent/sample-oca-pip-requirements/11.0/requirements.txt
- odoo_config_admin_passwd: SuPerPassWorD
- odoo_config_addons_path: ""
environment:
LC_ALL: en_US.UTF-8
Deploy the Playbook to the container
host> ansible-playbook -i inventory playbook.yml -e "ansible_ssh_user=root" -k -v
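Review bot: `host> mdir ansible-test && cd ansible-test` should be `mkdir`. The test playbook is titled `Odoo 10` against host `odoo10` but sets `odoo_version: 11.0` with `postgresql_version: 9.3`, while the committed playbook for the real host uses PostgreSQL 9.6, so the local LXC run does not exercise the stack that will be deployed; align the versions. `odoo_config_admin_passwd: SuPerPassWorD` is the Odoo master password, which authorises database create/drop/backup on the instance, and it sits in clear text in a file this manual publishes; put it in an ansible-vault variable or pass it at run time. The container steps that set `PermitRootLogin yes` and a root password and then run `ansible-playbook ... -e "ansible_ssh_user=root" -k` are acceptable for a throwaway local LXC but should be marked test-only, since the bootstrap scripts in this same commit deliberately set `PermitRootLogin prohibit-password` and `PasswordAuthentication no`. Also, `sudo ansible-galaxy install -r requirements.yml` is unnecessary (the output shows the roles landing under /home/jordi/.ansible/roles regardless); run it unprivileged.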

@ -0,0 +1 @@
odoo11 ansible_host=oca.forksand.com ansible_port=28208 ansible_user=jballester

@ -0,0 +1,31 @@
- name: Odoo 11
hosts: odoo11
remote_user: root
become: yes
roles:
- postgresql
- ansible-odoo
- ansible-odoo-nginx
- ansible-role-certbot
vars:
# [postgresql]
- postgresql_version: 9.6
# [odoo]
- odoo_version: 11.0
- odoo_install_type: pip
- odoo_pip_requirements_url: https://raw.githubusercontent.com/Eficent/sample-oca-pip-requirements/11.0/requirements.txt
- odoo_config_unaccent: True
- odoo_config_admin_passwd: SuPerPassWorD
- odoo_config_data_dir: "home/odoo/data"
# [ridingbytes_nginx]
- nginx_odoo_server: "oca.forksand.com"
- ssl_certificate: /etc/letsencrypt/live/oca.forksand.com/fullchain.pem
- ssl_certificate_key: /etc/letsencrypt/live/oca.forksand.com/privkey.pem
# [certbot]
- certbot_create_if_missing: yes
- certbot_certs:
- domains:
- oca.forksand.com
environment:
LC_ALL: en_US.UTF-8
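Review bot: `odoo_config_data_dir: "home/odoo/data"` lacks the leading slash, so it is a relative path resolved against the Odoo process's working directory; it should be `/home/odoo/data`. Role order matters here: `ansible-odoo-nginx` runs before `ansible-role-certbot`, yet `ssl_certificate` and `ssl_certificate_key` point at `/etc/letsencrypt/live/oca.forksand.com/...`, which does not exist until certbot has run, so a first run on a fresh host writes an nginx config that references missing files; list the certbot role before the nginx role. `remote_user: root` in the play is overridden by `ansible_user=jballester` from the inventory, so the play actually connects as jballester and depends on `become: yes` working through sudo for that account; the bootstrap scripts' `AllowUsers` lines do not include such an account yet ("XXX add user for ansbile"). And `odoo_config_admin_passwd: SuPerPassWorD` is the master password in clear text in a published playbook; move it to ansible-vault.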

@ -0,0 +1,14 @@
# from GitHub
- name: ansible-odoo
src: https://github.com/osiell/ansible-odoo
version: origin/master-odoo_config_data_dir
- name: postgresql
src: https://github.com/ANXS/postgresql
- name: ansible-odoo-nginx
src: https://github.com/Eficent/ansible-odoo-nginx
- name: ansible-role-certbot
src: https://github.com/geerlingguy/ansible-role-certbot
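Review bot: none of these role sources is pinned to an immutable revision: `ansible-odoo` tracks the branch `origin/master-odoo_config_data_dir`, and `postgresql`, `ansible-odoo-nginx` and `ansible-role-certbot` carry no `version:` at all, so each `ansible-galaxy install` pulls whatever the upstream default branch holds at that moment and the playbook then runs it as root on the Odoo host. ansible-galaxy does not verify signatures on git sources, so pin each entry to a tag or full commit hash (`version: <sha>`) after reviewing that revision, and re-pin deliberately when updating. The earlier walkthrough pinned `ansible-odoo` to `origin/master`; a one-line comment on why this file tracks the data-dir branch instead would save the next maintainer a diff.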

@ -3,28 +3,35 @@
# GPLv3+ # GPLv3+
# This will generate a list of files to be included as source code. # This will generate a list of files to be included as source code.
# Then it will generate LaTeX includes. # Then it will generate LaTeX includes.
# A function to jump to application's root, default .../forksand-it-manual
cd $(echo $PWD | sed -e "s/\(.*\/forksand-it-manual\)\/.*/\1/") && echo "current path: $PWD"
# XXX Great cruft # XXX Great cruft
# Redirect fix XXX # Redirect fix XXX
# No spaces in filenames, or this may go awry. # No spaces in filenames, or this may go awry.
# Perhaps add QR codes like: # Perhaps add QR codes like:
CODEDIR="/home/`id -u -n`/FORKSAND/IT//forksand-it-manual/source/resources" rootPath=$PWD
CODEDIR="$rootPath/source/resources"
cd "$CODEDIR" || exit cd "$CODEDIR" || exit
TEXOUT="/home/`id -u -n`/FORKSAND/IT/forksand-it-manual/source/Source-gen.tex" TEXOUT="$rootPath/source/Source-gen.tex"
# Build a grep exclude command that has file extensions to not include. # Build a grep exclude command that has file extensions to not include.
EXCLUDE="\./\.git \.csv$ \.eps \.git$ \.gz$ \.jpg$ \.ods$ \.ods\#$ \.png$ \.pdf$ \.swp$ \.tmp$ \.xml$ \.aux$ \.fuse_hidden*$ \.glo$ \.gls$ \.idx$ \.ilg$ \.ind$ \.lof$ \.log$ \.lol$ _minted-*$ \.old$ \.out$ \.swp$ \.toc$ \.zip$" EXCLUDE="\./\.git \.csv$ \.eps \.git$ \.gz$ \.jpg$ \.ods$ \.ods\#$ \.png$ \.pdf$ \.swp$ \.tmp$ \.xml$ \.aux$ \.fuse_hidden*$ \.glo$ \.gls$ \.idx$ \.ilg$ \.ind$ \.lof$ \.log$ \.lol$ _minted-*$ \.old$ \.out$ \.swp$ \.toc$ \.zip$ \.*GPLv3*$ LICENSE$ README.md$ \.tar$ \.tar\.bz2$ \.gitignore make-sources-list\.sh$ Thumbs\.db$"
EXCLUDEGREP="grep -v -i " EXCLUDEGREP="grep -v -i "
for i in $EXCLUDE for i in $EXCLUDE
do EXCLUDEGREP="$EXCLUDEGREP -e $i" do EXCLUDEGREP="$EXCLUDEGREP -e $i"
done done
SRCFILES=`find . -type f | sort -V | $EXCLUDEGREP` SRCFILES=`find . -type f | sort -V | $EXCLUDEGREP`
rm -f $TEXOUT $SHAOUT SHA256SUM
touch $TEXOUT $SHAOUT SHA256SUM rm -f $TEXOUT SHA256SUM
touch $TEXOUT SHA256SUM
# Make checksums # Make checksums
# LaTeX files to be rendered # LaTeX files to be rendered
for i in $SRCFILES for i in $SRCFILES
do do
# NOUNDER=`echo $i | sed -e 's/_/\\\_/g'` # NOUNDER=`echo $i | sed -e 's/_/\\\_/g'`
NOUNDER=`echo $i | sed -e 's/_/\\\_/g' | cut -f 2- -d "/"` NOUNDER=`echo $i | sed -e 's/_/\\\\char\\\`_/g' | cut -f 2- -d "/" | sed -e 's/^\(.\{60,75\}\)\//\1\/\\\\\\\\ \\\\qquad\\\\qquad\\\\qquad\.\.\//g'`
# !!! ToDo, apply greedy pattern to second sed's range pattern
echo "\section{\texttt{$NOUNDER}}" echo "\section{\texttt{$NOUNDER}}"
# echo "\texttt{$NOUNDER} \\\ " # echo "\texttt{$NOUNDER} \\\ "
echo "\texttt{SHA256: `sha256sum $i | cut -f 1 -d " "`}" echo "\texttt{SHA256: `sha256sum $i | cut -f 1 -d " "`}"
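Review bot: the new root-finding line `cd $(echo $PWD | sed -e "s/\(.*\/forksand-it-manual\)\/.*/\1/")` has no failure handling. If the script is run from a checkout not named forksand-it-manual the sed prints $PWD unchanged, the `cd` silently succeeds into the current directory, and `rootPath` is wrong; the following `rm -f $TEXOUT SHA256SUM` and `cd "$CODEDIR" || exit` then operate relative to that wrong root. Quote the substitution and bail out, e.g. `cd "$(...)" && [ -d source/resources ] || exit 1`. The unquoted `$EXCLUDEGREP` expansion and the `for i in $SRCFILES` loop still break on paths with whitespace (the comment admits this); since SHA256SUM exists so a reader can verify the embedded sources, a file silently dropped from the list is a checksum that can never be checked, so `find -print0` with a `while read -d ''` loop is worth the change. Dropping the undefined `$SHAOUT` from the rm/touch lines is correct.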
@ -37,6 +44,7 @@ done >> $TEXOUT
sort -V SHA256SUM > SHA256SUM.tmp sort -V SHA256SUM > SHA256SUM.tmp
echo "There are `cat SHA256SUM | sort -u | wc -l` source code files included." > STATS echo "There are `cat SHA256SUM | sort -u | wc -l` source code files included." > STATS
echo "There are `cat SHA256SUM.tmp | cut -f 1 -d " " | sort -u | wc -l` unique files." >> STATS echo "There are `cat SHA256SUM.tmp | cut -f 1 -d " " | sort -u | wc -l` unique files." >> STATS
rm SHA256SUM.tmp rm SHA256SUM.tmp
# Files not rendered # Files not rendered
