From 212797a37a46fbfabc78c0e28aafd8ff0198b05c Mon Sep 17 00:00:00 2001
From: Someone
Date: Mon, 29 Apr 2024 10:46:28 +0200
Subject: [PATCH 01/16] [roles/service/gitweb] setup gitweb service

---
roles/service/gitweb/files/default/public.cfg | 18 ++++
.../gitweb/files/default/public_header.html | 0
.../gitweb/files/default/public_ht.html | 2 +
roles/service/gitweb/tasks/main.yml | 96 +++++++++++++++++++
.../vars/default/vars_nginx_vhost_custom.yml | 36 +++++++
5 files changed, 152 insertions(+)
create mode 100644 roles/service/gitweb/files/default/public.cfg
create mode 100644 roles/service/gitweb/files/default/public_header.html
create mode 100644 roles/service/gitweb/files/default/public_ht.html
create mode 100644 roles/service/gitweb/tasks/main.yml
create mode 100644 roles/service/gitweb/vars/default/vars_nginx_vhost_custom.yml

diff --git a/roles/service/gitweb/files/default/public.cfg b/roles/service/gitweb/files/default/public.cfg
new file mode 100644
index 0000000..e2f562a
--- /dev/null
+++ b/roles/service/gitweb/files/default/public.cfg
@@ -0,0 +1,18 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+$projectroot = '/srv/gitolite/repositories/';
+$projects_list = '/srv/gitolite/projects.list';
+$export_ok = 'git-daemon-export-ok';
+$strict_export = '1';
+$site_header = '/etc/gitweb/public_header.html';
+$home_text = '/etc/gitweb/public_ht.html';
+$site_name = 'git.somenet.org';
+$home_link_str = 'SomeNet\'s public repos';
+$feature{'pathinfo'}{'default'} = [1];
+@git_base_url_list = ( "https://git.somenet.org", "git remote set-url --push origin ssh://git\@git.somenet.org:2", "git\@git.somenet.org:" );
diff --git a/roles/service/gitweb/files/default/public_header.html b/roles/service/gitweb/files/default/public_header.html
new file mode 100644
index 0000000..e69de29
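Review bot: The second entry of `@git_base_url_list` is a shell command (`git remote set-url --push origin ssh://git\@git.somenet.org:2`) rather than a URL prefix; gitweb appends the project path to every entry of that list and offers the result as a clone URL, so this one is presumably rendered as an unusable "command/path" string. If the intent is to tell visitors how to set their push remote, that text belongs in the `$site_header` or `$home_text` HTML, and the list should keep only the real prefixes `"https://git.somenet.org"` and `"git\@git.somenet.org:"`. The `$strict_export = '1'` / `$export_ok` pair is the right default for a public instance and deserves a one-line comment stating that only repositories carrying a `git-daemon-export-ok` marker are listed or served.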
diff --git a/roles/service/gitweb/files/default/public_ht.html b/roles/service/gitweb/files/default/public_ht.html new file mode 100644 index 0000000..a8bc2a6 --- /dev/null +++ b/roles/service/gitweb/files/default/public_ht.html @@ -0,0 +1,2 @@ +

This server is running gitolite and is being administrated by someone. Send him ssh-keys for access.
+Contact someone via IRC: someone @ irc.somenet.org OR use email.

diff --git a/roles/service/gitweb/tasks/main.yml b/roles/service/gitweb/tasks/main.yml
new file mode 100644
index 0000000..4599318
--- /dev/null
+++ b/roles/service/gitweb/tasks/main.yml
@@ -0,0 +1,96 @@ +##################################### +### someone"s ansible provisioner ### +##################################### +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +--- +- name: install gitweb + apt: + pkg: + - fcgiwrap + - gitweb + state: present + policy_rc_d: 101 + tags: "online" + + +- name: add www-data user to group git + user: + name: "www-data" + groups: "git" + append: yes + createhome: no + state: present + + +- name: include vars_nginx_vhost_custom + include_vars: + file: "{{item}}" + name: vars_nginx_vhost_custom + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/vars_nginx_vhost_custom.yml" + - "default/vars_nginx_vhost_custom.yml" + + +- name: configure gitweb vhost + include_role: + name: server/nginx/vhost-unified + vars: + vhost_name: "git.somenet.org" + vhost_custom: + vhost_custom_pre_server: "{{vars_nginx_vhost_custom.vhost_custom_pre_server}}" + vhost_custom: "{{vars_nginx_vhost_custom.vhost_custom}}" + + +- name: setup gitweb config dir + file: + path: "/etc/gitweb/" + state: directory + mode: 0755 + owner: "root" + group: "root" + + +- name: copy gitweb_public.cfg + copy: + src: "{{item}}" + dest: "/etc/gitweb/public.conf" + mode: 0644 + owner: "root" + group: "root" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/public.cfg" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/public.cfg" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/public.cfg" + - "default/public.cfg" + + +- name: copy public_header.html + copy: + src: "{{item}}" + dest: "/etc/gitweb/public_header.html" + mode: 0644 + owner: "root" + group: "root" + with_first_found: + - 
"{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/public_header.html" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/public_header.html" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/public_header.html" + - "default/public_header.html" + + +- name: copy public_ht.html + copy: + src: "{{item}}" + dest: "/etc/gitweb/public_ht.html" + mode: 0644 + owner: "root" + group: "root" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/public_ht.html" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/public_ht.html" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/public_ht.html" + - "default/public_ht.html" diff --git a/roles/service/gitweb/vars/default/vars_nginx_vhost_custom.yml b/roles/service/gitweb/vars/default/vars_nginx_vhost_custom.yml new file mode 100644 index 0000000..95c5394 --- /dev/null +++ b/roles/service/gitweb/vars/default/vars_nginx_vhost_custom.yml 
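Review bot: The `add www-data user to group git` task gives the web server identity filesystem-level read access to everything under `/srv/gitolite/repositories/`, including repositories that carry no `git-daemon-export-ok` marker; gitweb and git-http-backend enforce that marker themselves, but any other process running as www-data is not bound by it, so the task should carry a comment such as `# gitweb and git-http-backend run as www-data via fcgiwrap and need read access to the gitolite repos; serving is still gated by git-daemon-export-ok`. The file modes are written as unquoted octal literals (`mode: 0755`, `mode: 0644`), which only work because PyYAML applies the YAML 1.1 leading-zero octal rule; YAML 1.2 tooling reads them as decimal, so the portable form is the quoted string `mode: "0755"` / `mode: "0644"`, and the same applies to the munin-server and nextcloud task files later in this series (`0700`, `0600`, `0750`, `0640`). `append: yes` and `createhome: no` should be the canonical `true` / `false`.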
@@ -0,0 +1,36 @@ +##################################### +### someone"s ansible provisioner ### +##################################### +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +--- +vhost_custom_pre_server: |- + +vhost_custom: |- + # clone via https + location ~ ^.*\.git/(HEAD|info/refs|objects/.*|git-(upload|receive)-pack)$ { + root /srv/gitolite/repositories/; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend; + fastcgi_param PATH_INFO $uri; + fastcgi_param GIT_PROJECT_ROOT /srv/gitolite/repositories/; + fastcgi_pass unix:/run/fcgiwrap.socket; + } + + # gitweb + root /usr/share/gitweb; + try_files $uri @gitweb; + location @gitweb { + gzip off; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /usr/share/gitweb/gitweb.cgi; + fastcgi_param PATH_INFO $uri; + fastcgi_param GITWEB_CONFIG /etc/gitweb/public.conf; + fastcgi_pass unix:/run/fcgiwrap.socket; + } + + # remote trailing slashes from path + location ~ ^/(.*)/$ { + rewrite ^/(.*)/$ /$1 permanent; + } -- 2.43.0 From 61eba5bf9333afde454544359375663e104e343a Mon Sep 17 00:00:00 2001 From: Someone Date: Mon, 29 Apr 2024 10:46:28 +0200 Subject: [PATCH 02/16] [roles/service/munin-server] munin server setup --- roles/service/munin-server/defaults/main.yml | 10 ++ .../munin-server/files/default/id_ed25519 | 1 + .../munin-server/files/default/munin.conf | 162 ++++++++++++++++++ roles/service/munin-server/tasks/main.yml | 78 +++++++++ .../vars/default/vars_nginx_vhost_custom.yml | 24 +++ 5 files changed, 275 insertions(+) create mode 100644 roles/service/munin-server/defaults/main.yml create mode 100644 roles/service/munin-server/files/default/id_ed25519 create mode 100644 roles/service/munin-server/files/default/munin.conf create mode 100644 roles/service/munin-server/tasks/main.yml create mode 100644 roles/service/munin-server/vars/default/vars_nginx_vhost_custom.yml 
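Review bot: The clone location in `vhost_custom` also matches `git-receive-pack` and hands it to git-http-backend with no authentication in front of it; pushes are refused only because git-http-backend's own default (no `http.receivepack` and no `REMOTE_USER`) rejects them, which is a property of the backend rather than of this vhost. For a read-only public mirror, narrow the pattern to `location ~ ^.*\.git/(HEAD|info/refs|objects/.*|git-upload-pack)$ {`, or add a comment recording that push over HTTPS is intentionally left to the backend default. Setting `GIT_PROJECT_ROOT` without `GIT_HTTP_EXPORT_ALL` keeps the `git-daemon-export-ok` gate consistent with `$strict_export` in public.cfg and is worth a comment. The comment `# remote trailing slashes from path` should read `# remove trailing slashes from path`.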
diff --git a/roles/service/munin-server/defaults/main.yml b/roles/service/munin-server/defaults/main.yml
new file mode 100644
index 0000000..b5b335c
--- /dev/null
+++ b/roles/service/munin-server/defaults/main.yml
@@ -0,0 +1,10 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+# If not overridden in inventory or as a parameter, this is the value that will be used
+#
+---
+#munin_server_private:
diff --git a/roles/service/munin-server/files/default/id_ed25519 b/roles/service/munin-server/files/default/id_ed25519
new file mode 100644
index 0000000..a3593ed
--- /dev/null
+++ b/roles/service/munin-server/files/default/id_ed25519
@@ -0,0 +1 @@
+# OVERRIDE PRIVATE KEY
diff --git a/roles/service/munin-server/files/default/munin.conf b/roles/service/munin-server/files/default/munin.conf
new file mode 100644
index 0000000..aa62550
--- /dev/null
+++ b/roles/service/munin-server/files/default/munin.conf
@@ -0,0 +1,162 @@ +# +################################################ +### Managed by someone's ansible provisioner ### +################################################ +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# + +# The next three variables specifies where the location of the RRD +# databases, the HTML output, logs and the lock/pid files. They all +# must be writable by the user running munin-cron. They are all +# defaulted to the values you see here. +# +#dbdir /var/lib/munin +#htmldir /var/cache/munin/www +#logdir /var/log/munin +#rundir /var/run/munin + +# Where to look for the HTML templates +# +#tmpldir /etc/munin/templates + +# Where to look for the static www files +# +#staticdir /etc/munin/static + +# temporary cgi files are here. note that it has to be writable by +# the cgi user (usually nobody or httpd). +# +# cgitmpdir /var/lib/munin/cgi-tmp + +# (Exactly one) directory to include all files from. +includedir /etc/munin/munin-conf.d + +# You can choose the time reference for "DERIVE" like graphs, and show +# "per minute", "per hour" values instead of the default "per second" +# +#graph_period second + +# Graphics files are generated either via cron or by a CGI process. +# See http://munin-monitoring.org/wiki/CgiHowto2 for more +# documentation. +# Since 2.0, munin-graph has been rewritten to use the cgi code. +# It is single threaded *by design* now. +# +#graph_strategy cron + +# munin-cgi-graph is invoked by the web server up to very many times at the +# same time. This is not optimal since it results in high CPU and memory +# consumption to the degree that the system can thrash. Again the default is +# 6. Most likely the optimal number for max_cgi_graph_jobs is the same as +# max_graph_jobs. +# +#munin_cgi_graph_jobs 6 + +# If the automatic CGI url is wrong for your system override it here: +# +#cgiurl_graph /munin-cgi/munin-cgi-graph + +# max_size_x and max_size_y are the max size of images in pixel. 
+# Default is 4000. Do not make it too large otherwise RRD might use all +# RAM to generate the images. +# +#max_size_x 4000 +#max_size_y 4000 + +# HTML files are normally generated by munin-html, no matter if the +# files are used or not. You can change this to on-demand generation +# by following the instructions in http://munin-monitoring.org/wiki/CgiHowto2 +# +# Notes: +# - moving to CGI for HTML means you cannot have graph generated by cron. +# - cgi html has some bugs, mostly you still have to launch munin-html by hand +# +#html_strategy cron + +# munin-update runs in parallel. +# +# The default max number of processes is 16, and is probably ok for you. +# +# If set too high, it might hit some process/ram/filedesc limits. +# If set too low, munin-update might take more than 5 min. +# +# If you want munin-update to not be parallel set it to 0. +# +#max_processes 16 + +# RRD updates are per default, performed directly on the rrd files. +# To reduce IO and enable the use of the rrdcached, uncomment it and set it to +# the location of the socket that rrdcached uses. +# +#rrdcached_socket /var/run/rrdcached.sock + +# Drop somejuser@fnord.comm and anotheruser@blibb.comm an email everytime +# something changes (OK -> WARNING, CRITICAL -> OK, etc) +#contact.someuser.command mail -s "Munin ${var:worst}: ${var:group}::${var:host}::${var:plugin}" somejuser@fnord.comm +#contact.anotheruser.command mail -s "Munin ${var:worst}: ${var:group}::${var:host}::${var:plugin}" anotheruser@blibb.comm +# +# For those with Nagios, the following might come in handy. In addition, +# the services must be defined in the Nagios server as well. +#contact.nagios.command /usr/bin/send_nsca nagios.host.comm -c /etc/nsca.conf + +# The maximum time the munin-update may take to get updates from all nodes, +# this might be interesting when using munin-async in case of large transactions and/or backlog. 
+# When using the munin protocol to connect to a node, then this value shouldn't be set higher than 240. +# In case it's higher, gaps might be seen in the graphs. +timeout_fetch_all_nodes 240 + +# The maximum amount of time in seconds we may work on 1 node. +# The value will be limited with timeout_fetch_all_nodes. +timeout_fetch_one_node 180 + +# a simple host tree +[localhost] + address ssh://munin-async@127.0.0.1:2/ + use_node_name yes + fail2ban.graph_category fail2ban + +# +# A more complex example of a host tree +# +## First our "normal" host. +# [fii.foo.com] +# address foo +# +## Then our other host... +# [fay.foo.com] +# address fay +# +## IPv6 host. note that the ip adress has to be in brackets +# [ip6.foo.com] +# address [2001::1234:1] +# +## Then we want totals... +# [foo.com;Totals] #Force it into the "foo.com"-domain... +# update no # Turn off data-fetching for this "host". +# +# # The graph "load1". We want to see the loads of both machines... +# # "fii=fii.foo.com:load.load" means "label=machine:graph.field" +# load1.graph_title Loads side by side +# load1.graph_order fii=fii.foo.com:load.load fay=fay.foo.com:load.load +# +# # The graph "load2". Now we want them stacked on top of each other. +# load2.graph_title Loads on top of each other +# load2.dummy_field.stack fii=fii.foo.com:load.load fay=fay.foo.com:load.load +# load2.dummy_field.draw AREA # We want area instead the default LINE2. +# load2.dummy_field.label dummy # This is needed. Silly, really. +# +# # The graph "load3". Now we want them summarised into one field +# load3.graph_title Loads summarised +# load3.combined_loads.sum fii.foo.com:load.load fay.foo.com:load.load +# load3.combined_loads.label Combined loads # Must be set, as this is +# # not a dummy field! 
+# +## ...and on a side note, I want them listen in another order (default is +## alphabetically) +# +# # Since [foo.com] would be interpreted as a host in the domain "com", we +# # specify that this is a domain by adding a semicolon. +# [foo.com;] +# node_order Totals fii.foo.com fay.foo.com +# diff --git a/roles/service/munin-server/tasks/main.yml b/roles/service/munin-server/tasks/main.yml new file mode 100644 index 0000000..92521c2 --- /dev/null +++ b/roles/service/munin-server/tasks/main.yml 
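Review bot: The `[localhost]` host entry fetches over `ssh://munin-async@127.0.0.1:2/`, but nothing in this commit seeds a `known_hosts` entry for that host and port under `/var/lib/munin/.ssh`, so the first munin-update run presumably fails host-key verification unless another role provisions it; confirm, and if it is handled elsewhere add a comment next to the `address` line naming where. This transport also depends on the private key installed from `files/default/id_ed25519`, whose default content is only `# OVERRIDE PRIVATE KEY`; a comment above `[localhost]` stating that a real key pair must be supplied via host_files/group_files and the public half authorised for the munin-async account would save the next operator a debugging session.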
@@ -0,0 +1,78 @@ +##################################### +### someone"s ansible provisioner ### +##################################### +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +# Install munin-node and munin-async. +# +--- +- name: install munin + apt: + pkg: + - munin + state: present + policy_rc_d: 101 + tags: "online" + + +- name: copy munin.conf to /etc/munin/munin.conf + copy: + src: "{{item}}" + dest: "/etc/munin/munin.conf" + mode: 0644 + owner: "root" + group: "root" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/munin.conf" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/munin.conf" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/munin.conf" + - "default/munin.conf" + + +- name: create .ssh-dir + file: + path: "/var/lib/munin/.ssh" + state: directory + mode: 0700 + owner: "munin" + group: "munin" + + +- name: copy id_ed25519 to /var/lib/munin/.ssh/id_ed25519 + copy: + src: "{{item}}" + dest: "/var/lib/munin/.ssh/id_ed25519" + mode: 0600 + owner: "munin" + group: "munin" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/id_ed25519" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/id_ed25519" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/id_ed25519" + - "default/id_ed25519" + + +- name: include vars_nginx_vhost_custom + include_vars: + file: "{{item}}" + name: vars_nginx_vhost_custom + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/{{munin_domain}}-vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/{{munin_domain}}-vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/{{munin_domain}}-vars_nginx_vhost_custom.yml" + - 
"{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/vars_nginx_vhost_custom.yml" + - "default/vars_nginx_vhost_custom.yml" + + +- name: configure munin vhost + include_role: + name: server/nginx/vhost-unified + vars: + vhost_type: "custom" + vhost_name: "{{munin_domain}}" + vhost_custom: + vhost_custom_pre_server: "{{vars_nginx_vhost_custom.vhost_custom_pre_server}}" + vhost_custom: "{{vars_nginx_vhost_custom.vhost_custom}}" diff --git a/roles/service/munin-server/vars/default/vars_nginx_vhost_custom.yml b/roles/service/munin-server/vars/default/vars_nginx_vhost_custom.yml new file mode 100644 index 0000000..87f33bb --- /dev/null +++ b/roles/service/munin-server/vars/default/vars_nginx_vhost_custom.yml @@ -0,0 +1,24 @@ +##################################### +### someone"s ansible provisioner ### +##################################### +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +--- +vhost_custom_pre_server: |- + +vhost_custom: |- + location /static/ { + alias /etc/munin/static/; + expires modified +1w; + auth_pam "awstats"; + auth_pam_service_name "nginx-awstats"; + } + + location / { + alias /var/cache/munin/www/; + expires modified +310s; + auth_pam "awstats"; + auth_pam_service_name "nginx-awstats"; + } + -- 2.43.0 From a543dcc9e039411b8f4f296b47095544d9c8da0b Mon Sep 17 00:00:00 2001 
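Review bot: The `copy id_ed25519` task installs an SSH private key from the repository tree and has no `no_log: true`, so a run with `--diff` or `-v` prints the key material into the Ansible output and any callback log; add `no_log: true` to that task. Because `with_first_found` falls back to `default/id_ed25519`, whose only content is `# OVERRIDE PRIVATE KEY`, a host without an override gets an unusable key and the failure only surfaces later inside munin-update; a `fail` or `assert` when `item` ends with `default/id_ed25519` would catch this at deploy time. The header comment `# Install munin-node and munin-async.` describes a different role — this file installs the `munin` server package and its nginx vhost — and should be corrected.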
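Review bot: Both locations in `vhost_custom` authenticate with `auth_pam "awstats"` and `auth_pam_service_name "nginx-awstats"`, so the realm and PAM service are taken over from an awstats vhost: the munin pages are gated by whatever the `nginx-awstats` PAM service allows, and the browser prompt will say "awstats". If sharing that service is intentional, record it in a comment; otherwise use a munin-specific pair such as `auth_pam "munin";` / `auth_pam_service_name "nginx-munin";` and make sure the matching PAM service file is provisioned, since this commit does not create one.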
From: Someone
Date: Mon, 29 Apr 2024 10:46:28 +0200
Subject: [PATCH 03/16] [roles/service/nextcloud] setup nextcloud service

---
roles/service/nextcloud/defaults/main.yml | 49 ++++
.../files/default/nextcloud-cron@.service | 23 ++
.../files/default/nextcloud-cron@.timer | 18 ++
roles/service/nextcloud/tasks/main.yml | 272 ++++++++++++++++++
.../vars/default/vars_nginx_vhost_custom.yml | 132 +++++++++
5 files changed, 494 insertions(+)
create mode 100644 roles/service/nextcloud/defaults/main.yml
create mode 100644 roles/service/nextcloud/files/default/nextcloud-cron@.service
create mode 100644 roles/service/nextcloud/files/default/nextcloud-cron@.timer
create mode 100644 roles/service/nextcloud/tasks/main.yml
create mode 100644 roles/service/nextcloud/vars/default/vars_nginx_vhost_custom.yml

diff --git a/roles/service/nextcloud/defaults/main.yml b/roles/service/nextcloud/defaults/main.yml
new file mode 100644
index 0000000..36812d4
--- /dev/null
+++ b/roles/service/nextcloud/defaults/main.yml
@@ -0,0 +1,49 @@ +##################################### +### someone's ansible provisioner ### +##################################### +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +# If not overridden in inventory or as a parameter, this is the value that will be used +# +--- +nextcloud_download_url: "https://download.nextcloud.com/server/releases/latest-27.tar.bz2" +nextcloud_download_checksum: "sha256:https://download.nextcloud.com/server/releases/latest-27.tar.bz2.sha256" + +nextcloud_domain: "cloud.localhost" +nextcloud_db_host: "127.0.0.1" +nextcloud_db_name: "nextcloud" + +# Where are the data files stored. +nextcloud_data_dir_path: "/srv/{{nextcloud_domain}}" + +# Install apps. +nextcloud_installed_apps: + - 'calendar' + - 'contacts' + - 'tasks' + - 'files_retention' + - 'files_automatedtagging' + - 'richdocuments' + - 'richdocumentscode' + - 'unroundedcorners' + + +# Set/override config options. +nextcloud_config_options: + - { key: "updatechecker", value: "false" } + - { key: "has_internet_connection", value: "false" } + - { key: "skeletondirectory", value: "" } + - { key: "trashbin_retention_obligation", value: "30, 90" } + - { key: "versions_retention_obligation", value: "30, 90" } + - { key: "mail_from_address", value: "nextcloud-noreply" } + - { key: "mail_smtpmode", value: "smtp" } + - { key: "mail_domain", value: "localhost" } + - { key: "mail_smtphost", value: "mail.localhost" } + - { key: "memcache.local", value: "\\OC\\Memcache\\APCu" } +# - { key: "config_is_read_only", value: "true" } # unset and set by ansible. + +# must set. +#nextcloud_db_pw: None +#nextcloud_admin_user: "" +#nextcloud_admin_pw: "" diff --git a/roles/service/nextcloud/files/default/nextcloud-cron@.service b/roles/service/nextcloud/files/default/nextcloud-cron@.service new file mode 100644 index 0000000..e55f01c --- /dev/null +++ b/roles/service/nextcloud/files/default/nextcloud-cron@.service 
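Review bot: `nextcloud_config_options` is defined here as a flat list of `{key, value}` mappings, but the `apply config options` task in this patch's tasks/main.yml loops over `"{{nextcloud_config_options[nextcloud_domain]}}"`, i.e. it expects a mapping keyed by domain; with these defaults left in place that lookup fails on a list. Either loop over `"{{nextcloud_config_options}}"` in the task, or shape the default as a mapping (`nextcloud_config_options: { "cloud.localhost": [ ... ] }`) and describe the per-domain layout in the comment above it. The `# must set.` block lists `nextcloud_db_pw`, `nextcloud_admin_user` and `nextcloud_admin_pw` as commented placeholders; a comment that these are secrets expected from Ansible Vault rather than a plaintext inventory file would guide whoever overrides them.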
@@ -0,0 +1,23 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+[Unit]
+Description=Run cron.php for Nextcloud at %I
+ConditionPathIsDirectory=/var/www/%I/
+OnFailure=unit-status-mail@%n.service
+
+[Service]
+Type=oneshot
+User=www-data
+Group=www-data
+UMask=0077
+Nice=5
+IOSchedulingClass=best-effort
+IOSchedulingPriority=6
+ExecStart=/usr/bin/php --define apc.enable_cli=1 -f ./cron.php
+WorkingDirectory=/var/www/%I/
diff --git a/roles/service/nextcloud/files/default/nextcloud-cron@.timer b/roles/service/nextcloud/files/default/nextcloud-cron@.timer
new file mode 100644
index 0000000..5e69723
--- /dev/null
+++ b/roles/service/nextcloud/files/default/nextcloud-cron@.timer
@@ -0,0 +1,18 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+[Unit]
+Description=Run cron.php for Nextcloud at %I
+
+[Timer]
+OnBootSec=15min
+OnUnitActiveSec=30min
+Persistent=true
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/service/nextcloud/tasks/main.yml b/roles/service/nextcloud/tasks/main.yml
new file mode 100644
index 0000000..2687b94
--- /dev/null
+++ b/roles/service/nextcloud/tasks/main.yml
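Review bot: `OnFailure=unit-status-mail@%n.service` references a unit that this patch does not provide; presumably another role in the series installs it, but if it is missing on a host systemd logs a dependency error on every failure and the notification never happens — confirm, and add a comment above the line naming the role that ships `unit-status-mail@.service`. Running `cron.php` as `User=www-data` with `UMask=0077` is a sound choice and a short `# same identity as the vhost, so files created under the data dir stay readable only by it` comment would make the intent explicit for the next maintainer.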
@@ -0,0 +1,272 @@ +##################################### +### someone"s ansible provisioner ### +##################################### +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +--- +#- name: create postgres-db and user +# include_role: +# name: util/postgres-db-usr +# vars: +# pg_data: +# db_server_delegate: "{{nextcloud_db_server_delegate}}" +# dbname: "{{nextcloud_db_name}}" +# pw: "{{nextcloud_db_pw}}" +# when: nextcloud_db_create | default('True') + + +- name: include vars_nginx_vhost_custom + include_vars: + file: "{{item}}" + name: vars_nginx_vhost_custom + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/{{nextcloud_domain}}-vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/{{nextcloud_domain}}-vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/{{nextcloud_domain}}-vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/vars_nginx_vhost_custom.yml" + - "default/vars_nginx_vhost_custom.yml" + + +- name: configure gitweb vhost + include_role: + name: server/nginx/vhost-unified + vars: + vhost_type: "custom+php" + vhost_name: "{{nextcloud_domain}}" + vhost_php_custom: ["bzip2", "php8.2-apcu", "php8.2-bcmath", "php8.2-pgsql", "php8.2-curl", "php8.2-gd", "php8.2-gmp", "php8.2-intl", "php-imagick", "php8.2-mbstring", "php8.2-xml", "php8.2-zip"] + vhost_dotfile_protection: False + vhost_custom: + vhost_custom_pre_server: "{{vars_nginx_vhost_custom.vhost_custom_pre_server}}" + vhost_custom: "{{vars_nginx_vhost_custom.vhost_custom}}" + + +- name: set up data-dir + file: + path: "{{nextcloud_data_dir_path}}" + state: directory + mode: 0750 + owner: 
"www-data" + group: "www-data" + + +- name: download nextcloud release and check checksums + get_url: + url: "{{nextcloud_download_url}}" + dest: "/var/www/{{nextcloud_domain}}-nextcloud.tar.bz2" + mode: 0640 + owner: "www-data" + group: "www-data" + checksum: "{{nextcloud_download_checksum}}" + timeout: 30 + tags: "online" + register: download + + +- name: set up new webroot-dir + file: + path: "/var/www/{{nextcloud_domain}}.tmp" + state: directory + mode: 0750 + owner: "www-data" + group: "www-data" + when: download.changed + + +- name: download and extract nextcloud files + unarchive: + src: "/var/www/{{nextcloud_domain}}-nextcloud.tar.bz2" + dest: "/var/www/{{nextcloud_domain}}.tmp" + remote_src: yes + mode: "u=rwX,g=rX,o-rwx" + owner: "www-data" + group: "www-data" + extra_opts: + - '--strip-components=1' + - '--show-stored-names' + when: download.changed + + +- name: use existing config file + command: "mv /var/www/{{nextcloud_domain}}/config/config.php /var/www/{{nextcloud_domain}}.tmp/config/" + args: + removes: "/var/www/{{nextcloud_domain}}/config/config.php" + when: download.changed + + +- name: remove old files + file: + path: "/var/www/{{nextcloud_domain}}" + state: absent + when: download.changed + + +- name: move newly extracted files to destination + command: "mv /var/www/{{nextcloud_domain}}.tmp /var/www/{{nextcloud_domain}}" + args: + creates: "/var/www/{{nextcloud_domain}}" + when: download.changed + + +- name: remove possibly left over files + file: + path: "/var/www/{{nextcloud_domain}}.tmp" + state: absent + when: download.changed + + +- name: install nextcloud + become: true + become_user: "www-data" + command: > + php occ maintenance:install + --database=pgsql + --database-host="{{nextcloud_db_host}}" + --database-name="{{nextcloud_db_name}}" + --database-user="{{nextcloud_db_name}}" + --database-pass="{{nextcloud_db_pw}}" + --admin-user="{{nextcloud_admin_user}}" + --admin-pass="{{nextcloud_admin_pw}}" + 
--data-dir="{{nextcloud_data_dir_path}}/data" + args: + chdir: "/var/www/{{nextcloud_domain}}" + creates: "/var/www/{{nextcloud_domain}}/config/config.php" + when: download.changed + + +- name: write-unlock config + become: true + become_user: "www-data" + lineinfile: + path: "/var/www/{{nextcloud_domain}}/config/config.php" + state: absent + regexp: 'config_is_read_only' + changed_when: False + + +- name: finish nextcloud upgrade by running occ upgrade + become: true + become_user: "www-data" + shell: 'php --define apc.enable_cli=1 occ upgrade' + args: + chdir: "/var/www/{{nextcloud_domain}}" + register: script_res + changed_when: "'Nextcloud is already latest version' not in script_res.stdout" + + +- name: ensure trusted domains are set + become: true + become_user: "www-data" + shell: 'echo "prev-$(php --define apc.enable_cli=1 occ config:system:get trusted_domains {{ item.0 }})-"; php --define apc.enable_cli=1 occ config:system:set trusted_domains {{ item.0 }} --value "{{ item.1 }}"' + args: + chdir: "/var/www/{{nextcloud_domain}}" + register: script_res + changed_when: "'prev-{{item.1}}-' not in script_res.stdout" + with_indexed_items: + - 'localhost' + - "{{nextcloud_domain}}" + + +- name: install apps + become: true + become_user: "www-data" + shell: 'php --define apc.enable_cli=1 occ app:install -- "{{ item }}" || true' + args: + chdir: "/var/www/{{nextcloud_domain}}" + register: script_res + changed_when: "'{{item}} already installed' not in script_res.stdout" + with_items: + - "{{nextcloud_installed_apps}}" + tags: "online" + + +- name: finish nextcloud upgrade by running occ db:add-missing-columns + become: true + become_user: "www-data" + shell: 'php --define apc.enable_cli=1 occ db:add-missing-columns' + args: + chdir: "/var/www/{{nextcloud_domain}}" + register: script_res + changed_when: "'Adding' in script_res.stdout" + + +- name: finish nextcloud upgrade by running occ db:add-missing-indices + become: true + become_user: "www-data" + shell: 'php 
--define apc.enable_cli=1 occ db:add-missing-indices' + args: + chdir: "/var/www/{{nextcloud_domain}}" + register: script_res + changed_when: "'Adding' in script_res.stdout" + + +- name: finish nextcloud upgrade by running occ db:add-missing-primary-keys + become: true + become_user: "www-data" + shell: 'php --define apc.enable_cli=1 occ db:add-missing-primary-keys' + args: + chdir: "/var/www/{{nextcloud_domain}}" + register: script_res + changed_when: "'Adding' in script_res.stdout" + + + # Failcloud expects an unsafe config-key behavior + # Therefore we must use + # shell: 'echo "prev-$(php occ config:system:get {{ item.key }})-"; php occ config:system:set $(echo -n "{{ item.key }}" ) --value "{{ item.value }}"' + # instead of + # shell: 'echo "prev-$(php occ config:system:get {{ item.key }})-"; php occ config:system:set "{{ item.key }}"--value "{{ item.value }}"' +- name: apply config options + become: true + become_user: "www-data" + shell: 'echo "prev-$(php --define apc.enable_cli=1 occ config:system:get {{ item.key }})-"; php --define apc.enable_cli=1 occ config:system:set $(echo -n "{{ item.key }}" ) --value "{{ item.value }}"' + args: + chdir: "/var/www/{{nextcloud_domain}}" + register: script_res + changed_when: "'prev-{{item.value}}-' not in script_res.stdout" + with_items: + - "{{nextcloud_config_options[nextcloud_domain]}}" + + +- name: write-lock config + become: true + become_user: "www-data" + shell: 'php --define apc.enable_cli=1 occ config:system:set config_is_read_only --value true' + args: + chdir: "/var/www/{{nextcloud_domain}}" + changed_when: False + + +- name: copy nextcloud-cron@.service to /etc/systemd/system/ + copy: + src: "{{item}}" + dest: "/etc/systemd/system/nextcloud-cron@.service" + mode: 0644 + owner: "root" + group: "root" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/nextcloud-cron@.service" + - 
"{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/nextcloud-cron@.service" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/nextcloud-cron@.service" + - "default/nextcloud-cron@.service" + + +- name: copy nextcloud-cron@.timer to /etc/systemd/system/ + copy: + src: "{{item}}" + dest: "/etc/systemd/system/nextcloud-cron@.timer" + mode: 0644 + owner: "root" + group: "root" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/nextcloud-cron@.timer" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/nextcloud-cron@.timer" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/nextcloud-cron@.timer" + - "default/nextcloud-cron@.timer" + + +- name: reload, enable and start nextcloud-cron@.timer. + include_role: name="base/systemd/enable-and-start" + vars: + service_name: "nextcloud-cron@{{nextcloud_domain}}.timer" diff --git a/roles/service/nextcloud/vars/default/vars_nginx_vhost_custom.yml b/roles/service/nextcloud/vars/default/vars_nginx_vhost_custom.yml new file mode 100644 index 0000000..f33ae17 --- /dev/null +++ b/roles/service/nextcloud/vars/default/vars_nginx_vhost_custom.yml 
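Review bot: The `install nextcloud` task passes `{{nextcloud_db_pw}}` and `{{nextcloud_admin_pw}}` on the `occ maintenance:install` command line with no `no_log: true`, so both secrets appear in verbose output and callback logs and, for the life of the process, in the argument list readable by other local users; add `no_log: true` to that task and to `apply config options`, whose `value` entries may also carry credentials. The task named `- name: configure gitweb vhost` is a copy-paste leftover in the nextcloud role and should read `- name: configure nextcloud vhost`. `vhost_dotfile_protection: False` switches off the shared role's dotfile guard for this vhost; the nextcloud vars file that is expected to replace it with its own rules for `config/`, `data/`, `.ht*` and similar paths is cut off in this chunk, so I cannot confirm it does — a comment on that line pointing to the replacing rule would help. Several `shell:` steps interpolate `{{ item.key }}` / `{{ item.value }}` unquoted into the command; today these come from role defaults, so a comment stating they are trusted and must not be fed from untrusted inventory would document the assumption.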
@@ -0,0 +1,132 @@ +##################################### +### someone"s ansible provisioner ### +##################################### +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +--- +vhost_custom_pre_server: |- + +vhost_custom: |- + # Enable gzip but do not remove ETag headers + #gzip on; + #gzip_vary on; + #gzip_comp_level 4; + #gzip_min_length 256; + #gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + #gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + # Pagespeed is not supported by Nextcloud, so if your server is built + # with the `ngx_pagespeed` module, uncomment this line to disable it. + #pagespeed off; + + # The settings allows you to optimize the HTTP2 bandwitdth. 
+ # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/ + # for tunning hints + client_body_buffer_size 512k; + + # HTTP response headers borrowed from Nextcloud `.htaccess` + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; + + # Path to the root of your installation + root /var/www/{{vhost_name}}; + + # Specify how to handle directories -- specifying `/index.php$request_uri` + # here as the fallback means that Nginx always exhibits the desired behaviour + # when a client requests a path that corresponds to a directory that exists + # on the server. In particular, if that directory contains an index.php file, + # that file is correctly served; if it doesn't, then the request is passed to + # the front-end controller. This consistent behaviour means that we don't need + # to specify custom rules for certain paths (e.g. images and other assets, + # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus + # `try_files $uri $uri/ /index.php$request_uri` + # always provides the desired behaviour. + index index.php index.html /index.php$request_uri; + + # Rule borrowed from `.htaccess` to handle Microsoft DAV clients + location = / { + if ( $http_user_agent ~ ^DavClnt ) { + return 302 /remote.php/webdav/$is_args$args; + } + } + + # Make a regex exception for `/.well-known` so that clients can still + # access it despite the existence of the regex rule + # `location ~ /(\.|autotest|...)` which would otherwise handle requests + # for `/.well-known`. 
+ location ^~ /.well-known { + # The rules in this block are an adaptation of the rules + # in `.htaccess` that concern `/.well-known`. + + location = /.well-known/carddav { return 301 /remote.php/dav/; } + location = /.well-known/caldav { return 301 /remote.php/dav/; } + location /.well-known/pki-validation { try_files $uri $uri/ =404; } + + # Let Nextcloud's API for `/.well-known` URIs handle all other + # requests by passing them to the front-end controller. + return 301 /index.php$request_uri; + } + + # Rules borrowed from `.htaccess` to hide certain paths from clients + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } + + # Ensure this block, which passes PHP files to the PHP process, is above the blocks + # which handle static assets (as seen below). If this block is not declared first, + # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` + # to the URI, resulting in a HTTP 500 error response. 
+ location ~ \.php(?:$|/) { + # Required for legacy support + rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; + + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + set $path_info $fastcgi_path_info; + + try_files $fastcgi_script_name =404; + + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $path_info; + fastcgi_param HTTPS on; + + fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice + fastcgi_param front_controller_active true; # Enable pretty urls + fastcgi_pass unix:/var/run/php/php-fpm.sock; + + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + + fastcgi_max_temp_file_size 0; + } + + location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ { + try_files $uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463"; + + location ~ \.wasm$ { + default_type application/wasm; + } + } + + location ~ \.woff2?$ { + try_files $uri /index.php$request_uri; + expires 7d; # Cache-Control policy borrowed from `.htaccess` + } + + # Rule borrowed from `.htaccess` + location /remote { + return 301 /remote.php$request_uri; + } + + location / { + try_files $uri $uri/ /index.php$request_uri; + } -- 2.43.0 From 170a228bf5532dcdef775bd08f72c6b663e1bafd Mon Sep 17 00:00:00 2001 
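Review bot: Static assets served by the `location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$` block lose the security headers declared above it, because that block carries its own `add_header Cache-Control ...` and nginx inherits `add_header` from the enclosing level only when the current level sets none. Referrer-Policy, X-Content-Type-Options, X-Frame-Options and the rest therefore reach PHP responses but not the nginx-served assets; the `\.woff2?` block uses `expires` rather than `add_header`, so it still inherits them. Nextcloud's upstream sample has the same shape, and the usual repair is to repeat the headers inside the assets block (or `include` one shared snippet in both places), as below.
```yaml
  location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
      try_files $uri /index.php$request_uri;
      add_header Cache-Control "public, max-age=15778463";
      # add_header is not inherited once this level sets one, so repeat the security headers
      add_header Referrer-Policy "no-referrer" always;
      add_header X-Content-Type-Options "nosniff" always;
      add_header X-Download-Options "noopen" always;
      add_header X-Frame-Options "SAMEORIGIN" always;
      add_header X-Permitted-Cross-Domain-Policies "none" always;
      add_header X-Robots-Tag "none" always;
      add_header X-XSS-Protection "1; mode=block" always;
      # … unchanged: nested "location ~ \.wasm$" block …
  }
```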
From: Someone Date: Mon, 29 Apr 2024 10:46:28 +0200 Subject: [PATCH 04/16] [roles/service/mattermost] setup mattermost service --- roles/service/mattermost/defaults/main.yml | 23 +++ .../files/default/mattermost.service | 27 +++ roles/service/mattermost/tasks/main.yml | 184 ++++++++++++++++++ .../templates/default/config.json.j2 | 67 +++++++ .../vars/default/vars_nginx_vhost_custom.yml | 107 ++++++++++ 5 files changed, 408 insertions(+) create mode 100644 roles/service/mattermost/defaults/main.yml create mode 100644 roles/service/mattermost/files/default/mattermost.service create mode 100644 roles/service/mattermost/tasks/main.yml create mode 100644 roles/service/mattermost/templates/default/config.json.j2 create mode 100644 roles/service/mattermost/vars/default/vars_nginx_vhost_custom.yml diff --git a/roles/service/mattermost/defaults/main.yml b/roles/service/mattermost/defaults/main.yml new file mode 100644 index 0000000..416210c --- /dev/null +++ b/roles/service/mattermost/defaults/main.yml @@ -0,0 +1,23 @@ +##################################### +### someone's ansible provisioner ### +##################################### +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +# If not overridden in inventory or as a parameter, this is the value that will be used +# +--- +mattermost_download_url: "https://releases.mattermost.com/9.6.0/mattermost-9.6.0-linux-amd64.tar.gz" +mattermost_download_checksum: "sha256:2623a896630f665975097591ab79a066c0214843af496f66c51c82c60c9e26e3" + +mattermost_homedir: "/srv/mattermost" + +mattermost_domain: "mattermost.localhost" +mattermost_db_host_port: "127.0.0.1:5432" +mattermost_db_name: "mattermost" + +# must set. +#mattermost_db_pw: "" +#mattermost_admin_user: "admin" +#mattermost_admin_user_email: "" +#mattermost_admin_user_pw: "initial-Pw1" 
diff --git a/roles/service/mattermost/files/default/mattermost.service b/roles/service/mattermost/files/default/mattermost.service
new file mode 100644
index 0000000..7f32102
--- /dev/null
+++ b/roles/service/mattermost/files/default/mattermost.service
@@ -0,0 +1,27 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+[Unit]
+Description=Mattermost server
+After=network.target
+OnFailure=unit-status-mail@%n.service
+
+[Service]
+Type=notify
+ExecStart=/srv/mattermost/server/bin/mattermost
+TimeoutStartSec=600
+TimeoutStopSec=15
+Restart=always
+RestartSec=10
+WorkingDirectory=/srv/mattermost/server/
+User=mattermost
+Group=mattermost
+LimitNOFILE=49152
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/service/mattermost/tasks/main.yml b/roles/service/mattermost/tasks/main.yml
new file mode 100644
index 0000000..b3cf7d7
--- /dev/null
+++ b/roles/service/mattermost/tasks/main.yml
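Review bot: The `[Service]` section runs Mattermost under a dedicated user but with no systemd sandboxing, so the process keeps the full default view of the filesystem and nothing stops it from gaining privileges through setuid binaries. Adding `NoNewPrivileges=true`, `ProtectSystem=full` and `ProtectHome=true` is compatible with what this unit needs: the binary, config and data all live under `/srv/mattermost`, which none of those options makes read-only. Do not add `PrivateTmp=true` as-is, because the role's config.json.j2 places the local-mode socket at `/var/tmp/mattermost_local.socket`, and a private /var/tmp would hide that socket from anything outside the unit.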
@@ -0,0 +1,184 @@ +##################################### +### someone"s ansible provisioner ### +##################################### +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +# its not supported to run multiple mattestmost instances on one host. +# +--- +- name: create mattermost user + user: + name: "mattermost" + home: "{{mattermost_homedir}}" + shell: "/bin/zsh" + system: yes + state: present + + +- name: create mattermost homedir + file: + path: "{{mattermost_homedir}}" + state: directory + mode: 0710 + owner: "mattermost" + group: "mattermost" + + +- name: create mattermost data-dir + file: + path: "{{mattermost_homedir}}/data" + state: directory + mode: 0750 + owner: "mattermost" + group: "mattermost" + + +#- name: create postgres-db and user +# include_role: +# name: util/postgres-db-usr +# vars: +# pg_data: +# dbname: "{{mattermost_db_name}}" +# pw: "{{mattermost_db_pw}}" +# when: mattermost_db_create | default('True') | bool + + +- name: include vars_nginx_vhost_custom + include_vars: + file: "{{item}}" + name: vars_nginx_vhost_custom + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/vars_nginx_vhost_custom.yml" + - "default/vars_nginx_vhost_custom.yml" + + +- name: configure mattermost vhost + include_role: + name: server/nginx/vhost-unified + vars: + vhost_type: "custom" + vhost_name: "{{mattermost_domain}}" + vhost_awstats_valid_http_codes: "200 304 101" + vhost_custom: + vhost_custom_pre_server: "{{vars_nginx_vhost_custom.vhost_custom_pre_server}}" + vhost_custom: "{{vars_nginx_vhost_custom.vhost_custom}}" + + +- name: copy mattermost.service to /etc/systemd/system/ + copy: + src: "{{item}}" + dest: "/etc/systemd/system/mattermost.service" + mode: 0644 + owner: "root" + 
group: "root" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/mattermost.service" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/mattermost.service" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/mattermost.service" + - "default/mattermost.service" + + +- name: download mattermost release and check checksums + get_url: + url: "{{mattermost_download_url}}" + dest: "{{mattermost_homedir}}/server.tar.gz" + mode: 0640 + owner: "mattermost" + group: "mattermost" + checksum: "{{mattermost_download_checksum}}" + timeout: 30 + tags: "online" + register: download + + +- name: extract and update/install mattermost + block: + - name: stop mattermost.service + systemd: + name: mattermost.service + daemon_reload: yes + state: stopped + + + - name: remove old server files + file: + path: "{{mattermost_homedir}}/server.old" + state: absent + + + - name: limit access to current server files + file: + path: "{{mattermost_homedir}}/server" + state: directory + mode: 0700 + owner: "mattermost" + group: "mattermost" + + + - name: move current server files away + command: "mv {{mattermost_homedir}}/server {{mattermost_homedir}}/server.old" + + + - name: create new server files dir, because unarchive fails to do so + file: + path: "{{mattermost_homedir}}/server" + state: directory + mode: 0750 + owner: "mattermost" + group: "mattermost" + + + - name: extract mattermost files + unarchive: + src: "{{mattermost_homedir}}/server.tar.gz" + dest: "{{mattermost_homedir}}/server" + remote_src: yes + mode: "u=rwX,g=rX,o-rwx" + owner: "mattermost" + group: "mattermost" + extra_opts: + - '--strip-components=1' + - '--show-stored-names' + + + - name: reuse existing config file + command: "mv {{mattermost_homedir}}/server.old/config/config.json {{mattermost_homedir}}/server/config/config.json" + register: config_copy + ignore_errors: yes + + + - name: template new config.json + template: + src: "{{item}}" + 
dest: "{{mattermost_homedir}}/server/config/config.json" + mode: 0640 + owner: "mattermost" + group: "mattermost" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/config.json.j2" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/config.json.j2" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/config.json.j2" + - "default/config.json.j2" + when: config_copy.failed + + + - name: enable and restart mattermost.service + include_role: name="base/systemd/enable-and-start" + vars: + service_name: mattermost.service + service_state: restarted + + + - name: create mattermost admin user + become: true + become_user: "mattermost" + shell: "bin/mattermost user create --system_admin --username {{mattermost_admin_user | quote}} --email {{mattermost_admin_user_email | quote}} --password {{mattermost_admin_user_pw | quote}} || true" + args: + chdir: "{{mattermost_homedir}}/server" + register: script_res + changed_when: "'An account with that email already exists' not in script_res.stdout" + + when: download.changed diff --git a/roles/service/mattermost/templates/default/config.json.j2 b/roles/service/mattermost/templates/default/config.json.j2 new file mode 100644 index 0000000..923b23d --- /dev/null +++ b/roles/service/mattermost/templates/default/config.json.j2 
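Review bot: The `create mattermost admin user` task has no `no_log: true`, so `mattermost_admin_user_pw` (with the user name and e-mail) is printed in verbose Ansible output and kept in logs through the registered `script_res`, and while the command runs it is also visible on the host in the process list as part of the `bin/mattermost user create ... --password` command line. Add `no_log: true` to that task; the same applies to `template new config.json`, whose rendered `DataSource` contains `mattermost_db_pw` and would be shown in `--diff` mode. The trailing `|| true` additionally hides every failure of the create command, after which `changed_when` reports a change; a `failed_when` keyed on the known "already exists" text would be more honest than masking the exit status.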
@@ -0,0 +1,67 @@ +{ + "ServiceSettings": { + "SiteURL": "https://{{mattermost_domain}}", + "AllowedUntrustedInternalConnections": "localhost {{mattermost_domain}}", + "EnablePostIconOverride": true, + "EnableLinkPreviews": true, + "EnableSecurityFixAlert": false, + "EnableMultifactorAuthentication": true, + "EnableCustomEmoji": true, + "EnableLocalMode": true, + "LocalModeSocketLocation": "/var/tmp/mattermost_local.socket" + }, + "TeamSettings": { + "MaxUsersPerTeam": 5000, + "RestrictDirectMessage": "team", + "MaxChannelsPerTeam": 5000 + }, + "SqlSettings": { + "DriverName": "postgres", + "DataSource": "postgres://{{mattermost_db_name}}:{{mattermost_db_pw}}@{{mattermost_db_host_port}}/{{mattermost_db_name}}?connect_timeout=10", + "MaxIdleConns": 2, + "MaxOpenConns": 16 + }, + "LogSettings": { + "EnableConsole": true, + "ConsoleLevel": "INFO", + "ConsoleJson": false, + "EnableFile": false, + "FileLevel": "INFO", + "FileJson": false, + "FileLocation": "", + "EnableWebhookDebugging": false, + "EnableDiagnostics": false + }, + "FileSettings": { + "MaxFileSize": 524288000, + "Directory": "../data/" + }, + "EmailSettings": { + "UseChannelInEmailNotifications": true, + "RequireEmailVerification": true, + "SMTPPort": "25", + "SendPushNotifications": true, + "PushNotificationServer": "https://push-test.mattermost.com", + "EnableEmailBatching": true + }, + "PrivacySettings": { + "ShowEmailAddress": false + }, + "MetricsSettings": { + "Enable": false + }, + "DataRetentionSettings": { + "EnableMessageDeletion": false, + "EnableFileDeletion": false + }, + "JobSettings": { + "RunJobs": true, + "RunScheduler": true + }, + "PluginSettings": { + "Enable": false, + "EnableUploads": false, + "EnableMarketplace": false, + "EnableRemoteMarketplace": false + } +} diff --git a/roles/service/mattermost/vars/default/vars_nginx_vhost_custom.yml b/roles/service/mattermost/vars/default/vars_nginx_vhost_custom.yml new file mode 100644 index 0000000..115c83f --- /dev/null 
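Review bot: `DataSource` splices `{{mattermost_db_pw}}` into the postgres URL unescaped, so any password containing `@`, `/`, `?`, `#` or `%` produces a mis-parsed connection string; render it as `{{mattermost_db_pw | urlencode}}` (the same holds for the user and database name should they ever be non-alphanumeric). `"EnableSecurityFixAlert": false` switches off Mattermost's notifications about security releases and deserves a comment explaining why that is acceptable here. `PushNotificationServer` points at `push-test.mattermost.com` with `SendPushNotifications` enabled; that host is Mattermost's test service rather than a production one, so confirm it is intended for this deployment.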
+++ b/roles/service/mattermost/vars/default/vars_nginx_vhost_custom.yml 
@@ -0,0 +1,107 @@ +##################################### +### someone"s ansible provisioner ### +##################################### +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +--- +vhost_custom_pre_server: |- + upstream backend { + server localhost:8065; + keepalive 32; + } + +vhost_custom: |- + # MM-Hack: https://.../@user -> redirect to "default"-team and @user message + #location ~ ^/@(.*)$ { return 301 /somenet/messages/$request_uri; } + + + # websocket + location ~ ^/api/v[0-9]+/(users/)?websocket$ { + gzip on; + gzip_types "*"; + gzip_proxied any; + gzip_comp_level 5; + proxy_set_header Accept-Encoding ""; + + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_connect_timeout 90; + proxy_send_timeout 300; + proxy_read_timeout 90s; + proxy_http_version 1.1; + proxy_buffers 256 16k; + proxy_buffer_size 16k; + client_max_body_size 50M; + client_body_timeout 60; + send_timeout 300; + lingering_timeout 5; + proxy_pass http://backend; + } + + + # api + location ~ /api/ { + if (-f /var/www/maintenance.html) { + return 503; + } + + gzip on; + gzip_types "*"; + gzip_proxied any; + gzip_comp_level 5; + proxy_set_header Accept-Encoding ""; + + proxy_set_header Connection ""; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_read_timeout 600s; + proxy_buffers 256 16k; + proxy_buffer_size 16k; + client_max_body_size 1024M; + proxy_http_version 1.1; + proxy_pass http://backend; + } + + + # static files + everything else + location / { + if (-f /var/www/maintenance.html) 
{ + return 503; + } + + gzip on; + gzip_types "*"; + gzip_proxied any; + gzip_comp_level 5; + proxy_set_header Accept-Encoding ""; + + proxy_set_header Connection ""; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_read_timeout 600s; + proxy_buffers 256 16k; + proxy_buffer_size 16k; + client_max_body_size 1024M; + proxy_http_version 1.1; + proxy_pass http://backend; + + # + sub_filter '' ''; + sub_filter 'Mattermost' 'SomeNet Mattermost Chat'; + sub_filter_last_modified on; + sub_filter_once off; + #sub_filter_types text/html; + # + } -- 2.43.0 From 2b480b19e7ba7213f011fa38158dfc4d7b811383 Mon Sep 17 00:00:00 2001 From: Someone Date: Mon, 29 Apr 2024 10:46:28 +0200 Subject: [PATCH 05/16] [roles/service/mediawiki-no-install] configure a nginx vhost to serve a mediawiki. no setup or updating is done --- .../mediawiki-no-install/defaults/main.yml | 10 +++++ .../mediawiki-no-install/tasks/main.yml | 32 ++++++++++++++++ .../vars/default/vars_nginx_vhost_custom.yml | 37 +++++++++++++++++++ 3 files changed, 79 insertions(+) create mode 100644 roles/service/mediawiki-no-install/defaults/main.yml create mode 100644 roles/service/mediawiki-no-install/tasks/main.yml create mode 100644 roles/service/mediawiki-no-install/vars/default/vars_nginx_vhost_custom.yml diff --git a/roles/service/mediawiki-no-install/defaults/main.yml b/roles/service/mediawiki-no-install/defaults/main.yml new file mode 100644 index 0000000..bef8d21 --- /dev/null +++ b/roles/service/mediawiki-no-install/defaults/main.yml 
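Review bot: `proxy_set_header X-Frame-Options SAMEORIGIN;` in all three location blocks sets a header on the request forwarded to the backend, not on the response, so the browser never receives it and it gives no clickjacking protection. If the header is wanted from nginx it has to be `add_header X-Frame-Options SAMEORIGIN always;`; if Mattermost already emits it itself (likely, but verify on a real response) the three lines can simply be removed. Separately, `location ~ /api/` is unanchored and also matches any path that merely contains `/api/`; `location ~ ^/api/` is presumably the intent.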
@@ -0,0 +1,10 @@ +##################################### +### someone's ansible provisioner ### +##################################### +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +# If not overridden in inventory or as a parameter, this is the value that will be used +# +--- +mediawiki_domain: "mediawiki.localhost" diff --git a/roles/service/mediawiki-no-install/tasks/main.yml b/roles/service/mediawiki-no-install/tasks/main.yml new file mode 100644 index 0000000..01b634e --- /dev/null +++ b/roles/service/mediawiki-no-install/tasks/main.yml 
@@ -0,0 +1,32 @@ +##################################### +### someone"s ansible provisioner ### +##################################### +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +--- +- name: include vars_nginx_vhost_custom + include_vars: + file: "{{item}}" + name: vars_nginx_vhost_custom + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/{{mediawiki_domain}}-vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/{{mediawiki_domain}}-vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/{{mediawiki_domain}}-vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/vars_nginx_vhost_custom.yml" + - "default/vars_nginx_vhost_custom.yml" + + +- name: configure vhost + include_role: + name: server/nginx/vhost-unified + vars: + vhost_type: "php" + vhost_name: "{{mediawiki_domain}}" + vhost_php_custom: ["bzip2", "php-apcu", "php8.2-pgsql", "php8.2-curl", "php8.2-gd", "php8.2-intl", "php-imagick", "php8.2-mbstring", "php8.2-mysql", "php8.2-xml", "php8.2-zip"] + vhost_fix_perms: False + vhost_custom: + vhost_custom_pre_server: "{{vars_nginx_vhost_custom.vhost_custom_pre_server}}" + vhost_custom: "{{vars_nginx_vhost_custom.vhost_custom}}" diff --git a/roles/service/mediawiki-no-install/vars/default/vars_nginx_vhost_custom.yml b/roles/service/mediawiki-no-install/vars/default/vars_nginx_vhost_custom.yml new file mode 100644 index 0000000..de3fe0c --- /dev/null +++ b/roles/service/mediawiki-no-install/vars/default/vars_nginx_vhost_custom.yml 
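Review bot: `vhost_fix_perms: False` uses the capitalised YAML 1.1 boolean spelling; `vhost_fix_perms: false` is the portable form and avoids a yamllint truthy warning. The `vhost_php_custom` package list is a long flow-style sequence on one line; a block sequence with one package per line would diff cleanly when a PHP version bump changes every entry. The pinned `php8.2-*` names also tie this role to one Debian release, which is worth a comment next to the list.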
@@ -0,0 +1,37 @@ +##################################### +### someone"s ansible provisioner ### +##################################### +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +--- +vhost_custom_pre_server: |- + +vhost_custom: |- + # image authentication + location ~ ^/images/ { + if (!-f $request_filename){ return 404; } + rewrite ^/images/(.*)$ /img_auth.php/$1?$args last; + } + + # hide some paths + location ^~ /images/deleted/ { return 404; } + location ^~ /maintenance/ { return 404; } + location ^~ /cache/ { return 404; } + location ^~ /logs/ { return 404; } + + # cacheable static files + location ~ ^/(?!wiki\/).*\.(css|js|gif|jpg|jpeg|png|svg|wasm|ttf|woff|woff2|ico)$ { + try_files $uri =404; + add_header Cache-Control "public"; + expires 7d; + } + + # nice urls + location ~ ^/wiki/ { rewrite ^/wiki/(.*)$ /index.php?title=$1&$args last; } + + ## keep for legacy-reasons + location = /wiki { rewrite ^ /index.php permanent; } + # old. maybe delete in 2023-07? + location ^~ /wiki/index.php/ { rewrite ^/wiki/index.php/(.*)$ /wiki/$1 permanent; } + location ^~ /index.php/ { rewrite ^/index.php/(.*)$ /wiki/$1 permanent; } -- 2.43.0 From cd79d1679d2ab110ce66b207adf14cd26ea6edf5 Mon Sep 17 00:00:00 2001 
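Review bot: The comment `# old. maybe delete in 2023-07?` on the legacy `/wiki/index.php/` and `/index.php/` redirects is already past its date at the time of this commit; either drop the two rules or replace the comment with the actual decision, e.g. `# legacy URL redirects kept for external links; drop once they stop appearing in access logs`. The `location ~ ^/images/` rule only keeps uploads behind img_auth.php because it is the first regex location declared, ahead of the cacheable-static-files regex that would otherwise serve `/images/*.png` directly via `try_files`; that ordering dependency deserves a comment such as `# must stay above the static-file location: nginx uses the first matching regex`.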
From: Someone Date: Mon, 29 Apr 2024 10:46:28 +0200 Subject: [PATCH 06/16] [roles/service/sympa] Mailinglist service - TODO: this does not work yet. --- .../sympa/files/default/list_aliases.tt2 | 7 + roles/service/sympa/files/default/sympa.conf | 102 +++++++++++++ .../service/sympa/files/default/sympa.debconf | 3 + roles/service/sympa/handlers/main.yml | 13 ++ roles/service/sympa/tasks/main.yml | 138 ++++++++++++++++++ .../vars/default/vars_nginx_vhost_custom.yml | 30 ++++ 6 files changed, 293 insertions(+) create mode 100644 roles/service/sympa/files/default/list_aliases.tt2 create mode 100644 roles/service/sympa/files/default/sympa.conf create mode 100644 roles/service/sympa/files/default/sympa.debconf create mode 100644 roles/service/sympa/handlers/main.yml create mode 100644 roles/service/sympa/tasks/main.yml create mode 100644 roles/service/sympa/vars/default/vars_nginx_vhost_custom.yml diff --git a/roles/service/sympa/files/default/list_aliases.tt2 b/roles/service/sympa/files/default/list_aliases.tt2 new file mode 100644 index 0000000..b7cd1b1 --- /dev/null +++ b/roles/service/sympa/files/default/list_aliases.tt2 @@ -0,0 +1,7 @@ +#--- [% list.name %]@[% list.domain %]: list transport map created at [% date %] +[% list.name %]@[% list.domain %] sympa:[% list.name %]@[% list.domain %] +[% list.name %]-request@[% list.domain %] sympa:[% list.name %]-request@[% list.domain %] +[% list.name %]-editor@[% list.domain %] sympa:[% list.name %]-editor@[% list.domain %] +#[% list.name %]-subscribe@[% list.domain %] sympa:[% list.name %]-subscribe@[%list.domain %] +[% list.name %]-unsubscribe@[% list.domain %] sympa:[% list.name %]-unsubscribe@[% list.domain %] +[% list.name %][% return_path_suffix %]@[% list.domain %] sympabounce:[% list.name %]@[% list.domain %] diff --git a/roles/service/sympa/files/default/sympa.conf b/roles/service/sympa/files/default/sympa.conf new file mode 100644 index 0000000..76bbcce --- /dev/null 
+++ b/roles/service/sympa/files/default/sympa.conf 
@@ -0,0 +1,102 @@ +###\\\\ Service description ////### + +## domain +## Primary mail domain name +## Example: domain mail.example.org +domain lists.somenet.org + +## listmaster +## Email addresses of listmasters +## Email addresses of the listmasters (users authorized to perform global +## server commands). Some error reports may also be sent to these addresses. +## Listmasters can be defined for each virtual host, however, the default +## listmasters will have privileges to manage all virtual hosts. +## Example: listmaster your_email_address@domain.tld +listmaster someone@somenet.org + +###\\\\ Database related ////### + +## db_type +## Type of the database +## Possible types are "MySQL", "PostgreSQL", "Oracle" and "SQLite". +db_type SQLite + +## db_name +## Name of the database +## With SQLite, this must be the full path to database file. +## With Oracle Database, this must be SID, net service name or easy connection +## identifier (to use net service name, db_host should be set to "none" and +## HOST, PORT and SERVICE_NAME should be defined in tnsnames.ora file). +db_name /var/lib/sympa/sympa.sqlite + +## db_timeout +## Database processing timeout +## Currently, this parameter may be used for SQLite only. +db_timeout 10 + +###\\\\ Mail server ////### + +## sendmail_aliases +## Path of the file that contains all list related aliases +## It is recommended to create a specific alias file so that Sympa never +## overwrites the standard alias file, but only a dedicated file. +## Set this parameter to "none" if you want to disable alias management in +## Sympa. +sendmail_aliases /var/lib/sympa/transport.map + +## aliases_program +## Program used to update alias database +## This may be "makemap", "newaliases", "postalias", "postmap" or full path to +## custom program. +aliases_program postmap + +## aliases_db_type +## Type of alias database +## "btree", "dbm", "hash" and so on. 
Available when aliases_program is +## "makemap", "postalias" or "postmap" +aliases_db_type hash + +###\\\\ List definition ////### + +## lang +## Language of the list +## This parameter defines the language used for the list. It is used to +## initialize a user's language preference; Sympa command reports are +## extracted from the associated message catalog. +lang en_US + +###\\\\ Web interface parameters ////### + +## wwsympa_url +## URL prefix of web interface +## This is used to construct URLs of web interface. The protocol (either +## https:// or http://) is required. +## Example: wwsympa_url https://web.example.org/sympa +wwsympa_url http://lists.somenet.org/sympa + +## static_content_path +## Directory for static contents +static_content_path /usr/share/sympa/static_content + +## css_path +## Directory for static style sheets (CSS) +## After an upgrade, static CSS files are upgraded with the newly installed +## "css.tt2" template. Therefore, this is not a good place to store customized +## CSS files. +css_path /var/lib/sympa/css + +## css_url +## URL for style sheets (CSS) +## To use auto-generated static CSS, HTTP server have to map it with +## "css_path". +css_url /css-sympa + +## pictures_path +## Directory for subscribers pictures +pictures_path /var/lib/sympa/pictures + +## pictures_url +## URL for subscribers pictures +## HTTP server have to map it with "pictures_path" directory. +pictures_url /pictures-sympa + diff --git a/roles/service/sympa/files/default/sympa.debconf b/roles/service/sympa/files/default/sympa.debconf new file mode 100644 index 0000000..131466f --- /dev/null +++ b/roles/service/sympa/files/default/sympa.debconf @@ -0,0 +1,3 @@ +sympa sympa/dbconfig-install string false +sympa sympa/sympa_newaliases-wrapper-setuid-root string false +sympa wwsympa/webserver_type string Other diff --git a/roles/service/sympa/handlers/main.yml b/roles/service/sympa/handlers/main.yml new file mode 100644 index 0000000..ff3906b --- /dev/null 
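Review bot: `wwsympa_url http://lists.somenet.org/sympa` makes Sympa build its own links and redirects with plain http, so listmaster logins and web-interface session cookies travel unencrypted unless the vhost forces every request to TLS first; the comment above the key says the scheme is mandatory, so set `wwsympa_url https://lists.somenet.org/sympa` once the vhost serves TLS. `pictures_url /pictures-sympa` here also does not match the `/static-sympa/pictures` location in this role's vars_nginx_vhost_custom.yml, which is probably what the "below maybe needs fixing" remark in that file refers to; one of the two should be renamed so pictures are actually served.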
+++ b/roles/service/sympa/handlers/main.yml @@ -0,0 +1,13 @@ +##################################### +### someone's ansible provisioner ### +##################################### +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +--- +- name: restart sympa.service + systemd: + name: sympa.service + daemon_reload: yes + state: restarted + ignore_errors: yes diff --git a/roles/service/sympa/tasks/main.yml b/roles/service/sympa/tasks/main.yml new file mode 100644 index 0000000..a78cf60 --- /dev/null +++ b/roles/service/sympa/tasks/main.yml 
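Review bot: `ignore_errors: yes` on the `restart sympa.service` handler turns a failed restart into a silent success, so a broken `sympa.conf` deployed by the copy tasks leaves the service down while the play reports green. Given the commit title says the role does not work yet this may be deliberate, but it should carry a comment saying so, e.g. `# TODO: drop ignore_errors once the debconf/dbconfig workaround in tasks/main.yml is confirmed working`, or be replaced by a `failed_when` that tolerates only the known first-install failure.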
@@ -0,0 +1,138 @@ +##################################### +### someone's ansible provisioner ### +##################################### +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +# Sympa is broken in debian, in that it cannot be installed with dbconfig-no-thanks. +# To work around this, we have to first debconf-preseed some config values and deploy the config file before AND after installing the sympa package. +# todo: move to sertvices? +--- +- name: create /etc/sympa + file: + path: "/etc/sympa" + state: directory + mode: 0755 + owner: "sympa" + group: "sympa" + +- name: create /etc/sympa/sympa + file: + path: "/etc/sympa/sympa" + state: directory + mode: 0755 + owner: "sympa" + group: "sympa" + + +- name: copy sympa.debconf + copy: + src: "{{item}}" + dest: "/etc/sympa/sympa/sympa.debconf" + mode: 0644 + owner: "sympa" + group: "sympa" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/sympa.debconf" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/sympa.debconf" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/sympa.debconf" + - "default/sympa.debconf" + notify: restart sympa.service + + +- name: preseed sympa.debconf + shell: 'debconf-set-selections /etc/sympa/sympa/sympa.debconf' + + +- name: copy sympa config + copy: + src: "{{item}}" + dest: "/etc/sympa/sympa/sympa.conf" + mode: 0644 + owner: "sympa" + group: "sympa" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/sympa.conf" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/sympa.conf" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/sympa.conf" + - "default/sympa.conf" + notify: restart sympa.service + + +- name: install sympa + apt: + pkg: + - sympa + state: present + policy_rc_d: 101 + tags: "online" + ignore_errors: "{{ignore_online_errors | bool}}" + register: result + + +- name: copy sympa 
config again + copy: + src: "{{item}}" + dest: "/etc/sympa/sympa/sympa.conf" + mode: 0644 + owner: "sympa" + group: "sympa" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/sympa.conf" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/sympa.conf" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/sympa.conf" + - "default/sympa.conf" + notify: restart sympa.service + when: result.changed + + +- name: copy list_aliases.tt2 + copy: + src: "{{item}}" + dest: "/etc/sympa/list_aliases.tt2" + mode: 0644 + owner: "sympa" + group: "sympa" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/list_aliases.tt2" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/list_aliases.tt2" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/list_aliases.tt2" + - "default/list_aliases.tt2" + notify: restart sympa.service + when: result.changed + + +- name: include vars_nginx_vhost_custom + include_vars: + file: "{{item}}" + name: vars_nginx_vhost_custom + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/{{sympa_main_host_name}}-vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/{{sympa_main_host_name}}-vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/{{sympa_main_host_name}}-vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/vars_nginx_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/vars_nginx_vhost_custom.yml" + - "default/vars_nginx_vhost_custom.yml" + + +- name: configure vhost for "{{sympa_main_host_name}}" + include_role: + name: server/nginx/vhost-unified + vars: + vhost_type: "custom" + vhost_name: 
"{{sympa_main_host_name}}" + vhost_custom: + vhost_custom_pre_server: "{{vars_nginx_vhost_custom.vhost_custom_pre_server}}" + vhost_custom: "{{vars_nginx_vhost_custom.vhost_custom}}" + + +- name: enable and start sympa.service + include_role: name="base/systemd/enable-and-start" + vars: + service_name: sympa.service + +- name: enable and start wwsympa.socket + include_role: name="base/systemd/enable-and-start" + vars: + service_name: wwsympa.socket diff --git a/roles/service/sympa/vars/default/vars_nginx_vhost_custom.yml b/roles/service/sympa/vars/default/vars_nginx_vhost_custom.yml new file mode 100644 index 0000000..413f81b --- /dev/null +++ b/roles/service/sympa/vars/default/vars_nginx_vhost_custom.yml @@ -0,0 +1,30 @@ +##################################### +### someone"s ansible provisioner ### +##################################### +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +--- +vhost_custom_pre_server: |- + +vhost_custom: |- + location = / {return 301 /sympa;} + location /sympa { + include fastcgi_params; + fastcgi_pass unix:/run/sympa/wwsympa.socket; + } + location /sympasoap { + include fastcgi_params; + fastcgi_pass unix:/run/sympa/wwsympa.socket; + } + location /css-sympa { + alias /var/lib/sympa/css; + } + + # below maybe needs fixing + location /static-sympa/pictures { + alias /var/lib/sympa/pictures; + } + location /static-sympa { + alias /usr/share/sympa/static_content; + } -- 2.43.0 From 64e99d131304d04fa322896295274cc2629dce9f Mon Sep 17 00:00:00 2001 From: Someone Date: Mon, 29 Apr 2024 10:46:28 +0200 Subject: [PATCH 07/16] [roles/service] ----- meta ----- No dependencies --- roles/service/meta/main.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 roles/service/meta/main.yml diff --git a/roles/service/meta/main.yml b/roles/service/meta/main.yml new file mode 100644 index 0000000..b43a681 --- /dev/null +++ b/roles/service/meta/main.yml 
@@ -0,0 +1,10 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+# This is a server role.
+# Dont make dependencies to subroles that are not needed at all servers!
+---
+#dependencies:
--
2.43.0
From 320195ecc43a61e0cacdde42bdaddd1c47a2f163 Mon Sep 17 00:00:00 2001
From: Someone
Date: Mon, 29 Apr 2024 10:46:28 +0200
Subject: [PATCH 08/16] [roles/client/nextcloud] install nextcloud-client
---
 roles/client/nextcloud/tasks/main.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 roles/client/nextcloud/tasks/main.yml
diff --git a/roles/client/nextcloud/tasks/main.yml b/roles/client/nextcloud/tasks/main.yml
new file mode 100644
index 0000000..ea012ed
--- /dev/null
+++ b/roles/client/nextcloud/tasks/main.yml
@@ -0,0 +1,15 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+---
+
+- name: install nextcloud-client
+ apt:
+ pkg:
+ - dolphin-nextcloud
+ state: present
+ policy_rc_d: 101
+ tags: "online"
--
2.43.0
From 5898bcc4c8507ed8c6c78fc2d75ec0625dd061bc Mon Sep 17 00:00:00 2001
From: Someone
Date: Mon, 29 Apr 2024 10:46:28 +0200
Subject: [PATCH 09/16] [roles/client/google-chrome] install google chrome
---
 .../files/default/google-chrome.list | 3 ++
 roles/client/google-chrome/tasks/main.yml | 43 +++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 roles/client/google-chrome/files/default/google-chrome.list
 create mode 100644 roles/client/google-chrome/tasks/main.yml
diff --git a/roles/client/google-chrome/files/default/google-chrome.list b/roles/client/google-chrome/files/default/google-chrome.list
new file mode 100644
index 0000000..b2d572c
--- /dev/null
+++ b/roles/client/google-chrome/files/default/google-chrome.list
@@ -0,0 +1,3 @@
+### THIS FILE IS AUTOMATICALLY CONFIGURED ###
+# You may comment out this entry, but any other modifications may be lost.
+deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main
diff --git a/roles/client/google-chrome/tasks/main.yml b/roles/client/google-chrome/tasks/main.yml
new file mode 100644
index 0000000..eb882d7
--- /dev/null
+++ b/roles/client/google-chrome/tasks/main.yml
@@ -0,0 +1,43 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+---
+- name: add google-chrome.list to apt
+ copy:
+ src: "{{item}}"
+ dest: "/etc/apt/sources.list.d/google-chrome.list"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/google-chrome.list"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/google-chrome.list"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/google-chrome.list"
+ - "default/google-chrome.list"
+ register: apt_list_changes
+
+
+- name: add google-chrome key to keyring
+ apt_key:
+ url: https://dl.google.com/linux/linux_signing_key.pub
+ state: present
+ tags: "online"
+
+
+- name: update the repository cache
+ apt:
+ update_cache: yes
+ tags: "online"
+ when: apt_list_changes.changed
+
+
+- name: install google-chrome
+ apt:
+ pkg:
+ - google-chrome-stable
+ state: present
+ policy_rc_d: 101
+ tags: "online"
--
2.43.0
From 6699374a9b3caf90a938ee74ff6ee24fe61ebd2a Mon Sep 17 00:00:00 2001
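Review bot: The repository line fetches over plain `http://dl.google.com/linux/chrome/deb/`; apt's signature check still protects package integrity, but the transport exposes which packages this host installs and allows an on-path party to serve stale index data, and the same path is served over HTTPS, so `deb [arch=amd64] https://dl.google.com/linux/chrome/deb/ stable main` is the safer line. Once the signing key is stored as a file under /etc/apt/keyrings it can also be pinned to this repository here with `[arch=amd64 signed-by=/etc/apt/keyrings/google-chrome.asc]`.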
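Review bot: `apt_key` with `url:` in `add google-chrome key to keyring` places the Google key in the legacy global trusted keyring, where apt trusts it for every configured repository rather than only this one, and `apt-key` is deprecated on current Debian and Ubuntu. Fetch the key into `/etc/apt/keyrings` with `get_url` instead (creating the directory first where it does not exist) and reference it from google-chrome.list with `signed-by=`, so a compromise of this one vendor key cannot sign packages for other sources. `update_cache: yes` should be `true` for consistency with the truthy convention. A one-line comment above the key task noting that the list file's `signed-by=` must point at the same path would keep the two files in step.
```yaml
- name: add google-chrome key to keyring
  get_url:
    url: https://dl.google.com/linux/linux_signing_key.pub
    dest: "/etc/apt/keyrings/google-chrome.asc"
    mode: "0644"
    owner: "root"
    group: "root"
  tags: "online"
# … unchanged: update the repository cache, install google-chrome …
```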
From: Someone
Date: Mon, 29 Apr 2024 10:46:28 +0200
Subject: [PATCH 10/16] [roles/client/kiosk_mode] borgcube like kiosk mode
---
 .../client/kiosk_mode/files/default/kiosk.sh | 14 ++
 .../kiosk_mode/files/default/kiosk.tar.bz2 | Bin 0 -> 116 bytes
 .../kiosk_mode/files/default/lightdm.conf | 170 ++++++++++++++++++
 roles/client/kiosk_mode/tasks/main.yml | 108 +++++++++++
 4 files changed, 292 insertions(+)
 create mode 100644 roles/client/kiosk_mode/files/default/kiosk.sh
 create mode 100644 roles/client/kiosk_mode/files/default/kiosk.tar.bz2
 create mode 100644 roles/client/kiosk_mode/files/default/lightdm.conf
 create mode 100644 roles/client/kiosk_mode/tasks/main.yml
diff --git a/roles/client/kiosk_mode/files/default/kiosk.sh b/roles/client/kiosk_mode/files/default/kiosk.sh
new file mode 100644
index 0000000..acc03fe
--- /dev/null
+++ b/roles/client/kiosk_mode/files/default/kiosk.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+if [ "${USER}" == "kiosk" ] ; then
+ rsync -rlpgoDHvP --delete /etc/kiosk/ /home/kiosk --exclude ".gvfs" --exclude ".irssi"
+ chown -R kiosk:kiosk /home/kiosk
+ chmod 770 /home/kiosk
+fi
diff --git a/roles/client/kiosk_mode/files/default/kiosk.tar.bz2 b/roles/client/kiosk_mode/files/default/kiosk.tar.bz2
new file mode 100644
index 0000000000000000000000000000000000000000..d4a16d7ae2a5ebf4e3b986c19968799122561325
GIT binary patch literal 116 zcmZ>Y%CIzaj8qGbG+D;=je()Gy5T?rgMtIYzXk?@1j~60j2sFKrM&*ZDqq^#8ot`H zO!U{t$Y78@XV1wxp+#wn%FYLiRT^*ps>@Z0I#k$kV^v|Pi200INgavKu8nf+n@T=@ UDE08;uZ_5c6? literal 0 HcmV?d00001
diff --git a/roles/client/kiosk_mode/files/default/lightdm.conf b/roles/client/kiosk_mode/files/default/lightdm.conf
new file mode 100644
index 0000000..466de48
--- /dev/null
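Review bot: The script sets no `set -e`/`set -u`, so when the `rsync` from /etc/kiosk fails (for example because /etc/kiosk is missing, which the tasks file can leave behind after an interrupted run) the `chown -R` and `chmod 770` still execute and the script exits 0, and lightdm carries on with a partially reset home directory. Add `set -eu` after the shebang so a failed sync stops the session setup visibly instead of silently. Because the accompanying lightdm.conf installs this file as both `session-setup-script` and `session-cleanup-script`, a header comment such as `# Resets /home/kiosk from the /etc/kiosk skeleton; runs as root at kiosk login and logout` would tell the next maintainer that user data does not survive a session.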
+++ b/roles/client/kiosk_mode/files/default/lightdm.conf 
@@ -0,0 +1,170 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+#
+# General configuration
+#
+# start-default-seat = True to always start one seat if none are defined in the configuration
+# greeter-user = User to run greeter as
+# minimum-display-number = Minimum display number to use for X servers
+# minimum-vt = First VT to run displays on
+# lock-memory = True to prevent memory from being paged to disk
+# user-authority-in-system-dir = True if session authority should be in the system location
+# guest-account-script = Script to be run to setup guest account
+# logind-load-seats = True to automatically set up multi-seat configuration from logind
+# logind-check-graphical = True to on start seats that are marked as graphical by logind
+# log-directory = Directory to log information to
+# run-directory = Directory to put running state in
+# cache-directory = Directory to cache to
+# sessions-directory = Directory to find sessions
+# remote-sessions-directory = Directory to find remote sessions
+# greeters-directory = Directory to find greeters
+#
+[LightDM]
+#start-default-seat=true
+#greeter-user=lightdm
+#minimum-display-number=0
+#minimum-vt=7
+#lock-memory=true
+#user-authority-in-system-dir=false
+#guest-account-script=guest-account
+#logind-load-seats=false
+#logind-check-graphical=false
+#log-directory=/var/log/lightdm
+#run-directory=/var/run/lightdm
+#cache-directory=/var/cache/lightdm
+#sessions-directory=/usr/share/lightdm/sessions:/usr/share/xsessions
+#remote-sessions-directory=/usr/share/lightdm/remote-sessions
+#greeters-directory=/usr/share/lightdm/greeters:/usr/share/xgreeters
+
+#
+# Seat defaults
+#
+# type = Seat type (xlocal, xremote)
+# xdg-seat = Seat name to set pam_systemd XDG_SEAT variable and name to pass to X server
+# pam-service = PAM service to use for login
+# pam-autologin-service = PAM service to use for autologin
+# pam-greeter-service = PAM service to use for greeters
+# xserver-command = X server command to run (can also contain arguments e.g. X -special-option)
+# xserver-layout = Layout to pass to X server
+# xserver-config = Config file to pass to X server
+# xserver-allow-tcp = True if TCP/IP connections are allowed to this X server
+# xserver-share = True if the X server is shared for both greeter and session
+# xserver-hostname = Hostname of X server (only for type=xremote)
+# xserver-display-number = Display number of X server (only for type=xremote)
+# xdmcp-manager = XDMCP manager to connect to (implies xserver-allow-tcp=true)
+# xdmcp-port = XDMCP UDP/IP port to communicate on
+# xdmcp-key = Authentication key to use for XDM-AUTHENTICATION-1 (stored in keys.conf)
+# unity-compositor-command = Unity compositor command to run (can also contain arguments e.g. unity-system-compositor -special-option)
+# unity-compositor-timeout = Number of seconds to wait for compositor to start
+# greeter-session = Session to load for greeter
+# greeter-hide-users = True to hide the user list
+# greeter-allow-guest = True if the greeter should show a guest login option
+# greeter-show-manual-login = True if the greeter should offer a manual login option
+# greeter-show-remote-login = True if the greeter should offer a remote login option
+# user-session = Session to load for users
+# allow-user-switching = True if allowed to switch users
+# allow-guest = True if guest login is allowed
+# guest-session = Session to load for guests (overrides user-session)
+# session-wrapper = Wrapper script to run session with
+# greeter-wrapper = Wrapper script to run greeter with
+# guest-wrapper = Wrapper script to run guest sessions with
+# display-setup-script = Script to run when starting a greeter session (runs as root)
+# display-stopped-script = Script to run after stopping the display server (runs as root)
+# greeter-setup-script = Script to run when starting a greeter (runs as root)
+# session-setup-script = Script to run when starting a user session (runs as root)
+# session-cleanup-script = Script to run when quitting a user session (runs as root)
+# autologin-guest = True to log in as guest by default
+# autologin-user = User to log in with by default (overrides autologin-guest)
+# autologin-user-timeout = Number of seconds to wait before loading default user
+# autologin-session = Session to load for automatic login (overrides user-session)
+# autologin-in-background = True if autologin session should not be immediately activated
+# exit-on-failure = True if the daemon should exit if this seat fails
+#
+[SeatDefaults]
+#type=xlocal
+#xdg-seat=seat0
+#pam-service=lightdm
+#pam-autologin-service=lightdm-autologin
+#pam-greeter-service=lightdm-greeter
+#xserver-command=X
+#xserver-layout=
+#xserver-config=
+#xserver-allow-tcp=false
+#xserver-share=true
+#xserver-hostname=
+#xserver-display-number=
+#xdmcp-manager=
+#xdmcp-port=177
+#xdmcp-key=
+#unity-compositor-command=unity-system-compositor
+#unity-compositor-timeout=60
+#greeter-session=example-gtk-gnome
+greeter-hide-users=false
+#greeter-allow-guest=true
+#greeter-show-manual-login=false
+#greeter-show-remote-login=true
+#user-session=default
+#allow-user-switching=true
+#allow-guest=true
+#guest-session=
+#session-wrapper=lightdm-session
+#greeter-wrapper=
+#guest-wrapper=
+#display-setup-script=
+#display-stopped-script=
+#greeter-setup-script=
+session-setup-script=/etc/kiosk.sh
+session-cleanup-script=/etc/kiosk.sh
+#autologin-guest=false
+autologin-user=kiosk
+autologin-user-timeout=0
+autologin-in-background=false
+#autologin-session=UNIMPLEMENTED
+#exit-on-failure=false
+
+#
+# Seat configuration
+#
+# Each seat must start with "Seat:".
+# Uses settings from [SeatDefaults], any of these can be overriden by setting them in this section.
+#
+#[Seat:0]
+
+#
+# XDMCP Server configuration
+#
+# enabled = True if XDMCP connections should be allowed
+# port = UDP/IP port to listen for connections on
+# key = Authentication key to use for XDM-AUTHENTICATION-1 or blank to not use authentication (stored in keys.conf)
+#
+# The authentication key is a 56 bit DES key specified in hex as 0xnnnnnnnnnnnnnn. Alternatively
+# it can be a word and the first 7 characters are used as the key.
+#
+[XDMCPServer]
+#enabled=false
+#port=177
+#key=
+
+#
+# VNC Server configuration
+#
+# enabled = True if VNC connections should be allowed
+# command = Command to run Xvnc server with
+# port = TCP/IP port to listen for connections on
+# width = Width of display to use
+# height = Height of display to use
+# depth = Color depth of display to use
+#
+[VNCServer]
+#enabled=false
+#command=Xvnc
+#port=5900
+#width=1024
+#height=768
+#depth=8
diff --git a/roles/client/kiosk_mode/tasks/main.yml b/roles/client/kiosk_mode/tasks/main.yml
new file mode 100644
index 0000000..98c5f5f
--- /dev/null
+++ b/roles/client/kiosk_mode/tasks/main.yml
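Review bot: `[SeatDefaults]` turns on `autologin-user=kiosk` with `autologin-user-timeout=0` and `greeter-hide-users=false`, but leaves `allow-guest`, `allow-user-switching` and `greeter-allow-guest` at their commented-out defaults (`#allow-guest=true`, `#allow-user-switching=true`), so anyone who reaches the greeter — e.g. after the kiosk session exits — is offered a guest session and the list of local accounts. For a locked-down kiosk state these explicitly: `allow-guest=false`, `allow-user-switching=false`, `greeter-hide-users=true`. The commented values document lightdm's defaults only; writing the intended value removes the dependence on whatever the installed lightdm build compiled in. A short comment above `session-setup-script=/etc/kiosk.sh` saying that the script runs as root and resets /home/kiosk at both session start and cleanup would also help, since that is not obvious from the two file names.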
@@ -0,0 +1,108 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+---
+- name: create kiosk user
+ user:
+ name: "kiosk"
+ home: "/home/kiosk"
+# shell: "/bin/bash"
+ createhome: no
+ state: present
+
+
+- name: create kiosk user's homedir
+ file:
+ path: "/home/kiosk"
+ state: directory
+ mode: 0770
+ owner: "kiosk"
+ group: "kiosk"
+
+
+- name: copy lightdm.conf config
+ copy:
+ src: "{{item}}"
+ dest: "/etc/lightdm/lightdm.conf"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/lightdm.conf"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/lightdm.conf"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/lightdm.conf"
+ - "default/lightdm.conf"
+
+
+- name: copy kiosk.sh
+ copy:
+ src: "{{item}}"
+ dest: "/etc/kiosk.sh"
+ mode: 0755
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/kiosk.sh"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/kiosk.sh"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/kiosk.sh"
+ - "default/kiosk.sh"
+
+
+- name: copy kiosk.tar.bz2
+ copy:
+ src: "{{item}}"
+ dest: "/etc/kiosk.tar.bz2"
+ mode: 0600
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/kiosk.tar.bz2"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/kiosk.tar.bz2"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/kiosk.tar.bz2"
+ - "default/kiosk.tar.bz2"
+ register: copy
+
+
+- name: delete kiosk-skel-dir
+ file:
+ path: "/etc/kiosk"
+ state: absent
+ when: copy.changed
+
+
+- name: set up new kiosk-skel-dir
+ file:
+ path: "/etc/kiosk"
+ state: directory
+ mode: 0700
+ owner: "kiosk"
+ group: "kiosk"
+ when: copy.changed
+
+
+- name: extract kiosk-skel-dir
+ unarchive:
+ src: "/etc/kiosk.tar.bz2"
+ dest: "/etc/kiosk"
+ remote_src: yes
+ mode: "u=rwX,g=rX,o-rwx"
+ owner: "kiosk"
+ group: "kiosk"
+ extra_opts:
+ - '--strip-components=1'
+ - '--show-stored-names'
+ when: copy.changed
+
+
+- name: set up persistent kiosk storage
+ file:
+ path: "/var/kiosk"
+ state: directory
+ mode: 0775
+ owner: "kiosk"
+ group: "kiosk"
+
+#TODO: deny crontab + at
--
2.43.0
From bcff7471925ce297f79c705be617460f64baac8d Mon Sep 17 00:00:00 2001
From: Someone
Date: Mon, 29 Apr 2024 10:46:28 +0200
Subject: [PATCH 11/16] [roles/client/kde-user] install kde and other user packages
---
 roles/client/kde-user/tasks/main.yml | 48 ++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 roles/client/kde-user/tasks/main.yml
diff --git a/roles/client/kde-user/tasks/main.yml b/roles/client/kde-user/tasks/main.yml
new file mode 100644
index 0000000..c588f43
--- /dev/null
+++ b/roles/client/kde-user/tasks/main.yml
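Review bot: The delete / recreate / extract sequence for /etc/kiosk is guarded only by `copy.changed`, so a run that fails after `delete kiosk-skel-dir` and before `extract kiosk-skel-dir` leaves no /etc/kiosk, and every later run sees the tarball unchanged and never rebuilds it — at which point kiosk.sh rsyncs from a missing directory on each login. Stat the directory before the three tasks (`stat: path: "/etc/kiosk"` with `register: kiosk_skel`) and use `when: copy.changed or not kiosk_skel.stat.exists` on `set up new kiosk-skel-dir` and `extract kiosk-skel-dir`. Registering the copy result as `copy` reads like the module name; `kiosk_tar` would be clearer, and `createhome: no` / `remote_src: yes` should be `false` / `true`. The trailing `#TODO: deny crontab + at` is an open hardening item for the kiosk account (otherwise it can schedule jobs that run outside the reset-at-login session) and deserves an issue rather than a comment.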
@@ -0,0 +1,48 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+---
+- name: install kde-user-packages
+ apt:
+ pkg:
+ - akonadi-backend-sqlite
+ - akonadiconsole
+ - hpijs-ppds
+ - hplip
+ - kde-config-screenlocker
+ - kde-config-sddm
+ - kde-plasma-desktop
+ - kde-spectacle
+ - kde-style-oxygen-qt5
+ - kdeadmin
+ - kdegraphics-thumbnailers
+ - kdepim
+ - keepassxc
+ - kontact
+ - laptop-detect
+ - libnotify-bin
+ - libreoffice
+ - libreoffice-sdbc-firebird
+ - libreoffice-sdbc-hsqldb
+ - pdftk
+ - printer-driver-gutenprint
+ - printer-driver-hpcups
+ - printer-driver-hpijs
+ - sddm-theme-elarun
+ - simple-scan
+ - smartmontools
+ - smplayer
+ - sqlite3
+ - task-german-kde-desktop
+ - task-kde-desktop
+ - task-laptop
+ - thunderbird
+ - thunderbird-l10n-de
+ - x11vnc
+ - yt-dlp
+ state: present
+ policy_rc_d: 101
+ tags: "online"
--
2.43.0
From 3e872860175e6f87dcd1eb27ffb50d3a2cc39b5e Mon Sep 17 00:00:00 2001
From: Someone
Date: Mon, 29 Apr 2024 10:46:28 +0200
Subject: [PATCH 12/16] [roles/client] ----- meta ----- No dependencies
---
 roles/client/meta/main.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 roles/client/meta/main.yml
diff --git a/roles/client/meta/main.yml b/roles/client/meta/main.yml
new file mode 100644
index 0000000..fc91917
--- /dev/null
+++ b/roles/client/meta/main.yml
@@ -0,0 +1,8 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+---
+#dependencies:
--
2.43.0
From 51e40a58772cb40f9f1fe3a26027d1b181869b1d Mon Sep 17 00:00:00 2001
From: Someone
Date: Mon, 29 Apr 2024 10:46:28 +0200
Subject: [PATCH 13/16] [roles/util/letsencrypt-cert] request letsencrypt-cert helper role
---
 roles/util/letsencrypt-cert/defaults/main.yml | 11 ++++
 roles/util/letsencrypt-cert/meta/main.yml | 9 +++
 roles/util/letsencrypt-cert/tasks/main.yml | 57 +++++++++++++++++++
 3 files changed, 77 insertions(+)
 create mode 100644 roles/util/letsencrypt-cert/defaults/main.yml
 create mode 100644 roles/util/letsencrypt-cert/meta/main.yml
 create mode 100644 roles/util/letsencrypt-cert/tasks/main.yml
diff --git a/roles/util/letsencrypt-cert/defaults/main.yml b/roles/util/letsencrypt-cert/defaults/main.yml
new file mode 100644
index 0000000..5e85db5
--- /dev/null
+++ b/roles/util/letsencrypt-cert/defaults/main.yml
@@ -0,0 +1,11 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+# If not overridden in inventory or as a parameter, this is the value that will be used
+#
+---
+letsencrypt_cert_domain: ""
+letsencrypt_cert_domain_alias: ""
diff --git a/roles/util/letsencrypt-cert/meta/main.yml b/roles/util/letsencrypt-cert/meta/main.yml
new file mode 100644
index 0000000..2240736
--- /dev/null
+++ b/roles/util/letsencrypt-cert/meta/main.yml
@@ -0,0 +1,9 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+---
+#dependencies:
+# - { role: server/letsencrypt-bot }
diff --git a/roles/util/letsencrypt-cert/tasks/main.yml b/roles/util/letsencrypt-cert/tasks/main.yml
new file mode 100644
index 0000000..64c4784
--- /dev/null
+++ b/roles/util/letsencrypt-cert/tasks/main.yml
@@ -0,0 +1,57 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+---
+- name: append {{letsencrypt_cert_domain}} to domains.txt
+ lineinfile:
+ line: "{{letsencrypt_cert_domain}} {{letsencrypt_cert_domain_alias}}"
+ path: "/etc/dehydrated/domains.txt"
+ mode: 0640
+ owner: "letsencrypt"
+ group: "letsencrypt"
+ changed_when: False
+ when: letsencrypt_cert_domain != ""
+
+
+- name: create domains.txt.ansible.tmp for {{letsencrypt_cert_domain}}
+ copy:
+ content: "{{letsencrypt_cert_domain}} {{letsencrypt_cert_domain_alias}}\n"
+ dest: "/etc/dehydrated/domains.txt.ansible.tmp"
+ mode: 0640
+ owner: "letsencrypt"
+ group: "letsencrypt"
+ changed_when: False
+ when: letsencrypt_cert_domain != ""
+
+
+- name: request cert for {{letsencrypt_cert_domain}}
+ shell: "/usr/bin/dehydrated -c"
+ args:
+ creates: "/etc/ssl/letsencrypt/{{letsencrypt_cert_domain}}/cert.pem"
+ environment:
+ DOMAINS_TXT: '/etc/dehydrated/domains.txt.ansible.tmp'
+ become: true
+ become_user: "letsencrypt"
+ tags: "online"
+ when: letsencrypt_cert_domain != ""
+
+
+- name: fix permissions for /etc/ssl/letsencrypt/{{letsencrypt_cert_domain}}
+ file:
+ path: "/etc/ssl/letsencrypt/{{letsencrypt_cert_domain}}"
+ state: directory
+ recurse: yes
+ mode: "u+rwX,g+rX,o-rwx"
+ owner: "letsencrypt"
+ group: "ssl-cert"
+ when: letsencrypt_cert_domain != ""
+
+
+- name: remove domains.txt.ansible.tmp
+ file:
+ path: "/etc/dehydrated/domains.txt.ansible.tmp"
+ state: absent
+ changed_when: False
--
2.43.0
From a9f0ecb3be078e3c34fe4e0152a53980616da77b Mon Sep 17 00:00:00 2001
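Review bot: `shell: "/usr/bin/dehydrated -c"` in `request cert for …` uses no shell features, so `command: "/usr/bin/dehydrated -c"` does the same job without involving a shell; `args: creates:` and `environment:` stay as they are. `changed_when: False` on `append … to domains.txt` masks a real, persistent change to /etc/dehydrated/domains.txt, so drift in that file is never reported in play output; it is appropriate on the tmp-file tasks but should be dropped from the lineinfile task. Running dehydrated as `become_user: "letsencrypt"` and handing the result to group `ssl-cert` with `o-rwx` is the right shape; a comment above that task, e.g. `# DOMAINS_TXT limits this run to the one domain just written; the shared domains.txt is only for the renewal cron`, would explain why two domain files exist.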
From: Someone
Date: Mon, 29 Apr 2024 10:46:28 +0200
Subject: [PATCH 14/16] [roles/util/postgres-db-grp-usr] create postgres db, owner-group and user for group - DO NOT USE.
---
 roles/util/postgres-db-grp-usr/tasks/main.yml | 79 +++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100644 roles/util/postgres-db-grp-usr/tasks/main.yml
diff --git a/roles/util/postgres-db-grp-usr/tasks/main.yml b/roles/util/postgres-db-grp-usr/tasks/main.yml
new file mode 100644
index 0000000..5168f58
--- /dev/null
+++ b/roles/util/postgres-db-grp-usr/tasks/main.yml
@@ -0,0 +1,79 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+# You likely want to use the other pg-db role.
+# pg has a broken permission system -> many take-own needed - or just dont care.
+#
+---
+- name: ensure pg group "grp_{{pg_data.dbname}}_owner" exists
+ become_user: postgres
+ postgresql_user:
+ name: "grp_{{pg_data.dbname}}_owner"
+ role_attr_flags: "NOLOGIN,NOSUPERUSER,INHERIT,NOCREATEDB,NOCREATEROLE,NOREPLICATION"
+
+
+- name: create db "{{pg_data.dbname}}"
+ become_user: "postgres"
+ postgresql_db:
+ name: "{{pg_data.dbname}}"
+ owner: "grp_{{pg_data.dbname}}_owner"
+
+
+- name: set owner of schema "{{pg_data.dbname}}.public"
+ become_user: "postgres"
+ postgresql_schema:
+ database: "{{pg_data.dbname}}"
+ name: public
+ owner: "grp_{{pg_data.dbname}}_owner"
+
+
+- name: revoke privs for PUBLIC on db "{{pg_data.dbname}}"
+ become_user: postgres
+ postgresql_privs:
+ db: "{{pg_data.dbname}}"
+ state: absent
+ privs: ALL
+ type: database
+ role: public
+
+
+- name: revoke privs for PUBLIC on schema "{{pg_data.dbname}}.public"
+ become_user: postgres
+ postgresql_privs:
+ db: "{{pg_data.dbname}}"
+ state: absent
+ privs: ALL
+ type: schema
+ objs: public
+ role: public
+
+
+- name: ensure group grp_spectator exists and grant necessary privs on db "{{pg_data.dbname}}"
+ become_user: postgres
+ postgresql_user:
+ name: "grp_spectator"
+ role_attr_flags: "NOLOGIN,NOSUPERUSER,INHERIT,NOCREATEDB,NOCREATEROLE,NOREPLICATION"
+ db: "{{pg_data.dbname}}"
+ priv: CONNECT,TEMPORARY
+
+
+- name: ensure pg user "usr_{{pg_data.dbname}}" exists
+ become_user: postgres
+ postgresql_user:
+ name: "usr_{{pg_data.dbname}}"
+ password: "{{pg_data.pw}}"
+ when: pg_data.dbname != "" and pg_data.pw != ""
+
+
+- name: add user "usr_{{pg_data.dbname}}" to group "grp_{{pg_data.dbname}}_owner"
+ become_user: postgres
+ postgresql_privs:
+ # always use postgres here
+ db: "postgres"
+ role: "usr_{{pg_data.dbname}}"
+ objs: "grp_{{pg_data.dbname}}_owner"
+ type: group
+ when: pg_data.dbname != "" and pg_data.pw != ""
--
2.43.0
From cc90c6664d867d67642e3cf9f96df8401aa6f608 Mon Sep 17 00:00:00 2001
From: Someone
Date: Mon, 29 Apr 2024 10:46:28 +0200
Subject: [PATCH 15/16] [roles/util/postgres-db-usr] create postgres db and owner-user
---
 roles/util/postgres-db-usr/tasks/main.yml | 59 +++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 roles/util/postgres-db-usr/tasks/main.yml
diff --git a/roles/util/postgres-db-usr/tasks/main.yml b/roles/util/postgres-db-usr/tasks/main.yml
new file mode 100644
index 0000000..58a731f
--- /dev/null
+++ b/roles/util/postgres-db-usr/tasks/main.yml
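Review bot: The guard `when: pg_data.dbname != "" and pg_data.pw != ""` is applied only to the last two tasks, while the six tasks above run unconditionally, so an empty `pg_data.dbname` creates a role literally named `grp__owner` before `postgresql_db` fails on the empty database name; apply the guard to every task, or put the tasks in one `block:` with a single `when:`. The task `ensure pg user "usr_{{pg_data.dbname}}" exists` passes `password: "{{pg_data.pw}}"` without `no_log: true`, so the password is printed in verbose runs and captured by callback plugins; add `no_log: true` to that task. The same two points apply to the postgres-db-usr tasks hunk that follows (its first task is guarded but the five after it are not, and its password task has no `no_log`).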
@@ -0,0 +1,59 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+---
+- name: ensure pg user "{{pg_name}}" exists
+ become_user: postgres
+ postgresql_user:
+ name: "{{pg_name}}"
+ password: "{{pg_pass}}"
+ conn_limit: "{{pg_conn_limit | default(50)}}"
+ when: pg_name != "" and pg_pass != ""
+
+
+- name: create db "{{pg_name}}"
+ become_user: "postgres"
+ postgresql_db:
+ name: "{{pg_name}}"
+ owner: "{{pg_name}}"
+
+
+- name: set owner of schema "{{pg_name}}.public" to user "{{pg_name}}"
+ become_user: "postgres"
+ postgresql_schema:
+ database: "{{pg_name}}"
+ name: public
+ owner: "{{pg_name}}"
+
+
+- name: revoke privs for PUBLIC on db "{{pg_name}}"
+ become_user: postgres
+ postgresql_privs:
+ db: "{{pg_name}}"
+ state: absent
+ privs: ALL
+ type: database
+ role: public
+
+
+- name: revoke privs for PUBLIC on schema "{{pg_name}}.public"
+ become_user: postgres
+ postgresql_privs:
+ db: "{{pg_name}}"
+ state: absent
+ privs: ALL
+ type: schema
+ objs: public
+ role: public
+
+
+- name: ensure group grp_spectator exists and grant necessary privs on db "{{pg_name}}"
+ become_user: postgres
+ postgresql_user:
+ name: "grp_spectator"
+ role_attr_flags: "NOLOGIN,NOSUPERUSER,INHERIT,NOCREATEDB,NOCREATEROLE,NOREPLICATION"
+ db: "{{pg_name}}"
+ priv: CONNECT,TEMPORARY
--
2.43.0
From 9b5dbd11eb8503011b44a584342f72480d1aa5f3 Mon Sep 17 00:00:00 2001
From: Someone
Date: Mon, 29 Apr 2024 10:46:28 +0200
Subject: [PATCH 16/16] [roles/util] ----- meta ----- No dependencies
---
 roles/util/meta/main.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 roles/util/meta/main.yml
diff --git a/roles/util/meta/main.yml b/roles/util/meta/main.yml
new file mode 100644
index 0000000..b43a681
--- /dev/null
+++ b/roles/util/meta/main.yml
@@ -0,0 +1,10 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+# This is a server role.
+# Dont make dependencies to subroles that are not needed at all servers!
+---
+#dependencies:
--
2.43.0