Handlers; service => systemd; shell => command

ansible.builtin. prefix for modules
Prefix variables with etherpad_
2024-05-08 15:08:28 -04:00 · 2024-05-08 14:24:18 -04:00 · 2024-05-08 14:09:02 -04:00 · 2024-05-08 13:22:42 -04:00 · 2024-05-08 13:22:42 -04:00 · 2024-05-08 13:22:42 -04:00
28 changed files with 1239 additions and 201 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -13,32 +13,22 @@ The **patch** part is incremented if multiple releases happen the same month
 ### Added
 ### Changed
 ### Fixed
 ### Removed
 ### Security
 ## [24.05] 2024-05-15
 ### Added
 * apt: add list-upgradable-held-packages.sh
 ### Changed
-* evobackup-client: upstream release 24.05.1
+* evobackup-client: upstream release 24.05
 * evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers
 * evolinux-users: improve SSH configuration
 * evomaintenance: upstream release 24.05
 * evomaintenance: move upstream files into upstream folder
 ### Fixed
 * apt: use archive.debian.org with Buster
 ### Removed
 ### Security
 ## [24.04] 2024-04-30
 ### Added
--- a/evobackup-client/files/upstream/CHANGELOG.md
+++ b/evobackup-client/files/upstream/CHANGELOG.md
@ -23,12 +23,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Security
 ## [24.05.1] - 2022-05-14
 ### Fixed
 * client: fix shell syntax error
 ## [24.05] - 2022-05-02
 ### Added
--- a/evobackup-client/files/upstream/lib/main.sh
+++ b/evobackup-client/files/upstream/lib/main.sh
@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 # shellcheck disable=SC2034,SC2317
-readonly VERSION="24.05.1"
+readonly VERSION="24.05"
 # set all programs to C language (english)
 export LC_ALL=C
--- a/evobackup-client/files/upstream/lib/utilities.sh
+++ b/evobackup-client/files/upstream/lib/utilities.sh
@ -105,7 +105,7 @@ test_server() {
 pick_server() {
    local -i increment=${1:-0}
    local -i list_length=${#SERVERS[@]}
-    local sync_name=${2:-""}
+    local sync_name=${2:""}
    if (( increment >= list_length )); then
        # We've reached the end of the list
--- a/evomaintenance/files/upstream/evomaintenance.sh
+++ b/evomaintenance/files/upstream/evomaintenance.sh
@ -1,12 +1,12 @@
 #!/bin/sh
-VERSION="24.05"
+VERSION="23.10.1"
 show_version() {
    cat <<END
 evomaintenance version ${VERSION}
-Copyright 2007-2024 Evolix <info@evolix.fr>,
+Copyright 2007-2023 Evolix <info@evolix.fr>,
                    Gregory Colpart <reg@evolix.fr>,
                    Jérémy Lecour <jlecour@evolix.fr>,
                    Brice Waegeneire <bwaegeneire@evolix.fr>,
@ -437,14 +437,6 @@ while :; do
            printf 'ERROR: "--message" requires a non-empty option argument.\n' >&2
            exit 1
            ;;
        --no-evocheck)
            # disable evocheck hook
            EVOCHECK=0
            ;;
        --evocheck)
            # enable evocheck hook
            EVOCHECK=1
            ;;
        --no-commit)
            # disable commit hook
            HOOK_COMMIT=0
@ -589,7 +581,7 @@ GIT_REPOSITORIES="/etc /etc/bind /usr/share/scripts"
 # Add /etc directories from lxc containers if they are git directories
 if [ -d /var/lib/lxc ]; then
-    GIT_REPOSITORIES="${GIT_REPOSITORIES} $(find -L /var/lib/lxc/ -maxdepth 3 -name 'etc' | tr '\n' ' ' | sed 's/[[:space:]]\+$//')"
+    GIT_REPOSITORIES="${GIT_REPOSITORIES} $(find /var/lib/lxc/ -maxdepth 3 -name 'etc' | tr '\n' ' ' | sed 's/[[:space:]]\+$//')"
 fi
 # initialize variable
--- a/evomaintenance/files/evomaintenance.tpl
+++ b/evomaintenance/files/evomaintenance.tpl
@ -0,0 +1,33 @@
 From: __FULLFROM__
 Content-Type: text/plain; charset=UTF-8
 MIME-Version: 1.0
 Content-Transfer-Encoding: 8bit
 To: __TO__
 Subject: [evomaintenance] Intervention sur __HOSTNAME__ (__USER__)
 Bonjour,
 Une intervention vient de se terminer sur votre serveur.
 Voici les renseignements sur l'intervention :
 Nom du serveur : __HOSTNAME__
 Personne ayant réalisée l'intervention : __USER__
 Intervention réalisée depuis : __IP__
 Début de l'intervention : __BEGIN_DATE__
 Fin de l'intervention : __END_DATE__
 ###
 Renseignements sur l'intervention :
 __TEXTE__
 ###
 __GIT_COMMITS__
 Pour réagir à cette intervention, vous pouvez répondre à ce message
 (sur l'adresse mail __FROM__). En cas d'urgence, utilisez
 l'adresse __URGENCYFROM__ ou notre téléphone portable d'astreinte
 (__URGENCYTEL__)
 Cordialement,
 --
 __FULLFROM__
--- a/evomaintenance/files/upstream/CHANGELOG.md
+++ b/evomaintenance/files/upstream/CHANGELOG.md
@ -1,100 +0,0 @@
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project **does not adhere to [Semantic Versioning](http://semver.org/spec/v2.0.0.html)**.
 ## [Unreleased]
 ### Added
 Add missing (but documented) `--(no-)evocheck` options
 ### Changed
 ### Deprecated
 ### Removed
 ### Fixed
 ### Security
 ## [23.10.1] - 2023-10-09
 ### Fixed
 * Use a special variable name since USER is always defined from the environment
 ## [23.10] - 2023-10-09
 ### Added
 * Force a user name with `-u,--user` option (default is still `logname(1)`).
 * More people credited
 ### Deprecated
 * `--autosysadmin` is replaced by `--user autosysadmin`
 ## [22.07] - 2022-07-05
 ### Added
 * Add `--autosysadmin` flag
 * Commit change in /etc of lxc containers
 ### Changed
 ### Deprecated
 ### Removed
 ### Fixed
 ### Security
 ## [22.01] - 2022-01-25
 ### Added
 * version/host/user headers in sent email
 ### Changed
 New version pattern
 ## [0.6.4] - 2021-06-17
 ### Added
 * fallback if findmnt is absent
 ## [0.6.3] - 2020-02-02
 ### Added
 * Notify syslog when partitions are re-mounted (Linux)
 ## [0.6.2] - 2020-02-02
 ### Fixed
 * better detection of read-only partitions (Linux)
 ## [0.6.0] - 2019-11-05
 ### Added
 * commit changes in /usr/share/scripts/ if needed
 ## Previous changelog
 * 0.5.0 : options et mode interactif pour l'exécution des actions, meilleure compatibilité POSIX
 * 0.4.1 : Utilisation de "printf" à la place de "echo" pour mieux gérer les sauts de ligne
 * 0.4.0 : Amélioration de la récupération d'information (plus de cas gérés). Infos Git avant la saisie.
 * 0.3.0 : Écriture dans un fichier de log, amélioration de la récupération d'informations, amélioration de la syntaxe shell
 * 0.2.7 : Correction d'un bug lors de l'utilisation de '&' dans le texte
 * 0.2.6 : Precision du charset dans les entetes du mail
 * 0.2.5 : Correction d'un bug avec le path de sendmail sous OpenBSD
 * 0.2.4 : Correction d'un bug lors de l'utilisation de '/' dans le texte
 * 0.2.3 : Correction d'un bug avec $REALM
--- a/evomaintenance/files/upstream/README.md
+++ b/evomaintenance/files/upstream/README.md
@ -1,30 +0,0 @@
 # Evomaintenance
 ```.plain
 $ evomaintenance --help
 evomaintenance is a program that helps reporting what you've done on a server
 Usage: evomaintenance
  or   evomaintenance --message="add new host"
  or   evomaintenance --no-api --no-mail --no-commit
  or   echo "add new vhost" | evomaintenance
 Options
 -m, --message=MESSAGE       set the message from the command line
     --mail                  enable the mail hook (default)
     --no-mail               disable the mail hook
     --db                    enable the database hook
     --no-db                 disable the database hook (default)
     --api                   enable the API hook (default)
     --no-api                disable the API hook
     --commit                enable the commit hook (default)
     --no-commit             disable the commit hook
     --evocheck              enable evocheck execution (default)
     --no-evocheck           disable evocheck execution
     --auto                  use "auto" mode
     --no-auto               use "manual" mode (default)
 -v, --verbose               increase verbosity
 -n, --dry-run               actions are not executed
     --help                  print this message and exit
     --version               print version and exit
 ```
--- a/evomaintenance/tasks/install_vendor_debian.yml
+++ b/evomaintenance/tasks/install_vendor_debian.yml
@ -35,12 +35,15 @@
 - name: Evomaintenance script and template are installed
  ansible.builtin.copy:
-    src: "upstream/evomaintenance.sh"
+    src: "{{ item.src }}"
-    dest: "/usr/share/scripts/"
+    dest: "{{ item.dest }}"
    owner: root
    group: root
-    mode: "0700"
+    mode: "{{ item.mode }}"
    force: true
    backup: yes
  loop:
    - { src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700' }
    - { src: 'evomaintenance.tpl', dest: '/usr/share/scripts/', mode: '0600' }
  tags:
-    - evomaintenance
+    - evomaintenance
--- a/nodejs/files/nodesource.asc
+++ b/nodejs/files/nodesource.asc
@ -1,29 +1,52 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v1
 Comment: GPGTools - https://gpgtools.org
-mQENBFdDN1ABCADaNd/I3j3tn40deQNgz7hB2NvT+syXe6k4ZmdiEcOfBvFrkS8B
+mQINBFObJLYBEADkFW8HMjsoYRJQ4nCYC/6Eh0yLWHWfCh+/9ZSIj4w/pOe2V6V+
-hNS67t93etHsxEy7E0qwsZH32bKazMqe9zDwoa3aVImryjh6SHC9lMtW27JPHFeM
+W6DHY3kK3a+2bxrax9EqKe7uxkSKf95gfns+I9+R+RJfRpb1qvljURr54y35IZgs
-Srkt9YmH1WMwWcRO6eSY9B3PpazquhnvbammLuUojXRIxkDroy6Fw4UKmUNSRr32
+fMG22Np+TmM2RLgdFCZa18h0+RbH9i0b+ZrB9XPZmLb/h9ou7SowGqQ3wwOtT3Vy
-9Ej87jRoR1B2/57Kfp2Y4+vFGGzSvh3AFQpBHq51qsNHALU6+8PjLfIt+5TPvaWR
+qmif0A2GCcjFTqWW6TXaY8eZJ9BCEqW3k/0Cjw7K/mSy/utxYiUIvZNKgaG/P8U7
-TB+kAZnQZkaIQM2nr1n3oj6ak2RATY/+kjLizgFWzgEfbCrbsyq68UoY5FPBnu4Z
+89QyvxeRxAf93YFAVzMXhoKxu12IuH4VnSwAfb8gQyxKRyiGOUwk0YoBPpqRnMmD
-E3iDZpaIqwKr0seUC7iA1xM5eHi5kty1oB7HABEBAAG0Ik5Tb2xpZCA8bnNvbGlk
+Dl7SdmY3oQHEJzBelTMjTM8AjbB9mWoPBX5G8t4u47/FZ6PgdfmRg9hsKXhkLJc7
-LWdwZ0Bub2Rlc291cmNlLmNvbT6JATgEEwECACIFAldDN1ACGwMGCwkIBwMCBhUI
+C1btblOHNgDx19fzASWX+xOjZiKpP6MkEEzq1bilUFul6RDtxkTWsTa5TGixgCB/
-AgkKCwQWAgMBAh4BAheAAAoJEC9ZtfmbG+C0y7wH/i4xnab36dtrYW7RZwL8i6Sc
+G2fK8I9JL/yQhDc6OGY9mjPOxMb5PgUlT8ox3v8wt25erWj9z30QoEBwfSg4tzLc
-NjMx4j9+U1kr/F6YtqWd+JwCbBdar5zRghxPcYEq/qf7MbgAYcs1eSOuTOb7n7+o
+Jq6N/iepQemNfo6Is+TG+JzI6vhXjlsBm/Xmz0ZiFPPObAH/vGCY5I6886vXQ7ft
-xUwdH2iCtHhKh3Jr2mRw1ks7BbFZPB5KmkxHaEBfLT4d+I91ZuUdPXJ+0SXs9gzk
+qWHYHT8jz/R4tigMGC+tvZ/kcmYBsLCCI5uSEP6JJRQQhHrCvOX0UaytItfsQfLm
-Dbz65Uhoz3W03aiF8HeL5JNARZFMbHHNVL05U1sTGTCOtu+1c/33f3TulQ/XZ3Y4
+EYRd2F72o1yGh3yvWWfDIBXRmaBuIGXGpajC0JyBGSOWb9UxMNZY/2LJEwARAQAB
-hwGCpLe0Tv7g7Lp3iLMZMWYPEa0a7S4u8he5IEJQLd8bE8jltcQvrdr3Fm8kI2Jg
+tB9Ob2RlU291cmNlIDxncGdAbm9kZXNvdXJjZS5jb20+iQI4BBMBAgAiBQJTmyS2
-BJmUmX4PSfhuTCFaR/yeCt3UoW883bs9LfbTzIx9DJGpRIu8Y0IL3b4sj/GoZVq5
+AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAWVaCraFdigHTmD/9OKhUy
-AQ0EV0M3UAEIAKrTaC62ayzqOIPa7nS90BHHck4Z33a2tZF/uof38xNOiyWGhT8u
+jJ+h8gMRg6ri5EQxOExccSRU0i7UHktecSs0DVC4lZG9AOzBe+Q36cym5Z1di6JQ
-JeFoTTHn5SQq5Ftyu4K3K2fbbpuu/APQF05AaljzVkDGNMW4pSkgOasdysj831cu
+kHl69q3zBdV3KTW+H1pdmnZlebYGz8paG9iQ/wS9gpnSeEyx0Enyi167Bzm0O4A1
-ssrHX2RYS22wg80k6C/Hwmh5F45faEuNxsV+bPx7oPUrt5n6GMx84vEP3i1+FDBi
+GK0prkLnz/yROHHEfHjsTgMvFwAnf9uaxwWgE1d1RitIWgJpAnp1DZ5O0uVlsPPm
-0pt/B/QnDFBXki1BGvJ35f5NwDefK8VaInxXP3ZN/WIbtn5dqxppkV/YkO7GiJlp
+XAhuBJ32mU8S5BezPTuJJICwBlLYECGb1Y65Cil4OALU7T7sbUqfLCuaRKxuPtcU
-Jlju9rf3kKUIQzKQWxFsbCAPIHoWv7rH9RSxgDithXtG6Yg5R1aeBbJaPNXL9wpJ
+VnJ6/qiyPygvKZWhV6Od0Yxlyed1kftMJyYoL8kPHfeHJ+vIyt0s7cropfiwXoka
-YBJbiMjkAFaz4B95FOqZm3r7oHugiCGsHX0AEQEAAYkBHwQYAQIACQUCV0M3UAIb
+1iJB5nKyt/eqMnPQ9aRpqkm9ABS/r7AauMA/9RALudQRHBdWIzfIg0Mlqb52yyTI
-DAAKCRAvWbX5mxvgtE/OB/0VN88DR3Y3fuqy7lq/dthkn7Dqm9YXdorZl3L152eE
+IgQJHNGNX1T3z1XgZhI+Vi8SLFFSh8x9FeUZC6YJu0VXXj5iz+eZmk/nYjUt4Mtc
-IF882aG8FE3qZdaLGjQO4oShAyNWmRfSGuoH0XERXAI9n0r8m4mDMxE6rtP7tHet
+pVsVYIB7oIDIbImODm8ggsgrIzqxOzQVP1zsCGek5U6QFc9GYrQ+Wv3/fG8hfkDn
-y/5M8x3CTyuMgx5GLDaEUvBusnTD+/v/fBMwRK/cZ9du5PSG4R50rtst+oYyC2ao
+xXLww0OGaEQxfodm8cLFZ5b8JaG3+Yxfe7JkNclwvRimvlAjqIiW5OK0vvfHco+Y
-x4I2SgjtF/cY7bECsZDplzatN3gv34PkcdIg8SLHAVlL4N5tzumDeizRspcSyoy2
+gANhQrlMnTx//IdZssaxvYytSHpPZTYw+qPEjbBJOLpoLrz8ZafN1uekpAqQjffI
-K2+hwKU4C4+dekLLTg8rjnRROvplV2KtaEk6rxKtIRFDCoQng8wfJuIMrDNKvqZw
+AOqW9SdIzq/kSHgl0bzWbPJPw86XzzftewjKNbkCDQRTmyS2ARAAxSSdQi+WpPQZ
-FRGt7cbvW5MCnuH8MhItOl9Uxp1wHp6gtav/h8Gp6MBa
+fOflkx9sYJa0cWzLl2w++FQnZ1Pn5F09D/kPMNh4qOsyvXWlekaV/SseDZtVziHJ
-=MARt
+Km6V8TBG3flmFlC3DWQfNNFwn5+pWSB8WHG4bTA5RyYEEYfpbekMtdoWW/Ro8Kmh
 41nuxZDSuBJhDeFIp0ccnN2Lp1o6XfIeDYPegyEPSSZqrudfqLrSZhStDlJgXjea
 JjW6UP6txPtYaaila9/Hn6vF87AQ5bR2dEWB/xRJzgNwRiax7KSU0xca6xAuf+TD
 xCjZ5pp2JwdCjquXLTmUnbIZ9LGV54UZ/MeiG8yVu6pxbiGnXo4Ekbk6xgi1ewLi
 vGmz4QRfVklV0dba3Zj0fRozfZ22qUHxCfDM7ad0eBXMFmHiN8hg3IUHTO+UdlX/
 aH3gADFAvSVDv0v8t6dGc6XE9Dr7mGEFnQMHO4zhM1HaS2Nh0TiL2tFLttLbfG5o
 QlxCfXX9/nasj3K9qnlEg9G3+4T7lpdPmZRRe1O8cHCI5imVg6cLIiBLPO16e0fK
 yHIgYswLdrJFfaHNYM/SWJxHpX795zn+iCwyvZSlLfH9mlegOeVmj9cyhN/VOmS3
 QRhlYXoA2z7WZTNoC6iAIlyIpMTcZr+ntaGVtFOLS6fwdBqDXjmSQu66mDKwU5Ek
 fNlbyrpzZMyFCDWEYo4AIR/18aGZBYUAEQEAAYkCHwQYAQIACQUCU5sktgIbDAAK
 CRAWVaCraFdigIPQEACcYh8rR19wMZZ/hgYv5so6Y1HcJNARuzmffQKozS/rxqec
 0xM3wceL1AIMuGhlXFeGd0wRv/RVzeZjnTGwhN1DnCDy1I66hUTgehONsfVanuP1
 PZKoL38EAxsMzdYgkYH6T9a4wJH/IPt+uuFTFFy3o8TKMvKaJk98+Jsp2X/QuNxh
 qpcIGaVbtQ1bn7m+k5Qe/fz+bFuUeXPivafLLlGc6KbdgMvSW9EVMO7yBy/2JE15
 ZJgl7lXKLQ31VQPAHT3an5IV2C/ie12eEqZWlnCiHV/wT+zhOkSpWdrheWfBT+ac
 hR4jDH80AS3F8jo3byQATJb3RoCYUCVc3u1ouhNZa5yLgYZ/iZkpk5gKjxHPudFb
 DdWjbGflN9k17VCf4Z9yAb9QMqHzHwIGXrb7ryFcuROMCLLVUp07PrTrRxnO9A/4
 xxECi0l/BzNxeU1gK88hEaNjIfviPR/h6Gq6KOcNKZ8rVFdwFpjbvwHMQBWhrqfu
 G3KaePvbnObKHXpfIKoAM7X2qfO+IFnLGTPyhFTcrl6vZBTMZTfZiC1XDQLuGUnd
 sckuXINIU3DFWzZGr0QrqkuE/jyr7FXeUJj9B7cLo+s/TXo+RaVfi3kOc9BoxIvy
 /qiNGs/TKy2/Ujqp/affmIMoMXSozKmga81JSwkADO1JMgUy6dApXz9kP4EE3g==
 =CLGF
 -----END PGP PUBLIC KEY BLOCK-----
--- a/nodejs/tasks/main.yml
+++ b/nodejs/tasks/main.yml
@ -24,7 +24,7 @@
 - name: Add NodeJS repository (Debian <12)
  ansible.builtin.apt_repository:
-    repo: "deb [signed-by={{ apt_keyring_dir }}/nodesource.asc] https://deb.nodesource.com/{{ nodejs_apt_version }} nodistro main"
+    repo: "deb [signed-by={{ apt_keyring_dir }}/nodesource.asc] https://deb.nodesource.com/{{ nodejs_apt_version }} {{ ansible_distribution_release }} main"
    filename: nodesource
    update_cache: yes
    state: present
--- a/nodejs/templates/nodesource.sources.j2
+++ b/nodejs/templates/nodesource.sources.j2
@ -2,7 +2,7 @@
 Types: deb
 URIs: https://deb.nodesource.com/{{ nodejs_apt_version }}
-Suites: nodistro
+Suites: {{ ansible_distribution_release }}
 Components: main
 Signed-by: {{ apt_keyring_dir }}/nodesource.asc
-Enabled: yes
+Enabled: yes
--- a/vrrpd/tasks/ip.yml
+++ b/vrrpd/tasks/ip.yml
@ -31,11 +31,11 @@
    marker: "## {mark} ANSIBLE MANAGED INPUT RULES FOR VRID {{ vrrp_address.id }}"
    block: |
      {% if vrrp_address.peers | default([]) | length <= 0 %}
-      /sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} for VRID {{ vrrp_address.id }}
+        /sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} for VRID {{ vrrp_address.id }}
      {% else %}
-      {% for peer in vrrp_address.peers %}
+        {% for peer in vrrp_address.peers %}
-      /sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -s {{ peer }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}
+          /sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -s {{ peer }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}
-      {% endfor %}
+        {% endfor %}
      {% endif %}
    create: yes
    mode: "0600"
--- a/webapps/etherpad/LISEZMOI.md
+++ b/webapps/etherpad/LISEZMOI.md
@ -0,0 +1,58 @@
 etherpad
 =========
 Ce rôle installe le serveur d'Etherpad, une application rédaction collaborative en temps-réel. 
 Notez qu'hormis le présent fichier LISEZMOI.md, tous les fichiers du rôle etherpad sont rédigés en anglais afin de suivre les conventions de la communauté Ansible, favoriser sa réutilisation et son amélioration, etc. Libre à vous cependant de faire appel à ce role dans un playbook rédigé principalement en français ou toute autre langue.
 Requis
 ------
 ...
 Variables du rôle
 -----------------
 Plusieurs des valeurs par défaut dans defaults/main.yml doivent être changées soit directement dans defaults/main.yml ou mieux encore en les supplantant ailleurs, par exemple dans votre playbook (voir l'exemple ci-bas).
 Dépendances
 ------------
 Ce rôle Ansible dépend des rôles suivants :
 - nodejs
 Exemple de playbook
 -------------------
 ```
 - name: "Déployer un serveur Etherpad"
  hosts: 
    - all
  vars:
    # Supplanter ici les variables du rôle
    service: 'mon-etherpad'
    etherpad_domains: ['votre-vrai-domaine.org']
    etherpad_db_host: 'localhost'
    etherpad_db_user: "{{ service }}"
    etherpad_db_name: "{{ service }}"
    etherpad_db_password: 'zKEh-CHANGEZ-MOI-qIKc'
  pre_tasks:
    - name: "Installer les rôles systèmes"
      roles:
        - { role: nodejs, nodejs_apt_version: "{{ etherpad_node_version }}" }
  roles:
    - { role: webapps/etherpad , tags: "etherpad" }
 ```
 Licence
 -------
 GPLv3
 Infos sur l'auteur
 ------------------
 Mathieu Gauthier-Pilote, administrateur de systèmes chez Evolix.
--- a/webapps/etherpad/README.md
+++ b/webapps/etherpad/README.md
@ -0,0 +1,58 @@
 etherpad
 =========
 This role installs or upgrades the server for the real-time collaborative editor Etherpad. 
 FRENCH: Voir le fichier LISEZMOI.md pour le français.
 Requirements
 ------------
 ...
 Role Variables
 --------------
 Several of the default values in defaults/main.yml must be changed either directly in defaults/main.yml or better even by overwriting them somewhere else, for example in your playbook (see the example below).
 Dependencies
 ------------
 This Ansible role depends on the following other roles:
 - nodejs
 Example Playbook
 ----------------
 ```
 - name: "Deploy an Etherpad server"
  hosts: 
    - all
  vars:
    # Overwrite the role variable here
    service: 'my-etherpad'
    etherpad_domains: ['your-real-domain.org']
    etherpad_db_host: 'localhost'
    etherpad_db_user: "{{ service }}"
    etherpad_db_name: "{{ service }}"
    etherpad_db_password: 'zKEh-CHANGE-ME-qIKc'
  pre_tasks:
    - name: "Install system roles"
      roles:
        - { role: nodejs, nodejs_apt_version: "{{ etherpad_node_version }}" }
  roles:
    - { role: webapps/etherpad , tags: "etherpad" }
 ```
 License
 -------
 GPLv3
 Author Information
 ------------------
 Mathieu Gauthier-Pilote, sys. admin. at Evolix.
--- a/webapps/etherpad/defaults/main.yml
+++ b/webapps/etherpad/defaults/main.yml
@ -0,0 +1,28 @@
 ---
 # defaults file for etherpad
 service: 'example'
 etherpad_system_dep: "['apt-transport-https', 'mariadb-server', 'python3-mysqldb', 'nginx', 'ssl-cert', 'git', 'wget', 'certbot', 'npm']"
 etherpad_git_url: 'https://github.com/ether/etherpad-lite.git'
 etherpad_git_version: '1.8.18'
 etherpad_node_version: 'node_18.x'
 etherpad_node_port: '9001'
 etherpad_domains: ['example.domain.org']
 etherpad_certbot_admin_email: 'mgauthier@evolix.ca'
 etherpad_db_host: '127.0.0.1'
 etherpad_db_port: '3306'
 etherpad_db_user: "{{ service }}"
 etherpad_db_name: "{{ service }}"
 etherpad_db_password: 'CHANGE_ME'
 etherpad_app_ip: '127.0.0.1'
 etherpad_app_title: 'My Etherpad'
 etherpad_app_db_type: 'mysql'
 etherpad_app_skin_name: 'colibris'
 etherpad_app_skin_variants: 'super-light-toolbar super-light-editor light-background'
 etherpad_app_trust_proxy: 'true'
 etherpad_app_require_authentication: 'false'
 etherpad_app_require_authorization: 'true'
 etherpad_app_admin_password: 'CHANGE_ME_TOO'
 etherpad_app_default_pad_text: 'Bienvenue sur Etherpad !\n\nLe texte de ce bloc-notes est synchronisé sur le serveur au fur et à mesure que vous tapez, de sorte que toutes les personnes qui consultent cette page voient le même texte. Cela vous permet de collaborer de manière transparente et collaborative sur des documents !\n\nParticipez à Etherpad sur https:\/\/etherpad.org\n'
 etherpad_app_file_ends: 'false'
--- a/webapps/etherpad/handlers/main.yml
+++ b/webapps/etherpad/handlers/main.yml
@ -0,0 +1,11 @@
 ---
 # handlers file for etherpad
 - name: reload nginx
  ansible.builtin.systemd:
    name: nginx
    state: reloaded
 - name: restart etherpad
  ansible.builtin.systemd:
    name: "{{ service }}.service"
    state: restarted
--- a/webapps/etherpad/meta/main.yml
+++ b/webapps/etherpad/meta/main.yml
@ -0,0 +1,52 @@
 galaxy_info:
  author: Mathieu Gauthier-Pilote
  description: sys. admin.
  company: Evolix
  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  # issue_tracker_url: http://example.com/issue/tracker
  # Choose a valid license ID from https://spdx.org - some suggested licenses:
  # - BSD-3-Clause (default)
  # - MIT
  # - GPL-2.0-or-later
  # - GPL-3.0-only
  # - Apache-2.0
  # - CC-BY-4.0
  license: license GPL-3.0-only
  min_ansible_version: 2.10
  # If this a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:
  #
  # Provide a list of supported platforms, and for each platform a list of versions.
  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
  # To view available platforms and versions (or releases), visit:
  # https://galaxy.ansible.com/api/v1/platforms/
  #
  # platforms:
  # - name: Fedora
  #   versions:
  #   - all
  #   - 25
  # - name: SomePlatform
  #   versions:
  #   - all
  #   - 1.0
  #   - 7
  #   - 99.99
  galaxy_tags: []
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
    #
    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
    #       Maximum 20 tags per role.
 dependencies: []
  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
  # if you add dependencies to this list.
--- a/webapps/etherpad/tasks/main.yml
+++ b/webapps/etherpad/tasks/main.yml
@ -0,0 +1,131 @@
 ---
 # tasks file for etherpad install
 - name: Install main system dependencies
  ansible.builtin.apt:
    name: "{{ etherpad_system_dep }}"
    update_cache: yes
 - name: Add UNIX account
  ansible.builtin.user:
    name: "{{ service }}"
    shell: /bin/bash
 - name: Add database
  ansible.builtin.mysql_db:
    name: "{{ etherpad_db_name }}"
 - name: Add database user
  ansible.builtin.mysql_user:
    name: "{{ etherpad_db_user }}"
    password: "{{ etherpad_db_password }}"
    priv: "{{ etherpad_db_name }}.*:{{privileges |default('SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,INDEX,ALTER,CREATE TEMPORARY TABLES')}}"
    update_password: on_create
 - name: Clone etherpad repo (git)
  ansible.builtin.git:
    repo: "{{ etherpad_git_url }}"
    dest: "~/etherpad-lite/"
    version: "{{ etherpad_git_version | default(omit) }}"
    update: yes
    force: true
    umask: '0022'
  become_user: "{{ service }}"
 - name: Fix run.sh so it does not start etherpad at the end
  ansible.builtin.lineinfile: 
    path: "~/etherpad-lite/src/bin/run.sh"
    state: absent
    regexp: 'exec node src/node/server.js'
  become_user: "{{ service }}"
 - name: Run setup
  ansible.builtin.shell: "src/bin/run.sh"
  args:
    chdir: "~/etherpad-lite"
  become_user: "{{ service }}"
 - name: Template json config file
  ansible.builtin.template:
    src: "settings.json.j2"
    dest: "~{{ service }}/etherpad-lite/settings.json"
    owner: "{{ service }}"
    group: "{{ service }}"
    mode: "0640"
 - name: Add systemd unit
  ansible.builtin.template:
    src: "etherpad.service.j2"
    dest: "/etc/systemd/system/{{ service }}.service"
 - name: Enable systemd unit
  ansible.builtin.systemd:
    name: "{{ service }}.service"
    enabled: yes
    daemon_reload: yes
  notify: 
    - restart etherpad
 - name: Template nginx snippet for Let's Encrypt/Certbot
  ansible.builtin.template: 
    src: "letsencrypt.conf.j2"
    dest: "/etc/nginx/snippets/letsencrypt.conf"
 - name: Check if SSL certificate is present and register result
  ansible.builtin.stat:
    path: "/etc/letsencrypt/live/{{ etherpad_domains |first }}/fullchain.pem"
  register: ssl
 - name: Generate certificate only if required (first time)
  block:
  - name: Template vhost without SSL for successfull LE challengce
    ansible.builtin.template: 
      src: "vhost.conf.j2"
      dest: "/etc/nginx/sites-available/{{ service }}.conf"
  - name: Enable temporary nginx vhost for LE
    ansible.builtin.file:
      src: "/etc/nginx/sites-available/{{ service }}.conf"
      dest: "/etc/nginx/sites-enabled/{{ service }}.conf"
      state: link
    notify: 
      - reload nginx
  - name: Flush handlers
    ansible.builtin.meta: flush_handlers
  - name: Make sure /var/lib/letsencrypt exists and has correct permissions
    ansible.builtin.file: 
      path: /var/lib/letsencrypt
      state: directory
      mode: '0755'
  - name: Generate certificate with certbot
    ansible.builtin.command:
      cmd: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ etherpad_certbot_admin_email }} -d {{ etherpad_domains |first }}
  - name: Create the ssl dir if needed
    ansible.builtin.file:
      path: /etc/nginx/ssl
      state: directory
      mode: '0750'
  - name: Template ssl bloc for nginx vhost
    ansible.builtin.template: 
      src: "ssl.conf.j2"
      dest: "/etc/nginx/ssl/{{ etherpad_domains |first }}.conf"
  when: ssl.stat.exists != true
 - name: (Re)check if SSL certificate is present and register result
  ansible.builtin.stat:
    path: "/etc/letsencrypt/live/{{ etherpad_domains |first }}/fullchain.pem"
  register: ssl
 - name: (Re)template conf file for nginx vhost with SSL
  ansible.builtin.template:
    src: "vhost.conf.j2"
    dest: "/etc/nginx/sites-available/{{ service }}.conf"
  notify: 
    - reload nginx
 - name: Enable nginx vhost for etherpad
  ansible.builtin.file:
    src: "/etc/nginx/sites-available/{{ service }}.conf"
    dest: "/etc/nginx/sites-enabled/{{ service }}.conf"
    state: link
  notify: 
    - reload nginx
--- a/webapps/etherpad/tasks/upgrade.yml
+++ b/webapps/etherpad/tasks/upgrade.yml
@ -0,0 +1,52 @@
 ---
 # tasks file for etherpad upgrade
 - name: Dump database to a file with compression
  ansible.builtin.mysql_db:
    name: "{{ service }}"
    state: dump
    target: "~/{{ service }}.sql.gz"
 - name: Stop service
  ansible.builtin.systemd:
    name: "{{ service }}.service"
    state: stopped
 - name: Clone etherpad repo (git)
  ansible.builtin.git:
    repo: "{{ etherpad_git_url }}"
    dest: "~/etherpad-lite/"
    version: "{{ etherpad_git_version }}"
    update: yes
    force: true
  become_user: "{{ service }}"
 - name: Fix run.sh so it does not start etherpad at the end
  ansible.builtin.lineinfile: 
    path: "~/etherpad-lite/src/bin/run.sh"
    state: absent
    regexp: 'exec node src/node/server.js'
  become_user: "{{ service }}"
 - name: Run setup
  ansible.builtin.shell: "src/bin/run.sh"
  args:
    chdir: "~/etherpad-lite"
  become_user: "{{ service }}"
 - name: Start service
  ansible.builtin.systemd:
    name: "{{ service }}.service"
    state: started
 - name: Define variable to skip next task by default
  ansible.builtin.set_fact:
    keep_db_dump: true
 - name: Remove database dump
  ansible.builtin.file:
    path: "~/{{ service }}.sql.gz"
    state: absent
  when: keep_db_dump is undefined
  tags: clean
  notify: reload nginx
--- a/webapps/etherpad/templates/etherpad.service.j2
+++ b/webapps/etherpad/templates/etherpad.service.j2
@ -0,0 +1,17 @@
 [Unit]
 Description=Etherpad - open source online editor for real-time collaborative editing.
 Documentation=https://etherpad.org/doc/v1.8.18/
 After=network.target
 After=mariadb.service
 [Service]
 Type=simple
 Environment=NODE_ENV=production
 ExecStart=/usr/bin/node --experimental-worker /home/{{service}}/etherpad-lite/node_modules/ep_etherpad-lite/node/server.js
 Restart=always
 User={{service}}
 Group={{service}}
 WorkingDirectory=/home/{{service}}/etherpad-lite
 [Install]
 WantedBy=multi-user.target
--- a/webapps/etherpad/templates/letsencrypt.conf.j2
+++ b/webapps/etherpad/templates/letsencrypt.conf.j2
@ -0,0 +1,5 @@
 location ~ /.well-known/acme-challenge {
  alias /var/lib/letsencrypt/;
  try_files $uri =404;
  allow all;
 }
--- a/webapps/etherpad/templates/settings.json.j2
+++ b/webapps/etherpad/templates/settings.json.j2
@ -0,0 +1,641 @@
 /*
 * This file must be valid JSON. But comments are allowed
 *
 * Please edit settings.json, not settings.json.template
 *
 * Please note that starting from Etherpad 1.6.0 you can store DB credentials in
 * a separate file (credentials.json).
 *
 *
 * ENVIRONMENT VARIABLE SUBSTITUTION
 * =================================
 *
 * All the configuration values can be read from environment variables using the
 * syntax "${ENV_VAR}" or "${ENV_VAR:default_value}".
 *
 * This is useful, for example, when running in a Docker container.
 *
 * DETAILED RULES:
 *   - If the environment variable is set to the string "true" or "false", the
 *     value becomes Boolean true or false.
 *   - If the environment variable is set to the string "null", the value
 *     becomes null.
 *   - If the environment variable is set to the string "undefined", the setting
 *     is removed entirely, except when used as the member of an array in which
 *     case it becomes null.
 *   - If the environment variable is set to a string representation of a finite
 *     number, the string is converted to that number.
 *   - If the environment variable is set to any other string, including the
 *     empty string, the value is that string.
 *   - If the environment variable is unset and a default value is provided, the
 *     value is as if the environment variable was set to the provided default:
 *       - "${UNSET_VAR:}" becomes the empty string.
 *       - "${UNSET_VAR:foo}" becomes the string "foo".
 *       - "${UNSET_VAR:true}" and "${UNSET_VAR:false}" become true and false.
 *       - "${UNSET_VAR:null}" becomes null.
 *       - "${UNSET_VAR:undefined}" causes the setting to be removed (or be set
 *         to null, if used as a member of an array).
 *   - If the environment variable is unset and no default value is provided,
 *     the value becomes null. THIS BEHAVIOR MAY CHANGE IN A FUTURE VERSION OF
 *     ETHERPAD; if you want the default value to be null, you should explicitly
 *     specify "null" as the default value.
 *
 * EXAMPLE:
 *    "port":     "${PORT:9001}"
 *    "minify":   "${MINIFY}"
 *    "skinName": "${SKIN_NAME:colibris}"
 *
 * Would read the configuration values for those items from the environment
 * variables PORT, MINIFY and SKIN_NAME.
 *
 * If PORT and SKIN_NAME variables were not defined, the default values 9001 and
 * "colibris" would be used.
 * The configuration value "minify", on the other hand, does not have a
 * designated default value. Thus, if the environment variable MINIFY were
 * undefined, "minify" would be null.
 *
 * REMARKS:
 * 1) please note that variable substitution always needs to be quoted.
 *
 *    "port":     9001,            <-- Literal values. When not using
 *    "minify":   false                substitution, only strings must be
 *    "skinName": "colibris"           quoted. Booleans and numbers must not.
 *
 *    "port":     "${PORT:9001}"   <-- CORRECT: if you want to use a variable
 *    "minify":   "${MINIFY:true}"     substitution, put quotes around its name,
 *    "skinName": "${SKIN_NAME}"       even if the required value is a number or
 *                                     a boolean.
 *                                     Etherpad will take care of rewriting it
 *                                     to the proper type if necessary.
 *
 *    "port":     ${PORT:9001}     <-- ERROR: this is not valid json. Quotes
 *    "minify":   ${MINIFY}            around variable names are missing.
 *    "skinName": ${SKIN_NAME}
 *
 * 2) Beware of undefined variables and default values: nulls and empty strings
 *    are different!
 *
 *    This is particularly important for user's passwords (see the relevant
 *    section):
 *
 *    "password": "${PASSW}"  // if PASSW is not defined would result in password === null
 *    "password": "${PASSW:}" // if PASSW is not defined would result in password === ''
 *
 *    If you want to use an empty value (null) as default value for a variable,
 *    simply do not set it, without putting any colons: "${ABIWORD}".
 *
 * 3) if you want to use newlines in the default value of a string parameter,
 *    use "\n" as usual.
 *
 *    "defaultPadText" : "${DEFAULT_PAD_TEXT}Line 1\nLine 2"
 */
 {
  /*
   * Name your instance!
   */
  "title": "{{ etherpad_app_title }}",
  /*
   * Pathname of the favicon you want to use. If null, the skin's favicon is
   * used if one is provided by the skin, otherwise the default Etherpad favicon
   * is used. If this is a relative path it is interpreted as relative to the
   * Etherpad root directory.
   */
  "favicon": null,
  /*
   * Skin name.
   *
   * Its value has to be an existing directory under src/static/skins.
   * You can write your own, or use one of the included ones:
   *
   * - "no-skin":  an empty skin (default). This yields the unmodified,
   *               traditional Etherpad theme.
   * - "colibris": the new experimental skin (since Etherpad 1.8), candidate to
   *               become the default in Etherpad 2.0
   */
  "skinName": "{{ etherpad_app_skin_name }}",
  /*
   * Skin Variants
   *
   * Use the UI skin variants builder at /p/test#skinvariantsbuilder
   *
   * For the colibris skin only, you can choose how to render the three main
   * containers:
   * - toolbar (top menu with icons)
   * - editor (containing the text of the pad)
   * - background (area outside of editor, mostly visible when using page style)
   *
   * For each of the 3 containers you can choose 4 color combinations:
   * super-light, light, dark, super-dark.
   *
   * For example, to make the toolbar dark, you will include "dark-toolbar" into
   * skinVariants.
   *
   * You can provide multiple skin variants separated by spaces. Default
   * skinVariant is "super-light-toolbar super-light-editor light-background".
   *
   * For the editor container, you can also make it full width by adding
   * "full-width-editor" variant (by default editor is rendered as a page, with
   * a max-width of 900px).
   */
  "skinVariants": "{{ etherpad_app_skin_variants }}",
  /*
   * IP and port which Etherpad should bind at.
   *
   * Binding to a Unix socket is also supported: just use an empty string for
   * the ip, and put the full path to the socket in the port parameter.
   *
   * EXAMPLE USING UNIX SOCKET:
   *    "ip": "",                             // <-- has to be an empty string
   *    "port" : "/somepath/etherpad.socket", // <-- path to a Unix socket
   */
  "ip": "{{ etherpad_app_ip }}",
  "port": {{ etherpad_node_port }},
  /*
   * Option to hide/show the settings.json in admin page.
   *
   * Default option is set to true
   */
  "showSettingsInAdminPage": true,
  /*
   * Node native SSL support
   *
   * This is disabled by default.
   * Make sure to have the minimum and correct file access permissions set so
   * that the Etherpad server can access them
   */
  /*
  "ssl" : {
            "key"  : "/path-to-your/epl-server.key",
            "cert" : "/path-to-your/epl-server.crt",
            "ca": ["/path-to-your/epl-intermediate-cert1.crt", "/path-to-your/epl-intermediate-cert2.crt"]
          },
  */
  /*
   * The type of the database.
   *
   * You can choose between many DB drivers, for example: dirty, postgres,
   * sqlite, mysql.
   *
   * You shouldn't use "dirty" for for anything else than testing or
   * development.
   *
   *
   * Database specific settings are dependent on dbType, and go in dbSettings.
   * Remember that since Etherpad 1.6.0 you can also store this information in
   * credentials.json.
   *
   * For a complete list of the supported drivers, please refer to:
   * https://www.npmjs.com/package/ueberdb2
   */
  /*
  "dbType": "dirty",
  "dbSettings": {
    "filename": "var/dirty.db"
  },
  */
  /*
   * An Example of MySQL Configuration (commented out).
   *
   * See: https://github.com/ether/etherpad-lite/wiki/How-to-use-Etherpad-Lite-with-MySQL
   */
  "dbType" : "mysql",
  "dbSettings" : {
    "user":     "{{ etherpad_db_user }}",
    "host":     "{{ etherpad_db_host }}",
    "port":     "{{ etherpad_db_port }}",
    "password": "{{ etherpad_db_password }}",
    "database": "{{ etherpad_db_name }}",
    "charset":  "utf8mb4"
  },
  /*
   * The default text of a pad
   */
  "defaultPadText" : "{{ etherpad_app_default_pad_text }}",
  /*
   * Default Pad behavior.
   *
   * Change them if you want to override.
   */
  "padOptions": {
    "noColors":         false,
    "showControls":     true,
    "showChat":         true,
    "showLineNumbers":  true,
    "useMonospaceFont": false,
    "userName":         null,
    "userColor":        null,
    "rtl":              false,
    "alwaysShowChat":   false,
    "chatAndUsers":     false,
    "lang":             null
  },
  /*
   * Pad Shortcut Keys
   */
  "padShortcutEnabled" : {
    "altF9":     true, /* focus on the File Menu and/or editbar */
    "altC":      true, /* focus on the Chat window */
    "cmdShift2": true, /* shows a gritter popup showing a line author */
    "delete":    true,
    "return":    true,
    "esc":       true, /* in mozilla versions 14-19 avoid reconnecting pad */
    "cmdS":      true, /* save a revision */
    "tab":       true, /* indent */
    "cmdZ":      true, /* undo/redo */
    "cmdY":      true, /* redo */
    "cmdI":      true, /* italic */
    "cmdB":      true, /* bold */
    "cmdU":      true, /* underline */
    "cmd5":      true, /* strike through */
    "cmdShiftL": true, /* unordered list */
    "cmdShiftN": true, /* ordered list */
    "cmdShift1": true, /* ordered list */
    "cmdShiftC": true, /* clear authorship */
    "cmdH":      true, /* backspace */
    "ctrlHome":  true, /* scroll to top of pad */
    "pageUp":    true,
    "pageDown":  true
  },
  /*
   * Should we suppress errors from being visible in the default Pad Text?
   */
  "suppressErrorsInPadText": false,
  /*
   * If this option is enabled, a user must have a session to access pads.
   * This effectively allows only group pads to be accessed.
   */
  "requireSession": false,
  /*
   * Users may edit pads but not create new ones.
   *
   * Pad creation is only via the API.
   * This applies both to group pads and regular pads.
   */
  "editOnly": false,
  /*
   * If true, all css & js will be minified before sending to the client.
   *
   * This will improve the loading performance massively, but makes it difficult
   * to debug the javascript/css
   */
  "minify": true,
  /*
   * How long may clients use served javascript code (in seconds)?
   *
   * Not setting this may cause problems during deployment.
   * Set to 0 to disable caching.
   */
  "maxAge": 21600, // 60 * 60 * 6 = 6 hours
  /*
   * Absolute path to the Abiword executable.
   *
   * Abiword is needed to get advanced import/export features of pads. Setting
   * it to null disables Abiword and will only allow plain text and HTML
   * import/exports.
   */
  "abiword": null,
  /*
   * This is the absolute path to the soffice executable.
   *
   * LibreOffice can be used in lieu of Abiword to export pads.
   * Setting it to null disables LibreOffice exporting.
   */
  "soffice": null,
  /*
   * Allow import of file types other than the supported ones:
   * txt, doc, docx, rtf, odt, html & htm
   */
  "allowUnknownFileEnds": {{ etherpad_app_file_ends }},
  /*
   * This setting is used if you require authentication of all users.
   *
   * Note: "/admin" always requires authentication.
   */
  "requireAuthentication": {{ etherpad_app_require_authentication }},
  /*
   * Require authorization by a module, or a user with is_admin set, see below.
   */
  "requireAuthorization": {{ etherpad_app_require_authorization }},
  /*
   * When you use NGINX or another proxy/load-balancer set this to true.
   *
   * This is especially necessary when the reverse proxy performs SSL
   * termination, otherwise the cookies will not have the "secure" flag.
   *
   * The other effect will be that the logs will contain the real client's IP,
   * instead of the reverse proxy's IP.
   */
  "trustProxy": {{ etherpad_app_trust_proxy }},
  /*
   * Settings controlling the session cookie issued by Etherpad.
   */
  "cookie": {
    /*
     * How often (in milliseconds) the key used to sign the express_sid cookie
     * should be rotated. Long rotation intervals reduce signature verification
     * overhead (because there are fewer historical keys to check) and database
     * load (fewer historical keys to store, and less frequent queries to
     * get/update the keys). Short rotation intervals are slightly more secure.
     *
     * Multiple Etherpad processes sharing the same database (table) is
     * supported as long as the clock sync error is significantly less than this
     * value.
     *
     * Key rotation can be disabled (not recommended) by setting this to 0 or
     * null, or by disabling session expiration (see sessionLifetime).
     */
    "keyRotationInterval": 86400000, // = 1d * 24h/d * 60m/h * 60s/m * 1000ms/s
    /*
     * Value of the SameSite cookie property. "Lax" is recommended unless
     * Etherpad will be embedded in an iframe from another site, in which case
     * this must be set to "None". Note: "None" will not work (the browser will
     * not send the cookie to Etherpad) unless https is used to access Etherpad
     * (either directly or via a reverse proxy with "trustProxy" set to true).
     *
     * "Strict" is not recommended because it has few security benefits but
     * significant usability drawbacks vs. "Lax". See
     * https://stackoverflow.com/q/41841880 for discussion.
     */
    "sameSite": "Lax",
    /*
     * How long (in milliseconds) after navigating away from Etherpad before the
     * user is required to log in again. (The express_sid cookie is set to
     * expire at time now + sessionLifetime when first created, and its
     * expiration time is periodically refreshed to a new now + sessionLifetime
     * value.) If requireAuthentication is false then this value does not really
     * matter.
     *
     * The "best" value depends on your users' usage patterns and the amount of
     * convenience you desire. A long lifetime is more convenient (users won't
     * have to log back in as often) but has some drawbacks:
     *   - It increases the amount of state kept in the database.
     *   - It might weaken security somewhat: The cookie expiration is refreshed
     *     indefinitely without consulting authentication or authorization
     *     hooks, so once a user has accessed a pad, the user can continue to
     *     use the pad until the user leaves for longer than sessionLifetime.
     *   - More historical keys (sessionLifetime / keyRotationInterval) must be
     *     checked when verifying signatures.
     *
     * Session lifetime can be set to infinity (not recommended) by setting this
     * to null or 0. Note that if the session does not expire, most browsers
     * will delete the cookie when the browser exits, but a session record is
     * kept in the database forever.
     */
    "sessionLifetime": 864000000, // = 10d * 24h/d * 60m/h * 60s/m * 1000ms/s
    /*
     * How long (in milliseconds) before the expiration time of an active user's
     * session is refreshed (to now + sessionLifetime). This setting affects the
     * following:
     *   - How often a new session expiration time will be written to the
     *     database.
     *   - How often each user's browser will ping the Etherpad server to
     *     refresh the expiration time of the session cookie.
     *
     * High values reduce the load on the database and the load from browsers,
     * but can shorten the effective session lifetime if Etherpad is restarted
     * or the user navigates away.
     *
     * Automatic session refreshes can be disabled (not recommended) by setting
     * this to null.
     */
    "sessionRefreshInterval": 86400000 // = 1d * 24h/d * 60m/h * 60s/m * 1000ms/s
  },
  /*
   * Privacy: disable IP logging
   */
  "disableIPlogging": false,
  /*
   * Time (in seconds) to automatically reconnect pad when a "Force reconnect"
   * message is shown to user.
   *
   * Set to 0 to disable automatic reconnection.
   */
  "automaticReconnectionTimeout": 0,
  /*
   * By default, when caret is moved out of viewport, it scrolls the minimum
   * height needed to make this line visible.
   */
  "scrollWhenFocusLineIsOutOfViewport": {
    /*
     * Percentage of viewport height to be additionally scrolled.
     *
     * E.g.: use "percentage.editionAboveViewport": 0.5, to place caret line in
     *       the middle of viewport, when user edits a line above of the
     *       viewport
     *
     * Set to 0 to disable extra scrolling
     */
    "percentage": {
      "editionAboveViewport": 0,
      "editionBelowViewport": 0
    },
    /*
     * Time (in milliseconds) used to animate the scroll transition.
     * Set to 0 to disable animation
     */
    "duration": 0,
    /*
     * Flag to control if it should scroll when user places the caret in the
     * last line of the viewport
     */
    "scrollWhenCaretIsInTheLastLineOfViewport": false,
    /*
     * Percentage of viewport height to be additionally scrolled when user
     * presses arrow up in the line of the top of the viewport.
     *
     * Set to 0 to let the scroll to be handled as default by Etherpad
     */
    "percentageToScrollWhenUserPressesArrowUp": 0
  },
  /*
   * User accounts. These accounts are used by:
   *   - default HTTP basic authentication if no plugin handles authentication
   *   - some but not all authentication plugins
   *   - some but not all authorization plugins
   *
   * User properties:
   *   - password: The user's password. Some authentication plugins will ignore
   *     this.
   *   - is_admin: true gives access to /admin. Defaults to false. If you do not
   *     uncomment this, /admin will not be available!
   *   - readOnly: If true, this user will not be able to create new pads or
   *     modify existing pads. Defaults to false.
   *   - canCreate: If this is true and readOnly is false, this user can create
   *     new pads. Defaults to true.
   *
   * Authentication and authorization plugins may define additional properties.
   *
   * WARNING: passwords should not be stored in plaintext in this file.
   *          If you want to mitigate this, please install ep_hash_auth and
   *          follow the section "secure your installation" in README.md
   */
  "users": {
    "admin": {
      // 1) "password" can be replaced with "hash" if you install ep_hash_auth
      // 2) please note that if password is null, the user will not be created
      "password": "{{ etherpad_app_admin_password }}",
      "is_admin": true
    }
  },
  /*
   * Restrict socket.io transport methods
   */
  "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
  "socketIo": {
    /*
     * Maximum permitted client message size (in bytes). All messages from
     * clients that are larger than this will be rejected. Large values make it
     * possible to paste large amounts of text, and plugins may require a larger
     * value to work properly, but increasing the value increases susceptibility
     * to denial of service attacks (malicious clients can exhaust memory).
     */
    "maxHttpBufferSize": 10000
  },
  /*
   * Allow Load Testing tools to hit the Etherpad Instance.
   *
   * WARNING: this will disable security on the instance.
   */
  "loadTest": false,
  /**
  * Disable dump of objects preventing a clean exit
  */
  "dumpOnUncleanExit": false,
  /*
   * Disable indentation on new line when previous line ends with some special
   * chars (':', '[', '(', '{')
   */
  /*
  "indentationOnNewLine": false,
  */
  /*
   * From Etherpad 1.8.3 onwards, import and export of pads is always rate
   * limited.
   *
   * The default is to allow at most 10 requests per IP in a 90 seconds window.
   * After that the import/export request is rejected.
   *
   * See https://github.com/nfriedly/express-rate-limit for more options
   */
  "importExportRateLimiting": {
    // duration of the rate limit window (milliseconds)
    "windowMs": 90000,
    // maximum number of requests per IP to allow during the rate limit window
    "max": 10
  },
  /*
   * From Etherpad 1.8.3 onwards, the maximum allowed size for a single imported
   * file is always bounded.
   *
   * File size is specified in bytes. Default is 50 MB.
   */
  "importMaxFileSize": 52428800, // 50 * 1024 * 1024
  /*
   * From Etherpad 1.8.5 onwards, when Etherpad is in production mode commits from individual users are rate limited
   *
   * The default is to allow at most 10 changes per IP in a 1 second window.
   * After that the change is rejected.
   *
   * See https://github.com/animir/node-rate-limiter-flexible/wiki/Overall-example#websocket-single-connection-prevent-flooding for more options
   */
  "commitRateLimiting": {
    // duration of the rate limit window (seconds)
    "duration": 1,
    // maximum number of changes per IP to allow during the rate limit window
    "points": 10
  },
  /*
   * Toolbar buttons configuration.
   *
   * Uncomment to customize.
   */
  /*
  "toolbar": {
    "left": [
      ["bold", "italic", "underline", "strikethrough"],
      ["orderedlist", "unorderedlist", "indent", "outdent"],
      ["undo", "redo"],
      ["clearauthorship"]
    ],
    "right": [
      ["importexport", "timeslider", "savedrevision"],
      ["settings", "embed"],
      ["showusers"]
    ],
    "timeslider": [
      ["timeslider_export", "timeslider_returnToPad"]
    ]
  },
  */
  /*
   * Expose Etherpad version in the web interface and in the Server http header.
   *
   * Do not enable on production machines.
   */
  "exposeVersion": false,
  /*
   * The log level we are using.
   *
   * Valid values: DEBUG, INFO, WARN, ERROR
   */
  "loglevel": "INFO",
  /* Override any strings found in locale directories */
  "customLocaleStrings": {},
  /* Disable Admin UI tests */
  "enableAdminUITests": false
 }
--- a/webapps/etherpad/templates/ssl.conf.j2
+++ b/webapps/etherpad/templates/ssl.conf.j2
@ -0,0 +1,22 @@
 ##
 # Certificates
 # you need a certificate to run in production. see https://letsencrypt.org/
 ##
 ssl_certificate     /etc/letsencrypt/live/{{ etherpad_domains | first }}/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/{{ etherpad_domains | first }}/privkey.pem;
 ##
 # Security hardening (as of Nov 15, 2020)
 # based on Mozilla Guideline v5.6
 ##
 ssl_protocols             TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
 ssl_ciphers               ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
 ssl_session_timeout       1d; # defaults to 5m
 ssl_session_cache         shared:SSL:10m; # estimated to 40k sessions
 ssl_session_tickets       off;
 ssl_stapling              on;
 ssl_stapling_verify       on;
 # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
 #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
--- a/webapps/etherpad/templates/vhost.conf.j2
+++ b/webapps/etherpad/templates/vhost.conf.j2
@ -0,0 +1,49 @@
 map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
 }
 server {
  listen 80;
  listen [::]:80;
  server_name {{ etherpad_domains |first }};
  # For certbot
  include /etc/nginx/snippets/letsencrypt.conf;
  {% if ssl.stat.exists %}
  location / { return 301 https://$host$request_uri; }
  {% endif %}
 }
 {% if ssl.stat.exists %}
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name {{ etherpad_domains |first }};
  access_log /var/log/nginx/{{ service }}.access.log;
  error_log  /var/log/nginx/{{ service }}.error.log;
  include /etc/nginx/snippets/letsencrypt.conf;
  include /etc/nginx/ssl/{{ etherpad_domains | first }}.conf;
  location / {
    proxy_pass         http://127.0.0.1:{{ etherpad_node_port }};
    proxy_buffering    off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
    proxy_set_header   Host $host;
    proxy_pass_header  Server;
    # Note you might want to pass these headers etc too.
    proxy_set_header    X-Real-IP $remote_addr; # https://nginx.org/en/docs/http/ngx_http_proxy_module.html
    proxy_set_header    X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
    proxy_set_header    X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
    proxy_http_version  1.1; # recommended with keepalive connections
    # WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html
    proxy_set_header  Upgrade $http_upgrade;
    proxy_set_header  Connection $connection_upgrade;
  }  
 }
 {% endif %}
--- a/webapps/etherpad/tests/inventory
+++ b/webapps/etherpad/tests/inventory
@ -0,0 +1,2 @@
 localhost
--- a/webapps/etherpad/tests/test.yml
+++ b/webapps/etherpad/tests/test.yml
@ -0,0 +1,5 @@
 ---
 - hosts: localhost
  remote_user: root
  roles:
    - hedgedoc
--- a/webapps/etherpad/vars/main.yml
+++ b/webapps/etherpad/vars/main.yml
@ -0,0 +1,2 @@
 ---
 # vars file
Author	SHA1	Message	Date
Mathieu Gauthier-Pilote	c933619b6b	Handlers; service => systemd; shell => command All checks were successful Ansible Lint \|Total\|New\|Outstanding\|Fixed\|Trend \|:-:\|:-:\|:-:\|:-:\|:-: \|2784\|0\|2784\|0\|:zzz: Details gitea/ansible-roles/pipeline/head This commit looks good Details	2024-05-08 15:08:28 -04:00
Mathieu Gauthier-Pilote	1096337690	ansible.builtin. prefix for modules All checks were successful Ansible Lint \|Total\|New\|Outstanding\|Fixed\|Trend \|:-:\|:-:\|:-:\|:-:\|:-: \|2780\|0\|2780\|0\|:zzz: Details gitea/ansible-roles/pipeline/head This commit looks good Details	2024-05-08 14:24:18 -04:00
Mathieu Gauthier-Pilote	ae726365ec	Prefix variables with etherpad_ All checks were successful Ansible Lint \|Total\|New\|Outstanding\|Fixed\|Trend \|:-:\|:-:\|:-:\|:-:\|:-: \|2810\|0\|2810\|0\|:zzz: Details gitea/ansible-roles/pipeline/head This commit looks good Details	2024-05-08 14:09:02 -04:00
Mathieu Gauthier-Pilote	e076c54fcd	Needed because of mariadb default conf change on Debian 12 All checks were successful Ansible Lint \|Total\|New\|Outstanding\|Fixed\|Trend \|:-:\|:-:\|:-:\|:-:\|:-: \|2810\|0\|2810\|0\|:zzz: Details gitea/ansible-roles/pipeline/head This commit looks good Details	2024-05-08 13:22:42 -04:00
Mathieu Gauthier-Pilote	109bc0fbfb	etherpad ugrade : v1.8.18 => v1.9.6	2024-05-08 13:22:42 -04:00
Mathieu Gauthier-Pilote	c71b0e8a9e	Now installs a LE SSL cert via certbot by default	2024-05-08 13:22:42 -04:00
Mathieu Gauthier-Pilote	b3c79bd9d1	New role to install + upgrade Etherpad	2024-05-08 13:22:42 -04:00