Compare commits

..

17 commits

Author SHA1 Message Date
Mathieu Gauthier-Pilote 6214d8e119 ansible.builtin. prefix for modules
2024-06-06 15:04:18 -04:00
Mathieu Gauthier-Pilote cf783cafdb Prefix variables with gitea_ 2024-06-06 15:04:18 -04:00
Mathieu Gauthier-Pilote 642367b2ba Gitea upgrade : v1.18.5 => v1.21.3 2024-06-06 15:04:18 -04:00
Mathieu Gauthier-Pilote c193adc40a Now installs a LE SSL cert via certbot by default 2024-06-06 15:04:18 -04:00
Mathieu Gauthier-Pilote 674dc850e5 New role to install + upgrade Gitea 2024-06-06 15:04:18 -04:00
Ludovic Poujol c524ffb472 bind: New variables to change IPs bind will listen on & send notify/transfer commands
2024-06-06 11:07:03 +02:00
Tom David--Broglio a7570a49a3 fail2ban: remount-usr added because it is needed for last task
2024-06-05 18:08:02 +02:00
Tom David--Broglio 0589271110 certbot: allow haproxy deploy hook to work with evoacme too
2024-06-05 17:13:50 +02:00
William Hirigoyen 1474f06927 lxc-solr: update solr9 version + fix URL in README
2024-06-05 15:42:16 +02:00
William Hirigoyen 114d857e89 lxc: new lxc_template_mirror option (useful to get old Debian from archive.debian.org)
2024-06-03 17:37:05 +02:00
William Hirigoyen aa13676cc4 log2mail: add missing default vars (see previous commit)
2024-05-31 10:21:58 +02:00
William Hirigoyen f05a6aa25c log2mail: task log2mail.yml of evolinux-base converted to a role
2024-05-31 10:12:05 +02:00
William Hirigoyen 56fbe99164 log2mail: add missing tags
2024-05-31 09:27:08 +02:00
David Prevot 229d2f366e Use lxc_php_container_name instead of lxc_php_version
Fixes phpXY-new containers build.
2024-05-27 12:04:13 +02:00
Alexis Ben Miloud--Josselin b7e24fc3ea evolinux-base: Create custom SSH configuration file
2024-05-24 11:57:50 +02:00
William Hirigoyen de953a30db Add munin: linux_psi plugcontrib plugin
2024-05-23 11:48:08 +02:00
Jérémy Lecour aea1404a21 evolinux-base: install evobackup-client (default: true)
2024-05-21 18:26:33 +02:00
44 changed files with 1046 additions and 85 deletions

View file

@ -13,8 +13,17 @@ The **patch** part is incremented if multiple releases happen the same month
### Added ### Added
* bind: New variables to change IPs bind will listen on & send notify/transfer commands
* evolinux-base: install evobackup-client (default: true)
* munin: add linux_psi contrib plugin
* evolinux-base: Create custom SSH configuration file
* lxc: new lxc_template_mirror option (useful to get old Debian from archive.debian.org)
### Changed ### Changed
* log2mail: task log2mail.yml of evolinux-base converted to a role
* lxc-solr: update solr9 version + fix URL in README
### Fixed ### Fixed
### Removed ### Removed
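Review bot: the `### Fixed` block of this top section stays empty although the lxc-php rename of `lxc_php_version` to `lxc_php_container_name` further down in this range carries the commit body "Fixes phpXY-new containers build."; every other change in the range got a changelog line, so add one here, for example `* lxc-php: use lxc_php_container_name instead of lxc_php_version`. Minor: the munin line reads `* munin: add linux_psi contrib plugin` while the commit title says "plugcontrib plugin"; the changelog wording is the clearer one and the commit title looks like a typo.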
@ -29,6 +38,7 @@ The **patch** part is incremented if multiple releases happen the same month
### Changed ### Changed
* certbot: allow haproxy deploy hook to work with evoacme too (using env variables)
* evobackup-client: upstream release 24.05.1 * evobackup-client: upstream release 24.05.1
* evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers * evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers
* evolinux-users: improve SSH configuration * evolinux-users: improve SSH configuration
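Review bot: the certbot entry is added to the `### Changed` block of the section that sits directly above `## [24.04] 2024-04-30`, while the other entries from the same commit range (bind, evobackup-client, munin, SSH, lxc) go into the top section at lines 13 to 21; if that middle section is an already published release, `* certbot: allow haproxy deploy hook to work with evoacme too (using env variables)` belongs in the top Changed block instead. It would also help readers to name the variable the parenthesis refers to (`EVOACME_VHOST_NAME`, which is what the hook script tests).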
@ -38,6 +48,7 @@ The **patch** part is incremented if multiple releases happen the same month
### Fixed ### Fixed
* apt: use archive.debian.org with Buster * apt: use archive.debian.org with Buster
* fail2ban: remount-usr added because it is needed for last task
## [24.04] 2024-04-30 ## [24.04] 2024-04-30
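Review bot: same placement question for the fail2ban line: it is added to the Fixed block just above `## [24.04]` rather than to the empty `### Fixed` of the top section. The wording also describes the commit rather than the user-visible fix; "last task" means the copy of unban_ip.sh shown later in this range, so something like `* fail2ban: remount /usr read-write before installing unban_ip.sh` tells a reader what actually changed.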

View file

@ -1,12 +1,26 @@
--- ---
bind_recursive_server: False bind_recursive_server: false
bind_authoritative_server: True bind_authoritative_server: true
bind_chroot_set: True bind_chroot_set: true
# Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths.
#bind_chroot_path: /var/chroot-bind
bind_systemd_service_path: /etc/systemd/system/bind9.service bind_systemd_service_path: /etc/systemd/system/bind9.service
bind_statistics_file: /var/run/named.stats bind_statistics_file: /var/run/named.stats
bind_log_file: /var/log/bind.log bind_log_file: /var/log/bind.log
bind_query_file: /var/log/bind_queries.log bind_query_file: /var/log/bind_queries.log
bind_query_file_enabled: False bind_query_file_enabled: false
bind_cache_dir: /var/cache/bind bind_cache_dir: /var/cache/bind
# String (bind syntax) of IPv4/ to listen on (or any by default)
# eg. "192.0.2.1; 192.0.2.3" or all interfaces : "any ;"
bind_listen_on_ipv4: "any;"
# String (bind syntax) of IPv6 to listen on (or any by default)
# eg. "2001:db8::1; 2001:db8::42" or all interfaces : "any ;" or not at all "none;"
bind_listen_on_ipv6: "any;"
# For server with multiples IP Adresses, enforce the usage of a specific IP for NOTIFY commands
bind_notify_source: ''
# For server with multiples IP Adresses, enforce the usage of a specific IP for TRANSFER commands
bind_transfer_source: ''
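Review bot: the four new values are spliced verbatim into named.conf by the template, so `bind_listen_on_ipv4` and `bind_listen_on_ipv6` must carry their own trailing semicolon; the example in the comment, `"192.0.2.1; 192.0.2.3"`, lacks it and would render as `listen-on { 192.0.2.1; 192.0.2.3 };`, which named rejects. Either state the semicolon requirement explicitly in the comment or have the template append it. Comment typos: "IPv4/ to listen on", "multiples IP Adresses" (twice). It is also worth saying that `bind_notify_source` and `bind_transfer_source` take a single address (bind's `notify-source` / `transfer-source` accept one address, optionally with a port), not a list like the listen-on values.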

View file

@ -10,8 +10,15 @@ options {
masterfile-format text; masterfile-format text;
statistics-file "{{ bind_statistics_file }}"; statistics-file "{{ bind_statistics_file }}";
listen-on-v6 { any; }; listen-on { {{ bind_listen_on_ipv4 }} };
listen-on { any; }; listen-on-v6 { {{ bind_listen_on_ipv6 }} };
{% if bind_notify_source is defined and bind_notify_source|length %}
notify-source {{ bind_notify_source }};
{% endif %}
{% if bind_transfer_source is defined and bind_transfer_source|length %}
transfer-source {{ bind_transfer_source }};
{% endif %}
allow-query { localhost; }; allow-query { localhost; };
allow-recursion { localhost; }; allow-recursion { localhost; };
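Review bot: `listen-on { {{ bind_listen_on_ipv4 }} };` depends on the variable ending in `;` and containing only address-match-list syntax; nothing guards against a missing semicolon or a stray value, and a bad render leaves named unable to start once the reload handler fires. An `ansible.builtin.assert` on the shape of the two strings, or validating the rendered config with `named-checkconf` before the reload, would catch that at deploy time. The `is defined` tests on `bind_notify_source` and `bind_transfer_source` are redundant now that defaults/main.yml defines both with `''`; `| length` alone is enough. Swapping the order of the `listen-on` and `listen-on-v6` lines is harmless but makes the diff noisier than it needs to be.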

View file

@ -1,4 +1,6 @@
#!/bin/sh #!/bin/sh
# /!\ MODIFIED to work with evoacme OR certbot
private_keys_dirs="/etc/ssl/private" # Only used for evoacme
error() { error() {
>&2 echo "${PROGNAME}: $1" >&2 echo "${PROGNAME}: $1"
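Review bot: `private_keys_dirs` names a single directory, so `private_key_dir` reads better, and the header comment should state the contract the script now relies on: when `EVOACME_VHOST_NAME` is set in the environment the script runs in evoacme mode and looks for the key under /etc/ssl/private, otherwise it behaves as a plain certbot deploy hook. Right now that is only discoverable by reading main().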
@ -13,7 +15,7 @@ daemon_found_and_running() {
test -n "$(pidof haproxy)" && test -n "${haproxy_bin}" test -n "$(pidof haproxy)" && test -n "${haproxy_bin}"
} }
found_renewed_lineage() { found_renewed_lineage() {
test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem" test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${private_key}"
} }
config_check() { config_check() {
${haproxy_bin} -c -f "${haproxy_config_file}" > /dev/null 2>&1 ${haproxy_bin} -c -f "${haproxy_config_file}" > /dev/null 2>&1
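Review bot: `found_renewed_lineage` now reads the global `private_key`, which is only assigned inside main() after the daemon check; the call is still safe because `test -f ""` is false, but the ordering dependency is invisible at the definition. Either add a short comment or pass the path in explicitly (`found_renewed_lineage "${private_key}"`) so the function does not silently depend on main() having run first.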
@ -24,7 +26,7 @@ concat_files() {
chown root: "${haproxy_cert_dir}" chown root: "${haproxy_cert_dir}"
debug "Concatenating certificate files to ${haproxy_cert_file}" debug "Concatenating certificate files to ${haproxy_cert_file}"
cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}" cat "${RENEWED_LINEAGE}/fullchain.pem" "${private_key}" > "${haproxy_cert_file}"
chmod 600 "${haproxy_cert_file}" chmod 600 "${haproxy_cert_file}"
chown root: "${haproxy_cert_file}" chown root: "${haproxy_cert_file}"
} }
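Review bot: pre-existing rather than introduced here, but since the line is being touched: `cat ... > "${haproxy_cert_file}"` creates the combined cert+key file with the caller's umask and only afterwards runs `chmod 600`, so for a moment the private key can be readable by other users inside `${haproxy_cert_dir}`. Setting `umask 077` at the top of the script, or writing to a temporary file created with mode 600 and moving it into place, closes that window and also avoids leaving a half-written .pem behind if cat fails.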
@ -58,10 +60,19 @@ main() {
if daemon_found_and_running; then if daemon_found_and_running; then
readonly haproxy_config_file="/etc/haproxy/haproxy.cfg" readonly haproxy_config_file="/etc/haproxy/haproxy.cfg"
readonly haproxy_cert_dir=$(detect_haproxy_cert_dir) readonly haproxy_cert_dir=$(detect_haproxy_cert_dir)
if [ -z "${EVOACME_VHOST_NAME}" ]; then
# CERTBOT
private_key=${RENEWED_LINEAGE}/privkey.pem
cert_name=$(basename "${RENEWED_LINEAGE}")
else
# EVOACME
private_key=${private_keys_dirs}/$(basename $(dirname ${RENEWED_LINEAGE})).key
cert_name=$(basename $(dirname "${RENEWED_LINEAGE}"))
fi
if found_renewed_lineage; then if found_renewed_lineage; then
haproxy_cert_file="${haproxy_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem" haproxy_cert_file="${haproxy_cert_dir}/${cert_name}.pem"
failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem" failed_cert_file="/root/${cert_name}.failed.pem"
concat_files concat_files
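Review bot: the evoacme branch leaves its command substitutions unquoted: `private_key=${private_keys_dirs}/$(basename $(dirname ${RENEWED_LINEAGE})).key` and `cert_name=$(basename $(dirname "${RENEWED_LINEAGE}"))`, while the certbot branch and the rest of the script quote every expansion; they should read `$(basename "$(dirname "${RENEWED_LINEAGE}")")`. It matters here because `cert_name` is then used to build `${haproxy_cert_dir}/${cert_name}.pem` and `/root/${cert_name}.failed.pem`. A comment next to the `# CERTBOT` / `# EVOACME` markers describing the two `RENEWED_LINEAGE` layouts the basename/dirname calls assume would also make the branch easier to maintain.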
@ -77,7 +88,8 @@ main() {
error "HAProxy config is broken, you must fix it !" error "HAProxy config is broken, you must fix it !"
fi fi
else else
error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem"
error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or "${private_key}""
fi fi
else else
debug "HAProxy is not running or missing. Skip." debug "HAProxy is not running or missing. Skip."
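Review bot: the replacement error line has broken quoting: `error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or "${private_key}""` closes the string before `${private_key}`, so the path is expanded unquoted (and word-split if it contains spaces) and an empty `""` is appended. It should be `error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${private_key}"`; shellcheck flags this pattern as SC2027.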
@ -91,3 +103,4 @@ readonly QUIET=${QUIET:-"0"}
readonly haproxy_bin=$(command -v haproxy) readonly haproxy_bin=$(command -v haproxy)
main main

View file

@ -243,3 +243,6 @@ evolinux_utils_include: True
# Autosysadmin # Autosysadmin
evolinux_autosysadmin_include: false evolinux_autosysadmin_include: false
# Evobackup client
evolinux_evobackup_client_include: True
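Review bot: `evolinux_evobackup_client_include: True` uses the capitalised YAML boolean while the neighbouring `evolinux_autosysadmin_include: false` (and the bind defaults normalised elsewhere in this same range) use lowercase; ansible-lint's truthy rule prefers `true`. Since the default is on, every host running evolinux-base gets evobackup-client installed on its next run; that is the stated intent, but it deserves a line in the role README so operators know to set it to `false` where a backup client is not wanted.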

View file

@ -74,11 +74,6 @@
name: postfix name: postfix
state: reloaded state: reloaded
- name: restart log2mail
ansible.builtin.service:
name: log2mail
state: restarted
- name: restart systemd-journald - name: restart systemd-journald
ansible.builtin.service: ansible.builtin.service:
name: systemd-journald.service name: systemd-journald.service
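Review bot: removing the `restart log2mail` handler from evolinux-base is only safe if no task left in evolinux-base still does `notify: restart log2mail`; a dangling notify fails the play at runtime with a "handler not found" error. The replacement handler lives in the new log2mail role's handlers/main.yml further down in this range, so a `grep -r 'restart log2mail'` over the evolinux-base role before merging would confirm nothing else references it.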

View file

@ -116,7 +116,8 @@
when: evolinux_provider_orange_fce_include | bool when: evolinux_provider_orange_fce_include | bool
- name: Override Log2mail service - name: Override Log2mail service
ansible.builtin.import_tasks: log2mail.yml ansible.builtin.include_role:
name: evolix/log2mail
when: evolinux_log2mail_include | bool when: evolinux_log2mail_include | bool
- ansible.builtin.import_tasks: motd.yml - ansible.builtin.import_tasks: motd.yml
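Review bot: the task name `Override Log2mail service` no longer describes what happens now that the line includes the whole `evolix/log2mail` role; rename it to something like `Include log2mail role`. Note also that `import_tasks` was static and `include_role` is dynamic: tags placed on the include statement apply to the include itself and not to the role's tasks unless passed through `apply:`, and the included tasks no longer show up in `--list-tasks`. The `when:` now gates the whole role, which is the intended effect.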
@ -158,6 +159,11 @@
name: 'evolix/autosysadmin-restart_nrpe' name: 'evolix/autosysadmin-restart_nrpe'
when: evolinux_autosysadmin_include | bool when: evolinux_autosysadmin_include | bool
- name: Evobackup (client)
ansible.builtin.include_role:
name: 'evolix/evobackup-client'
when: evolinux_evobackup_client_include | bool
- name: fail2ban - name: fail2ban
ansible.builtin.include_role: ansible.builtin.include_role:
name: evolix/fail2ban name: evolix/fail2ban
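Review bot: this mirrors the autosysadmin block above it, which is fine; one style point: the role name is quoted (`'evolix/evobackup-client'`) while the fail2ban include just below uses `evolix/fail2ban` unquoted, so pick one convention for the file.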

View file

@ -16,6 +16,14 @@
dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
mode: "0644" mode: "0644"
- name: create custom SSH server configuration file
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/zzz-evolinux-custom.conf
state: touch
mode: "0644"
modification_time: preserve
access_time: preserve
# Should we allow the current user? # Should we allow the current user?
- name: Allow the current user - name: Allow the current user
block: block:
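Review bot: sshd reads the files in sshd_config.d in lexical order and keeps the first value it sees for each keyword, so `zzz-evolinux-custom.conf` sorts after `z-evolinux-defaults.conf` and cannot override anything the defaults file already sets. If the custom file is meant to let operators override the evolinux defaults, it needs a name that sorts before `z-evolinux-defaults.conf`; if it is only for additional settings, a comment saying so avoids the surprise. The `modification_time: preserve` / `access_time: preserve` pair is the right way to keep `state: touch` idempotent; add explicit `owner: root` and `group: root` so ownership does not depend on who runs the play.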

View file

@ -112,6 +112,9 @@
tags: tags:
- fail2ban - fail2ban
- include_role:
name: evolix/remount-usr
- name: Script unban_ip is installed - name: Script unban_ip is installed
ansible.builtin.copy: ansible.builtin.copy:
src: unban_ip.sh src: unban_ip.sh
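Review bot: the new include uses the short form `include_role:` while the rest of this range (including the first commit, which adds the `ansible.builtin.` prefix everywhere) uses `ansible.builtin.include_role`; it also has no `name:` and lacks the `tags: - fail2ban` that the neighbouring tasks carry, so a `--tags fail2ban` run would skip remounting /usr and then fail on the copy of unban_ip.sh it was added to support. Suggest `- name: Remount /usr read-write` / `ansible.builtin.include_role:` with `name: evolix/remount-usr`, plus the same `tags` block as its neighbours.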

View file

@ -0,0 +1,3 @@
---
log2mail_alert_email: Null
general_alert_email: "root@localhost"
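Review bot: `log2mail_alert_email: Null` works (YAML resolves `Null` to null) but lowercase `null` or `~` is the conventional spelling; if the template is meant to fall back to `general_alert_email` when it is null, say so in a comment. `general_alert_email` is a shared, non-prefixed name; defining it in this role's defaults is harmless because role defaults have the lowest precedence, but the README should mention that the role consumes a global variable rather than owning it.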

View file

@ -0,0 +1,5 @@
---
- name: restart log2mail
ansible.builtin.service:
name: log2mail
state: restarted

View file

@ -23,18 +23,14 @@
marker: "# {mark} ANSIBLE MANAGED RULES FOR DEFAULT INSTANCE" marker: "# {mark} ANSIBLE MANAGED RULES FOR DEFAULT INSTANCE"
state: absent state: absent
notify: restart log2mail notify: restart log2mail
tags:
- log2mail
- name: log2mail evolinux-defaults config is present - name: log2mail evolinux-defaults config is present
ansible.builtin.template: ansible.builtin.template:
src: log2mail/evolinux-defaults.j2 src: evolinux-defaults.j2
dest: /etc/log2mail/config/evolinux-defaults dest: /etc/log2mail/config/evolinux-defaults
owner: log2mail owner: log2mail
group: adm group: adm
mode: "0640" mode: "0640"
force: yes force: yes
notify: restart log2mail notify: restart log2mail
tags:
- log2mail
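Review bot: dropping `tags: - log2mail` from both tasks changes how `--tags log2mail` behaves: it used to select these tasks inside evolinux-base, and after the move they are reached through `ansible.builtin.include_role`, which does not pass tags down to the role's tasks unless they are given via `apply:`. Either keep the tags on the tasks or add them with `apply` on the include in evolinux-base. The `src: evolinux-defaults.j2` change is correct now that the template lives in the role's own templates directory.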

View file

@ -1,11 +1,11 @@
--- ---
- name: "{{ lxc_php_version }} - Install PHP packages" - name: "{{ lxc_php_container_name }} - Install PHP packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install --yes --force-yes php5-fpm php5-cli php5-gd php5-imap php5-ldap php5-mcrypt php5-mysql php5-pgsql php5-sqlite php-gettext php5-intl php5-curl php5-ssh2 libphp-phpmailer" container_command: "DEBIAN_FRONTEND=noninteractive apt install --yes --force-yes php5-fpm php5-cli php5-gd php5-imap php5-ldap php5-mcrypt php5-mysql php5-pgsql php5-sqlite php-gettext php5-intl php5-curl php5-ssh2 libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
ansible.builtin.template: ansible.builtin.template:
src: z-evolinux-defaults.ini.j2 src: z-evolinux-defaults.ini.j2
dest: "{{ line_item }}" dest: "{{ line_item }}"
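Review bot: the rename to `lxc_php_container_name` is applied consistently across the task files in this range, but nothing here defines or documents the new variable: no defaults entry, README change or changelog line appears, and the old `lxc_php_version` name is gone, so anyone still passing `lxc_php_version` gets an undefined-variable error on the first task. Confirm the caller sets `lxc_php_container_name` (the commit body says this fixes the phpXY-new container builds, which suggests it does) and add the variable to the role README.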

View file

@ -1,11 +1,11 @@
--- ---
- name: "{{ lxc_php_version }} - Install PHP packages" - name: "{{ lxc_php_container_name }} - Install PHP packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mcrypt php-mysql php-pgsql php-sqlite3 php-gettext php-curl php-ssh2 php-zip php-mbstring composer libphp-phpmailer" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mcrypt php-mysql php-pgsql php-sqlite3 php-gettext php-curl php-ssh2 php-zip php-mbstring composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
ansible.builtin.template: ansible.builtin.template:
src: z-evolinux-defaults.ini.j2 src: z-evolinux-defaults.ini.j2
dest: "{{ line_item }}" dest: "{{ line_item }}"

View file

@ -1,17 +1,17 @@
--- ---
- name: "{{ lxc_php_version }} - Install PHP packages" - name: "{{ lxc_php_container_name }} - Install PHP packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - fix bullseye repository" - name: "{{ lxc_php_container_name }} - fix bullseye repository"
ansible.builtin.replace: ansible.builtin.replace:
dest: "{{ lxc_rootfs }}/etc/apt/sources.list" dest: "{{ lxc_rootfs }}/etc/apt/sources.list"
regexp: 'bullseye/updates' regexp: 'bullseye/updates'
replace: 'bullseye-security' replace: 'bullseye-security'
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
ansible.builtin.template: ansible.builtin.template:
src: z-evolinux-defaults.ini.j2 src: z-evolinux-defaults.ini.j2
dest: "{{ line_item }}" dest: "{{ line_item }}"
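Review bot: context line rather than part of this change, but `php-zip` is listed twice in the apt install command in this hunk (`... php-curl php-zip php-mbstring php-xml php-zip ...`); apt tolerates it, but it is worth deduplicating since the same list is copied into the bullseye and bookworm task files below.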

View file

@ -5,18 +5,18 @@
lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
- name: "{{ lxc_php_version }} - Install dependency packages" - name: "{{ lxc_php_container_name }} - Install dependency packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
- name: "{{ lxc_php_version }} - fix bullseye repository" - name: "{{ lxc_php_container_name }} - fix bullseye repository"
ansible.builtin.replace: ansible.builtin.replace:
dest: "{{ lxc_rootfs }}/etc/apt/sources.list" dest: "{{ lxc_rootfs }}/etc/apt/sources.list"
regexp: 'bullseye/updates' regexp: 'bullseye/updates'
replace: 'bullseye-security' replace: 'bullseye-security'
- name: "{{ lxc_php_version }} - Add sury repo" - name: "{{ lxc_php_container_name }} - Add sury repo"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list" dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list"
line: "{{ item }}" line: "{{ item }}"
@ -51,17 +51,17 @@
owner: root owner: root
group: root group: root
- name: "{{ lxc_php_version }} - Update APT cache" - name: "{{ lxc_php_container_name }} - Update APT cache"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt update" container_command: "DEBIAN_FRONTEND=noninteractive apt update"
- name: "{{ lxc_php_version }} - Install PHP packages" - name: "{{ lxc_php_container_name }} - Install PHP packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
ansible.builtin.template: ansible.builtin.template:
src: z-evolinux-defaults.ini.j2 src: z-evolinux-defaults.ini.j2
dest: "{{ line_item }}" dest: "{{ line_item }}"

View file

@ -4,18 +4,18 @@
ansible.builtin.set_fact: ansible.builtin.set_fact:
lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
- name: "{{ lxc_php_version }} - Install dependency packages" - name: "{{ lxc_php_container_name }} - Install dependency packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
- name: "{{ lxc_php_version }} - fix bullseye repository" - name: "{{ lxc_php_container_name }} - fix bullseye repository"
ansible.builtin.replace: ansible.builtin.replace:
dest: "{{ lxc_rootfs }}/etc/apt/sources.list" dest: "{{ lxc_rootfs }}/etc/apt/sources.list"
regexp: 'bullseye/updates' regexp: 'bullseye/updates'
replace: 'bullseye-security' replace: 'bullseye-security'
- name: "{{ lxc_php_version }} - Add sury repo" - name: "{{ lxc_php_container_name }} - Add sury repo"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list" dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list"
line: "{{ item }}" line: "{{ item }}"
@ -50,17 +50,17 @@
owner: root owner: root
group: root group: root
- name: "{{ lxc_php_version }} - Update APT cache" - name: "{{ lxc_php_container_name }} - Update APT cache"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt update" container_command: "DEBIAN_FRONTEND=noninteractive apt update"
- name: "{{ lxc_php_version }} - Install PHP packages" - name: "{{ lxc_php_container_name }} - Install PHP packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
ansible.builtin.template: ansible.builtin.template:
src: z-evolinux-defaults.ini.j2 src: z-evolinux-defaults.ini.j2
dest: "{{ line_item }}" dest: "{{ line_item }}"

View file

@ -4,24 +4,24 @@
ansible.builtin.set_fact: ansible.builtin.set_fact:
lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
- name: "{{ lxc_php_version }} - Install dependency packages" - name: "{{ lxc_php_container_name }} - Install dependency packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
- name: "{{ lxc_php_version }} - delete sources.list bookworm repository" - name: "{{ lxc_php_container_name }} - delete sources.list bookworm repository"
ansible.builtin.file: ansible.builtin.file:
path: "{{ lxc_rootfs }}/etc/apt/sources.list" path: "{{ lxc_rootfs }}/etc/apt/sources.list"
state: absent state: absent
- name: "{{ lxc_php_version }} - system bookworm repository" - name: "{{ lxc_php_container_name }} - system bookworm repository"
ansible.builtin.template: ansible.builtin.template:
src: bookworm_basics.sources.j2 src: bookworm_basics.sources.j2
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/system.sources" dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/system.sources"
force: true force: true
mode: "0644" mode: "0644"
- name: "{{ lxc_php_version }} - security bookworm repository" - name: "{{ lxc_php_container_name }} - security bookworm repository"
ansible.builtin.template: ansible.builtin.template:
src: bookworm_security.sources.j2 src: bookworm_security.sources.j2
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/security.sources" dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/security.sources"
@ -44,17 +44,17 @@
owner: root owner: root
group: root group: root
- name: "{{ lxc_php_version }} - Update APT cache" - name: "{{ lxc_php_container_name }} - Update APT cache"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt update" container_command: "DEBIAN_FRONTEND=noninteractive apt update"
- name: "{{ lxc_php_version }} - Install PHP packages" - name: "{{ lxc_php_container_name }} - Install PHP packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
ansible.builtin.template: ansible.builtin.template:
src: z-evolinux-defaults.ini.j2 src: z-evolinux-defaults.ini.j2
dest: "{{ line_item }}" dest: "{{ line_item }}"

View file

@ -4,38 +4,38 @@
ansible.builtin.set_fact: ansible.builtin.set_fact:
lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
- name: "{{ lxc_php_version }} - Install dependency packages" - name: "{{ lxc_php_container_name }} - Install dependency packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
- name: "{{ lxc_php_version }} - delete sources.list bookworm repository" - name: "{{ lxc_php_container_name }} - delete sources.list bookworm repository"
ansible.builtin.file: ansible.builtin.file:
path: "{{ lxc_rootfs }}/etc/apt/sources.list" path: "{{ lxc_rootfs }}/etc/apt/sources.list"
state: absent state: absent
- name: "{{ lxc_php_version }} - system bookworm repository" - name: "{{ lxc_php_container_name }} - system bookworm repository"
ansible.builtin.template: ansible.builtin.template:
src: bookworm_basics.sources.j2 src: bookworm_basics.sources.j2
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/system.sources" dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/system.sources"
force: true force: true
mode: "0644" mode: "0644"
- name: "{{ lxc_php_version }} - security bookworm repository" - name: "{{ lxc_php_container_name }} - security bookworm repository"
ansible.builtin.template: ansible.builtin.template:
src: bookworm_security.sources.j2 src: bookworm_security.sources.j2
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/security.sources" dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/security.sources"
force: true force: true
mode: "0644" mode: "0644"
- name: "{{ lxc_php_version }} - Add sury repo" - name: "{{ lxc_php_container_name }} - Add sury repo"
ansible.builtin.template: ansible.builtin.template:
src: sury.sources.j2 src: sury.sources.j2
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.sources" dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.sources"
force: true force: true
mode: "0644" mode: "0644"
- name: "{{ lxc_php_version }} - Add sury failsafe repo" - name: "{{ lxc_php_container_name }} - Add sury failsafe repo"
ansible.builtin.template: ansible.builtin.template:
src: evolix_sury.sources.j2 src: evolix_sury.sources.j2
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/evolix_sury.sources" dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/evolix_sury.sources"
@ -66,17 +66,17 @@
owner: root owner: root
group: root group: root
- name: "{{ lxc_php_version }} - Update APT cache" - name: "{{ lxc_php_container_name }} - Update APT cache"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt update" container_command: "DEBIAN_FRONTEND=noninteractive apt update"
- name: "{{ lxc_php_version }} - Install PHP packages" - name: "{{ lxc_php_container_name }} - Install PHP packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
ansible.builtin.template: ansible.builtin.template:
src: z-evolinux-defaults.ini.j2 src: z-evolinux-defaults.ini.j2
dest: "{{ line_item }}" dest: "{{ line_item }}"

View file

@ -15,7 +15,7 @@ Since this role depend on the lxc role, please refer to it for a full variable l
* `lxc_containers`: list of LXC containers to create. Default: `[]` (empty). * `lxc_containers`: list of LXC containers to create. Default: `[]` (empty).
* `name`: name of the LXC container to create. * `name`: name of the LXC container to create.
* `release`: Debian version to install * `release`: Debian version to install
* `solr_version`: Solr version to install *(refer to https://archive.apache.org/dist/lucene/solr/ for a full version list)* * `solr_version`: Solr version to install *(refer to https://archive.apache.org/dist/solr/solr/ for a full version list)*
* `solr_port`: port for Solr to listen on * `solr_port`: port for Solr to listen on
Eg.: Eg.:
``` ```

View file

@ -16,7 +16,7 @@
# solr_port: 8985 # solr_port: 8985
# - name: solr9 # - name: solr9
# release: bullseye # release: bullseye
# solr_version: 9.0.0 # solr_version: 9.6.1
# solr_port: 8985 # solr_port: 8985
lxc_containers: [] lxc_containers: []

View file

@ -8,6 +8,10 @@ lxc_network_type: "none"
# Partition to bind mount into containers. # Partition to bind mount into containers.
lxc_mount_part: "/home" lxc_mount_part: "/home"
# Mirror URL (optionnal).
# For old Debian, use https://archive.debian.org/debian/
lxc_template_mirror: ""
# List of LXC containers to create. # List of LXC containers to create.
# Eg.: # Eg.:
# lxc_containers: # lxc_containers:
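Review bot: typo in the new comment: "optionnal" should be "optional". It would also help to say what the value is passed to (the `--mirror` option of the Debian lxc template, i.e. the debootstrap mirror) and, for the archive.debian.org case the comment recommends, to remind the reader that debootstrap verifies the Release file against the host's debian-archive-keyring, so the signing key of the old release must still be present on the host or container creation fails at the signature check.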

View file

@ -6,13 +6,16 @@
check_mode: no check_mode: no
register: container_exists register: container_exists
- ansible.builtin.set_fact:
lxc_template_mirror_option: "{{ '--mirror ' + lxc_template_mirror if lxc_template_mirror != '' else '' }}"
- name: "Create container {{ name }}" - name: "Create container {{ name }}"
community.general.lxc_container: community.general.lxc_container:
name: "{{ name }}" name: "{{ name }}"
container_log: true container_log: true
template: debian template: debian
state: stopped state: stopped
template_options: "--arch amd64 --release {{ release }}" template_options: "--arch amd64 --release {{ release }} {{ lxc_template_mirror_option }}"
when: container_exists.stdout_lines | length == 0 when: container_exists.stdout_lines | length == 0
- name: "Disable network configuration inside container {{ name }}" - name: "Disable network configuration inside container {{ name }}"
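Review bot: the `ansible.builtin.set_fact` task at the top of the hunk has no `name:`, which ansible-lint flags (name[missing]) and which leaves an anonymous step in the play output; call it something like `Build template mirror option`. The fact it builds is interpolated unquoted into `template_options`, so a mirror value containing whitespace turns into extra arguments for `lxc-create`; since the value comes from inventory, validate it first with an `ansible.builtin.assert` that `lxc_template_mirror == '' or lxc_template_mirror is match('^https?://')` rather than trusting it.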


@ -0,0 +1,360 @@
#!/bin/bash
: << =cut
=head1 NAME
linux_psi - Plugin to monitor the pressure stall information for CPU, Memory and
IO as reported by the Linux kernel.
This plugin monitors the pressure stall information (psi) as reported by the
Linux Kernel. By default it reports all average intervals (10 seconds,
60 seconds and 300 seconds) as well as the total values as a rate of change
(DERIVE) for all resources (cpu, memory, io). The average intervals can be
configured if you only deem some of them useful. See CONFIGURATION for
explanations on that.
This is a multigraph plugin that, by default, will create six detail graphs and
one summary graph (so seven in total). The summary graph will contain the 300
seconds average percentages of all resources. The detail graphs are split in two
graphs per resource. One combining all average intervals and one for the
"totals" (rate of change) for the given resource.
There are no defaults for warnings and criticals, because this highly depends on
the system, so you need to configure them yourself (if you want any). It is
recommended that you first lookup the meaning of the different values.
For more information on psi see:
https://www.kernel.org/doc/html/latest/accounting/psi.html
=head1 CONFIGURATION
Simply create a symlink in your plugins directory like with any other plugin.
No additional configuration needed, no specific user required (typically).
If you want to configure alerts, just add "warn_" or "crit_" in front of the
internal name.
Optional configuration examples:
[linux_psi]
env.resources cpu io memory - Specify the resources to monitor. Leave one
out if you don't want this one to be
monitored.
env.intervals avg10 avg60 avg300 - Sepcify the average intervals to monitor.
Leave one out if you don't want this one to
be monitored
env.scopes some full - Specify the scopes to monitor. Leave one out
If you don't want it to be monitored.
env.summary_interval avg300 - Specify the interval to be used for the
summary-graph.
env.warn_psi_cpu_avg300_some 5 - Set a warning-level of 5 for
"psi_cpu_avg300_some"
env.crit_psi_io_total_full 2000 - Set a critical-level of 2000 for
"psi_io_total_full"
=head1 AUTHOR
2022, HaseHarald
=head1 LICENSE
LGPLv3
=head1 BUGS
=head1 TODO
=head1 MAGIC MARKERS
#%# family=auto
#%# capabilities=autoconf
=cut
# This file contains a munin-plugin to graph the psi (pressure) for CPU, Memory
# and IO, as reported by the Linux kernel.
#
# This is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with this plugin. If not, see <http://www.gnu.org/licenses/>.
resource_defaults=('cpu' 'io' 'memory')
interval_defaults=('avg10' 'avg60' 'avg300')
scope_defaults=('some' 'full')
pressure_dir=${pressure_dir:-'/proc/pressure/'}
pressure_resources=( "${resources[@]:-${resource_defaults[@]}}" )
pressure_intervals=( "${intervals[@]:-${interval_defaults[@]}}" )
pressure_scopes=( "${scopes[@]:-${scope_defaults[@]}}" )
summary_interval="${summary_interval:-avg300}"
check_autoconf() {
if [ -d "${pressure_dir}" ]; then
printf "yes\n"
else
printf "no (%s not found)\n" "${pressure_dir}"
fi
}
get_pressure_value() {
local resource
local interval
local scope
resource="$1"
interval="$2"
scope="${3:-some}"
grep "$scope" "${pressure_dir}/${resource}" | grep -o -E "${interval}=[0-9]{1,}(\.[0-9]{1,}){0,1}" | cut -d '=' -f 2
}
get_printable_name() {
local kind
local value
local printable_name
kind="$1"
value="$2"
printable_name=""
case "$kind" in
interval)
case "$interval" in
avg10)
printable_name="10sec"
;;
avg60)
printable_name="60sec"
;;
avg300)
printable_name="5min"
;;
total)
printable_name="Total"
;;
*)
printf "ERROR: Could not determine interval %s ! Must be one of 'avg10' 'avg60' 'avg300' 'total'\n" "$value" >&2
exit 2
;;
esac
;;
scope)
case "$value" in
some)
printable_name="Some"
;;
full)
printable_name="Full"
;;
*)
printf "ERROR: Could not determine scope %s ! Must be one of 'full' 'some'.\n" "$value" >&2
exit 2
;;
esac
;;
resource)
case "$value" in
cpu)
printable_name="CPU"
;;
io)
printable_name="IO"
;;
memory)
printable_name="Memory"
;;
*)
printf "ERROR: Could not determine resource-type %s ! Must be one of 'cpu' 'io' 'memory'.\n" "$value" >&2
exit 2
;;
esac
;;
*)
printf "ERROR: Could not determine kind %s ! Must be one of 'interval' 'scope' 'resource'\n" "$kind" >&2
exit 2
;;
esac
printf "%s" "$printable_name"
}
iterate_config() {
for resource in "${pressure_resources[@]}"; do
local printable_resource
printable_resource=$( get_printable_name resource "$resource" )
printf "multigraph linux_psi.%s_avg\n" "$resource"
printf "graph_title %s Pressure Stall Information - Average\n" "$printable_resource"
printf "graph_category system\n"
printf "graph_info Average PSI based latency caused by lack of %s resources.\n" "$printable_resource"
printf "graph_vlabel %%\n"
printf "graph_scale no\n"
for interval in "${pressure_intervals[@]}"; do
local printable_interval
printable_interval=$( get_printable_name interval "$interval" )
output_config "$resource" "$interval"
done
echo ""
done
for resource in "${pressure_resources[@]}"; do
local interval
local printable_resource
interval="total"
printable_resource=$( get_printable_name resource "$resource" )
printf "multigraph linux_psi.%s_total\n" "$resource"
printf "graph_title %s Pressure Stall Information - Rate\n" "$printable_resource"
printf "graph_category system\n"
printf "graph_info Total PSI based latency rate caused by lack of %s resources.\n" "$printable_resource"
printf "graph_vlabel rate\n"
output_config "$resource" "$interval"
echo ""
done
printf "multigraph linux_psi\n"
printf "graph_title Pressure Stall Information - Average\n"
printf "graph_vlabel %%\n"
printf "graph_scale no\n"
printf "graph_category system\n"
printf "graph_info Average PSI based latency caused by lack of resources.\n"
for resource in "${pressure_resources[@]}"; do
output_config "$resource" "$summary_interval"
done
echo ""
}
iterate_values() {
for resource in "${pressure_resources[@]}"; do
printf "multigraph linux_psi.%s_avg\n" "$resource"
for interval in "${pressure_intervals[@]}"; do
output_values "$resource" "$interval"
done
echo ""
done
for resource in "${pressure_resources[@]}"; do
local interval
interval="total"
printf "multigraph linux_psi.%s_total\n" "$resource"
output_values "$resource" "$interval"
echo ""
done
printf "multigraph linux_psi\n"
for resource in "${pressure_resources[@]}"; do
output_values "$resource" "$summary_interval"
done
echo ""
}
output_config() {
local resource
local interval
local printable_resource
local printable_interval
resource="$1"
interval="$2"
printable_resource=$( get_printable_name resource "$resource" )
printable_interval=$( get_printable_name interval "$interval" )
for scope in "${pressure_scopes[@]}"; do
if [ "${resource}" == "cpu" ] && [ "${scope}" != "some" ]; then
continue
else
local printable_scope
local this_warn_var
local this_crit_var
printable_scope=$( get_printable_name scope "$scope" )
this_warn_var=$( echo "warn_psi_${resource}_${interval}_${scope}" | sed 's/[^A-Za-z0-9_]/_/g' )
this_crit_var=$( echo "crit_psi_${resource}_${interval}_${scope}" | sed 's/[^A-Za-z0-9_]/_/g' )
printf "psi_%s_%s_%s.min 0\n" "$resource" "$interval" "$scope"
printf "psi_%s_%s_%s.label %s %s %s\n" "$resource" "$interval" "$scope" "$printable_resource" "$printable_interval" "$printable_scope"
if [ -n "${!this_warn_var}" ]; then
printf "psi_%s_%s_%s.warning %s\n" "$resource" "$interval" "$scope" "${!this_warn_var}"
fi
if [ -n "${!this_crit_var}" ]; then
printf "psi_%s_%s_%s.critical %s\n" "$resource" "$interval" "$scope" "${!this_crit_var}"
fi
if [ "$interval" == "total" ]; then
printf "psi_%s_%s_%s.type DERIVE\n" "$resource" "$interval" "$scope"
fi
fi
done
}
output_values() {
local resource
local interval
resource="$1"
interval="$2"
for scope in "${pressure_scopes[@]}"; do
if [ "${resource}" == "cpu" ] && [ "${scope}" != "some" ]; then
continue
else
printf "psi_%s_%s_%s.value %s\n" "$resource" "$interval" "$scope" "$(get_pressure_value "$resource" "$interval" "$scope")"
fi
done
}
output_usage() {
printf >&2 "%s - munin plugin to graph pressure stall information for CPU, Memory and IO as reported by the Linux kernel.\n" "${0##*/}"
printf >&2 "Usage: %s [config]\n" "${0##*/}"
printf >&2 "You may use environment settings in a plugin-config file, used by munin (for example /etc/munin/plugin-conf.d/munin-node) to further adjust settings.\n"
printf >&2 "You can use these settings to configure which resources, intervals or scopes are monitored or to configure warning and critical levels.\n"
printf >&2 "To do so use a syntax like this:\n"
printf >&2 "[linux_psi]\n"
printf >&2 "env.resources cpu io memory\n"
printf >&2 "env.intervals avg10 avg60 avg300\n"
printf >&2 "env.scopes some full\n"
printf >&2 "env.summary_interval avg300\n"
printf >&2 "env.warn_psi_cpu_avg300_some 5\n"
printf >&2 "env.crit_psi_io_total_full 2000\n"
}
case "$#" in
0)
iterate_values
;;
1)
case "$1" in
autoconf)
check_autoconf
;;
config)
iterate_config
;;
fetch)
iterate_values
;;
*)
output_usage
exit 1
;;
esac
;;
*)
output_usage
exit 1
;;
esac
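Review bot: in `get_printable_name`, the `interval)` branch switches on `"$interval"` instead of `"$value"` (compare the `scope)` and `resource)` branches); it only works today because bash's dynamic scoping makes the caller's `interval` visible inside the function, so it should read `case "$value" in`. A second problem is user facing: munin-node hands `env.resources cpu io memory` to the plugin as one string, but `pressure_resources=( "${resources[@]:-${resource_defaults[@]}}" )` treats a scalar as a single array element, so any non-default `env.resources`, `env.intervals` or `env.scopes` with more than one word is iterated once as a value like `cpu io` and hits the `exit 2` branch. Splitting the string, e.g. `read -r -a pressure_resources <<< "${resources:-${resource_defaults[*]}}"`, and likewise for intervals and scopes, fixes it. Minor: `Sepcify` in the CONFIGURATION block, and `printable_interval` in `iterate_config` is computed but never used.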


@ -46,6 +46,7 @@
dest: '/usr/share/munin/plugins/{{ item }}' dest: '/usr/share/munin/plugins/{{ item }}'
loop: loop:
- dhcp_pool - dhcp_pool
- linux-psi
tags: tags:
- munin - munin
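Review bot: the plugin is installed and linked as `linux-psi`, but its own documentation and `output_usage` tell operators to configure it under `[linux_psi]`; munin-node matches plugin-conf.d section names against the plugin's link name, so a `[linux_psi]` block never applies to a plugin linked as `linux-psi` and the documented `env.warn_*`/`env.crit_*` settings silently do nothing. Either install and enable it as `linux_psi` (matching the `multigraph linux_psi` names it emits) or change the documented section name to `[linux-psi]`.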
@ -77,6 +78,7 @@
- postfix_mailqueue - postfix_mailqueue
- postfix_mailstats - postfix_mailstats
- postfix_mailvolume - postfix_mailvolume
- linux-psi
notify: restart munin-node notify: restart munin-node
tags: tags:
- munin - munin

webapps/gitea/LISEZMOI.md Normal file

@ -0,0 +1,49 @@
gitea
=====
This role installs a gitea server.
Note that apart from this LISEZMOI.md file, all files of the gitea role are written in English in order to follow the conventions of the Ansible community, to encourage its reuse and improvement, etc. You are nevertheless free to call this role from a playbook written mainly in French or any other language.
Requirements
------------
...
Role variables
--------------
Several of the default values in defaults/main.yml must be changed, either directly in defaults/main.yml or, better, by overriding them elsewhere, for example in your playbook (see the example below).
Dependencies
------------
This Ansible role depends on the following roles:
- nodejs
Example playbook
----------------
```
- name: "Deploy a gitea server"
hosts:
- all
vars:
# Override the role variables here
domains: ['votre-vrai-domaine.org']
service: 'mon-gitea'
roles:
- { role: webapps/gitea , tags: "gitea" }
```
License
-------
GPLv3
Author information
------------------
Mathieu Gauthier-Pilote, systems administrator at Evolix.

webapps/gitea/README.md Normal file

@ -0,0 +1,49 @@
gitea
=====
This role installs or upgrades the server for gitea.
FRENCH: Voir le fichier LISEZMOI.md pour le français.
Requirements
------------
...
Role Variables
--------------
Several of the default values in defaults/main.yml must be changed either directly in defaults/main.yml or better even by overwriting them somewhere else, for example in your playbook (see the example below).
Dependencies
------------
This Ansible role depends on the following other roles:
- nodejs
Example Playbook
----------------
```
- name: "Deploy an gitea server"
hosts:
- all
vars:
# Overwrite the role variable here
domains: ['your-real-domain.org']
service: 'my-gitea'
roles:
- { role: webapps/gitea , tags: "gitea" }
```
License
-------
GPLv3
Author Information
------------------
Mathieu Gauthier-Pilote, sys. admin. at Evolix.
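Review bot: the example playbook sets `domains` and `service`, but every variable the defaults, tasks and templates below read is prefixed (`gitea_domains`, `gitea_service`), so this example leaves `gitea_service` undefined and the play fails at the first `{{ gitea_service }}`; change it to `gitea_domains: ['your-real-domain.org']` and `gitea_service: 'my-gitea'`. The same stale names are in LISEZMOI.md. The Requirements section is still the `...` placeholder, and the play name reads `Deploy an gitea server` (a gitea server).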


@ -0,0 +1,14 @@
---
# defaults file for vars
gitea_system_dep: "['apt-transport-https', 'git', 'nginx', 'mariadb-server', 'mariadb-client', 'python3-mysqldb', 'redis-server', 'certbot']"
gitea_git_version: '1.21.3'
gitea_url: "https://dl.gitea.io/gitea/{{ gitea_git_version }}/gitea-{{ gitea_git_version }}-linux-amd64"
gitea_checksum: "sha256:ccf6cc2077401e382bca0d000553a781a42c9103656bd33ef32bf093cca570eb"
gitea_domains: ['example.domain.org']
gitea_certbot_admin_email: 'security@example.domain.org'
gitea_db_host: '127.0.0.1:3306'
gitea_db_name: "{{ gitea_service }}"
gitea_db_user: "{{ gitea_service }}"
gitea_db_password: 'UQ6_CHANGE_ME_Gzb'
gitea_redis_maxclients: '128'
gitea_redis_maxmemory: '300M'
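Review bot: `gitea_service` is used by every task and template (`/etc/gitea/{{ gitea_service }}.ini`, `gitea@{{ gitea_service }}`, the UNIX account) but has no default here, so a playbook that does not set it fails with an undefined variable; either give it a default or document it as mandatory in the README. `gitea_db_password: 'UQ6_CHANGE_ME_Gzb'` should not ship a working default at all: a forgotten override silently deploys a guessable password that also ends up in the ini, whereas no default (or `gitea_db_password: "{{ undef(hint='set the Gitea DB password') }}"`) makes the run fail. Style: `gitea_system_dep` is a string holding a Python list literal; write it as a YAML list so `apt: name:` receives a list without relying on Ansible's literal evaluation of strings.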


@ -0,0 +1,2 @@
---
# handlers file


@ -0,0 +1,52 @@
galaxy_info:
author: Mathieu Gauthier-Pilote
description: sys. admin.
company: Evolix
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license GPL-3.0-only
min_ansible_version: 2.10
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
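Review bot: `license: license GPL-3.0-only` has a stray word; the field takes the SPDX identifier alone (`license: GPL-3.0-only`). `description: sys. admin.` describes the author, not the role; galaxy expects something like `Install or upgrade a Gitea server behind nginx`. `dependencies: []` contradicts the README, which states the role depends on `nodejs`; one of the two should change.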


@ -0,0 +1,165 @@
---
# tasks file for gitea install
- name: Install main system dependencies
ansible.builtin.apt:
name: "{{ gitea_system_dep }}"
update_cache: yes
- name: Download gitea binary
ansible.builtin.get_url:
url: "{{ gitea_url }}"
dest: /usr/local/bin
checksum: "{{ gitea_checksum }}"
mode: '0755'
- name: Create symbolic link
ansible.builtin.file:
src: "/usr/local/bin/gitea-{{ gitea_git_version }}-linux-amd64"
dest: "/usr/local/bin/gitea"
state: link
- name: Add UNIX account
ansible.builtin.user:
name: "{{ gitea_service }}"
shell: /bin/bash
- name: Add www-data (nginx) to service's group
ansible.builtin.user:
name: www-data
#group: www-data
groups: "{{ gitea_service }}"
append: true
- name: Add database
ansible.builtin.mysql_db:
name: "{{ gitea_db_name }}"
- name: Add database user
ansible.builtin.mysql_user:
name: "{{ gitea_db_user }}"
password: "{{ gitea_db_password }}"
priv: "{{ gitea_db_name }}.*:{{privileges |default('SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,INDEX,ALTER,CREATE TEMPORARY TABLES')}}"
update_password: on_create
- name: Create the gitea conf dir if needed
ansible.builtin.file:
path: /etc/gitea
state: directory
mode: '0755'
- name: Template gitea ini file
ansible.builtin.template:
src: "gitea.ini.j2"
dest: "/etc/gitea/{{ gitea_service }}.ini"
owner: 'root'
group: "{{ gitea_service }}"
mode: '0660'
- name: Template gitea systemd unit
ansible.builtin.template:
src: "gitea.service.j2"
dest: "/etc/systemd/system/gitea@.service"
- name: Start gitea systemd unit
ansible.builtin.service:
name: "gitea@{{ gitea_service }}"
state: restarted
- name: Create the redis dir if needed
ansible.builtin.file:
path: /home/{{ gitea_service }}/redis
state: directory
owner: "{{ gitea_service }}"
group: "{{ gitea_service }}"
mode: '0750'
- name: Create the log dir if needed
ansible.builtin.file:
path: /home/{{ gitea_service }}/log
state: directory
owner: "{{ gitea_service }}"
group: "{{ gitea_service }}"
mode: '0750'
- name: Template redis conf
ansible.builtin.template:
src: "redis.conf.j2"
dest: "/home/{{ gitea_service }}/redis/redis.conf"
owner: "{{ gitea_service }}"
group: "{{ gitea_service }}"
mode: '0640'
- name: Template redis systemd unit
ansible.builtin.template:
src: "redis.service.j2"
dest: "/etc/systemd/system/redis@.service"
- name: Start redis systemd unit
ansible.builtin.service:
name: "redis@{{ gitea_service }}"
state: started
- name: Template nginx snippet for Let's Encrypt/Certbot
ansible.builtin.template:
src: "letsencrypt.conf.j2"
dest: "/etc/nginx/snippets/letsencrypt.conf"
- name: Check if SSL certificate is present and register result
ansible.builtin.stat:
path: "/etc/letsencrypt/live/{{ gitea_domains |first }}/fullchain.pem"
register: ssl
- name: Generate certificate only if required (first time)
block:
- name: Template vhost without SSL for successfull LE challengce
ansible.builtin.template:
src: "vhost.conf.j2"
dest: "/etc/nginx/sites-available/{{ gitea_service }}.conf"
- name: Enable temporary nginx vhost for gitea
ansible.builtin.file:
src: "/etc/nginx/sites-available/{{ gitea_service }}.conf"
dest: "/etc/nginx/sites-enabled/{{ gitea_service }}.conf"
state: link
- name: Reload nginx conf
ansible.builtin.service:
name: nginx
state: reloaded
- name: Make sure /var/lib/letsencrypt exists and has correct permissions
ansible.builtin.file:
path: /var/lib/letsencrypt
state: directory
mode: '0755'
- name: Generate certificate with certbot
ansible.builtin.shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ gitea_certbot_admin_email }} -d {{ gitea_domains |first }}
- name: Create the ssl dir if needed
ansible.builtin.file:
path: /etc/nginx/ssl
state: directory
mode: '0750'
- name: Template ssl bloc for nginx vhost
ansible.builtin.template:
src: "ssl.conf.j2"
dest: "/etc/nginx/ssl/{{ gitea_domains |first }}.conf"
when: ssl.stat.exists != true
- name: (Re)check if SSL certificate is present and register result
ansible.builtin.stat:
path: "/etc/letsencrypt/live/{{ gitea_domains |first }}/fullchain.pem"
register: ssl
- name: (Re)template conf file for nginx vhost with SSL
ansible.builtin.template:
src: "vhost.conf.j2"
dest: "/etc/nginx/sites-available/{{ gitea_service }}.conf"
- name: Enable nginx vhost for gitea
ansible.builtin.file:
src: "/etc/nginx/sites-available/{{ gitea_service }}.conf"
dest: "/etc/nginx/sites-enabled/{{ gitea_service }}.conf"
state: link
- name: Reload nginx conf
ansible.builtin.service:
name: nginx
state: reloaded
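Review bot: `ansible.builtin.mysql_db` and `ansible.builtin.mysql_user` are not builtin modules; they live in `community.mysql` and only resolve through the legacy redirect when that collection is installed, so name them `community.mysql.mysql_db` / `community.mysql.mysql_user` and declare the collection in the role's requirements. In the same task, `{{privileges |default(...)}}` is the one variable left without the `gitea_` prefix. Both unit files are templated and then acted on with `ansible.builtin.service` without a daemon reload and without `enabled: true`, so a changed unit is not picked up and neither `gitea@` nor `redis@` comes back after a reboot; use `ansible.builtin.systemd` with `daemon_reload: true` and `enabled: true`. The certbot step runs a plain command line through `shell:`, so `gitea_certbot_admin_email` is shell-interpreted; `command:` is enough there. Only `gitea_domains | first` ever gets a certificate or a vhost, which makes the list type misleading. The ini is written `mode: '0660'` and carries the DB password; `0640` is sufficient unless the role relies on Gitea writing generated secrets back into it. Typo in the block task name: `successfull LE challengce`.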


@ -0,0 +1,26 @@
---
# tasks file for gitea upgrade
- name: Download gitea binary
ansible.builtin.get_url:
url: "{{ gitea_url }}"
dest: /usr/local/bin
checksum: "{{ gitea_checksum }}"
mode: '0755'
- name: Create symbolic link
ansible.builtin.file:
src: "/usr/local/bin/gitea-{{ gitea_git_version }}-linux-amd64"
dest: "/usr/local/bin/gitea"
state: link
- name: Start gitea systemd unit
ansible.builtin.service:
name: "gitea@{{ gitea_service }}"
state: restarted
- name: Reload nginx conf
ansible.builtin.service:
name: nginx
state: reloaded
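Review bot: the upgrade path swaps the binary and restarts the service with no backup first and no check that `gitea_git_version` is actually newer than the running one; add a `gitea dump` (or at minimum a database dump) task before `Start gitea systemd unit`, because Gitea runs schema migrations on start and they are not reversible, and a downgrade through the same tasks would start an old binary against a migrated schema. The final `Reload nginx conf` touches nothing in nginx and can be dropped.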


@ -0,0 +1,39 @@
APP_NAME = Gitea
RUN_USER = {{ gitea_service }}
RUN_MODE = prod
[server]
PROTOCOL = unix
DOMAIN = {{ gitea_domains | first }}
HTTP_ADDR = /home/{{ gitea_service }}/gitea.sock
UNIX_SOCKET_PERMISSION = 660
OFFLINE_MODE = true
SSH_DOMAIN = {{ gitea_domains | first }}
ROOT_URL = https://{{ gitea_domains | first }}/
[repository]
ROOT = /home/{{ gitea_service }}/repositories
[log]
ROOT_PATH = /home/{{ gitea_service }}/log/
MODE = console
LEVEL = info
[i18n]
LANGS = fr-FR, en-US
NAMES = Français,English
[database]
DB_TYPE = mysql
HOST = {{ gitea_db_host }}
NAME = {{ gitea_db_name }}
USER = {{ gitea_db_user }}
PASSWD = {{ gitea_db_password }}
[session]
PROVIDER = redis
PROVIDER_CONFIG = network=unix,addr=/home/{{ gitea_service }}/redis/redis.sock,db=0,pool_size=100,idle_timeout=180
[cache]
ADAPTER = redis
HOST = network=unix,addr=/home/{{ gitea_service }}/redis/redis.sock,db=1,pool_size=100,idle_timeout=180
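Review bot: the config never sets `[security] INSTALL_LOCK = true`, so the first request to the freshly deployed ROOT_URL serves Gitea's web installer, and whoever reaches it first completes the setup and creates the admin account; set `INSTALL_LOCK = true` and, for a private forge, `[service] DISABLE_REGISTRATION = true` as well. `SECRET_KEY` and `INTERNAL_TOKEN` are also absent, so Gitea generates them on first start and writes them back into the ini (the reason the install tasks need the 0660 mode); generating them in the role with `gitea generate secret SECRET_KEY` / `gitea generate secret INTERNAL_TOKEN` and templating them in lets the file stay read-only for the service user. `PROTOCOL = unix` is the legacy spelling; the documented value for a UNIX socket is `http+unix`. `[log] MODE = console` ignores `ROOT_PATH`, so the log dir created by the tasks stays empty and output goes to the journal. Placing `gitea.sock` under `/home/{{ gitea_service }}` means nginx (www-data) must traverse the home directory; `/run/gitea` with `RuntimeDirectory=` in the unit avoids widening the home permissions.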


@ -0,0 +1,22 @@
[Unit]
Description=Gitea (Git with a cup of tea)
After=syslog.target
After=network.target
After=mysqld.service
[Service]
User=%i
Group=%i
Type=simple
RestartSec=2s
Restart=always
WorkingDirectory=/home/%i
ExecStart=/usr/local/bin/gitea web --config /etc/gitea/%i.ini
Environment=GITEA_WORK_DIR=/home/%i/internals
[Install]
WantedBy=multi-user.target
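Review bot: the unit applies no sandboxing, so a compromise of the Gitea process has everything the service user can reach; `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=strict` with `ReadWritePaths=/home/%i /etc/gitea` (the ini is written on first start, see the config hunk) cost nothing here. `After=syslog.target` is obsolete on systemd, and the MariaDB unit on Debian is `mariadb.service` (`mysqld.service` is only an alias symlink created when it is enabled), so `After=mariadb.service` is the reliable ordering.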


@ -0,0 +1,5 @@
location ~ /.well-known/acme-challenge {
alias /var/lib/letsencrypt/;
try_files $uri =404;
allow all;
}
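Review bot: `alias` inside a regex `location` without captures is what the nginx documentation warns against: in a regex location the alias value is taken as the complete path, so it is not obvious that `/.well-known/acme-challenge/<token>` ends up at `/var/lib/letsencrypt/.well-known/acme-challenge/<token>`, which is where `certbot --webroot-path /var/lib/letsencrypt` writes it. The regex is also unanchored with an unescaped dot. `location ^~ /.well-known/acme-challenge/ { root /var/lib/letsencrypt; }` expresses the intended mapping directly and takes priority over the `location /` redirect in the vhost.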


@ -0,0 +1,22 @@
bind 127.0.0.1 ::1
protected-mode yes
port 0
unixsocket /home/{{ gitea_service }}/redis/redis.sock
unixsocketperm 770
timeout 0
tcp-keepalive 300
loglevel notice
logfile /home/{{ gitea_service }}/log/redis-server.log
databases 16
save 900 1
save 300 10
save 60 10000
dbfilename dump.rdb
dir /home/{{ gitea_service }}/redis
maxclients {{ gitea_redis_maxclients }}
maxmemory {{ gitea_redis_maxmemory }}
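Review bot: `unixsocketperm 770` is wider than needed. Redis runs as `%i` (redis.service) and its only client is Gitea, which runs as the same user, so `unixsocketperm 700` works; with 770 the socket is open to the whole service group, which the install tasks extend to `www-data`, i.e. every nginx worker. No `requirepass` or ACL is configured, so the socket mode is the only access control on the session store and cache. `bind` and `protected-mode` are irrelevant with `port 0` but harmless.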


@ -0,0 +1,14 @@
[Unit]
Description=Advanced key-value store
After=network.target
[Service]
Type=simple
ExecStart=/usr/bin/redis-server /home/%i/redis/redis.conf
TimeoutStopSec=0
Restart=always
User=%i
Group=%i
[Install]
WantedBy=multi-user.target


@ -0,0 +1,22 @@
##
# Certificates
# you need a certificate to run in production. see https://letsencrypt.org/
##
ssl_certificate /etc/letsencrypt/live/{{ gitea_domains | first }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ gitea_domains | first }}/privkey.pem;
##
# Security hardening (as of Nov 15, 2020)
# based on Mozilla Guideline v5.6
##
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
ssl_session_timeout 1d; # defaults to 5m
ssl_session_cache shared:SSL:10m; # estimated to 40k sessions
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
# HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
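Review bot: `ssl_stapling on` with `ssl_stapling_verify on` needs a `resolver` directive (and `ssl_trusted_certificate` pointing at the issuer chain for verification) or nginx logs a warning and never staples; neither this snippet nor the vhost sets one. HSTS is left commented out, so HTTPS is enforced only by the 301 in the vhost; if the domain is HTTPS-only, move the `add_header` into the vhost's `location /` block as the comment itself suggests. The cipher list is the 2020 Mozilla intermediate set and still carries the CBC suites (`*-AES256-SHA384`, `*-AES128-SHA256`) that later revisions of that guideline dropped.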


@ -0,0 +1,38 @@
upstream gitea_{{ gitea_service }} {
server unix:/home/{{ gitea_service }}/gitea.sock;
}
server {
listen 80;
listen [::]:80;
server_name {{ gitea_domains | first }};
# For certbot
include /etc/nginx/snippets/letsencrypt.conf;
{% if ssl.stat.exists %}
location / { return 301 https://$host$request_uri; }
{% endif %}
}
{% if ssl.stat.exists %}
server {
listen 0.0.0.0:443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ gitea_domains | first }};
access_log /var/log/nginx/{{ gitea_service }}.access.log;
error_log /var/log/nginx/{{ gitea_service }}.error.log;
include /etc/nginx/snippets/letsencrypt.conf;
include /etc/nginx/ssl/{{ gitea_domains | first }}.conf;
location / {
proxy_pass http://gitea_{{ gitea_service }};
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_read_timeout 10;
}
}
{% endif %}
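Review bot: the proxy block has no `client_max_body_size`, so any `git push` over HTTPS larger than nginx's 1 MiB default is rejected with 413, and `proxy_read_timeout 10` makes a large clone or push fail after ten seconds without data from Gitea; Gitea's reverse-proxy documentation uses `client_max_body_size 512M` and a far longer read timeout. `proxy_set_header Host $host` is missing, so Gitea sees the upstream name rather than the requested host. The `include letsencrypt.conf` in the 443 server is redundant; certbot renewals use port 80.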


@ -0,0 +1,2 @@
localhost


@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- privatebin
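Review bot: the test playbook applies `privatebin`, not this role, and looks copied from another role's tests; point it at `webapps/gitea` (as in the README example) and set the mandatory `gitea_service` and `gitea_domains` vars, otherwise the CI run exercises nothing from this commit.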


@ -0,0 +1,2 @@
---
# vars file