Compare commits


16 commits

Author SHA1 Message Date
Mathieu Gauthier-Pilote 03fa6ab871 ansible.builtin. prefix for modules
2024-06-06 15:04:53 -04:00
Mathieu Gauthier-Pilote 90a578feaa Prefix variables with mattermost_ 2024-06-06 15:04:53 -04:00
Mathieu Gauthier-Pilote 464c49754d Now installs a LE SSL cert via certbot by default + configurable base path for user's home 2024-06-06 15:04:53 -04:00
Mathieu Gauthier-Pilote 59fdc7ea00 New role to install + upgrade Mattermost 2024-06-06 15:04:53 -04:00
Ludovic Poujol c524ffb472 bind: New variables to change IPs bind will listen on & send notify/transfer commands
2024-06-06 11:07:03 +02:00
Tom David--Broglio a7570a49a3 fail2ban: remount-usr added because it is needed for last task
2024-06-05 18:08:02 +02:00
Tom David--Broglio 0589271110 certbot: allow haproxy deploy hook to work with evoacme too
2024-06-05 17:13:50 +02:00
William Hirigoyen 1474f06927 lxc-solr: update solr9 version + fix URL in README
2024-06-05 15:42:16 +02:00
William Hirigoyen 114d857e89 lxc: new lxc_template_mirror option (useful to get old Debian from archive.debian.org)
2024-06-03 17:37:05 +02:00
William Hirigoyen aa13676cc4 log2mail: add missing default vars (see previous commit)
2024-05-31 10:21:58 +02:00
William Hirigoyen f05a6aa25c log2mail: task log2mail.yml of evolinux-base converted to a role
2024-05-31 10:12:05 +02:00
William Hirigoyen 56fbe99164 log2mail: add missing tags
2024-05-31 09:27:08 +02:00
David Prevot 229d2f366e Use lxc_php_container_name instead of lxc_php_version
Fixes phpXY-new containers build.
2024-05-27 12:04:13 +02:00
Alexis Ben Miloud--Josselin b7e24fc3ea evolinux-base: Create custom SSH configuration file
2024-05-24 11:57:50 +02:00
William Hirigoyen de953a30db Add munin: linux_psi contrib plugin
2024-05-23 11:48:08 +02:00
Jérémy Lecour aea1404a21 evolinux-base: install evobackup-client (default: true)
2024-05-21 18:26:33 +02:00
42 changed files with 1600 additions and 85 deletions


@ -13,8 +13,17 @@ The **patch** part is incremented if multiple releases happen the same month
### Added ### Added
* bind: New variables to change IPs bind will listen on & send notify/transfer commands
* evolinux-base: install evobackup-client (default: true)
* munin: add linux_psi contrib plugin
* evolinux-base: Create custom SSH configuration file
* lxc: new lxc_template_mirror option (useful to get old Debian from archive.debian.org)
### Changed ### Changed
* log2mail: task log2mail.yml of evolinux-base converted to a role
* lxc-solr: update solr9 version + fix URL in README
### Fixed ### Fixed
### Removed ### Removed
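Review bot: the Added section carries no entry for the Mattermost work that is part of this comparison (commits 59fdc7ea00, 464c49754d, 90a578feaa and 03fa6ab871 in the list above: new role, Let's Encrypt certificate via certbot by default, `mattermost_` variable prefix). If that role ships with this range, add a line such as `* mattermost: new role to install and upgrade Mattermost (LE certificate via certbot by default)` next to the other Added entries so the release notes match the commits.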
@ -29,6 +38,7 @@ The **patch** part is incremented if multiple releases happen the same month
### Changed ### Changed
* certbot: allow haproxy deploy hook to work with evoacme too (using env variables)
* evobackup-client: upstream release 24.05.1 * evobackup-client: upstream release 24.05.1
* evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers * evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers
* evolinux-users: improve SSH configuration * evolinux-users: improve SSH configuration
@ -38,6 +48,7 @@ The **patch** part is incremented if multiple releases happen the same month
### Fixed ### Fixed
* apt: use archive.debian.org with Buster * apt: use archive.debian.org with Buster
* fail2ban: remount-usr added because it is needed for last task
## [24.04] 2024-04-30 ## [24.04] 2024-04-30


@ -1,12 +1,26 @@
--- ---
bind_recursive_server: False bind_recursive_server: false
bind_authoritative_server: True bind_authoritative_server: true
bind_chroot_set: True bind_chroot_set: true
# Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths.
#bind_chroot_path: /var/chroot-bind
bind_systemd_service_path: /etc/systemd/system/bind9.service bind_systemd_service_path: /etc/systemd/system/bind9.service
bind_statistics_file: /var/run/named.stats bind_statistics_file: /var/run/named.stats
bind_log_file: /var/log/bind.log bind_log_file: /var/log/bind.log
bind_query_file: /var/log/bind_queries.log bind_query_file: /var/log/bind_queries.log
bind_query_file_enabled: False bind_query_file_enabled: false
bind_cache_dir: /var/cache/bind bind_cache_dir: /var/cache/bind
# String (bind syntax) of IPv4/ to listen on (or any by default)
# eg. "192.0.2.1; 192.0.2.3" or all interfaces : "any ;"
bind_listen_on_ipv4: "any;"
# String (bind syntax) of IPv6 to listen on (or any by default)
# eg. "2001:db8::1; 2001:db8::42" or all interfaces : "any ;" or not at all "none;"
bind_listen_on_ipv6: "any;"
# For server with multiples IP Adresses, enforce the usage of a specific IP for NOTIFY commands
bind_notify_source: ''
# For server with multiples IP Adresses, enforce the usage of a specific IP for TRANSFER commands
bind_transfer_source: ''
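Review bot: the comments on the four new variables have typos and leave the value format ambiguous: `IPv4/ to listen on` has a stray slash, and `multiples IP Adresses` should read `multiple IP addresses`. More importantly, state the contract explicitly: `bind_listen_on_ipv4` and `bind_listen_on_ipv6` must carry their own terminating `;` (the template wraps them as `listen-on { {{ bind_listen_on_ipv4 }} };`), whereas `bind_notify_source` and `bind_transfer_source` must be a bare address because the template appends the `;` itself. A value copied from one comment's example into the other variable produces a named.conf that named refuses to load.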


@ -4,18 +4,25 @@
// }; // };
options { options {
directory "{{ bind_cache_dir }}"; directory "{{ bind_cache_dir }}";
version "Bingo"; version "Bingo";
auth-nxdomain no; auth-nxdomain no;
masterfile-format text; masterfile-format text;
statistics-file "{{ bind_statistics_file }}"; statistics-file "{{ bind_statistics_file }}";
listen-on-v6 { any; }; listen-on { {{ bind_listen_on_ipv4 }} };
listen-on { any; }; listen-on-v6 { {{ bind_listen_on_ipv6 }} };
allow-query { localhost; }; {% if bind_notify_source is defined and bind_notify_source|length %}
allow-recursion { localhost; }; notify-source {{ bind_notify_source }};
allow-transfer { localhost; }; {% endif %}
{% if bind_transfer_source is defined and bind_transfer_source|length %}
transfer-source {{ bind_transfer_source }};
{% endif %}
allow-query { localhost; };
allow-recursion { localhost; };
allow-transfer { localhost; };
}; };
logging { logging {
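Review bot: the four new values are interpolated verbatim into the `options {}` block with no validation, so a malformed `bind_listen_on_ipv4` (for instance a missing `;`) or a bad `bind_notify_source` leaves named unable to start once the restart handler fires. A `named-checkconf` run before the handler restarts the service would turn that into a failed play rather than a down resolver. Also, since both source variables default to `''` in defaults/main.yml, the `is defined and` half of each condition is redundant; `{% if bind_notify_source | length %}` is enough.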


@ -1,4 +1,6 @@
#!/bin/sh #!/bin/sh
# /!\ MODIFIED to work with evoacme OR certbot
private_keys_dirs="/etc/ssl/private" # Only used for evoacme
error() { error() {
>&2 echo "${PROGNAME}: $1" >&2 echo "${PROGNAME}: $1"
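Review bot: `private_keys_dirs` is plural but holds a single directory; `private_keys_dir` (or `evoacme_private_key_dir`) reads as intended, and marking it `readonly` matches the script's other constants (`QUIET`, `haproxy_bin`).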
@ -13,7 +15,7 @@ daemon_found_and_running() {
test -n "$(pidof haproxy)" && test -n "${haproxy_bin}" test -n "$(pidof haproxy)" && test -n "${haproxy_bin}"
} }
found_renewed_lineage() { found_renewed_lineage() {
test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem" test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${private_key}"
} }
config_check() { config_check() {
${haproxy_bin} -c -f "${haproxy_config_file}" > /dev/null 2>&1 ${haproxy_bin} -c -f "${haproxy_config_file}" > /dev/null 2>&1
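Review bot: `found_renewed_lineage` now depends on the global `private_key`, which is only assigned inside `main` a few lines before this function is called; it works, but the dependency is invisible at the definition. Either pass the path in (`found_renewed_lineage "${private_key}"` with `test -f "$1"` inside) or add a comment stating that `main` must set `private_key` first.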
@ -24,7 +26,7 @@ concat_files() {
chown root: "${haproxy_cert_dir}" chown root: "${haproxy_cert_dir}"
debug "Concatenating certificate files to ${haproxy_cert_file}" debug "Concatenating certificate files to ${haproxy_cert_file}"
cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}" cat "${RENEWED_LINEAGE}/fullchain.pem" "${private_key}" > "${haproxy_cert_file}"
chmod 600 "${haproxy_cert_file}" chmod 600 "${haproxy_cert_file}"
chown root: "${haproxy_cert_file}" chown root: "${haproxy_cert_file}"
} }
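Review bot: in `concat_files` the combined file is written by `cat ... > "${haproxy_cert_file}"` and only then restricted with `chmod 600`, so under a permissive umask the private key is briefly readable by other local users. This predates the change, but since the `cat` line is being edited here, creating the file with restrictive permissions first (`install -m 600 /dev/null "${haproxy_cert_file}"` before the `cat`, or running the concatenation under `umask 077`) closes that window.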
@ -58,10 +60,19 @@ main() {
if daemon_found_and_running; then if daemon_found_and_running; then
readonly haproxy_config_file="/etc/haproxy/haproxy.cfg" readonly haproxy_config_file="/etc/haproxy/haproxy.cfg"
readonly haproxy_cert_dir=$(detect_haproxy_cert_dir) readonly haproxy_cert_dir=$(detect_haproxy_cert_dir)
if [ -z "${EVOACME_VHOST_NAME}" ]; then
# CERTBOT
private_key=${RENEWED_LINEAGE}/privkey.pem
cert_name=$(basename "${RENEWED_LINEAGE}")
else
# EVOACME
private_key=${private_keys_dirs}/$(basename $(dirname ${RENEWED_LINEAGE})).key
cert_name=$(basename $(dirname "${RENEWED_LINEAGE}"))
fi
if found_renewed_lineage; then if found_renewed_lineage; then
haproxy_cert_file="${haproxy_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem" haproxy_cert_file="${haproxy_cert_dir}/${cert_name}.pem"
failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem" failed_cert_file="/root/${cert_name}.failed.pem"
concat_files concat_files
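Review bot: in the EVOACME branch `$(basename $(dirname ${RENEWED_LINEAGE}))` is left unquoted while the `cert_name` line right below quotes the same expansion, so a lineage path with whitespace or glob characters would make the two disagree. Both derive the same name, so compute `cert_name` first and reuse it: `private_key="${private_keys_dirs}/${cert_name}.key"`. The branch selection on `-z "${EVOACME_VHOST_NAME}"` also means a certbot run from an environment that happens to export that variable is treated as evoacme; a comment stating that evoacme always exports it (or a check on the evoacme key file's presence) would make the intent clear.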
@ -77,7 +88,8 @@ main() {
error "HAProxy config is broken, you must fix it !" error "HAProxy config is broken, you must fix it !"
fi fi
else else
error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem"
error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or "${private_key}""
fi fi
else else
debug "HAProxy is not running or missing. Skip." debug "HAProxy is not running or missing. Skip."
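Review bot: the new error line nests double quotes: `error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or "${private_key}""` closes the string before `${private_key}` and reopens it after, which happens to concatenate into one argument but is fragile and is what shellcheck flags. Write it as `error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${private_key}"`.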
@ -91,3 +103,4 @@ readonly QUIET=${QUIET:-"0"}
readonly haproxy_bin=$(command -v haproxy) readonly haproxy_bin=$(command -v haproxy)
main main


@ -243,3 +243,6 @@ evolinux_utils_include: True
# Autosysadmin # Autosysadmin
evolinux_autosysadmin_include: false evolinux_autosysadmin_include: false
# Evobackup client
evolinux_evobackup_client_include: True
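Review bot: `evolinux_evobackup_client_include: True` uses a capitalised boolean while the neighbouring `evolinux_autosysadmin_include: false` is lowercase, and the bind defaults in this same range were just normalised to lowercase; use `true`. Since this installs the backup client on every evolinux host by default, the CHANGELOG entry would benefit from saying so more plainly than "(default: true)".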


@ -74,11 +74,6 @@
name: postfix name: postfix
state: reloaded state: reloaded
- name: restart log2mail
ansible.builtin.service:
name: log2mail
state: restarted
- name: restart systemd-journald - name: restart systemd-journald
ansible.builtin.service: ansible.builtin.service:
name: systemd-journald.service name: systemd-journald.service
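Review bot: removing `restart log2mail` from the evolinux-base handlers is only safe if no remaining evolinux-base task still notifies it; the handler now lives in the `evolix/log2mail` role, and a leftover `notify: restart log2mail` in evolinux-base would fail at runtime as an unknown handler. Grep the role for that string before merging.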


@ -116,7 +116,8 @@
when: evolinux_provider_orange_fce_include | bool when: evolinux_provider_orange_fce_include | bool
- name: Override Log2mail service - name: Override Log2mail service
ansible.builtin.import_tasks: log2mail.yml ansible.builtin.include_role:
name: evolix/log2mail
when: evolinux_log2mail_include | bool when: evolinux_log2mail_include | bool
- ansible.builtin.import_tasks: motd.yml - ansible.builtin.import_tasks: motd.yml
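Review bot: `ansible.builtin.include_role` is a dynamic include, so tags on this task do not reach the role's tasks, and the log2mail role's tasks drop their `- log2mail` tags in this same change; a `--tags log2mail` run will therefore no longer touch the log2mail configuration. Add `tags: [log2mail]` together with `apply: { tags: [log2mail] }` on the include, or use `ansible.builtin.import_role`, which is static and inherits tags like the `import_tasks` it replaces.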
@ -158,6 +159,11 @@
name: 'evolix/autosysadmin-restart_nrpe' name: 'evolix/autosysadmin-restart_nrpe'
when: evolinux_autosysadmin_include | bool when: evolinux_autosysadmin_include | bool
- name: Evobackup (client)
ansible.builtin.include_role:
name: 'evolix/evobackup-client'
when: evolinux_evobackup_client_include | bool
- name: fail2ban - name: fail2ban
ansible.builtin.include_role: ansible.builtin.include_role:
name: evolix/fail2ban name: evolix/fail2ban
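Review bot: because `ansible.builtin.include_role` is dynamic, any tags later put on the new evobackup-client task would not propagate to the role's tasks without `apply:`; also the role name is quoted here (`'evolix/evobackup-client'`) while `evolix/fail2ban` just below is not, so pick one style.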


@ -16,6 +16,14 @@
dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
mode: "0644" mode: "0644"
- name: create custom SSH server configuration file
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/zzz-evolinux-custom.conf
state: touch
mode: "0644"
modification_time: preserve
access_time: preserve
# Should we allow the current user? # Should we allow the current user?
- name: Allow the current user - name: Allow the current user
block: block:
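Review bot: sshd uses the first value it obtains for each single-valued keyword and reads `sshd_config.d/*.conf` in lexical order, so `zzz-evolinux-custom.conf` is parsed after `z-evolinux-defaults.conf` and cannot override anything that file already sets; it can only add keywords the defaults leave unset. If the intent is a local override file, it has to sort before the defaults; if it is only an extension point, say so in the task name or a comment so nobody expects overrides from it to take effect. Also, `ansible.builtin.file` with `state: touch` does not set ownership; add `owner: root` and `group: root` to match the defaults file.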


@ -112,6 +112,9 @@
tags: tags:
- fail2ban - fail2ban
- include_role:
name: evolix/remount-usr
- name: Script unban_ip is installed - name: Script unban_ip is installed
ansible.builtin.copy: ansible.builtin.copy:
src: unban_ip.sh src: unban_ip.sh
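Review bot: the new `include_role` task differs from its neighbours in two ways that matter: it uses the short module name while the rest of this range was just converted to `ansible.builtin.` FQCNs, and it carries no `tags: - fail2ban`, so a `--tags fail2ban` run skips the remount and the copy task this remount exists for still fails on a read-only /usr, which is the exact failure the commit sets out to fix. Add the FQCN and the tag (with `apply: { tags: [fail2ban] }`, since `include_role` is dynamic).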


@ -0,0 +1,3 @@
---
log2mail_alert_email: Null
general_alert_email: "root@localhost"
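Review bot: `log2mail_alert_email: Null` relies on YAML's case-insensitive null spelling; the conventional lowercase `null` (or `~`) makes it read as intentionally unset rather than a string. Does `general_alert_email` also exist in evolinux-base? As a role default it has the lowest precedence so redefining it here is safe, but a comment saying it is a fallback for standalone use of the role would avoid surprise.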


@ -0,0 +1,5 @@
---
- name: restart log2mail
ansible.builtin.service:
name: log2mail
state: restarted


@ -23,18 +23,14 @@
marker: "# {mark} ANSIBLE MANAGED RULES FOR DEFAULT INSTANCE" marker: "# {mark} ANSIBLE MANAGED RULES FOR DEFAULT INSTANCE"
state: absent state: absent
notify: restart log2mail notify: restart log2mail
tags:
- log2mail
- name: log2mail evolinux-defaults config is present - name: log2mail evolinux-defaults config is present
ansible.builtin.template: ansible.builtin.template:
src: log2mail/evolinux-defaults.j2 src: evolinux-defaults.j2
dest: /etc/log2mail/config/evolinux-defaults dest: /etc/log2mail/config/evolinux-defaults
owner: log2mail owner: log2mail
group: adm group: adm
mode: "0640" mode: "0640"
force: yes force: yes
notify: restart log2mail notify: restart log2mail
tags:
- log2mail
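Review bot: besides the template path, this hunk drops the `tags: - log2mail` entries from both tasks; inside a role that evolinux-base now pulls in through a dynamic `include_role`, that removes the only way to select them with `--tags log2mail`. Keep the tags (or apply them from the include). While here, `force: yes` could become `force: true` to match the boolean style used elsewhere in this range.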


@ -1,11 +1,11 @@
--- ---
- name: "{{ lxc_php_version }} - Install PHP packages" - name: "{{ lxc_php_container_name }} - Install PHP packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install --yes --force-yes php5-fpm php5-cli php5-gd php5-imap php5-ldap php5-mcrypt php5-mysql php5-pgsql php5-sqlite php-gettext php5-intl php5-curl php5-ssh2 libphp-phpmailer" container_command: "DEBIAN_FRONTEND=noninteractive apt install --yes --force-yes php5-fpm php5-cli php5-gd php5-imap php5-ldap php5-mcrypt php5-mysql php5-pgsql php5-sqlite php-gettext php5-intl php5-curl php5-ssh2 libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
ansible.builtin.template: ansible.builtin.template:
src: z-evolinux-defaults.ini.j2 src: z-evolinux-defaults.ini.j2
dest: "{{ line_item }}" dest: "{{ line_item }}"
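Review bot: the renamed task still runs `apt install --yes --force-yes`; `--force-yes` disables apt's package authentication checks (and is deprecated), so an unsigned or tampered package from the mirror would be installed without complaint. This is a rename-only change so it is fair to leave it, but a follow-up replacing it with plain `--yes` (or, if the archived jessie repository truly needs it, the narrower `--allow-unauthenticated`) is worth scheduling.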


@ -1,11 +1,11 @@
--- ---
- name: "{{ lxc_php_version }} - Install PHP packages" - name: "{{ lxc_php_container_name }} - Install PHP packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mcrypt php-mysql php-pgsql php-sqlite3 php-gettext php-curl php-ssh2 php-zip php-mbstring composer libphp-phpmailer" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mcrypt php-mysql php-pgsql php-sqlite3 php-gettext php-curl php-ssh2 php-zip php-mbstring composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
ansible.builtin.template: ansible.builtin.template:
src: z-evolinux-defaults.ini.j2 src: z-evolinux-defaults.ini.j2
dest: "{{ line_item }}" dest: "{{ line_item }}"


@ -1,17 +1,17 @@
--- ---
- name: "{{ lxc_php_version }} - Install PHP packages" - name: "{{ lxc_php_container_name }} - Install PHP packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - fix bullseye repository" - name: "{{ lxc_php_container_name }} - fix bullseye repository"
ansible.builtin.replace: ansible.builtin.replace:
dest: "{{ lxc_rootfs }}/etc/apt/sources.list" dest: "{{ lxc_rootfs }}/etc/apt/sources.list"
regexp: 'bullseye/updates' regexp: 'bullseye/updates'
replace: 'bullseye-security' replace: 'bullseye-security'
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
ansible.builtin.template: ansible.builtin.template:
src: z-evolinux-defaults.ini.j2 src: z-evolinux-defaults.ini.j2
dest: "{{ line_item }}" dest: "{{ line_item }}"
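Review bot: `php-zip` appears twice in the `apt install` package list on the install task (the same duplicate shows up in the other lxc-php playbooks in this range); apt tolerates it, but deduplicating while these lines are being touched keeps the list honest.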


@ -5,18 +5,18 @@
lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
- name: "{{ lxc_php_version }} - Install dependency packages" - name: "{{ lxc_php_container_name }} - Install dependency packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
- name: "{{ lxc_php_version }} - fix bullseye repository" - name: "{{ lxc_php_container_name }} - fix bullseye repository"
ansible.builtin.replace: ansible.builtin.replace:
dest: "{{ lxc_rootfs }}/etc/apt/sources.list" dest: "{{ lxc_rootfs }}/etc/apt/sources.list"
regexp: 'bullseye/updates' regexp: 'bullseye/updates'
replace: 'bullseye-security' replace: 'bullseye-security'
- name: "{{ lxc_php_version }} - Add sury repo" - name: "{{ lxc_php_container_name }} - Add sury repo"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list" dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list"
line: "{{ item }}" line: "{{ item }}"
@ -51,17 +51,17 @@
owner: root owner: root
group: root group: root
- name: "{{ lxc_php_version }} - Update APT cache" - name: "{{ lxc_php_container_name }} - Update APT cache"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt update" container_command: "DEBIAN_FRONTEND=noninteractive apt update"
- name: "{{ lxc_php_version }} - Install PHP packages" - name: "{{ lxc_php_container_name }} - Install PHP packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
ansible.builtin.template: ansible.builtin.template:
src: z-evolinux-defaults.ini.j2 src: z-evolinux-defaults.ini.j2
dest: "{{ line_item }}" dest: "{{ line_item }}"


@ -4,18 +4,18 @@
ansible.builtin.set_fact: ansible.builtin.set_fact:
lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
- name: "{{ lxc_php_version }} - Install dependency packages" - name: "{{ lxc_php_container_name }} - Install dependency packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
- name: "{{ lxc_php_version }} - fix bullseye repository" - name: "{{ lxc_php_container_name }} - fix bullseye repository"
ansible.builtin.replace: ansible.builtin.replace:
dest: "{{ lxc_rootfs }}/etc/apt/sources.list" dest: "{{ lxc_rootfs }}/etc/apt/sources.list"
regexp: 'bullseye/updates' regexp: 'bullseye/updates'
replace: 'bullseye-security' replace: 'bullseye-security'
- name: "{{ lxc_php_version }} - Add sury repo" - name: "{{ lxc_php_container_name }} - Add sury repo"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list" dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list"
line: "{{ item }}" line: "{{ item }}"
@ -50,17 +50,17 @@
owner: root owner: root
group: root group: root
- name: "{{ lxc_php_version }} - Update APT cache" - name: "{{ lxc_php_container_name }} - Update APT cache"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt update" container_command: "DEBIAN_FRONTEND=noninteractive apt update"
- name: "{{ lxc_php_version }} - Install PHP packages" - name: "{{ lxc_php_container_name }} - Install PHP packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
ansible.builtin.template: ansible.builtin.template:
src: z-evolinux-defaults.ini.j2 src: z-evolinux-defaults.ini.j2
dest: "{{ line_item }}" dest: "{{ line_item }}"


@ -4,24 +4,24 @@
ansible.builtin.set_fact: ansible.builtin.set_fact:
lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
- name: "{{ lxc_php_version }} - Install dependency packages" - name: "{{ lxc_php_container_name }} - Install dependency packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
- name: "{{ lxc_php_version }} - delete sources.list bookworm repository" - name: "{{ lxc_php_container_name }} - delete sources.list bookworm repository"
ansible.builtin.file: ansible.builtin.file:
path: "{{ lxc_rootfs }}/etc/apt/sources.list" path: "{{ lxc_rootfs }}/etc/apt/sources.list"
state: absent state: absent
- name: "{{ lxc_php_version }} - system bookworm repository" - name: "{{ lxc_php_container_name }} - system bookworm repository"
ansible.builtin.template: ansible.builtin.template:
src: bookworm_basics.sources.j2 src: bookworm_basics.sources.j2
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/system.sources" dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/system.sources"
force: true force: true
mode: "0644" mode: "0644"
- name: "{{ lxc_php_version }} - security bookworm repository" - name: "{{ lxc_php_container_name }} - security bookworm repository"
ansible.builtin.template: ansible.builtin.template:
src: bookworm_security.sources.j2 src: bookworm_security.sources.j2
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/security.sources" dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/security.sources"
@ -44,17 +44,17 @@
owner: root owner: root
group: root group: root
- name: "{{ lxc_php_version }} - Update APT cache" - name: "{{ lxc_php_container_name }} - Update APT cache"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt update" container_command: "DEBIAN_FRONTEND=noninteractive apt update"
- name: "{{ lxc_php_version }} - Install PHP packages" - name: "{{ lxc_php_container_name }} - Install PHP packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
ansible.builtin.template: ansible.builtin.template:
src: z-evolinux-defaults.ini.j2 src: z-evolinux-defaults.ini.j2
dest: "{{ line_item }}" dest: "{{ line_item }}"


@ -4,38 +4,38 @@
ansible.builtin.set_fact: ansible.builtin.set_fact:
lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
- name: "{{ lxc_php_version }} - Install dependency packages" - name: "{{ lxc_php_container_name }} - Install dependency packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
- name: "{{ lxc_php_version }} - delete sources.list bookworm repository" - name: "{{ lxc_php_container_name }} - delete sources.list bookworm repository"
ansible.builtin.file: ansible.builtin.file:
path: "{{ lxc_rootfs }}/etc/apt/sources.list" path: "{{ lxc_rootfs }}/etc/apt/sources.list"
state: absent state: absent
- name: "{{ lxc_php_version }} - system bookworm repository" - name: "{{ lxc_php_container_name }} - system bookworm repository"
ansible.builtin.template: ansible.builtin.template:
src: bookworm_basics.sources.j2 src: bookworm_basics.sources.j2
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/system.sources" dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/system.sources"
force: true force: true
mode: "0644" mode: "0644"
- name: "{{ lxc_php_version }} - security bookworm repository" - name: "{{ lxc_php_container_name }} - security bookworm repository"
ansible.builtin.template: ansible.builtin.template:
src: bookworm_security.sources.j2 src: bookworm_security.sources.j2
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/security.sources" dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/security.sources"
force: true force: true
mode: "0644" mode: "0644"
- name: "{{ lxc_php_version }} - Add sury repo" - name: "{{ lxc_php_container_name }} - Add sury repo"
ansible.builtin.template: ansible.builtin.template:
src: sury.sources.j2 src: sury.sources.j2
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.sources" dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.sources"
force: true force: true
mode: "0644" mode: "0644"
- name: "{{ lxc_php_version }} - Add sury failsafe repo" - name: "{{ lxc_php_container_name }} - Add sury failsafe repo"
ansible.builtin.template: ansible.builtin.template:
src: evolix_sury.sources.j2 src: evolix_sury.sources.j2
dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/evolix_sury.sources" dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/evolix_sury.sources"
@ -66,17 +66,17 @@
owner: root owner: root
group: root group: root
- name: "{{ lxc_php_version }} - Update APT cache" - name: "{{ lxc_php_container_name }} - Update APT cache"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt update" container_command: "DEBIAN_FRONTEND=noninteractive apt update"
- name: "{{ lxc_php_version }} - Install PHP packages" - name: "{{ lxc_php_container_name }} - Install PHP packages"
community.general.lxc_container: community.general.lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_container_name }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
ansible.builtin.template: ansible.builtin.template:
src: z-evolinux-defaults.ini.j2 src: z-evolinux-defaults.ini.j2
dest: "{{ line_item }}" dest: "{{ line_item }}"


@ -15,7 +15,7 @@ Since this role depend on the lxc role, please refer to it for a full variable l
* `lxc_containers`: list of LXC containers to create. Default: `[]` (empty). * `lxc_containers`: list of LXC containers to create. Default: `[]` (empty).
* `name`: name of the LXC container to create. * `name`: name of the LXC container to create.
* `release`: Debian version to install * `release`: Debian version to install
* `solr_version`: Solr version to install *(refer to https://archive.apache.org/dist/lucene/solr/ for a full version list)* * `solr_version`: Solr version to install *(refer to https://archive.apache.org/dist/solr/solr/ for a full version list)*
* `solr_port`: port for Solr to listen on * `solr_port`: port for Solr to listen on
Eg.: Eg.:
``` ```


@ -16,7 +16,7 @@
# solr_port: 8985 # solr_port: 8985
# - name: solr9 # - name: solr9
# release: bullseye # release: bullseye
# solr_version: 9.0.0 # solr_version: 9.6.1
# solr_port: 8985 # solr_port: 8985
lxc_containers: [] lxc_containers: []


@ -8,6 +8,10 @@ lxc_network_type: "none"
# Partition to bind mount into containers. # Partition to bind mount into containers.
lxc_mount_part: "/home" lxc_mount_part: "/home"
# Mirror URL (optionnal).
# For old Debian, use https://archive.debian.org/debian/
lxc_template_mirror: ""
# List of LXC containers to create. # List of LXC containers to create.
# Eg.: # Eg.:
# lxc_containers: # lxc_containers:
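Review bot: typo `optionnal` → `optional` in the new comment. It would also help to state the expected format: the value is handed to the Debian LXC template as `--mirror`, so it must be a full URL ending in `/debian/` as in the example, and an `https://` mirror should be the documented norm since the container rootfs is fetched from it.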


@ -6,13 +6,16 @@
check_mode: no check_mode: no
register: container_exists register: container_exists
- ansible.builtin.set_fact:
lxc_template_mirror_option: "{{ '--mirror ' + lxc_template_mirror if lxc_template_mirror != '' else '' }}"
- name: "Create container {{ name }}" - name: "Create container {{ name }}"
community.general.lxc_container: community.general.lxc_container:
name: "{{ name }}" name: "{{ name }}"
container_log: true container_log: true
template: debian template: debian
state: stopped state: stopped
template_options: "--arch amd64 --release {{ release }}" template_options: "--arch amd64 --release {{ release }} {{ lxc_template_mirror_option }}"
when: container_exists.stdout_lines | length == 0 when: container_exists.stdout_lines | length == 0
- name: "Disable network configuration inside container {{ name }}" - name: "Disable network configuration inside container {{ name }}"
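Review bot: the new `set_fact` task has no `name:` and interpolates `lxc_template_mirror` unquoted into `template_options`, which is handed to the container template as a space-separated argument string; a value containing whitespace or unexpected characters would turn into extra arguments on the `lxc-create` template command line. Suggest naming the task and validating the variable first, for example an `ansible.builtin.assert` that `lxc_template_mirror is match('^(https?://\S+)?$')`, so only a well-formed URL or the empty default reaches `--mirror`. Minor: with the empty default the rendered `template_options` ends in a trailing space (`--release {{ release }} `); `| trim` would keep it tidy.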

@ -0,0 +1,360 @@
#!/bin/bash
: << =cut
=head1 NAME
linux_psi - Plugin to monitor the pressure stall information for CPU, Memory and
IO as reported by the Linux kernel.
This plugin monitors the pressure stall information (psi) as reported by the
Linux Kernel. By default it reports all average intervals (10 seconds,
60 seconds and 300 seconds) as well as the total values as a rate of change
(DERIVE) for all resources (cpu, memory, io). The average intervals can be
configured if you only deem some of them useful. See CONFIGURATION for
explanations on that.
This is a multigraph plugin that, by default, will create six detail graphs and
one summary graph (so seven in total). The summary graph will contain the 300
seconds average percentages of all resources. The detail graphs are split in two
graphs per resource. One combining all average intervals and one for the
"totals" (rate of change) for the given resource.
There are no defaults for warnings and criticals, because this highly depends on
the system, so you need to configure them yourself (if you want any). It is
recommended that you first lookup the meaning of the different values.
For more information on psi see:
https://www.kernel.org/doc/html/latest/accounting/psi.html
=head1 CONFIGURATION
Simply create a symlink in your plugins directory like with any other plugin.
No additional configuration needed, no specific user required (typically).
If you want to configure alerts, just add "warn_" or "crit_" in front of the
internal name.
Optional configuration examples:
[linux_psi]
env.resources cpu io memory - Specify the resources to monitor. Leave one
out if you don't want this one to be
monitored.
env.intervals avg10 avg60 avg300 - Sepcify the average intervals to monitor.
Leave one out if you don't want this one to
be monitored
env.scopes some full - Specify the scopes to monitor. Leave one out
If you don't want it to be monitored.
env.summary_interval avg300 - Specify the interval to be used for the
summary-graph.
env.warn_psi_cpu_avg300_some 5 - Set a warning-level of 5 for
"psi_cpu_avg300_some"
env.crit_psi_io_total_full 2000 - Set a critical-level of 2000 for
"psi_io_total_full"
=head1 AUTHOR
2022, HaseHarald
=head1 LICENSE
LGPLv3
=head1 BUGS
=head1 TODO
=head1 MAGIC MARKERS
#%# family=auto
#%# capabilities=autoconf
=cut
# This file contains a munin-plugin to graph the psi (pressure) for CPU, Memory
# and IO, as reported by the Linux kernel.
#
# This is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with this plugin. If not, see <http://www.gnu.org/licenses/>.
resource_defaults=('cpu' 'io' 'memory')
interval_defaults=('avg10' 'avg60' 'avg300')
scope_defaults=('some' 'full')
pressure_dir=${pressure_dir:-'/proc/pressure/'}
pressure_resources=( "${resources[@]:-${resource_defaults[@]}}" )
pressure_intervals=( "${intervals[@]:-${interval_defaults[@]}}" )
pressure_scopes=( "${scopes[@]:-${scope_defaults[@]}}" )
summary_interval="${summary_interval:-avg300}"
check_autoconf() {
if [ -d "${pressure_dir}" ]; then
printf "yes\n"
else
printf "no (%s not found)\n" "${pressure_dir}"
fi
}
get_pressure_value() {
local resource
local interval
local scope
resource="$1"
interval="$2"
scope="${3:-some}"
grep "$scope" "${pressure_dir}/${resource}" | grep -o -E "${interval}=[0-9]{1,}(\.[0-9]{1,}){0,1}" | cut -d '=' -f 2
}
get_printable_name() {
local kind
local value
local printable_name
kind="$1"
value="$2"
printable_name=""
case "$kind" in
interval)
case "$interval" in
avg10)
printable_name="10sec"
;;
avg60)
printable_name="60sec"
;;
avg300)
printable_name="5min"
;;
total)
printable_name="Total"
;;
*)
printf "ERROR: Could not determine interval %s ! Must be one of 'avg10' 'avg60' 'avg300' 'total'\n" "$value" >&2
exit 2
;;
esac
;;
scope)
case "$value" in
some)
printable_name="Some"
;;
full)
printable_name="Full"
;;
*)
printf "ERROR: Could not determine scope %s ! Must be one of 'full' 'some'.\n" "$value" >&2
exit 2
;;
esac
;;
resource)
case "$value" in
cpu)
printable_name="CPU"
;;
io)
printable_name="IO"
;;
memory)
printable_name="Memory"
;;
*)
printf "ERROR: Could not determine resource-type %s ! Must be one of 'cpu' 'io' 'memory'.\n" "$value" >&2
exit 2
;;
esac
;;
*)
printf "ERROR: Could not determine kind %s ! Must be one of 'interval' 'scope' 'resource'\n" "$kind" >&2
exit 2
;;
esac
printf "%s" "$printable_name"
}
iterate_config() {
for resource in "${pressure_resources[@]}"; do
local printable_resource
printable_resource=$( get_printable_name resource "$resource" )
printf "multigraph linux_psi.%s_avg\n" "$resource"
printf "graph_title %s Pressure Stall Information - Average\n" "$printable_resource"
printf "graph_category system\n"
printf "graph_info Average PSI based latency caused by lack of %s resources.\n" "$printable_resource"
printf "graph_vlabel %%\n"
printf "graph_scale no\n"
for interval in "${pressure_intervals[@]}"; do
local printable_interval
printable_interval=$( get_printable_name interval "$interval" )
output_config "$resource" "$interval"
done
echo ""
done
for resource in "${pressure_resources[@]}"; do
local interval
local printable_resource
interval="total"
printable_resource=$( get_printable_name resource "$resource" )
printf "multigraph linux_psi.%s_total\n" "$resource"
printf "graph_title %s Pressure Stall Information - Rate\n" "$printable_resource"
printf "graph_category system\n"
printf "graph_info Total PSI based latency rate caused by lack of %s resources.\n" "$printable_resource"
printf "graph_vlabel rate\n"
output_config "$resource" "$interval"
echo ""
done
printf "multigraph linux_psi\n"
printf "graph_title Pressure Stall Information - Average\n"
printf "graph_vlabel %%\n"
printf "graph_scale no\n"
printf "graph_category system\n"
printf "graph_info Average PSI based latency caused by lack of resources.\n"
for resource in "${pressure_resources[@]}"; do
output_config "$resource" "$summary_interval"
done
echo ""
}
iterate_values() {
for resource in "${pressure_resources[@]}"; do
printf "multigraph linux_psi.%s_avg\n" "$resource"
for interval in "${pressure_intervals[@]}"; do
output_values "$resource" "$interval"
done
echo ""
done
for resource in "${pressure_resources[@]}"; do
local interval
interval="total"
printf "multigraph linux_psi.%s_total\n" "$resource"
output_values "$resource" "$interval"
echo ""
done
printf "multigraph linux_psi\n"
for resource in "${pressure_resources[@]}"; do
output_values "$resource" "$summary_interval"
done
echo ""
}
output_config() {
local resource
local interval
local printable_resource
local printable_interval
resource="$1"
interval="$2"
printable_resource=$( get_printable_name resource "$resource" )
printable_interval=$( get_printable_name interval "$interval" )
for scope in "${pressure_scopes[@]}"; do
if [ "${resource}" == "cpu" ] && [ "${scope}" != "some" ]; then
continue
else
local printable_scope
local this_warn_var
local this_crit_var
printable_scope=$( get_printable_name scope "$scope" )
this_warn_var=$( echo "warn_psi_${resource}_${interval}_${scope}" | sed 's/[^A-Za-z0-9_]/_/g' )
this_crit_var=$( echo "crit_psi_${resource}_${interval}_${scope}" | sed 's/[^A-Za-z0-9_]/_/g' )
printf "psi_%s_%s_%s.min 0\n" "$resource" "$interval" "$scope"
printf "psi_%s_%s_%s.label %s %s %s\n" "$resource" "$interval" "$scope" "$printable_resource" "$printable_interval" "$printable_scope"
if [ -n "${!this_warn_var}" ]; then
printf "psi_%s_%s_%s.warning %s\n" "$resource" "$interval" "$scope" "${!this_warn_var}"
fi
if [ -n "${!this_crit_var}" ]; then
printf "psi_%s_%s_%s.critical %s\n" "$resource" "$interval" "$scope" "${!this_crit_var}"
fi
if [ "$interval" == "total" ]; then
printf "psi_%s_%s_%s.type DERIVE\n" "$resource" "$interval" "$scope"
fi
fi
done
}
output_values() {
local resource
local interval
resource="$1"
interval="$2"
for scope in "${pressure_scopes[@]}"; do
if [ "${resource}" == "cpu" ] && [ "${scope}" != "some" ]; then
continue
else
printf "psi_%s_%s_%s.value %s\n" "$resource" "$interval" "$scope" "$(get_pressure_value "$resource" "$interval" "$scope")"
fi
done
}
output_usage() {
printf >&2 "%s - munin plugin to graph pressure stall information for CPU, Memory and IO as reported by the Linux kernel.\n" "${0##*/}"
printf >&2 "Usage: %s [config]\n" "${0##*/}"
printf >&2 "You may use environment settings in a plugin-config file, used by munin (for example /etc/munin/plugin-conf.d/munin-node) to further adjust settings.\n"
printf >&2 "You can use these settings to configure which resources, intervals or scopes are monitored or to configure warning and critical levels.\n"
printf >&2 "To do so use a syntax like this:\n"
printf >&2 "[linux_psi]\n"
printf >&2 "env.resources cpu io memory\n"
printf >&2 "env.intervals avg10 avg60 avg300\n"
printf >&2 "env.scopes some full\n"
printf >&2 "env.summary_interval avg300\n"
printf >&2 "env.warn_psi_cpu_avg300_some 5\n"
printf >&2 "env.crit_psi_io_total_full 2000\n"
}
case "$#" in
0)
iterate_values
;;
1)
case "$1" in
autoconf)
check_autoconf
;;
config)
iterate_config
;;
fetch)
iterate_values
;;
*)
output_usage
exit 1
;;
esac
;;
*)
output_usage
exit 1
;;
esac
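Review bot: the documented `env.resources` / `env.intervals` / `env.scopes` settings cannot work as written, because munin passes them as scalar environment variables while the script expands them as arrays (`"${resources[@]:-${resource_defaults[@]}}"`); an exported `resources="cpu io memory"` becomes a single element `"cpu io memory"`, which `get_printable_name` rejects with "Could not determine resource-type" and exits 2. Split the strings instead, e.g. `read -r -a pressure_resources <<< "${resources:-${resource_defaults[*]}}"` (same for intervals and scopes). Second, in `get_printable_name` the `interval)` branch switches on `$interval` rather than the function's own `$value` parameter, so it only works because bash's dynamic scoping exposes the caller's `interval` variable; change it to `case "$value" in`. Minor: `printable_interval` computed in the inner loop of `iterate_config` is never used, and the POD has a typo ("Sepcify").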

@ -46,6 +46,7 @@
dest: '/usr/share/munin/plugins/{{ item }}' dest: '/usr/share/munin/plugins/{{ item }}'
loop: loop:
- dhcp_pool - dhcp_pool
- linux-psi
tags: tags:
- munin - munin
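Review bot: the plugin is installed as `linux-psi`, but its POD and `output_usage` text document configuration under a `[linux_psi]` section (`env.resources`, `env.warn_psi_cpu_avg300_some`, and so on). munin-node matches plugin-conf.d sections by the plugin's installed name, so with this filename none of those settings would ever apply; either install it as `linux_psi` (matching the documentation and its `multigraph linux_psi` names) or correct the documentation to `[linux-psi]`.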
@ -77,6 +78,7 @@
- postfix_mailqueue - postfix_mailqueue
- postfix_mailstats - postfix_mailstats
- postfix_mailvolume - postfix_mailvolume
- linux-psi
notify: restart munin-node notify: restart munin-node
tags: tags:
- munin - munin

@ -0,0 +1,49 @@
mattermost
=====
Ce rĂ´le installe un serveur mattermost.
Notez qu'hormis le présent fichier LISEZMOI.md, tous les fichiers du rôle mattermost sont rédigés en anglais afin de suivre les conventions de la communauté Ansible, favoriser sa réutilisation et son amélioration, etc. Libre à vous cependant de faire appel à ce role dans un playbook rédigé principalement en français ou toute autre langue.
Requis
------
...
Variables du rĂ´le
-----------------
Plusieurs des valeurs par défaut dans defaults/main.yml doivent être changées soit directement dans defaults/main.yml ou mieux encore en les supplantant ailleurs, par exemple dans votre playbook (voir l'exemple ci-bas).
DĂ©pendances
------------
Ce rôle Ansible dépend des rôles suivants :
- nodejs
Exemple de playbook
-------------------
```
- name: "DĂ©ployer un serveur mattermost"
hosts:
- all
vars:
# Supplanter ici les variables du rĂ´le
domains: ['votre-vrai-domaine.org']
service: 'mon-mattermost'
roles:
- { role: webapps/mattermost , tags: "mattermost" }
```
Licence
-------
GPLv3
Infos sur l'auteur
------------------
Mathieu Gauthier-Pilote, administrateur de systèmes chez Evolix.
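Review bot: several non-ASCII characters in this file are mojibake (`rĂ´le`, `DĂ©pendances`, `DĂ©ployer`) while others on the same page (`rôle`, `dépend`) are intact, so the file was written with mixed encodings; re-save it as UTF-8. The example playbook also sets `domains` and `service`, but after the `mattermost_` prefixing the role only reads `mattermost_domains` and `mattermost_service` (see defaults/main.yml), so those overrides would be ignored; update the example. The `Requis` section is still the `...` placeholder.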

@ -0,0 +1,49 @@
mattermost
=====
This role installs or upgrades the server for mattermost.
FRENCH: Voir le fichier LISEZMOI.md pour le français.
Requirements
------------
...
Role Variables
--------------
Several of the default values in defaults/main.yml must be changed either directly in defaults/main.yml or better even by overwriting them somewhere else, for example in your playbook (see the example below).
Dependencies
------------
This Ansible role depends on the following other roles:
- nodejs
Example Playbook
----------------
```
- name: "Deploy a mattermost server"
hosts:
- all
vars:
# Overwrite the role variables here
domains: ['your-real-domain.org']
service: 'my-mattermost'
roles:
- { role: webapps/mattermost , tags: "mattermost" }
```
License
-------
GPLv3
Author Information
------------------
Mathieu Gauthier-Pilote, sys. admin. at Evolix.
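Review bot: the example playbook overrides `domains` and `service`, but the role's defaults and tasks use the prefixed names `mattermost_domains` and `mattermost_service`, so these values would be silently ignored and the role would deploy with the `example.domain.org` default domain; rename them in the example. The Requirements section is still the `...` placeholder, and "overwriting them" should read "overriding them".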

@ -0,0 +1,13 @@
---
# defaults file for vars
mattermost_system_dep: "['git', 'nginx', 'postgresql', 'python3-psycopg2', 'certbot', 'acl']"
mattermost_version: '7.8.1'
mattermost_download_url: "https://releases.mattermost.com/{{ mattermost_version }}/mattermost-team-{{ mattermost_version }}-linux-amd64.tar.gz"
mattermost_domains: ['example.domain.org']
mattermost_certbot_admin_email: 'mgauthier@evolix.ca'
mattermost_home_base: '/home'
mattermost_app_port: '8065'
mattermost_db_host: '127.0.0.1'
mattermost_db_name: "{{ mattermost_service }}"
mattermost_db_user: "{{ mattermost_service }}"
mattermost_db_password: 'UQ6_CHANGE_ME_Gzb'
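Review bot: `mattermost_service` is referenced by `mattermost_db_name` and `mattermost_db_user` (and throughout the tasks) but is not defined here, so the role fails at templating unless every playbook sets it; add a default or an `ansible.builtin.assert` at the start of the tasks. `mattermost_db_password` ships a placeholder that is used verbatim if a playbook forgets to override it; dropping the default and asserting the variable is defined (and not the placeholder) prevents deploying with a known password. `mattermost_system_dep` is a quoted string that merely looks like a list; write it as a YAML list (`['git', 'nginx', 'postgresql', 'python3-psycopg2', 'certbot', 'acl']` without the surrounding double quotes) so `apt` receives a real list rather than relying on Ansible evaluating the string. The default `mattermost_certbot_admin_email` is a personal address; leaving it unset and asserting it is provided would be safer for a shared role.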

@ -0,0 +1,2 @@
---
# handlers file

@ -0,0 +1,52 @@
galaxy_info:
author: Mathieu Gauthier-Pilote
description: sys. admin.
company: Evolix
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license GPL-3.0-only
min_ansible_version: 2.10
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
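Review bot: `license: license GPL-3.0-only` is malformed; the value should be just `GPL-3.0-only`. `description: sys. admin.` describes the author rather than the role; a sentence such as "Install or upgrade a Mattermost server" is what Galaxy expects here. `dependencies: []` is also inconsistent with the README, which lists `nodejs` as a role dependency.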

@ -0,0 +1,120 @@
---
# tasks file for mattermost install
- name: Install main system dependencies
ansible.builtin.apt:
name: "{{ mattermost_system_dep }}"
update_cache: yes
- name: Add UNIX account
ansible.builtin.user:
name: "{{ mattermost_service }}"
shell: /bin/bash
home: "{{ mattermost_home_base }}/{{ mattermost_service }}"
- name: Add PostgreSQL user
ansible.builtin.postgresql_user:
name: "{{ mattermost_db_user }}"
password: "{{ mattermost_db_password }}"
no_password_changes: true
become_user: postgres
- name: Add PostgreSQL database
ansible.builtin.postgresql_db:
name: "{{ mattermost_db_name }}"
owner: "{{ mattermost_db_user }}"
become_user: postgres
- name: Unarchive mattermost archive
ansible.builtin.unarchive:
src: "{{ mattermost_download_url }}"
dest: ~/
remote_src: yes
become_user: "{{ mattermost_service }}"
- name: Create the mattermost data dir if needed
ansible.builtin.file:
path: ~/mattermost/data
state: directory
mode: '0750'
become_user: "{{ mattermost_service }}"
- name: Template mattermost conf file
ansible.builtin.template:
src: "config.json.j2"
dest: "~/mattermost/config/config.json"
become_user: "{{ mattermost_service }}"
- name: Template mattermost systemd unit
template:
src: "mattermost.service.j2"
dest: "/etc/systemd/system/mattermost@.service"
- name: Start mattermost systemd unit
ansible.builtin.service:
name: "mattermost@{{ mattermost_service }}"
state: restarted
- name: Template nginx snippet for Let's Encrypt/Certbot
ansible.builtin.template:
src: "letsencrypt.conf.j2"
dest: "/etc/nginx/snippets/letsencrypt.conf"
- name: Check if SSL certificate is present and register result
ansible.builtin.stat:
path: "/etc/letsencrypt/live/{{ mattermost_domains |first }}/fullchain.pem"
register: ssl
- name: Generate certificate only if required (first time)
block:
- name: Template vhost without SSL for successfull LE challengce
ansible.builtin.template:
src: "vhost.conf.j2"
dest: "/etc/nginx/sites-available/{{ mattermost_service }}.conf"
- name: Enable temporary nginx vhost for mattermost
ansible.builtin.file:
src: "/etc/nginx/sites-available/{{ mattermost_service }}.conf"
dest: "/etc/nginx/sites-enabled/{{ mattermost_service }}.conf"
state: link
- name: Reload nginx conf
ansible.builtin.service:
name: nginx
state: reloaded
- name: Make sure /var/lib/letsencrypt exists and has correct permissions
ansible.builtin.file:
path: /var/lib/letsencrypt
state: directory
mode: '0755'
- name: Generate certificate with certbot
ansible.builtin.shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ mattermost_certbot_admin_email }} -d {{ mattermost_domains |first }}
- name: Create the ssl dir if needed
ansible.builtin.file:
path: /etc/nginx/ssl
state: directory
mode: '0750'
- name: Template ssl bloc for nginx vhost
ansible.builtin.template:
src: "ssl.conf.j2"
dest: "/etc/nginx/ssl/{{ mattermost_domains |first }}.conf"
when: ssl.stat.exists != true
- name: (Re)check if SSL certificate is present and register result
ansible.builtin.stat:
path: "/etc/letsencrypt/live/{{ mattermost_domains |first }}/fullchain.pem"
register: ssl
- name: (Re)template conf file for nginx vhost with SSL
ansible.builtin.template:
src: "vhost.conf.j2"
dest: "/etc/nginx/sites-available/{{ mattermost_service }}.conf"
- name: Enable nginx vhost for mattermost
ansible.builtin.file:
src: "/etc/nginx/sites-available/{{ mattermost_service }}.conf"
dest: "/etc/nginx/sites-enabled/{{ mattermost_service }}.conf"
state: link
- name: Reload nginx conf
ansible.builtin.service:
name: nginx
state: reloaded
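Review bot: `ansible.builtin.postgresql_user` and `ansible.builtin.postgresql_db` do not exist; the PostgreSQL modules live in the `community.postgresql` collection, so the "Add PostgreSQL user" and "Add PostgreSQL database" tasks must use `community.postgresql.postgresql_user` and `community.postgresql.postgresql_db` (the bare `template:` in "Template mattermost systemd unit" is also missing the `ansible.builtin.` prefix used everywhere else). On the security side: `config.json` is rendered with the database password and other secrets but without `mode:`/`owner:`, so it gets the umask default; set `mode: '0600'`. The release tarball is fetched by `unarchive` with `remote_src: yes`, which performs no integrity check; fetch it with `ansible.builtin.get_url` and a `checksum:` matching the pinned `mattermost_version`, then unarchive the local file. The certbot task uses `ansible.builtin.shell` with Jinja-interpolated values; `ansible.builtin.command` with the same arguments avoids the shell. `become_user:` appears on several tasks without `become: true`, which only escalates if the playbook enables become globally. Minor: "successfull LE challengce" typo; `when: ssl.stat.exists != true` reads better as `when: not ssl.stat.exists`; "Start mattermost systemd unit" uses `state: restarted`, so every run restarts the service.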

@ -0,0 +1,63 @@
---
# tasks file for mattermost upgrade
- name: Start mattermost systemd unit
ansible.builtin.service:
name: "mattermost@{{ mattermost_service }}"
state: stopped
- name: set current date and time as a fact
ansible.builtin.set_fact: backup_date="{{ ansible_date_time.iso8601_basic_short }}"
- name: backup current mattermost files
ansible.builtin.command: "mv ~/mattermost/ ~/mattermost_{{ mattermost_backup_date }}"
become_user: "{{ mattermost_service }}"
- name: Dump database to a file with compression
ansible.builtin.postgresql_db:
name: "{{ mattermost_db_name }}"
state: dump
target: "~/{{ mattermost_db_name }}.sql.gz"
become_user: postgres
- name: Unarchive new mattermost archive
ansible.builtin.unarchive:
src: "{{ mattermost_download_url }}"
dest: ~/
remote_src: yes
become_user: "{{ mattermost_service }}"
- name: restore dirs from backup
ansible.builtin.copy:
src: "{{ item }}"
dest: ~/mattermost
remote_src: true
loop:
- "~/mattermost_{{ mattermost_backup_date }}/config"
- "~/mattermost_{{ mattermost_backup_date }}/data"
- "~/mattermost_{{ mattermost_backup_date }}/logs"
- "~/mattermost_{{ mattermost_backup_date }}/plugins"
- "~/mattermost_{{ mattermost_backup_date }}/client/plugins"
become_user: "{{ mattermost_service }}"
- name: Start mattermost systemd unit
ansible.builtin.service:
name: "mattermost@{{ mattermost_service }}"
state: restarted
- name: Reload nginx conf
ansible.builtin.service:
name: nginx
state: reloaded
- name: Define variable to skip next task by default
ansible.builtin.set_fact:
keep_db_dump: true
- name: Remove database dump
ansible.builtin.file:
path: "~/{{ mattermost_db_name }}.sql.gz"
state: absent
become_user: postgres
when: keep_db_dump is undefined
tags: clean
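Review bot: the `set_fact` stores the timestamp as `backup_date`, but every later task reads `mattermost_backup_date`, so the `mv` and the restore `loop` fail on an undefined variable; rename the fact to `mattermost_backup_date`. The first task is named "Start mattermost systemd unit" while it sets `state: stopped`. The database dump is written to the postgres user's home without `mode:`; it contains the full message store, so give it `mode: '0600'`. Also note that the `~/mattermost_<date>` copies and the dump (unless the `clean` tag is run) accumulate indefinitely; a retention step or a README note would help.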

@ -0,0 +1,605 @@
{
"ServiceSettings": {
"SiteURL": "http://{{ mattermost_domains | first }}",
"WebsocketURL": "",
"LicenseFileLocation": "",
"ListenAddress": "127.0.0.1:{{ mattermost_app_port }}",
"ConnectionSecurity": "",
"TLSCertFile": "",
"TLSKeyFile": "",
"TLSMinVer": "1.2",
"TLSStrictTransport": false,
"TLSStrictTransportMaxAge": 63072000,
"TLSOverwriteCiphers": [],
"UseLetsEncrypt": false,
"LetsEncryptCertificateCacheFile": "./config/letsencrypt.cache",
"Forward80To443": false,
"TrustedProxyIPHeader": [],
"ReadTimeout": 300,
"WriteTimeout": 300,
"IdleTimeout": 60,
"MaximumLoginAttempts": 10,
"GoroutineHealthThreshold": -1,
"EnableOAuthServiceProvider": true,
"EnableIncomingWebhooks": true,
"EnableOutgoingWebhooks": true,
"EnableCommands": true,
"EnablePostUsernameOverride": false,
"EnablePostIconOverride": false,
"GoogleDeveloperKey": "",
"EnableLinkPreviews": true,
"EnablePermalinkPreviews": true,
"RestrictLinkPreviews": "",
"EnableTesting": false,
"EnableDeveloper": false,
"DeveloperFlags": "",
"EnableClientPerformanceDebugging": false,
"EnableOpenTracing": false,
"EnableSecurityFixAlert": true,
"EnableInsecureOutgoingConnections": false,
"AllowedUntrustedInternalConnections": "",
"EnableMultifactorAuthentication": false,
"EnforceMultifactorAuthentication": false,
"EnableUserAccessTokens": false,
"AllowCorsFrom": "",
"CorsExposedHeaders": "",
"CorsAllowCredentials": false,
"CorsDebug": false,
"AllowCookiesForSubdomains": false,
"ExtendSessionLengthWithActivity": true,
"SessionLengthWebInDays": 30,
"SessionLengthWebInHours": 720,
"SessionLengthMobileInDays": 30,
"SessionLengthMobileInHours": 720,
"SessionLengthSSOInDays": 30,
"SessionLengthSSOInHours": 720,
"SessionCacheInMinutes": 10,
"SessionIdleTimeoutInMinutes": 43200,
"WebsocketSecurePort": 443,
"WebsocketPort": 80,
"WebserverMode": "gzip",
"EnableGifPicker": true,
"GfycatAPIKey": "2_KtH_W5",
"GfycatAPISecret": "3wLVZPiswc3DnaiaFoLkDvB4X0IV6CpMkj4tf2inJRsBY6-FnkT08zGmppWFgeof",
"EnableCustomEmoji": true,
"EnableEmojiPicker": true,
"PostEditTimeLimit": -1,
"TimeBetweenUserTypingUpdatesMilliseconds": 5000,
"EnablePostSearch": true,
"EnableFileSearch": true,
"MinimumHashtagLength": 3,
"EnableUserTypingMessages": true,
"EnableChannelViewedMessages": true,
"EnableUserStatuses": true,
"ExperimentalEnableAuthenticationTransfer": true,
"ClusterLogTimeoutMilliseconds": 2000,
"EnablePreviewFeatures": true,
"EnableTutorial": true,
"EnableOnboardingFlow": true,
"ExperimentalEnableDefaultChannelLeaveJoinMessages": true,
"ExperimentalGroupUnreadChannels": "disabled",
"EnableAPITeamDeletion": false,
"EnableAPITriggerAdminNotifications": false,
"EnableAPIUserDeletion": false,
"ExperimentalEnableHardenedMode": false,
"ExperimentalStrictCSRFEnforcement": false,
"EnableEmailInvitations": false,
"DisableBotsWhenOwnerIsDeactivated": true,
"EnableBotAccountCreation": false,
"EnableSVGs": false,
"EnableLatex": false,
"EnableInlineLatex": true,
"PostPriority": true,
"EnableAPIChannelDeletion": false,
"EnableLocalMode": false,
"LocalModeSocketLocation": "/var/tmp/mattermost_local.socket",
"EnableAWSMetering": false,
"SplitKey": "",
"FeatureFlagSyncIntervalSeconds": 30,
"DebugSplit": false,
"ThreadAutoFollow": true,
"CollapsedThreads": "always_on",
"ManagedResourcePaths": "",
"EnableCustomGroups": true,
"SelfHostedPurchase": true,
"AllowSyncedDrafts": true
},
"TeamSettings": {
"SiteName": "Mattermost",
"MaxUsersPerTeam": 50,
"EnableUserCreation": true,
"EnableOpenServer": false,
"EnableUserDeactivation": false,
"RestrictCreationToDomains": "",
"EnableCustomUserStatuses": true,
"EnableCustomBrand": false,
"CustomBrandText": "",
"CustomDescriptionText": "",
"RestrictDirectMessage": "any",
"EnableLastActiveTime": true,
"UserStatusAwayTimeout": 300,
"MaxChannelsPerTeam": 2000,
"MaxNotificationsPerChannel": 1000,
"EnableConfirmNotificationsToChannel": true,
"TeammateNameDisplay": "username",
"ExperimentalViewArchivedChannels": true,
"ExperimentalEnableAutomaticReplies": false,
"LockTeammateNameDisplay": false,
"ExperimentalPrimaryTeam": "",
"ExperimentalDefaultChannels": []
},
"ClientRequirements": {
"AndroidLatestVersion": "",
"AndroidMinVersion": "",
"IosLatestVersion": "",
"IosMinVersion": ""
},
"SqlSettings": {
"DriverName": "postgres",
"DataSource": "postgres://{{ mattermost_db_user }}:{{ mattermost_db_password }}@{{ mattermost_db_host }}:5432/{{ mattermost_db_name }}?sslmode=disable&connect_timeout=10",
"DataSourceReplicas": [],
"DataSourceSearchReplicas": [],
"MaxIdleConns": 20,
"ConnMaxLifetimeMilliseconds": 3600000,
"ConnMaxIdleTimeMilliseconds": 300000,
"MaxOpenConns": 300,
"Trace": false,
"AtRestEncryptKey": "xcipqdpb6k5hrjpfhsdixyhsscmtsujz",
"QueryTimeout": 30,
"DisableDatabaseSearch": false,
"MigrationsStatementTimeoutSeconds": 100000,
"ReplicaLagSettings": []
},
"LogSettings": {
"EnableConsole": true,
"ConsoleLevel": "INFO",
"ConsoleJson": true,
"EnableColor": false,
"EnableFile": true,
"FileLevel": "INFO",
"FileJson": true,
"FileLocation": "",
"EnableWebhookDebugging": true,
"EnableDiagnostics": true,
"VerboseDiagnostics": false,
"EnableSentry": true,
"AdvancedLoggingConfig": ""
},
"ExperimentalAuditSettings": {
"FileEnabled": false,
"FileName": "",
"FileMaxSizeMB": 100,
"FileMaxAgeDays": 0,
"FileMaxBackups": 0,
"FileCompress": false,
"FileMaxQueueSize": 1000,
"AdvancedLoggingConfig": ""
},
"NotificationLogSettings": {
"EnableConsole": true,
"ConsoleLevel": "INFO",
"ConsoleJson": true,
"EnableColor": false,
"EnableFile": true,
"FileLevel": "INFO",
"FileJson": true,
"FileLocation": "",
"AdvancedLoggingConfig": ""
},
"PasswordSettings": {
"MinimumLength": 8,
"Lowercase": false,
"Number": false,
"Uppercase": false,
"Symbol": false
},
"FileSettings": {
"EnableFileAttachments": true,
"EnableMobileUpload": true,
"EnableMobileDownload": true,
"MaxFileSize": 104857600,
"MaxImageResolution": 33177600,
"MaxImageDecoderConcurrency": -1,
"DriverName": "local",
"Directory": "./data/",
"EnablePublicLink": false,
"ExtractContent": true,
"ArchiveRecursion": false,
"PublicLinkSalt": "yhe99kxqhhwyitn5eo47s61u4m4rmwci",
"InitialFont": "nunito-bold.ttf",
"AmazonS3AccessKeyId": "",
"AmazonS3SecretAccessKey": "",
"AmazonS3Bucket": "",
"AmazonS3PathPrefix": "",
"AmazonS3Region": "",
"AmazonS3Endpoint": "s3.amazonaws.com",
"AmazonS3SSL": true,
"AmazonS3SignV2": false,
"AmazonS3SSE": false,
"AmazonS3Trace": false,
"AmazonS3RequestTimeoutMilliseconds": 30000
},
"EmailSettings": {
"EnableSignUpWithEmail": true,
"EnableSignInWithEmail": true,
"EnableSignInWithUsername": true,
"SendEmailNotifications": false,
"UseChannelInEmailNotifications": false,
"RequireEmailVerification": false,
"FeedbackName": "",
"FeedbackEmail": "",
"ReplyToAddress": "",
"FeedbackOrganization": "",
"EnableSMTPAuth": false,
"SMTPUsername": "",
"SMTPPassword": "",
"SMTPServer": "localhost",
"SMTPPort": "10025",
"SMTPServerTimeout": 10,
"ConnectionSecurity": "",
"SendPushNotifications": true,
"PushNotificationServer": "https://push-test.mattermost.com",
"PushNotificationContents": "full",
"PushNotificationBuffer": 1000,
"EnableEmailBatching": false,
"EmailBatchingBufferSize": 256,
"EmailBatchingInterval": 30,
"EnablePreviewModeBanner": true,
"SkipServerCertificateVerification": false,
"EmailNotificationContentsType": "full",
"LoginButtonColor": "#0000",
"LoginButtonBorderColor": "#2389D7",
"LoginButtonTextColor": "#2389D7",
"EnableInactivityEmail": true
},
"RateLimitSettings": {
"Enable": false,
"PerSec": 10,
"MaxBurst": 100,
"MemoryStoreSize": 10000,
"VaryByRemoteAddr": true,
"VaryByUser": false,
"VaryByHeader": ""
},
"PrivacySettings": {
"ShowEmailAddress": true,
"ShowFullName": true
},
"SupportSettings": {
"TermsOfServiceLink": "https://mattermost.com/terms-of-use/",
"PrivacyPolicyLink": "https://mattermost.com/privacy-policy/",
"AboutLink": "https://docs.mattermost.com/about/product.html/",
"HelpLink": "https://mattermost.com/default-help/",
"ReportAProblemLink": "https://mattermost.com/default-report-a-problem/",
"SupportEmail": "",
"CustomTermsOfServiceEnabled": false,
"CustomTermsOfServiceReAcceptancePeriod": 365,
"EnableAskCommunityLink": true
},
"AnnouncementSettings": {
"EnableBanner": false,
"BannerText": "",
"BannerColor": "#f2a93b",
"BannerTextColor": "#333333",
"AllowBannerDismissal": true,
"AdminNoticesEnabled": true,
"UserNoticesEnabled": true,
"NoticesURL": "https://notices.mattermost.com/",
"NoticesFetchFrequency": 3600,
"NoticesSkipCache": false
},
"ThemeSettings": {
"EnableThemeSelection": true,
"DefaultTheme": "default",
"AllowCustomThemes": true,
"AllowedThemes": []
},
"GitLabSettings": {
"Enable": false,
"Secret": "",
"Id": "",
"Scope": "",
"AuthEndpoint": "",
"TokenEndpoint": "",
"UserAPIEndpoint": "",
"DiscoveryEndpoint": "",
"ButtonText": "",
"ButtonColor": ""
},
"GoogleSettings": {
"Enable": false,
"Secret": "",
"Id": "",
"Scope": "profile email",
"AuthEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
"TokenEndpoint": "https://www.googleapis.com/oauth2/v4/token",
"UserAPIEndpoint": "https://people.googleapis.com/v1/people/me?personFields=names,emailAddresses,nicknames,metadata",
"DiscoveryEndpoint": "",
"ButtonText": "",
"ButtonColor": ""
},
"Office365Settings": {
"Enable": false,
"Secret": "",
"Id": "",
"Scope": "User.Read",
"AuthEndpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
"TokenEndpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
"UserAPIEndpoint": "https://graph.microsoft.com/v1.0/me",
"DiscoveryEndpoint": "",
"DirectoryId": ""
},
"OpenIdSettings": {
"Enable": false,
"Secret": "",
"Id": "",
"Scope": "profile openid email",
"AuthEndpoint": "",
"TokenEndpoint": "",
"UserAPIEndpoint": "",
"DiscoveryEndpoint": "",
"ButtonText": "",
"ButtonColor": "#145DBF"
},
"LdapSettings": {
"Enable": false,
"EnableSync": false,
"LdapServer": "",
"LdapPort": 389,
"ConnectionSecurity": "",
"BaseDN": "",
"BindUsername": "",
"BindPassword": "",
"UserFilter": "",
"GroupFilter": "",
"GuestFilter": "",
"EnableAdminFilter": false,
"AdminFilter": "",
"GroupDisplayNameAttribute": "",
"GroupIdAttribute": "",
"FirstNameAttribute": "",
"LastNameAttribute": "",
"EmailAttribute": "",
"UsernameAttribute": "",
"NicknameAttribute": "",
"IdAttribute": "",
"PositionAttribute": "",
"LoginIdAttribute": "",
"PictureAttribute": "",
"SyncIntervalMinutes": 60,
"SkipCertificateVerification": false,
"PublicCertificateFile": "",
"PrivateKeyFile": "",
"QueryTimeout": 60,
"MaxPageSize": 0,
"LoginFieldName": "",
"LoginButtonColor": "#0000",
"LoginButtonBorderColor": "#2389D7",
"LoginButtonTextColor": "#2389D7",
"Trace": false
},
"ComplianceSettings": {
"Enable": false,
"Directory": "./data/",
"EnableDaily": false,
"BatchSize": 30000
},
"LocalizationSettings": {
"DefaultServerLocale": "en",
"DefaultClientLocale": "en",
"AvailableLocales": ""
},
"SamlSettings": {
"Enable": false,
"EnableSyncWithLdap": false,
"EnableSyncWithLdapIncludeAuth": false,
"IgnoreGuestsLdapSync": false,
"Verify": true,
"Encrypt": true,
"SignRequest": false,
"IdpURL": "",
"IdpDescriptorURL": "",
"IdpMetadataURL": "",
"ServiceProviderIdentifier": "",
"AssertionConsumerServiceURL": "",
"SignatureAlgorithm": "RSAwithSHA1",
"CanonicalAlgorithm": "Canonical1.0",
"ScopingIDPProviderId": "",
"ScopingIDPName": "",
"IdpCertificateFile": "",
"PublicCertificateFile": "",
"PrivateKeyFile": "",
"IdAttribute": "",
"GuestAttribute": "",
"EnableAdminAttribute": false,
"AdminAttribute": "",
"FirstNameAttribute": "",
"LastNameAttribute": "",
"EmailAttribute": "",
"UsernameAttribute": "",
"NicknameAttribute": "",
"LocaleAttribute": "",
"PositionAttribute": "",
"LoginButtonText": "SAML",
"LoginButtonColor": "#34a28b",
"LoginButtonBorderColor": "#2389D7",
"LoginButtonTextColor": "#ffffff"
},
"NativeAppSettings": {
"AppCustomURLSchemes": [
"mmauth://",
"mmauthbeta://"
],
"AppDownloadLink": "https://mattermost.com/download/#mattermostApps",
"AndroidAppDownloadLink": "https://mattermost.com/mattermost-android-app/",
"IosAppDownloadLink": "https://mattermost.com/mattermost-ios-app/"
},
"ClusterSettings": {
"Enable": false,
"ClusterName": "",
"OverrideHostname": "",
"NetworkInterface": "",
"BindAddress": "",
"AdvertiseAddress": "",
"UseIPAddress": true,
"EnableGossipCompression": true,
"EnableExperimentalGossipEncryption": false,
"ReadOnlyConfig": true,
"GossipPort": 8074,
"StreamingPort": 8075,
"MaxIdleConns": 100,
"MaxIdleConnsPerHost": 128,
"IdleConnTimeoutMilliseconds": 90000
},
"MetricsSettings": {
"Enable": false,
"BlockProfileRate": 0,
"ListenAddress": ":8067"
},
"ExperimentalSettings": {
"ClientSideCertEnable": false,
"ClientSideCertCheck": "secondary",
"LinkMetadataTimeoutMilliseconds": 5000,
"RestrictSystemAdmin": false,
"UseNewSAMLLibrary": false,
"EnableSharedChannels": false,
"EnableRemoteClusterService": false,
"EnableAppBar": false,
"PatchPluginsReactDOM": false
},
"AnalyticsSettings": {
"MaxUsersForStatistics": 2500
},
"ElasticsearchSettings": {
"ConnectionURL": "http://localhost:9200",
"Username": "elastic",
"Password": "changeme",
"EnableIndexing": false,
"EnableSearching": false,
"EnableAutocomplete": false,
"Sniff": true,
"PostIndexReplicas": 1,
"PostIndexShards": 1,
"ChannelIndexReplicas": 1,
"ChannelIndexShards": 1,
"UserIndexReplicas": 1,
"UserIndexShards": 1,
"AggregatePostsAfterDays": 365,
"PostsAggregatorJobStartTime": "03:00",
"IndexPrefix": "",
"LiveIndexingBatchSize": 1,
"BatchSize": 10000,
"RequestTimeoutSeconds": 30,
"SkipTLSVerification": false,
"CA": "",
"ClientCert": "",
"ClientKey": "",
"Trace": ""
},
"BleveSettings": {
"IndexDir": "",
"EnableIndexing": false,
"EnableSearching": false,
"EnableAutocomplete": false,
"BatchSize": 10000
},
"DataRetentionSettings": {
"EnableMessageDeletion": false,
"EnableFileDeletion": false,
"EnableBoardsDeletion": false,
"MessageRetentionDays": 365,
"FileRetentionDays": 365,
"BoardsRetentionDays": 365,
"DeletionJobStartTime": "02:00",
"BatchSize": 3000
},
"MessageExportSettings": {
"EnableExport": false,
"ExportFormat": "actiance",
"DailyRunTime": "01:00",
"ExportFromTimestamp": 0,
"BatchSize": 10000,
"DownloadExportResults": false,
"GlobalRelaySettings": {
"CustomerType": "A9",
"SMTPUsername": "",
"SMTPPassword": "",
"EmailAddress": "",
"SMTPServerTimeout": 1800
}
},
"JobSettings": {
"RunJobs": true,
"RunScheduler": true,
"CleanupJobsThresholdDays": -1,
"CleanupConfigThresholdDays": -1
},
"ProductSettings": {
"EnablePublicSharedBoards": false
},
"PluginSettings": {
"Enable": true,
"EnableUploads": false,
"AllowInsecureDownloadURL": false,
"EnableHealthCheck": true,
"Directory": "./plugins",
"ClientDirectory": "./client/plugins",
"Plugins": {
"playbooks": {
"BotUserID": "fno5xebm33bhpbb7phdxmr91xe"
}
},
"PluginStates": {
"com.mattermost.apps": {
"Enable": true
},
"com.mattermost.calls": {
"Enable": true
},
"com.mattermost.nps": {
"Enable": true
},
"focalboard": {
"Enable": true
},
"playbooks": {
"Enable": true
}
},
"EnableMarketplace": true,
"EnableRemoteMarketplace": true,
"AutomaticPrepackagedPlugins": true,
"RequirePluginSignature": false,
"MarketplaceURL": "https://api.integrations.mattermost.com",
"SignaturePublicKeyFiles": [],
"ChimeraOAuthProxyURL": ""
},
"DisplaySettings": {
"CustomURLSchemes": [],
"ExperimentalTimezone": true
},
"GuestAccountsSettings": {
"Enable": false,
"AllowEmailAccounts": true,
"EnforceMultifactorAuthentication": false,
"RestrictCreationToDomains": ""
},
"ImageProxySettings": {
"Enable": false,
"ImageProxyType": "local",
"RemoteImageProxyURL": "",
"RemoteImageProxyOptions": ""
},
"CloudSettings": {
"CWSURL": "https://customers.mattermost.com",
"CWSAPIURL": "https://portal.internal.prod.cloud.mattermost.com"
},
"ImportSettings": {
"Directory": "./import",
"RetentionDays": 30
},
"ExportSettings": {
"Directory": "./export",
"RetentionDays": 30
}
}
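Review bot: `ElasticsearchSettings.Password` is the literal `"changeme"` and `PluginSettings.Plugins.playbooks.BotUserID` is a fixed ID (`fno5xebm33bhpbb7phdxmr91xe`) in what is a template rendered for every host. The first is a hardcoded credential that ships unchanged to every instance (even with indexing disabled it is a known default worth templating from a vaulted `mattermost_` variable), and the second is an instance-specific value that will not match the bot created on a fresh install, so it should be dropped and left for Mattermost to fill in at runtime. Also consider `"RequirePluginSignature": true`, since `EnableRemoteMarketplace` is on and unsigned marketplace or prepackaged plugins are otherwise accepted.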

View file

@ -0,0 +1,5 @@
location ~ /.well-known/acme-challenge {
alias /var/lib/letsencrypt/;
try_files $uri =404;
allow all;
}
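Review bot: the `location ~ /.well-known/acme-challenge` regex is unanchored and leaves the `.` unescaped, and it combines `alias` with a regular-expression location even though the nginx docs state that `alias` in such a location should be built from captures; the snippet relies on nginx appending the full URI to `/var/lib/letsencrypt/`, which the documentation does not promise. A prefix match is unambiguous and needs no alias at all: `location ^~ /.well-known/acme-challenge/ { root /var/lib/letsencrypt; try_files $uri =404; }`, which resolves `/.well-known/acme-challenge/<token>` to the file certbot writes under `/var/lib/letsencrypt/.well-known/acme-challenge/`.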

View file

@ -0,0 +1,20 @@
[Unit]
Description=Mattermost
After=network.target
After=postgresql.service
Requires=postgresql.service
[Service]
Type=notify
Restart=always
WorkingDirectory={{ mattermost_home_base }}/%i/mattermost
ExecStart=/{{ mattermost_home_base }}/%i/mattermost/bin/mattermost
TimeoutStartSec=3600
LimitNOFILE=49152
RestartSec=10
User=%i
Group=%i
[Install]
WantedBy=multi-user.target
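Review bot: `ExecStart=/{{ mattermost_home_base }}/...` carries a leading `/` that `WorkingDirectory={{ mattermost_home_base }}/...` does not; `WorkingDirectory` only accepts an absolute path, so the variable must already start with `/` and `ExecStart` ends up with a doubled `//`, and if the variable were ever set without a leading slash the two directives would resolve to different paths. Drop the extra `/` so both use the same form. Since the unit runs a network-facing binary as the `%i` user with no sandboxing, adding `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` would limit what a compromised process can reach (`ProtectHome` is not usable here because the install lives under the user's home).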

View file

@ -0,0 +1,22 @@
##
# Certificates
# you need a certificate to run in production. see https://letsencrypt.org/
##
ssl_certificate /etc/letsencrypt/live/{{ mattermost_domains | first }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ mattermost_domains | first }}/privkey.pem;
##
# Security hardening (as of Nov 15, 2020)
# based on Mozilla Guideline v5.6
##
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
ssl_session_timeout 1d; # defaults to 5m
ssl_session_cache shared:SSL:10m; # estimated to 40k sessions
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
# HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
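Review bot: the `ssl_ciphers` list does not match the "Mozilla Guideline v5.6" it cites: the intermediate profile contains only AEAD suites (AES-GCM and CHACHA20-POLY1305) and sets `ssl_prefer_server_ciphers off`, whereas this list appends the CBC suites `ECDHE-*-AES256-SHA384` and `ECDHE-*-AES128-SHA256`; either drop those or correct the comment. `ssl_stapling on` also requires a `resolver` directive to look up the OCSP responder, and `ssl_stapling_verify on` requires `ssl_trusted_certificate` (the Let's Encrypt `chain.pem` beside `fullchain.pem`), otherwise stapling is silently skipped with a warning in the error log. The HSTS `add_header` is left commented out although the vhost already 301-redirects HTTP to HTTPS, so enabling it (with `always`) in the `location` blocks is the natural follow-up.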

View file

@ -0,0 +1,73 @@
upstream backend_{{ mattermost_service }} {
server 127.0.0.1:{{ mattermost_app_port }};
keepalive 32;
}
server {
listen 80;
listen [::]:80;
server_name {{ mattermost_domains | first }};
# For certbot
include /etc/nginx/snippets/letsencrypt.conf;
{% if ssl.stat.exists %}
location / { return 301 https://$host$request_uri; }
{% endif %}
}
{% if ssl.stat.exists %}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name {{ mattermost_domains | first }};
access_log /var/log/nginx/{{ mattermost_service }}.access.log;
error_log /var/log/nginx/{{ mattermost_service }}.error.log;
include /etc/nginx/snippets/letsencrypt.conf;
include /etc/nginx/ssl/{{ mattermost_domains | first }}.conf;
location ~ /api/v[0-9]+/(users/)?websocket$ {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
client_max_body_size 50M;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
client_body_timeout 60;
send_timeout 300;
lingering_timeout 5;
proxy_connect_timeout 90;
proxy_send_timeout 300;
proxy_read_timeout 90s;
proxy_pass http://backend_{{ mattermost_service }};
}
location / {
client_max_body_size 50M;
proxy_set_header Connection "";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
proxy_read_timeout 600s;
#proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;
#proxy_cache mattermost_cache;
#proxy_cache_revalidate on;
#proxy_cache_min_uses 2;
#proxy_cache_use_stale timeout;
#proxy_cache_lock on;
proxy_http_version 1.1;
proxy_pass http://backend_{{ mattermost_service }};
}
}
{% endif %}
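Review bot: `proxy_set_header X-Frame-Options SAMEORIGIN;` in both `location` blocks sets a request header forwarded to Mattermost, not a response header seen by browsers, so it gives no clickjacking protection; if the intent is to set it for clients it must be `add_header X-Frame-Options SAMEORIGIN always;`, and since Mattermost emits its own frame headers the line can simply be removed. The websocket `location` is also missing `proxy_http_version 1.1;`, which the `Upgrade`/`Connection "upgrade"` headers require (nginx defaults to HTTP/1.0 towards the upstream, and `keepalive 32` in the upstream block needs 1.1 as well); only `location /` sets it.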

View file

@ -0,0 +1,2 @@
localhost

View file

@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- mattermost
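Review bot: `remote_user: root` has no effect here: `hosts: localhost` uses Ansible's implicit local connection, so the role runs as whoever invokes `ansible-playbook`. Use `become: true` if root is required, or target a real host group from the inventory instead of `localhost`.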

View file

@ -0,0 +1,2 @@
---
# vars file