From 9fbe473e3c35788e5b77e394ddddeaf2f9a2b411 Mon Sep 17 00:00:00 2001
From: Bastian de Byl <bastian@bdebyl.net>
Date: Tue, 12 Apr 2022 01:15:51 -0400
Subject: [PATCH] added https parts site, video site, fixed modsecurity

---
 Makefile                                      |   2 +-
 ansible/roles/http/defaults/main.yml          |   1 +
 ansible/roles/http/tasks/http.yml             |  19 ++
 ansible/roles/http/tasks/https.yml            |   2 +
 ansible/roles/http/tasks/modsec.yml           |  13 +-
 ansible/roles/http/tasks/security.yml         |   4 +-
 .../nginx/sites/assistant.bdebyl.net.conf.j2  |   3 +
 .../nginx/sites/ci.bdebyl.net.http.conf.j2    |   2 +-
 .../nginx/sites/ci.bdebyl.net.https.conf.j2   |   6 +-
 .../nginx/sites/home.bdebyl.net.conf.j2       |   3 +
 .../nginx/sites/parts.bdebyl.net.conf.j2      |  18 +-
 .../sites/parts.bdebyl.net.https.conf.j2      |  56 ++++++
 .../nginx/sites/pi.bdebyl.net.conf.j2         |   3 +
 .../nginx/sites/video.bdebyl.net.conf.j2      |  24 +++
 ansible/roles/motion/defaults/main.yml        |   6 +-
 ansible/roles/motion/meta/main.yml            |   2 -
 ansible/roles/motion/tasks/deps.yml           |   6 +-
 ansible/roles/motion/tasks/motion.yml         |  77 ++++----
 ansible/roles/motion/templates/motion.conf.j2 | 171 ------------------
 .../templates/motion.service.override.j2      |   2 -
 ansible/roles/ssl/tasks/certbot.yml           |  19 +-
 ansible/vars/vault.yml                        | Bin 3293 -> 3228 bytes
 22 files changed, 193 insertions(+), 246 deletions(-)
 create mode 100644 ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.https.conf.j2
 create mode 100644 ansible/roles/http/templates/nginx/sites/video.bdebyl.net.conf.j2
 delete mode 100644 ansible/roles/motion/templates/motion.conf.j2
 delete mode 100644 ansible/roles/motion/templates/motion.service.override.j2

diff --git a/Makefile b/Makefile
index cdef268..8dab36c 100644
--- a/Makefile
+++ b/Makefile
@@ -69,7 +69,7 @@ lint: ${LINT_YAML} ${LINT_ANSIBLE} ${SKIP_FILE}
 	@printf "Running yamllint...\n"
 	-@${LINT_YAML} ${YAML_FILES}
 	@. ${SKIP_FILE}; printf "Running ansible-lint with SKIP_LIST: [%s]...\n" "$$ANSIBLE_LINT_SKIP_LIST"
-	-@. ${SKIP_FILE}; ${LINT_ANSIBLE} -x $$ANSIBLE_LINT_SKIP_LIST ${YAML_FILES}
+	-@. ${SKIP_FILE}; ${LINT_ANSIBLE} -x $$ANSIBLE_LINT_SKIP_LIST ansible/
 
 lint-ci: ${SKIP_FILE}
 	@printf "Running yamllint...\n"
diff --git a/ansible/roles/http/defaults/main.yml b/ansible/roles/http/defaults/main.yml
index 386d0ba..0ec4ea7 100644
--- a/ansible/roles/http/defaults/main.yml
+++ b/ansible/roles/http/defaults/main.yml
@@ -10,6 +10,7 @@ pi_server_name: pi.bdebyl.net
 assistant_server_name: assistant.bdebyl.net
 home_server_name: home.bdebyl.net
 parts_server_name: parts.bdebyl.net
+video_server_name: video.bdebyl.net
 install_path: /usr/share
 
 nginx_path: /etc/nginx
diff --git a/ansible/roles/http/tasks/http.yml b/ansible/roles/http/tasks/http.yml
index e56bcaa..5a3cda4 100644
--- a/ansible/roles/http/tasks/http.yml
+++ b/ansible/roles/http/tasks/http.yml
@@ -19,6 +19,18 @@
     - sites-available
   tags: http
 
+- name: ensure http/s directories exist
+  become: true
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: http
+    group: http
+  loop:
+    - /srv/http
+    - /srv/http/letsencrypt
+  tags: http
+
 - name: chown http user home
   become: true
   file:
@@ -39,6 +51,7 @@
     - "{{ pi_server_name }}.conf"
     - "{{ home_server_name }}.conf"
     - "{{ assistant_server_name }}.conf"
+    - "{{ video_server_name }}.conf"
     - "{{ parts_server_name }}.conf"
   notify: restart_nginx
   tags: http
@@ -62,5 +75,11 @@
     - "{{ parts_server_name }}.conf"
     - "{{ home_server_name }}.conf"
     - "{{ assistant_server_name }}.conf"
+    - "{{ video_server_name }}.conf"
   notify: restart_nginx
   tags: http
+
+- name: validate nginx configurations
+  become: true
+  shell: nginx -t
+  tags: http
diff --git a/ansible/roles/http/tasks/https.yml b/ansible/roles/http/tasks/https.yml
index f6582c9..eaa02fa 100644
--- a/ansible/roles/http/tasks/https.yml
+++ b/ansible/roles/http/tasks/https.yml
@@ -7,6 +7,7 @@
     mode: 0644
   loop:
     - "{{ ci_server_name }}.https.conf"
+    - "{{ parts_server_name }}.https.conf"
   notify: restart_nginx
   tags: https
 
@@ -18,5 +19,6 @@
     state: link
   loop:
     - "{{ ci_server_name }}.https.conf"
+    - "{{ parts_server_name }}.https.conf"
   notify: restart_nginx
   tags: https
diff --git a/ansible/roles/http/tasks/modsec.yml b/ansible/roles/http/tasks/modsec.yml
index af49cde..502abc5 100644
--- a/ansible/roles/http/tasks/modsec.yml
+++ b/ansible/roles/http/tasks/modsec.yml
@@ -35,36 +35,37 @@
 
 - name: setup modsec and coreruleset configs
   become: true
-  file:
+  copy:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
-    state: link
     force: true
     mode: 0644
+    remote_src: true
   loop: "{{ modsec_conf_links }}"
   notify: restart_nginx
   tags: modsec
 
 - name: setup coreruleset rules
   become: true
-  file:
+  copy:
     src: "{{ crs_rules_path }}/{{ item.name }}.conf"
     dest: "{{ modsec_rules_path }}/{{ item.name }}.conf"
-    state: "{{ item.enabled | ternary('link', 'absent') }}"
     force: true
     mode: 0644
+    remote_src: true
+  when: item.enabled
   loop: "{{ crs_rule_links }}"
   notify: restart_nginx
   tags: modsec, modsec_rules
 
 - name: setup coreruleset data
   become: true
-  file:
+  copy:
     src: "{{ crs_rules_path }}/{{ item }}.data"
     dest: "{{ modsec_rules_path }}/{{ item }}.data"
-    state: link
     force: true
     mode: 0644
+    remote_src: true
   loop: "{{ crs_data_links }}"
   notify: restart_nginx
   tags: modsec, modsec_rules
diff --git a/ansible/roles/http/tasks/security.yml b/ansible/roles/http/tasks/security.yml
index 17f94a5..5b98a6d 100644
--- a/ansible/roles/http/tasks/security.yml
+++ b/ansible/roles/http/tasks/security.yml
@@ -9,4 +9,6 @@
     - access
     - error
   notify: restart_fail2ban
-  tags: http, security
+  tags:
+    - http
+    - security
diff --git a/ansible/roles/http/templates/nginx/sites/assistant.bdebyl.net.conf.j2 b/ansible/roles/http/templates/nginx/sites/assistant.bdebyl.net.conf.j2
index 8b10fee..1cc6e2e 100644
--- a/ansible/roles/http/templates/nginx/sites/assistant.bdebyl.net.conf.j2
+++ b/ansible/roles/http/templates/nginx/sites/assistant.bdebyl.net.conf.j2
@@ -2,6 +2,9 @@ upstream hass {
   server 127.0.0.1:8123;
 }
 server {
+  modsecurity on;
+  modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
+
   listen 80;
   server_name {{ assistant_server_name }};
 
diff --git a/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.http.conf.j2 b/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.http.conf.j2
index 48cc792..27fb53b 100644
--- a/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.http.conf.j2
+++ b/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.http.conf.j2
@@ -4,7 +4,7 @@ server {
 	server_name {{ ci_server_name }};
 
 	location /.well-known {
-		root /srv/http;
+		root /srv/http/letsencrypt;
 		try_files $uri $uri/ =404;
 	}
 
diff --git a/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2 b/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
index ac93ae5..857f2ec 100644
--- a/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
+++ b/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
@@ -3,6 +3,9 @@ upstream drone {
 }
 
 server {
+  modsecurity on;
+  modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
+
   listen 443 ssl http2;
   listen [::]:443 ssl http2;
   server_name {{ ci_server_name }};
@@ -22,9 +25,6 @@ server {
   ssl_stapling_verify       on;
 
   location / {
-    modsecurity on;
-    modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
-
     add_header Allow                     "GET, POST, HEAD"                                                                                                                                                                        always;
     add_header Content-Security-Policy   "default-src 'self'; img-src 'self' https://*.githubusercontent.com; frame-ancestors 'self'; base-uri 'none',base-uri 'self'; form-action 'self'" always;
     add_header Referrer-Policy           "same-origin"                                                                                                                                                                            always;
diff --git a/ansible/roles/http/templates/nginx/sites/home.bdebyl.net.conf.j2 b/ansible/roles/http/templates/nginx/sites/home.bdebyl.net.conf.j2
index 526eca6..bf48527 100644
--- a/ansible/roles/http/templates/nginx/sites/home.bdebyl.net.conf.j2
+++ b/ansible/roles/http/templates/nginx/sites/home.bdebyl.net.conf.j2
@@ -4,6 +4,9 @@ geo $whitelisted {
 }
 
 server {
+  modsecurity on;
+  modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
+
   listen 80 default_server;
   server_name {{ home_server_name }};
   if ($whitelisted = 1) {
diff --git a/ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.conf.j2 b/ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.conf.j2
index dfd4b67..ed07b9c 100644
--- a/ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.conf.j2
+++ b/ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.conf.j2
@@ -3,20 +3,20 @@ geo $whitelisted {
   192.168.1.0/24 1;
 }
 
-upstream partkeepr {
-  server localhost:8081;
-}
-
 server {
+  modsecurity on;
+  modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
+
   listen 80;
+  listen [::]:80;
   server_name {{ parts_server_name }};
 
-  if ($whitelisted = 0) {
-    return 302 $scheme://bdebyl.net$request_uri;
-  }
+	location /.well-known {
+		root /srv/http/letsencrypt;
+		try_files $uri $uri/ =404;
+	}
 
   location / {
-    proxy_pass http://partkeepr;
-    proxy_connect_timeout 1s;
+	  return 302 https://$host$request_uri;
   }
 }
diff --git a/ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.https.conf.j2 b/ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.https.conf.j2
new file mode 100644
index 0000000..cd3c164
--- /dev/null
+++ b/ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.https.conf.j2
@@ -0,0 +1,56 @@
+geo $whitelisted {
+  default 0;
+  192.168.1.0/24 1;
+}
+
+upstream partkeepr {
+  server localhost:8081;
+}
+
+server {
+  modsecurity on;
+  modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
+
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name {{ parts_server_name }};
+
+  ssl_certificate         /etc/letsencrypt/live/{{ parts_server_name }}/fullchain.pem;
+  ssl_certificate_key     /etc/letsencrypt/live/{{ parts_server_name }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ parts_server_name }}/fullchain.pem;
+  ssl_dhparam             /etc/ssl/certs/dhparam.pem;
+
+  ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+  ssl_prefer_server_ciphers off;
+  ssl_protocols             TLSv1.2 TLSv1.3;
+  ssl_session_cache         shared:SSL:10m;
+  ssl_session_tickets       off;
+  ssl_session_timeout       1d;
+  ssl_stapling              on;
+  ssl_stapling_verify       on;
+
+  if ($whitelisted = 0) {
+    return 302 $scheme://bdebyl.net$request_uri;
+  }
+
+  location / {
+    add_header Referrer-Policy           "same-origin"                                                                                                                                                                            always;
+    # add_header Strict-Transport-Security "max-age=630720000; includeSubDomains"                                                                                                                                                   always;
+    add_header X-Content-Type-Options    "nosniff"                                                                                                                                                                                always;
+
+    # Sent from upstream:
+    # add_header X-Frame-Options           "SAMEORIGIN";
+    # add_header X-XSS-Protection          "1; mode=block";
+
+    proxy_set_header Host              $http_host;
+    proxy_set_header X-Forwarded-For   $remote_addr;
+    proxy_set_header X-Forwarded-Proto $scheme;
+
+    proxy_buffering    off;
+    proxy_http_version 1.1;
+    proxy_pass         http://partkeepr;
+    proxy_redirect     off;
+
+    chunked_transfer_encoding off;
+  }
+}
diff --git a/ansible/roles/http/templates/nginx/sites/pi.bdebyl.net.conf.j2 b/ansible/roles/http/templates/nginx/sites/pi.bdebyl.net.conf.j2
index 630823f..473c5bd 100644
--- a/ansible/roles/http/templates/nginx/sites/pi.bdebyl.net.conf.j2
+++ b/ansible/roles/http/templates/nginx/sites/pi.bdebyl.net.conf.j2
@@ -5,6 +5,9 @@
 #
 
 server {
+  modsecurity on;
+  modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
+
 	listen 80;
 	listen [::]:80;
 
diff --git a/ansible/roles/http/templates/nginx/sites/video.bdebyl.net.conf.j2 b/ansible/roles/http/templates/nginx/sites/video.bdebyl.net.conf.j2
new file mode 100644
index 0000000..b7a6d70
--- /dev/null
+++ b/ansible/roles/http/templates/nginx/sites/video.bdebyl.net.conf.j2
@@ -0,0 +1,24 @@
+upstream shinobi {
+  server 127.0.0.1:8085;
+}
+
+server {
+  modsecurity on;
+  modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
+
+  listen 80;
+  server_name {{ video_server_name }};
+
+  location / {
+    allow 192.168.1.0/24;
+    allow 127.0.0.1;
+    deny all;
+
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Upgrade         $http_upgrade;
+    proxy_set_header Connection      $connection_upgrade;
+
+    proxy_buffering off;
+    proxy_pass http://shinobi;
+  }
+}
\ No newline at end of file
diff --git a/ansible/roles/motion/defaults/main.yml b/ansible/roles/motion/defaults/main.yml
index df8a412..870fe9a 100644
--- a/ansible/roles/motion/defaults/main.yml
+++ b/ansible/roles/motion/defaults/main.yml
@@ -1,6 +1,2 @@
 ---
-deps: [
-  motion
-]
-
-motion_target_dir: "{{ nfs_root }}/motion"
+deps: ["cifs-utils"]
diff --git a/ansible/roles/motion/meta/main.yml b/ansible/roles/motion/meta/main.yml
index d8bd180..ed97d53 100644
--- a/ansible/roles/motion/meta/main.yml
+++ b/ansible/roles/motion/meta/main.yml
@@ -1,3 +1 @@
 ---
-dependencies:
-  - role: nfs
diff --git a/ansible/roles/motion/tasks/deps.yml b/ansible/roles/motion/tasks/deps.yml
index 3eab821..af84294 100644
--- a/ansible/roles/motion/tasks/deps.yml
+++ b/ansible/roles/motion/tasks/deps.yml
@@ -1,7 +1,9 @@
 ---
-- name: install motion
+- name: install shinobi dependencies
   become: true
   pacman:
     name: "{{ deps }}"
     state: present
-  tags: deps
+  tags:
+    - deps
+    - motion
diff --git a/ansible/roles/motion/tasks/motion.yml b/ansible/roles/motion/tasks/motion.yml
index 4be23e5..2ebd2cc 100644
--- a/ansible/roles/motion/tasks/motion.yml
+++ b/ansible/roles/motion/tasks/motion.yml
@@ -1,51 +1,50 @@
 ---
-- name: give motion user nfs permissions
+- name: create shinobi user
   become: true
   user:
-    name: motion
-    groups: "{{ nfs_group }}"
-    append: true
-  notify:
-    - restart_motion
+    name: "{{ motion_user }}"
+    shell: /bin/nologin
+  tags: motion
 
-- name: create motion directory
+- name: mount shinob videos folder
   become: true
   file:
-    path: "{{ motion_target_dir }}"
+    path: /mnt/shinobi
     state: directory
-    owner: "{{ nfs_user }}"
-    group: "{{ nfs_group }}"
-    mode: 0777
+    owner: "{{ motion_user }}"
+    group: "{{ motion_user }}"
+    mode: 0755
+  tags: motion
 
-- name: template motion config
+- name: mount smb via cifs
   become: true
-  template:
-    src: templates/motion.conf.j2
-    dest: /etc/motion/motion.conf
-    mode: 0644
-    backup: true
-  notify:
-    - restart_motion
+  mount:
+    path: /mnt/shinobi
+    src: "//{{ motion_hostname }}/share/GardenCamera"
+    fstype: cifs
+    # yamllint disable-line rule:line-length
+    opts: "username={{ motion_user }},password={{ motion_pass }},workgroup=workgroup,iocharset=utf8,uid={{ motion_user }},gid={{ motion_user }}"
+    state: mounted
+  tags: motion
 
-- name: create motion systemd override directory
+- name: create shinobi data volume
   become: true
-  file:
-    path: /etc/systemd/system/motion.service.d/
-    state: directory
-    mode: 0644
+  docker_volume:
+    name: shinobi_data
+  tags: motion
 
-- name: template motion systemd override
-  become: true
-  template:
-    src: templates/motion.service.override.j2
-    dest: /etc/systemd/system/motion.service.d/override.conf
-    mode: 0644
-  notify:
-    - restart_motion
-
-- name: enable (now) motion.service
-  become: true
-  service:
-    name: motion.service
-    state: stopped
-    enabled: false
+- name: create shinobi server container
+  diff: false
+  docker_container:
+    name: shinobi
+    image: migoller/shinobidocker:latest
+    recreate: true
+    restart: true
+    restart_policy: on-failure
+    restart_retries: 3
+    volumes:
+      - "shinobi_data:/var/lib/mysql"
+      - "/mnt/shinobi:/opt/shinobi/videos"
+    ports:
+      - "8085:8080"
+  tags: motion
diff --git a/ansible/roles/motion/templates/motion.conf.j2 b/ansible/roles/motion/templates/motion.conf.j2
deleted file mode 100644
index 1249a58..0000000
--- a/ansible/roles/motion/templates/motion.conf.j2
+++ /dev/null
@@ -1,171 +0,0 @@
-# Rename this distribution example file to motion.conf
-#
-# This config file was generated by motion 4.3.2
-# Documentation:  /usr/share/doc/motion/motion_guide.html
-#
-# This file contains only the basic configuration options to get a
-# system working.  There are many more options available.  Please
-# consult the documentation for the complete list of all options.
-#
-
-############################################################
-# System control configuration parameters
-############################################################
-
-# Start in daemon (background) mode and release terminal.
-daemon on
-
-# Start in Setup-Mode, daemon disabled.
-setup_mode off
-
-# File to store the process ID.
-; pid_file value
-
-# File to write logs messages into.  If not defined stderr and syslog is used.
-; log_file value
-
-# Level of log messages [1..9] (EMG, ALR, CRT, ERR, WRN, NTC, INF, DBG, ALL).
-log_level 6
-
-# Target directory for pictures, snapshots and movies
-target_dir {{ motion_target_dir }}
-
-# Video device (e.g. /dev/video0) to be used for capturing.
-; videodevice /dev/video0
-
-# Parameters to control video device.  See motion_guide.html
-; vid_control_params value
-
-# The full URL of the network camera stream.
-netcam_url rtsp://{{ motion_hostname }}:{{ motion_port }}/h264?username={{ motion_user }}&password={{ motion_pass }}
-
-# Name of mmal camera (e.g. vc.ril.camera for pi camera).
-; mmalcam_name value
-
-# Camera control parameters (see raspivid/raspistill tool documentation)
-; mmalcam_control_params value
-
-############################################################
-# Image Processing configuration parameters
-############################################################
-
-# Image width in pixels.
-width 3840
-
-# Image height in pixels.
-height 2160
-
-# Maximum number of frames to be captured per second.
-framerate 20
-
-# Text to be overlayed in the lower left corner of images
-text_left NatureCam
-
-# Text to be overlayed in the lower right corner of images.
-text_right %Y-%m-%d\n%T-%q
-
-############################################################
-# Motion detection configuration parameters
-############################################################
-
-# Always save pictures and movies even if there was no motion.
-emulate_motion off
-
-# Threshold for number of changed pixels that triggers motion.
-threshold 165900
-
-# Noise threshold for the motion detection.
-; noise_level 32
-
-# Despeckle the image using (E/e)rode or (D/d)ilate or (l)abel.
-despeckle_filter EedDl
-
-# Number of images that must contain motion to trigger an event.
-minimum_motion_frames 1
-
-# Gap in seconds of no motion detected that triggers the end of an event.
-event_gap 60
-
-# The number of pre-captured (buffered) pictures from before motion.
-pre_capture 80
-
-# Number of frames to capture after motion is no longer detected.
-post_capture 300
-
-############################################################
-# Script execution configuration parameters
-############################################################
-
-# Command to be executed when an event starts.
-; on_event_start value
-
-# Command to be executed when an event ends.
-; on_event_end value
-
-# Command to be executed when a movie file is closed.
-; on_movie_end value
-
-############################################################
-# Picture output configuration parameters
-############################################################
-
-# Output pictures when motion is detected
-picture_output off
-
-# File name(without extension) for pictures relative to target directory
-picture_filename %Y%m%d%H%M%S-%q
-
-############################################################
-# Movie output configuration parameters
-############################################################
-
-# Create movies of motion events.
-movie_output on
-
-# Maximum length of movie in seconds.
-movie_max_time 30
-
-# The encoding quality of the movie. (0=use bitrate. 1=worst quality, 100=best)
-movie_quality 45
-
-# Container/Codec to used for the movie. See motion_guide.html
-movie_codec mp4
-
-# File name(without extension) for movies relative to target directory
-movie_filename %Y%m%d-%H_%M_%S
-
-############################################################
-# Webcontrol configuration parameters
-############################################################
-
-# Port number used for the webcontrol.
-webcontrol_port 8080
-
-# Restrict webcontrol connections to the localhost.
-webcontrol_localhost on
-
-# Type of configuration options to allow via the webcontrol.
-webcontrol_parms 0
-
-############################################################
-# Live stream configuration parameters
-############################################################
-
-# The port number for the live stream.
-stream_port 8081
-
-# Restrict stream connections to the localhost.
-stream_localhost on
-
-##############################################################
-# Camera config files - One for each camera.
-##############################################################
-; camera /usr/etc/motion/camera1.conf
-; camera /usr/etc/motion/camera2.conf
-; camera /usr/etc/motion/camera3.conf
-; camera /usr/etc/motion/camera4.conf
-
-##############################################################
-# Directory to read '.conf' files for cameras.
-##############################################################
-; camera_dir /usr/etc/motion/conf.d
diff --git a/ansible/roles/motion/templates/motion.service.override.j2 b/ansible/roles/motion/templates/motion.service.override.j2
deleted file mode 100644
index 78422bb..0000000
--- a/ansible/roles/motion/templates/motion.service.override.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-User={{ nfs_user }}
diff --git a/ansible/roles/ssl/tasks/certbot.yml b/ansible/roles/ssl/tasks/certbot.yml
index 34afbfa..72b4391 100644
--- a/ansible/roles/ssl/tasks/certbot.yml
+++ b/ansible/roles/ssl/tasks/certbot.yml
@@ -1,8 +1,16 @@
 ---
+- name: stat dhparam
+  become: true
+  stat:
+    path: /etc/ssl/certs/dhparam.pem
+  register: dhparam
+  tags: ssl
+
 - name: generate openssl dhparam for nginx
   become: true
   command: |
     openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
+  when: not dhparam.stat.exists
   args:
     creates: /etc/ssl/certs/dhparam.pem
   tags: ssl
@@ -10,9 +18,12 @@
 - name: create ssl certificate for ci server
   become: true
   command: |
-    certbot certonly --webroot --webroot-path=/srv/http \
-    -m {{ ci_server_email }} --agree-tos \
-    -d {{ ci_server_name }}
+    certbot certonly --webroot --webroot-path=/srv/http/letsencrypt \
+    -m {{ ssl_email }} --agree-tos \
+    -d {{ item }}
   args:
-    creates: "/etc/letsencrypt/live/{{ ci_server_name }}"
+    creates: "/etc/letsencrypt/live/{{ item }}"
+  loop:
+    - "{{ ci_server_name }}"
+    - "{{ parts_server_name }}"
   tags: ssl
diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml
index 511ae70da2ed2e5962e92712700ae4352fbb8419..d34358fd22b133a712a154392cfd3abdd68c077c 100644
GIT binary patch
literal 3228
zcmV;N3}f>EM@dveQdv+`08ACns{3(vZm2rzqkadEk;m_5bor6^`C9JA0cql<vDq9n
zElYmWgR-0X?XM^0gEtTk6|ltSlSxHm-bIYD5?C7Fxuq~G@)wf0f(;kg#$MU!s&j@E
zs<w}X$Qb5m-!X?`Gs|RV*o5~fG>^kP<93+bs7Zchc}Aa*9M%!S)pphPk+j;My?W62
z8>1k%_%oW(o|pPGm)Yn97{U;IChIUO7RsJo>mNnU0<jZ3jt}HQ;d(Mxgk7r1faGX1
z`y&D%*DAczFixTqj@6LDVk2ODyD?LxMj@-h*MhCCl9f%CZV=HY0hA8US^nw%O2@*;
zW|R<M`&dlW#$La1rLS=hed~sm=D9W>@7p_H_cTkNnzjMGOMgxA&X#?NGR#?+aCEnb
z8`2osndD3wT;54(fwN7h8qO06Jm(D#-Z}AG$n&Qd8ynSWPR(YSu^9I3nf4Bz$AR+-
zjr$yB!keI2jc-`<dam65zWF1y(&0rJqtneWj%^-58aEOa^^rX_my`ENop&~HBVr9|
z(#XAfo+#W4@Z#f#4t&im-Z81T<7t1@%8aji`yqShR(#Or-ARIuDX%2AfK{cBDB?|A
zsBGMWcD7WRRQpB9O&n@iaPaA6e|B8xupiv2&={1f|9Blmfy58BSy)jRFgChJn-+V0
z9LM|+IH*oI^j<SKNi!0?uT`Jco-Qe6-&Ws`*@KxEU>7dxE*|nFg}GwS*F6la{0PaJ
zrmeloU=!crLg0bB$*f;K3EXGSef}ho6n%EAGbZ`z3bRRIy9k_X@1G07%;0VZaSG8r
zWDY5e7iOjvtU&v6&Wa=1haDgJnum!cfUSI)Cb6Dz^JBG7YW$JCXsH~$tSb_DYM&SR
zsHuIR2+8~`k`Ug<#6I00@224)h=+WDH7E{ax-QlXV~hpIyoTdo2F7m&2)-BwoHZ<_
z<I7BDl!%`X+wwUgO<qx8Af=~Vo<r!Qj5h~JZjwZ0dh{KtB0_Q{G{$3^?eb3ZP<=v#
zK-3AB+Up%F)1v@h3a~4fFo_#8c=M90_=1QQ(Rh!RW|cX}+RDogo&CG)@=tc?&?5}T
z#bcviJsf$!ziDw1p_+-^T(IppBAn$9+Rq7G$^preG>Q}sw?fLzgo9!u`gD32uOENb
z&)Av~h_MRt$gz6laO$K|g`@5C;Mj)wb0CEXzAE(JCmXIaJb?k=-%XviY2?=-SGDC$
z(A}cB+WHw$-(V{@t%63tPnURwUoX*`VM0@ILQ*o2Oyv_o2iH@Y?l`8(W6&gTBlW^0
z)RFegs#_!M;fiN0I_?tqjA<Xbw?cU;$*eM-GSmUM6VAkSXx|koo>q7M{We8$ern|U
z_MPSf*9~`KTjuP|;xuKV{Xs&w$5#ha6+a@R0b{JBp_v;cXf*Nt9X?|J0fO;uXHV2_
zL*$%g;6CV8i~MgWlG8)GRBnyLj(6!Kn~98qgWd>uGzTp>K9@TN{P$52yTXi=L%F8(
z0${u6B;s3=92BQh*`}Or&Id2hvdWlpzqhTT1RwJ26|I{!UXR)81<sfxxd(k7Q)Fl%
z;!%|L9oJejf!Ww85Bk7jW+Q2v!@VMr!cHxIOUdury*$eT#q^vE_q>**v+AAW&}?iC
zZMhsIrvJX9akMZ70?<Yv^7HU1cpQ?j*@DQpr%Pg|Hw~_MIiDedVwQd@k_~8gAu?2v
zfveS`yg89bODy5-`th{p5(iB%Au(t=+U2cGr3|Eo0~tGlR51si{3&FRb%NRr_B`B?
z5^(@y4dMmKew8%c&g@GMdtOMG<*aFI=2d4M>v-kDlW)>RI37koLS@oB3ydh^)fDQj
zT|U?olcDiAH9Je7QpO)3Wd&ODzCj$0+cIy#3^43Ugx}*GL119P9il&S?6bsbOghCB
zm|hG#{XH^a@v-al6!4baGqoqq+apjGVN}9SQc?%({X`h<`7Jm<Qs%t(NWgKi*0;e$
zioH`|-nArYIUZ`&R^t0x8b_V%V)TP}EWB`yUIc8Rh#Bt6);u!JZ!W*!siz=sEjD=s
z9=tl|<AXcl{JX?9-ISKi*X}aYdU|3!58neF#{RXfJt5c4NUjp2^?r<NrZ52-K<kCM
zG>#(^PuG<wK5Kdt;SWJ^3$I7Ci7Hj+evo1Et63nB*UFJ9Ymj^z)P@fzZ&d=VM7|0-
zpY{T|3f$f_S@hj6I_@(A8v$0Y9QpWE9<J+7YRDX_>QnB`ks5E^Y=cGTsWaq(_O<o^
z!q3@f=du}+=K77Oto;sC)gnB%)Nv61d1#YwEGo>!2QwIPnLBZ~#j7i9*NL{n$&q48
zfdgpEjv~z2{o*M2kjep8xWr9Tizec@K}G;Pb$#~)w@8b?<9u=9C|w<myjwzH)_r^w
zx#DeI5ZQvEn<iqhLruVtKjj;dhdX4_C_V6>wd~D=iV{%!Lx~9wG3oWSBS@*_U^4VD
zm!>7M5~#(oj`qHO2g43m1o^)9o@j<_9LmeOrU-#O7<?U5YT86*bXQ+Hss+Mqfcz(m
zcG!7j*ewi3Yayo=pYA$nc?pb)E%Mi{OXzTn`RqxQQ5W*l8mD8<%*6GWg6T&eUe$`P
z$#|TD?Z!{^50_0)4u8T2BG0Gjl|K0ju4^~MG!wAqy;OoTiSNL>?U5Ym(+6RQWhba=
z?Dv0A(u4cI$27#=vi>_lUVp#CU0;(NdJsOnWZCoP*505jSw4MD(TSjD$-#%lSgxOX
zI8v<T%eB14aa-Yw)2Ny$5M96ovfj|8?1aUnJ3V5_&j+RF^$e;gYCNDct%<kM|Am^F
z%8Hey$vZp_fxYv@>w;@1j6aLVk+T%<ROJIL<qe`k{V7)|Ge-;{PWs<Kcf8D;6svjU
zJSfwU*e5=gZHX>)$xrxGlHYm#$(K;cA_GscrHblEU?@>U-4@KOYm9>HKjtmwJ7-EX
zuN7mYlOx*Jla0FI8ypFQ|NP(`Q>uu;K+BCvm2God<Nhc6p$sW0X>r8zRrJ^93+~Q7
zHdePrS_iKY6>vVg;b_;8@qs|cLwgEVv6W>u9TOp2C_*bp8&Epz0(<YgqB&h6ObrY1
z-9}GPvtRF`H@mq^)=t%!u1?!EeA4%Sq-#buWICv48G_cRg^b+fOSO&KVgJh+1Ws6R
zO9Mv3fzG;YiN(%ZEdq}3k8nv4Mt!Sg)a>G&^kXwo8%RyQnMq=JVwpMruq1F{*ik5t
z8&4|no*4z7yfoX**x<rlyY4Q3TOSpag{I$6tHxz-SeV)kO||o!C9=eGWE63kgXrig
zcYh{1zFKobK$z7RyqQ5Dm>Hk>R2^5G3kCR!pKOE$<A8>k2nl_!d~(hxtD_N<?<N(#
z?JQ_9^~go5VhNj<G<%zWt`tV<WUF=~M1DX-^K*TqQ}=Gnp!-*3rV*H*IG#7LCt>?f
zj-_9P!7PlUwHTD1-Kjp5l|0Y+_Qx(_VK%2IFo8q3?20%za#YX3`{|~Do(Qv<T=^vh
zak2F(a909p<K1+?#5iG5*EHg6@tG~pX^~L2zx;PX?n@r$Y9rkLX5@v3@=l-?0`iKe
z{cpBK(g^}|)1$Zu8_qU?FoiVvUC7QXwWo+^|M?Nm(CtW?uJknL4G7?+a+>+?rl1){
z4k~)+rS2yRJmIF$)I?ntF#0hycPBftsD0h<m59J6Hde;(cEzyFx?*!H)4%@A4>4D#
zZ1TP!<}-{;CQquVdTzpI4|g)3)qDQP`ZP*!74_bU*uqhkD+y-o9O5lxNuwGkJLPmv
zv{McQkd+)Q`0MIw=xFu%Na?%j=ZHy{){0*Z@C_Ci@b9&B@N5^Z`T$NfTK$Li5e?ye
zkyfMfGMoDF9KgMSf?SkZ#J1wV5ZSJECsmama62~umb$h(NvkQ1Rn#kLU|@cEIiufO
z2jvO6n=;?QRY(QZ!Z4HL>&7y#yb&KKnfM^M(2(Qq`>_g;vEN%PDHf}JPl*Z&A@4rh
zwHK?Af%tw5v)%q6W8{;;ssV{2f#e*`>Gcw$aOy8cenr7Fbrnq!uLuiY{$3}n?BqzL
zmIWnQGaa=Cutag~bD1eQu;h)xI@`#1zJgqHK|TS6-Yc5q`SD0o*5!S@m4e>`bovnw
zcv&s;=?fgDtxG{2;x3m=%$BlYT<&Pbzn6M4c|Wi5Eb1V|@u`qg7vn=);n)_T*Mt1W
z1E>KV%TPD_%+1;cmsS$GwkmLfK&ECXPBF*kUOyZO@5#5~(eKij1clJsAorJrlnBvE
OE|H2rbM=jPgC-T<$z3G?

literal 3293
zcmV<33?lOYM@dveQdv+`0D47B%v{OL<Ua<lR}@X2os59eUy80@Ow)B->AoGKVrQj=
z_9l(;!SA8RvFF0jdC<05WZUWAV77D@++6@6FFaxuv?}xDX}}A>B-$VTjg?4(n$PMt
ze{j6<j~t<ZE$j7#VJj)Kj)(2j1r>4r=(QGa1HMUNewj!I(r=>>f>j+Cyews#1O;nV
z{TW5`5MCvmC}QmjVz@8co*evu=GeJ8RFxNK;V$akuUNuTC5rs;?Jwld|7lED|E#(q
zelFjKLMMf)FY}6r4_|52lR>NLp{F2k7PRY1lD%_LL;HyfhMn+W`#CApcz%>fo~_oW
zU7RyGUxUG7Pc-}vlXcfS(ab<48BsCI#``e$f7Q9P(#legaf%8mLVDJmi!bPJOkzWo
z3JK)&wq7nnA#MPEqquUXPd?8LRg}_ekzo7fraBq-s1N-bRCc)Sjy5^eb_iP9UT79$
zLbXKWysH9QUllevC5Z4v?6!4tutmuSa+c^n>?0S>qXs@Z;)eWYvAr)y!+3PP8cx)0
zWvdiSQv@!3v=yrJt^&?VEB%|3kjBq(0#eq8?N?NE>J@eZb{I=<jNSXdD;$!+VGM6d
zb%tQP4mnWCRHI6#Dhh(4b4<5HkZKf|==kSr%zr1PQW%Yn&_FU1>aa1yK)6Zz3Xe#t
zVWlj#Tcn|SdTfp{Jb{@I^$<=TKC9Xy9y<{tU0uZ0mnR^T;7H0MWd_&a?Poobr`Q_z
z+ZZMD0fB5yoHgsM7JuxO)1nCT3QxrJTM}V=+MxD}*{#aa7a+LHsn*XGtI($i=-XBB
zz8MQ+LXC6)m~HS8i}TrF`?>1f*=mW$@&MyCcS#-2i*}A)j=##1U9$LFP6c01smb+_
zSIN``59*-I#a^lIkj|h%JEpJh<Tc~v5OF`K?e-pjflT&+bM#8Bi@K%kbhcID)&an3
zlbQosfR_ZqW6B|TxBG;{zxCkJ2%#9W0398mybL@lP4q;Ze8gva+KB&mD7U(Fqvz!8
z(COA&5PCQAzVya0BsRDokhdqliVN`aYs+r5zf!sdI2PW>DU|o#*0Jsh)hR)q?_xI1
zqTH-!nh5*wVoJ2v_4PfuoESNikRz=r^ovX@4Z<?$EL0BqzB{){bV9HF=YqxGGxQS$
zYLYz!xRv#hfq2SGDI3*lGlBd{RtWc@>-%;kX(8pna_7<rA~%}SYmY`Sc*Q8uHMO0Q
zFmcH+6``OX`9s-#rviWjQ4S7#eH0P|^^(*ZXf7BoF6`OoKIF{8r|L$Qhg8`*>Qr%E
z3RjSYc-4fr*JpzKlxRAuoiYXC{O0StCe^1ld!c4#$tyuv8R^eQd>~rYkn=HKjrtnt
zaggmp*wogHJnVjg-CfcZT{K{lM)#p(g-52%+abDXLwRQa*45qcfTi8i4Wuma2@5l_
zq16QM^{ZZQBIPhkHnn7K(cbFHKr&NO<_5J!+ta#q7ErDVXH~c0Oauri%QAtJK}Krm
zc!^IHm|Q5a6l$Hx)Ww)<z*PXaG&+B+BRjzH>`qCD1g%`F#n1j{nMaqQK`1K#CQ7(5
zu1)GewgJWOe^xz%b2tu|#)6`3xcxav^HGjaWViXhvV}pOz%t9Dd~RIi70EV1DCF}0
zO*G;{`T@{w9d5(yO*F(8-%0EL9PI>b&*oAw#Fj!cn0lV>$x;!yH$~0smJ$sIz<(e3
z<EI_kw`KK(>wl$B<I$l=Y%jYpRit#xE4oi)NNXd6>WwKJY#sC-rAXp}Y4KygSS80h
z@#%CXXY|)-h8f{YDje`fa+cyleiBW~z5nCb?iq(y;M}Qd&aX`Xd;Ln3l(dB&K;7R1
zQJ8;AO3G<XQB-{l;wM|DvGl(M;lovheSr2NHLq$C(7<Y4M46DPo(EY8<@halW~=<`
z6_{2k93$nCZTd_d<_cLj7e&e&U=4-;i`jn4g{AAD`Mm*jPghX>IU{uaj`^D_1n)J^
zM+YXSJNrFBC@&o2XGq64zMW~3sGLLHVzmKt2;iaTKs8O9ENK701iU6A*^$jET5LAw
zRC&fN+dV0ZRUUvp^d+W^OiF*C3It-8(7yX}@N(=9J!nHaH-*}~diqcoS6(GhTFC<*
z50@>JTl8{vB?U`Qs<bc7f^m%<j|+AYZR+qK$d50ye^pTc92xGSVLq&MxOAG)|Bypr
zKeGn>8{WAXUf%nUj)JD7233!3#@-$N4WS<w|Lu6@Eie8OaUNHy0ojeCUaB~cdL#1l
z9(L5z-A^T2lh4_l`)_4%AeZu)?$<q`*JWYdC|pIp@1>1`>($buRC!90==0Z2T>j)0
zx}skD&yh_%QRm`$8*^qZsEnluIy@_iClWJYM|$(-qmA4mFmm)LyZ5I5+7-!zrWt{n
zlpV9bK?uvh1Hj^Gv_8Fd(n9Jd_er-T7ye)(s@rE8pMOh0M-r`NDR3{cxiQ126t_;e
zzWtzQF=&F<yjC^DUnasH`L0&}C~*{@Oty8>xJRc()H54_fTunsbb6vv{^Ig#Ng`C{
zJj~&T;+OWTGiI!Dd2bhz+^*D@UIHG?pQGbFDK3dgkpoN>f=gesa$@KysCSb;2;g<{
zVo}Y_?8&+F<)HNPzb#z5eTU=qrV-yW%4CM8VYV=@$xq80BTC|JxlQ=XqYxw`%1)-R
zOHbovaG~me1f~vA{-ZDancxZ$RMET)tz9aQnz$A>o|khX$UhnS&SG12xGV!f=(=r$
z^ji>l=iqBrb=pfyjDy&uXNusBxZUFM-(ECYgbu(zk-ozgr<sF*_QJH9)c?i1BN$A<
zF-bC@@ybPJu!qNy1^~jAY(7i<g2jwMCO?mteL<hB{NYz{5YVHh*xAx4JmdHYVX$gs
zmBO&zHP97z7&9a(HmHoxKF<iyV{Nt3B#XR#=X>=Qc^Iup(x00meQZTYq0>s%<@VNt
z?L%e3H&!<@VYxJL*j!`tf@M*Tn5{L>BU!Jqs|J-n`vc|kALPy|U^(tG0Bt(prIb<s
ztzF2LFmlN01O0V;2yw)wUdyUL8KRRrW=U|v=!$oF6q^a*15~qM(#A6K;mWhBbOO!9
zRH$#{|ADQAe#&xyz*^XeXlvW2;NAPOQ`Us~+d;qHI`K~i#Gcgp91kE}wy?P=Y@%L@
zBt3j_Wm~Kh#3rpoo`n6Qz*vp~Nao9N139ZV0qA_|n35Cy29G1C-X^$@mb(=EIAY8K
zwk^)#%vTHFLO(#I7@>hR(!MBM(q<p*IUsNuNy<Cew4E&lCaoahf}d$47Z5YH*xK{R
z{B;>XFstB8US=5Uuek=W=7pN|-iimY9#f6PQ66@Y-viL#-)Ez4?!aN&#Ub8oY8Zo+
zOQBeko3;%)KIj#@T!@WMY=`W>7slw3coYY#<BprIMo|%G6cx3U2<&-^0`o<<d1}Lr
zHd9wWW1aMKajWJ-h@+?QxgQ>iDpKWwV%q~9uX5I!^VYrrb2jqv?y;f%m6a@W5aj<V
z&)ox;RXputcVrV3e`+W3wv{y}oug)h=PQ7p(rOVyIBd^wm``kt(hv-aGTu->VFX+%
zeaH1gf-{+<_UEuQ|H0j{ekeJXUO+5o02MES%$Ls?vgu<R$Fz0p*`kNb^U$<Vx?5>M
z1XQ(7{N>E?-&KQBw8~7{$IeBpLm_kcNH*UZHaBX0u|(e5zF{PXzyV16t1pOYgvV)r
zGGm`p#Pi=iCn6P!93K0dIlA><wpZb`=)oz3$BQth5#@HGGaXj|{-%LXpDw$p2uocy
zyj9aW<QZ=ZziBKniKgSKrr~gTt5IGfLnWZ0c`fgPpRt#z!nIFsDx?F#U_ST3+zS#k
z0A^`D5XC~ChxlV$`_?z=Z&L2OqAq0(a`@g62t_myimLJt1wZEP(CF@#4=V;DemuHq
zdViHUzXT$H1dBU$p(B|53DCImdyBmtxsFRi8Yq_{B=trN2{SM5cIOMjShk5S0Eq8=
z@~c))0LcO6#xXEmy|=OWQ@_Yuy=`}30Q(1<(5SSI-G{6{Uzss2Fr&&MQF$g6lAD;;
zQn{F0#fCtDl4X}UqOl;6mnjO5Dg(i3Qvk>&a6x9u!!tHDCF3XYv_wPs6jX~aGzJ0q
zhbG-sKw(btSan6E@60t95bDV5MDUG-F0UMtRXbTln#+O|ngfW|zFoG5%GIsXjr=M1
z+JS-2wWsT}ZyKsU5%%$HUpLcqEa%?CS(3}OL>~TgnfOzt1~N|f{%f=pYUurK;=$!1
z7^b6FEi+iT$2R%Ww0kB5dn`v$P-Ir>x5l$64zELsxql;|G@FpvZIVGTPPs(r9qRW!
b_-r`eg!fMTNnan2VG*=45p|@i_#Ap_V=8$D