From c5bc5a91aca60658f8a38cd7bfcc7f97961a5ae5 Mon Sep 17 00:00:00 2001 
From: Bastian de Byl Date: Sun, 1 May 2022 03:31:16 -0400 Subject: [PATCH] moved nginx, graylog to podman --- ansible/deploy_home.yml | 5 - ansible/roles/common/defaults/main.yml | 7 +- .../common/files/fail2ban/jails/nginx.local | 24 - ansible/roles/git/tasks/systemd.yml | 2 +- ansible/roles/graylog/meta/main.yml | 3 - ansible/roles/graylog/tasks/graylog.yml | 91 -- ansible/roles/graylog/tasks/main.yml | 2 - ansible/roles/http/defaults/main.yml | 138 --- ansible/roles/http/handlers/main.yml | 17 - ansible/roles/http/meta/main.yml | 3 - ansible/roles/http/tasks/deps.yml | 7 - ansible/roles/http/tasks/firewall.yml | 12 - ansible/roles/http/tasks/http.yml | 86 -- ansible/roles/http/tasks/https.yml | 24 - ansible/roles/http/tasks/main.yml | 7 - ansible/roles/http/tasks/nginx.yml | 33 - .../roles/http/templates/logrotate/nginx.j2 | 10 - ansible/roles/pihole/tasks/php.yml | 2 +- ansible/roles/podman/defaults/main.yml | 141 +++ .../roles/podman/files/graylog/graylog.conf | 736 ++++++++++++ ansible/roles/podman/files/graylog/graylogctl | 133 +++ .../podman/files/hass/configuration.yaml | 2 +- ansible/roles/podman/files/nginx/mime.types | 1028 +++++++++++++++++ .../files/nginx/modsec_includes.conf | 0 ansible/roles/podman/handlers/main.yml | 22 +- ansible/roles/podman/meta/main.yml | 1 + .../podman/tasks/configuration-nginx-http.yml | 95 ++ .../tasks/configuration-nginx-https.yml | 58 + .../tasks/configuration-nginx-modsec.yml} | 50 +- .../podman/tasks/configuration-nginx.yml | 22 + .../roles/podman/tasks/container-drone.yml | 22 +- .../roles/podman/tasks/container-graylog.yml | 128 ++ ansible/roles/podman/tasks/container-hass.yml | 4 +- .../roles/podman/tasks/container-nginx.yml | 25 + .../podman/tasks/container-partkeepr.yml | 38 +- ansible/roles/podman/tasks/firewall.yml | 17 + ansible/roles/podman/tasks/main.yml | 4 + ansible/roles/podman/tasks/podman.yml | 54 +- .../templates/nginx/nginx.conf.j2 | 4 +- .../nginx/sites/assistant.bdebyl.net.conf.j2 | 3 +- 
.../nginx/sites/ci.bdebyl.net.http.conf.j2 | 0 .../nginx/sites/ci.bdebyl.net.https.conf.j2 | 9 +- .../nginx/sites/home.bdebyl.net.conf.j2 | 6 +- .../nginx/sites/logs.bdebyl.net.conf.j2 | 7 +- .../nginx/sites/parts.bdebyl.net.conf.j2 | 4 +- .../sites/parts.bdebyl.net.https.conf.j2 | 8 +- .../nginx/sites/pi.bdebyl.net.conf.j2 | 5 +- .../nginx/sites/video.bdebyl.net.conf.j2 | 2 +- ansible/roles/ssl/tasks/certbot.yml | 35 +- 49 files changed, 2556 insertions(+), 580 deletions(-) delete mode 100644 ansible/roles/common/files/fail2ban/jails/nginx.local delete mode 100644 ansible/roles/graylog/meta/main.yml delete mode 100644 ansible/roles/graylog/tasks/graylog.yml delete mode 100644 ansible/roles/graylog/tasks/main.yml delete mode 100644 ansible/roles/http/defaults/main.yml delete mode 100644 ansible/roles/http/handlers/main.yml delete mode 100644 ansible/roles/http/meta/main.yml delete mode 100644 ansible/roles/http/tasks/deps.yml delete mode 100644 ansible/roles/http/tasks/firewall.yml delete mode 100644 ansible/roles/http/tasks/http.yml delete mode 100644 ansible/roles/http/tasks/https.yml delete mode 100644 ansible/roles/http/tasks/main.yml delete mode 100644 ansible/roles/http/tasks/nginx.yml delete mode 100644 ansible/roles/http/templates/logrotate/nginx.j2 create mode 100644 ansible/roles/podman/files/graylog/graylog.conf create mode 100644 ansible/roles/podman/files/graylog/graylogctl create mode 100644 ansible/roles/podman/files/nginx/mime.types rename ansible/roles/{http => podman}/files/nginx/modsec_includes.conf (100%) create mode 100644 ansible/roles/podman/tasks/configuration-nginx-http.yml create mode 100644 ansible/roles/podman/tasks/configuration-nginx-https.yml rename ansible/roles/{http/tasks/modsec.yml => podman/tasks/configuration-nginx-modsec.yml} (66%) create mode 100644 ansible/roles/podman/tasks/configuration-nginx.yml create mode 100644 ansible/roles/podman/tasks/container-graylog.yml create mode 100644 
ansible/roles/podman/tasks/container-nginx.yml create mode 100644 ansible/roles/podman/tasks/firewall.yml rename ansible/roles/{http => podman}/templates/nginx/nginx.conf.j2 (94%) rename ansible/roles/{http => podman}/templates/nginx/sites/assistant.bdebyl.net.conf.j2 (82%) rename ansible/roles/{http => podman}/templates/nginx/sites/ci.bdebyl.net.http.conf.j2 (100%) rename ansible/roles/{http => podman}/templates/nginx/sites/ci.bdebyl.net.https.conf.j2 (84%) rename ansible/roles/{http => podman}/templates/nginx/sites/home.bdebyl.net.conf.j2 (68%) rename ansible/roles/{http => podman}/templates/nginx/sites/logs.bdebyl.net.conf.j2 (80%) rename ansible/roles/{http => podman}/templates/nginx/sites/parts.bdebyl.net.conf.j2 (81%) rename ansible/roles/{http => podman}/templates/nginx/sites/parts.bdebyl.net.https.conf.j2 (94%) rename ansible/roles/{http => podman}/templates/nginx/sites/pi.bdebyl.net.conf.j2 (95%) rename ansible/roles/{http => podman}/templates/nginx/sites/video.bdebyl.net.conf.j2 (86%) diff --git a/ansible/deploy_home.yml b/ansible/deploy_home.yml index 1d7303a..5570dc5 100644 --- a/ansible/deploy_home.yml +++ b/ansible/deploy_home.yml @@ -6,8 +6,3 @@ - role: common - role: git - role: podman - - role: ssl - #- role: pihole - #- role: drone - - role: graylog - - role: http diff --git a/ansible/roles/common/defaults/main.yml b/ansible/roles/common/defaults/main.yml index e4cb465..58c5551 100644 --- a/ansible/roles/common/defaults/main.yml +++ b/ansible/roles/common/defaults/main.yml @@ -3,19 +3,20 @@ deps: [ cockpit-podman, cronie, - docker, fail2ban, fail2ban-selinux, git, logrotate, podman, + podman-docker, python-docker, ] -fail2ban_jails: [sshd.local, nginx.local] +fail2ban_jails: [sshd.local] services: - crond - - docker + - podman.socket + - podman - fail2ban - systemd-timesyncd diff --git a/ansible/roles/common/files/fail2ban/jails/nginx.local b/ansible/roles/common/files/fail2ban/jails/nginx.local deleted file mode 100644 index f637405..0000000 
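Review bot: Dropping `nginx.local` from `fail2ban_jails` in common/defaults/main.yml removes the nginx-limit-req and nginx-botsearch jails (deleted further down in this patch) with no replacement visible in the commit, so once nginx runs as a podman container its access/error logs no longer feed fail2ban. If the container still writes logs to a host path, the jail file could be kept with `logpath` pointed at that path instead of being deleted; if the logs now only go to graylog, a comment on the variable such as `# nginx jails dropped: nginx now runs under the podman role` would record that the loss of coverage is intentional. The `services` list also adds `podman.socket` while `python-docker` stays in `deps`; a short comment naming which role needs the docker-compatible socket would make that dependency easier to retire later.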
--- a/ansible/roles/common/files/fail2ban/jails/nginx.local
+++ /dev/null
@@ -1,24 +0,0 @@
-[nginx-limit-req]
-enabled = true
-port = http,https
-logpath = %(nginx_error_log)s
-findtime = 600
-bantime = 1w
-maxretry = 8
-ignoreip = 127.0.0.1/32 192.168.1.0/24
-
-#[nginx-http-auth]
-#enabled = true
-#port = http,https
-#logpath = %(nginx_error_log)s
-#bantime = 2w
-#maxretry = 5
-#ignoreip = 127.0.0.1/32 192.168.1.0/24
-
-[nginx-botsearch]
-enabled = true
-port = http,https
-logpath = %(nginx_access_log)s
-bantime = 1w
-maxretry = 5
-ignoreip = 127.0.0.1/32 192.168.1.0/24
diff --git a/ansible/roles/git/tasks/systemd.yml b/ansible/roles/git/tasks/systemd.yml
index ed66d04..2a799c7 100644
--- a/ansible/roles/git/tasks/systemd.yml
+++ b/ansible/roles/git/tasks/systemd.yml
@@ -5,7 +5,7 @@
 src: "templates/{{ item }}.j2"
 dest: "/etc/systemd/system/{{ item }}"
 mode: 0644
- with_items:
+ loop:
 - git-daemon.service
 notify: start-gitdaemon
 tags: git, git-systemd
diff --git a/ansible/roles/graylog/meta/main.yml b/ansible/roles/graylog/meta/main.yml
deleted file mode 100644
index fdda41b..0000000
--- a/ansible/roles/graylog/meta/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-dependencies:
- - role: common
diff --git a/ansible/roles/graylog/tasks/graylog.yml b/ansible/roles/graylog/tasks/graylog.yml
deleted file mode 100644
index bb9ef30..0000000
--- a/ansible/roles/graylog/tasks/graylog.yml
+++ /dev/null
@@ -1,91 +0,0 @@ ---- -- name: create graylog docker network - community.general.docker_network: - name: "graylog" - tags: graylog - -- name: create graylog required volumes - community.general.docker_volume: - name: "{{ item }}" - with_items: - - graylog-db - - graylog-es - - graylog-conf - tags: graylog - -- name: create graylog mongodb container - community.general.docker_container: - name: graylog-mongo - image: mongo:4.2 - recreate: false - restart: false - restart_policy: on-failure - restart_retries: 3 - networks: - - name: "graylog" - volumes: - - graylog-db:/data/db - tags: graylog - -- name: create graylog elasticsearch container - community.general.docker_container: - name: graylog-elastic - image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2 - recreate: false - restart: false - restart_policy: on-failure - restart_retries: 3 - networks: - - name: "graylog" - volumes: - - graylog-es:/usr/share/elasticsearch/data - env: - http.host: "0.0.0.0" - transport.host: "localhost" - network.host: "0.0.0.0" - cluster.name: "graylog" - ES_JAVA_OPTS: "-Dlog4j2.formatMsgNoLookups=true -Xms512m -Xmx2048m" - ulimits: - - "memlock:-1:-1" - - "nofile:64000:64000" - memory: 1G - tags: graylog - -- name: create graylog container - community.general.docker_container: - name: graylog - image: graylog/graylog:4.2 - recreate: false - restart: true - restart_policy: on-failure - restart_retries: 3 - sysctls: - net.ipv6.conf.all.disable_ipv6: 1 - net.ipv6.conf.default.disable_ipv6: 1 - networks: - - name: "graylog" - volumes: - - graylog-conf:/usr/share/graylog/data/config - - /var/lib/docker/shared/graylog:/usr/share/graylog/bin:z - env: - GRAYLOG_PASSWORD_SECRET: "{{ graylog_secret }}" - GRAYLOG_ROOT_PASSWORD_SHA2: "{{ graylog_root_pass_sha2 }}" - GRAYLOG_HTTP_EXTERNAL_URI: http://192.168.1.10:9000/ - GRAYLOG_HTTP_BIND_ADDRESS: 0.0.0.0:9000 - GRAYLOG_MONGODB_URI: mongodb://graylog-mongo/graylog - GRAYLOG_ELASTICSEARCH_HOSTS: http://graylog-elastic:9200 - ports: - # 
Graylog web interface and REST API - - "{{ graylog_port }}:9000" - # Syslog TCP - # Syslog UDP - - "0.0.0.0:{{ syslog_udp_default }}:{{ syslog_udp_default }}/udp" - # Syslog2 UDP - - "0.0.0.0:{{ syslog_udp_unifi }}:{{ syslog_udp_unifi }}/udp" - # Syslog2 UDP - - "0.0.0.0:{{ syslog_udp_error }}:{{ syslog_udp_error }}/udp" - # GELF TCP - # - 12201:12201 - # GELF UDP - # - 12201:12201/udp - tags: graylog diff --git a/ansible/roles/graylog/tasks/main.yml b/ansible/roles/graylog/tasks/main.yml deleted file mode 100644 index 283f872..0000000 --- a/ansible/roles/graylog/tasks/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -- import_tasks: graylog.yml diff --git a/ansible/roles/http/defaults/main.yml b/ansible/roles/http/defaults/main.yml deleted file mode 100644 index ee251bd..0000000 --- a/ansible/roles/http/defaults/main.yml +++ /dev/null 
@@ -1,138 +0,0 @@ ---- -ci_server_name: ci.bdebyl.net -pi_server_name: pi.bdebyl.net -assistant_server_name: assistant.bdebyl.net -home_server_name: home.bdebyl.net -parts_server_name: parts.bdebyl.net -video_server_name: video.bdebyl.net -logs_server_name: logs.bdebyl.net -install_path: /usr/share - -nginx_path: /etc/nginx -nginx_conf_path: "{{ nginx_path }}/conf" -modsec_log_path: /var/log/nginx/modsec_audit.log -modsec_rules_path: "{{ nginx_conf_path }}/rules" -modsec_crs_before_rule_conf: "{{ modsec_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf" -modsec_crs_after_rule_conf: "{{ modsec_rules_path }}/REQUEST-999-EXCLUSION-RULES-AFTER-CRS.conf" -modsec_path: "{{ install_path }}/modsecurity" -crs_path: "{{ install_path }}/coreruleset" -crs_rules_path: "{{ crs_path }}/rules" - -modsec_whitelist_local_re: >- - ^SecRule.*REMOTE_ADDR.*192\.168\.1\.1/24.*$ - -modsec_whitelist_local: >- - SecRule REMOTE_ADDR "@ipMatch 192.168.1.1/24" - "id:1,phase:1,nolog,allow,ctl:ruleEngine=Off" - -modsec_git_urls: - - src: "https://github.com/coreruleset/coreruleset.git" - dest: "{{ crs_path }}" - ver: "v3.3.2" - - src: "https://github.com/SpiderLabs/ModSecurity.git" - dest: "{{ modsec_path }}" - ver: "v3.0.6" - -modsec_conf_replaces: - - regex: "^SecRuleEngine" - line: "SecRuleEngine On" - - regex: "^SecAuditLog" - line: "SecAuditLog {{ modsec_log_path }}" - -modsec_conf_links: - - src: "{{ modsec_path }}/modsecurity.conf-recommended" - dest: "{{ nginx_path }}/modsecurity.conf" - - src: "{{ modsec_path }}/unicode.mapping" - dest: "{{ nginx_path }}/unicode.mapping" - - src: "{{ crs_path }}/crs-setup.conf.example" - dest: "{{ nginx_conf_path }}/crs-setup.conf" - - src: "{{ crs_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example" - dest: "{{ modsec_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf" - - src: "{{ crs_rules_path }}/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example" - dest: "{{ modsec_rules_path 
}}/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf" - -crs_rule_links: - - name: REQUEST-901-INITIALIZATION - enabled: true - - name: REQUEST-903.9001-DRUPAL-EXCLUSION-RULES - enabled: true - - name: REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES - enabled: true - - name: REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES - enabled: true - - name: REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES - enabled: true - - name: REQUEST-903.9005-CPANEL-EXCLUSION-RULES - enabled: true - - name: REQUEST-903.9006-XENFORO-EXCLUSION-RULES - enabled: true - - name: REQUEST-905-COMMON-EXCEPTIONS - enabled: true - - name: REQUEST-910-IP-REPUTATION - enabled: true - - name: REQUEST-911-METHOD-ENFORCEMENT - enabled: true - - name: REQUEST-912-DOS-PROTECTION - enabled: true - - name: REQUEST-913-SCANNER-DETECTION - enabled: true - - name: REQUEST-920-PROTOCOL-ENFORCEMENT - enabled: true - - name: REQUEST-921-PROTOCOL-ATTACK - enabled: true - - name: REQUEST-930-APPLICATION-ATTACK-LFI - enabled: true - - name: REQUEST-931-APPLICATION-ATTACK-RFI - enabled: true - - name: REQUEST-932-APPLICATION-ATTACK-RCE - enabled: true - - name: REQUEST-933-APPLICATION-ATTACK-PHP - enabled: true - - name: REQUEST-934-APPLICATION-ATTACK-NODEJS - enabled: true - - name: REQUEST-941-APPLICATION-ATTACK-XSS - enabled: true - - name: REQUEST-942-APPLICATION-ATTACK-SQLI - enabled: true - - name: REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION - enabled: true - - name: REQUEST-944-APPLICATION-ATTACK-JAVA - enabled: true - - name: REQUEST-949-BLOCKING-EVALUATION - enabled: true - - name: RESPONSE-950-DATA-LEAKAGES - enabled: true - - name: RESPONSE-951-DATA-LEAKAGES-SQL - enabled: true - - name: RESPONSE-952-DATA-LEAKAGES-JAVA - enabled: true - - name: RESPONSE-953-DATA-LEAKAGES-PHP - enabled: true - - name: RESPONSE-954-DATA-LEAKAGES-IIS - enabled: true - - name: RESPONSE-959-BLOCKING-EVALUATION - enabled: true - - name: RESPONSE-980-CORRELATION - enabled: true - -crs_data_links: - - crawlers-user-agents - - iis-errors - - 
java-classes
- - java-code-leakages
- - java-errors
- - lfi-os-files
- - php-config-directives
- - php-errors
- - php-function-names-933150
- - php-function-names-933151
- - php-variables
- - restricted-files
- - restricted-upload
- - scanners-headers
- - scanners-urls
- - scanners-user-agents
- - scripting-user-agents
- - sql-errors
- - unix-shell
- - windows-powershell-commands
diff --git a/ansible/roles/http/handlers/main.yml b/ansible/roles/http/handlers/main.yml
deleted file mode 100644
index 3b65b06..0000000
--- a/ansible/roles/http/handlers/main.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- name: restart_nginx
- become: true
- ansible.builtin.command: docker restart nginx
-
-- name: restart firewalld
- become: true
- ansible.builtin.service:
- name: firewalld
- state: restarted
-
-- name: restorecon nginx
- become: true
- ansible.builtin.command: restorecon -irv /etc/{{ item }}
- with_items:
- - nginx
- - letsencrypt
diff --git a/ansible/roles/http/meta/main.yml b/ansible/roles/http/meta/main.yml
deleted file mode 100644
index bfe9e18..0000000
--- a/ansible/roles/http/meta/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-dependencies:
- - role: ssl
diff --git a/ansible/roles/http/tasks/deps.yml b/ansible/roles/http/tasks/deps.yml
deleted file mode 100644
index 6193dad..0000000
--- a/ansible/roles/http/tasks/deps.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- name: install http dependencies
- become: true
- ansible.builtin.package:
- name: "{{ deps }}"
- state: present
- tags: deps
diff --git a/ansible/roles/http/tasks/firewall.yml b/ansible/roles/http/tasks/firewall.yml
deleted file mode 100644
index 8e7344f..0000000
--- a/ansible/roles/http/tasks/firewall.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-- name: set http/https firewall rules
- become: true
- ansible.posix.firewalld:
- service: "{{ item }}"
- permanent: true
- state: enabled
- with_items:
- - http
- - https
- notify: restart firewalld
- tags: firewall
diff --git a/ansible/roles/http/tasks/http.yml b/ansible/roles/http/tasks/http.yml
deleted file mode 100644
index a274cb4..0000000
--- a/ansible/roles/http/tasks/http.yml
+++ /dev/null
@@ -1,86 +0,0 @@ ---- -- name: setup nginx base configuration - become: true - ansible.builtin.template: - src: templates/nginx/nginx.conf.j2 - dest: /etc/nginx/nginx.conf - owner: root - group: nginx - mode: 0644 - notify: restart_nginx - tags: http - -- name: setup nginx directories - become: true - ansible.builtin.file: - path: "/etc/nginx/{{ item }}" - state: directory - mode: 0755 - loop: - - sites-enabled - - sites-available - tags: http - -- name: ensure http and letsencrypt directories exist - become: true - ansible.builtin.file: - path: "{{ item }}" - state: directory - owner: nginx - group: nginx - mode: 0755 - loop: - - /srv/http - - /srv/http/letsencrypt - tags: http - -- name: chown http user home - become: true - ansible.builtin.file: - path: /srv/http - owner: nginx - group: nginx - mode: 0755 - recurse: true - tags: http - -- name: template nginx http sites-available - become: true - ansible.builtin.template: - src: "templates/nginx/sites/{{ item }}.j2" - dest: "/etc/nginx/sites-available/{{ item }}" - mode: 0644 - loop: - - "{{ ci_server_name }}.http.conf" - - "{{ pi_server_name }}.conf" - - "{{ home_server_name }}.conf" - - "{{ assistant_server_name }}.conf" - - "{{ video_server_name }}.conf" - - "{{ parts_server_name }}.conf" - - "{{ logs_server_name }}.conf" - notify: restart_nginx - tags: http - -- name: remove pihole from sites-enabled if there - become: true - ansible.builtin.file: - path: "/etc/nginx/sites-enabled/pi.hole.conf" - state: absent - tags: http - -- name: enable desired nginx http sites - become: true - ansible.builtin.file: - src: "/etc/nginx/sites-available/{{ item }}" - dest: "/etc/nginx/sites-enabled/{{ item }}" - state: link - loop: - - "{{ ci_server_name }}.http.conf" - - "{{ pi_server_name }}.conf" - - "{{ parts_server_name }}.conf" - - "{{ home_server_name }}.conf" - - "{{ assistant_server_name }}.conf" - - "{{ video_server_name }}.conf" - - "{{ logs_server_name }}.conf" - notify: restart_nginx - tags: http 
diff --git a/ansible/roles/http/tasks/https.yml b/ansible/roles/http/tasks/https.yml
deleted file mode 100644
index 35793a6..0000000
--- a/ansible/roles/http/tasks/https.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-- name: template nginx https sites-available
- become: true
- ansible.builtin.template:
- src: "templates/nginx/sites/{{ item }}.j2"
- dest: "/etc/nginx/sites-available/{{ item }}"
- mode: 0644
- loop:
- - "{{ ci_server_name }}.https.conf"
- - "{{ parts_server_name }}.https.conf"
- notify: restart_nginx
- tags: https
-
-- name: enable desired nginx https sites
- become: true
- ansible.builtin.file:
- src: "/etc/nginx/sites-available/{{ item }}"
- dest: "/etc/nginx/sites-enabled/{{ item }}"
- state: link
- loop:
- - "{{ ci_server_name }}.https.conf"
- - "{{ parts_server_name }}.https.conf"
- notify: restart_nginx
- tags: https
diff --git a/ansible/roles/http/tasks/main.yml b/ansible/roles/http/tasks/main.yml
deleted file mode 100644
index 25d282d..0000000
--- a/ansible/roles/http/tasks/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- import_tasks: deps.yml
-- import_tasks: firewall.yml
-- import_tasks: modsec.yml
-- import_tasks: http.yml
-- import_tasks: https.yml
-- import_tasks: nginx.yml
diff --git a/ansible/roles/http/tasks/nginx.yml b/ansible/roles/http/tasks/nginx.yml
deleted file mode 100644
index 8157f63..0000000
--- a/ansible/roles/http/tasks/nginx.yml
+++ /dev/null
@@ -1,33 +0,0 @@
----
-- name: selinux context for nginx directories
- become: true
- community.general.sefcontext:
- target: "/etc/{{ item }}"
- setype: container_file_t
- state: present
- with_items:
- - "nginx(/.*)?"
- - "letsencrypt(/.*)?"
- notify: restorecon nginx
- tags: selinux
-
-- name: create nginx modsecurity container
- community.general.docker_container:
- name: nginx
- image: owasp/modsecurity:nginx
- entrypoint: ["nginx", "-g", "daemon off;"]
- command_handling: correct
- recreate: true
- restart: true
- restart_policy: on-failure
- restart_retries: 3
- network_mode: host
- log_driver: syslog
- log_options:
- syslog-address: "udp://localhost:{{ syslog_udp_default }}"
- syslog-facility: daemon
- tag: "docker/{{'{{'}}.Name{{'}}'}}"
- volumes:
- - /etc/nginx:/etc/nginx:ro
- - /etc/letsencrypt:/etc/letsencrypt:ro
- tags: nginx
diff --git a/ansible/roles/http/templates/logrotate/nginx.j2 b/ansible/roles/http/templates/logrotate/nginx.j2
deleted file mode 100644
index a60686a..0000000
--- a/ansible/roles/http/templates/logrotate/nginx.j2
+++ /dev/null
@@ -1,10 +0,0 @@
-/var/log/nginx/*log {
- daily
- rotate 4
- missingok
- notifempty
- create 640 http log
- compress
- delaycompress
- copytruncate
-}
diff --git a/ansible/roles/pihole/tasks/php.yml b/ansible/roles/pihole/tasks/php.yml
index e0ba2ad..4a93a0c 100644
--- a/ansible/roles/pihole/tasks/php.yml
+++ b/ansible/roles/pihole/tasks/php.yml
@@ -5,7 +5,7 @@
 path: "{{ item }}"
 regexp: "pi\\.hole"
 replace: "pi.bdebyl.net"
- with_items:
+ loop:
 - /srv/http/pihole/admin/scripts/pi-hole/php/auth.php
 - /srv/http/pihole/pihole/index.php
 tags:
diff --git a/ansible/roles/podman/defaults/main.yml b/ansible/roles/podman/defaults/main.yml
index 46438b1..8c03e71 100644
--- a/ansible/roles/podman/defaults/main.yml
+++ b/ansible/roles/podman/defaults/main.yml
@@ -1,7 +1,148 @@ --- drone_path: "{{ podman_volumes }}/drone" +graylog_path: "{{ podman_volumes }}/graylog" hass_path: "{{ podman_volumes }}/hass" +nginx_path: "{{ podman_volumes }}/nginx" partkeepr_path: "{{ podman_volumes }}/partkeepr" drone_server_proto: "https" drone_runner_capacity: "4" + +# nginx and modsec configuration +ci_server_name: ci.bdebyl.net +pi_server_name: pi.bdebyl.net +assistant_server_name: assistant.bdebyl.net +home_server_name: home.bdebyl.net +parts_server_name: parts.bdebyl.net +video_server_name: video.bdebyl.net +logs_server_name: logs.bdebyl.net + +nginx_conf_path: "{{ nginx_path }}/etc/conf" +modsec_log_path: /var/log/nginx/modsec_audit.log +modsec_rules_path: "{{ nginx_conf_path }}/rules" +modsec_crs_before_rule_conf: "{{ modsec_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf" +modsec_crs_after_rule_conf: "{{ modsec_rules_path }}/REQUEST-999-EXCLUSION-RULES-AFTER-CRS.conf" + +install_path: /usr/share +modsec_path: "{{ install_path }}/modsecurity" +crs_path: "{{ install_path }}/coreruleset" +crs_rules_path: "{{ crs_path }}/rules" + +modsec_whitelist_local_re: >- + ^SecRule.*REMOTE_ADDR.*192\.168\.1\.1/24.*$ + +modsec_whitelist_local: >- + SecRule REMOTE_ADDR "@ipMatch 192.168.1.1/24" + "id:1,phase:1,nolog,allow,ctl:ruleEngine=Off" + +modsec_git_urls: + - src: "https://github.com/coreruleset/coreruleset.git" + dest: "{{ crs_path }}" + ver: "v3.3.2" + - src: "https://github.com/SpiderLabs/ModSecurity.git" + dest: "{{ modsec_path }}" + ver: "v3.0.6" + +modsec_conf_replaces: + - regex: "^SecRuleEngine" + line: "SecRuleEngine On" + - regex: "^SecAuditLog" + line: "SecAuditLog {{ modsec_log_path }}" + +modsec_conf_links: + - src: "{{ modsec_path }}/modsecurity.conf-recommended" + dest: "{{ nginx_path }}/etc/modsecurity.conf" + - src: "{{ modsec_path }}/unicode.mapping" + dest: "{{ nginx_path }}/etc/unicode.mapping" + - src: "{{ crs_path }}/crs-setup.conf.example" + dest: "{{ nginx_conf_path }}/crs-setup.conf" + - src: "{{ 
crs_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example" + dest: "{{ modsec_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf" + - src: "{{ crs_rules_path }}/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example" + dest: "{{ modsec_rules_path }}/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf" + +crs_rule_links: + - name: REQUEST-901-INITIALIZATION + enabled: true + - name: REQUEST-903.9001-DRUPAL-EXCLUSION-RULES + enabled: true + - name: REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES + enabled: true + - name: REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES + enabled: true + - name: REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES + enabled: true + - name: REQUEST-903.9005-CPANEL-EXCLUSION-RULES + enabled: true + - name: REQUEST-903.9006-XENFORO-EXCLUSION-RULES + enabled: true + - name: REQUEST-905-COMMON-EXCEPTIONS + enabled: true + - name: REQUEST-910-IP-REPUTATION + enabled: true + - name: REQUEST-911-METHOD-ENFORCEMENT + enabled: true + - name: REQUEST-912-DOS-PROTECTION + enabled: true + - name: REQUEST-913-SCANNER-DETECTION + enabled: true + - name: REQUEST-920-PROTOCOL-ENFORCEMENT + enabled: true + - name: REQUEST-921-PROTOCOL-ATTACK + enabled: true + - name: REQUEST-930-APPLICATION-ATTACK-LFI + enabled: true + - name: REQUEST-931-APPLICATION-ATTACK-RFI + enabled: true + - name: REQUEST-932-APPLICATION-ATTACK-RCE + enabled: true + - name: REQUEST-933-APPLICATION-ATTACK-PHP + enabled: true + - name: REQUEST-934-APPLICATION-ATTACK-NODEJS + enabled: true + - name: REQUEST-941-APPLICATION-ATTACK-XSS + enabled: true + - name: REQUEST-942-APPLICATION-ATTACK-SQLI + enabled: true + - name: REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION + enabled: true + - name: REQUEST-944-APPLICATION-ATTACK-JAVA + enabled: true + - name: REQUEST-949-BLOCKING-EVALUATION + enabled: true + - name: RESPONSE-950-DATA-LEAKAGES + enabled: true + - name: RESPONSE-951-DATA-LEAKAGES-SQL + enabled: true + - name: RESPONSE-952-DATA-LEAKAGES-JAVA + enabled: true + - name: 
RESPONSE-953-DATA-LEAKAGES-PHP + enabled: true + - name: RESPONSE-954-DATA-LEAKAGES-IIS + enabled: true + - name: RESPONSE-959-BLOCKING-EVALUATION + enabled: true + - name: RESPONSE-980-CORRELATION + enabled: true + +crs_data_links: + - crawlers-user-agents + - iis-errors + - java-classes + - java-code-leakages + - java-errors + - lfi-os-files + - php-config-directives + - php-errors + - php-function-names-933150 + - php-function-names-933151 + - php-variables + - restricted-files + - restricted-upload + - scanners-headers + - scanners-urls + - scanners-user-agents + - scripting-user-agents + - sql-errors + - unix-shell + - windows-powershell-commands diff --git a/ansible/roles/podman/files/graylog/graylog.conf b/ansible/roles/podman/files/graylog/graylog.conf new file mode 100644 index 0000000..2f10dc5 --- /dev/null +++ b/ansible/roles/podman/files/graylog/graylog.conf 
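Review bot: `modsec_crs_after_rule_conf` in the new podman defaults points at `REQUEST-999-EXCLUSION-RULES-AFTER-CRS.conf`, but the `modsec_conf_links` entry a few lines below creates `RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf` under the same `modsec_rules_path`, so whatever task consumes that variable (not visible in this hunk) will reference a file the links never create; it should read `modsec_crs_after_rule_conf: "{{ modsec_rules_path }}/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf"`. Separately, `modsec_whitelist_local` applies `ctl:ruleEngine=Off` to every address matching `192.168.1.1/24`, which disables the WAF entirely for any LAN host rather than only for the hosts that need an exemption; a comment stating that this is deliberate, the canonical network form `192.168.1.0/24` (as the deleted fail2ban jail writes it), and `ctl:ruleEngine=DetectionOnly` instead of `Off` so LAN traffic is still audit-logged would all make the exemption easier to review. Both values were carried over verbatim from the deleted http role defaults, so the issues predate this commit but now live in the code under review.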
@@ -0,0 +1,736 @@
+############################
+# GRAYLOG CONFIGURATION FILE
+############################
+#
+# This is the Graylog configuration file. The file has to use ISO 8859-1/Latin-1 character encoding.
+# Characters that cannot be directly represented in this encoding can be written using Unicode escapes
+# as defined in https://docs.oracle.com/javase/specs/jls/se8/html/jls-3.html#jls-3.3, using the \u prefix.
+# For example, \u002c.
+#
+# * Entries are generally expected to be a single line of the form, one of the following:
+#
+# propertyName=propertyValue
+# propertyName:propertyValue
+#
+# * White space that appears between the property name and property value is ignored,
+# so the following are equivalent:
+#
+# name=Stephen
+# name = Stephen
+#
+# * White space at the beginning of the line is also ignored.
+#
+# * Lines that start with the comment characters ! or # are ignored. Blank lines are also ignored.
+#
+# * The property value is generally terminated by the end of the line. White space following the
+# property value is not ignored, and is treated as part of the property value.
+#
+# * A property value can span several lines if each line is terminated by a backslash (‘\’) character.
+# For example:
+#
+# targetCities=\
+# Detroit,\
+# Chicago,\
+# Los Angeles
+#
+# This is equivalent to targetCities=Detroit,Chicago,Los Angeles (white space at the beginning of lines is ignored).
+#
+# * The characters newline, carriage return, and tab can be inserted with characters \n, \r, and \t, respectively.
+#
+# * The backslash character must be escaped as a double backslash. For example:
+#
+# path=c:\\docs\\doc1
+#
+
+# If you are running more than one instances of Graylog server you have to select one of these
+# instances as master. The master will perform some periodical tasks that non-masters won't perform.
+is_master = true
+
+# The auto-generated node ID will be stored in this file and read after restarts. It is a good idea
+# to use an absolute file path here if you are starting Graylog server from init scripts or similar.
+node_id_file = /usr/share/graylog/data/config/node-id
+
+# You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters.
+# Generate one by using for example: pwgen -N 1 -s 96
+# ATTENTION: This value must be the same on all Graylog nodes in the cluster.
+# Changing this value after installation will render all user sessions and encrypted values in the database invalid. (e.g. encrypted access tokens)
+password_secret =
+
+# The default root user is named 'admin'
+#root_username = admin
+
+# You MUST specify a hash password for the root user (which you only need to initially set up the
+# system and in case you lose connectivity to your authentication backend)
+# This password cannot be changed using the API or via the web interface. If you need to change it,
+# modify it in this file.
+# Create one by using for example: echo -n yourpassword | shasum -a 256
+# and put the resulting hash value into the following line
+root_password_sha2 =
+
+# The email address of the root user.
+# Default is empty
+#root_email = ""
+
+# The time zone setting of the root user. See http://www.joda.org/joda-time/timezones.html for a list of valid time zones.
+# Default is UTC
+root_timezone = America/New_York
+
+# Set the bin directory here (relative or absolute)
+# This directory contains binaries that are used by the Graylog server.
+# Default: bin
+bin_dir = /usr/share/graylog/bin
+
+# Set the data directory here (relative or absolute)
+# This directory is used to store Graylog server state.
+# Default: data
+data_dir = /usr/share/graylog/data
+
+# Set plugin directory here (relative or absolute)
+plugin_dir = /usr/share/graylog/plugin
+
+###############
+# HTTP settings
+###############
+
+#### HTTP bind address
+#
+# The network interface used by the Graylog HTTP interface.
+#
+# This network interface must be accessible by all Graylog nodes in the cluster and by all clients
+# using the Graylog web interface.
+#
+# If the port is omitted, Graylog will use port 9000 by default.
+#
+# Default: 127.0.0.1:9000
+#http_bind_address = 127.0.0.1:9000
+#http_bind_address = [2001:db8::1]:9000
+http_bind_address = 0.0.0.0:9000
+
+
+#### HTTP publish URI
+#
+# The HTTP URI of this Graylog node which is used to communicate with the other Graylog nodes in the cluster and by all
+# clients using the Graylog web interface.
+#
+# The URI will be published in the cluster discovery APIs, so that other Graylog nodes will be able to find and connect to this Graylog node.
+#
+# This configuration setting has to be used if this Graylog node is available on another network interface than $http_bind_address,
+# for example if the machine has multiple network interfaces or is behind a NAT gateway.
+#
+# If $http_bind_address contains a wildcard IPv4 address (0.0.0.0), the first non-loopback IPv4 address of this machine will be used.
+# This configuration setting *must not* contain a wildcard address!
+#
+# Default: http://$http_bind_address/
+#http_publish_uri = http://192.168.1.1:9000/
+
+#### External Graylog URI
+#
+# The public URI of Graylog which will be used by the Graylog web interface to communicate with the Graylog REST API.
+#
+# The external Graylog URI usually has to be specified, if Graylog is running behind a reverse proxy or load-balancer
+# and it will be used to generate URLs addressing entities in the Graylog REST API (see $http_bind_address).
+#
+# When using Graylog Collector, this URI will be used to receive heartbeat messages and must be accessible for all collectors.
+#
+# This setting can be overriden on a per-request basis with the "X-Graylog-Server-URL" HTTP request header.
+#
+# Default: $http_publish_uri
+#http_external_uri =
+
+#### Enable CORS headers for HTTP interface
+#
+# This allows browsers to make Cross-Origin requests from any origin.
+# This is disabled for security reasons and typically only needed if running graylog
+# with a separate server for frontend development.
+#
+# Default: false
+#http_enable_cors = false
+
+#### Enable GZIP support for HTTP interface
+#
+# This compresses API responses and therefore helps to reduce
+# overall round trip times. This is enabled by default. Uncomment the next line to disable it.
+#http_enable_gzip = false
+
+# The maximum size of the HTTP request headers in bytes.
+#http_max_header_size = 8192
+
+# The size of the thread pool used exclusively for serving the HTTP interface.
+#http_thread_pool_size = 16
+
+################
+# HTTPS settings
+################
+
+#### Enable HTTPS support for the HTTP interface
+#
+# This secures the communication with the HTTP interface with TLS to prevent request forgery and eavesdropping.
+#
+# Default: false
+#http_enable_tls = true
+
+# The X.509 certificate chain file in PEM format to use for securing the HTTP interface.
+#http_tls_cert_file = /path/to/graylog.crt
+
+# The PKCS#8 private key file in PEM format to use for securing the HTTP interface.
+#http_tls_key_file = /path/to/graylog.key
+
+# The password to unlock the private key used for securing the HTTP interface.
+#http_tls_key_password = secret
+
+
+# Comma separated list of trusted proxies that are allowed to set the client address with X-Forwarded-For
+# header. May be subnets, or hosts.
+#trusted_proxies = 127.0.0.1/32, 0:0:0:0:0:0:0:1/128
+
+# List of Elasticsearch hosts Graylog should connect to.
+# Need to be specified as a comma-separated list of valid URIs for the http ports of your elasticsearch nodes.
+# If one or more of your elasticsearch hosts require authentication, include the credentials in each node URI that
+# requires authentication.
+#
+# Default: http://127.0.0.1:9200
+#elasticsearch_hosts = http://node1:9200,http://user:password@node2:19200
+elasticsearch_hosts = http://elasticsearch:9200
+
+# Maximum number of retries to connect to elasticsearch on boot for the version probe.
+#
+# Default: 0, retry indefinitely with the given delay until a connection could be established
+#elasticsearch_version_probe_attempts = 5
+
+# Waiting time in between connection attempts for elasticsearch_version_probe_attempts
+#
+# Default: 5s
+#elasticsearch_version_probe_delay = 5s
+
+# Maximum amount of time to wait for successful connection to Elasticsearch HTTP port.
+#
+# Default: 10 Seconds
+#elasticsearch_connect_timeout = 10s
+
+# Maximum amount of time to wait for reading back a response from an Elasticsearch server.
+# (e. g. during search, index creation, or index time-range calculations)
+#
+# Default: 60 seconds
+#elasticsearch_socket_timeout = 60s
+
+# Maximum idle time for an Elasticsearch connection. If this is exceeded, this connection will
+# be tore down.
+#
+# Default: inf
+#elasticsearch_idle_timeout = -1s
+
+# Maximum number of total connections to Elasticsearch.
+#
+# Default: 200
+#elasticsearch_max_total_connections = 200
+
+# Maximum number of total connections per Elasticsearch route (normally this means per
+# elasticsearch server).
+#
+# Default: 20
+#elasticsearch_max_total_connections_per_route = 20
+
+# Maximum number of times Graylog will retry failed requests to Elasticsearch.
+#
+# Default: 2
+#elasticsearch_max_retries = 2
+
+# Enable automatic Elasticsearch node discovery through Nodes Info,
+# see https://www.elastic.co/guide/en/elasticsearch/reference/5.4/cluster-nodes-info.html
+#
+# WARNING: Automatic node discovery does not work if Elasticsearch requires authentication, e. g. with Shield.
+#
+# Default: false
+#elasticsearch_discovery_enabled = true
+
+# Filter for including/excluding Elasticsearch nodes in discovery according to their custom attributes,
+# see https://www.elastic.co/guide/en/elasticsearch/reference/5.4/cluster.html#cluster-nodes
+#
+# Default: empty
+#elasticsearch_discovery_filter = rack:42
+
+# Frequency of the Elasticsearch node discovery.
+#
+# Default: 30s
+# elasticsearch_discovery_frequency = 30s
+
+# Set the default scheme when connecting to Elasticsearch discovered nodes
+#
+# Default: http (available options: http, https)
+#elasticsearch_discovery_default_scheme = http
+
+# Enable payload compression for Elasticsearch requests.
+#
+# Default: false
+#elasticsearch_compression_enabled = true
+
+# Enable use of "Expect: 100-continue" Header for Elasticsearch index requests.
+# If this is disabled, Graylog cannot properly handle HTTP 413 Request Entity Too Large errors.
+#
+# Default: true
+#elasticsearch_use_expect_continue = true
+
+# Graylog will use multiple indices to store documents in. You can configured the strategy it uses to determine
+# when to rotate the currently active write index.
+# It supports multiple rotation strategies:
+# - "count" of messages per index, use elasticsearch_max_docs_per_index below to configure
+# - "size" per index, use elasticsearch_max_size_per_index below to configure
+# valid values are "count", "size" and "time", default is "count"
+#
+# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
+# to your previous 1.x settings so they will be migrated to the database!
+# This configuration setting is only used on the first start of Graylog. After that,
+# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
+# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
+rotation_strategy = count
+
+# (Approximate) maximum number of documents in an Elasticsearch index before a new index
+# is being created, also see no_retention and elasticsearch_max_number_of_indices.
+# Configure this if you used 'rotation_strategy = count' above.
+#
+# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
+# to your previous 1.x settings so they will be migrated to the database!
+# This configuration setting is only used on the first start of Graylog. After that,
+# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
+# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
+elasticsearch_max_docs_per_index = 20000000
+
+# (Approximate) maximum size in bytes per Elasticsearch index on disk before a new index is being created, also see
+# no_retention and elasticsearch_max_number_of_indices. Default is 1GB.
+# Configure this if you used 'rotation_strategy = size' above.
+#
+# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
+# to your previous 1.x settings so they will be migrated to the database!
+# This configuration setting is only used on the first start of Graylog. After that,
+# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
+# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
+#elasticsearch_max_size_per_index = 1073741824
+
+# (Approximate) maximum time before a new Elasticsearch index is being created, also see
+# no_retention and elasticsearch_max_number_of_indices. Default is 1 day.
+# Configure this if you used 'rotation_strategy = time' above.
+# Please note that this rotation period does not look at the time specified in the received messages, but is
+# using the real clock value to decide when to rotate the index!
+# Specify the time using a duration and a suffix indicating which unit you want:
+# 1w = 1 week
+# 1d = 1 day
+# 12h = 12 hours
+# Permitted suffixes are: d for day, h for hour, m for minute, s for second.
+#
+# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
+# to your previous 1.x settings so they will be migrated to the database!
+# This configuration setting is only used on the first start of Graylog. After that,
+# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
+# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
+#elasticsearch_max_time_per_index = 1d
+
+# Disable checking the version of Elasticsearch for being compatible with this Graylog release.
+# WARNING: Using Graylog with unsupported and untested versions of Elasticsearch may lead to data loss!
+#elasticsearch_disable_version_check = true
+
+# Disable message retention on this node, i. e. disable Elasticsearch index rotation.
+#no_retention = false
+
+# How many indices do you want to keep?
+#
+# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
+# to your previous 1.x settings so they will be migrated to the database!
+# This configuration setting is only used on the first start of Graylog. After that,
+# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
+# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
+elasticsearch_max_number_of_indices = 20
+
+# Decide what happens with the oldest indices when the maximum number of indices is reached.
+# The following strategies are availble:
+# - delete # Deletes the index completely (Default)
+# - close # Closes the index and hides it from the system. Can be re-opened later.
+#
+# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
+# to your previous 1.x settings so they will be migrated to the database!
+# This configuration setting is only used on the first start of Graylog. After that,
+# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
+# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
+retention_strategy = delete
+
+# How many Elasticsearch shards and replicas should be used per index? Note that this only applies to newly created indices.
+# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
+# to your previous settings so they will be migrated to the database!
+# This configuration setting is only used on the first start of Graylog. After that,
+# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
+# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
+elasticsearch_shards = 4
+elasticsearch_replicas = 0
+
+# Prefix for all Elasticsearch indices and index aliases managed by Graylog.
+#
+# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
+# to your previous settings so they will be migrated to the database!
+# This configuration setting is only used on the first start of Graylog. After that,
+# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
+# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
+elasticsearch_index_prefix = graylog
+
+# Name of the Elasticsearch index template used by Graylog to apply the mandatory index mapping.
+# Default: graylog-internal
+#
+# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
+# to your previous settings so they will be migrated to the database!
+# This configuration setting is only used on the first start of Graylog. After that,
+# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
+# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
+#elasticsearch_template_name = graylog-internal
+
+# Do you want to allow searches with leading wildcards? This can be extremely resource hungry and should only
+# be enabled with care. See also: https://docs.graylog.org/docs/query-language
+allow_leading_wildcard_searches = false
+
+# Do you want to allow searches to be highlighted? Depending on the size of your messages this can be memory hungry and
+# should only be enabled after making sure your Elasticsearch cluster has enough memory.
+allow_highlighting = false
+
+# Analyzer (tokenizer) to use for message and full_message field. The "standard" filter usually is a good idea.
+# All supported analyzers are: standard, simple, whitespace, stop, keyword, pattern, language, snowball, custom
+# Elasticsearch documentation: https://www.elastic.co/guide/en/elasticsearch/reference/2.3/analysis.html
+# Note that this setting only takes effect on newly created indices.
+#
+# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
+# to your previous settings so they will be migrated to the database!
+# This configuration setting is only used on the first start of Graylog. After that,
+# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
+# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
+elasticsearch_analyzer = standard
+
+# Global timeout for index optimization (force merge) requests.
+# Default: 1h
+#elasticsearch_index_optimization_timeout = 1h
+
+# Maximum number of concurrently running index optimization (force merge) jobs.
+# If you are using lots of different index sets, you might want to increase that number.
+# Default: 20
+#elasticsearch_index_optimization_jobs = 20
+
+# Mute the logging-output of ES deprecation warnings during REST calls in the ES RestClient
+#elasticsearch_mute_deprecation_warnings = true
+
+# Time interval for index range information cleanups. This setting defines how often stale index range information
+# is being purged from the database.
+# Default: 1h
+#index_ranges_cleanup_interval = 1h
+
+# Time interval for the job that runs index field type maintenance tasks like cleaning up stale entries. This doesn't
+# need to run very often.
+# Default: 1h
+#index_field_type_periodical_interval = 1h
+
+# Batch size for the Elasticsearch output. This is the maximum (!) number of messages the Elasticsearch output
+# module will get at once and write to Elasticsearch in a batch call. If the configured batch size has not been
+# reached within output_flush_interval seconds, everything that is available will be flushed at once. Remember
+# that every outputbuffer processor manages its own batch and performs its own batch write calls.
+# ("outputbuffer_processors" variable)
+output_batch_size = 500
+
+# Flush interval (in seconds) for the Elasticsearch output. This is the maximum amount of time between two
+# batches of messages written to Elasticsearch. It is only effective at all if your minimum number of messages
+# for this time period is less than output_batch_size * outputbuffer_processors.
+output_flush_interval = 1
+
+# As stream outputs are loaded only on demand, an output which is failing to initialize will be tried over and
+# over again. To prevent this, the following configuration options define after how many faults an output will
+# not be tried again for an also configurable amount of seconds.
+output_fault_count_threshold = 5
+output_fault_penalty_seconds = 30
+
+# The number of parallel running processors.
+# Raise this number if your buffers are filling up.
+processbuffer_processors = 5
+outputbuffer_processors = 3
+
+# The following settings (outputbuffer_processor_*) configure the thread pools backing each output buffer processor.
+# See https://docs.oracle.com/javase/8/docs/api/java/util/concurrent/ThreadPoolExecutor.html for technical details
+
+# When the number of threads is greater than the core (see outputbuffer_processor_threads_core_pool_size),
+# this is the maximum time in milliseconds that excess idle threads will wait for new tasks before terminating.
+# Default: 5000
+#outputbuffer_processor_keep_alive_time = 5000
+
+# The number of threads to keep in the pool, even if they are idle, unless allowCoreThreadTimeOut is set
+# Default: 3
+#outputbuffer_processor_threads_core_pool_size = 3
+
+# The maximum number of threads to allow in the pool
+# Default: 30
+#outputbuffer_processor_threads_max_pool_size = 30
+
+# UDP receive buffer size for all message inputs (e. g. SyslogUDPInput).
+#udp_recvbuffer_sizes = 1048576
+
+# Wait strategy describing how buffer processors wait on a cursor sequence. (default: sleeping)
+# Possible types:
+# - yielding
+# Compromise between performance and CPU usage.
+# - sleeping
+# Compromise between performance and CPU usage. Latency spikes can occur after quiet periods.
+# - blocking
+# High throughput, low latency, higher CPU usage.
+# - busy_spinning
+# Avoids syscalls which could introduce latency jitter. Best when threads can be bound to specific CPU cores.
+processor_wait_strategy = blocking
+
+# Size of internal ring buffers. Raise this if raising outputbuffer_processors does not help anymore.
+# For optimum performance your LogMessage objects in the ring buffer should fit in your CPU L3 cache.
+# Must be a power of 2. (512, 1024, 2048, ...)
+ring_size = 65536
+
+inputbuffer_ring_size = 65536
+inputbuffer_processors = 2
+inputbuffer_wait_strategy = blocking
+
+# Enable the message journal.
+message_journal_enabled = true
+
+# The directory which will be used to store the message journal. The directory must be exclusively used by Graylog and
+# must not contain any other files than the ones created by Graylog itself.
+#
+# ATTENTION:
+# If you create a seperate partition for the journal files and use a file system creating directories like 'lost+found'
+# in the root directory, you need to create a sub directory for your journal.
+# Otherwise Graylog will log an error message that the journal is corrupt and Graylog will not start.
+message_journal_dir = data/journal
+
+# Journal hold messages before they could be written to Elasticsearch.
+# For a maximum of 12 hours or 5 GB whichever happens first.
+# During normal operation the journal will be smaller.
+#message_journal_max_age = 12h
+#message_journal_max_size = 5gb
+
+#message_journal_flush_age = 1m
+#message_journal_flush_interval = 1000000
+#message_journal_segment_age = 1h
+#message_journal_segment_size = 100mb
+
+# Number of threads used exclusively for dispatching internal events. Default is 2.
+#async_eventbus_processors = 2
+
+# How many seconds to wait between marking node as DEAD for possible load balancers and starting the actual
+# shutdown process. Set to 0 if you have no status checking load balancers in front.
+lb_recognition_period_seconds = 3
+
+# Journal usage percentage that triggers requesting throttling for this server node from load balancers. The feature is
+# disabled if not set.
+#lb_throttle_threshold_percentage = 95
+
+# Every message is matched against the configured streams and it can happen that a stream contains rules which
+# take an unusual amount of time to run, for example if its using regular expressions that perform excessive backtracking.
+# This will impact the processing of the entire server. To keep such misbehaving stream rules from impacting other
+# streams, Graylog limits the execution time for each stream.
+# The default values are noted below, the timeout is in milliseconds.
+# If the stream matching for one stream took longer than the timeout value, and this happened more than "max_faults" times
+# that stream is disabled and a notification is shown in the web interface.
+#stream_processing_timeout = 2000
+#stream_processing_max_faults = 3
+
+# Since 0.21 the Graylog server supports pluggable output modules. This means a single message can be written to multiple
+# outputs. The next setting defines the timeout for a single output module, including the default output module where all
+# messages end up.
+#
+# Time in milliseconds to wait for all message outputs to finish writing a single message.
+#output_module_timeout = 10000
+
+# Time in milliseconds after which a detected stale master node is being rechecked on startup.
+#stale_master_timeout = 2000
+
+# Time in milliseconds which Graylog is waiting for all threads to stop on shutdown.
+#shutdown_timeout = 30000
+
+# MongoDB connection string
+# See https://docs.mongodb.com/manual/reference/connection-string/ for details
+#mongodb_uri = mongodb://localhost/graylog
+mongodb_uri = mongodb://mongo/graylog
+
+
+# Authenticate against the MongoDB server
+# '+'-signs in the username or password need to be replaced by '%2B'
+#mongodb_uri = mongodb://grayloguser:secret@localhost:27017/graylog
+
+# Use a replica set instead of a single host
+#mongodb_uri = mongodb://grayloguser:secret@localhost:27017,localhost:27018,localhost:27019/graylog?replicaSet=rs01
+
+# DNS Seedlist https://docs.mongodb.com/manual/reference/connection-string/#dns-seedlist-connection-format
+#mongodb_uri = mongodb+srv://server.example.org/graylog
+
+# Increase this value according to the maximum connections your MongoDB server can handle from a single client
+# if you encounter MongoDB connection problems.
+mongodb_max_connections = 1000
+
+# Number of threads allowed to be blocked by MongoDB connections multiplier. Default: 5
+# If mongodb_max_connections is 100, and mongodb_threads_allowed_to_block_multiplier is 5,
+# then 500 threads can block. More than that and an exception will be thrown.
+# http://api.mongodb.com/java/current/com/mongodb/MongoOptions.html#threadsAllowedToBlockForConnectionMultiplier
+mongodb_threads_allowed_to_block_multiplier = 5
+
+
+# Email transport
+#transport_email_enabled = false
+#transport_email_hostname = mail.example.com
+#transport_email_port = 587
+#transport_email_use_auth = true
+#transport_email_auth_username = you@example.com
+#transport_email_auth_password = secret
+#transport_email_subject_prefix = [graylog]
+#transport_email_from_email = graylog@example.com
+
+# Encryption settings
+#
+# ATTENTION:
+# Using SMTP with STARTTLS *and* SMTPS at the same time is *not* possible.
+
+# Use SMTP with STARTTLS, see https://en.wikipedia.org/wiki/Opportunistic_TLS
+#transport_email_use_tls = true
+
+# Use SMTP over SSL (SMTPS), see https://en.wikipedia.org/wiki/SMTPS
+# This is deprecated on most SMTP services!
+#transport_email_use_ssl = false
+
+
+# Specify and uncomment this if you want to include links to the stream in your stream alert mails.
+# This should define the fully qualified base url to your web interface exactly the same way as it is accessed by your users.
+#transport_email_web_interface_url = https://graylog.example.com
+
+# The default connect timeout for outgoing HTTP connections.
+# Values must be a positive duration (and between 1 and 2147483647 when converted to milliseconds).
+# Default: 5s
+#http_connect_timeout = 5s
+
+# The default read timeout for outgoing HTTP connections.
+# Values must be a positive duration (and between 1 and 2147483647 when converted to milliseconds).
+# Default: 10s
+#http_read_timeout = 10s
+
+# The default write timeout for outgoing HTTP connections.
+# Values must be a positive duration (and between 1 and 2147483647 when converted to milliseconds).
+# Default: 10s
+#http_write_timeout = 10s
+
+# HTTP proxy for outgoing HTTP connections
+# ATTENTION: If you configure a proxy, make sure to also configure the "http_non_proxy_hosts" option so internal
+# HTTP connections with other nodes does not go through the proxy.
+# Examples:
+# - http://proxy.example.com:8123
+# - http://username:password@proxy.example.com:8123
+#http_proxy_uri =
+
+# A list of hosts that should be reached directly, bypassing the configured proxy server.
+# This is a list of patterns separated by ",". The patterns may start or end with a "*" for wildcards.
+# Any host matching one of these patterns will be reached through a direct connection instead of through a proxy.
+# Examples:
+# - localhost,127.0.0.1
+# - 10.0.*,*.example.com
+#http_non_proxy_hosts =
+
+# Disable the optimization of Elasticsearch indices after index cycling. This may take some load from Elasticsearch
+# on heavily used systems with large indices, but it will decrease search performance. The default is to optimize
+# cycled indices.
+#
+# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
+# to your previous settings so they will be migrated to the database!
+# This configuration setting is only used on the first start of Graylog. After that,
+# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
+# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
+#disable_index_optimization = true
+
+# Optimize the index down to <= index_optimization_max_num_segments. A higher number may take some load from Elasticsearch
+# on heavily used systems with large indices, but it will decrease search performance. The default is 1.
+#
+# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
+# to your previous settings so they will be migrated to the database!
+# This configuration setting is only used on the first start of Graylog. After that,
+# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
+# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
+#index_optimization_max_num_segments = 1
+
+# The threshold of the garbage collection runs. If GC runs take longer than this threshold, a system notification
+# will be generated to warn the administrator about possible problems with the system. Default is 1 second.
+#gc_warning_threshold = 1s
+
+# Connection timeout for a configured LDAP server (e. g. ActiveDirectory) in milliseconds.
+#ldap_connection_timeout = 2000
+
+# Disable the use of a native system stats collector (currently OSHI)
+#disable_native_system_stats_collector = false
+
+# The default cache time for dashboard widgets. (Default: 10 seconds, minimum: 1 second)
+#dashboard_widget_default_cache_time = 10s
+
+# For some cluster-related REST requests, the node must query all other nodes in the cluster. This is the maximum number
+# of threads available for this. Increase it, if '/cluster/*' requests take long to complete.
+# Should be http_thread_pool_size * average_cluster_size if you have a high number of concurrent users.
+proxied_requests_thread_pool_size = 32
+
+# The server is writing processing status information to the database on a regular basis. This setting controls how
+# often the data is written to the database.
+# Default: 1s (cannot be less than 1s)
+#processing_status_persist_interval = 1s
+
+# Configures the threshold for detecting outdated processing status records. Any records that haven't been updated
+# in the configured threshold will be ignored.
+# Default: 1m (one minute)
+#processing_status_update_threshold = 1m
+
+# Configures the journal write rate threshold for selecting processing status records. Any records that have a lower
+# one minute rate than the configured value might be ignored. (dependent on number of messages in the journal)
+# Default: 1
+#processing_status_journal_write_rate_threshold = 1
+
+# Configures the prefix used for graylog event indices
+# Default: gl-events
+#default_events_index_prefix = gl-events
+
+# Configures the prefix used for graylog system event indices
+# Default: gl-system-events
+#default_system_events_index_prefix = gl-system-events
+
+# Automatically load content packs in "content_packs_dir" on the first start of Graylog.
+#content_packs_loader_enabled = false
+
+# The directory which contains content packs which should be loaded on the first start of Graylog.
+#content_packs_dir = /usr/share/graylog/data/contentpacks
+
+# A comma-separated list of content packs (files in "content_packs_dir") which should be applied on
+# the first start of Graylog.
+# Default: empty
+#content_packs_auto_install = grok-patterns.json
+
+# The allowed TLS protocols for system wide TLS enabled servers. (e.g. message inputs, http interface)
+# Setting this to an empty value, leaves it up to system libraries and the used JDK to chose a default.
+# Default: TLSv1.2,TLSv1.3 (might be automatically adjusted to protocols supported by the JDK)
+#enabled_tls_protocols= TLSv1.2,TLSv1.3
+
+# Enable Prometheus exporter HTTP server.
+# Default: false
+#prometheus_exporter_enabled = false
+
+# IP address and port for the Prometheus exporter HTTP server.
+# Default: 127.0.0.1:9833
+#prometheus_exporter_bind_address = 127.0.0.1:9833
+
+# Path to the Prometheus exporter core mapping file. If this option is enabled, the full built-in core mapping is
+# replaced with the mappings in this file.
+# This file is monitored for changes and updates will be applied at runtime.
+# Default: none
+#prometheus_exporter_mapping_file_path_core = prometheus-exporter-mapping-core.yml
+
+# Path to the Prometheus exporter custom mapping file. If this option is enabled, the mappings in this file are
+# configured in addition to the built-in core mappings. The mappings in this file cannot overwrite any core mappings.
+# This file is monitored for changes and updates will be applied at runtime.
+# Default: none
+#prometheus_exporter_mapping_file_path_custom = prometheus-exporter-mapping-custom.yml
+
+# Configures the refresh interval for the monitored Prometheus exporter mapping files.
+# Default: 60s
+#prometheus_exporter_mapping_file_refresh_interval = 60s
+
+# Optional allowed paths for Graylog data files. If provided, certain operations in Graylog will only be permitted
+# if the data file(s) are located in the specified paths (for example, with the CSV File lookup adapter).
+# All subdirectories of indicated paths are allowed by default. This Provides an additional layer of security,
+# and allows administrators to control where in the file system Graylog users can select files from.
+#allowed_auxiliary_paths = /etc/graylog/data-files,/etc/custom-allowed-path
diff --git a/ansible/roles/podman/files/graylog/graylogctl b/ansible/roles/podman/files/graylog/graylogctl
new file mode 100644
index 0000000..101984d
--- /dev/null
+++ b/ansible/roles/podman/files/graylog/graylogctl
@@ -0,0 +1,133 @@
+#!/usr/bin/env bash
+
+CMD=$1
+NOHUP=${NOHUP:=$(which nohup)}
+PS=${PS:=$(which ps)}
+
+# default java
+JAVA_CMD=${JAVA_CMD:=$(which java)}
+
+get_pid() {
+ cat "${GRAYLOG_PID}" 2> /dev/null
+}
+
+pid_running() {
+ kill -0 $1 2> /dev/null
+}
+
+die() {
+ echo $*
+ exit 1
+}
+
+if [ -n "$JAVA_HOME" ]
+then
+ # try to use $JAVA_HOME
+ if [ -x "$JAVA_HOME"/bin/java ]
+ then
+ JAVA_CMD="$JAVA_HOME"/bin/java
+ else
+ die "$JAVA_HOME"/bin/java is not executable
+ fi
+fi
+
+# resolve links - $0 may be a softlink
+GRAYLOGCTL="$0"
+
+while [ -h "$GRAYLOGCTL" ]; do
+ ls=$(ls -ld "$GRAYLOGCTL")
+ link=$(expr "$ls" : '.*-> \(.*\)$')
+ if expr "$link" : '/.*' > /dev/null; then
+ GRAYLOGCTL="$link"
+ else
+ GRAYLOGCTL=$(dirname "$GRAYLOGCTL")/"$link"
+ fi
+done
+
+# take variables from environment if set
+GRAYLOGCTL_DIR=${GRAYLOGCTL_DIR:=$(dirname "$GRAYLOGCTL")}
+GRAYLOG_SERVER_JAR=${GRAYLOG_SERVER_JAR:=graylog.jar}
+GRAYLOG_CONF=${GRAYLOG_CONF:=/etc/graylog/server/server.conf}
+GRAYLOG_PID=${GRAYLOG_PID:=/tmp/graylog.pid}
+LOG_FILE=${LOG_FILE:=log/graylog-server.log}
+LOG4J=${LOG4J:=}
+DEFAULT_JAVA_OPTS="-Djava.net.preferIPv4Stack=true -Dlog4j2.formatMsgNoLookups=true -Djdk.tls.acknowledgeCloseNotify=true -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow"
+if $JAVA_CMD -XX:+PrintFlagsFinal 2>&1 |grep -q UseParNewGC; then
+ DEFAULT_JAVA_OPTS="${DEFAULT_JAVA_OPTS} -XX:+UseParNewGC"
+fi
+if $JAVA_CMD -XX:+PrintFlagsFinal 2>&1 |grep -q UseConcMarkSweepGC; then
+ DEFAULT_JAVA_OPTS="${DEFAULT_JAVA_OPTS} -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled"
+fi
+
+JAVA_OPTS="${JAVA_OPTS:="$DEFAULT_JAVA_OPTS"}"
+
+start() {
+ echo "Starting graylog-server ..."
+ cd "$GRAYLOGCTL_DIR/.."
+ "${NOHUP}" "${JAVA_CMD}" ${JAVA_OPTS} ${LOG4J} -jar "${GRAYLOG_SERVER_JAR}" server -f "${GRAYLOG_CONF}" -p "${GRAYLOG_PID}" >> "${LOG_FILE}" 2>> "${LOG_FILE}" &
+}
+
+run() {
+ echo "Running graylog-server ..."
+ cd "$GRAYLOGCTL_DIR/.."
+ exec "${JAVA_CMD}" ${JAVA_OPTS} ${LOG4J} -jar "${GRAYLOG_SERVER_JAR}" server -f "${GRAYLOG_CONF}" -p "${GRAYLOG_PID}"
+}
+
+stop() {
+ if [ ! -f "${GRAYLOG_PID}" ]; then
+ die "Not stopping. PID file not found: ${GRAYLOG_PID}"
+ fi
+
+ PID=$(get_pid)
+
+ echo "Stopping graylog-server ($PID) ..."
+ echo "Waiting for graylog-server to halt."
+
+ kill $PID
+
+ while "$PS" -p $PID > /dev/null; do sleep 1; done;
+ rm -f "${GRAYLOG_PID}"
+
+ echo "graylog-server stopped"
+}
+
+restart() {
+ echo "Restarting graylog-server ..."
+ stop
+ start
+}
+
+status() {
+ PID=$(get_pid)
+ if [ ! -z $PID ]; then
+ if pid_running $PID; then
+ echo "graylog-server running with PID ${PID}"
+ return 0
+ else
+ rm "${GRAYLOG_PID}"
+ die "Removed stale PID file ${GRAYLOG_PID} with ${PID}."
+ fi
+ fi
+
+ die "graylog-server not running"
+}
+
+case "$CMD" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart)
+ restart
+ ;;
+ status)
+ status
+ ;;
+ run)
+ run
+ ;;
+ *)
+ echo "Usage $0 {start|stop|restart|status|run}"
+esac
diff --git a/ansible/roles/podman/files/hass/configuration.yaml b/ansible/roles/podman/files/hass/configuration.yaml
index ab82bfd..12ab84d 100644
--- a/ansible/roles/podman/files/hass/configuration.yaml
+++ b/ansible/roles/podman/files/hass/configuration.yaml
@@ -9,7 +9,7 @@ http: use_x_forwarded_for: true trusted_proxies: - 127.0.0.1 - - 172.0.0.0/8 + - 10.0.0.0/8 homeassistant: time_zone: America/New_York
diff --git a/ansible/roles/podman/files/nginx/mime.types b/ansible/roles/podman/files/nginx/mime.types
new file mode 100644
index 0000000..4a6286f
--- /dev/null
+++ b/ansible/roles/podman/files/nginx/mime.types
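Review bot: `stop()` sends `kill $PID` with whatever `get_pid` read from `${GRAYLOG_PID}`, and the default `GRAYLOG_PID=/tmp/graylog.pid` lives in a world-writable directory, so a tampered, truncated or stale PID file makes the script signal an unrelated process (or call `kill` with no argument) under the privileges of whoever runs `graylogctl stop`. After `PID=$(get_pid)` add `case "$PID" in ''|*[!0-9]*) die "Invalid PID in ${GRAYLOG_PID}: '$PID'";; esac`, quote the expansions (`kill "$PID"`, `"$PS" -p "$PID"`, `pid_running "$PID"`), and in `status()` replace the word-splitting test `[ ! -z $PID ]` with `[ -n "$PID" ]`. Pointing `GRAYLOG_PID` at a directory only the service user can write (a run directory rather than `/tmp`) removes the shared-tmp exposure entirely. The wait loop `while "$PS" -p $PID > /dev/null; do sleep 1; done;` also has no upper bound, so `stop` blocks forever if the JVM ignores SIGTERM; a bounded wait with a final escalation would be safer for whatever automation invokes it. This looks like the upstream Graylog control script copied into the role, so the fixes may be better carried as a local patch than edited in place.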
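Review bot: The replacement `trusted_proxies` entry still trusts an entire /8 (`10.0.0.0/8`), and with `use_x_forwarded_for: true` every host in that range can set `X-Forwarded-For` and choose the client address Home Assistant records for auth logging and IP-ban decisions. Only the reverse proxy actually in front of the container should be listed; presumably that is the nginx container on the podman network, so narrow the entry to that network's subnet or the proxy's address, e.g. `- <PODMAN_NETWORK_CIDR>` (constructed placeholder) in place of the /8. If the container address is not stable across recreations, giving the nginx container a static address on that network keeps the list tight without breaking the proxy.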
@@ -0,0 +1,1028 @@ +types { +application/A2L a2l; +application/AML aml; +application/andrew-inset ez; +application/ATF atf; +application/ATFX atfx; +application/ATXML atxml; +application/atom+xml atom; +application/atomcat+xml atomcat; +application/atomdeleted+xml atomdeleted; +application/atomsvc+xml atomsvc; +application/atsc-dwd+xml dwd; +application/atsc-held+xml held; +application/atsc-rsat+xml rsat; +application/auth-policy+xml apxml; +application/bacnet-xdd+zip xdd; +application/calendar+xml xcs; +application/cbor cbor; +application/cccex c3ex; +application/ccmp+xml ccmp; +application/ccxml+xml ccxml; +application/CDFX+XML cdfx; +application/cdmi-capability cdmia; +application/cdmi-container cdmic; +application/cdmi-domain cdmid; +application/cdmi-object cdmio; +application/cdmi-queue cdmiq; +application/CEA cea; +application/cellml+xml cellml cml; +application/clr 1clr; +application/clue_info+xml clue; +application/cms cmsc; +application/cpl+xml cpl; +application/csrattrs csrattrs; +application/dash+xml mpd; +application/dashdelta mpdd; +application/davmount+xml davmount; +application/DCD dcd; +application/dicom dcm; +application/DII dii; +application/DIT dit; +application/dskpp+xml xmls; +application/dssc+der dssc; +application/dssc+xml xdssc; +application/dvcs dvc; +application/ecmascript es; +application/efi efi; +application/emma+xml emma; +application/emotionml+xml emotionml; +application/epub+zip epub; +application/exi exi; +application/fastinfoset finf; +application/fdt+xml fdt; +application/font-tdpfr pfr; +application/geo+json geojson; +application/geopackage+sqlite3 gpkg; +application/gltf-buffer glbin glbuf; +application/gml+xml gml; +application/gzip gz tgz; +application/hyperstudio stk; +application/inkml+xml ink inkml; +application/ipfix ipfix; +application/its+xml its; +application/javascript js; +application/jrd+json jrd; +application/json json; +application/json-patch+json json-patch; +application/ld+json jsonld; +application/lgr+xml lgr; 
+application/link-format wlnk; +application/lost+xml lostxml; +application/lostsync+xml lostsyncxml; +application/lpf+zip lpf; +application/LXF lxf; +application/mac-binhex40 hqx; +application/mads+xml mads; +application/marc mrc; +application/marcxml+xml mrcx; +application/mathematica nb ma mb; +application/mathml+xml mml; +application/mbox mbox; +application/metalink4+xml meta4; +application/mets+xml mets; +application/MF4 mf4; +application/mipc h5; +application/mmt-aei+xml maei; +application/mmt-usd+xml musd; +application/mods+xml mods; +application/mp21 m21 mp21; +application/msword doc; +application/mxf mxf; +application/n-quads nq; +application/n-triples nt; +application/ocsp-request orq; +application/ocsp-response ors; +application/octet-stream bin lha lzh exe class so dll img iso; +application/ODA oda; +application/ODX odx; +application/oebps-package+xml opf; +application/ogg ogx; +application/opc-nodeset+xml ; +application/oxps oxps; +application/p2p-overlay+xml relo; +application/pdf pdf; +application/PDX pdx; +application/pem-certificate-chain pem; +application/pgp-encrypted pgp; +application/pgp-signature sig; +application/pkcs10 p10; +application/pkcs12 p12 pfx; +application/pkcs7-mime p7m p7c; +application/pkcs7-signature p7s; +application/pkcs8 p8; +application/pkcs8-encrypted p8e; +application/pkix-cert cer; +application/pkix-crl crl; +application/pkix-pkipath pkipath; +application/pkixcmp pki; +application/pls+xml pls; +application/postscript ps eps ai; +application/provenance+xml provx; +application/prs.cww cw cww; +application/prs.hpub+zip hpub; +application/prs.nprend rnd rct; +application/prs.rdf-xml-crypt rdf-crypt; +application/prs.xsf+xml xsf; +application/pskc+xml pskcxml; +application/rdf+xml rdf; +application/route-apd+xml rapd; +application/route-s-tsid+xml sls; +application/route-usd+xml rusd; +application/reginfo+xml rif; +application/relax-ng-compact-syntax rnc; +application/resource-lists-diff+xml rld; +application/resource-lists+xml 
rl; +application/rfc+xml rfcxml; +application/rls-services+xml rs; +application/rpki-ghostbusters gbr; +application/rpki-manifest mft; +application/rpki-roa roa; +application/rtf rtf; +application/sarif-external-properties+json sarif-external-properties sarif-external-properties.json; +application/sarif+json sarif sarif.json; +application/scim+json scim; +application/scvp-cv-request scq; +application/scvp-cv-response scs; +application/scvp-vp-request spq; +application/scvp-vp-response spp; +application/sdp sdp; +application/senml-etch+cbor senml-etchc; +application/senml-etch+json senml-etchj; +application/senml+cbor senmlc; +application/senml+json senml; +application/senml+xml senmlx; +application/senml-exi senmle; +application/sensml+cbor sensmlc; +application/sensml+json sensml; +application/sensml+xml sensmlx; +application/sensml-exi sensmle; +application/sgml-open-catalog soc; +application/shf+xml shf; +application/sieve siv sieve; +application/simple-filter+xml cl; +application/smil+xml smil smi sml; +application/sparql-query rq; +application/sparql-results+xml srx; +application/sql sql; +application/srgs gram; +application/srgs+xml grxml; +application/sru+xml sru; +application/ssml+xml ssml; +application/stix+json stix; +application/swid+xml swidtag; +application/tamp-apex-update tau; +application/tamp-apex-update-confirm auc; +application/tamp-community-update tcu; +application/tamp-community-update-confirm cuc; +application/td+json jsontd; +application/tamp-error ter; +application/tamp-sequence-adjust tsa; +application/tamp-sequence-adjust-confirm sac; +application/tamp-update tur; +application/tamp-update-confirm tuc; +application/tei+xml tei teiCorpus odd; +application/thraud+xml tfi; +application/timestamp-query tsq; +application/timestamp-reply tsr; +application/timestamped-data tsd; +application/trig trig; +application/ttml+xml ttml; +application/urc-grpsheet+xml gsheet; +application/urc-ressheet+xml rsheet; +application/urc-targetdesc+xml td; 
+application/urc-uisocketdesc+xml uis; +application/vnd.1000minds.decision-model+xml 1km; +application/vnd.3gpp.5gnas ; +application/vnd.3gpp.pic-bw-large plb; +application/vnd.3gpp.pic-bw-small psb; +application/vnd.3gpp.pic-bw-var pvb; +application/vnd.3gpp2.sms sms; +application/vnd.3gpp2.tcap tcap; +application/vnd.3lightssoftware.imagescal imgcal; +application/vnd.3M.Post-it-Notes pwn; +application/vnd.accpac.simply.aso aso; +application/vnd.accpac.simply.imp imp; +application/vnd.acucobol acu; +application/vnd.acucorp atc acutc; +application/vnd.adobe.flash.movie swf; +application/vnd.adobe.formscentral.fcdt fcdt; +application/vnd.adobe.fxp fxp fxpl; +application/vnd.adobe.xdp+xml xdp; +application/vnd.adobe.xfdf xfdf; +application/vnd.afpc.modca list3820 listafp afp pseg3820; +application/vnd.afpc.modca-overlay ovl; +application/vnd.afpc.modca-pagesegment psg; +application/vnd.ahead.space ahead; +application/vnd.airzip.filesecure.azf azf; +application/vnd.airzip.filesecure.azs azs; +application/vnd.amazon.mobi8-ebook azw3; +application/vnd.americandynamics.acc acc; +application/vnd.amiga.ami ami; +application/vnd.android.ota ota; +application/vnd.anki apkg; +application/vnd.anser-web-certificate-issue-initiation cii; +application/vnd.anser-web-funds-transfer-initiation fti; +application/vnd.apple.installer+xml dist distz pkg mpkg; +application/vnd.apple.keynote keynote; +application/vnd.apple.mpegurl m3u8; +application/vnd.apple.numbers numbers; +application/vnd.apple.pages pages; +application/vnd.aristanetworks.swi swi; +application/vnd.artisan+json artisan; +application/vnd.astraea-software.iota iota; +application/vnd.audiograph aep; +application/vnd.autopackage package; +application/vnd.balsamiq.bmml+xml bmml; +application/vnd.banana-accounting ac2; +application/vnd.balsamiq.bmpr bmpr; +application/vnd.blueice.multipass mpm; +application/vnd.bluetooth.ep.oob ep; +application/vnd.bluetooth.le.oob le; +application/vnd.bmi bmi; 
+application/vnd.businessobjects rep; +application/vnd.cendio.thinlinc.clientconf tlclient; +application/vnd.chemdraw+xml cdxml; +application/vnd.chess-pgn pgn; +application/vnd.chipnuts.karaoke-mmd mmd; +application/vnd.cinderella cdy; +application/vnd.citationstyles.style+xml csl; +application/vnd.claymore cla; +application/vnd.cloanto.rp9 rp9; +application/vnd.clonk.c4group c4g c4d c4f c4p c4u; +application/vnd.cluetrust.cartomobile-config c11amc; +application/vnd.cluetrust.cartomobile-config-pkg c11amz; +application/vnd.coffeescript coffee; +application/vnd.collabio.xodocuments.document xodt; +application/vnd.collabio.xodocuments.document-template xott; +application/vnd.collabio.xodocuments.presentation xodp; +application/vnd.collabio.xodocuments.presentation-template xotp; +application/vnd.collabio.xodocuments.spreadsheet xods; +application/vnd.collabio.xodocuments.spreadsheet-template xots; +application/vnd.comicbook-rar cbr; +application/vnd.comicbook+zip cbz; +application/vnd.commerce-battelle ica icf icd ic0 ic1 ic2 ic3 ic4 ic5 ic6 ic7 ic8; +application/vnd.commonspace csp cst; +application/vnd.contact.cmsg cdbcmsg; +application/vnd.coreos.ignition+json ign ignition; +application/vnd.cosmocaller cmc; +application/vnd.crick.clicker clkx; +application/vnd.crick.clicker.keyboard clkk; +application/vnd.crick.clicker.palette clkp; +application/vnd.crick.clicker.template clkt; +application/vnd.crick.clicker.wordbank clkw; +application/vnd.criticaltools.wbs+xml wbs; +application/vnd.crypto-shade-file ssvc; +application/vnd.cryptomator.encrypted c9r c9s; +application/vnd.cryptomator.vault cryptomator; +application/vnd.ctc-posml pml; +application/vnd.cups-ppd ppd; +application/vnd.curl curl; +application/vnd.dart dart; +application/vnd.data-vision.rdz rdz; +application/vnd.dbf dbf; +application/vnd.debian.binary-package deb udeb; +application/vnd.dece.data uvf uvvf uvd uvvd; +application/vnd.dece.ttml+xml uvt uvvt; +application/vnd.dece.unspecified uvx uvvx; 
+application/vnd.dece.zip uvz uvvz; +application/vnd.denovo.fcselayout-link fe_launch; +application/vnd.desmume.movie dsm; +application/vnd.dna dna; +application/vnd.document+json docjson; +application/vnd.doremir.scorecloud-binary-document scld; +application/vnd.dpgraph dpg mwc dpgraph; +application/vnd.dreamfactory dfac; +application/vnd.dtg.local.flash fla; +application/vnd.dvb.ait ait; +application/vnd.dvb.service svc; +application/vnd.dynageo geo; +application/vnd.dzr dzr; +application/vnd.ecowin.chart mag; +application/vnd.enliven nml; +application/vnd.epson.esf esf; +application/vnd.epson.msf msf; +application/vnd.epson.quickanime qam; +application/vnd.epson.salt slt; +application/vnd.epson.ssf ssf; +application/vnd.ericsson.quickcall qcall qca; +application/vnd.espass-espass+zip espass; +application/vnd.eszigno3+xml es3 et3; +application/vnd.etsi.asic-e+zip asice sce; +application/vnd.etsi.asic-s+zip asics; +application/vnd.etsi.timestamp-token tst; +application/vnd.exstream-empower+zip mpw; +application/vnd.exstream-package pub; +application/vnd.evolv.ecig.profile ecigprofile; +application/vnd.evolv.ecig.settings ecig; +application/vnd.evolv.ecig.theme ecigtheme; +application/vnd.ezpix-album ez2; +application/vnd.ezpix-package ez3; +application/vnd.fastcopy-disk-image dim; +application/vnd.fdf fdf; +application/vnd.fdsn.mseed msd mseed; +application/vnd.fdsn.seed seed dataless; +application/vnd.ficlab.flb+zip flb; +application/vnd.filmit.zfc zfc; +application/vnd.FloGraphIt gph; +application/vnd.fluxtime.clip ftc; +application/vnd.font-fontforge-sfd sfd; +application/vnd.framemaker fm; +application/vnd.frogans.fnc fnc; +application/vnd.frogans.ltf ltf; +application/vnd.fsc.weblaunch fsc; +application/vnd.fujitsu.oasys oas; +application/vnd.fujitsu.oasys2 oa2; +application/vnd.fujitsu.oasys3 oa3; +application/vnd.fujitsu.oasysgp fg5; +application/vnd.fujitsu.oasysprs bh2; +application/vnd.fujixerox.ddd ddd; +application/vnd.fujixerox.docuworks xdw; 
+application/vnd.fujixerox.docuworks.binder xbd; +application/vnd.fujixerox.docuworks.container xct; +application/vnd.fuzzysheet fzs; +application/vnd.genomatix.tuxedo txd; +application/vnd.geocube+xml g3 g³; +application/vnd.geogebra.file ggb; +application/vnd.geogebra.slides ggs; +application/vnd.geogebra.tool ggt; +application/vnd.geometry-explorer gex gre; +application/vnd.geonext gxt; +application/vnd.geoplan g2w; +application/vnd.geospace g3w; +application/vnd.gmx gmx; +application/vnd.google-earth.kml+xml kml; +application/vnd.google-earth.kmz kmz; +application/vnd.grafeq gqf gqs; +application/vnd.groove-account gac; +application/vnd.groove-help ghf; +application/vnd.groove-identity-message gim; +application/vnd.groove-injector grv; +application/vnd.groove-tool-message gtm; +application/vnd.groove-tool-template tpl; +application/vnd.groove-vcard vcg; +application/vnd.hal+xml hal; +application/vnd.HandHeld-Entertainment+xml zmm; +application/vnd.hbci hbci hbc kom upa pkd bpd; +application/vnd.hdt hdt; +application/vnd.hhe.lesson-player les; +application/vnd.hp-HPGL hpgl; +application/vnd.hp-hpid hpi hpid; +application/vnd.hp-hps hps; +application/vnd.hp-jlyt jlt; +application/vnd.hp-PCL pcl; +application/vnd.hydrostatix.sof-data sfd-hdstx; +application/vnd.hzn-3d-crossword x3d; +application/vnd.ibm.electronic-media emm; +application/vnd.ibm.MiniPay mpy; +application/vnd.ibm.rights-management irm; +application/vnd.ibm.secure-container sc; +application/vnd.iccprofile icc icm; +application/vnd.ieee.1905 1905.1; +application/vnd.igloader igl; +application/vnd.imagemeter.folder+zip imf; +application/vnd.imagemeter.image+zip imi; +application/vnd.immervision-ivp ivp; +application/vnd.immervision-ivu ivu; +application/vnd.ims.imsccv1p1 imscc; +application/vnd.insors.igm igm; +application/vnd.intercon.formnet xpw xpx; +application/vnd.intergeo i2g; +application/vnd.intu.qbo qbo; +application/vnd.intu.qfx qfx; +application/vnd.ipunplugged.rcprofile rcprofile; 
+application/vnd.irepository.package+xml irp; +application/vnd.is-xpr xpr; +application/vnd.isac.fcs fcs; +application/vnd.jam jam; +application/vnd.jcp.javame.midlet-rms rms; +application/vnd.jisp jisp; +application/vnd.joost.joda-archive joda; +application/vnd.kahootz ktz ktr; +application/vnd.kde.karbon karbon; +application/vnd.kde.kchart chrt; +application/vnd.kde.kformula kfo; +application/vnd.kde.kivio flw; +application/vnd.kde.kontour kon; +application/vnd.kde.kpresenter kpr kpt; +application/vnd.kde.kspread ksp; +application/vnd.kde.kword kwd kwt; +application/vnd.kenameaapp htke; +application/vnd.kidspiration kia; +application/vnd.Kinar kne knp sdf; +application/vnd.koan skp skd skm skt; +application/vnd.kodak-descriptor sse; +application/vnd.las las; +application/vnd.las.las+json lasjson; +application/vnd.las.las+xml lasxml; +application/vnd.llamagraphics.life-balance.desktop lbd; +application/vnd.llamagraphics.life-balance.exchange+xml lbe; +application/vnd.logipipe.circuit+zip lcs lca; +application/vnd.loom loom; +application/vnd.lotus-1-2-3 123 wk4 wk3 wk1; +application/vnd.lotus-approach apr vew; +application/vnd.lotus-freelance prz pre; +application/vnd.lotus-notes nsf ntf ndl ns4 ns3 ns2 nsh nsg; +application/vnd.lotus-organizer or3 or2 org; +application/vnd.lotus-screencam scm; +application/vnd.lotus-wordpro lwp sam; +application/vnd.macports.portpkg portpkg; +application/vnd.mapbox-vector-tile mvt; +application/vnd.marlin.drm.mdcf mdc; +application/vnd.maxmind.maxmind-db mmdb; +application/vnd.mcd mcd; +application/vnd.medcalcdata mc1; +application/vnd.mediastation.cdkey cdkey; +application/vnd.MFER mwf; +application/vnd.mfmp mfm; +application/vnd.micrografx.flo flo; +application/vnd.micrografx.igx igx; +application/vnd.mif mif; +application/vnd.Mobius.DAF daf; +application/vnd.Mobius.DIS dis; +application/vnd.Mobius.MBK mbk; +application/vnd.Mobius.MQY mqy; +application/vnd.Mobius.MSL msl; +application/vnd.Mobius.PLC plc; 
+application/vnd.Mobius.TXF txf; +application/vnd.mophun.application mpn; +application/vnd.mophun.certificate mpc; +application/vnd.mozilla.xul+xml xul; +application/vnd.ms-3mfdocument 3mf; +application/vnd.ms-artgalry cil; +application/vnd.ms-asf asf; +application/vnd.ms-cab-compressed cab; +application/vnd.ms-excel xls xlm xla xlc xlt xlw; +application/vnd.ms-excel.template.macroEnabled.12 xltm; +application/vnd.ms-excel.addin.macroEnabled.12 xlam; +application/vnd.ms-excel.sheet.binary.macroEnabled.12 xlsb; +application/vnd.ms-excel.sheet.macroEnabled.12 xlsm; +application/vnd.ms-fontobject eot; +application/vnd.ms-htmlhelp chm; +application/vnd.ms-ims ims; +application/vnd.ms-lrm lrm; +application/vnd.ms-officetheme thmx; +application/vnd.ms-powerpoint ppt pps pot; +application/vnd.ms-powerpoint.addin.macroEnabled.12 ppam; +application/vnd.ms-powerpoint.presentation.macroEnabled.12 pptm; +application/vnd.ms-powerpoint.slide.macroEnabled.12 sldm; +application/vnd.ms-powerpoint.slideshow.macroEnabled.12 ppsm; +application/vnd.ms-powerpoint.template.macroEnabled.12 potm; +application/vnd.ms-project mpp mpt; +application/vnd.ms-tnef tnef tnf; +application/vnd.ms-word.document.macroEnabled.12 docm; +application/vnd.ms-word.template.macroEnabled.12 dotm; +application/vnd.ms-works wcm wdb wks wps; +application/vnd.ms-wpl wpl; +application/vnd.ms-xpsdocument xps; +application/vnd.msa-disk-image msa; +application/vnd.mseq mseq; +application/vnd.multiad.creator crtr; +application/vnd.multiad.creator.cif cif; +application/vnd.musician mus; +application/vnd.muvee.style msty; +application/vnd.mynfc taglet; +application/vnd.nebumind.line nebul line; +application/vnd.nervana entity request bkm kcm; +application/vnd.nimn nimn; +application/vnd.nitf nitf; +application/vnd.neurolanguage.nlu nlu; +application/vnd.nintendo.nitro.rom nds; +application/vnd.nintendo.snes.rom sfc smc; +application/vnd.noblenet-directory nnd; +application/vnd.noblenet-sealer nns; 
+application/vnd.noblenet-web nnw; +application/vnd.nokia.n-gage.ac+xml ac; +application/vnd.nokia.n-gage.data ngdat; +application/vnd.nokia.n-gage.symbian.install n-gage; +application/vnd.nokia.radio-preset rpst; +application/vnd.nokia.radio-presets rpss; +application/vnd.novadigm.EDM edm; +application/vnd.novadigm.EDX edx; +application/vnd.novadigm.EXT ext; +application/vnd.oasis.opendocument.chart odc; +application/vnd.oasis.opendocument.chart-template otc; +application/vnd.oasis.opendocument.database odb; +application/vnd.oasis.opendocument.formula odf; +application/vnd.oasis.opendocument.graphics odg; +application/vnd.oasis.opendocument.graphics-template otg; +application/vnd.oasis.opendocument.image odi; +application/vnd.oasis.opendocument.image-template oti; +application/vnd.oasis.opendocument.presentation odp; +application/vnd.oasis.opendocument.presentation-template otp; +application/vnd.oasis.opendocument.spreadsheet ods; +application/vnd.oasis.opendocument.spreadsheet-template ots; +application/vnd.oasis.opendocument.text odt; +application/vnd.oasis.opendocument.text-master odm; +application/vnd.oasis.opendocument.text-template ott; +application/vnd.oasis.opendocument.text-web oth; +application/vnd.olpc-sugar xo; +application/vnd.oma.dd2+xml dd2; +application/vnd.onepager tam; +application/vnd.onepagertamp tamp; +application/vnd.onepagertamx tamx; +application/vnd.onepagertat tat; +application/vnd.onepagertatp tatp; +application/vnd.onepagertatx tatx; +application/vnd.openblox.game+xml obgx; +application/vnd.openblox.game-binary obg; +application/vnd.openeye.oeb oeb; +application/vnd.openofficeorg.extension oxt; +application/vnd.openstreetmap.data+xml osm; +application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; +application/vnd.openxmlformats-officedocument.presentationml.slide sldx; +application/vnd.openxmlformats-officedocument.presentationml.slideshow ppsx; +application/vnd.openxmlformats-officedocument.presentationml.template 
potx; +application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; +application/vnd.openxmlformats-officedocument.spreadsheetml.template xltx; +application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; +application/vnd.openxmlformats-officedocument.wordprocessingml.template dotx; +application/vnd.osa.netdeploy ndc; +application/vnd.osgeo.mapguide.package mgp; +application/vnd.osgi.dp dp; +application/vnd.osgi.subsystem esa; +application/vnd.oxli.countgraph oxlicg; +application/vnd.palm prc pdb pqa oprc; +application/vnd.panoply plp; +application/vnd.patentdive dive; +application/vnd.pawaafile paw; +application/vnd.pg.format str; +application/vnd.pg.osasli ei6; +application/vnd.piaccess.application-licence pil; +application/vnd.picsel efif; +application/vnd.pmi.widget wg; +application/vnd.pocketlearn plf; +application/vnd.powerbuilder6 pbd; +application/vnd.preminet preminet; +application/vnd.previewsystems.box box vbox; +application/vnd.proteus.magazine mgz; +application/vnd.psfs psfs; +application/vnd.publishare-delta-tree qps; +application/vnd.pvi.ptid1 ptid; +application/vnd.qualcomm.brew-app-res bar; +application/vnd.Quark.QuarkXPress qxd qxt qwd qwt qxl qxb; +application/vnd.quobject-quoxdocument quox quiz; +application/vnd.rainstor.data tree; +application/vnd.rar rar; +application/vnd.realvnc.bed bed; +application/vnd.recordare.musicxml mxl; +application/vnd.rig.cryptonote cryptonote; +application/vnd.route66.link66+xml link66; +application/vnd.sailingtracker.track st; +application/vnd.sar SAR; +application/vnd.scribus scd sla slaz; +application/vnd.sealed.3df s3df; +application/vnd.sealed.csf scsf; +application/vnd.sealed.doc sdoc sdo s1w; +application/vnd.sealed.eml seml sem; +application/vnd.sealed.mht smht smh; +application/vnd.sealed.ppt sppt s1p; +application/vnd.sealed.tiff stif; +application/vnd.sealed.xls sxls sxl s1e; +application/vnd.sealedmedia.softseal.html stml s1h; +application/vnd.sealedmedia.softseal.pdf spdf 
spd s1a; +application/vnd.seemail see; +application/vnd.sema sema; +application/vnd.semd semd; +application/vnd.semf semf; +application/vnd.shade-save-file ssv; +application/vnd.shana.informed.formdata ifm; +application/vnd.shana.informed.formtemplate itp; +application/vnd.shana.informed.interchange iif; +application/vnd.shana.informed.package ipk; +application/vnd.shp shp; +application/vnd.shx shx; +application/vnd.sigrok.session sr; +application/vnd.SimTech-MindMapper twd twds; +application/vnd.smaf mmf; +application/vnd.smart.notebook notebook; +application/vnd.smart.teacher teacher; +application/vnd.snesdev-page-table ptrom pt; +application/vnd.software602.filler.form+xml fo; +application/vnd.software602.filler.form-xml-zip zfo; +application/vnd.solent.sdkm+xml sdkm sdkd; +application/vnd.spotfire.dxp dxp; +application/vnd.spotfire.sfs sfs; +application/vnd.sqlite3 sqlite sqlite3; +application/vnd.stepmania.package smzip; +application/vnd.stepmania.stepchart sm; +application/vnd.sun.wadl+xml wadl; +application/vnd.sus-calendar sus susp; +application/vnd.sycle+xml scl; +application/vnd.syncml+xml xsm; +application/vnd.syncml.dm+wbxml bdm; +application/vnd.syncml.dm+xml xdm; +application/vnd.syncml.dmddf+xml ddf; +application/vnd.tao.intent-module-archive tao; +application/vnd.tcpdump.pcap pcap cap dmp; +application/vnd.theqvd qvd; +application/vnd.think-cell.ppttc+json ppttc; +application/vnd.tml vfr viaframe; +application/vnd.tmobile-livetv tmo; +application/vnd.trid.tpt tpt; +application/vnd.triscape.mxs mxs; +application/vnd.trueapp tra; +application/vnd.ufdl ufdl ufd frm; +application/vnd.uiq.theme utz; +application/vnd.umajin umj; +application/vnd.unity unityweb; +application/vnd.uoml+xml uoml uo; +application/vnd.uri-map urim urimap; +application/vnd.valve.source.material vmt; +application/vnd.vcx vcx; +application/vnd.vd-study mxi study-inter model-inter; +application/vnd.vectorworks vwx; +application/vnd.veryant.thin istc isws; 
+application/vnd.ves.encrypted VES; +application/vnd.vidsoft.vidconference vsc; +application/vnd.visio vsd vst vsw vss; +application/vnd.visionary vis; +application/vnd.vsf vsf; +application/vnd.wap.sic sic; +application/vnd.wap.slc slc; +application/vnd.wap.wbxml wbxml; +application/vnd.wap.wmlc wmlc; +application/vnd.wap.wmlscriptc wmlsc; +application/vnd.webturbo wtb; +application/vnd.wfa.p2p p2p; +application/vnd.wfa.wsc wsc; +application/vnd.wmc wmc; +application/vnd.wolfram.mathematica.package m; +application/vnd.wolfram.player nbp; +application/vnd.wordperfect wpd; +application/vnd.wqd wqd; +application/vnd.wt.stf stf; +application/vnd.wv.csp+wbxml wv; +application/vnd.xara xar; +application/vnd.xfdl xfdl xfd; +application/vnd.xmpie.cpkg cpkg; +application/vnd.xmpie.dpkg dpkg; +application/vnd.xmpie.ppkg ppkg; +application/vnd.xmpie.xlim xlim; +application/vnd.yamaha.hv-dic hvd; +application/vnd.yamaha.hv-script hvs; +application/vnd.yamaha.hv-voice hvp; +application/vnd.yamaha.openscoreformat osf; +application/vnd.yamaha.smaf-audio saf; +application/vnd.yamaha.smaf-phrase spf; +application/vnd.yaoweme yme; +application/vnd.yellowriver-custom-menu cmp; +application/vnd.zul zir zirz; +application/vnd.zzazz.deck+xml zaz; +application/voicexml+xml vxml; +application/voucher-cms+json vcj; +application/wasm wasm; +application/watcherinfo+xml wif; +application/widget wgt; +application/wsdl+xml wsdl; +application/wspolicy+xml wspolicy; +application/xcap-att+xml xav; +application/xcap-caps+xml xca; +application/xcap-diff+xml xdf; +application/xcap-el+xml xel; +application/xcap-error+xml xer; +application/xcap-ns+xml xns; +application/xhtml+xml xhtml xhtm xht; +application/xliff+xml xlf; +application/xml-dtd dtd; +application/xop+xml xop; +application/xslt+xml xsl xslt; +application/xv+xml mxml xhvml xvml xvm; +application/yang yang; +application/yin+xml yin; +application/zip zip; +application/zstd zst; +audio/32kadpcm 726; +audio/aac adts aac ass; +audio/ac3 ac3; 
+audio/AMR amr; +audio/AMR-WB awb; +audio/asc acn; +audio/ATRAC-ADVANCED-LOSSLESS aal; +audio/ATRAC-X atx; +audio/ATRAC3 at3 aa3 omg; +audio/basic au snd; +audio/dls dls; +audio/EVRC evc; +audio/EVRCB evb; +audio/EVRCNW enw; +audio/EVRCWB evw; +audio/iLBC lbc; +audio/L16 l16; +audio/mhas mhas; +audio/mobile-xmf mxmf; +audio/mp4 m4a; +audio/mpeg mp3 mpga mp1 mp2; +audio/ogg oga ogg opus spx; +audio/prs.sid sid psid; +audio/QCELP qcp; +audio/SMV smv; +audio/sofa sofa; +audio/usac loas xhe; +audio/vnd.audiokoz koz; +audio/vnd.dece.audio uva uvva; +audio/vnd.digital-winds eol; +audio/vnd.dolby.mlp mlp; +audio/vnd.dts dts; +audio/vnd.dts.hd dtshd; +audio/vnd.everad.plj plj; +audio/vnd.lucent.voice lvp; +audio/vnd.ms-playready.media.pya pya; +audio/vnd.nortel.vbk vbk; +audio/vnd.nuera.ecelp4800 ecelp4800; +audio/vnd.nuera.ecelp7470 ecelp7470; +audio/vnd.nuera.ecelp9600 ecelp9600; +audio/vnd.presonus.multitrack multitrack; +audio/vnd.rip rip; +audio/vnd.sealedmedia.softseal.mpeg smp3 smp s1m; +font/collection ttc; +font/otf otf; +font/ttf ttf; +font/woff woff; +font/woff2 woff2; +image/aces exr; +image/avci avci; +image/avcs avcs; +image/avif avif hif; +image/bmp bmp dib; +image/cgm cgm; +image/dicom-rle drle; +image/emf emf; +image/fits fits fit fts; +image/heic heic; +image/heic-sequence heics; +image/heif heif; +image/heif-sequence heifs; +image/hej2k hej2; +image/hsj2 hsj2; +image/gif gif; +image/ief ief; +image/jls jls; +image/jp2 jp2 jpg2; +image/jph jph; +image/jphc jhc; +image/jpeg jpg jpeg jpe jfif; +image/jpm jpm jpgm; +image/jpx jpx jpf; +image/jxl jxl; +image/jxr jxr; +image/jxrA jxra; +image/jxrS jxrs; +image/jxs jxs; +image/jxsc jxsc; +image/jxsi jxsi; +image/jxss jxss; +image/ktx ktx; +image/ktx2 ktx2; +image/png png; +image/prs.btif btif btf; +image/prs.pti pti; +image/svg+xml svg svgz; +image/t38 t38; +image/tiff tiff tif; +image/tiff-fx tfx; +image/vnd.adobe.photoshop psd; +image/vnd.airzip.accelerator.azv azv; +image/vnd.dece.graphic uvi uvvi uvg uvvg; 
+image/vnd.djvu djvu djv; +image/vnd.dwg dwg; +image/vnd.dxf dxf; +image/vnd.fastbidsheet fbs; +image/vnd.fpx fpx; +image/vnd.fst fst; +image/vnd.fujixerox.edmics-mmr mmr; +image/vnd.fujixerox.edmics-rlc rlc; +image/vnd.globalgraphics.pgb pgb; +image/vnd.microsoft.icon ico; +image/vnd.mozilla.apng apng; +image/vnd.ms-modi mdi; +image/vnd.pco.b16 b16; +image/vnd.radiance hdr rgbe xyze; +image/vnd.sealed.png spng spn s1n; +image/vnd.sealedmedia.softseal.gif sgif sgi s1g; +image/vnd.sealedmedia.softseal.jpg sjpg sjp s1j; +image/vnd.tencent.tap tap; +image/vnd.valve.source.texture vtf; +image/vnd.wap.wbmp wbmp; +image/vnd.xiff xif; +image/vnd.zbrush.pcx pcx; +image/wmf wmf; +message/global u8msg; +message/global-delivery-status u8dsn; +message/global-disposition-notification u8mdn; +message/global-headers u8hdr; +message/rfc822 eml mail art; +model/gltf-binary glb; +model/gltf+json gltf; +model/iges igs iges; +model/mesh msh mesh silo; +model/mtl mtl; +model/obj obj; +model/stl stl; +model/vnd.collada+xml dae; +model/vnd.dwf dwf; +model/vnd.gdl gdl gsm win dor lmp rsm msm ism; +model/vnd.gtw gtw; +model/vnd.moml+xml moml; +model/vnd.mts mts; +model/vnd.opengex ogex; +model/vnd.parasolid.transmit.binary x_b xmt_bin; +model/vnd.parasolid.transmit.text x_t xmt_txt; +model/vnd.pytha.pyox pyo pyox; +model/vnd.sap.vds vds; +model/vnd.usdz+zip usdz; +model/vnd.valve.source.compiled-map bsp; +model/vnd.vtu vtu; +model/vrml wrl vrml; +model/x3d+xml x3db; +model/x3d-vrml x3dv x3dvz; +multipart/vnd.bint.med-plus bmed; +multipart/voice-message vpm; +text/cache-manifest appcache manifest; +text/calendar ics ifb; +text/cql CQL; +text/css css; +text/csv csv; +text/csv-schema csvs; +text/dns soa zone; +text/gff3 gff3; +text/html html htm; +text/jcr-cnd cnd; +text/markdown markdown md; +text/mizar miz; +text/n3 n3; +text/plain txt asc text pm el c h cc hh cxx hxx f90 conf log; +text/provenance-notation provn; +text/prs.fallenstein.rst rst; +text/prs.lines.tag tag dsc; +text/richtext 
rtx; +text/SGML sgml sgm; +text/shaclc shaclc shc; +text/spdx spdx; +text/tab-separated-values tsv; +text/troff t tr roff; +text/turtle ttl; +text/uri-list uris uri; +text/vcard vcf vcard; +text/vnd.a a; +text/vnd.abc abc; +text/vnd.ascii-art ascii; +text/vnd.debian.copyright copyright; +text/vnd.DMClientScript dms; +text/vnd.dvb.subtitle sub; +text/vnd.esmertec.theme-descriptor jtd; +text/vnd.ficlab.flt flt; +text/vnd.fly fly; +text/vnd.fmi.flexstor flx; +text/vnd.graphviz gv dot; +text/vnd.hans hans; +text/vnd.hgl hgl; +text/vnd.in3d.3dml 3dml 3dm; +text/vnd.in3d.spot spot spo; +text/vnd.ms-mediapackage mpf; +text/vnd.net2phone.commcenter.command ccc; +text/vnd.senx.warpscript mc2; +text/vnd.si.uricatalogue uric; +text/vnd.sun.j2me.app-descriptor jad; +text/vnd.sosi sos; +text/vnd.trolltech.linguist ts; +text/vnd.wap.si si; +text/vnd.wap.sl sl; +text/vnd.wap.wml wml; +text/vnd.wap.wmlscript wmls; +text/vtt vtt; +text/xml xml xsd rng; +text/xml-external-parsed-entity ent; +video/3gpp 3gp 3gpp; +video/3gpp2 3g2 3gpp2; +video/iso.segment m4s; +video/mj2 mj2 mjp2; +video/mp4 mp4 mpg4 m4v; +video/mpeg mpeg mpg mpe m1v m2v; +video/ogg ogv; +video/quicktime mov qt; +video/vnd.dece.hd uvh uvvh; +video/vnd.dece.mobile uvm uvvm; +video/vnd.dece.mp4 uvu uvvu; +video/vnd.dece.pd uvp uvvp; +video/vnd.dece.sd uvs uvvs; +video/vnd.dece.video uvv uvvv; +video/vnd.dvb.file dvb; +video/vnd.fvt fvt; +video/vnd.mpegurl mxu m4u; +video/vnd.ms-playready.media.pyv pyv; +video/vnd.nokia.interleaved-multimedia nim; +video/vnd.radgamettools.bink bik bk2; +video/vnd.radgamettools.smacker smk; +video/vnd.sealed.mpeg1 smpg s11; +video/vnd.sealed.mpeg4 s14; +video/vnd.sealed.swf sswf ssw; +video/vnd.sealedmedia.softseal.mov smov smo s1q; +video/vnd.youtube.yt yt; +video/vnd.vivo viv; +application/mac-compactpro cpt; +application/metalink+xml metalink; +application/owl+xml owx; +application/rss+xml rss; +application/vnd.android.package-archive apk; +application/vnd.oma.dd+xml dd; 
+application/vnd.oma.drm.content dcf; +application/vnd.oma.drm.dcf o4a o4v; +application/vnd.oma.drm.message dm; +application/vnd.oma.drm.rights+wbxml drc; +application/vnd.oma.drm.rights+xml dr; +application/vnd.sun.xml.calc sxc; +application/vnd.sun.xml.calc.template stc; +application/vnd.sun.xml.draw sxd; +application/vnd.sun.xml.draw.template std; +application/vnd.sun.xml.impress sxi; +application/vnd.sun.xml.impress.template sti; +application/vnd.sun.xml.math sxm; +application/vnd.sun.xml.writer sxw; +application/vnd.sun.xml.writer.global sxg; +application/vnd.sun.xml.writer.template stw; +application/vnd.symbian.install sis; +application/vnd.wap.mms-message mms; +application/x-annodex anx; +application/x-bcpio bcpio; +application/x-bittorrent torrent; +application/x-bzip2 bz2; +application/x-cdlink vcd; +application/x-chrome-extension crx; +application/x-cpio cpio; +application/x-csh csh; +application/x-director dcr dir dxr; +application/x-dvi dvi; +application/x-futuresplash spl; +application/x-gtar gtar; +application/x-hdf hdf; +application/x-java-archive jar; +application/x-java-jnlp-file jnlp; +application/x-java-pack200 pack; +application/x-killustrator kil; +application/x-latex latex; +application/x-netcdf nc cdf; +application/x-perl pl; +application/x-rpm rpm; +application/x-sh sh; +application/x-shar shar; +application/x-stuffit sit; +application/x-sv4cpio sv4cpio; +application/x-sv4crc sv4crc; +application/x-tar tar; +application/x-tcl tcl; +application/x-tex tex; +application/x-texinfo texinfo texi; +application/x-troff-man man 1 2 3 4 5 6 7 8; +application/x-troff-me me; +application/x-troff-ms ms; +application/x-ustar ustar; +application/x-wais-source src; +application/x-xpinstall xpi; +application/x-xspf+xml xspf; +application/x-xz xz; +audio/midi mid midi kar; +audio/x-aiff aif aiff aifc; +audio/x-annodex axa; +audio/x-flac flac; +audio/x-matroska mka; +audio/x-mod mod ult uni m15 mtm 669 med; +audio/x-mpegurl m3u; +audio/x-ms-wax wax; 
+audio/x-ms-wma wma; +audio/x-pn-realaudio ram rm; +audio/x-realaudio ra; +audio/x-s3m s3m; +audio/x-stm stm; +audio/x-wav wav; +chemical/x-xyz xyz; +image/webp webp; +image/x-cmu-raster ras; +image/x-portable-anymap pnm; +image/x-portable-bitmap pbm; +image/x-portable-graymap pgm; +image/x-portable-pixmap ppm; +image/x-rgb rgb; +image/x-targa tga; +image/x-xbitmap xbm; +image/x-xpixmap xpm; +image/x-xwindowdump xwd; +text/html-sandboxed sandboxed; +text/x-pod pod; +text/x-setext etx; +video/webm webm; +video/x-annodex axv; +video/x-flv flv; +video/x-javafx fxm; +video/x-matroska mkv; +video/x-matroska-3d mk3d; +video/x-ms-asf asx; +video/x-ms-wm wm; +video/x-ms-wmv wmv; +video/x-ms-wmx wmx; +video/x-ms-wvx wvx; +video/x-msvideo avi; +video/x-sgi-movie movie; +x-conference/x-cooltalk ice; +x-epoc/x-sisx-app sisx; +} diff --git a/ansible/roles/http/files/nginx/modsec_includes.conf b/ansible/roles/podman/files/nginx/modsec_includes.conf similarity index 100% rename from ansible/roles/http/files/nginx/modsec_includes.conf rename to ansible/roles/podman/files/nginx/modsec_includes.conf diff --git a/ansible/roles/podman/handlers/main.yml b/ansible/roles/podman/handlers/main.yml index 38bba51..0905aea 100644 --- a/ansible/roles/podman/handlers/main.yml +++ b/ansible/roles/podman/handlers/main.yml @@ -2,7 +2,27 @@ - name: restorecon podman become: true ansible.builtin.command: | - restorecon -Frv {{ podman_home }} + restorecon -Frv {{ podman_home }}/.local/share/volumes tags: - podman - selinux + +- name: restart nginx + become: true + become_user: "{{ podman_user }}" + ansible.builtin.command: | + podman restart nginx + tags: + - nginx + - http + - https + - modsec + - modsec_rules + +- name: restart firewalld + become: true + ansible.builtin.service: + name: firewalld + state: restarted + tags: + - firewall diff --git a/ansible/roles/podman/meta/main.yml b/ansible/roles/podman/meta/main.yml index fdda41b..d00d780 100644 --- a/ansible/roles/podman/meta/main.yml 
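Review bot: The new `restart nginx` handler runs `podman restart nginx` unconditionally, yet on a fresh host it is flushed by the `meta: flush_handlers` in configuration-nginx.yml before container-nginx.yml has created the container (main.yml imports configuration-nginx.yml first), so the first run fails on a missing container. Either import container-nginx.yml ahead of configuration-nginx.yml, or guard the handler by checking `podman container exists nginx` first and skipping the restart when that fails. The `restart firewalld` handler does a full `state: restarted`; `state: reloaded` keeps runtime state and is enough for rules added with `permanent: true`. The narrowed `restorecon -Frv {{ podman_home }}/.local/share/volumes` only relabels that subtree, so a comment stating that `nginx_path`/`graylog_path` are expected to live under it would help the next reader.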
+++ b/ansible/roles/podman/meta/main.yml
@@ -1,3 +1,4 @@ --- dependencies: - role: common
+ - role: ssl
diff --git a/ansible/roles/podman/tasks/configuration-nginx-http.yml b/ansible/roles/podman/tasks/configuration-nginx-http.yml
new file mode 100644
index 0000000..1a50adc
--- /dev/null
+++ b/ansible/roles/podman/tasks/configuration-nginx-http.yml
@@ -0,0 +1,95 @@
+---
+- name: create required nginx volumes
+ become: true
+ ansible.builtin.file:
+ path: "{{ nginx_path }}/etc"
+ state: directory
+ owner: "{{ podman_user }}"
+ group: "{{ podman_user }}"
+ mode: 0755
+ notify: restorecon podman
+ tags: http
+
+- name: setup nginx base configuration
+ become: true
+ ansible.builtin.template:
+ src: templates/nginx/nginx.conf.j2
+ dest: "{{ nginx_path }}/etc/nginx.conf"
+ owner: "{{ podman_user }}"
+ group: "{{ podman_user }}"
+ mode: 0644
+ notify:
+ - restorecon podman
+ - restart nginx
+ tags: http
+
+- name: create required nginx files
+ become: true
+ ansible.builtin.copy:
+ src: "files/nginx/{{ item }}"
+ dest: "{{ nginx_path }}/etc/{{ item }}"
+ owner: "{{ podman_user }}"
+ group: "{{ podman_user }}"
+ mode: 0644
+ loop:
+ - mime.types
+ notify:
+ - restorecon podman
+ - restart nginx
+ tags: http
+
+- name: setup nginx directories
+ become: true
+ ansible.builtin.file:
+ path: "{{ nginx_path }}/etc/{{ item }}"
+ owner: "{{ podman_user }}"
+ group: "{{ podman_user }}"
+ state: directory
+ mode: 0755
+ notify: restorecon podman
+ loop:
+ - sites-enabled
+ - sites-available
+ tags: http
+
+- name: template nginx http sites-available
+ become: true
+ ansible.builtin.template:
+ src: "templates/nginx/sites/{{ item }}.j2"
+ dest: "{{ nginx_path }}/etc/sites-available/{{ item }}"
+ owner: "{{ podman_user }}"
+ group: "{{ podman_user }}"
+ mode: 0644
+ loop:
+ - "{{ ci_server_name }}.http.conf"
+ #- "{{ pi_server_name }}.conf"
+ - "{{ home_server_name }}.conf"
+ - "{{ assistant_server_name }}.conf"
+ - "{{ video_server_name }}.conf"
+ - "{{ parts_server_name }}.conf"
+ - "{{ logs_server_name }}.conf"
+ notify:
+ - restorecon podman
+ - restart nginx
+ tags: http
+
+- name: enable desired nginx http sites
+ become: true
+ ansible.builtin.file:
+ src: "../sites-available/{{ item }}"
+ dest: "{{ nginx_path }}/etc/sites-enabled/{{ item }}"
+ owner: "{{ podman_user }}"
+ group: "{{ podman_user }}"
+ state: link
+
loop:
+ - "{{ ci_server_name }}.http.conf"
+ #- "{{ pi_server_name }}.conf"
+ - "{{ parts_server_name }}.conf"
+ - "{{ home_server_name }}.conf"
+ - "{{ assistant_server_name }}.conf"
+ - "{{ video_server_name }}.conf"
+ - "{{ logs_server_name }}.conf"
+ notify:
+ - restorecon podman
+ - restart nginx
+ tags: http
diff --git a/ansible/roles/podman/tasks/configuration-nginx-https.yml b/ansible/roles/podman/tasks/configuration-nginx-https.yml
new file mode 100644
index 0000000..b307ef3
--- /dev/null
+++ b/ansible/roles/podman/tasks/configuration-nginx-https.yml
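Review bot: Every `mode:` in this file is an unquoted leading-zero literal (`0755`, `0644`); YAML 1.1 loaders read these as octal ints, which Ansible copes with, but ansible-lint flags the form (`risky-octal`) and a decimal slip such as `755` would silently become a different mode. Quote them as `mode: "0755"` / `mode: "0644"` here and in configuration-nginx-https.yml, configuration-nginx.yml and container-graylog.yml so the role is consistent. The commented-out `#- "{{ pi_server_name }}.conf"` entries in both loops would read better as one comment above the loop saying why the pihole vhost is disabled, e.g. `# pihole vhost intentionally not served by this nginx; see the pihole role`.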
@@ -0,0 +1,58 @@
+---
+- name: create nginx ssl directory
+ become: true
+ ansible.builtin.file:
+ path: "{{ nginx_path }}/etc/ssl"
+ owner: "{{ podman_user }}"
+ group: "{{ podman_user }}"
+ mode: 0644
+ state: directory
+ tags: https
+
+- name: stat dhparam
+ become: true
+ ansible.builtin.stat:
+ path: "{{ nginx_path }}/etc/ssl/dhparam.pem"
+ register: dhparam
+ tags: https
+
+- name: generate openssl dhparam for nginx
+ become: true
+ ansible.builtin.command: |
+ openssl dhparam -out {{ nginx_path }}/ssl/dhparam.pem 2048
+ when: not dhparam.stat.exists
+ args:
+ creates: "{{ nginx_path }}/ssl/dhparam.pem"
+ tags: https
+
+- name: template nginx https sites-available
+ become: true
+ ansible.builtin.template:
+ src: "templates/nginx/sites/{{ item }}.j2"
+ dest: "{{ nginx_path }}/etc/sites-available/{{ item }}"
+ owner: "{{ podman_user }}"
+ group: "{{ podman_user }}"
+ mode: 0644
+ loop:
+ - "{{ ci_server_name }}.https.conf"
+ - "{{ parts_server_name }}.https.conf"
+ notify:
+ - restorecon podman
+ - restart nginx
+ tags: https
+
+- name: enable desired nginx https sites
+ become: true
+ ansible.builtin.file:
+ src: "../sites-available/{{ item }}"
+ dest: "{{ nginx_path }}/etc/sites-enabled/{{ item }}"
+ owner: "{{ podman_user }}"
+ group: "{{ podman_user }}"
+ state: link
+ loop:
+ - "{{ ci_server_name }}.https.conf"
+ - "{{ parts_server_name }}.https.conf"
+ notify:
+ - restorecon podman
+ - restart nginx
+ tags: https
diff --git a/ansible/roles/http/tasks/modsec.yml b/ansible/roles/podman/tasks/configuration-nginx-modsec.yml
similarity index 66%
rename from ansible/roles/http/tasks/modsec.yml
rename to ansible/roles/podman/tasks/configuration-nginx-modsec.yml
index 12e210f..ac16515 100644
--- a/ansible/roles/http/tasks/modsec.yml
+++ b/ansible/roles/podman/tasks/configuration-nginx-modsec.yml
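Review bot: The dhparam paths disagree: the directory is created at `{{ nginx_path }}/etc/ssl` and `stat` checks `{{ nginx_path }}/etc/ssl/dhparam.pem`, but the `openssl dhparam -out` command and its `creates:` both use `{{ nginx_path }}/ssl/dhparam.pem`, so the file lands outside the `/etc/nginx` bind mount (if that directory exists at all) and the `ssl_dhparam /etc/nginx/ssl/dhparam.pem` directive in ci.bdebyl.net.https.conf.j2 will not find it; change both to `{{ nginx_path }}/etc/ssl/dhparam.pem`. The ssl directory is also created with `mode: 0644` on `state: directory`, which leaves it untraversable; directories need `"0755"`, and the same applies to `{{ nginx_conf_path }}`/`{{ modsec_rules_path }}` in configuration-nginx-modsec.yml and `/srv/http/letsencrypt` in configuration-nginx.yml. With `creates:` present, the separate `stat`/`when` pair is redundant and can be removed.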
@@ -4,21 +4,26 @@ ansible.builtin.file: path: "{{ item }}" state: directory - owner: root - group: root + owner: "{{ podman_user }}" + group: "{{ podman_user }}" mode: 0644 loop: - "{{ nginx_conf_path }}" - "{{ modsec_rules_path }}" + notify: restorecon podman tags: modsec - name: create modsec_includes.conf become: true ansible.builtin.copy: src: files/nginx/modsec_includes.conf - dest: "{{ nginx_path }}/modsec_includes.conf" + dest: "{{ nginx_path }}/etc/modsec_includes.conf" + owner: "{{ podman_user }}" + group: "{{ podman_user }}" mode: 0644 - notify: restart_nginx + notify: + - restorecon podman + - restart nginx tags: modsec - name: clone coreruleset and modsecurity
@@ -26,11 +31,10 @@ ansible.builtin.git: repo: "{{ item.src }}" dest: "{{ item.dest }}" - update: true + update: "{{ update_modsec | default(false) }}" force: true version: "{{ item.ver }}" loop: "{{ modsec_git_urls }}" - notify: restart_nginx tags: modsec - name: setup modsec and coreruleset configs
@@ -38,11 +42,13 @@ ansible.builtin.copy: src: "{{ item.src }}" dest: "{{ item.dest }}" - force: true + owner: "{{ podman_user }}" + group: "{{ podman_user }}" + force: "{{ update_modsec | default(false) }}" mode: 0644 remote_src: true loop: "{{ modsec_conf_links }}" - notify: restart_nginx + notify: restorecon podman tags: modsec - name: setup coreruleset rules
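Review bot: The `setup modsec and coreruleset configs` task now notifies only `restorecon podman`, and the same replacement is made for `setup coreruleset rules` and `setup coreruleset data` in the following hunks; since the WAF reads its rule files when nginx starts, an `update_modsec=true` run refreshes the files on disk while the running container keeps the old rules until something else restarts it. Keep `restart nginx` in those notify lists next to `restorecon podman`, as the `create modsec_includes.conf` task in this hunk already does, or state in a comment that a manual restart is expected after a rule update. The git task keeps `force: true` while `update:` is now conditional; a short comment on why local changes are still discarded when no update is requested would help.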
@@ -50,25 +56,33 @@ ansible.builtin.copy: src: "{{ crs_rules_path }}/{{ item.name }}.conf" dest: "{{ modsec_rules_path }}/{{ item.name }}.conf" - force: true + owner: "{{ podman_user }}" + group: "{{ podman_user }}" + force: "{{ update_modsec | default(false) }}" mode: 0644 remote_src: true when: item.enabled loop: "{{ crs_rule_links }}" - notify: restart_nginx - tags: modsec, modsec_rules + notify: restorecon podman + tags: + - modsec + - modsec_rules - name: setup coreruleset data become: true ansible.builtin.copy: src: "{{ crs_rules_path }}/{{ item }}.data" dest: "{{ modsec_rules_path }}/{{ item }}.data" - force: true + force: "{{ update_modsec | default(false) }}" + owner: "{{ podman_user }}" + group: "{{ podman_user }}" mode: 0644 remote_src: true loop: "{{ crs_data_links }}" - notify: restart_nginx - tags: modsec, modsec_rules + notify: restorecon podman + tags: + - modsec + - modsec_rules - name: whitelist local ip addresses become: true
@@ -76,9 +90,11 @@ path: "{{ modsec_crs_before_rule_conf }}" regexp: "{{ modsec_whitelist_local_re }}" line: "{{ modsec_whitelist_local }}" - mode: 0644 - notify: restart_nginx - tags: modsec, modsec_rules, modsec_whitelist + notify: restart nginx + tags: + - modsec + - modsec_rules + - modsec_whitelist - name: activate mod-security become: true
diff --git a/ansible/roles/podman/tasks/configuration-nginx.yml b/ansible/roles/podman/tasks/configuration-nginx.yml
new file mode 100644
index 0000000..354b98b
--- /dev/null
+++ b/ansible/roles/podman/tasks/configuration-nginx.yml
@@ -0,0 +1,22 @@
+---
+- name: create letsencrypt shared root srv directory
+ become: true
+ ansible.builtin.file:
+ path: /srv/http/letsencrypt
+ owner: "{{ podman_user }}"
+ group: "{{ podman_user }}"
+ mode: 0644
+ state: directory
+ tags:
+ - ssl
+ - https
+
+- import_tasks: configuration-nginx-http.yml
+- import_tasks: configuration-nginx-https.yml
+- import_tasks: configuration-nginx-modsec.yml
+
+- meta: flush_handlers
+ tags:
+ - http
+ - modsec
+ - modsec_rules
diff --git a/ansible/roles/podman/tasks/container-drone.yml b/ansible/roles/podman/tasks/container-drone.yml
index 0a13608..07a206a 100644
--- a/ansible/roles/podman/tasks/container-drone.yml
+++ b/ansible/roles/podman/tasks/container-drone.yml
@@ -8,7 +8,7 @@ group: "{{ podman_user }}" mode: 0755 notify: restorecon podman - with_items: + loop: - "{{ drone_path }}/data" tags: drone
@@ -20,12 +20,14 @@ become_user: "{{ podman_user }}" containers.podman.podman_container: name: drone - image: docker.io/drone/drone:latest + image: docker.io/drone/drone:2.11.1 recreate: false restart: true restart_policy: on-failure log_driver: journald env: + DRONE_LOGS_DEBUG: "true" + DRONE_RPC_DEBUG: "true" DRONE_GITHUB_CLIENT_ID: "{{ drone_gh_client_id }}" DRONE_GITHUB_CLIENT_SECRET: "{{ drone_gh_client_sec }}" DRONE_GIT_ALWAYS_AUTH: "true"
@@ -39,12 +41,18 @@ - "8080:80" tags: drone +- name: create systemd startup job for drone + include_tasks: systemd-generate.yml + vars: + container_name: drone + tags: drone + - name: create drone-ci worker container become: true become_user: "{{ podman_user }}" containers.podman.podman_container: name: drone-runner - image: docker.io/80x86/drone-runner-podman:latest + image: docker.io/drone/drone-runner-docker:1.8.1 recreate: false restart: true restart_policy: on-failure
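Review bot: `DRONE_LOGS_DEBUG: "true"` and `DRONE_RPC_DEBUG: "true"` switch the drone server to debug logging permanently; that is noisy in journald and, for the RPC side, presumably records request details that do not belong in long-retained logs. If these are troubleshooting leftovers, drop them; otherwise drive them from a variable, e.g. `DRONE_LOGS_DEBUG: "{{ drone_debug | default('false') }}"`, so production defaults to quiet. The task that owns this `env:` block starts outside the hunk.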
@@ -55,7 +63,13 @@ DRONE_RPC_PROTO: "{{ drone_server_proto }}" DRONE_RUNNER_CAPACITY: "{{ drone_runner_capacity }}" volumes: - - /run/user/1002/podman/podman.sock:/run/podman/podman.sock + - "/run/user/1002/podman/podman.sock:/var/run/docker.sock" ports: - "3000:3000" tags: drone
+
+- name: create systemd startup job for drone-runner
+ include_tasks: systemd-generate.yml
+ vars:
+ container_name: drone-runner
+ tags: drone
diff --git a/ansible/roles/podman/tasks/container-graylog.yml b/ansible/roles/podman/tasks/container-graylog.yml
new file mode 100644
index 0000000..fdbf380
--- /dev/null
+++ b/ansible/roles/podman/tasks/container-graylog.yml
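Review bot: The socket mount still hard-codes `/run/user/1002/podman/podman.sock` while the rest of the role derives everything from `podman_user`; resolving the uid once (for example registering `id -u {{ podman_user }}` next to the subuid lookup in podman.yml) and using `"/run/user/{{ podman_uid }}/podman/podman.sock:/var/run/docker.sock"` keeps it from silently breaking when the user is recreated with another uid. Handing the runner that API socket also means every pipeline can run arbitrary containers as the podman user, including on the `shared` network beside partkeepr-db and graylog-mongo; that is inherent to this runner type, but it deserves a comment above the `volumes:` entry and, if the CI ever builds untrusted pull requests, a dedicated runner user with its own socket. The task starts outside the hunk.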
@@ -0,0 +1,128 @@
+---
+- name: create required graylog volumes
+ become: true
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ podman_subuid.stdout }}"
+ group: "{{ podman_user }}"
+ mode: 0755
+ notify: restorecon podman
+ loop:
+ - "{{ graylog_path }}/mongo"
+ - "{{ graylog_path }}/elastic"
+ - "{{ graylog_path }}/conf"
+ - "{{ graylog_path }}/bin"
+ tags: graylog
+
+- name: copy configuration files
+ become: true
+ ansible.builtin.copy:
+ src: "files/graylog/{{ item.src }}"
+ dest: "{{ graylog_path }}/{{ item.dest }}"
+ owner: "{{ podman_subuid.stdout }}"
+ group: "{{ podman_user }}"
+ mode: 0644
+ loop:
+ - src: "graylogctl"
+ dest: "bin/graylogctl"
+ - src: "graylog.conf"
+ dest: "conf/graylog.conf"
+ notify: restorecon podman
+ tags: graylog
+
+- name: unshare chown the elastic volume
+ become: true
+ become_user: "{{ podman_user }}"
+ ansible.builtin.command: |
+ podman unshare chown -R 1000:1000 {{ graylog_path }}/elastic
+ tags: graylog
+
+- meta: flush_handlers
+ tags: graylog
+
+- name: create graylog mongodb container
+ become: true
+ become_user: "{{ podman_user }}"
+ containers.podman.podman_container:
+ name: graylog-mongo
+ image: docker.io/mongo:4.2
+ recreate: false
+ restart: false
+ restart_policy: on-failure
+ network:
+ - shared
+ volumes:
+ - "{{ graylog_path }}/mongo:/data/db"
+ tags: graylog
+
+- name: create systemd startup job for graylog-mongo
+ include_tasks: systemd-generate.yml
+ vars:
+ container_name: graylog-mongo
+ tags: graylog
+
+- name: create graylog elasticsearch container
+ become: true
+ become_user: "{{ podman_user }}"
+ containers.podman.podman_container:
+ name: graylog-elastic
+ image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
+ recreate: true
+ restart: false
+ restart_policy: on-failure
+ network:
+ - shared
+ volumes:
+ - "{{ graylog_path }}/elastic:/usr/share/elasticsearch/data"
+ env:
+ http.host: "0.0.0.0"
+ transport.host: "localhost"
+ network.host: "0.0.0.0"
+
cluster.name: "graylog"
+ ES_JAVA_OPTS: "-Dlog4j2.formatMsgNoLookups=true -Xms512m -Xmx2048m"
+ tags: graylog
+
+- name: create systemd startup job for graylog-elastic
+ include_tasks: systemd-generate.yml
+ vars:
+ container_name: graylog-elastic
+ tags: graylog
+
+- name: create graylog container
+ become: true
+ become_user: "{{ podman_user }}"
+ containers.podman.podman_container:
+ name: graylog
+ image: docker.io/graylog/graylog:4.2
+ recreate: false
+ restart: true
+ restart_policy: on-failure
+ sysctl:
+ net.ipv6.conf.all.disable_ipv6: 1
+ net.ipv6.conf.default.disable_ipv6: 1
+ network:
+ - shared
+ - host
+ volumes:
+ - "{{ graylog_path }}/conf:/usr/share/graylog/data/config"
+ - "{{ graylog_path }}/bin:/usr/share/graylog/bin"
+ env:
+ GRAYLOG_PASSWORD_SECRET: "{{ graylog_secret }}"
+ GRAYLOG_ROOT_PASSWORD_SHA2: "{{ graylog_root_pass_sha2 }}"
+ GRAYLOG_HTTP_EXTERNAL_URI: http://{{ ansible_default_ipv4.address }}:9000/
+ GRAYLOG_HTTP_BIND_ADDRESS: 0.0.0.0:9000
+ GRAYLOG_MONGODB_URI: mongodb://graylog-mongo/graylog
+ GRAYLOG_ELASTICSEARCH_HOSTS: http://graylog-elastic:9200
+ ports:
+ - "{{ graylog_port }}:9000"
+ - "{{ syslog_udp_default }}:{{ syslog_udp_default }}/udp"
+ - "{{ syslog_udp_unifi }}:{{ syslog_udp_unifi }}/udp"
+ - "{{ syslog_udp_error }}:{{ syslog_udp_error }}/udp"
+ tags: graylog
+
+- name: create systemd startup job for graylog
+ include_tasks: systemd-generate.yml
+ vars:
+ container_name: graylog
+ tags: graylog
diff --git a/ansible/roles/podman/tasks/container-hass.yml b/ansible/roles/podman/tasks/container-hass.yml
index 3d02408..8ac5072 100644
--- a/ansible/roles/podman/tasks/container-hass.yml
+++ b/ansible/roles/podman/tasks/container-hass.yml
@@ -8,7 +8,7 @@ group: "{{ podman_user }}" mode: 0755 notify: restorecon podman - with_items: + loop: - "{{ hass_path }}/media" - "{{ hass_path }}/config" tags: hass
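Review bot: `network:` for the graylog container lists both `shared` and `host`; podman does not allow combining `host` with a named network, and under host networking the `ports:` list is ignored, the `net.ipv6` sysctls cannot be applied, and the `graylog-mongo`/`graylog-elastic` names in `GRAYLOG_MONGODB_URI` and `GRAYLOG_ELASTICSEARCH_HOSTS` only resolve through the shared network's DNS — so `- host` looks like a leftover and should be dropped. The volume directories are created with `owner: "{{ podman_subuid.stdout }}"`, i.e. the first subordinate uid, which maps to uid 1 inside the containers rather than the uid mongo or graylog run as; only the elastic volume gets the `podman unshare chown` treatment, so the mongo, conf and bin volumes presumably end up unwritable for their processes — give them the same `podman unshare chown` (or the `:U` volume option) as well. `GRAYLOG_PASSWORD_SECRET`/`GRAYLOG_ROOT_PASSWORD_SHA2` are passed as plain env and will be visible in `podman inspect` and the generated unit; a comment noting that is worthwhile since the values come from vault-style variables.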
@@ -22,7 +22,7 @@ group: "{{ podman_user }}" mode: 0644 notify: restorecon podman - with_items: + loop: - configuration.yaml - automations.yaml tags: hass
diff --git a/ansible/roles/podman/tasks/container-nginx.yml b/ansible/roles/podman/tasks/container-nginx.yml
new file mode 100644
index 0000000..cc3fda2
--- /dev/null
+++ b/ansible/roles/podman/tasks/container-nginx.yml
@@ -0,0 +1,25 @@
+---
+- name: create nginx container
+ become: true
+ become_user: "{{ podman_user }}"
+ containers.podman.podman_container:
+ name: nginx
+ image: docker.io/owasp/modsecurity:nginx
+ entrypoint: ""
+ command: ["nginx", "-g", "daemon off;"]
+ recreate: false
+ restart: true
+ restart_policy: on-failure:3
+ log_driver: journald
+ network:
+ - host
+ cap_add:
+ - CAP_NET_BIND_SERVICE
+ ports:
+ - 80:80
+ - 443:443
+ volumes:
+ - "{{ nginx_path }}/etc:/etc/nginx:ro"
+ - "/srv/http/letsencrypt:/srv/http/letsencrypt:z"
+ - "/etc/letsencrypt:/etc/letsencrypt:ro"
+ tags: nginx
diff --git a/ansible/roles/podman/tasks/container-partkeepr.yml b/ansible/roles/podman/tasks/container-partkeepr.yml
index 58dd122..0d78f88 100644
--- a/ansible/roles/podman/tasks/container-partkeepr.yml
+++ b/ansible/roles/podman/tasks/container-partkeepr.yml
@@ -8,20 +8,13 @@ group: "{{ podman_user }}" mode: 0755 notify: restorecon podman - with_items: + loop: - "{{ partkeepr_path }}/mysql" tags: partkeepr - meta: flush_handlers tags: partkeepr -- name: create partkeepr network - become: true - become_user: "{{ podman_user }}" - containers.podman.podman_network: - name: partkeepr - tags: partkeepr - - name: create partkeepr-db container become: true become_user: "{{ podman_user }}"
@@ -33,7 +26,7 @@ restart_policy: on-failure log_driver: journald network: - - partkeepr + - shared env: MYSQL_RANDOM_ROOT_PASSWORD: "yes" MYSQL_DATABASE: partkeepr
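Review bot: `image: docker.io/owasp/modsecurity:nginx` is a floating tag while this same commit pins drone and partkeepr to explicit versions; pin the tag or digest so an upstream push cannot silently change the edge proxy and its WAF. Under `network: - host` the `ports:` entries (unquoted `80:80`/`443:443`, which a YAML 1.1 loader may also read as sexagesimal ints) have no effect, and as far as I can tell `cap_add: CAP_NET_BIND_SERVICE` does nothing for a rootless container in the host network namespace — the `ip_unprivileged_port_start` sysctl in podman.yml is what permits binding 80/443 — so both are misleading and should be removed or explained in a comment. Mounting the whole `/etc/letsencrypt` tree gives the internet-facing container the private keys of every certificate on the host; narrowing the mount to the `live/` and `archive/` entries of the names it serves limits what a compromised nginx can read.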
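Review bot: Replacing the dedicated `partkeepr` network with `shared` here and in the `@@ -54` hunk removes the segmentation around partkeepr-db: every container on `shared` — graylog-mongo, graylog-elastic and anything the drone runner launches — can now reach the MySQL port directly. If one network is wanted for convenience, consider keeping the database on its own network and attaching only the partkeepr app container to both, or at least leave a comment next to `- shared` recording that the flattening is deliberate. The `create partkeepr-db container` task continues outside the hunk.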
@@ -54,13 +47,13 @@ become_user: "{{ podman_user }}" containers.podman.podman_container: name: partkeepr - image: docker.io/mhubig/partkeepr:latest + image: docker.io/bdebyl/partkeepr:0.1.10 recreate: false restart: false restart_policy: on-failure log_driver: journald network: - - partkeepr + - shared ports: - "8081:80" tags: partkeepr
@@ -70,26 +63,3 @@ vars: container_name: partkeepr tags: partkeepr - -- name: create partkeepr-cron container - become: true - become_user: "{{ podman_user }}" - containers.podman.podman_container: - name: partkeepr-cron - image: docker.io/mhubig/partkeepr:latest - entrypoint: "" - command: > - bash -c "crontab /etc/cron.d/partkeepr && cron -f" - recreate: false - restart: true - restart_policy: on-failure - log_driver: journald - network: - - partkeepr - tags: partkeepr - -- name: create systemd startup job for partkeepr-cron - include_tasks: systemd-generate.yml - vars: - container_name: partkeepr-cron - tags: partkeepr
diff --git a/ansible/roles/podman/tasks/firewall.yml b/ansible/roles/podman/tasks/firewall.yml
new file mode 100644
index 0000000..56a46d4
--- /dev/null
+++ b/ansible/roles/podman/tasks/firewall.yml
@@ -0,0 +1,17 @@
+---
+- name: set required podman firewall rules
+ become: true
+ ansible.posix.firewalld:
+ port: "{{ item }}"
+ permanent: true
+ state: enabled
+ loop:
+ - 80/tcp
+ - 443/tcp
+ - "{{ syslog_udp_default }}/udp"
+ - "{{ syslog_udp_error }}/udp"
+ - "{{ syslog_udp_unifi }}/udp"
+ notify: restart firewalld
+ tags:
+ - firewall
+ - http
diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml
index c617c22..25ab71e 100644
--- a/ansible/roles/podman/tasks/main.yml
+++ b/ansible/roles/podman/tasks/main.yml
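Review bot: `permanent: true` without `immediate: true` means none of these ports are open until the `restart firewalld` handler runs at the end of the play, and that handler restarts the service rather than reloading it; add `immediate: true` to the task (which makes the handler unnecessary) or change the handler to `state: reloaded`. The three syslog UDP ports are opened in the default zone with no source restriction, so anyone who can reach the host can inject records into graylog's inputs; a rich rule or a zone bound to the LAN source range for those ports keeps the log pipeline from being a public write endpoint. `80/tcp`/`443/tcp` are fine unquoted, but quoting them like the templated entries keeps the list uniform.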
@@ -1,6 +1,10 @@ --- - import_tasks: podman.yml +- import_tasks: configuration-nginx.yml +- import_tasks: firewall.yml - import_tasks: container-awsddns.yml - import_tasks: container-drone.yml - import_tasks: container-hass.yml - import_tasks: container-partkeepr.yml +- import_tasks: container-nginx.yml +- import_tasks: container-graylog.yml
diff --git a/ansible/roles/podman/tasks/podman.yml b/ansible/roles/podman/tasks/podman.yml
index 85a76d7..40ba3aa 100644
--- a/ansible/roles/podman/tasks/podman.yml
+++ b/ansible/roles/podman/tasks/podman.yml
@@ -8,6 +8,28 @@ home: "{{ podman_home }}" tags: podman
+- name: set ulimits for podman user
+ become: true
+ community.general.pam_limits:
+ domain: podman
+ limit_type: "{{ item.type }}"
+ limit_item: "{{ item.name }}"
+ value: "{{ item.value }}"
+ loop:
+ - name: memlock
+ type: soft
+ value: "unlimited"
+ - name: memlock
+ type: hard
+ value: "unlimited"
+ - name: nofile
+ type: soft
+ value: 39693561
+ - name: memlock
+ type: hard
+ value: 39693561
+ tags: podman
+ - name: check if podman user lingering enabled become: true ansible.builtin.stat:
@@ -31,7 +53,7 @@ setype: "{{ item.setype }}" state: present notify: restorecon podman - with_items: + loop: - { target: "{{ podman_home }}", setype: "user_home_dir_t" } - { target: "{{ podman_path }}", setype: "container_file_t" } tags:
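Review bot: The fourth `pam_limits` entry repeats `memlock`/`hard` with `39693561`, which overrides the `unlimited` hard memlock set two entries earlier and leaves `nofile` with no hard limit at all; it presumably should read `- name: nofile` / `type: hard` / `value: 39693561`. `domain: podman` is also hard-coded while the rest of the role uses `{{ podman_user }}`, so the limits would silently apply to nobody if the user name changes. The `39693561` values are unquoted ints where the memlock entries quote their value; quoting all four keeps the list uniform.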
@@ -42,17 +64,41 @@ become: true become_user: "{{ podman_user }}" ansible.builtin.file: - path: "{{ podman_home }}/{{ item }}" + path: "{{ item }}" state: directory owner: "{{ podman_user }}" group: "{{ podman_user }}" mode: 0755 notify: restorecon podman - with_items: - - ".config/systemd/user" + loop: + - "{{ podman_home }}/.config/systemd/user" - "{{ podman_containers }}" - "{{ podman_volumes }}" tags: podman - meta: flush_handlers tags: podman
+
+- name: create podman shared network
+ become: true
+ become_user: "{{ podman_user }}"
+ containers.podman.podman_network:
+ name: shared
+ tags: podman
+
+- name: allow unprivileged ports to lower number
+ become: true
+ ansible.posix.sysctl:
+ name: net.ipv4.ip_unprivileged_port_start
+ value: "80"
+ sysctl_set: true
+ state: present
+ reload: true
+ tags: podman
+
+- name: fetch subuid of {{ podman_user }}
+ become: true
+ ansible.builtin.shell: |
+ cat /etc/subuid | awk -F':' '/{{ podman_user }}/{ print $2 }' | head -n 1
+ register: podman_subuid
+ tags: always
diff --git a/ansible/roles/http/templates/nginx/nginx.conf.j2 b/ansible/roles/podman/templates/nginx/nginx.conf.j2
similarity index 94%
rename from ansible/roles/http/templates/nginx/nginx.conf.j2
rename to ansible/roles/podman/templates/nginx/nginx.conf.j2
index 2000f0e..329f64a 100644
--- a/ansible/roles/http/templates/nginx/nginx.conf.j2
+++ b/ansible/roles/podman/templates/nginx/nginx.conf.j2
@@ -4,7 +4,7 @@ worker_processes 1; load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so; error_log /var/log/nginx/error.log notice;
-error_log syslog:server=localhost:{{ syslog_udp_error }},tag=nginx,severity=info notice;
+error_log syslog:server=127.0.0.1:{{ syslog_udp_error }},tag=nginx,severity=info notice; events { worker_connections 1024;
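Review bot: `net.ipv4.ip_unprivileged_port_start=80` lets every unprivileged account on the host bind any port from 80 upward, not only the podman user, which widens the local attack surface well beyond what the nginx container needs; rootless podman offers no per-user alternative for host ports, so record that trade-off in a comment on the task (`# host-wide: any local user may now bind ports >= 80; needed for the rootless nginx container on host networking`). The subuid lookup uses an unanchored regex, so a user whose name contains `{{ podman_user }}` as a substring (constructed example: `podman2`) could be matched first; `awk -F':' '$1 == "{{ podman_user }}" { print $2 }' /etc/subuid | head -n 1` matches the whole field and drops the needless `cat`. Since the result feeds file ownership in container-graylog.yml, a `failed_when: podman_subuid.stdout == ""` guard would stop an empty lookup from producing an invalid owner.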
@@ -46,7 +46,7 @@ http { '"nginx_access": true }'; access_log /var/log/nginx/access.log main;
- access_log syslog:server=localhost:{{ syslog_udp_default }},tag=nginx,severity=info graylog_json;
+ access_log syslog:server=127.0.0.1:{{ syslog_udp_default }},tag=nginx,severity=info graylog_json; sendfile on; server_tokens off;
diff --git a/ansible/roles/http/templates/nginx/sites/assistant.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.conf.j2
similarity index 82%
rename from ansible/roles/http/templates/nginx/sites/assistant.bdebyl.net.conf.j2
rename to ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.conf.j2
index 1cc6e2e..61269ef 100644
--- a/ansible/roles/http/templates/nginx/sites/assistant.bdebyl.net.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.conf.j2
@@ -2,8 +2,9 @@ upstream hass { server 127.0.0.1:8123; } server {
+ resolver 192.168.1.12 ipv6=off; modsecurity on;
- modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
+ modsecurity_rules_file /etc/nginx/modsec_includes.conf; listen 80; server_name {{ assistant_server_name }};
diff --git a/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.http.conf.j2 b/ansible/roles/podman/templates/nginx/sites/ci.bdebyl.net.http.conf.j2
similarity index 100%
rename from ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.http.conf.j2
rename to ansible/roles/podman/templates/nginx/sites/ci.bdebyl.net.http.conf.j2
diff --git a/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
similarity index 84%
rename from ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
rename to ansible/roles/podman/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
index 23c6ce0..6dd30d5 100644
--- a/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
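Review bot: `resolver 192.168.1.12 ipv6=off;` hard-codes the LAN address, whereas home.bdebyl.net.conf.j2 in this same commit replaces `192.168.1.12` with `{{ ansible_default_ipv4.address }}`; use the same variable (or a dedicated `nginx_resolver` variable) here so the two templates cannot drift apart. It is also not clear from the hunk why this block needs a resolver at all, since the `hass` upstream is a literal `127.0.0.1:8123`; a one-line comment above the directive stating what it resolves would help. The `server` block continues past the hunk.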
@@ -9,15 +9,16 @@ geo $local_access {
 server {
     modsecurity on;
-    modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
+    modsecurity_rules_file /etc/nginx/modsec_includes.conf;
     listen 443 ssl http2;
+    listen [::]:443 ssl http2;
     server_name {{ ci_server_name }};
     ssl_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/{{ ci_server_name }}/privkey.pem;
     ssl_trusted_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
-    ssl_dhparam ssl/dhparam.pem;
+    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
     ssl_prefer_server_ciphers off;
@@ -28,14 +29,14 @@ server {
     ssl_stapling on;
     ssl_stapling_verify on;
-    resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s;
+    resolver 9.9.9.9 valid=60s ipv6=off;
     location / {
         if ($local_access = 1) {
             access_log off;
         }
         add_header Allow "GET, POST, HEAD" always;
-        add_header Content-Security-Policy "default-src 'self'; img-src 'self' https://*.githubusercontent.com; frame-ancestors 'self'; base-uri 'none',base-uri 'self'; form-action 'self'" always;
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; img-src 'self' https://*.githubusercontent.com https://*.github.com; frame-ancestors 'self'; base-uri 'none',base-uri 'self'; form-action 'self'" always;
         add_header Referrer-Policy "same-origin" always;
         add_header Strict-Transport-Security "max-age=630720000; includeSubDomains" always;
         add_header X-Content-Type-Options "nosniff" always;
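Review bot: The rewritten Content-Security-Policy adds `'unsafe-inline'` to `script-src`, which switches off CSP's protection against injected inline script for the CI site, and the commit gives no indication of which page required it. If the upstream application really needs inline scripts, prefer a nonce- or hash-based allowance (`'nonce-…'` / `'sha256-…'`) or relay the application's own CSP header, and leave a comment on the line recording the requirement. The same line still carries `base-uri 'none',base-uri 'self'`; the comma is not a directive separator, so a browser parses a single `base-uri` directive whose first token is malformed and most likely ends up with just `'self'` — write `base-uri 'self';` (or `'none'`) explicitly. The resolver change in the second hunk removes the loopback resolvers, while parts.bdebyl.net.https.conf.j2 in this same commit keeps `resolver 127.0.0.1 127.0.0.53 9.9.9.9`; the two templates should agree. The server block continues outside both hunks.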
diff --git a/ansible/roles/http/templates/nginx/sites/home.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/home.bdebyl.net.conf.j2
similarity index 68%
rename from ansible/roles/http/templates/nginx/sites/home.bdebyl.net.conf.j2
rename to ansible/roles/podman/templates/nginx/sites/home.bdebyl.net.conf.j2
index d470ce0..513fee4 100644
--- a/ansible/roles/http/templates/nginx/sites/home.bdebyl.net.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/home.bdebyl.net.conf.j2
@@ -5,15 +5,15 @@ geo $whitelisted {
 server {
     modsecurity on;
-    modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
+    modsecurity_rules_file /etc/nginx/modsec_includes.conf;
     listen 80 default_server;
     server_name {{ home_server_name }};
     if ($whitelisted = 1) {
-        return 302 http://192.168.1.12;
+        return 302 http://{{ ansible_default_ipv4.address }};
     }
     if ($whitelisted = 0) {
         return 302 $scheme://bdebyl.net$request_uri;
     }
-}
+}
\ No newline at end of file
diff --git a/ansible/roles/http/templates/nginx/sites/logs.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/logs.bdebyl.net.conf.j2
similarity index 80%
rename from ansible/roles/http/templates/nginx/sites/logs.bdebyl.net.conf.j2
rename to ansible/roles/podman/templates/nginx/sites/logs.bdebyl.net.conf.j2
index 7d8324a..508a3fa 100644
--- a/ansible/roles/http/templates/nginx/sites/logs.bdebyl.net.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/logs.bdebyl.net.conf.j2
@@ -1,5 +1,5 @@
 upstream graylog {
-    server localhost:{{ graylog_port }};
+    server 127.0.0.1:{{ graylog_port }};
 }
 geo $local_access {
@@ -9,10 +9,9 @@ geo $local_access {
 server {
     modsecurity on;
-    modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
+    modsecurity_rules_file /etc/nginx/modsec_includes.conf;
     listen 80;
-    listen [::]:80;
     server_name {{ logs_server_name }};
     location / {
@@ -30,4 +29,4 @@ server {
         proxy_buffering off;
         proxy_pass http://graylog;
     }
-}
+}
\ No newline at end of file
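Review bot: The rewritten template ends without a trailing newline (`\ No newline at end of file`), and the same happens to logs.bdebyl.net.conf.j2, parts.bdebyl.net.conf.j2, parts.bdebyl.net.https.conf.j2 and pi.bdebyl.net.conf.j2 in this commit; since the old files ended with a newline this looks like an editor side effect rather than an intentional change. Restore the final newline in each template so rendered configs and future diffs stay clean.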
diff --git a/ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.conf.j2
similarity index 81%
rename from ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.conf.j2
rename to ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.conf.j2
index a3d8bb5..996f5e1 100644
--- a/ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.conf.j2
@@ -5,7 +5,7 @@ geo $whitelisted {
 server {
     modsecurity on;
-    modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
+    modsecurity_rules_file /etc/nginx/modsec_includes.conf;
     listen 80;
     server_name {{ parts_server_name }};
@@ -18,4 +18,4 @@ server {
     location / {
         return 302 https://$host$request_uri;
     }
-}
+}
\ No newline at end of file
diff --git a/ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.https.conf.j2
similarity index 94%
rename from ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.https.conf.j2
rename to ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.https.conf.j2
index b07b976..93684d2 100644
--- a/ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.https.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.https.conf.j2
@@ -4,12 +4,12 @@ geo $whitelisted {
 }
 upstream partkeepr {
-    server localhost:8081;
+    server 127.0.0.1:8081;
 }
 server {
     modsecurity on;
-    modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
+    modsecurity_rules_file /etc/nginx/modsec_includes.conf;
     resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s;
@@ -19,7 +19,7 @@ server {
     ssl_certificate /etc/letsencrypt/live/{{ parts_server_name }}/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/{{ parts_server_name }}/privkey.pem;
     ssl_trusted_certificate /etc/letsencrypt/live/{{ parts_server_name }}/fullchain.pem;
-    ssl_dhparam ssl/dhparam.pem;
+    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
     ssl_prefer_server_ciphers off;
@@ -54,4 +54,4 @@ server {
         chunked_transfer_encoding off;
     }
-}
+}
\ No newline at end of file
diff --git a/ansible/roles/http/templates/nginx/sites/pi.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/pi.bdebyl.net.conf.j2
similarity index 95%
rename from ansible/roles/http/templates/nginx/sites/pi.bdebyl.net.conf.j2
rename to ansible/roles/podman/templates/nginx/sites/pi.bdebyl.net.conf.j2
index 6f38147..1bd518e 100644
--- a/ansible/roles/http/templates/nginx/sites/pi.bdebyl.net.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/pi.bdebyl.net.conf.j2
@@ -6,7 +6,7 @@ server {
     modsecurity on;
-    modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
+    modsecurity_rules_file /etc/nginx/modsec_includes.conf;
     listen 80;
@@ -54,5 +54,4 @@ server {
     location ~ /\.ht {
         deny all;
     }
-}
-
+}
\ No newline at end of file
diff --git a/ansible/roles/http/templates/nginx/sites/video.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/video.bdebyl.net.conf.j2
similarity index 86%
rename from ansible/roles/http/templates/nginx/sites/video.bdebyl.net.conf.j2
rename to ansible/roles/podman/templates/nginx/sites/video.bdebyl.net.conf.j2
index b7a6d70..36c1db0 100644
--- a/ansible/roles/http/templates/nginx/sites/video.bdebyl.net.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/video.bdebyl.net.conf.j2
@@ -4,7 +4,7 @@ upstream shinobi {
 server {
     modsecurity on;
-    modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
+    modsecurity_rules_file /etc/nginx/modsec_includes.conf;
     listen 80;
     server_name {{ video_server_name }};
diff --git a/ansible/roles/ssl/tasks/certbot.yml b/ansible/roles/ssl/tasks/certbot.yml
index 02ae53d..1ed1fcc 100644
--- a/ansible/roles/ssl/tasks/certbot.yml
+++ b/ansible/roles/ssl/tasks/certbot.yml
@@ -1,30 +1,4 @@
 ---
-- name: create nginx ssl directory
-  become: true
-  ansible.builtin.file:
-    path: /etc/nginx/ssl
-    owner: root
-    group: root
-    mode: 0644
-    state: directory
-  tags: ssl
-
-- name: stat dhparam
-  become: true
-  ansible.builtin.stat:
-    path: /etc/nginx/ssl/dhparam.pem
-  register: dhparam
-  tags: ssl
-
-- name: generate openssl dhparam for nginx
-  become: true
-  ansible.builtin.command: |
-    openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
-  when: not dhparam.stat.exists
-  args:
-    creates: /etc/nginx/ssl/dhparam.pem
-  tags: ssl
-
 - name: create ssl certificate for ci server
   become: true
   ansible.builtin.command: |
@@ -37,3 +11,12 @@
     - "{{ ci_server_name }}"
     - "{{ parts_server_name }}"
   tags: ssl
+
+- name: set group ownership for /etc/letsencrypt/
+  become: true
+  ansible.builtin.file:
+    path: /etc/letsencrypt
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    recurse: true
+  tags: ssl
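Review bot: The new task is named `set group ownership` but also sets `owner: "{{ podman_user }}"` with `recurse: true`, so every file under /etc/letsencrypt — including `archive/*/privkey*.pem` and the renewal configs — becomes owned by the unprivileged podman account and therefore writable by it; any container running as that user (or as root mapped onto it) could then read, replace or reconfigure the TLS private keys. If the containers only need to read certificates, drop the `owner:` line, keep `group: "{{ podman_user }}"`, and grant read-only group access, e.g. `mode: "u=rwX,g=rX,o="` applied with `recurse: true`, or mount the `live/` and `archive/` trees read-only into the container. The first hunk also deletes the tasks that created `/etc/nginx/ssl/dhparam.pem`, while ci.bdebyl.net.https.conf.j2 and parts.bdebyl.net.https.conf.j2 still reference that path; unless configuration-nginx-https.yml (in the diffstat, not in this chunk) regenerates it, nginx will refuse to start. The task list continues before the hunk.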