Don't use anymore submodules as there are too many

roles/baseconfig

@@ -1 +0,0 @@
-Subproject commit 18a1a5fd4527934ffc546b4d9bca9414f3763eac

roles/baseconfig/README.md

@@ -0,0 +1,6 @@
+# Rôle baseconfig
+
+Ce rôle Ansible a pour but de mettre en place une configuration de base.
+
+Il doit être exécuté en tant que super-utilisateur
+(option `-b` pour `--become`).

roles/baseconfig/files/skel/dot_zshrc.local

@@ -0,0 +1,326 @@
+# Filename:      /etc/skel/.zshrc
+# Purpose:       config file for zsh (z shell)
+# Authors:       (c) grml-team (grml.org)
+# Bug-Reports:   see http://grml.org/bugs/
+# License:       This file is licensed under the GPL v2 or any later version.
+################################################################################
+# Nowadays, grml's zsh setup lives in only *one* zshrc file.
+# That is the global one: /etc/zsh/zshrc (from grml-etc-core).
+# It is best to leave *this* file untouched and do personal changes to
+# your zsh setup via ${HOME}/.zshrc.local which is loaded at the end of
+# the global zshrc.
+#
+# That way, we enable people on other operating systems to use our
+# setup, too, just by copying our global zshrc to their ${HOME}/.zshrc.
+# Adjustments would still go to the .zshrc.local file.
+################################################################################
+
+## Aurore host color and white user
+zstyle ':prompt:grml:left:items:host' pre '%B%F{red}'
+zstyle ':prompt:grml:left:items:host' post '%f%b'
+zstyle ':prompt:grml:left:items:user' pre '%B'
+zstyle ':prompt:grml:left:items:user' post '%b'
+
+## Settings for umask
+#if (( EUID == 0 )); then
+#    umask 002
+#else
+#    umask 022
+#fi
+
+## Now, we'll give a few examples of what you might want to use in your
+## .zshrc.local file (just copy'n'paste and uncomment it there):
+
+## Prompt theme extension ##
+
+# Virtualenv support
+
+#function virtual_env_prompt () {
+#    REPLY=${VIRTUAL_ENV+(${VIRTUAL_ENV:t}) }
+#}
+#grml_theme_add_token  virtual-env -f virtual_env_prompt '%F{magenta}' '%f'
+#zstyle ':prompt:grml:left:setup' items rc virtual-env change-root user at host path vcs percent
+
+## ZLE tweaks ##
+
+## use the vi navigation keys (hjkl) besides cursor keys in menu completion
+#bindkey -M menuselect 'h' vi-backward-char        # left
+#bindkey -M menuselect 'k' vi-up-line-or-history   # up
+#bindkey -M menuselect 'l' vi-forward-char         # right
+#bindkey -M menuselect 'j' vi-down-line-or-history # bottom
+
+## set command prediction from history, see 'man 1 zshcontrib'
+#is4 && zrcautoload predict-on && \
+#zle -N predict-on         && \
+#zle -N predict-off        && \
+#bindkey "^X^Z" predict-on && \
+#bindkey "^Z" predict-off
+
+## press ctrl-q to quote line:
+#mquote () {
+#      zle beginning-of-line
+#      zle forward-word
+#      # RBUFFER="'$RBUFFER'"
+#      RBUFFER=${(q)RBUFFER}
+#      zle end-of-line
+#}
+#zle -N mquote && bindkey '^q' mquote
+
+## define word separators (for stuff like backward-word, forward-word, backward-kill-word,..)
+#WORDCHARS='*?_-.[]~=/&;!#$%^(){}<>' # the default
+#WORDCHARS=.
+#WORDCHARS='*?_[]~=&;!#$%^(){}'
+#WORDCHARS='${WORDCHARS:s@/@}'
+
+# just type '...' to get '../..'
+#rationalise-dot() {
+#local MATCH
+#if [[ $LBUFFER =~ '(^|/| |	|'$'\n''|\||;|&)\.\.$' ]]; then
+#  LBUFFER+=/
+#  zle self-insert
+#  zle self-insert
+#else
+#  zle self-insert
+#fi
+#}
+#zle -N rationalise-dot
+#bindkey . rationalise-dot
+## without this, typing a . aborts incremental history search
+#bindkey -M isearch . self-insert
+
+#bindkey '\eq' push-line-or-edit
+
+## some popular options ##
+
+## add `|' to output redirections in the history
+#setopt histallowclobber
+
+## try to avoid the 'zsh: no matches found...'
+#setopt nonomatch
+
+## warning if file exists ('cat /dev/null > ~/.zshrc')
+#setopt NO_clobber
+
+## don't warn me about bg processes when exiting
+#setopt nocheckjobs
+
+## alert me if something failed
+#setopt printexitvalue
+
+## with spelling correction, assume dvorak kb
+#setopt dvorak
+
+## Allow comments even in interactive shells
+#setopt interactivecomments
+
+
+## compsys related snippets ##
+
+## changed completer settings
+#zstyle ':completion:*' completer _complete _correct _approximate
+#zstyle ':completion:*' expand prefix suffix
+
+## another different completer setting: expand shell aliases
+#zstyle ':completion:*' completer _expand_alias _complete _approximate
+
+## to have more convenient account completion, specify your logins:
+#my_accounts=(
+# {grml,grml1}@foo.invalid
+# grml-devel@bar.invalid
+#)
+#other_accounts=(
+# {fred,root}@foo.invalid
+# vera@bar.invalid
+#)
+#zstyle ':completion:*:my-accounts' users-hosts $my_accounts
+#zstyle ':completion:*:other-accounts' users-hosts $other_accounts
+
+## add grml.org to your list of hosts
+#hosts+=(grml.org)
+#zstyle ':completion:*:hosts' hosts $hosts
+
+## telnet on non-default ports? ...well:
+## specify specific port/service settings:
+#telnet_users_hosts_ports=(
+#  user1@host1:
+#  user2@host2:
+#  @mail-server:{smtp,pop3}
+#  @news-server:nntp
+#  @proxy-server:8000
+#)
+#zstyle ':completion:*:*:telnet:*' users-hosts-ports $telnet_users_hosts_ports
+
+## the default grml setup provides '..' as a completion. it does not provide
+## '.' though. If you want that too, use the following line:
+#zstyle ':completion:*' special-dirs true
+
+## aliases ##
+
+## translate
+#alias u='translate -i'
+
+## ignore ~/.ssh/known_hosts entries
+#alias insecssh='ssh -o "StrictHostKeyChecking=no" -o "UserKnownHostsFile=/dev/null" -o "PreferredAuthentications=keyboard-interactive"'
+
+
+## global aliases (for those who like them) ##
+
+#alias -g '...'='../..'
+#alias -g '....'='../../..'
+#alias -g BG='& exit'
+#alias -g C='|wc -l'
+#alias -g G='|grep'
+#alias -g H='|head'
+#alias -g Hl=' --help |& less -r'
+#alias -g K='|keep'
+#alias -g L='|less'
+#alias -g LL='|& less -r'
+#alias -g M='|most'
+#alias -g N='&>/dev/null'
+#alias -g R='| tr A-z N-za-m'
+#alias -g SL='| sort | less'
+#alias -g S='| sort'
+#alias -g T='|tail'
+#alias -g V='| vim -'
+
+## instead of global aliase it might be better to use grmls $abk assoc array, whose contents are expanded after pressing ,.
+#$abk[SnL]="| sort -n | less"
+
+## get top 10 shell commands:
+#alias top10='print -l ${(o)history%% *} | uniq -c | sort -nr | head -n 10'
+
+## Execute \kbd{./configure}
+#alias CO="./configure"
+
+## Execute \kbd{./configure --help}
+#alias CH="./configure --help"
+
+## miscellaneous code ##
+
+## Use a default width of 80 for manpages for more convenient reading
+#export MANWIDTH=${MANWIDTH:-80}
+
+## Set a search path for the cd builtin
+#cdpath=(.. ~)
+
+## variation of our manzsh() function; pick you poison:
+#manzsh()  { /usr/bin/man zshall |  most +/"$1" ; }
+
+## Switching shell safely and efficiently? http://www.zsh.org/mla/workers/2001/msg02410.html
+#bash() {
+#    NO_SWITCH="yes" command bash "$@"
+#}
+#restart () {
+#    exec $SHELL $SHELL_ARGS "$@"
+#}
+
+## Handy functions for use with the (e::) globbing qualifier (like nt)
+#contains() { grep -q "$*" $REPLY }
+#sameas() { diff -q "$*" $REPLY &>/dev/null }
+#ot () { [[ $REPLY -ot ${~1} ]] }
+
+## get_ic() - queries imap servers for capabilities; real simple. no imaps
+#ic_get() {
+#    emulate -L zsh
+#    local port
+#    if [[ ! -z $1 ]] ; then
+#        port=${2:-143}
+#        print "querying imap server on $1:${port}...\n";
+#        print "a1 capability\na2 logout\n" | nc $1 ${port}
+#    else
+#        print "usage:\n  $0 <imap-server> [port]"
+#    fi
+#}
+
+## List all occurrences of programm in current PATH
+#plap() {
+#    emulate -L zsh
+#    if [[ $# = 0 ]] ; then
+#        echo "Usage:    $0 program"
+#        echo "Example:  $0 zsh"
+#        echo "Lists all occurrences of program in the current PATH."
+#    else
+#        ls -l ${^path}/*$1*(*N)
+#    fi
+#}
+
+## Find out which libs define a symbol
+#lcheck() {
+#    if [[ -n "$1" ]] ; then
+#        nm -go /usr/lib/lib*.a 2>/dev/null | grep ":[[:xdigit:]]\{8\} . .*$1"
+#    else
+#        echo "Usage: lcheck <function>" >&2
+#    fi
+#}
+
+## Download a file and display it locally
+#uopen() {
+#    emulate -L zsh
+#    if ! [[ -n "$1" ]] ; then
+#        print "Usage: uopen \$URL/\$file">&2
+#        return 1
+#    else
+#        FILE=$1
+#        MIME=$(curl --head $FILE | \
+#               grep Content-Type | \
+#               cut -d ' ' -f 2 | \
+#               cut -d\; -f 1)
+#        MIME=${MIME%$'\r'}
+#        curl $FILE | see ${MIME}:-
+#    fi
+#}
+
+## Memory overview
+#memusage() {
+#    ps aux | awk '{if (NR > 1) print $5;
+#                   if (NR > 2) print "+"}
+#                   END { print "p" }' | dc
+#}
+
+## print hex value of a number
+#hex() {
+#    emulate -L zsh
+#    if [[ -n "$1" ]]; then
+#        printf "%x\n" $1
+#    else
+#        print 'Usage: hex <number-to-convert>'
+#        return 1
+#    fi
+#}
+
+## log out? set timeout in seconds...
+## ...and do not log out in some specific terminals:
+#if [[ "${TERM}" == ([Exa]term*|rxvt|dtterm|screen*) ]] ; then
+#    unset TMOUT
+#else
+#    TMOUT=1800
+#fi
+
+## associate types and extensions (be aware with perl scripts and anwanted behaviour!)
+#check_com zsh-mime-setup || { autoload zsh-mime-setup && zsh-mime-setup }
+#alias -s pl='perl -S'
+
+## ctrl-s will no longer freeze the terminal.
+#stty erase "^?"
+
+## you want to automatically use a bigger font on big terminals?
+#if [[ "$TERM" == "xterm" ]] && [[ "$LINES" -ge 50 ]] && [[ "$COLUMNS" -ge 100 ]] && [[ -z "$SSH_CONNECTION" ]] ; then
+#    large
+#fi
+
+## Some quick Perl-hacks aka /useful/ oneliner
+#bew() { perl -le 'print unpack "B*","'$1'"' }
+#web() { perl -le 'print pack "B*","'$1'"' }
+#hew() { perl -le 'print unpack "H*","'$1'"' }
+#weh() { perl -le 'print pack "H*","'$1'"' }
+#pversion()    { perl -M$1 -le "print $1->VERSION" } # i. e."pversion LWP -> 5.79"
+#getlinks ()   { perl -ne 'while ( m/"((www|ftp|http):\/\/.*?)"/gc ) { print $1, "\n"; }' $* }
+#gethrefs ()   { perl -ne 'while ( m/href="([^"]*)"/gc ) { print $1, "\n"; }' $* }
+#getanames ()  { perl -ne 'while ( m/a name="([^"]*)"/gc ) { print $1, "\n"; }' $* }
+#getforms ()   { perl -ne 'while ( m:(\</?(input|form|select|option).*?\>):gic ) { print $1, "\n"; }' $* }
+#getstrings () { perl -ne 'while ( m/"(.*?)"/gc ) { print $1, "\n"; }' $*}
+#showINC ()    { perl -e 'for (@INC) { printf "%d %s\n", $i++, $_ }' }
+#vimpm ()      { vim `perldoc -l $1 | sed -e 's/pod$/pm/'` }
+#vimhelp ()    { vim -c "help $1" -c on -c "au! VimEnter *" }
+
+## END OF FILE #################################################################

roles/baseconfig/files/update-motd.d/00-logo

@@ -0,0 +1,40 @@
+#!/bin/sh
+# /etc/update-motd.d/00-logo
+# Deployed with Aurore Ansible !
+
+# Pretty uptime
+upSeconds="$(/usr/bin/cut -d. -f1 /proc/uptime)"
+mins=$((${upSeconds}/60%60))
+hours=$((${upSeconds}/3600%24))
+days=$((${upSeconds}/86400))
+UPTIME=`printf "%d jours, %02dh%02dm" "$days" "$hours" "$mins"`
+
+# RAM
+RAM=`free -m | awk 'NR==2{printf "%s/%sMB (%.2f%%)\n", $3,$2,$3*100/$2 }'`
+DISK=`df -h | awk '$NF=="/"{printf "%d/%dGB (%s)\n", $3,$2,$5}'`
+
+# Text font
+bold=$(tput bold)
+normal=$(tput sgr0)
+
+# Logo
+cat << EOF
+
+                                            ${bold}Uptime${normal} : ${UPTIME}
+                                            ${bold}Mémoire${normal} : ${RAM}
+                                            ${bold}Disque racine${normal} : ${DISK}
+                                         
+                                         
+                                         
+                                         
+                                         
+                                         
+                                         
+                                         
+                                         
+                                         
+                                         
+                                         
+                                         
+
+EOF

roles/baseconfig/tasks/apt-listchanges.yml

@@ -0,0 +1,20 @@
+---
+# Install apt-listchanges
+- name: Install apt-listchanges
+  when: ansible_os_family == "Debian"
+  apt:
+    name: apt-listchanges
+    state: present
+    update_cache: yes
+
+# Send email when there is something new
+- name: Configure apt-listchanges
+  lineinfile:
+    dest: /etc/apt/listchanges.conf
+    regexp: "^{{ item.key }}="
+    line: "{{ item.value }}"
+  with_dict:
+    confirm: 'confirm=true'
+    email_address: "email_address={{ monitoring_mail }}"
+    which: 'which=both'
+

roles/baseconfig/tasks/main.yml

@@ -0,0 +1,58 @@
+---
+# Should contain only small tools that everyone can't live without
+- name: Install basic tools
+  when: ansible_os_family == "Debian"
+  apt:
+    name: "{{ packages }}"
+    state: present
+    update_cache: yes
+  vars:
+    packages:
+    - bash-completion   # for bash users
+    - zsh               # alternative shell
+    - sudo              # to gain root access
+    - git               # code versioning
+    - nano              # basic text editor
+    - vim               # like nano but more powerful and complex
+    - htop              # better than top
+    - less              # i like cats
+    - tree              # create a graphical tree of files
+    - ipython           # better Python shell
+    - acl               # for Ansible become support
+
+# Pimp my server
+- name: Customize motd
+  copy:
+    src: 'update-motd.d/00-logo'
+    dest: '/etc/update-motd.d/00-logo'
+    mode: 0755
+
+# Configure APT mirrors on Debian Stretch
+- name: Configure APT mirrors
+  when: ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'
+  template:
+    src: 'apt/sources.list'
+    dest: '/etc/apt/sources.list'
+    mode: 0644
+
+# Patriotisme
+- name: Ensure French UTF-8 locale exists
+  locale_gen:
+    name: fr_FR.UTF-8
+    state: present
+
+# Molly-Guard : prevent accidental shutdowns
+- include_tasks: molly-guard.yml
+
+# APT-List Changes : send email with changelog
+- include_tasks: apt-listchanges.yml
+
+# User skeleton
+- name: Configure user skeleton
+  copy:
+    src: skel/{{ item.key }}
+    dest: /etc/skel/{{ item.value }}
+  with_dict:
+    dot_zshrc: .zshrc
+    dot_zshrc.local: .zshrc.local
+

roles/baseconfig/tasks/molly-guard.yml

@@ -0,0 +1,16 @@
+---
+# Install molly-guard
+- name: Install molly-guard
+  when: ansible_os_family == "Debian"
+  apt:
+    name: molly-guard
+    state: present
+    update_cache: yes
+
+# Always ask for hostname
+- name: Configure molly-guard
+  lineinfile:
+    dest: /etc/molly-guard/rc
+    regexp: '^#*\s*ALWAYS_QUERY_HOSTNAME.*$'
+    line: 'ALWAYS_QUERY_HOSTNAME=true'
+

roles/baseconfig/templates/apt/sources.list

@@ -0,0 +1,32 @@
+# /etc/apt/sources.list
+# Deployed with Aurore Ansible !
+{# #}
+{# Default mirror #}
+{% if debian_mirror is not defined %}
+{% set debian_mirror = 'http://ftp.fr.debian.org/debian' %}
+{% endif %}
+{# #}
+{# Default security mirror #}
+{% if debian_security_mirror is not defined %}
+{% set debian_security_mirror = 'http://security.debian.org' %}
+{% endif %}
+{# #}
+{# Default components #}
+{% if debian_components is not defined %}
+{% set debian_components = 'main contrib' %}
+{% endif %}
+
+# Classic updates
+deb {{ debian_mirror }} {{ ansible_distribution_release }} {{ debian_components }}
+
+# Frequent updates
+deb {{ debian_mirror }} {{ ansible_distribution_release }}-updates {{ debian_components }}
+
+# Security updates
+deb {{ debian_security_mirror }} {{ ansible_distribution_release }}/updates {{ debian_components }}
+
+{% if debian_backport is defined and debian_backport %}
+# Backports
+deb {{ debian_security_mirror }} {{ ansible_distribution_release }}-backports {{ debian_components }}
+{% endif %}
+

roles/dokuwiki

@@ -1 +0,0 @@
-Subproject commit 09558fca2433a9ebda515f790500305ebcd8484d

roles/dokuwiki/README.md

@@ -0,0 +1,13 @@
+# Rôle baseconfig
+
+Ce rôle Ansible permet d'installer DokuWiki avec un serveur Apache et PHP7.
+
+Il doit être exécuté en tant que super-utilisateur
+(option `-b` pour `--become`).
+
+## Migration future à Buster
+
+Actuellement le paquet DokuWiki est pinné sur Debian Buster.
+Quand il sera sorti et que l'on passera dessus on pourra supprimer la
+majorité des tâches de ce rôle.
+

roles/dokuwiki/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+# For DokuWiki package
+- name: Configure Debian Buster mirrors
+  when: ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'
+  template:
+    src: 'apt/buster.list'
+    dest: '/etc/apt/sources.list.d/buster.list'
+    mode: 0644
+
+# For DokuWiki package
+- name: Configure DokuWiki pin
+  when: ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'
+  template:
+    src: 'apt/dokuwiki'
+    dest: '/etc/apt/preferences.d/dokuwiki'
+    mode: 0644
+
+# Install
+- name: Install DokuWiki
+  apt:
+    name: dokuwiki
+    state: present
+    update_cache: yes
+

roles/dokuwiki/templates/apt/buster.list

@@ -0,0 +1,11 @@
+# /etc/apt/sources.list.d/buster.list
+# Deployed with Aurore Ansible !
+{# #}
+{# Default mirror #}
+{% if debian_mirror is not defined %}
+{% set debian_mirror = 'http://ftp.fr.debian.org/debian' %}
+{% endif %}
+
+deb {{ debian_mirror }} buster main
+deb-src {{ debian_mirror }} buster main
+

roles/dokuwiki/templates/apt/dokuwiki

@@ -0,0 +1,11 @@
+# /etc/apt/preferences.d/dokuwiki
+# Deployed with Aurore Ansible !
+
+Package: *
+Pin: release n=stretch*
+Pin-Priority: 990
+
+Package: dokuwiki
+Pin: release n=buster
+Pin-Priority: 990
+

roles/etherpad

@@ -1 +0,0 @@
-Subproject commit 4a621d81d23f14e6f5efc2b55e0a16df6c7c38f9

roles/etherpad/README.md

@@ -0,0 +1,7 @@
+# Rôle EtherPad
+
+Ce rôle Ansible permet d'installer EtherPad.
+
+Il doit être exécuté en tant que super-utilisateur
+(option `-b` pour `--become`).
+

roles/etherpad/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+# Reload systemd daemons when a service file changes
+- name: Reload systemd daemons
+  command: systemctl daemon-reload
+

roles/etherpad/tasks/0_apt_dependencies.yml

@@ -0,0 +1,22 @@
+---
+# For NodeJS package
+- name: Configure NodeJS pin
+  when: ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'
+  template:
+    src: 'apt/nodejs'
+    dest: '/etc/apt/preferences.d/nodejs'
+    mode: 0644
+
+# Install EtherPad dependencies
+- name: Install required packages
+  apt:
+    name: "{{ item }}"
+    state: present
+    update_cache: yes
+  with_items:
+    - build-essential
+    - curl
+    - git
+    - nodejs
+    - npm
+

roles/etherpad/tasks/1_user_group.yml

@@ -0,0 +1,27 @@
+---
+# Security #1
+- name: Create EtherPad system group
+  group:
+    name: etherpad
+    system: yes
+    state: present
+
+# Security #2
+- name: Create EtherPad user
+  user:
+    name: etherpad
+    group: etherpad
+    home: '/var/local/etherpad'
+    comment: EtherPad
+    system: yes
+    state: present
+
+# Security #3
+- name: Secure Etherpad home directory
+  file:
+    path: '/var/local/etherpad'
+    state: directory
+    owner: etherpad
+    group: etherpad
+    mode: 0750
+

roles/etherpad/tasks/main.yml

@@ -0,0 +1,60 @@
+---
+# Install APT dependencies
+- include_tasks: 0_apt_dependencies.yml
+
+# Create EtherPad user and group
+- include_tasks: 1_user_group.yml
+
+# Download EtherPad
+- name: Clone EtherPad project
+  git:
+    repo: 'https://github.com/ether/etherpad-lite.git'
+    dest: '/var/local/etherpad/etherpad-lite'
+    version: master
+  become: true
+  become_user: etherpad
+
+# Installation script
+# TODO: move this in a handler
+- name: Install Etherpad dependencies
+  command: bin/installDeps.sh
+  args:
+    chdir: '/var/local/etherpad/etherpad-lite'
+  become: true
+  become_user: etherpad
+
+# Configuration
+- name: Configure EtherPad
+  lineinfile:
+    dest: '/var/local/etherpad/etherpad-lite/settings.json'
+    regexp: '^\s*"{{ item.key }}"'
+    line: "{{ item.value }}"
+  with_dict:
+    title: "  \"title\": \"Etherpad Aurore\","
+    dbType: "  \"dbType\" : \"postgres\","
+    defaultPadText: "  \"defaultPadText\" : \"Bienvenue sur l'EtherPad d'Aurore !\\n\\nCe pad est synchronisé avec les autres utilisateur·rice·s présent·e·s sur cette page.\\n\","
+    lang: "    \"lang\": \"fr-fr\""
+
+# Service file
+- name: Install EtherPad systemd unit
+  template:
+    src: 'systemd/etherpad-lite.service.j2'
+    dest: '/etc/systemd/system/etherpad-lite.service'
+    owner: root
+    group: root
+    mode: 0644
+  notify: Reload systemd daemons
+
+# Run
+- name: Ensure that EtherPad is started
+  service:
+    name: etherpad-lite
+    state: started
+    enabled: True
+
+# La configuration de la clé `dbSettings` n'est pas encore automatisé !
+
+# TODO-list
+#  * Configure admin user, logs
+# Plugins : https://framacloud.org/fr/cultiver-son-jardin/etherpad.html#concernant-framapad
+

roles/etherpad/templates/apt/nodejs

@@ -0,0 +1,7 @@
+# /etc/apt/preferences.d/dokuwiki
+# Deployed with Aurore Ansible !
+
+Package: node* libuv1*
+Pin: release a=stretch-backports
+Pin-Priority: 600
+

roles/etherpad/templates/systemd/etherpad-lite.service.j2

@@ -0,0 +1,19 @@
+# /etc/systemd/system/etherpad-lite.service
+# Deployed with Aurore Ansible !
+
+[Unit]
+Description=Etherpad-lite, the collaborative editor.
+After=syslog.target network-online.target mysql.service postgresql.service
+Conflicts=shutdown.target
+
+[Service]
+Type=simple
+User=etherpad
+Group=etherpad
+WorkingDirectory=/var/local/etherpad/etherpad-lite
+ExecStart=/usr/bin/nodejs /var/local/etherpad/etherpad-lite/node_modules/ep_etherpad-lite/node/server.js
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+

roles/ldap-client

@@ -1 +0,0 @@
-Subproject commit f6dbb1d53fe8f81fabf0e0a6101bc54473d9abd3

roles/ldap-client/README.md

@@ -0,0 +1,7 @@
+# Rôle LDAP client
+
+Ce rôle Ansible a pour but de mettre en place l'authentification
+sur un serveur par LDAP.
+
+Il doit être exécuté en tant que super-utilisateur
+(option `-b` pour `--become`).

roles/ldap-client/handlers/main.yml

@@ -0,0 +1,17 @@
+---
+- name: Reconfigure libnss-ldapd package
+  command: 'dpkg-reconfigure libnss-ldapd -f noninteractive'
+
+- name: Restart nslcd service
+  service:
+    name: nslcd
+    state: restarted
+
+# Empty cache when nslcd is restarted
+- name: Restart nscd service
+  service:
+    name: nscd
+    state: restarted
+  ignore_errors: true  # Sometimes service do not exist
+  listen: 'Restart nslcd service'
+

roles/ldap-client/tasks/0_install_ldap.yml

@@ -0,0 +1,41 @@
+---
+# Install LDAP client packages
+- name: Install LDAP client packages
+  apt:
+    name: "{{ item }}"
+    state: present
+    update_cache: yes
+  with_items:
+    - nslcd
+    - libnss-ldapd
+    - libpam-ldapd
+
+# Reduce LDAP load
+# For the moment it is broken on Stretch when using PHP7.3
+#- name: Install LDAP cache package
+#  apt:
+#    name: nscd
+#    state: present
+#    update_cache: yes
+
+# Configure /etc/nslcd.conf
+- name: Configure nslcd LDAP credentials
+  template:
+    src: nslcd.conf.j2
+    dest: /etc/nslcd.conf
+    mode: 0600
+  notify: 'Restart nslcd service'
+
+# Configure /etc/nsswitch.conf
+- name: Configure NSS to use LDAP
+  lineinfile:
+    dest: /etc/nsswitch.conf
+    regexp: "^{{ item.key }}:"
+    line: "{{ item.value }}"
+  with_dict:
+    passwd:  'passwd:         files ldap'
+    group:   'group:          files ldap'
+    shadow:  'shadow:         files ldap'
+    sudoers: 'sudoers:        files ldap'
+  notify: 'Restart nslcd service'
+

roles/ldap-client/tasks/1_group_security.yml

@@ -0,0 +1,21 @@
+---
+# Filter SSH on groups
+- name: Filter SSH on groups
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: '^AllowGroups'
+    line: "AllowGroups root sudoldap aurore ssh"
+
+# To gain root access with ldap rights
+- name: Install SUDO package
+  package:
+    name: sudo
+    state: present
+
+# Set sudo group
+- name: Configure sudoers
+  lineinfile:
+    dest: /etc/sudoers
+    regexp: "^%{{ sudo_group }}"
+    line: "%{{ sudo_group }}	ALL=(ALL:ALL) ALL"
+

roles/ldap-client/tasks/2_userland_scripts.yml

@@ -0,0 +1,18 @@
+---
+# Disable passwd and chsh
+- name: Copy passwd and chsh scripts
+  template:
+    src: "{{ item }}"
+    dest: /usr/local/bin/
+    mode: 0755
+  with_items:
+    - 'chsh'
+    - 'passwd'
+
+# We do not want password change this way
+- name: Symlink chsh.ldap to chsh
+  file:
+    src: "/usr/local/bin/chsh"
+    dest: "/usr/local/bin/chsh.ldap"
+    state: link
+

roles/ldap-client/tasks/main.yml

@@ -0,0 +1,25 @@
+---
+# Install and configure main LDAP tools
+- include_tasks: 0_install_ldap.yml
+
+# Filter who can access server and sudo on groups
+- include_tasks: 1_group_security.yml
+
+# Some userland scripts specific to LDAP install
+- include_tasks: 2_userland_scripts.yml
+
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568577
+- name: Ensure home directories are created upon login
+  lineinfile:
+    dest: /etc/pam.d/common-account
+    regexp: 'pam_mkhomedir\.so'
+    line: "session required pam_mkhomedir.so skel=/etc/skel/ umask=0077"
+
+# If LDAP crashes
+- name: Install SSH keys for root account
+  authorized_key:
+    user: root
+    key: "{{ ssh_pub_keys }}"
+    state: present
+#    exclusive: True
+

roles/ldap-client/templates/chsh

@@ -0,0 +1,3 @@
+#!/bin/sh
+echo "Pour changer votre shell,\nAllez sur l'intranet : {{intranet_url}}"
+

roles/ldap-client/templates/nslcd.conf.j2

@@ -0,0 +1,39 @@
+# /etc/nslcd.conf
+# Deployed with Aurore Ansible !
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+{% if ldap_local_replica_uri is defined %}
+{% for uri in ldap_local_replica_uri %}
+uri {{ uri }}
+{% endfor %}
+{% endif %}
+uri {{ ldap_master_uri }}
+
+# The search base that will be used for all queries.
+base {{ ldap_base }}
+base passwd cn=Utilisateurs,{{ ldap_base }}
+base shadow cn=Utilisateurs,{{ ldap_base }}
+base group ou=posix,ou=groups,{{ ldap_base }}
+
+# The LDAP protocol version to use.
+ldap_version 3
+
+# The DN to bind with for normal lookups.
+binddn {{ ldap_nslcd_bind_dn }}
+bindpw {{ ldap_nslcd_passwd }}
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+#ssl off
+#tls_reqcert never
+tls_cacertfile /etc/ssl/certs/ca-certificates.crt
+
+# The search scope.
+#scope sub
+

roles/ldap-client/templates/passwd

@@ -0,0 +1,3 @@
+#!/bin/sh
+echo "Pour changer votre mot de passe,\nAllez sur l'intranet : {{intranet_url}}"
+

roles/ldap-replica

@@ -1 +0,0 @@
-Subproject commit b1e548be79082a67574962323e30a14434b86ec0

roles/ldap-replica/README.md

@@ -0,0 +1,10 @@
+# Rôle LDAP replica
+
+Ce rôle Ansible a pour but de mettre en place un serveur de replication LDAP.
+
+Il doit être exécuté en tant que super-utilisateur
+(option `-b` pour `--become`).
+
+DANGER ! Pour le moment il flushe le LDAP a chaque exécution à cause de la
+façon dont l'installation de re2o se fait. Donc ne l'exécutez pas pour tester !
+

roles/ldap-replica/tasks/main.yml

@@ -0,0 +1,57 @@
+---
+# slapd is OpenLDAP server
+- name: Install LDAP server
+  apt:
+    name: slapd
+    state: present
+    update_cache: yes
+
+# What is written after is really not a nice way to install a schema
+# because the LDAP is being flushed away always...
+# This is a problem in re2o installation method that may be fixed in the future.
+
+# Much nicer than install_re2o.sh way
+- name: Build schema
+  template:
+    src: schema.ldiff.j2
+    dest: /etc/ldap/schema.ldiff
+    mode: 0600
+
+# Downtime!
+- name: Stop LDAP server
+  service: name=slapd state=stopped
+
+# Cry a bit
+- name: Remove old data
+  file: path={{ item }} state=absent
+  with_items:
+    - /etc/ldap/slapd.d
+    - /var/lib/ldap
+
+# Cry a lot
+- name: Recreate structure
+  file: path={{ item }} state=directory
+  with_items:
+    - /etc/ldap/slapd.d
+    - /var/lib/ldap
+
+# Install schema as root
+# We can't do a `become_user` here
+- name: Install LDAP schema
+  command: 'slapadd -n 0 -l /etc/ldap/schema.ldiff -F /etc/ldap/slapd.d'
+
+# then fix permissions
+- name: Fix permissions
+  file:
+    path: "{{ item }}"
+    owner: openldap
+    group: openldap
+    recurse: yes
+  with_items:
+    - '/var/lib/ldap'
+    - '/etc/ldap/slapd.d'
+
+# Save the day
+- name: Start LDAP server
+  service: name=slapd state=started
+

roles/nginx-reverse-proxy

@@ -1 +0,0 @@
-Subproject commit 081384a08400e2c6c56fbb668756618e9b1b8024

roles/nginx-reverse-proxy/README.md

@@ -0,0 +1,7 @@
+# Rôle du Reversed Proxy NGINX
+
+Ce rôle Ansible a pour but de mettre en place un proxy inversé avec NGINX.
+
+Il doit être exécuté en tant que super-utilisateur
+(option `-b` pour `--become`).
+

roles/nginx-reverse-proxy/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+# Reload NGINX when a site changes
+- name: Reload NGINX service
+  service:
+    name: nginx
+    state: reloaded
+

roles/nginx-reverse-proxy/tasks/main.yml

@@ -0,0 +1,33 @@
+---
+# nginx is the proxy server
+- name: Install NGINX server
+  apt:
+    name: nginx
+    state: present
+    update_cache: yes
+
+# Install sites
+- name: Configure NGINX sites
+  template:
+    src: nginx-sites-available.j2
+    dest: /etc/nginx/sites-available/{{ item.name }}
+    mode: 0644
+  loop: "{{ reversed_proxy_subdomains }}"
+  notify: Reload NGINX service
+
+# Desactive useless nginx sites
+- name: Deactivate the default NGINX site
+  file:
+    path: /etc/nginx/sites-enabled/default
+    state: absent
+  notify: Reload NGINX service
+
+# Activate sites
+- name: Activate sites
+  file:
+    src: /etc/nginx/sites-available/{{ item.name }}
+    dest: /etc/nginx/sites-enabled/{{ item.name }}
+    state: link
+  loop: "{{ reversed_proxy_subdomains }}"
+  notify: Reload NGINX service
+

roles/nginx-reverse-proxy/templates/nginx-sites-available.j2

@@ -0,0 +1,46 @@
+server {
+    server_name {{ item.from }};
+    include "snippets/proxy-common.conf";
+
+    location / {
+        return 302 https://$host$request_uri;
+    }
+
+    # On redirige tout ce qui concerne le challenge letsencrypt vers le meme dossier
+    # pour pouvoir utiliser le plugin webroot de letsencrypt
+    location /.well-known/acme-challenge {
+            alias /usr/share/nginx/html/.well-known/acme-challenge;
+    }
+}
+
+server {
+    include "snippets/proxy-common-ssl.conf";
+    server_name {{ item.from }};
+
+    # Separate log files
+    access_log  /var/log/nginx/{{ item.name }}.access.log;
+    error_log  /var/log/nginx/{{ item.name }}.error.log;
+
+    # Use LetsEncrypt SSL
+    ssl_certificate /etc/letsencrypt/live/auro.re/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/auro.re/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/auro.re/chain.pem;
+
+    location / {
+        proxy_redirect off;
+        proxy_pass http://{{ item.to }};
+        proxy_set_header Host {{ item.from }};
+        proxy_set_header P-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $remote_addr;
+
+        # "A man is not dead while his name is still spoken." -- Going Postal
+        add_header X-Clacks-Overhead "GNU Terry Pratchett";
+    }
+
+    # On redirige tout ce qui concerne le challenge letsencrypt vers le meme dossier
+    # pour pouvoir utiliser le plugin webroot de letsencrypt
+    location /.well-known/acme-challenge {
+            alias /usr/share/nginx/html/.well-known/acme-challenge;
+    }
+}
+