Add passphrase in turnserver.conf

.gitignore

@@ -1,3 +1,5 @@
 host*
 *.retry
-
+.*
+*.core
+*.\#*

CTbase.yml

@@ -1,11 +1,12 @@
+
 ---
 - hosts: test
   roles:
      - common
-
   # déclaration de la variables globales
   vars:
-    email: your_email@your_domain.com
-    cthostname: machine_hostname
-    domain: domain_name
+    email: kitoy@kitoy.me
+    cthostname: tablette
+    domain: kitoy.me
     create_user: false
+    installCertbot: false

DNSservice.yml

@@ -0,0 +1,17 @@
+
+---
+- hosts: iloth
+  roles:
+    - common
+    - ssl-cert
+    - unbound
+    - dnsdist
+    # déclaration de la variables globales
+  vars:
+    email: votre_adresse_email
+    cthostname: machine-name
+    domain: machine-name.domain.tld
+    create_user: False
+    installCertbot: True  
+    mode: standalone # nginx or standalone
+    alt_domains: "" # -d sub.domain.told

Turnservice.yml

@@ -0,0 +1,20 @@
+
+---
+- hosts: iloth
+  roles:
+    - common
+    - ssl-cert
+    - coturn
+    # déclarations des variables globales
+  vars:
+    ip_listen: 89.234.152.134
+    ip_public: 89.234.152.134
+    turnserver_port: 13780
+    passphrase: ILOTH # Va être afficher publiquement donc osef
+    cthostname: turn
+    domain: turn.iloth.net
+    create_user: False
+    installCertbot: True
+    email: contact@iloth.net # pour la certification avec certbot
+    mode: standalone # nginx or standalone
+    alt_domains: "" # -d sub.domain.told

bimsocial.yml

@@ -1,10 +1,12 @@
 ---
-- hosts: bim
+- hosts: test
   roles:
   - common
   - rbenv
   - nginx
   - postgresql
+  - nodejs
+  - yarn
   - mastodon
 
   # Déclaration des variables globales
@@ -12,9 +14,11 @@
     email: contact@bim.land
     domain: social.bim.land
     cthostname: social
-    create_user: true
+    create_user: True
     username: mastodon
-    installCertbot: true
-    debian_version: buster
-    nodejs_version: 12
-    ruby_version: 2.7.2
+    installCertbot: True
+    debian_version: bullseye
+    nodejs_version: 14
+    ruby_version: 2.7.5
+    mastodon_version: 3.4.10
+    restore: True

make_template.yml

@@ -0,0 +1,13 @@
+
+---
+- hosts: iloth
+  roles:
+    - common
+    # déclarations des variables globales
+  vars:
+    cthostname: tpl
+    domain: tpl.iloth.net
+    create_user: False
+    installCertbot: True
+    mode: standalone # nginx or standalone
+    alt_domains: "" # -d sub.domain.told

roles/common/defaults/main.yml

@@ -4,7 +4,6 @@ commonRequirePackages:
   - man
   - bash-completion
   - locales
-  - python-pip
   - wget
   - bzip2
   - lsof

roles/common/tasks/main.yml

@@ -9,7 +9,7 @@
 
 - name: Reload sshd service
   service:
-    name: sshd
+    name: ssh
     state: reloaded
 
 

roles/coturn/files/certbot-cron

@@ -0,0 +1,4 @@
+SHELL=/bin/sh
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --no-random-sleep-on-renew; setfacl -R -m u:turnserver:rx /etc/letsencrypt/; systemctl restart coturn;

roles/coturn/files/turnserver.conf

@@ -0,0 +1,17 @@
+tls-listening-port=__PORT__
+listening-ip=__IP_CONTAINER__
+relay-ip=__IP_CONTAINER__
+external-ip=__IP_EXT__
+server-name=__HOSTNAME__ 
+lt-cred-mech
+realm=__HOSTNAME__
+use-auth-secret
+static-auth-secret="__PASSPHRASE__"
+cert=__SSL_CRT__
+pkey=__SSL_KEY__
+no-stdout-log
+cipher-list="EECDH+AESGCM:EDH+AESGCM"
+ec-curve-name=secp384r1
+dh2066
+no-tlsv1
+no-tlsv1_1

roles/coturn/tasks/main.yml

@@ -0,0 +1,107 @@
+- name: Install CoTurn
+  apt:
+    name: 
+      - coturn
+      - acl
+    state: present
+
+- name: Allow Turnserver connexions
+  ufw:
+    rule: allow
+    port: "{{ turnserver_port }}"
+    proto: any
+
+- name: Copy Configuration file for coturn
+  ansible.builtin.copy:
+    src: turnserver.conf
+    dest: /etc/turnserver.conf
+    owner: root
+    group: root
+    mode: '0644'
+
+
+- name: Add port to listen on turnserver.conf
+  ansible.builtin.replace:
+    path: /etc/turnserver.conf
+    regexp: '__PORT__'
+    replace: '{{ turnserver_port }}' 
+
+- name: Add hostname on turnserver.conf      
+  ansible.builtin.replace:
+    path: /etc/turnserver.conf   
+    regexp: '__HOSTNAME__'
+    replace: '{{ domain }}'
+
+- name: Add IP to listen on turnserver.conf      
+  ansible.builtin.replace:
+    path: /etc/turnserver.conf
+    regexp: '__IP_CONTAINER__'   
+    replace: '{{ ip_listen }}'
+
+- name: Add IP public on turnserver.conf  
+  ansible.builtin.replace:
+    path: /etc/turnserver.conf
+    regexp: '__IP_EXT__' 
+    replace: '{{ ip_public }}'     
+
+- name: Add port to listen on turnserver.conf
+  ansible.builtin.replace:
+    path: /etc/turnserver.conf
+    regexp: '__PASSPHRASE__'
+    replace: '{{ passphrase }}' 
+
+
+
+- name: Add SSL keys to turnserver.conf
+  ansible.builtin.replace:
+    path: /etc/turnserver.conf
+    regexp: '__SSL_CRT__'
+    replace: '/etc/ssl/{{ domain}}.crt'
+  when: installCertbot == False
+
+- name: Add SSL keys to turnserver.conf
+  ansible.builtin.replace:
+    path: /etc/turnserver.conf
+    regexp: '__SSL_KEY__'
+    replace: '/etc/ssl/{{ domain}}.key'
+  when: installCertbot == False
+
+- name: permission to ssl cert 
+  shell: |
+    setfacl -R -m u:turnserver:rx /etc/ssl/"{{ domain }}".key
+    setfacl -R -m u:turnserver:rx /etc/ssl/"{{ domain }}".crt
+  when: installCertbot == False
+
+- name: Add SSL keys to turnserver.conf
+  ansible.builtin.replace:
+    path: /etc/turnserver.conf
+    regexp: '__SSL_CRT__'
+    replace: '/etc/letsencrypt/live/{{ domain }}/fullchain.pem'
+  when: installCertbot == True
+
+- name: Add SSL keys to turnserver.conf
+  ansible.builtin.replace:
+    path: /etc/turnserver.conf
+    regexp: '__SSL_KEY__'
+    replace: '/etc/letsencrypt/live/{{ domain }}/privkey.pem'
+  when: installCertbot == True
+
+- name: Set permission letsencrypt SSL keys 
+  shell: setfacl -R -m u:turnserver:rx /etc/letsencrypt/
+  when: installCertbot == True
+
+- name: Start coturn service
+  shell: "systemctl start coturn"
+
+- name: Enable systemd service
+  shell: "systemctl enable coturn"
+
+- name: Copy Configuration file for coturn
+  ansible.builtin.copy:
+    src: certbot-cron
+    dest: /etc/cron.d/certbot
+    owner: root
+    group: root
+    mode: '0644'
+  when: installCertbot == True
+  

roles/dnsdist/files/cetbot-cron

@@ -0,0 +1,5 @@
+
+SHELL=/bin/sh
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew; setfacl -R -m u:_dnsdist:rx /etc/letsencrypt/; systemctl restart dnsdist;

roles/dnsdist/files/dnsdist.conf

@@ -0,0 +1,29 @@
+addACL('0.0.0.0/0')
+-- addACL('::/0')
+
+addLocal('0.0.0.0:53',{doTCP=true, reusePort=true, tcpFastOpenSize=0}) 
+addTLSLocal("0.0.0.0", "__SSL_CRT__", "__SSL_KEY__",{ doTCP=true, reusePort=true, tcpFastOpenSize=X })      
+-- path for certs and listen address for DoT ipv4 , by default listens on port 853. Set X(int) for tcp fast open queue size.
+-- addTLSLocal("[::]", "__SSL_CRT__", "__SSL_KEY__",{ doTCP=true, reusePort=true, tcpFastOpenSize=X })         
+-- path for certs and listen address for DoT ipv6 , by default listens on port 853. Set X(int) for tcp fast open queue size.
+
+
+
+addDOHLocal("0.0.0.0:443", "__SSL_CRT__", "__SSL_KEY__", "/", { doTCP=true, reusePort=true, tcpFastOpenSize=X })        
+addDOHLocal("[::]:443", "__SSL_CRT__", "__SSL_KEY__", "/", { doTCP=true, reusePort=true, tcpFastOpenSize=X })        
+-- path for certs and listen address for DoH. Set X(int) for tcp fast open queue size.
+
+addAction(MaxQPSIPRule(20), DropAction())    -- set X(int) number of queries to be allowed per second from a IP
+addAction(AndRule({QTypeRule(DNSQType.ANY), TCPRule(false)}), DropAction())  -- drop ANY queries sent over udp , not useful for DoT and DoH only servers.
+
+pc = newPacketCache(10000, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false}) 
+getPool(""):setCache(pc)              -- deafult cache
+setServerPolicy(leastOutstanding)       -- server policy to choose the downstream servers for recursion
+
+newServer({address="127.0.0.1:5335", name="unbound"})     -- downstream servers for recursion
+
+
+setMaxUDPOutstanding(65535)
+--setMaxTCPConnectionDuration(X)      -- set X(int) for tcp connection duaration from a connected client. X is number of seconds.
+setMaxTCPConnectionsPerClient(110)    -- set X(int) for number of tcp connections from a single client. Useful for rate limiting the concurrent connections.
+

roles/dnsdist/tasks/main.yml

@@ -0,0 +1,97 @@
+---
+- name: Install dnsdist
+  apt:
+    name: 
+      - dnsdist
+      - acl
+    state: present
+
+- name: Allow DoT connexions
+  ufw:
+    rule: allow
+    port: 853
+    proto: tcp
+
+- name: Allow DoH connexions
+  ufw:
+    rule: allow
+    port: 443
+    proto: tcp
+    
+- name: Allow DNS connexions
+  ufw: 
+    rule: allow
+    port: 53
+    proto: any
+
+- name: Copy Configuration file for DNSdist
+  ansible.builtin.copy:
+    src: dnsdist.conf
+    dest: /etc/dnsdist/dnsdist.conf
+    owner: root
+    group: root
+    mode: '0644'
+
+
+- name: Add SSL keys to dnsdist.conf
+  ansible.builtin.replace:
+    path: /etc/dnsdist/dnsdist.conf
+    regexp: '__SSL_CRT__'
+    replace: '/etc/ssl/{{ domain}}.crt'
+  when: installCertbot == False
+
+- name: Add SSL keys to dnsdist.conf
+  ansible.builtin.replace:
+    path: /etc/dnsdist/dnsdist.conf
+    regexp: '__SSL_KEY__'
+    replace: '/etc/ssl/{{ domain}}.key'
+  when: installCertbot == False
+
+- name: permission to ssl cert 
+  shell: |
+    setfacl -R -m u:_dnsdist:rx /etc/ssl/"{{ domain }}".key
+    setfacl -R -m u:_dnsdist:rx /etc/ssl/"{{ domain }}".crt
+  when: installCertbot == False
+
+
+
+- name: Add SSL keys to dnsdist.conf
+  ansible.builtin.replace:
+    path: /etc/dnsdist/dnsdist.conf
+    regexp: '__SSL_CRT__'
+    replace: '/etc/letsencrypt/live/{{ domain}}/fullchain.pem'
+  when: installCertbot == True
+
+- name: Add SSL keys to dnsdist.conf
+  ansible.builtin.replace:
+    path: /etc/dnsdist/dnsdist.conf
+    regexp: '__SSL_KEY__'
+    replace: '/etc/letsencrypt/live/{{ domain}}/privkey.pem'
+  when: installCertbot == True
+
+- name: Set permission letsencrypt SSL keys 
+  shell: setfacl -R -m u:_dnsdist:rx /etc/letsencrypt/
+  when: installCertbot == True
+
+
+- name: Disable and stop systemd-resolved
+  shell: |
+    systemctl disable systemd-resolved
+    systemctl stop systemd-resolved || echo "systemd-resolved is already stopped"
+  
+- name: Start dnsdist service
+  shell: "systemctl start dnsdist"
+
+
+
+- name: Enable systemd service
+  shell: "systemctl enable dnsdist"
+
+- name: Copy cron certbot service
+  ansible.builtin.copy:
+    src: certbot-cron
+    dest: /etc/cron.d/certbot
+    owner: root
+    group: root
+    mode: '0644'
+    when: installCertbot == True

roles/mastodon/defaults/main.yml

@@ -28,3 +28,7 @@ requiredPackages:
   - libjemalloc-dev
   - redis-tools
   - redis-server
+  - gnupg
+  - apt-transport-https
+  - lsb-release
+  - ca-certificates

roles/mastodon/files/mastodon-clean

@@ -0,0 +1,17 @@
+#!/bin/bash -e
+
+cd /home/mastodon/live;
+export PATH="$HOME/.rbenv/bin:$PATH";
+eval "$(rbenv init -)";
+echo "Nettoyage du cache";
+RAILS_ENV=production /home/mastodon/live/bin/tootctl cache clear;
+
+
+echo "Nettoyage du cache des médias consultés agé de plus de 5 jours";
+RAILS_ENV=production /home/mastodon/live/bin/tootctl media remove --days 5;
+
+echo "Nettoyage du cache des prévisualisations agées de plus de 14 jours";
+RAILS_ENV=production /home/mastodon/live/bin/tootctl preview_cards remove --days 14;
+
+echo "Nettoyage des médias orphelins";
+RAILS_ENV=production /home/mastodon/live/bin/tootctl media remove-orphans;

roles/mastodon/tasks/main.yml

@@ -1,40 +1,29 @@
 ---
 
-- name: Add Yarn apt key
-  apt_key:
-    url: https://dl.yarnpkg.com/debian/pubkey.gpg
-    state: present
-
-- name: Add Yarn Repository
-  apt_repository:
-    repo: deb https://dl.yarnpkg.com/debian/ stable main
-    state: present
-
-- name: Install Yarn
-  apt:
-    name: yarn
-    state: present
-
-- name: Add Nodejs apt key
-  apt_key:
-    url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key
-    state: present
-
-- name: Add Nodes 12 repository
-  apt_repository:
-    repo: deb https://deb.nodesource.com/node_12.x buster main
-    state: present
-
-- name: Install NodeJs
-  apt:
-    name: nodejs
-    state: present
-
 - name: Install required by mastodon
   apt:
     name: "{{ requiredPackages }}"
     state: present
 
+- name: ensure postgresql is running
+  service:
+    name: postgresql
+    state: restarted
+
+- name: Create postgresql User Mastodon
+  become: yes
+  become_user: postgres
+  shell: psql -c "CREATE USER mastodon CREATEDB;"
+
+- name: Create Mastodon Database for restauration
+  become: yes
+  become_user: "{{ username }}"
+  shell: |
+    createdb -T template0 -E UTF8 mastodon_production
+  args:
+    executable: /bin/bash
+  when: restore == True
+
 - name: Install Mastodon from git
   become: yes
   become_user: "{{ username }}"
@@ -44,24 +33,27 @@
     eval "$(rbenv init -)"
     git clone https://github.com/tootsuite/mastodon.git live
     cd live
-    git checkout $(git tag -l | grep -v 'rc[0-9]*$' | sort -V | tail -n 1)
+    git checkout v"{{ mastodon_version }}"
     gem install bundler --no-document
     bundle config set deployment 'true'
     bundle config set without 'development test'
     bundle install
+  args:
+    executable: /bin/bash
+
+- name: Exec yarn install
+  become: yes
+  become_user: "{{ username }}"
+  ignore_errors: True
+  shell: |
+    cd
+    export PATH="$HOME/.rbenv/bin:$PATH"
+    eval "$(rbenv init -)"
+    cd live
     yarn install --pure-lockfile --non-interactive
   args:
     executable: /bin/bash
 
-- name: ensure postgresql is running
-  service:
-    name: postgresql
-    state: restarted
-
-- name: Create postgresql Database
-  become: yes
-  become_user: postgres
-  shell: psql -c "CREATE USER mastodon CREATEDB;"
 
 - name: Copy nginx configuration
   copy:

roles/nodejs/defaults/main.yml

@@ -2,4 +2,4 @@ requiredPackages:
   - apt-transport-https
 
 nodejs_version: 12
-debian_version: buster
+debian_version: bullseyes

roles/nodejs/tasks/main.yml

@@ -3,9 +3,9 @@
     url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key
     state: present
 
-- name: Add Nodes 12 repository
+- name: Add Nodes {{nodejs_version }} repository
   apt_repository:
-    repo: deb https://deb.nodesource.com/node_"{{ nodejs_version }}".x "{{ debian_version }}" main
+    repo: deb https://deb.nodesource.com/node_{{ nodejs_version }}.x {{ debian_version }} main
     state: present
 
 - name: Install NodeJs

roles/postgresql/tasks/main.yml

@@ -1,8 +1,18 @@
 ---
 
+- name: Add Postgresql apt key
+  apt_key:
+    url: https://www.postgresql.org/media/keys/ACCC4CF8.asc
+    state: present
+
+- name: Add Postgresql Repository
+  apt_repository:
+    repo: deb http://apt.postgresql.org/pub/repos/apt {{ debian_version }}-pgdg main
+    state: present
+
 - name: Install Postresql Server
   apt:
     name:
       - postgresql
       - postgresql-contrib
-      - python-psycopg2
+      - python3-psycopg2

roles/rbenv/tasks/main.yml

@@ -4,16 +4,6 @@
     name: "{{ requiredPackages }}"
     state: present
 
-- name: Copy rbenv installer
-  become: yes
-  become_user: "{{ username }}"
-  copy:
-    src: rbenv_installer.sh
-    dest: rbenv_installer.sh
-    owner: "{{ username }}"
-    group: "{{ username }}"
-    mode: 0755
-  when: create_user
 
 - name: Install rbenv
   become: yes
@@ -33,7 +23,7 @@
     cd ~
     export PATH="$HOME/.rbenv/bin:$PATH"
     eval "$(rbenv init -)"
-    RUBY_CONFIGURE_OPTS=--with-jemalloc rbenv install "{{ ruby_version }}"
+    rbenv install "{{ ruby_version }}"
     rbenv global "{{ ruby_version }}"
   args:
     executable: /bin/bash

roles/ssl-cert/tasks/main.yml

@@ -17,9 +17,16 @@
   when: installCertbot == False
 
 - name: Create self-signed certificate, if configured.
-  shell: "openssl req -x509 -nodes -subj '/CN={{ domain }}' -days 365 -newkey rsa:4096 -sha256 -keyout /etc/server/{{ domain }}/server.key -out /etc/server/{{ domain }}/server.crt"
+  shell: openssl req -x509 -nodes -subj '/CN={{ domain }}' -days 3650 -newkey rsa:4096 -sha256 -keyout /etc/ssl/"{{ domain }}".key -out /etc/ssl/"{{ domain }}".crt
   when: installCertbot == False
 
-- name: Create self-signed certificate, if configured.
-  shell: "certbot -certonly -d {{ domain }} --nginx -m contact@bim.land --agree-tos"
+- name: Open port 80 for letsencrypt challenge
+  ufw:
+    rule: allow
+    port: 80
+    proto: tcp
+  when: installCertbot == True
+
+- name: Create self-signed certificate, if configured.
+  shell: "certbot certonly --{{ mode }} -d {{ domain }} {{ alt_domains }} -m {{ email }} --agree-tos"
   when: installCertbot == True

roles/unbound/files/resolver.conf

@@ -0,0 +1,10 @@
+server:
+        port: 5335
+        interface: 127.0.0.1
+        do-ip4: yes
+        do-ip6: yes
+        access-control: 127.0.0.1/8 allow
+        hide-identity: yes
+        prefetch: yes
+        prefetch-key: yes
+        auto-trust-anchor-file: "/var/lib/unbound/root.key"

roles/unbound/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+
+- name: install unbound DNS server
+  apt: 
+    name: unbound
+    state: present
+
+
+
+- name: Copy Configuration file for unbound
+  ansible.builtin.copy:
+    src: resolver.conf
+    dest: /etc/unbound/unbound.conf
+    owner: root
+    group: root
+    mode: '0644'
+
+  
+- name: Enable and start unbound service
+  shell: |
+    systemctl enable unbound
+    systemctl restart unbound

roles/yarn/tasks/main.yml

@@ -1,5 +1,4 @@
 ---
----
 
 - name: Add Yarn apt key
   apt_key: