Update to 2021-12-01 19:13

roles/unmaintained/psono/defaults/main.yml

@@ -0,0 +1,94 @@
+---
+
+# Version to deploy
+psono_server_version: 1.13.5
+psono_server_archive_url: https://gitlab.com/psono/psono-server/-/archive/v{{ psono_server_version }}/psono-server-v{{ psono_server_version }}.tar.gz
+psono_server_archive_sha1: 49ebacb389e01b7a6007b6c94468d60714cae658
+
+psono_client_version: 1.15.6
+psono_client_archive_url: https://psono.jfrog.io/psono/psono/client/v{{ psono_client_version }}/webclient.zip
+psono_client_archive_sha1: 8ab1a2270afb6a3542bdb618b4c11dc21f869a40
+
+psono_admin_version: 1.1.0
+psono_admin_archive_url: https://psono.jfrog.io/psono/psono/admin-client/v1.1.0/webclient.zip
+psono_admin_archive_sha1: 43b5621c43da2604eb1ec827ab8f9b7d8729aef0
+
+# Should ansible manage upgrades or only initial install
+psono_manage_upgrade: True
+
+# Directory where psono will be installed
+psono_root_dir: /opt/psono
+
+# Psono database settings
+psono_db_server: "{{ pg_server | default('localhost') }}"
+psono_db_port: 5432
+psono_db_name: psono
+psono_db_user: psono
+# Will be generated if not defined
+#psono_db_pass: S3crEt.
+
+# Unix account under which psono will run
+psono_user: psono
+
+# TCP port on which psono server will bind
+psono_server_port: 5130
+# List of IP / cidr for which the port will be opened
+psono_server_src_ip: []
+# LIst of IP / cidr for which access through nginx will be allowed
+psono_web_src_ip: []
+
+# psono_secret_key: 
+# psono_activtion_link_secret:
+# psono_db_secret:
+# psono_email_secret_salt:
+# psono_private_key:
+# psono_public_key:
+
+psono_allowed_hosts:
+  - '*'
+psono_allowed_domains:
+  - "{{ ansible_domain }}"
+  - "{{ psono_public_url | urlsplit('hostname') }}"
+
+psono_allow_lost_password: False
+# Should user registration be allowed
+psono_allow_registration: True
+# Optional list of email domains which will be accepted for registration
+# psono_registration_email_filter: []
+
+# Public URL on which you can access psono
+# will most likely need to be adapted (point on your rev proxy)
+psono_public_url: http://{{ inventory_hostname }}:{{ psono_server_port }}
+
+# Certificate for nginx proxy
+# You can either specify a path for cert and key
+# psono_cert_path: /path/to/cert.pem
+# psono_key_path: /path/to/key.pem
+#
+# Or you can set this to the name of a certificate obtained with dehydrated
+# psono_letsencrypt_cert: psono.domain.tld
+#
+# Or you can just set it to True so Let's Encrypt cert will be created based on the hostname in the public_url
+# psono_letsencrypt_cert: True
+psono_letsencrypt_cert: False
+
+# From email used
+psono_from_email: psono-noreply@{{ ansible_domain }}
+
+# Psono can use redis to cache stuff
+psono_redis_server: redis://localhost:6379/3
+
+# config.json for both client and admin
+psono_client_base_config:
+  backend_servers:
+    - title: Psono Password Manager
+      url: "{{ psono_public_url | default('') }}"
+  base_url: "{{ psono_public_url | default('') }}"
+  allow_custom_server: False
+  allow_registration: "{{ psono_allow_registration }}"
+  allow_lost_password: "{{ psono_allow_lost_password }}"
+  authentication_methods:
+    - AUTHKEY
+psono_client_extra_conf: {}
+psono_client_conf: "{{ psono_client_base_config | combine(psono_client_extra_conf, recursive=True) }}"
+

roles/unmaintained/psono/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+
+- name: restart psono-server
+  service: name=psono-server state=restarted

roles/unmaintained/psono/meta/main.yml

@@ -0,0 +1,9 @@
+---
+
+dependencies:
+  - role: mkdir
+  - role: postgresql_server
+    when: psono_db_server == 'localhost' or psono_db_server == '127.0.0.1'
+  - role: redis_server
+    when: psono_redis_server | urlsplit('hostname') == 'localhost' or psono_redis_server | urlsplit('hostname') == '127.0.0.1'
+  - role: nginx

roles/unmaintained/psono/tasks/archive_post.yml

@@ -0,0 +1,17 @@
+---
+
+- name: Compress previous version
+  command: tar cf {{ psono_root_dir }}/archives/{{ item.component }}_{{ item.version }}.txz ./
+  environment:
+    XZ_OPT: -T0
+  args:
+    chdir: "{{ psono_server_root_dir }}/archives/{{ item.component }}_{{ item.version }}"
+    warn: False
+  loop:
+    - component: server
+      version: "{{ psono_server_current_version }}"
+    - component: client
+      version: "{{ psono_client_current_version }}"
+    - component: admin
+      version: "{{ psono_admin_current_version }}"
+  tags: psono

roles/unmaintained/psono/tasks/archive_pre.yml

@@ -0,0 +1,38 @@
+---
+
+- name: Create archive dir
+  file: path={{ psono_root_dir }}/archives/{{ item }} state=directory
+  loop:
+    - server_{{ psono_server_current_version }}
+    - client_{{ psono_client_current_version }}
+    - admin_{{ psono_admin_current_version }}
+  tags: psono
+
+- name: Archive previous version
+  synchronize:
+    src: "{{ psono_root_dir }}/{{ item.src }}"
+    dest: "{{ psono_root_dir }}/archives/{{ item.dest }}/"
+    recursive: True
+    delete: True
+  loop:
+    - src: server
+      dest: server_{{ psono_server_current_version }}
+    - src: client
+      dest: client_{{ psono_client_current_version }}
+    - src: admin
+      dest: admin_{{ psono_admin_current_version }}
+  delegate_to: "{{ inventory_hostname }}"
+  tags: psono
+
+- name: Archive database
+  command: >
+    /usr/pgsql-14/bin/pg_dump
+    --clean
+    --create
+    --host={{ psono_db_server }}
+    --port={{ psono_db_port }}
+    --username=sqladmin {{ psono_db_name }}
+    --file={{ psono_root_dir }}/archives/server_{{ psono_server_current_version }}/{{ psono_db_name }}.sql
+  environment:
+    - PGPASSWORD: "{{ pg_admin_pass }}"
+  tags: psono

roles/unmaintained/psono/tasks/cleanup.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Remove temp files
+  file: path={{ item }} state=absent
+  loop:
+    - "{{ psono_root_dir }}/tmp/psono-server-v{{ psono_server_version }}.tar.gz"
+    - "{{ psono_root_dir }}/tmp/psono-server-v{{ psono_server_version }}"
+    - "{{ psono_root_dir }}/tmp/.psono_server"
+  tags: psono

roles/unmaintained/psono/tasks/conf.yml

@@ -0,0 +1,80 @@
+---
+
+- name: Check is secrets have been created
+  stat: path={{ psono_root_dir }}/meta/ansible_{{ item }}
+  register: psono_server_secrets
+  loop:
+    - SECRET_KEY
+    - ACTIVATION_LINK_SECRET
+    - DB_SECRET
+    - EMAIL_SECRET_SALT
+    - PRIVATE_KEY
+    - PUBLIC_KEY
+  tags: psono
+
+- when: psono_server_secrets.results | selectattr('stat.exists', 'equalto', True) | list | length < 6
+  tags: psono
+  block:
+  - name: Create temporary PSONO_HOME
+    file: path={{ psono_root_dir }}/tmp/.psono_server state=directory
+  
+  - name: Deploy a temp config
+    copy: src={{ psono_root_dir }}/server/app/configs/mainconfig/settings.yaml dest={{ psono_root_dir }}/tmp/.psono_server/ remote_src=True
+  
+  - name: Generate server's secrets
+    shell: |
+      {{ psono_root_dir }}/server/venv/bin/python3 \
+        {{ psono_root_dir }}/server/app/psono/manage.py \
+        generateserverkeys > {{ psono_root_dir }}/tmp/keys.tmp
+      {% for item in psono_server_secrets.results %}
+      [ -e {{ psono_root_dir }}/meta/ansible_{{ item.item }} ] || \
+        cat {{ psono_root_dir }}/tmp/keys.tmp | grep -P '^{{ item.item }}' | \
+        sed -e 's/^{{ item.item }}: //' | \
+        xargs > {{ psono_root_dir }}/meta/ansible_{{ item.item }}
+      chmod 600 {{ psono_root_dir }}/meta/ansible_{{ item.item }}
+      {% endfor %}
+      rm -f {{ psono_root_dir }}/tmp/keys.tmp
+    environment:
+      PSONO_HOME: "{{ psono_root_dir }}/tmp/"
+
+- name: Read secrets
+  command: cat {{ psono_root_dir }}/meta/ansible_{{ item }}
+  register: psono_tokens
+  loop:
+    - SECRET_KEY
+    - ACTIVATION_LINK_SECRET
+    - DB_SECRET
+    - EMAIL_SECRET_SALT
+    - PRIVATE_KEY
+    - PUBLIC_KEY
+  changed_when: False
+  tags: psono
+
+- name: Deploy configuration
+  template: src=settings.yaml.j2 dest={{ psono_root_dir }}/server/.psono_server/settings.yaml owner={{ psono_user }} group={{ psono_user }} mode=600
+  notify:
+    - restart psono-server
+  tags: psono
+
+- name: Migrate database
+  django_manage:
+    command: migrate
+    app_path: "{{ psono_root_dir }}/server/app/psono"
+    virtualenv: "{{ psono_root_dir }}/server/venv"
+  environment:
+    - PSONO_HOME: "{{ psono_root_dir }}/server"
+  when: psono_server_install_mode != 'none'
+  notify: restart psono-server
+  tags: psono
+
+- name: Deploy client and admin conf file
+  template: src=webclient.json.j2 dest={{ psono_root_dir }}/{{ item }}/config.json
+  loop:
+    - client
+    - admin
+  tags: psono
+
+- name: Deploy nginx configuration
+  template: src=nginx.conf.j2 dest=/etc/nginx/ansible_conf.d/31-psono.conf
+  notify: reload nginx
+  tags: psono

roles/unmaintained/psono/tasks/directories.yml

@@ -0,0 +1,20 @@
+---
+
+- name: Create directories
+  file: path={{ item.path }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  loop:
+    - path: "{{ psono_root_dir }}/client"
+    - path: "{{ psono_root_dir }}/admin"
+    - path: "{{ psono_root_dir }}/server/app"
+    - path: "{{ psono_root_dir }}/server/venv"
+    - path: "{{ psono_root_dir }}/meta"
+      mode: 700
+    - path: "{{ psono_root_dir }}/tmp"
+      mode: 700
+    - path: "{{ psono_root_dir }}/backup"
+      mode: 700
+    - path: "{{ psono_root_dir }}/server/.psono_server"
+      owner: "{{ psono_user }}"
+      group: "{{ psono_user }}"
+      mode: 700
+  tags: psono

roles/unmaintained/psono/tasks/facts.yml

@@ -0,0 +1,80 @@
+---
+
+- name: Set initial install modes
+  block:
+    - set_fact: psono_server_install_mode='none'
+    - set_fact: psono_server_current_version=''
+    - set_fact: psono_client_install_mode='none'
+    - set_fact: psono_client_current_version=''
+    - set_fact: psono_admin_install_mode='none'
+    - set_fact: psono_admin_current_version=''
+  tags: psono
+
+- name: Check if server is installed
+  stat: path={{ psono_root_dir }}/meta/ansible_server_version
+  register: psono_server_version_file
+  tags: psono
+
+- when: psono_server_version_file.stat.exists
+  block:
+    - name: Check installed version
+      slurp: src={{ psono_root_dir }}/meta/ansible_server_version
+      register: psono_server_current_version
+    - set_fact: psono_server_current_version={{ psono_server_current_version.content | b64decode | trim }}
+    - set_fact: psono_server_install_mode='upgrade'
+      when: psono_server_current_version != psono_server_version
+  tags: psono
+
+- when: not psono_server_version_file.stat.exists
+  block:
+    - set_fact: psono_server_install_mode='install'
+  tags: psono
+
+- name: Check if client is installed
+  stat: path={{ psono_root_dir }}/meta/ansible_client_version
+  register: psono_client_version_file
+  tags: psono
+
+- when: psono_client_version_file.stat.exists
+  block:
+    - name: Check installed version
+      slurp: src={{ psono_root_dir }}/meta/ansible_client_version
+      register: psono_client_current_version
+    - set_fact: psono_client_current_version={{ psono_client_current_version.content | b64decode | trim }} 
+    - set_fact: psono_client_install_mode='upgrade'
+      when: psono_client_current_version != psono_client_version and psono_manage_upgrade
+  tags: psono
+
+- when: not psono_client_version_file.stat.exists
+  block:
+    - set_fact: psono_client_install_mode='install'
+  tags: psono
+
+- name: Check if admin is installed
+  stat: path={{ psono_root_dir }}/meta/ansible_admin_version
+  register: psono_admin_version_file
+  tags: psono
+
+- when: psono_admin_version_file.stat.exists
+  block:
+    - name: Check installed version
+      slurp: src={{ psono_root_dir }}/meta/ansible_admin_version
+      register: psono_admin_current_version
+    - set_fact: psono_admin_current_version={{ psono_admin_current_version.content | b64decode | trim }}
+    - set_fact: psono_admin_install_mode='upgrade'
+      when: psono_admin_current_version != psono_admin_version and psono_manage_upgrade
+  tags: psono
+
+- when: not psono_admin_version_file.stat.exists
+  block:
+    - set_fact: psono_admin_install_mode='install'
+  tags: psono
+
+- when: psono_db_pass is not defined
+  tags: psono
+  block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ psono_root_dir }}/meta/ansible_dbpass"
+    - set_fact: psono_db_pass={{ rand_pass }}
+

roles/unmaintained/psono/tasks/install.yml

@@ -0,0 +1,164 @@
+---
+
+- name: Install needed tools
+  yum:
+    name:
+      - git
+      - gcc
+      - openssl-devel
+      - libffi-devel
+      - openldap-devel
+      - python3-devel
+      - python3-pip
+      - python3-virtualenv
+      - python-setuptools
+      - postgresql-devel
+      - postgresql11
+  tags: psono
+
+- when: psono_server_install_mode != 'none'
+  tags: psono
+  block:
+    - name: Download psono
+      get_url:
+        url: "{{ item.url }}"
+        dest: "{{ psono_root_dir }}/tmp"
+        checksum: sha1:{{ item.sha1 }}
+      loop:
+        - url: "{{ psono_server_archive_url }}"
+          sha1: "{{ psono_server_archive_sha1 }}"
+    
+    - name: Extract server archive
+      unarchive:
+        src: "{{ psono_root_dir }}/tmp/psono-server-v{{ psono_server_version }}.tar.gz"
+        dest: "{{ psono_root_dir }}/tmp/"
+        remote_src: True
+    
+    - name: Move files to their final location
+      synchronize:
+        src: "{{ psono_root_dir }}/tmp/psono-server-v{{ psono_server_version }}/"
+        dest: "{{ psono_root_dir }}/server/app/"
+        recursive: True
+        delete: True
+      delegate_to: "{{ inventory_hostname }}"
+      notify: restart psono-server
+
+- name: Create the PostgreSQL role
+  postgresql_user:
+    db: postgres
+    name: "{{ psono_db_user }}"
+    password: "{{ psono_db_pass }}"
+    login_host: "{{ psono_db_server }}"
+    login_user: sqladmin
+    login_password: "{{ pg_admin_pass }}"
+  tags: psono
+
+- name: Create the PostgreSQL database
+  postgresql_db:
+    name: "{{ psono_db_name }}"
+    encoding: UTF-8
+    lc_collate: C
+    lc_ctype: C
+    template: template0
+    owner: "{{ psono_db_user }}"
+    login_host: "{{ psono_db_server }}"
+    login_user: sqladmin
+    login_password: "{{ pg_admin_pass }}"
+  tags: psono
+
+- name: Enable required PostgreSQL extensions
+  postgresql_ext:
+    name: "{{ item }}"
+    db: "{{ psono_db_name }}"
+    login_host: "{{ psono_db_server }}"
+    login_user: sqladmin
+    login_password: "{{ pg_admin_pass }}"
+  loop:
+    - pgcrypto
+    - ltree
+  tags: psono
+
+- name: Create the virtualenv
+  pip:
+    name:
+      - gunicorn
+    state: "{{ (psono_server_install_mode == 'none') | ternary('present', 'latest') }}"
+    virtualenv: "{{ psono_root_dir }}/server/venv"
+    virtualenv_command: /usr/bin/virtualenv-3
+    virtualenv_python: /usr/bin/python3
+  tags: psono
+
+- name: Install python modules in the virtualenv
+  pip:
+    requirements: "{{ psono_root_dir }}/server/app/requirements.txt"
+    state: "{{ (psono_server_install_mode == 'none') | ternary('present', 'latest') }}"
+    virtualenv: "{{ psono_root_dir }}/server/venv"
+    virtualenv_command: /usr/bin/virtualenv-3
+    virtualenv_python: /usr/bin/python3
+  tags: psono
+
+- name: Deploy systemd units
+  template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }}
+  loop:
+    - psono-server.service
+    - psono-cleartoken.service
+    - psono-cleartoken.timer
+  register: psono_units
+  notify: restart psono-server
+  tags: psono
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: psono_units.results | selectattr('changed','equalto',True) | list | length > 0
+  tags: psono
+
+- when: psono_client_install_mode != 'none'
+  tags: psono
+  block:
+    - name: Download psono client
+      get_url:
+        url: "{{ item.url }}"
+        dest: "{{ psono_root_dir }}/tmp/client.zip"
+        checksum: sha1:{{ item.sha1 }}
+      loop:
+        - url: "{{ psono_client_archive_url }}"
+          sha1: "{{ psono_client_archive_sha1 }}"
+    
+    - name: Remove previous version
+      file: path={{ psono_root_dir }}/client state=absent
+    - file: path={{ psono_root_dir }}/client state=directory
+    
+    - name: Extract archive
+      unarchive:
+        src: "{{ psono_root_dir }}/tmp/client.zip"
+        dest: "{{ psono_root_dir }}/client/"
+        remote_src: True
+
+- when: psono_admin_install_mode != 'none'
+  tags: psono
+  block:
+    - name: Download psono admin
+      get_url:
+        url: "{{ item.url }}"
+        dest: "{{ psono_root_dir }}/tmp/admin.zip"
+        checksum: sha1:{{ item.sha1 }}
+      loop:
+        - url: "{{ psono_admin_archive_url }}"
+          sha1: "{{ psono_admin_archive_sha1 }}"
+    
+    - name: Remove previous version
+      file: path={{ psono_root_dir }}/admin state=absent
+    - file: path={{ psono_root_dir }}/admin state=directory
+    
+    - name: Extract archive
+      unarchive:
+        src: "{{ psono_root_dir }}/tmp/admin.zip"
+        dest: "{{ psono_root_dir }}/admin/"
+        remote_src: True
+  
+- name: Install backup pre/post hooks
+  template: src={{ item }}-backup.sh.j2 dest=/etc/backup/{{ item }}.d/psono.sh mode=700
+  loop:
+    - pre
+    - post
+  tags: psono

roles/unmaintained/psono/tasks/iptables.yml

@@ -0,0 +1,11 @@
+---
+
+- name:  Handle psono port in the firewall
+  iptables_raw:
+    name: psono_server_port
+    state: "{{ (psono_server_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ psono_server_port }} -s {{ psono_server_src_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: firewall,psono
+
+

roles/unmaintained/psono/tasks/main.yml

@@ -0,0 +1,15 @@
+---
+
+- include: user.yml
+- include: directories.yml
+- include: facts.yml
+- include: archive_pre.yml
+  when: psono_server_install_mode == 'upgrade' or psono_client_install_mode == 'upgrade' or psono_admin_install_mode == 'upgrade'
+- include: install.yml
+- include: conf.yml
+- include: iptables.yml
+- include: service.yml
+- include: archive_post.yml
+  when: psono_server_install_mode == 'upgrade' or psono_client_install_mode == 'upgrade' or psono_admin_install_mode == 'upgrade'
+- include: write_version.yml
+- include: cleanup.yml

roles/unmaintained/psono/tasks/service.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Start and enable psono-server
+  service: name=psono-server state=started enabled=True
+  tags: psono
+
+- name: Start and enable psono timer
+  systemd: name=psono-cleartoken.timer state=started enabled=True
+  tags: psono

roles/unmaintained/psono/tasks/user.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Create psono user account
+  user: name={{ psono_user }} home={{ psono_root_dir }}/server system=True
+  tags: psono

roles/unmaintained/psono/tasks/write_version.yml

@@ -0,0 +1,12 @@
+---
+
+- name: Write version
+  copy: content={{ item.version }} dest={{ psono_root_dir }}/meta/{{ item.file }}
+  loop:
+    - version: "{{ psono_server_version }}"
+      file: ansible_server_version
+    - version: "{{ psono_client_version }}"
+      file: ansible_client_version
+    - version: "{{ psono_admin_version }}"
+      file: ansible_admin_version
+  tags: psono

roles/unmaintained/psono/templates/httpd.conf.j2

@@ -0,0 +1,8 @@
+<Location /server>
+  ProxyPass http://localhost:{{ psono_server_port }}
+{% if psono_server_src_ip | length < 1 %}
+  Require all denied
+{% else %}
+  Require ip {{ psono_server_src_ip | join(' ') }}
+{% endif %}
+</Location>

roles/unmaintained/psono/templates/nginx.conf.j2

@@ -0,0 +1,67 @@
+server {
+  listen 443 ssl http2;
+  server_name {{ psono_public_url | urlsplit('hostname') }};
+
+  include /etc/nginx/nsible_conf.d/acme.inc;
+
+{% if psono_cert_path is defined and psono_key_path is defined %}
+  ssl_certificate     {{ psono_cert_path }};
+  ssl_certificate_key {{ psono_key_path }};
+{% elif psono_letsencrypt_cert is defined and bitwarden_letsencrypt_cert == True %}
+  ssl_certificate     /var/lib/dehydrated/certificates/certs/{{ psono_public_url | urlsplit('hostname') }}/fullchain.pem;
+  ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ psono_public_url | urlsplit('hostname') }}/privkey.pem;
+{% elif psono_letsencrypt_cert is string %}
+  ssl_certificate     /var/lib/dehydrated/certificates/certs/{{ psono_letsencrypt_cert }}/fullchain.pem;
+  ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ psono_letsencrypt_cert }}/privkey.pem;
+{% endif %}
+
+  root {{ psono_root_dir }}/client;
+
+  if ($request_method !~ ^(GET|POST|HEAD|PUT|DELETE)$ ) {
+    return 405;
+  }
+
+  location @proxy {
+    proxy_pass http://localhost:{{ psono_server_port }};
+  }
+
+  location /portal {
+    alias {{ psono_root_dir }}/admin;
+  }
+
+  location / {
+    try_files $uri $uri/index.html @proxy;
+  }
+
+  add_header X-Frame-Options "DENY";
+  add_header X-Content-Type-Options "nosniff";
+  add_header X-XSS-Protection "1; mode=block";
+  add_header Strict-Transport-Security "$hsts_header";
+
+  # Send info about the original request to the backend
+  proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for";
+  proxy_set_header X-Real-IP "$remote_addr";
+  proxy_set_header X-Forwarded-Proto "$scheme";
+  proxy_set_header X-Forwarded-Host "$host";
+  proxy_set_header Host "$host";
+
+  # Handle websocket proxying
+  proxy_set_header Upgrade $http_upgrade;
+  proxy_set_header Connection $connection_upgrade;
+  proxy_http_version 1.1;
+
+  # Set the timeout to read responses from the backend
+  proxy_read_timeout 60s;
+
+  # Enable Keep Alive to the backend
+  proxy_socket_keepalive on;
+
+  # Disable buffering large files
+  proxy_max_temp_file_size 5m;
+
+  allow 127.0.0.1;
+{% for ip in psono_web_src_ip %}
+  allow {{ ip }};
+{% endfor %}
+  deny all;
+}

roles/unmaintained/psono/templates/post-backup.sh.j2

@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+rm -f {{ psono_root_dir }}/backup/*

roles/unmaintained/psono/templates/pre-backup.sh.j2

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -eo pipefail
+
+PGPASSWORD='{{ psono_db_pass }}' /usr/pgsql-11/bin/pg_dump \
+  --clean \
+  --create \
+  --username={{ psono_db_user }} \
+  --host={{ psono_db_server }} \
+  {{ psono_db_name }} | \
+  zstd -T0 -c > {{ psono_root_dir }}/backup/{{ psono_db_name }}.sql.zst

roles/unmaintained/psono/templates/psono-cleartoken.service.j2

@@ -0,0 +1,9 @@
+[Unit]
+Description=Psono cleartoken
+
+[Service]
+Type=oneshot
+PrivateTmp=yes
+User={{ psono_user }}
+Group={{ psono_user }}
+ExecStart={{ psono_root_dir }}/server/venv/bin/python3 {{ psono_root_dir }}server/app/psono/manage.py cleartoken

roles/unmaintained/psono/templates/psono-cleartoken.timer.j2

@@ -0,0 +1,9 @@
+[Unit]
+Description=Psono cleartoken
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+
+[Install]
+WantedBy=timers.target

roles/unmaintained/psono/templates/psono-server.service.j2

@@ -0,0 +1,21 @@
+[Unit]
+Description=Psono password manager API server
+After=redis.service postgresql.service postgresql11.service
+
+[Service]
+User={{ psono_user }}
+WorkingDirectory={{ psono_root_dir }}/server/app/psono
+ExecStart={{ psono_root_dir }}/server/venv/bin/gunicorn -b 0.0.0.0:{{ psono_server_port }} wsgi
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+MemoryLimit=1024M
+SyslogIdentifier=psono-server
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target

roles/unmaintained/psono/templates/settings.yaml.j2

@@ -0,0 +1,56 @@
+# {{ ansible_managed }}
+
+{% for token in ['SECRET_KEY', 'ACTIVATION_LINK_SECRET', 'DB_SECRET', 'EMAIL_SECRET_SALT', 'PRIVATE_KEY', 'PUBLIC_KEY'] %}
+{{ token }}: '{{ psono_tokens.results | selectattr('item','equalto',token) | map(attribute='stdout') | first | string }}'
+{% endfor %}
+DEBUG: False
+{% if psono_allowed_hosts is defined and psono_allowed_hosts | length > 0 %}
+ALLOWED_HOSTS:
+{{ psono_allowed_hosts | to_nice_yaml(indent=2) }}
+{% endif %}
+{% if psono_allowed_domains is defined and psono_allowed_domains | length > 0 %}
+ALLOWED_DOMAINS:
+{{ psono_allowed_domains | to_nice_yaml(indent=2) }}
+{% endif %}
+ALLOW_REGISTRATION: {{ psono_allow_registration | ternary('True', 'False') }}
+{% if psono_email_filter is defined and psono_email_server | length > 0 %}
+REGISTRATION_EMAIL_FILTER:
+{% for domain in psono_email_filter %}
+  - {{ domain }}
+{% endfor %}
+{% endif %}
+ALLOW_LOST_PASSWORD: {{ psono_allow_lost_password | ternary('True', 'False') }}
+HOST_URL: '{{ psono_public_url }}'
+EMAIL_FROM: '{{ psono_from_email }}'
+EMAIL_HOST: 'localhost'
+CACHE_ENABLE: True
+CACHE_REDIS: True
+CACHE_REDIS_LOCATION: '{{ psono_redis_server }}'
+MANAGEMENT_ENABLED: True
+{% if ntp_servers is defined and ntp_servers | length > 0 %}
+TIME_SERVER: '{{ ntp_servers | first }}'
+{% endif %}
+DATABASES:
+    default:
+        'ENGINE': 'django.db.backends.postgresql_psycopg2'
+        'NAME': '{{ psono_db_name }}'
+        'USER': '{{ psono_db_user }}'
+        'PASSWORD': '{{ psono_db_pass }}'
+        'HOST': '{{ psono_db_server }}'
+        'PORT': '{{ psono_db_port }}'
+
+TEMPLATES: [
+    {    
+        'BACKEND': 'django.template.backends.django.DjangoTemplates',
+        'DIRS': ['{{ psono_root_dir }}/server/app/psono/templates'],
+        'APP_DIRS': True,
+        'OPTIONS': {
+            'context_processors': [
+                'django.template.context_processors.debug',
+                'django.template.context_processors.request',
+                'django.contrib.auth.context_processors.auth',
+                'django.contrib.messages.context_processors.messages',
+            ],
+        },
+    },
+]

roles/unmaintained/psono/templates/webclient.json.j2

@@ -0,0 +1 @@
+{{ psono_client_conf | to_nice_json(indent=4) }}