Update to 2021-12-01 19:13

2025-10-30 18:31:28 +01:00 · 2021-12-01 19:13:34 +01:00
commit 4c4556c660
2153 changed files with 60999 additions and 0 deletions
--- a/roles/unmaintained/psono/templates/httpd.conf.j2
+++ b/roles/unmaintained/psono/templates/httpd.conf.j2
@@ -0,0 +1,8 @@
+<Location /server>
+  ProxyPass http://localhost:{{ psono_server_port }}
+{% if psono_server_src_ip | length < 1 %}
+  Require all denied
+{% else %}
+  Require ip {{ psono_server_src_ip | join(' ') }}
+{% endif %}
+</Location>
--- a/roles/unmaintained/psono/templates/nginx.conf.j2
+++ b/roles/unmaintained/psono/templates/nginx.conf.j2
@@ -0,0 +1,67 @@
+server {
+  listen 443 ssl http2;
+  server_name {{ psono_public_url | urlsplit('hostname') }};
+
+  include /etc/nginx/nsible_conf.d/acme.inc;
+
+{% if psono_cert_path is defined and psono_key_path is defined %}
+  ssl_certificate     {{ psono_cert_path }};
+  ssl_certificate_key {{ psono_key_path }};
+{% elif psono_letsencrypt_cert is defined and bitwarden_letsencrypt_cert == True %}
+  ssl_certificate     /var/lib/dehydrated/certificates/certs/{{ psono_public_url | urlsplit('hostname') }}/fullchain.pem;
+  ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ psono_public_url | urlsplit('hostname') }}/privkey.pem;
+{% elif psono_letsencrypt_cert is string %}
+  ssl_certificate     /var/lib/dehydrated/certificates/certs/{{ psono_letsencrypt_cert }}/fullchain.pem;
+  ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ psono_letsencrypt_cert }}/privkey.pem;
+{% endif %}
+
+  root {{ psono_root_dir }}/client;
+
+  if ($request_method !~ ^(GET|POST|HEAD|PUT|DELETE)$ ) {
+    return 405;
+  }
+
+  location @proxy {
+    proxy_pass http://localhost:{{ psono_server_port }};
+  }
+
+  location /portal {
+    alias {{ psono_root_dir }}/admin;
+  }
+
+  location / {
+    try_files $uri $uri/index.html @proxy;
+  }
+
+  add_header X-Frame-Options "DENY";
+  add_header X-Content-Type-Options "nosniff";
+  add_header X-XSS-Protection "1; mode=block";
+  add_header Strict-Transport-Security "$hsts_header";
+
+  # Send info about the original request to the backend
+  proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for";
+  proxy_set_header X-Real-IP "$remote_addr";
+  proxy_set_header X-Forwarded-Proto "$scheme";
+  proxy_set_header X-Forwarded-Host "$host";
+  proxy_set_header Host "$host";
+
+  # Handle websocket proxying
+  proxy_set_header Upgrade $http_upgrade;
+  proxy_set_header Connection $connection_upgrade;
+  proxy_http_version 1.1;
+
+  # Set the timeout to read responses from the backend
+  proxy_read_timeout 60s;
+
+  # Enable Keep Alive to the backend
+  proxy_socket_keepalive on;
+
+  # Disable buffering large files
+  proxy_max_temp_file_size 5m;
+
+  allow 127.0.0.1;
+{% for ip in psono_web_src_ip %}
+  allow {{ ip }};
+{% endfor %}
+  deny all;
+}
--- a/roles/unmaintained/psono/templates/post-backup.sh.j2
+++ b/roles/unmaintained/psono/templates/post-backup.sh.j2
@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+rm -f {{ psono_root_dir }}/backup/*
--- a/roles/unmaintained/psono/templates/pre-backup.sh.j2
+++ b/roles/unmaintained/psono/templates/pre-backup.sh.j2
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -eo pipefail
+
+PGPASSWORD='{{ psono_db_pass }}' /usr/pgsql-11/bin/pg_dump \
+  --clean \
+  --create \
+  --username={{ psono_db_user }} \
+  --host={{ psono_db_server }} \
+  {{ psono_db_name }} | \
+  zstd -T0 -c > {{ psono_root_dir }}/backup/{{ psono_db_name }}.sql.zst
--- a/roles/unmaintained/psono/templates/psono-cleartoken.service.j2
+++ b/roles/unmaintained/psono/templates/psono-cleartoken.service.j2
@@ -0,0 +1,9 @@
+[Unit]
+Description=Psono cleartoken
+
+[Service]
+Type=oneshot
+PrivateTmp=yes
+User={{ psono_user }}
+Group={{ psono_user }}
+ExecStart={{ psono_root_dir }}/server/venv/bin/python3 {{ psono_root_dir }}server/app/psono/manage.py cleartoken
--- a/roles/unmaintained/psono/templates/psono-cleartoken.timer.j2
+++ b/roles/unmaintained/psono/templates/psono-cleartoken.timer.j2
@@ -0,0 +1,9 @@
+[Unit]
+Description=Psono cleartoken
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+
+[Install]
+WantedBy=timers.target
--- a/roles/unmaintained/psono/templates/psono-server.service.j2
+++ b/roles/unmaintained/psono/templates/psono-server.service.j2
@@ -0,0 +1,21 @@
+[Unit]
+Description=Psono password manager API server
+After=redis.service postgresql.service postgresql11.service
+
+[Service]
+User={{ psono_user }}
+WorkingDirectory={{ psono_root_dir }}/server/app/psono
+ExecStart={{ psono_root_dir }}/server/venv/bin/gunicorn -b 0.0.0.0:{{ psono_server_port }} wsgi
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+MemoryLimit=1024M
+SyslogIdentifier=psono-server
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/unmaintained/psono/templates/settings.yaml.j2
+++ b/roles/unmaintained/psono/templates/settings.yaml.j2
@@ -0,0 +1,56 @@
+# {{ ansible_managed }}
+
+{% for token in ['SECRET_KEY', 'ACTIVATION_LINK_SECRET', 'DB_SECRET', 'EMAIL_SECRET_SALT', 'PRIVATE_KEY', 'PUBLIC_KEY'] %}
+{{ token }}: '{{ psono_tokens.results | selectattr('item','equalto',token) | map(attribute='stdout') | first | string }}'
+{% endfor %}
+DEBUG: False
+{% if psono_allowed_hosts is defined and psono_allowed_hosts | length > 0 %}
+ALLOWED_HOSTS:
+{{ psono_allowed_hosts | to_nice_yaml(indent=2) }}
+{% endif %}
+{% if psono_allowed_domains is defined and psono_allowed_domains | length > 0 %}
+ALLOWED_DOMAINS:
+{{ psono_allowed_domains | to_nice_yaml(indent=2) }}
+{% endif %}
+ALLOW_REGISTRATION: {{ psono_allow_registration | ternary('True', 'False') }}
+{% if psono_email_filter is defined and psono_email_server | length > 0 %}
+REGISTRATION_EMAIL_FILTER:
+{% for domain in psono_email_filter %}
+  - {{ domain }}
+{% endfor %}
+{% endif %}
+ALLOW_LOST_PASSWORD: {{ psono_allow_lost_password | ternary('True', 'False') }}
+HOST_URL: '{{ psono_public_url }}'
+EMAIL_FROM: '{{ psono_from_email }}'
+EMAIL_HOST: 'localhost'
+CACHE_ENABLE: True
+CACHE_REDIS: True
+CACHE_REDIS_LOCATION: '{{ psono_redis_server }}'
+MANAGEMENT_ENABLED: True
+{% if ntp_servers is defined and ntp_servers | length > 0 %}
+TIME_SERVER: '{{ ntp_servers | first }}'
+{% endif %}
+DATABASES:
+    default:
+        'ENGINE': 'django.db.backends.postgresql_psycopg2'
+        'NAME': '{{ psono_db_name }}'
+        'USER': '{{ psono_db_user }}'
+        'PASSWORD': '{{ psono_db_pass }}'
+        'HOST': '{{ psono_db_server }}'
+        'PORT': '{{ psono_db_port }}'
+
+TEMPLATES: [
+    {    
+        'BACKEND': 'django.template.backends.django.DjangoTemplates',
+        'DIRS': ['{{ psono_root_dir }}/server/app/psono/templates'],
+        'APP_DIRS': True,
+        'OPTIONS': {
+            'context_processors': [
+                'django.template.context_processors.debug',
+                'django.template.context_processors.request',
+                'django.contrib.auth.context_processors.auth',
+                'django.contrib.messages.context_processors.messages',
+            ],
+        },
+    },
+]
--- a/roles/unmaintained/psono/templates/webclient.json.j2
+++ b/roles/unmaintained/psono/templates/webclient.json.j2
@@ -0,0 +1 @@
+{{ psono_client_conf | to_nice_json(indent=4) }}
				`@@ -0,0 +1 @@`
				`{{ psono_client_conf \| to_nice_json(indent=4) }}`