
Merge branch 'master' of /tmp/spielplatz

remove-logs
Andreas Linz 3 years ago
parent
commit
981a054c8b
60 changed files with 2942 additions and 0 deletions
  1. +3
    -0
      .gitignore
  2. +34
    -0
      Makefile
  3. +29
    -0
      README.md
  4. +74
    -0
      Vagrantfile
  5. +2
    -0
      ansible.cfg
  6. +2
    -0
      build/caddy/.gitignore
  7. +30
    -0
      build/caddy/Makefile
  8. +27
    -0
      build/caddy/plugins.patch
  9. +2
    -0
      build/gitea/.gitignore
  10. +30
    -0
      build/gitea/Makefile
  11. +2
    -0
      build/grafana/.gitignore
  12. +14
    -0
      build/grafana/Makefile
  13. +2
    -0
      build/node_exporter/.gitignore
  14. +16
    -0
      build/node_exporter/Makefile
  15. +2
    -0
      build/pgweb/.gitignore
  16. +15
    -0
      build/pgweb/Makefile
  17. +4
    -0
      build/prometheus/.gitignore
  18. +14
    -0
      build/prometheus/Makefile
  19. +6
    -0
      hosts
  20. +29
    -0
      playbook.yml
  21. +10
    -0
      roles/caddy/defaults/main.yml
  22. +12
    -0
      roles/caddy/handlers/main.yml
  23. +81
    -0
      roles/caddy/tasks/main.yml
  24. +117
    -0
      roles/caddy/templates/Caddyfile.tmpl
  25. +54
    -0
      roles/caddy/templates/caddy.service.tmpl
  26. +3
    -0
      roles/caddy/templates/common.caddy.tmpl
  27. +8
    -0
      roles/common/defaults/main.yml
  28. +6
    -0
      roles/common/handlers/main.yml
  29. +42
    -0
      roles/common/tasks/main.yml
  30. +7
    -0
      roles/gitea/defaults/main.yml
  31. +7
    -0
      roles/gitea/handlers/main.yml
  32. +88
    -0
      roles/gitea/tasks/main.yml
  33. +52
    -0
      roles/gitea/templates/app.ini.tmpl
  34. +20
    -0
      roles/gitea/templates/gitea.service.tmpl
  35. +11
    -0
      roles/grafana/defaults/main.yml
  36. +7
    -0
      roles/grafana/handlers/main.yml
  37. +77
    -0
      roles/grafana/tasks/main.yml
  38. +406
    -0
      roles/grafana/templates/config.ini.tmpl
  39. +19
    -0
      roles/grafana/templates/grafana.service.tmpl
  40. +20
    -0
      roles/grafana/templates/jupyter.service.tmpl
  41. +605
    -0
      roles/grafana/templates/jupyter_notebook_config.py.tmpl
  42. +4
    -0
      roles/jupyter/defaults/main.yml
  43. +7
    -0
      roles/jupyter/handlers/main.yml
  44. +52
    -0
      roles/jupyter/tasks/main.yml
  45. +20
    -0
      roles/jupyter/templates/jupyter.service.tmpl
  46. +605
    -0
      roles/jupyter/templates/jupyter_notebook_config.py.tmpl
  47. +5
    -0
      roles/postgres/defaults/main.yml
  48. +7
    -0
      roles/postgres/handlers/main.yml
  49. +38
    -0
      roles/postgres/tasks/main.yml
  50. +24
    -0
      roles/postgres/tasks/pgweb.yml
  51. +18
    -0
      roles/postgres/templates/pgweb.service.tmpl
  52. +3
    -0
      roles/prometheus/defaults/main.yml
  53. +15
    -0
      roles/prometheus/handlers/main.yml
  54. +38
    -0
      roles/prometheus/tasks/main.yml
  55. +23
    -0
      roles/prometheus/tasks/node_exporter.yml
  56. +19
    -0
      roles/prometheus/templates/node_exporter.service.tmpl
  57. +20
    -0
      roles/prometheus/templates/prometheus.service.tmpl
  58. +27
    -0
      roles/prometheus/templates/prometheus.yml.tmpl
  59. +7
    -0
      vagrant_playbook.yml
  60. +21
    -0
      vault_vars.yml

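--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,3 @@
+/.vagrant/
+/*.log
+/vault.pass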

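--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,34 @@
+.PHONY: vm vagrant clean clean-all
+APPS:=$(dir $(wildcard build/*/))
+ANSIBLE_OPTS="--vault-password-file=./vault.pass"
+all: vm
+vm: playbook.yml Vagrantfile vagrant
+ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_OPTS)\
+--extra-vars='var_domain="klingt.vnet"'\
+--private-key='./.vagrant/machines/default/virtualbox/private_key'\
+--inventory-file='./.vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory'\
+--verbose\
+playbook.yml
+klingt.net: playbook.yml Vagrantfile
+ansible-playbook $(ANSIBLE_OPTS)\
+--vault-password-file='./vault.pass'\
+--verbose\
+playbook.yml
+vagrant:
+vagrant up
+clean:
+rm -f *.retry
+clean-vm:
+vagrant destroy -f
+clean-all: clean clean-vm
+@for app in $(APPS); do\
+make -C "$$app" clean &> /dev/null;\
+done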
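Review bot: The `clean-all` loop on the last three lines uses `&> /dev/null`, a bash-only redirection; make runs recipes under /bin/sh, and on Ubuntu's dash that parses as `make -C "$app" clean &` (backgrounded) followed by a bare `> /dev/null`, so sub-make failures are neither silenced nor waited for. Use a portable redirect and the jobserver-aware variable: `$(MAKE) -C "$$app" clean >/dev/null 2>&1;\`. Separately, the `klingt.net` target passes `--vault-password-file` twice (once through `$(ANSIBLE_OPTS)`), and `all`, `klingt.net` and `clean-vm` are missing from `.PHONY`, so a stray file named `klingt.net` in the checkout would silently skip the production deploy.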

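--- a/README.md
+++ b/README.md
@@ -0,0 +1,29 @@
+# Ansible
+A [series of articles](https://www.digitalocean.com/community/tutorials/an-introduction-to-configuration-management) about configuration managment at the example of Ansible.
+> By using a configuration management tool, the procedure necessary for bringing up a new server or updating an existing one will be all documented in the provisioning scripts.
+## Terms
+- **Inventory** stores information about your servers as INI file
+- **Playbook** is the entry point for Ansible provisionings (imagine it as a set of tasks)
+- **Task** defines a single procedure to be executed, e.g. updating the package cache
+- **Module** typically is a abstraction of a system task (more generalized task?)
+- **Role** is used to organize playbooks and other files for reuse
+- **Play** names a complete provision process, from start to finish
+- **Facts** are variables containing information about the system, e.g. OS, hostname etc.
+- **Handlers** trigger service status changes
+## Services
+The following list of services should be configured and deployed automatically:
+- [x] caddy
+- [x] gitea
+- [x] prometheus
+- [x] grafana
+- [x] jupyter
+- [x] postgres
+- [x] pgweb
+- [x] ~~netdata~~, node_exporter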

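--- a/Vagrantfile
+++ b/Vagrantfile
@@ -0,0 +1,74 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+# All Vagrant configuration is done below. The "2" in Vagrant.configure
+# configures the configuration version (we support older styles for
+# backwards compatibility). Please don't change it unless you know what
+# you're doing.
+Vagrant.configure("2") do |config|
+# The most common configuration options are documented and commented below.
+# For a complete reference, please see the online documentation at
+# https://docs.vagrantup.com.
+# Every Vagrant development environment requires a box. You can search for
+# boxes at https://vagrantcloud.com/search.
+config.vm.box = "ubuntu/xenial64"
+# Disable automatic box update checking. If you disable this, then
+# boxes will only be checked for updates when the user runs
+# `vagrant box outdated`. This is not recommended.
+# config.vm.box_check_update = false
+# Create a forwarded port mapping which allows access to a specific port
+# within the machine from a port on the host machine. In the example below,
+# accessing "localhost:8080" will access port 80 on the guest machine.
+# NOTE: This will enable public access to the opened port
+# config.vm.network "forwarded_port", guest: 80, host: 8080
+# Create a forwarded port mapping which allows access to a specific port
+# within the machine from a port on the host machine and only allow access
+# via 127.0.0.1 to disable public access
+# config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"
+# Create a private network, which allows host-only access to the machine
+# using a specific IP.
+config.vm.network "private_network", ip: "10.111.111.111"
+# Create a public network, which generally matched to bridged network.
+# Bridged networks make the machine appear as another physical device on
+# your network.
+# config.vm.network "public_network"
+# Share an additional folder to the guest VM. The first argument is
+# the path on the host to the actual folder. The second argument is
+# the path on the guest to mount the folder. And the optional third
+# argument is a set of non-required options.
+# config.vm.synced_folder "../data", "/vagrant_data"
+# Provider-specific configuration so you can fine-tune various
+# backing providers for Vagrant. These expose provider-specific options.
+# Example for VirtualBox:
+#
+# config.vm.provider "virtualbox" do |vb|
+# # Display the VirtualBox GUI when booting the machine
+# vb.gui = true
+#
+# # Customize the amount of memory on the VM:
+# vb.memory = "1024"
+# end
+#
+# View the documentation for the provider you are using for more
+# information on available options.
+# Enable provisioning with a shell script. Additional provisioners such as
+# Puppet, Chef, Ansible, Salt, and Docker are also available. Please see the
+# documentation for more information about their specific syntax and use.
+config.vm.provision "shell", inline: <<-SHELL
+apt-get update
+apt-get install -y python
+SHELL
+config.vm.provision "ansible" do |ansible|
+ansible.playbook = "vagrant_playbook.yml"
+end
+end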
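Review bot: `config.vm.box = "ubuntu/xenial64"` pins no box version, so each `vagrant up` on a fresh host pulls whichever build of the box is newest at that moment and the provisioned result is not reproducible between machines; add `config.vm.box_version = "<the version you tested>"` next to it. The inline shell provisioner only bootstraps Python for Ansible, which is fine, but the VM sits on a host-only network at 10.111.111.111 reachable by every process on the workstation, so the vault used for the `vm` target should hold throwaway credentials distinct from the `klingt.net` deploy.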

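--- a/ansible.cfg
+++ b/ansible.cfg
@@ -0,0 +1,2 @@
+[defaults]
+inventory = ./hosts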

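--- a/build/caddy/.gitignore
+++ b/build/caddy/.gitignore
@@ -0,0 +1,2 @@
+/caddy
+/caddy-src*/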

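--- a/build/caddy/Makefile
+++ b/build/caddy/Makefile
@@ -0,0 +1,30 @@
+.PHONY: clean
+VERSION :=v0.10.8
+CADDY_SRC :=caddy-src-$(VERSION)
+GOPATH :=$(shell pwd)/$(CADDY_SRC)/.go
+all: caddy
+caddy: $(CADDY_SRC) checkout-version patch $(GOPATH)
+cd $(CADDY_SRC) && go get -v github.com/mholt/caddy/caddy
+cp $(GOPATH)/bin/$@ $@
+$(GOPATH): $(CADDY_SRC)
+mkdir -p $@/src/github.com/mholt
+ln -sf $(shell pwd)/$(CADDY_SRC) $(GOPATH)/src/github.com/mholt/caddy
+patch: $(CADDY_SRC)
+cd $(CADDY_SRC)\
+&& git apply ../plugins.patch\
+&& git revert --no-edit --no-commit 56453e9664aa2c24115eb52a4e933febb3cac1f7
+$(CADDY_SRC):
+git clone https://github.com/mholt/caddy.git $@
+checkout-version: $(CADDY_SRC)
+cd $(CADDY_SRC) && git checkout --force --quiet $(VERSION)
+clean:
+rm -f caddy
+rm -rf caddy-*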
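Review bot: `go get -v github.com/mholt/caddy/caddy` in the `caddy` recipe resolves every plugin import that plugins.patch adds at whatever each upstream repository's default branch holds at build time, while only caddy itself is pinned via `VERSION :=v0.10.8`; the result is the internet-facing server binary, so its dependencies should be pinned to commit hashes (vendor them, or check each one out at a recorded revision and fail the build on mismatch) rather than floating with fifteen third-party masters. `git checkout --force --quiet $(VERSION)` pins a tag, which upstream can move; record the tag's commit hash instead, or `git verify-tag` if upstream signs releases. Note also that `GOPATH` is only a make variable here: unless `GOPATH` was already in the caller's environment it is not exported to the recipe shell, so `go get` installs into the default GOPATH and `cp $(GOPATH)/bin/$@ $@` copies nothing or a stale binary — add `export GOPATH` directly below its definition. `checkout-version` and `patch` are phony targets that are not listed in `.PHONY`, and `patch` shares its name with the system tool, which makes the dependency list harder to read than `apply-plugins-patch` would.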

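--- a/build/caddy/plugins.patch
+++ b/build/caddy/plugins.patch
@@ -0,0 +1,27 @@
+diff --git a/caddy/caddymain/run.go b/caddy/caddymain/run.go
+index 7bfb587..d12721f 100644
+--- a/caddy/caddymain/run.go
++++ b/caddy/caddymain/run.go
+@@ -21,6 +21,22 @@ import (
+"github.com/mholt/caddy/caddytls"
+// This is where other plugins get plugged in (imported)
++
++ _ "github.com/SchumacherFM/mailout"
++ _ "github.com/caddyserver/forwardproxy"
++ _ "github.com/captncraig/caddy-realip"
++ _ "github.com/captncraig/cors"
++ _ "github.com/echocat/caddy-filter"
++ _ "github.com/hacdias/caddy-minify"
++ _ "github.com/hacdias/caddy-webdav"
++ _ "github.com/hacdias/filemanager"
++ _ "github.com/jung-kurt/caddy-cgi"
++ _ "github.com/miekg/caddy-prometheus"
++ _ "github.com/nicolasazrak/caddy-cache"
++ _ "github.com/pyed/ipfilter"
++ _ "github.com/restic/caddy"
++ _ "github.com/xuqingfeng/caddy-rate-limit"
++ _ "blitznote.com/src/caddy.upload"
+)
+func init() {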
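Review bot: The import list compiles in plugins the Caddyfile in this commit never uses: of the fifteen added, only `forwardproxy`, `caddy-prometheus`, `restic/caddy`, `caddy.upload` and `caddy-webdav` back a directive that is configured, so `mailout`, `caddy-realip`, `cors`, `caddy-filter`, `caddy-minify`, `filemanager`, `caddy-cgi`, `caddy-cache`, `ipfilter` and `caddy-rate-limit` are attack surface whose `init()` still registers directives that are one config edit away from being live — `caddy-cgi` in particular turns any future write to the Caddyfile into command execution as the service user. Trim the list to the plugins actually used and pin each remaining one to a reviewed revision, since everything imported here ships in the public-facing binary. The enclosing `import (` block begins outside the hunk.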

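--- a/build/gitea/.gitignore
+++ b/build/gitea/.gitignore
@@ -0,0 +1,2 @@
+/gitea
+/gitea-src*/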

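--- a/build/gitea/Makefile
+++ b/build/gitea/Makefile
@@ -0,0 +1,30 @@
+.PHONY: clean
+VERSION :=v1.1.4
+GITEA_SRC :=gitea-src-$(VERSION)
+GOPATH :=$(shell pwd)/$(GITEA_SRC)/.go
+GITEA_BUILD_TAGS :=bindata
+all: gitea
+gitea: $(GITEA_SRC) checkout-version $(GOPATH) $(GOPATH)/bin/go-bindata
+cd $(GOPATH)/src/code.gitea.io/gitea\
+&& PATH=$(GOPATH)/bin:$$PATH TAGS=$(GITEA_BUILD_TAGS) make generate build
+cp $(GITEA_SRC)/$@ $@
+$(GOPATH): $(GITEA_SRC)
+mkdir -p $@/src/code.gitea.io
+ln -sf $(shell pwd)/$(GITEA_SRC) $(GOPATH)/src/code.gitea.io/gitea
+$(GOPATH)/bin/go-bindata: $(GOPATH)
+go get github.com/jteeuwen/go-bindata/...
+$(GITEA_SRC):
+git clone https://github.com/go-gitea/gitea.git $@
+checkout-version: $(GITEA_SRC)
+cd $(GITEA_SRC) && git checkout --force --quiet $(VERSION)
+clean:
+rm -f gitea
+rm -rf gitea-*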
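Review bot: `go get github.com/jteeuwen/go-bindata/...` pulls the code generator that `make generate` runs over gitea's assets at an unpinned revision, so the build's supply chain floats even though gitea itself is fixed at `v1.1.4`; pin it to a commit hash, and record the commit behind the `v1.1.4` tag rather than trusting the mutable tag name. `GOPATH` is only a make variable: unless the caller already exported one, neither `go get` nor gitea's own `make generate build` sees `$(GOPATH)`, so `$(GOPATH)/bin/go-bindata` never appears and the `PATH=$(GOPATH)/bin:$$PATH` prefix is pointless — add `export GOPATH` below its definition. The recursive `make generate build` should be `$(MAKE)` so `-j` and `-n` propagate.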

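--- a/build/grafana/.gitignore
+++ b/build/grafana/.gitignore
@@ -0,0 +1,2 @@
+/grafana-*/
+/grafana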

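--- a/build/grafana/Makefile
+++ b/build/grafana/Makefile
@@ -0,0 +1,14 @@
+.PHONY: grafana clean
+VERSION:=4.4.1
+all: grafana
+grafana: grafana-$(VERSION)
+ln -sfn $< $@
+grafana-$(VERSION):
+curl -Lsf 'https://s3-us-west-2.amazonaws.com/grafana-releases/release/grafana-$(VERSION).linux-x64.tar.gz' | tar -xvzf -
+clean:
+rm -f "grafana*"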
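Review bot: The `grafana-$(VERSION)` recipe pipes the S3 download straight into `tar` with no integrity check, so a compromised mirror or an interposed TLS endpoint yields a trojaned `grafana-server` that the role then installs to /usr/bin and runs as a service; download to a file, compare it against a pinned SHA-256, and only then extract. `rm -f "grafana*"` quotes the glob, so `clean` only ever matches a file literally named `grafana*`, and `-f` without `-r` could not remove the extracted directory anyway — use `rm -rf grafana grafana-*`. `.PHONY: grafana` on a real symlink target also forces the `ln` on every run.
```make
GRAFANA_SHA256 := <sha256 of grafana-$(VERSION).linux-x64.tar.gz from the release page>
grafana-$(VERSION).linux-x64.tar.gz:
	curl -Lsf 'https://s3-us-west-2.amazonaws.com/grafana-releases/release/$@' -o $@.tmp
	echo "$(GRAFANA_SHA256)  $@.tmp" | sha256sum -c - && mv -f $@.tmp $@
grafana-$(VERSION): grafana-$(VERSION).linux-x64.tar.gz
	tar -xzf $<
# … unchanged: all/grafana symlink targets; clean as corrected above …
```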

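--- a/build/node_exporter/.gitignore
+++ b/build/node_exporter/.gitignore
@@ -0,0 +1,2 @@
+/node_exporter
+/.go/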

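--- a/build/node_exporter/Makefile
+++ b/build/node_exporter/Makefile
@@ -0,0 +1,16 @@
+.PHONY: clean
+VERSION:=0.14.0
+GOPATH:=$(shell pwd)/.go
+all: node_exporter
+$(GOPATH):
+mkdir -p $@
+node_exporter: $(GOPATH)
+go get -v github.com/prometheus/node_exporter
+cp $(GOPATH)/bin/$@ $@
+clean:
+rm -rf "node_exporter*" .go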
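Review bot: `VERSION:=0.14.0` is never referenced — `go get -v github.com/prometheus/node_exporter` builds whatever master holds at build time, so the version this file appears to pin is not what is installed, and an unreviewed upstream change ends up in a binary that reads /proc and /sys on the production host. Clone and check out the tagged commit before building (`git -C $(GOPATH)/src/github.com/prometheus/node_exporter checkout v$(VERSION)`, ideally the tag's commit hash), or fetch the upstream release tarball and verify its published SHA-256. `GOPATH` needs `export GOPATH` to reach the recipe shell unless it was already in the environment, and `rm -rf "node_exporter*"` quotes the glob so it never matches the built binary.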

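--- a/build/pgweb/.gitignore
+++ b/build/pgweb/.gitignore
@@ -0,0 +1,2 @@
+/pgweb
+/pgweb_*_amd64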

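--- a/build/pgweb/Makefile
+++ b/build/pgweb/Makefile
@@ -0,0 +1,15 @@
+.PHONY: clean
+VERSION:=0.9.7
+all: pgweb
+pgweb: pgweb_linux_amd64
+cp $< $@
+chmod +x $@
+pgweb_linux_amd64:
+curl -Lsf 'https://github.com/sosedoff/pgweb/releases/download/v$(VERSION)/pgweb_linux_amd64.zip' | bsdtar -xvzf -
+clean:
+rm -f pgweb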
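Review bot: The `pgweb_linux_amd64` recipe pipes a GitHub release zip into `bsdtar` with no checksum or signature check before the binary is `chmod +x`ed and shipped to the server as the database web UI with `{{ db_password }}`-level access; save the archive to a file, verify a pinned SHA-256 with `sha256sum -c`, and extract only on success. `clean` removes `pgweb` but not the extracted `pgweb_linux_amd64` that .gitignore lists, so a stale unverified binary survives `make clean`: `rm -f pgweb pgweb_linux_amd64`.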

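--- a/build/prometheus/.gitignore
+++ b/build/prometheus/.gitignore
@@ -0,0 +1,4 @@
+/prometheus-*-amd64/
+/prometheus
+/prometheus*.tar.gz
+/prometheus*.yml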

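--- a/build/prometheus/Makefile
+++ b/build/prometheus/Makefile
@@ -0,0 +1,14 @@
+.PHONY: clean
+VERSION=1.7.1
+all: prometheus
+prometheus: prometheus-$(VERSION).linux-amd64.tar.gz
+tar --strip-components 1 -xvf $< -- prometheus-$(VERSION).linux-amd64/$@ prometheus-$(VERSION).linux-amd64/$@.yml
+prometheus-$(VERSION).linux-amd64.tar.gz:
+curl -Lsf 'https://github.com/prometheus/prometheus/releases/download/v$(VERSION)/prometheus-$(VERSION).linux-amd64.tar.gz' > $@
+clean:
+rm -f prometheus "prometheus-*.tar.gz"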
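Review bot: The tarball produced by the `prometheus-$(VERSION).linux-amd64.tar.gz` recipe is never verified before `tar` extracts the binary that the role installs; Prometheus releases ship a `sha256sums.txt` alongside the archives (confirm for 1.7.1), so pin that digest and check it, writing to a temp name first so a failed download never leaves a newer-than-source target: `curl ... -o $@.tmp && echo "<sha256>  $@.tmp" | sha256sum -c - && mv -f $@.tmp $@`. `rm -f prometheus "prometheus-*.tar.gz"` quotes the glob and so never removes the tarball, and the extracted `prometheus.yml` is not cleaned either. `VERSION=1.7.1` should be `:=` for consistency with the sibling Makefiles.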

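--- a/hosts
+++ b/hosts
@@ -0,0 +1,6 @@
+---
+[klingt-net]
+klingt.net
+# vim set: syntax=yaml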
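Review bot: The leading `---` is a YAML document marker in what is an INI inventory (`[klingt-net]` is INI group syntax), and Ansible's INI parser treats a bare token before the first group header as a host, so it will most likely register a host literally named `---` in `ungrouped` and try to reach it on `hosts: all`; drop the line. The trailing comment is not valid modeline syntax and names the wrong filetype: `# vim: set ft=dosini:`.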

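--- a/playbook.yml
+++ b/playbook.yml
@@ -0,0 +1,29 @@
+---
+# TODOs
+# - cron for postgres backup (pg_dumpall | tar --use-compress-programm=pixz -cJf postgres-$(date foobar).tar.xz
+- hosts: all
+vars:
+user_name: alinz
+user_email: "{{ user_name }}@email-provider.com"
+domain: "{{ var_domain | default('klingt.net') }}"
+domain_version: unknown
+caddy_email: "{{ user_email }}"
+caddy_restic_user: alinz
+jupyter_password: 'sha1:7ba04f8b7db3:b647b05c2e317857828f9f4fc929b08d485f9c76'
+vars_files:
+- vault_vars.yml
+roles:
+- common
+- postgres
+- gitea
+- jupyter
+- caddy
+- prometheus
+- grafana
+tasks:
+- name: Set version number
+delegate_to: localhost
+shell: git describe --always --tags
+register: git_version
+- set_fact:
+domain_version: "{{ git_version.stdout }}"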
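Review bot: `jupyter_password` is a `sha1:` salted hash committed in plain YAML while every other secret is routed through `vault_vars.yml`; Jupyter's salted-SHA-1 scheme is cheap to brute-force offline once the repository is readable, so move the value into the vault and rotate it. The `Set version number` task sits under `tasks:`, which Ansible runs after `roles:`, so the caddy template that emits `{{ domain_version }}` is rendered while the variable still holds `unknown`; move the `git describe` task and its `set_fact` under `pre_tasks:`. `git describe --always --tags` needs no shell features, so use `command:` rather than `shell:`, and `user_email` (`alinz@email-provider.com`) looks like a placeholder that would end up in the ACME account and the Gitea admin record.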

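--- a/roles/caddy/defaults/main.yml
+++ b/roles/caddy/defaults/main.yml
@@ -0,0 +1,10 @@
+caddy_user: caddy
+caddy_group: caddy
+caddy_path: /usr/bin/caddy
+caddy_ca_url: https://acme-staging.api.letsencrypt.org/directory
+caddy_prometheus_port: 9180
+caddy_restic_path: "/home/{{ caddy_user }}/restic"
+#caddy_email: user@email-provider.com
+#caddy_restic_user: alinz
+#caddy_restic_password: password
+caddy_file_browser_root: "/var/caddy/files.{{ domain }}"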
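Review bot: `caddy_ca_url` defaults to the Let's Encrypt staging directory, whose certificates are not trusted by any browser, and nothing visible in this commit overrides it for the `klingt.net` target; either document the expectation with a comment such as `# staging CA: override with the production ACME directory in group_vars for real hosts`, or make the production URL the default and point the Vagrant play at staging via `--extra-vars`. Since every `:443` block in the Caddyfile uses `tls self_signed`, this value is currently inert anyway, which is worth stating next to it so the next reader does not assume ACME is in play.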

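--- a/roles/caddy/handlers/main.yml
+++ b/roles/caddy/handlers/main.yml
@@ -0,0 +1,12 @@
+- name: Validate caddy configuration
+listen: caddy-validate
+become: true
+become_user: "{{ caddy_user }}"
+command: "{{ caddy_path }} -conf=/etc/caddy/Caddyfile -validate"
+- name: Restart caddy
+listen: restart-caddy
+become: true
+systemd:
+daemon_reload: yes
+name: caddy
+state: restarted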

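--- a/roles/caddy/tasks/main.yml
+++ b/roles/caddy/tasks/main.yml
@@ -0,0 +1,81 @@
+- name: "Create group {{ caddy_group }}"
+become: true
+group:
+name: "{{ caddy_group }}"
+- name: Create caddy user
+become: true
+user:
+name: "{{ caddy_user }}"
+comment: "Caddy run user"
+append: true
+group: "{{ caddy_group }}"
+shell: /bin/false
+- name: Build caddy
+command: make -C ./build/caddy
+delegate_to: localhost
+- name: Install caddy
+become: true
+copy:
+src: ./build/caddy/caddy
+dest: "{{ caddy_path }}"
+mode: 0755
+- name: Create caddy certificate directory
+become: true
+file:
+name: "/home/{{ caddy_user }}/certs"
+owner: "{{ caddy_user }}"
+group: "{{ caddy_group }}"
+state: directory
+mode: 0700
+- name: Create caddy restic path
+become: true
+file:
+name: "{{ caddy_restic_path }}"
+owner: "{{ caddy_user }}"
+group: "{{ caddy_group }}"
+state: directory
+mode: 0700
+- name: "Create {{ caddy_file_browser_root }} directory"
+become: true
+file:
+name: "{{ caddy_file_browser_root }}/public"
+owner: "{{ caddy_user }}"
+group: "{{ caddy_group }}"
+state: directory
+mode: 0700
+- name: Create caddy configuration directory
+become: true
+file:
+name: "/etc/caddy"
+owner: "{{ caddy_user }}"
+group: "{{ caddy_group }}"
+state: directory
+mode: 0700
+- name: Configure caddy
+become: true
+template:
+src: "{{ item }}.tmpl"
+dest: "/etc/caddy/{{ item }}"
+owner: "{{ caddy_user }}"
+group: "{{ caddy_group }}"
+mode: 0600
+with_items:
+- Caddyfile
+- common.caddy
+notify:
+- caddy-validate
+- restart-caddy
+- name: Install caddy systemd unit
+become: true
+template:
+src: caddy.service.tmpl
+dest: /etc/systemd/system/caddy.service
+mode: 0600
+- name: Start caddy
+become: true
+systemd:
+daemon_reload: yes
+name: caddy
+state: started
+enabled: true
+notify: restart-caddy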
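Review bot: `/etc/caddy` (0700) and the rendered `Caddyfile`/`common.caddy` (0600) are owned by the service user, so a compromised caddy process can rewrite its own configuration and have it picked up by the unit's `ExecReload` or next restart — and the binary built here has `caddy-cgi` compiled in, so a config write is persistent command execution. Own the configuration by root and give the service read-only access: `owner: root`, `group: "{{ caddy_group }}"`, `mode: 0750` on the directory and `mode: 0640` on both templates; the `caddy-validate` handler only reads the file, so it keeps working. `Build caddy` runs `make` on the controller every play with no `changed_when`, and `Start caddy` notifies `restart-caddy` unconditionally, so every run rebuilds and restarts the server even when nothing changed — add `changed_when: false` to the build task (or drive it from the Makefile's own up-to-date check) and drop the `notify` on the start task, which the two template tasks already cover. `Install caddy systemd unit` has no `notify` at all, so a changed unit is only applied because of that unconditional restart.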

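--- a/roles/caddy/templates/Caddyfile.tmpl
+++ b/roles/caddy/templates/Caddyfile.tmpl
@@ -0,0 +1,117 @@
+git.{{ domain }}:80 {
+import common.caddy
+redir https://git.{{ domain }}{uri}
+}
+git.{{ domain }}:443 {
+import common.caddy
+tls self_signed
+proxy / localhost:{{ gitea_port }} {
+transparent
+}
+}
+pg.{{ domain }}:80 {
+import common.caddy
+redir https://pg.{{ domain }}{uri}
+}
+pg.{{ domain }}:443 {
+import common.caddy
+tls self_signed
+basicauth / {{ user_name }} {{ user_password }}
+proxy / localhost:{{ pgweb_port }} {
+transparent
+}
+}
+prometheus.{{ domain }}:80 {
+import common.caddy
+redir https://prometheus.{{ domain }}{uri}
+}
+prometheus.{{ domain }}:443 {
+import common.caddy
+tls self_signed
+basicauth / {{ user_name }} {{ user_password }}
+proxy / localhost:{{ prometheus_port }} {
+transparent
+}
+}
+jupyter.{{ domain }}:80 {
+import common.caddy
+redir https://jupyter.{{ domain }}{uri}
+}
+jupyter.{{ domain }}:443 {
+import common.caddy
+tls self_signed
+basicauth / {{ user_name }} {{ user_password }}
+proxy / localhost:{{ jupyter_port }} {
+transparent
+}
+}
+grafana.{{ domain }}:80 {
+import common.caddy
+redir https://grafana.{{ domain }}{uri}
+}
+grafana.{{ domain }}:443 {
+import common.caddy
+tls self_signed
+basicauth / {{ user_name }} {{ user_password }}
+proxy / localhost:{{ grafana_port }} {
+transparent
+}
+}
+restic.{{ domain }}:80 {
+import common.caddy
+redir https://restic.{{ domain }}{uri}
+}
+restic.{{ domain }}:443 {
+import common.caddy
+tls self_signed
+basicauth / {{ caddy_restic_user }} {{ caddy_restic_password }}
+restic / {{ caddy_restic_path }}
+}
+files.{{ domain }}:80 {
+import common.caddy
+redir https://files.{{ domain }}{uri}
+}
+files.{{ domain }}:443 {
+import common.caddy
+tls self_signed
+basicauth / {{ user_name }} {{ user_password }}
+root {{ caddy_file_browser_root }}/public
+upload / {
+to {{ caddy_file_browser_root }}/public
+filenames_form NFC
+}
+mime {
+# video/x-matroska is not supported in firefox
+.mkv video/webm
+}
+browse
+}
+webdav.{{ domain }}:80 {
+import common.caddy
+redir https://webdav.{{ domain }}{uri}
+}
+webdav.{{ domain }}:443 {
+import common.caddy
+tls self_signed
+basicauth / {{ user_name }} {{ user_password }}
+webdav {
+scope {{ caddy_file_browser_root }}
+}
+}
+proxy.{{ domain }}:443 {
+tls self_signed
+log stdout
+forwardproxy {
+basicauth {{ user_name }} {{ user_password }}
+hide_ip
+serve_pac
+}
+}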
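Review bot: The `{{ user_password }}` used for `basicauth` on the pg, prometheus, jupyter, grafana, files and webdav vhosts and for the `forwardproxy` is the same value the common role writes as the shell password of the wheel/sudo user, and no lockout or rate limit is configured on any of these endpoints (`caddy-rate-limit` is compiled in but unused), so an online guess against any of seven HTTP endpoints — or a read of `/etc/caddy/Caddyfile`, where the password sits in plaintext — yields sudo on the host. Give HTTP access its own vault variable, e.g. `basicauth / {{ user_name }} {{ caddy_http_password }}`, and separate credentials for the forward proxy and the restic repository, which are the most attractive to brute-force and the most damaging to lose. `tls self_signed` on every `:443` block disables ACME, so the `-ca`/`-email` flags in the unit are inert and browsers will warn on each subdomain; on the real domain use `tls {{ caddy_email }}` instead. The `files` vhost accepts `upload` into the same `root` it serves with `browse`, so uploaded HTML or SVG is served back from that origin to the authenticated user; if that is not intended, upload to a directory that is not served, or add `header / Content-Disposition attachment`.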

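--- a/roles/caddy/templates/caddy.service.tmpl
+++ b/roles/caddy/templates/caddy.service.tmpl
@@ -0,0 +1,54 @@
+[Unit]
+Description=Caddy HTTP/2 web server
+Documentation=https://caddyserver.com/docs
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+[Service]
+Restart=on-abnormal
+; User and group the process will run as.
+User={{ caddy_user }}
+Group={{ caddy_group }}
+; Letsencrypt-issued certificates will be written to this directory.
+Environment=CADDYPATH=/home/{{ caddy_user }}/certs
+; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
+ExecStart={{ caddy_path }}\
+-log stdout\
+-agree=true\
+-conf=/etc/caddy/Caddyfile\
+-email={{ caddy_email }}\
+-ca='{{ caddy_ca_url }}'\
+-root=/var/tmp
+ExecReload=/bin/kill -USR1 $MAINPID
+; Use graceful shutdown with a reasonable timeout
+KillMode=mixed
+KillSignal=SIGQUIT
+TimeoutStopSec=5s
+; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
+LimitNOFILE=1048576
+; Unmodified caddy is not expected to use more than that.
+LimitNPROC=64
+; Use private /tmp and /var/tmp, which are discarded after caddy stops.
+PrivateTmp=true
+; Use a minimal /dev
+PrivateDevices=true
+; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+;ProtectHome=true
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+; The following additional security directives only work with systemd v229 or later.
+; They further retrict privileges that can be gained by caddy. Uncomment if you like.
+; Note that you may have to add capabilities required by any plugins in use.
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+[Install]
+WantedBy=multi-user.target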
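Review bot: `ProtectHome=true` is left commented out because `CADDYPATH=/home/{{ caddy_user }}/certs` and `caddy_restic_path` live under /home, so the one hardening directive the unit's own comment singles out is defeated by the path choice; move the state to `/var/lib/caddy` (`Environment=CADDYPATH=/var/lib/caddy/certs`, restic under `/var/lib/caddy/restic`) and enable `ProtectHome=true`, which systemd 229 on xenial supports. The `; Unmodified caddy is not expected to use more than that.` note above `LimitNPROC=64` is no longer accurate since plugins.patch adds `caddy-cgi`, which forks per request when a `cgi` directive is configured; say so in the comment, or drop the plugin. `-root=/var/tmp` together with `PrivateTmp=true` means an unmatched host is served from an empty private directory, which is a reasonable safe default but deserves a one-line comment so nobody "fixes" it.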

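--- a/roles/caddy/templates/common.caddy.tmpl
+++ b/roles/caddy/templates/common.caddy.tmpl
@@ -0,0 +1,3 @@
+log stdout
+prometheus
+header / X-klingt-net-version "{{ domain_version }}"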
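Review bot: `header / X-klingt-net-version "{{ domain_version }}"` advertises the deployed git revision (`git describe --always --tags` in the playbook) to every anonymous client on every vhost, including the unauthenticated `:80` redirect blocks that import this snippet; that tells an attacker exactly which revision of this repository is running, for no operational gain on the public side. If it is needed for debugging, emit it only on the authenticated vhosts or behind a loopback-only site, otherwise drop the line. Worth noting in a comment that `prometheus` is also imported into the `:80` blocks, so redirect traffic is counted in the metrics.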

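--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@@ -0,0 +1,8 @@
+#user_name: default_user
+#user_password: ThisIsInsecure
+#user_email: user@email-provider.com
+locale: en_US.UTF-8
+domain: klingt.net
+domain_version: unknown-version
+db_name: klingt-net
+#db_password: password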

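--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -0,0 +1,6 @@
+- name: Restart journal process
+listen: restart-journald
+become: true
+systemd:
+name: systemd-journald
+state: restarted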

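--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -0,0 +1,42 @@
+- name: "Generate {{ locale }}"
+locale_gen:
+name: "{{ locale }}"
+state: present
+- name: "Set {{ locale }}"
+become: true
+command: "update-locale LANG={{ locale }}"
+- name: Set timezone to UTC
+timezone:
+name: Etc/UTC
+- name: Create systemd-journald log path
+become: true
+file:
+path: /var/log/journal
+state: directory
+mode: 0600
+notify: restart-journald
+- name: Update package index
+apt: update_cache=yes package=sudo
+become: true
+- name: Check wheel group
+become: true
+group:
+name: wheel
+state: present
+- name: Allow wheel to sudo (with password)
+become: true
+lineinfile:
+dest: /etc/sudoers
+state: present
+backup: true
+regexp: '^#\s*%wheel\s+ALL=\(ALL\)\s+ALL$'
+line: '%wheel ALL=(ALL) ALL'
+- name: "Create user {{ user_name }}"
+become: true
+user:
+name: "{{ user_name }}"
+comment: "{{ user_email }}"
+append: true
+groups: wheel
+# http://docs.ansible.com/ansible/user_module.html
+password: "{{ user_password }}"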
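Review bot: `password: "{{ user_password }}"` hands the user module a plaintext value, but the module stores the string verbatim in /etc/shadow as if it were already a crypt hash, so the account cannot log in with that password and Ansible warns that the input does not look hashed; use `password: "{{ user_password | password_hash('sha512') }}"` together with `update_password: on_create` so a fresh salt does not rewrite the hash on every run. The `/etc/sudoers` edit has no `validate: '/usr/sbin/visudo -cf %s'`, so one bad line locks sudo out of the box — and since Ubuntu's sudoers ships `%sudo`/`%admin` rather than a commented `%wheel` entry, the regexp never matches and lineinfile appends the line, which works but should be stated in the task name. `/var/log/journal` is created with `mode: 0600` on a directory, which removes the search bit and denies the `systemd-journal` group (every non-root `journalctl` user) access; journald expects `mode: 02755`, `group: systemd-journal`, or simply `systemd-tmpfiles --create --prefix /var/log/journal` after creating it. `locale_gen` and `timezone` write system files but run without `become: true`.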

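--- a/roles/gitea/defaults/main.yml
+++ b/roles/gitea/defaults/main.yml
@@ -0,0 +1,7 @@
+gitea_user: gitea
+gitea_group: gitea
+gitea_db_name: gitea
+gitea_path: /usr/bin/gitea
+gitea_port: 10000
+#gitea_db_password: password
+#gitea_admin_password: password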

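--- a/roles/gitea/handlers/main.yml
+++ b/roles/gitea/handlers/main.yml
@@ -0,0 +1,7 @@
+- name: Restart gitea
+listen: restart-gitea
+become: true
+systemd:
+daemon_reload: true
+name: gitea
+state: restarted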

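--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
@@ -0,0 +1,88 @@
+# GITEA
+- name: Build gitea
+command: make -C ./build/gitea
+delegate_to: localhost
+- name: Install gitea
+become: true
+copy:
+src: ./build/gitea/gitea
+dest: "{{ gitea_path }}"
+mode: 0755
+- name: Install gitea systemd unit
+become: true
+template:
+src: gitea.service.tmpl
+dest: /etc/systemd/system/gitea.service
+mode: 0600
+notify: restart-gitea
+- name: "Create group {{ gitea_group }}"
+become: true
+group:
+name: "{{ gitea_group }}"
+- name: "Create user {{ gitea_user }}"
+become: true
+user:
+name: "{{ gitea_user }}"
+comment: "Gitea run user"
+append: true
+group: "{{ gitea_group }}"
+# needs a shell because of git
+- name: Create gitea folder
+become: true
+become_user: "{{ gitea_user }}"
+file:
+path: "/home/{{ gitea_user }}/gitea/{{ item }}"
+state: directory
+mode: 0700
+with_items:
+- repos
+- logs
+- custom/conf
+- name: Create postgres user gitea
+become: true
+become_user: postgres
+postgresql_user:
+name: gitea
+password: "{{ gitea_db_password }}"
+- name: "Create database {{ gitea_db_name }}"
+become: true
+become_user: "postgres"
+postgresql_db:
+name: gitea
+owner: "{{ gitea_db_name }}"
+state: present
+- name: Create gitea configuration
+become: true
+template:
+src: app.ini.tmpl
+dest: /home/gitea/gitea/custom/conf/app.ini
+mode: 0600
+owner: "{{ gitea_user }}"
+notify: restart-gitea
+- name: Start gitea
+become: true
+systemd:
+daemon_reload: yes
+name: gitea
+state: started
+enabled: true
+- name: Wait for Gitea to startup
+uri:
+url: "http://127.0.0.1:{{ gitea_port }}/"
+status_code: 200
+register: result
+until: result.status == 200
+retries: 3
+delay: 1
+- name: Check if gitea admin user was created
+become: true
+become_user: "{{ gitea_user }}"
+command: "psql 'postgresql://{{ gitea_user }}:{{ gitea_db_password }}@localhost/{{ gitea_db_name }}' --no-align --tuples-only --quiet --command 'select exists (select 1 from \"user\" where is_admin);'"
+register: gitea_admin_check
+- name: "Create gitea admin user {{ user_name }}"
+become: true
+become_user: gitea
+command: "gitea admin create-user --name {{ user_name }} --password {{ gitea_admin_password }} --email {{ user_email }} --admin --config ./gitea/custom/conf/app.ini"
+args:
+chdir: "/home/{{ gitea_user }}"
+when: gitea_admin_check.stdout.strip() == 'f'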
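Review bot: `gitea_db_password` is interpolated into the `psql 'postgresql://...'` command line and `gitea_admin_password` into `gitea admin create-user --password ...`, so both secrets are visible in `ps` on the host while the commands run, in the controller's output whenever the Makefile's `--verbose` is in effect, and in any log or `.retry` capture; neither task sets `no_log: true`. Pass the database password out of band — `environment: { PGPASSWORD: "{{ gitea_db_password }}" }` with `psql 'postgresql://{{ gitea_user }}@localhost/{{ gitea_db_name }}'` — and add `no_log: true` to both tasks; the admin password still has to travel via argv because the gitea CLI offers no other input, so treat it as an initial password and rotate it after first login. `postgresql_db` sets `owner: "{{ gitea_db_name }}"` where the role user `{{ gitea_user }}` is meant; it only works because both default to `gitea`. `Build gitea` runs `make` on every play without `changed_when: false`, and the startup wait allows 3 retries at 1 s, which is tight for a first boot that may still be initialising the database.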

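--- a/roles/gitea/templates/app.ini.tmpl
+++ b/roles/gitea/templates/app.ini.tmpl
@@ -0,0 +1,52 @@
+APP_NAME = Gitea
+RUN_USER = {{ gitea_user }}
+RUN_MODE = prod
+[database]
+DB_TYPE = postgres
+HOST = 127.0.0.1:5432
+NAME = {{ gitea_db_name }}
+USER = {{ gitea_user }}
+PASSWD = {{ gitea_db_password }}
+SSL_MODE = disable
+[repository]
+ROOT = /home/{{ gitea_user }}/gitea/repos
+[server]
+SSH_DOMAIN = localhost
+HTTP_PORT = {{ gitea_port }}
+ROOT_URL = http://localhost:{{ gitea_port }}/
+DISABLE_SSH = false
+SSH_PORT = 22
+LFS_START_SERVER = false
+OFFLINE_MODE = false
+[mailer]
+ENABLED = false
+[service]
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+DISABLE_REGISTRATION = true
+ENABLE_CAPTCHA = false
+REQUIRE_SIGNIN_VIEW = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+NO_REPLY_ADDRESS = noreply.example.org
+[picture]
+DISABLE_GRAVATAR = false
+ENABLE_FEDERATED_AVATAR = false
+[session]
+PROVIDER = file
+[log]
+MODE = console
+LEVEL = Info
+ROOT_PATH = /home/gitea/gitea/logs
+[security]
+INSTALL_LOCK = true
+# TODO change this
+SECRET_KEY = {{ gitea_secret }}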
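Review bot: `[server]` sets no `HTTP_ADDR`, and Gitea's default is `0.0.0.0`, so the instance listens on every interface on `{{ gitea_port }}` and is reachable directly, bypassing the Caddy TLS layer (the grafana role sets `grafana_address: 127.0.0.1` for exactly this reason); add `HTTP_ADDR = 127.0.0.1` next to `HTTP_PORT`. `ROOT_URL = http://localhost:{{ gitea_port }}/` and `SSH_DOMAIN = localhost` are what Gitea uses to build redirects and clone URLs, so users behind the proxy are handed `localhost` links — set `ROOT_URL = https://git.{{ domain }}/` and `SSH_DOMAIN = git.{{ domain }}`. The `# TODO change this` above `SECRET_KEY` is stale now that the value is templated; either delete it or replace it with what is actually required, e.g. `# gitea_secret: long random string from vault_vars.yml; changing it invalidates existing sessions`. `ROOT_PATH = /home/gitea/gitea/logs` and the `dest` in the role hard-code `gitea` where `{{ gitea_user }}` is used everywhere else.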

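--- a/roles/gitea/templates/gitea.service.tmpl
+++ b/roles/gitea/templates/gitea.service.tmpl
@@ -0,0 +1,20 @@
+[Unit]
+Description=gitea - A painless self-hosted Git service
+Documentation=https://gitea.io/
+After=postgresql.target
+Wants=network-online.target systemd-networkd-wait-online.service sshd.service
+[Service]
+Restart=on-abnormal
+ExecStart={{ gitea_path }} web --port {{ gitea_port }} --config /home/{{ gitea_user }}/gitea/custom/conf/app.ini
+User={{ gitea_user }}
+Group={{ gitea_group }}
+WorkingDirectory=/home/{{ gitea_user }}/gitea
+PrivateTmp=true
+PrivateDevices=true
+ProtectSystem=full
+NoNewPrivileges=true
+[Install]
+WantedBy=multi-user.target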
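Review bot: `After=postgresql.target` orders against a unit that does not exist on Ubuntu (the database is `postgresql.service`), and systemd silently ignores ordering against unknown units, so on boot gitea can start before its database, fail, and — with `Restart=on-abnormal` — not be retried after a clean exit. Use `After=network-online.target postgresql.service` and add `postgresql.service` to `Wants=` (or `Requires=` if gitea should stop with the database). Because every writable path sits under `/home/{{ gitea_user }}`, `ProtectHome=true` cannot be enabled here; moving repos, logs and config to `/var/lib/gitea` would allow it, as the caddy unit's comments already recommend.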

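--- a/roles/grafana/defaults/main.yml
+++ b/roles/grafana/defaults/main.yml
@@ -0,0 +1,11 @@
+grafana_user: grafana
+grafana_group: grafana
+grafana_address: 127.0.0.1
+grafana_port: 10002
+grafana_db_name: grafana
+grafana_db_password: ThisIsInsecure
+grafana_domain: "grafana.{{ domain }}"
+#grafana_password: password
+node_exporter_path: /usr/bin/node_exporter
+node_exporter_port: 9091
+node_exporter_address: "127.0.0.1:{{ node_exporter_port }}"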
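Review bot: `grafana_db_password: ThisIsInsecure` is a live default that the grafana role passes to `postgresql_user`, whereas every other password in this commit is a commented-out hint that forces the vault to supply a value; comment it out the same way (`#grafana_db_password: ...`) so a deploy missing the vault entry fails at template time instead of creating a database role with a publicly known password. `node_exporter_port: 9091` departs from node_exporter's conventional 9100 (9091 is usually the pushgateway), which is fine on loopback but deserves a comment so the prometheus scrape config and this value stay in step.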

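--- a/roles/grafana/handlers/main.yml
+++ b/roles/grafana/handlers/main.yml
@@ -0,0 +1,7 @@
+- name: Restart grafana
+listen: restart-grafana
+become: true
+systemd:
+daemon_reload: true
+name: grafana
+state: restarted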

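--- a/roles/grafana/tasks/main.yml
+++ b/roles/grafana/tasks/main.yml
@@ -0,0 +1,77 @@
+- name: "Create group {{ grafana_group }}"
+become: true
+group:
+name: "{{ grafana_group }}"
+- name: Create grafana user
+become: true
+user:
+name: "{{ grafana_user }}"
+comment: "Grafana run user"
+append: true
+group: "{{ grafana_group }}"
+shell: /bin/false
+- name: Create postgres user grafana
+become: true
+become_user: postgres
+postgresql_user:
+name: grafana
+password: "{{ grafana_db_password }}"
+- name: Build grafana
+command: make -C ./build/grafana
+delegate_to: localhost
+- name: Create grafana homepath
+become: true
+file:
+path: /usr/share/grafana
+state: directory
+mode: 0755
+- name: Install grafana
+become: true
+# copy does not scale for directories
+synchronize:
+src: "./build/grafana/grafana/{{ item.src }}"
+dest: "{{ item.dest }}"
+with_items:
+- { src: 'bin/grafana-server', dest: '/usr/bin/grafana-server' }
+- { src: 'conf', dest: '/usr/share/grafana' }
+- { src: 'public', dest: '/usr/share/grafana' }
+- name: Create grafana config path
+become: true
+file:
+path: /etc/grafana
+state: directory
+mode: 0755
+- name: Install grafana configuration
+become: true
+template:
+src: config.ini.tmpl
+dest: /etc/grafana/config.ini
+mode: 0644
+notify: restart-grafana
+- name: Install grafana systemd unit
+become: true
+template:
+src: grafana.service.tmpl
+dest: /etc/systemd/system/grafana.service
+mode: 0600
+notify: restart-grafana
+- name: Create postgres user grafana
+become: true
+become_user: postgres
+postgresql_user:
+name: grafana
+password: "{{ grafana_db_password }}"
+- name: "Create database {{ grafana_db_name }}"
+become: true
+become_user: "postgres"
+postgresql_db:
+name: grafana
+owner: "{{ grafana_db_name }}"
+state: present
+- name: Start grafana
+become: true
+systemd:
+daemon_reload: yes
+name: grafana
+state: started
+enabled: true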
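Review bot: `/etc/grafana/config.ini` is written with `mode: 0644`, i.e. world-readable, and the template's `[database]` section (cut off at the end of this page) presumably carries `grafana_db_password`; use `mode: 0640`, `owner: root`, `group: "{{ grafana_group }}"` so only the service user can read it, matching the 0600 used for the gitea `app.ini`. The `Create postgres user grafana` task appears twice (once before `Build grafana`, again before `Create database`); the duplicate is harmless but misleading and should be removed. As in the gitea role, `postgresql_db` uses `owner: "{{ grafana_db_name }}"` where `{{ grafana_user }}` is meant, and `Build grafana` runs `make` on every play without `changed_when: false`, so the play always reports a change.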

+ 406
- 0
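--- a/roles/grafana/templates/config.ini.tmpl
+++ b/roles/grafana/templates/config.ini.tmpl
@@ -0,0 +1,406 @@
+##################### Grafana Configuration Example #####################
+#
+# Everything has defaults so you only need to uncomment things you want to
+# change
+# possible values : production, development
+; app_mode = production
+# instance name, defaults to HOSTNAME environment variable value or hostname if HOSTNAME var is empty
+; instance_name = ${HOSTNAME}
+#################################### Paths ####################################
+[paths]
+# Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
+#
+;data = /var/lib/grafana
+#
+# Directory where grafana can store logs
+#
+;logs = /var/log/grafana
+#
+# Directory where grafana will automatically scan and look for plugins
+#
+;plugins = /var/lib/grafana/plugins
+#
+#################################### Server ####################################
+[server]
+# Protocol (http, https, socket)
+;protocol = http
+# The ip address to bind to, empty will bind to all interfaces
+http_addr = {{ grafana_address }}
+# The http port to use
+http_port = {{ grafana_port }}
+# The public facing domain name used to access grafana from a browser
+domain = {{ grafana_domain }}
+# Redirect to correct domain if host header does not match domain
+# Prevents DNS rebinding attacks
+;enforce_domain = false
+# The full public facing url you use in browser, used for redirects and emails
+# If you use reverse proxy and sub path specify full url (with sub path)
+root_url = http://{{ grafana_domain }}
+# Log web requests
+;router_logging = false
+# the path relative working path
+;static_root_path = public
+# enable gzip
+enable_gzip = true
+# https certs & key file
+;cert_file =
+;cert_key =
+# Unix socket path
+;socket =
+#################################### Database ####################################
+[database]
+# You can configure the database connection by specifying type, host, name, user and password
+# as seperate properties or as on string using the url propertie.
+# Either "mysql", "postgres" or "sqlite3", it's your choice
+;type = sqlite3
+;host = 127.0.0.1:3306
+;name = grafana
+;user = root
+# If the password contains # or ; you have to wrap it with trippel quotes. Ex """#password;"""
+;password =
+# Use either URL or the previous fields to configure the database
+# Example: mysql://user:secret@host:port/database
+url = postgres://{{ grafana_user }}:{{ grafana_db_password }}@{{ postgres_host }}:{{ postgres_port }}/{{ grafana_db_name }}
+# For "postgres" only, either "disable", "require" or "verify-full"
+;ssl_mode = disable
+# For "sqlite3" only, path relative to data_path setting
+;path = grafana.db
+# Max conn setting default is 0 (mean not set)
+;max_idle_conn =
+;max_open_conn =
+#################################### Session ####################################
+[session]
+# Either "memory", "file", "redis", "mysql", "postgres", default is "file"
+provider = memory
+# Provider config options
+# memory: not have any config yet
+# file: session dir path, is relative to grafana data_path
+# redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=grafana`
+# mysql: go-sql-driver/mysql dsn config string, e.g. `user:password@tcp(127.0.0.1:3306)/database_name`
+# postgres: user=a password=b host=localhost port=5432 dbname=c sslmode=disable
+;provider_config = sessions
+# Session cookie name
+;cookie_name = grafana_sess
+# If you use session in https only, default is false
+;cookie_secure = false
+# Session life time, default is 86400
+;session_life_time = 86400
+#################################### Data proxy ###########################
+[dataproxy]
+# This enables data proxy logging, default is false
+;logging = false
+#################################### Analytics ####################################
+[analytics]
+# Server reporting, sends usage counters to stats.grafana.org every 24 hours.
+# No ip addresses are being tracked, only simple counters to track
+# running instances, dashboard and error counts. It is very helpful to us.
+# Change this option to false to disable reporting.
+;reporting_enabled = true
+# Set to false to disable all checks to https://grafana.net
+# for new vesions (grafana itself and plugins), check is used
+# in some UI views to notify that grafana or plugin update exists
+# This option does not cause any auto updates, nor send any information
+# only a GET request to http://grafana.com to get latest versions
+;check_for_updates = true
+# Google Analytics universal tracking code, only enabled if you specify an id here
+;google_analytics_ua_id =
+#################################### Security ####################################
+[security]
+# default admin user, created on startup
+;admin_user = admin
+# default admin password, can be changed before first start of grafana, or in profile settings
+admin_password = {{ grafana_password }}
+# used for signing
+;secret_key = SW2YcwTIb9zpOOhoPsMm
+# Auto-login remember days
+;login_remember_days = 7
+;cookie_username = grafana_user
+;cookie_remember_name = grafana_remember
+# disable gravatar profile images
+;disable_gravatar = false
+# data source proxy whitelist (ip_or_domain:port separated by spaces)
+;data_source_proxy_whitelist =
+[snapshots]
+# snapshot sharing options
+external_enabled = false
+;external_snapshot_url = https://snapshots-origin.raintank.io
+;external_snapshot_name = Publish to snapshot.raintank.io
+# remove expired snapshot
+;snapshot_remove_expired = true
+# remove snapshots after 90 days
+;snapshot_TTL_days = 90
+#################################### Users ####################################
+[users]
+# disable user signup / registration
+allow_sign_up = false
+# Allow non admin users to create organizations
+allow_org_create = false
+# Set to true to automatically assign new users to the default organization (id 1)
+;auto_assign_org = true
+# Default role new users will be automatically assigned (if disabled above is set to true)
+;auto_assign_org_role = Viewer
+# Background text for the user field on the login page
+;login_hint = email or username
+# Default UI theme ("dark" or "light")
+;default_theme = dark
+[auth]
+# Set to true to disable (hide) the login form, useful if you use OAuth, defaults to false
+;disable_login_form = false
+# Set to true to disable the signout link in the side menu. useful if you use auth.proxy, defaults to false
+;disable_signout_menu = false
+#################################### Anonymous Auth ##########################
+[auth.anonymous]
+# enable anonymous access
+;enabled = false
+# specify organization name that should be used for unauthenticated users
+;org_name = Main Org.
+# specify role for unauthenticated users
+;org_role = Viewer
+#################################### Github Auth ##########################
+[auth.github]
+;enabled = false
+;allow_sign_up = true
+;client_id = some_id
+;client_secret = some_secret
+;scopes = user:email,read:org
+;auth_url = https://github.com/login/oauth/authorize
+;token_url = https://github.com/login/oauth/access_token
+;api_url = https://api.github.com/user
+;team_ids =
+;allowed_organizations =
+#################################### Google Auth ##########################
+[auth.google]
+;enabled = false
+;allow_sign_up = true
+;client_id = some_client_id
+;client_secret = some_client_secret
+;scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
+;auth_url = https://accounts.google.com/o/oauth2/auth
+;token_url = https://accounts.google.com/o/oauth2/token
+;api_url = https://www.googleapis.com/oauth2/v1/userinfo
+;allowed_domains =
+#################################### Generic OAuth ##########################
+[auth.generic_oauth]
+;enabled = false
+;name = OAuth
+;allow_sign_up = true
+;client_id = some_id
+;client_secret = some_secret
+;scopes = user:email,read:org
+;auth_url = https://foo.bar/login/oauth/authorize
+;token_url = https://foo.bar/login/oauth/access_token
+;api_url = https://foo.bar/user
+;team_ids =
+;allowed_organizations =
+#################################### Grafana.com Auth ####################
+[auth.grafana_com]
+;enabled = false
+;allow_sign_up = true
+;client_id = some_id
+;client_secret = some_secret
+;scopes = user:email
+;allowed_organizations =
+#################################### Auth Proxy ##########################
+[auth.proxy]
+;enabled = false
+;header_name = X-WEBAUTH-USER
+;header_property = username
+;auto_sign_up = true
+;ldap_sync_ttl = 60
+;whitelist = 192.168.1.1, 192.168.2.1
+#################################### Basic Auth ##########################
+[auth.basic]
+;enabled = true
+#################################### Auth LDAP ##########################
+[auth.ldap]
+;enabled = false
+;config_file = /etc/grafana/ldap.toml
+;allow_sign_up = true
+#################################### SMTP / Emailing ##########################
+[smtp]
+;enabled = false
+;host = localhost:25
+;user =
+# If the password contains # or ; you have to wrap it with trippel quotes. Ex """#password;"""
+;password =
+;cert_file =
+;key_file =
+;skip_verify = false
+;from_address = admin@grafana.localhost
+;from_name = Grafana
+[emails]
+;welcome_email_on_sign_up = false
+#################################### Logging ##########################
+[log]
+# Either "console", "file", "syslog". Default is console and file
+# Use space to separate multiple modes, e.g. "console file"
+;mode = console
+# Either "debug", "info", "warn", "error", "critical", default is "info"
+;level = info
+# optional settings to set different levels for specific loggers. Ex filters = sqlstore:debug
+;filters =
+# For "console" mode only
+[log.console]
+;level =
+# log line format, valid options are text, console and json
+;format = console
+# For "file" mode only
+[log.file]
+;level =
+# log line format, valid options are text, console and json
+;format = text
+# This enables automated log rotate(switch of following options), default is true
+;log_rotate = true
+# Max line number of single file, default is 1000000
+;max_lines = 1000000
+# Max size shift of single file, default is 28 means 1 << 28, 256MB
+;max_size_shift = 28
+# Segment log daily, default is true
+;daily_rotate = true
+# Expired days of log file(delete after max days), default is 7
+;max_days = 7
+[log.syslog]
+;level =
+# log line format, valid options are text, console and json
+;format = text
+# Syslog network type and address. This can be udp, tcp, or unix. If left blank, the default unix endpoints will be used.
+;network =
+;address =
+# Syslog facility. user, daemon and local0 through local7 are valid.
+;facility =
+# Syslog tag. By default, the process' argv[0] is used.
+;tag =
+#################################### AMQP Event Publisher ##########################
+[event_publisher]
+;enabled = false
+;rabbitmq_url = amqp://localhost/
+;exchange = grafana_events
+;#################################### Dashboard JSON files ##########################
+[dashboards.json]
+;enabled = false
+;path = /var/lib/grafana/dashboards
+#################################### Alerting ############################
+[alerting]
+# Disable alerting engine & UI features
+;enabled = true
+# Makes it possible to turn off alert rule execution but alerting UI is visible
+;execute_alerts = true
+#################################### Internal Grafana Metrics ##########################
+# Metrics available at HTTP API Url /api/metrics
+[metrics]
+# Disable / Enable internal metrics
+;enabled = true
+# Publish interval
+;interval_seconds = 10
+# Send internal metrics to Graphite
+[metrics.graphite]
+# Enable by setting the address setting (ex localhost:2003)
+;address =
+;prefix = prod.grafana.%(instance_name)s.
+#################################### Grafana.com integration ##########################
+# Url used to to import dashboards directly from Grafana.com
+[grafana_com]
+;url = https://grafana.com
+#################################### External image storage ##########################
+[external_image_storage]
+# Used for uploading images to public servers so they can be included in slack/email messages.
+# you can choose between (s3, webdav)
+;provider =
+[external_image_storage.s3]
+;bucket_url =
+;access_key =
+;secret_key =
+[external_image_storage.webdav]
+;url =
+;public_url =
+;username =
+;password =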
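Review bot: `secret_key` under [security] is left commented out, so Grafana falls back to its shipped default, which is the same publicly known `SW2YcwTIb9zpOOhoPsMm` value printed on the example line; the comment above it says this key is used for signing, so it should be rendered from a vaulted variable instead, e.g. `secret_key = {{ grafana_secret_key }}` with a new grafana_secret_key entry in the role defaults (placeholder name, pick whatever fits the role's naming). The rendered file embeds `admin_password` and the database password inside the `url` DSN, yet roles/grafana/tasks/main.yml installs it with `mode: 0644`, so every local account can read both secrets; `mode: 0640` with `owner: root` and `group: "{{ grafana_group }}"` is enough for grafana-server to read it. `root_url = http://{{ grafana_domain }}` and the commented `cookie_secure = false` should be revisited if the Caddy role in this commit terminates TLS in front of Grafana — in that case `root_url = https://{{ grafana_domain }}` and `cookie_secure = true` keep the session cookie off plain HTTP; I cannot tell from this file alone whether that is the deployment shape.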

+ 19
- 0
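--- a/roles/grafana/templates/grafana.service.tmpl
+++ b/roles/grafana/templates/grafana.service.tmpl
@@ -0,0 +1,19 @@
+[Unit]
+Description=grafana - monitoring and metric analytics & dashboards
+Documentation=https://grafana.org/
+After=prometheus.target
+Wants=network-online.target systemd-networkd-wait-online.service
+[Service]
+Restart=on-abnormal
+ExecStart=/usr/bin/grafana-server -homepath=/usr/share/grafana -config=/etc/grafana/config.ini
+User={{ grafana_user }}
+Group={{ grafana_group }}
+PrivateTmp=true
+PrivateDevices=true
+ProtectSystem=full
+NoNewPrivileges=true
+[Install]
+WantedBy=multi-user.target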
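Review bot: `Wants=network-online.target systemd-networkd-wait-online.service` pulls those units in but does not order grafana-server after them, because the only ordering given is `After=prometheus.target`; `Wants=` on its own is a dependency, not a sequencing guarantee. Change the line to `After=network-online.target prometheus.target` and keep the `Wants=` line as is. `prometheus.target` also looks suspicious: unless another role in this repository defines a target by that name, it is probably meant to be `prometheus.service`, and systemd silently ignores unknown units in `After=`, so the intended ordering would never apply. Since the process runs as an unprivileged user with `ProtectSystem=full` and has no reason to touch home directories, adding `ProtectHome=true` costs nothing and narrows what a compromised server process can read.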

+ 20
- 0
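--- a/roles/grafana/templates/jupyter.service.tmpl
+++ b/roles/grafana/templates/jupyter.service.tmpl
@@ -0,0 +1,20 @@
+[Unit]
+Description=jupyter - Python notebook server
+Documentation=http://jupyter.github.io/
+After=network-online.target
+Wants=systemd-networkd-wait-online.service
+[Service]
+Restart=on-abnormal
+ExecStart=/home/{{ jupyter_user }}/.local/bin/jupyter notebook
+User={{ jupyter_user }}
+Group={{ jupyter_group }}
+WorkingDirectory=/home/{{ jupyter_user }}
+PrivateTmp=true
+PrivateDevices=true
+ProtectSystem=full
+NoNewPrivileges=true
+[Install]
+WantedBy=multi-user.target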
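Review bot: This unit (and the companion jupyter_notebook_config.py.tmpl) lives under roles/grafana/templates but starts a Jupyter notebook server, and none of the tasks in roles/grafana/tasks/main.yml in this commit render or enable it, so as committed both files are dead templates; either move them to a dedicated role or add the template/systemd tasks that use them. `ProtectHome=` is necessarily absent because the binary and `WorkingDirectory` are under `/home/{{ jupyter_user }}`, but a notebook server executes whatever Python its users submit, so on systemd versions that support it `ProtectHome=tmpfs` together with `BindPaths=/home/{{ jupyter_user }}` would hide every other user's home directory from notebook code while keeping the service's own. The notebook config in this same commit sets `c.NotebookApp.ip = '0.0.0.0'` with `certfile` left unset; unless Caddy fronts that port and the backend port is not reachable from outside the host, the notebook password is sent in clear, which is worth stating in the role README or fixing with a loopback bind.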

+ 605
- 0
roles/grafana/templates/jupyter_notebook_config.py.tmpl View File

@ -0,0 +1,605 @@
# Configuration file for jupyter-notebook.
#------------------------------------------------------------------------------
# Application(SingletonConfigurable) configuration
#------------------------------------------------------------------------------
## This is an application.
## The date format used by logging formatters for %(asctime)s
#c.Application.log_datefmt = '%Y-%m-%d %H:%M:%S'
## The Logging format template
#c.Application.log_format = '[%(name)s]%(highlevel)s %(message)s'
## Set the log level by value or name.
#c.Application.log_level = 30
#------------------------------------------------------------------------------
# JupyterApp(Application) configuration
#------------------------------------------------------------------------------
## Base class for Jupyter applications
## Answer yes to any prompts.
c.JupyterApp.answer_yes = True
## Full path of a config file.
#c.JupyterApp.config_file = ''
## Specify a config file to load.
#c.JupyterApp.config_file_name = ''
## Generate default config file.
c.JupyterApp.generate_config = False
#------------------------------------------------------------------------------
# NotebookApp(JupyterApp) configuration
#------------------------------------------------------------------------------
## Set the Access-Control-Allow-Credentials: true header
#c.NotebookApp.allow_credentials = False
## Set the Access-Control-Allow-Origin header
#
# Use '*' to allow any origin to access your server.
#
# Takes precedence over allow_origin_pat.
#c.NotebookApp.allow_origin = ''
## Use a regular expression for the Access-Control-Allow-Origin header
#
# Requests from an origin matching the expression will get replies with:
#
# Access-Control-Allow-Origin: origin
#
# where `origin` is the origin of the request.
#
# Ignored if allow_origin is set.
#c.NotebookApp.allow_origin_pat = ''
## Whether to allow the user to run the notebook as root.
#c.NotebookApp.allow_root = False
## DEPRECATED use base_url
#c.NotebookApp.base_project_url = '/'
## The base URL for the notebook server.
#
# Leading and trailing slashes can be omitted, and will automatically be added.
#c.NotebookApp.base_url = '/'
## Specify what command to use to invoke a web browser when opening the notebook.
# If not specified, the default browser will be determined by the `webbrowser`
# standard library module, which allows setting of the BROWSER environment
# variable to override it.
#c.NotebookApp.browser = ''
## The full path to an SSL/TLS certificate file.
#c.NotebookApp.certfile = ''
## The full path to a certificate authority certificate for SSL/TLS client
# authentication.
#c.NotebookApp.client_ca = ''
## The config manager class to use
#c.NotebookApp.config_manager_class = 'notebook.services.config.manager.ConfigManager'
## The notebook manager class to use.
#c.NotebookApp.contents_manager_class = 'notebook.services.contents.largefilemanager.LargeFileManager'
## Extra keyword arguments to pass to `set_secure_cookie`. See tornado's
# set_secure_cookie docs for details.
#c.NotebookApp.cookie_options = {}
## The random bytes used to secure cookies. By default this is a new random
# number every time you start the Notebook. Set it to a value in a config file
# to enable logins to persist across server sessions.
#
# Note: Cookie secrets should be kept private, do not share config files with
# cookie_secret stored in plaintext (you can read the value from a file).
#c.NotebookApp.cookie_secret = b''
## The file where the cookie secret is stored.
#c.NotebookApp.cookie_secret_file = ''
## The default URL to redirect to from `/`
#c.NotebookApp.default_url = '/tree'
## Disable cross-site-request-forgery protection
#
# Jupyter notebook 4.3.1 introduces protection from cross-site request
# forgeries, requiring API requests to either:
#
# - originate from pages served by this server (validated with XSRF cookie and
# token), or - authenticate with a token
#
# Some anonymous compute resources still desire the ability to run code,
# completely without authentication. These services can disable all
# authentication and security checks, with the full knowledge of what that
# implies.
#c.NotebookApp.disable_check_xsrf = False
## Whether to enable MathJax for typesetting math/TeX
#
# MathJax is the javascript library Jupyter uses to render math/LaTeX. It is
# very large, so you may want to disable it if you have a slow internet
# connection, or for offline use of the notebook.
#
# When disabled, equations etc. will appear as their untransformed TeX source.
#c.NotebookApp.enable_mathjax = True
## extra paths to look for Javascript notebook extensions
#c.NotebookApp.extra_nbextensions_path = []
## Extra paths to search for serving static files.
#
# This allows adding javascript/css to be available from the notebook server
# machine, or overriding individual files in the IPython
#c.NotebookApp.extra_static_paths = []
## Extra paths to search for serving jinja templates.
#
# Can be used to override templates from notebook.templates.
#c.NotebookApp.extra_template_paths = []
##
#c.NotebookApp.file_to_run = ''
## Deprecated: Use minified JS file or not, mainly use during dev to avoid JS
# recompilation
#c.NotebookApp.ignore_minified_js = False
## (bytes/sec) Maximum rate at which messages can be sent on iopub before they
# are limited.
#c.NotebookApp.iopub_data_rate_limit = 1000000
## (msgs/sec) Maximum rate at which messages can be sent on iopub before they are
# limited.
#c.NotebookApp.iopub_msg_rate_limit = 1000
## The IP address the notebook server will listen on.
c.NotebookApp.ip = '0.0.0.0'
## Supply extra arguments that will be passed to Jinja environment.
#c.NotebookApp.jinja_environment_options = {}
## Extra variables to supply to jinja templates when rendering.
#c.NotebookApp.jinja_template_vars = {}
## The kernel manager class to use.
#c.NotebookApp.kernel_manager_class = 'notebook.services.kernels.kernelmanager.MappingKernelManager'
## The kernel spec manager class to use. Should be a subclass of
# `jupyter_client.kernelspec.KernelSpecManager`.
#
# The Api of KernelSpecManager is provisional and might change without warning
# between this version of Jupyter and the next stable one.
#c.NotebookApp.kernel_spec_manager_class = 'jupyter_client.kernelspec.KernelSpecManager'
## The full path to a private key file for usage with SSL/TLS.
#c.NotebookApp.keyfile = ''
## The login handler class to use.
#c.NotebookApp.login_handler_class = 'notebook.auth.login.LoginHandler'
## The logout handler class to use.
#c.NotebookApp.logout_handler_class = 'notebook.auth.logout.LogoutHandler'
## The MathJax.js configuration file that is to be used.
#c.NotebookApp.mathjax_config = 'TeX-AMS-MML_HTMLorMML-full,Safe'
## A custom url for MathJax.js. Should be in the form of a case-sensitive url to
# MathJax, for example: /static/components/MathJax/MathJax.js
#c.NotebookApp.mathjax_url = ''
## Dict of Python modules to load as notebook server extensions.Entry values can
# be used to enable and disable the loading ofthe extensions. The extensions
# will be loaded in alphabetical order.
#c.NotebookApp.nbserver_extensions = {}
## The directory to use for notebooks and kernels.
#c.NotebookApp.notebook_dir = ''
## Whether to open in a browser after starting. The specific browser used is
# platform dependent and determined by the python standard library `webbrowser`
# module, unless it is overridden using the --browser (NotebookApp.browser)
# configuration option.
c.NotebookApp.open_browser = False
## Hashed password to use for web authentication.
#
# To generate, type in a python/IPython shell:
#
# from notebook.auth import passwd; passwd()
#
# The string should be of the form type:salt:hashed-password.
c.NotebookApp.password = '{{ jupyter_password }}'
## Forces users to use a password for the Notebook server. This is useful in a
# multi user environment, for instance when everybody in the LAN can access each
# other's machine though ssh.
#
# In such a case, server the notebook server on localhost is not secure since
# any user can connect to the notebook server via ssh.
c.NotebookApp.password_required = True
## The port the notebook server will listen on.
c.NotebookApp.port = {{ jupyter_port }}
## The number of additional ports to try if the specified port is not available.
#c.NotebookApp.port_retries = 0
## DISABLED: use %pylab or %matplotlib in the notebook to enable matplotlib.
#c.NotebookApp.pylab = 'disabled'
## (sec) Time window used to check the message and data rate limits.
#c.NotebookApp.rate_limit_window = 3
## Reraise exceptions encountered loading server extensions?
#c.NotebookApp.reraise_server_extension_failures = False
## DEPRECATED use the nbserver_extensions dict instead
#c.NotebookApp.server_extensions = []
## The session manager class to use.
#c.NotebookApp.session_manager_class = 'notebook.services.sessions.sessionmanager.SessionManager'
## Supply SSL options for the tornado HTTPServer. See the tornado docs for
# details.
#c.NotebookApp.ssl_options = {}
## Supply overrides for terminado. Currently only supports "shell_command".
#c.NotebookApp.terminado_settings = {}
## Token used for authenticating first-time connections to the server.
#
# When no password is enabled, the default is to generate a new, random token.
#
# Setting to an empty string disables authentication altogether, which is NOT
# RECOMMENDED.
# c.NotebookApp.token = ''
## Supply overrides for the tornado.web.Application that the Jupyter notebook
# uses.
#c.NotebookApp.tornado_settings = {}
## Whether to trust or not X-Scheme/X-Forwarded-Proto and X-Real-Ip/X-Forwarded-
# For headerssent by the upstream reverse proxy. Necessary if the proxy handles
# SSL
#c.NotebookApp.trust_xheaders = False
## DEPRECATED, use tornado_settings
#c.NotebookApp.webapp_settings = {}
## The base URL for websockets, if it differs from the HTTP server (hint: it
# almost certainly doesn't).
#
# Should be in the form of an HTTP origin: ws[s]://hostname[:port]
#c.NotebookApp.websocket_url = ''
#------------------------------------------------------------------------------
# ConnectionFileMixin(LoggingConfigurable) configuration
#------------------------------------------------------------------------------
## Mixin for configurable classes that work with connection files
## JSON file in which to store connection info [default: kernel-<pid>.json]
#
# This file will contain the IP, ports, and authentication key needed to connect
# clients to this kernel. By default, this file will be created in the security
# dir of the current profile, but can be specified by absolute path.
#c.ConnectionFileMixin.connection_file = ''
## set the control (ROUTER) port [default: random]
#c.ConnectionFileMixin.control_port = 0
## set the heartbeat port [default: random]
#c.ConnectionFileMixin.hb_port = 0
## set the iopub (PUB) port [default: random]
#c.ConnectionFileMixin.iopub_port = 0
## Set the kernel's IP address [default localhost]. If the IP address is
# something other than localhost, then Consoles on other machines will be able
# to connect to the Kernel, so be careful!
#c.ConnectionFileMixin.ip = ''
## set the shell (ROUTER) port [default: random]
#c.ConnectionFileMixin.shell_port = 0
## set the stdin (ROUTER) port [default: random]
#c.ConnectionFileMixin.stdin_port = 0
##
#c.ConnectionFileMixin.transport = 'tcp'
#------------------------------------------------------------------------------
# KernelManager(ConnectionFileMixin) configuration
#------------------------------------------------------------------------------
## Manages a single kernel in a subprocess on this host.
#
# This version starts kernels with Popen.
## Should we autorestart the kernel if it dies.
#c.KernelManager.autorestart = True
## DEPRECATED: Use kernel_name instead.
#
# The Popen Command to launch the kernel. Override this if you have a custom
# kernel. If kernel_cmd is specified in a configuration file, Jupyter does not
# pass any arguments to the kernel, because it cannot make any assumptions about
# the arguments that the kernel understands. In particular, this means that the
# kernel does not receive the option --debug if it given on the Jupyter command
# line.
#c.KernelManager.kernel_cmd = []