diff --git a/inventory/group_vars/homeserver.yml b/inventory/group_vars/homeserver.yml index 0517db2..3f33826 100644 --- a/inventory/group_vars/homeserver.yml +++ b/inventory/group_vars/homeserver.yml @@ -1,6 +1,10 @@ base_data_dir: /data base_service_dir: /srv + +# Additional open ports jitsi_videobridge_port: 54562 git_ssh_port: 56287 prometheus_port: 8081 traefik_api_port: 8080 + +domain_name_pim: pim.kunis.nl diff --git a/roles/blog/tasks/main.yml b/roles/blog/tasks/main.yml index 3b2c3a3..5684210 100644 --- a/roles/blog/tasks/main.yml +++ b/roles/blog/tasks/main.yml @@ -22,8 +22,8 @@ src: "{{ role_path }}/templates/docker-compose.yml.j2" dest: "{{ service_dir }}/docker-compose.yml" - name: Copy nginx config - copy: - src: "{{ role_path }}/files/nginx.conf" + template: + src: "{{ role_path }}/templates/nginx.conf.j2" dest: "{{ service_dir }}/nginx.conf" register: nginx_conf - name: Start docker compose diff --git a/roles/blog/templates/docker-compose.yml.j2 b/roles/blog/templates/docker-compose.yml.j2 index 5c5fb1c..0b312f0 100644 --- a/roles/blog/templates/docker-compose.yml.j2 +++ b/roles/blog/templates/docker-compose.yml.j2 @@ -14,9 +14,9 @@ services: labels: - traefik.enable=true - traefik.http.routers.blog.entrypoints=websecure - - traefik.http.routers.blog.rule=Host(`pizzapim.nl`) + - traefik.http.routers.blog.rule=Host(`{{ domain_name_pim }}`) - traefik.http.routers.blog.tls=true - - traefik.http.routers.blog.tls.certresolver=pizzapim + - traefik.http.routers.blog.tls.certresolver=letsencrypt - traefik.http.routers.blog.service=blog - traefik.http.services.blog.loadbalancer.server.port=80 diff --git a/roles/blog/files/nginx.conf b/roles/blog/templates/nginx.conf.j2 similarity index 89% rename from roles/blog/files/nginx.conf rename to roles/blog/templates/nginx.conf.j2 index 284340b..41469c8 100644 --- a/roles/blog/files/nginx.conf +++ b/roles/blog/templates/nginx.conf.j2 
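Review bot: The blog router now matches only the apex, `Host(`{{ domain_name_pim }}`)`, while the zone file added later in this commit publishes `www` A/AAAA records for the same address and points every service CNAME at `www.pim.kunis.nl`; a request for `https://www.pim.kunis.nl` therefore reaches Traefik with no matching router and is answered with Traefik's default certificate, which browsers flag as a mismatch. If the name is meant to be reachable, extend the rule to `traefik.http.routers.blog.rule=Host(`{{ domain_name_pim }}`, `www.{{ domain_name_pim }}`)` (Traefik v2 label syntax, as used here) and add a redirectregex middleware to canonicalise; if not, at least document that `www` exists only as a CNAME target. The nginx `server_name` in the companion template does not need the extra name, as it is the only server block in that file and so acts as the default.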
@@ -1,6 +1,6 @@ server { listen 80; - server_name pizzapim.nl; + server_name {{ domain_name_pim }}; index index.html index.htm; root /var/www/blog; diff --git a/roles/blog/vars/main.yml b/roles/blog/vars/main.yml index d477600..aa1f151 100644 --- a/roles/blog/vars/main.yml +++ b/roles/blog/vars/main.yml @@ -1,3 +1,3 @@ service_name: blog service_dir: "{{ base_service_dir }}/{{ service_name }}" -git_origin: https://git.pizzapim.nl/pim/blog.git +git_origin: https://git.pim.kunis.nl/pim/blog.git diff --git a/roles/forgejo/templates/app.ini.j2 b/roles/forgejo/templates/app.ini.j2 index dc5dde3..d0ef2ec 100644 --- a/roles/forgejo/templates/app.ini.j2 +++ b/roles/forgejo/templates/app.ini.j2 @@ -13,8 +13,8 @@ TEMP_PATH = /data/gitea/uploads [server] APP_DATA_PATH = /data/gitea -DOMAIN = git.pizzapim.nl -SSH_DOMAIN = git.pizzapim.nl +DOMAIN = {{ git_domain }} +SSH_DOMAIN = {{ git_domain }} HTTP_PORT = 3000 ROOT_URL = {{ forgejo.root_url }} DISABLE_SSH = false diff --git a/roles/forgejo/templates/docker-compose.yml.j2 b/roles/forgejo/templates/docker-compose.yml.j2 index 88dccec..91ecb6d 100644 --- a/roles/forgejo/templates/docker-compose.yml.j2 +++ b/roles/forgejo/templates/docker-compose.yml.j2 @@ -22,9 +22,9 @@ services: labels: - traefik.enable=true - traefik.http.routers.forgejo.entrypoints=websecure - - traefik.http.routers.forgejo.rule=Host(`git.pizzapim.nl`) + - traefik.http.routers.forgejo.rule=Host(`{{ git_domain }}`) - traefik.http.routers.forgejo.tls=true - - traefik.http.routers.forgejo.tls.certresolver=pizzapim + - traefik.http.routers.forgejo.tls.certresolver=letsencrypt - traefik.http.routers.forgejo.service=forgejo - traefik.http.services.forgejo.loadbalancer.server.port=3000 diff --git a/roles/forgejo/vars/main.yml b/roles/forgejo/vars/main.yml index f0ac50e..38d58cc 100644 --- a/roles/forgejo/vars/main.yml +++ b/roles/forgejo/vars/main.yml 
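Review bot: `git_origin` re-hard-codes the new hostname as `https://git.pim.kunis.nl/pim/blog.git` even though the rest of this commit derives every name from `domain_name_pim`; writing it as `git_origin: "https://git.{{ domain_name_pim }}/pim/blog.git"` keeps the clone source in step with the forgejo router and DNS records when the domain moves again. The forgejo role's `git_domain` cannot be reused here because it is declared in that role's `vars/main.yml`, which is scoped to the role; if both roles should agree on it, `git_domain` belongs next to `domain_name_pim` in group_vars. Since the blog content is fetched from the self-hosted forge at deploy time, a pinned branch or commit for that clone (not visible in this hunk) would make the deployment reproducible.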
@@ -1,9 +1,11 @@ service_name: forgejo data_dir: "{{ base_data_dir }}/{{ service_name }}" service_dir: "{{ base_service_dir }}/{{ service_name }}" +git_domain: "git.{{ domain_name_pim }}" + forgejo: - root_url: "https://git.pizzapim.nl" + root_url: "https://{{ git_domain }}" mailer_host: "smtp.tweak.nl" mailer_from: "git@kunis.nl" lfs_jwt_secret: !vault | diff --git a/roles/miniflux/meta/main.yml b/roles/freshrss/meta/main.yml similarity index 100% rename from roles/miniflux/meta/main.yml rename to roles/freshrss/meta/main.yml diff --git a/roles/freshrss/templates/docker-compose.yml.j2 b/roles/freshrss/templates/docker-compose.yml.j2 index bab303b..8876319 100644 --- a/roles/freshrss/templates/docker-compose.yml.j2 +++ b/roles/freshrss/templates/docker-compose.yml.j2 @@ -26,10 +26,11 @@ services: labels: - traefik.enable=true - traefik.http.routers.freshrss.entrypoints=websecure - - traefik.http.routers.freshrss.rule=Host(`rss.pizzapim.nl`) + - traefik.http.routers.freshrss.rule=Host(`{{ rss_domain }}`) - traefik.http.routers.freshrss.tls=true - - traefik.http.routers.freshrss.tls.certresolver=pizzapim + - traefik.http.routers.freshrss.tls.certresolver=letsencrypt - traefik.http.routers.freshrss.service=freshrss + - traefik.http.services.freshrss.loadbalancer.server.port=80 networks: traefik: diff --git a/roles/freshrss/vars/main.yml b/roles/freshrss/vars/main.yml index f82e2bc..61af80d 100644 --- a/roles/freshrss/vars/main.yml +++ b/roles/freshrss/vars/main.yml @@ -1,6 +1,7 @@ service_name: freshrss service_dir: "{{ base_service_dir }}/{{ service_name }}" data_dir: "{{ base_data_dir }}/{{ service_name }}" +rss_domain: "rss.{{ domain_name_pim }}" admin_password: !vault | $ANSIBLE_VAULT;1.1;AES256 38363734333534376665616439306566613632303739373661333338356533653334323366326130 diff --git a/roles/jitsi/templates/docker-compose.yml.j2 b/roles/jitsi/templates/docker-compose.yml.j2 index 120fe05..9f42580 100644 --- a/roles/jitsi/templates/docker-compose.yml.j2 
+++ b/roles/jitsi/templates/docker-compose.yml.j2 @@ -25,7 +25,7 @@ services: - traefik.http.routers.jitsi-web.entrypoints=websecure - traefik.http.routers.jitsi-web.rule=Host(`{{ public_domain }}`) - traefik.http.routers.jitsi-web.tls=true - - traefik.http.routers.jitsi-web.tls.certresolver=pizzapim + - traefik.http.routers.jitsi-web.tls.certresolver=letsencrypt - traefik.http.services.jitsi-web.loadbalancer.server.port=80 - traefik.http.routers.jitsi-web.service=jitsi-web - traefik.docker.network=traefik diff --git a/roles/jitsi/vars/main.yml b/roles/jitsi/vars/main.yml index 40453de..b9287a4 100644 --- a/roles/jitsi/vars/main.yml +++ b/roles/jitsi/vars/main.yml @@ -2,7 +2,7 @@ service_name: jitsi service_dir: "{{ base_service_dir }}/{{ service_name }}" data_dir: "{{ base_data_dir }}/{{ service_name }}" -public_domain: "meet.pizzapim.nl" +public_domain: "meet.{{ domain_name_pim }}" jvb_advertise_ips: "84.245.14.149,192.168.30.3" jvb_auth_password: !vault | diff --git a/roles/mastodon/templates/docker-compose.yml.j2 b/roles/mastodon/templates/docker-compose.yml.j2 index 1a01165..a8b1974 100644 --- a/roles/mastodon/templates/docker-compose.yml.j2 +++ b/roles/mastodon/templates/docker-compose.yml.j2 @@ -53,7 +53,7 @@ services: - traefik.http.routers.mastodon.entrypoints=websecure - traefik.http.routers.mastodon.rule=Host(`social.pizzapim.nl`) - traefik.http.routers.mastodon.tls=true - - traefik.http.routers.mastodon.tls.certresolver=pizzapim + - traefik.http.routers.mastodon.tls.certresolver=letsencrypt - traefik.http.services.mastodon.loadbalancer.server.port=3000 - traefik.http.routers.mastodon.service=mastodon - traefik.docker.network=traefik diff --git a/roles/miniflux/tasks/main.yml b/roles/miniflux/tasks/main.yml deleted file mode 100644 index 1930c55..0000000 --- a/roles/miniflux/tasks/main.yml +++ /dev/null 
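Review bot: `jvb_advertise_ips` keeps the public address `84.245.14.149` as a literal in this role while the same address is now written into `roles/nsd/files/zones/pim.kunis.nl` three more times, so a change of address has to be found and edited in several unrelated places. With `domain_name_pim` introduced in group_vars by this commit, a sibling `public_ipv4` (and `public_ipv6`) variable there, consumed as `jvb_advertise_ips: "{{ public_ipv4 }},192.168.30.3"`, would keep the advertised JVB address and the DNS A records from drifting apart. The zone file would need to become a template to consume it, which is also what the nginx config was converted to in this commit.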
@@ -1,17 +0,0 @@ -- name: Create app directory - file: - path: "{{ service_dir }}" - state: directory -- name: Copy Docker Compose script - template: - src: "{{ role_path }}/templates/docker-compose.yml.j2" - dest: "{{ service_dir }}/docker-compose.yml" -- name: Create data directory - file: - path: "{{ data_dir }}" - state: directory -- name: Start the Docker Compose - docker_compose: - project_src: "{{ service_dir }}" - pull: true - remove_orphans: true diff --git a/roles/miniflux/templates/docker-compose.yml.j2 b/roles/miniflux/templates/docker-compose.yml.j2 deleted file mode 100644 index 885ea48..0000000 --- a/roles/miniflux/templates/docker-compose.yml.j2 +++ /dev/null @@ -1,40 +0,0 @@ -version: '3.4' - -services: - miniflux: - image: miniflux/miniflux:latest - container_name: miniflux-web - depends_on: - - db - environment: - - DATABASE_URL=postgres://{{ database_user }}:{{ database_password }}@db/miniflux?sslmode=disable - networks: - - default - - traefik - labels: - - traefik.enable=true - - traefik.http.routers.miniflux.entrypoints=websecure - - traefik.http.routers.miniflux.rule=Host(`rss.pizzapim.nl`) - - traefik.http.routers.miniflux.tls=true - - traefik.http.routers.miniflux.tls.certresolver=pizzapim - - traefik.tcp.routers.miniflux.service=miniflux - - traefik.http.services.miniflux.loadbalancer.server.port=8080 - - db: - image: postgres:15 - container_name: miniflux_db - environment: - - POSTGRES_USER={{ database_user }} - - POSTGRES_PASSWORD={{ database_password }} - volumes: - - {{ data_dir }}:/var/lib/postgresql/data - healthcheck: - test: ["CMD", "pg_isready", "-U", "miniflux"] - interval: 10s - start_period: 30s - networks: - - default - -networks: - traefik: - external: true diff --git a/roles/miniflux/vars/main.yml b/roles/miniflux/vars/main.yml deleted file mode 100644 index d763742..0000000 --- a/roles/miniflux/vars/main.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -service_name: miniflux -service_dir: "{{ base_service_dir }}/{{ service_name }}" -data_dir: "{{ base_data_dir }}/{{ service_name }}" - -database_user: miniflux -database_password: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 61306531373964613837363565376137363538626632613564313266396231346233356130383531 - 3030336565333663643233303034336366326632386666650a303232373838353065333930643633 - 34326663363833303666666538386165613734303939343062376230366666346134626533396165 - 3837383263353264640a633865653865383866303431383762653363656133656135626238366539 - 64633732333230303339626234623534656463353232373234366161356364313566336637316339 - 6634373066326536393064643162663139323835303233333131 diff --git a/roles/nsd/files/nsd.conf b/roles/nsd/files/nsd.conf index f3460bf..60c65a4 100644 --- a/roles/nsd/files/nsd.conf +++ b/roles/nsd/files/nsd.conf @@ -18,3 +18,7 @@ zone: zonefile: geokunis2.nl.signed provide-xfr: 87.253.155.96/27 NOKEY provide-xfr: 157.97.168.160/27 NOKEY + +zone: + name: pim.kunis.nl + zonefile: pim.kunis.nl diff --git a/roles/nsd/files/zones/pim.kunis.nl b/roles/nsd/files/zones/pim.kunis.nl new file mode 100644 index 0000000..937ba4a --- /dev/null +++ b/roles/nsd/files/zones/pim.kunis.nl @@ -0,0 +1,22 @@ +$ORIGIN pim.kunis.nl. +$TTL 60 + +pim.kunis.nl. IN SOA ns.pim.kunis.nl. pim.kunis.nl. 2023020701 1800 3600 1209600 3600 + + NS ns.pim.kunis.nl. + A 84.245.14.149 + AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda + TXT "v=spf1 ~all" + +_dmarc IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;" + +www IN A 84.245.14.149 + AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda +ns IN A 84.245.14.149 + AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda + +social IN CNAME www.pim.kunis.nl. +dav IN CNAME www.pim.kunis.nl. +git IN CNAME www.pim.kunis.nl. +meet IN CNAME www.pim.kunis.nl. +rss IN CNAME www.pim.kunis.nl. diff --git a/roles/nsd/tasks/main.yml b/roles/nsd/tasks/main.yml index 2636079..9f556d4 100644 --- a/roles/nsd/tasks/main.yml 
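Review bot: The new `pim.kunis.nl` zone is served by a single in-bailiwick nameserver and, unlike `geokunis2.nl` directly above it, has no `provide-xfr` entries for secondaries, so the zone has a single point of failure; if that is intentional a one-line comment saying so would help, otherwise a second NS with matching `provide-xfr` lines is the fix. Because `ns.pim.kunis.nl` lives inside the zone it serves, the parent `kunis.nl` must carry glue A/AAAA records for it, which nothing in this repository can provide. The zone is loaded unsigned (`zonefile: pim.kunis.nl` rather than a `.signed` file, and the name is absent from `sign_zones` in roles/nsd/vars/main.yml); that is internally consistent, but it means no DS record may be published at the parent, or validating resolvers will treat the zone as bogus.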
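Review bot: The zone publishes `TXT "v=spf1 ~all"` and no MX record, which marks this as a non-sending domain, yet softfail (`~all`) lets spoofed mail through at many receivers where a hard fail would be rejected; use `TXT "v=spf1 -all"` and add a null MX, `@ IN MX 0 .` (RFC 7505), so delivery attempts are refused outright. The DMARC record's `p=reject` with strict alignment is the right policy for that, and with no DKIM selector published, mail claiming this domain fails both checks, which is the intended outcome. `$TTL 60` is useful during the migration but keeps every resolver re-querying each minute; consider raising it once the records settle. Note also that `social` is added here although the mastodon router in this commit still matches `social.pizzapim.nl` only, so that name will reach Traefik with no router and a certificate mismatch; either add a router for it or leave the record out until the service moves.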
+++ b/roles/nsd/tasks/main.yml @@ -42,24 +42,25 @@ cmd: "ldns-keygen -a ED25519 {{ item.item | basename }}" chdir: /etc/nsd/keys register: create_zsk - when: not item.stat.exists + when: not item.stat.exists and (item.item | basename) in sign_zones with_items: "{{ zsks_exists.results }}" - name: Rename ZSK key command: cmd: "mv {{ item.stdout }}.key K{{ item.item.item | basename }}.zsk.key" chdir: /etc/nsd/keys - when: item.changed + when: item.changed and (item.item | basename) in sign_zones with_items: "{{ create_zsk.results }}" - name: Rename ZSK private key command: cmd: "mv {{ item.stdout }}.private K{{ item.item.item | basename }}.zsk.private" chdir: /etc/nsd/keys - when: item.changed + when: item.changed and (item.item | basename) in sign_zones with_items: "{{ create_zsk.results }}" - name: Sign zones command: cmd: "ldns-signzone {{ item | basename }} /etc/nsd/keys/K{{ item | basename }}.zsk /etc/nsd/keys/K{{ item | basename }}.ksk" chdir: /etc/nsd/zones + when: (item | basename) in sign_zones with_fileglob: - "{{ role_path }}/files/zones/*" - name: Restart NSD diff --git a/roles/nsd/vars/main.yml b/roles/nsd/vars/main.yml new file mode 100644 index 0000000..45cb37c --- /dev/null +++ b/roles/nsd/vars/main.yml @@ -0,0 +1,3 @@ +sign_zones: + - geokunis2.nl + - pizzapim.nl diff --git a/roles/radicale/templates/docker-compose.yml.j2 b/roles/radicale/templates/docker-compose.yml.j2 index 8293759..e8a51fd 100644 --- a/roles/radicale/templates/docker-compose.yml.j2 +++ b/roles/radicale/templates/docker-compose.yml.j2 
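Review bot: The guard added to the two "Rename ZSK" tasks tests `(item.item | basename) in sign_zones`, but each item here is a result of `create_zsk`, which itself looped over `zsks_exists.results`, so `item.item` is a stat result dict and the zone path is `item.item.item`, exactly what the `mv` command on the line above already uses. `basename` on a dict should raise a templating type error, and because `item.changed` is true precisely when a key was just generated, the `and` does not short-circuit in that case, so the first real key generation fails both renames and leaves the new key files under their `ldns-keygen` names while the later "Sign zones" task looks for `K<zone>.zsk`. The extra condition is also redundant, since `create_zsk` already runs only for zones in `sign_zones` and skipped results carry `changed: false`; either drop it or correct it to `when: item.changed and (item.item.item | basename) in sign_zones`. The tasks producing `zsks_exists` and the KSK handling are outside this hunk.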
@@ -18,7 +18,8 @@ services: labels: - traefik.enable=true - traefik.http.routers.radicale.entrypoints=websecure - - traefik.http.routers.radicale.rule=Host(`dav.pizzapim.nl`) + - traefik.http.routers.radicale.rule=Host(`{{ dav_domain }}`) - traefik.http.routers.radicale.tls=true - - traefik.http.routers.radicale.tls.certresolver=pizzapim + - traefik.http.routers.radicale.tls.certresolver=letsencrypt - traefik.http.routers.radicale.service=radicale + - traefik.http.services.radicale.loadbalancer.server.port=5232 diff --git a/roles/radicale/vars/main.yml b/roles/radicale/vars/main.yml index 5c891bc..813adb5 100644 --- a/roles/radicale/vars/main.yml +++ b/roles/radicale/vars/main.yml @@ -1,3 +1,5 @@ service_name: radicale data_dir: "{{ base_data_dir }}/{{ service_name }}" service_dir: "{{ base_service_dir }}/{{ service_name }}" + +dav_domain: "dav.{{ domain_name_pim }}" diff --git a/roles/seafile/templates/docker-compose.yml.j2 b/roles/seafile/templates/docker-compose.yml.j2 index c37b880..7147cd8 100644 --- a/roles/seafile/templates/docker-compose.yml.j2 +++ b/roles/seafile/templates/docker-compose.yml.j2 @@ -39,7 +39,7 @@ services: - traefik.http.routers.seafile.entrypoints=websecure - traefik.http.routers.seafile.rule=Host(`files.geokunis2.nl`) - traefik.http.routers.seafile.tls=true - - traefik.http.routers.seafile.tls.certresolver=geokunis + - traefik.http.routers.seafile.tls.certresolver=letsencrypt - traefik.http.services.seafile.loadbalancer.server.port=80 - traefik.http.routers.seafile.service=seafile - traefik.docker.network=traefik diff --git a/roles/traefik/templates/docker-compose.yml.j2 b/roles/traefik/templates/docker-compose.yml.j2 index 1a85265..36c32b8 100644 --- a/roles/traefik/templates/docker-compose.yml.j2 +++ b/roles/traefik/templates/docker-compose.yml.j2 
@@ -28,7 +28,7 @@ services: - traefik.http.routers.esrom.service=esrom@file - traefik.http.routers.esrom.rule=Host(`geokunis2.nl`) - traefik.http.routers.esrom.tls=true - - traefik.http.routers.esrom.tls.certresolver=geokunis + - traefik.http.routers.esrom.tls.certresolver=letsencrypt - traefik.http.routers.traefik.rule=Host(`max.lan`) - traefik.http.routers.traefik.entrypoints=internal diff --git a/roles/traefik/templates/traefik.toml.j2 b/roles/traefik/templates/traefik.toml.j2 index ca8823b..4f265c7 100644 --- a/roles/traefik/templates/traefik.toml.j2 +++ b/roles/traefik/templates/traefik.toml.j2 @@ -31,14 +31,8 @@ loglevel = "DEBUG" [providers.file] filename = "/etc/traefik/services.toml" -[certificatesResolvers.geokunis.acme] +[certificatesResolvers.letsencrypt.acme] email = "pim@kunis.nl" storage = "acme.json" - [certificatesResolvers.geokunis.acme.httpChallenge] - entryPoint = "web" - -[certificatesResolvers.pizzapim.acme] - email = "pim@kunis.nl" - storage = "acme.json" - [certificatesResolvers.pizzapim.acme.httpChallenge] + [certificatesResolvers.letsencrypt.acme.httpChallenge] entryPoint = "web"
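Review bot: Collapsing the `geokunis` and `pizzapim` resolvers into one named `letsencrypt` means the certificates already stored in `acme.json` under the old resolver names are no longer matched (Traefik keys its stored certificates by resolver name, as far as I know), so on the first run after this change every router touched by this commit requests a fresh certificate at once. Let's Encrypt's per-registered-domain and duplicate-certificate limits make that worth a dry run against the staging endpoint, e.g. `caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"` under the resolver, before switching back to production. Merging onto a single resolver is itself an improvement, since two resolvers sharing one `storage` file is something Traefik's documentation advises against. Unrelated to this change but visible in the hunk's context, `loglevel = "DEBUG"` on an internet-facing proxy is very verbose; INFO is the usual production setting.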