diff --git a/.gitignore b/.gitignore index 33b954c..b593a85 100644 --- a/.gitignore +++ b/.gitignore @@ -1,38 +1 @@ -# Local .terraform directories -**/.terraform/* - -# .tfstate files -*.tfstate -*.tfstate.* - -# Crash log files -crash.log -crash.*.log - -# Exclude all .tfvars files, which are likely to contain sensitive data, such as -# password, private keys, and other secrets. These should not be part of version -# control as they are data points which are potentially sensitive and subject -# to change depending on the environment. -*.tfvars -*.tfvars.json - -# Ignore override files as they are usually used to override resources locally and so -# are not checked in -override.tf -override.tf.json -*_override.tf -*_override.tf.json - -# Include override files you do wish to add to version control using negated pattern -# !example_override.tf - -# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan -# example: *tfplan* - -# Ignore CLI configuration files -.terraformrc -terraform.rc -.terraform.lock.hcl -*.tfbackend - .vault_password diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..3e7c747 --- /dev/null +++ b/Makefile @@ -0,0 +1,8 @@ +all: + ansible-playbook playbooks/all.yml + +backup: + ansible-playbook playbooks/backup.yml + +%: + ansible-playbook playbooks/all.yml --tags "$@" diff --git a/README.md b/README.md index 4888ae3..fd87e3e 100644 --- a/README.md +++ b/README.md 
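Review bot: The catch-all `%:` rule in the new Makefile means a misspelled target runs `playbooks/all.yml` with a tag that presumably matches no role, so the typo is never reported and the run looks like a normal no-op; mark the explicit targets `.PHONY: all backup` and have the pattern rule announce what it is about to do, `@echo "Running playbooks/all.yml --tags $@"`, so a silent empty run is at least visible. Listing the valid role tags in the README next to the Makefile usage would make the contract explicit.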
@@ -1,23 +1,59 @@ -# Max +# Homeservers -Max is our VM running all of our web servers, provisioned with Terraform and configured with Ansible. +This repository contains Ansible scripts to setup our home servers. +The `common` role executes some common OS tasks. +The `docker` role installs Docker. +The other roles are specifically for the various services we run. ## Running services -All services below are implemented using Docker: +All services below are running under Docker, except NSD and Borg. +- Authoritative DNS using [NSD](https://www.nlnetlabs.nl/projects/nsd/about/) (ns.pizzapim.nl) - Reverse proxy using [Traefik](https://doc.traefik.io/traefik/) -- Git server using [Forgejo](https://forgejo.org/) ([git.pim.kunis.nl](https://git.pim.kunis.nl)) -- Static website using [Jekyll](https://jekyllrb.com/) ([pim.kunis.nl](https://pim.kunis.nl)) +- Git server using [Forgejo](https://forgejo.org/) ([git.pizzapim.nl](https://git.pizzapim.nl)) +- Static website using [Jekyll](https://jekyllrb.com/) ([pizzapim.nl](https://pizzapim.nl)) - File sychronisation using [Syncthing](https://syncthing.net/) - Microblogging server using [Mastodon](https://joinmastodon.org/) ([social.pizzapim.nl](https://social.pizzapim.nl)) -- Calendar and contact synchronisation using [Radicale](https://radicale.org/v3.html) ([dav.pim.kunis.nl](https://dav.pim.kunis.nl)) +- Calendar and contact synchronisation using [Radicale](https://radicale.org/v3.html) ([dav.pizzapim.nl](https://dav.pizzapim.nl)) - KMS server using [vlmcsd](https://github.com/Wind4/vlmcsd) - Cloud file storage using [Seafile](https://www.seafile.com) -- Disposable mail server using [Inbucket](https://inbucket.org) -- Digital toolbox using [Cyberchef](https://cyberchef.geokunis2.nl) +- Inbucket disposable webmail, Mailinator alternative (https://inbucket.org) - Jitsi Meet (https://meet.jit.si) +- Backups using [Borg](https://www.borgbackup.org/) and [Borgmatic](https://torsion.org/borgmatic/) - RSS feed reader using 
[FreshRSS](https://miniflux.app/) - Metrics using [Prometheus](https://prometheus.io/) -- Latex editor using [Overleaf](https://www.overleaf.com/) ([latex.pim.kunis.nl](https://latex.pim.kunis.nl)) -- Markdown editor using [Hedgedoc](https://hedgedoc.org/) + +## Possible future services + +- matrix +- peertube? +- Pixelfed? +- Prometheus +- Concourse CI? + +## TODO + +- Clear view of what services + which versions we are running. This way, we can track security updates better. +- Host tobb website? +- Move from Ubuntu to Debian +- move Mastodon to pim.kunis.nl +- Podman +- Replace watchtower with Podman features +- Move nginx static content server to this repo +- Move dataserver to its own repo + +### NSD + +#### ZSK Rollover + +Could make automatic key rollovers with cron or some other tool. + +#### Idempotency + +Currently I always resign zones. +But for idempotency I should probably only do it if the zone has changed or the keys have changed. + +### Firewall + +A little more difficult because of docker networking but probably doable. diff --git a/ansible/ansible.cfg b/ansible.cfg similarity index 74% rename from ansible/ansible.cfg rename to ansible.cfg index 5f42fc7..b598c64 100644 --- a/ansible/ansible.cfg +++ b/ansible.cfg @@ -1,4 +1,5 @@ [defaults] +# (pathspec) Colon separated paths in which Ansible will search for Roles. roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles inventory=inventory vault_password_file=util/secret-service-client.sh diff --git a/ansible/inventory/hosts.yml b/ansible/inventory/hosts.yml deleted file mode 100644 index bf163f0..0000000 --- a/ansible/inventory/hosts.yml +++ /dev/null @@ -1,5 +0,0 @@ -all: - hosts: - max: - ansible_user: root - ansible_host: max.dmz diff --git a/ansible/max.yml b/ansible/max.yml deleted file mode 100644 index b45bdd2..0000000 --- a/ansible/max.yml +++ /dev/null 
@@ -1,36 +0,0 @@ -- name: Wait for servers to come up - hosts: max - gather_facts: no - roles: - - 'cloudinit-wait' - -- name: Start services - hosts: max - pre_tasks: - - name: Create base service directory - file: - path: "{{ base_service_dir }}" - state: directory - - name: Delete externally managed environment file - shell: - cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED" - register: rm - changed_when: "rm.rc == 0" - failed_when: "false" - roles: - - {role: 'setup-apt', tags: 'setup-apt'} - - {role: 'watchtower', tags: 'watchtower'} - - {role: 'forgejo', tags: 'forgejo'} - - {role: 'syncthing', tags: 'syncthing'} - - {role: 'kms', tags: 'kms'} - - {role: 'cyberchef', tags: 'cyberchef'} - - {role: 'radicale', tags: 'radicale'} - - {role: 'mastodon', tags: 'mastodon'} - - {role: 'seafile', tags: 'seafile'} - - {role: 'jitsi', tags: 'jitsi'} - - {role: 'freshrss', tags: 'freshrss'} - - {role: 'static', tags: 'static'} - - {role: 'inbucket', tags: 'inbucket'} - - {role: 'prometheus', tags: 'prometheus'} - - {role: 'overleaf', tags: 'overleaf'} - - {role: 'hedgedoc', tags: 'hedgedoc'} diff --git a/ansible/requirements.yml b/ansible/requirements.yml deleted file mode 100644 index b799430..0000000 --- a/ansible/requirements.yml +++ /dev/null @@ -1,9 +0,0 @@ -- name: setup-apt - src: https://github.com/sunscrapers/ansible-role-apt.git - scm: git -- name: cloudinit-wait - src: https://git.pim.kunis.nl/pim/ansible-role-cloudinit-wait - scm: git -- name: docker - src: https://git.pim.kunis.nl/pim/ansible-role-docker - scm: git diff --git a/ansible/roles/cyberchef/files/docker-compose.yml b/ansible/roles/cyberchef/files/docker-compose.yml deleted file mode 100644 index 8fc3dca..0000000 --- a/ansible/roles/cyberchef/files/docker-compose.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -version: "3.7" - -services: - cyberchef-server: - image: mpepping/cyberchef - container_name: cyberchef - restart: always - labels: - - traefik.enable=true - - traefik.http.routers.cyberchef.entrypoints=websecure - - traefik.http.routers.cyberchef.rule=Host(`cyberchef.geokunis2.nl`) - - traefik.http.routers.cyberchef.tls=true - - traefik.http.routers.cyberchef.tls.certresolver=letsencrypt - - traefik.http.services.cyberchef.loadbalancer.server.port=8000 - - traefik.http.routers.cyberchef.service=cyberchef - - traefik.docker.network=traefik - networks: - - traefik - -networks: - traefik: - external: true diff --git a/ansible/roles/cyberchef/meta/main.yml b/ansible/roles/cyberchef/meta/main.yml deleted file mode 100644 index cb0cd84..0000000 --- a/ansible/roles/cyberchef/meta/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -dependencies: - - role: traefik diff --git a/ansible/roles/cyberchef/tasks/main.yml b/ansible/roles/cyberchef/tasks/main.yml deleted file mode 100644 index 34ec717..0000000 --- a/ansible/roles/cyberchef/tasks/main.yml +++ /dev/null @@ -1,13 +0,0 @@ -- name: Create app directory - file: - path: "{{ service_dir }}" - state: directory -- name: Copy Docker Compose script - copy: - src: "{{ role_path }}/files/docker-compose.yml" - dest: "{{ service_dir }}/docker-compose.yml" -- name: Start the Docker Compose - docker_compose: - project_src: "{{ service_dir }}" - pull: true - remove_orphans: true diff --git a/ansible/roles/forgejo/meta/main.yml b/ansible/roles/forgejo/meta/main.yml deleted file mode 100644 index cb0cd84..0000000 --- a/ansible/roles/forgejo/meta/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -dependencies: - - role: traefik diff --git a/ansible/roles/freshrss/meta/main.yml b/ansible/roles/freshrss/meta/main.yml deleted file mode 100644 index cb0cd84..0000000 --- a/ansible/roles/freshrss/meta/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -dependencies: - - role: traefik 
diff --git a/ansible/roles/hedgedoc/meta/main.yml b/ansible/roles/hedgedoc/meta/main.yml deleted file mode 100644 index cb0cd84..0000000 --- a/ansible/roles/hedgedoc/meta/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -dependencies: - - role: traefik diff --git a/ansible/roles/hedgedoc/tasks/main.yml b/ansible/roles/hedgedoc/tasks/main.yml deleted file mode 100644 index aa5d846..0000000 --- a/ansible/roles/hedgedoc/tasks/main.yml +++ /dev/null @@ -1,22 +0,0 @@ -- name: Create service directory - file: - path: "{{ service_dir }}" - state: directory -- name: Copy Docker Compose script - template: - src: "{{ role_path }}/templates/docker-compose.yml.j2" - dest: "{{ service_dir }}/docker-compose.yml" -- name: Create data directory - file: - path: "{{ data_dir }}" - state: directory -- name: Create uploads directory - file: - path: "{{ data_dir }}/uploads" - state: directory - mode: 0777 -- name: Start the Docker Compose - docker_compose: - project_src: "{{ service_dir }}" - pull: true - remove_orphans: true diff --git a/ansible/roles/hedgedoc/templates/docker-compose.yml.j2 b/ansible/roles/hedgedoc/templates/docker-compose.yml.j2 deleted file mode 100644 index 2926b4a..0000000 --- a/ansible/roles/hedgedoc/templates/docker-compose.yml.j2 +++ /dev/null 
@@ -1,51 +0,0 @@ -version: '3' - -networks: - traefik: - external: true - internal: - external: false - -services: - database: - image: postgres:13.4-alpine - container_name: hedgedoc-database - environment: - - POSTGRES_USER=hedgedoc - - POSTGRES_PASSWORD=password - - POSTGRES_DB=hedgedoc - volumes: - - {{ data_dir }}/database:/var/lib/postgresql/data - restart: always - networks: - - internal - - app: - image: quay.io/hedgedoc/hedgedoc:1.9.7 - container_name: hedgedoc - environment: - - CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc - - CMD_DOMAIN={{ hedgedoc_domain }} - - CMD_PORT=3000 - - CMD_URL_ADDPORT=false - - CMD_ALLOW_ANONYMOUS=true - - CMD_ALLOW_EMAIL_REGISTER=false - - CMD_PROTOCOL_USESSL=true - - CMD_SESSION_SECRET={{ session_secret }} - volumes: - - {{ data_dir }}/uploads:/hedgedoc/public/uploads - restart: always - depends_on: - - database - networks: - - traefik - - internal - labels: - - traefik.enable=true - - traefik.http.routers.hedgedoc.entrypoints=websecure - - traefik.http.routers.hedgedoc.rule=Host(`{{ hedgedoc_domain }}`) - - traefik.http.routers.hedgedoc.tls=true - - traefik.http.routers.hedgedoc.tls.certresolver=letsencrypt - - treafik.http.routers.hedgedoc.service=hedgedoc - - traefik.http.services.hedgedoc.loadbalancer.server.port=3000 - - traefik.docker.network=traefik diff --git a/ansible/roles/hedgedoc/vars/main.yml b/ansible/roles/hedgedoc/vars/main.yml deleted file mode 100644 index 10f93d8..0000000 --- a/ansible/roles/hedgedoc/vars/main.yml +++ /dev/null 
@@ -1,14 +0,0 @@ -service_name: hedgedoc -data_dir: "{{ base_data_dir }}/{{ service_name }}" -service_dir: "{{ base_service_dir }}/{{ service_name }}" -hedgedoc_domain: "md.{{ domain_name_pim }}" -session_secret: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 30633835386265643561343033326536653166343630396139303137613138383233666565666330 - 3032613865333836656566626435383165396539323837350a376331306464643766373839386638 - 65653865343539633636323833343964636332636461386434386432306230343833343431363134 - 6563373138626637650a633932313862326231666330343662343765666166373961376237396434 - 33396131353830323063326266623862353731653665626466653335656434303033353333353164 - 61613535373037646565386131383631366338616565373261396136616433393462313537313861 - 35313661616365373231373963323865393635626132343138363230313431636333363130346239 - 32656335333635613736 diff --git a/ansible/roles/jitsi/meta/main.yml b/ansible/roles/jitsi/meta/main.yml deleted file mode 100644 index cb0cd84..0000000 --- a/ansible/roles/jitsi/meta/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -dependencies: - - role: traefik diff --git a/ansible/roles/mastodon/meta/main.yml b/ansible/roles/mastodon/meta/main.yml deleted file mode 100644 index cb0cd84..0000000 --- a/ansible/roles/mastodon/meta/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -dependencies: - - role: traefik diff --git a/ansible/roles/overleaf/meta/main.yml b/ansible/roles/overleaf/meta/main.yml deleted file mode 100644 index cb0cd84..0000000 --- a/ansible/roles/overleaf/meta/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -dependencies: - - role: traefik diff --git a/ansible/roles/overleaf/tasks/main.yml b/ansible/roles/overleaf/tasks/main.yml deleted file mode 100644 index 84256ce..0000000 --- a/ansible/roles/overleaf/tasks/main.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -- name: Create service directory - file: - path: "{{ service_dir }}" - state: directory -- name: Copy Docker Compose script - template: - src: "{{ role_path }}/templates/docker-compose.yml.j2" - dest: "{{ service_dir }}/docker-compose.yml" -- name: Start the Docker Compose - docker_compose: - project_src: "{{ service_dir }}" - pull: true - remove_orphans: true diff --git a/ansible/roles/overleaf/templates/docker-compose.yml.j2 b/ansible/roles/overleaf/templates/docker-compose.yml.j2 deleted file mode 100644 index d4c9546..0000000 --- a/ansible/roles/overleaf/templates/docker-compose.yml.j2 +++ /dev/null 
@@ -1,107 +0,0 @@ -version: '2.2' - -networks: - traefik: - external: true - internal: - external: false - -services: - sharelatex: - restart: always - image: sharelatex/sharelatex - container_name: overleaf - networks: - - traefik - - internal - depends_on: - overleaf-mongodb: - condition: service_healthy - overleaf-redis: - condition: service_started - links: - - overleaf-mongodb - - overleaf-redis - stop_grace_period: 60s - volumes: - - {{ data_dir }}/overleaf/sharelatex_data:/var/lib/sharelatex - labels: - - traefik.enable=true - - traefik.http.routers.overleaf.entrypoints=websecure - - traefik.http.routers.overleaf.rule=Host(`latex.pim.kunis.nl`) - - traefik.http.routers.overleaf.tls=true - - traefik.http.routers.overleaf.tls.certresolver=letsencrypt - - treafik.http.routers.overleaf.service=overleaf - - traefik.http.services.overleaf.loadbalancer.server.port=80 - - traefik.docker.network=traefik - environment: - SHARELATEX_APP_NAME: Overleaf Community Edition - - SHARELATEX_MONGO_URL: mongodb://overleaf-mongodb:27017/sharelatex - - # Same property, unfortunately with different names in - # different locations - SHARELATEX_REDIS_HOST: overleaf-redis - REDIS_HOST: overleaf-redis - - ENABLED_LINKED_FILE_TYPES: 'project_file,project_output_file' - - # Enables Thumbnail generation using ImageMagick - ENABLE_CONVERSIONS: 'true' - - # Disables email confirmation requirement - EMAIL_CONFIRMATION_DISABLED: 'true' - - # temporary fix for LuaLaTex compiles - # see https://github.com/overleaf/overleaf/issues/695 - TEXMFVAR: /var/lib/sharelatex/tmp/texmf-var - - ## Set for SSL via nginx-proxy - #VIRTUAL_HOST: 103.112.212.22 - - SHARELATEX_SITE_URL: https://latex.pim.kunis.nl - # SHARELATEX_NAV_TITLE: Our ShareLaTeX Instance - # SHARELATEX_HEADER_IMAGE_URL: http://somewhere.com/mylogo.png - SHARELATEX_ADMIN_EMAIL: pim@kunis.nl - - # SHARELATEX_LEFT_FOOTER: '[{"text": "Powered by ShareLaTeX 2016"},{"text": "Another page I want to link to can be found here"} ]' - # 
SHARELATEX_RIGHT_FOOTER: '[{"text": "Hello I am on the Right"} ]' - - SHARELATEX_EMAIL_FROM_ADDRESS: "noreply@kunis.nl" - - SHARELATEX_EMAIL_SMTP_HOST: "smtp.tweak.nl" - SHARELATEX_EMAIL_SMTP_PORT: 587 - SHARELATEX_EMAIL_SMTP_USER: "" - SHARELATEX_EMAIL_SMTP_PASS: "" - # SHARELATEX_EMAIL_SMTP_TLS_REJECT_UNAUTH: true - # SHARELATEX_EMAIL_SMTP_IGNORE_TLS: false - # SHARELATEX_EMAIL_SMTP_NAME: '127.0.0.1' - # SHARELATEX_EMAIL_SMTP_LOGGER: true - # SHARELATEX_CUSTOM_EMAIL_FOOTER: "This system is run by department x" - - overleaf-mongodb: - restart: always - image: mongo:4.4 - container_name: overleaf-mongodb - networks: - - internal - expose: - - 27017 - volumes: - - {{ data_dir }}/overleaf/mongo_data:/data/db - healthcheck: - test: echo 'db.stats().ok' | mongo localhost:27017/test --quiet - interval: 10s - timeout: 10s - retries: 5 - - overleaf-redis: - restart: always - image: redis:5 - container_name: overleaf-redis - networks: - - internal - expose: - - 6379 - volumes: - - {{ data_dir }}/overleaf/redis_data:/data diff --git a/ansible/roles/overleaf/vars/main.yml b/ansible/roles/overleaf/vars/main.yml deleted file mode 100644 index 927a1e8..0000000 --- a/ansible/roles/overleaf/vars/main.yml +++ /dev/null @@ -1,3 +0,0 @@ -service_name: overleaf -data_dir: "{{ base_data_dir}}/{{service_name}}" -service_dir: "{{ base_service_dir}}/{{service_name}}" diff --git a/ansible/roles/radicale/meta/main.yml b/ansible/roles/radicale/meta/main.yml deleted file mode 100644 index cb0cd84..0000000 --- a/ansible/roles/radicale/meta/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -dependencies: - - role: traefik diff --git a/ansible/roles/seafile/meta/main.yml b/ansible/roles/seafile/meta/main.yml deleted file mode 100644 index cb0cd84..0000000 --- a/ansible/roles/seafile/meta/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -dependencies: - - role: traefik diff --git a/ansible/roles/static/files/security.txt b/ansible/roles/static/files/security.txt deleted file mode 100644 index b1800e5..0000000 
--- a/ansible/roles/static/files/security.txt +++ /dev/null @@ -1 +0,0 @@ -testje diff --git a/ansible/roles/static/meta/main.yml b/ansible/roles/static/meta/main.yml deleted file mode 100644 index cb0cd84..0000000 --- a/ansible/roles/static/meta/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -dependencies: - - role: traefik diff --git a/ansible/roles/traefik/meta/main.yml b/ansible/roles/traefik/meta/main.yml deleted file mode 100644 index 6ad37f8..0000000 --- a/ansible/roles/traefik/meta/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -dependencies: - - role: docker diff --git a/ansible/roles/watchtower/meta/main.yml b/ansible/roles/watchtower/meta/main.yml deleted file mode 100644 index 6ad37f8..0000000 --- a/ansible/roles/watchtower/meta/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -dependencies: - - role: docker diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml new file mode 100644 index 0000000..80201a8 --- /dev/null +++ b/inventory/group_vars/all.yml @@ -0,0 +1,8 @@ +borg_public_key: "AAAAC3NzaC1lZDI1NTE5AAAAIBTag7YToG5W+H2kEUz40kOH+7cs0Lp3owFFKkmHBiWM" +dataserver_public_key: "AAAAC3NzaC1lZDI1NTE5AAAAIJsLVptkoOwmxs6DnenN8u7Q1Tm/Psh0QdI6vjrTgb6D" +kingston1tb_mount_point: "/mnt/kingston1TB" +backup_location: "{{ kingston1tb_mount_point }}/homeserver_backup" + +admin_public_keys: + - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop" + - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim" diff --git a/inventory/group_vars/dataserver.yml b/inventory/group_vars/dataserver.yml new file mode 100644 index 0000000..813eb06 --- /dev/null +++ b/inventory/group_vars/dataserver.yml @@ -0,0 +1 @@ +kingston1tb_uuid: "622a8d81-aa2f-460b-a563-c3cdb6285609" 
diff --git a/ansible/inventory/host_vars/max.yml b/inventory/group_vars/homeserver.yml similarity index 70% rename from ansible/inventory/host_vars/max.yml rename to inventory/group_vars/homeserver.yml index d77112b..3df3da5 100644 --- a/ansible/inventory/host_vars/max.yml +++ b/inventory/group_vars/homeserver.yml @@ -1,6 +1,5 @@ -base_data_dir: /mnt/data +base_data_dir: /data base_service_dir: /srv -domain_name_pim: pim.kunis.nl # Additional open ports jitsi_videobridge_port: 54562 @@ -8,8 +7,6 @@ git_ssh_port: 56287 prometheus_port: 8081 traefik_api_port: 8080 internal_forgejo_port: 3000 # Needed to pull from a repository from another docker container. +internal_matrix_port: 3001 # Needed for proxying through NGINX -docker_daemon_config: - default-address-pools: - - base: "10.204.0.0/16" - size: 24 +domain_name_pim: pim.kunis.nl diff --git a/inventory/hosts.yml b/inventory/hosts.yml new file mode 100644 index 0000000..6391b99 --- /dev/null +++ b/inventory/hosts.yml @@ -0,0 +1,12 @@ +all: + children: + homeserver: + hosts: + max: + ansible_user: root + ansible_host: max.lan + dataserver: + hosts: + lewis: + ansible_user: root + ansible_host: lewis.lan diff --git a/playbooks/all.yml b/playbooks/all.yml new file mode 100644 index 0000000..05468b3 --- /dev/null +++ b/playbooks/all.yml 
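Review bot: Both hosts in `inventory/hosts.yml` are managed as `ansible_user: root`, so every role runs as root over SSH and, because the dataserver role writes authorized keys to `{{ ansible_user_id }}`, the admin and Borg keys end up in root's authorized_keys on lewis. Whether root login is restricted to keys depends on the `ssh` role, which is not in this diff; if it is not, a dedicated deploy user with `become: true` is the usual way to keep `PermitRootLogin` off, and either way the choice deserves a one-line comment in the inventory, `# root login is key-only; see roles/ssh`.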
@@ -0,0 +1,23 @@
+- name: Setup homeserver
+ hosts: homeserver
+ roles:
+ - {role: 'ssh', tags: 'ssh'}
+ - {role: 'watchtower', tags: 'watchtower'}
+ - {role: 'borg', tags: 'borg'}
+ - {role: 'nsd', tags: 'nsd'}
+ - {role: 'forgejo', tags: 'forgejo'}
+ - {role: 'syncthing', tags: 'syncthing'}
+ - {role: 'kms', tags: 'kms'}
+ - {role: 'radicale', tags: 'radicale'}
+ - {role: 'mastodon', tags: 'mastodon'}
+ - {role: 'seafile', tags: 'seafile'}
+ - {role: 'jitsi', tags: 'jitsi'}
+ - {role: 'freshrss', tags: 'freshrss'}
+ - {role: 'static', tags: 'static'}
+ - {role: 'inbucket', tags: 'inbucket'}
+ - {role: 'prometheus', tags: 'prometheus'}
+ - {role: 'matrix', tags: 'matrix'}
+- name: Setup dataserver
+ hosts: dataserver
+ roles:
+ - {role: 'dataserver', tags: 'dataserver'}
diff --git a/playbooks/backup.yml b/playbooks/backup.yml
new file mode 100644
index 0000000..23e7a72
--- /dev/null
+++ b/playbooks/backup.yml
@@ -0,0 +1,7 @@
+- name: Create backup
+ hosts: homeserver
+
+ tasks:
+ - name: Create backup
+ command:
+ cmd: systemctl start backup.service
diff --git a/roles/borg/files/backup.timer b/roles/borg/files/backup.timer
new file mode 100644
index 0000000..cc54943
--- /dev/null
+++ b/roles/borg/files/backup.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Backup data daily
+
+[Timer]
+OnCalendar=*-*-* 3:00:00
+Persistent=true
+RandomizedDelaySec=1h
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/borg/files/id_ed25519 b/roles/borg/files/id_ed25519
new file mode 100644
index 0000000..1dd2cb2
--- /dev/null
+++ b/roles/borg/files/id_ed25519
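Review bot: `roles/firewall/tasks/main.yml` is added in this commit but no play in `playbooks/all.yml` includes a `firewall` role, so the firewall is never applied while the README still lists it as a TODO; either add `- {role: 'firewall', tags: 'firewall'}` to the homeserver play once the role is fixed, or leave the role out of the commit until it is wired in. A short comment at the top of the play stating that `common` and `docker` are pulled in only through the service roles' `meta/main.yml` dependencies would also save the next reader from looking for them here.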
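Review bot: `systemctl start backup.service` through the `command` module reports `changed` on every run and gives no structured error when the unit is missing; the `systemd` module does the same job, `systemd: name: backup.service state: started`. Because `backup.service` is `Type=oneshot` without `RemainAfterExit`, the start blocks until borgmatic finishes and the play (and the Docker stop in the borgmatic hooks) lasts for the whole backup — presumably intended for an on-demand backup, but worth a one-line comment in the play so nobody runs it expecting a quick return.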
@@ -0,0 +1,25 @@
+$ANSIBLE_VAULT;1.1;AES256
+39646436383433653539316135323332303832633864366363313031636534353531386638323037
+6364366663313964633239613261373733333736316534390a306262373634303536353365396138
+35626433353935633534353636613232623531303765636139363139646265653361353164656363
+3465316438373734330a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
diff --git a/roles/borg/meta/main.yml b/roles/borg/meta/main.yml
new file mode 100644
index 0000000..9711b33
--- /dev/null
+++ b/roles/borg/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+ - role: common
diff --git a/roles/borg/tasks/main.yml b/roles/borg/tasks/main.yml
new file mode 100644
index 0000000..052fa2f
--- /dev/null
+++ b/roles/borg/tasks/main.yml
@@ -0,0 +1,38 @@
+- name: Install borg
+ apt:
+ pkg:
+ - borgbackup
+ - borgmatic
+- name: Create borg service directory
+ file:
+ path: "{{ service_dir }}"
+ state: directory
+- name: Copy borg backup configuration
+ template:
+ src: "{{ role_path }}/templates/backup.yml.j2"
+ dest: "{{ service_dir }}/backup.yml"
+- name: Copy private key
+ copy:
+ src: "{{ role_path }}/files/id_ed25519"
+ dest: "{{ service_dir }}/id_ed25519"
+ mode: 0600
+- name: Copy systemd timer backup service
+ template:
+ src: "{{ role_path }}/templates/backup.service.j2"
+ dest: "/etc/systemd/system/backup.service"
+ register: service
+- name: Copy systemd timer backup timer
+ copy:
+ src: "{{ role_path }}/files/backup.timer"
+ dest: "/etc/systemd/system/backup.timer"
+ register: timer
+- name: Enable systemd timer
+ systemd:
+ name: backup.timer
+ enabled: true
+ state: started
+ daemon_reload: "{{ 'yes' if service.changed or timer.changed else 'no' }}"
+- name: Restore backup
+ command:
+ cmd: "borgmatic extract --archive latest --destination / --config {{ service_dir }}/backup.yml"
+ creates: /data
diff --git a/roles/borg/templates/backup.service.j2 b/roles/borg/templates/backup.service.j2
new file mode 100644
index 0000000..99fb1b3
--- /dev/null
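Review bot: The `Restore backup` task extracts the latest archive over `/` whenever `/data` does not exist, and in `playbooks/all.yml` the borg role runs before every service role, so on a fresh host this is the first thing that happens: if the repository on lewis has no archive yet (it is only created by `borg init` in the dataserver role) `borgmatic extract --archive latest` presumably fails and aborts the whole play, and if it succeeds it writes whatever the archive holds onto the root filesystem with no confirmation. Gate it on an explicit request, `when: restore_from_backup | default(false)`, and limit the extraction to the backed-up tree with `--path {{ base_data_dir | trim('/') }}` so a stray file in an archive cannot land outside `/data`. `daemon_reload: "{{ 'yes' if service.changed or timer.changed else 'no' }}"` can be the plain boolean `daemon_reload: "{{ service.changed or timer.changed }}"`.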
+++ b/roles/borg/templates/backup.service.j2
@@ -0,0 +1,6 @@
+[Unit]
+Description=Backup data using borgmatic
+
+[Service]
+ExecStart=/usr/bin/borgmatic --config {{ service_dir }}/backup.yml
+Type=oneshot
diff --git a/roles/borg/templates/backup.yml.j2 b/roles/borg/templates/backup.yml.j2
new file mode 100644
index 0000000..1e7a9a1
--- /dev/null
+++ b/roles/borg/templates/backup.yml.j2
@@ -0,0 +1,17 @@
+location:
+ source_directories:
+ - {{ base_data_dir }}
+ repositories:
+ - ssh://root@lewis.lan/{{ backup_location }}
+retention:
+ keep_daily: 7
+ keep_weekly: 4
+ keep_monthly: 6
+storage:
+ ssh_command: ssh -i {{ service_dir }}/id_ed25519
+ unknown_unencrypted_repo_access_is_ok: true
+hooks:
+ before_everything:
+ - systemctl stop docker docker.socket
+ after_everything:
+ - systemctl start docker
diff --git a/ansible/roles/cyberchef/vars/main.yml b/roles/borg/vars/main.yml
similarity index 70%
rename from ansible/roles/cyberchef/vars/main.yml
rename to roles/borg/vars/main.yml
index 471684a..63faed1 100644
--- a/ansible/roles/cyberchef/vars/main.yml
+++ b/roles/borg/vars/main.yml
@@ -1,2 +1,2 @@
-service_name: cyberchef
+service_name: borg
 service_dir: "{{ base_service_dir }}/{{ service_name }}"
diff --git a/roles/common/files/resolv.conf b/roles/common/files/resolv.conf
new file mode 100644
index 0000000..863bc57
--- /dev/null
+++ b/roles/common/files/resolv.conf
@@ -0,0 +1,4 @@
+nameserver 192.168.30.1
+nameserver 1.1.1.1
+nameserver 1.0.0.1
+search lan
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
new file mode 100644
index 0000000..4639a90
--- /dev/null
+++ b/roles/common/tasks/main.yml
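Review bot: `unknown_unencrypted_repo_access_is_ok: true`, together with `borg init -e none` in the dataserver role, means everything under `{{ base_data_dir }}` (the Forgejo, Mastodon, Seafile and Radicale data this repo deploys) sits unencrypted on lewis's disk, readable by anyone who ends up with that drive; initialising the repository with `-e repokey-blake2` and adding a vaulted `encryption_passphrase` under `storage:` (the SSH key is already vaulted the same way) is a small change. The hooks stop Docker in `before_everything` and start it in `after_everything`; confirm that `after_everything` still runs when the backup fails in the borgmatic version you install, or duplicate `- systemctl start docker` under `on_error`, otherwise a failed 03:00 run leaves every service down until someone notices.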
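Review bot: Only the first nameserver, 192.168.30.1, can resolve the `.lan` names this repo depends on (`lewis.lan` for the nightly backup and the `known_hosts` entry); the glibc resolver moves on to 1.1.1.1/1.0.0.1 only after a timeout, so when the local resolver is down the backup fails with a name error and `.lan` lookups are sent to a public resolver. If that fallback is deliberate, say so in the file, `# public resolvers are fallback only; .lan is served by 192.168.30.1`; otherwise point the second entry at another internal resolver.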
@@ -0,0 +1,26 @@
+- name: APT upgrade
+ apt:
+ autoremove: true
+ upgrade: yes
+ state: latest
+ update_cache: yes
+ cache_valid_time: 86400 # One day
+- name: Create base service directory
+ file:
+ path: "{{ base_service_dir }}"
+ state: directory
+- name: Disable systemd-resolved
+ systemd:
+ name: systemd-resolved
+ enabled: false
+ state: stopped
+- name: Copy resolv.conf
+ copy:
+ src: "{{ role_path }}/files/resolv.conf"
+ dest: /etc/resolv.conf
+ follow: true
+- name: Add dataserver to known hosts
+ known_hosts:
+ name: "lewis.lan"
+ key: "lewis.lan ssh-ed25519 {{ dataserver_public_key }}"
+ state: present
diff --git a/roles/dataserver/files/ssh_host_ed25519_key b/roles/dataserver/files/ssh_host_ed25519_key
new file mode 100644
index 0000000..1629458
--- /dev/null
+++ b/roles/dataserver/files/ssh_host_ed25519_key
@@ -0,0 +1,25 @@
+$ANSIBLE_VAULT;1.1;AES256
+38633038656332643033396338303864343332636434633331366266383235316235313236646361
+6634313931303637616535373966316165656564366437330a393465356237626631303063363061
+62323737343635316139636664663937333233323737376238656566633037613938383737306132
+6237633230623962320a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
diff --git a/roles/dataserver/tasks/main.yml b/roles/dataserver/tasks/main.yml
new file mode 100644
index 0000000..8d5d72e
--- /dev/null
+++ b/roles/dataserver/tasks/main.yml
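Review bot: `Copy resolv.conf` uses `follow: true`, and on Ubuntu `/etc/resolv.conf` is normally a symlink into `/run/systemd/resolve/`; the copy then writes through the link into tmpfs, and because the task just before it disables systemd-resolved nothing regenerates that file after a reboot, so the host presumably comes back without DNS (and without `lewis.lan` for the backup). Remove the link first so a regular file is written — a `file:` task with `path: /etc/resolv.conf` and `state: absent` ahead of the copy, with `follow: true` dropped — and verify on a rebooted host. The `APT upgrade` block is repeated verbatim in `roles/dataserver/tasks/main.yml`; making `common` a dependency of the dataserver role would keep one copy.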
@@ -0,0 +1,44 @@
+- name: Add admins' authorized keys
+ authorized_key:
+ key: "{{ item }}"
+ user: "{{ ansible_user_id }}"
+ loop: "{{ admin_public_keys }}"
+- name: Copy host public key
+ template:
+ src: "{{ role_path }}/templates/ssh_host_ed25519_key.pub.j2"
+ dest: "/etc/ssh/ssh_host_ed25519_key.pub"
+ mode: 0644
+- name: Copy host private key
+ copy:
+ src: "{{ role_path }}/files/ssh_host_ed25519_key"
+ dest: "/etc/ssh/ssh_host_ed25519_key"
+ mode: 0600
+- name: APT upgrade
+ apt:
+ autoremove: true
+ upgrade: yes
+ state: latest
+ update_cache: yes
+ cache_valid_time: 86400 # One day
+- name: Create extra disk moint point
+ file:
+ path: "{{ kingston1tb_mount_point }}"
+ state: directory
+- name: Mount extra disk
+ ansible.posix.mount:
+ path: "{{kingston1tb_mount_point }}"
+ src: "UUID={{ kingston1tb_uuid }}"
+ fstype: ext4
+ passno: 1
+ state: present
+- name: Install borg
+ apt:
+ name: borgbackup
+- name: Add Borg public key
+ authorized_key:
+ key: "ssh-ed25519 {{ borg_public_key }} root@max"
+ user: "{{ ansible_user_id }}"
+- name: Create Borg repository
+ command:
+ cmd: "borg init -e none {{ backup_location }}"
+ creates: "{{ backup_location }}"
diff --git a/roles/dataserver/templates/ssh_host_ed25519_key.pub.j2 b/roles/dataserver/templates/ssh_host_ed25519_key.pub.j2
new file mode 100644
index 0000000..08b6b21
--- /dev/null
+++ b/roles/dataserver/templates/ssh_host_ed25519_key.pub.j2
@@ -0,0 +1 @@
+ssh-ed25519 {{ dataserver_public_key }} root@lewis
diff --git a/roles/docker/files/daemon.json b/roles/docker/files/daemon.json
new file mode 100644
index 0000000..10fc298
--- /dev/null
+++ b/roles/docker/files/daemon.json
@@ -0,0 +1,7 @@
+{
+"default-address-pools":
+[
+{"base":"10.204.0.0/16","size":24}
+
+]
+}
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
new file mode 100644
index 0000000..3acc420
--- /dev/null
+++ b/roles/docker/tasks/main.yml
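Review bot: `Add Borg public key` puts max's backup key into root's authorized_keys on lewis with no restrictions, so the private key the borg role drops at `{{ service_dir }}/id_ed25519` is a full root shell on the dataserver and a compromised homeserver can wipe its own backups; add `key_options: 'command="borg serve --restrict-to-repository {{ backup_location }} --append-only",restrict'` so the key can only speak borg, only to this repository, and cannot delete history (retention then has to be applied from lewis itself). `Mount extra disk` uses `state: present`, which only writes fstab and does not mount, so on a first run `borg init` lands on the root filesystem under `{{ kingston1tb_mount_point }}` and the real disk hides it after the next boot — `state: mounted` avoids that; `passno: 1` is also conventionally reserved for the root filesystem. `Copy host private key` replaces `/etc/ssh/ssh_host_ed25519_key` without notifying the SSH daemon, so the running sshd keeps its old key until something restarts it; register the copy and add a handler that restarts the `ssh` service.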
@@ -0,0 +1,41 @@
+- name: Install Docker prerequisites
+ apt:
+ pkg:
+ - ca-certificates
+ - curl
+ - gnupg
+ - lsb-release
+ - python3-pip
+- name: Add Docker APT key
+ apt_key:
+ url: https://download.docker.com/linux/ubuntu/gpg
+ keyring: /etc/apt/keyrings/docker.gpg
+- name: Add Docker repository
+ apt_repository:
+ repo: "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
+ register: apt_repository
+- name: Update APT cache
+ apt:
+ update_cache: true
+ when: apt_repository.changed
+- name: Install Docker packages
+ apt:
+ pkg:
+ - docker-ce
+ - docker-ce-cli
+ - containerd.io
+ - docker-compose-plugin
+- name: Install Docker modules for Python
+ pip:
+ name:
+ - docker
+ - docker-compose
+- name: Copy daemon.json
+ copy:
+ src: "{{ role_path }}/files/daemon.json"
+ dest: /etc/docker/daemon.json
+- name: Start Docker
+ systemd:
+ name: docker
+ enabled: true
+ state: started
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
new file mode 100644
index 0000000..6b6bcb4
--- /dev/null
+++ b/roles/firewall/tasks/main.yml
@@ -0,0 +1,16 @@
+- name: Install firewalld
+ apt:
+ pkg:
+ - firewalld
+ state: latest
+ update_cache: true
+- name: Allow SSH
+ firewalld:
+ service: ssh
+ permanent: yes
+ state: enabled
+- name: Start firewalld
+ systemd:
+ enabled: true
+ name: sshd
+ state: started
diff --git a/roles/forgejo/meta/main.yml b/roles/forgejo/meta/main.yml
new file mode 100644
index 0000000..6b03734
--- /dev/null
+++ b/roles/forgejo/meta/main.yml
@@ -0,0 +1,4 @@
+dependencies:
+ - role: common
+ - role: docker
+ - role: traefik
diff --git a/ansible/roles/forgejo/tasks/main.yml b/roles/forgejo/tasks/main.yml
similarity index 100%
rename from ansible/roles/forgejo/tasks/main.yml
rename to roles/forgejo/tasks/main.yml
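Review bot: `Copy daemon.json` lands after the Docker packages are installed (and the daemon is already running), but nothing restarts dockerd when the file changes, so the `default-address-pools` setting this commit moves out of `inventory/group_vars` is not applied until the next reboot; add `notify: Restart Docker` to the copy and a handler with `systemd: name: docker state: restarted` (ordering the copy before the install avoids the restart on first provisioning). The `pip` task installs `docker`/`docker-compose` into the system interpreter as root; the deleted `max.yml` worked around `EXTERNALLY-MANAGED` with an `rm` that this role does not carry over, so on Debian 12 or recent Ubuntu — the README plans a move to Debian — this task presumably fails under PEP 668, and the distro `python3-docker` package or a dedicated venv is the supported route.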
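Review bot: `Start firewalld` enables and starts `sshd` rather than the firewall: `name: sshd` should read `name: firewalld`, otherwise the package is installed but the service is never guaranteed to run. `Allow SSH` sets `permanent: yes` without `immediate: yes`, so the rule is only active after a reload; with both set the role is safe to apply before the daemon is brought up, which matters because a firewall that starts without the SSH rule locks out the only management path. The role is also not referenced from `playbooks/all.yml`, so none of this runs yet.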
diff --git a/ansible/roles/forgejo/templates/app.ini.j2 b/roles/forgejo/templates/app.ini.j2 similarity index 97% rename from ansible/roles/forgejo/templates/app.ini.j2 rename to roles/forgejo/templates/app.ini.j2 index b427df5..d0ef2ec 100644 --- a/ansible/roles/forgejo/templates/app.ini.j2 +++ b/roles/forgejo/templates/app.ini.j2 @@ -4,7 +4,6 @@ RUN_USER = git [repository] ROOT = /data/git/repositories -DEFAULT_BRANCH = master [repository.local] LOCAL_COPY_PATH = /data/gitea/tmp/local-repo @@ -39,7 +38,6 @@ CHARSET = utf8 [indexer] ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve -ISSUE_INDEXER_TYPE = db [session] PROVIDER_CONFIG = /data/gitea/sessions diff --git a/ansible/roles/forgejo/templates/docker-compose.yml.j2 b/roles/forgejo/templates/docker-compose.yml.j2 similarity index 100% rename from ansible/roles/forgejo/templates/docker-compose.yml.j2 rename to roles/forgejo/templates/docker-compose.yml.j2 index fcd41f5..921dc80 100644 --- a/ansible/roles/forgejo/templates/docker-compose.yml.j2 +++ b/roles/forgejo/templates/docker-compose.yml.j2 @@ -12,10 +12,10 @@ services: - USER_UID=1000 - USER_GID=1000 restart: always - networks: - - traefik ports: - "{{ internal_forgejo_port }}:3000" + networks: + - traefik volumes: - {{ data_dir }}:/data - {{ service_dir }}/conf:/data/gitea/conf diff --git a/ansible/roles/forgejo/vars/main.yml b/roles/forgejo/vars/main.yml similarity index 99% rename from ansible/roles/forgejo/vars/main.yml rename to roles/forgejo/vars/main.yml index 7cad12e..38d58cc 100644 --- a/ansible/roles/forgejo/vars/main.yml +++ b/roles/forgejo/vars/main.yml @@ -3,6 +3,7 @@ data_dir: "{{ base_data_dir }}/{{ service_name }}" service_dir: "{{ base_service_dir }}/{{ service_name }}" git_domain: "git.{{ domain_name_pim }}" + forgejo: root_url: "https://{{ git_domain }}" mailer_host: "smtp.tweak.nl" diff --git a/roles/freshrss/meta/main.yml b/roles/freshrss/meta/main.yml new file mode 100644 index 0000000..6b03734 --- /dev/null 
+++ b/roles/freshrss/meta/main.yml @@ -0,0 +1,4 @@ +dependencies: + - role: common + - role: docker + - role: traefik diff --git a/ansible/roles/freshrss/tasks/main.yml b/roles/freshrss/tasks/main.yml similarity index 100% rename from ansible/roles/freshrss/tasks/main.yml rename to roles/freshrss/tasks/main.yml diff --git a/ansible/roles/freshrss/templates/docker-compose.yml.j2 b/roles/freshrss/templates/docker-compose.yml.j2 similarity index 77% rename from ansible/roles/freshrss/templates/docker-compose.yml.j2 rename to roles/freshrss/templates/docker-compose.yml.j2 index 5c15b8f..8876319 100644 --- a/ansible/roles/freshrss/templates/docker-compose.yml.j2 +++ b/roles/freshrss/templates/docker-compose.yml.j2 @@ -11,8 +11,10 @@ services: options: max-size: 10m volumes: - - {{ data_dir }}/data:/var/www/FreshRSS/data - - {{ data_dir }}/extensions:/var/www/FreshRSS/extensions + # Recommended volume for FreshRSS persistent data such as configuration and SQLite databases + - /data/freshrss/data:/var/www/FreshRSS/data + # Optional volume for storing third-party extensions + - /data/freshrss/extensions:/var/www/FreshRSS/extensions environment: TZ: Europe/Amsterdam CRON_MIN: '2,32' diff --git a/ansible/roles/freshrss/vars/main.yml b/roles/freshrss/vars/main.yml similarity index 100% rename from ansible/roles/freshrss/vars/main.yml rename to roles/freshrss/vars/main.yml diff --git a/ansible/roles/inbucket/files/docker-compose.yml b/roles/inbucket/files/docker-compose.yml similarity index 100% rename from ansible/roles/inbucket/files/docker-compose.yml rename to roles/inbucket/files/docker-compose.yml diff --git a/ansible/roles/syncthing/meta/main.yml b/roles/inbucket/meta/main.yml similarity index 62% rename from ansible/roles/syncthing/meta/main.yml rename to roles/inbucket/meta/main.yml index 6ad37f8..7f5b1d3 100644 --- a/ansible/roles/syncthing/meta/main.yml +++ b/roles/inbucket/meta/main.yml 
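Review bot: The FreshRSS volumes are now hard-coded to `/data/freshrss/...`, replacing the `{{ data_dir }}` paths the template had; every other role in this repo builds its paths from `base_data_dir` (set to `/data` in `inventory/group_vars/homeserver.yml` in this same commit) and the borg role backs up `{{ base_data_dir }}`, so a later change to that variable would silently leave FreshRSS out of the backups. Keep `- {{ data_dir }}/data:/var/www/FreshRSS/data` and `- {{ data_dir }}/extensions:/var/www/FreshRSS/extensions` and place the two explanatory comments above them. The enclosing `services:` block starts outside the hunk.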
@@ -1,2 +1,4 @@ dependencies: + - role: common - role: docker + \ No newline at end of file diff --git a/ansible/roles/inbucket/tasks/main.yml b/roles/inbucket/tasks/main.yml similarity index 100% rename from ansible/roles/inbucket/tasks/main.yml rename to roles/inbucket/tasks/main.yml diff --git a/ansible/roles/inbucket/vars/main.yml b/roles/inbucket/vars/main.yml similarity index 100% rename from ansible/roles/inbucket/vars/main.yml rename to roles/inbucket/vars/main.yml diff --git a/roles/jitsi/meta/main.yml b/roles/jitsi/meta/main.yml new file mode 100644 index 0000000..6b03734 --- /dev/null +++ b/roles/jitsi/meta/main.yml @@ -0,0 +1,4 @@ +dependencies: + - role: common + - role: docker + - role: traefik diff --git a/ansible/roles/jitsi/tasks/main.yml b/roles/jitsi/tasks/main.yml similarity index 100% rename from ansible/roles/jitsi/tasks/main.yml rename to roles/jitsi/tasks/main.yml diff --git a/ansible/roles/jitsi/templates/docker-compose.yml.j2 b/roles/jitsi/templates/docker-compose.yml.j2 similarity index 100% rename from ansible/roles/jitsi/templates/docker-compose.yml.j2 rename to roles/jitsi/templates/docker-compose.yml.j2 diff --git a/ansible/roles/jitsi/vars/main.yml b/roles/jitsi/vars/main.yml similarity index 100% rename from ansible/roles/jitsi/vars/main.yml rename to roles/jitsi/vars/main.yml diff --git a/ansible/roles/kms/files/docker-compose.yml b/roles/kms/files/docker-compose.yml similarity index 100% rename from ansible/roles/kms/files/docker-compose.yml rename to roles/kms/files/docker-compose.yml diff --git a/roles/kms/meta/main.yml b/roles/kms/meta/main.yml new file mode 100644 index 0000000..7f5b1d3 --- /dev/null +++ b/roles/kms/meta/main.yml @@ -0,0 +1,4 @@ +dependencies: + - role: common + - role: docker + \ No newline at end of file diff --git a/ansible/roles/kms/tasks/main.yml b/roles/kms/tasks/main.yml similarity index 100% rename from ansible/roles/kms/tasks/main.yml rename to roles/kms/tasks/main.yml 
diff --git a/ansible/roles/kms/vars/main.yml b/roles/kms/vars/main.yml similarity index 100% rename from ansible/roles/kms/vars/main.yml rename to roles/kms/vars/main.yml diff --git a/ansible/roles/mastodon/files/.env.production b/roles/mastodon/files/.env.production similarity index 100% rename from ansible/roles/mastodon/files/.env.production rename to roles/mastodon/files/.env.production diff --git a/roles/mastodon/meta/main.yml b/roles/mastodon/meta/main.yml new file mode 100644 index 0000000..6b03734 --- /dev/null +++ b/roles/mastodon/meta/main.yml @@ -0,0 +1,4 @@ +dependencies: + - role: common + - role: docker + - role: traefik diff --git a/ansible/roles/mastodon/tasks/main.yml b/roles/mastodon/tasks/main.yml similarity index 100% rename from ansible/roles/mastodon/tasks/main.yml rename to roles/mastodon/tasks/main.yml diff --git a/ansible/roles/mastodon/templates/docker-compose.yml.j2 b/roles/mastodon/templates/docker-compose.yml.j2 similarity index 100% rename from ansible/roles/mastodon/templates/docker-compose.yml.j2 rename to roles/mastodon/templates/docker-compose.yml.j2 diff --git a/ansible/roles/mastodon/vars/main.yml b/roles/mastodon/vars/main.yml similarity index 100% rename from ansible/roles/mastodon/vars/main.yml rename to roles/mastodon/vars/main.yml diff --git a/roles/matrix/files/matrix.log.config b/roles/matrix/files/matrix.log.config new file mode 100644 index 0000000..e5cc93a --- /dev/null +++ b/roles/matrix/files/matrix.log.config @@ -0,0 +1,32 @@ +version: 1 + +formatters: + precise: + + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + + +handlers: + + + console: + class: logging.StreamHandler + formatter: precise + + + +loggers: + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + level: INFO + + +root: + level: INFO + + + handlers: [console] + + +disable_existing_loggers: false \ No newline at end of file 
diff --git a/roles/matrix/files/matrix.signing.key b/roles/matrix/files/matrix.signing.key
new file mode 100644
index 0000000..84cc79b
--- /dev/null
+++ b/roles/matrix/files/matrix.signing.key
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+38363633306139626564313833363364653037613238396266303133663231643739373237666662
+6639636136303666353639353632373530326263633264350a616465313137663731393464383263
+65373565343462633733366636343766656666396531383638363232363565646364663035353333
+3236383136353065660a353631326630623165366631666639343864633531383238643131373363
+64303565363439343064393039323265623364633738373163373339376134643966333032326564
+61646536633335633938336438663430643461623230666163636561303430393732663062393461
+346332333463636566326364663465306565
diff --git a/roles/matrix/tasks/main.yml b/roles/matrix/tasks/main.yml
new file mode 100644
index 0000000..4ce0826
--- /dev/null
+++ b/roles/matrix/tasks/main.yml
@@ -0,0 +1,31 @@
+- name: Create app directory
+  file:
+    path: "{{ service_dir }}"
+    state: directory
+- name: Copy signing key
+  copy:
+    src: "{{ role_path }}/files/matrix.log.config"
+    dest: "{{ service_dir }}/matrix.log.config"
+- name: Copy Docker Compose script
+  template:
+    src: "{{ role_path }}/templates/docker-compose.yml.j2"
+    dest: "{{ service_dir }}/docker-compose.yml"
+- name: Copy homeserver.yaml
+  template:
+    src: "{{ role_path }}/templates/homeserver.yaml.j2"
+    dest: "{{ service_dir }}/homeserver.yaml"
+  register: homeserver
+- name: Copy signing key
+  copy:
+    src: "{{ role_path }}/files/matrix.signing.key"
+    dest: "{{ service_dir }}/matrix.signing.key"
+- name: Create data directory
+  file:
+    path: "{{ data_dir }}"
+    state: directory
+- name: Start the Docker Compose
+  docker_compose:
+    project_src: "{{ service_dir }}"
+    pull: true
+    remove_orphans: true
+    restarted: "{{ homeserver.changed }}"
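Review bot: Neither the `Copy homeserver.yaml` template task nor the final `Copy signing key` task sets a `mode`, so the rendered homeserver.yaml (which carries `registration_shared_secret`, `macaroon_secret_key`, `form_secret` and the database password) and the decrypted signing key land in `{{ service_dir }}` with whatever the remote umask yields, typically 0644. Add `mode: "0600"` to both tasks (and `mode: "0700"` on the `Create app directory` task) so the secrets are readable only by the deploying user. The first task is mislabelled: it is named `Copy signing key` but copies `matrix.log.config`; rename it to `Copy log config`. Note also that `restarted: "{{ homeserver.changed }}"` only restarts Synapse when homeserver.yaml changes, so a rotated signing key or an edited compose file will not be picked up until something else triggers a restart.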
diff --git a/roles/matrix/templates/docker-compose.yml.j2 b/roles/matrix/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..0449299 --- /dev/null +++ b/roles/matrix/templates/docker-compose.yml.j2 @@ -0,0 +1,41 @@ +version: '3' + +services: + synapse: + image: docker.io/matrixdotorg/synapse:v1.77.0 + restart: unless-stopped + environment: + - SYNAPSE_CONFIG_PATH=/data/homeserver.yaml + volumes: + - /data/matrix/uploads:/data/uploads + - /data/matrix/media:/data/media + - /srv/matrix/homeserver.yaml:/data/homeserver.yaml + - /srv/matrix/matrix.log.config:/data/matrix.log.config + - /srv/matrix/matrix.signing.key:/data/matrix.signing.key + depends_on: + - db + networks: + - traefik + ports: + - "{{ internal_matrix_port }}:8008" + labels: + - traefik.enable=true + - traefik.http.routers.matrix.entryPoints=websecure + - traefik.http.routers.matrix.rule=Host(`{{ matrix_domain }}`) + - traefik.http.routers.matrix.tls=true + - traefik.http.routers.matrix.tls.certResolver=letsencrypt + - traefik.http.routers.matrix.service=matrix + - traefik.http.services.matrix.loadbalancer.server.port=8008 + + db: + image: docker.io/postgres:12-alpine + environment: + - POSTGRES_USER=synapse + - POSTGRES_PASSWORD={{ database_password }} + - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C + volumes: + - /data/matrix/schemas:/var/lib/postgresql/data + +networks: + traefik: + external: true diff --git a/roles/matrix/templates/homeserver.yaml.j2 b/roles/matrix/templates/homeserver.yaml.j2 new file mode 100644 index 0000000..0b84c3c --- /dev/null +++ b/roles/matrix/templates/homeserver.yaml.j2 
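Review bot: `ports: - "{{ internal_matrix_port }}:8008"` publishes Synapse's plain-HTTP listener on every host interface, and because homeserver.yaml enables `x_forwarded: true` on that same listener, anything that can reach the published port can hand Synapse an arbitrary `X-Forwarded-For`, defeating per-IP rate limiting and IP logging. The static role's nginx reaches it via `host.docker.internal`, so binding to 127.0.0.1 is not enough; either bind to the docker bridge address that `host-gateway` resolves to, e.g. `- "172.17.0.1:{{ internal_matrix_port }}:8008"` (confirm the gateway address on the host), or drop the publish entirely by giving the container a stable name (`container_name: synapse`) and proxying to `http://synapse:8008` over the shared `traefik` network. The bind-mounts hard-code `/srv/matrix/...` while the tasks write to `{{ service_dir }}`; using the variable keeps them in step. The database password is also handed to both containers as a plain environment variable, visible through `docker inspect`; Postgres accepts `POSTGRES_PASSWORD_FILE` if you want it out of container metadata.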
@@ -0,0 +1,35 @@
+# Configuration file for Synapse.
+#
+# For more information on how to configure Synapse, including a complete accounting of
+# each option, go to docs/usage/configuration/config_documentation.md or
+# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
+server_name: "{{ matrix_domain }}"
+pid_file: /data/homeserver.pid
+listeners:
+  - port: 8008
+    tls: false
+    type: http
+    x_forwarded: true
+    resources:
+      - names: [client, federation]
+        compress: false
+database:
+  name: psycopg2
+  args:
+    user: synapse
+    password: "{{ database_password }}"
+    host: db
+    cp_min: 5
+    cp_max: 10
+log_config: "/data/matrix.log.config"
+media_store_path: "/data/media"
+registration_shared_secret: "{{ registration_shared_secret }}"
+report_stats: false
+macaroon_secret_key: "{{ macaroon_secret_key }}"
+form_secret: "{{ form_secret }}"
+signing_key_path: "/data/matrix.signing.key"
+trusted_key_servers:
+  - server_name: "matrix.org"
+
+
+# vim:ft=yaml
diff --git a/roles/matrix/vars/main.yml b/roles/matrix/vars/main.yml
new file mode 100644
index 0000000..637e90c
--- /dev/null
+++ b/roles/matrix/vars/main.yml
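Review bot: The compose file in this diff mounts `/data/matrix/uploads:/data/uploads`, but homeserver.yaml sets only `media_store_path: "/data/media"` and never `uploads_path`, so whether in-progress uploads actually land in that volume depends on Synapse's default (which, as far as I recall, is derived from `media_store_path`); set `uploads_path: "/data/uploads"` explicitly or drop the unused mount. The nginx config elsewhere in this diff sizes `client_max_body_size` to "match max_upload_size defined in homeserver.yaml", yet no `max_upload_size` is defined here; add `max_upload_size: 50M` so the two stay visibly in sync. Since `x_forwarded: true` tells Synapse to trust `X-Forwarded-For`, a comment noting that this listener must only be reachable from Traefik/nginx would help whoever next touches the port mapping.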
@@ -0,0 +1,41 @@ +service_name: matrix +data_dir: "{{ base_data_dir }}/{{ service_name }}" +service_dir: "{{ base_service_dir }}/{{ service_name }}" + +matrix_domain: "matrix.{{ domain_name_pim }}" + +registration_shared_secret: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 66643364393432353763666361383331316635356431636530663162643134653939306438366533 + 3463393262623364336430363638356439393461393237650a626630633963343530643565323633 + 35613636386365393035666366636534306266613935653136666430366330323032653164363066 + 6531323364383131360a616465336164303030643132336264646333346666626138386331636164 + 65366438356238383234386662363631316334613439613739303165613363636261643934656665 + 32653764373939373739666263653261343036636365316566623934343261653436613962343335 + 343132326461336338323938326264666630 +macaroon_secret_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 61656638626162383134356238393031346464623930363636376136633038623836323737633463 + 3733383661663339313965636134373037366235613562340a376334666266623438313066346166 + 64333564613438313861396632633464386236356236313461373461613632346538343837343264 + 3363623135613063300a333932363036353063653931616361363934633239653732343737373536 + 31366265383939303664623565633435626530316430323036663261353334336264306162653361 + 38306437616333316638396161393164393766356566323362343565663630306465663133333733 + 343039623366313961393136356239373837 +form_secret: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 38646165646636353331323565343033396431623338633734653838633032363930323637656637 + 3931643733343537343534386137313737383562346534300a353535633239626332393831613661 + 39366230313234663930363962386336646639393566356437623937393062353134303138363734 + 6430653164656339660a613234313464653138313331333137646331323338346230643630636466 + 35383837356633303061663362626439653030333063383532373663316330373737323736326562 + 37313034363262346333343166343231316264303934366565643466396164333166643561373365 + 656533393033356363303933353231376466 
+database_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 38393732313834343631626234353261653536646434343561613264626162363839303432333133 + 3635333330626263666430353931666635393738643163300a633231343334666331373936333565 + 36376164396464623233613033636562626630623730633730666333363437613234636638356630 + 3336373235336232630a353732653331623963313865333765633965353630363733386534313639 + 38643839323733393031373139376662326134653965646366663631396464393861636538313563 + 3934363539366139346633626433396438663739393332663030 diff --git a/roles/nsd/files/keys/Kgeokunis2.nl.ksk.key b/roles/nsd/files/keys/Kgeokunis2.nl.ksk.key new file mode 100644 index 0000000..26bd681 --- /dev/null +++ b/roles/nsd/files/keys/Kgeokunis2.nl.ksk.key @@ -0,0 +1 @@ +geokunis2.nl. IN DNSKEY 257 3 15 8DFshejNxv4d9ZkSRY53kEay06aOhHm77EOYNSZFp/w= ;{id = 64014 (ksk), size = 256b} diff --git a/roles/nsd/files/keys/Kgeokunis2.nl.ksk.private b/roles/nsd/files/keys/Kgeokunis2.nl.ksk.private new file mode 100644 index 0000000..4b74954 --- /dev/null +++ b/roles/nsd/files/keys/Kgeokunis2.nl.ksk.private @@ -0,0 +1,10 @@ +$ANSIBLE_VAULT;1.1;AES256 +33306239336639653065343862633935396534373739613332356638343037646530333331343835 +6464303336356534653431663938383732383863366238320a663430613133363134336264343734 +31343731373239613330633935636137646133616334353565663061356566666465326261306362 +3463633863626666330a383461656632346361646365383234653963333561366463373331346539 +30633237346532633634636537663936353337353331393663363363363566663738643632363761 +66323032383862306635656130366261303161636232633561313630316537626262356532313131 +63616437633333346431303539306433613130373934393036356563316365373966346536353764 +39343038373162303933653335393432636332613038366531353432346332333936656464626536 +64633030353336616561656539313863306534633863633835333531306533313930 diff --git a/roles/nsd/files/keys/Kpizzapim.nl.ksk.key b/roles/nsd/files/keys/Kpizzapim.nl.ksk.key new file mode 100644 index 0000000..92f07c1 
--- /dev/null +++ b/roles/nsd/files/keys/Kpizzapim.nl.ksk.key @@ -0,0 +1 @@ +pizzapim.nl. IN DNSKEY 257 3 15 PL2LJmmaooqVFVIrvdFzS+X0YiEgz+fLlr7jm54nX/E= ;{id = 47515 (ksk), size = 256b} diff --git a/roles/nsd/files/keys/Kpizzapim.nl.ksk.private b/roles/nsd/files/keys/Kpizzapim.nl.ksk.private new file mode 100644 index 0000000..bc136ed --- /dev/null +++ b/roles/nsd/files/keys/Kpizzapim.nl.ksk.private @@ -0,0 +1,10 @@ +$ANSIBLE_VAULT;1.1;AES256 +36343534663736653462386238363734646238306365393233633530663039656335623961663131 +6436373566336464336330326438656137646536656333370a386539613239343962373562653264 +66616530343235333964343332386234666266643933393531323066666164623862633962376666 +3230333539393335630a653532396665383536633164643534303461636135653737616137313034 +33653838653538623934353631393636363937333831313036643334343261363836393235313235 +36613966343431333364336437393430653366643263643130376437663164353361633735616332 +35656666353037643739356133303064633166323535323265323134363963316566323165643165 +36656264353962346530323830623432616238653966613433616235336539396461376162316564 +61643465323165643961303639653466663961333531663133636666643437333233 diff --git a/roles/nsd/files/nsd.conf b/roles/nsd/files/nsd.conf new file mode 100644 index 0000000..60c65a4 --- /dev/null +++ b/roles/nsd/files/nsd.conf @@ -0,0 +1,24 @@ +server: + ip-address: enp3s0 + server-count: 1 + verbosity: 1 + hide-version: yes + zonesdir: "/etc/nsd/zones" + ip-transparent: yes + ip-freebind: yes + +zone: + name: pizzapim.nl + zonefile: pizzapim.nl.signed + provide-xfr: 87.253.155.96/27 NOKEY + provide-xfr: 157.97.168.160/27 NOKEY + +zone: + name: geokunis2.nl + zonefile: geokunis2.nl.signed + provide-xfr: 87.253.155.96/27 NOKEY + provide-xfr: 157.97.168.160/27 NOKEY + +zone: + name: pim.kunis.nl + zonefile: pim.kunis.nl diff --git a/roles/nsd/files/zones/geokunis2.nl b/roles/nsd/files/zones/geokunis2.nl new file mode 100644 index 0000000..9a7279e --- /dev/null 
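Review bot: Both signed zones grant `provide-xfr` to the two TransIP ranges with `NOKEY`, i.e. an IP-only ACL for AXFR; zone data is public and signed so the exposure is mainly enumeration, but TSIG is the standard control — add a `key:` block and replace `NOKEY` with the key name if the secondary provider supports it (I cannot tell from here). There are no matching `notify:` entries for those ranges, so the secondaries only learn of a re-sign or record change at SOA refresh (1800s per the zone files). The `pim.kunis.nl` zone has no `provide-xfr` at all and, per its zone file, a single NS, so that zone disappears whenever this host is down.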
+++ b/roles/nsd/files/zones/geokunis2.nl @@ -0,0 +1,26 @@ +$ORIGIN geokunis2.nl. +$TTL 60 + +geokunis2.nl. IN SOA ns.geokunis2.nl. niels.kunis.nl. 2023021700 1800 3600 1209600 3600 + NS ns.geokunis2.nl. + NS ns0.transip.net. + NS ns1.transip.nl. + NS ns2.transip.eu. + A 84.245.14.149 + AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda +; MX 0 . +; TXT "v=spf1 -all" + CAA 0 issue "letsencrypt.org" +mail IN A 84.245.14.149 + MX 10 mail.geokunis2.nl +jenl IN A 217.123.41.225 +wg IN A 84.245.14.149 +wg IN AAAA 2a02:58:19a:f710:45aa:5179:2b45:376d +wg4 IN A 84.245.14.149 +wg6 IN AAAA 2a02:58:19a:f710:45aa:5179:2b45:376d +kms IN A 84.245.14.149 +files IN A 84.245.14.149 +files IN AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda +_dmarc IN TXT "v=DMARC1; p=reject; fo=0; adkim=s; aspf=s; pct=100; rf=afrf; sp=reject" +ns A 84.245.14.149 + AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda diff --git a/roles/nsd/files/zones/pim.kunis.nl b/roles/nsd/files/zones/pim.kunis.nl new file mode 100644 index 0000000..3c61f54 --- /dev/null +++ b/roles/nsd/files/zones/pim.kunis.nl @@ -0,0 +1,20 @@ +$ORIGIN pim.kunis.nl. +$TTL 60 + +pim.kunis.nl. IN SOA ns.pim.kunis.nl. pim.kunis.nl. 2023022500 1800 3600 1209600 3600 + + NS ns.pim.kunis.nl. + A 84.245.14.149 + TXT "v=spf1 ~all" + +_dmarc IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;" + +www IN A 84.245.14.149 +ns IN A 84.245.14.149 + +social IN CNAME www.pim.kunis.nl. +dav IN CNAME www.pim.kunis.nl. +git IN CNAME www.pim.kunis.nl. +meet IN CNAME www.pim.kunis.nl. +rss IN CNAME www.pim.kunis.nl. +matrix IN CNAME www.pim.kunis.nl. diff --git a/roles/nsd/files/zones/pizzapim.nl b/roles/nsd/files/zones/pizzapim.nl new file mode 100644 index 0000000..3892920 --- /dev/null +++ b/roles/nsd/files/zones/pizzapim.nl 
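Review bot: The `MX 10 mail.geokunis2.nl` line under owner `mail` has no trailing dot, so with `$ORIGIN geokunis2.nl.` the target expands to `mail.geokunis2.nl.geokunis2.nl.` and the MX is unusable; write `MX 10 mail.geokunis2.nl.` (or simply `MX 10 mail`). That MX also hangs off `mail.geokunis2.nl`, not the apex, while the apex `MX 0 .` and `TXT "v=spf1 -all"` stay commented out, so the apex has neither an MX nor an SPF record yet publishes `_dmarc ... p=reject; aspf=s; adkim=s`; if the apex is not meant to send mail, un-commenting the null MX and `-all` SPF makes that explicit. This zone is in `sign_zones`, so bump the SOA serial (2023021700) when fixing it, otherwise the TransIP secondaries will keep the old RRset.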
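Review bot: `pim.kunis.nl` is the odd one out of the three zones: a single `NS ns.pim.kunis.nl.`, no AAAA on `ns`, no `CAA` record, and (per nsd.conf and `sign_zones` in this diff) neither a secondary nor DNSSEC. At minimum add `CAA 0 issue "letsencrypt.org"` at the apex for parity with the other two zones, since `matrix`, `git`, `social` and friends all get Let's Encrypt certificates via Traefik. Signing it would also need a DS published by whoever runs `kunis.nl`, which I cannot verify from here.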
@@ -0,0 +1,19 @@ +$ORIGIN pizzapim.nl. +$TTL 60 + +pizzapim.nl. IN SOA ns.pizzapim.nl. pim.kunis.nl. 2023020900 1800 3600 1209600 3600 + + NS ns.pizzapim.nl. + NS ns0.transip.net. + NS ns1.transip.nl. + NS ns2.transip.eu. + A 84.245.14.149 + TXT "v=spf1 ~all" + CAA 0 issue "letsencrypt.org" + +_dmarc IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;" + +social IN A 84.245.14.149 + AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda +ns IN A 84.245.14.149 + AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda diff --git a/roles/nsd/meta/main.yml b/roles/nsd/meta/main.yml new file mode 100644 index 0000000..9711b33 --- /dev/null +++ b/roles/nsd/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: + - role: common diff --git a/roles/nsd/tasks/main.yml b/roles/nsd/tasks/main.yml new file mode 100644 index 0000000..9f556d4 --- /dev/null +++ b/roles/nsd/tasks/main.yml 
@@ -0,0 +1,70 @@ +- name: Install nsd + apt: + pkg: + - nsd + - ldnsutils +- name: Copy nsd.conf + copy: + src: "{{ role_path }}/files/nsd.conf" + dest: /etc/nsd/nsd.conf +- name: Create zones directory + file: + path: /etc/nsd/zones + state: directory +- name: Copy zone files + copy: + src: "{{ role_path }}/files/zones/" + dest: /etc/nsd/zones +- name: Create keys directory + file: + path: /etc/nsd/keys + state: directory +- name: Copy KSK private keys + template: + src: "{{ item }}" + dest: "/etc/nsd/keys/{{ item | basename }}" + with_fileglob: + - "{{ role_path }}/files/keys/*.ksk.private" +- name: Copy KSK keys + copy: + src: "{{ item }}" + dest: "/etc/nsd/keys/{{ item | basename }}" + with_fileglob: + - "{{ role_path }}/files/keys/*.ksk.key" +- name: Check if ZSKs exist + stat: + path: "/etc/nsd/keys/K{{ item | basename }}.zsk.key" + register: zsks_exists + with_fileglob: + - "{{ role_path }}/files/zones/*" +- name: Create ZSK + command: + cmd: "ldns-keygen -a ED25519 {{ item.item | basename }}" + chdir: /etc/nsd/keys + register: create_zsk + when: not item.stat.exists and (item.item | basename) in sign_zones + with_items: "{{ zsks_exists.results }}" +- name: Rename ZSK key + command: + cmd: "mv {{ item.stdout }}.key K{{ item.item.item | basename }}.zsk.key" + chdir: /etc/nsd/keys + when: item.changed and (item.item | basename) in sign_zones + with_items: "{{ create_zsk.results }}" +- name: Rename ZSK private key + command: + cmd: "mv {{ item.stdout }}.private K{{ item.item.item | basename }}.zsk.private" + chdir: /etc/nsd/keys + when: item.changed and (item.item | basename) in sign_zones + with_items: "{{ create_zsk.results }}" +- name: Sign zones + command: + cmd: "ldns-signzone {{ item | basename }} /etc/nsd/keys/K{{ item | basename }}.zsk /etc/nsd/keys/K{{ item | basename }}.ksk" + chdir: /etc/nsd/zones + when: (item | basename) in sign_zones + with_fileglob: + - "{{ role_path }}/files/zones/*" +- name: Restart NSD + systemd: + name: nsd + enabled: true + 
state: reloaded diff --git a/roles/nsd/vars/main.yml b/roles/nsd/vars/main.yml new file mode 100644 index 0000000..45cb37c --- /dev/null +++ b/roles/nsd/vars/main.yml @@ -0,0 +1,3 @@ +sign_zones: + - geokunis2.nl + - pizzapim.nl diff --git a/ansible/roles/inbucket/meta/main.yml b/roles/prometheus/meta/main.yml similarity index 64% rename from ansible/roles/inbucket/meta/main.yml rename to roles/prometheus/meta/main.yml index 6ad37f8..090690b 100644 --- a/ansible/roles/inbucket/meta/main.yml +++ b/roles/prometheus/meta/main.yml @@ -1,2 +1,3 @@ dependencies: + - role: common - role: docker diff --git a/ansible/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml similarity index 100% rename from ansible/roles/prometheus/tasks/main.yml rename to roles/prometheus/tasks/main.yml diff --git a/ansible/roles/prometheus/templates/docker-compose.yml.j2 b/roles/prometheus/templates/docker-compose.yml.j2 similarity index 100% rename from ansible/roles/prometheus/templates/docker-compose.yml.j2 rename to roles/prometheus/templates/docker-compose.yml.j2 diff --git a/ansible/roles/prometheus/templates/prometheus.yml.j2 b/roles/prometheus/templates/prometheus.yml.j2 similarity index 100% rename from ansible/roles/prometheus/templates/prometheus.yml.j2 rename to roles/prometheus/templates/prometheus.yml.j2 diff --git a/ansible/roles/prometheus/vars/main.yml b/roles/prometheus/vars/main.yml similarity index 100% rename from ansible/roles/prometheus/vars/main.yml rename to roles/prometheus/vars/main.yml diff --git a/ansible/roles/radicale/files/radicale.conf b/roles/radicale/files/radicale.conf similarity index 89% rename from ansible/roles/radicale/files/radicale.conf rename to roles/radicale/files/radicale.conf index eb9df16..360d314 100644 --- a/ansible/roles/radicale/files/radicale.conf +++ b/roles/radicale/files/radicale.conf 
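Review bot: `Copy KSK private keys` writes the decrypted `*.ksk.private` files with no `mode`, and `Create keys directory` sets none either, so the DNSSEC private keys end up with the umask default (typically 0644 in a 0755 directory); add `mode: "0600"` to the key tasks and `mode: "0700"` to the directory (the generated ZSKs from `ldns-keygen` should be checked too). `ldns-signzone` signs with a fixed validity window (four weeks by default, if I recall correctly) and does not bump the SOA serial, yet this role only re-signs when the playbook happens to run, so RRSIGs expire if the play is not run for a month, and the TransIP secondaries keep stale signatures until then because the serial never changes; a systemd timer that re-signs with an explicit `-e` expiry and a date-derived serial is needed for the signed zones to stay valid. Using `template` for the vault-encrypted private keys also means Jinja processes the key material; `copy` decrypts vault files too and avoids that. The task named `Restart NSD` actually does `state: reloaded`; rename it to match.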
@@ -9,7 +9,7 @@ stock = utf-8 [auth] realm = Radicale - Password Required type = htpasswd -htpasswd_filename = /config/users +htpasswd_filename = /radicale/users htpasswd_encryption = md5 [rights] diff --git a/ansible/roles/radicale/files/users b/roles/radicale/files/users similarity index 100% rename from ansible/roles/radicale/files/users rename to roles/radicale/files/users diff --git a/roles/radicale/meta/main.yml b/roles/radicale/meta/main.yml new file mode 100644 index 0000000..6b03734 --- /dev/null +++ b/roles/radicale/meta/main.yml @@ -0,0 +1,4 @@ +dependencies: + - role: common + - role: docker + - role: traefik diff --git a/ansible/roles/radicale/tasks/main.yml b/roles/radicale/tasks/main.yml similarity index 93% rename from ansible/roles/radicale/tasks/main.yml rename to roles/radicale/tasks/main.yml index 5ac19d6..48afa89 100644 --- a/ansible/roles/radicale/tasks/main.yml +++ b/roles/radicale/tasks/main.yml @@ -13,7 +13,7 @@ - name: Copy radicale.conf copy: src: "{{ role_path }}/files/radicale.conf" - dest: "{{ service_dir }}/config/config" + dest: "{{ service_dir }}/config/radicale.conf" - name: Copy users file copy: src: "{{ role_path }}/files/users" diff --git a/ansible/roles/radicale/templates/docker-compose.yml.j2 b/roles/radicale/templates/docker-compose.yml.j2 similarity index 58% rename from ansible/roles/radicale/templates/docker-compose.yml.j2 rename to roles/radicale/templates/docker-compose.yml.j2 index 70e0b29..e8a51fd 100644 --- a/ansible/roles/radicale/templates/docker-compose.yml.j2 +++ b/roles/radicale/templates/docker-compose.yml.j2 
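Review bot: The context line `htpasswd_encryption = md5` is the weakest hash Radicale's htpasswd backend offers and, since the users file is the only authentication for calendars and contacts, it is worth fixing alongside the path change: set `htpasswd_encryption = bcrypt` and regenerate `files/users` with `htpasswd -B`. This requires the `bcrypt` Python package inside the `mailu/radicale` image, which I cannot confirm from here. Radicale only has an enclosing `[auth]` section here; the rest of the file is outside the hunk.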
@@ -1,28 +1,18 @@ -version: '3.7' +version: '3' + +networks: + traefik: + external: true services: radicale: - image: tomsquest/docker-radicale + restart: always + image: mailu/radicale:1.9 container_name: radicale - init: true - read_only: true - security_opt: - - no-new-privileges:true - cap_drop: - - ALL - cap_add: - - SETUID - - SETGID - - CHOWN - - KILL - healthcheck: - test: curl -f http://127.0.0.1:5232 || exit 1 - interval: 30s - retries: 3 - restart: unless-stopped volumes: - {{ data_dir }}:/data - - {{ service_dir }}/config:/config:ro + - {{ service_dir }}/config:/radicale + command: radicale -S -C /radicale/radicale.conf networks: - traefik labels: @@ -33,7 +23,3 @@ services: - traefik.http.routers.radicale.tls.certresolver=letsencrypt - traefik.http.routers.radicale.service=radicale - traefik.http.services.radicale.loadbalancer.server.port=5232 - -networks: - traefik: - external: true diff --git a/ansible/roles/radicale/vars/main.yml b/roles/radicale/vars/main.yml similarity index 100% rename from ansible/roles/radicale/vars/main.yml rename to roles/radicale/vars/main.yml diff --git a/roles/seafile/meta/main.yml b/roles/seafile/meta/main.yml new file mode 100644 index 0000000..6b03734 --- /dev/null +++ b/roles/seafile/meta/main.yml @@ -0,0 +1,4 @@ +dependencies: + - role: common + - role: docker + - role: traefik diff --git a/ansible/roles/seafile/tasks/main.yml b/roles/seafile/tasks/main.yml similarity index 100% rename from ansible/roles/seafile/tasks/main.yml rename to roles/seafile/tasks/main.yml diff --git a/ansible/roles/seafile/templates/docker-compose.yml.j2 b/roles/seafile/templates/docker-compose.yml.j2 similarity index 100% rename from ansible/roles/seafile/templates/docker-compose.yml.j2 rename to roles/seafile/templates/docker-compose.yml.j2 diff --git a/ansible/roles/seafile/vars/main.yml b/roles/seafile/vars/main.yml similarity index 100% rename from ansible/roles/seafile/vars/main.yml rename to roles/seafile/vars/main.yml 
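Review bot: The image swap also drops every container-hardening option that does not depend on the image: `read_only`, `cap_drop: ALL`, `no-new-privileges`, `init`, the healthcheck, and the `:ro` on the config mount, which now also holds the htpasswd `users` file and is writable from inside the container. If `mailu/radicale` needs write access to `/radicale` only for the config, a tmpfs for its scratch paths plus a read-only config mount keeps the previous posture; at minimum the capability and privilege restrictions should come back. The `command: radicale -S -C /radicale/radicale.conf` override is fine but deserves a one-line comment saying `-S` skips the storage lock, as that is not obvious.
```yaml
    image: mailu/radicale:1.9
    container_name: radicale
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    volumes:
      - {{ data_dir }}:/data
      - {{ service_dir }}/config:/radicale:ro
    # … unchanged: command, networks, traefik labels …
```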
diff --git a/roles/ssh/files/ssh_config b/roles/ssh/files/ssh_config new file mode 100644 index 0000000..9ea50e1 --- /dev/null +++ b/roles/ssh/files/ssh_config @@ -0,0 +1,54 @@ +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. + +# Configuration data is parsed as follows: +# 1. command line options +# 2. user-specific file +# 3. system-wide file +# Any configuration value is only changed the first time it is set. +# Thus, host-specific definitions should be at the beginning of the +# configuration file, and defaults at the end. + +# Site-wide defaults for some commonly used options. For a comprehensive +# list of available options, their meanings and defaults, please see the +# ssh_config(5) man page. + +Include /etc/ssh/ssh_config.d/*.conf + +Host * +# ForwardAgent no +# ForwardX11 no +# ForwardX11Trusted yes +# PasswordAuthentication yes +# HostbasedAuthentication no +# GSSAPIAuthentication no +# GSSAPIDelegateCredentials no +# GSSAPIKeyExchange no +# GSSAPITrustDNS no +# BatchMode no +# CheckHostIP yes +# AddressFamily any +# ConnectTimeout 0 +# StrictHostKeyChecking ask +# IdentityFile ~/.ssh/id_rsa +# IdentityFile ~/.ssh/id_dsa +# IdentityFile ~/.ssh/id_ecdsa +# IdentityFile ~/.ssh/id_ed25519 +# Port 22 +# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc +# MACs hmac-md5,hmac-sha1,umac-64@openssh.com +# EscapeChar ~ +# Tunnel no +# TunnelDevice any:any +# PermitLocalCommand no +# VisualHostKey no +# ProxyCommand ssh -q -W %h:%p gateway.example.com +# RekeyLimit 1G 1h +# UserKnownHostsFile ~/.ssh/known_hosts.d/%k + SendEnv LANG LC_* + +# set HashKnownHosts to no to make known_hosts human readable and reviewable. +# HashKnownHosts yes +# GSSAPIAuthentication yes 
diff --git a/roles/ssh/files/sshd_config b/roles/ssh/files/sshd_config
new file mode 100644
index 0000000..e532138
--- /dev/null
+++ b/roles/ssh/files/sshd_config
@@ -0,0 +1,41 @@
+Include /etc/ssh/sshd_config.d/*.conf
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+HostKeyAlgorithms ssh-ed25519
+CASignatureAlgorithms ssh-ed25519
+HostbasedAcceptedKeyTypes ssh-ed25519
+HostKeyAlgorithms ssh-ed25519
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+X11Forwarding yes
+PrintMotd no
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
diff --git a/roles/ssh/meta/main.yml b/roles/ssh/meta/main.yml
new file mode 100644
index 0000000..9711b33
--- /dev/null
+++ b/roles/ssh/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+  - role: common
diff --git a/roles/ssh/tasks/main.yml b/roles/ssh/tasks/main.yml
new file mode 100644
index 0000000..9c7311c
--- /dev/null
+++ b/roles/ssh/tasks/main.yml
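Review bot: `Include /etc/ssh/sshd_config.d/*.conf` is the first directive, and sshd keeps the first value it sees for each keyword, so any drop-in in that directory (Debian ships one on some installs, cloud-init writes `50-cloud-init.conf` with `PasswordAuthentication yes`) silently overrides the `PasswordAuthentication no` below; either move the `Include` to the end of the file or have the role manage that directory so the hardening cannot be undone by a package. `HostKeyAlgorithms ssh-ed25519` is listed twice; the second occurrence is dead. `X11Forwarding yes` is unnecessary on a headless server and widens the attack surface of every session, so set it to `no`. `HostbasedAcceptedKeyTypes` is the deprecated spelling of `HostbasedAcceptedAlgorithms` on OpenSSH 8.5 and later (harmless, but worth updating while here).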
@@ -0,0 +1,16 @@ +- name: Copy sshd config + copy: + src: "{{ role_path }}/files/sshd_config" + dest: /etc/ssh/sshd_config + register: sshd_config +- name: Copy ssh config + copy: + src: "{{ role_path }}/files/ssh_config" + dest: /etc/ssh/ssh_config + register: ssh_config +- name: Restart SSH service + systemd: + enabled: true + name: sshd + state: reloaded + when: sshd_config.changed diff --git a/roles/static/files/matrix/client b/roles/static/files/matrix/client new file mode 100644 index 0000000..4db647f --- /dev/null +++ b/roles/static/files/matrix/client @@ -0,0 +1,5 @@ +{ + "m.homeserver": { + "base_url": "https://matrix.pim.kunis.nl" + } +} diff --git a/roles/static/files/matrix/server b/roles/static/files/matrix/server new file mode 100644 index 0000000..341190b --- /dev/null +++ b/roles/static/files/matrix/server @@ -0,0 +1,3 @@ +{ + "m.server": "matrix.pim.kunis.nl:443" +} diff --git a/roles/static/meta/main.yml b/roles/static/meta/main.yml new file mode 100644 index 0000000..6b03734 --- /dev/null +++ b/roles/static/meta/main.yml @@ -0,0 +1,4 @@ +dependencies: + - role: common + - role: docker + - role: traefik diff --git a/ansible/roles/static/tasks/main.yml b/roles/static/tasks/main.yml similarity index 89% rename from ansible/roles/static/tasks/main.yml rename to roles/static/tasks/main.yml index 5f0cba5..ec53b20 100644 --- a/ansible/roles/static/tasks/main.yml +++ b/roles/static/tasks/main.yml @@ -17,10 +17,10 @@ cmd: "docker run --rm --volume=\"{{ service_dir }}/git:/srv/jekyll:Z\" -it jekyll/minimal jekyll build" chdir: "{{ service_dir }}" when: repo.changed -- name: Copy security.txt +- name: Copy Matrix static files copy: - src: "{{ role_path }}/files/security.txt" - dest: "{{ service_dir }}/security.txt" + src: "{{ role_path }}/files/matrix/" + dest: "{{ service_dir }}/matrix/" - name: Copy docker compose file template: src: "{{ role_path }}/templates/docker-compose.yml.j2" 
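Review bot: `Copy sshd config` has no `validate`, so a typo in `sshd_config` is copied into place and `state: reloaded` then fails (or, on a later reboot, sshd does not start), locking you out of the box; add `validate: /usr/sbin/sshd -t -f %s` to the copy task so Ansible refuses to install a config that does not parse. The task named `Restart SSH service` performs a reload; rename it to match, and note that on Debian the canonical unit is `ssh.service` (`sshd` works only as an alias). `ssh_config` is registered as `ssh_config` but nothing uses the result, so the `register` can be dropped.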
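Review bot: Replacing `Copy security.txt` with `Copy Matrix static files` means nothing in this role puts `security.txt` into `{{ service_dir }}` any more, yet the compose template elsewhere in this diff still bind-mounts `{{ service_dir }}/security.txt:/var/www/blog/security.txt` and the Traefik rule still routes `/security.txt` and `/.well-known/security.txt`; Docker creates an empty directory for a missing bind-mount source, so nginx would answer those paths with 403/404 and the published security contact silently disappears. Unless security.txt is now produced by the Jekyll build (I cannot tell from here), keep the copy task alongside the new one rather than replacing it. Also consider `mode: "0644"` on the Matrix well-known files so the nginx user can read them regardless of umask.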
diff --git a/ansible/roles/static/templates/docker-compose.yml.j2 b/roles/static/templates/docker-compose.yml.j2 similarity index 59% rename from ansible/roles/static/templates/docker-compose.yml.j2 rename to roles/static/templates/docker-compose.yml.j2 index 773d584..ebaa0c0 100644 --- a/ansible/roles/static/templates/docker-compose.yml.j2 +++ b/roles/static/templates/docker-compose.yml.j2 @@ -12,15 +12,24 @@ services: - {{ service_dir }}/security.txt:/var/www/blog/security.txt networks: - traefik + extra_hosts: + - "host.docker.internal:host-gateway" labels: - traefik.enable=true - traefik.http.routers.blog.entrypoints=websecure - - "traefik.http.routers.blog.rule=(Host(`{{ domain_name_pim }}`) || Path(`/security.txt`, `/.well-known/security.txt`))" + - "traefik.http.routers.blog.rule=(Host(`{{ domain_name_pim }}`) || Path(`/security.txt`, `/.well-known/security.txt`, `/_matrix`, `/.well-known/matrix/`))" - traefik.http.routers.blog.tls=true - traefik.http.routers.blog.tls.certresolver=letsencrypt - traefik.http.routers.blog.service=blog - traefik.http.services.blog.loadbalancer.server.port=80 + - traefik.http.routers.matrix-fed.entrypoints=matrix + - traefik.http.routers.matrix-fed.rule=Host(`matrix.pim.kunis.nl`) + - traefik.http.routers.matrix-fed.tls=true + - traefik.http.routers.matrix-fed.tls.certresolver=letsencrypt + - traefik.http.routers.matrix-fed.service=matrix-fed + - traefik.http.services.matrix-fed.loadbalancer.server.port=8448 + networks: traefik: external: true diff --git a/ansible/roles/static/templates/nginx.conf.j2 b/roles/static/templates/nginx.conf.j2 similarity index 52% rename from ansible/roles/static/templates/nginx.conf.j2 rename to roles/static/templates/nginx.conf.j2 index 10a84d1..e626efd 100644 --- a/ansible/roles/static/templates/nginx.conf.j2 +++ b/roles/static/templates/nginx.conf.j2 
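Review bot: `Path(...)` in Traefik v2 is an exact match, so the new `/_matrix` and `/.well-known/matrix/` entries match nothing a Matrix client or server actually requests (`/_matrix/...` and `/.well-known/matrix/client|server`); the well-known files are already served via the `Host(`{{ domain_name_pim }}`)` alternative, so these two entries can be dropped, or changed to `PathPrefix` if the intent was to catch `/_matrix` on arbitrary hosts (which would then shadow the matrix router in the other compose file for that exact path, since longer rules win). The `matrix-fed` router hard-codes `matrix.pim.kunis.nl` while the matrix role derives `matrix_domain` from `domain_name_pim`; use `Host(`matrix.{{ domain_name_pim }}`)` so the two cannot drift. The router also assumes a Traefik entrypoint literally named `matrix` exists, which is not visible in this diff.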
@@ -10,6 +10,31 @@ server {
 }
 }
+server {
+ # For the federation port
+ listen 8448 http2 default_server;
+ listen [::]:8448 http2 default_server;
+
+ server_name matrix.pim.kunis.nl;
+
+ location ~ ^(/_matrix|/_synapse/client) {
+ # note: do not add a path (even a single /) after the port in `proxy_pass`,
+ # otherwise nginx will canonicalise the URI and cause signature verification
+ # errors.
+ proxy_pass http://host.docker.internal:{{ internal_matrix_port }};
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+
+ # Nginx by default only allows file uploads up to 1M in size
+ # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+ client_max_body_size 50M;
+
+ # Synapse responses may be chunked, which is an HTTP/1.1 feature.
+ proxy_http_version 1.1;
+ }
+}
+
 server {
 listen 80;
 server_name {{ domain_name_pim }};
diff --git a/ansible/roles/static/vars/main.yml b/roles/static/vars/main.yml
similarity index 51%
rename from ansible/roles/static/vars/main.yml
rename to roles/static/vars/main.yml
index 912dd02..8838234 100644
--- a/ansible/roles/static/vars/main.yml
+++ b/roles/static/vars/main.yml
@@ -1,3 +1,3 @@
 service_name: static
 service_dir: "{{ base_service_dir }}/{{ service_name }}"
-git_origin: "http://git.pim.kunis.nl/pim/static.git"
+git_origin: "http://localhost:{{ internal_forgejo_port }}/pim/static.git"
diff --git a/ansible/roles/syncthing/files/cert.pem b/roles/syncthing/files/cert.pem
similarity index 100%
rename from ansible/roles/syncthing/files/cert.pem
rename to roles/syncthing/files/cert.pem
diff --git a/ansible/roles/syncthing/files/key.pem b/roles/syncthing/files/key.pem
similarity index 100%
rename from ansible/roles/syncthing/files/key.pem
rename to roles/syncthing/files/key.pem
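Review bot: `proxy_set_header X-Forwarded-Proto $scheme;` will always send `http` here, because this server block listens on 8448 without `ssl` and TLS is terminated by the `matrix-fed` router (`tls=true`) in front of it; the header Traefik already set to `https` is overwritten, and a homeserver trusting forwarded headers will believe the client arrived over plain HTTP. Likewise `X-Forwarded-For $remote_addr` replaces the chain Traefik built with Traefik's own address. Forward what the upstream proxy sent instead: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;`. The comment about matching `max_upload_size` in `homeserver.yaml` refers to a file that is not part of this repository, so the `50M` cannot be checked here — consider moving the number into a role variable next to `internal_matrix_port` so the two stay in sync.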
diff --git a/ansible/roles/kms/meta/main.yml b/roles/syncthing/meta/main.yml
similarity index 64%
rename from ansible/roles/kms/meta/main.yml
rename to roles/syncthing/meta/main.yml
index 6ad37f8..090690b 100644
--- a/ansible/roles/kms/meta/main.yml
+++ b/roles/syncthing/meta/main.yml
@@ -1,2 +1,3 @@
 dependencies:
+ - role: common
 - role: docker
diff --git a/ansible/roles/syncthing/tasks/main.yml b/roles/syncthing/tasks/main.yml
similarity index 100%
rename from ansible/roles/syncthing/tasks/main.yml
rename to roles/syncthing/tasks/main.yml
diff --git a/ansible/roles/syncthing/templates/config.xml.j2 b/roles/syncthing/templates/config.xml.j2
similarity index 100%
rename from ansible/roles/syncthing/templates/config.xml.j2
rename to roles/syncthing/templates/config.xml.j2
diff --git a/ansible/roles/syncthing/templates/docker-compose.yml.j2 b/roles/syncthing/templates/docker-compose.yml.j2
similarity index 100%
rename from ansible/roles/syncthing/templates/docker-compose.yml.j2
rename to roles/syncthing/templates/docker-compose.yml.j2
diff --git a/ansible/roles/syncthing/vars/main.yml b/roles/syncthing/vars/main.yml
similarity index 100%
rename from ansible/roles/syncthing/vars/main.yml
rename to roles/syncthing/vars/main.yml
diff --git a/ansible/roles/traefik/files/services.toml b/roles/traefik/files/services.toml
similarity index 77%
rename from ansible/roles/traefik/files/services.toml
rename to roles/traefik/files/services.toml
index 6dbc3b5..ca5bb05 100644
--- a/ansible/roles/traefik/files/services.toml
+++ b/roles/traefik/files/services.toml
@@ -3,4 +3,4 @@
 [http.services.esrom]
 [http.services.esrom.loadBalancer]
 [[http.services.esrom.loadBalancer.servers]]
- url = "http://esrom.dmz:80/"
+ url = "http://192.168.30.2:80/"
diff --git a/ansible/roles/prometheus/meta/main.yml b/roles/traefik/meta/main.yml
similarity index 64%
rename from ansible/roles/prometheus/meta/main.yml
rename to roles/traefik/meta/main.yml
index 6ad37f8..090690b 100644
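Review bot: `url = "http://192.168.30.2:80/"` swaps a DNS name for a literal address inside `files/services.toml`, a file the role copies verbatim, whereas every other host-specific value in this commit (`internal_forgejo_port`, `internal_matrix_port`, `traefik_api_port`) is a templated variable. Rendering this file as a template with something like `url = "http://{{ esrom_address }}:80/"` (variable name constructed; pick one matching the role's vars) keeps the address next to the other per-environment settings and makes the next re-addressing a one-line vars change. The `esrom` router still terminates TLS and forwards in plain HTTP to this LAN address, as before; that is unchanged by the commit, just worth keeping in mind when the address moves.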
--- a/ansible/roles/prometheus/meta/main.yml
+++ b/roles/traefik/meta/main.yml
@@ -1,2 +1,3 @@
 dependencies:
+ - role: common
 - role: docker
diff --git a/ansible/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml
similarity index 87%
rename from ansible/roles/traefik/tasks/main.yml
rename to roles/traefik/tasks/main.yml
index 0341de3..9ba3f0f 100644
--- a/ansible/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@@ -2,14 +2,10 @@
 file:
 path: "{{ service_dir }}"
 state: directory
-- name: Create data directory
- file:
- path: "{{ data_dir }}"
- state: directory
 - name: Create acme file
 copy:
 content: ""
- dest: "{{ data_dir }}/acme.json"
+ dest: "{{ service_dir }}/acme.json"
 force: no
 mode: 0600
 - name: Copy Docker Compose script
diff --git a/ansible/roles/traefik/templates/docker-compose.yml.j2 b/roles/traefik/templates/docker-compose.yml.j2
similarity index 88%
rename from ansible/roles/traefik/templates/docker-compose.yml.j2
rename to roles/traefik/templates/docker-compose.yml.j2
index 6306437..6740d71 100644
--- a/ansible/roles/traefik/templates/docker-compose.yml.j2
+++ b/roles/traefik/templates/docker-compose.yml.j2
@@ -14,11 +14,12 @@ services:
 - "80:80"
 - "{{ git_ssh_port }}:{{ git_ssh_port }}"
 - "{{ traefik_api_port }}:{{ traefik_api_port }}"
+ - "8448:8448"
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock
 - {{ service_dir }}/traefik.toml:/etc/traefik/traefik.toml
 - {{ service_dir }}/services.toml:/etc/traefik/services.toml
- - {{ data_dir }}/acme.json:/acme.json
+ - {{ service_dir }}/acme.json:/acme.json
 networks:
 - traefik
 labels:
@@ -30,6 +31,6 @@ services:
 - traefik.http.routers.esrom.tls=true
 - traefik.http.routers.esrom.tls.certresolver=letsencrypt
- - traefik.http.routers.traefik.rule=Host(`max.dmz`)
+ - traefik.http.routers.traefik.rule=Host(`max.lan`)
 - traefik.http.routers.traefik.entrypoints=internal
 - traefik.http.routers.traefik.service=api@internal
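Review bot: Moving `dest:` to `{{ service_dir }}/acme.json` with `force: no` creates a fresh, empty file at the new path and never carries over the existing `{{ data_dir }}/acme.json`, which holds the ACME account key and every certificate issued so far; on the next deploy Traefik starts with empty ACME state and re-requests all certificates from Let's Encrypt, which counts against its rate limits. Add a one-time migration before this task — a `stat` on the old path followed by a guarded `command: mv` into `{{ service_dir }}/acme.json` — or at least document the manual move in the commit; since `data_dir` is dropped from the role vars in a later hunk, that task would have to spell out the old path via `base_data_dir`. The compose hunk below (`{{ service_dir }}/acme.json:/acme.json`) relies on the same file and is covered by the same fix. The `mode: 0600` context line is an unquoted octal; Ansible recommends `'0600'`, but that line predates this commit.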
diff --git a/ansible/roles/traefik/templates/traefik.toml.j2 b/roles/traefik/templates/traefik.toml.j2
similarity index 94%
rename from ansible/roles/traefik/templates/traefik.toml.j2
rename to roles/traefik/templates/traefik.toml.j2
index 4f265c7..f3e592b 100644
--- a/ansible/roles/traefik/templates/traefik.toml.j2
+++ b/roles/traefik/templates/traefik.toml.j2
@@ -15,6 +15,8 @@ loglevel = "DEBUG"
 address = ":{{ jitsi_videobridge_port }}/udp"
 [entryPoints.internal]
 address = ":{{ traefik_api_port }}"
+ [entryPoints.matrix]
+ address = ":8448"
 [api]
 insecure = false
diff --git a/ansible/roles/traefik/vars/main.yml b/roles/traefik/vars/main.yml
similarity index 60%
rename from ansible/roles/traefik/vars/main.yml
rename to roles/traefik/vars/main.yml
index 0569770..2e1116f 100644
--- a/ansible/roles/traefik/vars/main.yml
+++ b/roles/traefik/vars/main.yml
@@ -1,3 +1,2 @@
 service_name: traefik
 service_dir: "{{ base_service_dir }}/{{ service_name }}"
-data_dir: "{{ base_data_dir }}/{{ service_name }}"
diff --git a/ansible/roles/watchtower/files/docker-compose.yml b/roles/watchtower/files/docker-compose.yml
similarity index 58%
rename from ansible/roles/watchtower/files/docker-compose.yml
rename to roles/watchtower/files/docker-compose.yml
index 6811cf2..28f892e 100644
--- a/ansible/roles/watchtower/files/docker-compose.yml
+++ b/roles/watchtower/files/docker-compose.yml
@@ -4,5 +4,5 @@ services:
 image: containrrr/watchtower
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock
- command: --schedule "0 0 4 * * *" --cleanup --include-stopped --no-startup-message
+ command: --schedule "0 0 4 * * *" --include-restarting --cleanup --include-stopped --no-startup-message
 restart: always
diff --git a/roles/watchtower/meta/main.yml b/roles/watchtower/meta/main.yml
new file mode 100644
index 0000000..7f5b1d3
--- /dev/null
+++ b/roles/watchtower/meta/main.yml
@@ -0,0 +1,4 @@
+dependencies:
+ - role: common
+ - role: docker
+
\ No newline at end of file
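Review bot: `address = ":8448"` hard-codes the federation port in a template whose neighbouring entrypoints are all driven by variables (`{{ traefik_api_port }}`, `{{ jitsi_videobridge_port }}`), and the same literal is repeated in the Traefik compose ports (`"8448:8448"`), the static compose `matrix-fed` service port, and the nginx `listen 8448` lines. Introduce one variable — e.g. `matrix_federation_port` (name constructed; put it wherever `traefik_api_port` is defined) — and write `address = ":{{ matrix_federation_port }}"` here, so the four places cannot drift apart. The separate `roles/watchtower/meta/main.yml` hunk ends with a whitespace-only `+` line and `\ No newline at end of file`; the other new meta files in this commit end cleanly, so drop the trailing line and terminate the file with a newline.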
diff --git a/ansible/roles/watchtower/tasks/main.yml b/roles/watchtower/tasks/main.yml
similarity index 100%
rename from ansible/roles/watchtower/tasks/main.yml
rename to roles/watchtower/tasks/main.yml
diff --git a/ansible/roles/watchtower/vars/main.yml b/roles/watchtower/vars/main.yml
similarity index 100%
rename from ansible/roles/watchtower/vars/main.yml
rename to roles/watchtower/vars/main.yml
diff --git a/terraform/main.tf b/terraform/main.tf
deleted file mode 100644
index 9239f9d..0000000
--- a/terraform/main.tf
+++ /dev/null
@@ -1,25 +0,0 @@
-terraform {
- backend "pg" {
- schema_name = "max"
- conn_str = "postgres://terraform@10.42.0.1/terraform_state"
- }
-
- required_providers {
- libvirt = {
- source = "dmacvicar/libvirt"
- }
- }
-}
-
-provider "libvirt" {
- uri = "qemu+ssh://root@atlas.hyp/system"
-}
-
-module "debian" {
- source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian"
- name = "max"
- domain_name = "tf-max"
- memory = 1024 * 8
- mac = "CA:FE:C0:FF:EE:03"
- disk_size = 1024 * 1024 * 1024 * 30
-}
diff --git a/ansible/util/secret-service-client.sh b/util/secret-service-client.sh
similarity index 84%
rename from ansible/util/secret-service-client.sh
rename to util/secret-service-client.sh
index cb1a98c..37c9a82 100755
--- a/ansible/util/secret-service-client.sh
+++ b/util/secret-service-client.sh
@@ -4,6 +4,7 @@
 pass=`secret-tool lookup ansible_vault homeservers`
 retval=$?
 if [ $retval -ne 0 ]; then
+ echo Provide password:
 read -s pass
 fi
 echo $pass
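Review bot: The new `echo Provide password:` writes to stdout, but stdout is this script's only output channel — the final `echo $pass` is what the caller consumes, and the `secret-tool lookup ansible_vault homeservers` key strongly suggests this is an Ansible vault password script, which takes the whole of stdout as the secret. With the prompt on stdout the fallback path hands back `Provide password:` plus the typed value and every vault decrypt fails; send the prompt to stderr instead: `echo "Provide password:" >&2`. While in this block, `read -s pass` should be `read -rs pass` so backslashes in the password survive, and the unquoted `echo $pass` should become `printf '%s\n' "$pass"` so word splitting and `-n`/`-e`-like prefixes cannot mangle it; those two lines are context here but sit in the same six-line body. The script's first three lines are outside this hunk.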