diff --git a/.gitignore b/.gitignore
index 33b954c..b593a85 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,38 +1 @@
-# Local .terraform directories
-**/.terraform/*
-
-# .tfstate files
-*.tfstate
-*.tfstate.*
-
-# Crash log files
-crash.log
-crash.*.log
-
-# Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version
-# control as they are data points which are potentially sensitive and subject
-# to change depending on the environment.
-*.tfvars
-*.tfvars.json
-
-# Ignore override files as they are usually used to override resources locally and so
-# are not checked in
-override.tf
-override.tf.json
-*_override.tf
-*_override.tf.json
-
-# Include override files you do wish to add to version control using negated pattern
-# !example_override.tf
-
-# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
-# example: *tfplan*
-
-# Ignore CLI configuration files
-.terraformrc
-terraform.rc
-.terraform.lock.hcl
-*.tfbackend
-
.vault_password
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..3e7c747
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,8 @@
+all:
+ ansible-playbook playbooks/all.yml
+
+backup:
+ ansible-playbook playbooks/backup.yml
+
+%:
+ ansible-playbook playbooks/all.yml --tags "$@"
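Review bot: None of the targets are declared `.PHONY`, so a file or directory named `all`, `backup` or any tag name appearing in the repository root makes `make` report it as up to date and silently skip the playbook; `.PHONY: all backup` (plus `$(MAKECMDGOALS)` to cover the catch-all) fixes that. The `%:` rule also turns every mistyped target into a valid run of `all.yml` with a tag that matches nothing, which Ansible does not treat as an error. A one-line comment above the rule, e.g. `# any other target is passed to all.yml as --tags`, would at least make that behaviour explicit to the next reader.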
diff --git a/README.md b/README.md
index 4888ae3..fd87e3e 100644
--- a/README.md
+++ b/README.md
@@ -1,23 +1,59 @@
-# Max
+# Homeservers
-Max is our VM running all of our web servers, provisioned with Terraform and configured with Ansible.
+This repository contains Ansible scripts to setup our home servers.
+The `common` role executes some common OS tasks.
+The `docker` role installs Docker.
+The other roles are specifically for the various services we run.
## Running services
-All services below are implemented using Docker:
+All services below are running under Docker, except NSD and Borg.
+- Authoritative DNS using [NSD](https://www.nlnetlabs.nl/projects/nsd/about/) (ns.pizzapim.nl)
- Reverse proxy using [Traefik](https://doc.traefik.io/traefik/)
-- Git server using [Forgejo](https://forgejo.org/) ([git.pim.kunis.nl](https://git.pim.kunis.nl))
-- Static website using [Jekyll](https://jekyllrb.com/) ([pim.kunis.nl](https://pim.kunis.nl))
+- Git server using [Forgejo](https://forgejo.org/) ([git.pizzapim.nl](https://git.pizzapim.nl))
+- Static website using [Jekyll](https://jekyllrb.com/) ([pizzapim.nl](https://pizzapim.nl))
- File sychronisation using [Syncthing](https://syncthing.net/)
- Microblogging server using [Mastodon](https://joinmastodon.org/) ([social.pizzapim.nl](https://social.pizzapim.nl))
-- Calendar and contact synchronisation using [Radicale](https://radicale.org/v3.html) ([dav.pim.kunis.nl](https://dav.pim.kunis.nl))
+- Calendar and contact synchronisation using [Radicale](https://radicale.org/v3.html) ([dav.pizzapim.nl](https://dav.pizzapim.nl))
- KMS server using [vlmcsd](https://github.com/Wind4/vlmcsd)
- Cloud file storage using [Seafile](https://www.seafile.com)
-- Disposable mail server using [Inbucket](https://inbucket.org)
-- Digital toolbox using [Cyberchef](https://cyberchef.geokunis2.nl)
+- Inbucket disposable webmail, Mailinator alternative (https://inbucket.org)
- Jitsi Meet (https://meet.jit.si)
+- Backups using [Borg](https://www.borgbackup.org/) and [Borgmatic](https://torsion.org/borgmatic/)
- RSS feed reader using [FreshRSS](https://miniflux.app/)
- Metrics using [Prometheus](https://prometheus.io/)
-- Latex editor using [Overleaf](https://www.overleaf.com/) ([latex.pim.kunis.nl](https://latex.pim.kunis.nl))
-- Markdown editor using [Hedgedoc](https://hedgedoc.org/)
+
+## Possible future services
+
+- matrix
+- peertube?
+- Pixelfed?
+- Prometheus
+- Concourse CI?
+
+## TODO
+
+- Clear view of what services + which versions we are running. This way, we can track security updates better.
+- Host tobb website?
+- Move from Ubuntu to Debian
+- move Mastodon to pim.kunis.nl
+- Podman
+- Replace watchtower with Podman features
+- Move nginx static content server to this repo
+- Move dataserver to its own repo
+
+### NSD
+
+#### ZSK Rollover
+
+Could make automatic key rollovers with cron or some other tool.
+
+#### Idempotency
+
+Currently I always resign zones.
+But for idempotency I should probably only do it if the zone has changed or the keys have changed.
+
+### Firewall
+
+A little more difficult because of docker networking but probably doable.
diff --git a/ansible/ansible.cfg b/ansible.cfg
similarity index 74%
rename from ansible/ansible.cfg
rename to ansible.cfg
index 5f42fc7..b598c64 100644
--- a/ansible/ansible.cfg
+++ b/ansible.cfg
@@ -1,4 +1,5 @@
[defaults]
+# (pathspec) Colon separated paths in which Ansible will search for Roles.
roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles
inventory=inventory
vault_password_file=util/secret-service-client.sh
diff --git a/ansible/inventory/hosts.yml b/ansible/inventory/hosts.yml
deleted file mode 100644
index bf163f0..0000000
--- a/ansible/inventory/hosts.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-all:
- hosts:
- max:
- ansible_user: root
- ansible_host: max.dmz
diff --git a/ansible/max.yml b/ansible/max.yml
deleted file mode 100644
index b45bdd2..0000000
--- a/ansible/max.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-- name: Wait for servers to come up
- hosts: max
- gather_facts: no
- roles:
- - 'cloudinit-wait'
-
-- name: Start services
- hosts: max
- pre_tasks:
- - name: Create base service directory
- file:
- path: "{{ base_service_dir }}"
- state: directory
- - name: Delete externally managed environment file
- shell:
- cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED"
- register: rm
- changed_when: "rm.rc == 0"
- failed_when: "false"
- roles:
- - {role: 'setup-apt', tags: 'setup-apt'}
- - {role: 'watchtower', tags: 'watchtower'}
- - {role: 'forgejo', tags: 'forgejo'}
- - {role: 'syncthing', tags: 'syncthing'}
- - {role: 'kms', tags: 'kms'}
- - {role: 'cyberchef', tags: 'cyberchef'}
- - {role: 'radicale', tags: 'radicale'}
- - {role: 'mastodon', tags: 'mastodon'}
- - {role: 'seafile', tags: 'seafile'}
- - {role: 'jitsi', tags: 'jitsi'}
- - {role: 'freshrss', tags: 'freshrss'}
- - {role: 'static', tags: 'static'}
- - {role: 'inbucket', tags: 'inbucket'}
- - {role: 'prometheus', tags: 'prometheus'}
- - {role: 'overleaf', tags: 'overleaf'}
- - {role: 'hedgedoc', tags: 'hedgedoc'}
diff --git a/ansible/requirements.yml b/ansible/requirements.yml
deleted file mode 100644
index b799430..0000000
--- a/ansible/requirements.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-- name: setup-apt
- src: https://github.com/sunscrapers/ansible-role-apt.git
- scm: git
-- name: cloudinit-wait
- src: https://git.pim.kunis.nl/pim/ansible-role-cloudinit-wait
- scm: git
-- name: docker
- src: https://git.pim.kunis.nl/pim/ansible-role-docker
- scm: git
diff --git a/ansible/roles/cyberchef/files/docker-compose.yml b/ansible/roles/cyberchef/files/docker-compose.yml
deleted file mode 100644
index 8fc3dca..0000000
--- a/ansible/roles/cyberchef/files/docker-compose.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-version: "3.7"
-
-services:
- cyberchef-server:
- image: mpepping/cyberchef
- container_name: cyberchef
- restart: always
- labels:
- - traefik.enable=true
- - traefik.http.routers.cyberchef.entrypoints=websecure
- - traefik.http.routers.cyberchef.rule=Host(`cyberchef.geokunis2.nl`)
- - traefik.http.routers.cyberchef.tls=true
- - traefik.http.routers.cyberchef.tls.certresolver=letsencrypt
- - traefik.http.services.cyberchef.loadbalancer.server.port=8000
- - traefik.http.routers.cyberchef.service=cyberchef
- - traefik.docker.network=traefik
- networks:
- - traefik
-
-networks:
- traefik:
- external: true
diff --git a/ansible/roles/cyberchef/meta/main.yml b/ansible/roles/cyberchef/meta/main.yml
deleted file mode 100644
index cb0cd84..0000000
--- a/ansible/roles/cyberchef/meta/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dependencies:
- - role: traefik
diff --git a/ansible/roles/cyberchef/tasks/main.yml b/ansible/roles/cyberchef/tasks/main.yml
deleted file mode 100644
index 34ec717..0000000
--- a/ansible/roles/cyberchef/tasks/main.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-- name: Create app directory
- file:
- path: "{{ service_dir }}"
- state: directory
-- name: Copy Docker Compose script
- copy:
- src: "{{ role_path }}/files/docker-compose.yml"
- dest: "{{ service_dir }}/docker-compose.yml"
-- name: Start the Docker Compose
- docker_compose:
- project_src: "{{ service_dir }}"
- pull: true
- remove_orphans: true
diff --git a/ansible/roles/forgejo/meta/main.yml b/ansible/roles/forgejo/meta/main.yml
deleted file mode 100644
index cb0cd84..0000000
--- a/ansible/roles/forgejo/meta/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dependencies:
- - role: traefik
diff --git a/ansible/roles/freshrss/meta/main.yml b/ansible/roles/freshrss/meta/main.yml
deleted file mode 100644
index cb0cd84..0000000
--- a/ansible/roles/freshrss/meta/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dependencies:
- - role: traefik
diff --git a/ansible/roles/hedgedoc/meta/main.yml b/ansible/roles/hedgedoc/meta/main.yml
deleted file mode 100644
index cb0cd84..0000000
--- a/ansible/roles/hedgedoc/meta/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dependencies:
- - role: traefik
diff --git a/ansible/roles/hedgedoc/tasks/main.yml b/ansible/roles/hedgedoc/tasks/main.yml
deleted file mode 100644
index aa5d846..0000000
--- a/ansible/roles/hedgedoc/tasks/main.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-- name: Create service directory
- file:
- path: "{{ service_dir }}"
- state: directory
-- name: Copy Docker Compose script
- template:
- src: "{{ role_path }}/templates/docker-compose.yml.j2"
- dest: "{{ service_dir }}/docker-compose.yml"
-- name: Create data directory
- file:
- path: "{{ data_dir }}"
- state: directory
-- name: Create uploads directory
- file:
- path: "{{ data_dir }}/uploads"
- state: directory
- mode: 0777
-- name: Start the Docker Compose
- docker_compose:
- project_src: "{{ service_dir }}"
- pull: true
- remove_orphans: true
diff --git a/ansible/roles/hedgedoc/templates/docker-compose.yml.j2 b/ansible/roles/hedgedoc/templates/docker-compose.yml.j2
deleted file mode 100644
index 2926b4a..0000000
--- a/ansible/roles/hedgedoc/templates/docker-compose.yml.j2
+++ /dev/null
@@ -1,51 +0,0 @@
-version: '3'
-
-networks:
- traefik:
- external: true
- internal:
- external: false
-
-services:
- database:
- image: postgres:13.4-alpine
- container_name: hedgedoc-database
- environment:
- - POSTGRES_USER=hedgedoc
- - POSTGRES_PASSWORD=password
- - POSTGRES_DB=hedgedoc
- volumes:
- - {{ data_dir }}/database:/var/lib/postgresql/data
- restart: always
- networks:
- - internal
-
- app:
- image: quay.io/hedgedoc/hedgedoc:1.9.7
- container_name: hedgedoc
- environment:
- - CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc
- - CMD_DOMAIN={{ hedgedoc_domain }}
- - CMD_PORT=3000
- - CMD_URL_ADDPORT=false
- - CMD_ALLOW_ANONYMOUS=true
- - CMD_ALLOW_EMAIL_REGISTER=false
- - CMD_PROTOCOL_USESSL=true
- - CMD_SESSION_SECRET={{ session_secret }}
- volumes:
- - {{ data_dir }}/uploads:/hedgedoc/public/uploads
- restart: always
- depends_on:
- - database
- networks:
- - traefik
- - internal
- labels:
- - traefik.enable=true
- - traefik.http.routers.hedgedoc.entrypoints=websecure
- - traefik.http.routers.hedgedoc.rule=Host(`{{ hedgedoc_domain }}`)
- - traefik.http.routers.hedgedoc.tls=true
- - traefik.http.routers.hedgedoc.tls.certresolver=letsencrypt
- - treafik.http.routers.hedgedoc.service=hedgedoc
- - traefik.http.services.hedgedoc.loadbalancer.server.port=3000
- - traefik.docker.network=traefik
diff --git a/ansible/roles/hedgedoc/vars/main.yml b/ansible/roles/hedgedoc/vars/main.yml
deleted file mode 100644
index 10f93d8..0000000
--- a/ansible/roles/hedgedoc/vars/main.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-service_name: hedgedoc
-data_dir: "{{ base_data_dir }}/{{ service_name }}"
-service_dir: "{{ base_service_dir }}/{{ service_name }}"
-hedgedoc_domain: "md.{{ domain_name_pim }}"
-session_secret: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 30633835386265643561343033326536653166343630396139303137613138383233666565666330
- 3032613865333836656566626435383165396539323837350a376331306464643766373839386638
- 65653865343539633636323833343964636332636461386434386432306230343833343431363134
- 6563373138626637650a633932313862326231666330343662343765666166373961376237396434
- 33396131353830323063326266623862353731653665626466653335656434303033353333353164
- 61613535373037646565386131383631366338616565373261396136616433393462313537313861
- 35313661616365373231373963323865393635626132343138363230313431636333363130346239
- 32656335333635613736
diff --git a/ansible/roles/jitsi/meta/main.yml b/ansible/roles/jitsi/meta/main.yml
deleted file mode 100644
index cb0cd84..0000000
--- a/ansible/roles/jitsi/meta/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dependencies:
- - role: traefik
diff --git a/ansible/roles/mastodon/meta/main.yml b/ansible/roles/mastodon/meta/main.yml
deleted file mode 100644
index cb0cd84..0000000
--- a/ansible/roles/mastodon/meta/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dependencies:
- - role: traefik
diff --git a/ansible/roles/overleaf/meta/main.yml b/ansible/roles/overleaf/meta/main.yml
deleted file mode 100644
index cb0cd84..0000000
--- a/ansible/roles/overleaf/meta/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dependencies:
- - role: traefik
diff --git a/ansible/roles/overleaf/tasks/main.yml b/ansible/roles/overleaf/tasks/main.yml
deleted file mode 100644
index 84256ce..0000000
--- a/ansible/roles/overleaf/tasks/main.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-- name: Create service directory
- file:
- path: "{{ service_dir }}"
- state: directory
-- name: Copy Docker Compose script
- template:
- src: "{{ role_path }}/templates/docker-compose.yml.j2"
- dest: "{{ service_dir }}/docker-compose.yml"
-- name: Start the Docker Compose
- docker_compose:
- project_src: "{{ service_dir }}"
- pull: true
- remove_orphans: true
diff --git a/ansible/roles/overleaf/templates/docker-compose.yml.j2 b/ansible/roles/overleaf/templates/docker-compose.yml.j2
deleted file mode 100644
index d4c9546..0000000
--- a/ansible/roles/overleaf/templates/docker-compose.yml.j2
+++ /dev/null
@@ -1,107 +0,0 @@
-version: '2.2'
-
-networks:
- traefik:
- external: true
- internal:
- external: false
-
-services:
- sharelatex:
- restart: always
- image: sharelatex/sharelatex
- container_name: overleaf
- networks:
- - traefik
- - internal
- depends_on:
- overleaf-mongodb:
- condition: service_healthy
- overleaf-redis:
- condition: service_started
- links:
- - overleaf-mongodb
- - overleaf-redis
- stop_grace_period: 60s
- volumes:
- - {{ data_dir }}/overleaf/sharelatex_data:/var/lib/sharelatex
- labels:
- - traefik.enable=true
- - traefik.http.routers.overleaf.entrypoints=websecure
- - traefik.http.routers.overleaf.rule=Host(`latex.pim.kunis.nl`)
- - traefik.http.routers.overleaf.tls=true
- - traefik.http.routers.overleaf.tls.certresolver=letsencrypt
- - treafik.http.routers.overleaf.service=overleaf
- - traefik.http.services.overleaf.loadbalancer.server.port=80
- - traefik.docker.network=traefik
- environment:
- SHARELATEX_APP_NAME: Overleaf Community Edition
-
- SHARELATEX_MONGO_URL: mongodb://overleaf-mongodb:27017/sharelatex
-
- # Same property, unfortunately with different names in
- # different locations
- SHARELATEX_REDIS_HOST: overleaf-redis
- REDIS_HOST: overleaf-redis
-
- ENABLED_LINKED_FILE_TYPES: 'project_file,project_output_file'
-
- # Enables Thumbnail generation using ImageMagick
- ENABLE_CONVERSIONS: 'true'
-
- # Disables email confirmation requirement
- EMAIL_CONFIRMATION_DISABLED: 'true'
-
- # temporary fix for LuaLaTex compiles
- # see https://github.com/overleaf/overleaf/issues/695
- TEXMFVAR: /var/lib/sharelatex/tmp/texmf-var
-
- ## Set for SSL via nginx-proxy
- #VIRTUAL_HOST: 103.112.212.22
-
- SHARELATEX_SITE_URL: https://latex.pim.kunis.nl
- # SHARELATEX_NAV_TITLE: Our ShareLaTeX Instance
- # SHARELATEX_HEADER_IMAGE_URL: http://somewhere.com/mylogo.png
- SHARELATEX_ADMIN_EMAIL: pim@kunis.nl
-
- # SHARELATEX_LEFT_FOOTER: '[{"text": "Powered by ShareLaTeX 2016"},{"text": "Another page I want to link to can be found here"} ]'
- # SHARELATEX_RIGHT_FOOTER: '[{"text": "Hello I am on the Right"} ]'
-
- SHARELATEX_EMAIL_FROM_ADDRESS: "noreply@kunis.nl"
-
- SHARELATEX_EMAIL_SMTP_HOST: "smtp.tweak.nl"
- SHARELATEX_EMAIL_SMTP_PORT: 587
- SHARELATEX_EMAIL_SMTP_USER: ""
- SHARELATEX_EMAIL_SMTP_PASS: ""
- # SHARELATEX_EMAIL_SMTP_TLS_REJECT_UNAUTH: true
- # SHARELATEX_EMAIL_SMTP_IGNORE_TLS: false
- # SHARELATEX_EMAIL_SMTP_NAME: '127.0.0.1'
- # SHARELATEX_EMAIL_SMTP_LOGGER: true
- # SHARELATEX_CUSTOM_EMAIL_FOOTER: "This system is run by department x"
-
- overleaf-mongodb:
- restart: always
- image: mongo:4.4
- container_name: overleaf-mongodb
- networks:
- - internal
- expose:
- - 27017
- volumes:
- - {{ data_dir }}/overleaf/mongo_data:/data/db
- healthcheck:
- test: echo 'db.stats().ok' | mongo localhost:27017/test --quiet
- interval: 10s
- timeout: 10s
- retries: 5
-
- overleaf-redis:
- restart: always
- image: redis:5
- container_name: overleaf-redis
- networks:
- - internal
- expose:
- - 6379
- volumes:
- - {{ data_dir }}/overleaf/redis_data:/data
diff --git a/ansible/roles/overleaf/vars/main.yml b/ansible/roles/overleaf/vars/main.yml
deleted file mode 100644
index 927a1e8..0000000
--- a/ansible/roles/overleaf/vars/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-service_name: overleaf
-data_dir: "{{ base_data_dir}}/{{service_name}}"
-service_dir: "{{ base_service_dir}}/{{service_name}}"
diff --git a/ansible/roles/radicale/meta/main.yml b/ansible/roles/radicale/meta/main.yml
deleted file mode 100644
index cb0cd84..0000000
--- a/ansible/roles/radicale/meta/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dependencies:
- - role: traefik
diff --git a/ansible/roles/seafile/meta/main.yml b/ansible/roles/seafile/meta/main.yml
deleted file mode 100644
index cb0cd84..0000000
--- a/ansible/roles/seafile/meta/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dependencies:
- - role: traefik
diff --git a/ansible/roles/static/files/security.txt b/ansible/roles/static/files/security.txt
deleted file mode 100644
index b1800e5..0000000
--- a/ansible/roles/static/files/security.txt
+++ /dev/null
@@ -1 +0,0 @@
-testje
diff --git a/ansible/roles/static/meta/main.yml b/ansible/roles/static/meta/main.yml
deleted file mode 100644
index cb0cd84..0000000
--- a/ansible/roles/static/meta/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dependencies:
- - role: traefik
diff --git a/ansible/roles/traefik/meta/main.yml b/ansible/roles/traefik/meta/main.yml
deleted file mode 100644
index 6ad37f8..0000000
--- a/ansible/roles/traefik/meta/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dependencies:
- - role: docker
diff --git a/ansible/roles/watchtower/meta/main.yml b/ansible/roles/watchtower/meta/main.yml
deleted file mode 100644
index 6ad37f8..0000000
--- a/ansible/roles/watchtower/meta/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dependencies:
- - role: docker
diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml
new file mode 100644
index 0000000..80201a8
--- /dev/null
+++ b/inventory/group_vars/all.yml
@@ -0,0 +1,8 @@
+borg_public_key: "AAAAC3NzaC1lZDI1NTE5AAAAIBTag7YToG5W+H2kEUz40kOH+7cs0Lp3owFFKkmHBiWM"
+dataserver_public_key: "AAAAC3NzaC1lZDI1NTE5AAAAIJsLVptkoOwmxs6DnenN8u7Q1Tm/Psh0QdI6vjrTgb6D"
+kingston1tb_mount_point: "/mnt/kingston1TB"
+backup_location: "{{ kingston1tb_mount_point }}/homeserver_backup"
+
+admin_public_keys:
+ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop"
+ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim"
diff --git a/inventory/group_vars/dataserver.yml b/inventory/group_vars/dataserver.yml
new file mode 100644
index 0000000..813eb06
--- /dev/null
+++ b/inventory/group_vars/dataserver.yml
@@ -0,0 +1 @@
+kingston1tb_uuid: "622a8d81-aa2f-460b-a563-c3cdb6285609"
diff --git a/ansible/inventory/host_vars/max.yml b/inventory/group_vars/homeserver.yml
similarity index 70%
rename from ansible/inventory/host_vars/max.yml
rename to inventory/group_vars/homeserver.yml
index d77112b..3df3da5 100644
--- a/ansible/inventory/host_vars/max.yml
+++ b/inventory/group_vars/homeserver.yml
@@ -1,6 +1,5 @@
-base_data_dir: /mnt/data
+base_data_dir: /data
base_service_dir: /srv
-domain_name_pim: pim.kunis.nl
# Additional open ports
jitsi_videobridge_port: 54562
@@ -8,8 +7,6 @@ git_ssh_port: 56287
prometheus_port: 8081
traefik_api_port: 8080
internal_forgejo_port: 3000 # Needed to pull from a repository from another docker container.
+internal_matrix_port: 3001 # Needed for proxying through NGINX
-docker_daemon_config:
- default-address-pools:
- - base: "10.204.0.0/16"
- size: 24
+domain_name_pim: pim.kunis.nl
diff --git a/inventory/hosts.yml b/inventory/hosts.yml
new file mode 100644
index 0000000..6391b99
--- /dev/null
+++ b/inventory/hosts.yml
@@ -0,0 +1,12 @@
+all:
+ children:
+ homeserver:
+ hosts:
+ max:
+ ansible_user: root
+ ansible_host: max.lan
+ dataserver:
+ hosts:
+ lewis:
+ ansible_user: root
+ ansible_host: lewis.lan
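Review bot: Both hosts are managed as `ansible_user: root`, which requires root SSH logins to stay enabled on max and lewis, and the dataserver role in this commit then installs the admin and borg keys into root's `authorized_keys` (`{{ ansible_user_id }}` resolves to root here). A dedicated unprivileged user with `become: true` would allow `PermitRootLogin no`; if root login is a deliberate choice for a LAN-only setup, it is worth confirming that the `ssh` role referenced by the playbook, which is not visible in this diff, at least sets `PermitRootLogin prohibit-password`. A short comment in the inventory stating that choice would keep it from being changed by accident.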
diff --git a/playbooks/all.yml b/playbooks/all.yml
new file mode 100644
index 0000000..05468b3
--- /dev/null
+++ b/playbooks/all.yml
@@ -0,0 +1,23 @@
+- name: Setup homeserver
+ hosts: homeserver
+ roles:
+ - {role: 'ssh', tags: 'ssh'}
+ - {role: 'watchtower', tags: 'watchtower'}
+ - {role: 'borg', tags: 'borg'}
+ - {role: 'nsd', tags: 'nsd'}
+ - {role: 'forgejo', tags: 'forgejo'}
+ - {role: 'syncthing', tags: 'syncthing'}
+ - {role: 'kms', tags: 'kms'}
+ - {role: 'radicale', tags: 'radicale'}
+ - {role: 'mastodon', tags: 'mastodon'}
+ - {role: 'seafile', tags: 'seafile'}
+ - {role: 'jitsi', tags: 'jitsi'}
+ - {role: 'freshrss', tags: 'freshrss'}
+ - {role: 'static', tags: 'static'}
+ - {role: 'inbucket', tags: 'inbucket'}
+ - {role: 'prometheus', tags: 'prometheus'}
+ - {role: 'matrix', tags: 'matrix'}
+- name: Setup dataserver
+ hosts: dataserver
+ roles:
+ - {role: 'dataserver', tags: 'dataserver'}
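Review bot: The `common` role is not listed in the homeserver play, so it runs only as a meta dependency of `borg` (roles/borg/meta/main.yml in this diff); a tagged run such as `make forgejo` would then skip the APT upgrade, resolv.conf and known_hosts setup unless those roles declare the same dependency, which this diff does not show. Listing it first as `- {role: 'common', tags: 'always'}` makes the base configuration run on every invocation regardless of `--tags`. The `firewall` role added in this commit is referenced by neither play, which matches the README's Firewall TODO, but a comment in the playbook saying so would stop anyone assuming the firewall is active.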
diff --git a/playbooks/backup.yml b/playbooks/backup.yml
new file mode 100644
index 0000000..23e7a72
--- /dev/null
+++ b/playbooks/backup.yml
@@ -0,0 +1,7 @@
+- name: Create backup
+ hosts: homeserver
+
+ tasks:
+ - name: Create backup
+ command:
+ cmd: systemctl start backup.service
diff --git a/roles/borg/files/backup.timer b/roles/borg/files/backup.timer
new file mode 100644
index 0000000..cc54943
--- /dev/null
+++ b/roles/borg/files/backup.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Backup data daily
+
+[Timer]
+OnCalendar=*-*-* 3:00:00
+Persistent=true
+RandomizedDelaySec=1h
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/borg/files/id_ed25519 b/roles/borg/files/id_ed25519
new file mode 100644
index 0000000..1dd2cb2
--- /dev/null
+++ b/roles/borg/files/id_ed25519
@@ -0,0 +1,25 @@
+$ANSIBLE_VAULT;1.1;AES256
+39646436383433653539316135323332303832633864366363313031636534353531386638323037
+6364366663313964633239613261373733333736316534390a306262373634303536353365396138
+35626433353935633534353636613232623531303765636139363139646265653361353164656363
+3465316438373734330a636563346263633332353962353033336565356435353739646263343339
+38633832343230393631633434323231313438336537383930646562356264346534663235323035
+31643861306134663662353938643861393861333838633338613131363136333766353131313666
+30393437616539643263386331343166636434323435666636386562353239373330336462653636
+38306161393634356636613334323038366365626138326365303063313564653365313063643432
+66306664356662326638363736366462343636393466303432323661323431393337306132386531
+65663736643565363634373461666631356439373935353734636535636538626630666462653636
+33363730626662313336633132393437666533363136643464653462646561393861376464366238
+35383136333939653265366336356234613166353162366365346462633639396335653432353964
+35303964633339356531343437393231303936623465383265666134316335666531636337383563
+30326530396439363438396439313264643765366663343439646333326664633231626662666463
+38616235353730346239396265306230623135626332636330666461333864306664346637396233
+61343535396230363938306162313938363063353934323764656538666337656431363634333739
+62373234356131373931333736373136343166636465643065643337386539376361383965343762
+33633837626637393832366332343332303361306230626131346539323538383365316535666532
+30666439643263653835666430393439396239333464336133316264323234643361336434343763
+61306133373335353563646331303562326139613133356139366632363738316461633739333161
+33666531653239626362363364346566373430656538356166346363333531656433393034333232
+65353139623435383330353864336132313031656362386538626464313264333231653831373834
+33363632616430303763616366356131323265313337323836396264623539316436616333383933
+62653865623831626330
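Review bot: The private half of the backup SSH identity is kept in git (vault-encrypted) and copied to `{{ service_dir }}/id_ed25519` on max; anything that has ever had the vault password can use it, and since history is immutable the only real revocation is removing the public key from lewis and committing a fresh pair. Generating the key on max itself (e.g. an `openssh_keypair` task with `register`, then reading the public key from `hostvars['max']` on the dataserver side) keeps the private key off developer machines and out of the repository entirely. If the committed key is kept, a comment in the role noting that `borg_public_key` in group_vars must be updated in lockstep with this file would prevent a silent mismatch.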
diff --git a/roles/borg/meta/main.yml b/roles/borg/meta/main.yml
new file mode 100644
index 0000000..9711b33
--- /dev/null
+++ b/roles/borg/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+ - role: common
diff --git a/roles/borg/tasks/main.yml b/roles/borg/tasks/main.yml
new file mode 100644
index 0000000..052fa2f
--- /dev/null
+++ b/roles/borg/tasks/main.yml
@@ -0,0 +1,38 @@
+- name: Install borg
+ apt:
+ pkg:
+ - borgbackup
+ - borgmatic
+- name: Create borg service directory
+ file:
+ path: "{{ service_dir }}"
+ state: directory
+- name: Copy borg backup configuration
+ template:
+ src: "{{ role_path }}/templates/backup.yml.j2"
+ dest: "{{ service_dir }}/backup.yml"
+- name: Copy private key
+ copy:
+ src: "{{ role_path }}/files/id_ed25519"
+ dest: "{{ service_dir }}/id_ed25519"
+ mode: 0600
+- name: Copy systemd timer backup service
+ template:
+ src: "{{ role_path }}/templates/backup.service.j2"
+ dest: "/etc/systemd/system/backup.service"
+ register: service
+- name: Copy systemd timer backup timer
+ copy:
+ src: "{{ role_path }}/files/backup.timer"
+ dest: "/etc/systemd/system/backup.timer"
+ register: timer
+- name: Enable systemd timer
+ systemd:
+ name: backup.timer
+ enabled: true
+ state: started
+ daemon_reload: "{{ 'yes' if service.changed or timer.changed else 'no' }}"
+- name: Restore backup
+ command:
+ cmd: "borgmatic extract --archive latest --destination / --config {{ service_dir }}/backup.yml"
+ creates: /data
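Review bot: The "Restore backup" task extracts the latest archive to `/` as root whenever `/data` is absent, so whatever the repository on lewis contains is written over the root filesystem of max; with the repository unencrypted (`unknown_unencrypted_repo_access_is_ok`) and, as far as this diff shows, trusted beyond the pinned host key, control of the dataserver is effectively root on the homeserver. Restricting the extraction to the backed-up tree, e.g. `borgmatic extract --archive latest --path data --destination / --config {{ service_dir }}/backup.yml`, narrows that to `/data` (worth confirming the flag name against the installed borgmatic). The `creates:` path is also hard-coded as `/data` while the backed-up directory comes from `{{ base_data_dir }}`; using `creates: "{{ base_data_dir }}"` keeps the two from drifting. On a brand-new repository with no archives yet, `--archive latest` will fail and abort the play, which may be intended but deserves a comment on the task.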
diff --git a/roles/borg/templates/backup.service.j2 b/roles/borg/templates/backup.service.j2
new file mode 100644
index 0000000..99fb1b3
--- /dev/null
+++ b/roles/borg/templates/backup.service.j2
@@ -0,0 +1,6 @@
+[Unit]
+Description=Backup data using borgmatic
+
+[Service]
+ExecStart=/usr/bin/borgmatic --config {{ service_dir }}/backup.yml
+Type=oneshot
diff --git a/roles/borg/templates/backup.yml.j2 b/roles/borg/templates/backup.yml.j2
new file mode 100644
index 0000000..1e7a9a1
--- /dev/null
+++ b/roles/borg/templates/backup.yml.j2
@@ -0,0 +1,17 @@
+location:
+ source_directories:
+ - {{ base_data_dir }}
+ repositories:
+ - ssh://root@lewis.lan/{{ backup_location }}
+retention:
+ keep_daily: 7
+ keep_weekly: 4
+ keep_monthly: 6
+storage:
+ ssh_command: ssh -i {{ service_dir }}/id_ed25519
+ unknown_unencrypted_repo_access_is_ok: true
+hooks:
+ before_everything:
+ - systemctl stop docker docker.socket
+ after_everything:
+ - systemctl start docker
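Review bot: The `after_everything` hook is the only thing that starts Docker again, and as I read borgmatic's hook semantics that hook is skipped when any action fails, so a failed nightly backup leaves every service on max down until someone notices; adding the same `- systemctl start docker` under an `on_error:` hook (or moving the stop/start into the systemd unit as `ExecStartPre`/`ExecStopPost`) covers the failure path. The repository is also used unencrypted, matching the `-e none` init on the dataserver, so if lewis or its disk ever leaves the owner's control the full contents of `{{ base_data_dir }}` are readable; `encryption_passphrase` from the vault with a `repokey` repository is the usual choice. Stopping Docker for the whole run is a reasonable way to get consistent data, but the outage window grows with the data set, and a comment stating that trade-off would help whoever tunes this later.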
diff --git a/ansible/roles/cyberchef/vars/main.yml b/roles/borg/vars/main.yml
similarity index 70%
rename from ansible/roles/cyberchef/vars/main.yml
rename to roles/borg/vars/main.yml
index 471684a..63faed1 100644
--- a/ansible/roles/cyberchef/vars/main.yml
+++ b/roles/borg/vars/main.yml
@@ -1,2 +1,2 @@
-service_name: cyberchef
+service_name: borg
service_dir: "{{ base_service_dir }}/{{ service_name }}"
diff --git a/roles/common/files/resolv.conf b/roles/common/files/resolv.conf
new file mode 100644
index 0000000..863bc57
--- /dev/null
+++ b/roles/common/files/resolv.conf
@@ -0,0 +1,4 @@
+nameserver 192.168.30.1
+nameserver 1.1.1.1
+nameserver 1.0.0.1
+search lan
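Review bot: Listing the LAN resolver next to two public resolvers does not give per-zone routing; the resolver library simply moves to the next nameserver on timeout, so a slow or rebooting 192.168.30.1 sends `lewis.lan` lookups to 1.1.1.1, which answers NXDOMAIN, fails the backup's SSH connection and leaks internal names upstream. If the public entries are only meant as a fallback for Internet names, `options timeout:1 attempts:2` limits the damage, but the reliable fix is to list only resolvers that know the `lan` zone here and let 192.168.30.1 forward the rest. A comment naming what 192.168.30.1 is (router, Pi-hole, the NSD host) would also help the next reader.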
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
new file mode 100644
index 0000000..4639a90
--- /dev/null
+++ b/roles/common/tasks/main.yml
@@ -0,0 +1,26 @@
+- name: APT upgrade
+ apt:
+ autoremove: true
+ upgrade: yes
+ state: latest
+ update_cache: yes
+ cache_valid_time: 86400 # One day
+- name: Create base service directory
+ file:
+ path: "{{ base_service_dir }}"
+ state: directory
+- name: Disable systemd-resolved
+ systemd:
+ name: systemd-resolved
+ enabled: false
+ state: stopped
+- name: Copy resolv.conf
+ copy:
+ src: "{{ role_path }}/files/resolv.conf"
+ dest: /etc/resolv.conf
+ follow: true
+- name: Add dataserver to known hosts
+ known_hosts:
+ name: "lewis.lan"
+ key: "lewis.lan ssh-ed25519 {{ dataserver_public_key }}"
+ state: present
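Review bot: On a stock Ubuntu host `/etc/resolv.conf` is a symlink into `/run/systemd/resolve/`, and "Copy resolv.conf" uses `follow: true`, so the content is written through the link into tmpfs; once `systemd-resolved` is disabled and the host reboots, that target is gone and the link dangles until the playbook runs again. Dropping `follow: true` (or removing the symlink first with a `file: path=/etc/resolv.conf state=absent` task) makes the copy replace the link with a regular file that survives reboot — worth verifying on one host, since it depends on how the image was provisioned. "Add dataserver to known hosts" also hard-codes `lewis.lan` while the inventory defines that host as `ansible_host` under `dataserver`; taking it from `hostvars['lewis'].ansible_host` keeps the two in step.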
diff --git a/roles/dataserver/files/ssh_host_ed25519_key b/roles/dataserver/files/ssh_host_ed25519_key
new file mode 100644
index 0000000..1629458
--- /dev/null
+++ b/roles/dataserver/files/ssh_host_ed25519_key
@@ -0,0 +1,25 @@
+$ANSIBLE_VAULT;1.1;AES256
+38633038656332643033396338303864343332636434633331366266383235316235313236646361
+6634313931303637616535373966316165656564366437330a393465356237626631303063363061
+62323737343635316139636664663937333233323737376238656566633037613938383737306132
+6237633230623962320a643433323532646261366532346234653332323336653162366433626465
+31386461393535303730333865356364646137386634643630353831383039353763396536313439
+30333335623364306166346232303862633636633066323062313531363234396362653232316261
+36666132623030323332623334323632636639646239363032626364646334643461346662616366
+39656266643937663531656137353031353130366238326535383261333539353439353566313537
+38353632353039643530613766313033313063333331333733613939383731663262623766626266
+64363061306166353633333634363332633461346538316661666364626639366132356434343631
+61373432633863643237386435386633366161393934646562343261386335353638353033343932
+62393633366163613064393966663830646237613265396462376238396639363566363865303861
+36343666326632626166323430303137323236346137346131623636653236353061343633383437
+61396534636166353038626162376335363137636164616631646261366332303135306237356432
+61626261656332666536343039316333303431653931666233363366613166663266663130656633
+39316363326532653665626136393135373863383234326638303466353930653038303433643536
+30666237363230306634333162396562623034386232666465343631306433373764626634613635
+63343965623163356536626162613863373033396565366361353538323933656165653932653937
+34666538353139636366333765363733336134396566613134303530633666326165306131353535
+33653133663166333964326330366530643730363861626261666366383334613661303762636663
+34376531343732346630643466616638323537633665373333346162306361393836326533636630
+61656335306337643930613662613832626530653630343566643661356666313331316438366538
+37333166636639363838303665626137643731626338356662656338393335343239376635303633
+35663237653238313133
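Review bot: The dataserver's SSH host private key is generated off-host and committed (vault-encrypted), which is what makes the fingerprint pinning in the `common` role possible, but it also means anyone holding the vault password can impersonate lewis, and rotating the key now requires a repository change rather than a host-side action. Generating the pair on the host (e.g. `openssh_keypair`) and feeding the resulting `.pub` into the pinning task through `hostvars` keeps the private half off developer machines and out of git history. If it stays here, a short comment in the role explaining that the host key is managed centrally for pinning would save the next reader the guess.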
diff --git a/roles/dataserver/tasks/main.yml b/roles/dataserver/tasks/main.yml
new file mode 100644
index 0000000..8d5d72e
--- /dev/null
+++ b/roles/dataserver/tasks/main.yml
@@ -0,0 +1,44 @@
+- name: Add admins' authorized keys
+ authorized_key:
+ key: "{{ item }}"
+ user: "{{ ansible_user_id }}"
+ loop: "{{ admin_public_keys }}"
+- name: Copy host public key
+ template:
+ src: "{{ role_path }}/templates/ssh_host_ed25519_key.pub.j2"
+ dest: "/etc/ssh/ssh_host_ed25519_key.pub"
+ mode: 0644
+- name: Copy host private key
+ copy:
+ src: "{{ role_path }}/files/ssh_host_ed25519_key"
+ dest: "/etc/ssh/ssh_host_ed25519_key"
+ mode: 0600
+- name: APT upgrade
+ apt:
+ autoremove: true
+ upgrade: yes
+ state: latest
+ update_cache: yes
+ cache_valid_time: 86400 # One day
+- name: Create extra disk moint point
+ file:
+ path: "{{ kingston1tb_mount_point }}"
+ state: directory
+- name: Mount extra disk
+ ansible.posix.mount:
+ path: "{{kingston1tb_mount_point }}"
+ src: "UUID={{ kingston1tb_uuid }}"
+ fstype: ext4
+ passno: 1
+ state: present
+- name: Install borg
+ apt:
+ name: borgbackup
+- name: Add Borg public key
+ authorized_key:
+ key: "ssh-ed25519 {{ borg_public_key }} root@max"
+ user: "{{ ansible_user_id }}"
+- name: Create Borg repository
+ command:
+ cmd: "borg init -e none {{ backup_location }}"
+ creates: "{{ backup_location }}"
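Review bot: "Mount extra disk" uses `state: present`, which as I read `ansible.posix.mount` only writes the fstab entry and does not mount, so on a fresh host the following `borg init` creates the repository on the root filesystem beneath `{{ kingston1tb_mount_point }}` and the real disk hides it at the next reboot; `state: mounted` mounts it first. The key authorized for root in "Add Borg public key" carries no restrictions, so a compromised max has a full root shell on the dataserver; borg's documented pattern is `key_options: 'restrict,command="borg serve --restrict-to-path {{ backup_location }}"'`. The replaced host key is also not picked up by an already-running sshd, so without a `notify` to a restart-sshd handler after "Copy host private key" the fingerprint pinned by `common` on max will mismatch until lewis is rebooted.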
diff --git a/roles/dataserver/templates/ssh_host_ed25519_key.pub.j2 b/roles/dataserver/templates/ssh_host_ed25519_key.pub.j2
new file mode 100644
index 0000000..08b6b21
--- /dev/null
+++ b/roles/dataserver/templates/ssh_host_ed25519_key.pub.j2
@@ -0,0 +1 @@
+ssh-ed25519 {{ dataserver_public_key }} root@lewis
diff --git a/roles/docker/files/daemon.json b/roles/docker/files/daemon.json
new file mode 100644
index 0000000..10fc298
--- /dev/null
+++ b/roles/docker/files/daemon.json
@@ -0,0 +1,7 @@
+{
+"default-address-pools":
+[
+{"base":"10.204.0.0/16","size":24}
+
+]
+}
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
new file mode 100644
index 0000000..3acc420
--- /dev/null
+++ b/roles/docker/tasks/main.yml
@@ -0,0 +1,41 @@
+- name: Install Docker prerequisites
+ apt:
+ pkg:
+ - ca-certificates
+ - curl
+ - gnupg
+ - lsb-release
+ - python3-pip
+- name: Add Docker APT key
+ apt_key:
+ url: https://download.docker.com/linux/ubuntu/gpg
+ keyring: /etc/apt/keyrings/docker.gpg
+- name: Add Docker repository
+ apt_repository:
+ repo: "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
+ register: apt_repository
+- name: Update APT cache
+ apt:
+ update_cache: true
+ when: apt_repository.changed
+- name: Install Docker packages
+ apt:
+ pkg:
+ - docker-ce
+ - docker-ce-cli
+ - containerd.io
+ - docker-compose-plugin
+- name: Install Docker modules for Python
+ pip:
+ name:
+ - docker
+ - docker-compose
+- name: Copy daemon.json
+ copy:
+ src: "{{ role_path }}/files/daemon.json"
+ dest: /etc/docker/daemon.json
+- name: Start Docker
+ systemd:
+ name: docker
+ enabled: true
+ state: started
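Review bot: The `Copy daemon.json` task has no `notify` or restart, and `Start Docker` only uses `state: started`, so a changed `default-address-pools` value is written to disk but never applied until something else restarts the daemon; registering the copy and adding `restarted: "{{ daemon_json.changed }}"`-style handling (or a handler) would close that gap. `apt_key` on the `Add Docker APT key` task is deprecated upstream because it wraps `apt-key`; since the repository line already uses `signed-by=/etc/apt/keyrings/docker.gpg`, fetching the key with `get_url` into that path (creating `/etc/apt/keyrings` first if the release does not ship it) removes the dependency on `apt-key`. The `docker-compose` pip package installed by `Install Docker modules for Python` is the v1 Python implementation that the `docker_compose` module in the matrix role needs, so a comment `# docker-compose (v1 Python package) is only required by the docker_compose Ansible module` would keep it from being removed as unused.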
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
new file mode 100644
index 0000000..6b6bcb4
--- /dev/null
+++ b/roles/firewall/tasks/main.yml
@@ -0,0 +1,16 @@
+- name: Install firewalld
+ apt:
+ pkg:
+ - firewalld
+ state: latest
+ update_cache: true
+- name: Allow SSH
+ firewalld:
+ service: ssh
+ permanent: yes
+ state: enabled
+- name: Start firewalld
+ systemd:
+ enabled: true
+ name: sshd
+ state: started
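Review bot: The `Start firewalld` task enables and starts `sshd`, not `firewalld` (`name: sshd` on the `systemd` task), so after this role runs firewalld is installed but never started and the rule from `Allow SSH` is never loaded; it should read `name: firewalld`. Because `Allow SSH` sets only `permanent: yes`, also consider `immediate: yes` so the rule reaches the running daemon once it is up. Note that Docker typically inserts its own iptables rules for `ports:` mappings ahead of the firewalld chains, so this role, as far as I can tell, does not restrict the ports the compose files publish.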
diff --git a/roles/forgejo/meta/main.yml b/roles/forgejo/meta/main.yml
new file mode 100644
index 0000000..6b03734
--- /dev/null
+++ b/roles/forgejo/meta/main.yml
@@ -0,0 +1,4 @@
+dependencies:
+ - role: common
+ - role: docker
+ - role: traefik
diff --git a/ansible/roles/forgejo/tasks/main.yml b/roles/forgejo/tasks/main.yml
similarity index 100%
rename from ansible/roles/forgejo/tasks/main.yml
rename to roles/forgejo/tasks/main.yml
diff --git a/ansible/roles/forgejo/templates/app.ini.j2 b/roles/forgejo/templates/app.ini.j2
similarity index 97%
rename from ansible/roles/forgejo/templates/app.ini.j2
rename to roles/forgejo/templates/app.ini.j2
index b427df5..d0ef2ec 100644
--- a/ansible/roles/forgejo/templates/app.ini.j2
+++ b/roles/forgejo/templates/app.ini.j2
@@ -4,7 +4,6 @@ RUN_USER = git
[repository]
ROOT = /data/git/repositories
-DEFAULT_BRANCH = master
[repository.local]
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
@@ -39,7 +38,6 @@ CHARSET = utf8
[indexer]
ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
-ISSUE_INDEXER_TYPE = db
[session]
PROVIDER_CONFIG = /data/gitea/sessions
diff --git a/ansible/roles/forgejo/templates/docker-compose.yml.j2 b/roles/forgejo/templates/docker-compose.yml.j2
similarity index 100%
rename from ansible/roles/forgejo/templates/docker-compose.yml.j2
rename to roles/forgejo/templates/docker-compose.yml.j2
index fcd41f5..921dc80 100644
--- a/ansible/roles/forgejo/templates/docker-compose.yml.j2
+++ b/roles/forgejo/templates/docker-compose.yml.j2
@@ -12,10 +12,10 @@ services:
- USER_UID=1000
- USER_GID=1000
restart: always
- networks:
- - traefik
ports:
- "{{ internal_forgejo_port }}:3000"
+ networks:
+ - traefik
volumes:
- {{ data_dir }}:/data
- {{ service_dir }}/conf:/data/gitea/conf
diff --git a/ansible/roles/forgejo/vars/main.yml b/roles/forgejo/vars/main.yml
similarity index 99%
rename from ansible/roles/forgejo/vars/main.yml
rename to roles/forgejo/vars/main.yml
index 7cad12e..38d58cc 100644
--- a/ansible/roles/forgejo/vars/main.yml
+++ b/roles/forgejo/vars/main.yml
@@ -3,6 +3,7 @@ data_dir: "{{ base_data_dir }}/{{ service_name }}"
service_dir: "{{ base_service_dir }}/{{ service_name }}"
git_domain: "git.{{ domain_name_pim }}"
+
forgejo:
root_url: "https://{{ git_domain }}"
mailer_host: "smtp.tweak.nl"
diff --git a/roles/freshrss/meta/main.yml b/roles/freshrss/meta/main.yml
new file mode 100644
index 0000000..6b03734
--- /dev/null
+++ b/roles/freshrss/meta/main.yml
@@ -0,0 +1,4 @@
+dependencies:
+ - role: common
+ - role: docker
+ - role: traefik
diff --git a/ansible/roles/freshrss/tasks/main.yml b/roles/freshrss/tasks/main.yml
similarity index 100%
rename from ansible/roles/freshrss/tasks/main.yml
rename to roles/freshrss/tasks/main.yml
diff --git a/ansible/roles/freshrss/templates/docker-compose.yml.j2 b/roles/freshrss/templates/docker-compose.yml.j2
similarity index 77%
rename from ansible/roles/freshrss/templates/docker-compose.yml.j2
rename to roles/freshrss/templates/docker-compose.yml.j2
index 5c15b8f..8876319 100644
--- a/ansible/roles/freshrss/templates/docker-compose.yml.j2
+++ b/roles/freshrss/templates/docker-compose.yml.j2
@@ -11,8 +11,10 @@ services:
options:
max-size: 10m
volumes:
- - {{ data_dir }}/data:/var/www/FreshRSS/data
- - {{ data_dir }}/extensions:/var/www/FreshRSS/extensions
+ # Recommended volume for FreshRSS persistent data such as configuration and SQLite databases
+ - /data/freshrss/data:/var/www/FreshRSS/data
+ # Optional volume for storing third-party extensions
+ - /data/freshrss/extensions:/var/www/FreshRSS/extensions
environment:
TZ: Europe/Amsterdam
CRON_MIN: '2,32'
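Review bot: The two new volume lines hard-code `/data/freshrss/...` where the removed ones used `{{ data_dir }}`, so the bind mounts no longer follow `base_data_dir`; if the role's tasks (not in this diff) still create `{{ data_dir }}`, the container now writes to a directory the play never creates. Keeping the comments but restoring `- {{ data_dir }}/data:/var/www/FreshRSS/data` and `- {{ data_dir }}/extensions:/var/www/FreshRSS/extensions` preserves the variable. The new `roles/matrix/templates/docker-compose.yml.j2` has the same pattern, hard-coding `/data/matrix` and `/srv/matrix` even though `roles/matrix/vars/main.yml` defines `data_dir` and `service_dir` for exactly those paths.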
diff --git a/ansible/roles/freshrss/vars/main.yml b/roles/freshrss/vars/main.yml
similarity index 100%
rename from ansible/roles/freshrss/vars/main.yml
rename to roles/freshrss/vars/main.yml
diff --git a/ansible/roles/inbucket/files/docker-compose.yml b/roles/inbucket/files/docker-compose.yml
similarity index 100%
rename from ansible/roles/inbucket/files/docker-compose.yml
rename to roles/inbucket/files/docker-compose.yml
diff --git a/ansible/roles/syncthing/meta/main.yml b/roles/inbucket/meta/main.yml
similarity index 62%
rename from ansible/roles/syncthing/meta/main.yml
rename to roles/inbucket/meta/main.yml
index 6ad37f8..7f5b1d3 100644
--- a/ansible/roles/syncthing/meta/main.yml
+++ b/roles/inbucket/meta/main.yml
@@ -1,2 +1,4 @@
dependencies:
+ - role: common
- role: docker
+
\ No newline at end of file
diff --git a/ansible/roles/inbucket/tasks/main.yml b/roles/inbucket/tasks/main.yml
similarity index 100%
rename from ansible/roles/inbucket/tasks/main.yml
rename to roles/inbucket/tasks/main.yml
diff --git a/ansible/roles/inbucket/vars/main.yml b/roles/inbucket/vars/main.yml
similarity index 100%
rename from ansible/roles/inbucket/vars/main.yml
rename to roles/inbucket/vars/main.yml
diff --git a/roles/jitsi/meta/main.yml b/roles/jitsi/meta/main.yml
new file mode 100644
index 0000000..6b03734
--- /dev/null
+++ b/roles/jitsi/meta/main.yml
@@ -0,0 +1,4 @@
+dependencies:
+ - role: common
+ - role: docker
+ - role: traefik
diff --git a/ansible/roles/jitsi/tasks/main.yml b/roles/jitsi/tasks/main.yml
similarity index 100%
rename from ansible/roles/jitsi/tasks/main.yml
rename to roles/jitsi/tasks/main.yml
diff --git a/ansible/roles/jitsi/templates/docker-compose.yml.j2 b/roles/jitsi/templates/docker-compose.yml.j2
similarity index 100%
rename from ansible/roles/jitsi/templates/docker-compose.yml.j2
rename to roles/jitsi/templates/docker-compose.yml.j2
diff --git a/ansible/roles/jitsi/vars/main.yml b/roles/jitsi/vars/main.yml
similarity index 100%
rename from ansible/roles/jitsi/vars/main.yml
rename to roles/jitsi/vars/main.yml
diff --git a/ansible/roles/kms/files/docker-compose.yml b/roles/kms/files/docker-compose.yml
similarity index 100%
rename from ansible/roles/kms/files/docker-compose.yml
rename to roles/kms/files/docker-compose.yml
diff --git a/roles/kms/meta/main.yml b/roles/kms/meta/main.yml
new file mode 100644
index 0000000..7f5b1d3
--- /dev/null
+++ b/roles/kms/meta/main.yml
@@ -0,0 +1,4 @@
+dependencies:
+ - role: common
+ - role: docker
+
\ No newline at end of file
diff --git a/ansible/roles/kms/tasks/main.yml b/roles/kms/tasks/main.yml
similarity index 100%
rename from ansible/roles/kms/tasks/main.yml
rename to roles/kms/tasks/main.yml
diff --git a/ansible/roles/kms/vars/main.yml b/roles/kms/vars/main.yml
similarity index 100%
rename from ansible/roles/kms/vars/main.yml
rename to roles/kms/vars/main.yml
diff --git a/ansible/roles/mastodon/files/.env.production b/roles/mastodon/files/.env.production
similarity index 100%
rename from ansible/roles/mastodon/files/.env.production
rename to roles/mastodon/files/.env.production
diff --git a/roles/mastodon/meta/main.yml b/roles/mastodon/meta/main.yml
new file mode 100644
index 0000000..6b03734
--- /dev/null
+++ b/roles/mastodon/meta/main.yml
@@ -0,0 +1,4 @@
+dependencies:
+ - role: common
+ - role: docker
+ - role: traefik
diff --git a/ansible/roles/mastodon/tasks/main.yml b/roles/mastodon/tasks/main.yml
similarity index 100%
rename from ansible/roles/mastodon/tasks/main.yml
rename to roles/mastodon/tasks/main.yml
diff --git a/ansible/roles/mastodon/templates/docker-compose.yml.j2 b/roles/mastodon/templates/docker-compose.yml.j2
similarity index 100%
rename from ansible/roles/mastodon/templates/docker-compose.yml.j2
rename to roles/mastodon/templates/docker-compose.yml.j2
diff --git a/ansible/roles/mastodon/vars/main.yml b/roles/mastodon/vars/main.yml
similarity index 100%
rename from ansible/roles/mastodon/vars/main.yml
rename to roles/mastodon/vars/main.yml
diff --git a/roles/matrix/files/matrix.log.config b/roles/matrix/files/matrix.log.config
new file mode 100644
index 0000000..e5cc93a
--- /dev/null
+++ b/roles/matrix/files/matrix.log.config
@@ -0,0 +1,32 @@
+version: 1
+
+formatters:
+ precise:
+
+ format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+
+handlers:
+
+
+ console:
+ class: logging.StreamHandler
+ formatter: precise
+
+
+
+loggers:
+ synapse.storage.SQL:
+ # beware: increasing this to DEBUG will make synapse log sensitive
+ # information such as access tokens.
+ level: INFO
+
+
+root:
+ level: INFO
+
+
+ handlers: [console]
+
+
+disable_existing_loggers: false
\ No newline at end of file
diff --git a/roles/matrix/files/matrix.signing.key b/roles/matrix/files/matrix.signing.key
new file mode 100644
index 0000000..84cc79b
--- /dev/null
+++ b/roles/matrix/files/matrix.signing.key
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+38363633306139626564313833363364653037613238396266303133663231643739373237666662
+6639636136303666353639353632373530326263633264350a616465313137663731393464383263
+65373565343462633733366636343766656666396531383638363232363565646364663035353333
+3236383136353065660a353631326630623165366631666639343864633531383238643131373363
+64303565363439343064393039323265623364633738373163373339376134643966333032326564
+61646536633335633938336438663430643461623230666163636561303430393732663062393461
+346332333463636566326364663465306565
diff --git a/roles/matrix/tasks/main.yml b/roles/matrix/tasks/main.yml
new file mode 100644
index 0000000..4ce0826
--- /dev/null
+++ b/roles/matrix/tasks/main.yml
@@ -0,0 +1,31 @@
+- name: Create app directory
+ file:
+ path: "{{ service_dir }}"
+ state: directory
+- name: Copy signing key
+ copy:
+ src: "{{ role_path }}/files/matrix.log.config"
+ dest: "{{ service_dir }}/matrix.log.config"
+- name: Copy Docker Compose script
+ template:
+ src: "{{ role_path }}/templates/docker-compose.yml.j2"
+ dest: "{{ service_dir }}/docker-compose.yml"
+- name: Copy homeserver.yaml
+ template:
+ src: "{{ role_path }}/templates/homeserver.yaml.j2"
+ dest: "{{ service_dir }}/homeserver.yaml"
+ register: homeserver
+- name: Copy signing key
+ copy:
+ src: "{{ role_path }}/files/matrix.signing.key"
+ dest: "{{ service_dir }}/matrix.signing.key"
+- name: Create data directory
+ file:
+ path: "{{ data_dir }}"
+ state: directory
+- name: Start the Docker Compose
+ docker_compose:
+ project_src: "{{ service_dir }}"
+ pull: true
+ remove_orphans: true
+ restarted: "{{ homeserver.changed }}"
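Review bot: Two tasks are named `Copy signing key`; the first actually copies `matrix.log.config`, so it should be renamed `Copy log config`. Neither the signing key nor the rendered `homeserver.yaml` (which carries the database password and the macaroon, form and registration secrets) gets a `mode:`, so both land in `{{ service_dir }}` with default permissions; add `mode: 0600` to those `copy`/`template` tasks, with an `owner` the container's synapse user can read if it does not run as root. `restarted: "{{ homeserver.changed }}"` also tracks only `homeserver.yaml`, so a changed log config, signing key or compose file does not restart the service; register those tasks as well and combine the `changed` results.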
diff --git a/roles/matrix/templates/docker-compose.yml.j2 b/roles/matrix/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..0449299
--- /dev/null
+++ b/roles/matrix/templates/docker-compose.yml.j2
@@ -0,0 +1,41 @@
+version: '3'
+
+services:
+ synapse:
+ image: docker.io/matrixdotorg/synapse:v1.77.0
+ restart: unless-stopped
+ environment:
+ - SYNAPSE_CONFIG_PATH=/data/homeserver.yaml
+ volumes:
+ - /data/matrix/uploads:/data/uploads
+ - /data/matrix/media:/data/media
+ - /srv/matrix/homeserver.yaml:/data/homeserver.yaml
+ - /srv/matrix/matrix.log.config:/data/matrix.log.config
+ - /srv/matrix/matrix.signing.key:/data/matrix.signing.key
+ depends_on:
+ - db
+ networks:
+ - traefik
+ ports:
+ - "{{ internal_matrix_port }}:8008"
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.matrix.entryPoints=websecure
+ - traefik.http.routers.matrix.rule=Host(`{{ matrix_domain }}`)
+ - traefik.http.routers.matrix.tls=true
+ - traefik.http.routers.matrix.tls.certResolver=letsencrypt
+ - traefik.http.routers.matrix.service=matrix
+ - traefik.http.services.matrix.loadbalancer.server.port=8008
+
+ db:
+ image: docker.io/postgres:12-alpine
+ environment:
+ - POSTGRES_USER=synapse
+ - POSTGRES_PASSWORD={{ database_password }}
+ - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
+ volumes:
+ - /data/matrix/schemas:/var/lib/postgresql/data
+
+networks:
+ traefik:
+ external: true
diff --git a/roles/matrix/templates/homeserver.yaml.j2 b/roles/matrix/templates/homeserver.yaml.j2
new file mode 100644
index 0000000..0b84c3c
--- /dev/null
+++ b/roles/matrix/templates/homeserver.yaml.j2
@@ -0,0 +1,35 @@
+# Configuration file for Synapse.
+#
+# For more information on how to configure Synapse, including a complete accounting of
+# each option, go to docs/usage/configuration/config_documentation.md or
+# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
+server_name: "{{ matrix_domain }}"
+pid_file: /data/homeserver.pid
+listeners:
+ - port: 8008
+ tls: false
+ type: http
+ x_forwarded: true
+ resources:
+ - names: [client, federation]
+ compress: false
+database:
+ name: psycopg2
+ args:
+ user: synapse
+ password: "{{ database_password }}"
+ host: db
+ cp_min: 5
+ cp_max: 10
+log_config: "/data/matrix.log.config"
+media_store_path: "/data/media"
+registration_shared_secret: "{{ registration_shared_secret }}"
+report_stats: false
+macaroon_secret_key: "{{ macaroon_secret_key }}"
+form_secret: "{{ form_secret }}"
+signing_key_path: "/data/matrix.signing.key"
+trusted_key_servers:
+ - server_name: "matrix.org"
+
+
+# vim:ft=yaml
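Review bot: The listener sets `x_forwarded: true` while the compose template also publishes the same port 8008 on the host via `ports: - "{{ internal_matrix_port }}:8008"`; if that port is reachable from anything other than Traefik, a client connecting directly can supply its own `X-Forwarded-For` and Synapse will log and rate-limit on the spoofed address. Either bind the published port to loopback or drop the `ports:` entry, since Traefik already reaches the container over the `traefik` network. `trusted_key_servers` lists `matrix.org` without `verify_keys`, which Synapse warns about at startup; add the matrix.org `verify_keys` entry or set `suppress_key_server_warning: true` if the warning is accepted.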
diff --git a/roles/matrix/vars/main.yml b/roles/matrix/vars/main.yml
new file mode 100644
index 0000000..637e90c
--- /dev/null
+++ b/roles/matrix/vars/main.yml
@@ -0,0 +1,41 @@
+service_name: matrix
+data_dir: "{{ base_data_dir }}/{{ service_name }}"
+service_dir: "{{ base_service_dir }}/{{ service_name }}"
+
+matrix_domain: "matrix.{{ domain_name_pim }}"
+
+registration_shared_secret: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 66643364393432353763666361383331316635356431636530663162643134653939306438366533
+ 3463393262623364336430363638356439393461393237650a626630633963343530643565323633
+ 35613636386365393035666366636534306266613935653136666430366330323032653164363066
+ 6531323364383131360a616465336164303030643132336264646333346666626138386331636164
+ 65366438356238383234386662363631316334613439613739303165613363636261643934656665
+ 32653764373939373739666263653261343036636365316566623934343261653436613962343335
+ 343132326461336338323938326264666630
+macaroon_secret_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 61656638626162383134356238393031346464623930363636376136633038623836323737633463
+ 3733383661663339313965636134373037366235613562340a376334666266623438313066346166
+ 64333564613438313861396632633464386236356236313461373461613632346538343837343264
+ 3363623135613063300a333932363036353063653931616361363934633239653732343737373536
+ 31366265383939303664623565633435626530316430323036663261353334336264306162653361
+ 38306437616333316638396161393164393766356566323362343565663630306465663133333733
+ 343039623366313961393136356239373837
+form_secret: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 38646165646636353331323565343033396431623338633734653838633032363930323637656637
+ 3931643733343537343534386137313737383562346534300a353535633239626332393831613661
+ 39366230313234663930363962386336646639393566356437623937393062353134303138363734
+ 6430653164656339660a613234313464653138313331333137646331323338346230643630636466
+ 35383837356633303061663362626439653030333063383532373663316330373737323736326562
+ 37313034363262346333343166343231316264303934366565643466396164333166643561373365
+ 656533393033356363303933353231376466
+database_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 38393732313834343631626234353261653536646434343561613264626162363839303432333133
+ 3635333330626263666430353931666635393738643163300a633231343334666331373936333565
+ 36376164396464623233613033636562626630623730633730666333363437613234636638356630
+ 3336373235336232630a353732653331623963313865333765633965353630363733386534313639
+ 38643839323733393031373139376662326134653965646366663631396464393861636538313563
+ 3934363539366139346633626433396438663739393332663030
diff --git a/roles/nsd/files/keys/Kgeokunis2.nl.ksk.key b/roles/nsd/files/keys/Kgeokunis2.nl.ksk.key
new file mode 100644
index 0000000..26bd681
--- /dev/null
+++ b/roles/nsd/files/keys/Kgeokunis2.nl.ksk.key
@@ -0,0 +1 @@
+geokunis2.nl. IN DNSKEY 257 3 15 8DFshejNxv4d9ZkSRY53kEay06aOhHm77EOYNSZFp/w= ;{id = 64014 (ksk), size = 256b}
diff --git a/roles/nsd/files/keys/Kgeokunis2.nl.ksk.private b/roles/nsd/files/keys/Kgeokunis2.nl.ksk.private
new file mode 100644
index 0000000..4b74954
--- /dev/null
+++ b/roles/nsd/files/keys/Kgeokunis2.nl.ksk.private
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+33306239336639653065343862633935396534373739613332356638343037646530333331343835
+6464303336356534653431663938383732383863366238320a663430613133363134336264343734
+31343731373239613330633935636137646133616334353565663061356566666465326261306362
+3463633863626666330a383461656632346361646365383234653963333561366463373331346539
+30633237346532633634636537663936353337353331393663363363363566663738643632363761
+66323032383862306635656130366261303161636232633561313630316537626262356532313131
+63616437633333346431303539306433613130373934393036356563316365373966346536353764
+39343038373162303933653335393432636332613038366531353432346332333936656464626536
+64633030353336616561656539313863306534633863633835333531306533313930
diff --git a/roles/nsd/files/keys/Kpizzapim.nl.ksk.key b/roles/nsd/files/keys/Kpizzapim.nl.ksk.key
new file mode 100644
index 0000000..92f07c1
--- /dev/null
+++ b/roles/nsd/files/keys/Kpizzapim.nl.ksk.key
@@ -0,0 +1 @@
+pizzapim.nl. IN DNSKEY 257 3 15 PL2LJmmaooqVFVIrvdFzS+X0YiEgz+fLlr7jm54nX/E= ;{id = 47515 (ksk), size = 256b}
diff --git a/roles/nsd/files/keys/Kpizzapim.nl.ksk.private b/roles/nsd/files/keys/Kpizzapim.nl.ksk.private
new file mode 100644
index 0000000..bc136ed
--- /dev/null
+++ b/roles/nsd/files/keys/Kpizzapim.nl.ksk.private
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+36343534663736653462386238363734646238306365393233633530663039656335623961663131
+6436373566336464336330326438656137646536656333370a386539613239343962373562653264
+66616530343235333964343332386234666266643933393531323066666164623862633962376666
+3230333539393335630a653532396665383536633164643534303461636135653737616137313034
+33653838653538623934353631393636363937333831313036643334343261363836393235313235
+36613966343431333364336437393430653366643263643130376437663164353361633735616332
+35656666353037643739356133303064633166323535323265323134363963316566323165643165
+36656264353962346530323830623432616238653966613433616235336539396461376162316564
+61643465323165643961303639653466663961333531663133636666643437333233
diff --git a/roles/nsd/files/nsd.conf b/roles/nsd/files/nsd.conf
new file mode 100644
index 0000000..60c65a4
--- /dev/null
+++ b/roles/nsd/files/nsd.conf
@@ -0,0 +1,24 @@
+server:
+ ip-address: enp3s0
+ server-count: 1
+ verbosity: 1
+ hide-version: yes
+ zonesdir: "/etc/nsd/zones"
+ ip-transparent: yes
+ ip-freebind: yes
+
+zone:
+ name: pizzapim.nl
+ zonefile: pizzapim.nl.signed
+ provide-xfr: 87.253.155.96/27 NOKEY
+ provide-xfr: 157.97.168.160/27 NOKEY
+
+zone:
+ name: geokunis2.nl
+ zonefile: geokunis2.nl.signed
+ provide-xfr: 87.253.155.96/27 NOKEY
+ provide-xfr: 157.97.168.160/27 NOKEY
+
+zone:
+ name: pim.kunis.nl
+ zonefile: pim.kunis.nl
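Review bot: The `provide-xfr:` lines allow zone transfers to the two /27 prefixes with `NOKEY`, so AXFR/IXFR from those ranges is authorised by source IP alone; if the secondaries (presumably the transip name servers listed as `NS` in the zone files) support TSIG, a `key:` block plus `provide-xfr: <prefix> <keyname>` would authenticate the transfers. There is also no `notify:` entry for them, so they only pick up changes at the SOA refresh interval from the zone files (1800 s) rather than on reload. If `NOKEY` is intentional, a comment such as `# Secondaries are authorised by IP ACL only; they do not offer TSIG` would document the decision.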
diff --git a/roles/nsd/files/zones/geokunis2.nl b/roles/nsd/files/zones/geokunis2.nl
new file mode 100644
index 0000000..9a7279e
--- /dev/null
+++ b/roles/nsd/files/zones/geokunis2.nl
@@ -0,0 +1,26 @@
+$ORIGIN geokunis2.nl.
+$TTL 60
+
+geokunis2.nl. IN SOA ns.geokunis2.nl. niels.kunis.nl. 2023021700 1800 3600 1209600 3600
+ NS ns.geokunis2.nl.
+ NS ns0.transip.net.
+ NS ns1.transip.nl.
+ NS ns2.transip.eu.
+ A 84.245.14.149
+ AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda
+; MX 0 .
+; TXT "v=spf1 -all"
+ CAA 0 issue "letsencrypt.org"
+mail IN A 84.245.14.149
+ MX 10 mail.geokunis2.nl
+jenl IN A 217.123.41.225
+wg IN A 84.245.14.149
+wg IN AAAA 2a02:58:19a:f710:45aa:5179:2b45:376d
+wg4 IN A 84.245.14.149
+wg6 IN AAAA 2a02:58:19a:f710:45aa:5179:2b45:376d
+kms IN A 84.245.14.149
+files IN A 84.245.14.149
+files IN AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda
+_dmarc IN TXT "v=DMARC1; p=reject; fo=0; adkim=s; aspf=s; pct=100; rf=afrf; sp=reject"
+ns A 84.245.14.149
+ AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda
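Review bot: `MX 10 mail.geokunis2.nl` has no trailing dot, so under `$ORIGIN geokunis2.nl.` the target becomes `mail.geokunis2.nl.geokunis2.nl.`; it should read `MX 10 mail.geokunis2.nl.`. Because the line follows `mail IN A ...` with a blank owner, the MX is also attached to `mail.geokunis2.nl` rather than the apex; if a zone-level MX is intended, give it an explicit `@` owner, and the commented-out `; MX 0 .` above suggests the apex mail decision is still open.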
diff --git a/roles/nsd/files/zones/pim.kunis.nl b/roles/nsd/files/zones/pim.kunis.nl
new file mode 100644
index 0000000..3c61f54
--- /dev/null
+++ b/roles/nsd/files/zones/pim.kunis.nl
@@ -0,0 +1,20 @@
+$ORIGIN pim.kunis.nl.
+$TTL 60
+
+pim.kunis.nl. IN SOA ns.pim.kunis.nl. pim.kunis.nl. 2023022500 1800 3600 1209600 3600
+
+ NS ns.pim.kunis.nl.
+ A 84.245.14.149
+ TXT "v=spf1 ~all"
+
+_dmarc IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;"
+
+www IN A 84.245.14.149
+ns IN A 84.245.14.149
+
+social IN CNAME www.pim.kunis.nl.
+dav IN CNAME www.pim.kunis.nl.
+git IN CNAME www.pim.kunis.nl.
+meet IN CNAME www.pim.kunis.nl.
+rss IN CNAME www.pim.kunis.nl.
+matrix IN CNAME www.pim.kunis.nl.
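Review bot: This zone has no `CAA` record while `geokunis2.nl` and `pizzapim.nl` both carry `CAA 0 issue "letsencrypt.org"`; if `domain_name_pim` is this zone, the `matrix`, `git`, `rss` and similar names here are issued certificates by the letsencrypt resolver in the Traefik labels, so adding `CAA 0 issue "letsencrypt.org"` under the apex keeps the three zones consistent. The zone is also absent from `sign_zones` in `roles/nsd/vars/main.yml`, so it is served unsigned; a one-line comment there stating why would help.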
diff --git a/roles/nsd/files/zones/pizzapim.nl b/roles/nsd/files/zones/pizzapim.nl
new file mode 100644
index 0000000..3892920
--- /dev/null
+++ b/roles/nsd/files/zones/pizzapim.nl
@@ -0,0 +1,19 @@
+$ORIGIN pizzapim.nl.
+$TTL 60
+
+pizzapim.nl. IN SOA ns.pizzapim.nl. pim.kunis.nl. 2023020900 1800 3600 1209600 3600
+
+ NS ns.pizzapim.nl.
+ NS ns0.transip.net.
+ NS ns1.transip.nl.
+ NS ns2.transip.eu.
+ A 84.245.14.149
+ TXT "v=spf1 ~all"
+ CAA 0 issue "letsencrypt.org"
+
+_dmarc IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;"
+
+social IN A 84.245.14.149
+ AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda
+ns IN A 84.245.14.149
+ AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda
diff --git a/roles/nsd/meta/main.yml b/roles/nsd/meta/main.yml
new file mode 100644
index 0000000..9711b33
--- /dev/null
+++ b/roles/nsd/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+ - role: common
diff --git a/roles/nsd/tasks/main.yml b/roles/nsd/tasks/main.yml
new file mode 100644
index 0000000..9f556d4
--- /dev/null
+++ b/roles/nsd/tasks/main.yml
@@ -0,0 +1,70 @@
+- name: Install nsd
+ apt:
+ pkg:
+ - nsd
+ - ldnsutils
+- name: Copy nsd.conf
+ copy:
+ src: "{{ role_path }}/files/nsd.conf"
+ dest: /etc/nsd/nsd.conf
+- name: Create zones directory
+ file:
+ path: /etc/nsd/zones
+ state: directory
+- name: Copy zone files
+ copy:
+ src: "{{ role_path }}/files/zones/"
+ dest: /etc/nsd/zones
+- name: Create keys directory
+ file:
+ path: /etc/nsd/keys
+ state: directory
+- name: Copy KSK private keys
+ template:
+ src: "{{ item }}"
+ dest: "/etc/nsd/keys/{{ item | basename }}"
+ with_fileglob:
+ - "{{ role_path }}/files/keys/*.ksk.private"
+- name: Copy KSK keys
+ copy:
+ src: "{{ item }}"
+ dest: "/etc/nsd/keys/{{ item | basename }}"
+ with_fileglob:
+ - "{{ role_path }}/files/keys/*.ksk.key"
+- name: Check if ZSKs exist
+ stat:
+ path: "/etc/nsd/keys/K{{ item | basename }}.zsk.key"
+ register: zsks_exists
+ with_fileglob:
+ - "{{ role_path }}/files/zones/*"
+- name: Create ZSK
+ command:
+ cmd: "ldns-keygen -a ED25519 {{ item.item | basename }}"
+ chdir: /etc/nsd/keys
+ register: create_zsk
+ when: not item.stat.exists and (item.item | basename) in sign_zones
+ with_items: "{{ zsks_exists.results }}"
+- name: Rename ZSK key
+ command:
+ cmd: "mv {{ item.stdout }}.key K{{ item.item.item | basename }}.zsk.key"
+ chdir: /etc/nsd/keys
+ when: item.changed and (item.item | basename) in sign_zones
+ with_items: "{{ create_zsk.results }}"
+- name: Rename ZSK private key
+ command:
+ cmd: "mv {{ item.stdout }}.private K{{ item.item.item | basename }}.zsk.private"
+ chdir: /etc/nsd/keys
+ when: item.changed and (item.item | basename) in sign_zones
+ with_items: "{{ create_zsk.results }}"
+- name: Sign zones
+ command:
+ cmd: "ldns-signzone {{ item | basename }} /etc/nsd/keys/K{{ item | basename }}.zsk /etc/nsd/keys/K{{ item | basename }}.ksk"
+ chdir: /etc/nsd/zones
+ when: (item | basename) in sign_zones
+ with_fileglob:
+ - "{{ role_path }}/files/zones/*"
+- name: Restart NSD
+ systemd:
+ name: nsd
+ enabled: true
+ state: reloaded
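Review bot: `Copy KSK private keys` writes the decrypted `*.ksk.private` files to `/etc/nsd/keys` without a `mode:`, so the DNSSEC private keys get default permissions; add `mode: 0600` (only `ldns-signzone` reads them here, so root-only is enough). `Sign zones` re-signs unconditionally on every run, and the RRSIGs `ldns-signzone` produces have a finite validity (four weeks by default, if I recall correctly), so the signed zones expire unless the play is rerun in time; a timer driving the signing tasks, or at least a `# NOTE: RRSIGs expire; re-run before the ldns-signzone expiry` comment on the task, is needed. Because signing runs every time, the `Restart NSD` task (which is really a reload, per `state: reloaded`) is also reached on every run; running `nsd-checkconf` before it would catch a broken `nsd.conf` before the reload.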
diff --git a/roles/nsd/vars/main.yml b/roles/nsd/vars/main.yml
new file mode 100644
index 0000000..45cb37c
--- /dev/null
+++ b/roles/nsd/vars/main.yml
@@ -0,0 +1,3 @@
+sign_zones:
+ - geokunis2.nl
+ - pizzapim.nl
diff --git a/ansible/roles/inbucket/meta/main.yml b/roles/prometheus/meta/main.yml
similarity index 64%
rename from ansible/roles/inbucket/meta/main.yml
rename to roles/prometheus/meta/main.yml
index 6ad37f8..090690b 100644
--- a/ansible/roles/inbucket/meta/main.yml
+++ b/roles/prometheus/meta/main.yml
@@ -1,2 +1,3 @@
dependencies:
+ - role: common
- role: docker
diff --git a/ansible/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml
similarity index 100%
rename from ansible/roles/prometheus/tasks/main.yml
rename to roles/prometheus/tasks/main.yml
diff --git a/ansible/roles/prometheus/templates/docker-compose.yml.j2 b/roles/prometheus/templates/docker-compose.yml.j2
similarity index 100%
rename from ansible/roles/prometheus/templates/docker-compose.yml.j2
rename to roles/prometheus/templates/docker-compose.yml.j2
diff --git a/ansible/roles/prometheus/templates/prometheus.yml.j2 b/roles/prometheus/templates/prometheus.yml.j2
similarity index 100%
rename from ansible/roles/prometheus/templates/prometheus.yml.j2
rename to roles/prometheus/templates/prometheus.yml.j2
diff --git a/ansible/roles/prometheus/vars/main.yml b/roles/prometheus/vars/main.yml
similarity index 100%
rename from ansible/roles/prometheus/vars/main.yml
rename to roles/prometheus/vars/main.yml
diff --git a/ansible/roles/radicale/files/radicale.conf b/roles/radicale/files/radicale.conf
similarity index 89%
rename from ansible/roles/radicale/files/radicale.conf
rename to roles/radicale/files/radicale.conf
index eb9df16..360d314 100644
--- a/ansible/roles/radicale/files/radicale.conf
+++ b/roles/radicale/files/radicale.conf
@@ -9,7 +9,7 @@ stock = utf-8
[auth]
realm = Radicale - Password Required
type = htpasswd
-htpasswd_filename = /config/users
+htpasswd_filename = /radicale/users
htpasswd_encryption = md5
[rights]
diff --git a/ansible/roles/radicale/files/users b/roles/radicale/files/users
similarity index 100%
rename from ansible/roles/radicale/files/users
rename to roles/radicale/files/users
diff --git a/roles/radicale/meta/main.yml b/roles/radicale/meta/main.yml
new file mode 100644
index 0000000..6b03734
--- /dev/null
+++ b/roles/radicale/meta/main.yml
@@ -0,0 +1,4 @@
+dependencies:
+ - role: common
+ - role: docker
+ - role: traefik
diff --git a/ansible/roles/radicale/tasks/main.yml b/roles/radicale/tasks/main.yml
similarity index 93%
rename from ansible/roles/radicale/tasks/main.yml
rename to roles/radicale/tasks/main.yml
index 5ac19d6..48afa89 100644
--- a/ansible/roles/radicale/tasks/main.yml
+++ b/roles/radicale/tasks/main.yml
@@ -13,7 +13,7 @@
- name: Copy radicale.conf
copy:
src: "{{ role_path }}/files/radicale.conf"
- dest: "{{ service_dir }}/config/config"
+ dest: "{{ service_dir }}/config/radicale.conf"
- name: Copy users file
copy:
src: "{{ role_path }}/files/users"
diff --git a/ansible/roles/radicale/templates/docker-compose.yml.j2 b/roles/radicale/templates/docker-compose.yml.j2
similarity index 58%
rename from ansible/roles/radicale/templates/docker-compose.yml.j2
rename to roles/radicale/templates/docker-compose.yml.j2
index 70e0b29..e8a51fd 100644
--- a/ansible/roles/radicale/templates/docker-compose.yml.j2
+++ b/roles/radicale/templates/docker-compose.yml.j2
@@ -1,28 +1,18 @@
-version: '3.7'
+version: '3'
+
+networks:
+ traefik:
+ external: true
services:
radicale:
- image: tomsquest/docker-radicale
+ restart: always
+ image: mailu/radicale:1.9
container_name: radicale
- init: true
- read_only: true
- security_opt:
- - no-new-privileges:true
- cap_drop:
- - ALL
- cap_add:
- - SETUID
- - SETGID
- - CHOWN
- - KILL
- healthcheck:
- test: curl -f http://127.0.0.1:5232 || exit 1
- interval: 30s
- retries: 3
- restart: unless-stopped
volumes:
- {{ data_dir }}:/data
- - {{ service_dir }}/config:/config:ro
+ - {{ service_dir }}/config:/radicale
+ command: radicale -S -C /radicale/radicale.conf
networks:
- traefik
labels:
@@ -33,7 +23,3 @@ services:
- traefik.http.routers.radicale.tls.certresolver=letsencrypt
- traefik.http.routers.radicale.service=radicale
- traefik.http.services.radicale.loadbalancer.server.port=5232
-
-networks:
- traefik:
- external: true
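Review bot: Switching to `mailu/radicale:1.9` also drops every hardening option the old service carried — `read_only`, `security_opt: no-new-privileges:true`, `cap_drop: ALL` with the minimal `cap_add`, the `healthcheck`, and the `:ro` on the config mount — and the commit does not say whether the new image cannot run with them. At minimum `security_opt:` with `- no-new-privileges:true` and `- {{ service_dir }}/config:/radicale:ro` should carry over, since that directory holds the `users` htpasswd file and the container only needs to read it unless the image writes there. `read_only` and `cap_drop` may need re-testing against the new image, but dropping them silently hides that the service lost its hardening.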
diff --git a/ansible/roles/radicale/vars/main.yml b/roles/radicale/vars/main.yml
similarity index 100%
rename from ansible/roles/radicale/vars/main.yml
rename to roles/radicale/vars/main.yml
diff --git a/roles/seafile/meta/main.yml b/roles/seafile/meta/main.yml
new file mode 100644
index 0000000..6b03734
--- /dev/null
+++ b/roles/seafile/meta/main.yml
@@ -0,0 +1,4 @@
+dependencies:
+ - role: common
+ - role: docker
+ - role: traefik
diff --git a/ansible/roles/seafile/tasks/main.yml b/roles/seafile/tasks/main.yml
similarity index 100%
rename from ansible/roles/seafile/tasks/main.yml
rename to roles/seafile/tasks/main.yml
diff --git a/ansible/roles/seafile/templates/docker-compose.yml.j2 b/roles/seafile/templates/docker-compose.yml.j2
similarity index 100%
rename from ansible/roles/seafile/templates/docker-compose.yml.j2
rename to roles/seafile/templates/docker-compose.yml.j2
diff --git a/ansible/roles/seafile/vars/main.yml b/roles/seafile/vars/main.yml
similarity index 100%
rename from ansible/roles/seafile/vars/main.yml
rename to roles/seafile/vars/main.yml
diff --git a/roles/ssh/files/ssh_config b/roles/ssh/files/ssh_config
new file mode 100644
index 0000000..9ea50e1
--- /dev/null
+++ b/roles/ssh/files/ssh_config
@@ -0,0 +1,54 @@
+# This is the ssh client system-wide configuration file. See
+# ssh_config(5) for more information. This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+# 1. command line options
+# 2. user-specific file
+# 3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options. For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+Include /etc/ssh/ssh_config.d/*.conf
+
+Host *
+# ForwardAgent no
+# ForwardX11 no
+# ForwardX11Trusted yes
+# PasswordAuthentication yes
+# HostbasedAuthentication no
+# GSSAPIAuthentication no
+# GSSAPIDelegateCredentials no
+# GSSAPIKeyExchange no
+# GSSAPITrustDNS no
+# BatchMode no
+# CheckHostIP yes
+# AddressFamily any
+# ConnectTimeout 0
+# StrictHostKeyChecking ask
+# IdentityFile ~/.ssh/id_rsa
+# IdentityFile ~/.ssh/id_dsa
+# IdentityFile ~/.ssh/id_ecdsa
+# IdentityFile ~/.ssh/id_ed25519
+# Port 22
+# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
+# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
+# EscapeChar ~
+# Tunnel no
+# TunnelDevice any:any
+# PermitLocalCommand no
+# VisualHostKey no
+# ProxyCommand ssh -q -W %h:%p gateway.example.com
+# RekeyLimit 1G 1h
+# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
+ SendEnv LANG LC_*
+
+# set HashKnownHosts to no to make known_hosts human readable and reviewable.
+# HashKnownHosts yes
+# GSSAPIAuthentication yes
diff --git a/roles/ssh/files/sshd_config b/roles/ssh/files/sshd_config
new file mode 100644
index 0000000..e532138
--- /dev/null
+++ b/roles/ssh/files/sshd_config
@@ -0,0 +1,41 @@
+Include /etc/ssh/sshd_config.d/*.conf
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+HostKeyAlgorithms ssh-ed25519
+CASignatureAlgorithms ssh-ed25519
+HostbasedAcceptedKeyTypes ssh-ed25519
+HostKeyAlgorithms ssh-ed25519
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+X11Forwarding yes
+PrintMotd no
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
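Review bot: `Include /etc/ssh/sshd_config.d/*.conf` on the first line lets any drop-in in that directory override the hardening below, because sshd keeps the first value it reads for each keyword; a distro- or cloud-init-supplied file there with `PasswordAuthentication yes` would silently re-enable passwords despite the `PasswordAuthentication no` in this file. Either have the role manage that directory too or move the `Include` to the end of the file so these settings take precedence. `HostKeyAlgorithms ssh-ed25519` is listed twice (the second copy is redundant), and `HostbasedAcceptedKeyTypes` is the legacy spelling that current OpenSSH accepts as an alias of `HostbasedAcceptedAlgorithms`. `X11Forwarding yes` on a headless home server is broader than needed; `X11Forwarding no` is the least-privilege choice unless it is actually used.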
diff --git a/roles/ssh/meta/main.yml b/roles/ssh/meta/main.yml
new file mode 100644
index 0000000..9711b33
--- /dev/null
+++ b/roles/ssh/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+ - role: common
diff --git a/roles/ssh/tasks/main.yml b/roles/ssh/tasks/main.yml
new file mode 100644
index 0000000..9c7311c
--- /dev/null
+++ b/roles/ssh/tasks/main.yml
@@ -0,0 +1,16 @@
+- name: Copy sshd config
+ copy:
+ src: "{{ role_path }}/files/sshd_config"
+ dest: /etc/ssh/sshd_config
+ register: sshd_config
+- name: Copy ssh config
+ copy:
+ src: "{{ role_path }}/files/ssh_config"
+ dest: /etc/ssh/ssh_config
+ register: ssh_config
+- name: Restart SSH service
+ systemd:
+ enabled: true
+ name: sshd
+ state: reloaded
+ when: sshd_config.changed
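Review bot: The `Copy sshd config` task has no `validate`, so a syntax error in the file is installed and only surfaces at the reload step, where whether the old configuration survives depends on the unit's ExecReload; `validate: /usr/sbin/sshd -t -f %s` on the copy task makes Ansible reject a bad file before it touches `/etc/ssh/sshd_config` (the sshd path is an assumption for the target, confirm it). Neither copy sets `owner: root`, `group: root` or `mode: "0644"`, so both files keep whatever permissions the controller-side sources had. The registered `ssh_config` result is never read, and the restart task would conventionally be a handler notified by the sshd copy rather than a task guarded by `when: sshd_config.changed`.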
diff --git a/roles/static/files/matrix/client b/roles/static/files/matrix/client
new file mode 100644
index 0000000..4db647f
--- /dev/null
+++ b/roles/static/files/matrix/client
@@ -0,0 +1,5 @@
+{
+ "m.homeserver": {
+ "base_url": "https://matrix.pim.kunis.nl"
+ }
+}
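Review bot: These well-known files have no `.json` extension, so once the static nginx serves them from `{{ service_dir }}/matrix/` they will most likely go out with nginx's default MIME type rather than `application/json`, and the client document additionally needs `Access-Control-Allow-Origin: *` for browser-based Matrix clients to read it; the same applies to `roles/static/files/matrix/server`. A `location /.well-known/matrix/` block in the nginx template with `default_type application/json;` and `add_header Access-Control-Allow-Origin *;` would cover both. How the directory is mapped into the container is not in this diff, so confirm the serving path.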
diff --git a/roles/static/files/matrix/server b/roles/static/files/matrix/server
new file mode 100644
index 0000000..341190b
--- /dev/null
+++ b/roles/static/files/matrix/server
@@ -0,0 +1,3 @@
+{
+ "m.server": "matrix.pim.kunis.nl:443"
+}
diff --git a/roles/static/meta/main.yml b/roles/static/meta/main.yml
new file mode 100644
index 0000000..6b03734
--- /dev/null
+++ b/roles/static/meta/main.yml
@@ -0,0 +1,4 @@
+dependencies:
+ - role: common
+ - role: docker
+ - role: traefik
diff --git a/ansible/roles/static/tasks/main.yml b/roles/static/tasks/main.yml
similarity index 89%
rename from ansible/roles/static/tasks/main.yml
rename to roles/static/tasks/main.yml
index 5f0cba5..ec53b20 100644
--- a/ansible/roles/static/tasks/main.yml
+++ b/roles/static/tasks/main.yml
@@ -17,10 +17,10 @@
cmd: "docker run --rm --volume=\"{{ service_dir }}/git:/srv/jekyll:Z\" -it jekyll/minimal jekyll build"
chdir: "{{ service_dir }}"
when: repo.changed
-- name: Copy security.txt
+- name: Copy Matrix static files
copy:
- src: "{{ role_path }}/files/security.txt"
- dest: "{{ service_dir }}/security.txt"
+ src: "{{ role_path }}/files/matrix/"
+ dest: "{{ service_dir }}/matrix/"
- name: Copy docker compose file
template:
src: "{{ role_path }}/templates/docker-compose.yml.j2"
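Review bot: Dropping the `Copy security.txt` task leaves the bind mount `{{ service_dir }}/security.txt:/var/www/blog/security.txt` in the static compose template (visible as context in the docker-compose hunk below) pointing at a file this role no longer creates; Docker creates a missing bind-mount source as an empty directory, so on a fresh host the container would get a directory named `security.txt` and the `/security.txt` route in the Traefik rule would stop serving the file. Either keep the copy task or remove the mount and the route if `security.txt` now comes from the site build. The new copy of the `matrix/` directory sets no `mode` or `owner`, so the two JSON files inherit whatever the source files had.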
diff --git a/ansible/roles/static/templates/docker-compose.yml.j2 b/roles/static/templates/docker-compose.yml.j2
similarity index 59%
rename from ansible/roles/static/templates/docker-compose.yml.j2
rename to roles/static/templates/docker-compose.yml.j2
index 773d584..ebaa0c0 100644
--- a/ansible/roles/static/templates/docker-compose.yml.j2
+++ b/roles/static/templates/docker-compose.yml.j2
@@ -12,15 +12,24 @@ services:
- {{ service_dir }}/security.txt:/var/www/blog/security.txt
networks:
- traefik
+ extra_hosts:
+ - "host.docker.internal:host-gateway"
labels:
- traefik.enable=true
- traefik.http.routers.blog.entrypoints=websecure
- - "traefik.http.routers.blog.rule=(Host(`{{ domain_name_pim }}`) || Path(`/security.txt`, `/.well-known/security.txt`))"
+ - "traefik.http.routers.blog.rule=(Host(`{{ domain_name_pim }}`) || Path(`/security.txt`, `/.well-known/security.txt`, `/_matrix`, `/.well-known/matrix/`))"
- traefik.http.routers.blog.tls=true
- traefik.http.routers.blog.tls.certresolver=letsencrypt
- traefik.http.routers.blog.service=blog
- traefik.http.services.blog.loadbalancer.server.port=80
+ - traefik.http.routers.matrix-fed.entrypoints=matrix
+ - traefik.http.routers.matrix-fed.rule=Host(`matrix.pim.kunis.nl`)
+ - traefik.http.routers.matrix-fed.tls=true
+ - traefik.http.routers.matrix-fed.tls.certresolver=letsencrypt
+ - traefik.http.routers.matrix-fed.service=matrix-fed
+ - traefik.http.services.matrix-fed.loadbalancer.server.port=8448
+
networks:
traefik:
external: true
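Review bot: `Path(...)` in the blog router rule matches the request path exactly, so the added `/_matrix` and `/.well-known/matrix/` entries match only those two literal paths and not `/_matrix/client/v3/...` or `/.well-known/matrix/client`, which is what Matrix clients and servers actually request on 443; use `Path(`/security.txt`, `/.well-known/security.txt`) || PathPrefix(`/_matrix`, `/.well-known/matrix/`)` so that traffic reaches nginx. The path matchers are OR-ed with `Host()`, so they apply on any hostname that reaches this entrypoint, including `matrix.pim.kunis.nl`; presumably intended, but worth a comment in the template. Port 8448 is also written literally in four places (here, the Traefik compose, `traefik.toml.j2` and `nginx.conf.j2`); the file already uses `{{ traefik_api_port }}`-style variables, so a `matrix_federation_port` variable would keep them in step.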
diff --git a/ansible/roles/static/templates/nginx.conf.j2 b/roles/static/templates/nginx.conf.j2
similarity index 52%
rename from ansible/roles/static/templates/nginx.conf.j2
rename to roles/static/templates/nginx.conf.j2
index 10a84d1..e626efd 100644
--- a/ansible/roles/static/templates/nginx.conf.j2
+++ b/roles/static/templates/nginx.conf.j2
@@ -10,6 +10,31 @@ server {
}
}
+server {
+ # For the federation port
+ listen 8448 http2 default_server;
+ listen [::]:8448 http2 default_server;
+
+ server_name matrix.pim.kunis.nl;
+
+ location ~ ^(/_matrix|/_synapse/client) {
+ # note: do not add a path (even a single /) after the port in `proxy_pass`,
+ # otherwise nginx will canonicalise the URI and cause signature verification
+ # errors.
+ proxy_pass http://host.docker.internal:{{ internal_matrix_port }};
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+
+ # Nginx by default only allows file uploads up to 1M in size
+ # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+ client_max_body_size 50M;
+
+ # Synapse responses may be chunked, which is an HTTP/1.1 feature.
+ proxy_http_version 1.1;
+ }
+}
+
server {
listen 80;
server_name {{ domain_name_pim }};
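Review bot: `proxy_set_header X-Forwarded-For $remote_addr;` in the new federation block overwrites the header with nginx's peer address, which here is Traefik (TLS is terminated there and forwarded over the docker network), so Synapse would attribute every federation and client request to the proxy; `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` keeps Traefik's value, paired with `x_forwarded: true` on the Synapse listener so it trusts the chain. Likewise `X-Forwarded-Proto $scheme` evaluates to `http` on this plaintext listener although the client connected over TLS; forwarding `$http_x_forwarded_proto` from Traefik (or hard-coding `https` if only Traefik can reach 8448) keeps Synapse's generated URLs correct. `listen 8448 http2` without `ssl` enables h2c on a plaintext port, which is harmless since Traefik speaks HTTP/1.1 to plain `http://` backends, but the `http2` listen parameter is deprecated in recent nginx in favour of `http2 on;`; the image version is not in the diff, so treat that as a check rather than a defect.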
diff --git a/ansible/roles/static/vars/main.yml b/roles/static/vars/main.yml
similarity index 51%
rename from ansible/roles/static/vars/main.yml
rename to roles/static/vars/main.yml
index 912dd02..8838234 100644
--- a/ansible/roles/static/vars/main.yml
+++ b/roles/static/vars/main.yml
@@ -1,3 +1,3 @@
service_name: static
service_dir: "{{ base_service_dir }}/{{ service_name }}"
-git_origin: "http://git.pim.kunis.nl/pim/static.git"
+git_origin: "http://localhost:{{ internal_forgejo_port }}/pim/static.git"
diff --git a/ansible/roles/syncthing/files/cert.pem b/roles/syncthing/files/cert.pem
similarity index 100%
rename from ansible/roles/syncthing/files/cert.pem
rename to roles/syncthing/files/cert.pem
diff --git a/ansible/roles/syncthing/files/key.pem b/roles/syncthing/files/key.pem
similarity index 100%
rename from ansible/roles/syncthing/files/key.pem
rename to roles/syncthing/files/key.pem
diff --git a/ansible/roles/kms/meta/main.yml b/roles/syncthing/meta/main.yml
similarity index 64%
rename from ansible/roles/kms/meta/main.yml
rename to roles/syncthing/meta/main.yml
index 6ad37f8..090690b 100644
--- a/ansible/roles/kms/meta/main.yml
+++ b/roles/syncthing/meta/main.yml
@@ -1,2 +1,3 @@
dependencies:
+ - role: common
- role: docker
diff --git a/ansible/roles/syncthing/tasks/main.yml b/roles/syncthing/tasks/main.yml
similarity index 100%
rename from ansible/roles/syncthing/tasks/main.yml
rename to roles/syncthing/tasks/main.yml
diff --git a/ansible/roles/syncthing/templates/config.xml.j2 b/roles/syncthing/templates/config.xml.j2
similarity index 100%
rename from ansible/roles/syncthing/templates/config.xml.j2
rename to roles/syncthing/templates/config.xml.j2
diff --git a/ansible/roles/syncthing/templates/docker-compose.yml.j2 b/roles/syncthing/templates/docker-compose.yml.j2
similarity index 100%
rename from ansible/roles/syncthing/templates/docker-compose.yml.j2
rename to roles/syncthing/templates/docker-compose.yml.j2
diff --git a/ansible/roles/syncthing/vars/main.yml b/roles/syncthing/vars/main.yml
similarity index 100%
rename from ansible/roles/syncthing/vars/main.yml
rename to roles/syncthing/vars/main.yml
diff --git a/ansible/roles/traefik/files/services.toml b/roles/traefik/files/services.toml
similarity index 77%
rename from ansible/roles/traefik/files/services.toml
rename to roles/traefik/files/services.toml
index 6dbc3b5..ca5bb05 100644
--- a/ansible/roles/traefik/files/services.toml
+++ b/roles/traefik/files/services.toml
@@ -3,4 +3,4 @@
[http.services.esrom]
[http.services.esrom.loadBalancer]
[[http.services.esrom.loadBalancer.servers]]
- url = "http://esrom.dmz:80/"
+ url = "http://192.168.30.2:80/"
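Review bot: The backend moves from the name `esrom.dmz` to the literal `192.168.30.2` inside a file under `files/`, while the neighbouring Traefik configs are Jinja templates driven by `{{ }}` variables; keeping the address as a role variable in a `services.toml.j2` template would put it next to the other host-specific values and make later renames like `max.dmz` to `max.lan` one-place edits. The upstream stays plain HTTP as before, so nothing else changes in the exposure of this service.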
diff --git a/ansible/roles/prometheus/meta/main.yml b/roles/traefik/meta/main.yml
similarity index 64%
rename from ansible/roles/prometheus/meta/main.yml
rename to roles/traefik/meta/main.yml
index 6ad37f8..090690b 100644
--- a/ansible/roles/prometheus/meta/main.yml
+++ b/roles/traefik/meta/main.yml
@@ -1,2 +1,3 @@
dependencies:
+ - role: common
- role: docker
diff --git a/ansible/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml
similarity index 87%
rename from ansible/roles/traefik/tasks/main.yml
rename to roles/traefik/tasks/main.yml
index 0341de3..9ba3f0f 100644
--- a/ansible/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@@ -2,14 +2,10 @@
file:
path: "{{ service_dir }}"
state: directory
-- name: Create data directory
- file:
- path: "{{ data_dir }}"
- state: directory
- name: Create acme file
copy:
content: ""
- dest: "{{ data_dir }}/acme.json"
+ dest: "{{ service_dir }}/acme.json"
force: no
mode: 0600
- name: Copy Docker Compose script
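Review bot: Moving `acme.json` from `{{ data_dir }}` to `{{ service_dir }}` without a migration step means that on an already-provisioned host the `Create acme file` task writes a fresh empty file at the new path (`force: no` only protects a file that already exists there), so Traefik loses its ACME account and every issued certificate and re-requests all of them on the next start, which counts against Let's Encrypt rate limits. A one-off task that moves the old file when it exists (a `stat` on the old path followed by a guarded `command: mv`), or a documented manual move before running the role, avoids that. The old `{{ data_dir }}` directory is neither migrated nor removed, so on existing hosts a copy of the private keys lingers there; `mode: 0600` on the new file is preserved, which is right.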
diff --git a/ansible/roles/traefik/templates/docker-compose.yml.j2 b/roles/traefik/templates/docker-compose.yml.j2
similarity index 88%
rename from ansible/roles/traefik/templates/docker-compose.yml.j2
rename to roles/traefik/templates/docker-compose.yml.j2
index 6306437..6740d71 100644
--- a/ansible/roles/traefik/templates/docker-compose.yml.j2
+++ b/roles/traefik/templates/docker-compose.yml.j2
@@ -14,11 +14,12 @@ services:
- "80:80"
- "{{ git_ssh_port }}:{{ git_ssh_port }}"
- "{{ traefik_api_port }}:{{ traefik_api_port }}"
+ - "8448:8448"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- {{ service_dir }}/traefik.toml:/etc/traefik/traefik.toml
- {{ service_dir }}/services.toml:/etc/traefik/services.toml
- - {{ data_dir }}/acme.json:/acme.json
+ - {{ service_dir }}/acme.json:/acme.json
networks:
- traefik
labels:
@@ -30,6 +31,6 @@ services:
- traefik.http.routers.esrom.tls=true
- traefik.http.routers.esrom.tls.certresolver=letsencrypt
- - traefik.http.routers.traefik.rule=Host(`max.dmz`)
+ - traefik.http.routers.traefik.rule=Host(`max.lan`)
- traefik.http.routers.traefik.entrypoints=internal
- traefik.http.routers.traefik.service=api@internal
diff --git a/ansible/roles/traefik/templates/traefik.toml.j2 b/roles/traefik/templates/traefik.toml.j2
similarity index 94%
rename from ansible/roles/traefik/templates/traefik.toml.j2
rename to roles/traefik/templates/traefik.toml.j2
index 4f265c7..f3e592b 100644
--- a/ansible/roles/traefik/templates/traefik.toml.j2
+++ b/roles/traefik/templates/traefik.toml.j2
@@ -15,6 +15,8 @@ loglevel = "DEBUG"
address = ":{{ jitsi_videobridge_port }}/udp"
[entryPoints.internal]
address = ":{{ traefik_api_port }}"
+ [entryPoints.matrix]
+ address = ":8448"
[api]
insecure = false
diff --git a/ansible/roles/traefik/vars/main.yml b/roles/traefik/vars/main.yml
similarity index 60%
rename from ansible/roles/traefik/vars/main.yml
rename to roles/traefik/vars/main.yml
index 0569770..2e1116f 100644
--- a/ansible/roles/traefik/vars/main.yml
+++ b/roles/traefik/vars/main.yml
@@ -1,3 +1,2 @@
service_name: traefik
service_dir: "{{ base_service_dir }}/{{ service_name }}"
-data_dir: "{{ base_data_dir }}/{{ service_name }}"
diff --git a/ansible/roles/watchtower/files/docker-compose.yml b/roles/watchtower/files/docker-compose.yml
similarity index 58%
rename from ansible/roles/watchtower/files/docker-compose.yml
rename to roles/watchtower/files/docker-compose.yml
index 6811cf2..28f892e 100644
--- a/ansible/roles/watchtower/files/docker-compose.yml
+++ b/roles/watchtower/files/docker-compose.yml
@@ -4,5 +4,5 @@ services:
image: containrrr/watchtower
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- command: --schedule "0 0 4 * * *" --cleanup --include-stopped --no-startup-message
+ command: --schedule "0 0 4 * * *" --include-restarting --cleanup --include-stopped --no-startup-message
restart: always
diff --git a/roles/watchtower/meta/main.yml b/roles/watchtower/meta/main.yml
new file mode 100644
index 0000000..7f5b1d3
--- /dev/null
+++ b/roles/watchtower/meta/main.yml
@@ -0,0 +1,4 @@
+dependencies:
+ - role: common
+ - role: docker
+
\ No newline at end of file
diff --git a/ansible/roles/watchtower/tasks/main.yml b/roles/watchtower/tasks/main.yml
similarity index 100%
rename from ansible/roles/watchtower/tasks/main.yml
rename to roles/watchtower/tasks/main.yml
diff --git a/ansible/roles/watchtower/vars/main.yml b/roles/watchtower/vars/main.yml
similarity index 100%
rename from ansible/roles/watchtower/vars/main.yml
rename to roles/watchtower/vars/main.yml
diff --git a/terraform/main.tf b/terraform/main.tf
deleted file mode 100644
index 9239f9d..0000000
--- a/terraform/main.tf
+++ /dev/null
@@ -1,25 +0,0 @@
-terraform {
- backend "pg" {
- schema_name = "max"
- conn_str = "postgres://terraform@10.42.0.1/terraform_state"
- }
-
- required_providers {
- libvirt = {
- source = "dmacvicar/libvirt"
- }
- }
-}
-
-provider "libvirt" {
- uri = "qemu+ssh://root@atlas.hyp/system"
-}
-
-module "debian" {
- source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian"
- name = "max"
- domain_name = "tf-max"
- memory = 1024 * 8
- mac = "CA:FE:C0:FF:EE:03"
- disk_size = 1024 * 1024 * 1024 * 30
-}
diff --git a/ansible/util/secret-service-client.sh b/util/secret-service-client.sh
similarity index 84%
rename from ansible/util/secret-service-client.sh
rename to util/secret-service-client.sh
index cb1a98c..37c9a82 100755
--- a/ansible/util/secret-service-client.sh
+++ b/util/secret-service-client.sh
@@ -4,6 +4,7 @@ pass=`secret-tool lookup ansible_vault homeservers`
retval=$?
if [ $retval -ne 0 ]; then
+ echo Provide password:
read -s pass
fi
echo $pass