♻️ (services): Each service has its own Ansible role
theobori committed Apr 30, 2024
1 parent cc565bb commit 487b492
Showing 64 changed files with 511 additions and 425 deletions.
2 changes: 1 addition & 1 deletion .ansible-lint-ignore
Original file line number Diff line number Diff line change
@@ -2,4 +2,4 @@ main.yml name[play]
roles/magic/tasks/backup.yml no-changed-when
roles/magic/tasks/base.yml latest[git]
roles/magic/tasks/base.yml no-changed-when
roles/tor/tasks/main.yml no-changed-when
roles/service/tasks/main.yml no-changed-when
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
@@ -75,7 +75,7 @@ And then add a rule for `ufw` that allow you SSH connections.
- **`knockd_opts`**: knockd CLI arguments used by the service

#### Domain
- **`fqdn`**: The server FQDN, must be formatted as "domain.tld"
- **`domain`**: The server domain, must be formatted as "domain.tld"

#### Etherpad
- **`etherpad_db_user`**: Etherpad database username (should be encrypted)
1 change: 1 addition & 0 deletions group_vars/all/directory.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
base_dir: /usr/local/services
2 changes: 1 addition & 1 deletion group_vars/all/domain.yml
Original file line number Diff line number Diff line change
@@ -1 +1 @@
fqdn: theobori.cafe
domain: theobori.cafe
2 changes: 1 addition & 1 deletion group_vars/all/tor.yml
Original file line number Diff line number Diff line change
@@ -1 +1 @@
tor_unix_socket: unix:/var/run/{{ fqdn }}.sock
tor_unix_socket: unix:/var/run/{{ domain }}.sock
209 changes: 105 additions & 104 deletions main.yml
Original file line number Diff line number Diff line change
@@ -2,117 +2,118 @@
- hosts: all
become: true
roles:
- role: base
tags: base

- role: nickjj.docker
tags: ["docker"]
docker__users: [
"{{ ansible_ssh_user }}"
]
ignore_errors: true

- role: weareinteractive.ufw
tags: ufw
ufw_enabled: true
ufw_packages: ["ufw"]
ufw_rules:
- logging: "full"
- rule: allow
to_port: '443'
- rule: allow
to_port: '80'
- rule: allow
to_port: '25'
- rule: allow
to_port: '110'
- rule: allow
to_port: '143'
- rule: allow
to_port: '465'
- rule: allow
to_port: '587'
- rule: allow
to_port: '993'
# Gitea SSH exception
- rule: allow
to_port: '22'
- rule: allow
to_port: '995'
- rule: allow
to_port: '4190'
proto: tcp
# Delete default rule
- rule: allow
name: Anywhere
delete: true
ufw_manage_config: true
ufw_config:
IPV6: "true"
DEFAULT_INPUT_POLICY: DROP
DEFAULT_OUTPUT_POLICY: ACCEPT
DEFAULT_FORWARD_POLICY: DROP
DEFAULT_APPLICATION_POLICY: SKIP
MANAGE_BUILTINS: "no"
IPT_SYSCTL: /etc/ufw/sysctl.conf
IPT_MODULES: ""

- role: shell
tags: shell

- role: profile
tags: profile

- role: geerlingguy.certbot
tags: certbot
vars:
certbot_install_method: package
certbot_auto_renew: true
certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}"
certbot_auto_renew_hour: "3"
certbot_auto_renew_minute: "30"
certbot_create_if_missing: true
certbot_admin_email: nagi@tilde.team

certbot_certs:
- domains:
- mail.{{ fqdn }}
- domains:
- news.{{ fqdn }}
- domains:
- cringe.{{ fqdn }}
- domains:
- status.{{ fqdn }}
- domains:
- search.{{ fqdn }}
- domains:
- etherpad.{{ fqdn }}
- domains:
- cloud.{{ fqdn }}
- domains:
- password.{{ fqdn }}
- domains:
- services.{{ fqdn }}
- domains:
- bin.{{ fqdn }}
- domains:
- books.{{ fqdn }}
- domains:
- "{{ fqdn }}"
- www.{{ fqdn }}

- role: services
tags: services

- role: magic
tags: magic
# - role: base
# tags: base

# - role: nickjj.docker
# tags: ["docker"]
# docker__users: [
# "{{ ansible_ssh_user }}"
# ]
# ignore_errors: true

# - role: weareinteractive.ufw
# tags: ufw
# ufw_enabled: true
# ufw_packages: ["ufw"]
# ufw_rules:
# - logging: "full"
# - rule: allow
# to_port: '443'
# - rule: allow
# to_port: '80'
# - rule: allow
# to_port: '25'
# - rule: allow
# to_port: '110'
# - rule: allow
# to_port: '143'
# - rule: allow
# to_port: '465'
# - rule: allow
# to_port: '587'
# - rule: allow
# to_port: '993'
# # Gitea SSH exception
# - rule: allow
# to_port: '22'
# - rule: allow
# to_port: '995'
# - rule: allow
# to_port: '4190'
# proto: tcp
# # Delete default rule
# - rule: allow
# name: Anywhere
# delete: true
# ufw_manage_config: true
# ufw_config:
# IPV6: "true"
# DEFAULT_INPUT_POLICY: DROP
# DEFAULT_OUTPUT_POLICY: ACCEPT
# DEFAULT_FORWARD_POLICY: DROP
# DEFAULT_APPLICATION_POLICY: SKIP
# MANAGE_BUILTINS: "no"
# IPT_SYSCTL: /etc/ufw/sysctl.conf
# IPT_MODULES: ""

# - role: shell
# tags: shell

# - role: profile
# tags: profile

# - role: magic
# tags: magic

- role: nginx
tags: nginx

- role: tor
tags: tor

- role: calibre_web
tags: calibre_web

- role: duplicati

Check failure on line 78 in main.yml

GitHub Actions / Ansible Lint

syntax-check[specific]

the role 'duplicati' was not found in /home/runner/work/ansible-playbook/ansible-playbook/roles:/home/runner/.cache/ansible-compat/315b30/roles:/home/runner/work/ansible-playbook/ansible-playbook/roles:/home/runner/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:/home/runner/work/ansible-playbook/ansible-playbook
tags: duplicati

- role: etherpad
tags: etherpad

- role: gitea
tags: gitea

- role: etherpad
tags: etherpad

- role: nextcloud
tags: nextcloud

- role: personal_website
tags: personal_website

- role: private_bin
tags: private_bin

- role: proxitok
tags: proxitok

- role: searxng
tags: searxng

- role: personal_services
tags: personal_services

- role: ssp
tags: ssp

- role: tt_rss
tags: tt_rss

- role: uptime_kuma
tags: uptime_kuma

- role: vitalk.secure-ssh
tags: ssh
ssh_user: "{{ ansible_ssh_user }}"
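Review bot: The firewall role is commented out rather than moved: the `weareinteractive.ufw` stanza with `DEFAULT_INPUT_POLICY: DROP` and the per-port allows now sits in the disabled block together with `base`, `nickjj.docker`, `shell`, `profile` and `magic`, so the play as committed no longer enforces any of those rules while the per-service roles that follow still publish ports through nginx. If this is a transitional state, say so at the top of the disabled block, e.g. `# TODO: ufw/docker/base roles disabled pending migration into the service role`; otherwise restore them or drop the dead block, since a commented-out firewall is easy to forget. The role list also contains `- role: etherpad` twice (once after duplicati and again after gitea), and the CI annotation reports that the `duplicati` role does not exist under roles/, so the syntax check fails on this revision.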
Original file line number Diff line number Diff line change
@@ -26,4 +26,4 @@ services:
- ldap_net
ports:
- 127.0.0.1:8083:8083
restart: always
restart: unless-stopped
12 changes: 12 additions & 0 deletions roles/calibre_web/tasks/main.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
- name: Include service role
ansible.builtin.include_role:
name: "service"
vars:
service_name: "calibre-web"
service_fqdn: "books.{{ domain }}"
service_nginx_port: "8083"
service_certbot: true
service_nginx: true
service_tor: true
service_docker_compose: true
service_systemd_service: true
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
server {
include listen-443;
server_name {{ item.name }};
server_name {{ server_name }};

include ssl_params;
ssl_certificate /etc/letsencrypt/live/{{ item.name }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ item.name }}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/{{ server_name }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ server_name }}/privkey.pem;

client_max_body_size 20M;

@@ -13,6 +13,6 @@ server {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;

proxy_pass http://localhost:{{ item.port }}/;
proxy_pass http://localhost:{{ server_port }}/;
}
}
File renamed without changes.
18 changes: 18 additions & 0 deletions roles/etherpad/tasks/main.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
- name: Include service role
ansible.builtin.include_role:
name: "service"
vars:
service_name: "etherpad"
service_fqdn: "etherpad.{{ domain }}"
service_nginx_port: "9001"
service_certbot: true
service_nginx: true
service_tor: true
service_docker_compose: true
service_systemd_service: true

- name: Copy etherpad environment files
ansible.builtin.template:
src: ".env.j2"
dest: "{{ base_dir }}/etherpad/.env"
mode: "0640"
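Review bot: The `Copy etherpad environment files` task renders `etherpad_db_password` and `etherpad_admin_password` into `.env`, so a run with `--diff` prints those values in the controller output; add `no_log: true` to the task. The same applies to the `Copy ldap environment files` task in roles/ldap/tasks/main.yml, which renders `ldap_admin_password`. `mode: "0640"` without `owner`/`group` leaves the file owned by whatever user `become` resolves to — presumably root given `become: true` in main.yml — which is fine if compose runs as root, but worth stating in a comment so the restriction is deliberate rather than incidental.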
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
POSTGRES_PASSWORD={{ etherpad_db_password }}
POSTGRES_USER={{ etherpad_db_user }}
DEFAULT_PAD_TEXT={{ fqdn }} notepad
TITLE={{ fqdn }}
DEFAULT_PAD_TEXT={{ domain }} notepad
TITLE={{ domain }}
ADMIN_PASSWORD={{ etherpad_admin_password }}
POSTGRES_DB=etherpad
Original file line number Diff line number Diff line change
@@ -1,16 +1,16 @@
server {
include listen-443;
server_name {{ item.name }};
server_name {{ server_name }};

include ssl_params;
ssl_certificate /etc/letsencrypt/live/{{ item.name }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ item.name }}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/{{ server_name }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ server_name }}/privkey.pem;

include header_params;
add_header Content-Security-Policy "default-src 'none'; frame-src 'self'; img-src 'self' data:; connect-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; script-src-elem 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-hashes' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-13Xtc89MSfsDPErm3syFx70NQqw9DB0exK2LYLR9Bes=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; object-src 'self'";

location / {
include proxy_params;
proxy_pass http://localhost:{{ item.port }}/;
proxy_pass http://localhost:{{ server_port }}/;
}
}
File renamed without changes.
20 changes: 20 additions & 0 deletions roles/gitea/tasks/main.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
- name: Include service role
ansible.builtin.include_role:
name: "service"
vars:
service_name: "gitea"
service_fqdn: "git.{{ domain }}"
service_nginx_port: "3002"
service_docker_compose: true
service_systemd_service: true
service_certbot: true
service_nginx: true
service_tor: true

- name: Create the Gitea log directory if not exists
ansible.builtin.file:
path: /usr/local/services/gitea/log
state: directory
owner: "1000"
group: "1000"
mode: "0755"
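Review bot: The log directory path is hard-coded as `/usr/local/services/gitea/log` while this same commit introduces `base_dir: /usr/local/services` in group_vars/all/directory.yml and the etherpad and ldap tasks already build their paths from `{{ base_dir }}`; use `path: "{{ base_dir }}/gitea/log"` so the two cannot drift. `owner: "1000"` / `group: "1000"` hard-codes a numeric id with no explanation; a one-line comment such as `# uid/gid the gitea container runs as — keep in sync with the compose file` would tell the next reader why it is not the Ansible user (I am inferring that reason from the directory's purpose, so confirm it).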
File renamed without changes.
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
server {
include listen-443;
server_name {{ item.name }};
server_name {{ server_name }};

include ssl_params;
ssl_certificate /etc/letsencrypt/live/{{ item.name }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ item.name }}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/{{ server_name }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ server_name }}/privkey.pem;

add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; manifest-src 'self' data:; style-src 'self' 'unsafe-inline'; style-src-elem 'self'; script-src-elem 'self' 'unsafe-inline'; font-src data:; form-action 'self'; img-src 'self' data: https:; script-src 'self'; worker-src 'self'";
add_header Strict-Transport-Security "max-age=63072000" always;
@@ -17,6 +17,6 @@ server {
include proxy_params;
proxy_set_header X-Real-IP $remote_addr;

proxy_pass http://localhost:{{ item.port }}/;
proxy_pass http://localhost:{{ server_port }}/;
}
}
File renamed without changes.
13 changes: 13 additions & 0 deletions roles/ldap/tasks/main.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
- name: Include service role
ansible.builtin.include_role:
name: "service"
vars:
service_docker_compose: true
service_systemd_service: true
service_name: "ldap"

- name: Copy ldap environment files
ansible.builtin.template:
src: ".env.j2"
dest: "{{ base_dir }}/ldap/.env"
mode: "0640"
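Review bot: This new role is not referenced from main.yml's role list in this commit (nginx, tor, calibre_web, …, uptime_kuma, vitalk.secure-ssh), yet the calibre-web compose file in this diff joins `ldap_net`; unless `ldap` is pulled in elsewhere (a `meta/main.yml` dependency not shown here), the LDAP service is never deployed and services depending on that network will not start. Only `service_docker_compose` and `service_systemd_service` are set, so the include relies on the shared `service` role defaulting `service_certbot`, `service_nginx` and `service_tor` to false — those defaults are not in the diff, so confirm they exist rather than leaving the variables undefined.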
3 changes: 3 additions & 0 deletions roles/ldap/templates/.env.j2
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
LDAP_BASE_DN="dc={{ domain | split('.') | first }},dc={{ domain | split('.') | last }}"
LDAP_DOMAIN="{{ domain }}"
LDAP_ADMIN_PASSWORD="{{ ldap_admin_password }}"
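Review bot: `LDAP_BASE_DN` is built from only the first and last labels of `domain`, so a multi-label domain such as `sub.example.org` (constructed example) would render `dc=sub,dc=org` and silently drop the middle label; `LDAP_BASE_DN="dc={{ domain | split('.') | join(',dc=') }}"` handles any number of labels and gives the same result for two-label domains. The values are wrapped in double quotes, which docker compose strips, but an admin password containing `"` would break the line — a short comment noting that constraint on `ldap_admin_password`, or a check in the role, would prevent a confusing startup failure.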