diff --git a/ansible/roles/podman/defaults/main.yml b/ansible/roles/podman/defaults/main.yml
index 7a4b779..3ab90a0 100644
--- a/ansible/roles/podman/defaults/main.yml
+++ b/ansible/roles/podman/defaults/main.yml
@@ -1,26 +1,28 @@
 ---
 bookstack_path: "{{ podman_volumes }}/bookstack"
+cloud_path: "{{ podman_volumes }}/cloud"
 drone_path: "{{ podman_volumes }}/drone"
 graylog_path: "{{ podman_volumes }}/graylog"
 hass_path: "{{ podman_volumes }}/hass"
 nginx_path: "{{ podman_volumes }}/nginx"
 partkeepr_path: "{{ podman_volumes }}/partkeepr"
-cloud_path: "{{ podman_volumes }}/cloud"
+photos_path: "{{ podman_volumes }}/photos"
 pihole_path: "{{ podman_volumes }}/pihole"
 drone_server_proto: "https"
 drone_runner_capacity: "4"
 # nginx and modsec configuration
-ci_server_name: ci.bdebyl.net
-pi_server_name: pi.bdebyl.net
 assistant_server_name: assistant.bdebyl.net
 bookstack_server_name: wiki.skudakrennsport.com
+ci_server_name: ci.bdebyl.net
 cloud_server_name: cloud.bdebyl.net
 home_server_name: home.bdebyl.net
-parts_server_name: parts.bdebyl.net
-video_server_name: video.bdebyl.net
 logs_server_name: logs.bdebyl.net
+parts_server_name: parts.bdebyl.net
+photos_server_name: photos.bdebyl.net
+pi_server_name: pi.bdebyl.net
+video_server_name: video.bdebyl.net
 nginx_conf_path: "{{ nginx_path }}/etc/conf"
 modsec_log_path: /var/log/nginx/modsec_audit.log
diff --git a/ansible/roles/podman/tasks/configuration-nginx-http.yml b/ansible/roles/podman/tasks/configuration-nginx-http.yml
index 212ceac..11bad1e 100644
--- a/ansible/roles/podman/tasks/configuration-nginx-http.yml
+++ b/ansible/roles/podman/tasks/configuration-nginx-http.yml
@@ -68,7 +68,7 @@
 - "{{ bookstack_server_name }}.conf"
 - "{{ video_server_name }}.conf"
 - "{{ parts_server_name }}.conf"
- - "{{ cloud_server_name }}.conf"
+ - "{{ photos_server_name }}.conf"
 - "{{ logs_server_name }}.conf"
 notify:
 - restorecon podman
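Review bot: `cloud_path` and `cloud_server_name` survive in this hunk (now alphabetised next to the new `photos_path` / `photos_server_name`) although every consumer visible in this commit — the `container-cloud.yml` task file, the `cloud.bdebyl.net` nginx templates, the certbot and nginx-config loops — is renamed to its photos equivalent. Unless another role still reads them, they are now dead defaults that keep a stale vhost name in play; either drop the two lines or put a comment above them such as `# retained for a future cloud service — not consumed by any task in this role` so the next reader knows they are intentional.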
@@ -87,7 +87,7 @@
 - "{{ ci_server_name }}.http.conf"
 - "{{ pi_server_name }}.conf"
 - "{{ parts_server_name }}.conf"
- - "{{ cloud_server_name }}.conf"
+ - "{{ photos_server_name }}.conf"
 - "{{ home_server_name }}.conf"
 - "{{ assistant_server_name }}.conf"
 - "{{ bookstack_server_name }}.conf"
diff --git a/ansible/roles/podman/tasks/configuration-nginx-https.yml b/ansible/roles/podman/tasks/configuration-nginx-https.yml
index 9f703a1..161fffc 100644
--- a/ansible/roles/podman/tasks/configuration-nginx-https.yml
+++ b/ansible/roles/podman/tasks/configuration-nginx-https.yml
@@ -36,7 +36,7 @@
 loop:
 - "{{ ci_server_name }}.https.conf"
 - "{{ parts_server_name }}.https.conf"
- - "{{ cloud_server_name }}.https.conf"
+ - "{{ photos_server_name }}.https.conf"
 - "{{ bookstack_server_name }}.https.conf"
 notify:
 - restorecon podman
@@ -54,7 +54,7 @@
 loop:
 - "{{ ci_server_name }}.https.conf"
 - "{{ parts_server_name }}.https.conf"
- - "{{ cloud_server_name }}.https.conf"
+ - "{{ photos_server_name }}.https.conf"
 - "{{ bookstack_server_name }}.https.conf"
 notify:
 - restorecon podman
diff --git a/ansible/roles/podman/tasks/container-cloud.yml b/ansible/roles/podman/tasks/container-photos.yml
similarity index 62%
rename from ansible/roles/podman/tasks/container-cloud.yml
rename to ansible/roles/podman/tasks/container-photos.yml
index 84a4237..a9f6c8a 100644
--- a/ansible/roles/podman/tasks/container-cloud.yml
+++ b/ansible/roles/podman/tasks/container-photos.yml
@@ -1,5 +1,5 @@
 ---
-- name: create required cloud volumes
+- name: create required photos volumes
 become: true
 ansible.builtin.file:
 path: "{{ item }}"
@@ -9,29 +9,29 @@
 mode: 0755
 notify: restorecon podman
 loop:
- - "{{ cloud_path }}/mysql"
- - "{{ cloud_path }}/storage"
- tags: cloud
+ - "{{ photos_path }}/mysql"
+ - "{{ photos_path }}/storage"
+ tags: photos
 - name: flush handlers
 ansible.builtin.meta: flush_handlers
- tags: cloud
+ tags: photos
-- name: mount cloud cifs
+- name: mount photos cifs
 become: true
 ansible.posix.mount:
- src: "{{ cloud_cifs_src }}"
- path: "{{ cloud_path }}/storage"
+ src: "{{ photos_cifs_src }}"
+ path: "{{ photos_path }}/storage"
 fstype: cifs
- opts: "username=cloud,password={{ cloud_cifs_pass }},uid={{ podman_subuid.stdout }},gid={{ podman_subuid.stdout }}"
+ opts: "username=photos,password={{ photos_cifs_pass }},uid={{ podman_subuid.stdout }},gid={{ podman_subuid.stdout }}"
 state: mounted
- tags: cloud
+ tags: photos
-- name: create cloud-db container
+- name: create photos-db container
 become: true
 become_user: "{{ podman_user }}"
 containers.podman.podman_container:
- name: cloud-db
+ name: photos-db
 image: docker.io/mariadb:10.8
 recreate: false
 restart: false
@@ -41,25 +41,25 @@
 - shared
 env:
 MARIADB_AUTO_UPGRADE: "1"
- MYSQL_RANDOM_ROOT_PASSWORD: "yes"
- MYSQL_DATABASE: cloud
- MYSQL_USER: cloud
- MYSQL_PASSWORD: "{{ cloud_db_pass }}"
+ MYSQL_ROOT_PASSWORD: "{{ photos_db_root_pass }}"
+ MYSQL_DATABASE: photos
+ MYSQL_USER: photos
+ MYSQL_PASSWORD: "{{ photos_db_pass }}"
 volumes:
- - "{{ cloud_path }}/mysql:/var/lib/mysql"
- tags: cloud
+ - "{{ photos_path }}/mysql:/var/lib/mysql"
+ tags: photos
-- name: create systemd startup job for cloud-db
+- name: create systemd startup job for photos-db
 include_tasks: systemd-generate.yml
 vars:
- container_name: cloud-db
- tags: cloud
+ container_name: photos-db
+ tags: photos
-- name: create cloud container
+- name: create photos container
 become: true
 become_user: "{{ podman_user }}"
 containers.podman.podman_container:
- name: cloud
+ name: photos
 image: docker.io/photoprism/photoprism:220901-bookworm
 recreate: false
 restart: false
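Review bot: Replacing `MYSQL_RANDOM_ROOT_PASSWORD: "yes"` with `MYSQL_ROOT_PASSWORD: "{{ photos_db_root_pass }}"` turns a throw-away root credential into a long-lived one injected as a container environment variable, while the application only ever connects as the `photos` user (see `PHOTOPRISM_DATABASE_USER` further down the file); if nothing in the role needs root on this database, the previous random-password setting was the tighter choice. If root access is genuinely required, the mariadb image also accepts the credential from a file (`MARIADB_ROOT_PASSWORD_FILE`), which podman can supply as a secret and keeps it out of the container's visible environment. Independently, this task renders `photos_db_root_pass` and `photos_db_pass` without `no_log: true`, so a verbose or failing run prints them; the same applies to the cifs `opts:` line in the hunk above, which embeds `photos_cifs_pass` in the mount options (a cifs `credentials=` file would avoid that). Note also that, as far as I recall, the image applies `MYSQL_ROOT_PASSWORD`/`MYSQL_DATABASE`/`MYSQL_USER` only when initialising an empty data directory: with the volume moving from `{{ cloud_path }}/mysql` to `{{ photos_path }}/mysql` and the database and user renamed, an existing data directory copied to the new path keeps its `cloud` schema and credentials and the `photos` container will not be able to connect.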
@@ -68,7 +68,7 @@
 network:
 - shared
 env:
- PHOTOPRISM_ADMIN_PASSWORD: "{{ cloud_user_pass }}"
+ PHOTOPRISM_ADMIN_PASSWORD: "{{ photos_user_pass }}"
 PHOTOPRISM_AUTH_MODE: "password"
 PHOTOPRISM_SITE_URL: "http://localhost:2342/"
 PHOTOPRISM_ORIGINALS_LIMIT: 5000
@@ -88,21 +88,21 @@
 PHOTOPRISM_DETECT_NSFW: "false"
 PHOTOPRISM_UPLOAD_NSFW: "true"
 PHOTOPRISM_DATABASE_DRIVER: "mysql"
- PHOTOPRISM_DATABASE_SERVER: "cloud-db:3306"
- PHOTOPRISM_DATABASE_NAME: "cloud"
- PHOTOPRISM_DATABASE_USER: "cloud"
- PHOTOPRISM_DATABASE_PASSWORD: "{{ cloud_db_pass }}"
+ PHOTOPRISM_DATABASE_SERVER: "photos-db:3306"
+ PHOTOPRISM_DATABASE_NAME: "photos"
+ PHOTOPRISM_DATABASE_USER: "photos"
+ PHOTOPRISM_DATABASE_PASSWORD: "{{ photos_db_pass }}"
 PHOTOPRISM_SITE_CAPTION: "AI-Powered Photos App"
 PHOTOPRISM_SITE_DESCRIPTION: ""
 PHOTOPRISM_SITE_AUTHOR: "Bastian D."
 volumes:
- - "{{ cloud_path }}/storage:/photoprism/"
+ - "{{ photos_path }}/storage:/photoprism/"
 ports:
 - "8088:2342"
- tags: cloud
+ tags: photos
-- name: create systemd startup job for cloud
+- name: create systemd startup job for photos
 include_tasks: systemd-generate.yml
 vars:
- container_name: cloud
- tags: cloud
+ container_name: photos
+ tags: photos
diff --git a/ansible/roles/podman/tasks/container-pihole.yml b/ansible/roles/podman/tasks/container-pihole.yml
index 0d24c00..6086ab5 100644
--- a/ansible/roles/podman/tasks/container-pihole.yml
+++ b/ansible/roles/podman/tasks/container-pihole.yml
@@ -4,8 +4,7 @@
 ansible.builtin.file:
 path: "{{ item }}"
 state: directory
- owner: "{{ podman_user }}"
- group: "{{ podman_user }}"
+ owner: "{{ podman_subuid.stdout }}"
 mode: 0755
 notify: restorecon podman
 loop:
diff --git a/ansible/roles/podman/tasks/firewall.yml b/ansible/roles/podman/tasks/firewall.yml
index b1cb4c8..894cfeb 100644
--- a/ansible/roles/podman/tasks/firewall.yml
+++ b/ansible/roles/podman/tasks/firewall.yml
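Review bot: In the `container-pihole.yml` hunk, dropping `group: "{{ podman_user }}"` while switching `owner` to `{{ podman_subuid.stdout }}` leaves the directories' group to whatever the creating account has — presumably root's primary group for freshly created paths if the task runs under `become: true` like the matching volume task in `container-photos.yml`, and the pre-existing group for paths that already exist — so the result differs between first and later runs. The cifs mount in `container-photos.yml` sets both `uid=` and `gid=` to `podman_subuid.stdout`; for a deterministic, consistent outcome add `group: "{{ podman_subuid.stdout }}"` here as well, or leave a comment stating why group ownership is intentionally left untouched. The task's `name:` and `become:` lines lie above this hunk, so the privilege context is inferred rather than visible.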
@@ -20,3 +20,20 @@
 - 80/tcp
 notify: restart firewalld
 tags: firewall
+
+- name: unset non-required podman firewall rules
+ become: true
+ ansible.posix.firewalld:
+ port: "{{ item }}"
+ permanent: true
+ immediate: true
+ zone: "public"
+ state: disabled
+ loop:
+ - 9093/tcp
+ - 9092/tcp
+ - 9091/tcp
+ - 9091/udp
+ - 9092/udp
+ notify: restart firewalld
+ tags: firewall
diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml
index 6032ceb..03a945f 100644
--- a/ansible/roles/podman/tasks/main.yml
+++ b/ansible/roles/podman/tasks/main.yml
@@ -9,5 +9,5 @@
 - import_tasks: container-graylog.yml
 - import_tasks: container-pihole.yml
 - import_tasks: container-bookstack.yml
-- import_tasks: container-cloud.yml
+- import_tasks: container-photos.yml
 - import_tasks: container-nginx.yml
diff --git a/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/photos.bdebyl.net.conf.j2
similarity index 74%
rename from ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.conf.j2
rename to ansible/roles/podman/templates/nginx/sites/photos.bdebyl.net.conf.j2
index 73e6b18..8b05e6b 100644
--- a/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/photos.bdebyl.net.conf.j2
@@ -1,14 +1,9 @@
-geo $whitelisted {
- default 0;
- 192.168.1.0/24 1;
-}
-
 server {
 modsecurity on;
 modsecurity_rules_file /etc/nginx/modsec_includes.conf;
 listen 80;
- server_name {{ cloud_server_name }};
+ server_name {{ photos_server_name }};
 location '/.well-known/acme-challenge' {
 default_type "text/plain";
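Review bot: The new `unset non-required podman firewall rules` task closes `9091`–`9093` without recording what used to listen there, so a reader cannot tell whether these belong to the removed cloud service or to something else, nor when the task itself can be retired once every host has converged. A comment above the loop such as `# ports formerly opened for <retired service — TODO name it>; drop this task once no host still has them enabled` would make the intent auditable, and listing the entries in a consistent order (`9091/tcp`, `9091/udp`, `9092/tcp`, `9092/udp`, `9093/tcp`) makes the set easier to check against the enabling task above. With `permanent: true` and `immediate: true` the change is already applied to the running firewall, so `notify: restart firewalld` is redundant for this task; keeping it matches the enabling task, but a reload handler would avoid a full daemon restart on every change.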
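Review bot: The hunk in `photos.bdebyl.net.conf.j2` deletes the `geo $whitelisted` map (the `192.168.1.0/24` allow-list), but the rest of the server block lies outside the hunk; if any remaining directive still tests `$whitelisted`, nginx rejects the rendered configuration with an unknown-variable error, so the template output should be validated with `nginx -t` before the restart handler fires. If those references were removed as well, the photos vhost is no longer restricted to the LAN and relies solely on PhotoPrism's own login (`PHOTOPRISM_AUTH_MODE: "password"` in the container task); if that exposure is intended, a one-line comment at the top of the template, e.g. `# intentionally reachable from any source; access control is PhotoPrism's password login`, would stop the next reviewer from re-adding the map. The same deletion appears in the first hunk of `photos.bdebyl.net.https.conf.j2`, where it applies equally.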
diff --git a/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/photos.bdebyl.net.https.conf.j2
similarity index 81%
rename from ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.https.conf.j2
rename to ansible/roles/podman/templates/nginx/sites/photos.bdebyl.net.https.conf.j2
index bc6e1ed..720523f 100644
--- a/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.https.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/photos.bdebyl.net.https.conf.j2
@@ -1,9 +1,4 @@
-geo $whitelisted {
- default 0;
- 192.168.1.0/24 1;
-}
-
-upstream cloud {
+upstream photos {
 server 127.0.0.1:8088;
 }
@@ -14,12 +9,12 @@ server {
 resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s;
 listen 443 ssl http2;
- server_name {{ cloud_server_name }};
+ server_name {{ photos_server_name }};
 client_max_body_size 500M;
- ssl_certificate /etc/letsencrypt/live/{{ cloud_server_name }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/{{ cloud_server_name }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/{{ cloud_server_name }}/fullchain.pem;
+ ssl_certificate /etc/letsencrypt/live/{{ photos_server_name }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ photos_server_name }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ photos_server_name }}/fullchain.pem;
 ssl_dhparam /etc/nginx/ssl/dhparam.pem;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
@@ -42,6 +37,6 @@ server {
 proxy_buffering off;
 proxy_http_version 1.1;
- proxy_pass http://cloud;
+ proxy_pass http://photos;
 }
 }
\ No newline at end of file
diff --git a/ansible/roles/ssl/tasks/certbot.yml b/ansible/roles/ssl/tasks/certbot.yml
index 1ea298f..fb7c54e 100644
--- a/ansible/roles/ssl/tasks/certbot.yml
+++ b/ansible/roles/ssl/tasks/certbot.yml
@@ -10,7 +10,7 @@
 loop:
 - "{{ bookstack_server_name }}"
 - "{{ ci_server_name }}"
- - "{{ cloud_server_name }}"
+ - "{{ photos_server_name }}"
 - "{{ parts_server_name }}"
 tags: ssl
diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml
index fd36954..1ff343b 100644
Binary files a/ansible/vars/vault.yml and b/ansible/vars/vault.yml differ