diff --git a/ansible/inventories/home/hosts.yml b/ansible/inventories/home/hosts.yml
index 51a3845..2f68427 100644
--- a/ansible/inventories/home/hosts.yml
+++ b/ansible/inventories/home/hosts.yml
@@ -1,5 +1,5 @@
 ---
 all:
 hosts:
- home.bdebyl.net:
+ galactica.lan:
 ansible_user: fedora
diff --git a/ansible/roles/podman/defaults/main.yml b/ansible/roles/podman/defaults/main.yml
index 3ab90a0..478d6ad 100644
--- a/ansible/roles/podman/defaults/main.yml
+++ b/ansible/roles/podman/defaults/main.yml
@@ -9,8 +9,8 @@ partkeepr_path: "{{ podman_volumes }}/partkeepr"
 photos_path: "{{ podman_volumes }}/photos"
 pihole_path: "{{ podman_volumes }}/pihole"
-drone_server_proto: "https"
-drone_runner_capacity: "4"
+drone_server_proto: "http"
+drone_runner_capacity: "8"
 # nginx and modsec configuration
 assistant_server_name: assistant.bdebyl.net
@@ -36,10 +36,10 @@ crs_path: "{{ install_path }}/coreruleset"
 crs_rules_path: "{{ crs_path }}/rules"
 modsec_whitelist_local_re: >-
- ^SecRule.*REMOTE_ADDR.*192\.168\.1\.1/24.*$
+ ^SecRule.*REMOTE_ADDR.*192\.168\.0\.0/16.*$
 modsec_whitelist_local: >-
- SecRule REMOTE_ADDR "@ipMatch 192.168.1.1/24"
+ SecRule REMOTE_ADDR "@ipMatch 192.168.0.0/16"
 "id:1,phase:1,nolog,allow,ctl:ruleEngine=Off"
 modsec_git_urls:
diff --git a/ansible/roles/podman/tasks/container-drone.yml b/ansible/roles/podman/tasks/container-drone.yml
index 5aa306d..04300f4 100644
--- a/ansible/roles/podman/tasks/container-drone.yml
+++ b/ansible/roles/podman/tasks/container-drone.yml
@@ -26,6 +26,8 @@
 restart: true
 restart_policy: on-failure
 log_driver: journald
+ network: - shared
 env:
 DRONE_LOGS_DEBUG: "false"
 DRONE_RPC_DEBUG: "false"
@@ -57,9 +59,11 @@
 restart: true
 restart_policy: on-failure
 log_driver: journald
+ network: - shared
 env:
 DRONE_RPC_SECRET: "{{ drone_rpc_secret }}"
- DRONE_RPC_HOST: "{{ ci_server_name }}"
+ DRONE_RPC_HOST: "drone"
 DRONE_RPC_PROTO: "{{ drone_server_proto }}"
 DRONE_RUNNER_CAPACITY: "{{ drone_runner_capacity }}"
 volumes:
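Review bot: Switching `drone_server_proto` to `"http"` in the defaults hunk reaches further than the runner-to-server link if the same variable also populates the server container's `DRONE_SERVER_PROTO` (not visible in this diff); within these hunks it only feeds `DRONE_RPC_PROTO` in container-drone.yml. Because the runner now addresses the server by container name on the `shared` network, plaintext RPC there is a deliberate trade-off, but it means `DRONE_RPC_SECRET` crosses that network unencrypted and any container attached to it can observe or answer for `drone`. Keeping the two concerns apart with a dedicated `drone_rpc_proto: "http"` next to an unchanged `drone_server_proto: "https"`, plus a comment such as `# runner RPC stays on the internal podman network; externally generated URLs keep https`, records the intent. The `drone_runner_capacity` change to `"8"` is plain tuning.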
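Review bot: The second defaults hunk now turns the ModSecurity engine off (`ctl:ruleEngine=Off`) for every source in 192.168.0.0/16 instead of one /24, so any host that lands anywhere in that range — another VLAN, a guest or IoT segment, a mis-addressed device — bypasses the WAF entirely; if only a few subnets are actually in use, listing them is safer than the whole /16. The same CIDR is written by hand in both `modsec_whitelist_local_re` and `modsec_whitelist_local` and again in nine nginx templates in this commit, which invites the next change to miss one; a single default like `local_cidr: "192.168.0.0/16"` rendered as `{{ local_cidr }}` in the rule and `{{ local_cidr | regex_escape }}` in the regex keeps the policy in one place. A comment above the rule stating that it disables the engine rather than merely allowing the request would also help, since "whitelist" undersells what `ruleEngine=Off` does.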
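Review bot: `DRONE_RPC_HOST: "drone"` in the second container-drone.yml hunk hard-codes the server container's name while every neighbouring value is templated; if the server task's `name:` (outside these hunks) is ever renamed, the runner fails to connect with no hint in the role defaults. A `drone_rpc_host` default, or reusing whatever variable names the server container, keeps that coupling visible, e.g. `DRONE_RPC_HOST: "{{ drone_rpc_host }}"`. Attaching both containers to the `shared` network — the first hunk does the same for the server — also makes the server's RPC endpoint reachable from every other container on that network rather than only via nginx, so it is worth confirming that `DRONE_RPC_SECRET` is meant to be the sole gate there. Both task definitions begin above the hunks, so the container names and published ports are not visible here.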
diff --git a/ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.conf.j2
index 61269ef..83cfb1c 100644
--- a/ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.conf.j2
@@ -2,7 +2,7 @@ upstream hass {
 server 127.0.0.1:8123;
 }
 server {
- resolver 192.168.1.12 ipv6=off;
+ resolver 192.168.2.10 ipv6=off;
 modsecurity on;
 modsecurity_rules_file /etc/nginx/modsec_includes.conf;
@@ -10,7 +10,7 @@ server {
 server_name {{ assistant_server_name }};
 location / {
- allow 192.168.1.0/24;
+ allow 192.168.0.0/16;
 allow 127.0.0.1;
 deny all;
diff --git a/ansible/roles/podman/templates/nginx/sites/ci.bdebyl.net.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
index 6dd30d5..968f070 100644
--- a/ansible/roles/podman/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
@@ -4,7 +4,7 @@ upstream drone {
 geo $local_access {
 default 0;
- 192.168.1.1 1;
+ 192.168.2.1 1;
 }
 server {
diff --git a/ansible/roles/podman/templates/nginx/sites/home.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/home.bdebyl.net.conf.j2
index 3c431a2..faefeaf 100644
--- a/ansible/roles/podman/templates/nginx/sites/home.bdebyl.net.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/home.bdebyl.net.conf.j2
@@ -1,6 +1,6 @@
 geo $whitelisted {
 default 0;
- 192.168.1.0/24 1;
+ 192.168.0.0/16 1;
 }
 server {
@@ -16,4 +16,4 @@ server {
 if ($whitelisted = 0) {
 return 302 $scheme://bdebyl.net$request_uri;
 }
-}
\ No newline at end of file
+}
diff --git a/ansible/roles/podman/templates/nginx/sites/logs.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/logs.bdebyl.net.conf.j2
index 508a3fa..a65077e 100644
--- a/ansible/roles/podman/templates/nginx/sites/logs.bdebyl.net.conf.j2
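Review bot: `allow 192.168.0.0/16;` in the second assistant hunk — and the same literal in the `geo` blocks and `allow` lines of home, logs, parts, parts.https, pi and video — opens the local-only paths to the entire 192.168/16 rather than the segment the proxy actually serves, so a guest or IoT VLAN anywhere in that range would now reach Home Assistant, Pi-hole and Graylog and, via the matching modsec rule, skip the WAF. This commit had to edit that CIDR in nine nginx templates, which is how one of them gets missed next time; a single role default such as `local_cidr` rendered as `allow {{ local_cidr }};` and `{{ local_cidr }} 1;` keeps the policy in one place and lets it be narrowed to the real subnets once. The `resolver 192.168.2.10 ipv6=off;` change in the first hunk is a straightforward address move, but the `server {` block it belongs to continues outside the hunk, so what the resolver is used for is not visible here.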
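Review bot: `192.168.2.1 1;` leaves `$local_access` for the CI site pinned to a single host while every other template in this commit widens to `192.168.0.0/16`; if only the gateway is meant to count as local here, a comment on that line such as `# intentionally a single host, not the local CIDR used by the other sites` stops the next sweep from "fixing" it, and if it is an oversight it should follow the others. What `$local_access` gates for this site is in the `server {` block outside the hunk, so I cannot tell from here which reading is right.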
+++ b/ansible/roles/podman/templates/nginx/sites/logs.bdebyl.net.conf.j2
@@ -4,7 +4,7 @@ upstream graylog {
 geo $local_access {
 default 0;
- 192.168.1.0/24 1;
+ 192.168.0.0/16 1;
 }
 server {
@@ -18,7 +18,7 @@ server {
 if ($local_access = 1) {
 access_log off;
 }
- allow 192.168.1.0/24;
+ allow 192.168.0.0/16;
 allow 127.0.0.1;
 deny all;
@@ -29,4 +29,4 @@ server {
 proxy_buffering off;
 proxy_pass http://graylog;
 }
-}
\ No newline at end of file
+}
diff --git a/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.conf.j2
index c610646..8a93c5e 100644
--- a/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.conf.j2
@@ -1,6 +1,6 @@
 geo $whitelisted {
 default 0;
- 192.168.1.0/24 1;
+ 192.168.0.0/16 1;
 }
 server {
@@ -18,4 +18,4 @@ server {
 location / {
 return 302 https://$host$request_uri;
 }
-}
\ No newline at end of file
+}
diff --git a/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.https.conf.j2
index 93684d2..9acc75d 100644
--- a/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.https.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.https.conf.j2
@@ -1,6 +1,6 @@
 geo $whitelisted {
 default 0;
- 192.168.1.0/24 1;
+ 192.168.0.0/16 1;
 }
 upstream partkeepr {
@@ -54,4 +54,4 @@ server {
 chunked_transfer_encoding off;
 }
-}
\ No newline at end of file
+}
diff --git a/ansible/roles/podman/templates/nginx/sites/pi.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/pi.bdebyl.net.conf.j2
index 045f4a9..156e11a 100644
--- a/ansible/roles/podman/templates/nginx/sites/pi.bdebyl.net.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/pi.bdebyl.net.conf.j2
@@ -4,7 +4,7 @@ upstream pihole {
 geo $local_access {
 default 0;
- 192.168.1.0/24 1;
+ 192.168.0.0/16 1;
 }
 server {
@@ -18,7 +18,7 @@ server {
 if ($local_access = 1) {
 access_log off;
 }
- allow 192.168.1.0/24;
+ allow 192.168.0.0/16;
 allow 127.0.0.1;
 deny all;
@@ -29,4 +29,4 @@ server {
 proxy_buffering off;
 proxy_pass http://pihole;
 }
-}
\ No newline at end of file
+}
diff --git a/ansible/roles/podman/templates/nginx/sites/video.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/video.bdebyl.net.conf.j2
index 36c1db0..e8d4e76 100644
--- a/ansible/roles/podman/templates/nginx/sites/video.bdebyl.net.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/video.bdebyl.net.conf.j2
@@ -10,7 +10,7 @@ server {
 server_name {{ video_server_name }};
 location / {
- allow 192.168.1.0/24;
+ allow 192.168.0.0/16;
 allow 127.0.0.1;
 deny all;
@@ -21,4 +21,4 @@ server {
 proxy_buffering off;
 proxy_pass http://shinobi;
 }
-}
\ No newline at end of file
+}
diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml
index 874e52d..cd95136 100644
Binary files a/ansible/vars/vault.yml and b/ansible/vars/vault.yml differ