fixed subnets, drone proto & host, cleaned up vault

This commit is contained in:
Bastian de Byl
2022-10-06 20:50:05 -04:00
parent 50470a25d7
commit 5d12d516ae
12 changed files with 27 additions and 23 deletions


@@ -1,5 +1,5 @@
--- ---
all: all:
hosts: hosts:
home.bdebyl.net: galactica.lan:
ansible_user: fedora ansible_user: fedora


@@ -9,8 +9,8 @@ partkeepr_path: "{{ podman_volumes }}/partkeepr"
photos_path: "{{ podman_volumes }}/photos" photos_path: "{{ podman_volumes }}/photos"
pihole_path: "{{ podman_volumes }}/pihole" pihole_path: "{{ podman_volumes }}/pihole"
drone_server_proto: "https" drone_server_proto: "http"
drone_runner_capacity: "4" drone_runner_capacity: "8"
# nginx and modsec configuration # nginx and modsec configuration
assistant_server_name: assistant.bdebyl.net assistant_server_name: assistant.bdebyl.net
@@ -36,10 +36,10 @@ crs_path: "{{ install_path }}/coreruleset"
crs_rules_path: "{{ crs_path }}/rules" crs_rules_path: "{{ crs_path }}/rules"
modsec_whitelist_local_re: >- modsec_whitelist_local_re: >-
^SecRule.*REMOTE_ADDR.*192\.168\.1\.1/24.*$ ^SecRule.*REMOTE_ADDR.*192\.168\.0\.0/16.*$
modsec_whitelist_local: >- modsec_whitelist_local: >-
SecRule REMOTE_ADDR "@ipMatch 192.168.1.1/24" SecRule REMOTE_ADDR "@ipMatch 192.168.0.0/16"
"id:1,phase:1,nolog,allow,ctl:ruleEngine=Off" "id:1,phase:1,nolog,allow,ctl:ruleEngine=Off"
modsec_git_urls: modsec_git_urls:
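Review bot: Widening `modsec_whitelist_local` from 192.168.1.1/24 to 192.168.0.0/16 disables the ModSecurity rule engine (`ctl:ruleEngine=Off`) for every client in the whole 192.168/16 block, not only the subnets that were renumbered; any other 192.168.x.0/24 segment routed to this host (guest, IoT, VPN, if present) is now exempt from the CRS as well. Listing only the subnets actually in use (the 192.168.2.0/24 visible elsewhere in this commit plus whichever others exist) keeps the exemption tight, and the same /16 widening appears in the nginx `allow` and `geo` lines of the following sections. `drone_server_proto: "http"` now feeds `DRONE_RPC_PROTO`; if the same variable is also used for the server's own `DRONE_SERVER_PROTO` (not visible here), its public callback URLs would be generated as http, which is worth confirming. A comment above it such as `# scheme the runner uses to reach the server on the shared pod network, not the public scheme` would document the intent.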


@@ -26,6 +26,8 @@
restart: true restart: true
restart_policy: on-failure restart_policy: on-failure
log_driver: journald log_driver: journald
network:
- shared
env: env:
DRONE_LOGS_DEBUG: "false" DRONE_LOGS_DEBUG: "false"
DRONE_RPC_DEBUG: "false" DRONE_RPC_DEBUG: "false"
@@ -57,9 +59,11 @@
restart: true restart: true
restart_policy: on-failure restart_policy: on-failure
log_driver: journald log_driver: journald
network:
- shared
env: env:
DRONE_RPC_SECRET: "{{ drone_rpc_secret }}" DRONE_RPC_SECRET: "{{ drone_rpc_secret }}"
DRONE_RPC_HOST: "{{ ci_server_name }}" DRONE_RPC_HOST: "drone"
DRONE_RPC_PROTO: "{{ drone_server_proto }}" DRONE_RPC_PROTO: "{{ drone_server_proto }}"
DRONE_RUNNER_CAPACITY: "{{ drone_runner_capacity }}" DRONE_RUNNER_CAPACITY: "{{ drone_runner_capacity }}"
volumes: volumes:
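Review bot: `DRONE_RPC_HOST: "drone"` hard-codes the server container's name instead of referencing whatever name the server task (defined above, outside this hunk) uses, so renaming that container silently breaks the runner; a single variable such as `drone_server_container: drone` referenced in both tasks keeps them in step. Because `drone_server_proto` is now `http`, the runner sends `DRONE_RPC_SECRET` in cleartext, which is acceptable only while both containers sit on the `shared` network and the server's port is not also published on the host — I cannot see the port mapping here, so please confirm. A comment on the new `network:` lines, e.g. `# server and runner share one network so RPC stays on plain http via the container name`, would record that assumption. The enclosing task definitions begin outside the hunk.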


@@ -2,7 +2,7 @@ upstream hass {
server 127.0.0.1:8123; server 127.0.0.1:8123;
} }
server { server {
resolver 192.168.1.12 ipv6=off; resolver 192.168.2.10 ipv6=off;
modsecurity on; modsecurity on;
modsecurity_rules_file /etc/nginx/modsec_includes.conf; modsecurity_rules_file /etc/nginx/modsec_includes.conf;
@@ -10,7 +10,7 @@ server {
server_name {{ assistant_server_name }}; server_name {{ assistant_server_name }};
location / { location / {
allow 192.168.1.0/24; allow 192.168.0.0/16;
allow 127.0.0.1; allow 127.0.0.1;
deny all; deny all;


@@ -4,7 +4,7 @@ upstream drone {
geo $local_access { geo $local_access {
default 0; default 0;
192.168.1.1 1; 192.168.2.1 1;
} }
server { server {
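Review bot: The `geo $local_access` block here still grants local access to a single address, `192.168.2.1 1;`, while every other `geo` block in this commit was moved to `192.168.0.0/16 1;`; if restricting the drone proxy's local access to one host (presumably the gateway) is deliberate, a comment such as `# only the gateway counts as local here; see the /16 used by the other proxies` would stop the next subnet change from "fixing" it by accident. The `server` block that follows lies outside the hunk.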


@@ -1,6 +1,6 @@
geo $whitelisted { geo $whitelisted {
default 0; default 0;
192.168.1.0/24 1; 192.168.0.0/16 1;
} }
server { server {


@@ -4,7 +4,7 @@ upstream graylog {
geo $local_access { geo $local_access {
default 0; default 0;
192.168.1.0/24 1; 192.168.0.0/16 1;
} }
server { server {
@@ -18,7 +18,7 @@ server {
if ($local_access = 1) { if ($local_access = 1) {
access_log off; access_log off;
} }
allow 192.168.1.0/24; allow 192.168.0.0/16;
allow 127.0.0.1; allow 127.0.0.1;
deny all; deny all;
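Review bot: With `geo $local_access` widened to 192.168.0.0/16, the `if ($local_access = 1) { access_log off; }` branch in the second hunk now silences the nginx access log for every client in the whole /16, so requests to graylog from any internal host leave no proxy-side trace; the pihole section later in this commit has the identical pattern. If the intent is only to drop noise from a few trusted management hosts, keep the logging suppression on a narrow `geo` entry and use the broader range only for the `allow` rule, e.g. `192.168.2.0/24 1;` in the `geo` block while `allow 192.168.0.0/16;` stays as is. The enclosing `server` block starts outside the hunk.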


@@ -1,6 +1,6 @@
geo $whitelisted { geo $whitelisted {
default 0; default 0;
192.168.1.0/24 1; 192.168.0.0/16 1;
} }
server { server {


@@ -1,6 +1,6 @@
geo $whitelisted { geo $whitelisted {
default 0; default 0;
192.168.1.0/24 1; 192.168.0.0/16 1;
} }
upstream partkeepr { upstream partkeepr {


@@ -4,7 +4,7 @@ upstream pihole {
geo $local_access { geo $local_access {
default 0; default 0;
192.168.1.0/24 1; 192.168.0.0/16 1;
} }
server { server {
@@ -18,7 +18,7 @@ server {
if ($local_access = 1) { if ($local_access = 1) {
access_log off; access_log off;
} }
allow 192.168.1.0/24; allow 192.168.0.0/16;
allow 127.0.0.1; allow 127.0.0.1;
deny all; deny all;


@@ -10,7 +10,7 @@ server {
server_name {{ video_server_name }}; server_name {{ video_server_name }};
location / { location / {
allow 192.168.1.0/24; allow 192.168.0.0/16;
allow 127.0.0.1; allow 127.0.0.1;
deny all; deny all;
