fixed subnets, drone proto & host, cleaned up vault

2022-10-06 20:50:05 -04:00
parent 50470a25d7
commit 5d12d516ae
12 changed files with 27 additions and 23 deletions
--- a/ansible/inventories/home/hosts.yml
+++ b/ansible/inventories/home/hosts.yml
@@ -1,5 +1,5 @@
 ---
 all:
  hosts:
-    home.bdebyl.net:
+    galactica.lan:
      ansible_user: fedora
--- a/ansible/roles/podman/defaults/main.yml
+++ b/ansible/roles/podman/defaults/main.yml
@@ -9,8 +9,8 @@ partkeepr_path: "{{ podman_volumes }}/partkeepr"
 photos_path: "{{ podman_volumes }}/photos"
 pihole_path: "{{ podman_volumes }}/pihole"
-drone_server_proto: "https"
+drone_server_proto: "http"
-drone_runner_capacity: "4"
+drone_runner_capacity: "8"
 # nginx and modsec configuration
 assistant_server_name: assistant.bdebyl.net
@@ -36,10 +36,10 @@ crs_path: "{{ install_path }}/coreruleset"
 crs_rules_path: "{{ crs_path }}/rules"
 modsec_whitelist_local_re: >-
-  ^SecRule.*REMOTE_ADDR.*192\.168\.1\.1/24.*$
+  ^SecRule.*REMOTE_ADDR.*192\.168\.0\.0/16.*$
 modsec_whitelist_local: >-
-  SecRule REMOTE_ADDR "@ipMatch 192.168.1.1/24"
+  SecRule REMOTE_ADDR "@ipMatch 192.168.0.0/16"
  "id:1,phase:1,nolog,allow,ctl:ruleEngine=Off"
 modsec_git_urls:
--- a/ansible/roles/podman/tasks/container-drone.yml
+++ b/ansible/roles/podman/tasks/container-drone.yml
@@ -26,6 +26,8 @@
    restart: true
    restart_policy: on-failure
    log_driver: journald
    network:
      - shared
    env:
      DRONE_LOGS_DEBUG: "false"
      DRONE_RPC_DEBUG: "false"
@@ -57,9 +59,11 @@
    restart: true
    restart_policy: on-failure
    log_driver: journald
    network:
      - shared
    env:
      DRONE_RPC_SECRET: "{{ drone_rpc_secret }}"
-      DRONE_RPC_HOST: "{{ ci_server_name }}"
+      DRONE_RPC_HOST: "drone"
      DRONE_RPC_PROTO: "{{ drone_server_proto }}"
      DRONE_RUNNER_CAPACITY: "{{ drone_runner_capacity }}"
    volumes:
--- a/ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.conf.j2
@@ -2,7 +2,7 @@ upstream hass {
  server 127.0.0.1:8123;
 }
 server {
-  resolver 192.168.1.12 ipv6=off;
+  resolver 192.168.2.10 ipv6=off;
  modsecurity on;
  modsecurity_rules_file /etc/nginx/modsec_includes.conf;
@@ -10,7 +10,7 @@ server {
  server_name {{ assistant_server_name }};
  location / {
-    allow 192.168.1.0/24;
+    allow 192.168.0.0/16;
    allow 127.0.0.1;
    deny all;
--- a/ansible/roles/podman/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
@@ -4,7 +4,7 @@ upstream drone {
 geo $local_access {
  default 0;
-  192.168.1.1 1;
+  192.168.2.1 1;
 }
 server {
--- a/ansible/roles/podman/templates/nginx/sites/home.bdebyl.net.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/home.bdebyl.net.conf.j2
@@ -1,6 +1,6 @@
 geo $whitelisted {
  default 0;
-  192.168.1.0/24 1;
+  192.168.0.0/16 1;
 }
 server {
@@ -16,4 +16,4 @@ server {
  if ($whitelisted = 0) {
    return 302 $scheme://bdebyl.net$request_uri;
  }
-}
+}
--- a/ansible/roles/podman/templates/nginx/sites/logs.bdebyl.net.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/logs.bdebyl.net.conf.j2
@@ -4,7 +4,7 @@ upstream graylog {
 geo $local_access {
  default 0;
-  192.168.1.0/24 1;
+  192.168.0.0/16 1;
 }
 server {
@@ -18,7 +18,7 @@ server {
    if ($local_access = 1) {
      access_log off;
    }
-    allow 192.168.1.0/24;
+    allow 192.168.0.0/16;
    allow 127.0.0.1;
    deny all;
@@ -29,4 +29,4 @@ server {
    proxy_buffering off;
    proxy_pass http://graylog;
  }
-}
+}
--- a/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.conf.j2
@@ -1,6 +1,6 @@
 geo $whitelisted {
  default 0;
-  192.168.1.0/24 1;
+  192.168.0.0/16 1;
 }
 server {
@@ -18,4 +18,4 @@ server {
  location / {
   return 302 https://$host$request_uri;
  }
-}
+}
--- a/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.https.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.https.conf.j2
@@ -1,6 +1,6 @@
 geo $whitelisted {
  default 0;
-  192.168.1.0/24 1;
+  192.168.0.0/16 1;
 }
 upstream partkeepr {
@@ -54,4 +54,4 @@ server {
    chunked_transfer_encoding off;
  }
-}
+}
--- a/ansible/roles/podman/templates/nginx/sites/pi.bdebyl.net.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/pi.bdebyl.net.conf.j2
@@ -4,7 +4,7 @@ upstream pihole {
 geo $local_access {
  default 0;
-  192.168.1.0/24 1;
+  192.168.0.0/16 1;
 }
 server {
@@ -18,7 +18,7 @@ server {
    if ($local_access = 1) {
      access_log off;
    }
-    allow 192.168.1.0/24;
+    allow 192.168.0.0/16;
    allow 127.0.0.1;
    deny all;
@@ -29,4 +29,4 @@ server {
    proxy_buffering off;
    proxy_pass http://pihole;
  }
-}
+}
--- a/ansible/roles/podman/templates/nginx/sites/video.bdebyl.net.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/video.bdebyl.net.conf.j2
@@ -10,7 +10,7 @@ server {
  server_name {{ video_server_name }};
  location / {
-    allow 192.168.1.0/24;
+    allow 192.168.0.0/16;
    allow 127.0.0.1;
    deny all;
@@ -21,4 +21,4 @@ server {
    proxy_buffering off;
    proxy_pass http://shinobi;
  }
-}
+}
--- a/ansible/vars/vault.yml
+++ b/ansible/vars/vault.yml