diff --git a/ansible/roles/podman/defaults/main.yml b/ansible/roles/podman/defaults/main.yml
index 25478f4..80a52c6 100644
--- a/ansible/roles/podman/defaults/main.yml
+++ b/ansible/roles/podman/defaults/main.yml
@@ -3,21 +3,21 @@
 bookstack_path: "{{ podman_volumes }}/bookstack"
 cloud_path: "{{ podman_volumes }}/cloud"
 debyltech_path: "{{ podman_volumes }}/debyltech"
 drone_path: "{{ podman_volumes }}/drone"
+factorio_path: "{{ podman_volumes }}/factorio"
+fulfillr_path: "{{ podman_volumes }}/fulfillr"
 graylog_path: "{{ podman_volumes }}/graylog"
 hass_path: "{{ podman_volumes }}/hass"
 nginx_path: "{{ podman_volumes }}/nginx"
 partkeepr_path: "{{ podman_volumes }}/partkeepr"
 photos_path: "{{ podman_volumes }}/photos"
 pihole_path: "{{ podman_volumes }}/pihole"
-factorio_path: "{{ podman_volumes }}/factorio"
-fulfillr_path: "{{ podman_volumes }}/fulfillr"
 sshpass_cron_path: "{{ podman_volumes }}/sshpass_cron"
-drone_server_proto: "http"
+drone_server_proto: "https"
+drone_runner_proto: "http"
 drone_runner_capacity: "8"
 # nginx and modsec configuration
-api_debyltech_server_name: api.debyltech.com
 assistant_server_name: assistant.bdebyl.net
 bookstack_server_name: wiki.skudakrennsport.com
 ci_server_name: ci.bdebyl.net
@@ -27,8 +27,6 @@
 home_server_name: home.bdebyl.net
 logs_server_name: logs.bdebyl.net
 parts_server_name: parts.bdebyl.net
 photos_server_name: photos.bdebyl.net
-pi_server_name: pi.bdebyl.net
-video_server_name: video.bdebyl.net
 nginx_conf_path: "{{ nginx_path }}/etc/conf"
 modsec_log_path: /var/log/nginx/modsec_audit.log
diff --git a/ansible/roles/podman/tasks/configuration-nginx-http.yml b/ansible/roles/podman/tasks/configuration-nginx-http.yml
index fef3635..8900238 100644
--- a/ansible/roles/podman/tasks/configuration-nginx-http.yml
+++ b/ansible/roles/podman/tasks/configuration-nginx-http.yml
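Review bot: The new `drone_runner_proto: "http"` sitting next to `drone_server_proto: "https"` is undocumented, and a reader of defaults/main.yml cannot tell why the two schemes differ or which consumer reads which. From container-drone.yml in the same commit, the runner's `DRONE_RPC_PROTO` now reads the runner value, so presumably the server value is the scheme external clients use (TLS terminated in front of the server, not visible here) while the runner value is the scheme for runner-to-server RPC inside the host. A comment above the pair such as `# drone_server_proto: scheme clients reach the server on; drone_runner_proto: scheme the runner uses for its RPC to the server container (DRONE_RPC_PROTO)` would make that intent explicit and stop the two from being "fixed" back into one value later.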
@@ -61,7 +61,6 @@
     group: "{{ podman_user }}"
     mode: 0644
   loop:
-    - "{{ api_debyltech_server_name }}.conf"
     - "{{ assistant_server_name }}.conf"
     - "{{ bookstack_server_name }}.conf"
     - "{{ ci_server_name }}.http.conf"
@@ -71,8 +70,6 @@
     - "{{ logs_server_name }}.conf"
     - "{{ parts_server_name }}.conf"
     - "{{ photos_server_name }}.conf"
-    - "{{ pi_server_name }}.conf"
-    - "{{ video_server_name }}.conf"
   notify:
     - restorecon podman
     - restart nginx
@@ -87,7 +84,6 @@
     group: "{{ podman_user }}"
     state: link
   loop:
-    - "{{ api_debyltech_server_name }}.conf"
     - "{{ assistant_server_name }}.conf"
     - "{{ bookstack_server_name }}.conf"
     - "{{ ci_server_name }}.http.conf"
@@ -97,8 +93,6 @@
     - "{{ logs_server_name }}.conf"
     - "{{ parts_server_name }}.conf"
     - "{{ photos_server_name }}.conf"
-    - "{{ pi_server_name }}.conf"
-    - "{{ video_server_name }}.conf"
   notify:
     - restorecon podman
     - restart nginx
diff --git a/ansible/roles/podman/tasks/configuration-nginx-https.yml b/ansible/roles/podman/tasks/configuration-nginx-https.yml
index 10a0911..1b3016b 100644
--- a/ansible/roles/podman/tasks/configuration-nginx-https.yml
+++ b/ansible/roles/podman/tasks/configuration-nginx-https.yml
@@ -39,7 +39,6 @@
     - "{{ cloud_server_name }}.https.conf"
     - "{{ parts_server_name }}.https.conf"
     - "{{ photos_server_name }}.https.conf"
-    - "{{ api_debyltech_server_name }}.https.conf"
   notify:
     - restorecon podman
     - restart nginx
@@ -59,7 +58,6 @@
     - "{{ cloud_server_name }}.https.conf"
     - "{{ parts_server_name }}.https.conf"
     - "{{ photos_server_name }}.https.conf"
-    - "{{ api_debyltech_server_name }}.https.conf"
   notify:
     - restorecon podman
     - restart nginx
diff --git a/ansible/roles/podman/tasks/container-drone.yml b/ansible/roles/podman/tasks/container-drone.yml
index bf0b58e..063e75d 100644
--- a/ansible/roles/podman/tasks/container-drone.yml
+++ b/ansible/roles/podman/tasks/container-drone.yml
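Review bot: Dropping `{{ api_debyltech_server_name }}.conf`, `{{ pi_server_name }}.conf` and `{{ video_server_name }}.conf` from the two loops only stops deploying those files; a host that already received them keeps the rendered files and the symlinks the `state: link` task created, so nginx keeps serving those vhosts until someone removes them by hand. The same applies to the two `.https.conf` loops in configuration-nginx-https.yml in this commit. A follow-up task using `ansible.builtin.file` with `state: absent`, looping over the retired file names spelled out literally (their variables are deleted from defaults/main.yml in this same commit) and notifying `restart nginx`, would make the removal converge on existing hosts. On the context line, `mode: 0644` is an unquoted leading-zero literal that ansible-lint flags as risky-octal; `mode: "0644"` is the safe form. Both loops belong to tasks whose `name:` and module lines start above the hunk.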
@@ -66,7 +66,7 @@
     env:
       DRONE_RPC_SECRET: "{{ drone_rpc_secret }}"
       DRONE_RPC_HOST: "drone"
-      DRONE_RPC_PROTO: "{{ drone_server_proto }}"
+      DRONE_RPC_PROTO: "{{ drone_runner_proto }}"
       DRONE_RUNNER_CAPACITY: "{{ drone_runner_capacity }}"
     volumes:
       - "/run/user/1002/podman/podman.sock:/var/run/docker.sock"
diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml
index f8bca13..65e9c5c 100644
--- a/ansible/roles/podman/tasks/main.yml
+++ b/ansible/roles/podman/tasks/main.yml
@@ -10,7 +10,7 @@
 - import_tasks: container-drone.yml
   vars:
     runner_image: docker.io/drone/drone-runner-docker:1.8.3
-    image: docker.io/drone/drone:2.16.0
+    image: docker.io/drone/drone:2.18.0
   tags: drone
 - import_tasks: container-hass.yml
diff --git a/ansible/roles/podman/tasks/podman/podman-check.yml b/ansible/roles/podman/tasks/podman/podman-check.yml
index 2889979..d1a8985 100644
--- a/ansible/roles/podman/tasks/podman/podman-check.yml
+++ b/ansible/roles/podman/tasks/podman/podman-check.yml
@@ -10,6 +10,7 @@
   debug:
     msg: "image '{{ container.containers[0]['ImageName'] }}' not equivalent to '{{ container_image }}'!"
   when: container.containers[0]["ImageName"] != container_image
+  ignore_errors: true
 - name: delete container if necessary
   become: true
@@ -17,4 +18,5 @@
   containers.podman.podman_container:
     name: "{{ container_name }}"
     state: absent
-  when: container.containers[0]["ImageName"] != container_image
\ No newline at end of file
+  when: container.containers[0]["ImageName"] != container_image
+  ignore_errors: true
\ No newline at end of file
diff --git a/ansible/roles/podman/templates/nginx/sites/api.debyltech.com.conf.j2 b/ansible/roles/podman/templates/nginx/sites/api.debyltech.com.conf.j2
deleted file mode 100644
index 7adde35..0000000
--- a/ansible/roles/podman/templates/nginx/sites/api.debyltech.com.conf.j2
+++ /dev/null
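Review bot: Pointing `DRONE_RPC_PROTO` at `{{ drone_runner_proto }}`, which defaults to `"http"` in this commit, means the runner now presents `DRONE_RPC_SECRET` to `DRONE_RPC_HOST: "drone"` over cleartext while the server-side value moved to `"https"`. That is acceptable only if `drone` resolves to the server container over a network local to the host, and nothing in the hunk records that assumption; a comment above the env block such as `# runner -> server RPC stays plain http: the two containers share the host-local podman network and TLS is terminated in front of the server` (adjusted to the actual network layout) would document it. The unchanged bind mount of `/run/user/1002/podman/podman.sock` as the docker socket hard-codes the uid and gives the runner control over every container of that user, which is worth a one-line comment next to `DRONE_RUNNER_CAPACITY`. The task definition starts above the hunk.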
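Review bot: `ignore_errors: true` on the debug task and on the delete task suppresses every failure, not only the one presumably being worked around, which looks like `container.containers[0]` raising when the registered result has no entries because the container does not exist yet (the task that registers `container` is above the hunk, so this is inferred). A genuine failure of the delete, such as podman refusing to remove a running container or the socket being unreachable, would now be swallowed and the play would go on to create a container whose old instance is still present. Guarding the condition instead needs no error suppression: `when: container.containers | length > 0 and container.containers[0]["ImageName"] != container_image` on both tasks, with the two `ignore_errors: true` lines dropped. The file also still ends without a trailing newline.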
@@ -1,16 +0,0 @@ -server { - modsecurity on; - modsecurity_rules_file /etc/nginx/modsec_includes.conf; - - listen 80; - server_name {{ api_debyltech_server_name }}; - - location '/.well-known/acme-challenge' { - default_type "text/plain"; - root /srv/http/letsencrypt; - } - - location / { - return 302 https://$host$request_uri; - } -} \ No newline at end of file diff --git a/ansible/roles/podman/templates/nginx/sites/api.debyltech.com.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/api.debyltech.com.https.conf.j2 deleted file mode 100644 index 5a57fa5..0000000 --- a/ansible/roles/podman/templates/nginx/sites/api.debyltech.com.https.conf.j2 +++ /dev/null 
@@ -1,42 +0,0 @@ -upstream apidebyltech { - server 127.0.0.1:8040; -} - -server { - modsecurity on; - modsecurity_rules_file /etc/nginx/modsec_includes.conf; - - resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s; - - listen 443 ssl http2; - server_name {{ api_debyltech_server_name }}; - client_max_body_size 500M; - - ssl_certificate /etc/letsencrypt/live/{{ api_debyltech_server_name }}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/{{ api_debyltech_server_name }}/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/{{ api_debyltech_server_name }}/fullchain.pem; - ssl_dhparam /etc/nginx/ssl/dhparam.pem; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_session_cache shared:SSL:10m; - ssl_session_tickets off; - ssl_session_timeout 1d; - ssl_stapling on; - ssl_stapling_verify on; - - location / { - add_header Referrer-Policy "same-origin" always; - add_header Strict-Transport-Security "max-age=630720000; includeSubDomains" always; - add_header X-Content-Type-Options "nosniff" always; - - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Upgrade $http_upgrade; - - proxy_buffering off; - proxy_http_version 1.1; - proxy_pass http://apidebyltech; - } -} \ No newline at end of file diff --git a/ansible/roles/podman/templates/nginx/sites/pi.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/pi.bdebyl.net.conf.j2 deleted file mode 100644 index 156e11a..0000000 --- a/ansible/roles/podman/templates/nginx/sites/pi.bdebyl.net.conf.j2 +++ /dev/null 
@@ -1,32 +0,0 @@ -upstream pihole { - server 127.0.0.1:8082; -} - -geo $local_access { - default 0; - 192.168.0.0/16 1; -} - -server { - modsecurity on; - modsecurity_rules_file /etc/nginx/modsec_includes.conf; - - listen 80; - server_name {{ pi_server_name }}; - - location / { - if ($local_access = 1) { - access_log off; - } - allow 192.168.0.0/16; - allow 127.0.0.1; - deny all; - - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_buffering off; - proxy_pass http://pihole; - } -} diff --git a/ansible/roles/podman/templates/nginx/sites/video.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/video.bdebyl.net.conf.j2 deleted file mode 100644 index e8d4e76..0000000 --- a/ansible/roles/podman/templates/nginx/sites/video.bdebyl.net.conf.j2 +++ /dev/null @@ -1,24 +0,0 @@ -upstream shinobi { - server 127.0.0.1:8085; -} - -server { - modsecurity on; - modsecurity_rules_file /etc/nginx/modsec_includes.conf; - - listen 80; - server_name {{ video_server_name }}; - - location / { - allow 192.168.0.0/16; - allow 127.0.0.1; - deny all; - - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_buffering off; - proxy_pass http://shinobi; - } -} diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml index 469d602..04e9d5d 100644 Binary files a/ansible/vars/vault.yml and b/ansible/vars/vault.yml differ