diff --git a/ansible/roles/podman/tasks/configuration-nginx-https.yml b/ansible/roles/podman/tasks/configuration-nginx-https.yml
index 1b3016b..5b3824a 100644
--- a/ansible/roles/podman/tasks/configuration-nginx-https.yml
+++ b/ansible/roles/podman/tasks/configuration-nginx-https.yml
@@ -37,6 +37,7 @@
 - "{{ bookstack_server_name }}.https.conf"
 - "{{ ci_server_name }}.https.conf"
 - "{{ cloud_server_name }}.https.conf"
+ - "{{ fulfillr_server_name }}.https.conf"
 - "{{ parts_server_name }}.https.conf"
 - "{{ photos_server_name }}.https.conf"
 notify:
@@ -56,6 +57,7 @@
 - "{{ bookstack_server_name }}.https.conf"
 - "{{ ci_server_name }}.https.conf"
 - "{{ cloud_server_name }}.https.conf"
+ - "{{ fulfillr_server_name }}.https.conf"
 - "{{ parts_server_name }}.https.conf"
 - "{{ photos_server_name }}.https.conf"
 notify:
diff --git a/ansible/roles/podman/tasks/container-awsddns.yml b/ansible/roles/podman/tasks/container-awsddns.yml
index 489f294..0377158 100644
--- a/ansible/roles/podman/tasks/container-awsddns.yml
+++ b/ansible/roles/podman/tasks/container-awsddns.yml
@@ -52,3 +52,30 @@
 include_tasks: podman/systemd-generate.yml
 vars:
 container_name: awsddns-skudak
+
+- import_tasks: podman/podman-check.yml
+ vars:
+ container_name: awsddns-fulfillr
+ container_image: "{{ image }}"
+
+- name: create fulfillr.debyltech.com awsddns server container
+ become: true
+ become_user: "{{ podman_user }}"
+ diff: false
+ containers.podman.podman_container:
+ name: awsddns-fulfillr
+ image: "{{ image }}"
+ restart_policy: on-failure:3
+ log_driver: journald
+ env:
+ AWS_ZONE_TTL: 60
+ AWS_ZONE_ID: "{{ fulfillr_zone_id }}"
+ AWS_ZONE_HOSTNAME: "{{ fulfillr_server_name }}"
+ AWS_ACCESS_KEY_ID: "{{ fulfillr_access_key }}"
+ AWS_SECRET_ACCESS_KEY: "{{ fulfillr_secret_key }}"
+ AWS_DEFAULT_REGION: "{{ fulfillr_region }}"
+
+- name: create systemd startup job for awsddns-fulfillr
+ include_tasks: podman/systemd-generate.yml
+ vars:
+ container_name: awsddns-fulfillr
\ No newline at end of file
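Review bot: The task that creates awsddns-fulfillr hands `fulfillr_access_key` and `fulfillr_secret_key` to the container as plain environment variables but does not set `no_log: true`, so the module's return value (podman inspect data, which carries the container env) can end up in verbose playbook output and in whatever captures it; `diff: false` suppresses only the diff, not the result. Add `no_log: true` beside `diff: false` on that task. The awsddns-skudak task just above the hunk presumably has the same shape, but its body lies outside the hunk. Separately, `AWS_ZONE_TTL: 60` is an unquoted integer inside an env mapping; `AWS_ZONE_TTL: "60"` keeps it a string regardless of how the module stringifies values, matching the other quoted entries.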
diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml index 6163925..f4a0e3d 100644 --- a/ansible/roles/podman/tasks/main.yml +++ b/ansible/roles/podman/tasks/main.yml @@ -51,7 +51,7 @@ - import_tasks: container-fulfillr.yml vars: - image: "{{ aws_ecr_endpoint }}/fulfillr:20230811.1904" + image: "{{ aws_ecr_endpoint }}/fulfillr:20230811.2059" tags: fulfillr - import_tasks: configuration-nginx.yml diff --git a/ansible/roles/podman/templates/nginx/sites/fulfillr.debyltech.com.conf.j2 b/ansible/roles/podman/templates/nginx/sites/fulfillr.debyltech.com.conf.j2 index 1fe3173..3cf0df6 100644 --- a/ansible/roles/podman/templates/nginx/sites/fulfillr.debyltech.com.conf.j2 +++ b/ansible/roles/podman/templates/nginx/sites/fulfillr.debyltech.com.conf.j2 @@ -1,24 +1,21 @@ -upstream fulfillr { - server 127.0.0.1:9054; +geo $whitelisted { + default 0; + 192.168.0.0/16 1; } + server { - resolver 192.168.1.10 ipv6=off; modsecurity on; modsecurity_rules_file /etc/nginx/modsec_includes.conf; listen 80; server_name {{ fulfillr_server_name }}; + location '/.well-known/acme-challenge' { + default_type "text/plain"; + root /srv/http/letsencrypt; + } + location / { - allow 192.168.0.0/16; - allow 127.0.0.1; - deny all; - - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_buffering off; - proxy_pass http://fulfillr; + return 302 https://$host$request_uri; } } diff --git a/ansible/roles/podman/templates/nginx/sites/fulfillr.debyltech.com.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/fulfillr.debyltech.com.https.conf.j2 new file mode 100644 index 0000000..065beff --- /dev/null +++ b/ansible/roles/podman/templates/nginx/sites/fulfillr.debyltech.com.https.conf.j2 
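Review bot: The `geo $whitelisted` block added at the top of the HTTP template is never referenced in this file — after the change the only locations are the ACME challenge root and an unconditional `return 302 https://$host$request_uri;` — and the same variable is defined again in the new fulfillr.debyltech.com.https.conf.j2. As far as I can tell nginx accepts a second `geo` definition of the same variable rather than rejecting it, with the last one parsed taking effect, so the two copies can silently diverge if only one is edited later. Drop the block from the HTTP template and keep the single definition in the HTTPS one, or move it to a shared http-level include. The main.yml hunk on this line is only an image tag bump.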
@@ -0,0 +1,57 @@
+geo $whitelisted {
+ default 0;
+ 192.168.0.0/16 1;
+}
+
+upstream fulfillr {
+ server 127.0.0.1:9054;
+}
+
+server {
+ modsecurity on;
+ modsecurity_rules_file /etc/nginx/modsec_includes.conf;
+
+ resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s;
+
+ listen 443 ssl http2;
+ server_name {{ fulfillr_server_name }};
+
+ ssl_certificate /etc/letsencrypt/live/{{ fulfillr_server_name }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ fulfillr_server_name }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ fulfillr_server_name }}/fullchain.pem;
+ ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ ssl_session_timeout 1d;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ if ($whitelisted = 0) {
+ return 302 $scheme://bdebyl.net$request_uri;
+ }
+
+ location / {
+ add_header Referrer-Policy "same-origin" always;
+ # add_header Strict-Transport-Security "max-age=630720000; includeSubDomains" always;
+ add_header X-Content-Type-Options "nosniff" always;
+
+ # Sent from upstream:
+ # add_header X-Frame-Options "SAMEORIGIN";
+ # add_header X-XSS-Protection "1; mode=block";
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_buffering off;
+ proxy_http_version 1.1;
+ proxy_pass http://fulfillr;
+ proxy_redirect off;
+
+ chunked_transfer_encoding off;
+ }
+}
diff --git a/ansible/roles/ssl/tasks/certbot.yml b/ansible/roles/ssl/tasks/certbot.yml
index a0ed4f2..78c5f95 100644
--- a/ansible/roles/ssl/tasks/certbot.yml
+++ b/ansible/roles/ssl/tasks/certbot.yml
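Review bot: The `geo $whitelisted` allow-list covers only `192.168.0.0/16`, whereas the HTTP block it replaces also had `allow 127.0.0.1;`, so loopback clients on the host now take the `return 302 $scheme://bdebyl.net$request_uri;` branch instead of reaching the upstream; if local access is still wanted, add `127.0.0.1 1;` to the geo block. The commented-out `Strict-Transport-Security` line gives no reason for being disabled, so a one-line `# HSTS intentionally off: <reason>` beside it would stop the next reader from enabling it blindly. Because the whitelist check is a server-level `if` whose only action is `return`, non-whitelisted requests never reach `proxy_pass`, which is the safe form of that construct and worth a short comment saying so.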
@@ -11,9 +11,9 @@ - "{{ bookstack_server_name }}" - "{{ ci_server_name }}" - "{{ cloud_server_name }}" + - "{{ fulfillr_server_name }}" - "{{ parts_server_name }}" - "{{ photos_server_name }}" - - "{{ api_debyltech_server_name }}" tags: ssl - name: set group ownership for /etc/letsencrypt/ diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml index 7c01050..f426886 100644 Binary files a/ansible/vars/vault.yml and b/ansible/vars/vault.yml differ
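Review bot: Besides adding `fulfillr_server_name`, this hunk removes `api_debyltech_server_name` from the certbot domain list, which nothing else in the change accounts for; once the name is no longer requested, its certificate stops being issued or renewed, and any nginx server block still pointing at `/etc/letsencrypt/live/<that name>/` would fail to load after expiry. If the removal is intentional, confirm that no template in the role still references that name and note it where the change is described. The task this list belongs to starts above the hunk, and the vault.yml entry at the end is a binary diff that cannot be reviewed here.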