diff --git a/ansible/roles/podman/tasks/containers/base/conf-nginx-https.yml b/ansible/roles/podman/tasks/containers/base/conf-nginx-https.yml index 15241a9..b950390 100644 --- a/ansible/roles/podman/tasks/containers/base/conf-nginx-https.yml +++ b/ansible/roles/podman/tasks/containers/base/conf-nginx-https.yml @@ -34,6 +34,7 @@ group: "{{ podman_user }}" mode: 0644 loop: + - "{{ assistant_server_name }}.https.conf" - "{{ bookstack_server_name }}.https.conf" - "{{ ci_server_name }}.https.conf" - "{{ cloud_server_name }}.https.conf" @@ -55,6 +56,7 @@ group: "{{ podman_user }}" state: link loop: + - "{{ assistant_server_name }}.https.conf" - "{{ bookstack_server_name }}.https.conf" - "{{ ci_server_name }}.https.conf" - "{{ cloud_server_name }}.https.conf" diff --git a/ansible/roles/podman/tasks/firewall.yml b/ansible/roles/podman/tasks/firewall.yml index e1a1126..11231f6 100644 --- a/ansible/roles/podman/tasks/firewall.yml +++ b/ansible/roles/podman/tasks/firewall.yml @@ -30,6 +30,11 @@ # Zomboid - 16261/udp - 16262/udp + # crafty + - 8443/tcp + # minecraft + - 25565/tcp + - 25565/udp notify: restart firewalld tags: firewall diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml index 8248757..22193cf 100644 --- a/ansible/roles/podman/tasks/main.yml +++ b/ansible/roles/podman/tasks/main.yml @@ -22,7 +22,7 @@ - import_tasks: containers/home/hass.yml vars: - image: ghcr.io/home-assistant/home-assistant:2024.6.4 + image: ghcr.io/home-assistant/home-assistant:2024.8.2 tags: hass - import_tasks: containers/home/partkeepr.yml 
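Review bot: Opening `8443/tcp` for crafty in the firewall.yml hunk exposes what the comment suggests is the Crafty controller web console directly on the host, while every other web service in this role (including assistant in this same commit) is reached only through the nginx TLS/modsecurity front end. If the console is meant to be LAN-only, bind the rule to an internal zone or a source-restricted rich rule instead of a bare port, or publish it through an nginx `*.https.conf.j2` site like the others. Either way a comment naming the intended audience would help the next reader, e.g. `# crafty web console (LAN only)` above `- 8443/tcp`. The firewalld task that owns this `loop` (its zone and state) starts outside the hunk, so I cannot tell which zone these ports land in.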
@@ -47,24 +47,24 @@ - import_tasks: containers/home/photos.yml vars: db_image: docker.io/library/mariadb:10.8 - image: docker.io/photoprism/photoprism:231021-ce + image: docker.io/photoprism/photoprism:240711-ce tags: photos - import_tasks: containers/home/cloud.yml vars: db_image: docker.io/library/mariadb:10.6 - image: docker.io/library/nextcloud:28.0.1-apache + image: docker.io/library/nextcloud:28.0.4-apache tags: cloud - import_tasks: containers/skudak/cloud.yml vars: db_image: docker.io/library/mariadb:10.6 - image: docker.io/library/nextcloud:28.0.1-apache + image: docker.io/library/nextcloud:28.0.4-apache tags: skudak, skudak-cloud - import_tasks: containers/debyltech/fulfillr.yml vars: - image: "{{ aws_ecr_endpoint }}/fulfillr:20240101.1715" + image: "{{ aws_ecr_endpoint }}/fulfillr:20241010.0018" tags: debyltech, fulfillr - import_tasks: containers/home/nosql.yml diff --git a/ansible/roles/podman/templates/fulfillr/production.json.j2 b/ansible/roles/podman/templates/fulfillr/production.json.j2 index 86b63d6..ec5270a 100644 --- a/ansible/roles/podman/templates/fulfillr/production.json.j2 +++ b/ansible/roles/podman/templates/fulfillr/production.json.j2 @@ -1,6 +1,6 @@ { "snipcart_api_key": "{{ snipcart_api_key }}", - "shippo_api_key": "{{ shippo_api_key }}", + "easypost_api_key": "{{ easypost_api_key }}", "label_file_type": "PNG", "aws": { "access_key": "{{ fulfillr_access_key }}", diff --git a/ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.conf.j2 index 567037c..ef3e268 100644 --- a/ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.conf.j2 +++ b/ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.conf.j2 
@@ -1,24 +1,13 @@ -upstream hass { - server 127.0.0.1:8123; -} server { - resolver 192.168.1.10 ipv6=off; - modsecurity on; - modsecurity_rules_file /etc/nginx/modsec_includes.conf; - listen 80; server_name {{ assistant_server_name }}; + location '/.well-known/acme-challenge' { + default_type "text/plain"; + root /srv/http/letsencrypt; + } + location / { - allow 192.168.0.0/16; - allow 127.0.0.1; - deny all; - - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_buffering off; - proxy_pass http://hass; + return 301 https://$host$request_uri; } } diff --git a/ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.https.conf.j2 new file mode 100644 index 0000000..59d6bcc --- /dev/null +++ b/ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.https.conf.j2 
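Review bot: The rewritten server block on the new side has no `listen` directive — `listen 80;` was removed together with the proxy settings and nothing replaces it — so this vhost now relies on nginx's implicit default (`*:80` only when nginx runs as root, `*:8000` otherwise), which is easy to miss in a container. Put it back explicitly, matching the dual-stack listens of the https file: `listen 80;` and `listen [::]:80;` directly above `server_name`. The redirect `return 301 https://$host$request_uri;` echoes the client-supplied Host header; if this block can ever be selected as the default server, `https://{{ assistant_server_name }}$request_uri` avoids redirecting to an attacker-chosen host, and it costs nothing here since `server_name` is already fixed.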
@@ -0,0 +1,60 @@
+upstream assistant {
+ server 127.0.0.1:8123;
+}
+
+geo $local_access {
+ default 0;
+ 192.168.1.1 1;
+}
+
+server {
+ modsecurity on;
+ modsecurity_rules_file /etc/nginx/modsec_includes.conf;
+
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name assistant.bdebyl.net;
+
+ ssl_certificate /etc/letsencrypt/live/{{ assistant_server_name }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ assistant_server_name }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ assistant_server_name }}/fullchain.pem;
+ ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ ssl_session_timeout 1d;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ resolver 9.9.9.9 valid=60s ipv6=off;
+
+ location / {
+ if ($local_access = 1) {
+ access_log off;
+ }
+ add_header Allow "GET, POST, HEAD" always;
+ add_header Referrer-Policy "same-origin" always;
+ add_header Strict-Transport-Security "max-age=630720000; includeSubDomains" always;
+ add_header X-Content-Type-Options "nosniff" always;
+
+ # Sent from upstream:
+ # add_header X-Frame-Options "SAMEORIGIN";
+ # add_header X-XSS-Protection "1; mode=block";
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_buffering off;
+ proxy_http_version 1.1;
+ proxy_pass http://assistant;
+ proxy_redirect off;
+
+ chunked_transfer_encoding off;
+ }
+}
\ No newline at end of file
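Review bot: The new https vhost has no source-based access control — the `geo $local_access` map is only consulted to switch `access_log off` for 192.168.1.1 — so `location /` proxies every client that reaches port 443 to the upstream on 8123 with TLS and modsecurity as the only gate, whereas the http vhost this replaces limited access to 192.168.0.0/16 and 127.0.0.1. If public exposure is intended, record that in a comment above `location /` (e.g. `# intentionally internet-reachable; authentication is enforced by the upstream`); otherwise add `allow 192.168.0.0/16; allow 127.0.0.1; deny all;` inside the location. `server_name assistant.bdebyl.net;` is hard-coded while the certificate paths and the http vhost use the role variable — write `server_name {{ assistant_server_name }};` so the two templates cannot drift apart. Silencing the access log for 192.168.1.1 removes the audit trail for that address entirely; if that is the gateway and LAN clients arrive from it via NAT hairpin, local requests to this service become invisible, so confirm that trade-off is acceptable. Minor: the file is added without a trailing newline.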
diff --git a/ansible/roles/podman/templates/nginx/sites/fulfillr.debyltech.com.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/fulfillr.debyltech.com.https.conf.j2 index 065beff..20bb807 100644 --- a/ansible/roles/podman/templates/nginx/sites/fulfillr.debyltech.com.https.conf.j2 +++ b/ansible/roles/podman/templates/nginx/sites/fulfillr.debyltech.com.https.conf.j2 @@ -3,7 +3,7 @@ geo $whitelisted { 192.168.0.0/16 1; } -upstream fulfillr { +upstream fulfillr-api { server 127.0.0.1:9054; } @@ -34,7 +34,7 @@ server { return 302 $scheme://bdebyl.net$request_uri; } - location / { + location /api { add_header Referrer-Policy "same-origin" always; # add_header Strict-Transport-Security "max-age=630720000; includeSubDomains" always; add_header X-Content-Type-Options "nosniff" always; @@ -49,7 +49,7 @@ server { proxy_buffering off; proxy_http_version 1.1; - proxy_pass http://fulfillr; + proxy_pass http://fulfillr-api; proxy_redirect off; chunked_transfer_encoding off; diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml index 7d7355c..b152d30 100644 Binary files a/ansible/vars/vault.yml and b/ansible/vars/vault.yml differ
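Review bot: `location /api` is a prefix match, so it also captures paths such as `/apiv2` or `/api-docs`; if only the API subtree should reach the backend, use `location /api/ {` (the URI-less `proxy_pass http://fulfillr-api;` still forwards the original path unchanged). Requests outside `/api` are no longer handled by this block at all; whether they now fall to the `return 302` location whose tail is visible at the top of the hunk or to nginx's default root handling depends on the rest of the server block, which begins outside the hunk — worth confirming that `/` does not now answer with a 404 or the document root. The upstream rename and the `proxy_pass` update in the other two hunks of this file are consistent with each other.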