diff --git a/Makefile b/Makefile
index feca4c8..d010db0 100644
--- a/Makefile
+++ b/Makefile
@@ -22,7 +22,7 @@ VAULT_FILE=ansible/vars/vault.yml
 # Variables
 ANSIBLE_INVENTORY=ansible/inventories/home/hosts.yml
-SSH_KEY=${HOME}/.ssh/id_rsa_home_ansible
+#SSH_KEY=${HOME}/.ssh/id_rsa_home_ansible
 # Default to all ansible tags to run (passed via 'make deploy TAGS=sometag')
 TAGS?=all
@@ -52,7 +52,7 @@ SKIP_FILE=./.lint-vars.sh
 # Targets
 deploy: ${ANSIBLE} ${VAULT_FILE}
- ${ANSIBLE} --diff --private-key ${SSH_KEY} -t ${TAGS} --skip-tags ${SKIP_TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml
+ ${ANSIBLE} --diff -t ${TAGS} --skip-tags ${SKIP_TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml
 list-tags: ${ANSIBLE} ${VAULT_FILE}
 ${ANSIBLE} --list-tags -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml
@@ -61,7 +61,7 @@ list-tasks: ${ANSIBLE} ${VAULT_FILE}
 ${ANSIBLE} --list-tasks -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml
 check: ${ANSIBLE} ${VAULT_FILE}
- ${ANSIBLE} --check --diff --private-key ${SSH_KEY} -t ${TAGS} --skip-tags ${SKIP_TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml
+ ${ANSIBLE} --check --diff --private-key -t ${TAGS} --skip-tags ${SKIP_TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml
 vault: ${ANSIBLE_VAULT} ${VAULT_FILE}
 ${ANSIBLE_VAULT} edit --vault-password-file ${VAULT_PASS_FILE} ${VAULT_FILE}
diff --git a/ansible/roles/podman/defaults/main.yml b/ansible/roles/podman/defaults/main.yml
index 5fc7626..910c3dd 100644
--- a/ansible/roles/podman/defaults/main.yml
+++ b/ansible/roles/podman/defaults/main.yml
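Review bot: In the third hunk the `check` recipe keeps `--private-key` but drops its value, leaving `--private-key -t ${TAGS}`; the option expects a path, so the ansible-playbook option parser will reject the line (or, at best, mis-read `-t` as the key file), while the `deploy` recipe in the second hunk removed the whole option. The line should match `deploy`: `${ANSIBLE} --check --diff -t ${TAGS} --skip-tags ${SKIP_TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml`. The first hunk comments out `SSH_KEY` rather than deleting it; a one-line comment such as `# SSH key is now taken from ssh config / the agent, not passed explicitly` would tell the next reader why, and stop it being uncommented back in.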
@@ -1,6 +1,7 @@
 ---
 bookstack_path: "{{ podman_volumes }}/bookstack"
 cloud_path: "{{ podman_volumes }}/cloud"
+debyltech_path: "{{ podman_volumes }}/debyltech"
 drone_path: "{{ podman_volumes }}/drone"
 graylog_path: "{{ podman_volumes }}/graylog"
 hass_path: "{{ podman_volumes }}/hass"
@@ -8,12 +9,13 @@ nginx_path: "{{ podman_volumes }}/nginx"
 partkeepr_path: "{{ podman_volumes }}/partkeepr"
 photos_path: "{{ podman_volumes }}/photos"
 pihole_path: "{{ podman_volumes }}/pihole"
-valheim_path: "{{ podman_volumes }}/valheim"
+satisfactory_path: "{{ podman_volumes }}/satisfactory"
 drone_server_proto: "http"
 drone_runner_capacity: "8"
 # nginx and modsec configuration
+api_debyltech_server_name: api.debyltech.com
 assistant_server_name: assistant.bdebyl.net
 bookstack_server_name: wiki.skudakrennsport.com
 ci_server_name: ci.bdebyl.net
diff --git a/ansible/roles/podman/tasks/configuration-nginx-http.yml b/ansible/roles/podman/tasks/configuration-nginx-http.yml
index 29bedf5..b9e07c0 100644
--- a/ansible/roles/podman/tasks/configuration-nginx-http.yml
+++ b/ansible/roles/podman/tasks/configuration-nginx-http.yml
@@ -71,6 +71,7 @@
 - "{{ photos_server_name }}.conf"
 - "{{ pi_server_name }}.conf"
 - "{{ video_server_name }}.conf"
+ - "{{ api_debyltech_server_name }}.conf"
 notify:
 - restorecon podman
 - restart nginx
@@ -95,6 +96,7 @@
 - "{{ photos_server_name }}.conf"
 - "{{ pi_server_name }}.conf"
 - "{{ video_server_name }}.conf"
+ - "{{ api_debyltech_server_name }}.conf"
 notify:
 - restorecon podman
 - restart nginx
diff --git a/ansible/roles/podman/tasks/configuration-nginx-https.yml b/ansible/roles/podman/tasks/configuration-nginx-https.yml
index 1b3016b..10a0911 100644
--- a/ansible/roles/podman/tasks/configuration-nginx-https.yml
+++ b/ansible/roles/podman/tasks/configuration-nginx-https.yml
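Review bot: The second defaults hunk removes `valheim_path`, but nothing else in this diff touches a valheim task, template or `main.yml` import; if any task still references the variable, the play now fails with an undefined-variable error at template time, so confirm the consumer was removed earlier or in a part of the commit outside this view. The new `api_debyltech_server_name` is picked up by both loops in configuration-nginx-http.yml below, which matches how the existing per-site variables are wired.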
@@ -39,6 +39,7 @@
 - "{{ cloud_server_name }}.https.conf"
 - "{{ parts_server_name }}.https.conf"
 - "{{ photos_server_name }}.https.conf"
+ - "{{ api_debyltech_server_name }}.https.conf"
 notify:
 - restorecon podman
 - restart nginx
@@ -58,6 +59,7 @@
 - "{{ cloud_server_name }}.https.conf"
 - "{{ parts_server_name }}.https.conf"
 - "{{ photos_server_name }}.https.conf"
+ - "{{ api_debyltech_server_name }}.https.conf"
 notify:
 - restorecon podman
 - restart nginx
diff --git a/ansible/roles/podman/tasks/container-awsddns.yml b/ansible/roles/podman/tasks/container-awsddns.yml
index cb01b51..a0d2d65 100644
--- a/ansible/roles/podman/tasks/container-awsddns.yml
+++ b/ansible/roles/podman/tasks/container-awsddns.yml
@@ -8,7 +8,7 @@
 image: docker.io/bdebyl/awsddns:1.0.34
 recreate: false
 restart: true
- restart_policy: on-failure
+ restart_policy: on-failure:3
 log_driver: journald
 env:
 AWS_ZONE_TTL: 60
@@ -34,7 +34,7 @@
 image: docker.io/bdebyl/awsddns:1.0.34
 recreate: false
 restart: true
- restart_policy: on-failure
+ restart_policy: on-failure:3
 log_driver: journald
 env:
 AWS_ZONE_TTL: 60
diff --git a/ansible/roles/podman/tasks/container-bookstack.yml b/ansible/roles/podman/tasks/container-bookstack.yml
index c9c605c..c2edac9 100644
--- a/ansible/roles/podman/tasks/container-bookstack.yml
+++ b/ansible/roles/podman/tasks/container-bookstack.yml
@@ -34,7 +34,7 @@
 image: docker.io/mysql:5.7.21
 recreate: false
 restart: false
- restart_policy: on-failure
+ restart_policy: on-failure:3
 log_driver: journald
 network:
 - shared
@@ -62,7 +62,7 @@
 image: docker.io/solidnerd/bookstack:22.11.1
 recreate: true
 restart: false
- restart_policy: on-failure
+ restart_policy: on-failure:3
 log_driver: journald
 network:
 - shared
diff --git a/ansible/roles/podman/tasks/container-cloud.yml b/ansible/roles/podman/tasks/container-cloud.yml
index 42bd23d..ea96787 100644
--- a/ansible/roles/podman/tasks/container-cloud.yml
+++ b/ansible/roles/podman/tasks/container-cloud.yml
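Review bot: `restart_policy: on-failure:3` in the awsddns hunks bounds the restart loop, but after the third failed exit podman leaves the container stopped for good, so a short upstream or DNS outage turns a DDNS updater that is otherwise meant to keep running (`restart: true`) into a permanently-down service until the next deploy. If the role's generated systemd units (systemd-generate.yml) are what actually manage these containers, their `Restart=` setting may already take precedence over the podman policy, so it is worth confirming which one governs before relying on the `:3`. The same change appears in container-bookstack.yml, container-cloud.yml, container-drone.yml, container-graylog.yml, container-hass.yml, container-partkeepr.yml, container-photos.yml and container-pihole.yml; a one-line comment at the first occurrence, `# on-failure:3 — bound crash loops; long-term restarts are the systemd unit's job`, would record the intent once.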
@@ -52,7 +52,7 @@
 image: docker.io/mariadb:10.5
 recreate: false
 restart: false
- restart_policy: on-failure
+ restart_policy: on-failure:3
 log_driver: journald
 network:
 - shared
@@ -79,7 +79,7 @@
 image: docker.io/nextcloud:24.0.5-apache
 recreate: false
 restart: false
- restart_policy: on-failure
+ restart_policy: on-failure:3
 log_driver: journald
 network:
 - shared
diff --git a/ansible/roles/podman/tasks/container-debyltech.yml b/ansible/roles/podman/tasks/container-debyltech.yml
new file mode 100644
index 0000000..1db8958
--- /dev/null
+++ b/ansible/roles/podman/tasks/container-debyltech.yml
@@ -0,0 +1,51 @@
+---
+- name: create required debyltech volumes
+ become: true
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ podman_subuid.stdout }}"
+ group: "{{ podman_subuid.stdout }}"
+ mode: 0755
+ notify: restorecon podman
+ loop:
+ - "{{ debyltech_path }}/api"
+ - "{{ debyltech_path }}/api/config"
+ tags: debyltech
+
+- name: template api.debyltech.com files
+ become: true
+ ansible.builtin.template:
+ src: "debyltech/{{ item }}.j2"
+ dest: "{{ debyltech_path }}/api/config/{{ item }}"
+ owner: "{{ podman_user }}"
+ group: "{{ podman_user }}"
+ mode: 0644
+ loop:
+ - "config.json"
+ tags: debyltech
+
+- name: create api.debyltech.com container
+ become: true
+ become_user: "{{ podman_user }}"
+ containers.podman.podman_container:
+ name: apidebyltech
+ image: docker.io/debyltech/go-snipcart-webhook:0.1.34
+ command: --config /conf/config.json --release
+ recreate: true
+ restart: true
+ restart_policy: on-failure:3
+ log_driver: journald
+ network:
+ - shared
+ volumes:
+ - "{{ debyltech_path }}/api/config:/conf"
+ ports:
+ - "8040:8080"
+ tags: debyltech
+
+- name: create systemd startup job for api.debyltech.com
+ include_tasks: systemd-generate.yml
+ vars:
+ container_name: apidebyltech
+ tags: debyltech
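Review bot: The template task in container-debyltech.yml writes `config.json`, which carries `snipcart_api_key` and `shippo_api_key`, with `mode: 0644` under directories created `0755`, so the keys are readable by every local account on the host; `mode: 0600` is sufficient as long as the process inside the container runs as the uid podman maps to `podman_user` — confirm that against the image before tightening. Because the Makefile runs plays with `--diff`, the first render of this template also prints the full file, keys included, to the console and any CI log; adding `diff: false` and `no_log: true` to the task keeps them out. Unlike container-satisfactory.yml, there is no `flush_handlers` between creating the volume directories and starting the container, so the `restorecon podman` handler fires only at the end of the play and the first container start may see unlabeled volumes on an SELinux host.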
diff --git a/ansible/roles/podman/tasks/container-drone.yml b/ansible/roles/podman/tasks/container-drone.yml
index 0475913..80a1984 100644
--- a/ansible/roles/podman/tasks/container-drone.yml
+++ b/ansible/roles/podman/tasks/container-drone.yml
@@ -22,9 +22,9 @@
 containers.podman.podman_container:
 name: drone
 image: docker.io/drone/drone:2.16.0
- recreate: false
+ recreate: true
 restart: true
- restart_policy: on-failure
+ restart_policy: on-failure:3
 log_driver: journald
 network:
 - shared
@@ -54,10 +54,10 @@
 become_user: "{{ podman_user }}"
 containers.podman.podman_container:
 name: drone-runner
- image: docker.io/drone/drone-runner-docker:1.8.1
+ image: docker.io/drone/drone-runner-docker:1.8.3
 recreate: false
 restart: true
- restart_policy: on-failure
+ restart_policy: on-failure:3
 log_driver: journald
 network:
 - shared
diff --git a/ansible/roles/podman/tasks/container-graylog.yml b/ansible/roles/podman/tasks/container-graylog.yml
index be5f263..6ac5c5b 100644
--- a/ansible/roles/podman/tasks/container-graylog.yml
+++ b/ansible/roles/podman/tasks/container-graylog.yml
@@ -51,7 +51,7 @@
 image: docker.io/mongo:4.2
 recreate: false
 restart: false
- restart_policy: on-failure
+ restart_policy: on-failure:3
 network:
 - shared
 volumes:
@@ -72,7 +72,7 @@
 image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
 recreate: false
 restart: false
- restart_policy: on-failure
+ restart_policy: on-failure:3
 network:
 - shared
 volumes:
@@ -99,7 +99,7 @@
 image: docker.io/graylog/graylog:4.3.11
 recreate: true
 restart: true
- restart_policy: on-failure
+ restart_policy: on-failure:3
 sysctl:
 net.ipv6.conf.all.disable_ipv6: 1
 net.ipv6.conf.default.disable_ipv6: 1
diff --git a/ansible/roles/podman/tasks/container-hass.yml b/ansible/roles/podman/tasks/container-hass.yml
index 7f35eee..e0c7573 100644
--- a/ansible/roles/podman/tasks/container-hass.yml
+++ b/ansible/roles/podman/tasks/container-hass.yml
@@ -39,7 +39,7 @@
 image: ghcr.io/home-assistant/home-assistant:stable
 recreate: false
 restart: true
- restart_policy: on-failure
+ restart_policy: on-failure:3
 log_driver: journald
 cap_add:
 - CAP_NET_RAW
diff --git a/ansible/roles/podman/tasks/container-partkeepr.yml b/ansible/roles/podman/tasks/container-partkeepr.yml
index 11f9c02..2481026 100644
--- a/ansible/roles/podman/tasks/container-partkeepr.yml
+++ b/ansible/roles/podman/tasks/container-partkeepr.yml
@@ -24,7 +24,7 @@
 image: docker.io/mariadb:10.0
 recreate: false
 restart: false
- restart_policy: on-failure
+ restart_policy: on-failure:3
 log_driver: journald
 network:
 - shared
@@ -51,7 +51,7 @@
 image: docker.io/bdebyl/partkeepr:0.1.10
 recreate: false
 restart: false
- restart_policy: on-failure
+ restart_policy: on-failure:3
 log_driver: journald
 network:
 - shared
diff --git a/ansible/roles/podman/tasks/container-photos.yml b/ansible/roles/podman/tasks/container-photos.yml
index 52f58bd..6c2a384 100644
--- a/ansible/roles/podman/tasks/container-photos.yml
+++ b/ansible/roles/podman/tasks/container-photos.yml
@@ -35,7 +35,7 @@
 image: docker.io/mariadb:10.8
 recreate: false
 restart: false
- restart_policy: on-failure
+ restart_policy: on-failure:3
 log_driver: journald
 network:
 - shared
@@ -63,7 +63,7 @@
 image: docker.io/photoprism/photoprism:221118-jammy
 recreate: false
 restart: false
- restart_policy: on-failure
+ restart_policy: on-failure:3
 log_driver: journald
 network:
 - shared
diff --git a/ansible/roles/podman/tasks/container-pihole.yml b/ansible/roles/podman/tasks/container-pihole.yml
index 6086ab5..8e77fb4 100644
--- a/ansible/roles/podman/tasks/container-pihole.yml
+++ b/ansible/roles/podman/tasks/container-pihole.yml
@@ -25,7 +25,7 @@
 image: docker.io/pihole/pihole:2022.04.3
 recreate: false
 restart: true
- restart_policy: on-failure
+ restart_policy: on-failure:3
 log_driver: journald
 cap_add:
 - CAP_NET_BIND_SERVICE
diff --git a/ansible/roles/podman/tasks/container-satisfactory.yml b/ansible/roles/podman/tasks/container-satisfactory.yml
new file mode 100644
index 0000000..1c75096
--- /dev/null
+++ b/ansible/roles/podman/tasks/container-satisfactory.yml
@@ -0,0 +1,46 @@
+---
+- name: create satisfactory host directory volumes
+ become: true
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ podman_user }}"
+ group: "{{ podman_user }}"
+ mode: 0755
+ notify: restorecon podman
+ loop:
+ - "{{ satisfactory_path }}/config"
+ tags: satisfactory
+
+- name: flush handlers
+ ansible.builtin.meta: flush_handlers
+ tags: satisfactory
+
+- name: create satisfactory server container
+ become: true
+ become_user: "{{ podman_user }}"
+ containers.podman.podman_container:
+ name: satisfactory
+ image: docker.io/wolveix/satisfactory-server:latest
+ recreate: true
+ restart: true
+ restart_policy: on-failure:3
+ log_driver: journald
+ memory: 16g
+ memory_reservation: 12g
+ volumes:
+ - "{{ satisfactory_path }}/config:/config"
+ env:
+ MAXPLAYERS: 4
+ STEAMBETA: "false"
+ ports:
+ - "7777:7777/udp"
+ - "15000:15000/udp"
+ - "15777:15777/udp"
+ tags: satisfactory
+
+- name: create systemd startup job for satisfactory
+ include_tasks: systemd-generate.yml
+ vars:
+ container_name: satisfactory
+ tags: satisfactory
diff --git a/ansible/roles/podman/tasks/firewall.yml b/ansible/roles/podman/tasks/firewall.yml
index 21cee42..af72177 100644
--- a/ansible/roles/podman/tasks/firewall.yml
+++ b/ansible/roles/podman/tasks/firewall.yml
@@ -18,6 +18,10 @@
 - 53/udp
 - 6875/tcp
 - 80/tcp
+ # satisfactory
+ - 7777/udp
+ - 15000/udp
+ - 15777/udp
 notify: restart firewalld
 tags: firewall
diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml
index e4e58f4..220cf6b 100644
--- a/ansible/roles/podman/tasks/main.yml
+++ b/ansible/roles/podman/tasks/main.yml
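Review bot: The satisfactory container is the only one in this diff on a floating tag, `image: docker.io/wolveix/satisfactory-server:latest`, and it is paired with `recreate: true`, so every deploy can pull whatever upstream last published and replace the running game server with it, with no record in this repo of what was actually deployed. Pinning a release tag as the other `container-*.yml` files do (the exact tag would need to be looked up — `<PINNED_TAG>` here) keeps the deploy reproducible and makes upgrades a reviewable diff. The firewall hunk opens 7777, 15000 and 15777/udp to match the published ports, and the `# satisfactory` comment above them is the right way to tie the two files together.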
@@ -11,4 +11,6 @@
 - import_tasks: container-bookstack.yml
 - import_tasks: container-photos.yml
 - import_tasks: container-cloud.yml
+- import_tasks: container-debyltech.yml
 - import_tasks: container-nginx.yml
+- import_tasks: container-satisfactory.yml
diff --git a/ansible/roles/podman/templates/debyltech/config.json.j2 b/ansible/roles/podman/templates/debyltech/config.json.j2
new file mode 100644
index 0000000..c9a6b9a
--- /dev/null
+++ b/ansible/roles/podman/templates/debyltech/config.json.j2
@@ -0,0 +1,21 @@
+{
+ "snipcart_api_key": "{{ snipcart_api_key }}",
+ "shippo_api_key": "{{ shippo_api_key }}",
+ "weight_unit": "g",
+ "dimension_unit": "cm",
+ "manufacture_country": "US",
+ "sender_address": {
+ "name": "de Byl Technologies LLC",
+ "address1": "176 Lull Rd",
+ "city": "Weare",
+ "state": "NH",
+ "country": "US",
+ "zip": "03281",
+ "email": "sales@debyltech.com"
+ },
+ "default_parcel": {
+ "length": "10",
+ "width": "19",
+ "height": "16.5"
+ }
+}
diff --git a/ansible/roles/podman/templates/nginx/sites/api.debyltech.com.conf.j2 b/ansible/roles/podman/templates/nginx/sites/api.debyltech.com.conf.j2
new file mode 100644
index 0000000..7adde35
--- /dev/null
+++ b/ansible/roles/podman/templates/nginx/sites/api.debyltech.com.conf.j2
@@ -0,0 +1,16 @@
+server {
+ modsecurity on;
+ modsecurity_rules_file /etc/nginx/modsec_includes.conf;
+
+ listen 80;
+ server_name {{ api_debyltech_server_name }};
+
+ location '/.well-known/acme-challenge' {
+ default_type "text/plain";
+ root /srv/http/letsencrypt;
+ }
+
+ location / {
+ return 302 https://$host$request_uri;
+ }
+}
\ No newline at end of file
diff --git a/ansible/roles/podman/templates/nginx/sites/api.debyltech.com.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/api.debyltech.com.https.conf.j2
new file mode 100644
index 0000000..5a57fa5
--- /dev/null
+++ b/ansible/roles/podman/templates/nginx/sites/api.debyltech.com.https.conf.j2
@@ -0,0 +1,42 @@
+upstream apidebyltech {
+ server 127.0.0.1:8040;
+}
+
+server {
+ modsecurity on;
+ modsecurity_rules_file /etc/nginx/modsec_includes.conf;
+
+ resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s;
+
+ listen 443 ssl http2;
+ server_name {{ api_debyltech_server_name }};
+ client_max_body_size 500M;
+
+ ssl_certificate /etc/letsencrypt/live/{{ api_debyltech_server_name }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ api_debyltech_server_name }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ api_debyltech_server_name }}/fullchain.pem;
+ ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ ssl_session_timeout 1d;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ location / {
+ add_header Referrer-Policy "same-origin" always;
+ add_header Strict-Transport-Security "max-age=630720000; includeSubDomains" always;
+ add_header X-Content-Type-Options "nosniff" always;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+
+ proxy_buffering off;
+ proxy_http_version 1.1;
+ proxy_pass http://apidebyltech;
+ }
+}
\ No newline at end of file
diff --git a/ansible/roles/ssl/tasks/certbot.yml b/ansible/roles/ssl/tasks/certbot.yml
index c2efce7..a0ed4f2 100644
--- a/ansible/roles/ssl/tasks/certbot.yml
+++ b/ansible/roles/ssl/tasks/certbot.yml
@@ -13,6 +13,7 @@
 - "{{ cloud_server_name }}"
 - "{{ parts_server_name }}"
 - "{{ photos_server_name }}"
+ - "{{ api_debyltech_server_name }}"
 tags: ssl
 - name: set group ownership for /etc/letsencrypt/
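Review bot: `proxy_set_header Upgrade $http_upgrade;` in the `location /` block is only half of the WebSocket upgrade idiom — without a matching `proxy_set_header Connection "upgrade";` (normally derived from a `map $http_upgrade $connection_upgrade` block) the backend never sees a usable upgrade, so either add the Connection header or drop the Upgrade line if the webhook receiver never upgrades; it reads like a line carried over from another vhost. `client_max_body_size 500M;` likewise looks inherited from a file-upload site; a webhook endpoint that only receives JSON notifications can be bounded far lower, which limits how much an unauthenticated sender can make the backend buffer. The upstream `server 127.0.0.1:8040;` matches the `"8040:8080"` mapping in container-debyltech.yml, so that wiring is consistent.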
diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml
index 0f70cb3..28cf17e 100644
Binary files a/ansible/vars/vault.yml and b/ansible/vars/vault.yml differ