diff --git a/ansible/roles/podman/defaults/main.yml b/ansible/roles/podman/defaults/main.yml
index b470bf9..8c68086 100644
--- a/ansible/roles/podman/defaults/main.yml
+++ b/ansible/roles/podman/defaults/main.yml
@@ -1,6 +1,7 @@
 ---
 bookstack_path: "{{ podman_volumes }}/bookstack"
 cloud_path: "{{ podman_volumes }}/cloud"
+cloud_skudak_path: "{{ podman_volumes }}/skudakcloud"
 debyltech_path: "{{ podman_volumes }}/debyltech"
 drone_path: "{{ podman_volumes }}/drone"
 factorio_path: "{{ podman_volumes }}/factorio"
@@ -23,6 +24,7 @@ assistant_server_name: assistant.bdebyl.net
 bookstack_server_name: wiki.skudakrennsport.com
 ci_server_name: ci.bdebyl.net
 cloud_server_name: cloud.bdebyl.net
+cloud_skudak_server_name: cloud.skudakrennsport.com
 fulfillr_server_name: fulfillr.debyltech.com
 home_server_name: home.bdebyl.net
 logs_server_name: logs.bdebyl.net
diff --git a/ansible/roles/podman/tasks/configuration-nginx-http.yml b/ansible/roles/podman/tasks/configuration-nginx-http.yml
index 8900238..1e3a05d 100644
--- a/ansible/roles/podman/tasks/configuration-nginx-http.yml
+++ b/ansible/roles/podman/tasks/configuration-nginx-http.yml
@@ -65,6 +65,7 @@
 - "{{ bookstack_server_name }}.conf"
 - "{{ ci_server_name }}.http.conf"
 - "{{ cloud_server_name }}.conf"
+ - "{{ cloud_skudak_server_name }}.conf"
 - "{{ fulfillr_server_name }}.conf"
 - "{{ home_server_name }}.conf"
 - "{{ logs_server_name }}.conf"
@@ -88,6 +89,7 @@
 - "{{ bookstack_server_name }}.conf"
 - "{{ ci_server_name }}.http.conf"
 - "{{ cloud_server_name }}.conf"
+ - "{{ cloud_skudak_server_name }}.conf"
 - "{{ fulfillr_server_name }}.conf"
 - "{{ home_server_name }}.conf"
 - "{{ logs_server_name }}.conf"
diff --git a/ansible/roles/podman/tasks/configuration-nginx-https.yml b/ansible/roles/podman/tasks/configuration-nginx-https.yml
index 5b3824a..15241a9 100644
--- a/ansible/roles/podman/tasks/configuration-nginx-https.yml
+++ b/ansible/roles/podman/tasks/configuration-nginx-https.yml
@@ -37,6 +37,7 @@
 - "{{ bookstack_server_name }}.https.conf"
 - "{{ ci_server_name }}.https.conf"
 - "{{ cloud_server_name }}.https.conf"
+ - "{{ cloud_skudak_server_name }}.https.conf"
 - "{{ fulfillr_server_name }}.https.conf"
 - "{{ parts_server_name }}.https.conf"
 - "{{ photos_server_name }}.https.conf"
@@ -57,6 +58,7 @@
 - "{{ bookstack_server_name }}.https.conf"
 - "{{ ci_server_name }}.https.conf"
 - "{{ cloud_server_name }}.https.conf"
+ - "{{ cloud_skudak_server_name }}.https.conf"
 - "{{ fulfillr_server_name }}.https.conf"
 - "{{ parts_server_name }}.https.conf"
 - "{{ photos_server_name }}.https.conf"
diff --git a/ansible/roles/podman/tasks/container-cloud-skudak.yml b/ansible/roles/podman/tasks/container-cloud-skudak.yml
new file mode 100644
index 0000000..14be5bc
--- /dev/null
+++ b/ansible/roles/podman/tasks/container-cloud-skudak.yml
@@ -0,0 +1,100 @@
+---
+- name: create required skudak cloud volumes
+ become: true
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ podman_subuid.stdout }}"
+ group: "{{ podman_subuid.stdout }}"
+ mode: 0755
+ notify: restorecon podman
+ loop:
+ - "{{ cloud_skudak_path }}/apps"
+ - "{{ cloud_skudak_path }}/config"
+ - "{{ cloud_skudak_path }}/data"
+ - "{{ cloud_skudak_path }}/mysql"
+
+- name: unshare chown the skudak cloud volumes
+ become: true
+ become_user: "{{ podman_user }}"
+ changed_when: false
+ ansible.builtin.command: |
+ podman unshare chown -R 33:33 {{ cloud_skudak_path }}/apps {{ cloud_skudak_path }}/data {{ cloud_skudak_path}}/config
+
+- name: get user/group id from unshare
+ become: true
+ ansible.builtin.stat:
+ path: "{{ cloud_skudak_path }}/data"
+ register: cloud_skudak_owner
+
+- name: mount cloud cifs
+ become: true
+ ansible.posix.mount:
+ src: "{{ cloud_skudak_cifs_src }}"
+ path: "{{ cloud_skudak_path }}/data"
+ fstype: cifs
+ opts: "username=skucloud,password={{ cloud_skudak_cifs_pass }},uid={{ cloud_skudak_owner.stat.uid }},gid={{ cloud_skudak_owner.stat.uid }},file_mode=0770,dir_mode=0770"
+ state: mounted
+
+- name: flush handlers
+ ansible.builtin.meta: flush_handlers
+
+- import_tasks: podman/podman-check.yml
+ vars:
+ container_name: skudak-cloud-db
+ container_image: "{{ db_image }}"
+
+- name: create skudak-cloud-db container
+ become: true
+ become_user: "{{ podman_user }}"
+ containers.podman.podman_container:
+ name: skudak-cloud-db
+ image: "{{ db_image }}"
+ restart_policy: on-failure:3
+ log_driver: journald
+ network:
+ - shared
+ env:
+ MYSQL_ROOT_PASSWORD: "{{ cloud_skudak_db_root_pass }}"
+ MYSQL_DATABASE: skucloud
+ MYSQL_PASSWORD: "{{ cloud_skudak_db_pass }}"
+ MYSQL_USER: skucloud
+ volumes:
+ - "{{ cloud_skudak_path }}/mysql:/var/lib/mysql"
+
+- name: create systemd startup job for skudak-cloud-db
+ include_tasks: podman/systemd-generate.yml
+ vars:
+ container_name: skudak-cloud-db
+
+- import_tasks: podman/podman-check.yml
+ vars:
+ container_name: skudak-cloud
+ container_image: "{{ image }}"
+
+- name: create skudak cloud container
+ become: true
+ become_user: "{{ podman_user }}"
+ containers.podman.podman_container:
+ name: skudak-cloud
+ image: "{{ image }}"
+ restart_policy: on-failure:3
+ log_driver: journald
+ network:
+ - shared
+ env:
+ MYSQL_PASSWORD: "{{ cloud_skudak_db_pass }}"
+ MYSQL_DATABASE: skucloud
+ MYSQL_HOST: skudak-cloud-db
+ MYSQL_USER: skucloud
+ volumes:
+ - "{{ cloud_skudak_path }}/apps:/var/www/html/custom_apps"
+ - "{{ cloud_skudak_path }}/data:/var/www/html/data"
+ - "{{ cloud_skudak_path }}/config:/var/www/html/config"
+ ports:
+ - "8090:80"
+
+- name: create systemd startup job for cloud
+ include_tasks: podman/systemd-generate.yml
+ vars:
+ container_name: skudak-cloud
diff --git a/ansible/roles/podman/tasks/container-cloud.yml b/ansible/roles/podman/tasks/container-cloud.yml
index c393092..802fe53 100644
--- a/ansible/roles/podman/tasks/container-cloud.yml
+++ b/ansible/roles/podman/tasks/container-cloud.yml
@@ -19,7 +19,7 @@
 become_user: "{{ podman_user }}"
 changed_when: false
 ansible.builtin.command: |
- podman unshare chown -R 33:33 {{ cloud_path }}/data {{ cloud_path}}/config
+ podman unshare chown -R 33:33 {{ cloud_path }}/apps {{ cloud_path }}/data {{ cloud_path}}/config
 - name: get user/group id from unshare
 become: true
@@ -33,7 +33,7 @@
 src: "{{ cloud_cifs_src }}"
 path: "{{ cloud_path }}/data"
 fstype: cifs
- opts: "username=cloud,password={{ cloud_cifs_pass }},uid={{ cloud_owner.stat.uid }},gid={{ cloud_owner.stat.uid }}"
+ opts: "username=cloud,password={{ cloud_cifs_pass }},uid={{ cloud_owner.stat.uid }},gid={{ cloud_owner.stat.uid }},file_mode=0770,dir_mode=0770"
 state: mounted
 - name: flush handlers
diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml
index daa945b..f2faf89 100644
--- a/ansible/roles/podman/tasks/main.yml
+++ b/ansible/roles/podman/tasks/main.yml
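Review bot: The `ports:` entry `- "8090:80"` on the skudak-cloud container publishes on every host interface, so unless a host firewall blocks it Nextcloud is reachable over plain HTTP on :8090 directly, bypassing the TLS termination, HSTS and ModSecurity that the https vhost in this commit provides; the nginx upstream only needs loopback, so publish as `- "127.0.0.1:8090:80"`. The two `containers.podman.podman_container` tasks pass `MYSQL_ROOT_PASSWORD`/`MYSQL_PASSWORD` through `env`, and the mount task puts `cloud_skudak_cifs_pass` in `opts`, so all three tasks should carry `no_log: true` or the vault values end up in play output. The mount also uses `gid={{ cloud_skudak_owner.stat.uid }}`, which reads like it was meant to be `stat.gid` and only works while the subuid and subgid ranges coincide — worth confirming.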
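Review bot: The reworked `opts:` line in container-cloud.yml still carries `password={{ cloud_cifs_pass }}`, and `ansible.posix.mount` with `state: mounted` writes that option string into /etc/fstab, so the share password persists in a world-readable file and in the mount argv. Put the credentials in a root-only (0600) file and reference it instead: `opts: "credentials=/root/.cifs-cloud,uid={{ cloud_owner.stat.uid }},gid={{ cloud_owner.stat.uid }},file_mode=0770,dir_mode=0770"`, with the file written by a separate templated task that has `no_log: true`. Separately, the extended `chown -R` now also walks `{{ cloud_path }}/data`, which on every run after the first is already a live CIFS mount, so the recursion traverses the whole share; consider running the chown only on a not-yet-mounted path. The task containing the opts line starts before and ends after the hunk.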
@@ -49,6 +49,12 @@
 image: docker.io/library/nextcloud:24.0.5-apache
 tags: cloud
+- import_tasks: container-cloud-skudak.yml
+ vars:
+ db_image: docker.io/library/mariadb:10.5
+ image: docker.io/library/nextcloud:24.0.5-apache
+ tags: skucloud
+
 - import_tasks: container-fulfillr.yml
 vars:
 image: "{{ aws_ecr_endpoint }}/fulfillr:20231005.1415"
diff --git a/ansible/roles/podman/templates/nginx/sites/cloud.skudakrennsport.com.conf.j2 b/ansible/roles/podman/templates/nginx/sites/cloud.skudakrennsport.com.conf.j2
new file mode 100644
index 0000000..0196336
--- /dev/null
+++ b/ansible/roles/podman/templates/nginx/sites/cloud.skudakrennsport.com.conf.j2
@@ -0,0 +1,16 @@
+server {
+ modsecurity on;
+ modsecurity_rules_file /etc/nginx/modsec_includes.conf;
+
+ listen 80;
+ server_name {{ cloud_skudak_server_name }};
+
+ location '/.well-known/acme-challenge' {
+ default_type "text/plain";
+ root /srv/http/letsencrypt;
+ }
+
+ location / {
+ return 302 https://$host$request_uri;
+ }
+}
\ No newline at end of file
diff --git a/ansible/roles/podman/templates/nginx/sites/cloud.skudakrennsport.com.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/cloud.skudakrennsport.com.https.conf.j2
new file mode 100644
index 0000000..3a4f65c
--- /dev/null
+++ b/ansible/roles/podman/templates/nginx/sites/cloud.skudakrennsport.com.https.conf.j2
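Review bot: The new import pins `db_image: docker.io/library/mariadb:10.5` and `image: docker.io/library/nextcloud:24.0.5-apache` by tag only; both tags are mutable, so what the play pulls can change between runs without any diff here and the deployment cannot be tied to a known image — pin by digest as well, e.g. `image: docker.io/library/nextcloud:24.0.5-apache@sha256:<digest>`, and the same for the mariadb line. The `mariadb:10.5` tag is a floating minor and will also pick up whatever patch release is current at pull time. Nextcloud 24.x appears to be past its upstream maintenance window by the date the neighbouring `fulfillr:20231005.1415` tag implies, so this new instance would start without security updates; that concern applies equally to the existing cloud import it mirrors, and is worth a comment on the `image:` line if it is a deliberate choice.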
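Review bot: `return 302 https://$host$request_uri;` in the new HTTP vhost reflects the client-supplied Host header into the redirect target, which is only safe while this block is chosen by an exact `server_name` match; if it is or ever becomes the default server for :80 (not visible here) it is an open redirect. Prefer `return 301 https://{{ cloud_skudak_server_name }}$request_uri;`, which pins the target to the configured name and makes the HTTP-to-HTTPS upgrade cacheable as permanent.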
@@ -0,0 +1,42 @@
+upstream skucloud {
+ server 127.0.0.1:8090;
+}
+
+server {
+ modsecurity on;
+ modsecurity_rules_file /etc/nginx/modsec_includes.conf;
+
+ resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s;
+
+ listen 443 ssl http2;
+ server_name {{ cloud_skudak_server_name }};
+ client_max_body_size 500M;
+
+ ssl_certificate /etc/letsencrypt/live/{{ cloud_skudak_server_name }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ cloud_skudak_server_name }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ cloud_skudak_server_name }}/fullchain.pem;
+ ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ ssl_session_timeout 1d;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ location / {
+ add_header Referrer-Policy "same-origin" always;
+ add_header Strict-Transport-Security "max-age=630720000; includeSubDomains" always;
+ add_header X-Content-Type-Options "nosniff" always;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+
+ proxy_buffering off;
+ proxy_http_version 1.1;
+ proxy_pass http://skucloud;
+ }
+}
\ No newline at end of file
diff --git a/ansible/roles/ssl/tasks/certbot.yml b/ansible/roles/ssl/tasks/certbot.yml
index 78c5f95..608d1ef 100644
--- a/ansible/roles/ssl/tasks/certbot.yml
+++ b/ansible/roles/ssl/tasks/certbot.yml
@@ -11,6 +11,7 @@
 - "{{ bookstack_server_name }}"
 - "{{ ci_server_name }}"
 - "{{ cloud_server_name }}"
+ - "{{ cloud_skudak_server_name }}"
 - "{{ fulfillr_server_name }}"
 - "{{ parts_server_name }}"
 - "{{ photos_server_name }}"
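Review bot: The `location /` proxy block forwards `Host` and `X-Forwarded-For` but never the scheme, so the backend sees plain-HTTP requests from loopback; per Nextcloud's reverse-proxy guidance it then generates http:// URLs and non-secure cookies unless `overwriteprotocol` is set, which the HSTS header added three lines above will make visibly break — add `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-Host $host;`. The forwarded client IP is also only used when the proxy address is listed in Nextcloud's `trusted_proxies`; otherwise every client is throttled and logged as the single container-network address, turning the brute-force protection into a site-wide lockout, so that config.php setting (not part of this commit) should be confirmed. `proxy_set_header Upgrade $http_upgrade;` without a matching `Connection` header has no effect and can be dropped, and the `/.well-known/caldav` and `/.well-known/carddav` redirects Nextcloud expects from a fronting proxy are absent.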
diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml index 45d1628..4c9763f 100644 Binary files a/ansible/vars/vault.yml and b/ansible/vars/vault.yml differ