diff --git a/ansible/deploy_home.yml b/ansible/deploy_home.yml
index 5570dc5..126b711 100644
--- a/ansible/deploy_home.yml
+++ b/ansible/deploy_home.yml
@@ -6,3 +6,4 @@
 - role: common
 - role: git
 - role: podman
+ - role: ssl
diff --git a/ansible/roles/podman/defaults/main.yml b/ansible/roles/podman/defaults/main.yml
index 3dc5804..7a4b779 100644
--- a/ansible/roles/podman/defaults/main.yml
+++ b/ansible/roles/podman/defaults/main.yml
@@ -5,6 +5,7 @@ graylog_path: "{{ podman_volumes }}/graylog"
 hass_path: "{{ podman_volumes }}/hass"
 nginx_path: "{{ podman_volumes }}/nginx"
 partkeepr_path: "{{ podman_volumes }}/partkeepr"
+cloud_path: "{{ podman_volumes }}/cloud"
 pihole_path: "{{ podman_volumes }}/pihole"

 drone_server_proto: "https"
@@ -15,6 +16,7 @@ ci_server_name: ci.bdebyl.net
 pi_server_name: pi.bdebyl.net
 assistant_server_name: assistant.bdebyl.net
 bookstack_server_name: wiki.skudakrennsport.com
+cloud_server_name: cloud.bdebyl.net
 home_server_name: home.bdebyl.net
 parts_server_name: parts.bdebyl.net
 video_server_name: video.bdebyl.net
diff --git a/ansible/roles/podman/meta/main.yml b/ansible/roles/podman/meta/main.yml
index d00d780..fdda41b 100644
--- a/ansible/roles/podman/meta/main.yml
+++ b/ansible/roles/podman/meta/main.yml
@@ -1,4 +1,3 @@
 ---
 dependencies:
 - role: common
- - role: ssl
diff --git a/ansible/roles/podman/tasks/configuration-nginx-http.yml b/ansible/roles/podman/tasks/configuration-nginx-http.yml
index e0b2936..212ceac 100644
--- a/ansible/roles/podman/tasks/configuration-nginx-http.yml
+++ b/ansible/roles/podman/tasks/configuration-nginx-http.yml
@@ -68,6 +68,7 @@
 - "{{ bookstack_server_name }}.conf"
 - "{{ video_server_name }}.conf"
 - "{{ parts_server_name }}.conf"
+ - "{{ cloud_server_name }}.conf"
 - "{{ logs_server_name }}.conf"
 notify:
 - restorecon podman
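Review bot: Appending `- role: ssl` after `podman` here, together with dropping it from the podman role's meta dependencies, reverses the order the two roles run in: the podman role now renders and starts nginx before certbot runs, and the new `cloud.bdebyl.net.https.conf.j2` in this same commit references `/etc/letsencrypt/live/{{ cloud_server_name }}/` that does not exist on a fresh host until the ssl role has run. If the order is deliberate (certbot's `creates: /etc/letsencrypt/live/...` task presumably answers the challenge through the port-80 `acme-challenge` location nginx serves), a comment on the roles list would stop the next reader from swapping it back: `# ssl runs after podman on purpose: certbot needs the nginx container up to answer the acme-challenge`. The roles list itself starts outside the hunk, so I cannot see whether the https vhost is guarded on the certificate being present.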
@@ -86,6 +87,7 @@
 - "{{ ci_server_name }}.http.conf"
 - "{{ pi_server_name }}.conf"
 - "{{ parts_server_name }}.conf"
+ - "{{ cloud_server_name }}.conf"
 - "{{ home_server_name }}.conf"
 - "{{ assistant_server_name }}.conf"
 - "{{ bookstack_server_name }}.conf"
diff --git a/ansible/roles/podman/tasks/configuration-nginx-https.yml b/ansible/roles/podman/tasks/configuration-nginx-https.yml
index 5189f75..9f703a1 100644
--- a/ansible/roles/podman/tasks/configuration-nginx-https.yml
+++ b/ansible/roles/podman/tasks/configuration-nginx-https.yml
@@ -36,6 +36,7 @@
 loop:
 - "{{ ci_server_name }}.https.conf"
 - "{{ parts_server_name }}.https.conf"
+ - "{{ cloud_server_name }}.https.conf"
 - "{{ bookstack_server_name }}.https.conf"
 notify:
 - restorecon podman
@@ -53,6 +54,7 @@
 loop:
 - "{{ ci_server_name }}.https.conf"
 - "{{ parts_server_name }}.https.conf"
+ - "{{ cloud_server_name }}.https.conf"
 - "{{ bookstack_server_name }}.https.conf"
 notify:
 - restorecon podman
diff --git a/ansible/roles/podman/tasks/container-cloud.yml b/ansible/roles/podman/tasks/container-cloud.yml
new file mode 100644
index 0000000..84a4237
--- /dev/null
+++ b/ansible/roles/podman/tasks/container-cloud.yml
@@ -0,0 +1,108 @@
+---
+- name: create required cloud volumes
+ become: true
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ podman_subuid.stdout }}"
+ group: "{{ podman_user }}"
+ mode: 0755
+ notify: restorecon podman
+ loop:
+ - "{{ cloud_path }}/mysql"
+ - "{{ cloud_path }}/storage"
+ tags: cloud
+
+- name: flush handlers
+ ansible.builtin.meta: flush_handlers
+ tags: cloud
+
+- name: mount cloud cifs
+ become: true
+ ansible.posix.mount:
+ src: "{{ cloud_cifs_src }}"
+ path: "{{ cloud_path }}/storage"
+ fstype: cifs
+ opts: "username=cloud,password={{ cloud_cifs_pass }},uid={{ podman_subuid.stdout }},gid={{ podman_subuid.stdout }}"
+ state: mounted
+ tags: cloud
+
+- name: create cloud-db container
+ become: true
+ become_user: "{{ podman_user }}"
+ containers.podman.podman_container:
+ name: cloud-db
+ image: docker.io/mariadb:10.8
+ recreate: false
+ restart: false
+ restart_policy: on-failure
+ log_driver: journald
+ network:
+ - shared
+ env:
+ MARIADB_AUTO_UPGRADE: "1"
+ MYSQL_RANDOM_ROOT_PASSWORD: "yes"
+ MYSQL_DATABASE: cloud
+ MYSQL_USER: cloud
+ MYSQL_PASSWORD: "{{ cloud_db_pass }}"
+ volumes:
+ - "{{ cloud_path }}/mysql:/var/lib/mysql"
+ tags: cloud
+
+- name: create systemd startup job for cloud-db
+ include_tasks: systemd-generate.yml
+ vars:
+ container_name: cloud-db
+ tags: cloud
+
+- name: create cloud container
+ become: true
+ become_user: "{{ podman_user }}"
+ containers.podman.podman_container:
+ name: cloud
+ image: docker.io/photoprism/photoprism:220901-bookworm
+ recreate: false
+ restart: false
+ restart_policy: on-failure
+ log_driver: journald
+ network:
+ - shared
+ env:
+ PHOTOPRISM_ADMIN_PASSWORD: "{{ cloud_user_pass }}"
+ PHOTOPRISM_AUTH_MODE: "password"
+ PHOTOPRISM_SITE_URL: "http://localhost:2342/"
+ PHOTOPRISM_ORIGINALS_LIMIT: 5000
+ PHOTOPRISM_HTTP_COMPRESSION: "gzip"
+ PHOTOPRISM_LOG_LEVEL: "info"
+ PHOTOPRISM_READONLY: "false"
+ PHOTOPRISM_EXPERIMENTAL: "false"
+ PHOTOPRISM_DISABLE_CHOWN: "false"
+ PHOTOPRISM_DISABLE_WEBDAV: "false"
+ PHOTOPRISM_DISABLE_SETTINGS: "false"
+ PHOTOPRISM_DISABLE_TENSORFLOW: "false"
+ PHOTOPRISM_DISABLE_FACES: "false"
+ PHOTOPRISM_DISABLE_CLASSIFICATION: "false"
+ PHOTOPRISM_DISABLE_RAW: "false"
+ PHOTOPRISM_RAW_PRESETS: "false"
+ PHOTOPRISM_JPEG_QUALITY: 85
+ PHOTOPRISM_DETECT_NSFW: "false"
+ PHOTOPRISM_UPLOAD_NSFW: "true"
+ PHOTOPRISM_DATABASE_DRIVER: "mysql"
+ PHOTOPRISM_DATABASE_SERVER: "cloud-db:3306"
+ PHOTOPRISM_DATABASE_NAME: "cloud"
+ PHOTOPRISM_DATABASE_USER: "cloud"
+ PHOTOPRISM_DATABASE_PASSWORD: "{{ cloud_db_pass }}"
+ PHOTOPRISM_SITE_CAPTION: "AI-Powered Photos App"
+ PHOTOPRISM_SITE_DESCRIPTION: ""
+ PHOTOPRISM_SITE_AUTHOR: "Bastian D."
+ volumes:
+ - "{{ cloud_path }}/storage:/photoprism/"
+ ports:
+ - "8088:2342"
+ tags: cloud
+
+- name: create systemd startup job for cloud
+ include_tasks: systemd-generate.yml
+ vars:
+ container_name: cloud
+ tags: cloud
diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml
index a3468ea..6032ceb 100644
--- a/ansible/roles/podman/tasks/main.yml
+++ b/ansible/roles/podman/tasks/main.yml
@@ -9,4 +9,5 @@
 - import_tasks: container-graylog.yml
 - import_tasks: container-pihole.yml
 - import_tasks: container-bookstack.yml
+- import_tasks: container-cloud.yml
 - import_tasks: container-nginx.yml
diff --git a/ansible/roles/podman/tasks/podman.yml b/ansible/roles/podman/tasks/podman.yml
index a6119c3..a633146 100644
--- a/ansible/roles/podman/tasks/podman.yml
+++ b/ansible/roles/podman/tasks/podman.yml
@@ -60,6 +60,16 @@
 - podman
 - selinux

+- name: selinux allow podman samba
+ become: true
+ ansible.posix.seboolean:
+ name: virt_use_samba
+ state: true
+ persistent: true
+ tags:
+ - podman
+ - selinux
+
 - name: create podman system directories
 become: true
 become_user: "{{ podman_user }}"
diff --git a/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.conf.j2
new file mode 100644
index 0000000..73e6b18
--- /dev/null
+++ b/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.conf.j2
@@ -0,0 +1,21 @@
+geo $whitelisted {
+ default 0;
+ 192.168.1.0/24 1;
+}
+
+server {
+ modsecurity on;
+ modsecurity_rules_file /etc/nginx/modsec_includes.conf;
+
+ listen 80;
+ server_name {{ cloud_server_name }};
+
+ location '/.well-known/acme-challenge' {
+ default_type "text/plain";
+ root /srv/http/letsencrypt;
+ }
+
+ location / {
+ return 302 https://$host$request_uri;
+ }
+}
\ No newline at end of file
diff --git a/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.https.conf.j2
new file mode 100644
index 0000000..bc6e1ed
--- /dev/null
+++ b/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.https.conf.j2
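Review bot: `geo $whitelisted` is defined at the top of this template but nothing in the file reads it, so the LAN allowlist it suggests is not enforced and a reader skimming the config will assume a restriction that does not exist; either reference it or remove the block. The same unused definition is in cloud.bdebyl.net.https.conf.j2, and if a LAN-only restriction is actually wanted it belongs in that file's `location /`, since the port-80 `acme-challenge` location here has to stay reachable from outside for certificate validation. The template appears to be copied from the other site templates, so a one-line header comment naming what this vhost does (`# port-80 vhost for {{ cloud_server_name }}: serves the ACME challenge, redirects everything else to https`) would help. The file also lacks a trailing newline.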
@@ -0,0 +1,47 @@
+geo $whitelisted {
+ default 0;
+ 192.168.1.0/24 1;
+}
+
+upstream cloud {
+ server 127.0.0.1:8088;
+}
+
+server {
+ modsecurity on;
+ modsecurity_rules_file /etc/nginx/modsec_includes.conf;
+
+ resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s;
+
+ listen 443 ssl http2;
+ server_name {{ cloud_server_name }};
+ client_max_body_size 500M;
+
+ ssl_certificate /etc/letsencrypt/live/{{ cloud_server_name }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ cloud_server_name }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ cloud_server_name }}/fullchain.pem;
+ ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ ssl_session_timeout 1d;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ location / {
+ add_header Referrer-Policy "same-origin" always;
+ # add_header Strict-Transport-Security "max-age=630720000; includeSubDomains" always;
+ add_header X-Content-Type-Options "nosniff" always;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+
+ proxy_buffering off;
+ proxy_http_version 1.1;
+ proxy_pass http://cloud;
+ }
+}
\ No newline at end of file
diff --git a/ansible/roles/ssl/tasks/certbot.yml b/ansible/roles/ssl/tasks/certbot.yml
index fca95c6..1ea298f 100644
--- a/ansible/roles/ssl/tasks/certbot.yml
+++ b/ansible/roles/ssl/tasks/certbot.yml
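Review bot: `proxy_set_header Upgrade $http_upgrade;` in `location /` is not enough for WebSocket upgrades to pass through nginx — the `Connection` header must be set to `upgrade` as well, otherwise the upstream never sees a valid upgrade request; the usual form is a `map` on `$http_upgrade` so plain requests keep `Connection: close`. Two smaller points in the same block: the HSTS header is commented out, so the only https enforcement is the 302 on port 80 — if the host is meant to be https-only, enabling it (a short `max-age` first, without `includeSubDomains`) is the low-risk way in; and `geo $whitelisted` is defined but never used here, so the LAN allowlist it implies is not enforced (see the http template in this commit). If the allowlist is intended, `if ($whitelisted = 0) { return 403; }` in `location /` would make it real; otherwise drop the `geo` block.

```nginx
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# … unchanged: upstream cloud, server/ssl settings down to location / …
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
```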
@@ -8,9 +8,10 @@
 args:
 creates: "/etc/letsencrypt/live/{{ item }}"
 loop:
- - "{{ ci_server_name }}"
- - "{{ parts_server_name }}"
 - "{{ bookstack_server_name }}"
+ - "{{ ci_server_name }}"
+ - "{{ cloud_server_name }}"
+ - "{{ parts_server_name }}"
 tags: ssl

 - name: set group ownership for /etc/letsencrypt/
diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml
index c7a8492..fd36954 100644
Binary files a/ansible/vars/vault.yml and b/ansible/vars/vault.yml differ