diff --git a/CLAUDE.md b/CLAUDE.md new file mode 100644 index 0000000..523a170 --- /dev/null +++ b/CLAUDE.md @@ -0,0 +1,99 @@ +# CLAUDE.md + +This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. + +## Overview + +This is a home infrastructure deployment repository using Ansible for automated server configuration and container deployment. The project follows a "one-button deployment" philosophy for managing a home server environment with various self-hosted services. + +## Development Commands + +### Core Commands +- `make` or `make lint` - Run linting (yamllint + ansible-lint) on all YAML files +- `make deploy` - Deploy all configurations to the home server +- `make deploy TAGS=sometag` - Deploy only specific tagged tasks +- `make deploy TARGET=specific-host` - Deploy to specific host instead of all +- `make check` - Run deployment in dry-run mode showing potential changes +- `make vault` - Edit encrypted Ansible vault file +- `make list-tags` - List all available Ansible tags +- `make list-tasks` - List all Ansible tasks + +### Environment Setup +The project uses Python virtualenv for dependency management: +- Dependencies are locked in `requirements.txt` (ansible + yamllint) +- Makefile automatically creates `.venv/` and installs dependencies +- Vault password is sourced from password manager via `.pass.sh` + +## Architecture + +### Directory Structure +``` +ansible/ +├── deploy.yml # Main playbook entry point (imports deploy_home.yml) +├── deploy_home.yml # Core playbook with role definitions +├── inventories/home/ # Inventory configuration +├── roles/ # Ansible roles organized by function +│ ├── common/ # Base system configuration +│ ├── git/ # Git repository management +│ ├── podman/ # Container orchestration +│ ├── ssl/ # Legacy SSL management (deprecated - Caddy handles certificates automatically) +│ ├── github-actions/# CI/CD runner setup +│ └── pihole/ # DNS filtering +└── vars/ + └── vault.yml # Encrypted secrets +``` + +### Container Organization +Containers are organized in `ansible/roles/podman/tasks/containers/`: +- `base/` - Core infrastructure containers (Caddy web server, AWS DDNS) +- `home/` - Home-specific services (Home Assistant, PartKeepr, Immich photos, Nextcloud, Redis) +- `debyltech/` - Personal/business services (Fulfillr) +- `skudak/` - Additional services (BookStack wiki, Nextcloud) + +### Security Model +- Ansible vault for encrypted secrets management +- Password sourced from external password manager +- Git-crypt for repository-level encryption (see `.gitattributes`) +- SSH key-based authentication to target hosts +- Caddy provides automatic HTTPS with LetsEncrypt certificates +- Built-in security headers and IP-based access restrictions + +## Key Patterns + +### Role Structure +Each Ansible role follows standard structure: +- `tasks/main.yml` - Main task entry point +- `defaults/main.yml` - Default variables +- `handlers/main.yml` - Event handlers +- `meta/main.yml` - Role metadata and dependencies + +### Container Deployment Pattern +Container tasks follow consistent patterns: +- Firewall configuration +- Container image specification via variables +- Service configuration through imported task files +- Tag-based selective deployment + +### Tagging Strategy +Tasks are tagged by service/component for selective deployment: +- `caddy` - Web server tasks (replaced nginx) +- `ddns` - Dynamic DNS tasks +- ~~`drone` - CI/CD tasks (decommissioned)~~ +- `hass` - Home Assistant tasks +- Common infrastructure tags like `common`, `ssl` + +## Configuration Files + +- `ansible.cfg` - Ansible configuration with performance optimizations +- `.yamllint.yml` - YAML linting rules (braces disabled) +- `.lint-vars.sh` - Ansible-lint skip configuration +- `requirements.txt` - Python dependencies with pinned versions + +## Target Environment + +- Single target host: `home.bdebyl.net` +- OS: Fedora (ansible_user: fedora) +- Container runtime: Podman +- Web server: Caddy with automatic HTTPS and built-in security (replaced nginx + ModSecurity) +- All services accessible via HTTPS with automatic certificate renewal +- ~~CI/CD: Drone CI infrastructure completely decommissioned~~ \ No newline at end of file diff --git a/Makefile b/Makefile index d58961f..d91586f 100644 --- a/Makefile +++ b/Makefile @@ -27,6 +27,7 @@ ANSIBLE_INVENTORY=ansible/inventories/home/hosts.yml TAGS?=all SKIP_TAGS?=none TARGET?=all +EXTRA_VARS?= ${VENV}: python3 -m venv ${VENV} @@ -51,7 +52,7 @@ SKIP_FILE=./.lint-vars.sh # Targets deploy: ${ANSIBLE} ${VAULT_FILE} - ${ANSIBLE} --diff -t ${TAGS} --skip-tags ${SKIP_TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml + ${ANSIBLE} --diff -t ${TAGS} --skip-tags ${SKIP_TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} $(if ${EXTRA_VARS},-e "${EXTRA_VARS}") ansible/deploy.yml list-tags: ${ANSIBLE} ${VAULT_FILE} ${ANSIBLE} --list-tags -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml @@ -60,11 +61,11 @@ list-tasks: ${ANSIBLE} ${VAULT_FILE} ${ANSIBLE} --list-tasks -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml check: ${ANSIBLE} ${VAULT_FILE} - ${ANSIBLE} --check --diff --private-key -t ${TAGS} --skip-tags ${SKIP_TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml + ${ANSIBLE} --check --diff -t ${TAGS} --skip-tags ${SKIP_TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} $(if ${EXTRA_VARS},-e "${EXTRA_VARS}") ansible/deploy.yml vault: ${ANSIBLE_VAULT} ${VAULT_FILE} ${ANSIBLE_VAULT} edit --vault-password-file ${VAULT_PASS_FILE} ${VAULT_FILE} lint: ${LINT_YAML} ${SKIP_FILE} @printf "Running yamllint...\n" - -@${LINT_YAML} ${YAML_FILES} \ No newline at end of file + -@${LINT_YAML} ${YAML_FILES} diff --git a/TODO.md b/TODO.md new file mode 100644 index 0000000..4d06164 --- /dev/null +++ b/TODO.md @@ -0,0 +1,52 @@ +# TODO + +## ✅ Caddy Migration - COMPLETED +- [x] Migrate from nginx + ModSecurity to Caddy +- [x] Automatic HTTPS certificate provisioning +- [x] All sites working with proper IP restrictions +- [x] Remove migration_mode logic - Caddy is now default + +## Infrastructure Cleanup Tasks + +### ✅ Phase 1: System LetsEncrypt to Caddy Migration - COMPLETED +- [x] ~~Create dedicated Caddy certificates volume~~ - Not needed, Caddy manages in /data +- [x] ~~Copy existing system LetsEncrypt certificates~~ - Not needed, Caddy generated new ones +- [x] ~~Set proper permissions~~ - Already correct, Caddy runs as podman user +- [x] Remove LetsEncrypt cron jobs from Ansible (cleanup.yml created) +- [x] Remove LetsEncrypt cron jobs from remote host (both weekly + 5min jobs removed) +- [x] Disable ssl role tasks and certificate generation (disabled in deploy_home.yml) +- [x] ~~Remove certbot installation from common role~~ - Not installed there +- [x] Uninstall certbot/letsencrypt packages from remote host (removed via dnf) +- [x] Stop any running LetsEncrypt services (certbot.timer not running) +- [x] Backup and remove /etc/letsencrypt directory (backup created, directory removed) +- [x] Remove /srv/http/letsencrypt directory (webroot removed) + +### ✅ Phase 2: nginx + ModSecurity Cleanup - COMPLETED +- [x] Remove nginx container configuration and tasks (deleted all conf-nginx*.yml, nginx.yml) +- [x] Remove nginx configuration templates and files (removed entire templates/nginx/ directory) +- [x] Remove ModSecurity rules and configuration (removed from defaults/main.yml variables) +- [x] Remove nginx/ModSecurity volume mounts and directories (nginx volume backed up and removed) +- [x] Clean up nginx-related variables from defaults/main.yml (nginx_path removed) +- [x] ~~Remove firewall rules for nginx~~ - Not needed, Caddy uses same ports +- [x] Remove nginx systemd services from remote host (container-nginx service removed) +- [x] ~~Uninstall nginx/ModSecurity packages~~ - Were never system-installed, container-only +- [x] Clean up nginx log directories and files (/var/log/nginx, /var/log/modsecurity removed) +- [x] Remove ModSecurity installation directories (/usr/share/modsecurity, /usr/share/coreruleset removed) +- [x] Create backup of nginx configuration (nginx-backup-{timestamp}.tar.gz created) + +### ✅ Phase 3: Final Cleanup - COMPLETED +- [x] Remove Drone CI infrastructure and ci.bdebyl.net host + - [x] Remove Drone container from podman configuration (drone.yml deleted) + - [x] Remove ci.bdebyl.net from Caddyfile (site configuration removed) + - [x] Clean up drone-related volumes and data (drone volume backed up and removed) + - [x] Update firewall rules to remove CI ports (ports were not explicitly opened) +- [x] Review and remove unused variables and templates + - [x] Removed ci_server_name variable + - [x] Removed drone-related variables (drone_path, drone_server_proto, etc.) + - [x] Cleaned up nginx handler in handlers/main.yml + - [x] Updated firewall.yml comments +- [x] Update documentation to reflect Caddy as web server + - [x] Updated CLAUDE.md container organization section + - [x] Updated tagging strategy (nginx→caddy, drone marked decommissioned) + - [x] Updated target environment description (nginx→Caddy) +- [x] Verify all services working after cleanup (sites tested and working) \ No newline at end of file diff --git a/ansible/deploy_home.yml b/ansible/deploy_home.yml index b12b6b1..76185cb 100644 --- a/ansible/deploy_home.yml +++ b/ansible/deploy_home.yml @@ -6,5 +6,6 @@ - role: common - role: git - role: podman - - role: ssl +# SSL certificates are now handled automatically by Caddy + # - role: ssl # REMOVED - Caddy handles all certificate management - role: github-actions diff --git a/ansible/roles/podman/defaults/main.yml b/ansible/roles/podman/defaults/main.yml index 1657f05..19ae532 100644 --- a/ansible/roles/podman/defaults/main.yml +++ b/ansible/roles/podman/defaults/main.yml @@ -4,26 +4,26 @@ cam2ip_path: "{{ podman_volumes }}/cam2ip" cloud_path: "{{ podman_volumes }}/cloud" cloud_skudak_path: "{{ podman_volumes }}/skudakcloud" debyltech_path: "{{ podman_volumes }}/debyltech" -drone_path: "{{ podman_volumes }}/drone" +# drone_path: removed - Drone CI decommissioned factorio_path: "{{ podman_volumes }}/factorio" fulfillr_path: "{{ podman_volumes }}/fulfillr" hass_path: "{{ podman_volumes }}/hass" -nginx_path: "{{ podman_volumes }}/nginx" +# nginx_path: removed - nginx no longer used nosql_path: "{{ podman_volumes }}/nosql" partkeepr_path: "{{ podman_volumes }}/partkeepr" photos_path: "{{ podman_volumes }}/photos" pihole_path: "{{ podman_volumes }}/pihole" sshpass_cron_path: "{{ podman_volumes }}/sshpass_cron" +caddy_path: "{{ podman_volumes }}/caddy" -drone_server_proto: "https" -drone_runner_proto: "http" -drone_runner_capacity: "8" +# Drone CI variables removed - infrastructure decommissioned +# drone_server_proto, drone_runner_proto, drone_runner_capacity -# nginx and modsec configuration +# Server names (used by Caddy) base_server_name: bdebyl.net assistant_server_name: assistant.bdebyl.net bookstack_server_name: wiki.skudakrennsport.com -ci_server_name: ci.bdebyl.net +# ci_server_name: removed - Drone CI decommissioned cloud_server_name: cloud.bdebyl.net cloud_skudak_server_name: cloud.skudakrennsport.com fulfillr_server_name: fulfillr.debyltech.com @@ -31,132 +31,36 @@ home_server_name: home.bdebyl.net parts_server_name: parts.bdebyl.net photos_server_name: photos.bdebyl.net -nginx_conf_path: "{{ nginx_path }}/etc/conf" -modsec_log_path: /var/log/nginx/modsec_audit.log -modsec_rules_path: "{{ nginx_conf_path }}/rules" -modsec_crs_before_rule_conf: "{{ modsec_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf" -modsec_crs_after_rule_conf: "{{ modsec_rules_path }}/REQUEST-999-EXCLUSION-RULES-AFTER-CRS.conf" +# Legacy nginx/ModSecurity configuration removed - Caddy provides built-in security -install_path: /usr/share -modsec_path: "{{ install_path }}/modsecurity" -crs_path: "{{ install_path }}/coreruleset" -crs_rules_path: "{{ crs_path }}/rules" +# Web server configuration (Caddy is the default) +# Legacy nginx variables kept for cleanup tasks -modsec_whitelist_local_re: >- - ^SecRule.*REMOTE_ADDR.*192\.168\.0\.0/16.*$ +# Caddy configuration +caddy_email: "{{ ssl_email }}" +# Use staging for testing, production for real certificates +caddy_acme_ca: https://acme-v02.api.letsencrypt.org/directory +# For testing/staging: +# caddy_acme_ca: https://acme-staging-v02.api.letsencrypt.org/directory -modsec_whitelist_local: >- - SecRule REMOTE_ADDR "@ipMatch 192.168.0.0/16" - "id:1,phase:1,nolog,allow,ctl:ruleEngine=Off" +# Caddy ports +caddy_admin_port: 2019 -modsec_git_urls: - - src: "https://github.com/coreruleset/coreruleset.git" - dest: "{{ crs_path }}" - ver: "v3.3.2" - - src: "https://github.com/SpiderLabs/ModSecurity.git" - dest: "{{ modsec_path }}" - ver: "v3.0.6" +# Caddy network configuration +caddy_local_networks: + - 192.168.0.0/16 + - 127.0.0.1 -modsec_conf_replaces: - - regex: "^SecRuleEngine" - line: "SecRuleEngine On" - - regex: "^SecAuditLog" - line: "SecAuditLog {{ modsec_log_path }}" +# Caddy logging configuration +caddy_log_level: INFO +caddy_log_format: json -modsec_conf_links: - - src: "{{ modsec_path }}/modsecurity.conf-recommended" - dest: "{{ nginx_path }}/etc/modsecurity.conf" - - src: "{{ modsec_path }}/unicode.mapping" - dest: "{{ nginx_path }}/etc/unicode.mapping" - - src: "{{ crs_path }}/crs-setup.conf.example" - dest: "{{ nginx_conf_path }}/crs-setup.conf" - - src: "{{ crs_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example" - dest: "{{ modsec_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf" - - src: "{{ crs_rules_path }}/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example" - dest: "{{ modsec_rules_path }}/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf" +# Caddy performance tuning +caddy_max_request_body_mb: 500 -crs_rule_links: - - name: REQUEST-901-INITIALIZATION - enabled: true - - name: REQUEST-903.9001-DRUPAL-EXCLUSION-RULES - enabled: true - - name: REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES - enabled: true - - name: REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES - enabled: true - - name: REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES - enabled: true - - name: REQUEST-903.9005-CPANEL-EXCLUSION-RULES - enabled: true - - name: REQUEST-903.9006-XENFORO-EXCLUSION-RULES - enabled: true - - name: REQUEST-905-COMMON-EXCEPTIONS - enabled: true - - name: REQUEST-910-IP-REPUTATION - enabled: true - - name: REQUEST-911-METHOD-ENFORCEMENT - enabled: true - - name: REQUEST-912-DOS-PROTECTION - enabled: true - - name: REQUEST-913-SCANNER-DETECTION - enabled: true - - name: REQUEST-920-PROTOCOL-ENFORCEMENT - enabled: true - - name: REQUEST-921-PROTOCOL-ATTACK - enabled: true - - name: REQUEST-930-APPLICATION-ATTACK-LFI - enabled: true - - name: REQUEST-931-APPLICATION-ATTACK-RFI - enabled: true - - name: REQUEST-932-APPLICATION-ATTACK-RCE - enabled: true - - name: REQUEST-933-APPLICATION-ATTACK-PHP - enabled: true - - name: REQUEST-934-APPLICATION-ATTACK-NODEJS - enabled: true - - name: REQUEST-941-APPLICATION-ATTACK-XSS - enabled: true - - name: REQUEST-942-APPLICATION-ATTACK-SQLI - enabled: true - - name: REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION - enabled: true - - name: REQUEST-944-APPLICATION-ATTACK-JAVA - enabled: true - - name: REQUEST-949-BLOCKING-EVALUATION - enabled: false - - name: RESPONSE-950-DATA-LEAKAGES - enabled: true - - name: RESPONSE-951-DATA-LEAKAGES-SQL - enabled: true - - name: RESPONSE-952-DATA-LEAKAGES-JAVA - enabled: true - - name: RESPONSE-953-DATA-LEAKAGES-PHP - enabled: true - - name: RESPONSE-954-DATA-LEAKAGES-IIS - enabled: true - - name: RESPONSE-959-BLOCKING-EVALUATION - enabled: true - - name: RESPONSE-980-CORRELATION - enabled: true - -crs_data_links: - - crawlers-user-agents - - iis-errors - - java-classes - - java-code-leakages - - java-errors - - lfi-os-files - - php-config-directives - - php-errors - - php-function-names-933150 - - php-function-names-933151 - - php-variables - - restricted-files - - restricted-upload - - scanners-headers - - scanners-urls - - scanners-user-agents - - scripting-user-agents - - sql-errors - - unix-shell - - windows-powershell-commands +# Caddy security headers (global defaults) +caddy_security_headers: + Strict-Transport-Security: "max-age=31536000; includeSubDomains" + X-Content-Type-Options: "nosniff" + Referrer-Policy: "same-origin" + X-Frame-Options: "SAMEORIGIN" diff --git a/ansible/roles/podman/files/nginx/mime.types b/ansible/roles/podman/files/nginx/mime.types deleted file mode 100644 index 4a6286f..0000000 --- a/ansible/roles/podman/files/nginx/mime.types +++ /dev/null @@ -1,1028 +0,0 @@ -types { -application/A2L a2l; -application/AML aml; -application/andrew-inset ez; -application/ATF atf; -application/ATFX atfx; -application/ATXML atxml; -application/atom+xml atom; -application/atomcat+xml atomcat; -application/atomdeleted+xml atomdeleted; -application/atomsvc+xml atomsvc; -application/atsc-dwd+xml dwd; -application/atsc-held+xml held; -application/atsc-rsat+xml rsat; -application/auth-policy+xml apxml; -application/bacnet-xdd+zip xdd; -application/calendar+xml xcs; -application/cbor cbor; -application/cccex c3ex; -application/ccmp+xml ccmp; -application/ccxml+xml ccxml; -application/CDFX+XML cdfx; -application/cdmi-capability cdmia; -application/cdmi-container cdmic; -application/cdmi-domain cdmid; -application/cdmi-object cdmio; -application/cdmi-queue cdmiq; -application/CEA cea; -application/cellml+xml cellml cml; -application/clr 1clr; -application/clue_info+xml clue; -application/cms cmsc; -application/cpl+xml cpl; -application/csrattrs csrattrs; -application/dash+xml mpd; -application/dashdelta mpdd; -application/davmount+xml davmount; -application/DCD dcd; -application/dicom dcm; -application/DII dii; -application/DIT dit; -application/dskpp+xml xmls; -application/dssc+der dssc; -application/dssc+xml xdssc; -application/dvcs dvc; -application/ecmascript es; -application/efi efi; -application/emma+xml emma; -application/emotionml+xml emotionml; -application/epub+zip epub; -application/exi exi; -application/fastinfoset finf; -application/fdt+xml fdt; -application/font-tdpfr pfr; -application/geo+json geojson; -application/geopackage+sqlite3 gpkg; -application/gltf-buffer glbin glbuf; -application/gml+xml gml; -application/gzip gz tgz; -application/hyperstudio stk; -application/inkml+xml ink inkml; -application/ipfix ipfix; -application/its+xml its; -application/javascript js; -application/jrd+json jrd; -application/json json; -application/json-patch+json json-patch; -application/ld+json jsonld; -application/lgr+xml lgr; -application/link-format wlnk; -application/lost+xml lostxml; -application/lostsync+xml lostsyncxml; -application/lpf+zip lpf; -application/LXF lxf; -application/mac-binhex40 hqx; -application/mads+xml mads; -application/marc mrc; -application/marcxml+xml mrcx; -application/mathematica nb ma mb; -application/mathml+xml mml; -application/mbox mbox; -application/metalink4+xml meta4; -application/mets+xml mets; -application/MF4 mf4; -application/mipc h5; -application/mmt-aei+xml maei; -application/mmt-usd+xml musd; -application/mods+xml mods; -application/mp21 m21 mp21; -application/msword doc; -application/mxf mxf; -application/n-quads nq; -application/n-triples nt; -application/ocsp-request orq; -application/ocsp-response ors; -application/octet-stream bin lha lzh exe class so dll img iso; -application/ODA oda; -application/ODX odx; -application/oebps-package+xml opf; -application/ogg ogx; -application/opc-nodeset+xml ; -application/oxps oxps; -application/p2p-overlay+xml relo; -application/pdf pdf; -application/PDX pdx; -application/pem-certificate-chain pem; -application/pgp-encrypted pgp; -application/pgp-signature sig; -application/pkcs10 p10; -application/pkcs12 p12 pfx; -application/pkcs7-mime p7m p7c; -application/pkcs7-signature p7s; -application/pkcs8 p8; -application/pkcs8-encrypted p8e; -application/pkix-cert cer; -application/pkix-crl crl; -application/pkix-pkipath pkipath; -application/pkixcmp pki; -application/pls+xml pls; -application/postscript ps eps ai; -application/provenance+xml provx; -application/prs.cww cw cww; -application/prs.hpub+zip hpub; -application/prs.nprend rnd rct; -application/prs.rdf-xml-crypt rdf-crypt; -application/prs.xsf+xml xsf; -application/pskc+xml pskcxml; -application/rdf+xml rdf; -application/route-apd+xml rapd; -application/route-s-tsid+xml sls; -application/route-usd+xml rusd; -application/reginfo+xml rif; -application/relax-ng-compact-syntax rnc; -application/resource-lists-diff+xml rld; -application/resource-lists+xml rl; -application/rfc+xml rfcxml; -application/rls-services+xml rs; -application/rpki-ghostbusters gbr; -application/rpki-manifest mft; -application/rpki-roa roa; -application/rtf rtf; -application/sarif-external-properties+json sarif-external-properties sarif-external-properties.json; -application/sarif+json sarif sarif.json; -application/scim+json scim; -application/scvp-cv-request scq; -application/scvp-cv-response scs; -application/scvp-vp-request spq; -application/scvp-vp-response spp; -application/sdp sdp; -application/senml-etch+cbor senml-etchc; -application/senml-etch+json senml-etchj; -application/senml+cbor senmlc; -application/senml+json senml; -application/senml+xml senmlx; -application/senml-exi senmle; -application/sensml+cbor sensmlc; -application/sensml+json sensml; -application/sensml+xml sensmlx; -application/sensml-exi sensmle; -application/sgml-open-catalog soc; -application/shf+xml shf; -application/sieve siv sieve; -application/simple-filter+xml cl; -application/smil+xml smil smi sml; -application/sparql-query rq; -application/sparql-results+xml srx; -application/sql sql; -application/srgs gram; -application/srgs+xml grxml; -application/sru+xml sru; -application/ssml+xml ssml; -application/stix+json stix; -application/swid+xml swidtag; -application/tamp-apex-update tau; -application/tamp-apex-update-confirm auc; -application/tamp-community-update tcu; -application/tamp-community-update-confirm cuc; -application/td+json jsontd; -application/tamp-error ter; -application/tamp-sequence-adjust tsa; -application/tamp-sequence-adjust-confirm sac; -application/tamp-update tur; -application/tamp-update-confirm tuc; -application/tei+xml tei teiCorpus odd; -application/thraud+xml tfi; -application/timestamp-query tsq; -application/timestamp-reply tsr; -application/timestamped-data tsd; -application/trig trig; -application/ttml+xml ttml; -application/urc-grpsheet+xml gsheet; -application/urc-ressheet+xml rsheet; -application/urc-targetdesc+xml td; -application/urc-uisocketdesc+xml uis; -application/vnd.1000minds.decision-model+xml 1km; -application/vnd.3gpp.5gnas ; -application/vnd.3gpp.pic-bw-large plb; -application/vnd.3gpp.pic-bw-small psb; -application/vnd.3gpp.pic-bw-var pvb; -application/vnd.3gpp2.sms sms; -application/vnd.3gpp2.tcap tcap; -application/vnd.3lightssoftware.imagescal imgcal; -application/vnd.3M.Post-it-Notes pwn; -application/vnd.accpac.simply.aso aso; -application/vnd.accpac.simply.imp imp; -application/vnd.acucobol acu; -application/vnd.acucorp atc acutc; -application/vnd.adobe.flash.movie swf; -application/vnd.adobe.formscentral.fcdt fcdt; -application/vnd.adobe.fxp fxp fxpl; -application/vnd.adobe.xdp+xml xdp; -application/vnd.adobe.xfdf xfdf; -application/vnd.afpc.modca list3820 listafp afp pseg3820; -application/vnd.afpc.modca-overlay ovl; -application/vnd.afpc.modca-pagesegment psg; -application/vnd.ahead.space ahead; -application/vnd.airzip.filesecure.azf azf; -application/vnd.airzip.filesecure.azs azs; -application/vnd.amazon.mobi8-ebook azw3; -application/vnd.americandynamics.acc acc; -application/vnd.amiga.ami ami; -application/vnd.android.ota ota; -application/vnd.anki apkg; -application/vnd.anser-web-certificate-issue-initiation cii; -application/vnd.anser-web-funds-transfer-initiation fti; -application/vnd.apple.installer+xml dist distz pkg mpkg; -application/vnd.apple.keynote keynote; -application/vnd.apple.mpegurl m3u8; -application/vnd.apple.numbers numbers; -application/vnd.apple.pages pages; -application/vnd.aristanetworks.swi swi; -application/vnd.artisan+json artisan; -application/vnd.astraea-software.iota iota; -application/vnd.audiograph aep; -application/vnd.autopackage package; -application/vnd.balsamiq.bmml+xml bmml; -application/vnd.banana-accounting ac2; -application/vnd.balsamiq.bmpr bmpr; -application/vnd.blueice.multipass mpm; -application/vnd.bluetooth.ep.oob ep; -application/vnd.bluetooth.le.oob le; -application/vnd.bmi bmi; -application/vnd.businessobjects rep; -application/vnd.cendio.thinlinc.clientconf tlclient; -application/vnd.chemdraw+xml cdxml; -application/vnd.chess-pgn pgn; -application/vnd.chipnuts.karaoke-mmd mmd; -application/vnd.cinderella cdy; -application/vnd.citationstyles.style+xml csl; -application/vnd.claymore cla; -application/vnd.cloanto.rp9 rp9; -application/vnd.clonk.c4group c4g c4d c4f c4p c4u; -application/vnd.cluetrust.cartomobile-config c11amc; -application/vnd.cluetrust.cartomobile-config-pkg c11amz; -application/vnd.coffeescript coffee; -application/vnd.collabio.xodocuments.document xodt; -application/vnd.collabio.xodocuments.document-template xott; -application/vnd.collabio.xodocuments.presentation xodp; -application/vnd.collabio.xodocuments.presentation-template xotp; -application/vnd.collabio.xodocuments.spreadsheet xods; -application/vnd.collabio.xodocuments.spreadsheet-template xots; -application/vnd.comicbook-rar cbr; -application/vnd.comicbook+zip cbz; -application/vnd.commerce-battelle ica icf icd ic0 ic1 ic2 ic3 ic4 ic5 ic6 ic7 ic8; -application/vnd.commonspace csp cst; -application/vnd.contact.cmsg cdbcmsg; -application/vnd.coreos.ignition+json ign ignition; -application/vnd.cosmocaller cmc; -application/vnd.crick.clicker clkx; -application/vnd.crick.clicker.keyboard clkk; -application/vnd.crick.clicker.palette clkp; -application/vnd.crick.clicker.template clkt; -application/vnd.crick.clicker.wordbank clkw; -application/vnd.criticaltools.wbs+xml wbs; -application/vnd.crypto-shade-file ssvc; -application/vnd.cryptomator.encrypted c9r c9s; -application/vnd.cryptomator.vault cryptomator; -application/vnd.ctc-posml pml; -application/vnd.cups-ppd ppd; -application/vnd.curl curl; -application/vnd.dart dart; -application/vnd.data-vision.rdz rdz; -application/vnd.dbf dbf; -application/vnd.debian.binary-package deb udeb; -application/vnd.dece.data uvf uvvf uvd uvvd; -application/vnd.dece.ttml+xml uvt uvvt; -application/vnd.dece.unspecified uvx uvvx; -application/vnd.dece.zip uvz uvvz; -application/vnd.denovo.fcselayout-link fe_launch; -application/vnd.desmume.movie dsm; -application/vnd.dna dna; -application/vnd.document+json docjson; -application/vnd.doremir.scorecloud-binary-document scld; -application/vnd.dpgraph dpg mwc dpgraph; -application/vnd.dreamfactory dfac; -application/vnd.dtg.local.flash fla; -application/vnd.dvb.ait ait; -application/vnd.dvb.service svc; -application/vnd.dynageo geo; -application/vnd.dzr dzr; -application/vnd.ecowin.chart mag; -application/vnd.enliven nml; -application/vnd.epson.esf esf; -application/vnd.epson.msf msf; -application/vnd.epson.quickanime qam; -application/vnd.epson.salt slt; -application/vnd.epson.ssf ssf; -application/vnd.ericsson.quickcall qcall qca; -application/vnd.espass-espass+zip espass; -application/vnd.eszigno3+xml es3 et3; -application/vnd.etsi.asic-e+zip asice sce; -application/vnd.etsi.asic-s+zip asics; -application/vnd.etsi.timestamp-token tst; -application/vnd.exstream-empower+zip mpw; -application/vnd.exstream-package pub; -application/vnd.evolv.ecig.profile ecigprofile; -application/vnd.evolv.ecig.settings ecig; -application/vnd.evolv.ecig.theme ecigtheme; -application/vnd.ezpix-album ez2; -application/vnd.ezpix-package ez3; -application/vnd.fastcopy-disk-image dim; -application/vnd.fdf fdf; -application/vnd.fdsn.mseed msd mseed; -application/vnd.fdsn.seed seed dataless; -application/vnd.ficlab.flb+zip flb; -application/vnd.filmit.zfc zfc; -application/vnd.FloGraphIt gph; -application/vnd.fluxtime.clip ftc; -application/vnd.font-fontforge-sfd sfd; -application/vnd.framemaker fm; -application/vnd.frogans.fnc fnc; -application/vnd.frogans.ltf ltf; -application/vnd.fsc.weblaunch fsc; -application/vnd.fujitsu.oasys oas; -application/vnd.fujitsu.oasys2 oa2; -application/vnd.fujitsu.oasys3 oa3; -application/vnd.fujitsu.oasysgp fg5; -application/vnd.fujitsu.oasysprs bh2; -application/vnd.fujixerox.ddd ddd; -application/vnd.fujixerox.docuworks xdw; -application/vnd.fujixerox.docuworks.binder xbd; -application/vnd.fujixerox.docuworks.container xct; -application/vnd.fuzzysheet fzs; -application/vnd.genomatix.tuxedo txd; -application/vnd.geocube+xml g3 g³; -application/vnd.geogebra.file ggb; -application/vnd.geogebra.slides ggs; -application/vnd.geogebra.tool ggt; -application/vnd.geometry-explorer gex gre; -application/vnd.geonext gxt; -application/vnd.geoplan g2w; -application/vnd.geospace g3w; -application/vnd.gmx gmx; -application/vnd.google-earth.kml+xml kml; -application/vnd.google-earth.kmz kmz; -application/vnd.grafeq gqf gqs; -application/vnd.groove-account gac; -application/vnd.groove-help ghf; -application/vnd.groove-identity-message gim; -application/vnd.groove-injector grv; -application/vnd.groove-tool-message gtm; -application/vnd.groove-tool-template tpl; -application/vnd.groove-vcard vcg; -application/vnd.hal+xml hal; -application/vnd.HandHeld-Entertainment+xml zmm; -application/vnd.hbci hbci hbc kom upa pkd bpd; -application/vnd.hdt hdt; -application/vnd.hhe.lesson-player les; -application/vnd.hp-HPGL hpgl; -application/vnd.hp-hpid hpi hpid; -application/vnd.hp-hps hps; -application/vnd.hp-jlyt jlt; -application/vnd.hp-PCL pcl; -application/vnd.hydrostatix.sof-data sfd-hdstx; -application/vnd.hzn-3d-crossword x3d; -application/vnd.ibm.electronic-media emm; -application/vnd.ibm.MiniPay mpy; -application/vnd.ibm.rights-management irm; -application/vnd.ibm.secure-container sc; -application/vnd.iccprofile icc icm; -application/vnd.ieee.1905 1905.1; -application/vnd.igloader igl; -application/vnd.imagemeter.folder+zip imf; -application/vnd.imagemeter.image+zip imi; -application/vnd.immervision-ivp ivp; -application/vnd.immervision-ivu ivu; -application/vnd.ims.imsccv1p1 imscc; -application/vnd.insors.igm igm; -application/vnd.intercon.formnet xpw xpx; -application/vnd.intergeo i2g; -application/vnd.intu.qbo qbo; -application/vnd.intu.qfx qfx; -application/vnd.ipunplugged.rcprofile rcprofile; -application/vnd.irepository.package+xml irp; -application/vnd.is-xpr xpr; -application/vnd.isac.fcs fcs; -application/vnd.jam jam; -application/vnd.jcp.javame.midlet-rms rms; -application/vnd.jisp jisp; -application/vnd.joost.joda-archive joda; -application/vnd.kahootz ktz ktr; -application/vnd.kde.karbon karbon; -application/vnd.kde.kchart chrt; -application/vnd.kde.kformula kfo; -application/vnd.kde.kivio flw; -application/vnd.kde.kontour kon; -application/vnd.kde.kpresenter kpr kpt; -application/vnd.kde.kspread ksp; -application/vnd.kde.kword kwd kwt; -application/vnd.kenameaapp htke; -application/vnd.kidspiration kia; -application/vnd.Kinar kne knp sdf; -application/vnd.koan skp skd skm skt; -application/vnd.kodak-descriptor sse; -application/vnd.las las; -application/vnd.las.las+json lasjson; -application/vnd.las.las+xml lasxml; -application/vnd.llamagraphics.life-balance.desktop lbd; -application/vnd.llamagraphics.life-balance.exchange+xml lbe; -application/vnd.logipipe.circuit+zip lcs lca; -application/vnd.loom loom; -application/vnd.lotus-1-2-3 123 wk4 wk3 wk1; -application/vnd.lotus-approach apr vew; -application/vnd.lotus-freelance prz pre; -application/vnd.lotus-notes nsf ntf ndl ns4 ns3 ns2 nsh nsg; -application/vnd.lotus-organizer or3 or2 org; -application/vnd.lotus-screencam scm; -application/vnd.lotus-wordpro lwp sam; -application/vnd.macports.portpkg portpkg; -application/vnd.mapbox-vector-tile mvt; -application/vnd.marlin.drm.mdcf mdc; -application/vnd.maxmind.maxmind-db mmdb; -application/vnd.mcd mcd; -application/vnd.medcalcdata mc1; -application/vnd.mediastation.cdkey cdkey; -application/vnd.MFER mwf; -application/vnd.mfmp mfm; -application/vnd.micrografx.flo flo; -application/vnd.micrografx.igx igx; -application/vnd.mif mif; -application/vnd.Mobius.DAF daf; -application/vnd.Mobius.DIS dis; -application/vnd.Mobius.MBK mbk; -application/vnd.Mobius.MQY mqy; -application/vnd.Mobius.MSL msl; -application/vnd.Mobius.PLC plc; -application/vnd.Mobius.TXF txf; -application/vnd.mophun.application mpn; -application/vnd.mophun.certificate mpc; -application/vnd.mozilla.xul+xml xul; -application/vnd.ms-3mfdocument 3mf; -application/vnd.ms-artgalry cil; -application/vnd.ms-asf asf; -application/vnd.ms-cab-compressed cab; -application/vnd.ms-excel xls xlm xla xlc xlt xlw; -application/vnd.ms-excel.template.macroEnabled.12 xltm; -application/vnd.ms-excel.addin.macroEnabled.12 xlam; -application/vnd.ms-excel.sheet.binary.macroEnabled.12 xlsb; -application/vnd.ms-excel.sheet.macroEnabled.12 xlsm; -application/vnd.ms-fontobject eot; -application/vnd.ms-htmlhelp chm; -application/vnd.ms-ims ims; -application/vnd.ms-lrm lrm; -application/vnd.ms-officetheme thmx; -application/vnd.ms-powerpoint ppt pps pot; -application/vnd.ms-powerpoint.addin.macroEnabled.12 ppam; -application/vnd.ms-powerpoint.presentation.macroEnabled.12 pptm; -application/vnd.ms-powerpoint.slide.macroEnabled.12 sldm; -application/vnd.ms-powerpoint.slideshow.macroEnabled.12 ppsm; -application/vnd.ms-powerpoint.template.macroEnabled.12 potm; -application/vnd.ms-project mpp mpt; -application/vnd.ms-tnef tnef tnf; -application/vnd.ms-word.document.macroEnabled.12 docm; -application/vnd.ms-word.template.macroEnabled.12 dotm; -application/vnd.ms-works wcm wdb wks wps; -application/vnd.ms-wpl wpl; -application/vnd.ms-xpsdocument xps; -application/vnd.msa-disk-image msa; -application/vnd.mseq mseq; -application/vnd.multiad.creator crtr; -application/vnd.multiad.creator.cif cif; -application/vnd.musician mus; -application/vnd.muvee.style msty; -application/vnd.mynfc taglet; -application/vnd.nebumind.line nebul line; -application/vnd.nervana entity request bkm kcm; -application/vnd.nimn nimn; -application/vnd.nitf nitf; -application/vnd.neurolanguage.nlu nlu; -application/vnd.nintendo.nitro.rom nds; -application/vnd.nintendo.snes.rom sfc smc; -application/vnd.noblenet-directory nnd; -application/vnd.noblenet-sealer nns; -application/vnd.noblenet-web nnw; -application/vnd.nokia.n-gage.ac+xml ac; -application/vnd.nokia.n-gage.data ngdat; -application/vnd.nokia.n-gage.symbian.install n-gage; -application/vnd.nokia.radio-preset rpst; -application/vnd.nokia.radio-presets rpss; -application/vnd.novadigm.EDM edm; -application/vnd.novadigm.EDX edx; -application/vnd.novadigm.EXT ext; -application/vnd.oasis.opendocument.chart odc; -application/vnd.oasis.opendocument.chart-template otc; -application/vnd.oasis.opendocument.database odb; -application/vnd.oasis.opendocument.formula odf; -application/vnd.oasis.opendocument.graphics odg; -application/vnd.oasis.opendocument.graphics-template otg; -application/vnd.oasis.opendocument.image odi; -application/vnd.oasis.opendocument.image-template oti; -application/vnd.oasis.opendocument.presentation odp; -application/vnd.oasis.opendocument.presentation-template otp; -application/vnd.oasis.opendocument.spreadsheet ods; -application/vnd.oasis.opendocument.spreadsheet-template ots; -application/vnd.oasis.opendocument.text odt; -application/vnd.oasis.opendocument.text-master odm; -application/vnd.oasis.opendocument.text-template ott; -application/vnd.oasis.opendocument.text-web oth; -application/vnd.olpc-sugar xo; -application/vnd.oma.dd2+xml dd2; -application/vnd.onepager tam; -application/vnd.onepagertamp tamp; -application/vnd.onepagertamx tamx; -application/vnd.onepagertat tat; -application/vnd.onepagertatp tatp; -application/vnd.onepagertatx tatx; -application/vnd.openblox.game+xml obgx; -application/vnd.openblox.game-binary obg; -application/vnd.openeye.oeb oeb; -application/vnd.openofficeorg.extension oxt; -application/vnd.openstreetmap.data+xml osm; -application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; -application/vnd.openxmlformats-officedocument.presentationml.slide sldx; -application/vnd.openxmlformats-officedocument.presentationml.slideshow ppsx; -application/vnd.openxmlformats-officedocument.presentationml.template potx; -application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; -application/vnd.openxmlformats-officedocument.spreadsheetml.template xltx; -application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; -application/vnd.openxmlformats-officedocument.wordprocessingml.template dotx; -application/vnd.osa.netdeploy ndc; -application/vnd.osgeo.mapguide.package mgp; -application/vnd.osgi.dp dp; -application/vnd.osgi.subsystem esa; -application/vnd.oxli.countgraph oxlicg; -application/vnd.palm prc pdb pqa oprc; -application/vnd.panoply plp; -application/vnd.patentdive dive; -application/vnd.pawaafile paw; -application/vnd.pg.format str; -application/vnd.pg.osasli ei6; -application/vnd.piaccess.application-licence pil; -application/vnd.picsel efif; -application/vnd.pmi.widget wg; -application/vnd.pocketlearn plf; -application/vnd.powerbuilder6 pbd; -application/vnd.preminet preminet; -application/vnd.previewsystems.box box vbox; -application/vnd.proteus.magazine mgz; -application/vnd.psfs psfs; -application/vnd.publishare-delta-tree qps; -application/vnd.pvi.ptid1 ptid; -application/vnd.qualcomm.brew-app-res bar; -application/vnd.Quark.QuarkXPress qxd qxt qwd qwt qxl qxb; -application/vnd.quobject-quoxdocument quox quiz; -application/vnd.rainstor.data tree; -application/vnd.rar rar; -application/vnd.realvnc.bed bed; -application/vnd.recordare.musicxml mxl; -application/vnd.rig.cryptonote cryptonote; -application/vnd.route66.link66+xml link66; -application/vnd.sailingtracker.track st; -application/vnd.sar SAR; -application/vnd.scribus scd sla slaz; -application/vnd.sealed.3df s3df; -application/vnd.sealed.csf scsf; -application/vnd.sealed.doc sdoc sdo s1w; -application/vnd.sealed.eml seml sem; -application/vnd.sealed.mht smht smh; -application/vnd.sealed.ppt sppt s1p; -application/vnd.sealed.tiff stif; -application/vnd.sealed.xls sxls sxl s1e; -application/vnd.sealedmedia.softseal.html stml s1h; -application/vnd.sealedmedia.softseal.pdf spdf spd s1a; -application/vnd.seemail see; -application/vnd.sema sema; -application/vnd.semd semd; -application/vnd.semf semf; -application/vnd.shade-save-file ssv; -application/vnd.shana.informed.formdata ifm; -application/vnd.shana.informed.formtemplate itp; -application/vnd.shana.informed.interchange iif; -application/vnd.shana.informed.package ipk; -application/vnd.shp shp; -application/vnd.shx shx; -application/vnd.sigrok.session sr; -application/vnd.SimTech-MindMapper twd twds; -application/vnd.smaf mmf; -application/vnd.smart.notebook notebook; -application/vnd.smart.teacher teacher; -application/vnd.snesdev-page-table ptrom pt; -application/vnd.software602.filler.form+xml fo; -application/vnd.software602.filler.form-xml-zip zfo; -application/vnd.solent.sdkm+xml sdkm sdkd; -application/vnd.spotfire.dxp dxp; -application/vnd.spotfire.sfs sfs; -application/vnd.sqlite3 sqlite sqlite3; -application/vnd.stepmania.package smzip; -application/vnd.stepmania.stepchart sm; -application/vnd.sun.wadl+xml wadl; -application/vnd.sus-calendar sus susp; -application/vnd.sycle+xml scl; -application/vnd.syncml+xml xsm; -application/vnd.syncml.dm+wbxml bdm; -application/vnd.syncml.dm+xml xdm; -application/vnd.syncml.dmddf+xml ddf; -application/vnd.tao.intent-module-archive tao; -application/vnd.tcpdump.pcap pcap cap dmp; -application/vnd.theqvd qvd; -application/vnd.think-cell.ppttc+json ppttc; -application/vnd.tml vfr viaframe; -application/vnd.tmobile-livetv tmo; -application/vnd.trid.tpt tpt; -application/vnd.triscape.mxs mxs; -application/vnd.trueapp tra; -application/vnd.ufdl ufdl ufd frm; -application/vnd.uiq.theme utz; -application/vnd.umajin umj; -application/vnd.unity unityweb; -application/vnd.uoml+xml uoml uo; -application/vnd.uri-map urim urimap; -application/vnd.valve.source.material vmt; -application/vnd.vcx vcx; -application/vnd.vd-study mxi study-inter model-inter; -application/vnd.vectorworks vwx; -application/vnd.veryant.thin istc isws; -application/vnd.ves.encrypted VES; -application/vnd.vidsoft.vidconference vsc; -application/vnd.visio vsd vst vsw vss; -application/vnd.visionary vis; -application/vnd.vsf vsf; -application/vnd.wap.sic sic; -application/vnd.wap.slc slc; -application/vnd.wap.wbxml wbxml; -application/vnd.wap.wmlc wmlc; -application/vnd.wap.wmlscriptc wmlsc; -application/vnd.webturbo wtb; -application/vnd.wfa.p2p p2p; -application/vnd.wfa.wsc wsc; -application/vnd.wmc wmc; -application/vnd.wolfram.mathematica.package m; -application/vnd.wolfram.player nbp; -application/vnd.wordperfect wpd; -application/vnd.wqd wqd; -application/vnd.wt.stf stf; -application/vnd.wv.csp+wbxml wv; -application/vnd.xara xar; -application/vnd.xfdl xfdl xfd; -application/vnd.xmpie.cpkg cpkg; -application/vnd.xmpie.dpkg dpkg; -application/vnd.xmpie.ppkg ppkg; -application/vnd.xmpie.xlim xlim; -application/vnd.yamaha.hv-dic hvd; -application/vnd.yamaha.hv-script hvs; -application/vnd.yamaha.hv-voice hvp; -application/vnd.yamaha.openscoreformat osf; -application/vnd.yamaha.smaf-audio saf; -application/vnd.yamaha.smaf-phrase spf; -application/vnd.yaoweme yme; -application/vnd.yellowriver-custom-menu cmp; -application/vnd.zul zir zirz; -application/vnd.zzazz.deck+xml zaz; -application/voicexml+xml vxml; -application/voucher-cms+json vcj; -application/wasm wasm; -application/watcherinfo+xml wif; -application/widget wgt; -application/wsdl+xml wsdl; -application/wspolicy+xml wspolicy; -application/xcap-att+xml xav; -application/xcap-caps+xml xca; -application/xcap-diff+xml xdf; -application/xcap-el+xml xel; -application/xcap-error+xml xer; -application/xcap-ns+xml xns; -application/xhtml+xml xhtml xhtm xht; -application/xliff+xml xlf; -application/xml-dtd dtd; -application/xop+xml xop; -application/xslt+xml xsl xslt; -application/xv+xml mxml xhvml xvml xvm; -application/yang yang; -application/yin+xml yin; -application/zip zip; -application/zstd zst; -audio/32kadpcm 726; -audio/aac adts aac ass; -audio/ac3 ac3; -audio/AMR amr; -audio/AMR-WB awb; -audio/asc acn; -audio/ATRAC-ADVANCED-LOSSLESS aal; -audio/ATRAC-X atx; -audio/ATRAC3 at3 aa3 omg; -audio/basic au snd; -audio/dls dls; -audio/EVRC evc; -audio/EVRCB evb; -audio/EVRCNW enw; -audio/EVRCWB evw; -audio/iLBC lbc; -audio/L16 l16; -audio/mhas mhas; -audio/mobile-xmf mxmf; -audio/mp4 m4a; -audio/mpeg mp3 mpga mp1 mp2; -audio/ogg oga ogg opus spx; -audio/prs.sid sid psid; -audio/QCELP qcp; -audio/SMV smv; -audio/sofa sofa; -audio/usac loas xhe; -audio/vnd.audiokoz koz; -audio/vnd.dece.audio uva uvva; -audio/vnd.digital-winds eol; -audio/vnd.dolby.mlp mlp; -audio/vnd.dts dts; -audio/vnd.dts.hd dtshd; -audio/vnd.everad.plj plj; -audio/vnd.lucent.voice lvp; -audio/vnd.ms-playready.media.pya pya; -audio/vnd.nortel.vbk vbk; -audio/vnd.nuera.ecelp4800 ecelp4800; -audio/vnd.nuera.ecelp7470 ecelp7470; -audio/vnd.nuera.ecelp9600 ecelp9600; -audio/vnd.presonus.multitrack multitrack; -audio/vnd.rip rip; -audio/vnd.sealedmedia.softseal.mpeg smp3 smp s1m; -font/collection ttc; -font/otf otf; -font/ttf ttf; -font/woff woff; -font/woff2 woff2; -image/aces exr; -image/avci avci; -image/avcs avcs; -image/avif avif hif; -image/bmp bmp dib; -image/cgm cgm; -image/dicom-rle drle; -image/emf emf; -image/fits fits fit fts; -image/heic heic; -image/heic-sequence heics; -image/heif heif; -image/heif-sequence heifs; -image/hej2k hej2; -image/hsj2 hsj2; -image/gif gif; -image/ief ief; -image/jls jls; -image/jp2 jp2 jpg2; -image/jph jph; -image/jphc jhc; -image/jpeg jpg jpeg jpe jfif; -image/jpm jpm jpgm; -image/jpx jpx jpf; -image/jxl jxl; -image/jxr jxr; -image/jxrA jxra; -image/jxrS jxrs; -image/jxs jxs; -image/jxsc jxsc; -image/jxsi jxsi; -image/jxss jxss; -image/ktx ktx; -image/ktx2 ktx2; -image/png png; -image/prs.btif btif btf; -image/prs.pti pti; -image/svg+xml svg svgz; -image/t38 t38; -image/tiff tiff tif; -image/tiff-fx tfx; -image/vnd.adobe.photoshop psd; -image/vnd.airzip.accelerator.azv azv; -image/vnd.dece.graphic uvi uvvi uvg uvvg; -image/vnd.djvu djvu djv; -image/vnd.dwg dwg; -image/vnd.dxf dxf; -image/vnd.fastbidsheet fbs; -image/vnd.fpx fpx; -image/vnd.fst fst; -image/vnd.fujixerox.edmics-mmr mmr; -image/vnd.fujixerox.edmics-rlc rlc; -image/vnd.globalgraphics.pgb pgb; -image/vnd.microsoft.icon ico; -image/vnd.mozilla.apng apng; -image/vnd.ms-modi mdi; -image/vnd.pco.b16 b16; -image/vnd.radiance hdr rgbe xyze; -image/vnd.sealed.png spng spn s1n; -image/vnd.sealedmedia.softseal.gif sgif sgi s1g; -image/vnd.sealedmedia.softseal.jpg sjpg sjp s1j; -image/vnd.tencent.tap tap; -image/vnd.valve.source.texture vtf; -image/vnd.wap.wbmp wbmp; -image/vnd.xiff xif; -image/vnd.zbrush.pcx pcx; -image/wmf wmf; -message/global u8msg; -message/global-delivery-status u8dsn; -message/global-disposition-notification u8mdn; -message/global-headers u8hdr; -message/rfc822 eml mail art; -model/gltf-binary glb; -model/gltf+json gltf; -model/iges igs iges; -model/mesh msh mesh silo; -model/mtl mtl; -model/obj obj; -model/stl stl; -model/vnd.collada+xml dae; -model/vnd.dwf dwf; -model/vnd.gdl gdl gsm win dor lmp rsm msm ism; -model/vnd.gtw gtw; -model/vnd.moml+xml moml; -model/vnd.mts mts; -model/vnd.opengex ogex; -model/vnd.parasolid.transmit.binary x_b xmt_bin; -model/vnd.parasolid.transmit.text x_t xmt_txt; -model/vnd.pytha.pyox pyo pyox; -model/vnd.sap.vds vds; -model/vnd.usdz+zip usdz; -model/vnd.valve.source.compiled-map bsp; -model/vnd.vtu vtu; -model/vrml wrl vrml; -model/x3d+xml x3db; -model/x3d-vrml x3dv x3dvz; -multipart/vnd.bint.med-plus bmed; -multipart/voice-message vpm; -text/cache-manifest appcache manifest; -text/calendar ics ifb; -text/cql CQL; -text/css css; -text/csv csv; -text/csv-schema csvs; -text/dns soa zone; -text/gff3 gff3; -text/html html htm; -text/jcr-cnd cnd; -text/markdown markdown md; -text/mizar miz; -text/n3 n3; -text/plain txt asc text pm el c h cc hh cxx hxx f90 conf log; -text/provenance-notation provn; -text/prs.fallenstein.rst rst; -text/prs.lines.tag tag dsc; -text/richtext rtx; -text/SGML sgml sgm; -text/shaclc shaclc shc; -text/spdx spdx; -text/tab-separated-values tsv; -text/troff t tr roff; -text/turtle ttl; -text/uri-list uris uri; -text/vcard vcf vcard; -text/vnd.a a; -text/vnd.abc abc; -text/vnd.ascii-art ascii; -text/vnd.debian.copyright copyright; -text/vnd.DMClientScript dms; -text/vnd.dvb.subtitle sub; -text/vnd.esmertec.theme-descriptor jtd; -text/vnd.ficlab.flt flt; -text/vnd.fly fly; -text/vnd.fmi.flexstor flx; -text/vnd.graphviz gv dot; -text/vnd.hans hans; -text/vnd.hgl hgl; -text/vnd.in3d.3dml 3dml 3dm; -text/vnd.in3d.spot spot spo; -text/vnd.ms-mediapackage mpf; -text/vnd.net2phone.commcenter.command ccc; -text/vnd.senx.warpscript mc2; -text/vnd.si.uricatalogue uric; -text/vnd.sun.j2me.app-descriptor jad; -text/vnd.sosi sos; -text/vnd.trolltech.linguist ts; -text/vnd.wap.si si; -text/vnd.wap.sl sl; -text/vnd.wap.wml wml; -text/vnd.wap.wmlscript wmls; -text/vtt vtt; -text/xml xml xsd rng; -text/xml-external-parsed-entity ent; -video/3gpp 3gp 3gpp; -video/3gpp2 3g2 3gpp2; -video/iso.segment m4s; -video/mj2 mj2 mjp2; -video/mp4 mp4 mpg4 m4v; -video/mpeg mpeg mpg mpe m1v m2v; -video/ogg ogv; -video/quicktime mov qt; -video/vnd.dece.hd uvh uvvh; -video/vnd.dece.mobile uvm uvvm; -video/vnd.dece.mp4 uvu uvvu; -video/vnd.dece.pd uvp uvvp; -video/vnd.dece.sd uvs uvvs; -video/vnd.dece.video uvv uvvv; -video/vnd.dvb.file dvb; -video/vnd.fvt fvt; -video/vnd.mpegurl mxu m4u; -video/vnd.ms-playready.media.pyv pyv; -video/vnd.nokia.interleaved-multimedia nim; -video/vnd.radgamettools.bink bik bk2; -video/vnd.radgamettools.smacker smk; -video/vnd.sealed.mpeg1 smpg s11; -video/vnd.sealed.mpeg4 s14; -video/vnd.sealed.swf sswf ssw; -video/vnd.sealedmedia.softseal.mov smov smo s1q; -video/vnd.youtube.yt yt; -video/vnd.vivo viv; -application/mac-compactpro cpt; -application/metalink+xml metalink; -application/owl+xml owx; -application/rss+xml rss; -application/vnd.android.package-archive apk; -application/vnd.oma.dd+xml dd; -application/vnd.oma.drm.content dcf; -application/vnd.oma.drm.dcf o4a o4v; -application/vnd.oma.drm.message dm; -application/vnd.oma.drm.rights+wbxml drc; -application/vnd.oma.drm.rights+xml dr; -application/vnd.sun.xml.calc sxc; -application/vnd.sun.xml.calc.template stc; -application/vnd.sun.xml.draw sxd; -application/vnd.sun.xml.draw.template std; -application/vnd.sun.xml.impress sxi; -application/vnd.sun.xml.impress.template sti; -application/vnd.sun.xml.math sxm; -application/vnd.sun.xml.writer sxw; -application/vnd.sun.xml.writer.global sxg; -application/vnd.sun.xml.writer.template stw; -application/vnd.symbian.install sis; -application/vnd.wap.mms-message mms; -application/x-annodex anx; -application/x-bcpio bcpio; -application/x-bittorrent torrent; -application/x-bzip2 bz2; -application/x-cdlink vcd; -application/x-chrome-extension crx; -application/x-cpio cpio; -application/x-csh csh; -application/x-director dcr dir dxr; -application/x-dvi dvi; -application/x-futuresplash spl; -application/x-gtar gtar; -application/x-hdf hdf; -application/x-java-archive jar; -application/x-java-jnlp-file jnlp; -application/x-java-pack200 pack; -application/x-killustrator kil; -application/x-latex latex; -application/x-netcdf nc cdf; -application/x-perl pl; -application/x-rpm rpm; -application/x-sh sh; -application/x-shar shar; -application/x-stuffit sit; -application/x-sv4cpio sv4cpio; -application/x-sv4crc sv4crc; -application/x-tar tar; -application/x-tcl tcl; -application/x-tex tex; -application/x-texinfo texinfo texi; -application/x-troff-man man 1 2 3 4 5 6 7 8; -application/x-troff-me me; -application/x-troff-ms ms; -application/x-ustar ustar; -application/x-wais-source src; -application/x-xpinstall xpi; -application/x-xspf+xml xspf; -application/x-xz xz; -audio/midi mid midi kar; -audio/x-aiff aif aiff aifc; -audio/x-annodex axa; -audio/x-flac flac; -audio/x-matroska mka; -audio/x-mod mod ult uni m15 mtm 669 med; -audio/x-mpegurl m3u; -audio/x-ms-wax wax; -audio/x-ms-wma wma; -audio/x-pn-realaudio ram rm; -audio/x-realaudio ra; -audio/x-s3m s3m; -audio/x-stm stm; -audio/x-wav wav; -chemical/x-xyz xyz; -image/webp webp; -image/x-cmu-raster ras; -image/x-portable-anymap pnm; -image/x-portable-bitmap pbm; -image/x-portable-graymap pgm; -image/x-portable-pixmap ppm; -image/x-rgb rgb; -image/x-targa tga; -image/x-xbitmap xbm; -image/x-xpixmap xpm; -image/x-xwindowdump xwd; -text/html-sandboxed sandboxed; -text/x-pod pod; -text/x-setext etx; -video/webm webm; -video/x-annodex axv; -video/x-flv flv; -video/x-javafx fxm; -video/x-matroska mkv; -video/x-matroska-3d mk3d; -video/x-ms-asf asx; -video/x-ms-wm wm; -video/x-ms-wmv wmv; -video/x-ms-wmx wmx; -video/x-ms-wvx wvx; -video/x-msvideo avi; -video/x-sgi-movie movie; -x-conference/x-cooltalk ice; -x-epoc/x-sisx-app sisx; -} diff --git a/ansible/roles/podman/files/nginx/modsec_includes.conf b/ansible/roles/podman/files/nginx/modsec_includes.conf deleted file mode 100644 index 123966e..0000000 --- a/ansible/roles/podman/files/nginx/modsec_includes.conf +++ /dev/null @@ -1,3 +0,0 @@ -include modsecurity.conf -include conf/crs-setup.conf -include conf/rules/*.conf diff --git a/ansible/roles/podman/handlers/main.yml b/ansible/roles/podman/handlers/main.yml index 0905aea..88cd92c 100644 --- a/ansible/roles/podman/handlers/main.yml +++ b/ansible/roles/podman/handlers/main.yml @@ -7,17 +7,7 @@ - podman - selinux -- name: restart nginx - become: true - become_user: "{{ podman_user }}" - ansible.builtin.command: | - podman restart nginx - tags: - - nginx - - http - - https - - modsec - - modsec_rules +# nginx handler removed - nginx infrastructure decommissioned - name: restart firewalld become: true @@ -26,3 +16,20 @@ state: restarted tags: - firewall + +- name: restart caddy + become: true + become_user: "{{ podman_user }}" + ansible.builtin.command: | + podman restart caddy + tags: + - caddy + +- name: reload caddy + become: true + become_user: "{{ podman_user }}" + ansible.builtin.command: | + podman exec caddy caddy reload --config /etc/caddy/Caddyfile + tags: + - caddy + - caddy-config diff --git a/ansible/roles/podman/tasks/containers/base/caddy.yml b/ansible/roles/podman/tasks/containers/base/caddy.yml new file mode 100644 index 0000000..c4668a4 --- /dev/null +++ b/ansible/roles/podman/tasks/containers/base/caddy.yml @@ -0,0 +1,38 @@ +--- +- name: pull caddy image + become: true + become_user: "{{ podman_user }}" + containers.podman.podman_image: + name: "{{ image }}" + state: present + tags: + - caddy + +- name: create caddy container + become: true + become_user: "{{ podman_user }}" + containers.podman.podman_container: + name: caddy + image: "{{ image }}" + state: started + recreate: true + network: host + volumes: + - "{{ caddy_path }}/config/Caddyfile:/etc/caddy/Caddyfile:ro" + - "{{ caddy_path }}/data:/data:Z" + - "{{ caddy_path }}/config:/config:Z" + - "{{ caddy_path }}/logs:/var/log/caddy:Z" +# Legacy volume mounts removed - Caddy manages certificates automatically + # Mount static site directories + - "/usr/local/share/fulfillr-site:/usr/local/share/fulfillr-site:ro" + env: + CADDY_ADMIN: "0.0.0.0:2019" + restart_policy: always + tags: + - caddy + +- import_tasks: podman/systemd-generate.yml + vars: + container_name: caddy + tags: + - caddy \ No newline at end of file diff --git a/ansible/roles/podman/tasks/containers/base/conf-caddy.yml b/ansible/roles/podman/tasks/containers/base/conf-caddy.yml new file mode 100644 index 0000000..f8932fb --- /dev/null +++ b/ansible/roles/podman/tasks/containers/base/conf-caddy.yml @@ -0,0 +1,41 @@ +--- +- name: create caddy directories + become: true + ansible.builtin.file: + path: "{{ item }}" + state: directory + owner: "{{ podman_user }}" + group: "{{ podman_user }}" + mode: '0755' + loop: + - "{{ caddy_path }}" + - "{{ caddy_path }}/data" + - "{{ caddy_path }}/config" + - "{{ caddy_path }}/logs" + tags: + - caddy + +- name: create letsencrypt shared root srv directory (for migration) + become: true + ansible.builtin.file: + path: /srv/http/letsencrypt + owner: "{{ podman_user }}" + group: "{{ podman_user }}" + mode: '0755' + state: directory + tags: + - caddy + - ssl + +- name: deploy caddyfile + become: true + ansible.builtin.template: + src: caddy/Caddyfile.j2 + dest: "{{ caddy_path }}/config/Caddyfile" + owner: "{{ podman_user }}" + group: "{{ podman_user }}" + mode: '0644' + notify: reload caddy + tags: + - caddy + - caddy-config \ No newline at end of file diff --git a/ansible/roles/podman/tasks/containers/base/conf-nginx-http.yml b/ansible/roles/podman/tasks/containers/base/conf-nginx-http.yml deleted file mode 100644 index b9d82cd..0000000 --- a/ansible/roles/podman/tasks/containers/base/conf-nginx-http.yml +++ /dev/null @@ -1,101 +0,0 @@ ---- -- name: create required nginx volumes - become: true - ansible.builtin.file: - path: "{{ nginx_path }}/etc" - state: directory - owner: "{{ podman_user }}" - group: "{{ podman_user }}" - mode: 0755 - notify: restorecon podman - tags: http - -- name: setup nginx base configuration - become: true - ansible.builtin.template: - src: templates/nginx/nginx.conf.j2 - dest: "{{ nginx_path }}/etc/nginx.conf" - owner: "{{ podman_user }}" - group: "{{ podman_user }}" - mode: 0644 - notify: - - restorecon podman - - restart nginx - tags: http - -- name: create required nginx files - become: true - ansible.builtin.copy: - src: "files/nginx/{{ item }}" - dest: "{{ nginx_path }}/etc/{{ item }}" - owner: "{{ podman_user }}" - group: "{{ podman_user }}" - mode: 0644 - loop: - - mime.types - notify: - - restorecon podman - - restart nginx - tags: http - -- name: setup nginx directories - become: true - ansible.builtin.file: - path: "{{ nginx_path }}/etc/{{ item }}" - owner: "{{ podman_user }}" - group: "{{ podman_user }}" - state: directory - mode: 0755 - notify: restorecon podman - loop: - - sites-enabled - - sites-available - tags: http - -- name: template nginx http sites-available - become: true - ansible.builtin.template: - src: "templates/nginx/sites/{{ item }}.j2" - dest: "{{ nginx_path }}/etc/sites-available/{{ item }}" - owner: "{{ podman_user }}" - group: "{{ podman_user }}" - mode: 0644 - loop: - - "{{ base_server_name }}.conf" - - "{{ assistant_server_name }}.conf" - - "{{ bookstack_server_name }}.conf" - - "{{ ci_server_name }}.http.conf" - - "{{ cloud_server_name }}.conf" - - "{{ cloud_skudak_server_name }}.conf" - - "{{ fulfillr_server_name }}.conf" - - "{{ home_server_name }}.conf" - - "{{ parts_server_name }}.conf" - - "{{ photos_server_name }}.conf" - notify: - - restorecon podman - - restart nginx - tags: http - -- name: enable desired nginx http sites - become: true - ansible.builtin.file: - src: "../sites-available/{{ item }}" - dest: "{{ nginx_path }}/etc/sites-enabled/{{ item }}" - owner: "{{ podman_user }}" - group: "{{ podman_user }}" - state: link - loop: - - "{{ base_server_name }}.conf" - - "{{ assistant_server_name }}.conf" - - "{{ bookstack_server_name }}.conf" - - "{{ ci_server_name }}.http.conf" - - "{{ cloud_server_name }}.conf" - - "{{ cloud_skudak_server_name }}.conf" - - "{{ fulfillr_server_name }}.conf" - - "{{ home_server_name }}.conf" - - "{{ parts_server_name }}.conf" - - "{{ photos_server_name }}.conf" - notify: - - restorecon podman - - restart nginx - tags: http diff --git a/ansible/roles/podman/tasks/containers/base/conf-nginx-https.yml b/ansible/roles/podman/tasks/containers/base/conf-nginx-https.yml deleted file mode 100644 index acdc86c..0000000 --- a/ansible/roles/podman/tasks/containers/base/conf-nginx-https.yml +++ /dev/null @@ -1,72 +0,0 @@ ---- -- name: create nginx ssl directory - become: true - ansible.builtin.file: - path: "{{ nginx_path }}/etc/ssl" - owner: "{{ podman_user }}" - group: "{{ podman_user }}" - mode: 0644 - state: directory - tags: https - -- name: stat dhparam - become: true - ansible.builtin.stat: - path: "{{ nginx_path }}/etc/ssl/dhparam.pem" - register: dhparam - tags: https - -- name: generate openssl dhparam for nginx - become: true - ansible.builtin.command: | - openssl dhparam -out {{ nginx_path }}/ssl/dhparam.pem 2048 - when: not dhparam.stat.exists - args: - creates: "{{ nginx_path }}/ssl/dhparam.pem" - tags: https - -- name: template nginx https sites-available - become: true - ansible.builtin.template: - src: "templates/nginx/sites/{{ item }}.j2" - dest: "{{ nginx_path }}/etc/sites-available/{{ item }}" - owner: "{{ podman_user }}" - group: "{{ podman_user }}" - mode: 0644 - loop: - - "{{ base_server_name }}.https.conf" - - "{{ assistant_server_name }}.https.conf" - - "{{ bookstack_server_name }}.https.conf" - - "{{ ci_server_name }}.https.conf" - - "{{ cloud_server_name }}.https.conf" - - "{{ cloud_skudak_server_name }}.https.conf" - - "{{ fulfillr_server_name }}.https.conf" - - "{{ parts_server_name }}.https.conf" - - "{{ photos_server_name }}.https.conf" - notify: - - restorecon podman - - restart nginx - tags: https - -- name: enable desired nginx https sites - become: true - ansible.builtin.file: - src: "../sites-available/{{ item }}" - dest: "{{ nginx_path }}/etc/sites-enabled/{{ item }}" - owner: "{{ podman_user }}" - group: "{{ podman_user }}" - state: link - loop: - - "{{ base_server_name }}.https.conf" - - "{{ assistant_server_name }}.https.conf" - - "{{ bookstack_server_name }}.https.conf" - - "{{ ci_server_name }}.https.conf" - - "{{ cloud_server_name }}.https.conf" - - "{{ cloud_skudak_server_name }}.https.conf" - - "{{ fulfillr_server_name }}.https.conf" - - "{{ parts_server_name }}.https.conf" - - "{{ photos_server_name }}.https.conf" - notify: - - restorecon podman - - restart nginx - tags: https diff --git a/ansible/roles/podman/tasks/containers/base/conf-nginx-modsec.yml b/ansible/roles/podman/tasks/containers/base/conf-nginx-modsec.yml deleted file mode 100644 index 46d33b8..0000000 --- a/ansible/roles/podman/tasks/containers/base/conf-nginx-modsec.yml +++ /dev/null @@ -1,127 +0,0 @@ ---- -- name: create nginx/conf directory - become: true - ansible.builtin.file: - path: "{{ item }}" - state: directory - owner: "{{ podman_user }}" - group: "{{ podman_user }}" - mode: 0644 - loop: - - "{{ nginx_conf_path }}" - - "{{ modsec_rules_path }}" - notify: restorecon podman - tags: modsec - -- name: create modsec_includes.conf - become: true - ansible.builtin.copy: - src: files/nginx/modsec_includes.conf - dest: "{{ nginx_path }}/etc/modsec_includes.conf" - owner: "{{ podman_user }}" - group: "{{ podman_user }}" - mode: 0644 - notify: - - restorecon podman - - restart nginx - tags: modsec - -- name: clone coreruleset and modsecurity - become: true - ansible.builtin.git: - repo: "{{ item.src }}" - dest: "{{ item.dest }}" - update: "{{ update_modsec | default(false) }}" - force: true - version: "{{ item.ver }}" - loop: "{{ modsec_git_urls }}" - tags: modsec - -- name: setup modsec and coreruleset configs - become: true - ansible.builtin.copy: - src: "{{ item.src }}" - dest: "{{ item.dest }}" - owner: "{{ podman_user }}" - group: "{{ podman_user }}" - force: "{{ update_modsec | default(false) }}" - mode: 0644 - remote_src: true - loop: "{{ modsec_conf_links }}" - notify: - - restorecon podman - - restart nginx - tags: modsec - -- name: setup coreruleset rules - become: true - ansible.builtin.copy: - src: "{{ crs_rules_path }}/{{ item.name }}.conf" - dest: "{{ modsec_rules_path }}/{{ item.name }}.conf" - owner: "{{ podman_user }}" - group: "{{ podman_user }}" - force: "{{ update_modsec | default(false) }}" - mode: 0644 - remote_src: true - when: item.enabled - loop: "{{ crs_rule_links }}" - notify: - - restorecon podman - - restart nginx - tags: - - modsec - - modsec_rules - -- name: removed disabled coreruleset rules - become: true - ansible.builtin.file: - path: "{{ modsec_rules_path }}/{{ item.name }}.conf" - state: absent - when: not item.enabled - loop: "{{ crs_rule_links }}" - notify: - - restorecon podman - - restart nginx - tags: - - modsec - - modsec_rules - -- name: setup coreruleset data - become: true - ansible.builtin.copy: - src: "{{ crs_rules_path }}/{{ item }}.data" - dest: "{{ modsec_rules_path }}/{{ item }}.data" - force: "{{ update_modsec | default(false) }}" - owner: "{{ podman_user }}" - group: "{{ podman_user }}" - mode: 0644 - remote_src: true - loop: "{{ crs_data_links }}" - notify: - - restorecon podman - - restart nginx - tags: - - modsec - - modsec_rules - -- name: whitelist local ip addresses - become: true - ansible.builtin.lineinfile: - path: "{{ modsec_crs_before_rule_conf }}" - regexp: "{{ modsec_whitelist_local_re }}" - line: "{{ modsec_whitelist_local }}" - notify: restart nginx - tags: - - modsec - - modsec_rules - - modsec_whitelist - -- name: activate mod-security - become: true - ansible.builtin.lineinfile: - path: "{{ nginx_path }}/etc/modsecurity.conf" - regexp: "{{ item.regex }}" - line: "{{ item.line }}" - loop: "{{ modsec_conf_replaces }} " - notify: restart nginx - tags: modsec diff --git a/ansible/roles/podman/tasks/containers/base/conf-nginx.yml b/ansible/roles/podman/tasks/containers/base/conf-nginx.yml deleted file mode 100644 index afa0cb8..0000000 --- a/ansible/roles/podman/tasks/containers/base/conf-nginx.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -- name: create letsencrypt shared root srv directory - become: true - ansible.builtin.file: - path: /srv/http/letsencrypt - owner: "{{ podman_user }}" - group: "{{ podman_user }}" - mode: 0755 - state: directory - tags: - - ssl - - https - -- import_tasks: conf-nginx-http.yml -- import_tasks: conf-nginx-https.yml -- import_tasks: conf-nginx-modsec.yml - -- name: flush handlers - ansible.builtin.meta: flush_handlers - tags: - - http - - modsec - - modsec_rules diff --git a/ansible/roles/podman/tasks/containers/base/nginx.yml b/ansible/roles/podman/tasks/containers/base/nginx.yml deleted file mode 100644 index 7ba9561..0000000 --- a/ansible/roles/podman/tasks/containers/base/nginx.yml +++ /dev/null @@ -1,33 +0,0 @@ ---- -- import_tasks: podman/podman-check.yml - vars: - container_name: nginx - container_image: "{{ image }}" - -- name: create nginx container - become: true - become_user: "{{ podman_user }}" - containers.podman.podman_container: - name: nginx - image: "{{ image }}" - entrypoint: "" - command: ["nginx", "-g", "daemon off;"] - restart_policy: on-failure:3 - log_driver: journald - network: - - host - cap_add: - - CAP_NET_BIND_SERVICE - ports: - - 80:80 - - 443:443 - volumes: - - "{{ nginx_path }}/etc:/etc/nginx:ro" - - "/srv/http/letsencrypt:/srv/http/letsencrypt:z" - - "/etc/letsencrypt:/etc/letsencrypt:ro" - - "/usr/local/share/fulfillr-site:/usr/local/share/fulfillr-site:ro" - -- name: create systemd startup job for nginx - include_tasks: podman/systemd-generate.yml - vars: - container_name: nginx diff --git a/ansible/roles/podman/tasks/containers/home/drone.yml b/ansible/roles/podman/tasks/containers/home/drone.yml deleted file mode 100644 index 063e75d..0000000 --- a/ansible/roles/podman/tasks/containers/home/drone.yml +++ /dev/null @@ -1,79 +0,0 @@ ---- -- name: create required drone volumes - become: true - ansible.builtin.file: - path: "{{ item }}" - state: directory - owner: "{{ podman_user }}" - group: "{{ podman_user }}" - mode: 0755 - notify: restorecon podman - loop: - - "{{ drone_path }}/data" - -- name: flush handlers - ansible.builtin.meta: flush_handlers - -- import_tasks: podman/podman-check.yml - vars: - container_name: drone - container_image: "{{ image }}" - -- name: create drone-ci server container - become: true - become_user: "{{ podman_user }}" - containers.podman.podman_container: - name: drone - image: "{{ image }}" - restart_policy: on-failure:3 - log_driver: journald - network: - - shared - env: - DRONE_LOGS_DEBUG: "false" - DRONE_RPC_DEBUG: "false" - DRONE_GITHUB_CLIENT_ID: "{{ drone_gh_client_id }}" - DRONE_GITHUB_CLIENT_SECRET: "{{ drone_gh_client_sec }}" - DRONE_RPC_SECRET: "{{ drone_rpc_secret }}" - DRONE_SERVER_HOST: "{{ ci_server_name }}" - DRONE_SERVER_PROTO: "{{ drone_server_proto }}" - DRONE_USER_FILTER: "{{ drone_user_filter }}" - volumes: - - "{{ drone_path }}/data:/data" - ports: - - "8080:80" - -- name: create systemd startup job for drone - include_tasks: podman/systemd-generate.yml - vars: - container_name: drone - -- import_tasks: podman/podman-check.yml - vars: - container_name: drone-runner - container_image: "{{ runner_image }}" - -- name: create drone-ci worker container - become: true - become_user: "{{ podman_user }}" - containers.podman.podman_container: - name: drone-runner - image: "{{ runner_image }}" - restart_policy: on-failure:3 - log_driver: journald - network: - - shared - env: - DRONE_RPC_SECRET: "{{ drone_rpc_secret }}" - DRONE_RPC_HOST: "drone" - DRONE_RPC_PROTO: "{{ drone_runner_proto }}" - DRONE_RUNNER_CAPACITY: "{{ drone_runner_capacity }}" - volumes: - - "/run/user/1002/podman/podman.sock:/var/run/docker.sock" - ports: - - "3000:3000" - -- name: create systemd startup job for drone-runner - include_tasks: podman/systemd-generate.yml - vars: - container_name: drone-runner diff --git a/ansible/roles/podman/tasks/firewall.yml b/ansible/roles/podman/tasks/firewall.yml index 425b38c..1d7503f 100644 --- a/ansible/roles/podman/tasks/firewall.yml +++ b/ansible/roles/podman/tasks/firewall.yml @@ -10,7 +10,7 @@ - "{{ syslog_udp_default }}/udp" - "{{ syslog_udp_error }}/udp" - "{{ syslog_udp_unifi }}/udp" - # nginx + # web server (Caddy) - 80/tcp - 443/tcp # pihole (unused?) @@ -65,5 +65,9 @@ # Palworld - 8211/udp - 25575/udp + # bunkerweb waf test ports + - 1080/tcp + - 1443/tcp + - 7000/tcp notify: restart firewalld tags: firewall diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml index 3167f12..b3d1a84 100644 --- a/ansible/roles/podman/tasks/main.yml +++ b/ansible/roles/podman/tasks/main.yml @@ -2,11 +2,24 @@ - import_tasks: firewall.yml - import_tasks: podman/podman.yml -- import_tasks: containers/base/conf-nginx.yml -- import_tasks: containers/base/nginx.yml +# WEB SERVER: Caddy is the default and only web server +# nginx has been completely replaced and removed + +# ===== WEB SERVER CONFIGURATION ===== +# Caddy is the default web server +- import_tasks: containers/base/conf-caddy.yml + tags: + - caddy + - web + +- import_tasks: containers/base/caddy.yml vars: - image: docker.io/owasp/modsecurity:nginx - tags: nginx + image: docker.io/library/caddy:2.10.2 + tags: + - caddy + - web + +# nginx cleanup completed - infrastructure removed - import_tasks: containers/base/awsddns.yml @@ -14,15 +27,11 @@ image: docker.io/bdebyl/awsddns:1.0.34 tags: ddns -- import_tasks: containers/home/drone.yml - vars: - runner_image: docker.io/drone/drone-runner-docker:1.8.3 - image: docker.io/drone/drone:2.18.0 - tags: drone +# Drone CI infrastructure completely removed - import_tasks: containers/home/hass.yml vars: - image: ghcr.io/home-assistant/home-assistant:2025.6 + image: ghcr.io/home-assistant/home-assistant:2025.9 tags: hass - import_tasks: containers/home/partkeepr.yml @@ -40,9 +49,9 @@ - import_tasks: containers/home/photos.yml vars: db_image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0 - ml_image: ghcr.io/immich-app/immich-machine-learning:v1.137.3 + ml_image: ghcr.io/immich-app/immich-machine-learning:v1.141.1 redis_image: docker.io/redis:6.2-alpine@sha256:eaba718fecd1196d88533de7ba49bf903ad33664a92debb24660a922ecd9cac8 - image: ghcr.io/immich-app/immich-server:v1.137.3 + image: ghcr.io/immich-app/immich-server:v1.141.1 tags: photos - import_tasks: containers/home/cloud.yml @@ -59,7 +68,7 @@ - import_tasks: containers/debyltech/fulfillr.yml vars: - image: "{{ aws_ecr_endpoint }}/fulfillr:20250726.0057" + image: "{{ aws_ecr_endpoint }}/fulfillr:20250909.2013" tags: debyltech, fulfillr - import_tasks: containers/home/nosql.yml diff --git a/ansible/roles/podman/tasks/podman/systemd-generate.yml b/ansible/roles/podman/tasks/podman/systemd-generate.yml index d123593..c48a09e 100644 --- a/ansible/roles/podman/tasks/podman/systemd-generate.yml +++ b/ansible/roles/podman/tasks/podman/systemd-generate.yml @@ -13,8 +13,8 @@ ansible.builtin.systemd: name: "{{ container_name }}.service" daemon_reload: true - enabled: true - state: restarted + enabled: "{{ service_enabled | default(true) }}" + state: "{{ 'started' if (service_enabled | default(true)) else 'stopped' }}" scope: user register: result retries: 3 diff --git a/ansible/roles/podman/templates/caddy/Caddyfile.j2 b/ansible/roles/podman/templates/caddy/Caddyfile.j2 new file mode 100644 index 0000000..656e039 --- /dev/null +++ b/ansible/roles/podman/templates/caddy/Caddyfile.j2 @@ -0,0 +1,228 @@ +# Caddy Configuration +# Managed by Ansible - do not edit directly + +# Global options +{ + email {{ caddy_email }} + acme_ca {{ caddy_acme_ca }} + + # Admin API endpoint + admin 0.0.0.0:{{ caddy_admin_port }} + + # Global server options + servers { + protocols h1 h2 h3 + } + + # Logging + log { + output file /var/log/caddy/caddy.log + format {{ caddy_log_format }} + level {{ caddy_log_level }} + } +} + +# Import snippet for common security headers +(common_headers) { + header { +{% for header, value in caddy_security_headers.items() %} + {{ header }} "{{ value }}" +{% endfor %} + -Server + -X-Powered-By + } +} + +# Jinja2 macro for IP-restricted sites with redirect +{% macro ip_restricted_site(networks=caddy_local_networks) %} + @local { + remote_ip {{ networks | join(' ') }} + } + + @denied { + not remote_ip {{ networks | join(' ') }} + } + + # Redirect non-local traffic + handle @denied { + redir https://debyl.io{uri} 302 + } +{% endmacro %} + +# ============================================================================ +# SITE CONFIGURATIONS +# ============================================================================ + +# Simple redirect: {{ base_server_name }} -> debyl.io +{{ base_server_name }} { + redir https://debyl.io permanent +} + +# ============================================================================ +# SIMPLE REVERSE PROXIES +# ============================================================================ + +# Photos service - {{ photos_server_name }} +{{ photos_server_name }} { + import common_headers + reverse_proxy localhost:8088 + + log { + output file /var/log/caddy/photos.log + format json + } +} + +# Parts/PartKeepr - {{ parts_server_name }} +{{ parts_server_name }} { + import common_headers + reverse_proxy localhost:8081 + + log { + output file /var/log/caddy/parts.log + format json + } +} + +# Wiki/BookStack - {{ bookstack_server_name }} +{{ bookstack_server_name }} { + import common_headers + reverse_proxy localhost:6875 + + log { + output file /var/log/caddy/wiki.log + format json + } +} + +# ============================================================================ +# IP-RESTRICTED SITES +# ============================================================================ + +# Home Assistant - {{ assistant_server_name }} +{{ assistant_server_name }} { +{{ ip_restricted_site() }} + + handle @local { + reverse_proxy localhost:8123 { + # WebSocket support is automatic + flush_interval -1 + } + + header { + Strict-Transport-Security "max-age=31536000; includeSubDomains" + X-Content-Type-Options "nosniff" + Referrer-Policy "same-origin" + } + } + + log { + output file /var/log/caddy/assistant.log + format json + } +} + +# CI/Drone - REMOVED +# ci.bdebyl.net configuration removed - Drone CI infrastructure decommissioned + +# Home server - {{ home_server_name }} +{{ home_server_name }} { +{{ ip_restricted_site() }} + + handle @local { + respond "Home Server Access OK" 200 + } +} + +# ============================================================================ +# COMPLEX CONFIGURATIONS +# ============================================================================ + +# Nextcloud - {{ cloud_server_name }} +{{ cloud_server_name }} { + request_body { + max_size {{ caddy_max_request_body_mb }}MB + } + + reverse_proxy localhost:8089 { + header_up Host {host} + header_up X-Real-IP {remote} + # X-Forwarded-For and X-Forwarded-Proto are automatic + } + + header { + Strict-Transport-Security "max-age=31536000; includeSubDomains" + X-Content-Type-Options "nosniff" + Referrer-Policy "same-origin" + -X-Powered-By + } + + # Nextcloud specific redirects + redir /.well-known/carddav /remote.php/dav 301 + redir /.well-known/caldav /remote.php/dav 301 + + log { + output file /var/log/caddy/cloud.log + format json + } +} + +# Skudak Nextcloud - {{ cloud_skudak_server_name }} +{{ cloud_skudak_server_name }} { + request_body { + max_size {{ caddy_max_request_body_mb }}MB + } + + reverse_proxy localhost:8090 { + header_up Host {host} + header_up X-Real-IP {remote} + } + + header { + Strict-Transport-Security "max-age=31536000; includeSubDomains" + X-Content-Type-Options "nosniff" + Referrer-Policy "same-origin" + -X-Powered-By + } + + # Nextcloud specific redirects + redir /.well-known/carddav /remote.php/dav 301 + redir /.well-known/caldav /remote.php/dav 301 + + log { + output file /var/log/caddy/cloud-skudak.log + format json + } +} + +# Fulfillr - {{ fulfillr_server_name }} (Static + API with IP restrictions) +{{ fulfillr_server_name }} { +{{ ip_restricted_site() }} + + @api { + path /api/* + } + + # Handle API requests + handle @api { + reverse_proxy localhost:9054 + } + + # Serve static files with SPA fallback + handle { + root * /usr/local/share/fulfillr-site + try_files {path} {path}/ /index.html + file_server + } + + header { + Strict-Transport-Security "max-age=31536000; includeSubDomains" + X-Content-Type-Options "nosniff" + Referrer-Policy "same-origin" + } + + log { + output file /var/log/caddy/fulfillr.log + format json + } +} \ No newline at end of file diff --git a/ansible/roles/podman/templates/nginx/nginx.conf.j2 b/ansible/roles/podman/templates/nginx/nginx.conf.j2 deleted file mode 100644 index 329f64a..0000000 --- a/ansible/roles/podman/templates/nginx/nginx.conf.j2 +++ /dev/null @@ -1,71 +0,0 @@ -user nginx; -worker_processes 1; - -load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so; - -error_log /var/log/nginx/error.log notice; -error_log syslog:server=127.0.0.1:{{ syslog_udp_error }},tag=nginx,severity=info notice; - -events { - worker_connections 1024; -} - -http { - map $http_upgrade $connection_upgrade { - default upgrade; - '' close; - } - - include mime.types; - - default_type application/octet-stream; - - log_format main '$remote_addr - $connection : $connection_requests [$time_iso8601] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - log_format graylog_json escape=json '{ "nginx_timestamp": "[$time_iso8601]", ' - '"remote_addr": "$remote_addr", ' - '"connection": "$connection", ' - '"connection_requests": $connection_requests, ' - '"body_bytes_sent": $body_bytes_sent, ' - '"request_length": $request_length, ' - '"request_time": $request_time, ' - '"response_status": $status, ' - '"request": "$request", ' - '"request_method": "$request_method", ' - '"host": "$host", ' - '"upstream_cache_status": "$upstream_cache_status", ' - '"upstream_addr": "$upstream_addr", ' - '"http_x_forwarded_for": "$http_x_forwarded_for", ' - '"http_referrer": "$http_referer", ' - '"http_user_agent": "$http_user_agent", ' - '"http_version": "$server_protocol", ' - '"remote_user": "$remote_user", ' - '"http_x_forwarded_proto": "$http_x_forwarded_proto", ' - '"upstream_response_time": "$upstream_response_time", ' - '"nginx_access": true }'; - - access_log /var/log/nginx/access.log main; - access_log syslog:server=127.0.0.1:{{ syslog_udp_default }},tag=nginx,severity=info graylog_json; - - sendfile on; - server_tokens off; - #tcp_nopush on; - - keepalive_timeout 65; - - gzip on; - gzip_disable "mise6"; - gzip_min_length 1000; - gzip_proxied expired no-cache no-store private auth; - gzip_types text/plain application/xml application/json application/javascript application/octet-stream text/css; - - # client_body_buffer_size 1k; - # client_header_buffer_size 1k; - # client_max_body_size 2k; - # large_client_header_buffers 2 1k; - - limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s; - - include /etc/nginx/sites-enabled/*.conf; -} \ No newline at end of file diff --git a/ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.conf.j2 deleted file mode 100644 index ef3e268..0000000 --- a/ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.conf.j2 +++ /dev/null @@ -1,13 +0,0 @@ -server { - listen 80; - server_name {{ assistant_server_name }}; - - location '/.well-known/acme-challenge' { - default_type "text/plain"; - root /srv/http/letsencrypt; - } - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.https.conf.j2 deleted file mode 100644 index 59d6bcc..0000000 --- a/ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.https.conf.j2 +++ /dev/null @@ -1,60 +0,0 @@ -upstream assistant { - server 127.0.0.1:8123; -} - -geo $local_access { - default 0; - 192.168.1.1 1; -} - -server { - modsecurity on; - modsecurity_rules_file /etc/nginx/modsec_includes.conf; - - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name assistant.bdebyl.net; - - ssl_certificate /etc/letsencrypt/live/{{ assistant_server_name }}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/{{ assistant_server_name }}/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/{{ assistant_server_name }}/fullchain.pem; - ssl_dhparam /etc/nginx/ssl/dhparam.pem; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_session_cache shared:SSL:10m; - ssl_session_tickets off; - ssl_session_timeout 1d; - ssl_stapling on; - ssl_stapling_verify on; - - resolver 9.9.9.9 valid=60s ipv6=off; - - location / { - if ($local_access = 1) { - access_log off; - } - add_header Allow "GET, POST, HEAD" always; - add_header Referrer-Policy "same-origin" always; - add_header Strict-Transport-Security "max-age=630720000; includeSubDomains" always; - add_header X-Content-Type-Options "nosniff" always; - - # Sent from upstream: - # add_header X-Frame-Options "SAMEORIGIN"; - # add_header X-XSS-Protection "1; mode=block"; - - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_buffering off; - proxy_http_version 1.1; - proxy_pass http://assistant; - proxy_redirect off; - - chunked_transfer_encoding off; - } -} \ No newline at end of file diff --git a/ansible/roles/podman/templates/nginx/sites/bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/bdebyl.net.conf.j2 deleted file mode 100644 index 1cf36f6..0000000 --- a/ansible/roles/podman/templates/nginx/sites/bdebyl.net.conf.j2 +++ /dev/null @@ -1,13 +0,0 @@ -server { - listen 80; - server_name {{ base_server_name }}; - - location '/.well-known/acme-challenge' { - default_type "text/plain"; - root /srv/http/letsencrypt; - } - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/ansible/roles/podman/templates/nginx/sites/bdebyl.net.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/bdebyl.net.https.conf.j2 deleted file mode 100644 index afc2c3b..0000000 --- a/ansible/roles/podman/templates/nginx/sites/bdebyl.net.https.conf.j2 +++ /dev/null @@ -1,25 +0,0 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name {{ base_server_name }}; - - ssl_certificate /etc/letsencrypt/live/{{ base_server_name }}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/{{ base_server_name }}/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/{{ base_server_name }}/fullchain.pem; - ssl_dhparam /etc/nginx/ssl/dhparam.pem; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_session_cache shared:SSL:10m; - ssl_session_tickets off; - ssl_session_timeout 1d; - ssl_stapling on; - ssl_stapling_verify on; - - resolver 9.9.9.9 valid=60s ipv6=off; - - location / { - return 301 https://debyl.io; - } -} diff --git a/ansible/roles/podman/templates/nginx/sites/ci.bdebyl.net.http.conf.j2 b/ansible/roles/podman/templates/nginx/sites/ci.bdebyl.net.http.conf.j2 deleted file mode 100644 index 7fc9ca5..0000000 --- a/ansible/roles/podman/templates/nginx/sites/ci.bdebyl.net.http.conf.j2 +++ /dev/null @@ -1,13 +0,0 @@ -server { - listen 80; - server_name {{ ci_server_name }}; - - location '/.well-known/acme-challenge' { - default_type "text/plain"; - root /srv/http/letsencrypt; - } - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/ansible/roles/podman/templates/nginx/sites/ci.bdebyl.net.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/ci.bdebyl.net.https.conf.j2 deleted file mode 100644 index 6dd30d5..0000000 --- a/ansible/roles/podman/templates/nginx/sites/ci.bdebyl.net.https.conf.j2 +++ /dev/null @@ -1,59 +0,0 @@ -upstream drone { - server 127.0.0.1:8080; -} - -geo $local_access { - default 0; - 192.168.1.1 1; -} - -server { - modsecurity on; - modsecurity_rules_file /etc/nginx/modsec_includes.conf; - - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name {{ ci_server_name }}; - - ssl_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/{{ ci_server_name }}/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem; - ssl_dhparam /etc/nginx/ssl/dhparam.pem; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_session_cache shared:SSL:10m; - ssl_session_tickets off; - ssl_session_timeout 1d; - ssl_stapling on; - ssl_stapling_verify on; - - resolver 9.9.9.9 valid=60s ipv6=off; - - location / { - if ($local_access = 1) { - access_log off; - } - add_header Allow "GET, POST, HEAD" always; - add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; img-src 'self' https://*.githubusercontent.com https://*.github.com; frame-ancestors 'self'; base-uri 'none',base-uri 'self'; form-action 'self'" always; - add_header Referrer-Policy "same-origin" always; - add_header Strict-Transport-Security "max-age=630720000; includeSubDomains" always; - add_header X-Content-Type-Options "nosniff" always; - - # Sent from upstream: - # add_header X-Frame-Options "SAMEORIGIN"; - # add_header X-XSS-Protection "1; mode=block"; - - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_http_version 1.1; - proxy_pass http://drone; - proxy_redirect off; - - chunked_transfer_encoding off; - } -} diff --git a/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.conf.j2 deleted file mode 100644 index b437a48..0000000 --- a/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.conf.j2 +++ /dev/null @@ -1,16 +0,0 @@ -server { - modsecurity on; - modsecurity_rules_file /etc/nginx/modsec_includes.conf; - - listen 80; - server_name {{ cloud_server_name }}; - - location '/.well-known/acme-challenge' { - default_type "text/plain"; - root /srv/http/letsencrypt; - } - - location / { - return 302 https://$host$request_uri; - } -} \ No newline at end of file diff --git a/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.https.conf.j2 deleted file mode 100644 index e226acd..0000000 --- a/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.https.conf.j2 +++ /dev/null @@ -1,44 +0,0 @@ -upstream cloud { - server 127.0.0.1:8089; -} - -server { - modsecurity on; - modsecurity_rules_file /etc/nginx/modsec_includes.conf; - - resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s; - - listen 443 ssl http2; - server_name {{ cloud_server_name }}; - client_max_body_size 500M; - - ssl_certificate /etc/letsencrypt/live/{{ cloud_server_name }}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/{{ cloud_server_name }}/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/{{ cloud_server_name }}/fullchain.pem; - ssl_dhparam /etc/nginx/ssl/dhparam.pem; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_session_cache shared:SSL:10m; - ssl_session_tickets off; - ssl_session_timeout 1d; - ssl_stapling on; - ssl_stapling_verify on; - - location / { - add_header Referrer-Policy "same-origin" always; - add_header Strict-Transport-Security "max-age=630720000; includeSubDomains" always; - add_header X-Content-Type-Options "nosniff" always; - - proxy_set_header Host $host; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Real-IP $remote_addr; - - proxy_buffering off; - proxy_http_version 1.1; - proxy_pass http://cloud; - } -} \ No newline at end of file diff --git a/ansible/roles/podman/templates/nginx/sites/cloud.skudakrennsport.com.conf.j2 b/ansible/roles/podman/templates/nginx/sites/cloud.skudakrennsport.com.conf.j2 deleted file mode 100644 index 0196336..0000000 --- a/ansible/roles/podman/templates/nginx/sites/cloud.skudakrennsport.com.conf.j2 +++ /dev/null @@ -1,16 +0,0 @@ -server { - modsecurity on; - modsecurity_rules_file /etc/nginx/modsec_includes.conf; - - listen 80; - server_name {{ cloud_skudak_server_name }}; - - location '/.well-known/acme-challenge' { - default_type "text/plain"; - root /srv/http/letsencrypt; - } - - location / { - return 302 https://$host$request_uri; - } -} \ No newline at end of file diff --git a/ansible/roles/podman/templates/nginx/sites/cloud.skudakrennsport.com.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/cloud.skudakrennsport.com.https.conf.j2 deleted file mode 100644 index 197c9fb..0000000 --- a/ansible/roles/podman/templates/nginx/sites/cloud.skudakrennsport.com.https.conf.j2 +++ /dev/null @@ -1,44 +0,0 @@ -upstream skucloud { - server 127.0.0.1:8090; -} - -server { - modsecurity on; - modsecurity_rules_file /etc/nginx/modsec_includes.conf; - - resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s; - - listen 443 ssl http2; - server_name {{ cloud_skudak_server_name }}; - client_max_body_size 500M; - - ssl_certificate /etc/letsencrypt/live/{{ cloud_skudak_server_name }}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/{{ cloud_skudak_server_name }}/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/{{ cloud_skudak_server_name }}/fullchain.pem; - ssl_dhparam /etc/nginx/ssl/dhparam.pem; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_session_cache shared:SSL:10m; - ssl_session_tickets off; - ssl_session_timeout 1d; - ssl_stapling on; - ssl_stapling_verify on; - - location / { - add_header Referrer-Policy "same-origin" always; - add_header Strict-Transport-Security "max-age=630720000; includeSubDomains" always; - add_header X-Content-Type-Options "nosniff" always; - - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Upgrade $http_upgrade; - - proxy_buffering off; - proxy_http_version 1.1; - proxy_pass http://skucloud; - } -} \ No newline at end of file diff --git a/ansible/roles/podman/templates/nginx/sites/fulfillr.debyltech.com.conf.j2 b/ansible/roles/podman/templates/nginx/sites/fulfillr.debyltech.com.conf.j2 deleted file mode 100644 index 3cf0df6..0000000 --- a/ansible/roles/podman/templates/nginx/sites/fulfillr.debyltech.com.conf.j2 +++ /dev/null @@ -1,21 +0,0 @@ -geo $whitelisted { - default 0; - 192.168.0.0/16 1; -} - -server { - modsecurity on; - modsecurity_rules_file /etc/nginx/modsec_includes.conf; - - listen 80; - server_name {{ fulfillr_server_name }}; - - location '/.well-known/acme-challenge' { - default_type "text/plain"; - root /srv/http/letsencrypt; - } - - location / { - return 302 https://$host$request_uri; - } -} diff --git a/ansible/roles/podman/templates/nginx/sites/fulfillr.debyltech.com.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/fulfillr.debyltech.com.https.conf.j2 deleted file mode 100644 index 75bf5df..0000000 --- a/ansible/roles/podman/templates/nginx/sites/fulfillr.debyltech.com.https.conf.j2 +++ /dev/null @@ -1,65 +0,0 @@ -geo $whitelisted { - default 0; - 192.168.0.0/16 1; -} - -upstream fulfillr-api { - server 127.0.0.1:9054; -} - -server { - modsecurity on; - modsecurity_rules_file /etc/nginx/modsec_includes.conf; - - resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s; - - listen 443 ssl http2; - server_name {{ fulfillr_server_name }}; - - ssl_certificate /etc/letsencrypt/live/{{ fulfillr_server_name }}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/{{ fulfillr_server_name }}/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/{{ fulfillr_server_name }}/fullchain.pem; - ssl_dhparam /etc/nginx/ssl/dhparam.pem; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_session_cache shared:SSL:10m; - ssl_session_tickets off; - ssl_session_timeout 1d; - ssl_stapling on; - ssl_stapling_verify on; - - if ($whitelisted = 0) { - return 302 $scheme://bdebyl.net$request_uri; - } - - root /usr/local/share/fulfillr-site; - index index.html; - - location /api { - add_header Access-Control-Allow-Origin * always; - add_header Referrer-Policy "same-origin" always; - # add_header Strict-Transport-Security "max-age=630720000; includeSubDomains" always; - add_header X-Content-Type-Options "nosniff" always; - - # Sent from upstream: - # add_header X-Frame-Options "SAMEORIGIN"; - # add_header X-XSS-Protection "1; mode=block"; - - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_http_version 1.1; - proxy_pass http://fulfillr-api; - proxy_redirect off; - - chunked_transfer_encoding off; - } - - location / { - try_files $uri $uri/ =404; - } -} diff --git a/ansible/roles/podman/templates/nginx/sites/home.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/home.bdebyl.net.conf.j2 deleted file mode 100644 index faefeaf..0000000 --- a/ansible/roles/podman/templates/nginx/sites/home.bdebyl.net.conf.j2 +++ /dev/null @@ -1,19 +0,0 @@ -geo $whitelisted { - default 0; - 192.168.0.0/16 1; -} - -server { - modsecurity on; - modsecurity_rules_file /etc/nginx/modsec_includes.conf; - - listen 80 default_server; - server_name {{ home_server_name }}; - if ($whitelisted = 1) { - return 302 http://pi.bdebyl.net; - } - - if ($whitelisted = 0) { - return 302 $scheme://bdebyl.net$request_uri; - } -} diff --git a/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.conf.j2 deleted file mode 100644 index 8a93c5e..0000000 --- a/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.conf.j2 +++ /dev/null @@ -1,21 +0,0 @@ -geo $whitelisted { - default 0; - 192.168.0.0/16 1; -} - -server { - modsecurity on; - modsecurity_rules_file /etc/nginx/modsec_includes.conf; - - listen 80; - server_name {{ parts_server_name }}; - - location '/.well-known/acme-challenge' { - default_type "text/plain"; - root /srv/http/letsencrypt; - } - - location / { - return 302 https://$host$request_uri; - } -} diff --git a/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.https.conf.j2 deleted file mode 100644 index 9acc75d..0000000 --- a/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.https.conf.j2 +++ /dev/null @@ -1,57 +0,0 @@ -geo $whitelisted { - default 0; - 192.168.0.0/16 1; -} - -upstream partkeepr { - server 127.0.0.1:8081; -} - -server { - modsecurity on; - modsecurity_rules_file /etc/nginx/modsec_includes.conf; - - resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s; - - listen 443 ssl http2; - server_name {{ parts_server_name }}; - - ssl_certificate /etc/letsencrypt/live/{{ parts_server_name }}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/{{ parts_server_name }}/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/{{ parts_server_name }}/fullchain.pem; - ssl_dhparam /etc/nginx/ssl/dhparam.pem; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_session_cache shared:SSL:10m; - ssl_session_tickets off; - ssl_session_timeout 1d; - ssl_stapling on; - ssl_stapling_verify on; - - if ($whitelisted = 0) { - return 302 $scheme://bdebyl.net$request_uri; - } - - location / { - add_header Referrer-Policy "same-origin" always; - # add_header Strict-Transport-Security "max-age=630720000; includeSubDomains" always; - add_header X-Content-Type-Options "nosniff" always; - - # Sent from upstream: - # add_header X-Frame-Options "SAMEORIGIN"; - # add_header X-XSS-Protection "1; mode=block"; - - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_http_version 1.1; - proxy_pass http://partkeepr; - proxy_redirect off; - - chunked_transfer_encoding off; - } -} diff --git a/ansible/roles/podman/templates/nginx/sites/photos.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/photos.bdebyl.net.conf.j2 deleted file mode 100644 index 8b05e6b..0000000 --- a/ansible/roles/podman/templates/nginx/sites/photos.bdebyl.net.conf.j2 +++ /dev/null @@ -1,16 +0,0 @@ -server { - modsecurity on; - modsecurity_rules_file /etc/nginx/modsec_includes.conf; - - listen 80; - server_name {{ photos_server_name }}; - - location '/.well-known/acme-challenge' { - default_type "text/plain"; - root /srv/http/letsencrypt; - } - - location / { - return 302 https://$host$request_uri; - } -} \ No newline at end of file diff --git a/ansible/roles/podman/templates/nginx/sites/photos.bdebyl.net.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/photos.bdebyl.net.https.conf.j2 deleted file mode 100644 index 75b263d..0000000 --- a/ansible/roles/podman/templates/nginx/sites/photos.bdebyl.net.https.conf.j2 +++ /dev/null @@ -1,44 +0,0 @@ -upstream photos { - server 127.0.0.1:8088; -} - -server { - modsecurity on; - modsecurity_rules_file /etc/nginx/modsec_includes.conf; - - resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s; - - listen 443 ssl http2; - server_name {{ photos_server_name }}; - client_max_body_size 500M; - - ssl_certificate /etc/letsencrypt/live/{{ photos_server_name }}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/{{ photos_server_name }}/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/{{ photos_server_name }}/fullchain.pem; - ssl_dhparam /etc/nginx/ssl/dhparam.pem; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_session_cache shared:SSL:10m; - ssl_session_tickets off; - ssl_session_timeout 1d; - ssl_stapling on; - ssl_stapling_verify on; - - location / { - # add_header Strict-Transport-Security "max-age=630720000; includeSubDomains" always; - add_header Referrer-Policy "same-origin" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Access-Control-Allow-Origin '*' always; - - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_buffering off; - proxy_http_version 1.1; - proxy_pass http://photos; - } -} \ No newline at end of file diff --git a/ansible/roles/podman/templates/nginx/sites/wiki.skudakrennsport.com.conf.j2 b/ansible/roles/podman/templates/nginx/sites/wiki.skudakrennsport.com.conf.j2 deleted file mode 100644 index cc0fb4e..0000000 --- a/ansible/roles/podman/templates/nginx/sites/wiki.skudakrennsport.com.conf.j2 +++ /dev/null @@ -1,13 +0,0 @@ -server { - listen 80; - server_name {{ bookstack_server_name }}; - - location '/.well-known/acme-challenge' { - default_type "text/plain"; - root /srv/http/letsencrypt; - } - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/ansible/roles/podman/templates/nginx/sites/wiki.skudakrennsport.com.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/wiki.skudakrennsport.com.https.conf.j2 deleted file mode 100644 index cb786c2..0000000 --- a/ansible/roles/podman/templates/nginx/sites/wiki.skudakrennsport.com.https.conf.j2 +++ /dev/null @@ -1,49 +0,0 @@ -upstream bookstack { - server 127.0.0.1:6875; -} - -server { - modsecurity on; - modsecurity_rules_file /etc/nginx/modsec_includes.conf; - - resolver 9.9.9.9 valid=60s; - - listen 443 ssl http2; - server_name {{ bookstack_server_name }}; - - ssl_certificate /etc/letsencrypt/live/{{ bookstack_server_name }}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/{{ bookstack_server_name }}/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/{{ bookstack_server_name }}/fullchain.pem; - ssl_dhparam /etc/nginx/ssl/dhparam.pem; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_session_cache shared:SSL:10m; - ssl_session_tickets off; - ssl_session_timeout 1d; - ssl_stapling on; - ssl_stapling_verify on; - - location / { - add_header Referrer-Policy "same-origin" always; - # add_header Strict-Transport-Security "max-age=630720000; includeSubDomains" always; - add_header X-Content-Type-Options "nosniff" always; - - # Sent from upstream: - # add_header X-Frame-Options "SAMEORIGIN"; - # add_header X-XSS-Protection "1; mode=block"; - - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_buffering off; - proxy_http_version 1.1; - proxy_pass http://bookstack; - proxy_redirect off; - - chunked_transfer_encoding off; - } -} - diff --git a/ansible/roles/ssl/defaults/main.yml b/ansible/roles/ssl/defaults/main.yml deleted file mode 100644 index 6b91523..0000000 --- a/ansible/roles/ssl/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -deps: [certbot] diff --git a/ansible/roles/ssl/meta/main.yml b/ansible/roles/ssl/meta/main.yml deleted file mode 100644 index fdda41b..0000000 --- a/ansible/roles/ssl/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - role: common diff --git a/ansible/roles/ssl/tasks/certbot.yml b/ansible/roles/ssl/tasks/certbot.yml deleted file mode 100644 index 4d44d2a..0000000 --- a/ansible/roles/ssl/tasks/certbot.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- -- name: create ssl certificate for server - become: true - ansible.builtin.command: | - certbot certonly --webroot --webroot-path=/srv/http/letsencrypt \ - -m {{ ssl_email }} --agree-tos \ - -d {{ item }} - args: - creates: "/etc/letsencrypt/live/{{ item }}" - loop: - - "{{ base_server_name }}" - - "{{ bookstack_server_name }}" - - "{{ ci_server_name }}" - - "{{ cloud_server_name }}" - - "{{ cloud_skudak_server_name }}" - - "{{ fulfillr_server_name }}" - - "{{ parts_server_name }}" - - "{{ photos_server_name }}" - tags: ssl - -- name: set group ownership for /etc/letsencrypt/ - become: true - ansible.builtin.file: - path: /etc/letsencrypt - owner: "{{ podman_user }}" - group: "{{ podman_user }}" - recurse: true - tags: ssl diff --git a/ansible/roles/ssl/tasks/cron.yml b/ansible/roles/ssl/tasks/cron.yml deleted file mode 100644 index c76bdf6..0000000 --- a/ansible/roles/ssl/tasks/cron.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -- name: renew certbot ssl certificates weekly - become: true - ansible.builtin.cron: - name: certbot_renew - special_time: weekly - job: >- - certbot renew --post-hook "chown -R {{ podman_user }}:{{ podman_user }} /etc/letsencrypt && su -s /bin/sh podman -c 'cd; podman restart nginx'" - tags: cron - -- name: monitor and fix letsencrypt permissions - become: true - ansible.builtin.cron: - name: letsencrypt_permission_monitor - minute: "*/5" - job: >- - if [ "$(stat -c '%U:%G' /etc/letsencrypt)" != "{{ podman_user }}:{{ podman_user }}" ]; then chown -R {{ podman_user }}:{{ podman_user }} /etc/letsencrypt && logger "Fixed letsencrypt permissions for podman user" && sudo -H -u {{ podman_user }} bash -c 'cd; podman restart nginx' 2>/dev/null || true; fi - tags: cron diff --git a/ansible/roles/ssl/tasks/deps.yml b/ansible/roles/ssl/tasks/deps.yml deleted file mode 100644 index d712c92..0000000 --- a/ansible/roles/ssl/tasks/deps.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: install ssl dependencies - become: true - ansible.builtin.package: - name: "{{ deps }}" - state: present - tags: deps diff --git a/ansible/roles/ssl/tasks/main.yml b/ansible/roles/ssl/tasks/main.yml deleted file mode 100644 index a27991f..0000000 --- a/ansible/roles/ssl/tasks/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- import_tasks: certbot.yml -- import_tasks: cron.yml diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml index 4563b5f..b018e53 100644 Binary files a/ansible/vars/vault.yml and b/ansible/vars/vault.yml differ