Merge branch 'master' of github.com:bdebyl/deploy_home
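--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 .ansible-vaultpass
 .venv/*
+.git-crypt-backup/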
@@ -17,6 +17,8 @@ This is a home infrastructure deployment repository using Ansible for automated
|
|||||||
- `make vault` - Edit encrypted Ansible vault file
|
- `make vault` - Edit encrypted Ansible vault file
|
||||||
- `make list-tags` - List all available Ansible tags
|
- `make list-tags` - List all available Ansible tags
|
||||||
- `make list-tasks` - List all Ansible tasks
|
- `make list-tasks` - List all Ansible tasks
|
||||||
|
- `make git-crypt-backup` - Backup git-crypt symmetric key (encrypted with GPG)
|
||||||
|
- `make git-crypt-restore` - Restore git-crypt symmetric key from backup
|
||||||
|
|
||||||
### Environment Setup
|
### Environment Setup
|
||||||
The project uses Python virtualenv for dependency management:
|
The project uses Python virtualenv for dependency management:
|
||||||
@@ -54,6 +56,9 @@ Containers are organized in `ansible/roles/podman/tasks/containers/`:
|
|||||||
- Ansible vault for encrypted secrets management
|
- Ansible vault for encrypted secrets management
|
||||||
- Password sourced from external password manager
|
- Password sourced from external password manager
|
||||||
- Git-crypt for repository-level encryption (see `.gitattributes`)
|
- Git-crypt for repository-level encryption (see `.gitattributes`)
|
||||||
|
- Symmetric key can be backed up locally in `.git-crypt-backup/` (encrypted with GPG)
|
||||||
|
- Use `make git-crypt-backup` to create a local encrypted backup
|
||||||
|
- Use `make git-crypt-restore` to recover from git-crypt corruption
|
||||||
- SSH key-based authentication to target hosts
|
- SSH key-based authentication to target hosts
|
||||||
- Caddy provides automatic HTTPS with LetsEncrypt certificates
|
- Caddy provides automatic HTTPS with LetsEncrypt certificates
|
||||||
- Built-in security headers and IP-based access restrictions
|
- Built-in security headers and IP-based access restrictions
|
||||||
|
|||||||
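--- a/Makefile
+++ b/Makefile
@@ -31,6 +31,7 @@ EXTRA_VARS?=
 
 ${VENV}:
 	python3 -m venv ${VENV}
+	${VENV_BIN}/python3 -m pip install --upgrade pip
 ${PIP}: ${VENV}
 
 ${ANSIBLE} ${ANSIBLE_VAULT} ${LINT_YAML}: ${VENV} requirements.txt
@@ -69,3 +70,17 @@ vault: ${ANSIBLE_VAULT} ${VAULT_FILE}
 lint: ${LINT_YAML} ${SKIP_FILE}
 	@printf "Running yamllint...\n"
 	-@${LINT_YAML} ${YAML_FILES}
+
+# Git-crypt management
+git-crypt-backup:
+	@printf "Backing up git-crypt symmetric key...\n"
+	@mkdir -p .git-crypt-backup
+	@gpg --batch --yes -e -r 70A4AA02555DBD559189B4E0F32BE05EADAA54FC -o .git-crypt-backup/symmetric-key.gpg .git/git-crypt/keys/default
+	@printf "Backup created at .git-crypt-backup/symmetric-key.gpg\n"
+
+git-crypt-restore:
+	@printf "Restoring git-crypt symmetric key from backup...\n"
+	@mkdir -p .git/git-crypt/keys
+	@gpg --batch --yes -d .git-crypt-backup/symmetric-key.gpg > .git/git-crypt/keys/default
+	@chmod 600 .git/git-crypt/keys/default
+	@printf "Key restored. Run 'git-crypt unlock' or just checkout files.\n"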
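Review bot: In `git-crypt-restore` the shell redirect `> .git/git-crypt/keys/default` creates the key file under the caller's umask before the following `chmod 600` runs, and if `gpg -d` fails (wrong passphrase, missing backup) the redirect has already truncated the file to zero bytes, so a failed restore leaves an empty and possibly world-readable key where git-crypt expects a valid one. Create it restrictively and atomically instead: `@umask 077 && gpg --batch --yes -d -o .git/git-crypt/keys/default.tmp .git-crypt-backup/symmetric-key.gpg && mv -f .git/git-crypt/keys/default.tmp .git/git-crypt/keys/default`, and give the directory the same treatment with `@mkdir -p -m 700 .git/git-crypt/keys`. The hard-coded recipient fingerprint in `git-crypt-backup` is easier to audit and override as a knob, e.g. `GPG_RECIPIENT ?= 70A4AA02555DBD559189B4E0F32BE05EADAA54FC` referenced as `-r ${GPG_RECIPIENT}`. Neither new target is declared `.PHONY` within this hunk; if the file's `.PHONY` list lives outside it, add both there so a stray file named `git-crypt-backup` or `git-crypt-restore` cannot silently skip the recipe.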
@@ -98,3 +98,13 @@
|
|||||||
include_tasks: podman/systemd-generate.yml
|
include_tasks: podman/systemd-generate.yml
|
||||||
vars:
|
vars:
|
||||||
container_name: skudak-cloud
|
container_name: skudak-cloud
|
||||||
|
|
||||||
|
- name: disable nextcloud signup link in config
|
||||||
|
become: true
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
|
path: "{{ cloud_skudak_path }}/config/config.php"
|
||||||
|
regexp: "^\\s*'simpleSignUpLink\\.shown'\\s*=>"
|
||||||
|
line: " 'simpleSignUpLink.shown' => false,"
|
||||||
|
insertbefore: '^\);'
|
||||||
|
create: false
|
||||||
|
failed_when: false
|
||||||
|
|||||||
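Review bot: `failed_when: false` on the new `disable nextcloud signup link in config` task hides every failure mode, including the missing-file error that `create: false` would otherwise raise, a permission error under `become`, or a regexp that never matches, so the play reports success while the signup link stays enabled. If the intent is only to tolerate a Nextcloud instance that has not been initialised yet, register a `stat` of `{{ cloud_skudak_path }}/config/config.php` and gate the task with `when: cloud_config.stat.exists`, letting genuine errors fail the run. Note also that when neither `regexp` nor `insertbefore: '^\);'` matches, `lineinfile` appends the line at end of file, i.e. after the closing `);` of the PHP array, which would leave `config.php` syntactically broken. Setting the option through `occ config:system:set simpleSignUpLink.shown --type boolean --value false` inside the container (named `skudak-cloud` in the context lines above) would avoid hand-editing the file, though whether `occ` is reachable from this play is not visible here.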
@@ -62,13 +62,13 @@
|
|||||||
- import_tasks: containers/home/cloud.yml
|
- import_tasks: containers/home/cloud.yml
|
||||||
vars:
|
vars:
|
||||||
db_image: docker.io/library/mariadb:10.6
|
db_image: docker.io/library/mariadb:10.6
|
||||||
image: docker.io/library/nextcloud:31.0.6-apache
|
image: docker.io/library/nextcloud:32.0.1-apache
|
||||||
tags: cloud
|
tags: cloud
|
||||||
|
|
||||||
- import_tasks: containers/skudak/cloud.yml
|
- import_tasks: containers/skudak/cloud.yml
|
||||||
vars:
|
vars:
|
||||||
db_image: docker.io/library/mariadb:10.6
|
db_image: docker.io/library/mariadb:10.6
|
||||||
image: docker.io/library/nextcloud:31.0.6-apache
|
image: docker.io/library/nextcloud:32.0.1-apache
|
||||||
tags: skudak, skudak-cloud
|
tags: skudak, skudak-cloud
|
||||||
|
|
||||||
- import_tasks: containers/debyltech/fulfillr.yml
|
- import_tasks: containers/debyltech/fulfillr.yml
|
||||||
|
|||||||
@@ -1,2 +1,2 @@
|
|||||||
ansible==11.0.0
|
ansible==12.2.0
|
||||||
yamllint==1.37.1
|
yamllint==1.37.1
|
||||||
|
|||||||