noticket - add base site, update secrets

ansible/roles/podman/defaults/main.yml

@@ -22,6 +22,7 @@ drone_runner_proto: "http"
 drone_runner_capacity: "8"
 
 # nginx and modsec configuration
+base_server_name: bdebyl.net
 assistant_server_name: assistant.bdebyl.net
 bookstack_server_name: wiki.skudakrennsport.com
 ci_server_name: ci.bdebyl.net

ansible/roles/podman/tasks/containers/base/conf-nginx-http.yml

@@ -61,6 +61,7 @@
     group: "{{ podman_user }}"
     mode: 0644
   loop:
+    - "{{ base_server_name }}.conf"
     - "{{ assistant_server_name }}.conf"
     - "{{ bookstack_server_name }}.conf"
     - "{{ ci_server_name }}.http.conf"
@@ -85,6 +86,7 @@
     group: "{{ podman_user }}"
     state: link
   loop:
+    - "{{ base_server_name }}.conf"
     - "{{ assistant_server_name }}.conf"
     - "{{ bookstack_server_name }}.conf"
     - "{{ ci_server_name }}.http.conf"

ansible/roles/podman/tasks/containers/base/conf-nginx-https.yml

@@ -34,6 +34,7 @@
     group: "{{ podman_user }}"
     mode: 0644
   loop:
+    - "{{ base_server_name }}.https.conf"
     - "{{ assistant_server_name }}.https.conf"
     - "{{ bookstack_server_name }}.https.conf"
     - "{{ ci_server_name }}.https.conf"
@@ -56,6 +57,7 @@
     group: "{{ podman_user }}"
     state: link
   loop:
+    - "{{ base_server_name }}.https.conf"
     - "{{ assistant_server_name }}.https.conf"
     - "{{ bookstack_server_name }}.https.conf"
     - "{{ ci_server_name }}.https.conf"

ansible/roles/podman/tasks/firewall.yml

@@ -21,9 +21,12 @@
     # ???
     - 6875/tcp
     # Satisfactory
+    - 7777/tcp
     - 7777/udp
     - 15000/udp
+    - 15000/tcp
     - 15777/udp
+    - 15777/tcp
     # Factorio
     - 27015/tcp
     - 34197/udp

ansible/roles/podman/tasks/main.yml

@@ -47,9 +47,9 @@
 - import_tasks: containers/home/photos.yml
   vars:
     db_image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
-    ml_image: ghcr.io/immich-app/immich-machine-learning:v1.124.2
+    ml_image: ghcr.io/immich-app/immich-machine-learning:v1.125.7
     redis_image: docker.io/redis:6.2-alpine@sha256:eaba718fecd1196d88533de7ba49bf903ad33664a92debb24660a922ecd9cac8
-    image: ghcr.io/immich-app/immich-server:v1.124.2
+    image: ghcr.io/immich-app/immich-server:v1.125.7
   tags: photos
 
 - import_tasks: containers/home/cloud.yml

ansible/roles/podman/templates/nginx/sites/bdebyl.net.conf.j2

@@ -0,0 +1,13 @@
+server {
+  listen 80;
+  server_name {{ base_server_name }};
+ 
+  location '/.well-known/acme-challenge' {
+    default_type "text/plain";
+    root /srv/http/letsencrypt;
+  }
+ 
+  location / {
+    return 301 https://$host$request_uri;
+  }
+}

ansible/roles/podman/templates/nginx/sites/bdebyl.net.https.conf.j2

@@ -0,0 +1,25 @@
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name {{ base_server_name }};
+
+  ssl_certificate         /etc/letsencrypt/live/{{ base_server_name }}/fullchain.pem;
+  ssl_certificate_key     /etc/letsencrypt/live/{{ base_server_name }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ base_server_name }}/fullchain.pem;
+  ssl_dhparam             /etc/nginx/ssl/dhparam.pem;
+
+  ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+  ssl_prefer_server_ciphers off;
+  ssl_protocols             TLSv1.2 TLSv1.3;
+  ssl_session_cache         shared:SSL:10m;
+  ssl_session_tickets       off;
+  ssl_session_timeout       1d;
+  ssl_stapling              on;
+  ssl_stapling_verify       on;
+
+  resolver 9.9.9.9 valid=60s ipv6=off;
+
+  location / {
+    return 301 https://debyl.io;
+  }
+}

ansible/roles/ssl/tasks/certbot.yml

@@ -1,5 +1,5 @@
 ---
-- name: create ssl certificate for ci server
+- name: create ssl certificate for server
   become: true
   ansible.builtin.command: |
     certbot certonly --webroot --webroot-path=/srv/http/letsencrypt \
@@ -8,6 +8,7 @@
   args:
     creates: "/etc/letsencrypt/live/{{ item }}"
   loop:
+    - "{{ base_server_name }}"
     - "{{ bookstack_server_name }}"
     - "{{ ci_server_name }}"
     - "{{ cloud_server_name }}"