diff --git a/ansible/roles/podman/defaults/main.yml b/ansible/roles/podman/defaults/main.yml
index 523b06a..b7b8ef4 100644
--- a/ansible/roles/podman/defaults/main.yml
+++ b/ansible/roles/podman/defaults/main.yml
@@ -22,6 +22,7 @@ drone_runner_proto: "http"
 drone_runner_capacity: "8"
 
 # nginx and modsec configuration
+base_server_name: bdebyl.net
 assistant_server_name: assistant.bdebyl.net
 bookstack_server_name: wiki.skudakrennsport.com
 ci_server_name: ci.bdebyl.net
diff --git a/ansible/roles/podman/tasks/containers/base/conf-nginx-http.yml b/ansible/roles/podman/tasks/containers/base/conf-nginx-http.yml
index 1e3a05d..8ea51aa 100644
--- a/ansible/roles/podman/tasks/containers/base/conf-nginx-http.yml
+++ b/ansible/roles/podman/tasks/containers/base/conf-nginx-http.yml
@@ -61,6 +61,7 @@
 group: "{{ podman_user }}"
 mode: 0644
 loop:
+ - "{{ base_server_name }}.conf"
 - "{{ assistant_server_name }}.conf"
 - "{{ bookstack_server_name }}.conf"
 - "{{ ci_server_name }}.http.conf"
@@ -85,6 +86,7 @@
 group: "{{ podman_user }}"
 state: link
 loop:
+ - "{{ base_server_name }}.conf"
 - "{{ assistant_server_name }}.conf"
 - "{{ bookstack_server_name }}.conf"
 - "{{ ci_server_name }}.http.conf"
diff --git a/ansible/roles/podman/tasks/containers/base/conf-nginx-https.yml b/ansible/roles/podman/tasks/containers/base/conf-nginx-https.yml
index b950390..acdc86c 100644
--- a/ansible/roles/podman/tasks/containers/base/conf-nginx-https.yml
+++ b/ansible/roles/podman/tasks/containers/base/conf-nginx-https.yml
@@ -34,6 +34,7 @@
 group: "{{ podman_user }}"
 mode: 0644
 loop:
+ - "{{ base_server_name }}.https.conf"
 - "{{ assistant_server_name }}.https.conf"
 - "{{ bookstack_server_name }}.https.conf"
 - "{{ ci_server_name }}.https.conf"
@@ -56,6 +57,7 @@
 group: "{{ podman_user }}"
 state: link
 loop:
+ - "{{ base_server_name }}.https.conf"
 - "{{ assistant_server_name }}.https.conf"
 - "{{ bookstack_server_name }}.https.conf"
 - "{{ ci_server_name }}.https.conf"
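Review bot: The set of site names is now maintained by hand in five separate loops — both loops in this file (`@@ -61` and `@@ -85`), both in conf-nginx-https.yml (`@@ -34` and `@@ -56`) and the certbot loop (`@@ -8`) — and nothing ties them together. A name added to the nginx loops but forgotten in the certbot loop would template an HTTPS vhost whose `ssl_certificate` path under `/etc/letsencrypt/live/` does not exist yet, and nginx would then most likely refuse to load the whole config rather than just that site. A single list in defaults, e.g. `nginx_sites: ["{{ base_server_name }}", "{{ assistant_server_name }}", ...]`, that each of these tasks loops over would keep the copies in step; the `.conf` versus `.http.conf` suffix difference for the ci site would need to be carried in that list. The tasks that own these loops start outside the hunks.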
diff --git a/ansible/roles/podman/tasks/firewall.yml b/ansible/roles/podman/tasks/firewall.yml
index 11231f6..425b38c 100644
--- a/ansible/roles/podman/tasks/firewall.yml
+++ b/ansible/roles/podman/tasks/firewall.yml
@@ -21,9 +21,12 @@
 # ???
 - 6875/tcp
 # Satisfactory
+ - 7777/tcp
 - 7777/udp
 - 15000/udp
+ - 15000/tcp
 - 15777/udp
+ - 15777/tcp
 # Factorio
 - 27015/tcp
 - 34197/udp
diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml
index b9bfa42..98098f6 100644
--- a/ansible/roles/podman/tasks/main.yml
+++ b/ansible/roles/podman/tasks/main.yml
@@ -47,9 +47,9 @@
 - import_tasks: containers/home/photos.yml
 vars:
 db_image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
- ml_image: ghcr.io/immich-app/immich-machine-learning:v1.124.2
+ ml_image: ghcr.io/immich-app/immich-machine-learning:v1.125.7
 redis_image: docker.io/redis:6.2-alpine@sha256:eaba718fecd1196d88533de7ba49bf903ad33664a92debb24660a922ecd9cac8
- image: ghcr.io/immich-app/immich-server:v1.124.2
+ image: ghcr.io/immich-app/immich-server:v1.125.7
 tags: photos
 
 - import_tasks: containers/home/cloud.yml
diff --git a/ansible/roles/podman/templates/nginx/sites/bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/bdebyl.net.conf.j2
new file mode 100644
index 0000000..1cf36f6
--- /dev/null
+++ b/ansible/roles/podman/templates/nginx/sites/bdebyl.net.conf.j2
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ server_name {{ base_server_name }};
+
+ location '/.well-known/acme-challenge' {
+ default_type "text/plain";
+ root /srv/http/letsencrypt;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/ansible/roles/podman/templates/nginx/sites/bdebyl.net.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/bdebyl.net.https.conf.j2
new file mode 100644
index 0000000..afc2c3b
--- /dev/null
+++ b/ansible/roles/podman/templates/nginx/sites/bdebyl.net.https.conf.j2
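Review bot: The three added TCP entries (7777, 15000, 15777) carry no explanation of why TCP is now needed where the matching entries were UDP-only, so a later reader cannot tell whether the UDP lines became redundant or both are required. Every opened port is additional exposure on a host that also fronts public web services, so the reason belongs next to the ports; if it is a game-server update, change `# Satisfactory` to something like `# Satisfactory (TCP and UDP both required since <version — fill in>)`. If the firewall task that owns this list (firewalld-style `port/proto` entries, judging by the format) supports a zone or source restriction, scoping these rules rather than opening them in the default zone would limit that exposure. The task itself starts outside the hunk.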
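Review bot: The redirect in `location /` builds its target from `$host`, which nginx takes from the client's Host header; with `server_name {{ base_server_name }}` the block only matches that name today, but if it ever becomes the default server for port 80 the redirect follows whatever host a client supplies. Using the template variable, `return 301 https://{{ base_server_name }}$request_uri;`, pins the destination regardless of how the block is selected. The block also listens on IPv4 only (`listen 80;`) while the new HTTPS template for the same name (`@@ -0,0 +1,25 @@`) adds `listen [::]:443`, so IPv6 clients on port 80 would land in whichever other block is the default for `[::]:80`; add `listen [::]:80;` if the host has a global IPv6 address.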
@@ -0,0 +1,25 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {{ base_server_name }};
+
+ ssl_certificate /etc/letsencrypt/live/{{ base_server_name }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ base_server_name }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ base_server_name }}/fullchain.pem;
+ ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ ssl_session_timeout 1d;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ resolver 9.9.9.9 valid=60s ipv6=off;
+
+ location / {
+ return 301 https://debyl.io;
+ }
+}
diff --git a/ansible/roles/ssl/tasks/certbot.yml b/ansible/roles/ssl/tasks/certbot.yml
index 608d1ef..4d44d2a 100644
--- a/ansible/roles/ssl/tasks/certbot.yml
+++ b/ansible/roles/ssl/tasks/certbot.yml
@@ -1,5 +1,5 @@
 ---
-- name: create ssl certificate for ci server
+- name: create ssl certificate for server
 become: true
 ansible.builtin.command: |
 certbot certonly --webroot --webroot-path=/srv/http/letsencrypt \
@@ -8,6 +8,7 @@
 args:
 creates: "/etc/letsencrypt/live/{{ item }}"
 loop:
+ - "{{ base_server_name }}"
 - "{{ bookstack_server_name }}"
 - "{{ ci_server_name }}"
 - "{{ cloud_server_name }}"
diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml
index 08406fe..961f155 100644
Binary files a/ansible/vars/vault.yml and b/ansible/vars/vault.yml differ
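Review bot: The new HTTPS block sends no `Strict-Transport-Security` header, so a browser that first reaches `{{ base_server_name }}` over plain HTTP keeps trying HTTP on later visits until the 301 in the HTTP template lands each time; add `add_header Strict-Transport-Security "max-age=31536000" always;` next to the `ssl_*` directives, and only add `includeSubDomains` once every `*.bdebyl.net` vhost is confirmed HTTPS-only. `ssl_trusted_certificate` points at `fullchain.pem`; for `ssl_stapling_verify` certbot's `chain.pem` (the issuer chain without the leaf) is the usual input, though fullchain does work. The `return 301 https://debyl.io;` drops `$request_uri`, which is fine if every path is meant to collapse onto one landing page but otherwise should read `return 301 https://debyl.io$request_uri;`. The TLS parameters are presumably repeated in the sibling `*.https.conf.j2` templates as well; an `include` snippet would keep the cipher and protocol policy in one place.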