bastian/deploy_home
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

noticket - add base site, update secrets

Browse Source
This commit is contained in:
Bastian de Byl
2025-02-03 12:34:41 -05:00
parent fc73da78ac
commit fced2a0038
9 changed files with 50 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
ansible/roles/podman/defaults/main.yml
View File

@@ -22,6 +22,7 @@ drone_runner_proto: "http"
drone_runner_capacity: "8" drone_runner_capacity: "8"
# nginx and modsec configuration # nginx and modsec configuration
base_server_name: bdebyl.net
assistant_server_name: assistant.bdebyl.net assistant_server_name: assistant.bdebyl.net
bookstack_server_name: wiki.skudakrennsport.com bookstack_server_name: wiki.skudakrennsport.com
ci_server_name: ci.bdebyl.net ci_server_name: ci.bdebyl.net

2
ansible/roles/podman/tasks/containers/base/conf-nginx-http.yml
View File

@@ -61,6 +61,7 @@
group: "{{ podman_user }}" group: "{{ podman_user }}"
mode: 0644 mode: 0644
loop: loop:
- "{{ base_server_name }}.conf"
- "{{ assistant_server_name }}.conf" - "{{ assistant_server_name }}.conf"
- "{{ bookstack_server_name }}.conf" - "{{ bookstack_server_name }}.conf"
- "{{ ci_server_name }}.http.conf" - "{{ ci_server_name }}.http.conf"
@@ -85,6 +86,7 @@
group: "{{ podman_user }}" group: "{{ podman_user }}"
state: link state: link
loop: loop:
- "{{ base_server_name }}.conf"
- "{{ assistant_server_name }}.conf" - "{{ assistant_server_name }}.conf"
- "{{ bookstack_server_name }}.conf" - "{{ bookstack_server_name }}.conf"
- "{{ ci_server_name }}.http.conf" - "{{ ci_server_name }}.http.conf"

2
ansible/roles/podman/tasks/containers/base/conf-nginx-https.yml
View File

@@ -34,6 +34,7 @@
group: "{{ podman_user }}" group: "{{ podman_user }}"
mode: 0644 mode: 0644
loop: loop:
- "{{ base_server_name }}.https.conf"
- "{{ assistant_server_name }}.https.conf" - "{{ assistant_server_name }}.https.conf"
- "{{ bookstack_server_name }}.https.conf" - "{{ bookstack_server_name }}.https.conf"
- "{{ ci_server_name }}.https.conf" - "{{ ci_server_name }}.https.conf"
@@ -56,6 +57,7 @@
group: "{{ podman_user }}" group: "{{ podman_user }}"
state: link state: link
loop: loop:
- "{{ base_server_name }}.https.conf"
- "{{ assistant_server_name }}.https.conf" - "{{ assistant_server_name }}.https.conf"
- "{{ bookstack_server_name }}.https.conf" - "{{ bookstack_server_name }}.https.conf"
- "{{ ci_server_name }}.https.conf" - "{{ ci_server_name }}.https.conf"

3
ansible/roles/podman/tasks/firewall.yml
View File

@@ -21,9 +21,12 @@
# ??? # ???
- 6875/tcp - 6875/tcp
# Satisfactory # Satisfactory
- 7777/tcp
- 7777/udp - 7777/udp
- 15000/udp - 15000/udp
- 15000/tcp
- 15777/udp - 15777/udp
- 15777/tcp
# Factorio # Factorio
- 27015/tcp - 27015/tcp
- 34197/udp - 34197/udp

4
ansible/roles/podman/tasks/main.yml
View File

@@ -47,9 +47,9 @@
- import_tasks: containers/home/photos.yml - import_tasks: containers/home/photos.yml
vars: vars:
db_image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0 db_image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
ml_image: ghcr.io/immich-app/immich-machine-learning:v1.124.2 ml_image: ghcr.io/immich-app/immich-machine-learning:v1.125.7
redis_image: docker.io/redis:6.2-alpine@sha256:eaba718fecd1196d88533de7ba49bf903ad33664a92debb24660a922ecd9cac8 redis_image: docker.io/redis:6.2-alpine@sha256:eaba718fecd1196d88533de7ba49bf903ad33664a92debb24660a922ecd9cac8
image: ghcr.io/immich-app/immich-server:v1.124.2 image: ghcr.io/immich-app/immich-server:v1.125.7
tags: photos tags: photos
- import_tasks: containers/home/cloud.yml - import_tasks: containers/home/cloud.yml

13
ansible/roles/podman/templates/nginx/sites/bdebyl.net.conf.j2 Normal file
View File

@@ -0,0 +1,13 @@
server {
listen 80;
server_name {{ base_server_name }};
location '/.well-known/acme-challenge' {
default_type "text/plain";
root /srv/http/letsencrypt;
}
location / {
return 301 https://$host$request_uri;
}
}

25
ansible/roles/podman/templates/nginx/sites/bdebyl.net.https.conf.j2 Normal file
View File

@@ -0,0 +1,25 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ base_server_name }};
ssl_certificate /etc/letsencrypt/live/{{ base_server_name }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ base_server_name }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ base_server_name }}/fullchain.pem;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_session_timeout 1d;
ssl_stapling on;
ssl_stapling_verify on;
resolver 9.9.9.9 valid=60s ipv6=off;
location / {
return 301 https://debyl.io;
}
}

3
ansible/roles/ssl/tasks/certbot.yml
View File

@@ -1,5 +1,5 @@
--- ---
- name: create ssl certificate for ci server - name: create ssl certificate for server
become: true become: true
ansible.builtin.command: | ansible.builtin.command: |
certbot certonly --webroot --webroot-path=/srv/http/letsencrypt \ certbot certonly --webroot --webroot-path=/srv/http/letsencrypt \
@@ -8,6 +8,7 @@
args: args:
creates: "/etc/letsencrypt/live/{{ item }}" creates: "/etc/letsencrypt/live/{{ item }}"
loop: loop:
- "{{ base_server_name }}"
- "{{ bookstack_server_name }}" - "{{ bookstack_server_name }}"
- "{{ ci_server_name }}" - "{{ ci_server_name }}"
- "{{ cloud_server_name }}" - "{{ cloud_server_name }}"

BIN
ansible/vars/vault.yml
View File

Binary file not shown.