testing

- Added Makefile
- Added UFW firewall

dev/vars/webserver.yml

@@ -25,10 +25,15 @@ webserver:
   ### Traefik ###
   ###############
   #TRAEFIK_VERSION: latest
+  #TRAEFIK_ROOT_DOMAIN: local.freeitathens.org
   #TRAEFIK_DOMAIN: traefik.local.freeitathens.org
   #TRAEFIK_DASHBOARD: true
   #TRAEFIK_EXPOSED_DEFAULT: false
+  #TRAEFIK_WEB_ENABLED: true
   TRAEFIK_DEBUG: true
+  TRAEFIK_ACME_PROVIDER: dreamhost
+  TRAEFIK_ACME_CASERVER: https://acme-v02.api.letsencrypt.org/directory
+  TRAEFIK_ACME_EMAIL: frita@example.org
 
   #################
   ### WordPress ###

dev/webserver.yml

@@ -4,5 +4,6 @@
   vars_files:
     - vars/webserver.yml
   roles:
+    - common
     - docker
     - webserver

forward-ssh.sh

@@ -1,12 +1,12 @@
 #!/bin/bash
 
 # Finds the SSH private key under ./.vagrant and connects to
-# the Vagrant box port forwarding localhost ports: 8443, 80, 443
+# the Vagrant box, port forwarding localhost ports: 8443, 80, 443
 PRIVATE_KEY="$(find .vagrant -name "private_key")"
 HOST_IP="$(vagrant ssh -c "hostname -I | cut -d' ' -f2" 2>/dev/null)"
+MATCH_PATTERN="ssh -fNT -i ${PRIVATE_KEY}.*vagrant@"
 
-if [ "$(pgrep -afc "$PRIVATE_KEY")" -eq 0 ]; then
+function ssh_connect {
-  set -x
   sudo ssh -fNT -i "$PRIVATE_KEY" \
     -L 8443:localhost:8443 \
     -L 80:localhost:80 \
@@ -14,10 +14,13 @@ if [ "$(pgrep -afc "$PRIVATE_KEY")" -eq 0 ]; then
     -o UserKnownHostsFile=/dev/null \
     -o StrictHostKeyChecking=no \
       vagrant@"${HOST_IP::-1}" 2>/dev/null
-  set +x
+}
+
+set -x
+if [ "$(pgrep -afc "$MATCH_PATTERN")" -eq 0 ]; then
+  ssh_connect
 else
-  echo "ERROR: SSH process already running"
+  pgrep -f "$MATCH_PATTERN" | xargs sudo kill -9
-  pgrep -af "$PRIVATE_KEY"
+  ssh_connect
-  echo -e "\nKill process:\n\tsudo kill -9 \"\$(pgrep -f \"$PRIVATE_KEY\")\""
-  exit 1
 fi
+set +x

roles/common/tasks/main.yml

@@ -0,0 +1,30 @@
+- name: Create Ansible's temporary remote directory
+  ansible.builtin.file:
+    path: "~/.ansible/tmp"
+    state: directory
+    mode: 0700
+
+- name: Install the Uncomplicated Firewall
+  ansible.builtin.apt:
+    name: ufw
+    state: present
+    update_cache: true
+
+- name: Deny incoming traffic by default
+  community.general.ufw:
+    default: deny
+    direction: incoming
+
+- name: Allow outgoing traffic by default
+  community.general.ufw:
+    default: allow
+    direction: outgoing
+
+- name: Allow OpenSSH with rate limiting
+  community.general.ufw:
+    name: ssh
+    rule: limit
+
+- name: Enable firewall
+  community.general.ufw:
+    state: enabled

roles/docker/tasks/main.yml

@@ -2,7 +2,6 @@
   ansible.builtin.apt:
     name: ['docker.io', 'docker-compose']
     state: present
-    update_cache: true
 
 - name: Create docker-compose root
   ansible.builtin.file:

roles/webserver/defaults/main.yml

@@ -1 +1,4 @@
 webserver_root: "{{ docker_compose_root }}/webserver"
+mariadb_trust:
+  - "172.16.0.0/12"
+  - "192.168.0.0/16"

roles/webserver/files/docker-compose.yml

@@ -17,11 +17,16 @@ services:
       - --providers.docker=true
       - --providers.docker.exposedbydefault=${TRAEFIK_EXPOSED_DEFAULT:-false}
       - --entrypoints.web.address=:80
+      - --entrypoints.websecure.address=:443
+      - --entrypoints.local.address=:8443
       - --entrypoints.web.http.redirections.entrypoint.to=websecure
       - --entrypoints.web.http.redirections.entrypoint.scheme=https
       - --entrypoints.web.http.redirections.entrypoint.permanent=true
-      - --entrypoints.websecure.address=:443
+      - --certificatesresolvers.letsencrypt.acme.email=${TRAEFIK_ACME_EMAIL}
-      - --entrypoints.local.address=:8443
+      - --certificatesresolvers.letsencrypt.acme.storage=acme.json
+      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=${TRAEFIK_ACME_PROVIDER}
+      - --certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=0
+      - --certificatesresolvers.letsencrypt.acme.caserver=${TRAEFIK_ACME_CASERVER:-https://acme-staging-v02.api.letsencrypt.org/directory}
     ports:
       - 80:80
       - 443:443
@@ -33,7 +38,9 @@ services:
       traefik.http.routers.api.entrypoints: local
       traefik.http.routers.api.service: api@internal
       traefik.http.routers.api.tls: true
-      traefik.enable: true
+      traefik.http.routers.api.tls.domains[0].main: ${TRAEFIK_ROOT_DOMAIN:-local.freeitathens.org}
+      traefik.http.routers.api.tls.domains[0].sans: "*.${TRAEFIK_ROOT_DOMAIN:-local.freeitathens.org}"
+      traefik.enable: ${TRAEFIK_WEB_ENABLED:-true}
     networks:
       - traefik
 
@@ -48,10 +55,13 @@ services:
     labels:
       traefik.http.routers.wordpress.rule: Host(`${WORDPRESS_DOMAIN:-www.local.freeitathens.org}`)
       traefik.http.routers.wordpress.entrypoints: websecure
-      traefik.http.routers.wordpress.tls.certresolver: letsencrypt
+      traefik.http.routers.wordpress.tls: true
+      traefik.http.services.wordpress.loadbalancer.server.port: 80
       traefik.docker.network: traefik
-      traefik.enable: true
+      traefik.enable: ${WORDPRESS_WEB_ENABLED:-true}
     volumes:
       - wordpress:/var/www/html
+    networks:
+      - traefik
     extra_hosts:
       - host.docker.internal:host-gateway

roles/webserver/handlers/main.yml

@@ -3,3 +3,9 @@
   args:
     chdir: "{{ webserver_root }}"
   listen: composeup_webserver
+
+- name: Restart MariaDB
+  ansible.builtin.service:
+    name: mariadb
+    state: restarted
+  listen: restart_mariadb

roles/webserver/tasks/main.yml

@@ -3,6 +3,13 @@
     name: mariadb-server
     state: present
 
+- name: Change the bind-address to allow Docker
+  ansible.builtin.lineinfile:
+    path: /etc/mysql/mariadb.conf.d/50-server.cnf
+    regex: "^bind-address"
+    line: "bind-address            = 0.0.0.0"
+  notify: restart_mariadb
+
 - name: Install MySQL Support for Python 3
   ansible.builtin.apt:
     name: python3-pymysql
@@ -20,8 +27,9 @@
   community.mysql.mysql_user:
     name: "{{ item.name }}"
     password: "{{ item.pass }}"
-    priv: "{{ item.name }}.*:ALL,GRANT"
+    host: '%'
     state: present
+    priv: "{{ item.name }}.*:ALL"
     login_unix_socket: /var/run/mysqld/mysqld.sock
   loop: "{{ databases }}"
   no_log: "{{ item.pass is defined }}"
@@ -45,3 +53,20 @@
     dest: "{{ webserver_root }}/.env"
     mode: 0600
   notify: composeup_webserver
+
+- name: Allow MariaDB database connections
+  community.general.ufw:
+    rule: allow
+    port: 3306
+    proto: tcp
+    src: "{{ item }}"
+  loop: "{{ mariadb_trust }}"
+
+- name: Add HTTP and HTTPS firewall rule
+  community.general.ufw:
+    rule: allow
+    port: "{{ item }}"
+    proto: tcp
+  loop:
+    - "80"
+    - "443"

webserver.yml

@@ -2,5 +2,6 @@
   hosts: all
   become: true
   roles:
+    - common
     - docker
     - webserver