testing
This commit is contained in:
parent
dfd93dd5f8
commit
59b598bb69
@ -32,12 +32,14 @@
|
||||
ansible.builtin.template:
|
||||
src: fail2ban-ssh.conf.j2
|
||||
dest: /etc/fail2ban/jail.d/sshd.conf
|
||||
mode: 0640
|
||||
notify: restart_fail2ban
|
||||
|
||||
- name: Install Fail2ban IP allow list
|
||||
ansible.builtin.template:
|
||||
src: fail2ban-allowlist.conf.j2
|
||||
dest: /etc/fail2ban/jail.d/allowlist.conf
|
||||
mode: 0640
|
||||
when: fail2ban_ignoreip is defined
|
||||
notify: restart_fail2ban
|
||||
|
||||
|
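Review bot: The two `mode: 0640` lines added to the fail2ban template tasks are unquoted leading-zero integers; Ansible's file modules do accept that form, but it relies on YAML 1.1 octal parsing and is what yamllint/ansible-lint warn about, so the safer spelling is `mode: "0640"`. The same applies to every `mode:` added in this commit (mail, network, system, wireguard, docker, jellyfin, nginx, traefik), and the cloudflare.ini hunk goes the other way by replacing an already-quoted `'0600'` with an unquoted `0400`. Quoting all of them once here keeps the repository linter-clean and removes the dependency on the parser's implicit typing.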
@ -11,9 +11,10 @@
|
||||
ansible.builtin.template:
|
||||
src: msmtprc.j2
|
||||
dest: /root/.msmtprc
|
||||
mode: 0700
|
||||
mode: 0600
|
||||
|
||||
- name: Install /etc/aliases
|
||||
ansible.builtin.copy:
|
||||
dest: /etc/aliases
|
||||
content: "root: {{ mail.rootalias }}"
|
||||
mode: 0644
|
||||
|
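Review bot: Tightening `/root/.msmtprc` to `mode: 0600` is the right permission for msmtp, which refuses a config file that is group- or world-readable, but the template task still emits the rendered file in `--diff`/`-v` output, so the SMTP password in msmtprc.j2 (assuming it holds one) ends up in the Ansible log; add `diff: false` to the task so the content is not echoed while errors remain visible. The same caveat applies to the wireguard.j2 (private key) and cloudflare.ini.j2 (API token) template tasks later in this commit. The mail task list continues outside this hunk.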
@ -1,24 +1,31 @@
|
||||
- ansible.builtin.import_tasks: ansible.yml
|
||||
- name: Import Ansible tasks
|
||||
ansible.builtin.import_tasks: ansible.yml
|
||||
tags: ansible
|
||||
|
||||
- ansible.builtin.import_tasks: system.yml
|
||||
- name: Import System tasks
|
||||
ansible.builtin.import_tasks: system.yml
|
||||
tags: system
|
||||
|
||||
- ansible.builtin.import_tasks: firewall.yml
|
||||
- name: Import Firewall tasks
|
||||
ansible.builtin.import_tasks: firewall.yml
|
||||
tags: firewall
|
||||
|
||||
- ansible.builtin.import_tasks: network.yml
|
||||
- name: Import Network tasks
|
||||
ansible.builtin.import_tasks: network.yml
|
||||
tags: network
|
||||
when: manage_network
|
||||
|
||||
- ansible.builtin.import_tasks: mail.yml
|
||||
- name: Import Mail tasks
|
||||
ansible.builtin.import_tasks: mail.yml
|
||||
tags: mail
|
||||
when: mail is defined
|
||||
|
||||
- ansible.builtin.import_tasks: ddclient.yml
|
||||
- name: Import ddclient tasks
|
||||
ansible.builtin.import_tasks: ddclient.yml
|
||||
tags: ddclient
|
||||
when: ddclient is defined
|
||||
|
||||
- ansible.builtin.import_tasks: wireguard.yml
|
||||
- name: Import WireGuard tasks
|
||||
ansible.builtin.import_tasks: wireguard.yml
|
||||
tags: wireguard
|
||||
when: wireguard is defined
|
||||
|
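Review bot: `when: manage_network` on the network import is the only conditional in this list that reads a bare variable; if `manage_network` is not set anywhere the play aborts with an undefined-variable error, whereas the neighbouring imports use `is defined`. Either match that style or give it a safe default, `when: manage_network | default(false)`, so the role is opt-in rather than a hard requirement. The names and tags added here are otherwise a clear improvement.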
@ -10,5 +10,6 @@
|
||||
ansible.builtin.template:
|
||||
src: "interface.j2"
|
||||
dest: "/etc/network/interfaces.d/{{ item.name }}"
|
||||
mode: 0400
|
||||
loop: "{{ interfaces }}"
|
||||
notify: reboot_host
|
||||
|
@ -8,6 +8,7 @@
|
||||
ansible.builtin.template:
|
||||
src: authorized_keys.j2
|
||||
dest: /root/.ssh/authorized_keys
|
||||
mode: 0400
|
||||
when: authorized_keys is defined
|
||||
|
||||
- name: Manage filesystem mounts
|
||||
|
@ -5,7 +5,9 @@
|
||||
update_cache: true
|
||||
|
||||
- name: Generate WireGuard keys
|
||||
ansible.builtin.shell: wg genkey | tee privatekey | wg pubkey > publickey
|
||||
ansible.builtin.shell: |
|
||||
set -o pipefail
|
||||
wg genkey | tee privatekey | wg pubkey > publickey
|
||||
args:
|
||||
chdir: /etc/wireguard/
|
||||
creates: /etc/wireguard/privatekey
|
||||
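Review bot: The key-generation pipeline creates `privatekey` with the default umask, so the WireGuard private key is written world-readable (typically 0644) and stays that way unless a later task fixes it; prepend `umask 077` as the first line of the script so the file is created owner-only. `set -o pipefail` is also not POSIX and fails under Ansible's default `/bin/sh` on Debian-family hosts (dash), so add `executable: /bin/bash` under `args:` alongside `chdir` and `creates`. The rest of the task may continue past the hunk.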
@ -19,8 +21,8 @@
|
||||
ansible.builtin.template:
|
||||
src: wireguard.j2
|
||||
dest: /etc/wireguard/wg0.conf
|
||||
notify:
|
||||
- restart_wireguard
|
||||
mode: 0400
|
||||
notify: restart_wireguard
|
||||
|
||||
- name: Start WireGuard interface
|
||||
ansible.builtin.service:
|
||||
|
4
roles/docker/handlers/main.yml
Normal file
4
roles/docker/handlers/main.yml
Normal file
@ -0,0 +1,4 @@
|
||||
- name: Reload systemd manager configuration
|
||||
ansible.builtin.systemd:
|
||||
daemon_reload: true
|
||||
listen: compose_systemd
|
@ -8,17 +8,14 @@
|
||||
ansible.builtin.file:
|
||||
path: "{{ docker_compose_root }}"
|
||||
state: directory
|
||||
mode: 0500
|
||||
|
||||
- name: Install docker-compose systemd service
|
||||
ansible.builtin.template:
|
||||
src: docker-compose.service.j2
|
||||
dest: "/etc/systemd/system/{{ docker_compose_service }}@.service"
|
||||
register: compose_systemd
|
||||
|
||||
- name: Reload systemd manager configuration
|
||||
ansible.builtin.systemd:
|
||||
daemon_reload: true
|
||||
when: compose_systemd.changed
|
||||
mode: 0400
|
||||
notify: compose_systemd
|
||||
|
||||
- name: Add users to docker group
|
||||
ansible.builtin.user:
|
||||
|
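Review bot: Moving the `daemon_reload` from an inline task to `notify: compose_systemd` defers it to the end of the play, whereas before it ran immediately when the unit file changed; if the jellyfin or traefik roles in the same play start `{{ docker_compose_service }}@...` after this task, systemd may still be using the previous unit definition (or not yet know a brand-new one). If that ordering is possible, add `- ansible.builtin.meta: flush_handlers` right after the template task, or keep the explicit reload. This task file continues outside the hunk.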
@ -2,18 +2,19 @@
|
||||
ansible.builtin.file:
|
||||
path: "{{ jellyfin_root }}"
|
||||
state: directory
|
||||
mode: 0500
|
||||
|
||||
- name: Create jellyfin user
|
||||
ansible.builtin.user:
|
||||
name: jellyfin
|
||||
state: present
|
||||
|
||||
- name: jellyfin user uid
|
||||
- name: Get user jellyfin uid
|
||||
ansible.builtin.getent:
|
||||
database: passwd
|
||||
key: jellyfin
|
||||
|
||||
- name: jellyfin user gid
|
||||
- name: Get user jellyfin gid
|
||||
ansible.builtin.getent:
|
||||
database: group
|
||||
key: jellyfin
|
||||
@ -22,12 +23,14 @@
|
||||
ansible.builtin.template:
|
||||
src: docker-compose.yml.j2
|
||||
dest: "{{ jellyfin_root }}/docker-compose.yml"
|
||||
mode: 0400
|
||||
notify: restart_jellyfin
|
||||
|
||||
- name: Install Jellyfin's docker-compose variables
|
||||
ansible.builtin.template:
|
||||
src: compose-env.j2
|
||||
dest: "{{ jellyfin_root }}/.env"
|
||||
mode: 0400
|
||||
notify: restart_jellyfin
|
||||
|
||||
- name: Start and enable Jellyfin service
|
||||
|
@ -36,12 +36,13 @@
|
||||
src: "/etc/nginx/sites-available/{{ item.item.domain }}.conf"
|
||||
dest: "/etc/nginx/sites-enabled/{{ item.item.domain }}.conf"
|
||||
state: link
|
||||
mode: 0400
|
||||
loop: "{{ nginx_sites.results }}"
|
||||
when: item.changed
|
||||
notify: reload_nginx
|
||||
|
||||
- name: Generate self-signed certificate
|
||||
ansible.builtin.shell: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
|
||||
ansible.builtin.command: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
|
||||
-subj "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
|
||||
-keyout /etc/ssl/private/nginx-selfsigned.key \
|
||||
-out /etc/ssl/certs/nginx-selfsigned.crt'
|
||||
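Review bot: The single-quoted openssl string keeps its trailing backslashes after YAML folds the continuation lines into one, so `ansible.builtin.command` appears to receive literal `\` tokens among the arguments (the previous `shell` form had the same issue, where `\ ` escapes the following space); confirm on the rendered task, but a `>-` block scalar without continuation backslashes avoids the question entirely, as below. On the same hunk, `mode: 0400` on a `state: link` task cannot apply to the symlink itself on Linux — Ansible will either ignore it or chmod the target in sites-available — so confirm that is intended or drop it. The task continues past the hunk; if it has no `creates:` guarding the certificate path, the key pair is regenerated on every run.
```yaml
  ansible.builtin.command: >-
    openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes
    -subj "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com"
    -keyout /etc/ssl/private/nginx-selfsigned.key
    -out /etc/ssl/certs/nginx-selfsigned.crt
  # … unchanged: remaining task keys …
```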
@ -60,13 +61,14 @@
|
||||
ansible.builtin.template:
|
||||
src: cloudflare.ini.j2
|
||||
dest: /root/.cloudflare.ini
|
||||
mode: '0600'
|
||||
mode: 0400
|
||||
when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
|
||||
|
||||
- name: Create nginx post renewal hook directory
|
||||
ansible.builtin.file:
|
||||
path: /etc/letsencrypt/renewal-hooks/post
|
||||
state: directory
|
||||
mode: 0500
|
||||
when: proxy.production is defined and proxy.production
|
||||
|
||||
- name: Install nginx post renewal hook
|
||||
|
@ -2,6 +2,7 @@
|
||||
ansible.builtin.file:
|
||||
path: "{{ traefik_root }}/config/dynamic"
|
||||
state: touch
|
||||
mode: 0500
|
||||
listen: reload_traefik
|
||||
|
||||
- name: Restart Traefik
|
||||
|
@ -1,6 +1,7 @@
|
||||
- name: Create Traefik directories
|
||||
ansible.builtin.file:
|
||||
path: "{{ traefik_root }}/config/dynamic"
|
||||
mode: 0500
|
||||
state: directory
|
||||
|
||||
- name: Install dynamic security configuration
|
||||
@ -9,13 +10,14 @@
|
||||
dest: "{{ traefik_root }}/config/dynamic/security.yml"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
mode: 0400
|
||||
notify: reload_traefik
|
||||
|
||||
- name: Install dynamic non-docker configuration
|
||||
ansible.builtin.template:
|
||||
src: "external.yml.j2"
|
||||
dest: "{{ traefik_root }}/config/dynamic/{{ item.name }}.yml"
|
||||
mode: 0400
|
||||
loop: "{{ traefik_external }}"
|
||||
when: traefik_external is defined
|
||||
|
||||
@ -23,18 +25,21 @@
|
||||
ansible.builtin.template:
|
||||
src: docker-compose.yml.j2
|
||||
dest: "{{ traefik_root }}/docker-compose.yml"
|
||||
mode: 0400
|
||||
notify: restart_traefik
|
||||
|
||||
- name: Install Traefik's docker-compose variables
|
||||
ansible.builtin.template:
|
||||
src: compose-env.j2
|
||||
dest: "{{ traefik_root }}/.env"
|
||||
mode: 0400
|
||||
notify: restart_traefik
|
||||
|
||||
- name: Install static Traefik configuration
|
||||
ansible.builtin.template:
|
||||
src: traefik.yml.j2
|
||||
dest: "{{ traefik_root }}/config/traefik.yml"
|
||||
mode: 0400
|
||||
notify: restart_traefik
|
||||
|
||||
- name: Start and enable Traefik service
|
||||
|
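Review bot: `mode: 0400` on `{{ traefik_root }}/config/traefik.yml` (and on the dynamic configs in the earlier hunk of this file) is root-only, which is fine for `docker-compose.yml` and `.env` read by root on the host, but traefik.yml is read from inside the container and is only readable there while the Traefik process runs as uid 0; a `user:` directive in the compose file would make the config unreadable. Worth recording the assumption on the task, e.g. `# 0400: read by the Traefik process as root inside the container; relax if the service runs as a non-root user`. The task list continues outside the hunk.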