Compare commits

..

No commits in common. "209ff57a4a4a9b8839f336b6b1a2bc665dd575ca" and "ed9100bc8f5f5c2034845ee86a9e6c67b1e6fc01" have entirely different histories.

20 changed files with 86 additions and 247 deletions

3
Vagrantfile vendored
View File

@ -30,9 +30,8 @@ Vagrant.configure("2") do |config|
config.vm.define :moxie do |moxie| # config.vm.define :moxie do |moxie| #
end end
# Disable Machine Name Prefix
config.vm.provider :libvirt do |libvirt| config.vm.provider :libvirt do |libvirt|
libvirt.cpus = 2
libvirt.memory = 4096
libvirt.default_prefix = "" libvirt.default_prefix = ""
end end

View File

@ -1,41 +0,0 @@
base_domain: vm.krislamo.org
# base
allow_reboot: false
manage_network: false
# proxy
proxy:
#production: true
dns_cloudflare:
opts: --test-cert
#email: realemail@example.com
#api_token: CLOUDFLARE_DNS01_API_TOKEN
wildcard_domains:
- "{{ base_domain }}"
servers:
- domain: "{{ bitwarden_domain }}"
proxy_pass: "http://127.0.0.1:8080"
- domain: "{{ gitea_domain }}"
proxy_pass: "http://127.0.0.1:3080"
# docker
docker_users:
- vagrant
# bitwarden
# Get Installation ID & Key at https://bitwarden.com/host/
bitwarden_domain: "vault.{{ base_domain }}"
bitwarden_dbpass: password
bitwarden_install_id: 4ea840a3-532e-4cb6-a472-abd900728b23
bitwarden_install_key: 1yB3Z2gRI0KnnH90C6p
#bitwarden_prodution: true
# gitea
gitea_domain: "git.{{ base_domain }}"
gitea_version: 1
gitea_dbversion: latest
gitea_dbpass: password
gitea_ports:
- "222:22"
- "3080:3000"

View File

@ -1,11 +0,0 @@
- name: Install Proxy Server
hosts: all
become: true
vars_files:
- host_vars/proxy.yml
roles:
- base
- proxy
- docker
- bitwarden
- gitea

1
roles/.gitignore vendored
View File

@ -11,7 +11,6 @@
!nextcloud*/ !nextcloud*/
!nginx*/ !nginx*/
!prometheus*/ !prometheus*/
!proxy*/
!rsnapshot*/ !rsnapshot*/
!traefik*/ !traefik*/
!unifi*/ !unifi*/

View File

@ -1,5 +1,4 @@
bitwarden_name: bitwarden bitwarden_name: bitwarden
bitwarden_root: "/opt/{{ bitwarden_name }}" bitwarden_root: "/opt/{{ bitwarden_name }}"
bitwarden_database: "{{ bitwarden_name }}"
bitwarden_standalone: false bitwarden_standalone: false
bitwarden_production: false bitwarden_production: false

View File

@ -11,7 +11,7 @@
- name: Download Bitwarden script - name: Download Bitwarden script
get_url: get_url:
url: "https://raw.githubusercontent.com/\ url: "https://raw.githubusercontent.com/\
bitwarden/self-host/master/bitwarden.sh" bitwarden/server/master/scripts/bitwarden.sh"
dest: "{{ bitwarden_root }}" dest: "{{ bitwarden_root }}"
mode: u+x mode: u+x
@ -31,7 +31,6 @@
template: template:
src: compose.override.yml.j2 src: compose.override.yml.j2
dest: "{{ bitwarden_root }}/bwdata/docker/docker-compose.override.yml" dest: "{{ bitwarden_root }}/bwdata/docker/docker-compose.override.yml"
when: traefik_version is defined
notify: notify:
- rebuild_bitwarden - rebuild_bitwarden
- start_bitwarden - start_bitwarden

View File

@ -14,9 +14,6 @@ send "y\r"
send "n\r" send "n\r"
{% endif %} {% endif %}
expect "Enter the database name for your Bitwarden instance (ex. vault):"
send "{{ bitwarden_database }}\r"
expect "Enter your installation id (get at https://bitwarden.com/host):" expect "Enter your installation id (get at https://bitwarden.com/host):"
send "{{ bitwarden_install_id }}\r" send "{{ bitwarden_install_id }}\r"

View File

@ -1,5 +1,3 @@
version: '3'
services: services:
nginx: nginx:
networks: networks:

View File

@ -0,0 +1 @@
deb [arch=amd64] https://download.docker.com/linux/debian buster stable

View File

@ -0,0 +1,38 @@
#!/bin/bash
# Github username and repo name
user="docker"
repo="compose"
# Retrieve the latest version number
addr="https://github.com/$user/$repo/releases/latest"
page=$(curl -s $addr | grep -o releases/tag/*.*\")
version=$(echo $page | awk '{print substr($1, 14, length($1) - 14)}')
# Download prep
url="https://github.com/$user/$repo/releases/download/$version"
file="docker-compose-$(uname -s)-$(uname -m)"
# Download latest Docker Compose if that version hasn't been downloaded
if [ ! -f /tmp/docker_compose_$version ]; then
curl -L $url/$file -o /tmp/docker-compose_$version
fi
# Is it already installed?
if installed=$(which docker-compose); then
new_chksum=$(sha256sum /tmp/docker-compose_$version)
old_chksum=$(sha256sum /usr/local/bin/docker-compose)
# If checksums are different, delete and install new version
if [ ! "$new_chksum" = "$old_chksum" ]; then
rm /usr/local/bin/docker-compose
mv /tmp/docker-compose_$version /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
fi
else
# It's not installed, so no need to remove
mv /tmp/docker-compose_$version /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
fi

View File

@ -1,6 +1,43 @@
- name: Install Docker # Copyright (C) 2019 Kris Lamoureux
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
- name: Remove old versions of Docker
apt: apt:
name: ['docker.io', 'docker-compose'] name: ['docker', 'docker-engine', 'docker.io', 'containerd', 'runc']
state: absent
update_cache: true
- name: Install HTTPS capability for apt
apt:
name: ['apt-transport-https', 'ca-certificates',
'curl', 'gnupg2', 'software-properties-common']
state: present
- name: Install Docker's signing key
apt_key:
url: https://download.docker.com/linux/debian/gpg
id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
state: present
- name: Install Docker's stable repository
template:
src: docker-ce.list
dest: /etc/apt/sources.list.d/docker-ce.list
- name: Install Docker CE
apt:
name: ['docker-ce', 'docker-ce-cli', 'containerd.io']
state: present state: present
update_cache: true update_cache: true
@ -12,6 +49,11 @@
loop: "{{ docker_users }}" loop: "{{ docker_users }}"
when: docker_users is defined when: docker_users is defined
- name: Install docker-compose
script: install-compose.sh
args:
creates: /usr/local/bin/docker-compose
- name: Start Docker and enable on boot - name: Start Docker and enable on boot
service: service:
name: docker name: docker

View File

@ -9,7 +9,6 @@
state: started state: started
restart_policy: always restart_policy: always
volumes: "{{ gitea_dbroot }}:/var/lib/mysql" volumes: "{{ gitea_dbroot }}:/var/lib/mysql"
container_default_behavior: "no_defaults"
networks_cli_compatible: true networks_cli_compatible: true
networks: networks:
- name: "{{ gitea_name }}" - name: "{{ gitea_name }}"
@ -19,13 +18,12 @@
MYSQL_USER: "{{ gitea_dbuser }}" MYSQL_USER: "{{ gitea_dbuser }}"
MYSQL_PASSWORD: "{{ gitea_dbpass }}" MYSQL_PASSWORD: "{{ gitea_dbpass }}"
- name: Start Gitea container (traefik routing) - name: Start Gitea container
docker_container: docker_container:
name: "{{ gitea_name }}" name: "{{ gitea_name }}"
image: gitea/gitea:{{ gitea_version }} image: gitea/gitea:{{ gitea_version }}
state: started state: started
restart_policy: always restart_policy: always
container_default_behavior: "no_defaults"
networks_cli_compatible: true networks_cli_compatible: true
ports: "{{ gitea_ports }}" ports: "{{ gitea_ports }}"
networks: networks:
@ -54,32 +52,3 @@
traefik.http.services.gitea.loadbalancer.server.port: "3000" traefik.http.services.gitea.loadbalancer.server.port: "3000"
traefik.docker.network: traefik traefik.docker.network: traefik
traefik.enable: "true" traefik.enable: "true"
when: traefik_version is defined
- name: Start Gitea container
docker_container:
name: "{{ gitea_name }}"
image: gitea/gitea:{{ gitea_version }}
state: started
restart_policy: always
container_default_behavior: "no_defaults"
networks_cli_compatible: true
ports: "{{ gitea_ports }}"
networks:
- name: "{{ gitea_name }}"
volumes:
- "{{ gitea_root }}:/data"
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
env:
USER_UID: "1000"
USER_GID: "1000"
DB_TYPE: mysql
DB_HOST: "{{ gitea_dbname }}"
DB_NAME: "{{ gitea_dbname }}"
DB_USER: "{{ gitea_dbuser }}"
DB_PASSWD: "{{ gitea_dbpass }}"
ROOT_URL: "https://{{ gitea_domain }}/"
SSH_DOMAIN: "{{ gitea_domain }}"
DOMAIN: "{{ gitea_domain }}"
when: traefik_version is not defined

View File

@ -1,2 +0,0 @@
#!/bin/bash
systemctl reload nginx

View File

@ -1,5 +0,0 @@
- name: Reload nginx
service:
name: nginx
state: reloaded
listen: reload_nginx

View File

@ -1,85 +0,0 @@
- name: Install nginx
apt:
name: nginx
state: present
update_cache: true
- name: Start nginx and enable on boot
service:
name: nginx
state: started
enabled: true
- name: Install nginx base configuration
template:
src: nginx.conf.j2
dest: /etc/nginx/nginx.conf
mode: '0644'
notify: reload_nginx
- name: Install nginx sites configuration
template:
src: server-nginx.conf.j2
dest: "/etc/nginx/sites-available/{{ item.domain }}.conf"
mode: '0644'
loop: "{{ proxy.servers }}"
notify: reload_nginx
register: nginx_sites
- name: Enable nginx sites configuration
file:
src: "/etc/nginx/sites-available/{{ item.item.domain }}.conf"
dest: "/etc/nginx/sites-enabled/{{ item.item.domain }}.conf"
state: link
loop: "{{ nginx_sites.results }}"
when: item.changed
notify: reload_nginx
- name: Generate self-signed certificate
shell: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
-subj "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
-keyout /etc/ssl/private/nginx-selfsigned.key \
-out /etc/ssl/certs/nginx-selfsigned.crt'
args:
creates: /etc/ssl/certs/nginx-selfsigned.crt
when: proxy.production is not defined or not proxy.production
notify: reload_nginx
- name: Install LE's certbot
apt:
name: ['certbot', 'python3-certbot-dns-cloudflare']
state: present
when: proxy.production is defined and proxy.production
- name: Install Cloudflare API token
template:
src: cloudflare.ini.j2
dest: /root/.cloudflare.ini
mode: '0600'
when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
- name: Create nginx post renewal hook directory
file:
path: /etc/letsencrypt/renewal-hooks/post
state: directory
- name: Install nginx post renewal hook
copy:
src: reload-nginx.sh
dest: /etc/letsencrypt/renewal-hooks/post/reload-nginx.sh
mode: '0755'
when: proxy.production is defined and proxy.production
- name: Run Cloudflare DNS-01 challenges on wildcard domains
shell: '/usr/bin/certbot certonly \
--non-interactive \
--agree-tos \
--email "{{ proxy.dns_cloudflare.email }}" \
--dns-cloudflare \
--dns-cloudflare-credentials /root/.cloudflare.ini \
-d "*.{{ item }}" {{ proxy.dns_cloudflare.opts | default("") }}'
args:
creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"
when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
notify: reload_nginx

View File

@ -1,2 +0,0 @@
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = {{ proxy.dns_cloudflare.api_token }}

View File

@ -1,26 +0,0 @@
user www-data;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] $status '
'"$request" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
server_tokens off;
sendfile on;
tcp_nopush on;
keepalive_timeout 65;
server_names_hash_bucket_size 128;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

View File

@ -1,28 +0,0 @@
server {
listen 443 ssl;
server_name {{ item.domain }};
access_log /var/log/nginx/{{ item.domain }}.log main;
{% if proxy.production is defined and proxy.production and proxy.dns_cloudflare.wildcard_domains is defined and item.tls.cert is not defined %}
{% for wildcard in proxy.dns_cloudflare.wildcard_domains %}
{% set domain_regex = '^\*\.' + wildcard + '$' %}
{% if item.domain | regex_search(wildcard) %}
ssl_certificate /etc/letsencrypt/live/{{ wildcard }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ wildcard }}/privkey.pem;
{% endif %}
{% endfor %}
{% elif proxy.production is defined and proxy.production and item.tls.cert is not defined %}
ssl_certificate /etc/letsencrypt/live/{{ item.domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ item.domain }}/privkey.pem;
{% elif proxy.production is defined and proxy.production and item.tls.cert is defined %}
ssl_certificate {{ item.tls.cert }};
ssl_certificate_key {{ item.tls.key }};
{% else %}
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
{% endif %}
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass {{ item.proxy_pass }};
}
}

View File

@ -9,6 +9,5 @@
name: "{{ traefik_name }}" name: "{{ traefik_name }}"
image: traefik:{{ traefik_version }} image: traefik:{{ traefik_version }}
state: started state: started
container_default_behavior: "no_defaults"
restart: yes restart: yes
listen: restart_traefik listen: restart_traefik

View File

@ -36,7 +36,6 @@
state: started state: started
restart_policy: always restart_policy: always
ports: "{{ traefik_ports }}" ports: "{{ traefik_ports }}"
container_default_behavior: "no_defaults"
networks_cli_compatible: "false" networks_cli_compatible: "false"
networks: networks:
- name: traefik - name: traefik