22 changed files with 40 additions and 140 deletions
--- a/roles/base/handlers/main.yml
+++ b/roles/base/handlers/main.yml
@ -10,9 +10,3 @@
    name: wg-quick@wg0
    state: restarted
  listen: restart_wireguard
 - name: Restart Fail2ban
  service:
    name: fail2ban
    state: restarted
  listen: restart_fail2ban
--- a/roles/base/tasks/firewall.yml
+++ b/roles/base/tasks/firewall.yml
@ -1,28 +0,0 @@
 - name: Install the Uncomplicated Firewall
  apt:
    name: ufw
    state: present
 - name: Install Fail2ban
  apt:
    name: fail2ban
    state: present
 - name: Deny incoming traffic by default
  ufw:
    default: deny
    direction: incoming
 - name: Allow outgoing traffic by default
  ufw:
    default: allow
    direction: outgoing
 - name: Allow OpenSSH with rate limiting
  ufw:
    name: ssh
    rule: limit
 - name: Enable firewall
  ufw:
    state: enabled
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@ -4,9 +4,6 @@
 - import_tasks: system.yml
  tags: system
 - import_tasks: firewall.yml
  tags: firewall
 - import_tasks: network.yml
  tags: network
  when: manage_network
--- a/roles/base/tasks/network.yml
+++ b/roles/base/tasks/network.yml
@ -12,3 +12,8 @@
    dest: "/etc/network/interfaces.d/{{ item.name }}"
  loop: "{{ interfaces }}"
  notify: reboot_host
 - name: Install bridge utilities
  apt:
    name: bridge-utils
    state: present
--- a/roles/base/tasks/system.yml
+++ b/roles/base/tasks/system.yml
@ -10,6 +10,12 @@
    dest: /root/.ssh/authorized_keys
  when: authorized_keys is defined
 - name: Install btrfs-tools
  apt:
    name: btrfs-tools
    state: present
  when: btrfs_support is defined and btrfs_support | bool == true
 - name: Manage filesystem mounts
  mount:
    path: "{{ item.path }}"
--- a/roles/base/tasks/wireguard.yml
+++ b/roles/base/tasks/wireguard.yml
@ -1,3 +1,25 @@
 # Copyright (C) 2021  Kris Lamoureux
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
 - name: Add Debian Buster backports
  copy:
    src: buster-backports.list
    dest: /etc/apt/sources.list.d/buster-backports.list
    owner: root
    group: root
    mode: '0644'
 - name: Install WireGuard
  apt:
    name: wireguard
--- a/roles/bitwarden/defaults/main.yml
+++ b/roles/bitwarden/defaults/main.yml
@ -1,6 +1,5 @@
 bitwarden_name: bitwarden
-bitwarden_root: "/var/lib/{{ bitwarden_name }}"
+bitwarden_root: "{{ docker_root }}/{{ bitwarden_name }}"
 bitwarden_database: "{{ bitwarden_name }}"
 bitwarden_realips: "172.16.0.0/12"
 bitwarden_standalone: false
 bitwarden_production: false
--- a/roles/bitwarden/tasks/main.yml
+++ b/roles/bitwarden/tasks/main.yml
@ -65,12 +65,6 @@
  when: not bitwarden_standalone
  notify: rebuild_bitwarden
 - name: Define reverse proxy servers
  lineinfile:
    path: "{{ bitwarden_root }}/bwdata/config.yml"
    line: "- {{ bitwarden_realips }}"
    insertafter: "^real_ips"
 - name: Install Bitwarden systemd service
  template:
    src: bitwarden.service.j2
@ -78,12 +72,6 @@
  register: bitwarden_systemd
  notify: rebuild_bitwarden
 - name: Install Bitwarden's Fail2ban jail
  template:
    src: fail2ban-jail.conf.j2
    dest: /etc/fail2ban/jail.d/bitwarden.conf
  notify: restart_fail2ban
 - name: Reload systemd manager configuration
  systemd:
    daemon_reload: true
--- a/roles/bitwarden/templates/fail2ban-jail.conf.j2
+++ b/roles/bitwarden/templates/fail2ban-jail.conf.j2
@ -1,9 +0,0 @@
 # {{ ansible_managed }}
 [bitwarden]
 enabled = true
 filter = bitwarden
 logpath = /var/lib/bitwarden/bwdata/logs/identity/Identity/*
 maxretry = 10
 findtime = 3600
 bantime = 900
 action = iptables-allports
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@ -1,3 +1,3 @@
-docker_compose_root: /var/lib/compose
+docker_root: /var/lib/docker-compose
 docker_compose: /usr/bin/docker-compose
 docker_compose_service: compose
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@ -6,7 +6,7 @@
 - name: Create docker-compose root
  file:
-    path: "{{ docker_compose_root }}"
+    path: "{{ docker_root }}"
    state: directory
 - name: Install docker-compose systemd service
--- a/roles/docker/templates/docker-compose.service.j2
+++ b/roles/docker/templates/docker-compose.service.j2
@ -6,7 +6,7 @@ After=docker.service
 [Service]
 Type=oneshot
 RemainAfterExit=true
-WorkingDirectory={{ docker_compose_root }}/%i
+WorkingDirectory={{ docker_root }}/%i
 ExecStart={{ docker_compose }} up -d --remove-orphans
 ExecStop={{ docker_compose }} down
--- a/roles/gitea/defaults/main.yml
+++ b/roles/gitea/defaults/main.yml
@ -14,9 +14,5 @@ gitea_dbhost: host.docker.internal
 gitea_dbname: "{{ gitea_name }}"
 gitea_dbuser: "{{ gitea_name }}"
 # proxy settings
 gitea_proxy_limit: "1"
 gitea_trusted_proxies: "172.16.0.0/12"
 # host
-gitea_root: "{{ docker_compose_root }}/{{ gitea_name }}"
+gitea_root: "{{ docker_root }}/{{ gitea_name }}"
--- a/roles/gitea/handlers/main.yml
+++ b/roles/gitea/handlers/main.yml
@ -1,5 +0,0 @@
 - name: Restart Gitea
  service:
    name: "{{ docker_compose_service }}@{{ gitea_name }}"
    state: restarted
  listen: restart_gitea
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
@ -46,22 +46,16 @@
    src: /home/git/.ssh/id_rsa.pub
  register: git_rsapub
 - name: Get stats on git's authorized_keys file
  stat:
    path: /home/git/.ssh/authorized_keys
  register: git_authkeys
 - name: Create git's authorized_keys file
  file:
    path: /home/git/.ssh/authorized_keys
    state: touch
  when: not git_authkeys.stat.exists
 - name: Add git's public SSH key to authorized_keys
  lineinfile:
    path: /home/git/.ssh/authorized_keys
    regex: "^ssh-rsa"
    line: "{{ git_rsapub['content'] | b64decode }}"
    insertbefore: BOF
 - name: Create Gitea host script for SSH
  template:
@ -73,25 +67,11 @@
  template:
    src: docker-compose.yml.j2
    dest: "{{ gitea_root }}/docker-compose.yml"
  notify: restart_gitea
 - name: Install Gitea's docker-compose variables
  template:
    src: compose-env.j2
    dest: "{{ gitea_root }}/.env"
  notify: restart_gitea
 - name: Install Gitea's Fail2ban filter
  template:
    src: fail2ban-filter.conf.j2
    dest: /etc/fail2ban/filter.d/gitea.conf
  notify: restart_fail2ban
 - name: Install Gitea's Fail2ban jail
  template:
    src: fail2ban-jail.conf.j2
    dest: /etc/fail2ban/jail.d/gitea.conf
  notify: restart_fail2ban
 - name: Start and enable Gitea service
  service:
--- a/roles/gitea/templates/compose-env.j2
+++ b/roles/gitea/templates/compose-env.j2
@ -10,8 +10,6 @@ gitea_dbhost={{ gitea_dbhost }}
 gitea_dbname={{ gitea_dbname }}
 gitea_dbuser={{ gitea_dbuser }}
 gitea_dbpass={{ gitea_dbpass }}
 gitea_proxy_limit={{ gitea_proxy_limit }}
 gitea_trusted_proxies={{ gitea_trusted_proxies }}
 {% if not gitea_signup %}
 gitea_disable_registration=true
 {% else %}
--- a/roles/gitea/templates/docker-compose.yml.j2
+++ b/roles/gitea/templates/docker-compose.yml.j2
@ -12,7 +12,6 @@ services:
    environment:
      - USER_UID={{ getent_passwd.git[1] }}
      - USER_GID={{ getent_group.git[1] }}
      - GITEA__log__MODE=file
      - GITEA__server__ROOT_URL=${gitea_rooturl}
      - GITEA__server__DOMAIN=${gitea_domain}
      - GITEA__server__SSH_DOMAIN=${gitea_domain}
@ -21,13 +20,10 @@ services:
      - GITEA__database__NAME=${gitea_dbname}
      - GITEA__database__USER=${gitea_dbuser}
      - GITEA__database__PASSWD=${gitea_dbpass}
      - GITEA__security__REVERSE_PROXY_LIMIT=${gitea_proxy_limit}
      - GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES=${gitea_trusted_proxies}
      - GITEA__service__DISABLE_REGISTRATION=${gitea_disable_registration}
    volumes:
      - {{ gitea_volume }}:/data
-      - /home/git/.ssh:/data/git/.ssh
+      - /home/git/.ssh/:/data/git/.ssh
      - /var/log/gitea:/data/gitea/log
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
--- a/roles/gitea/templates/fail2ban-filter.conf.j2
+++ b/roles/gitea/templates/fail2ban-filter.conf.j2
@ -1,4 +0,0 @@
 # {{ ansible_managed }}
 [Definition]
 failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
 ignoreregex =
--- a/roles/gitea/templates/fail2ban-jail.conf.j2
+++ b/roles/gitea/templates/fail2ban-jail.conf.j2
@ -1,18 +0,0 @@
 # {{ ansible_managed }}
 [gitea]
 enabled = true
 filter = gitea
 logpath = /var/log/gitea/gitea.log
 maxretry = 10
 findtime = 3600
 bantime = 900
 action = iptables-allports
 [gitea-docker]
 enabled = true
 filter = gitea
 logpath = /var/log/gitea/gitea.log
 maxretry = 10
 findtime = 3600
 bantime = 900
 action = iptables-allports[chain="FORWARD"]
--- a/roles/postgresql/tasks/main.yml
+++ b/roles/postgresql/tasks/main.yml
@ -32,10 +32,3 @@
    name: postgresql
    state: restarted
  when: postgresql_config.changed
 - name: Allow database connections from Docker
  ufw:
    rule: allow
    port: "5432"
    proto: tcp
    src: "172.16.0.0/12"
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@ -84,12 +84,3 @@
  loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"
  when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
  notify: reload_nginx
 - name: Add HTTP and HTTPS firewall rule
  ufw:
    rule: allow
    port: "{{ item }}"
    proto: tcp
  loop:
    - "80"
    - "443"
--- a/roles/proxy/templates/server-nginx.conf.j2
+++ b/roles/proxy/templates/server-nginx.conf.j2
@ -30,7 +30,6 @@ server {
  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass {{ item.proxy_pass }};
  }
 }