roles/base/tasks/firewall.yml

@@ -1,23 +0,0 @@
-- name: Install the Uncomplicated Firewall
-  apt:
-    name: ufw
-    state: present
-
-- name: Deny incoming traffic by default
-  ufw:
-    default: deny
-    direction: incoming
-
-- name: Allow outgoing traffic by default
-  ufw:
-    default: allow
-    direction: outgoing
-
-- name: Allow OpenSSH with rate limiting
-  ufw:
-    name: ssh
-    rule: limit
-
-- name: Enable firewall
-  ufw:
-    state: enabled

roles/base/tasks/main.yml

@@ -4,9 +4,6 @@
 - import_tasks: system.yml
   tags: system
 
-- import_tasks: firewall.yml
-  tags: firewall
-
 - import_tasks: network.yml
   tags: network
   when: manage_network

roles/base/tasks/network.yml

@@ -12,3 +12,8 @@
     dest: "/etc/network/interfaces.d/{{ item.name }}"
   loop: "{{ interfaces }}"
   notify: reboot_host
+
+- name: Install bridge utilities
+  apt:
+    name: bridge-utils
+    state: present

roles/base/tasks/system.yml

@@ -10,6 +10,12 @@
     dest: /root/.ssh/authorized_keys
   when: authorized_keys is defined
 
+- name: Install btrfs-tools
+  apt:
+    name: btrfs-tools
+    state: present
+  when: btrfs_support is defined and btrfs_support | bool == true
+
 - name: Manage filesystem mounts
   mount:
     path: "{{ item.path }}"

roles/base/tasks/wireguard.yml

@@ -1,3 +1,25 @@
+# Copyright (C) 2021  Kris Lamoureux
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+- name: Add Debian Buster backports
+  copy:
+    src: buster-backports.list
+    dest: /etc/apt/sources.list.d/buster-backports.list
+    owner: root
+    group: root
+    mode: '0644'
+
 - name: Install WireGuard
   apt:
     name: wireguard

roles/bitwarden/defaults/main.yml

@@ -1,6 +1,5 @@
 bitwarden_name: bitwarden
-bitwarden_root: "/var/lib/{{ bitwarden_name }}"
+bitwarden_root: "{{ docker_root }}/{{ bitwarden_name }}"
 bitwarden_database: "{{ bitwarden_name }}"
-bitwarden_realips: "172.16.0.0/12"
 bitwarden_standalone: false
 bitwarden_production: false

roles/bitwarden/tasks/main.yml

@@ -65,12 +65,6 @@
   when: not bitwarden_standalone
   notify: rebuild_bitwarden
 
-- name: Define reverse proxy servers
-  lineinfile:
-    path: "{{ bitwarden_root }}/bwdata/config.yml"
-    line: "- {{ bitwarden_realips }}"
-    insertafter: "^real_ips"
-
 - name: Install Bitwarden systemd service
   template:
     src: bitwarden.service.j2

roles/docker/defaults/main.yml

@@ -1,3 +1,3 @@
-docker_compose_root: /var/lib/compose
+docker_root: /var/lib/docker-compose
 docker_compose: /usr/bin/docker-compose
 docker_compose_service: compose

roles/docker/tasks/main.yml

@@ -6,7 +6,7 @@
 
 - name: Create docker-compose root
   file:
-    path: "{{ docker_compose_root }}"
+    path: "{{ docker_root }}"
     state: directory
 
 - name: Install docker-compose systemd service

roles/docker/templates/docker-compose.service.j2

@@ -6,7 +6,7 @@ After=docker.service
 [Service]
 Type=oneshot
 RemainAfterExit=true
-WorkingDirectory={{ docker_compose_root }}/%i
+WorkingDirectory={{ docker_root }}/%i
 ExecStart={{ docker_compose }} up -d --remove-orphans
 ExecStop={{ docker_compose }} down
 

roles/gitea/defaults/main.yml

@@ -14,9 +14,5 @@ gitea_dbhost: host.docker.internal
 gitea_dbname: "{{ gitea_name }}"
 gitea_dbuser: "{{ gitea_name }}"
 
-# proxy settings
-gitea_proxy_limit: "1"
-gitea_trusted_proxies: "172.16.0.0/12"
-
 # host
-gitea_root: "{{ docker_compose_root }}/{{ gitea_name }}"
+gitea_root: "{{ docker_root }}/{{ gitea_name }}"

roles/gitea/handlers/main.yml

@@ -1,5 +0,0 @@
-- name: Restart Gitea
-  service:
-    name: "{{ docker_compose_service }}@{{ gitea_name }}"
-    state: restarted
-  listen: restart_gitea

roles/gitea/tasks/main.yml

@@ -46,22 +46,16 @@
     src: /home/git/.ssh/id_rsa.pub
   register: git_rsapub
 
-- name: Get stats on git's authorized_keys file
-  stat:
-    path: /home/git/.ssh/authorized_keys
-  register: git_authkeys
-
 - name: Create git's authorized_keys file
   file:
     path: /home/git/.ssh/authorized_keys
     state: touch
-  when: not git_authkeys.stat.exists
 
 - name: Add git's public SSH key to authorized_keys
   lineinfile:
     path: /home/git/.ssh/authorized_keys
-    regex: "^ssh-rsa"
     line: "{{ git_rsapub['content'] | b64decode }}"
+    insertbefore: BOF
 
 - name: Create Gitea host script for SSH
   template:
@@ -73,13 +67,11 @@
   template:
     src: docker-compose.yml.j2
     dest: "{{ gitea_root }}/docker-compose.yml"
-  notify: restart_gitea
 
 - name: Install Gitea's docker-compose variables
   template:
     src: compose-env.j2
     dest: "{{ gitea_root }}/.env"
-  notify: restart_gitea
 
 - name: Start and enable Gitea service
   service:

roles/gitea/templates/compose-env.j2

@@ -10,8 +10,6 @@ gitea_dbhost={{ gitea_dbhost }}
 gitea_dbname={{ gitea_dbname }}
 gitea_dbuser={{ gitea_dbuser }}
 gitea_dbpass={{ gitea_dbpass }}
-gitea_proxy_limit={{ gitea_proxy_limit }}
-gitea_trusted_proxies={{ gitea_trusted_proxies }}
 {% if not gitea_signup %}
 gitea_disable_registration=true
 {% else %}

roles/gitea/templates/docker-compose.yml.j2

@@ -20,8 +20,6 @@ services:
       - GITEA__database__NAME=${gitea_dbname}
       - GITEA__database__USER=${gitea_dbuser}
       - GITEA__database__PASSWD=${gitea_dbpass}
-      - GITEA__security__REVERSE_PROXY_LIMIT=${gitea_proxy_limit}
-      - GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES=${gitea_trusted_proxies}
       - GITEA__service__DISABLE_REGISTRATION=${gitea_disable_registration}
     volumes:
       - {{ gitea_volume }}:/data

roles/postgresql/tasks/main.yml

@@ -32,10 +32,3 @@
     name: postgresql
     state: restarted
   when: postgresql_config.changed
-
-- name: Allow database connections from Docker
-  ufw:
-    rule: allow
-    port: "5432"
-    proto: tcp
-    src: "172.16.0.0/12"

roles/proxy/tasks/main.yml

@@ -84,12 +84,3 @@
   loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"
   when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
   notify: reload_nginx
-
-- name: Add HTTP and HTTPS firewall rule
-  ufw:
-    rule: allow
-    port: "{{ item }}"
-    proto: tcp
-  loop:
-    - "80"
-    - "443"

roles/proxy/templates/server-nginx.conf.j2

@@ -30,7 +30,6 @@ server {
   location / {
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_pass {{ item.proxy_pass }};
   }
 }