Compare commits
6 Commits
f46be75cc1
...
master
| Author | SHA1 | Date | |
|---|---|---|---|
57d90ef8a1
|
|||
|
cea6cddf54
|
|||
|
b0ca4dc906
|
|||
|
a68ef1fffc
|
|||
|
36d4ca2e6d
|
|||
|
0b23966f6e
|
1
.gitignore
vendored
1
.gitignore
vendored
@@ -1,4 +1,5 @@
|
|||||||
.vagrant
|
.vagrant
|
||||||
|
.vscode
|
||||||
.playbook
|
.playbook
|
||||||
/*.yml
|
/*.yml
|
||||||
/*.yaml
|
/*.yaml
|
||||||
|
|||||||
2
Vagrantfile
vendored
2
Vagrantfile
vendored
@@ -20,7 +20,7 @@ else
|
|||||||
end
|
end
|
||||||
|
|
||||||
Vagrant.configure("2") do |config|
|
Vagrant.configure("2") do |config|
|
||||||
config.vm.box = "debian/bullseye64"
|
config.vm.box = "debian/contrib-buster64"
|
||||||
config.vm.network "private_network", type: "dhcp"
|
config.vm.network "private_network", type: "dhcp"
|
||||||
config.vm.synced_folder ".", "/vagrant", disabled: true
|
config.vm.synced_folder ".", "/vagrant", disabled: true
|
||||||
config.vm.synced_folder "./scratch", "/vagrant/scratch"
|
config.vm.synced_folder "./scratch", "/vagrant/scratch"
|
||||||
|
|||||||
@@ -5,6 +5,6 @@
|
|||||||
- host_vars/bitwarden.yml
|
- host_vars/bitwarden.yml
|
||||||
roles:
|
roles:
|
||||||
- base
|
- base
|
||||||
- proxy
|
|
||||||
- docker
|
- docker
|
||||||
|
- traefik
|
||||||
- bitwarden
|
- bitwarden
|
||||||
|
|||||||
@@ -2,9 +2,6 @@
|
|||||||
allow_reboot: false
|
allow_reboot: false
|
||||||
manage_network: false
|
manage_network: false
|
||||||
|
|
||||||
# nginx proxy
|
|
||||||
proxy: helloworld
|
|
||||||
|
|
||||||
# docker
|
# docker
|
||||||
docker_users:
|
docker_users:
|
||||||
- vagrant
|
- vagrant
|
||||||
@@ -16,9 +13,6 @@ traefik_domain: traefik.vm.krislamo.org
|
|||||||
traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
|
traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
|
||||||
#traefik_acme_email: realemail@example.com # Let's Encrypt settings
|
#traefik_acme_email: realemail@example.com # Let's Encrypt settings
|
||||||
#traefik_production: true
|
#traefik_production: true
|
||||||
traefik_ports:
|
|
||||||
- "8000:80"
|
|
||||||
- "4430:443"
|
|
||||||
|
|
||||||
# bitwarden
|
# bitwarden
|
||||||
# Get Installation ID & Key at https://bitwarden.com/host/
|
# Get Installation ID & Key at https://bitwarden.com/host/
|
||||||
|
|||||||
@@ -20,7 +20,7 @@
|
|||||||
- docker
|
- docker
|
||||||
- traefik
|
- traefik
|
||||||
- nextcloud
|
- nextcloud
|
||||||
- gitea
|
# - gitea
|
||||||
- jenkins
|
- jenkins
|
||||||
- prometheus
|
- prometheus
|
||||||
- nginx
|
- nginx
|
||||||
|
|||||||
1
roles/.gitignore
vendored
1
roles/.gitignore
vendored
@@ -11,7 +11,6 @@
|
|||||||
!nextcloud*/
|
!nextcloud*/
|
||||||
!nginx*/
|
!nginx*/
|
||||||
!prometheus*/
|
!prometheus*/
|
||||||
!proxy/*
|
|
||||||
!rsnapshot*/
|
!rsnapshot*/
|
||||||
!traefik*/
|
!traefik*/
|
||||||
!unifi*/
|
!unifi*/
|
||||||
|
|||||||
@@ -47,7 +47,6 @@
|
|||||||
labels:
|
labels:
|
||||||
traefik.http.routers.gitea.rule: "Host(`{{ gitea_domain }}`)"
|
traefik.http.routers.gitea.rule: "Host(`{{ gitea_domain }}`)"
|
||||||
traefik.http.routers.gitea.entrypoints: websecure
|
traefik.http.routers.gitea.entrypoints: websecure
|
||||||
traefik.http.routers.gitea.tls.certresolver: letsencrypt
|
|
||||||
traefik.http.routers.gitea.middlewares: "securehttps@file"
|
traefik.http.routers.gitea.middlewares: "securehttps@file"
|
||||||
traefik.http.services.gitea.loadbalancer.server.port: "3000"
|
traefik.http.services.gitea.loadbalancer.server.port: "3000"
|
||||||
traefik.docker.network: traefik
|
traefik.docker.network: traefik
|
||||||
|
|||||||
@@ -20,7 +20,6 @@
|
|||||||
labels:
|
labels:
|
||||||
traefik.http.routers.jenkins.rule: "Host(`{{ jenkins_domain }}`)"
|
traefik.http.routers.jenkins.rule: "Host(`{{ jenkins_domain }}`)"
|
||||||
traefik.http.routers.jenkins.entrypoints: websecure
|
traefik.http.routers.jenkins.entrypoints: websecure
|
||||||
traefik.http.routers.jenkins.tls.certresolver: letsencrypt
|
|
||||||
traefik.http.routers.jenkins.middlewares: "securehttps@file"
|
traefik.http.routers.jenkins.middlewares: "securehttps@file"
|
||||||
traefik.docker.network: traefik
|
traefik.docker.network: traefik
|
||||||
traefik.enable: "true"
|
traefik.enable: "true"
|
||||||
|
|||||||
@@ -32,7 +32,6 @@
|
|||||||
labels:
|
labels:
|
||||||
traefik.http.routers.nextcloud.rule: "Host(`{{ nextcloud_domain }}`)"
|
traefik.http.routers.nextcloud.rule: "Host(`{{ nextcloud_domain }}`)"
|
||||||
traefik.http.routers.nextcloud.entrypoints: websecure
|
traefik.http.routers.nextcloud.entrypoints: websecure
|
||||||
traefik.http.routers.nextcloud.tls.certresolver: letsencrypt
|
|
||||||
traefik.http.routers.nextcloud.middlewares: "securehttps@file,nextcloud-webdav"
|
traefik.http.routers.nextcloud.middlewares: "securehttps@file,nextcloud-webdav"
|
||||||
traefik.http.middlewares.nextcloud-webdav.redirectregex.regex: "https://(.*)/.well-known/(card|cal)dav"
|
traefik.http.middlewares.nextcloud-webdav.redirectregex.regex: "https://(.*)/.well-known/(card|cal)dav"
|
||||||
traefik.http.middlewares.nextcloud-webdav.redirectregex.replacement: "https://${1}/remote.php/dav/"
|
traefik.http.middlewares.nextcloud-webdav.redirectregex.replacement: "https://${1}/remote.php/dav/"
|
||||||
|
|||||||
@@ -1,7 +1,36 @@
|
|||||||
- import_tasks: proxy.yml
|
- name: Create nginx root
|
||||||
tags: proxy
|
file:
|
||||||
when: proxy is defined
|
path: "{{ nginx_root }}"
|
||||||
|
state: directory
|
||||||
|
|
||||||
- import_tasks: webserver.yml
|
- name: Generate deploy keys
|
||||||
tags: nginx
|
openssh_keypair:
|
||||||
when: nginx_domain is defined
|
path: "{{ nginx_repo_key }}"
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Clone static website files
|
||||||
|
git:
|
||||||
|
repo: "{{ nginx_repo_url }}"
|
||||||
|
dest: "{{ nginx_html }}"
|
||||||
|
version: "{{ nginx_repo_branch }}"
|
||||||
|
key_file: "{{ nginx_repo_key }}"
|
||||||
|
separate_git_dir: "{{ nginx_repo_dest }}"
|
||||||
|
|
||||||
|
- name: Start nginx container
|
||||||
|
docker_container:
|
||||||
|
name: "{{ nginx_name }}"
|
||||||
|
image: nginx:{{ nginx_version }}
|
||||||
|
state: started
|
||||||
|
restart_policy: always
|
||||||
|
networks_cli_compatible: true
|
||||||
|
networks:
|
||||||
|
- name: traefik
|
||||||
|
volumes:
|
||||||
|
- "{{ nginx_html }}:/usr/share/nginx/html:ro"
|
||||||
|
labels:
|
||||||
|
traefik.http.routers.nginx.rule: "Host(`{{ nginx_domain }}`)"
|
||||||
|
#traefik.http.middlewares.nginxauth.basicauth.users: "{{ nginx_auth }}"
|
||||||
|
traefik.http.routers.nginx.entrypoints: websecure
|
||||||
|
traefik.http.routers.nginx.middlewares: "securehttps@file"
|
||||||
|
traefik.docker.network: traefik
|
||||||
|
traefik.enable: "true"
|
||||||
|
|||||||
@@ -1,17 +0,0 @@
|
|||||||
- name: Install nginx
|
|
||||||
apt:
|
|
||||||
name: nginx
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Install nginx configuration
|
|
||||||
template:
|
|
||||||
src: nginx.conf.j2
|
|
||||||
dest: /etc/nginx/nginx.conf
|
|
||||||
mode: '0644'
|
|
||||||
register: nginx_conf
|
|
||||||
|
|
||||||
- name: Reload nginx
|
|
||||||
service:
|
|
||||||
name: nginx
|
|
||||||
state: reloaded
|
|
||||||
enabled: true
|
|
||||||
@@ -1,37 +0,0 @@
|
|||||||
- name: Create nginx root
|
|
||||||
file:
|
|
||||||
path: "{{ nginx_root }}"
|
|
||||||
state: directory
|
|
||||||
|
|
||||||
- name: Generate deploy keys
|
|
||||||
openssh_keypair:
|
|
||||||
path: "{{ nginx_repo_key }}"
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Clone static website files
|
|
||||||
git:
|
|
||||||
repo: "{{ nginx_repo_url }}"
|
|
||||||
dest: "{{ nginx_html }}"
|
|
||||||
version: "{{ nginx_repo_branch }}"
|
|
||||||
key_file: "{{ nginx_repo_key }}"
|
|
||||||
separate_git_dir: "{{ nginx_repo_dest }}"
|
|
||||||
|
|
||||||
- name: Start nginx container
|
|
||||||
docker_container:
|
|
||||||
name: "{{ nginx_name }}"
|
|
||||||
image: nginx:{{ nginx_version }}
|
|
||||||
state: started
|
|
||||||
restart_policy: always
|
|
||||||
networks_cli_compatible: true
|
|
||||||
networks:
|
|
||||||
- name: traefik
|
|
||||||
volumes:
|
|
||||||
- "{{ nginx_html }}:/usr/share/nginx/html:ro"
|
|
||||||
labels:
|
|
||||||
traefik.http.routers.nginx.rule: "Host(`{{ nginx_domain }}`)"
|
|
||||||
traefik.http.middlewares.nginxauth.basicauth.users: "{{ nginx_auth }}"
|
|
||||||
traefik.http.routers.nginx.entrypoints: websecure
|
|
||||||
traefik.http.routers.nginx.tls.certresolver: letsencrypt
|
|
||||||
traefik.http.routers.nginx.middlewares: "securehttps@file,nginxauth"
|
|
||||||
traefik.docker.network: traefik
|
|
||||||
traefik.enable: "true"
|
|
||||||
@@ -1,45 +0,0 @@
|
|||||||
user www-data;
|
|
||||||
worker_processes auto;
|
|
||||||
pid /run/nginx.pid;
|
|
||||||
include /etc/nginx/modules-enabled/*.conf;
|
|
||||||
|
|
||||||
events {
|
|
||||||
worker_connections 1024;
|
|
||||||
}
|
|
||||||
|
|
||||||
http {
|
|
||||||
include /etc/nginx/mime.types;
|
|
||||||
default_type application/octet-stream;
|
|
||||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
|
||||||
'$status $body_bytes_sent "$http_referer" '
|
|
||||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
|
||||||
|
|
||||||
access_log /var/log/nginx/access.log main;
|
|
||||||
sendfile on;
|
|
||||||
#tcp_nopush on;
|
|
||||||
keepalive_timeout 65;
|
|
||||||
#gzip on;
|
|
||||||
|
|
||||||
include /etc/nginx/conf.d/*.conf;
|
|
||||||
}
|
|
||||||
|
|
||||||
## tcp LB and SSL passthrough for backend ##
|
|
||||||
stream {
|
|
||||||
upstream traefik {
|
|
||||||
server 127.0.0.1:4430 max_fails=3 fail_timeout=10s;
|
|
||||||
}
|
|
||||||
|
|
||||||
log_format basic '$remote_addr [$time_local] '
|
|
||||||
'$protocol $status $bytes_sent $bytes_received '
|
|
||||||
'$session_time "$upstream_addr" '
|
|
||||||
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
|
|
||||||
|
|
||||||
access_log /var/log/nginx/traefik_access.log basic;
|
|
||||||
error_log /var/log/nginx/traefik_error.log;
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443;
|
|
||||||
proxy_pass traefik;
|
|
||||||
proxy_next_upstream on;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -45,7 +45,6 @@
|
|||||||
traefik.http.routers.prometheus.rule: "Host(`{{ prom_domain }}`)"
|
traefik.http.routers.prometheus.rule: "Host(`{{ prom_domain }}`)"
|
||||||
traefik.http.routers.prometheus.entrypoints: websecure
|
traefik.http.routers.prometheus.entrypoints: websecure
|
||||||
traefik.http.routers.prometheus.middlewares: "securehttps@file,localonly"
|
traefik.http.routers.prometheus.middlewares: "securehttps@file,localonly"
|
||||||
traefik.http.routers.prometheus.tls.certresolver: letsencrypt
|
|
||||||
traefik.http.middlewares.localonly.ipwhitelist.sourcerange: "{{ traefik_localonly }}"
|
traefik.http.middlewares.localonly.ipwhitelist.sourcerange: "{{ traefik_localonly }}"
|
||||||
traefik.docker.network: traefik
|
traefik.docker.network: traefik
|
||||||
traefik.enable: "true"
|
traefik.enable: "true"
|
||||||
@@ -65,7 +64,6 @@
|
|||||||
labels:
|
labels:
|
||||||
traefik.http.routers.grafana.rule: "Host(`{{ grafana_domain }}`)"
|
traefik.http.routers.grafana.rule: "Host(`{{ grafana_domain }}`)"
|
||||||
traefik.http.routers.grafana.entrypoints: websecure
|
traefik.http.routers.grafana.entrypoints: websecure
|
||||||
traefik.http.routers.grafana.tls.certresolver: letsencrypt
|
|
||||||
traefik.http.routers.grafana.middlewares: "securehttps@file"
|
traefik.http.routers.grafana.middlewares: "securehttps@file"
|
||||||
traefik.docker.network: traefik
|
traefik.docker.network: traefik
|
||||||
traefik.enable: "true"
|
traefik.enable: "true"
|
||||||
|
|||||||
@@ -1,5 +0,0 @@
|
|||||||
- name: Reload nginx
|
|
||||||
service:
|
|
||||||
name: nginx
|
|
||||||
state: reloaded
|
|
||||||
listen: reload_nginx
|
|
||||||
@@ -1,12 +0,0 @@
|
|||||||
- name: Install nginx
|
|
||||||
apt:
|
|
||||||
name: nginx
|
|
||||||
state: present
|
|
||||||
update_cache: true
|
|
||||||
|
|
||||||
- name: Install nginx configuration
|
|
||||||
template:
|
|
||||||
src: nginx.conf.j2
|
|
||||||
dest: /etc/nginx/nginx.conf
|
|
||||||
mode: '0644'
|
|
||||||
notify: reload_nginx
|
|
||||||
@@ -41,10 +41,9 @@
|
|||||||
- name: traefik
|
- name: traefik
|
||||||
labels:
|
labels:
|
||||||
traefik.http.routers.traefik.rule: "Host(`{{ traefik_domain }}`)"
|
traefik.http.routers.traefik.rule: "Host(`{{ traefik_domain }}`)"
|
||||||
traefik.http.middlewares.auth.basicauth.users: "{{ traefik_auth }}"
|
#traefik.http.middlewares.auth.basicauth.users: "{{ traefik_auth }}"
|
||||||
traefik.http.middlewares.localonly.ipwhitelist.sourcerange: "{{ traefik_localonly }}"
|
#traefik.http.middlewares.localonly.ipwhitelist.sourcerange: "{{ traefik_localonly }}"
|
||||||
traefik.http.routers.traefik.tls.certresolver: letsencrypt
|
traefik.http.routers.traefik.middlewares: "securehttps@file"
|
||||||
traefik.http.routers.traefik.middlewares: "securehttps@file,auth@docker,localonly"
|
|
||||||
traefik.http.routers.traefik.service: "api@internal"
|
traefik.http.routers.traefik.service: "api@internal"
|
||||||
traefik.http.routers.traefik.entrypoints: websecure
|
traefik.http.routers.traefik.entrypoints: websecure
|
||||||
traefik.http.routers.traefik.tls: "true"
|
traefik.http.routers.traefik.tls: "true"
|
||||||
|
|||||||
Reference in New Issue
Block a user