testing

ROOT_URL should have HTTPS for the clone URL
Update TLS settings in nginx proxy
2022-10-23 03:46:27 -04:00 · 2022-09-18 15:21:16 -04:00 · 2022-08-27 18:56:12 -04:00 · 2022-08-19 01:27:55 -04:00 · 2022-08-19 00:51:05 -04:00 · 2022-08-18 23:32:37 -04:00
23 changed files with 187 additions and 16 deletions
--- a/dev/host_vars/proxy.yml
+++ b/dev/host_vars/proxy.yml
@@ -18,6 +18,8 @@ proxy:
      proxy_pass: "http://127.0.0.1:8080"
    - domain: "{{ gitea_domain }}"
      proxy_pass: "http://127.0.0.1:3000"
    - domain: "{{ kutt_domain }}"
      proxy_pass: "http://127.0.0.1:3030"
 # docker
 docker_users:
@@ -35,3 +37,16 @@ bitwarden_install_key: 1yB3Z2gRI0KnnH90C6p
 gitea_domain: "git.{{ base_domain }}"
 gitea_version: 1
 gitea_dbpass: password
 # kutt
 kutt_version: latest
 kutt_redis_version: 6
 kutt_postgres_version: 12
 kutt_domain: "kutt.{{ base_domain }}"
 kutt_dbpass: password
 kutt_jwt_secret: long&random
 kutt_mail_user: kutt-noreply@example.com
 kutt_mail_host: smtp.example.com
 kutt_mail_password: realpassword
 kutt_report_email: realemail@example.com
 kutt_admin_emails: realemail@example.com
--- a/dev/proxy.yml
+++ b/dev/proxy.yml
@@ -10,3 +10,4 @@
    - docker
    - gitea
    - bitwarden
    - kutt
--- a/dockerbox.yml
+++ b/dockerbox.yml
@@ -20,7 +20,6 @@
    - docker
    - traefik
    - nextcloud
    - gitea
    - jenkins
    - prometheus
    - nginx
--- a/proxy.yml
+++ b/proxy.yml
@@ -4,7 +4,7 @@
  roles:
    - base
    - jenkins
-    - postgresql
+    - mariadb
    - proxy
    - docker
    - gitea
--- a/roles/.gitignore
+++ b/roles/.gitignore
@@ -1,11 +1,14 @@
 # Sort roles: tail -n +6 roles/.gitignore | sort
 /*
 !.gitignore
 !requirements.yml
 # roles
 !base*/
 !bitwarden*/
 !docker*/
 !gitea*/
 !jenkins*/
 !kutt*/
 !libvirt*/
 !mariadb*/
 !minecraft*/
--- a/roles/base/defaults/main.yml
+++ b/roles/base/defaults/main.yml
@@ -3,6 +3,7 @@ network_type: static
 allow_reboot: true
 packages:
  - apache2-utils
  - cryptsetup
  - curl
  - dnsutils
--- a/roles/base/tasks/wireguard.yml
+++ b/roles/base/tasks/wireguard.yml
@@ -27,3 +27,10 @@
    name: wg-quick@wg0
    state: started
    enabled: true
 - name: Add WireGuard firewall rule
  ufw:
    rule: allow
    port: "{{ wireguard.listenport }}"
    proto: tcp
  when: wireguard.listenport is defined
--- a/roles/gitea/defaults/main.yml
+++ b/roles/gitea/defaults/main.yml
@@ -5,7 +5,7 @@ gitea_webport: "3000"
 gitea_ssh: "127.0.0.1:{{ gitea_sshport }}"
 gitea_web: "127.0.0.1:{{ gitea_webport }}"
 gitea_volume: "{{ gitea_name }}"
-gitea_rooturl: "http://{{ gitea_domain }}"
+gitea_rooturl: "https://{{ gitea_domain }}"
 gitea_signup: true
 # database settings
--- a/roles/kutt/defaults/main.yml
+++ b/roles/kutt/defaults/main.yml
@@ -0,0 +1,16 @@
 # container settings
 kutt_name: kutt
 kutt_default_domain: "{{ kutt_domain }}"
 kutt_webport: 3030
 kutt_web: "127.0.0.1:{{ kutt_webport }}"
 # database settings
 kutt_dbname: "{{ kutt_name }}"
 kutt_dbuser: "{{ kutt_name }}"
 kutt_postgres_volume: postgres_data
 # redis
 kutt_redis_volume: redis_data
 # host
 kutt_root: "{{ docker_compose_root }}/{{ kutt_name }}"
--- a/roles/kutt/handlers/main.yml
+++ b/roles/kutt/handlers/main.yml
@@ -0,0 +1,5 @@
 - name: Restart Kutt
  service:
    name: "{{ docker_compose_service }}@{{ kutt_name }}"
    state: restarted
  listen: restart_kutt
--- a/roles/kutt/tasks/main.yml
+++ b/roles/kutt/tasks/main.yml
@@ -0,0 +1,22 @@
 - name: Create Kutt directory
  file:
    path: "{{ kutt_root }}"
    state: directory
 - name: Install Kutt's docker-compose file
  template:
    src: docker-compose.yml.j2
    dest: "{{ kutt_root }}/docker-compose.yml"
  notify: restart_kutt
 - name: Install Kutt's docker-compose variables
  template:
    src: compose-env.j2
    dest: "{{ kutt_root }}/.env"
  notify: restart_kutt
 - name: Start and enable Gitea service
  service:
    name: "{{ docker_compose_service }}@{{ kutt_name }}"
    state: started
    enabled: true
--- a/roles/kutt/templates/compose-env.j2
+++ b/roles/kutt/templates/compose-env.j2
@@ -0,0 +1,17 @@
 # {{ ansible_managed }}
 kutt_version={{ kutt_version }}
 kutt_web={{ kutt_web }}
 kutt_domain={{ kutt_domain }}
 kutt_default_domain={{ kutt_default_domain }}
 kutt_jwt_secret={{ kutt_jwt_secret }}
 kutt_dbname={{ kutt_dbname }}
 kutt_dbuser={{ kutt_dbuser }}
 kutt_dbpass={{ kutt_dbpass }}
 kutt_mail_user={{ kutt_mail_user }}
 kutt_mail_host={{ kutt_mail_host }}
 kutt_mail_password={{ kutt_mail_password }}
 kutt_report_email={{ kutt_report_email }}
 kutt_admin_emails={{ kutt_admin_emails }}
 kutt_redis_version={{ kutt_redis_version }}
 kutt_postgres_version={{ kutt_postgres_version }}
 kutt_postgres_volume={{ kutt_postgres_volume }}
--- a/roles/kutt/templates/docker-compose.yml.j2
+++ b/roles/kutt/templates/docker-compose.yml.j2
@@ -0,0 +1,46 @@
 version: "3.7"
 services:
  kutt:
    image: kutt/kutt:${kutt_version}
    depends_on:
      - postgres
      - redis
    command: ["./wait-for-it.sh", "postgres:5432", "--", "npm", "start"]
    ports:
      - ${kutt_web}:3000
    environment:
      SITE_NAME: ${kutt_domain}
      DEFAULT_DOMAIN: ${kutt_default_domain}
      JWT_SECRET: ${kutt_jwt_secret}
      DB_HOST: postgres
      DB_NAME: ${kutt_dbname}
      DB_USER: ${kutt_dbuser}
      DB_PASSWORD: ${kutt_dbpass}
      REDIS_HOST: redis
      MAIL_USER: ${kutt_mail_user}
      MAIL_HOST: ${kutt_mail_host}
      MAIL_PORT: ${kutt_mail_port}
      MAIL_PASSWORD: ${kutt_mail_password}
      REPORT_EMAIL: ${kutt_report_email}
      ADMIN_EMAILS: ${kutt_admin_emails}
  redis:
    image: redis:${kutt_redis_version}
    volumes:
      - {{ kutt_redis_volume }}:/data
  postgres:
    image: postgres:${kutt_postgres_version}
    environment:
      POSTGRES_USER: ${kutt_dbuser}
      POSTGRES_PASSWORD: ${kutt_dbpass}
      POSTGRES_DB: ${kutt_dbname}
    volumes:
      - {{ kutt_postgres_volume }}:/var/lib/postgresql/data
 volumes:
  {{ kutt_redis_volume }}:
  {{ kutt_postgres_volume }}:
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -29,9 +29,9 @@
      - "{{ nginx_html }}:/usr/share/nginx/html:ro"
    labels:
      traefik.http.routers.nginx.rule: "Host(`{{ nginx_domain }}`)"
-      traefik.http.middlewares.nginxauth.basicauth.users: "{{ nginx_auth }}"
+      #traefik.http.middlewares.nginxauth.basicauth.users: "{{ nginx_auth }}"
      traefik.http.routers.nginx.entrypoints: websecure
-      traefik.http.routers.nginx.tls.certresolver: letsencrypt
+      #traefik.http.routers.nginx.tls.certresolver: letsencrypt
-      traefik.http.routers.nginx.middlewares: "securehttps@file,nginxauth"
+      #traefik.http.routers.nginx.middlewares: "securehttps@file,nginxauth"
      traefik.docker.network: traefik
      traefik.enable: "true"
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@@ -10,6 +10,11 @@
    state: started
    enabled: true
 - name: Generate DH Parameters
  openssl_dhparam:
    path: /etc/ssl/dhparams.pem
    size: 4096
 - name: Install nginx base configuration
  template:
    src: nginx.conf.j2
@@ -78,7 +83,9 @@
            --email "{{ proxy.dns_cloudflare.email }}" \
            --dns-cloudflare \
            --dns-cloudflare-credentials /root/.cloudflare.ini \
-            -d "*.{{ item }}" {{ proxy.dns_cloudflare.opts | default("") }}'
+            -d "*.{{ item }}" \
            -d "{{ item }}" \
            {{ proxy.dns_cloudflare.opts | default("") }}'
  args:
    creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
  loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"
--- a/roles/proxy/templates/nginx.conf.j2
+++ b/roles/proxy/templates/nginx.conf.j2
@@ -21,6 +21,14 @@ http {
  keepalive_timeout 65;
  server_names_hash_bucket_size 128;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers off;
  ssl_dhparam /etc/ssl/dhparams.pem;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 1d;
  ssl_session_tickets off;
  include           /etc/nginx/conf.d/*.conf;
  include           /etc/nginx/sites-enabled/*;
 }
--- a/roles/proxy/templates/server-nginx.conf.j2
+++ b/roles/proxy/templates/server-nginx.conf.j2
@@ -1,12 +1,13 @@
 server {
  listen 80;
-
+  listen [::]:80;
  server_name {{ item.domain }};
  return 301 https://{{ item.domain }}$request_uri;
 }
 server {
-  listen              443 ssl;
+  listen              443      ssl http2;
  listen              [::]:443 ssl http2;
  server_name         {{ item.domain }};
  access_log          /var/log/nginx/{{ item.domain }}.log main;
 {% if proxy.production is defined and proxy.production and proxy.dns_cloudflare.wildcard_domains is defined and item.tls.cert is not defined %}
@@ -26,11 +27,25 @@ server {
 {% else %}
  ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
  ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
 {% endif %}
 {% if item.hsts is defined %}
  add_header Strict-Transport-Security "max-age={{ item.hsts }}" always;
 {% endif %}
 {% if item.client_max_body_size is defined %}
  client_max_body_size {{ item.client_max_body_size }};
 {% endif %}
  location / {
 {% if item.restrict is defined and item.restrict  %}
    auth_basic "{{ item.restrict_name | default('Restricted Access') }}";
    auth_basic_user_file {{ item.restrict_file | default('/etc/nginx/.htpasswd') }};
    proxy_set_header Authorization "";
 {% endif %}
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass {{ item.proxy_pass }};
 {% if item.proxy_ssl_verify is defined and item.proxy_ssl_verify is false %}
    proxy_ssl_verify off;
 {% endif %}
  }
 }
--- a/roles/traefik/defaults/main.yml
+++ b/roles/traefik/defaults/main.yml
@@ -3,8 +3,10 @@ traefik_dashboard: false
 traefik_root: "/opt/{{ traefik_name }}"
 traefik_localonly: "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8"
 traefik_production: false
 traefik_hsts_enable: false
 traefik_hsts_preload: false
 traefik_hsts_seconds: 0
 traefik_http_redirect: false
 traefik_ports:
  - "80:80"
  - "443:443"
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@@ -42,10 +42,10 @@
      - name: traefik
    labels:
      traefik.http.routers.traefik.rule: "Host(`{{ traefik_domain }}`)"
-      traefik.http.middlewares.auth.basicauth.users: "{{ traefik_auth }}"
+      #traefik.http.middlewares.auth.basicauth.users: "{{ traefik_auth }}"
-      traefik.http.middlewares.localonly.ipwhitelist.sourcerange: "{{ traefik_localonly }}"
+      #traefik.http.middlewares.localonly.ipwhitelist.sourcerange: "{{ traefik_localonly }}"
-      traefik.http.routers.traefik.tls.certresolver: letsencrypt
+      #traefik.http.routers.traefik.tls.certresolver: letsencrypt
-      traefik.http.routers.traefik.middlewares: "securehttps@file,auth@docker,localonly"
+      #traefik.http.routers.traefik.middlewares: "securehttps@file,auth@docker,localonly"
      traefik.http.routers.traefik.service: "api@internal"
      traefik.http.routers.traefik.entrypoints: websecure
      traefik.http.routers.traefik.tls: "true"
--- a/roles/traefik/templates/external.yml.j2
+++ b/roles/traefik/templates/external.yml.j2
@@ -10,10 +10,12 @@ http:
 {% elif item.middlewares is defined %}
      middlewares: "{{ item.middlewares }}"
 {% endif %}
 {% if traefik_acme_email is defined %}
      tls:
        certResolver: letsencrypt
        domains:
          - main: "{{ item.domain }}"
 {% endif %}
      entryPoints:
        - "websecure"
  services:
--- a/roles/traefik/templates/security.yml.j2
+++ b/roles/traefik/templates/security.yml.j2
@@ -11,6 +11,8 @@ http:
        sslRedirect: true
        browserXssFilter: true
        contentTypeNosniff: true
 {% if traefik_hsts_enable is defined and traefik_hsts_enable %}
        stsPreload: {{ traefik_hsts_preload }}
        stsSeconds: {{ traefik_hsts_seconds }}
 {% endif %}
        customFrameOptionsValue: SAMEORIGIN
--- a/roles/traefik/templates/traefik.yml.j2
+++ b/roles/traefik/templates/traefik.yml.j2
@@ -10,12 +10,14 @@ providers:
 entrypoints:
  web:
    address: ':80'
 {% if traefik_http_redirect is defined and traefik_http_redirect %}
    http:
      redirections:
        entrypoint:
          to: websecure
          scheme: https
          permanent: true
 {% endif %}
  websecure:
    address: ':443'
    http:
--- a/update-hosts.sh
+++ b/update-hosts.sh
@@ -14,6 +14,7 @@ HOST[8]="wordpress.${DOMAIN}"
 HOST[9]="site1.wordpress.${DOMAIN}"
 HOST[10]="site2.wordpress.${DOMAIN}"
 HOST[11]="unifi.${DOMAIN}"
 HOST[11]="kutt.${DOMAIN}"
 # Get Vagrantbox guest IP
 VAGRANT_OUTPUT=$(vagrant ssh -c "hostname -I | cut -d' ' -f2" 2>/dev/null)
Author	SHA1	Message	Date
Kris Lamoureux	3223c88773	testing	2022-10-23 03:46:27 -04:00
Kris Lamoureux	f68f57d0cf	ROOT_URL should have HTTPS for the clone URL	2022-09-18 15:21:16 -04:00
Kris Lamoureux	b9f9b0bf3c	Update TLS settings in nginx proxy	2022-08-27 18:56:12 -04:00
Kris Lamoureux	4f4a341b05	Add client_max_body_size for Nextcloud	2022-08-19 01:27:55 -04:00
Kris Lamoureux	cab6ab2d8e	Strip auth header and update external config	2022-08-19 00:51:05 -04:00
Kris Lamoureux	95f54b7f0a	Add Traefik toggles	2022-08-18 23:32:37 -04:00
Kris Lamoureux	7522c333da	Disable Traefik LE resolver and HSTS	2022-08-18 21:53:38 -04:00
Kris Lamoureux	344b79e97f	Add base domain to the wildcard certificate	2022-08-17 02:17:36 -04:00
Kris Lamoureux	e4fed78193	Remove basic auth on static nginx sites	2022-08-17 01:40:11 -04:00
Kris Lamoureux	85a6c3894a	Add basic auth and ignore backend SSL errors	2022-08-17 01:15:15 -04:00
Kris Lamoureux	7677bc25fa	Add WireGuard firewall rule	2022-08-13 00:19:24 -04:00
Kris Lamoureux	b255680a7a	Use host MariaDB in Gitea container	2022-08-11 21:04:07 -04:00