testing

.gitignore

@@ -1,13 +1,3 @@
 .vagrant
 .playbook
-/*.yml
-/*.yaml
-!backup.yml
-!moxie.yml
-!docker.yml
-!dockerbox.yml
-!hypervisor.yml
-!minecraft.yml
-!proxy.yml
-!unifi.yml
 /environments/

dev/dockerbox.yml

@@ -8,7 +8,6 @@
     - docker
     - traefik
     - nextcloud
-    - gitea
     - jenkins
     - prometheus
     - nginx

dev/host_vars/dockerbox.yml

@@ -13,6 +13,7 @@ traefik_domain: traefik.vm.krislamo.org
 traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
 #traefik_acme_email: realemail@example.com # Let's Encrypt settings
 #traefik_production: true
+traefik_http_only: true # if behind reverse-proxy
 
 # nextcloud
 nextcloud_version: stable

dockerbox.yml

@@ -20,7 +20,6 @@
     - docker
     - traefik
     - nextcloud
-    - gitea
     - jenkins
     - prometheus
     - nginx

proxy.yml

@@ -4,7 +4,7 @@
   roles:
     - base
     - jenkins
-    - postgresql
+    - mariadb
     - proxy
     - docker
     - gitea

roles/base/defaults/main.yml

@@ -3,6 +3,7 @@ network_type: static
 allow_reboot: true
 
 packages:
+  - apache2-utils
   - cryptsetup
   - curl
   - dnsutils

roles/base/tasks/wireguard.yml

@@ -27,3 +27,10 @@
     name: wg-quick@wg0
     state: started
     enabled: true
+
+- name: Add WireGuard firewall rule
+  ufw:
+    rule: allow
+    port: "{{ wireguard.listenport }}"
+    proto: tcp
+  when: wireguard.listenport is defined

roles/gitea/defaults/main.yml

@@ -5,7 +5,7 @@ gitea_webport: "3000"
 gitea_ssh: "127.0.0.1:{{ gitea_sshport }}"
 gitea_web: "127.0.0.1:{{ gitea_webport }}"
 gitea_volume: "{{ gitea_name }}"
-gitea_rooturl: "http://{{ gitea_domain }}"
+gitea_rooturl: "https://{{ gitea_domain }}"
 gitea_signup: true
 
 # database settings

roles/nginx/tasks/main.yml

@@ -29,9 +29,9 @@
       - "{{ nginx_html }}:/usr/share/nginx/html:ro"
     labels:
       traefik.http.routers.nginx.rule: "Host(`{{ nginx_domain }}`)"
-      traefik.http.middlewares.nginxauth.basicauth.users: "{{ nginx_auth }}"
+      #traefik.http.middlewares.nginxauth.basicauth.users: "{{ nginx_auth }}"
       traefik.http.routers.nginx.entrypoints: websecure
-      traefik.http.routers.nginx.tls.certresolver: letsencrypt
-      traefik.http.routers.nginx.middlewares: "securehttps@file,nginxauth"
+      #traefik.http.routers.nginx.tls.certresolver: letsencrypt
+      #traefik.http.routers.nginx.middlewares: "securehttps@file,nginxauth"
       traefik.docker.network: traefik
       traefik.enable: "true"

roles/proxy/tasks/main.yml

@@ -10,6 +10,11 @@
     state: started
     enabled: true
 
+- name: Generate DH Parameters
+  openssl_dhparam:
+    path: /etc/ssl/dhparams.pem
+    size: 4096
+
 - name: Install nginx base configuration
   template:
     src: nginx.conf.j2
@@ -78,7 +83,9 @@
             --email "{{ proxy.dns_cloudflare.email }}" \
             --dns-cloudflare \
             --dns-cloudflare-credentials /root/.cloudflare.ini \
-            -d "*.{{ item }}" {{ proxy.dns_cloudflare.opts | default("") }}'
+            -d "*.{{ item }}" \
+            -d "{{ item }}" \
+            {{ proxy.dns_cloudflare.opts | default("") }}'
   args:
     creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
   loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"

roles/proxy/templates/nginx.conf.j2

@@ -21,6 +21,14 @@ http {
   keepalive_timeout 65;
   server_names_hash_bucket_size 128;
 
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+  ssl_prefer_server_ciphers off;
+  ssl_dhparam /etc/ssl/dhparams.pem;
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_timeout 1d;
+  ssl_session_tickets off;
+
   include           /etc/nginx/conf.d/*.conf;
   include           /etc/nginx/sites-enabled/*;
 }

roles/proxy/templates/server-nginx.conf.j2

@@ -1,12 +1,13 @@
 server {
-    listen 80;
-
-    server_name {{ item.domain }};
-    return 301 https://{{ item.domain }}$request_uri;
+  listen 80;
+  listen [::]:80;
+  server_name {{ item.domain }};
+  return 301 https://{{ item.domain }}$request_uri;
 }
 
 server {
-  listen              443 ssl;
+  listen              443      ssl http2;
+  listen              [::]:443 ssl http2;
   server_name         {{ item.domain }};
   access_log          /var/log/nginx/{{ item.domain }}.log main;
 {% if proxy.production is defined and proxy.production and proxy.dns_cloudflare.wildcard_domains is defined and item.tls.cert is not defined %}
@@ -26,11 +27,31 @@ server {
 {% else %}
   ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
   ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
+{% endif %}
+{% if item.hsts is defined %}
+  add_header Strict-Transport-Security "max-age={{ item.hsts }}" always;
+{% endif %}
+{% if item.client_max_body_size is defined %}
+  client_max_body_size {{ item.client_max_body_size }};
 {% endif %}
   location / {
+{% if item.restrict is defined and item.restrict  %}
+    auth_basic "{{ item.restrict_name | default('Restricted Access') }}";
+    auth_basic_user_file {{ item.restrict_file | default('/etc/nginx/.htpasswd') }};
+    proxy_set_header Authorization "";
+{% endif %}
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_pass {{ item.proxy_pass }};
+{% if item.proxy_ssl_verify is defined and item.proxy_ssl_verify is false %}
+    proxy_ssl_verify off;
+{% endif %}
+{% if item.websockets is defined and item.websockets %}
+    proxy_http_version 1.1;
+    proxy_set_header Connection $http_connection;
+    proxy_set_header Origin http://$host;
+    proxy_set_header Upgrade $http_upgrade;
+{% endif %}
   }
 }

roles/traefik/defaults/main.yml

@@ -1,10 +1,18 @@
+# Container settings
 traefik_name: traefik
-traefik_dashboard: false
-traefik_root: "/opt/{{ traefik_name }}"
+traefik_standalone: true
+traefik_http_only: false
+traefik_debug: false
+traefik_web_entry: "80:80"
+traefik_websecure_entry: "443:443"
 traefik_localonly: "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8"
+
+# HTTPS settings
 traefik_production: false
+traefik_hsts_enable: false
 traefik_hsts_preload: false
 traefik_hsts_seconds: 0
-traefik_ports:
-  - "80:80"
-  - "443:443"
+traefik_http_redirect: true
+
+# Host settings
+traefik_root: "{{ docker_compose_root }}/{{ traefik_name }}"

roles/traefik/handlers/main.yml

@@ -4,11 +4,8 @@
     state: touch
   listen: reload_traefik
 
-- name: Restart Traefik container
-  docker_container:
-    name: "{{ traefik_name }}"
-    image: traefik:{{ traefik_version }}
-    state: started
-    container_default_behavior: "no_defaults"
-    restart: yes
+- name: Restart Traefik
+  service:
+    name: "{{ docker_compose_service }}@{{ traefik_name }}"
+    state: restarted
   listen: restart_traefik

roles/traefik/tasks/main.yml

@@ -1,14 +1,8 @@
-- name: Create Traefik configuration directories
+- name: Create Traefik directories
   file:
     path: "{{ traefik_root }}/config/dynamic"
     state: directory
 
-- name: Install static Traefik configuration
-  template:
-    src: traefik.yml.j2
-    dest: "{{ traefik_root }}/config/traefik.yml"
-  notify: restart_traefik
-
 - name: Install dynamic security configuration
   template:
     src: security.yml.j2
@@ -25,32 +19,26 @@
   loop: "{{ traefik_external }}"
   when: traefik_external is defined
 
-- name: Create Traefik network
-  docker_network:
-    name: traefik
+- name: Install Traefik's docker-compose file
+  template:
+    src: docker-compose.yml.j2
+    dest: "{{ traefik_root }}/docker-compose.yml"
+  notify: restart_traefik
 
-- name: Start Traefik container
-  docker_container:
-    name: "{{ traefik_name }}"
-    image: traefik:{{ traefik_version }}
+- name: Install Traefik's docker-compose variables
+  template:
+    src: compose-env.j2
+    dest: "{{ traefik_root }}/.env"
+  notify: restart_traefik
+
+- name: Install static Traefik configuration
+  template:
+    src: traefik.yml.j2
+    dest: "{{ traefik_root }}/config/traefik.yml"
+  notify: restart_traefik
+
+- name: Start and enable Traefik service
+  service:
+    name: "{{ docker_compose_service }}@{{ traefik_name }}"
     state: started
-    restart_policy: always
-    ports: "{{ traefik_ports }}"
-    container_default_behavior: "no_defaults"
-    networks_cli_compatible: "false"
-    networks:
-      - name: traefik
-    labels:
-      traefik.http.routers.traefik.rule: "Host(`{{ traefik_domain }}`)"
-      traefik.http.middlewares.auth.basicauth.users: "{{ traefik_auth }}"
-      traefik.http.middlewares.localonly.ipwhitelist.sourcerange: "{{ traefik_localonly }}"
-      traefik.http.routers.traefik.tls.certresolver: letsencrypt
-      traefik.http.routers.traefik.middlewares: "securehttps@file,auth@docker,localonly"
-      traefik.http.routers.traefik.service: "api@internal"
-      traefik.http.routers.traefik.entrypoints: websecure
-      traefik.http.routers.traefik.tls: "true"
-      traefik.docker.network: traefik
-      traefik.enable: "{{ traefik_dashboard | string }}"
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      - "{{ traefik_root }}/config:/etc/traefik"
+    enabled: true

roles/traefik/templates/compose-env.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+traefik_version={{ traefik_version }}
+traefik_name={{ traefik_name }}
+traefik_domain={{ traefik_domain }}
+traefik_dashboard={{ traefik_dashboard | string | lower }}
+traefik_debug={{ traefik_debug | string | lower }}
+traefik_web_entry={{ traefik_web_entry }}
+traefik_websecure_entry={{ traefik_websecure_entry }}

roles/traefik/templates/docker-compose.yml.j2

@@ -0,0 +1,25 @@
+version: '3.7'
+
+networks:
+  traefik:
+    name: traefik
+
+services:
+  traefik:
+    image: "traefik:${traefik_version}"
+    container_name: "${traefik_name}"
+    ports:
+      - "${traefik_web_entry:-80:80}"
+{% if traefik_standalone and not traefik_http_only %}
+      - "${traefik_websecure_entry:-443:443}"
+{% endif %}
+    networks:
+      - traefik
+    labels:
+      - "traefik.http.routers.traefik.rule=Host(`{{ traefik_domain }}`)"
+      - "traefik.http.routers.traefik.service=api@internal"
+      - "traefik.docker.network=traefik"
+      - "traefik.enable=${traefik_dashboard:-false}"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - "{{ traefik_root }}/config:/etc/traefik"

roles/traefik/templates/external.yml.j2

@@ -10,10 +10,12 @@ http:
 {% elif item.middlewares is defined %}
       middlewares: "{{ item.middlewares }}"
 {% endif %}
+{% if traefik_acme_email is defined %}
       tls:
         certResolver: letsencrypt
         domains:
           - main: "{{ item.domain }}"
+{% endif %}
       entryPoints:
         - "websecure"
   services:

roles/traefik/templates/security.yml.j2

@@ -11,6 +11,8 @@ http:
         sslRedirect: true
         browserXssFilter: true
         contentTypeNosniff: true
+{% if traefik_hsts_enable is defined and traefik_hsts_enable %}
         stsPreload: {{ traefik_hsts_preload }}
         stsSeconds: {{ traefik_hsts_seconds }}
+{% endif %}
         customFrameOptionsValue: SAMEORIGIN

roles/traefik/templates/traefik.yml.j2

@@ -10,16 +10,20 @@ providers:
 entrypoints:
   web:
     address: ':80'
+{% if traefik_http_redirect is defined and traefik_http_redirect and not traefik_http_only %}
     http:
       redirections:
         entrypoint:
           to: websecure
           scheme: https
           permanent: true
+{% endif %}
+{% if not traefik_http_only is defined or not traefik_http_only %}
   websecure:
     address: ':443'
     http:
       tls: {}
+{% endif %}
 
 {% if traefik_acme_email is defined %}
 certificatesResolvers: