Use host MariaDB in Gitea container

dev/host_vars/proxy.yml

@@ -18,8 +18,6 @@ proxy:
       proxy_pass: "http://127.0.0.1:8080"
     - domain: "{{ gitea_domain }}"
       proxy_pass: "http://127.0.0.1:3000"
-    - domain: "{{ kutt_domain }}"
-      proxy_pass: "http://127.0.0.1:3030"
 
 # docker
 docker_users:
@@ -37,16 +35,3 @@ bitwarden_install_key: 1yB3Z2gRI0KnnH90C6p
 gitea_domain: "git.{{ base_domain }}"
 gitea_version: 1
 gitea_dbpass: password
-
-# kutt
-kutt_version: latest
-kutt_redis_version: 6
-kutt_postgres_version: 12
-kutt_domain: "kutt.{{ base_domain }}"
-kutt_dbpass: password
-kutt_jwt_secret: long&random
-kutt_mail_user: kutt-noreply@example.com
-kutt_mail_host: smtp.example.com
-kutt_mail_password: realpassword
-kutt_report_email: realemail@example.com
-kutt_admin_emails: realemail@example.com

dev/proxy.yml

@@ -10,4 +10,3 @@
     - docker
     - gitea
     - bitwarden
-    - kutt

dockerbox.yml

@@ -20,6 +20,7 @@
     - docker
     - traefik
     - nextcloud
+    - gitea
     - jenkins
     - prometheus
     - nginx

proxy.yml

@@ -4,7 +4,7 @@
   roles:
     - base
     - jenkins
-    - mariadb
+    - postgresql
     - proxy
     - docker
     - gitea

roles/.gitignore

@@ -1,14 +1,11 @@
-# Sort roles: tail -n +6 roles/.gitignore | sort
 /*
 !.gitignore
 !requirements.yml
-# roles
 !base*/
 !bitwarden*/
 !docker*/
 !gitea*/
 !jenkins*/
-!kutt*/
 !libvirt*/
 !mariadb*/
 !minecraft*/

roles/base/defaults/main.yml

@@ -3,7 +3,6 @@ network_type: static
 allow_reboot: true
 
 packages:
-  - apache2-utils
   - cryptsetup
   - curl
   - dnsutils

roles/base/tasks/wireguard.yml

@@ -27,10 +27,3 @@
     name: wg-quick@wg0
     state: started
     enabled: true
-
-- name: Add WireGuard firewall rule
-  ufw:
-    rule: allow
-    port: "{{ wireguard.listenport }}"
-    proto: tcp
-  when: wireguard.listenport is defined

roles/gitea/defaults/main.yml

@@ -5,7 +5,7 @@ gitea_webport: "3000"
 gitea_ssh: "127.0.0.1:{{ gitea_sshport }}"
 gitea_web: "127.0.0.1:{{ gitea_webport }}"
 gitea_volume: "{{ gitea_name }}"
-gitea_rooturl: "https://{{ gitea_domain }}"
+gitea_rooturl: "http://{{ gitea_domain }}"
 gitea_signup: true
 
 # database settings

roles/kutt/defaults/main.yml

@@ -1,16 +0,0 @@
-# container settings
-kutt_name: kutt
-kutt_default_domain: "{{ kutt_domain }}"
-kutt_webport: 3030
-kutt_web: "127.0.0.1:{{ kutt_webport }}"
-
-# database settings
-kutt_dbname: "{{ kutt_name }}"
-kutt_dbuser: "{{ kutt_name }}"
-kutt_postgres_volume: postgres_data
-
-# redis
-kutt_redis_volume: redis_data
-
-# host
-kutt_root: "{{ docker_compose_root }}/{{ kutt_name }}"

roles/kutt/handlers/main.yml

@@ -1,5 +0,0 @@
-- name: Restart Kutt
-  service:
-    name: "{{ docker_compose_service }}@{{ kutt_name }}"
-    state: restarted
-  listen: restart_kutt

roles/kutt/tasks/main.yml

@@ -1,22 +0,0 @@
-- name: Create Kutt directory
-  file:
-    path: "{{ kutt_root }}"
-    state: directory
-
-- name: Install Kutt's docker-compose file
-  template:
-    src: docker-compose.yml.j2
-    dest: "{{ kutt_root }}/docker-compose.yml"
-  notify: restart_kutt
-
-- name: Install Kutt's docker-compose variables
-  template:
-    src: compose-env.j2
-    dest: "{{ kutt_root }}/.env"
-  notify: restart_kutt
-
-- name: Start and enable Gitea service
-  service:
-    name: "{{ docker_compose_service }}@{{ kutt_name }}"
-    state: started
-    enabled: true

roles/kutt/templates/compose-env.j2

@@ -1,17 +0,0 @@
-# {{ ansible_managed }}
-kutt_version={{ kutt_version }}
-kutt_web={{ kutt_web }}
-kutt_domain={{ kutt_domain }}
-kutt_default_domain={{ kutt_default_domain }}
-kutt_jwt_secret={{ kutt_jwt_secret }}
-kutt_dbname={{ kutt_dbname }}
-kutt_dbuser={{ kutt_dbuser }}
-kutt_dbpass={{ kutt_dbpass }}
-kutt_mail_user={{ kutt_mail_user }}
-kutt_mail_host={{ kutt_mail_host }}
-kutt_mail_password={{ kutt_mail_password }}
-kutt_report_email={{ kutt_report_email }}
-kutt_admin_emails={{ kutt_admin_emails }}
-kutt_redis_version={{ kutt_redis_version }}
-kutt_postgres_version={{ kutt_postgres_version }}
-kutt_postgres_volume={{ kutt_postgres_volume }}

roles/kutt/templates/docker-compose.yml.j2

@@ -1,46 +0,0 @@
-version: "3.7"
-
-services:
-  kutt:
-    image: kutt/kutt:${kutt_version}
-    depends_on:
-      - postgres
-      - redis
-    command: ["./wait-for-it.sh", "postgres:5432", "--", "npm", "start"]
-    ports:
-      - ${kutt_web}:3000
-    environment:
-      SITE_NAME: ${kutt_domain}
-      DEFAULT_DOMAIN: ${kutt_default_domain}
-      JWT_SECRET: ${kutt_jwt_secret}
-
-      DB_HOST: postgres
-      DB_NAME: ${kutt_dbname}
-      DB_USER: ${kutt_dbuser}
-      DB_PASSWORD: ${kutt_dbpass}
-      REDIS_HOST: redis
-
-      MAIL_USER: ${kutt_mail_user}
-      MAIL_HOST: ${kutt_mail_host}
-      MAIL_PORT: ${kutt_mail_port}
-      MAIL_PASSWORD: ${kutt_mail_password}
-      REPORT_EMAIL: ${kutt_report_email}
-      ADMIN_EMAILS: ${kutt_admin_emails}
-
-  redis:
-    image: redis:${kutt_redis_version}
-    volumes:
-      - {{ kutt_redis_volume }}:/data
-
-  postgres:
-    image: postgres:${kutt_postgres_version}
-    environment:
-      POSTGRES_USER: ${kutt_dbuser}
-      POSTGRES_PASSWORD: ${kutt_dbpass}
-      POSTGRES_DB: ${kutt_dbname}
-    volumes:
-      - {{ kutt_postgres_volume }}:/var/lib/postgresql/data
-
-volumes:
-  {{ kutt_redis_volume }}:
-  {{ kutt_postgres_volume }}:

roles/nginx/tasks/main.yml

@@ -29,9 +29,9 @@
       - "{{ nginx_html }}:/usr/share/nginx/html:ro"
     labels:
       traefik.http.routers.nginx.rule: "Host(`{{ nginx_domain }}`)"
-      #traefik.http.middlewares.nginxauth.basicauth.users: "{{ nginx_auth }}"
+      traefik.http.middlewares.nginxauth.basicauth.users: "{{ nginx_auth }}"
       traefik.http.routers.nginx.entrypoints: websecure
-      #traefik.http.routers.nginx.tls.certresolver: letsencrypt
-      #traefik.http.routers.nginx.middlewares: "securehttps@file,nginxauth"
+      traefik.http.routers.nginx.tls.certresolver: letsencrypt
+      traefik.http.routers.nginx.middlewares: "securehttps@file,nginxauth"
       traefik.docker.network: traefik
       traefik.enable: "true"

roles/proxy/tasks/main.yml

@@ -10,11 +10,6 @@
     state: started
     enabled: true
 
-- name: Generate DH Parameters
-  openssl_dhparam:
-    path: /etc/ssl/dhparams.pem
-    size: 4096
-
 - name: Install nginx base configuration
   template:
     src: nginx.conf.j2
@@ -83,9 +78,7 @@
             --email "{{ proxy.dns_cloudflare.email }}" \
             --dns-cloudflare \
             --dns-cloudflare-credentials /root/.cloudflare.ini \
-            -d "*.{{ item }}" \
-            -d "{{ item }}" \
-            {{ proxy.dns_cloudflare.opts | default("") }}'
+            -d "*.{{ item }}" {{ proxy.dns_cloudflare.opts | default("") }}'
   args:
     creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
   loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"

roles/proxy/templates/nginx.conf.j2

@@ -21,14 +21,6 @@ http {
   keepalive_timeout 65;
   server_names_hash_bucket_size 128;
 
-  ssl_protocols TLSv1.2 TLSv1.3;
-  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-  ssl_prefer_server_ciphers off;
-  ssl_dhparam /etc/ssl/dhparams.pem;
-  ssl_session_cache shared:SSL:10m;
-  ssl_session_timeout 1d;
-  ssl_session_tickets off;
-
   include           /etc/nginx/conf.d/*.conf;
   include           /etc/nginx/sites-enabled/*;
 }

roles/proxy/templates/server-nginx.conf.j2

@@ -1,13 +1,12 @@
 server {
     listen 80;
-  listen [::]:80;
+
     server_name {{ item.domain }};
     return 301 https://{{ item.domain }}$request_uri;
 }
 
 server {
-  listen              443      ssl http2;
-  listen              [::]:443 ssl http2;
+  listen              443 ssl;
   server_name         {{ item.domain }};
   access_log          /var/log/nginx/{{ item.domain }}.log main;
 {% if proxy.production is defined and proxy.production and proxy.dns_cloudflare.wildcard_domains is defined and item.tls.cert is not defined %}
@@ -27,25 +26,11 @@ server {
 {% else %}
   ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
   ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
-{% endif %}
-{% if item.hsts is defined %}
-  add_header Strict-Transport-Security "max-age={{ item.hsts }}" always;
-{% endif %}
-{% if item.client_max_body_size is defined %}
-  client_max_body_size {{ item.client_max_body_size }};
 {% endif %}
   location / {
-{% if item.restrict is defined and item.restrict  %}
-    auth_basic "{{ item.restrict_name | default('Restricted Access') }}";
-    auth_basic_user_file {{ item.restrict_file | default('/etc/nginx/.htpasswd') }};
-    proxy_set_header Authorization "";
-{% endif %}
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_pass {{ item.proxy_pass }};
-{% if item.proxy_ssl_verify is defined and item.proxy_ssl_verify is false %}
-    proxy_ssl_verify off;
-{% endif %}
   }
 }

roles/traefik/defaults/main.yml

@@ -3,10 +3,8 @@ traefik_dashboard: false
 traefik_root: "/opt/{{ traefik_name }}"
 traefik_localonly: "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8"
 traefik_production: false
-traefik_hsts_enable: false
 traefik_hsts_preload: false
 traefik_hsts_seconds: 0
-traefik_http_redirect: false
 traefik_ports:
   - "80:80"
   - "443:443"

roles/traefik/tasks/main.yml

@@ -42,10 +42,10 @@
       - name: traefik
     labels:
       traefik.http.routers.traefik.rule: "Host(`{{ traefik_domain }}`)"
-      #traefik.http.middlewares.auth.basicauth.users: "{{ traefik_auth }}"
-      #traefik.http.middlewares.localonly.ipwhitelist.sourcerange: "{{ traefik_localonly }}"
-      #traefik.http.routers.traefik.tls.certresolver: letsencrypt
-      #traefik.http.routers.traefik.middlewares: "securehttps@file,auth@docker,localonly"
+      traefik.http.middlewares.auth.basicauth.users: "{{ traefik_auth }}"
+      traefik.http.middlewares.localonly.ipwhitelist.sourcerange: "{{ traefik_localonly }}"
+      traefik.http.routers.traefik.tls.certresolver: letsencrypt
+      traefik.http.routers.traefik.middlewares: "securehttps@file,auth@docker,localonly"
       traefik.http.routers.traefik.service: "api@internal"
       traefik.http.routers.traefik.entrypoints: websecure
       traefik.http.routers.traefik.tls: "true"

roles/traefik/templates/external.yml.j2

@@ -10,12 +10,10 @@ http:
 {% elif item.middlewares is defined %}
       middlewares: "{{ item.middlewares }}"
 {% endif %}
-{% if traefik_acme_email is defined %}
       tls:
         certResolver: letsencrypt
         domains:
           - main: "{{ item.domain }}"
-{% endif %}
       entryPoints:
         - "websecure"
   services:

roles/traefik/templates/security.yml.j2

@@ -11,8 +11,6 @@ http:
         sslRedirect: true
         browserXssFilter: true
         contentTypeNosniff: true
-{% if traefik_hsts_enable is defined and traefik_hsts_enable %}
         stsPreload: {{ traefik_hsts_preload }}
         stsSeconds: {{ traefik_hsts_seconds }}
-{% endif %}
         customFrameOptionsValue: SAMEORIGIN

roles/traefik/templates/traefik.yml.j2

@@ -10,14 +10,12 @@ providers:
 entrypoints:
   web:
     address: ':80'
-{% if traefik_http_redirect is defined and traefik_http_redirect %}
     http:
       redirections:
         entrypoint:
           to: websecure
           scheme: https
           permanent: true
-{% endif %}
   websecure:
     address: ':443'
     http:

update-hosts.sh

@@ -14,7 +14,6 @@ HOST[8]="wordpress.${DOMAIN}"
 HOST[9]="site1.wordpress.${DOMAIN}"
 HOST[10]="site2.wordpress.${DOMAIN}"
 HOST[11]="unifi.${DOMAIN}"
-HOST[11]="kutt.${DOMAIN}"
 
 # Get Vagrantbox guest IP
 VAGRANT_OUTPUT=$(vagrant ssh -c "hostname -I | cut -d' ' -f2" 2>/dev/null)