Compare commits
1 Commits
main
...
dockerbox_
Author | SHA1 | Date | |
---|---|---|---|
533dd40722 |
5
.github/workflows/vagrant.yml
vendored
5
.github/workflows/vagrant.yml
vendored
@ -3,9 +3,8 @@ name: homelab-ci
|
|||||||
on:
|
on:
|
||||||
push:
|
push:
|
||||||
branches:
|
branches:
|
||||||
- github_actions
|
- main
|
||||||
# - main
|
- testing
|
||||||
# - testing
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
homelab-ci:
|
homelab-ci:
|
||||||
|
3
.gitignore
vendored
3
.gitignore
vendored
@ -1,5 +1,4 @@
|
|||||||
.ansible*
|
|
||||||
/environments/
|
|
||||||
.playbook
|
.playbook
|
||||||
.vagrant*
|
.vagrant*
|
||||||
.vscode
|
.vscode
|
||||||
|
/environments/
|
@ -4,12 +4,8 @@ manage_network: false
|
|||||||
|
|
||||||
# Import my GPG key for git signature verification
|
# Import my GPG key for git signature verification
|
||||||
root_gpgkeys:
|
root_gpgkeys:
|
||||||
- name: kris@lamoureux.io
|
|
||||||
id: 42A3A92C5DA0F3E5F71A3710105B748C1362EB96
|
|
||||||
# Older key, but still in use
|
|
||||||
- name: kris@lamoureux.io
|
- name: kris@lamoureux.io
|
||||||
id: FBF673CEEC030F8AECA814E73EDA9C3441EDA925
|
id: FBF673CEEC030F8AECA814E73EDA9C3441EDA925
|
||||||
server: keyserver.ubuntu.com
|
|
||||||
|
|
||||||
# proxy
|
# proxy
|
||||||
proxy:
|
proxy:
|
||||||
@ -37,7 +33,7 @@ docker_compose_deploy:
|
|||||||
# Nextcloud
|
# Nextcloud
|
||||||
- name: nextcloud
|
- name: nextcloud
|
||||||
url: https://github.com/krislamo/nextcloud
|
url: https://github.com/krislamo/nextcloud
|
||||||
version: fe6d349749f178e91ae7ff726d557f48ebf84356
|
version: 0abc5cc6ba64ed94b7ddc6fd934f0fd62b8a6d11
|
||||||
env:
|
env:
|
||||||
DATA: ./data
|
DATA: ./data
|
||||||
|
|
||||||
|
@ -4,5 +4,4 @@
|
|||||||
roles:
|
roles:
|
||||||
- base
|
- base
|
||||||
- jenkins
|
- jenkins
|
||||||
- proxy
|
|
||||||
- docker
|
- docker
|
||||||
|
@ -3,9 +3,9 @@
|
|||||||
become: true
|
become: true
|
||||||
roles:
|
roles:
|
||||||
- base
|
- base
|
||||||
- jenkins
|
|
||||||
- docker
|
- docker
|
||||||
- mariadb
|
|
||||||
- traefik
|
- traefik
|
||||||
- nextcloud
|
- nextcloud
|
||||||
- proxy
|
- jenkins
|
||||||
|
- prometheus
|
||||||
|
- nginx
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: smb.conf.j2
|
src: smb.conf.j2
|
||||||
dest: /etc/samba/smb.conf
|
dest: /etc/samba/smb.conf
|
||||||
mode: "644"
|
mode: "700"
|
||||||
notify: restart_samba
|
notify: restart_samba
|
||||||
|
|
||||||
- name: Start smbd and enable on boot
|
- name: Start smbd and enable on boot
|
||||||
|
@ -80,10 +80,8 @@
|
|||||||
state: present
|
state: present
|
||||||
uid: "{{ item.value.uid }}"
|
uid: "{{ item.value.uid }}"
|
||||||
group: "{{ item.value.gid }}"
|
group: "{{ item.value.gid }}"
|
||||||
groups: "{{ item.value.groups | default([]) }}"
|
|
||||||
shell: "{{ item.value.shell | default('/bin/bash') }}"
|
shell: "{{ item.value.shell | default('/bin/bash') }}"
|
||||||
create_home: "{{ item.value.home | default(false) }}"
|
create_home: "{{ item.value.home | default(false) }}"
|
||||||
home: "{{ item.value.homedir | default('/home/' + item.key) }}"
|
|
||||||
system: "{{ item.value.system | default(false) }}"
|
system: "{{ item.value.system | default(false) }}"
|
||||||
loop: "{{ users | dict2items }}"
|
loop: "{{ users | dict2items }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
|
@ -18,28 +18,6 @@
|
|||||||
src: /etc/wireguard/privatekey
|
src: /etc/wireguard/privatekey
|
||||||
register: wgkey
|
register: wgkey
|
||||||
|
|
||||||
- name: Check if WireGuard preshared key file exists
|
|
||||||
ansible.builtin.stat:
|
|
||||||
path: /etc/wireguard/presharedkey-{{ item.name }}
|
|
||||||
loop: "{{ wireguard.peers }}"
|
|
||||||
loop_control:
|
|
||||||
label: "{{ item.name }}"
|
|
||||||
register: presharedkey_files
|
|
||||||
|
|
||||||
- name: Grab WireGuard preshared key for configuration
|
|
||||||
ansible.builtin.slurp:
|
|
||||||
src: /etc/wireguard/presharedkey-{{ item.item.name }}
|
|
||||||
register: wgshared
|
|
||||||
loop: "{{ presharedkey_files.results }}"
|
|
||||||
loop_control:
|
|
||||||
label: "{{ item.item.name }}"
|
|
||||||
when: item.stat.exists
|
|
||||||
|
|
||||||
- name: Grab WireGuard private key for configuration
|
|
||||||
ansible.builtin.slurp:
|
|
||||||
src: /etc/wireguard/privatekey
|
|
||||||
register: wgkey
|
|
||||||
|
|
||||||
- name: Install WireGuard configuration
|
- name: Install WireGuard configuration
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: wireguard.j2
|
src: wireguard.j2
|
||||||
|
@ -1,6 +1,4 @@
|
|||||||
# {{ ansible_managed }}
|
[Interface]
|
||||||
|
|
||||||
[Interface] # {{ ansible_hostname }}
|
|
||||||
PrivateKey = {{ wgkey['content'] | b64decode | trim }}
|
PrivateKey = {{ wgkey['content'] | b64decode | trim }}
|
||||||
Address = {{ wireguard.address }}
|
Address = {{ wireguard.address }}
|
||||||
{% if wireguard.listenport is defined %}
|
{% if wireguard.listenport is defined %}
|
||||||
@ -8,26 +6,8 @@ ListenPort = {{ wireguard.listenport }}
|
|||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% for peer in wireguard.peers %}
|
{% for peer in wireguard.peers %}
|
||||||
{% if peer.name is defined %}
|
|
||||||
[Peer] # {{ peer.name }}
|
|
||||||
{% else %}
|
|
||||||
[Peer]
|
[Peer]
|
||||||
{% endif %}
|
|
||||||
PublicKey = {{ peer.publickey }}
|
PublicKey = {{ peer.publickey }}
|
||||||
{% if peer.presharedkey is defined %}
|
|
||||||
PresharedKey = {{ peer.presharedkey }}
|
|
||||||
{% else %}
|
|
||||||
{% set preshared_key = (
|
|
||||||
wgshared.results
|
|
||||||
| selectattr('item.item.name', 'equalto', peer.name)
|
|
||||||
| first
|
|
||||||
).content
|
|
||||||
| default(none)
|
|
||||||
%}
|
|
||||||
{% if preshared_key is not none %}
|
|
||||||
PresharedKey = {{ preshared_key | b64decode | trim }}
|
|
||||||
{% endif %}
|
|
||||||
{% endif %}
|
|
||||||
{% if peer.endpoint is defined %}
|
{% if peer.endpoint is defined %}
|
||||||
Endpoint = {{ peer.endpoint }}
|
Endpoint = {{ peer.endpoint }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -24,21 +24,15 @@
|
|||||||
|
|
||||||
- name: Install/uninstall Docker from Debian repositories
|
- name: Install/uninstall Docker from Debian repositories
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
name: ["docker.io", "docker-compose", "containerd", "runc"]
|
name: ['docker.io', 'docker-compose', 'containerd', 'runc']
|
||||||
state: "{{ 'absent' if docker_official else 'present' }}"
|
state: "{{ 'absent' if docker_official else 'present' }}"
|
||||||
autoremove: true
|
autoremove: true
|
||||||
update_cache: true
|
update_cache: true
|
||||||
|
|
||||||
- name: Install/uninstall Docker from Docker repositories
|
- name: Install/uninstall Docker from Docker repositories
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name: ['docker-ce', 'docker-ce-cli', 'containerd.io',
|
||||||
[
|
'docker-buildx-plugin', 'docker-compose-plugin']
|
||||||
"docker-ce",
|
|
||||||
"docker-ce-cli",
|
|
||||||
"containerd.io",
|
|
||||||
"docker-buildx-plugin",
|
|
||||||
"docker-compose-plugin",
|
|
||||||
]
|
|
||||||
state: "{{ 'present' if docker_official else 'absent' }}"
|
state: "{{ 'present' if docker_official else 'absent' }}"
|
||||||
autoremove: true
|
autoremove: true
|
||||||
update_cache: true
|
update_cache: true
|
||||||
@ -141,6 +135,14 @@
|
|||||||
label: "{{ item.name }}"
|
label: "{{ item.name }}"
|
||||||
when: docker_compose_deploy is defined and item.env is defined
|
when: docker_compose_deploy is defined and item.env is defined
|
||||||
|
|
||||||
|
- name: Add users to docker group
|
||||||
|
ansible.builtin.user:
|
||||||
|
name: "{{ item }}"
|
||||||
|
groups: docker
|
||||||
|
append: true
|
||||||
|
loop: "{{ docker_users }}"
|
||||||
|
when: docker_users is defined
|
||||||
|
|
||||||
- name: Start Docker and enable on boot
|
- name: Start Docker and enable on boot
|
||||||
ansible.builtin.service:
|
ansible.builtin.service:
|
||||||
name: docker
|
name: docker
|
||||||
|
@ -15,7 +15,7 @@ services:
|
|||||||
networks:
|
networks:
|
||||||
- traefik
|
- traefik
|
||||||
labels:
|
labels:
|
||||||
- "traefik.http.routers.{{ jellyfin_router }}.rule=Host({{ jellyfin_domains }})"
|
- "traefik.http.routers.{{ jellyfin_router }}.rule=Host(`{{ jellyfin_domain }}`)"
|
||||||
{% if traefik_http_only %}
|
{% if traefik_http_only %}
|
||||||
- "traefik.http.routers.{{ jellyfin_router }}.entrypoints=web"
|
- "traefik.http.routers.{{ jellyfin_router }}.entrypoints=web"
|
||||||
{% else %}
|
{% else %}
|
||||||
|
@ -45,11 +45,10 @@
|
|||||||
register: nginx_sites
|
register: nginx_sites
|
||||||
|
|
||||||
- name: Generate self-signed certificate
|
- name: Generate self-signed certificate
|
||||||
ansible.builtin.command:
|
ansible.builtin.command: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
|
||||||
'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
|
-subj "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
|
||||||
-subj "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
|
-keyout /etc/ssl/private/nginx-selfsigned.key \
|
||||||
-keyout /etc/ssl/private/nginx-selfsigned.key \
|
-out /etc/ssl/certs/nginx-selfsigned.crt'
|
||||||
-out /etc/ssl/certs/nginx-selfsigned.crt'
|
|
||||||
args:
|
args:
|
||||||
creates: /etc/ssl/certs/nginx-selfsigned.crt
|
creates: /etc/ssl/certs/nginx-selfsigned.crt
|
||||||
when: proxy.production is not defined or not proxy.production
|
when: proxy.production is not defined or not proxy.production
|
||||||
@ -57,22 +56,15 @@
|
|||||||
|
|
||||||
- name: Install LE's certbot
|
- name: Install LE's certbot
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
name: ["certbot", "python3-certbot-dns-cloudflare"]
|
name: ['certbot', 'python3-certbot-dns-cloudflare']
|
||||||
state: present
|
state: present
|
||||||
when: proxy.production is defined and proxy.production
|
when: proxy.production is defined and proxy.production
|
||||||
|
|
||||||
- name: Grab Cloudflare API token for configuration
|
|
||||||
ansible.builtin.slurp:
|
|
||||||
src: /root/.cloudflare-api
|
|
||||||
register: cfapi
|
|
||||||
when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
|
|
||||||
|
|
||||||
- name: Install Cloudflare API token
|
- name: Install Cloudflare API token
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: cloudflare.ini.j2
|
src: cloudflare.ini.j2
|
||||||
dest: /root/.cloudflare.ini
|
dest: /root/.cloudflare.ini
|
||||||
mode: "400"
|
mode: "400"
|
||||||
diff: false
|
|
||||||
when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
|
when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
|
||||||
|
|
||||||
- name: Create nginx post renewal hook directory
|
- name: Create nginx post renewal hook directory
|
||||||
@ -86,19 +78,19 @@
|
|||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
src: reload-nginx.sh
|
src: reload-nginx.sh
|
||||||
dest: /etc/letsencrypt/renewal-hooks/post/reload-nginx.sh
|
dest: /etc/letsencrypt/renewal-hooks/post/reload-nginx.sh
|
||||||
mode: "0755"
|
mode: '0755'
|
||||||
when: proxy.production is defined and proxy.production
|
when: proxy.production is defined and proxy.production
|
||||||
|
|
||||||
- name: Run Cloudflare DNS-01 challenges on wildcard domains
|
- name: Run Cloudflare DNS-01 challenges on wildcard domains
|
||||||
ansible.builtin.shell: '/usr/bin/certbot certonly \
|
ansible.builtin.shell: '/usr/bin/certbot certonly \
|
||||||
--non-interactive \
|
--non-interactive \
|
||||||
--agree-tos \
|
--agree-tos \
|
||||||
--email "{{ proxy.dns_cloudflare.email }}" \
|
--email "{{ proxy.dns_cloudflare.email }}" \
|
||||||
--dns-cloudflare \
|
--dns-cloudflare \
|
||||||
--dns-cloudflare-credentials /root/.cloudflare.ini \
|
--dns-cloudflare-credentials /root/.cloudflare.ini \
|
||||||
-d "*.{{ item }}" \
|
-d "*.{{ item }}" \
|
||||||
-d "{{ item }}" \
|
-d "{{ item }}" \
|
||||||
{{ proxy.dns_cloudflare.opts | default("") }}'
|
{{ proxy.dns_cloudflare.opts | default("") }}'
|
||||||
args:
|
args:
|
||||||
creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
|
creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
|
||||||
loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"
|
loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"
|
||||||
|
@ -1,2 +1,2 @@
|
|||||||
# Cloudflare API token used by Certbot
|
# Cloudflare API token used by Certbot
|
||||||
dns_cloudflare_api_token = {{ cfapi['content'] | b64decode | trim }}
|
dns_cloudflare_api_token = {{ proxy.dns_cloudflare.api_token }}
|
||||||
|
@ -28,20 +28,14 @@ server {
|
|||||||
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
|
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
|
||||||
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
|
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if item.hsts is defined %}
|
||||||
|
add_header Strict-Transport-Security "max-age={{ item.hsts }}" always;
|
||||||
|
{% endif %}
|
||||||
{% if item.client_max_body_size is defined %}
|
{% if item.client_max_body_size is defined %}
|
||||||
client_max_body_size {{ item.client_max_body_size }};
|
client_max_body_size {{ item.client_max_body_size }};
|
||||||
{% endif %}
|
{% endif %}
|
||||||
location / {
|
location / {
|
||||||
{% if item.hsts is defined %}
|
{% if item.restrict is defined and item.restrict %}
|
||||||
add_header Strict-Transport-Security "max-age={{ item.hsts }}" always;
|
|
||||||
{% endif %}
|
|
||||||
{% if item.allowedips is defined %}
|
|
||||||
{% for ip in item.allowedips %}
|
|
||||||
allow {{ ip }};
|
|
||||||
{% endfor %}
|
|
||||||
deny all;
|
|
||||||
{% endif %}
|
|
||||||
{% if item.restrict is defined and item.restrict %}
|
|
||||||
auth_basic "{{ item.restrict_name | default('Restricted Access') }}";
|
auth_basic "{{ item.restrict_name | default('Restricted Access') }}";
|
||||||
auth_basic_user_file {{ item.restrict_file | default('/etc/nginx/.htpasswd') }};
|
auth_basic_user_file {{ item.restrict_file | default('/etc/nginx/.htpasswd') }};
|
||||||
proxy_set_header Authorization "";
|
proxy_set_header Authorization "";
|
||||||
@ -49,7 +43,6 @@ server {
|
|||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_pass {{ item.proxy_pass }};
|
proxy_pass {{ item.proxy_pass }};
|
||||||
{% if item.proxy_ssl_verify is defined and item.proxy_ssl_verify is false %}
|
{% if item.proxy_ssl_verify is defined and item.proxy_ssl_verify is false %}
|
||||||
proxy_ssl_verify off;
|
proxy_ssl_verify off;
|
||||||
|
Loading…
x
Reference in New Issue
Block a user