testing

Option to enable websockets for the noVNC console
2023-04-08 13:09:04 -04:00 · 2023-03-29 23:55:42 -04:00 · 2022-12-06 00:15:10 -05:00 · 2022-09-18 15:21:16 -04:00 · 2022-08-27 18:56:12 -04:00 · 2022-08-19 01:27:55 -04:00
65 changed files with 854 additions and 352 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,12 +1,3 @@
 .vagrant
 .playbook
-/*.yml
-/*.yaml
-!backup.yml
-!moxie.yml
-!docker.yml
-!dockerbox.yml
-!hypervisor.yml
-!minecraft.yml
-!unifi.yml
 /environments/
--- a/3
+++ b/3
@@ -30,8 +30,9 @@ Vagrant.configure("2") do |config|
  config.vm.define :moxie do |moxie| #
  end

-  # Disable Machine Name Prefix
  config.vm.provider :libvirt do |libvirt|
+    libvirt.cpus = 2
+    libvirt.memory = 4096
    libvirt.default_prefix = ""
  end

--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,3 +1,6 @@
 [defaults]
 inventory = ./environments/development
 interpreter_python = /usr/bin/python3
+
+[connection]
+pipelining = true
--- a/dev/dockerbox.yml
+++ b/dev/dockerbox.yml
@@ -7,8 +7,8 @@
    - base
    - docker
    - traefik
-    - nextcloud
-    - gitea
-    - jenkins
-    - prometheus
-    - nginx
+#    - nextcloud
+#    - gitea
+#    - jenkins
+#    - prometheus
+#    - nginx
--- a/dev/host_vars/mediawiki.yml
+++ b/dev/host_vars/mediawiki.yml
@@ -1,17 +0,0 @@
-# base
-allow_reboot: false
-manage_network: false
-
-# docker
-docker_users:
-  - vagrant
-
-# traefik
-traefik_version: latest
-traefik_dashboard: true
-traefik_domain: traefik.vm.krislamo.org
-traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
-#traefik_acme_email: realemail@example.com # Let's Encrypt settings
-#traefik_production: true
-
-# mediawiki
--- a/dev/host_vars/proxy.yml
+++ b/dev/host_vars/proxy.yml
@@ -0,0 +1,37 @@
+base_domain: vm.krislamo.org
+
+# base
+allow_reboot: false
+manage_network: false
+
+# proxy
+proxy:
+  #production: true
+  dns_cloudflare:
+    opts: --test-cert
+    #email: realemail@example.com
+    #api_token: CLOUDFLARE_DNS01_API_TOKEN
+    wildcard_domains:
+      - "{{ base_domain }}"
+  servers:
+    - domain: "{{ bitwarden_domain }}"
+      proxy_pass: "http://127.0.0.1:8080"
+    - domain: "{{ gitea_domain }}"
+      proxy_pass: "http://127.0.0.1:3000"
+
+# docker
+docker_users:
+  - vagrant
+
+# bitwarden
+# Get Installation ID & Key at https://bitwarden.com/host/
+bitwarden_domain: "vault.{{ base_domain }}"
+bitwarden_dbpass: password
+bitwarden_install_id: 4ea840a3-532e-4cb6-a472-abd900728b23
+bitwarden_install_key: 1yB3Z2gRI0KnnH90C6p
+#bitwarden_prodution: true
+
+# gitea
+gitea_domain: "git.{{ base_domain }}"
+gitea_version: 1
+gitea_dbpass: password
--- a/dev/mediawiki.yml
+++ b/dev/mediawiki.yml
@@ -1,10 +0,0 @@
- name: Install MediaWiki Server
-  hosts: all
-  become: true
-  vars_files:
-    - host_vars/mediawiki.yml
-  roles:
-    - base
-    - docker
-    - traefik
-    - mediawiki
--- a/dev/proxy.yml
+++ b/dev/proxy.yml
@@ -0,0 +1,12 @@
+- name: Install Proxy Server
+  hosts: all
+  become: true
+  vars_files:
+    - host_vars/proxy.yml
+  roles:
+    - base
+    - mariadb
+    - proxy
+    - docker
+    - gitea
+    - bitwarden
--- a/dockerbox.yml
+++ b/dockerbox.yml
@@ -20,7 +20,6 @@
    - docker
    - traefik
    - nextcloud
-    - gitea
    - jenkins
    - prometheus
    - nginx
--- a/proxy.yml
+++ b/proxy.yml
@@ -0,0 +1,11 @@
+- name: Install Proxy Server
+  hosts: proxyhosts
+  become: true
+  roles:
+    - base
+    - jenkins
+    - mariadb
+    - proxy
+    - docker
+    - gitea
+    - bitwarden
--- a/roles/.gitignore
+++ b/roles/.gitignore
@@ -7,11 +7,13 @@
 !gitea*/
 !jenkins*/
 !libvirt*/
-!mediawiki*/
+!mariadb*/
 !minecraft*/
 !nextcloud*/
 !nginx*/
+!postgresql*/
 !prometheus*/
+!proxy*/
 !rsnapshot*/
 !traefik*/
 !unifi*/
--- a/roles/base/defaults/main.yml
+++ b/roles/base/defaults/main.yml
@@ -3,6 +3,7 @@ network_type: static
 allow_reboot: true

 packages:
+  - apache2-utils
  - cryptsetup
  - curl
  - dnsutils
--- a/roles/base/files/buster-backports.list
+++ b/roles/base/files/buster-backports.list
@@ -1 +0,0 @@
-deb http://deb.debian.org/debian buster-backports main
--- a/roles/base/handlers/main.yml
+++ b/roles/base/handlers/main.yml
@@ -10,3 +10,9 @@
    name: wg-quick@wg0
    state: restarted
  listen: restart_wireguard
+
+- name: Restart Fail2ban
+  service:
+    name: fail2ban
+    state: restarted
+  listen: restart_fail2ban
--- a/roles/base/tasks/ansible.yml
+++ b/roles/base/tasks/ansible.yml
@@ -13,3 +13,11 @@
  loop:
    - aptitude
    - python3-docker
+    - python3-pymysql
+    - python3-psycopg2
+
+- name: Create Ansible's temporary remote directory
+  file:
+    path: "~/.ansible/tmp"
+    state: directory
+    mode: 0700
--- a/roles/base/tasks/firewall.yml
+++ b/roles/base/tasks/firewall.yml
@@ -0,0 +1,46 @@
+- name: Install the Uncomplicated Firewall
+  apt:
+    name: ufw
+    state: present
+
+- name: Install Fail2ban
+  apt:
+    name: fail2ban
+    state: present
+
+- name: Deny incoming traffic by default
+  ufw:
+    default: deny
+    direction: incoming
+
+- name: Allow outgoing traffic by default
+  ufw:
+    default: allow
+    direction: outgoing
+
+- name: Allow OpenSSH with rate limiting
+  ufw:
+    name: ssh
+    rule: limit
+
+- name: Remove Fail2ban defaults-debian.conf
+  file:
+    path: /etc/fail2ban/jail.d/defaults-debian.conf
+    state: absent
+
+- name: Install OpenSSH's Fail2ban jail
+  template:
+    src: fail2ban-ssh.conf.j2
+    dest: /etc/fail2ban/jail.d/sshd.conf
+  notify: restart_fail2ban
+
+- name: Install Fail2ban IP allow list
+  template:
+    src: fail2ban-allowlist.conf.j2
+    dest: /etc/fail2ban/jail.d/allowlist.conf
+  when: fail2ban_ignoreip is defined
+  notify: restart_fail2ban
+
+- name: Enable firewall
+  ufw:
+    state: enabled
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -4,6 +4,9 @@
 - import_tasks: system.yml
  tags: system

+- import_tasks: firewall.yml
+  tags: firewall
+
 - import_tasks: network.yml
  tags: network
  when: manage_network
--- a/roles/base/tasks/network.yml
+++ b/roles/base/tasks/network.yml
@@ -12,8 +12,3 @@
    dest: "/etc/network/interfaces.d/{{ item.name }}"
  loop: "{{ interfaces }}"
  notify: reboot_host
-
- name: Install bridge utilities
-  apt:
-    name: bridge-utils
-    state: present
--- a/roles/base/tasks/system.yml
+++ b/roles/base/tasks/system.yml
@@ -10,12 +10,6 @@
    dest: /root/.ssh/authorized_keys
  when: authorized_keys is defined

- name: Install btrfs-tools
-  apt:
-    name: btrfs-tools
-    state: present
-  when: btrfs_support is defined and btrfs_support | bool == true
-
 - name: Manage filesystem mounts
  mount:
    path: "{{ item.path }}"
--- a/roles/base/tasks/wireguard.yml
+++ b/roles/base/tasks/wireguard.yml
@@ -1,25 +1,3 @@
-# Copyright (C) 2021  Kris Lamoureux
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, version 3 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <https://www.gnu.org/licenses/>.
-
- name: Add Debian Buster backports
-  copy:
-    src: buster-backports.list
-    dest: /etc/apt/sources.list.d/buster-backports.list
-    owner: root
-    group: root
-    mode: '0644'
-
 - name: Install WireGuard
  apt:
    name: wireguard
@@ -49,3 +27,10 @@
    name: wg-quick@wg0
    state: started
    enabled: true
+
+- name: Add WireGuard firewall rule
+  ufw:
+    rule: allow
+    port: "{{ wireguard.listenport }}"
+    proto: tcp
+  when: wireguard.listenport is defined
--- a/roles/base/templates/fail2ban-allowlist.conf.j2
+++ b/roles/base/templates/fail2ban-allowlist.conf.j2
@@ -0,0 +1,2 @@
+[DEFAULT]
+ignoreip = {% for host in fail2ban_ignoreip %}{{ host }}{% if not loop.last %} {% endif %}{% endfor %}
--- a/roles/base/templates/fail2ban-ssh.conf.j2
+++ b/roles/base/templates/fail2ban-ssh.conf.j2
@@ -0,0 +1,3 @@
+[sshd]
+mode = aggressive
+enabled = true
--- a/roles/bitwarden/defaults/main.yml
+++ b/roles/bitwarden/defaults/main.yml
@@ -1,4 +1,8 @@
 bitwarden_name: bitwarden
-bitwarden_root: "/opt/{{ bitwarden_name }}"
+bitwarden_root: "/var/lib/{{ bitwarden_name }}"
+bitwarden_logs_identity: "{{ bitwarden_root }}/bwdata/logs/identity/Identity"
+bitwarden_logs_identity_date: "{{ ansible_date_time.year }}{{ ansible_date_time.month }}{{ ansible_date_time.day }}"
+bitwarden_database: "{{ bitwarden_name }}"
+bitwarden_realips: "172.16.0.0/12"
 bitwarden_standalone: false
 bitwarden_production: false
--- a/roles/bitwarden/handlers/main.yml
+++ b/roles/bitwarden/handlers/main.yml
@@ -1,7 +1,16 @@
+- name: Stop Bitwarden for rebuild
+  service:
+    name: "{{ bitwarden_name }}"
+    state: stopped
+  listen: rebuild_bitwarden
+
 - name: Rebuild Bitwarden
  shell: "{{ bitwarden_root }}/bitwarden.sh rebuild"
  listen: rebuild_bitwarden

- name: Start Bitwarden
-  shell: "{{ bitwarden_root }}/bitwarden.sh start"
-  listen: start_bitwarden
+- name: Start Bitwarden after rebuild
+  service:
+    name: "{{ bitwarden_name }}"
+    state: started
+    enabled: true
+  listen: rebuild_bitwarden
--- a/roles/bitwarden/tasks/main.yml
+++ b/roles/bitwarden/tasks/main.yml
@@ -11,7 +11,7 @@
 - name: Download Bitwarden script
  get_url:
    url: "https://raw.githubusercontent.com/\
-          bitwarden/server/master/scripts/bitwarden.sh"
+          bitwarden/self-host/master/bitwarden.sh"
    dest: "{{ bitwarden_root }}"
    mode: u+x

@@ -25,35 +25,29 @@
  shell: "{{ bitwarden_root }}/bw_wrapper"
  args:
    creates: "{{ bitwarden_root }}/bwdata/config.yml"
-  notify: start_bitwarden

 - name: Install docker-compose override
  template:
    src: compose.override.yml.j2
    dest: "{{ bitwarden_root }}/bwdata/docker/docker-compose.override.yml"
-  notify:
-    - rebuild_bitwarden
-    - start_bitwarden
+  when: traefik_version is defined
+  notify: rebuild_bitwarden

 - name: Disable bitwarden-nginx HTTP on 80
  replace:
    path: "{{ bitwarden_root }}/bwdata/config.yml"
    regexp: "^http_port: 80$"
-    replace: "http_port: 8080"
+    replace: "http_port: 127.0.0.1:8080"
  when: not bitwarden_standalone
-  notify:
-    - rebuild_bitwarden
-    - start_bitwarden
+  notify: rebuild_bitwarden

 - name: Disable bitwarden-nginx HTTPS on 443
  replace:
    path: "{{ bitwarden_root }}/bwdata/config.yml"
    regexp: "^https_port: 443$"
-    replace: "https_port: 8443"
+    replace: "https_port: 127.0.0.1:8443"
  when: not bitwarden_standalone
-  notify:
-    - rebuild_bitwarden
-    - start_bitwarden
+  notify: rebuild_bitwarden

 - name: Disable Bitwarden managed Lets Encrypt
  replace:
@@ -61,9 +55,7 @@
    regexp: "^ssl_managed_lets_encrypt: true$"
    replace: "ssl_managed_lets_encrypt: false"
  when: not bitwarden_standalone or not bitwarden_production
-  notify:
-    - rebuild_bitwarden
-    - start_bitwarden
+  notify: rebuild_bitwarden

 - name: Disable Bitwarden managed SSL
  replace:
@@ -71,6 +63,42 @@
    regexp: "^ssl: true$"
    replace: "ssl: false"
  when: not bitwarden_standalone
-  notify:
-    - rebuild_bitwarden
-    - start_bitwarden
+  notify: rebuild_bitwarden
+
+- name: Define reverse proxy servers
+  lineinfile:
+    path: "{{ bitwarden_root }}/bwdata/config.yml"
+    line: "- {{ bitwarden_realips }}"
+    insertafter: "^real_ips"
+  notify: rebuild_bitwarden
+
+- name: Install Bitwarden systemd service
+  template:
+    src: bitwarden.service.j2
+    dest: "/etc/systemd/system/{{ bitwarden_name }}.service"
+  register: bitwarden_systemd
+  notify: rebuild_bitwarden
+
+- name: Create Bitwarden's initial logging directory
+  file:
+    path: "{{ bitwarden_logs_identity }}"
+    state: directory
+  register: bitwarden_logs
+
+- name: Create Bitwarden's initial log file
+  file:
+    path: "{{ bitwarden_logs_identity }}/{{ bitwarden_logs_identity_date }}.txt"
+    state: touch
+  when: bitwarden_logs.changed
+
+- name: Install Bitwarden's Fail2ban jail
+  template:
+    src: fail2ban-jail.conf.j2
+    dest: /etc/fail2ban/jail.d/bitwarden.conf
+  notify: restart_fail2ban
+
+- name: Reload systemd manager configuration
+  systemd:
+    daemon_reload: true
+  when: bitwarden_systemd.changed
+  notify: rebuild_bitwarden
--- a/roles/bitwarden/templates/bitwarden.service.j2
+++ b/roles/bitwarden/templates/bitwarden.service.j2
@@ -0,0 +1,13 @@
+[Unit]
+Description=Bitwarden Password Manager Server
+PartOf=docker.service
+After=docker.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+ExecStart={{ bitwarden_root }}/bitwarden.sh start
+ExecStop={{ bitwarden_root }}/bitwarden.sh stop
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/bitwarden/templates/bw_wrapper.j2
+++ b/roles/bitwarden/templates/bw_wrapper.j2
@@ -14,6 +14,9 @@ send "y\r"
 send "n\r"
 {% endif %}

+expect "Enter the database name for your Bitwarden instance (ex. vault):"
+send "{{ bitwarden_database }}\r"
+
 expect "Enter your installation id (get at https://bitwarden.com/host):"
 send "{{ bitwarden_install_id }}\r"

--- a/roles/bitwarden/templates/compose.override.yml.j2
+++ b/roles/bitwarden/templates/compose.override.yml.j2
@@ -1,3 +1,5 @@
+version: '3'
+
 services:
  nginx:
    networks:
--- a/roles/bitwarden/templates/fail2ban-jail.conf.j2
+++ b/roles/bitwarden/templates/fail2ban-jail.conf.j2
@@ -0,0 +1,9 @@
+# {{ ansible_managed }}
+[bitwarden]
+enabled = true
+filter = bitwarden
+logpath = {{ bitwarden_root }}/bwdata/logs/identity/Identity/*
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -0,0 +1,3 @@
+docker_compose_root: /var/lib/compose
+docker_compose: /usr/bin/docker-compose
+docker_compose_service: compose
--- a/roles/docker/docker-ce.list
+++ b/roles/docker/docker-ce.list
@@ -1 +0,0 @@
-deb [arch=amd64] https://download.docker.com/linux/debian buster stable
--- a/roles/docker/install-compose.sh
+++ b/roles/docker/install-compose.sh
@@ -1,38 +0,0 @@
-#!/bin/bash
-
-# Github username and repo name
-user="docker"
-repo="compose"
-
-# Retrieve the latest version number
-addr="https://github.com/$user/$repo/releases/latest"
-page=$(curl -s $addr | grep -o releases/tag/*.*\")
-version=$(echo $page | awk '{print substr($1, 14, length($1) - 14)}')
-
-# Download prep
-url="https://github.com/$user/$repo/releases/download/$version"
-file="docker-compose-$(uname -s)-$(uname -m)"
-
-# Download latest Docker Compose if that version hasn't been downloaded
-if [ ! -f /tmp/docker_compose_$version ]; then
-  curl -L $url/$file -o /tmp/docker-compose_$version
-fi
-
-# Is it already installed?
-if installed=$(which docker-compose); then
-
-  new_chksum=$(sha256sum /tmp/docker-compose_$version)
-  old_chksum=$(sha256sum /usr/local/bin/docker-compose)
-
-  # If checksums are different, delete and install new version
-  if [ ! "$new_chksum" = "$old_chksum" ]; then
-    rm /usr/local/bin/docker-compose
-    mv /tmp/docker-compose_$version /usr/local/bin/docker-compose
-    chmod +x /usr/local/bin/docker-compose
-  fi
-
-else
-  # It's not installed, so no need to remove
-  mv /tmp/docker-compose_$version /usr/local/bin/docker-compose
-  chmod +x /usr/local/bin/docker-compose
-fi
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -1,45 +1,24 @@
-# Copyright (C) 2019  Kris Lamoureux
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, version 3 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <https://www.gnu.org/licenses/>.
-
- name: Remove old versions of Docker
+- name: Install Docker
  apt:
-    name: ['docker', 'docker-engine', 'docker.io', 'containerd', 'runc']
-    state: absent
+    name: ['docker.io', 'docker-compose']
+    state: present
    update_cache: true

- name: Install HTTPS capability for apt
-  apt:
-    name: ['apt-transport-https', 'ca-certificates',
-           'curl', 'gnupg2', 'software-properties-common']
-    state: present
+- name: Create docker-compose root
+  file:
+    path: "{{ docker_compose_root }}"
+    state: directory

- name: Install Docker's signing key
-  apt_key:
-    url: https://download.docker.com/linux/debian/gpg
-    id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
-    state: present
-
- name: Install Docker's stable repository
+- name: Install docker-compose systemd service
  template:
-    src: docker-ce.list
-    dest: /etc/apt/sources.list.d/docker-ce.list
+    src: docker-compose.service.j2
+    dest: "/etc/systemd/system/{{ docker_compose_service }}@.service"
+  register: compose_systemd

- name: Install Docker CE
-  apt:
-    name: ['docker-ce', 'docker-ce-cli', 'containerd.io']
-    state: present
-    update_cache: true
+- name: Reload systemd manager configuration
+  systemd:
+    daemon_reload: true
+  when: compose_systemd.changed

 - name: Add users to docker group
  user:
@@ -49,11 +28,6 @@
  loop: "{{ docker_users }}"
  when: docker_users is defined

- name: Install docker-compose
-  script: install-compose.sh
-  args:
-    creates: /usr/local/bin/docker-compose
-
 - name: Start Docker and enable on boot
  service:
    name: docker
--- a/roles/docker/templates/docker-compose.service.j2
+++ b/roles/docker/templates/docker-compose.service.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description=%i docker-compose service
+PartOf=docker.service
+After=docker.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+WorkingDirectory={{ docker_compose_root }}/%i
+ExecStart={{ docker_compose }} up -d --remove-orphans
+ExecStop={{ docker_compose }} down
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/gitea/defaults/main.yml
+++ b/roles/gitea/defaults/main.yml
@@ -1,11 +1,22 @@
 # container settings
 gitea_name: gitea
-gitea_dbname: "{{ gitea_name }}-db"
-gitea_ports: "222:22"
+gitea_sshport: "222"
+gitea_webport: "3000"
+gitea_ssh: "127.0.0.1:{{ gitea_sshport }}"
+gitea_web: "127.0.0.1:{{ gitea_webport }}"
+gitea_volume: "{{ gitea_name }}"
+gitea_rooturl: "https://{{ gitea_domain }}"
+gitea_signup: true

 # database settings
-gitea_dbuser: "{{ gitea_dbname }}"
+gitea_dbtype: mysql
+gitea_dbhost: host.docker.internal
+gitea_dbname: "{{ gitea_name }}"
+gitea_dbuser: "{{ gitea_name }}"
+
+# proxy settings
+gitea_proxy_limit: "1"
+gitea_trusted_proxies: "172.16.0.0/12"

 # host
-gitea_root: "/opt/{{ gitea_name }}/data"
-gitea_dbroot: "/opt/{{ gitea_name }}/database"
+gitea_root: "{{ docker_compose_root }}/{{ gitea_name }}"
--- a/roles/gitea/handlers/main.yml
+++ b/roles/gitea/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: Restart Gitea
+  service:
+    name: "{{ docker_compose_service }}@{{ gitea_name }}"
+    state: restarted
+  listen: restart_gitea
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
@@ -1,54 +1,111 @@
- name: Create Gitea Network
-  docker_network:
-    name: "{{ gitea_name }}"
+- name: Create Gitea directory
+  file:
+    path: "{{ gitea_root }}"
+    state: directory

- name: Start Gitea's database container
-  docker_container:
+- name: Create Gitea database
+  mysql_db:
    name: "{{ gitea_dbname }}"
-    image: mariadb:{{ gitea_dbversion }}
-    state: started
-    restart_policy: always
-    volumes: "{{ gitea_dbroot }}:/var/lib/mysql"
-    networks_cli_compatible: true
-    networks:
-      - name: "{{ gitea_name }}"
-    env:
-      MYSQL_RANDOM_ROOT_PASSWORD: "true"
-      MYSQL_DATABASE: "{{ gitea_dbname }}"
-      MYSQL_USER: "{{ gitea_dbuser }}"
-      MYSQL_PASSWORD: "{{ gitea_dbpass }}"
+    state: present
+    login_unix_socket: /var/run/mysqld/mysqld.sock

- name: Start Gitea container
-  docker_container:
-    name: "{{ gitea_name }}"
-    image: gitea/gitea:{{ gitea_version }}
+- name: Create Gitea database user
+  mysql_user:
+    name: "{{ gitea_dbuser }}"
+    password: "{{ gitea_dbpass }}"
+    host: '%'
+    state: present
+    priv: "{{ gitea_dbname }}.*:ALL"
+    login_unix_socket: /var/run/mysqld/mysqld.sock
+
+- name: Create git user
+  user:
+    name: git
+    state: present
+
+- name: Git user uid
+  getent:
+    database: passwd
+    key: git
+
+- name: Git user gid
+  getent:
+    database: group
+    key: git
+
+- name: Create git's .ssh directory
+  file:
+    path: /home/git/.ssh
+    state: directory
+
+- name: Generate git's SSH keys
+  openssh_keypair:
+    path: /home/git/.ssh/id_rsa
+
+- name: Find git's public SSH key
+  slurp:
+    src: /home/git/.ssh/id_rsa.pub
+  register: git_rsapub
+
+- name: Get stats on git's authorized_keys file
+  stat:
+    path: /home/git/.ssh/authorized_keys
+  register: git_authkeys
+
+- name: Create git's authorized_keys file
+  file:
+    path: /home/git/.ssh/authorized_keys
+    state: touch
+  when: not git_authkeys.stat.exists
+
+- name: Add git's public SSH key to authorized_keys
+  lineinfile:
+    path: /home/git/.ssh/authorized_keys
+    regex: "^ssh-rsa"
+    line: "{{ git_rsapub['content'] | b64decode }}"
+
+- name: Create Gitea host script for SSH
+  template:
+    src: gitea.sh.j2
+    dest: /usr/local/bin/gitea
+    mode: 0755
+
+- name: Install Gitea's docker-compose file
+  template:
+    src: docker-compose.yml.j2
+    dest: "{{ gitea_root }}/docker-compose.yml"
+  notify: restart_gitea
+
+- name: Install Gitea's docker-compose variables
+  template:
+    src: compose-env.j2
+    dest: "{{ gitea_root }}/.env"
+  notify: restart_gitea
+
+- name: Create Gitea's logging directory
+  file:
+    name: /var/log/gitea
+    state: directory
+
+- name: Create Gitea's initial log file
+  file:
+    name: /var/log/gitea/gitea.log
+    state: touch
+
+- name: Install Gitea's Fail2ban filter
+  template:
+    src: fail2ban-filter.conf.j2
+    dest: /etc/fail2ban/filter.d/gitea.conf
+  notify: restart_fail2ban
+
+- name: Install Gitea's Fail2ban jail
+  template:
+    src: fail2ban-jail.conf.j2
+    dest: /etc/fail2ban/jail.d/gitea.conf
+  notify: restart_fail2ban
+
+- name: Start and enable Gitea service
+  service:
+    name: "{{ docker_compose_service }}@{{ gitea_name }}"
    state: started
-    restart_policy: always
-    networks_cli_compatible: true
-    ports: "{{ gitea_ports }}"
-    networks:
-      - name: "{{ gitea_name }}"
-      - name: traefik
-    volumes:
-      - "{{ gitea_root }}:/data"
-      - /etc/timezone:/etc/timezone:ro
-      - /etc/localtime:/etc/localtime:ro
-    env:
-      USER_UID: "1000"
-      USER_GID: "1000"
-      DB_TYPE: mysql
-      DB_HOST: "{{ gitea_dbname }}"
-      DB_NAME: "{{ gitea_dbname }}"
-      DB_USER: "{{ gitea_dbuser }}"
-      DB_PASSWD: "{{ gitea_dbpass }}"
-      ROOT_URL: "https://{{ gitea_domain }}/"
-      SSH_DOMAIN: "{{ gitea_domain }}"
-      DOMAIN: "{{ gitea_domain }}"
-    labels:
-      traefik.http.routers.gitea.rule: "Host(`{{ gitea_domain }}`)"
-      traefik.http.routers.gitea.entrypoints: websecure
-      traefik.http.routers.gitea.tls.certresolver: letsencrypt
-      traefik.http.routers.gitea.middlewares: "securehttps@file"
-      traefik.http.services.gitea.loadbalancer.server.port: "3000"
-      traefik.docker.network: traefik
-      traefik.enable: "true"
+    enabled: true
--- a/roles/gitea/templates/compose-env.j2
+++ b/roles/gitea/templates/compose-env.j2
@@ -0,0 +1,19 @@
+# {{ ansible_managed }}
+gitea_version={{ gitea_version }}
+gitea_name={{ gitea_name }}
+gitea_domain={{ gitea_domain }}
+gitea_rooturl={{ gitea_rooturl }}
+gitea_web={{ gitea_web }}
+gitea_ssh={{ gitea_ssh }}
+gitea_dbtype={{ gitea_dbtype }}
+gitea_dbhost={{ gitea_dbhost }}
+gitea_dbname={{ gitea_dbname }}
+gitea_dbuser={{ gitea_dbuser }}
+gitea_dbpass={{ gitea_dbpass }}
+gitea_proxy_limit={{ gitea_proxy_limit }}
+gitea_trusted_proxies={{ gitea_trusted_proxies }}
+{% if not gitea_signup %}
+gitea_disable_registration=true
+{% else %}
+gitea_disable_registration=false
+{% endif %}
--- a/roles/gitea/templates/docker-compose.yml.j2
+++ b/roles/gitea/templates/docker-compose.yml.j2
@@ -0,0 +1,36 @@
+version: '3.7'
+
+services:
+  gitea:
+    image: "gitea/gitea:${gitea_version}"
+    container_name: "${gitea_name}"
+    ports:
+      - "${gitea_ssh}:22"
+      - "${gitea_web}:3000"
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    environment:
+      - USER_UID={{ getent_passwd.git[1] }}
+      - USER_GID={{ getent_group.git[1] }}
+      - GITEA__log__MODE=file
+      - GITEA__server__ROOT_URL=${gitea_rooturl}
+      - GITEA__server__DOMAIN=${gitea_domain}
+      - GITEA__server__SSH_DOMAIN=${gitea_domain}
+      - GITEA__database__DB_TYPE=${gitea_dbtype}
+      - GITEA__database__HOST=${gitea_dbhost}
+      - GITEA__database__NAME=${gitea_dbname}
+      - GITEA__database__USER=${gitea_dbuser}
+      - GITEA__database__PASSWD=${gitea_dbpass}
+      - GITEA__security__INSTALL_LOCK=true
+      - GITEA__security__REVERSE_PROXY_LIMIT=${gitea_proxy_limit}
+      - GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES=${gitea_trusted_proxies}
+      - GITEA__service__DISABLE_REGISTRATION=${gitea_disable_registration}
+    volumes:
+      - {{ gitea_volume }}:/data
+      - /home/git/.ssh:/data/git/.ssh
+      - /var/log/gitea:/data/gitea/log
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+
+volumes:
+  {{ gitea_volume }}:
--- a/roles/gitea/templates/fail2ban-filter.conf.j2
+++ b/roles/gitea/templates/fail2ban-filter.conf.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+[Definition]
+failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+ignoreregex =
--- a/roles/gitea/templates/fail2ban-jail.conf.j2
+++ b/roles/gitea/templates/fail2ban-jail.conf.j2
@@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+[gitea]
+enabled = true
+filter = gitea
+logpath = /var/log/gitea/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports
+
+[gitea-docker]
+enabled = true
+filter = gitea
+logpath = /var/log/gitea/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports[chain="FORWARD"]
--- a/roles/gitea/templates/gitea.sh.j2
+++ b/roles/gitea/templates/gitea.sh.j2
@@ -0,0 +1,2 @@
+#!/bin/sh
+ssh -p {{ gitea_sshport }} -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
--- a/roles/jenkins/files/ansible.list
+++ b/roles/jenkins/files/ansible.list
@@ -1 +0,0 @@
-deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main
--- a/roles/jenkins/tasks/agent.yml
+++ b/roles/jenkins/tasks/agent.yml
@@ -1,8 +1,3 @@
- name: Install GnuPG
-  apt:
-    name: gnupg
-    state: present
-
 - name: Create Jenkins user
  user:
    name: "{{ jenkins_user }}"
@@ -25,16 +20,6 @@
    validate: "visudo -cf %s"
    mode: 0440

- name: Install Ansible source
-  copy:
-    src: ansible.list
-    dest: /etc/apt/sources.list.d/ansible.list
-
- name: Add Ansible source key
-  apt_key:
-    keyserver: keyserver.ubuntu.com
-    id: 93C4A3FD7BB9C367
-
 - name: Install Ansible
  apt:
    name: ansible
--- a/roles/mariadb/defaults/main.yml
+++ b/roles/mariadb/defaults/main.yml
@@ -0,0 +1,3 @@
+mariadb_trust:
+  - "172.16.0.0/12"
+  - "192.168.0.0/16"
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@@ -0,0 +1,25 @@
+- name: Install MariaDB
+  apt:
+    name: mariadb-server
+    state: present
+
+- name: Change the bind-address to allow Docker
+  lineinfile:
+    path: /etc/mysql/mariadb.conf.d/50-server.cnf
+    regex: "^bind-address"
+    line: "bind-address            = 0.0.0.0"
+  register: mariadb_conf
+
+- name: Restart MariaDB
+  service:
+    name: mariadb
+    state: restarted
+  when: mariadb_conf.changed
+
+- name: Allow database connections
+  ufw:
+    rule: allow
+    port: "3306"
+    proto: tcp
+    src: "{{ item }}"
+  loop: "{{ mariadb_trust }}"
--- a/roles/mediawiki/defaults/main.yml
+++ b/roles/mediawiki/defaults/main.yml
@@ -1 +0,0 @@
-mediawiki_name: mediawiki
--- a/roles/mediawiki/tasks/main.yml
+++ b/roles/mediawiki/tasks/main.yml
@@ -1,51 +0,0 @@
- name: Create MediaWiki Network
-  docker_network:
-    name: "{{ mediawiki_name }}"
-
- name: Start MediaWiki's database container
-  docker_container:
-    name: "{{ mediawiki_dbname }}"
-    image: mariadb:{{ mediawiki_dbversion }}
-    state: started
-    restart_policy: always
-    volumes: "{{ mediawiki_dbroot }}:/var/lib/mysql"
-    networks_cli_compatible: true
-    networks:
-      - name: "{{ mediawiki_name }}"
-    env:
-      MYSQL_RANDOM_ROOT_PASSWORD: "true"
-      MYSQL_DATABASE: "{{ mediawiki_dbname }}"
-      MYSQL_USER: "{{ mediawiki_dbuser }}"
-      MYSQL_PASSWORD: "{{ mediawiki_dbpass }}"
-
- name: Start mediawiki container
-  docker_container:
-    name: "{{ mediawiki_name }}"
-    image: mediawiki/mediawiki:{{ mediawiki_version }}
-    state: started
-    restart_policy: always
-    networks_cli_compatible: true
-    ports: "{{ mediawiki_ports }}"
-    networks:
-      - name: "{{ mediawiki_name }}"
-      - name: traefik
-#    volumes:
-#    env:
-#      USER_UID: "1000"
-#      USER_GID: "1000"
-#      DB_TYPE: mysql
-#      DB_HOST: "{{ gitea_dbname }}"
-#      DB_NAME: "{{ gitea_dbname }}"
-#      DB_USER: "{{ gitea_dbuser }}"
-#      DB_PASSWD: "{{ gitea_dbpass }}"
-#      ROOT_URL: "https://{{ gitea_domain }}/"
-#      SSH_DOMAIN: "{{ gitea_domain }}"
-#      DOMAIN: "{{ gitea_domain }}"
-#    labels:
-#      traefik.http.routers.gitea.rule: "Host(`{{ gitea_domain }}`)"
-#      traefik.http.routers.gitea.entrypoints: websecure
-#      traefik.http.routers.gitea.tls.certresolver: letsencrypt
-#      traefik.http.routers.gitea.middlewares: "securehttps@file"
-#      traefik.http.services.gitea.loadbalancer.server.port: "3000"
-#      traefik.docker.network: traefik
-#      traefik.enable: "true"
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -29,9 +29,9 @@
      - "{{ nginx_html }}:/usr/share/nginx/html:ro"
    labels:
      traefik.http.routers.nginx.rule: "Host(`{{ nginx_domain }}`)"
-      traefik.http.middlewares.nginxauth.basicauth.users: "{{ nginx_auth }}"
+      #traefik.http.middlewares.nginxauth.basicauth.users: "{{ nginx_auth }}"
      traefik.http.routers.nginx.entrypoints: websecure
-      traefik.http.routers.nginx.tls.certresolver: letsencrypt
-      traefik.http.routers.nginx.middlewares: "securehttps@file,nginxauth"
+      #traefik.http.routers.nginx.tls.certresolver: letsencrypt
+      #traefik.http.routers.nginx.middlewares: "securehttps@file,nginxauth"
      traefik.docker.network: traefik
      traefik.enable: "true"
--- a/roles/postgresql/defaults/main.yml
+++ b/roles/postgresql/defaults/main.yml
@@ -0,0 +1,5 @@
+postgresql_config: /etc/postgresql/13/main/pg_hba.conf
+postgresql_listen: "*"
+postgresql_trust:
+  - "172.16.0.0/12"
+  - "192.168.0.0/16"
--- a/roles/postgresql/tasks/main.yml
+++ b/roles/postgresql/tasks/main.yml
@@ -0,0 +1,43 @@
+- name: Install PostgreSQL
+  apt:
+    name: postgresql
+    state: present
+
+- name: Trust connections to PostgreSQL
+  postgresql_pg_hba:
+    dest: "{{ postgresql_config }}"
+    contype: host
+    databases: all
+    users: all
+    address: "{{ item }}"
+    method: trust
+  register: postgresql_hba
+  loop: "{{ postgresql_trust }}"
+
+- name: Change PostgreSQL listen addresses
+  postgresql_set:
+    name: listen_addresses
+    value: "{{ postgresql_listen }}"
+  become: true
+  become_user: postgres
+  register: postgresql_config
+
+- name: Reload PostgreSQL
+  service:
+    name: postgresql
+    state: reloaded
+  when: postgresql_hba.changed and not postgresql_config.changed
+
+- name: Restart PostgreSQL
+  service:
+    name: postgresql
+    state: restarted
+  when: postgresql_config.changed
+
+- name: Allow database connections
+  ufw:
+    rule: allow
+    port: "5432"
+    proto: tcp
+    src: "{{ item }}"
+  loop: "{{ postgresql_trust }}"
--- a/roles/proxy/files/reload-nginx.sh
+++ b/roles/proxy/files/reload-nginx.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+systemctl reload nginx
--- a/roles/proxy/handlers/main.yml
+++ b/roles/proxy/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: Reload nginx
+  service:
+    name: nginx
+    state: reloaded
+  listen: reload_nginx
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@@ -0,0 +1,102 @@
+- name: Install nginx
+  apt:
+    name: nginx
+    state: present
+    update_cache: true
+
+- name: Start nginx and enable on boot
+  service:
+    name: nginx
+    state: started
+    enabled: true
+
+- name: Generate DH Parameters
+  openssl_dhparam:
+    path: /etc/ssl/dhparams.pem
+    size: 4096
+
+- name: Install nginx base configuration
+  template:
+    src: nginx.conf.j2
+    dest: /etc/nginx/nginx.conf
+    mode: '0644'
+  notify: reload_nginx
+
+- name: Install nginx sites configuration
+  template:
+    src: server-nginx.conf.j2
+    dest: "/etc/nginx/sites-available/{{ item.domain }}.conf"
+    mode: '0644'
+  loop: "{{ proxy.servers }}"
+  notify: reload_nginx
+  register: nginx_sites
+
+- name: Enable nginx sites configuration
+  file:
+    src: "/etc/nginx/sites-available/{{ item.item.domain }}.conf"
+    dest: "/etc/nginx/sites-enabled/{{ item.item.domain }}.conf"
+    state: link
+  loop: "{{ nginx_sites.results }}"
+  when: item.changed
+  notify: reload_nginx
+
+- name: Generate self-signed certificate
+  shell: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
+          -subj   "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
+          -keyout /etc/ssl/private/nginx-selfsigned.key \
+          -out    /etc/ssl/certs/nginx-selfsigned.crt'
+  args:
+    creates: /etc/ssl/certs/nginx-selfsigned.crt
+  when: proxy.production is not defined or not proxy.production
+  notify: reload_nginx
+
+- name: Install LE's certbot
+  apt:
+    name: ['certbot', 'python3-certbot-dns-cloudflare']
+    state: present
+  when: proxy.production is defined and proxy.production
+
+- name: Install Cloudflare API token
+  template:
+    src: cloudflare.ini.j2
+    dest: /root/.cloudflare.ini
+    mode: '0600'
+  when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
+
+- name: Create nginx post renewal hook directory
+  file:
+    path: /etc/letsencrypt/renewal-hooks/post
+    state: directory
+  when: proxy.production is defined and proxy.production
+
+- name: Install nginx post renewal hook
+  copy:
+    src: reload-nginx.sh
+    dest: /etc/letsencrypt/renewal-hooks/post/reload-nginx.sh
+    mode: '0755'
+  when: proxy.production is defined and proxy.production
+
+- name: Run Cloudflare DNS-01 challenges on wildcard domains
+  shell: '/usr/bin/certbot certonly \
+            --non-interactive \
+            --agree-tos \
+            --email "{{ proxy.dns_cloudflare.email }}" \
+            --dns-cloudflare \
+            --dns-cloudflare-credentials /root/.cloudflare.ini \
+            -d "*.{{ item }}" \
+            -d "{{ item }}" \
+            {{ proxy.dns_cloudflare.opts | default("") }}'
+  args:
+    creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
+  loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"
+  when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
+  notify: reload_nginx
+
+- name: Add HTTP and HTTPS firewall rule
+  ufw:
+    rule: allow
+    port: "{{ item }}"
+    proto: tcp
+  loop:
+    - "80"
+    - "443"
--- a/roles/proxy/templates/cloudflare.ini.j2
+++ b/roles/proxy/templates/cloudflare.ini.j2
@@ -0,0 +1,2 @@
+# Cloudflare API token used by Certbot
+dns_cloudflare_api_token = {{ proxy.dns_cloudflare.api_token }}
--- a/roles/proxy/templates/nginx.conf.j2
+++ b/roles/proxy/templates/nginx.conf.j2
@@ -0,0 +1,34 @@
+user www-data;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+  worker_connections 1024;
+}
+
+http {
+  include           /etc/nginx/mime.types;
+  default_type      application/octet-stream;
+  log_format        main '$remote_addr - $remote_user [$time_local]  $status '
+                         '"$request" $body_bytes_sent "$http_referer" '
+                         '"$http_user_agent" "$http_x_forwarded_for"';
+  access_log        /var/log/nginx/access.log  main;
+  server_tokens     off;
+  sendfile          on;
+  tcp_nopush        on;
+  keepalive_timeout 65;
+  server_names_hash_bucket_size 128;
+
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+  ssl_prefer_server_ciphers off;
+  ssl_dhparam /etc/ssl/dhparams.pem;
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_timeout 1d;
+  ssl_session_tickets off;
+
+  include           /etc/nginx/conf.d/*.conf;
+  include           /etc/nginx/sites-enabled/*;
+}
--- a/roles/proxy/templates/server-nginx.conf.j2
+++ b/roles/proxy/templates/server-nginx.conf.j2
@@ -0,0 +1,57 @@
+server {
+  listen 80;
+  listen [::]:80;
+  server_name {{ item.domain }};
+  return 301 https://{{ item.domain }}$request_uri;
+}
+
+server {
+  listen              443      ssl http2;
+  listen              [::]:443 ssl http2;
+  server_name         {{ item.domain }};
+  access_log          /var/log/nginx/{{ item.domain }}.log main;
+{% if proxy.production is defined and proxy.production and proxy.dns_cloudflare.wildcard_domains is defined and item.tls.cert is not defined %}
+{% for wildcard in proxy.dns_cloudflare.wildcard_domains %}
+{% set domain_regex = '^\*\.' + wildcard + '$' %}
+{% if item.domain | regex_search(wildcard) %}
+  ssl_certificate     /etc/letsencrypt/live/{{ wildcard }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/{{ wildcard }}/privkey.pem;
+{% endif %}
+{% endfor %}
+{% elif proxy.production is defined and proxy.production and item.tls.cert is not defined %}
+  ssl_certificate     /etc/letsencrypt/live/{{ item.domain }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/{{ item.domain }}/privkey.pem;
+{% elif proxy.production is defined and proxy.production and item.tls.cert is defined %}
+  ssl_certificate     {{ item.tls.cert }};
+  ssl_certificate_key {{ item.tls.key }};
+{% else %}
+  ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
+  ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
+{% endif %}
+{% if item.hsts is defined %}
+  add_header Strict-Transport-Security "max-age={{ item.hsts }}" always;
+{% endif %}
+{% if item.client_max_body_size is defined %}
+  client_max_body_size {{ item.client_max_body_size }};
+{% endif %}
+  location / {
+{% if item.restrict is defined and item.restrict  %}
+    auth_basic "{{ item.restrict_name | default('Restricted Access') }}";
+    auth_basic_user_file {{ item.restrict_file | default('/etc/nginx/.htpasswd') }};
+    proxy_set_header Authorization "";
+{% endif %}
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_pass {{ item.proxy_pass }};
+{% if item.proxy_ssl_verify is defined and item.proxy_ssl_verify is false %}
+    proxy_ssl_verify off;
+{% endif %}
+{% if item.websockets is defined and item.websockets %}
+    proxy_http_version 1.1;
+    proxy_set_header Connection $http_connection;
+    proxy_set_header Origin http://$host;
+    proxy_set_header Upgrade $http_upgrade;
+{% endif %}
+  }
+}
--- a/roles/traefik/defaults/main.yml
+++ b/roles/traefik/defaults/main.yml
@@ -1,10 +1,16 @@
+# container settings
 traefik_name: traefik
-traefik_dashboard: false
-traefik_root: "/opt/{{ traefik_name }}"
-traefik_localonly: "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8"
+traefik_standalone: true
+traefik_debug: false
+traefik_web_entry: "80:80"
+traefik_websecure_entry: "443:443"
+
+# review these options before pushing (if i can remember)
 traefik_production: false
+traefik_hsts_enable: false
 traefik_hsts_preload: false
 traefik_hsts_seconds: 0
-traefik_ports:
-  - "80:80"
-  - "443:443"
+traefik_http_redirect: false
+
+# host
+traefik_root: "{{ docker_compose_root }}/{{ traefik_name }}"
--- a/roles/traefik/handlers/main.yml
+++ b/roles/traefik/handlers/main.yml
@@ -4,10 +4,8 @@
    state: touch
  listen: reload_traefik

- name: Restart Traefik container
-  docker_container:
-    name: "{{ traefik_name }}"
-    image: traefik:{{ traefik_version }}
-    state: started
-    restart: yes
+- name: Restart Traefik
+  service:
+    name: "{{ docker_compose_service }}@{{ traefik_name }}"
+    state: restarted
  listen: restart_traefik
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@@ -1,14 +1,8 @@
- name: Create Traefik configuration directories
+- name: Create Traefik directories
  file:
    path: "{{ traefik_root }}/config/dynamic"
    state: directory

- name: Install static Traefik configuration
-  template:
-    src: traefik.yml.j2
-    dest: "{{ traefik_root }}/config/traefik.yml"
-  notify: restart_traefik
-
 - name: Install dynamic security configuration
  template:
    src: security.yml.j2
@@ -25,31 +19,26 @@
  loop: "{{ traefik_external }}"
  when: traefik_external is defined

- name: Create Traefik network
-  docker_network:
-    name: traefik
+- name: Install Traefik's docker-compose file
+  template:
+    src: docker-compose.yml.j2
+    dest: "{{ traefik_root }}/docker-compose.yml"
+  notify: restart_traefik

- name: Start Traefik container
-  docker_container:
-    name: "{{ traefik_name }}"
-    image: traefik:{{ traefik_version }}
+- name: Install Traefik's docker-compose variables
+  template:
+    src: compose-env.j2
+    dest: "{{ traefik_root }}/.env"
+  notify: restart_traefik
+
+- name: Install static Traefik configuration
+  template:
+    src: traefik.yml.j2
+    dest: "{{ traefik_root }}/config/traefik.yml"
+  notify: restart_traefik
+
+- name: Start and enable Traefik service
+  service:
+    name: "{{ docker_compose_service }}@{{ traefik_name }}"
    state: started
-    restart_policy: always
-    ports: "{{ traefik_ports }}"
-    networks_cli_compatible: "false"
-    networks:
-      - name: traefik
-    labels:
-      traefik.http.routers.traefik.rule: "Host(`{{ traefik_domain }}`)"
-      traefik.http.middlewares.auth.basicauth.users: "{{ traefik_auth }}"
-      traefik.http.middlewares.localonly.ipwhitelist.sourcerange: "{{ traefik_localonly }}"
-      traefik.http.routers.traefik.tls.certresolver: letsencrypt
-      traefik.http.routers.traefik.middlewares: "securehttps@file,auth@docker,localonly"
-      traefik.http.routers.traefik.service: "api@internal"
-      traefik.http.routers.traefik.entrypoints: websecure
-      traefik.http.routers.traefik.tls: "true"
-      traefik.docker.network: traefik
-      traefik.enable: "{{ traefik_dashboard | string }}"
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      - "{{ traefik_root }}/config:/etc/traefik"
+    enabled: true
--- a/roles/traefik/templates/compose-env.j2
+++ b/roles/traefik/templates/compose-env.j2
@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+traefik_version={{ traefik_version }}
+traefik_name={{ traefik_name }}
+traefik_domain={{ gitea_domain }}
+traefik_dashboard={{ traefik_dashboard | string | lower }}
+traefik_debug={{ traefik_debug | string | lower }}
+traefik_web_entry={{ traefik_web_entry }}
+traefik_websecure_entry={{ traefik_websecure_entry }}
--- a/roles/traefik/templates/docker-compose.yml.j2
+++ b/roles/traefik/templates/docker-compose.yml.j2
@@ -0,0 +1,42 @@
+version: '3.7'
+
+networks:
+  traefik:
+    name: traefik
+
+services:
+  traefik:
+    image: "traefik:${traefik_version}"
+    container_name: "${traefik_name}"
+    command:
+      - --api.dashboard=${traefik_dashboard:-false}
+      - --api.debug=${traefik_debug:-false}
+      - --providers.docker=true
+      - --entrypoints.web.address=:80
+{% if traefik_standalone %}
+      - --entrypoints.web.http.redirections.entrypoint.to=websecure
+      - --entrypoints.web.http.redirections.entrypoint.scheme=https
+      - --entrypoints.web.http.redirections.entrypoint.permanent=true
+      - --entrypoints.websecure.address=:443
+{% endif %}
+    ports:
+      - "${traefik_web_entry:-80:80}"
+{% if traefik_standalone %}
+      - "${traefik_websecure_entry:-443:443}"
+{% endif %}
+    networks:
+      - traefik
+    labels:
+      - "traefik.http.routers.traefik.rule=Host(`{{ traefik_domain }}`)"
+      - "traefik.http.routers.traefik.service=api@internal"
+{% if traefik_standalone %}
+      - "traefik.http.routers.traefik.entrypoints=websecure"
+      - "traefik.http.routers.traefik.tls=true"
+{% else %}
+      - "traefik.http.routers.traefik.entrypoints=web"
+{% endif %}
+      - "traefik.docker.network=traefik"
+      - "traefik.enable=${traefik_dashboard:-false}"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - "{{ traefik_root }}/config:/etc/traefik"
--- a/roles/traefik/templates/external.yml.j2
+++ b/roles/traefik/templates/external.yml.j2
@@ -10,10 +10,12 @@ http:
 {% elif item.middlewares is defined %}
      middlewares: "{{ item.middlewares }}"
 {% endif %}
+{% if traefik_acme_email is defined %}
      tls:
        certResolver: letsencrypt
        domains:
          - main: "{{ item.domain }}"
+{% endif %}
      entryPoints:
        - "websecure"
  services:
--- a/roles/traefik/templates/security.yml.j2
+++ b/roles/traefik/templates/security.yml.j2
@@ -11,6 +11,8 @@ http:
        sslRedirect: true
        browserXssFilter: true
        contentTypeNosniff: true
+{% if traefik_hsts_enable is defined and traefik_hsts_enable %}
        stsPreload: {{ traefik_hsts_preload }}
        stsSeconds: {{ traefik_hsts_seconds }}
+{% endif %}
        customFrameOptionsValue: SAMEORIGIN
--- a/roles/traefik/templates/traefik.yml.j2
+++ b/roles/traefik/templates/traefik.yml.j2
@@ -10,12 +10,14 @@ providers:
 entrypoints:
  web:
    address: ':80'
+{% if traefik_http_redirect is defined and traefik_http_redirect %}
    http:
      redirections:
        entrypoint:
          to: websecure
          scheme: https
          permanent: true
+{% endif %}
  websecure:
    address: ':443'
    http:
Author	SHA1	Message	Date
Kris Lamoureux	6675f49a6e	testing	2023-04-08 13:09:04 -04:00
Kris Lamoureux	0c3503b10b	testing	2023-03-29 23:55:42 -04:00
Kris Lamoureux	c67a39982e	Option to enable websockets for the noVNC console	2022-12-06 00:15:10 -05:00
Kris Lamoureux	f68f57d0cf	ROOT_URL should have HTTPS for the clone URL	2022-09-18 15:21:16 -04:00
Kris Lamoureux	b9f9b0bf3c	Update TLS settings in nginx proxy	2022-08-27 18:56:12 -04:00
Kris Lamoureux	4f4a341b05	Add client_max_body_size for Nextcloud	2022-08-19 01:27:55 -04:00
Kris Lamoureux	cab6ab2d8e	Strip auth header and update external config	2022-08-19 00:51:05 -04:00
Kris Lamoureux	95f54b7f0a	Add Traefik toggles	2022-08-18 23:32:37 -04:00
Kris Lamoureux	7522c333da	Disable Traefik LE resolver and HSTS	2022-08-18 21:53:38 -04:00
Kris Lamoureux	344b79e97f	Add base domain to the wildcard certificate	2022-08-17 02:17:36 -04:00
Kris Lamoureux	e4fed78193	Remove basic auth on static nginx sites	2022-08-17 01:40:11 -04:00
Kris Lamoureux	85a6c3894a	Add basic auth and ignore backend SSL errors	2022-08-17 01:15:15 -04:00
Kris Lamoureux	7677bc25fa	Add WireGuard firewall rule	2022-08-13 00:19:24 -04:00
Kris Lamoureux	b255680a7a	Use host MariaDB in Gitea container	2022-08-11 21:04:07 -04:00
Kris Lamoureux	9eefad0e87	Install Fail2ban IP allow list	2022-06-28 23:43:58 -04:00
Kris Lamoureux	8362230eb4	Add nginx proxy server	2022-06-27 20:21:25 -04:00
Kris Lamoureux	82df91305a	Install aggressive Fail2ban jail for SSH	2022-06-18 19:47:02 -04:00
Kris Lamoureux	dd9f84d498	Create initial log files for fail2ban	2022-06-07 00:25:47 -04:00
Kris Lamoureux	b52ccabd22	Add Fail2ban to Gitea and Bitwarden	2022-05-28 02:31:41 -04:00
Kris Lamoureux	eccd6b7874	Add reverse proxy settings for Gitea and Bitwarden	2022-05-28 00:18:15 -04:00
Kris Lamoureux	3a92921932	Minor cleanup	2022-05-27 23:14:06 -04:00
Kris Lamoureux	330f2b5a91	Add X-Forwarded-For proxy header	2022-05-27 22:33:35 -04:00
Kris Lamoureux	45465ad26b	Add the ufw firewall	2022-05-27 16:29:27 -04:00
Kris Lamoureux	d7838563a1	Gitea SSH container passthrough	2022-05-27 02:28:51 -04:00
Kris Lamoureux	03a57d2531	Only create LE directory if production is true	2022-05-27 00:06:09 -04:00
Kris Lamoureux	e346180b13	Add Bitwarden systemd service	2022-05-27 00:03:49 -04:00
Kris Lamoureux	be6e1596c5	Rehaul Gitea role for compose and PostgreSQL	2022-05-27 00:02:45 -04:00
Kris Lamoureux	dc520a09e9	Add generic docker-compose systemd service	2022-05-26 23:50:14 -04:00
Kris Lamoureux	c0be314268	Add PostgreSQL server role	2022-05-26 23:49:06 -04:00
Kris Lamoureux	9aca035f2d	Redirect HTTP to HTTPS	2022-05-26 23:32:25 -04:00
Kris Lamoureux	209ff57a4a	Determine wildcard cert paths and tidy nginx role	2022-05-23 22:33:17 -04:00
Kris Lamoureux	9a4aece442	Use DNS-01 on Cloudflare for wildcard LE certs	2022-05-23 03:32:56 -04:00
Kris Lamoureux	acd2cefb1e	Setup nginx reverse proxy	2022-05-22 00:19:56 -04:00
Kris Lamoureux	cd11567164	Fix broken Bitwarden provision	2022-05-19 23:19:09 -04:00
Kris Lamoureux	1c321f6ef7	Use Debian repositories for Docker	2022-05-19 21:06:34 -04:00
				`@@ -1 +0,0 @@`
				`deb http://deb.debian.org/debian buster-backports main`
				`@@ -1 +0,0 @@`
				`deb [arch=amd64] https://download.docker.com/linux/debian buster stable`
				`@@ -1 +0,0 @@`
				`deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main`