Use host MariaDB in Gitea container

2022-07-06 23:01:39 -04:00
16 changed files with 37 additions and 91 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,13 @@
 .vagrant
 .playbook
+/*.yml
+/*.yaml
+!backup.yml
+!moxie.yml
+!docker.yml
+!dockerbox.yml
+!hypervisor.yml
+!minecraft.yml
+!proxy.yml
+!unifi.yml
 /environments/
--- a/README.md
+++ b/README.md
@@ -1,39 +1,25 @@
-# Homelab
-This repository contains Ansible to automate Debian GNU/Linux servers, deploying
-server technologies that are either useful in a personal capacity or provide
-educational value on automating enterprise infrastructure.
+# Project Moxie

-Development is accomplished using Vagrant to allow easy reproducibility in an
-isolated virtual environment that be ran on your local machine.
+Project Moxie is a personal IT homelab project written in Ansible and executed by Jenkins. It is a growing collection of infrastructure as code (IaC) I write out of curiosity and for reference purposes, keeping a handful of beneficial projects managed and secured.

 ## Quick Start
-These steps assume a basic understanding of GNU/Linux, Hypervisors, Vagrant, and Ansible.
+
+To configure a local virtual machine for testing, follow these simple steps.

 ### Prerequisites
- [Vagrant](https://developer.hashicorp.com/vagrant/docs/installation)
- [Supported hypervisor](https://developer.hashicorp.com/vagrant/docs/providers)
- Ansible
+
+Vagrant and VirtualBox are used to develop Project Moxie. You will need to install these before continuing.

 ### Installation

 1. Clone this repository
   ```
-   git clone https://git.krislamo.org/kris/homelab
-   ```
-   OR download from the mirror on GitHub:
-   ```
-   git clone https://github.com/krislamo/homelab
+   git clone https://github.com/krislamo/moxie
   ```
+2. Set the `PLAYBOOK` environmental variable to a development playbook name in the `dev/` directory

-2. Find available playbooks for development
-   ```
-   cd homelab
-   ```
-   ```
-   find dev -maxdepth 1 -name "*.yml" -exec basename {} .yml \;
-   ```
+   The following `PLAYBOOK` names are available: `dockerbox`, `hypervisor`, `minecraft`, `bitwarden`, `nextcloud`, `nginx`

-3. Set the `PLAYBOOK` environmental variable to a value listed in the last step, e.g.,
   ```
   export PLAYBOOK=dockerbox
   ```
@@ -43,10 +29,11 @@ These steps assume a basic understanding of GNU/Linux, Hypervisors, Vagrant, and
   ```

 #### Copyright and License
-Copyright (C) 2020-2022  Kris Lamoureux
+Copyright (C) 2020-2021  Kris Lamoureux

 [![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)

+
 This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.

 This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
--- a/dockerbox.yml
+++ b/dockerbox.yml
@@ -20,6 +20,7 @@
    - docker
    - traefik
    - nextcloud
+    - gitea
    - jenkins
    - prometheus
    - nginx
--- a/proxy.yml
+++ b/proxy.yml
@@ -4,7 +4,7 @@
  roles:
    - base
    - jenkins
-    - mariadb
+    - postgresql
    - proxy
    - docker
    - gitea
--- a/roles/base/defaults/main.yml
+++ b/roles/base/defaults/main.yml
@@ -3,7 +3,6 @@ network_type: static
 allow_reboot: true

 packages:
-  - apache2-utils
  - cryptsetup
  - curl
  - dnsutils
--- a/roles/base/tasks/wireguard.yml
+++ b/roles/base/tasks/wireguard.yml
@@ -27,10 +27,3 @@
    name: wg-quick@wg0
    state: started
    enabled: true
-
- name: Add WireGuard firewall rule
-  ufw:
-    rule: allow
-    port: "{{ wireguard.listenport }}"
-    proto: tcp
-  when: wireguard.listenport is defined
--- a/roles/gitea/defaults/main.yml
+++ b/roles/gitea/defaults/main.yml
@@ -5,7 +5,7 @@ gitea_webport: "3000"
 gitea_ssh: "127.0.0.1:{{ gitea_sshport }}"
 gitea_web: "127.0.0.1:{{ gitea_webport }}"
 gitea_volume: "{{ gitea_name }}"
-gitea_rooturl: "https://{{ gitea_domain }}"
+gitea_rooturl: "http://{{ gitea_domain }}"
 gitea_signup: true

 # database settings
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -29,9 +29,9 @@
      - "{{ nginx_html }}:/usr/share/nginx/html:ro"
    labels:
      traefik.http.routers.nginx.rule: "Host(`{{ nginx_domain }}`)"
-      #traefik.http.middlewares.nginxauth.basicauth.users: "{{ nginx_auth }}"
+      traefik.http.middlewares.nginxauth.basicauth.users: "{{ nginx_auth }}"
      traefik.http.routers.nginx.entrypoints: websecure
-      #traefik.http.routers.nginx.tls.certresolver: letsencrypt
-      #traefik.http.routers.nginx.middlewares: "securehttps@file,nginxauth"
+      traefik.http.routers.nginx.tls.certresolver: letsencrypt
+      traefik.http.routers.nginx.middlewares: "securehttps@file,nginxauth"
      traefik.docker.network: traefik
      traefik.enable: "true"
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@@ -10,11 +10,6 @@
    state: started
    enabled: true

- name: Generate DH Parameters
-  openssl_dhparam:
-    path: /etc/ssl/dhparams.pem
-    size: 4096
-
 - name: Install nginx base configuration
  template:
    src: nginx.conf.j2
@@ -83,9 +78,7 @@
            --email "{{ proxy.dns_cloudflare.email }}" \
            --dns-cloudflare \
            --dns-cloudflare-credentials /root/.cloudflare.ini \
-            -d "*.{{ item }}" \
-            -d "{{ item }}" \
-            {{ proxy.dns_cloudflare.opts | default("") }}'
+            -d "*.{{ item }}" {{ proxy.dns_cloudflare.opts | default("") }}'
  args:
    creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
  loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"
--- a/roles/proxy/templates/nginx.conf.j2
+++ b/roles/proxy/templates/nginx.conf.j2
@@ -21,14 +21,6 @@ http {
  keepalive_timeout 65;
  server_names_hash_bucket_size 128;

-  ssl_protocols TLSv1.2 TLSv1.3;
-  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-  ssl_prefer_server_ciphers off;
-  ssl_dhparam /etc/ssl/dhparams.pem;
-  ssl_session_cache shared:SSL:10m;
-  ssl_session_timeout 1d;
-  ssl_session_tickets off;
-
  include           /etc/nginx/conf.d/*.conf;
  include           /etc/nginx/sites-enabled/*;
 }
--- a/roles/proxy/templates/server-nginx.conf.j2
+++ b/roles/proxy/templates/server-nginx.conf.j2
@@ -1,13 +1,12 @@
 server {
    listen 80;
-  listen [::]:80;
+
    server_name {{ item.domain }};
    return 301 https://{{ item.domain }}$request_uri;
 }

 server {
-  listen              443      ssl http2;
-  listen              [::]:443 ssl http2;
+  listen              443 ssl;
  server_name         {{ item.domain }};
  access_log          /var/log/nginx/{{ item.domain }}.log main;
 {% if proxy.production is defined and proxy.production and proxy.dns_cloudflare.wildcard_domains is defined and item.tls.cert is not defined %}
@@ -27,31 +26,11 @@ server {
 {% else %}
  ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
  ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
-{% endif %}
-{% if item.hsts is defined %}
-  add_header Strict-Transport-Security "max-age={{ item.hsts }}" always;
-{% endif %}
-{% if item.client_max_body_size is defined %}
-  client_max_body_size {{ item.client_max_body_size }};
 {% endif %}
  location / {
-{% if item.restrict is defined and item.restrict  %}
-    auth_basic "{{ item.restrict_name | default('Restricted Access') }}";
-    auth_basic_user_file {{ item.restrict_file | default('/etc/nginx/.htpasswd') }};
-    proxy_set_header Authorization "";
-{% endif %}
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass {{ item.proxy_pass }};
-{% if item.proxy_ssl_verify is defined and item.proxy_ssl_verify is false %}
-    proxy_ssl_verify off;
-{% endif %}
-{% if item.websockets is defined and item.websockets %}
-    proxy_http_version 1.1;
-    proxy_set_header Connection $http_connection;
-    proxy_set_header Origin http://$host;
-    proxy_set_header Upgrade $http_upgrade;
-{% endif %}
  }
 }
--- a/roles/traefik/defaults/main.yml
+++ b/roles/traefik/defaults/main.yml
@@ -3,10 +3,8 @@ traefik_dashboard: false
 traefik_root: "/opt/{{ traefik_name }}"
 traefik_localonly: "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8"
 traefik_production: false
-traefik_hsts_enable: false
 traefik_hsts_preload: false
 traefik_hsts_seconds: 0
-traefik_http_redirect: false
 traefik_ports:
  - "80:80"
  - "443:443"
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@@ -42,10 +42,10 @@
      - name: traefik
    labels:
      traefik.http.routers.traefik.rule: "Host(`{{ traefik_domain }}`)"
-      #traefik.http.middlewares.auth.basicauth.users: "{{ traefik_auth }}"
-      #traefik.http.middlewares.localonly.ipwhitelist.sourcerange: "{{ traefik_localonly }}"
-      #traefik.http.routers.traefik.tls.certresolver: letsencrypt
-      #traefik.http.routers.traefik.middlewares: "securehttps@file,auth@docker,localonly"
+      traefik.http.middlewares.auth.basicauth.users: "{{ traefik_auth }}"
+      traefik.http.middlewares.localonly.ipwhitelist.sourcerange: "{{ traefik_localonly }}"
+      traefik.http.routers.traefik.tls.certresolver: letsencrypt
+      traefik.http.routers.traefik.middlewares: "securehttps@file,auth@docker,localonly"
      traefik.http.routers.traefik.service: "api@internal"
      traefik.http.routers.traefik.entrypoints: websecure
      traefik.http.routers.traefik.tls: "true"
--- a/roles/traefik/templates/external.yml.j2
+++ b/roles/traefik/templates/external.yml.j2
@@ -10,12 +10,10 @@ http:
 {% elif item.middlewares is defined %}
      middlewares: "{{ item.middlewares }}"
 {% endif %}
-{% if traefik_acme_email is defined %}
      tls:
        certResolver: letsencrypt
        domains:
          - main: "{{ item.domain }}"
-{% endif %}
      entryPoints:
        - "websecure"
  services:
--- a/roles/traefik/templates/security.yml.j2
+++ b/roles/traefik/templates/security.yml.j2
@@ -11,8 +11,6 @@ http:
        sslRedirect: true
        browserXssFilter: true
        contentTypeNosniff: true
-{% if traefik_hsts_enable is defined and traefik_hsts_enable %}
        stsPreload: {{ traefik_hsts_preload }}
        stsSeconds: {{ traefik_hsts_seconds }}
-{% endif %}
        customFrameOptionsValue: SAMEORIGIN
--- a/roles/traefik/templates/traefik.yml.j2
+++ b/roles/traefik/templates/traefik.yml.j2
@@ -10,14 +10,12 @@ providers:
 entrypoints:
  web:
    address: ':80'
-{% if traefik_http_redirect is defined and traefik_http_redirect %}
    http:
      redirections:
        entrypoint:
          to: websecure
          scheme: https
          permanent: true
-{% endif %}
  websecure:
    address: ':443'
    http: