	| Author | SHA1 | Date | |
|---|---|---|---|
| d954c64e23 | |||
| ccf6b10a0e | |||
| bd8eca0466 | |||
| 56c3721a5e | |||
| 77c9b12186 | |||
| 3102c621f0 | |||
| e3f03edf3f | |||
| f481a965dd | |||
| a0aa289c05 | 
								.github/workflows/vagrant.yml
							| @@ -3,22 +3,17 @@ name: homelab-ci | |||||||
| on: | on: | ||||||
|   push: |   push: | ||||||
|     branches: |     branches: | ||||||
|       - main |       - github_actions | ||||||
|       - testing |       # - main | ||||||
|  |       # - testing | ||||||
|  |  | ||||||
| jobs: | jobs: | ||||||
|   homelab-ci: |   homelab-ci: | ||||||
|     runs-on: macos-13 |     runs-on: macos-latest | ||||||
|  |  | ||||||
|     steps: |     steps: | ||||||
|       - uses: actions/checkout@v3 |       - uses: actions/checkout@v3 | ||||||
|  |  | ||||||
|       - name: Setup tmate session |  | ||||||
|         uses: mxschmitt/action-tmate@v3 |  | ||||||
|         with: |  | ||||||
|           detached: true |  | ||||||
|           limit-access-to-actor: true |  | ||||||
|  |  | ||||||
|       - name: Cache Vagrant boxes |       - name: Cache Vagrant boxes | ||||||
|         uses: actions/cache@v3 |         uses: actions/cache@v3 | ||||||
|         with: |         with: | ||||||
| @@ -27,23 +22,19 @@ jobs: | |||||||
|           restore-keys: | |           restore-keys: | | ||||||
|             ${{ runner.os }}-vagrant- |             ${{ runner.os }}-vagrant- | ||||||
|  |  | ||||||
|       - name: Install Tools |  | ||||||
|         run: brew install nmap tree |  | ||||||
|  |  | ||||||
|       - name: Install VirtualBox |  | ||||||
|         run: brew install --cask virtualbox |  | ||||||
|  |  | ||||||
|       - name: Install Vagrant |  | ||||||
|         run: brew install --cask vagrant |  | ||||||
|  |  | ||||||
|       - name: Install Ansible |       - name: Install Ansible | ||||||
|         run: brew install ansible |         run: brew install ansible@7 | ||||||
|  |  | ||||||
|       - name: Software Versions |       - name: Software Versions | ||||||
|         run: | |         run: | | ||||||
|           printf "VirtualBox "; vboxmanage --version |           printf "VirtualBox " | ||||||
|  |           vboxmanage --version | ||||||
|           vagrant --version |           vagrant --version | ||||||
|  |           export PATH="/usr/local/opt/ansible@7/bin:$PATH" | ||||||
|           ansible --version |           ansible --version | ||||||
|  |  | ||||||
|       - name: Vagrant Up with Dockerbox Playbook |       - name: Vagrant Up with Dockerbox Playbook | ||||||
|         run: ./scripts/github-vagrant.sh |         run: | | ||||||
|  |           export PATH="/usr/local/opt/ansible@7/bin:$PATH" | ||||||
|  |           PLAYBOOK=dockerbox vagrant up | ||||||
|  |           vagrant ssh -c "docker ps" | ||||||
|   | |||||||
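Review bot: `actions/checkout@v3` and `actions/cache@v3` are still referenced by mutable tag, so the job's trust boundary is whoever controls those tags; the usual supply-chain control is a full commit pin with the tag kept as a comment, `uses: actions/checkout@<commit-sha> # v3`, and the cache action in the second hunk should get the same treatment. The `export PATH="/usr/local/opt/ansible@7/bin:$PATH"` line is repeated in both run steps; writing `echo "/usr/local/opt/ansible@7/bin" >> "$GITHUB_PATH"` once in the Install Ansible step makes it persist for every later step. The second hunk removes the VirtualBox and Vagrant install steps while Software Versions still calls `vboxmanage --version` and `vagrant --version`, which presumably relies on the `macos-latest` image shipping both; that is worth confirming, since `macos-latest` no longer resolves to the same image as the `macos-13` label it replaces.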
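--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
+.ansible*
+/environments/
 .playbook
 .vagrant*
 .vscode
-/environments/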
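--- a/Vagrantfile
+++ b/Vagrantfile
@@ -36,7 +36,6 @@ Vagrant.configure("2") do |config|
   config.vm.provider :virtualbox do |vbox|
     vbox.cpus   = VAGRANT_CPUS
     vbox.memory = VAGRANT_MEM
-    vbox.gui    = true
   end
 
   # Provision with Ansible
@@ -44,6 +43,6 @@ Vagrant.configure("2") do |config|
     ENV['ANSIBLE_ROLES_PATH'] = File.dirname(__FILE__) + "/roles"
     ansible.compatibility_mode = "2.0"
     ansible.playbook = "dev/" + PLAYBOOK + ".yml"
-    ansible.raw_arguments = ["--diff", "-vvvv"]
+    ansible.raw_arguments = ["--diff"]
   end
 end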
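Review bot: `ansible.raw_arguments = ["--diff"]` keeps diff output on for every provisioning run, and `--diff` prints the full before/after content of templated files into the CI log, which matters for any task that renders a secret (the proxy role's `cloudflare.ini.j2` is one); the Vagrantfile cannot limit that per task, so those tasks need `diff: false` or `no_log: true` on the Ansible side. Dropping `-vvvv` already removes the larger leak of registered variable contents, so a one-line comment here, `# --diff shows rendered file contents in logs; secret-bearing tasks must set diff: false`, would record why the verbosity was cut. Both hunks sit inside the `Vagrant.configure("2") do |config|` block, whose start and the `ansible` provisioner header are outside the hunk.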
| @@ -4,8 +4,12 @@ manage_network: false | |||||||
|  |  | ||||||
| # Import my GPG key for git signature verification | # Import my GPG key for git signature verification | ||||||
| root_gpgkeys: | root_gpgkeys: | ||||||
|  |   - name: kris@lamoureux.io | ||||||
|  |     id: 42A3A92C5DA0F3E5F71A3710105B748C1362EB96 | ||||||
|  |   # Older key, but still in use | ||||||
|   - name: kris@lamoureux.io |   - name: kris@lamoureux.io | ||||||
|     id: FBF673CEEC030F8AECA814E73EDA9C3441EDA925 |     id: FBF673CEEC030F8AECA814E73EDA9C3441EDA925 | ||||||
|  |     server: keyserver.ubuntu.com | ||||||
|  |  | ||||||
| # proxy | # proxy | ||||||
| proxy: | proxy: | ||||||
|   | |||||||
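Review bot: The new first entry under `root_gpgkeys` (`id: 42A3A92C5DA0F3E5F71A3710105B748C1362EB96`) has no `server:` while the older entry below it now sets `server: keyserver.ubuntu.com`, so which keyserver the new key is fetched from depends on a default in the base role that is not visible here; if the role has no default, set `server:` on both entries so the fetch source is explicit. Both entries share `name: kris@lamoureux.io`, which is fine for a list but worth checking against how the role iterates `root_gpgkeys`, since a `loop_control` label or any dict keyed on `name` would collapse them into one.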
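--- a/dev/host_vars/podman.yml
+++ b/dev/host_vars/podman.yml
@@ -0,0 +1,14 @@
+# base
+allow_reboot: false
+manage_network: false
+
+users:
+  kris:
+    uid: 1001
+    gid: 1001
+    home: true
+
+# podman
+user_namespaces:
+  - kris
+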
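--- a/dev/podman.yml
+++ b/dev/podman.yml
@@ -0,0 +1,8 @@
+- name: Install Podman server
+  hosts: all
+  become: true
+  vars_files:
+    - host_vars/podman.yml
+  roles:
+    - base
+    - podman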
| @@ -4,4 +4,5 @@ | |||||||
|   roles: |   roles: | ||||||
|     - base |     - base | ||||||
|     - jenkins |     - jenkins | ||||||
|  |     - proxy | ||||||
|     - docker |     - docker | ||||||
|   | |||||||
| @@ -3,9 +3,9 @@ | |||||||
|   become: true |   become: true | ||||||
|   roles: |   roles: | ||||||
|     - base |     - base | ||||||
|  |     - jenkins | ||||||
|     - docker |     - docker | ||||||
|  |     - mariadb | ||||||
|     - traefik |     - traefik | ||||||
|     - nextcloud |     - nextcloud | ||||||
|     - jenkins |     - proxy | ||||||
|     - prometheus |  | ||||||
|     - nginx |  | ||||||
|   | |||||||
| @@ -26,7 +26,7 @@ | |||||||
|   ansible.builtin.template: |   ansible.builtin.template: | ||||||
|     src: smb.conf.j2 |     src: smb.conf.j2 | ||||||
|     dest: /etc/samba/smb.conf |     dest: /etc/samba/smb.conf | ||||||
|     mode: "700" |     mode: "644" | ||||||
|   notify: restart_samba |   notify: restart_samba | ||||||
|  |  | ||||||
| - name: Start smbd and enable on boot | - name: Start smbd and enable on boot | ||||||
|   | |||||||
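Review bot: `mode: "644"` is the only three-digit mode in this change set; the podman role and the proxy role's `reload-nginx.sh` task write `"0644"` and `"0755"`, so `mode: "0644"` keeps the octal intent obvious and consistent with the rest of the repository. The file module parses a quoted `"644"` as octal, so this is style rather than behaviour. Going from 0700 to world-readable is appropriate only while `smb.conf.j2` carries no credentials; the template is outside this hunk, so a short comment on the task stating that expectation would protect the permission from a later template change.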
| @@ -80,8 +80,10 @@ | |||||||
|     state: present |     state: present | ||||||
|     uid: "{{ item.value.uid }}" |     uid: "{{ item.value.uid }}" | ||||||
|     group: "{{ item.value.gid }}" |     group: "{{ item.value.gid }}" | ||||||
|  |     groups: "{{ item.value.groups | default([]) }}" | ||||||
|     shell: "{{ item.value.shell | default('/bin/bash') }}" |     shell: "{{ item.value.shell | default('/bin/bash') }}" | ||||||
|     create_home: "{{ item.value.home | default(false) }}" |     create_home: "{{ item.value.home | default(false) }}" | ||||||
|  |     home: "{{ item.value.homedir | default('/home/' + item.key) }}" | ||||||
|     system: "{{ item.value.system | default(false) }}" |     system: "{{ item.value.system | default(false) }}" | ||||||
|   loop: "{{ users | dict2items }}" |   loop: "{{ users | dict2items }}" | ||||||
|   loop_control: |   loop_control: | ||||||
|   | |||||||
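Review bot: `groups: "{{ item.value.groups | default([]) }}"` is added to the `ansible.builtin.user` task without an `append:`, so the module default `append: false` applies and a `users` entry with no `groups` key is stripped of every supplementary group it currently holds; the role then owns secondary-group membership entirely, which is presumably what replaces the docker role's removed `Add users to docker group` task. If that is intended, a comment saying `groups` is authoritative would save the next reader a surprise; if not, `append: "{{ item.value.append | default(false) }}"` lets an entry opt in. The enclosing task starts above the hunk (line 80 is mid-task), so its `name:` and `loop_control` are not visible here.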
| @@ -18,6 +18,28 @@ | |||||||
|     src: /etc/wireguard/privatekey |     src: /etc/wireguard/privatekey | ||||||
|   register: wgkey |   register: wgkey | ||||||
|  |  | ||||||
|  | - name: Check if WireGuard preshared key file exists | ||||||
|  |   ansible.builtin.stat: | ||||||
|  |     path: /etc/wireguard/presharedkey-{{ item.name }} | ||||||
|  |   loop: "{{ wireguard.peers }}" | ||||||
|  |   loop_control: | ||||||
|  |     label: "{{ item.name }}" | ||||||
|  |   register: presharedkey_files | ||||||
|  |  | ||||||
|  | - name: Grab WireGuard preshared key for configuration | ||||||
|  |   ansible.builtin.slurp: | ||||||
|  |     src: /etc/wireguard/presharedkey-{{ item.item.name }} | ||||||
|  |   register: wgshared | ||||||
|  |   loop: "{{ presharedkey_files.results }}" | ||||||
|  |   loop_control: | ||||||
|  |     label: "{{ item.item.name }}" | ||||||
|  |   when: item.stat.exists | ||||||
|  |  | ||||||
|  | - name: Grab WireGuard private key for configuration | ||||||
|  |   ansible.builtin.slurp: | ||||||
|  |     src: /etc/wireguard/privatekey | ||||||
|  |   register: wgkey | ||||||
|  |  | ||||||
| - name: Install WireGuard configuration | - name: Install WireGuard configuration | ||||||
|   ansible.builtin.template: |   ansible.builtin.template: | ||||||
|     src: wireguard.j2 |     src: wireguard.j2 | ||||||
|   | |||||||
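Review bot: The added `Grab WireGuard private key for configuration` task slurps `/etc/wireguard/privatekey` into `register: wgkey`, which duplicates the slurp already visible at the top of the hunk with the same `src` and the same `register`; one of the two should be removed. All of these slurps place key material into registered variables that appear in verbose (`-v`) task output and in any callback that records results, so `no_log: true` on the private-key and preshared-key slurps keeps the base64 content out of the CI log. The stat loop uses `path: /etc/wireguard/presharedkey-{{ item.name }}` unconditionally while the template guards `peer.name is defined`; a peer without a `name` fails here first, so either require `name` on every peer or add `when: item.name is defined` to the stat and slurp tasks.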
| @@ -1,4 +1,6 @@ | |||||||
| [Interface] | # {{ ansible_managed }} | ||||||
|  |  | ||||||
|  | [Interface] # {{ ansible_hostname }} | ||||||
| PrivateKey = {{ wgkey['content'] | b64decode | trim }} | PrivateKey = {{ wgkey['content'] | b64decode | trim }} | ||||||
| Address = {{ wireguard.address }} | Address = {{ wireguard.address }} | ||||||
| {% if wireguard.listenport is defined %} | {% if wireguard.listenport is defined %} | ||||||
| @@ -6,8 +8,26 @@ ListenPort = {{ wireguard.listenport }} | |||||||
| {% endif %} | {% endif %} | ||||||
|  |  | ||||||
| {% for peer in wireguard.peers %} | {% for peer in wireguard.peers %} | ||||||
|  | {% if peer.name is defined %} | ||||||
|  | [Peer] # {{ peer.name }} | ||||||
|  | {% else %} | ||||||
| [Peer] | [Peer] | ||||||
|  | {% endif %} | ||||||
| PublicKey = {{ peer.publickey }} | PublicKey = {{ peer.publickey }} | ||||||
|  | {% if peer.presharedkey is defined %} | ||||||
|  | PresharedKey = {{ peer.presharedkey }} | ||||||
|  | {% else %} | ||||||
|  | {% set preshared_key = ( | ||||||
|  |     wgshared.results | ||||||
|  |     | selectattr('item.item.name', 'equalto', peer.name) | ||||||
|  |     | first | ||||||
|  |   ).content | ||||||
|  |   | default(none) | ||||||
|  | %} | ||||||
|  | {% if preshared_key is not none %} | ||||||
|  | PresharedKey = {{ preshared_key | b64decode | trim }} | ||||||
|  | {% endif %} | ||||||
|  | {% endif %} | ||||||
| {% if peer.endpoint is defined %} | {% if peer.endpoint is defined %} | ||||||
| Endpoint = {{ peer.endpoint }} | Endpoint = {{ peer.endpoint }} | ||||||
| {% endif %} | {% endif %} | ||||||
|   | |||||||
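Review bot: The `{% set preshared_key = ... %}` expression reads `.content` from the first `wgshared.results` entry whose `item.item.name` matches `peer.name`, and for a peer whose slurp was skipped (`when: item.stat.exists` false) that entry has no `content`; the `| default(none)` appears to rescue that case only because Ansible's chainable undefined lets the attribute access yield undefined rather than raise, which deserves a template comment since it reads as if `default` guards an ordinary missing key. A peer with no `name` makes `peer.name` undefined, so the `equalto` test never matches and the `else` branch silently emits no `PresharedKey` for that peer, which is a weaker tunnel rather than an error. The two branches also differ in where the secret lives: `peer.presharedkey` keeps the PSK in inventory variables, whereas the file path keeps it on the host only, so a comment stating which one is preferred would help.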
| @@ -24,15 +24,21 @@ | |||||||
|  |  | ||||||
| - name: Install/uninstall Docker from Debian repositories | - name: Install/uninstall Docker from Debian repositories | ||||||
|   ansible.builtin.apt: |   ansible.builtin.apt: | ||||||
|     name: ['docker.io', 'docker-compose', 'containerd', 'runc'] |     name: ["docker.io", "docker-compose", "containerd", "runc"] | ||||||
|     state: "{{ 'absent' if docker_official else 'present' }}" |     state: "{{ 'absent' if docker_official else 'present' }}" | ||||||
|     autoremove: true |     autoremove: true | ||||||
|     update_cache: true |     update_cache: true | ||||||
|  |  | ||||||
| - name: Install/uninstall Docker from Docker repositories | - name: Install/uninstall Docker from Docker repositories | ||||||
|   ansible.builtin.apt: |   ansible.builtin.apt: | ||||||
|     name: ['docker-ce', 'docker-ce-cli', 'containerd.io', |     name: | ||||||
|            'docker-buildx-plugin', 'docker-compose-plugin'] |       [ | ||||||
|  |         "docker-ce", | ||||||
|  |         "docker-ce-cli", | ||||||
|  |         "containerd.io", | ||||||
|  |         "docker-buildx-plugin", | ||||||
|  |         "docker-compose-plugin", | ||||||
|  |       ] | ||||||
|     state: "{{ 'present' if docker_official else 'absent' }}" |     state: "{{ 'present' if docker_official else 'absent' }}" | ||||||
|     autoremove: true |     autoremove: true | ||||||
|     update_cache: true |     update_cache: true | ||||||
| @@ -135,14 +141,6 @@ | |||||||
|     label: "{{ item.name }}" |     label: "{{ item.name }}" | ||||||
|   when: docker_compose_deploy is defined and item.env is defined |   when: docker_compose_deploy is defined and item.env is defined | ||||||
|  |  | ||||||
| - name: Add users to docker group |  | ||||||
|   ansible.builtin.user: |  | ||||||
|     name: "{{ item }}" |  | ||||||
|     groups: docker |  | ||||||
|     append: true |  | ||||||
|   loop: "{{ docker_users }}" |  | ||||||
|   when: docker_users is defined |  | ||||||
|  |  | ||||||
| - name: Start Docker and enable on boot | - name: Start Docker and enable on boot | ||||||
|   ansible.builtin.service: |   ansible.builtin.service: | ||||||
|     name: docker |     name: docker | ||||||
|   | |||||||
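Review bot: Removing `Add users to docker group` silently drops support for the `docker_users` variable; an inventory that still sets it now gets no membership change and no warning, so either keep a transitional `ansible.builtin.assert` that `docker_users is not defined` with a message pointing at `users.<name>.groups`, or record the migration in the role's README. Membership in `docker` is root-equivalent on the host, so wherever the replacement lives (the base role's new `groups:` handling) a comment that listing `docker` there grants that access is worth having. The single-to-double quoting change on the `name:` lists in the first hunk is cosmetic.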
| @@ -15,7 +15,7 @@ services: | |||||||
|     networks: |     networks: | ||||||
|       - traefik |       - traefik | ||||||
|     labels: |     labels: | ||||||
|       - "traefik.http.routers.{{ jellyfin_router }}.rule=Host(`{{ jellyfin_domain }}`)" |       - "traefik.http.routers.{{ jellyfin_router }}.rule=Host({{ jellyfin_domains }})" | ||||||
| {% if traefik_http_only %} | {% if traefik_http_only %} | ||||||
|       - "traefik.http.routers.{{ jellyfin_router }}.entrypoints=web" |       - "traefik.http.routers.{{ jellyfin_router }}.entrypoints=web" | ||||||
| {% else %} | {% else %} | ||||||
|   | |||||||
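Review bot: `Host({{ jellyfin_domains }})` now depends on `jellyfin_domains` already being a string of backtick-quoted, comma-separated names, which moves Traefik rule syntax into the inventory; a plain hostname value silently produces a router rule Traefik will reject. Building the rule from a list inside the template, mapping each name through a `regex_replace` that wraps it in backticks and then `join(', ')`, keeps the quoting where the rule is defined. Whether the rest of the compose template still references the old `jellyfin_domain` is not visible in this hunk.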
| @@ -16,10 +16,12 @@ | |||||||
|     regex: "^bind-address" |     regex: "^bind-address" | ||||||
|     line: "bind-address            = {{ ansible_facts.docker0.ipv4.address }}" |     line: "bind-address            = {{ ansible_facts.docker0.ipv4.address }}" | ||||||
|   notify: restart_mariadb |   notify: restart_mariadb | ||||||
|  |   when: ansible_facts.docker0 is defined | ||||||
|  |  | ||||||
| - name: Flush handlers to ensure MariaDB restarts immediately | - name: Flush handlers to ensure MariaDB restarts immediately | ||||||
|   ansible.builtin.meta: flush_handlers |   ansible.builtin.meta: flush_handlers | ||||||
|   tags: restart_mariadb |   tags: restart_mariadb | ||||||
|  |   when: ansible_facts.docker0 is defined | ||||||
|  |  | ||||||
| - name: Allow database connections from Docker | - name: Allow database connections from Docker | ||||||
|   community.general.ufw: |   community.general.ufw: | ||||||
|   | |||||||
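Review bot: Gating the `bind-address` edit and the handler flush on `ansible_facts.docker0 is defined` leaves the `Allow database connections from Docker` task below ungated (its body is outside the hunk), so on a host without docker0 it presumably still opens the firewall for a listener that was never moved off the default address; the same `when:` belongs on that task, or the three tasks should share one `block:` with the condition. Because `docker0` only exists once Docker is installed and running, this condition also ties the result to role order (the playbook hunk now lists `mariadb` after `docker`), which deserves a comment such as `# docker0 is created by the docker role; keep mariadb after docker in the play`.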
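--- a/roles/podman/tasks/main.yml
+++ b/roles/podman/tasks/main.yml
@@ -0,0 +1,62 @@
+- name: Install Podman
+  ansible.builtin.apt:
+    name: ["podman", "podman-compose", "podman-docker"]
+    state: present
+
+- name: Get user info for namespace users
+  ansible.builtin.getent:
+    database: passwd
+    key: "{{ item }}"
+  loop: "{{ user_namespaces }}"
+  register: user_info
+
+- name: Configure /etc/subuid for rootless users
+  ansible.builtin.lineinfile:
+    path: "/etc/subuid"
+    line:
+      "{{ item.item }}:{{ 100000 +
+      ((item.ansible_facts.getent_passwd[item.item][1] | int - 1000) * 65536)
+      }}:65536"
+    regexp: "^{{ item.item }}:"
+    create: true
+    backup: true
+    mode: "0644"
+  loop: "{{ user_info.results }}"
+
+- name: Configure /etc/subgid for rootless users
+  ansible.builtin.lineinfile:
+    path: "/etc/subgid"
+    line:
+      "{{ item.item }}:{{ 100000 +
+      ((item.ansible_facts.getent_passwd[item.item][1] | int - 1000) * 65536)
+      }}:65536"
+    regexp: "^{{ item.item }}:"
+    create: true
+    backup: true
+    mode: "0644"
+  loop: "{{ user_info.results }}"
+
+- name: Create nodocker file to disable Docker CLI emulation message
+  ansible.builtin.file:
+    path: /etc/containers/nodocker
+    state: touch
+    owner: root
+    group: root
+    mode: "0644"
+
+- name: Create global containers config directory
+  ansible.builtin.file:
+    path: /etc/containers
+    state: directory
+    mode: "0755"
+
+- name: Configure global containers.conf for rootless
+  ansible.builtin.copy:
+    content: |
+      [engine]
+      cgroup_manager = "cgroupfs"
+      events_logger = "journald"
+      runtime = "crun"
+    dest: /etc/containers/containers.conf
+    mode: "0644"
+    backup: true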
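Review bot: `Create nodocker file to disable Docker CLI emulation message` uses `state: touch` without `modification_time: preserve` and `access_time: preserve`, so it reports changed on every run and breaks idempotence checks; it also runs before `Create global containers config directory` creates `/etc/containers`, so the two tasks should be swapped (today it works only if the podman package already made the directory). The `/etc/subuid` and `/etc/subgid` lines compute `100000 + (uid - 1000) * 65536`, which for any name in `user_namespaces` with a uid below 1000 lands inside or below the ordinary uid range and can overlap real accounts; an `ansible.builtin.assert` that each `getent_passwd` uid is `>= 1000` before the lineinfile tasks would catch that early. `cgroup_manager = "cgroupfs"` in the global `containers.conf` is a deliberate departure from the systemd default on a systemd host, so a comment with the reason belongs next to it.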
| @@ -45,10 +45,11 @@ | |||||||
|   register: nginx_sites |   register: nginx_sites | ||||||
|  |  | ||||||
| - name: Generate self-signed certificate | - name: Generate self-signed certificate | ||||||
|   ansible.builtin.command: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \ |   ansible.builtin.command: | ||||||
|           -subj   "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \ |     'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \ | ||||||
|           -keyout /etc/ssl/private/nginx-selfsigned.key \ |     -subj   "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \ | ||||||
|           -out    /etc/ssl/certs/nginx-selfsigned.crt' |     -keyout /etc/ssl/private/nginx-selfsigned.key \ | ||||||
|  |     -out    /etc/ssl/certs/nginx-selfsigned.crt' | ||||||
|   args: |   args: | ||||||
|     creates: /etc/ssl/certs/nginx-selfsigned.crt |     creates: /etc/ssl/certs/nginx-selfsigned.crt | ||||||
|   when: proxy.production is not defined or not proxy.production |   when: proxy.production is not defined or not proxy.production | ||||||
| @@ -56,15 +57,22 @@ | |||||||
|  |  | ||||||
| - name: Install LE's certbot | - name: Install LE's certbot | ||||||
|   ansible.builtin.apt: |   ansible.builtin.apt: | ||||||
|     name: ['certbot', 'python3-certbot-dns-cloudflare'] |     name: ["certbot", "python3-certbot-dns-cloudflare"] | ||||||
|     state: present |     state: present | ||||||
|   when: proxy.production is defined and proxy.production |   when: proxy.production is defined and proxy.production | ||||||
|  |  | ||||||
|  | - name: Grab Cloudflare API token for configuration | ||||||
|  |   ansible.builtin.slurp: | ||||||
|  |     src: /root/.cloudflare-api | ||||||
|  |   register: cfapi | ||||||
|  |   when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined | ||||||
|  |  | ||||||
| - name: Install Cloudflare API token | - name: Install Cloudflare API token | ||||||
|   ansible.builtin.template: |   ansible.builtin.template: | ||||||
|     src: cloudflare.ini.j2 |     src: cloudflare.ini.j2 | ||||||
|     dest: /root/.cloudflare.ini |     dest: /root/.cloudflare.ini | ||||||
|     mode: "400" |     mode: "400" | ||||||
|  |   diff: false | ||||||
|   when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined |   when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined | ||||||
|  |  | ||||||
| - name: Create nginx post renewal hook directory | - name: Create nginx post renewal hook directory | ||||||
| @@ -78,19 +86,19 @@ | |||||||
|   ansible.builtin.copy: |   ansible.builtin.copy: | ||||||
|     src: reload-nginx.sh |     src: reload-nginx.sh | ||||||
|     dest: /etc/letsencrypt/renewal-hooks/post/reload-nginx.sh |     dest: /etc/letsencrypt/renewal-hooks/post/reload-nginx.sh | ||||||
|     mode: '0755' |     mode: "0755" | ||||||
|   when: proxy.production is defined and proxy.production |   when: proxy.production is defined and proxy.production | ||||||
|  |  | ||||||
| - name: Run Cloudflare DNS-01 challenges on wildcard domains | - name: Run Cloudflare DNS-01 challenges on wildcard domains | ||||||
|   ansible.builtin.shell: '/usr/bin/certbot certonly \ |   ansible.builtin.shell: '/usr/bin/certbot certonly \ | ||||||
|             --non-interactive \ |     --non-interactive \ | ||||||
|             --agree-tos \ |     --agree-tos \ | ||||||
|             --email "{{ proxy.dns_cloudflare.email }}" \ |     --email "{{ proxy.dns_cloudflare.email }}" \ | ||||||
|             --dns-cloudflare \ |     --dns-cloudflare \ | ||||||
|             --dns-cloudflare-credentials /root/.cloudflare.ini \ |     --dns-cloudflare-credentials /root/.cloudflare.ini \ | ||||||
|             -d "*.{{ item }}" \ |     -d "*.{{ item }}" \ | ||||||
|             -d "{{ item }}" \ |     -d "{{ item }}" \ | ||||||
|             {{ proxy.dns_cloudflare.opts | default("") }}' |     {{ proxy.dns_cloudflare.opts | default("") }}' | ||||||
|   args: |   args: | ||||||
|     creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem" |     creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem" | ||||||
|   loop: "{{ proxy.dns_cloudflare.wildcard_domains }}" |   loop: "{{ proxy.dns_cloudflare.wildcard_domains }}" | ||||||
|   | |||||||
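Review bot: `Grab Cloudflare API token for configuration` slurps `/root/.cloudflare-api` into `cfapi` with no `no_log: true`, so the base64 token shows up in verbose task output and in any callback that records registered results; the companion template task gained `diff: false`, but the slurp is where the value first enters the run, so add `no_log: true` on it as well. The reindented certbot `shell` task still splices `{{ proxy.dns_cloudflare.opts | default("") }}` and the email unquoted into the command line; that is pre-existing, but since the lines are rewritten here a comment that `opts` is trusted inventory content injected verbatim into a shell command (and therefore not a place for untrusted values) would document the assumption.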
| @@ -1,2 +1,2 @@ | |||||||
| # Cloudflare API token used by Certbot | # Cloudflare API token used by Certbot | ||||||
| dns_cloudflare_api_token = {{ proxy.dns_cloudflare.api_token }} | dns_cloudflare_api_token = {{ cfapi['content'] | b64decode | trim }} | ||||||
|   | |||||||
| @@ -28,14 +28,20 @@ server { | |||||||
|   ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt; |   ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt; | ||||||
|   ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key; |   ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key; | ||||||
| {% endif %} | {% endif %} | ||||||
| {% if item.hsts is defined %} |  | ||||||
|   add_header Strict-Transport-Security "max-age={{ item.hsts }}" always; |  | ||||||
| {% endif %} |  | ||||||
| {% if item.client_max_body_size is defined %} | {% if item.client_max_body_size is defined %} | ||||||
|   client_max_body_size {{ item.client_max_body_size }}; |   client_max_body_size {{ item.client_max_body_size }}; | ||||||
| {% endif %} | {% endif %} | ||||||
|   location / { |   location / { | ||||||
| {% if item.restrict is defined and item.restrict  %} | {% if item.hsts is defined %} | ||||||
|  |     add_header Strict-Transport-Security "max-age={{ item.hsts }}" always; | ||||||
|  | {% endif %} | ||||||
|  | {% if item.allowedips is defined %} | ||||||
|  | {% for ip in item.allowedips %} | ||||||
|  |     allow {{ ip }}; | ||||||
|  | {% endfor %} | ||||||
|  |     deny all; | ||||||
|  | {% endif %} | ||||||
|  | {% if item.restrict is defined and item.restrict %} | ||||||
|     auth_basic "{{ item.restrict_name | default('Restricted Access') }}"; |     auth_basic "{{ item.restrict_name | default('Restricted Access') }}"; | ||||||
|     auth_basic_user_file {{ item.restrict_file | default('/etc/nginx/.htpasswd') }}; |     auth_basic_user_file {{ item.restrict_file | default('/etc/nginx/.htpasswd') }}; | ||||||
|     proxy_set_header Authorization ""; |     proxy_set_header Authorization ""; | ||||||
| @@ -43,6 +49,7 @@ server { | |||||||
|     proxy_set_header Host $host; |     proxy_set_header Host $host; | ||||||
|     proxy_set_header X-Real-IP $remote_addr; |     proxy_set_header X-Real-IP $remote_addr; | ||||||
|     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||||||
|  |     proxy_set_header X-Forwarded-Proto $scheme; | ||||||
|     proxy_pass {{ item.proxy_pass }}; |     proxy_pass {{ item.proxy_pass }}; | ||||||
| {% if item.proxy_ssl_verify is defined and item.proxy_ssl_verify is false %} | {% if item.proxy_ssl_verify is defined and item.proxy_ssl_verify is false %} | ||||||
|     proxy_ssl_verify off; |     proxy_ssl_verify off; | ||||||
|   | |||||||
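Review bot: Moving `add_header Strict-Transport-Security` into `location /` changes nginx inheritance: `add_header` directives are inherited from the enclosing level only when the current level defines none, so with HSTS set here any `add_header` lines at `server` level (outside this hunk) stop applying to `/`, and any other `location` blocks lose HSTS entirely. Keeping the header at `server` level, where the removed lines were, avoids both effects; the `allow`/`deny all` block and `X-Forwarded-Proto $scheme` are fine inside the location. When `allowedips` and `restrict` are both set, nginx defaults to `satisfy all`, so a client must pass the IP allow-list and basic auth; a one-line comment saying that is intended would help the next reader.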
| @@ -1,45 +0,0 @@ | |||||||
| #!/bin/bash |  | ||||||
|  |  | ||||||
| # Defaults |  | ||||||
| TIMEOUT=600 |  | ||||||
| ELAPSED=0 |  | ||||||
| INITIAL_SLEEP=60 |  | ||||||
| SLEEP_DURATION=30 |  | ||||||
| SSH_AVAILABLE=0 |  | ||||||
| DEBUG_ID="[homelab-ci]" |  | ||||||
|  |  | ||||||
| # Run Vagrant Up in the background |  | ||||||
| PLAYBOOK=dockerbox vagrant up & |  | ||||||
| VAGRANT_UP_PID=$! |  | ||||||
|  |  | ||||||
| # Initial delay |  | ||||||
| echo "$DEBUG_ID Waiting for VM to start..." |  | ||||||
| sleep $INITIAL_SLEEP |  | ||||||
|  |  | ||||||
| # Loop until timeout or breaks |  | ||||||
| while [[ $ELAPSED -lt $TIMEOUT ]]; do |  | ||||||
| 	VAGRANT_SSH_CONFIG=$(mktemp) |  | ||||||
| 	vagrant ssh-config > "$VAGRANT_SSH_CONFIG" |  | ||||||
| 	echo "$DEBUG_ID SSH config at $VAGRANT_SSH_CONFIG" |  | ||||||
| 	cat "$VAGRANT_SSH_CONFIG" |  | ||||||
| 	echo "$DEBUG_ID Vagrant status" |  | ||||||
| 	vagrant status |  | ||||||
|  |  | ||||||
| 	# SSH attempt |  | ||||||
| 	set -x |  | ||||||
| 	ssh -vvv -F "$VAGRANT_SSH_CONFIG" default 'cat /etc/os-release' && set +x; break \ |  | ||||||
| 	|| echo "$DEBUG_ID SSH connection failed, retrying in $SLEEP_DURATION seconds..." |  | ||||||
| 	set +x |  | ||||||
|  |  | ||||||
| 	# Sleep and start again |  | ||||||
| 	sleep $SLEEP_DURATION |  | ||||||
| 	((ELAPSED+=SLEEP_DURATION)) |  | ||||||
| done |  | ||||||
|  |  | ||||||
| # Success? |  | ||||||
| if [[ $SSH_AVAILABLE -ne 1 ]]; then |  | ||||||
| 	echo "$DEBUG_ID Timeout reached without successful SSH connection." |  | ||||||
| fi |  | ||||||
|  |  | ||||||
| # Ensure the Vagrant up process completes |  | ||||||
| wait $VAGRANT_UP_PID |  | ||||||