Compare commits

37 Commits

Each entry below gives the author, SHA1, message (with body where there is one), the status of the ansible and terraform CI runs where they ran, and the date.

Renovate 3970841a8c
    Update postgres Docker tag to v16
    CI: ansible (push) failing after 51s; terraform (push) failing after 58s
    2024-04-22 08:00:26 +01:00

Jake Howard ee96e6ab08
    Rename forrest role to prometheus
    Makes organising much simpler
    CI: ansible (push) failing after 1m35s; terraform (push) failing after 12m54s
    2024-04-21 19:47:02 +01:00

Jake Howard ffbba254fb
    Remove redundant quotes
    2024-04-21 18:11:57 +01:00

Jake Howard c472411801
    Deploy uptime-kuma
    2024-04-21 18:11:39 +01:00

Jake Howard 7564911da3
    Add IPv6 to blackbox
    This is needed to monitor private services
    CI: terraform (push) failing after 3s; ansible (push) failing after 2s
    2024-04-20 18:12:38 +01:00

Jake Howard 7ff44ee238
    Add IPv6 to proxmox internal network
    2024-04-20 18:00:08 +01:00

Jake Howard 7c8d224c4a
    Add headscale ACLs
    Tags are managed entirely server side, so there are no priv esc issues.
    This lets my devices do what they want, and server-style devices can't do anything.
    CI: ansible (push) failing after 39s; terraform (push) failing after 46s
    2024-04-20 15:46:21 +01:00

Renovate 7bc0ebeb26
    Update traefik Docker tag to v2.11
    CI: terraform (push) failing after 2s; ansible (push) failing after 2s
    2024-04-15 17:43:05 +01:00

Jake Howard 33f9c544fd
    Remove /tt-rss/ path from URL
    CI: terraform (push) failing after 3s; ansible (push) failing after 2s
    2024-04-15 17:33:36 +01:00

Jake Howard b6583cc823
    Update Nextcloud version in config
    CI: terraform (push) failing after 2s; ansible (push) failing after 2s
    2024-04-15 15:28:16 +01:00

Jake Howard 9c02017fed
    Unpin tandoor
    2024-04-15 15:28:16 +01:00

Renovate 91ec56717f
    Update dependency artis3n.tailscale to v4.4.4
    CI: terraform (push) failing after 16s; ansible (push) failing after 13s
    2024-04-15 15:07:14 +01:00

Renovate 3318656730
    Update dependency geerlingguy.ntp to v2.4.0
    CI: ansible (push) failing after 24s; terraform (push) failing after 31s
    2024-04-15 15:06:23 +01:00

Renovate 9d98d88089
    Update lscr.io/linuxserver/nextcloud Docker tag to v28.0.4
    CI: terraform (push) failing after 2s; ansible (push) failing after 2s
    2024-04-15 15:02:53 +01:00

Renovate c882e246ab
    Update Terraform gandi to v2.3.0
    CI: terraform (push) failing after 3s; ansible (push) failing after 3s
    2024-04-15 14:40:48 +01:00

Renovate 67af033fcd
    Update dependency dokku_bot.ansible_dokku to v2024
    CI: terraform (push) failing after 2s; ansible (push) failing after 2s
    2024-04-15 14:36:50 +01:00

Renovate cee3679504
    Update Terraform b2 to v0.8.9
    CI: terraform (push) failing after 2s; ansible (push) failing after 2s
    2024-04-15 14:27:12 +01:00

Renovate 5330fdc56f
    Update ghcr.io/goauthentik/server Docker tag to v2024
    CI: terraform (push) failing after 2s; ansible (push) failing after 2s
    2024-04-15 14:11:11 +01:00

Renovate 2e0b562f5d
    Update matrixdotorg/synapse Docker tag to v1.104.0
    CI: terraform (push) failing after 2s; ansible (push) failing after 2s
    2024-04-15 13:58:20 +01:00

Renovate 989a804bad
    Update wallabag/wallabag Docker tag to v2.6.9
    CI: terraform (push) failing after 51s; ansible (push) failing after 46s
    2024-04-03 12:00:18 +01:00

Jake Howard 8424b3211b
    Allow `ingress` to serve as tailscale exit node
    CI: terraform (push) successful in 38s; ansible (push) successful in 1m46s
    2024-03-28 23:30:24 +00:00

Jake Howard b83e239123
    Rename private domain
    CI: terraform (push) successful in 33s; ansible (push) successful in 1m35s
    2024-03-23 12:55:54 +00:00

Jake Howard 5157940f20
    Stop exposing homeassistant
    CI: terraform (push) successful in 58s; ansible (push) successful in 1m52s
    2024-03-23 11:54:26 +00:00

Jake Howard eb6fe3a23b
    Allow forrest to access internal services
    This is mostly for monitoring
    CI: terraform (push) successful in 36s; ansible (push) successful in 1m36s
    2024-03-22 18:13:25 +00:00

Jake Howard b2656bdf43
    Make vaultwarden VPN only
    The first service to go dark...
    CI: terraform (push) successful in 33s; ansible (push) successful in 1m36s
    2024-03-21 23:20:27 +00:00

Jake Howard 124b83526d
    Fix spacing
    CI: terraform (push) successful in 35s; ansible (push) successful in 2m0s
    2024-03-20 17:59:32 +00:00

Jake Howard 0295507d0b
    Increase frequency of snapshots
    CI: terraform (push) failing after 34s; ansible (push) successful in 1m34s
    2024-03-19 21:31:27 +00:00

Jake Howard f88d224168
    Allow only exposing services over Tailscale
    This works using public DNS, so doesn't need Tailscale's magic DNS to override my local.
    CI: terraform (push) failing after 41s; ansible (push) successful in 1m41s
    2024-03-07 22:30:10 +00:00

Jake Howard 451a114262
    Add IPv6 support for internal DNS overrides
    CoreDNS 1.11.2 finally shipped!
    2024-03-07 20:02:39 +00:00

Jake Howard 119b3212a9
    Remove robots.txt for gitea
    CI: terraform (push) successful in 27s; ansible (push) successful in 1m30s
    2024-03-04 08:38:16 +00:00

Renovate fb0830e9fc
    Update actions/setup-python action to v5
    CI: terraform (push) successful in 23s; ansible (push) successful in 1m42s
    2024-03-04 08:35:57 +00:00

Renovate 5aae711cb8
    Update vaultwarden/server Docker tag to v1.30.5
    CI: terraform (push) successful in 46s; ansible (push) successful in 1m45s
    2024-03-04 08:33:59 +00:00

Renovate f552332598
    Update lscr.io/linuxserver/mastodon Docker tag to v4.2.8
    CI: ansible (push) cancelled; terraform (push) cancelled
    2024-03-04 08:33:51 +00:00

Jake Howard 82451784a8
    Deploy slides hosting
    CI: terraform (push) successful in 50s; ansible (push) successful in 1m49s
    2024-03-03 21:39:22 +00:00

Jake Howard 000f3d3348
    Add HSTS to all nginx requests
    2024-03-03 21:37:07 +00:00

Jake Howard 0dcc3f7c30
    Use regular version of nginx on Arch
    `nginx-mainline` requires modules be recompiled each time, and isn't handled automatically. It's still a very new and maintained release.
    CI: terraform (push) successful in 30s; ansible (push) successful in 1m30s
    2024-02-29 19:46:32 +00:00

Jake Howard 8a1e21c79d
    Ensure headscale sees the correct IP
    CI: terraform (push) successful in 49s; ansible (push) successful in 1m48s
    2024-02-29 17:41:29 +00:00
69 changed files with 425 additions and 137 deletions

View File

@ -19,7 +19,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
uses: actions/setup-python@v5
with:
python-version: 3.11
- uses: taiki-e/install-action@just
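Review bot: the bump to `actions/setup-python@v5` keeps pinning by a mutable major tag, as do `actions/checkout@v4` and `taiki-e/install-action@just` in the surrounding context; for supply-chain integrity consider pinning each action to a full commit SHA with the tag in a trailing comment, which Renovate can still keep up to date.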

View File

@ -1,9 +1,8 @@
# {{ ansible_managed }}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ server_name }};
set $upstream {{ upstream }};
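Review bot: this hunk replaces `http2 on;` with the `http2` parameter on the `listen` lines, a form nginx deprecated in 1.25.1 in favour of the directive; the parameter still works on older builds, but newer versions log a deprecation warning at startup, so a short comment in the template saying this is for the regular Arch nginx package (per the "Use regular version of nginx on Arch" commit) would stop the next person "fixing" it back. The same swap appears in the cdn and headscale nginx templates in this compare.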

View File

@ -10,15 +10,15 @@ roles:
- src: geerlingguy.docker
version: 6.2.0
- src: geerlingguy.ntp
version: 2.3.3
version: 2.4.0
- src: realorangeone.reflector
- src: ironicbadger.proxmox_nag_removal
version: 1.0.2
- src: ironicbadger.snapraid
version: 1.0.0
- src: dokku_bot.ansible_dokku
version: v2022.10.17
version: v2024.4.11
- src: geerlingguy.certbot
version: 5.1.0
- src: artis3n.tailscale
version: v4.4.2
version: v4.4.4
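Review bot: `- src: realorangeone.reflector` is the only role in this hunk without a `version:`; pinning it like the others keeps `ansible-galaxy install` reproducible and lets Renovate propose the bump rather than silently pulling whatever is current.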

View File

@ -1,5 +1,6 @@
pve_hosts:
internal_cidr: 10.23.1.0/24
internal_cidr_ipv6: fde3:15e9:e883::1/48
pve:
ip: 10.23.1.1
external_ip: 192.168.2.200
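Review bot: `internal_cidr_ipv6: fde3:15e9:e883::1/48` has host bits set; the consumers that parse it as a network (fail2ban `ignoreip`, the Traefik `sourceRange` lists) will mask them off, but writing it as `fde3:15e9:e883::/48` avoids an entry that reads like a single host and matches the style of the `tailscale_cidr_ipv6` value in the other group vars.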
@ -7,15 +8,19 @@ pve_hosts:
ip: 10.23.1.11
forrest:
ip: 10.23.1.13
ipv6: fde3:15e9:e883::103
jellyfin:
ip: 10.23.1.101
dokku:
ip: 10.23.1.102
docker:
ip: 10.23.1.103
ipv6: fde3:15e9:e883::203
ingress:
ip: 10.23.1.10
external_ip: 192.168.2.201
external_ipv6: "{{ vault_ingress_ipv6 }}"
ipv6: fde3:15e9:e883::100
homeassistant:
ip: 192.168.2.203
qbittorrent:

View File

@ -2,5 +2,6 @@
tailscale_up_skip: true
tailscale_cidr: 100.64.0.0/24 # It's really /10, but I don't use that many IPs
tailscale_cidr_ipv6: fd7a:115c:a1e0::/120 # It's really /48, but I don't use that many IPs
tailscale_port: 41641
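Review bot: `tailscale_cidr_ipv6` is narrowed to a /120 (and `tailscale_cidr` to a /24) while both values are used as trust boundaries in fail2ban `ignoreip` and in the Traefik `tailscale-only` allow-list, so a node that headscale allocates outside the narrowed range would be treated as untrusted and fail the allow-list with no obvious error; if the narrower ranges are deliberate, an assertion in the playbook (or a monitoring check) that every node address falls inside them would catch that before a user does.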

View File

@ -1,41 +1,44 @@
$ANSIBLE_VAULT;1.1;AES256

View File

@ -1,3 +1,5 @@
"vps_hosts":
"casey_ip": "213.219.38.11"
"private_ipv6_marker": "2a01:7e00:e000:7f7::1"
"private_ipv6_range": "2a01:7e00:e000:7f7::1/128"
"walker_ip": "192.248.168.230"
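Review bot: `private_ipv6_range` in this hunk is a single address (`/128`) rather than a range, and because `vps_hosts.values()|sort|join(",")` is spliced into every fail2ban `ignoreip` line, both new keys now also become fail2ban exemptions; that is harmless for your own address, but a separate dict for routing values (or naming the key `private_ipv6_address`) keeps the host list and the exemption list from drifting together.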

View File

@ -4,6 +4,7 @@ traefik_provider_jellyfin: true
traefik_provider_homeassistant: true
traefik_provider_grafana: true
traefik_provider_dokku: true
traefik_provider_uptime_kuma: true
with_fail2ban: true

View File

@ -25,7 +25,7 @@ sanoid_datasets:
sanoid_templates:
production:
frequently: 2
frequently: 4
hourly: 48
daily: 28
monthly: 3

View File

@ -11,3 +11,5 @@ certbot_certs:
- domains:
- plausible.theorangeone.net
- elbisualp.theorangeone.net
- domains:
- slides.jakehoward.tech

View File

@ -95,7 +95,8 @@
- hosts: forrest
roles:
- forrest
- prometheus
- uptime_kuma
- pve_nebula_route
- pve_tailscale_route
@ -118,6 +119,7 @@
- website
- remark42
- artis3n.tailscale
- slides
- hosts: jellyfin
roles:

View File

@ -2,10 +2,6 @@
errors
cancel
view nov6 {
expr type() != 'AAAA'
}
forward . tls://9.9.9.9 tls://149.112.112.112 tls://2620:fe::fe tls://2620:fe::9 {
tls_servername dns.quad9.net
health_check 15s
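Review bot: removing the `view nov6` block means AAAA queries are no longer refused, so for every name that has only an IPv4 entry in the `hosts` block, check how an AAAA query is answered now: if `fallthrough` lets it reach the upstream Quad9 forwarder, a public AAAA record for the same name would bypass the internal override and a dual-stack client may prefer it, quietly routing "internal" traffic over the public path. Adding an IPv6 override for each such name, as the next hunk does for `pve.sys.theorangeone.net`, closes that gap.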
@ -13,6 +9,7 @@
hosts {
{{ pve_hosts.ingress.external_ip }} pve.sys.theorangeone.net
{{ pve_hosts.ingress.external_ipv6 }} pve.sys.theorangeone.net
fallthrough
ttl 300
}

View File

@ -21,7 +21,7 @@ x-env: &env
services:
server:
image: ghcr.io/goauthentik/server:2023.10
image: ghcr.io/goauthentik/server:2024.2
restart: unless-stopped
command: server
user: "{{ docker_user.id }}"
@ -44,7 +44,7 @@ services:
- traefik
worker:
image: ghcr.io/goauthentik/server:2023.10
image: ghcr.io/goauthentik/server:2024.2
restart: unless-stopped
command: worker
user: "{{ docker_user.id }}"

View File

@ -4,4 +4,4 @@ bantime = 600
findtime = 30
maxretry = 5
port = {{ ssh_port }},ssh
ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ tailscale_cidr }}
ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ tailscale_cidr }}

View File

@ -1,8 +0,0 @@
- name: Include vault
include_vars: vault.yml
- name: Grafana
include_tasks: grafana.yml
- name: Prometheus
include_tasks: prometheus.yml

View File

@ -4,8 +4,7 @@ proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=cdncache:20m max_size
{% for domain in cdn_domains %}
server {
listen 8800 ssl proxy_protocol;
http2 on;
listen 8800 ssl http2 proxy_protocol;
server_name {{ domain }};

View File

@ -6,9 +6,9 @@ maxretry = 100
filter = nginx-tcp
logpath = /var/log/nginx/ips.log
port = http,https,8448
ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
[traefik]
enabled = true
port = http,https,8448
ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
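Review bot: this is the third copy of the same `ignoreip` list (the ssh jail and the traefik jail carry the others), and each copy had to be edited to add `{{ pve_hosts.internal_cidr_ipv6 }}`; defining one `fail2ban_ignoreip` variable in group vars and referencing it from every jail removes the chance of a copy being missed next time, which would quietly leave a trusted network subject to bans (or, if one copy gains an extra entry, exempt from them).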

View File

@ -21,6 +21,20 @@ map $ssl_preread_server_name $gateway_destination {
server {
listen 443;
listen 8448;
listen [::]:443;
listen [::]:8448;
proxy_pass $gateway_destination;
proxy_protocol on;
}
server {
listen [{{ vps_hosts.private_ipv6_marker }}]:443;
listen [{{ vps_hosts.private_ipv6_marker }}]:8448;
access_log off;
deny all;
# This is never used, but need to keep nginx happy
proxy_pass 127.0.0.1:80;
}
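Review bot: the `deny all` server for `[{{ vps_hosts.private_ipv6_marker }}]` also sets `access_log off;`, so connections from the public internet to the private marker address leave no trace; since that address is only meant to be reached via the ingress route, keeping the access log on (or an `error_log` at `info` for this block) turns rejected connections into a useful signal of external probing rather than discarding it.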

View File

@ -1,4 +0,0 @@
User-agent: *
# Ignore mirrored repos
Disallow: /mirror/

View File

@ -28,15 +28,6 @@
notify: restart gitea
become: true
- name: Install robots.txt
template:
src: files/robots.txt
dest: "{{ app_data_dir }}/gitea/data/custom/robots.txt"
mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}"
notify: restart gitea
become: true
- name: Create public images directory
file:
path: "{{ app_data_dir }}/gitea/data/custom/public/assets/img"

View File

@ -0,0 +1,13 @@
{
"tagOwners": {
"tag:client": []
},
"acls": [
{
"action": "accept",
"src": ["tag:client"],
"dst": ["*:*"]
}
]
}
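Review bot: the policy is a single accept rule with nothing for untagged nodes, so it relies on headscale's default deny for anything that is not `tag:client`, and `tagOwners` is deliberately empty so no user can self-apply the tag (the point the commit message makes); HuJSON allows comments, so writing both facts into the file would stop a later edit from adding an owner and reopening that path. `"dst": ["*:*"]` also grants tagged clients every port on every node, including the server-style ones; if that is intended, fine, otherwise a narrower destination list is the natural next step.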

View File

@ -188,7 +188,7 @@ log:
# Path to a file containg ACL policies.
# ACLs can be defined as YAML or HUJSON.
# https://tailscale.com/kb/1018/acls/
acl_policy_path: ""
acl_policy_path: /etc/headscale/acls.json
## DNS
#

View File

@ -3,8 +3,7 @@
limit_req_zone $binary_remote_addr zone=headscale:10m rate=1r/m;
server {
listen 8888 ssl proxy_protocol;
http2 on;
listen 8888 ssl http2 proxy_protocol;
server_name headscale.jakehoward.tech;
@ -13,6 +12,10 @@ server {
ssl_trusted_certificate /etc/letsencrypt/live/headscale.jakehoward.tech/chain.pem;
include includes/ssl.conf;
real_ip_header proxy_protocol;
set_real_ip_from 127.0.0.1;
location / {
proxy_pass http://localhost:8416;
}
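Review bot: `real_ip_header proxy_protocol; set_real_ip_from 127.0.0.1;` only takes effect when the stream gateway connects to port 8888 from loopback, so confirm `$gateway_destination` for headscale resolves to 127.0.0.1 rather than the host's routed address. Once it does, `$binary_remote_addr` becomes the real client address, which matters for the `limit_req_zone $binary_remote_addr zone=headscale:10m rate=1r/m;` zone at the top of the file: if that zone is applied with `limit_req`, then before this change every client shared a single 1r/m bucket keyed on the gateway's address.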

View File

@ -11,7 +11,16 @@
src: files/headscale.yml
dest: /etc/headscale/config.yaml
owner: headscale
mode: "0644"
mode: "0600"
notify: restart headscale
become: true
- name: Install ACLs
template:
src: files/acls.json
dest: /etc/headscale/acls.json
owner: headscale
mode: "0600"
notify: restart headscale
become: true

View File

@ -30,7 +30,7 @@ table inet filter {
# NAT - because the proxmox machines may not have routes back
ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
ip saddr {{ tailscale_cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
ip saddr {{ tailscale_cidr }} counter masquerade
}
chain FORWARD {
@ -44,8 +44,9 @@ table inet filter {
# Allow monitoring of nebula network
ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} accept
# Allow traffic from Tailscale to proxmox network
ip saddr {{ tailscale_cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept
ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ tailscale_cidr }} ct state related,established accept
# Allow Tailscale exit node
ip saddr {{ tailscale_cidr }} ip daddr 192.168.0.0/16 drop
ip saddr {{ tailscale_cidr }} accept
ip daddr {{ tailscale_cidr }} ct state related,established accept
}
}
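Review bot: the exit-node rules drop Tailscale traffic to `192.168.0.0/16` and then accept everything else, so the other private ranges (`10.0.0.0/8` beyond `{{ pve_hosts.internal_cidr }}`, `172.16.0.0/12`, `169.254.0.0/16`) remain reachable through the exit node; decide explicitly which of those are meant to be, and give the `drop` rule `counter log prefix "ts-exit-lan-drop: "` so a Tailscale client trying to reach the LAN shows up in the journal instead of vanishing. The masquerade in the `nat` hunk is now unconditional for `{{ tailscale_cidr }}`, which an exit node needs, but both it and the forward rules match `ip saddr` only, so IPv6 exit traffic is neither NATed nor filtered here.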

View File

@ -9,6 +9,8 @@ access_log /var/log/nginx/access.log access;
server {
listen 443;
listen 8448;
listen [::]:443;
listen [::]:8448;
proxy_pass {{ pve_hosts.docker.ip }}:443;
proxy_protocol on;
proxy_socket_keepalive on;

View File

@ -2,7 +2,7 @@ version: "2.3"
services:
mastodon:
image: lscr.io/linuxserver/mastodon:4.2.7
image: lscr.io/linuxserver/mastodon:4.2.8
environment:
- TZ={{ timezone }}
- PUID={{ docker_user.id }}

View File

@ -8,8 +8,7 @@ ssl_dhparam dhparams.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
#add_header Strict-Transport-Security "max-age=63072000" always;
more_set_headers "Strict-Transport-Security: max-age=2592000";
# OCSP stapling
ssl_stapling on;
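Review bot: the new `more_set_headers "Strict-Transport-Security: max-age=2592000";` sets 30 days while the comment two lines above still says 63072000 seconds (two years), so update one of them so they agree. Using `more_set_headers` instead of `add_header` is the right call here: it applies to error responses too and is not discarded when a location adds its own `add_header`. If the 30-day value is a deliberate ramp-up, say so in the comment, and consider `includeSubDomains` once every subdomain is TLS-only.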

View File

@ -1,6 +1,6 @@
- name: Install nginx
package:
name: "{{ 'nginx-mainline' if ansible_os_family == 'Archlinux' else 'nginx' }}"
name: nginx
become: true
- name: Install nginx modules
@ -17,8 +17,8 @@
kewlfft.aur.aur:
name: "{{ item }}"
loop:
- nginx-mainline-mod-headers-more
- nginx-mainline-mod-brotli
- nginx-mod-headers-more
- nginx-mod-brotli
when: ansible_os_family == 'Archlinux'
become: true

View File

@ -2,8 +2,6 @@ modules:
http:
prober: http
timeout: 10s
http:
preferred_ip_protocol: ip4 # Docker network is v4 only
https_redir:
prober: http
@ -16,7 +14,6 @@ modules:
fail_if_header_not_matches:
- header: Location
regexp: ^https
preferred_ip_protocol: ip4 # Docker network is v4 only
icmp:
prober: icmp
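Review bot: dropping `preferred_ip_protocol: ip4` from both `http` modules switches them to blackbox's default of `ip6` with fallback to `ip4`, so any target with an AAAA record is now probed over IPv6 first and the `probe_ip_protocol` metric changes accordingly; that is what the commit intends, but it also means an IPv6-only failure on a dual-stack target is masked by the fallback unless `ip_protocol_fallback: false` is set, so a separate module (or an alert on `probe_ip_protocol`) is needed if IPv6 reachability itself is to be monitored.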

View File

@ -56,3 +56,5 @@ services:
networks:
grafana:
external: true
default:
enable_ipv6: true
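Review bot: `enable_ipv6: true` on the `default` network requires the Docker daemon to have an IPv6 pool in `default-address-pools` (or an explicit `ipam` subnet on the network) on daemon versions without a built-in IPv6 default pool, and the failure only surfaces at `docker compose up`, not in `docker-compose config`; worth a check in the role, or a comment, so the same step works on a freshly built host.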

View File

@ -0,0 +1,35 @@
- name: Include vault
include_vars: vault.yml
- name: Grafana
include_tasks: grafana.yml
- name: Prometheus
include_tasks: prometheus.yml
- name: Get routes
command:
argv:
- ip
- -6
- route
- show
- "{{ vps_hosts.private_ipv6_range }}"
register: routes
changed_when: false
become: true
- name: Add route to private services via ingress
command:
argv:
- ip
- -6
- route
- add
- "{{ vps_hosts.private_ipv6_range }}"
- via
- "{{ pve_hosts.ingress.ipv6 }}"
- dev
- eth0
become: true
when: vps_hosts.private_ipv6_marker not in routes.stdout
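Review bot: the `ip -6 route add` task creates a runtime route that does not survive a reboot or a network restart, so the path to the private services exists only until then and the next playbook run (the `ip -6 route show` guard re-adds it, but nothing does in between); persisting it in the host's network configuration (a `[Route]` section in the systemd-networkd unit, or whatever manages `eth0` there) makes the dependency explicit rather than relying on playbook cadence. `dev eth0` is also hard-coded and will fail silently if the interface is renamed; `ansible_default_ipv6.interface` is the usual substitute.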

View File

@ -19,7 +19,7 @@ $CONFIG = array (
0 => 'intersect.jakehoward.tech',
),
'dbtype' => 'mysql',
'version' => '28.0.2.5',
'version' => '28.0.4.1',
'overwrite.cli.url' => 'https://intersect.jakehoward.tech',
'dbname' => 'nextcloud',
'dbhost' => 'mariadb',

View File

@ -2,7 +2,7 @@ version: "2.3"
services:
nextcloud:
image: lscr.io/linuxserver/nextcloud:28.0.2
image: lscr.io/linuxserver/nextcloud:28.0.4
environment:
- PUID={{ docker_user.id }}
- PGID={{ docker_user.id }}

View File

@ -3,7 +3,7 @@ version: "2.3"
services:
synapse:
image: matrixdotorg/synapse:v1.101.0
image: matrixdotorg/synapse:v1.104.0
restart: unless-stopped
environment:
- SYNAPSE_CONFIG_PATH=/etc/homeserver.yaml

View File

@ -7,7 +7,7 @@ x-app: &app
- TTRSS_DB_USER=tt-rss
- TTRSS_DB_NAME=tt-rss
- TTRSS_DB_PASS=tt-rss
- TTRSS_SELF_URL_PATH=https://tt-rss.jakehoward.tech/tt-rss/
- TTRSS_SELF_URL_PATH=https://tt-rss.jakehoward.tech
- TTRSS_ENABLE_REGISTRATION=false
- TTRSS_CHECK_FOR_UPDATES=false
- TTRSS_ENABLE_GZIP_OUTPUT=true
@ -16,6 +16,8 @@ x-app: &app
- OWNER_GID={{ docker_user.id }}
- PHP_WORKER_MAX_CHILDREN=50
- PHP_WORKER_MEMORY_LIMIT=512M
- APP_WEB_ROOT=/var/www/html/tt-rss
- APP_BASE=
volumes:
- ./tt-rss:/var/www/html
- "{{ app_data_dir }}/tt-rss/feed-icons:/var/www/html/tt-rss/feed-icons"
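Review bot: the `TTRSS_SELF_URL_PATH` change together with `APP_BASE=` moves the app from `/tt-rss/` to the site root while `APP_WEB_ROOT` keeps pointing at the checked-out tree, which is consistent. Unrelated to this change but visible in the context, `TTRSS_DB_PASS=tt-rss` is a literal, predictable database credential in the compose file, whereas the other secrets in this repo come from the vault (`wallabag_secret`, `vault_cloudflare_api_token`); moving it to a vaulted variable is cheap even if the database only listens on the compose network.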

View File

@ -2,7 +2,7 @@ version: "2.3"
services:
wallabag:
image: wallabag/wallabag:2.6.8
image: wallabag/wallabag:2.6.9
restart: unless-stopped
environment:
- SYMFONY__ENV__SECRET={{ wallabag_secret }}

View File

@ -7,6 +7,9 @@ services:
labels:
- traefik.enable=true
- traefik.http.routers.whoami.rule=Host(`whoami.theorangeone.net`) || Host(`whoami-cdn.theorangeone.net`)
- traefik.http.routers.whoami-private.rule=Host(`whoami-private.theorangeone.net`)
- traefik.http.routers.whoami-private.middlewares=tailscale-only@file
networks:
- default
- traefik

View File

@ -0,0 +1,19 @@
version: "2.3"
services:
slides:
image: ghcr.io/realorangeone/slides:latest
restart: unless-stopped
environment:
- TZ={{ timezone }}
- PUID={{ docker_user.id }}
volumes:
- ./htpasswd:/etc/nginx/.htpasswd:ro
- ./slides:/srv
networks:
- default
- coredns
networks:
coredns:
external: true
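Review bot: `image: ghcr.io/realorangeone/slides:latest` is a floating tag, so deploys of this service are not reproducible and Renovate, which pins every other image in this repo, has nothing to bump; a version tag or digest keeps the same audit trail as the rest of the stack. Mounting `./htpasswd` read-only is good.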

View File

@ -0,0 +1,4 @@
- name: restart slides
shell:
chdir: /opt/slides
cmd: "{{ docker_update_command }}"

View File

@ -0,0 +1,47 @@
- name: Include vault
include_vars: vault.yml
- name: Create install directory
file:
path: /opt/slides
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install compose file
template:
src: files/docker-compose.yml
dest: /opt/slides/docker-compose.yml
mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
notify: restart slides
become: true
- name: Create credentials
htpasswd:
path: /opt/slides/htpasswd
name: "{{ item.user }}"
password: "{{ item.password }}"
owner: "{{ docker_user.name }}"
mode: "0600"
loop: "{{ webdav_credentials }}"
loop_control:
label: "{{ item.user }}"
notify: restart slides
become: true
- name: Install nginx config
template:
src: files/nginx-docker.conf
dest: /etc/nginx/http.d/slides.conf
mode: "0644"
notify: reload nginx
become: true
vars:
server_name: slides.jakehoward.tech
upstream: slides-slides-1.docker:80
ssl_cert_path: /etc/letsencrypt/live/slides.jakehoward.tech
location_extra: |
client_max_body_size 15m;
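Review bot: the `Create credentials` task passes `password: "{{ item.password }}"` to the `htpasswd` module; `loop_control: label` hides the item from the per-iteration line, but a failure still prints the full module arguments, so add `no_log: true` to that task to keep the WebDAV passwords out of the Ansible output and any CI logs. The `0600` mode on the htpasswd file itself is correct.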

ansible/roles/slides/vars/vault.yml (generated, 14 additions)
View File

@ -0,0 +1,14 @@
$ANSIBLE_VAULT;1.1;AES256

View File

@ -2,7 +2,7 @@ version: "2.3"
services:
tandoor:
image: vabene1111/recipes:1.5.13
image: vabene1111/recipes:latest
environment:
- TIMEZONE={{ timezone }}
- DEBUG=0
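Review bot: moving `vabene1111/recipes` to `latest` ("Unpin tandoor") trades a pinned, Renovate-visible version for whatever the registry serves at pull time, so a breaking release or a compromised tag lands on the next `{{ docker_update_command }}` run with no review step; if the motivation is that Renovate lagged behind, a digest pin or a looser version range in the Renovate config keeps the audit trail.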

View File

@ -2,5 +2,6 @@ traefik_provider_jellyfin: false
traefik_provider_homeassistant: false
traefik_provider_grafana: false
traefik_provider_dokku: false
traefik_provider_uptime_kuma: false
with_fail2ban: false

View File

@ -2,7 +2,7 @@ version: "2.3"
services:
traefik:
image: traefik:v2.10
image: traefik:v2.11
user: "{{ docker_user.id }}"
environment:
- CF_DNS_API_TOKEN={{ vault_cloudflare_api_token }}

View File

@ -6,5 +6,5 @@ maxretry = 5
filter = traefik
logpath = /tmp/traefik-logs/access.log
port = http,https
ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
action = gateway

View File

@ -3,6 +3,8 @@ http:
router-homeassistant:
rule: Host(`homeassistant.jakehoward.tech`)
service: service-homeassistant
middlewares:
- tailscale-only@file
services:
service-homeassistant:
loadBalancer:

View File

@ -8,3 +8,20 @@ http:
headers:
customResponseHeaders:
Permissions-Policy: interest-cohort=()
tailscale-only:
ipWhiteList:
sourceRange:
- "{{ tailscale_cidr }}"
- "{{ tailscale_cidr_ipv6 }}"
- "{{ pve_hosts.forrest.ip }}"
- "{{ pve_hosts.forrest.ipv6 }}"
private-access:
ipWhiteList:
sourceRange:
- "{{ tailscale_cidr }}"
- "{{ tailscale_cidr_ipv6 }}"
- "{{ nebula.cidr }}"
- "{{ pve_hosts.internal_cidr }}"
- "{{ pve_hosts.internal_cidr_ipv6 }}"
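Review bot: `ipWhiteList` without an `ipStrategy` checks the connection's remote address, so these middlewares only mean something if Traefik sees the real client IP; with the nginx stream gateway in front using `proxy_protocol on`, the Traefik entrypoint must have `proxyProtocol.trustedIPs` covering the gateway, otherwise every request arrives from the gateway's address and `tailscale-only` either blocks everyone or, if that address were ever listed, allows everyone. The `whoami-private` router added in the whoami hunk is a good canary: it should answer from the tailnet and return 403 from outside. Including `pve_hosts.forrest.ip`/`.ipv6` is what lets blackbox probe the private services; `private-access` is defined here but not yet referenced in this compare.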

View File

@ -0,0 +1,10 @@
http:
routers:
router-uptime-kuma:
rule: Host(`uptime.jakehoward.tech`)
service: service-uptime-kuma
services:
service-uptime-kuma:
loadBalancer:
servers:
- url: http://{{ pve_hosts.forrest.ip }}:3001
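Review bot: `router-uptime-kuma` has no `middlewares:`, so `uptime.jakehoward.tech`, including Uptime Kuma's login page and API, is reachable from the internet while the other routers touched in this compare get `tailscale-only@file`; if only the public status page is meant to be exposed, this router should carry the same middleware or a rule limited to the status path. The plain `http://` backend to forrest over the internal network is consistent with the other providers.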

View File

@ -101,6 +101,16 @@
when: traefik_provider_dokku
become: true
- name: Install dokku provider
template:
src: files/file-provider-uptime-kuma.yml
dest: /opt/traefik/traefik/conf/uptime-kuma.yml
mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}"
notify: restart traefik
when: traefik_provider_uptime_kuma
become: true
- name: logrotate config
template:
src: files/logrotate.conf
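Review bot: the new task is named `Install dokku provider`, copied from the task above it; rename it to `Install uptime-kuma provider` so play output and `--list-tasks` distinguish the two.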

View File

@ -0,0 +1,18 @@
version: "2.3"
services:
uptime-kuma:
image: louislam/uptime-kuma:1.23.11-alpine
environment:
- TZ={{ timezone }}
- PUID={{ docker_user.id }}
- PGID={{ docker_user.id }}
ports:
- "{{ pve_hosts.forrest.ip }}:3001:3001"
volumes:
- "{{ app_data_dir }}/uptime-kuma:/app/data"
restart: unless-stopped
networks:
default:
enable_ipv6: true
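Review bot: binding the port as `"{{ pve_hosts.forrest.ip }}:3001:3001"` keeps it off forrest's other interfaces, which is good; `PUID`/`PGID`, however, are LinuxServer.io conventions and the `louislam/uptime-kuma` image does not document them, so the container most likely still runs as root and those two variables are inert; if the intent is to drop privileges, `user:` on the service (with the data volume owned to match) is the way to do it. `enable_ipv6: true` on `default` carries the same daemon address-pool requirement as the prometheus compose file.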

View File

@ -0,0 +1,4 @@
- name: restart uptime-kuma
shell:
chdir: /opt/uptime-kuma
cmd: "{{ docker_update_command }}"

View File

@ -0,0 +1,17 @@
- name: Create install directory
file:
path: /opt/uptime-kuma
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install compose file
template:
src: files/docker-compose.yml
dest: /opt/uptime-kuma/docker-compose.yml
mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
notify: restart uptime-kuma
become: true

View File

@ -2,7 +2,7 @@ version: "2.3"
services:
vaultwarden:
image: vaultwarden/server:1.30.3-alpine
image: vaultwarden/server:1.30.5-alpine
restart: unless-stopped
user: "{{ docker_user.id }}:{{ docker_user.id }}"
volumes:
@ -22,7 +22,7 @@ services:
- traefik.http.middlewares.vaultwarden-ratelimit.ratelimit.average=5
- traefik.http.middlewares.vaultwarden-ratelimit.ratelimit.burst=200
- traefik.http.routers.vaultwarden.middlewares=vaultwarden-ratelimit
- traefik.http.routers.vaultwarden.middlewares=vaultwarden-ratelimit,tailscale-only@file
environment:
- SIGNUPS_ALLOWED=false
- DOMAIN=https://vaultwarden.jakehoward.tech
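Review bot: `vaultwarden-ratelimit,tailscale-only@file` runs the rate limiter before the allow-list, so requests the allow-list will reject are still counted in the limiter's per-IP buckets; reversing the order (`tailscale-only@file,vaultwarden-ratelimit`) rejects outside traffic first and keeps limiter state for tailnet clients only. Keeping the rate limit after going VPN-only is still worthwhile as defence in depth against a compromised tailnet device.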

View File

@ -2,17 +2,17 @@
# Manual edits may be lost in future updates.
provider "registry.terraform.io/backblaze/b2" {
version = "0.8.7"
constraints = "0.8.7"
version = "0.8.9"
constraints = "0.8.9"
hashes = [
"h1:00oWKpRLaWlwNwebBlsy4ZDN9dsYPZv6G3VoYxz5SSE=",
"h1:GLJrlMQ3CxORGarOlpbdKNjfdVxwWF7D1Sa5Svtsi2Q=",
"h1:R+Ota2rVe+KaYwJIrlVGgRxtTGgkqXgsMRApg6r/+5M=",
"h1:hSsgVZdn6G7G8Zp03Ij9lLQYEQ0aWGy3j3loEsjkJMQ=",
"zh:832081241cdf62ea27af5e9999c7c94bbec1816dc552c53da1caa8a2ff7b987f",
"zh:c130917d8da3e85392fb3c8c7b2be3b2fd1d1eb5023993d33e3d0838e8375d05",
"zh:f9f7dbf09d818c5a05570d73facaf0bb840c541de07439b0891381df4c75875a",
"zh:fc142bb2370c541ae14ea4f8f8c5437efa07911a8c36be60820cba6671fa6c81",
"h1:2I1FrwnkverfdRHyoCMHeoLJcWIdoLw0uSyvFJDj+40=",
"h1:Gp0no9DUhxEAPPED0/AG8wSaaT6023dtA1Q8oIPmgz0=",
"h1:N5oxkisGmkDIdAmncwcmcN5KilDdOG1kJu2+k0ARj80=",
"h1:PSLTea0VOv61sttOED7lEvonSQuIik2CFDXyljVpeHU=",
"zh:3534b7737d5d555187faec4db6abeb202a90559f2f68e569e48b0acbbdaabe9d",
"zh:372e97f55308babb98e175e3464d7088c8182d649e899e3067bb042e655a62c8",
"zh:59935a938882daccf93a76ddfdd24113aac7349e0ae555028f340acb211cbaff",
"zh:da2d510b081ed9683acd201318f096ea6848843f325eaf8db555702244149532",
]
}
@ -52,22 +52,33 @@ provider "registry.terraform.io/cloudflare/cloudflare" {
}
provider "registry.terraform.io/go-gandi/gandi" {
version = "2.2.3"
constraints = "2.2.3"
version = "2.3.0"
constraints = "2.3.0"
hashes = [
"h1:2SFGp4KWheP2bjuD0sIzbcuM91uSFiMVr2qYBRUJ7HU=",
"zh:1059865208c4ce9a827d0e1fa09a74297476d064d5aebd598633b10036cdff5d",
"zh:1e912145a1819fc7516353369332a41558a3c6e9edac8bdcc09aa8c2735d29e3",
"zh:2977e335cb1df04baa200933679048a7b4151f48cbd551917abe45dc3b62f85d",
"zh:4211fa55947c3b7841931a2f944fe02fa50d2dca5fe850113d7dc5713574c0de",
"zh:509f2262f4d682504eb412eeb58968c23208ddab8ebd0b0371a9eb1332b57f33",
"zh:784ee8dd57193dfcb38fe06fedc2931b02a887ce887744ce92b856f121d6fb50",
"zh:81a9bcbae602d32d71fa8ff3b2140c3d86692736a4c3379ebcfa06c858fae549",
"zh:9e296c6b33a4b3042c030a44368a45c95a531b7c6c369db30a7fd2e9503bb4d8",
"zh:a030027413d3dc7695691917f328fecb9b15d6b9e0d72b35439534cc22abb782",
"zh:a5019df0ce14c20483f397eef4e91d9f60ad78644acb3134130c4ebbc26059b5",
"zh:d03f6bd478f2b57091f2e82dde17a4adfe0b423eaaa0f99c59838fc64dd965ab",
"zh:e1b23742e9d98391fb84a4fad4e577ca2827bb25c40e310f3faaa3dcbde3a508",
"h1:+QRivNRiQfXbOzSJwIKOmpqRLjfSbgGTVIot5HHaxzU=",
"h1:9kqWL+eFk/ogrQSltL9zVqjMcOqbvs3EgIJEeyNPb8U=",
"h1:Fv/rdRU74oVDL6Tmu63qNl3fUrlOfMVPUFeLaPfWAGY=",
"h1:GC+kfSRx3FdF0dhh0LZrWXV+hLSFQd3cQ3mjQ3lBloU=",
"h1:M6MNub0wFKc/2MKOns9uWsgkFEjqNx1oucz+wGemBRM=",
"h1:Os/cyXb2LCyYLvaQ7inZPBdgjR7Ie5AsyIIHvYaMZB4=",
"h1:PH6KI61eli5OL/aN3Oi7NV9qkNbjGLoOYjJK3gvULj4=",
"h1:ZYWkA1hdIjQySftM5bWAQjiH50V5qMl9nJroYzCoqb0=",
"h1:aRZN5KmJwfLJ+sSYo4xd6MHS2oNk3Zlk417md3e9ry0=",
"h1:iTw/xbYXtScXLdhbjzF15Bf9wWu/r41ZertHYl9vDec=",
"h1:q/JXh50l2WZKxRpVTXzWp7nToqaU4TXD883k6Xi+8Jk=",
"h1:sSjatD9sHwGI8jJYF7Ps7BTBbmmCmLAdlUPDs3i/vQA=",
"zh:0936d011cf75bb5162c6027d00575a586807adc9008f4152def157b6ad22bae9",
"zh:2170e671f04d3346ea416fcc404be6d05f637eab7df77e289a6898a928885f0b",
"zh:250329baae3cb09cfb88dd004d45f003ba76fbe7b8daf9d18fd640b93a2b7252",
"zh:2ccd9f253424738ca5fbbcb2127bf3713c20e87bfb3829f8c4565569424fd0bd",
"zh:3607b48bc4691cd209528f9ffe16a6cc666bd284b0d0bdfe8c4e1d538559a408",
"zh:3bc1d2b770fe0f50027da59c405b2468d1322243235367014f75f765124f458d",
"zh:6c8a9092847ee2e2890825432b54424c456638d494e49b7d1845f055214714f5",
"zh:8e0b62a330876005d52bcd65d7b1d9a679a7ac79c626e0f86661519e8f9b5698",
"zh:8f44f4d52583ff249e2001ea2a8b8841010489dd43e1a01a9ec3a6813d121c28",
"zh:9a617927d4a3a2897ff10999a19a6d1f0ef634b8c6b8fc3be12cf53948cfd9cf",
"zh:cab3c82c54e38e6001eed5b80a2d16b7824921f8f8b3909049e174c48e6e8804",
"zh:f78cc685aa4ba5056ea53a7f8ce585f87a911f0a8a387a44a33d7dfb69db7663",
]
}

View File

@ -6,6 +6,16 @@ resource "linode_instance" "casey" {
private_ip = true
}
resource "linode_ipv6_range" "casey_extra" {
linode_id = linode_instance.casey.id
prefix_length = 64
}
locals {
private_ipv6_marker = cidrhost(linode_ipv6_range.casey_extra.id, 1)
private_ipv6_range = cidrsubnet(linode_ipv6_range.casey_extra.id, 64, 1)
}
resource "linode_firewall" "casey" {
label = "casey"
linodes = [linode_instance.casey.id]
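Review bot: `cidrsubnet(linode_ipv6_range.casey_extra.id, 64, 1)` takes a /64 and adds 64 new bits, which yields a /128, i.e. the single `...::1` address that `cidrhost(..., 1)` on the line above already produces, so `private_ipv6_range` is not a range. If a sub-prefix for hosts behind casey is intended, use a smaller newbits value (for example `cidrsubnet(..., 16, 1)` for a /80); if a single address was intended, drop the second local and reuse the marker. Either way, confirm that the `linode_ipv6_range` `id` is the `range/prefix_length` CIDR form these functions need rather than a bare address.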

View File

@ -2,6 +2,8 @@ resource "local_file" "hosts" {
content = yamlencode({
vps_hosts : {
casey_ip : linode_instance.casey.ip_address,
private_ipv6_marker : local.private_ipv6_marker,
private_ipv6_range : local.private_ipv6_range,
walker_ip : vultr_instance.walker.main_ip,
}
})

View File

@ -127,7 +127,7 @@ resource "cloudflare_record" "jakehowardtech_calibre" {
resource "cloudflare_record" "jakehowardtech_homeassistant" {
zone_id = cloudflare_zone.jakehowardtech.id
name = "homeassistant"
value = cloudflare_record.sys_domain_pve.hostname
value = cloudflare_record.sys_domain_pve_private.hostname
type = "CNAME"
ttl = 1
}
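Review bot: `cloudflare_record.sys_domain_pve_private` is an AAAA-only name (see the sys domain hunk), so this CNAME makes `homeassistant` resolve to nothing but the private IPv6 marker; any client without an IPv6 path to that address (an IPv4-only network, or a tailnet peer not routed to the /64) now fails to connect instead of falling back to the old A record. Confirm that is intended and that no remaining integration such as the mobile app or inbound webhooks still needs the public path.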
@ -143,7 +143,7 @@ resource "cloudflare_record" "jakehowardtech_grafana" {
resource "cloudflare_record" "jakehowardtech_vaultwarden" {
zone_id = cloudflare_zone.jakehowardtech.id
name = "vaultwarden"
value = cloudflare_record.sys_domain_pve.hostname
value = cloudflare_record.sys_domain_pve_private.hostname
type = "CNAME"
ttl = 1
}
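Review bot: this flip and the `tailscale-only@file` middleware added to the vaultwarden router are two independent controls, which is good, but they fail differently: the DNS change silently breaks Bitwarden clients that lack IPv6 reachability, while the middleware returns an explicit 403. Before merging, test a client sync from a tailnet device on an IPv4-only network, since the AAAA target has no A record to fall back to.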
@ -253,6 +253,22 @@ resource "cloudflare_record" "jakehowardtech_headscale" {
ttl = 1
}
resource "cloudflare_record" "jakehowardtech_slides" {
zone_id = cloudflare_zone.jakehowardtech.id
name = "slides"
value = cloudflare_record.sys_domain_walker.hostname
type = "CNAME"
ttl = 1
}
resource "cloudflare_record" "jakehowardtech_uptime" {
zone_id = cloudflare_zone.jakehowardtech.id
name = "uptime"
value = cloudflare_record.sys_domain_pve.hostname
type = "CNAME"
ttl = 1
}
resource "cloudflare_record" "jakehowardtech_caa" {
zone_id = cloudflare_zone.jakehowardtech.id
name = "@"
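Review bot: `jakehowardtech_uptime` targets `sys_domain_pve`, the public A record, while `homeassistant` and `vaultwarden` in this same change move to `sys_domain_pve_private`; if the Uptime Kuma dashboard is not meant to be public, point it at the private record or apply the same tailscale-only middleware in `file-provider-uptime-kuma.yml`, and if it is meant as a public status page, note that the compose file in this change also binds port 3001 on the host directly. The `jakehowardtech_slides` record looks fine as a plain CNAME to walker.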

View File

@ -37,3 +37,11 @@ resource "cloudflare_record" "sys_domain_pve" {
type = "A"
ttl = 1
}
resource "cloudflare_record" "sys_domain_pve_private" {
zone_id = cloudflare_zone.theorangeonenet.id
name = "pve-private.sys"
value = local.private_ipv6_marker
type = "AAAA"
ttl = 1
}
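Review bot: publishing `local.private_ipv6_marker` under `pve-private.sys` in a public zone is fine, but "private" here is only a naming convention: the address comes from a Linode-routed /64, so reachability is decided by the casey firewall and the tailnet, not by the name. The record also only works once the host actually has `cidrhost(range, 1)` configured on an interface; that assignment is outside this hunk (the value is exported via hosts.yml), so the Ansible side must apply it before the CNAMEs in this change switch over.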

View File

@ -18,11 +18,11 @@ terraform {
}
gandi = {
source = "go-gandi/gandi"
version = "2.2.3"
version = "2.3.0"
}
b2 = {
source = "Backblaze/b2"
version = "0.8.7"
version = "0.8.9"
}
}
}

View File

@ -26,6 +26,14 @@ resource "cloudflare_record" "theorangeonenet_whoami_cdn" {
ttl = 1
}
resource "cloudflare_record" "theorangeonenet_whoami_private" {
zone_id = cloudflare_zone.theorangeonenet.id
name = "whoami-private"
value = cloudflare_record.sys_domain_pve_private.hostname
type = "CNAME"
ttl = 1
}
resource "cloudflare_record" "theorangeonenet_mx1" {
zone_id = cloudflare_zone.theorangeonenet.id
name = "@"