Update Terraform aws to v5

Makes organising much simpler

ansible/group_vars/all/pve.yml

@@ -1,5 +1,6 @@
 pve_hosts:
   internal_cidr: 10.23.1.0/24
+  internal_cidr_ipv6: fde3:15e9:e883::1/48
   pve:
     ip: 10.23.1.1
     external_ip: 192.168.2.200
@@ -7,17 +8,19 @@ pve_hosts:
     ip: 10.23.1.11
   forrest:
     ip: 10.23.1.13
+    ipv6: fde3:15e9:e883::103
   jellyfin:
     ip: 10.23.1.101
   dokku:
     ip: 10.23.1.102
   docker:
     ip: 10.23.1.103
+    ipv6: fde3:15e9:e883::203
   ingress:
     ip: 10.23.1.10
     external_ip: 192.168.2.201
     external_ipv6: "{{ vault_ingress_ipv6 }}"
-    link_local: fe80::d4e4:22ff:fe8b:429d
+    ipv6: fde3:15e9:e883::100
   homeassistant:
     ip: 192.168.2.203
   qbittorrent:

ansible/host_vars/pve-docker/main.yml

@@ -4,6 +4,7 @@ traefik_provider_jellyfin: true
 traefik_provider_homeassistant: true
 traefik_provider_grafana: true
 traefik_provider_dokku: true
+traefik_provider_uptime_kuma: true
 
 with_fail2ban: true
 

ansible/main.yml

@@ -17,6 +17,7 @@
     - fail2ban_ssh
     - restic
     - artis3n.tailscale
+    - glinet_vpn
 
 - hosts:
     - pve
@@ -95,7 +96,8 @@
 
 - hosts: forrest
   roles:
-    - forrest
+    - prometheus
+    - uptime_kuma
     - pve_nebula_route
     - pve_tailscale_route
 

ansible/roles/base/files/ssh-jail.conf

@@ -4,4 +4,4 @@ bantime  = 600
 findtime = 30
 maxretry = 5
 port     = {{ ssh_port }},ssh
-ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ tailscale_cidr }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ tailscale_cidr }}

ansible/roles/db_auto_backup/files/docker-compose.yml

@@ -13,7 +13,7 @@ services:
       - docker_proxy
 
   docker_proxy:
-    image: tecnativa/docker-socket-proxy:latest
+    image: lscr.io/linuxserver/socket-proxy:latest
     restart: unless-stopped
     environment:
       - POST=1

ansible/roles/gateway/files/nginx-fail2ban-jail.conf

@@ -6,9 +6,9 @@ maxretry = 100
 filter   = nginx-tcp
 logpath  = /var/log/nginx/ips.log
 port     = http,https,8448
-ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
 
 [traefik]
 enabled = true
 port     = http,https,8448
-ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}

ansible/roles/glinet_vpn/files/client.conf

@@ -0,0 +1,10 @@
+[Interface]
+Address = {{ client_cidr }}
+PrivateKey = {{ client_private_key }}
+
+[Peer]
+PublicKey = {{ server_public_key }}
+Endpoint = {{ server_public_ip }}:53
+AllowedIPs = 0.0.0.0/0 ::/0
+
+PersistentKeepalive = 25

ansible/roles/glinet_vpn/files/server.conf

@@ -0,0 +1,14 @@
+[Interface]
+Address = {{ server_ip }}
+PrivateKey = {{ server_private_key }}
+ListenPort = 53
+
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+[Peer]
+PublicKey = {{ client_public_key }}
+AllowedIPs = {{ client_cidr }}

ansible/roles/glinet_vpn/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: restart wireguard
+  service:
+    name: wg-quick@glinet
+    state: restarted
+  become: true

ansible/roles/glinet_vpn/tasks/main.yml

@@ -0,0 +1,34 @@
+- name: Include vault
+  include_vars: vault.yml
+
+- name: Install wireguard tools
+  package:
+    name: "{{ item }}"
+  become: true
+  loop:
+    - wireguard-tools
+    - qrencode
+
+- name: Wireguard server config
+  template:
+    src: files/server.conf
+    dest: /etc/wireguard/glinet.conf
+    mode: "0600"
+    backup: true
+  become: true
+  notify: restart wireguard
+
+- name: Wireguard client config
+  template:
+    src: files/client.conf
+    dest: "{{ me.home }}/glinet-vpn.conf"
+    mode: "0600"
+    owner: "{{ me.user }}"
+  become: true
+  notify: restart wireguard
+
+- name: Enable wireguard
+  service:
+    name: wg-quick@glinet
+    enabled: true
+  become: true

ansible/roles/glinet_vpn/vars/main.yml

@@ -0,0 +1,8 @@
+client_public_key: "{{ vault_client_public_key }}"
+client_private_key: "{{ vault_client_private_key }}"
+client_cidr: 10.23.4.2/24
+
+server_public_key: "{{ vault_server_public_key }}"
+server_private_key: "{{ vault_server_private_key }}"
+server_public_ip: "{{ ansible_default_ipv4.address }}"
+server_ip: 10.23.4.1

ansible/roles/glinet_vpn/vars/vault.yml

@@ -0,0 +1,19 @@
+$ANSIBLE_VAULT;1.1;AES256
+35366163656631633636333937333238346539653236323463316333356637623263326436623130
+3333616234643935306337386165623734333265663237610a326538636532643835373137316333
+30363133343035353235616639613637353435303863393130396261623063633836383430326530
+3634313639353264310a393266313230646132656561393737363834646566313765633235343139
+36303834353039303134393061386634373735316135656564386464363863376265633239313037
+62616535313239353233376163343437303933346264323266386533336138656135663664356164
+65643262303436343164613133333361393438616234616566336131636461383538326130623264
+62313134386430636665646539306661383039323339373838346164653836326536386332616634
+34313331623166356137363131356130623863313339663938386138643538323666616239656662
+36313534323237306631663931633830346565616139313864333762356330643131343630653535
+62323939376163363436336633386433323435316535623462353138386430333332653966383262
+33636534346466326631333362343638616332633163623533613364326665376565643739666261
+34646533613133313034366636623134613336623134356562393335313337336336623634336633
+66623365353866396564386536386330353537383866616665373762306530356333643265326537
+38353138626331623433643636623130613766616638343034633536306232316133303133356463
+36616665643264396137336234316466306238303461363531653461623834376361653334326235
+31366530636565383062313562663639393534373737363465656538393266363936333136636161
+3239303565613865633433313237393932306632633633373261

ansible/roles/headscale/files/acls.json

@@ -0,0 +1,13 @@
+{
+    "tagOwners": {
+        "tag:client": []
+
+    },
+    "acls": [
+        {
+            "action": "accept",
+            "src": ["tag:client"],
+            "dst": ["*:*"]
+        }
+    ]
+}

ansible/roles/headscale/files/headscale.yml

@@ -188,7 +188,7 @@ log:
 # Path to a file containg ACL policies.
 # ACLs can be defined as YAML or HUJSON.
 # https://tailscale.com/kb/1018/acls/
-acl_policy_path: ""
+acl_policy_path: /etc/headscale/acls.json
 
 ## DNS
 #

ansible/roles/headscale/tasks/main.yml

@@ -11,7 +11,16 @@
     src: files/headscale.yml
     dest: /etc/headscale/config.yaml
     owner: headscale
-    mode: "0644"
+    mode: "0600"
+  notify: restart headscale
+  become: true
+
+- name: Install ACLs
+  template:
+    src: files/acls.json
+    dest: /etc/headscale/acls.json
+    owner: headscale
+    mode: "0600"
   notify: restart headscale
   become: true
 

ansible/roles/prometheus/files/prometheus/blackbox.yml

@@ -2,8 +2,6 @@ modules:
   http:
     prober: http
     timeout: 10s
-    http:
-      preferred_ip_protocol: ip4  # Docker network is v4 only
 
   https_redir:
     prober: http
@@ -16,7 +14,6 @@ modules:
       fail_if_header_not_matches:
         - header: Location
           regexp: ^https
-      preferred_ip_protocol: ip4  # Docker network is v4 only
 
   icmp:
     prober: icmp

ansible/roles/prometheus/files/prometheus/docker-compose.yml

@@ -56,3 +56,5 @@ services:
 networks:
   grafana:
     external: true
+  default:
+    enable_ipv6: true

ansible/roles/prometheus/tasks/main.yml

@@ -28,7 +28,7 @@
       - add
       - "{{ vps_hosts.private_ipv6_range }}"
       - via
-      - "{{ pve_hosts.ingress.link_local }}"
+      - "{{ pve_hosts.ingress.ipv6 }}"
       - dev
       - eth0
   become: true

ansible/roles/renovate/files/docker-compose.yml

@@ -25,7 +25,7 @@ services:
       - ./redis:/data
 
   docker_proxy:
-    image: tecnativa/docker-socket-proxy:latest
+    image: lscr.io/linuxserver/socket-proxy:latest
     restart: unless-stopped
     environment:
       - POST=1

ansible/roles/traefik/defaults/main.yml

@@ -2,5 +2,6 @@ traefik_provider_jellyfin: false
 traefik_provider_homeassistant: false
 traefik_provider_grafana: false
 traefik_provider_dokku: false
+traefik_provider_uptime_kuma: false
 
 with_fail2ban: false

ansible/roles/traefik/files/docker-compose.yml

@@ -23,7 +23,7 @@ services:
       - proxy_private
 
   docker_proxy:
-    image: tecnativa/docker-socket-proxy:latest
+    image: lscr.io/linuxserver/socket-proxy:latest
     restart: unless-stopped
     environment:
       - CONTAINERS=1

ansible/roles/traefik/files/fail2ban/traefik-jail.conf

@@ -6,5 +6,5 @@ maxretry = 5
 filter   = traefik
 logpath = /tmp/traefik-logs/access.log
 port     = http,https
-ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
 action = gateway

ansible/roles/traefik/files/file-provider-main.yml

@@ -15,6 +15,7 @@ http:
           - "{{ tailscale_cidr }}"
           - "{{ tailscale_cidr_ipv6 }}"
           - "{{ pve_hosts.forrest.ip }}"
+          - "{{ pve_hosts.forrest.ipv6 }}"
 
     private-access:
       ipWhiteList:
@@ -23,3 +24,4 @@ http:
           - "{{ tailscale_cidr_ipv6 }}"
           - "{{ nebula.cidr }}"
           - "{{ pve_hosts.internal_cidr }}"
+          - "{{ pve_hosts.internal_cidr_ipv6 }}"

ansible/roles/traefik/files/file-provider-uptime-kuma.yml

@@ -0,0 +1,10 @@
+http:
+  routers:
+    router-uptime-kuma:
+      rule: Host(`uptime.jakehoward.tech`)
+      service: service-uptime-kuma
+  services:
+    service-uptime-kuma:
+      loadBalancer:
+        servers:
+          - url: http://{{ pve_hosts.forrest.ip }}:3001

ansible/roles/traefik/tasks/main.yml

@@ -101,6 +101,16 @@
   when: traefik_provider_dokku
   become: true
 
+- name: Install dokku provider
+  template:
+    src: files/file-provider-uptime-kuma.yml
+    dest: /opt/traefik/traefik/conf/uptime-kuma.yml
+    mode: "{{ docker_compose_file_mask }}"
+    owner: "{{ docker_user.name }}"
+  notify: restart traefik
+  when: traefik_provider_uptime_kuma
+  become: true
+
 - name: logrotate config
   template:
     src: files/logrotate.conf

ansible/roles/uptime_kuma/files/docker-compose.yml

@@ -0,0 +1,18 @@
+version: "2.3"
+
+services:
+  uptime-kuma:
+    image: louislam/uptime-kuma:1.23.13-alpine
+    environment:
+      - TZ={{ timezone }}
+      - PUID={{ docker_user.id }}
+      - PGID={{ docker_user.id }}
+    ports:
+      - "{{ pve_hosts.forrest.ip }}:3001:3001"
+    volumes:
+      - "{{ app_data_dir }}/uptime-kuma:/app/data"
+    restart: unless-stopped
+
+networks:
+  default:
+    enable_ipv6: true

ansible/roles/uptime_kuma/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart uptime-kuma
+  shell:
+    chdir: /opt/uptime-kuma
+    cmd: "{{ docker_update_command }}"

ansible/roles/uptime_kuma/tasks/main.yml

@@ -0,0 +1,17 @@
+- name: Create install directory
+  file:
+    path: /opt/uptime-kuma
+    state: directory
+    owner: "{{ docker_user.name }}"
+    mode: "{{ docker_compose_directory_mask }}"
+  become: true
+
+- name: Install compose file
+  template:
+    src: files/docker-compose.yml
+    dest: /opt/uptime-kuma/docker-compose.yml
+    mode: "{{ docker_compose_file_mask }}"
+    owner: "{{ docker_user.name }}"
+    validate: docker-compose -f %s config
+  notify: restart uptime-kuma
+  become: true

terraform/.terraform.lock.hcl

@@ -83,38 +83,38 @@ provider "registry.terraform.io/go-gandi/gandi" {
 }
 
 provider "registry.terraform.io/hashicorp/aws" {
-  version     = "5.46.0"
-  constraints = "5.46.0"
+  version     = "5.47.0"
+  constraints = "5.47.0"
   hashes = [
-    "h1:5ZKYRgMGtlJmD1/6RZJdFARanH794PWc/s6nSwkFQaI=",
-    "h1:7Ezs9Mc4Q9E+2mnGmsKy83Xgb+hR1vJ3vKYpbh7CNa8=",
-    "h1:8A5GryYhkksQpyFMzFRf9r5sGQGjutgl1pVzVNdN/R0=",
-    "h1:9sAksRRzhp/6+DETkVHYLQkBZHphLhwy5wOUVgMyjhk=",
-    "h1:A9U3NAZnik9PWuJCMzSFFm1x2ogFkiVSyFu+cSNjnq8=",
-    "h1:GK1y1qAGcPHPZxz01Ko6v+815T7kZPXt6POBsLg9c/k=",
-    "h1:LsxgUPEX80bd4+2hj5y+jeK3kMSzFeu4qdVLF/9I6m0=",
-    "h1:YRVTvSucPHiuLbtUvkbjka1hULwe/2gtuknZKZwXyZo=",
-    "h1:bGEG0vS4seLpWWXVPnOqjhD1s6hkZB7etQIwOSSd00U=",
-    "h1:d0Mf33mbbQujZ/JaYkqmH5gZGvP+iEIWf9yBSiOwimE=",
-    "h1:gagAtniijwJRhsKRBWWZfmnPiqu4u1A5oI626+KA/1g=",
-    "h1:j0qG09doLdsct8rFSlPFVYHFVWL5H7+8j9PPJNDPfb0=",
-    "h1:t2QzxmqmIE5ZhEzmYqiB/i9tUarkx7yXohCQGCwimwY=",
-    "h1:z5z80MeL9wrHfVmfikGPwiXGcDM0nhOtL9EdF+PogUI=",
-    "zh:05ae6180a7f23071435f6e5e59c19af0b6c5da42ee600c6c1568c8660214d548",
-    "zh:0d878d1565d5e57ce6b34ec5f04b28662044a50c999ec5770c374aa1f1020de2",
-    "zh:25ef1467af2514d8011c44759307445f7057836ff87dfe4503c3e1c9776d5c1a",
-    "zh:26c006df6200f0063b827aab05bec94f9f3f77848e82ed72e48a51d1170d1961",
-    "zh:37cdf4292649a10f12858622826925e18ad4eca354c31f61d02c66895eb91274",
-    "zh:4315b0433c2fc512666c74e989e2d95240934ef370bea1c690d36cb02d30c4ce",
-    "zh:75df0b3f631b78aeff1832cc77d99b527c2a5e79d40f7aac40bdc4a66124dac2",
-    "zh:90693d936c9a556d2bf945de4920ff82052002eb73139bd7164fafd02920f0ef",
+    "h1:+/rfprjxG2nw+dBckcNAjnVplMI6iZRP5W5Rp/QuOOI=",
+    "h1:49aEnvHJ/M8BRGAXKzU6W3zSbf7HgIrjXkXjC5DGEWY=",
+    "h1:GZQJi9mfuKBkN5MCba5nHSG3kAJJf7OoxQcFgIpuPCw=",
+    "h1:Hgmp83b9O0IWM6fZe24mG68qLqADc+zJWr9j1k0Y0yo=",
+    "h1:QCSiGZUoSBrE6cKEfNgYMeWzMFKzhSxZm9+0LsFFgy8=",
+    "h1:T0tupfn2Ubj18Y7xmO0pFMvti1Qns2K6EGXenR6Hg30=",
+    "h1:YwFs04Ji9DNgFPsPzcI063GaAHSGWAjwza4hmRJ4/4s=",
+    "h1:bCETSNoRRe780zsdTWW86HvDl2ZU/YSAcI1Aazk5sI8=",
+    "h1:bZEm2TDCM7jmpNXK6QOWsT1YU8GiGGQaraUvwO887U8=",
+    "h1:omGP1+g5q6PzAZp6+iOtphnpOkw30kN1M4ep8OyqHvY=",
+    "h1:s3E1+BOjrtwcqDVWB0XKiM/sPQA5hCPK1DUvfz72eK4=",
+    "h1:tz5Qe3Jcnjnx8HrjI8JnfWxE+qxBU5n5xtZ5Xnd3CJI=",
+    "h1:wL18wmuA6Isu5XOtA8maC47FpHzcSKs0+FcTBghCx8Y=",
+    "h1:ziBVN+ogKy/r9gcTz0A93axxRZ2YD6Aaf5KPN5TYFUE=",
+    "zh:06037a14e47e8f82d0b3b326cd188566272b808b7970a9249a11db26d475b83d",
+    "zh:116b7dd58ca964a1056249d2b6550f399b0a6bc9a7920b7ee134242114432c9f",
+    "zh:1aa089c81459071c1d65ba7454f1122159e1fa1b5384e6e9ef85c8264f8a9ecb",
+    "zh:2c1471acba40c4944aa88dda761093c0c969db6408bdc1a4fb62417788cd6bb6",
+    "zh:3b950bea06ea4bf1ec359a97a4f1745b7efca7fc2da368843666020dd0ebc5d4",
+    "zh:7191c5c2fce834d584153dcd5269ed3042437f224d341ad85df06b2247bd09b2",
+    "zh:76d841b3f247f9bb3899dec3b4d871613a4ae8a83a581a827655d34b1bbee0ee",
+    "zh:7c656ce252fafc2c915dad43a0a7da17dba975207d75841a02f3f2b92d51ec25",
+    "zh:8ec97118cbdef64139c52b719e4e22443e67a1f37ea1597cd45b2e9b97332a35",
     "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
-    "zh:c9177ad09804c60fd2ed25950570407b6bdcdf0fcc309e1673b584f06a827fae",
-    "zh:ca8e8db24a4d62d92afd8d3d383b81a08693acac191a2e0a110fb46deeff56a3",
-    "zh:d5fa3a36e13957d63bfe9bbd6df0426a2422214403aac9f20b60c36f8d9ebec6",
-    "zh:e4ede44a112296c9cc77b15e439e41ee15c0e8b3a0dec94ae34df5ebba840e8b",
-    "zh:f2d4de8d8cde69caffede1544ebea74e69fcc4552e1b79ae053519a05c060706",
-    "zh:fc19e9266b1841d4a3aeefa8a5b5ad6988baed6540f85a373b6c2d0dc1ca5830",
+    "zh:a369deca7938236a7da59f7ad1fe18137f736764c9015ed10e88edb6e8505980",
+    "zh:a743882fb099401eae0c86d9388a6faadbbc27b2ac9477aeef643e5de4eec3f9",
+    "zh:d5f960f58aff06fc58e244fea6e665800384cacb8cd64a556f8e145b98650372",
+    "zh:e31ffcfd560132ffbff2f574928ba392e663202a750750ed39a8950031b75623",
+    "zh:ebd9061b92a772144564f35a63d5a08cb45e14a9d39294fda185f2e0de9c8e28",
   ]
 }
 

terraform/casey_vps.tf

@@ -101,15 +101,6 @@ resource "linode_firewall" "casey" {
     ipv4     = ["0.0.0.0/0"]
     ipv6     = ["::/0"]
   }
-
-  inbound {
-    label    = "allow-inbound-tailscale"
-    action   = "ACCEPT"
-    protocol = "UDP"
-    ports    = "41641"
-    ipv4     = ["0.0.0.0/0"]
-    ipv6     = ["::/0"]
-  }
 }
 
 resource "linode_rdns" "casey_reverse_ipv4" {

terraform/jakehoward.tech.tf

@@ -261,6 +261,14 @@ resource "cloudflare_record" "jakehowardtech_slides" {
   ttl     = 1
 }
 
+resource "cloudflare_record" "jakehowardtech_uptime" {
+  zone_id = cloudflare_zone.jakehowardtech.id
+  name    = "uptime"
+  value   = cloudflare_record.sys_domain_pve.hostname
+  type    = "CNAME"
+  ttl     = 1
+}
+
 resource "cloudflare_record" "jakehowardtech_caa" {
   zone_id = cloudflare_zone.jakehowardtech.id
   name    = "@"

terraform/terraform.tf

@@ -10,7 +10,7 @@ terraform {
     }
     aws = {
       source  = "hashicorp/aws"
-      version = "5.46.0"
+      version = "5.47.0"
     }
     linode = {
       source  = "linode/linode"