

28 Commits

Renovate be41038108 Update dependency ansible-lint to v24.2.3
2024-04-30 14:00:21 +01:00
Jake Howard c93c7b5c16
Use external DNS for uptime-kuma
Keep the AGH logs cleaner
2024-04-29 18:42:17 +01:00
Jake Howard 2a799d6b03
Scrape Uptime Kuma with prometheus
2024-04-29 14:28:58 +01:00
Jake Howard afa926c767
Remove blackbox monitoring
Uptime-Kuma is great
2024-04-29 14:12:21 +01:00
Jake Howard 5481554e15
Only install compose on debian
The rest will get it through the system package manager
2024-04-27 17:42:24 +01:00
Jake Howard e2a94b6302
Install hetzner provider 2024-04-27 16:54:32 +01:00
Renovate 6c8cab3ce7 Update louislam/uptime-kuma Docker tag to v1.23.13
2024-04-25 10:00:20 +01:00
Jake Howard 670ad78d44
Add wireguard config for glinet router
2024-04-23 22:19:57 +01:00
Jake Howard 8929a22ce5
Use LSIO docker socket proxy
2024-04-23 19:52:48 +01:00
Jake Howard ee96e6ab08
Rename forrest role to prometheus
Makes organising much simpler
2024-04-21 19:47:02 +01:00
Jake Howard ffbba254fb
Remove redundant quotes 2024-04-21 18:11:57 +01:00
Jake Howard c472411801
Deploy uptime-kuma 2024-04-21 18:11:39 +01:00
Jake Howard 7564911da3
Add IPv6 to blackbox
This is needed to monitor private services
2024-04-20 18:12:38 +01:00
Jake Howard 7ff44ee238
Add IPv6 to proxmox internal network 2024-04-20 18:00:08 +01:00
Jake Howard 7c8d224c4a
Add headscale ACLs
Tags are managed entirely server side, so there are no priv esc issues.

This lets my devices do what they want, and server style devices can't do anything.
2024-04-20 15:46:21 +01:00
Renovate 7bc0ebeb26 Update traefik Docker tag to v2.11
2024-04-15 17:43:05 +01:00
Jake Howard 33f9c544fd
Remove /tt-rss/ path from URL
2024-04-15 17:33:36 +01:00
Jake Howard b6583cc823
Update Nextcloud version in config
2024-04-15 15:28:16 +01:00
Jake Howard 9c02017fed
Unpin tandoor 2024-04-15 15:28:16 +01:00
Renovate 91ec56717f Update dependency artis3n.tailscale to v4.4.4
2024-04-15 15:07:14 +01:00
Renovate 3318656730 Update dependency geerlingguy.ntp to v2.4.0
2024-04-15 15:06:23 +01:00
Renovate 9d98d88089 Update lscr.io/linuxserver/nextcloud Docker tag to v28.0.4
2024-04-15 15:02:53 +01:00
Renovate c882e246ab Update Terraform gandi to v2.3.0
2024-04-15 14:40:48 +01:00
Renovate 67af033fcd Update dependency dokku_bot.ansible_dokku to v2024
2024-04-15 14:36:50 +01:00
Renovate cee3679504 Update Terraform b2 to v0.8.9
2024-04-15 14:27:12 +01:00
Renovate 5330fdc56f Update ghcr.io/goauthentik/server Docker tag to v2024
2024-04-15 14:11:11 +01:00
Renovate 2e0b562f5d Update matrixdotorg/synapse Docker tag to v1.104.0
2024-04-15 13:58:20 +01:00
Renovate 989a804bad Update wallabag/wallabag Docker tag to v2.6.9
2024-04-03 12:00:18 +01:00
51 changed files with 366 additions and 174 deletions


@ -1,4 +1,4 @@
ansible-lint==24.2.2
ansible-lint==24.2.3
yamllint==1.33.0
ansible
passlib


@ -10,15 +10,15 @@ roles:
- src: geerlingguy.docker
version: 6.2.0
- src: geerlingguy.ntp
version: 2.3.3
version: 2.4.0
- src: realorangeone.reflector
- src: ironicbadger.proxmox_nag_removal
version: 1.0.2
- src: ironicbadger.snapraid
version: 1.0.0
- src: dokku_bot.ansible_dokku
version: v2022.10.17
version: v2024.4.11
- src: geerlingguy.certbot
version: 5.1.0
- src: artis3n.tailscale
version: v4.4.2
version: v4.4.4


@ -1,5 +1,6 @@
pve_hosts:
internal_cidr: 10.23.1.0/24
internal_cidr_ipv6: fde3:15e9:e883::1/48
pve:
ip: 10.23.1.1
external_ip: 192.168.2.200
@ -7,17 +8,19 @@ pve_hosts:
ip: 10.23.1.11
forrest:
ip: 10.23.1.13
ipv6: fde3:15e9:e883::103
jellyfin:
ip: 10.23.1.101
dokku:
ip: 10.23.1.102
docker:
ip: 10.23.1.103
ipv6: fde3:15e9:e883::203
ingress:
ip: 10.23.1.10
external_ip: 192.168.2.201
external_ipv6: "{{ vault_ingress_ipv6 }}"
link_local: fe80::d4e4:22ff:fe8b:429d
ipv6: fde3:15e9:e883::100
homeassistant:
ip: 192.168.2.203
qbittorrent:
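Review bot: `internal_cidr_ipv6: fde3:15e9:e883::1/48` is a host address with a prefix length, not a network prefix like the IPv4 `internal_cidr: 10.23.1.0/24` beside it. The value is consumed as a network in the fail2ban `ignoreip` lists and in the Traefik `ipWhiteList` sourceRange later in this compare; whether those parsers mask off the host bits is implementation-dependent, so writing it as `internal_cidr_ipv6: fde3:15e9:e883::/48` removes the reliance. The same value is used unchanged in the three fail2ban jail hunks and the Traefik middleware hunk below.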


@ -4,6 +4,7 @@ traefik_provider_jellyfin: true
traefik_provider_homeassistant: true
traefik_provider_grafana: true
traefik_provider_dokku: true
traefik_provider_uptime_kuma: true
with_fail2ban: true


@ -17,6 +17,7 @@
- fail2ban_ssh
- restic
- artis3n.tailscale
- glinet_vpn
- hosts:
- pve
@ -43,6 +44,7 @@
become: true
vars:
docker_install_compose_plugin: "{{ ansible_os_family == 'Debian' }}"
docker_install_compose: "{{ ansible_os_family == 'Debian' }}"
docker_users:
- "{{ me.user }}"
- docker_cleanup
@ -95,7 +97,8 @@
- hosts: forrest
roles:
- forrest
- prometheus
- uptime_kuma
- pve_nebula_route
- pve_tailscale_route


@ -21,7 +21,7 @@ x-env: &env
services:
server:
image: ghcr.io/goauthentik/server:2023.10
image: ghcr.io/goauthentik/server:2024.2
restart: unless-stopped
command: server
user: "{{ docker_user.id }}"
@ -44,7 +44,7 @@ services:
- traefik
worker:
image: ghcr.io/goauthentik/server:2023.10
image: ghcr.io/goauthentik/server:2024.2
restart: unless-stopped
command: worker
user: "{{ docker_user.id }}"


@ -4,4 +4,4 @@ bantime = 600
findtime = 30
maxretry = 5
port = {{ ssh_port }},ssh
ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ tailscale_cidr }}
ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ tailscale_cidr }}


@ -13,7 +13,7 @@ services:
- docker_proxy
docker_proxy:
image: tecnativa/docker-socket-proxy:latest
image: lscr.io/linuxserver/socket-proxy:latest
restart: unless-stopped
environment:
- POST=1
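Review bot: The `docker_proxy` service is swapped to `lscr.io/linuxserver/socket-proxy` but stays on a floating `:latest` tag, and this is the container that holds the Docker socket, so whatever that tag resolves to is effectively root on the host. A component with that reach is the one most worth pinning to a release tag or digest that Renovate can bump, as most other images in this compare are. The environment flags such as `POST=1` are carried over from the tecnativa image; the linuxserver image documents the same variable names, but its defaults may differ, so the effective allow-list of API endpoints should be re-checked after the switch. The same swap appears in the two later `docker_proxy` hunks.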


@ -1,52 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
36623535313964653161353330663436356239613837653837393939373034353031646535333535
6439313832316239616233306632373934616134616466380a316361363263373938636161666535
31613461333637373732626233623434316335353964353433643635653566613933393361336139
3864373963396264320a376634346331373762313733323961386566646338633936303631303566
66616534326430653266396635353932623661363533356537636662636537656434363562646230
30613831336561376639393466373739373138313931333163353061633465623362666564313631
66623235353531613737643937613430323934376433393836346339626137616561313062663234
63363736326439623661376132613136383465393761653236663631613339653066356436653630
66623865303735616335373231643233386639323838353534613337316161633765396234366533
33616631663530643764373937346262633734366339303837393737666665363465333239343933
35613962396534336232623833303034643639323931633966396439383463396261313862626335
31323434613838353961336136613966636635646632393839663664376632373834313265643338
30663132633362323831313231333164643665386535323231646262656631383631393539616639
34343563353064303833383236626136666264316236316537333965313162616637323966363335
32353936663162316564306337353861396634353935353935306135343665316262643831396537
61393266383538666563363261646534636632303332343662636631316663343930303766623638
35376565343638316339623061396536643636313966383633346231633631353032356661386132
66623439336338616666626431303635373833666137326234653161336434346133636261363662
39313732303736386137656664303365363234336265643064306562643435633838373864353862
33366635333630373162656630666232333563623066333461653963363961623435646631373561
64643738346138366566303233326663383835386132663034313461383161616164636332396332
37663131386135393833373461663432666264363065666630646164633134303439663435616235
35656234313761376532306264393637653433623863383830323935316332383338623134323366
31336665386137323132363962363335623635336131373930353635353663333366363266303138
35626262613261636561373730626635303836623561643436646430653365663432323938393863
63633331663462323163646237386262376337313330323036613434383165616530643362616131
63616562353964316634646434653138333266646633616631653663663838306163616633643234
61333230373237613436343662363434303766383336376232353066313231666330613761643366
36326638326439653966643430313366376661633636366565393461623438323366373333663633
61633763623631333665363333646433656166633364303836623566333336343761613435353138
37366165613263653564386334303030623333646164303662363065333831376334656537613130
33373864663237383064653461616165653834393063663332643235316139333539623463343161
38636564626466633631393938653066373764663935353763626133623762306164383831663061
34333065326666373337663931313763383739383763333235333939376133363236643136346233
62643833376631643036613963643939333133343036613332313866373032646332363231313139
61373365653665343066636162356336373833393363373866343436323639623435383831363335
30333033326638363930613030356664333233633339666366643062353634333161343838666231
32346332663538653937623136653438636463323463376263303962353562313833373937303066
65303037323030653434313164393766633134306435633263363335636561356264376665363639
35613731373437386566663266656266343639326334303239613862353963323436633836383766
35323930633039396535616265643234303639393035363865643236623838333337626135343665
36373038666332376663333565623362303631663830336131343438353764653831633433363436
36333839303433623966363561313564303037393165383732323763353232653564346138666438
30653836626139356133346538616135313034633966373036303461393562363336386633626365
33393565643730383634346238356462313435366538636234656237613864656165656439363061
32626235323362333239373631383830653035383164646364343461376562636564343063353139
61306535333466653937303635353962376162376431336563316130343530636431623537633332
65373333376338353930316561636530343062653964323463653632653332376432343237656465
63333437613064313438353134333566303033313339323162643061363836643931343135396130
32623435653533326563616263323938343332306362383034663139653965626231336637383939
313534343431303739396263303737303365


@ -6,9 +6,9 @@ maxretry = 100
filter = nginx-tcp
logpath = /var/log/nginx/ips.log
port = http,https,8448
ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
[traefik]
enabled = true
port = http,https,8448
ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}


@ -0,0 +1,10 @@
[Interface]
Address = {{ client_cidr }}
PrivateKey = {{ client_private_key }}
[Peer]
PublicKey = {{ server_public_key }}
Endpoint = {{ server_public_ip }}:53
AllowedIPs = 0.0.0.0/0 ::/0
PersistentKeepalive = 25
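Review bot: The client's private key is rendered from the server-side vault (`PrivateKey = {{ client_private_key }}`), so the server and the vault hold both halves of the peer pair; the usual WireGuard arrangement is for the router to generate its own key and for only `client_public_key` to reach the server, so that a compromise of the server cannot also impersonate the peer. `Endpoint = {{ server_public_ip }}:53` is filled from `ansible_default_ipv4.address` in the role vars, which is the address of the default-route interface and may be a private one if the host sits behind NAT, so it is worth confirming this is the externally reachable address. Listening on UDP 53 also collides with any resolver bound on that host.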


@ -0,0 +1,14 @@
[Interface]
Address = {{ server_ip }}
PrivateKey = {{ server_private_key }}
ListenPort = 53
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = {{ client_public_key }}
AllowedIPs = {{ client_cidr }}
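Review bot: `AllowedIPs = {{ client_cidr }}` renders as `10.23.4.2/24` (the role vars below), so the server accepts and routes the whole `10.23.4.0/24` via this one peer rather than just its address; a `[Peer]` AllowedIPs should be the peer's single address, `AllowedIPs = 10.23.4.2/32`, with the /24 moved to the server's own `Address = 10.23.4.1/24` so the subnet route still exists. With a single peer this is harmless today, but it widens the source-address filter and will misroute as soon as a second peer is added. The `ip6tables` PostUp/PostDown lines add forwarding and NAT for a tunnel that carries no IPv6 address (`client_cidr` is IPv4-only), so they are inert until an IPv6 range is assigned and could be dropped until then.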


@ -0,0 +1,5 @@
- name: restart wireguard
service:
name: wg-quick@glinet
state: restarted
become: true


@ -0,0 +1,34 @@
- name: Include vault
include_vars: vault.yml
- name: Install wireguard tools
package:
name: "{{ item }}"
become: true
loop:
- wireguard-tools
- qrencode
- name: Wireguard server config
template:
src: files/server.conf
dest: /etc/wireguard/glinet.conf
mode: "0600"
backup: true
become: true
notify: restart wireguard
- name: Wireguard client config
template:
src: files/client.conf
dest: "{{ me.home }}/glinet-vpn.conf"
mode: "0600"
owner: "{{ me.user }}"
become: true
notify: restart wireguard
- name: Enable wireguard
service:
name: wg-quick@glinet
enabled: true
become: true
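Review bot: The "Wireguard client config" task notifies `restart wireguard`, but the file it writes (`{{ me.home }}/glinet-vpn.conf`) is never read by the server's `wg-quick@glinet` unit, so re-rendering the client config needlessly bounces the tunnel; the `notify:` on that task can be dropped. The server config task uses `backup: true`, which leaves dated copies of a file containing the private key under /etc/wireguard; the copies are expected to keep the 0600 mode, but rotated keys then linger until cleaned up, so consider omitting `backup:` for that file. "Enable wireguard" sets only `enabled: true`, so the interface first comes up through the restart handler; that works, but a comment saying so would stop it being read as a missing `state: started`.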


@ -0,0 +1,8 @@
client_public_key: "{{ vault_client_public_key }}"
client_private_key: "{{ vault_client_private_key }}"
client_cidr: 10.23.4.2/24
server_public_key: "{{ vault_server_public_key }}"
server_private_key: "{{ vault_server_private_key }}"
server_public_ip: "{{ ansible_default_ipv4.address }}"
server_ip: 10.23.4.1

ansible/roles/glinet_vpn/vars/vault.yml generated Normal file

@ -0,0 +1,19 @@
$ANSIBLE_VAULT;1.1;AES256
35366163656631633636333937333238346539653236323463316333356637623263326436623130
3333616234643935306337386165623734333265663237610a326538636532643835373137316333
30363133343035353235616639613637353435303863393130396261623063633836383430326530
3634313639353264310a393266313230646132656561393737363834646566313765633235343139
36303834353039303134393061386634373735316135656564386464363863376265633239313037
62616535313239353233376163343437303933346264323266386533336138656135663664356164
65643262303436343164613133333361393438616234616566336131636461383538326130623264
62313134386430636665646539306661383039323339373838346164653836326536386332616634
34313331623166356137363131356130623863313339663938386138643538323666616239656662
36313534323237306631663931633830346565616139313864333762356330643131343630653535
62323939376163363436336633386433323435316535623462353138386430333332653966383262
33636534346466326631333362343638616332633163623533613364326665376565643739666261
34646533613133313034366636623134613336623134356562393335313337336336623634336633
66623365353866396564386536386330353537383866616665373762306530356333643265326537
38353138626331623433643636623130613766616638343034633536306232316133303133356463
36616665643264396137336234316466306238303461363531653461623834376361653334326235
31366530636565383062313562663639393534373737363465656538393266363936333136636161
3239303565613865633433313237393932306632633633373261


@ -0,0 +1,13 @@
{
"tagOwners": {
"tag:client": []
},
"acls": [
{
"action": "accept",
"src": ["tag:client"],
"dst": ["*:*"]
}
]
}
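Review bot: The policy encodes the model from the commit message (only nodes carrying `tag:client` may initiate, `tagOwners` is empty so the tag can only be assigned server-side, everything else is default-deny), but none of that intent is recorded in the file. The headscale config comment says the path is read as HuJSON, which permits comments, so a short header such as `// tag:client is assigned server-side only (empty tagOwners); tagged devices may reach everything, untagged/server nodes initiate nothing` would keep the reasoning next to the rule. Also worth confirming as intended: `"dst": ["*:*"]` lets tagged clients reach each other on every port, not only the servers.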


@ -188,7 +188,7 @@ log:
# Path to a file containg ACL policies.
# ACLs can be defined as YAML or HUJSON.
# https://tailscale.com/kb/1018/acls/
acl_policy_path: ""
acl_policy_path: /etc/headscale/acls.json
## DNS
#


@ -11,7 +11,16 @@
src: files/headscale.yml
dest: /etc/headscale/config.yaml
owner: headscale
mode: "0644"
mode: "0600"
notify: restart headscale
become: true
- name: Install ACLs
template:
src: files/acls.json
dest: /etc/headscale/acls.json
owner: headscale
mode: "0600"
notify: restart headscale
become: true


@ -2,8 +2,6 @@ modules:
http:
prober: http
timeout: 10s
http:
preferred_ip_protocol: ip4 # Docker network is v4 only
https_redir:
prober: http
@ -16,7 +14,6 @@ modules:
fail_if_header_not_matches:
- header: Location
regexp: ^https
preferred_ip_protocol: ip4 # Docker network is v4 only
icmp:
prober: icmp


@ -1,12 +1,5 @@
version: "2.3"
x-blackbox: &blackbox
image: prom/blackbox-exporter:latest
restart: unless-stopped
user: "{{ docker_user.id }}"
volumes:
- ./blackbox.yml:/etc/blackbox_exporter/config.yml:ro
services:
prometheus:
image: prom/prometheus:latest
@ -23,14 +16,11 @@ services:
- "{{ pve_hosts.forrest.ip }}:9090:9090"
blackbox:
<<: *blackbox
blackbox-external:
<<: *blackbox
# Don't use my internal DNS servers
dns:
- 9.9.9.9
- 149.112.112.112
image: prom/blackbox-exporter:latest
restart: unless-stopped
user: "{{ docker_user.id }}"
volumes:
- ./blackbox.yml:/etc/blackbox_exporter/config.yml:ro
alertmanager:
image: prom/alertmanager:latest
@ -56,3 +46,5 @@ services:
networks:
grafana:
external: true
default:
enable_ipv6: true
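Review bot: `enable_ipv6: true` on the `default` network comes with no `ipam` subnet, so on Docker Engine versions that do not auto-allocate an IPv6 ULA subnet, network creation depends on the daemon having an IPv6 range in `default-address-pools`; without one the next `up` fails to create the network. If the daemon is not configured that way, the compose file should carry an explicit `ipam` block with an IPv6 subnet, or a comment should record that the daemon-side pool is a prerequisite. The same addition is made in the uptime-kuma compose file below.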


@ -41,48 +41,6 @@ scrape_configs:
static_configs:
- targets: ["{{ pve_hosts.homeassistant.ip }}:8123"]
- job_name: blackbox_http_external
scrape_interval: 1m
metrics_path: /probe
params:
module: [http]
static_configs:
- targets:
- https://0rng.one
- https://auth.jakehoward.tech/-/health/ready/
- https://bin.theorangeone.net
- https://git.theorangeone.net/api/healthz
- https://grafana.jakehoward.tech/api/health
- https://headscale.jakehoward.tech/health
- https://homeassistant.jakehoward.tech
- https://intersect.jakehoward.tech
- https://mastodon.theorangeone.net/health
- https://matrix.jakehoward.tech:8448/_matrix/federation/v1/version
- https://matrix.jakehoward.tech/_matrix/federation/v1/version
- https://media.jakehoward.tech
- https://minio.jakehoward.tech/minio/health/live
- https://notes.theorangeone.net
- https://ntfy.jakehoward.tech/v1/health
- https://plausible.theorangeone.net
- https://recipes.jakehoward.tech
- https://s3.jakehoward.tech/minio/health/live
- https://tasks.jakehoward.tech/health
- https://theorangeone.net
- https://tt-rss.jakehoward.tech
- https://vaultwarden.jakehoward.tech/alive
- https://whoami-cdn.theorangeone.net
- https://whoami.theorangeone.net
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- target_label: __address__
replacement: blackbox-external:9115
- source_labels: [instance]
regex: https?://([^/]+)/?.*
target_label: hostname
- job_name: blackbox_icmp
scrape_interval: 10m
metrics_path: /probe
@ -115,7 +73,7 @@ scrape_configs:
- source_labels: [__param_target]
target_label: instance
- target_label: __address__
replacement: blackbox-external:9115
replacement: blackbox:9115
- job_name: blackbox_healthcheck
scrape_interval: 10m
@ -167,3 +125,19 @@ scrape_configs:
- source_labels: [__name__]
regex: go_.+
action: drop
- job_name: uptime_kuma
basic_auth:
username: ""
password: "{{ vault_uptime_kuma_token }}"
metrics_path: /metrics
static_configs:
- targets:
- uptime.jakehoward.tech
metric_relabel_configs:
- source_labels: [__name__]
regex: nodejs_.+
action: drop
- source_labels: [__name__]
regex: process_.+
action: drop
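Review bot: The `uptime_kuma` job sends `vault_uptime_kuma_token` as basic-auth credentials but sets no `scheme`, so Prometheus defaults to `http://uptime.jakehoward.tech/metrics` and the API key goes out in cleartext to a public hostname on the first request (a redirect to HTTPS does not retract it). Add `scheme: https` under the job, or scrape the local listener directly with `- "{{ pve_hosts.forrest.ip }}:3001"`, where the compose file binds the port; the latter also keeps monitoring working when Traefik or external DNS is down.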


@ -28,7 +28,7 @@
- add
- "{{ vps_hosts.private_ipv6_range }}"
- via
- "{{ pve_hosts.ingress.link_local }}"
- "{{ pve_hosts.ingress.ipv6 }}"
- dev
- eth0
become: true

ansible/roles/prometheus/vars/vault.yml generated Normal file

@ -0,0 +1,55 @@
$ANSIBLE_VAULT;1.1;AES256
33643431356363646630383866316263343363653765613339633264643432646531623637643938
6536623536306263633239616234646636383635623532620a613333623433333566353135393233
62343564363234626563353031656430633335376464303633376336636132383936343265303665
3234636332313763340a326632303834633338333866313831616533393061336137613036393235
62343864316530646639363161626463643435353864373332323330623337666234386463626266
66353137303466353234373332666638303862393135666664616565666534633133376166646234
38643631366131396231343964656262636466653731333839643739313237383765646437353862
62323032313738636266616366333034363037343232373063363934306339663165346366396165
61303436393231393533653535383534386432383736613034313333336236643938393661323435
37326536643366323862633962316366316233643962303961613038316330643662636262316238
34666463353662663231373061643438386664373863666463653332326238616264393736326336
33646166356437653833343234653032636239386339383638333339346264646634613234663832
38636631386336633465623966653630353734316566626666376566376436373936636338373131
65646562356238396161323266316331623531353061346666633531663362646238653662393765
38636136386534366434333431626430303962366637316562383439653666306630656137633664
61326635643336623139306331323538366536613266613834326435656336623630326266643935
36356538343765616235353932613932333934623465633238353733633332353736326137653063
35666330653239306230323063383234373335366466626234336536366466626266376466346239
34623133643962656236666563663161623361383032336138626334653961353030666237396331
33613631346433376462356333623333643537656433643331353938303263656563633234376366
65653237366333323737323438613335333537343139653632323032313964313030663136313734
35353237316133306664636138376664343638356530336137323665626665336136343235373234
64353161393735356562396533396462356162333937616339336466616232666565613037626235
32313232646237663837353934323365333961306266663033353861346662383235386339313465
65623138376264343462636130303231626663313565343961616438356236373833363038626463
61333532313938636237613839643230646337323035336231383032323235633731343066663133
63653036383736623733653438333039393565643334396265616134353163646161396564633561
35663832373466316439646238356566333733343237343564326437356335316161633739343930
66666563623038386632363036646230333233303439616165303162636364386662633039316237
35633437643231336533626461656564303663633461643236626134643430656464346237356363
32346531386439613830343532636164396432626264623134666637653665343866643139326339
30346165663666313436393466353463303139393465373433663336313366643435363163316539
30353836383432343164633563643131396438353838313138623531643533306138323765613335
39373533393166643236376462613439653466383966376161316538636635383035333663643333
61393036356330653663376635643539366139313132383665383932656131346364666532383433
61626665396531316665396663653763333164623631376636386234633636373636323233336263
38333965346563363030396330303063313563643665353064356462666339396330396333363335
61633131383562303137386265313330336137353730626563653666316531363661613865326566
64613333633966333064383762306634323335353638646130366534386636363332373266393839
66636532303563393563633762366665616631656639643763366331336237663532303631313836
30373966616334633562353030373462373131666439666662393536323066643264616565306537
36396439363636613636386662623337643631646461653965663239313363636362333931656364
36653663663534623638356636653534393239336663353530346662396634383430333133313739
36333265653866306464646361323163363134643732303337333137653434643432643034366661
38656631366132613863626363613334656462363834323162383634616532633861663232326362
61373765306231626137363934643761316338363431626666363437373061366439306361396366
62383239316330636534303063333937336136346161633061656439353932373930633766383463
38353538353737613434316563386533373663613434653761356238633438383532316639343431
32353161633036333730386164393166633762386637653736616262383064333864363136353534
66643362313539333030663331313165353936663861616336306636633035323230653039313363
37393137636431313164346561353334613331663361383835643732663139373162363636316365
64376366643537643531333462346166653432313331316366396530633035616337396461393863
62343465316235663366616637393734343638626230623932663666323961643633383462646334
3034366430643531366664326330323639306631656462646238


@ -19,7 +19,7 @@ $CONFIG = array (
0 => 'intersect.jakehoward.tech',
),
'dbtype' => 'mysql',
'version' => '28.0.2.5',
'version' => '28.0.4.1',
'overwrite.cli.url' => 'https://intersect.jakehoward.tech',
'dbname' => 'nextcloud',
'dbhost' => 'mariadb',


@ -2,7 +2,7 @@ version: "2.3"
services:
nextcloud:
image: lscr.io/linuxserver/nextcloud:28.0.2
image: lscr.io/linuxserver/nextcloud:28.0.4
environment:
- PUID={{ docker_user.id }}
- PGID={{ docker_user.id }}


@ -3,7 +3,7 @@ version: "2.3"
services:
synapse:
image: matrixdotorg/synapse:v1.101.0
image: matrixdotorg/synapse:v1.104.0
restart: unless-stopped
environment:
- SYNAPSE_CONFIG_PATH=/etc/homeserver.yaml


@ -7,7 +7,7 @@ x-app: &app
- TTRSS_DB_USER=tt-rss
- TTRSS_DB_NAME=tt-rss
- TTRSS_DB_PASS=tt-rss
- TTRSS_SELF_URL_PATH=https://tt-rss.jakehoward.tech/tt-rss/
- TTRSS_SELF_URL_PATH=https://tt-rss.jakehoward.tech
- TTRSS_ENABLE_REGISTRATION=false
- TTRSS_CHECK_FOR_UPDATES=false
- TTRSS_ENABLE_GZIP_OUTPUT=true
@ -16,6 +16,8 @@ x-app: &app
- OWNER_GID={{ docker_user.id }}
- PHP_WORKER_MAX_CHILDREN=50
- PHP_WORKER_MEMORY_LIMIT=512M
- APP_WEB_ROOT=/var/www/html/tt-rss
- APP_BASE=
volumes:
- ./tt-rss:/var/www/html
- "{{ app_data_dir }}/tt-rss/feed-icons:/var/www/html/tt-rss/feed-icons"


@ -2,7 +2,7 @@ version: "2.3"
services:
wallabag:
image: wallabag/wallabag:2.6.8
image: wallabag/wallabag:2.6.9
restart: unless-stopped
environment:
- SYMFONY__ENV__SECRET={{ wallabag_secret }}


@ -25,7 +25,7 @@ services:
- ./redis:/data
docker_proxy:
image: tecnativa/docker-socket-proxy:latest
image: lscr.io/linuxserver/socket-proxy:latest
restart: unless-stopped
environment:
- POST=1


@ -2,7 +2,7 @@ version: "2.3"
services:
tandoor:
image: vabene1111/recipes:1.5.13
image: vabene1111/recipes:latest
environment:
- TIMEZONE={{ timezone }}
- DEBUG=0
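Review bot: Changing `vabene1111/recipes:1.5.13` to `:latest` removes the only pin on this image, so each `docker_update_command` run pulls whatever the tag points at with no review and no repo-side way to roll back; nearly every other application image in this compare stays on an explicit tag that Renovate bumps. If the aim was to escape a stale pin, moving to the current release tag keeps Renovate in the loop; if `latest` is deliberate, a comment next to the `image:` line saying so would stop it being re-pinned later.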


@ -2,5 +2,6 @@ traefik_provider_jellyfin: false
traefik_provider_homeassistant: false
traefik_provider_grafana: false
traefik_provider_dokku: false
traefik_provider_uptime_kuma: false
with_fail2ban: false


@ -2,7 +2,7 @@ version: "2.3"
services:
traefik:
image: traefik:v2.10
image: traefik:v2.11
user: "{{ docker_user.id }}"
environment:
- CF_DNS_API_TOKEN={{ vault_cloudflare_api_token }}
@ -23,7 +23,7 @@ services:
- proxy_private
docker_proxy:
image: tecnativa/docker-socket-proxy:latest
image: lscr.io/linuxserver/socket-proxy:latest
restart: unless-stopped
environment:
- CONTAINERS=1


@ -6,5 +6,5 @@ maxretry = 5
filter = traefik
logpath = /tmp/traefik-logs/access.log
port = http,https
ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
action = gateway


@ -15,6 +15,7 @@ http:
- "{{ tailscale_cidr }}"
- "{{ tailscale_cidr_ipv6 }}"
- "{{ pve_hosts.forrest.ip }}"
- "{{ pve_hosts.forrest.ipv6 }}"
private-access:
ipWhiteList:
@ -23,3 +24,4 @@ http:
- "{{ tailscale_cidr_ipv6 }}"
- "{{ nebula.cidr }}"
- "{{ pve_hosts.internal_cidr }}"
- "{{ pve_hosts.internal_cidr_ipv6 }}"


@ -0,0 +1,10 @@
http:
routers:
router-uptime-kuma:
rule: Host(`uptime.jakehoward.tech`)
service: service-uptime-kuma
services:
service-uptime-kuma:
loadBalancer:
servers:
- url: http://{{ pve_hosts.forrest.ip }}:3001
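Review bot: `router-uptime-kuma` has no `middlewares` entry, so the whole Uptime Kuma application, including its login and admin UI, is published on `uptime.jakehoward.tech`, not only the status pages. If public status pages are the intent that is fine, but a one-line comment in the file would record it; if not, attaching the `private-access` ipWhiteList middleware from the dynamic config above appears to be how other internal apps are gated. Either way the login endpoint is now an internet-facing credential surface, so the traefik fail2ban jail should be confirmed to cover it.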


@ -101,6 +101,16 @@
when: traefik_provider_dokku
become: true
- name: Install dokku provider
template:
src: files/file-provider-uptime-kuma.yml
dest: /opt/traefik/traefik/conf/uptime-kuma.yml
mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}"
notify: restart traefik
when: traefik_provider_uptime_kuma
become: true
- name: logrotate config
template:
src: files/logrotate.conf
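Review bot: The new task is named `Install dokku provider`, copied from the task above it, although it installs the uptime-kuma file provider; rename it `- name: Install uptime-kuma provider` so play output and `--list-tasks` are not misleading. The task body itself (source file, mask, owner, notify and `when: traefik_provider_uptime_kuma`) matches the existing provider tasks.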


@ -0,0 +1,21 @@
version: "2.3"
services:
uptime-kuma:
image: louislam/uptime-kuma:1.23.13-alpine
environment:
- TZ={{ timezone }}
- PUID={{ docker_user.id }}
- PGID={{ docker_user.id }}
dns:
- 9.9.9.9
- 149.112.112.112
ports:
- "{{ pve_hosts.forrest.ip }}:3001:3001"
volumes:
- "{{ app_data_dir }}/uptime-kuma:/app/data"
restart: unless-stopped
networks:
default:
enable_ipv6: true
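Review bot: The `uptime-kuma` service sets `PUID`/`PGID` but no `user:`; `louislam/uptime-kuma` is not a linuxserver image and, as far as I can tell, does not read those variables, so the container runs as the image default rather than as `{{ docker_user.id }}`, unlike the prometheus compose file in this compare which sets `user: "{{ docker_user.id }}"`. Either add `user: "{{ docker_user.id }}"` (the data volume under `{{ app_data_dir }}/uptime-kuma` then needs matching ownership) or drop the two env lines so the file does not suggest a privilege drop that is not happening.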


@ -0,0 +1,4 @@
- name: restart uptime-kuma
shell:
chdir: /opt/uptime-kuma
cmd: "{{ docker_update_command }}"


@ -0,0 +1,17 @@
- name: Create install directory
file:
path: /opt/uptime-kuma
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install compose file
template:
src: files/docker-compose.yml
dest: /opt/uptime-kuma/docker-compose.yml
mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
notify: restart uptime-kuma
become: true


@ -2,17 +2,17 @@
# Manual edits may be lost in future updates.
provider "registry.terraform.io/backblaze/b2" {
version = "0.8.7"
constraints = "0.8.7"
version = "0.8.9"
constraints = "0.8.9"
hashes = [
"h1:00oWKpRLaWlwNwebBlsy4ZDN9dsYPZv6G3VoYxz5SSE=",
"h1:GLJrlMQ3CxORGarOlpbdKNjfdVxwWF7D1Sa5Svtsi2Q=",
"h1:R+Ota2rVe+KaYwJIrlVGgRxtTGgkqXgsMRApg6r/+5M=",
"h1:hSsgVZdn6G7G8Zp03Ij9lLQYEQ0aWGy3j3loEsjkJMQ=",
"zh:832081241cdf62ea27af5e9999c7c94bbec1816dc552c53da1caa8a2ff7b987f",
"zh:c130917d8da3e85392fb3c8c7b2be3b2fd1d1eb5023993d33e3d0838e8375d05",
"zh:f9f7dbf09d818c5a05570d73facaf0bb840c541de07439b0891381df4c75875a",
"zh:fc142bb2370c541ae14ea4f8f8c5437efa07911a8c36be60820cba6671fa6c81",
"h1:2I1FrwnkverfdRHyoCMHeoLJcWIdoLw0uSyvFJDj+40=",
"h1:Gp0no9DUhxEAPPED0/AG8wSaaT6023dtA1Q8oIPmgz0=",
"h1:N5oxkisGmkDIdAmncwcmcN5KilDdOG1kJu2+k0ARj80=",
"h1:PSLTea0VOv61sttOED7lEvonSQuIik2CFDXyljVpeHU=",
"zh:3534b7737d5d555187faec4db6abeb202a90559f2f68e569e48b0acbbdaabe9d",
"zh:372e97f55308babb98e175e3464d7088c8182d649e899e3067bb042e655a62c8",
"zh:59935a938882daccf93a76ddfdd24113aac7349e0ae555028f340acb211cbaff",
"zh:da2d510b081ed9683acd201318f096ea6848843f325eaf8db555702244149532",
]
}
@ -52,22 +52,33 @@ provider "registry.terraform.io/cloudflare/cloudflare" {
}
provider "registry.terraform.io/go-gandi/gandi" {
version = "2.2.3"
constraints = "2.2.3"
version = "2.3.0"
constraints = "2.3.0"
hashes = [
"h1:2SFGp4KWheP2bjuD0sIzbcuM91uSFiMVr2qYBRUJ7HU=",
"zh:1059865208c4ce9a827d0e1fa09a74297476d064d5aebd598633b10036cdff5d",
"zh:1e912145a1819fc7516353369332a41558a3c6e9edac8bdcc09aa8c2735d29e3",
"zh:2977e335cb1df04baa200933679048a7b4151f48cbd551917abe45dc3b62f85d",
"zh:4211fa55947c3b7841931a2f944fe02fa50d2dca5fe850113d7dc5713574c0de",
"zh:509f2262f4d682504eb412eeb58968c23208ddab8ebd0b0371a9eb1332b57f33",
"zh:784ee8dd57193dfcb38fe06fedc2931b02a887ce887744ce92b856f121d6fb50",
"zh:81a9bcbae602d32d71fa8ff3b2140c3d86692736a4c3379ebcfa06c858fae549",
"zh:9e296c6b33a4b3042c030a44368a45c95a531b7c6c369db30a7fd2e9503bb4d8",
"zh:a030027413d3dc7695691917f328fecb9b15d6b9e0d72b35439534cc22abb782",
"zh:a5019df0ce14c20483f397eef4e91d9f60ad78644acb3134130c4ebbc26059b5",
"zh:d03f6bd478f2b57091f2e82dde17a4adfe0b423eaaa0f99c59838fc64dd965ab",
"zh:e1b23742e9d98391fb84a4fad4e577ca2827bb25c40e310f3faaa3dcbde3a508",
"h1:+QRivNRiQfXbOzSJwIKOmpqRLjfSbgGTVIot5HHaxzU=",
"h1:9kqWL+eFk/ogrQSltL9zVqjMcOqbvs3EgIJEeyNPb8U=",
"h1:Fv/rdRU74oVDL6Tmu63qNl3fUrlOfMVPUFeLaPfWAGY=",
"h1:GC+kfSRx3FdF0dhh0LZrWXV+hLSFQd3cQ3mjQ3lBloU=",
"h1:M6MNub0wFKc/2MKOns9uWsgkFEjqNx1oucz+wGemBRM=",
"h1:Os/cyXb2LCyYLvaQ7inZPBdgjR7Ie5AsyIIHvYaMZB4=",
"h1:PH6KI61eli5OL/aN3Oi7NV9qkNbjGLoOYjJK3gvULj4=",
"h1:ZYWkA1hdIjQySftM5bWAQjiH50V5qMl9nJroYzCoqb0=",
"h1:aRZN5KmJwfLJ+sSYo4xd6MHS2oNk3Zlk417md3e9ry0=",
"h1:iTw/xbYXtScXLdhbjzF15Bf9wWu/r41ZertHYl9vDec=",
"h1:q/JXh50l2WZKxRpVTXzWp7nToqaU4TXD883k6Xi+8Jk=",
"h1:sSjatD9sHwGI8jJYF7Ps7BTBbmmCmLAdlUPDs3i/vQA=",
"zh:0936d011cf75bb5162c6027d00575a586807adc9008f4152def157b6ad22bae9",
"zh:2170e671f04d3346ea416fcc404be6d05f637eab7df77e289a6898a928885f0b",
"zh:250329baae3cb09cfb88dd004d45f003ba76fbe7b8daf9d18fd640b93a2b7252",
"zh:2ccd9f253424738ca5fbbcb2127bf3713c20e87bfb3829f8c4565569424fd0bd",
"zh:3607b48bc4691cd209528f9ffe16a6cc666bd284b0d0bdfe8c4e1d538559a408",
"zh:3bc1d2b770fe0f50027da59c405b2468d1322243235367014f75f765124f458d",
"zh:6c8a9092847ee2e2890825432b54424c456638d494e49b7d1845f055214714f5",
"zh:8e0b62a330876005d52bcd65d7b1d9a679a7ac79c626e0f86661519e8f9b5698",
"zh:8f44f4d52583ff249e2001ea2a8b8841010489dd43e1a01a9ec3a6813d121c28",
"zh:9a617927d4a3a2897ff10999a19a6d1f0ef634b8c6b8fc3be12cf53948cfd9cf",
"zh:cab3c82c54e38e6001eed5b80a2d16b7824921f8f8b3909049e174c48e6e8804",
"zh:f78cc685aa4ba5056ea53a7f8ce585f87a911f0a8a387a44a33d7dfb69db7663",
]
}
@ -126,6 +137,28 @@ provider "registry.terraform.io/hashicorp/local" {
]
}
provider "registry.terraform.io/hetznercloud/hcloud" {
version = "1.46.1"
constraints = "1.46.1"
hashes = [
"h1:cDJWhw9W+qj4ner9QX/+FBB6YvK9pnTVOugSAM+ejcM=",
"zh:0d8fb959c331b7cd9a13800198d65f61c604221b2fb05e0681c9cd432a6e2242",
"zh:31ab652fb504bff3fdee0de8e06cb4c7d08805f4d3e8430dac6a4ee8a52b949f",
"zh:493770ce314fc4f7b9536da077b217aa5af77b1d8c969639a257fda3dbd3e38b",
"zh:4c25ee2977d359db15c044a8bfeb00f64ca94a6bdea00774307768a9bad97996",
"zh:605c8e776cb69b1928c516ab1a9be9ea793c9405f038f224de5586db4983e621",
"zh:8c9b966a881f177199738253003dc1ee4944034598be4dfbb5465f6d28349c66",
"zh:8e6ec6e0f0572222f5a2d5748948c229a426408418c6500707711b1ae82fff1c",
"zh:a63e3ac7f84f0ad0c27399fb2ae4469570d9b216bbc06a89edeca6ff569f0ea0",
"zh:b03e6050ce2054665d824a02fcbe450cdfad29c082cf1d8adb29f8c138023457",
"zh:b40e03710694792cff0eb5ca3f7dc80ff0befd2957b0af3b248d36a4ac77293e",
"zh:bbd264b083a3f5e80a90c02ea3ec377231d030f4d9035bb0f1627f3b09504b00",
"zh:de2b119e4c39b3454199c34f4ce0fd60af11bd9012c46e2c907db53fd5969278",
"zh:e845750317897e45ab68e71326a43a7f143e0b5312aa9eba4fec907a3800a7f2",
"zh:eebc0085e7fa25d4eaf4e47be00dd7f64259f725ed86581d0acef8b8fde31b49",
]
}
provider "registry.terraform.io/linode/linode" {
version = "1.30.0"
constraints = "1.30.0"


@ -101,15 +101,6 @@ resource "linode_firewall" "casey" {
ipv4 = ["0.0.0.0/0"]
ipv6 = ["::/0"]
}
inbound {
label = "allow-inbound-tailscale"
action = "ACCEPT"
protocol = "UDP"
ports = "41641"
ipv4 = ["0.0.0.0/0"]
ipv6 = ["::/0"]
}
}
resource "linode_rdns" "casey_reverse_ipv4" {


@ -261,6 +261,14 @@ resource "cloudflare_record" "jakehowardtech_slides" {
ttl = 1
}
resource "cloudflare_record" "jakehowardtech_uptime" {
zone_id = cloudflare_zone.jakehowardtech.id
name = "uptime"
value = cloudflare_record.sys_domain_pve.hostname
type = "CNAME"
ttl = 1
}
resource "cloudflare_record" "jakehowardtech_caa" {
zone_id = cloudflare_zone.jakehowardtech.id
name = "@"


@ -18,11 +18,15 @@ terraform {
}
gandi = {
source = "go-gandi/gandi"
version = "2.2.3"
version = "2.3.0"
}
b2 = {
source = "Backblaze/b2"
version = "0.8.7"
version = "0.8.9"
}
hetzner = {
source = "hetznercloud/hcloud"
version = "1.46.1"
}
}
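Review bot: The new `required_providers` entry uses the local name `hetzner` for source `hetznercloud/hcloud`, whose provider type name is `hcloud`; Terraform resolves a resource's provider from the type prefix via the local name, so, if I read the rules correctly, `hcloud_*` resources and a `provider "hcloud"` block would need an explicit `provider = hetzner` reference rather than resolving implicitly. Using the conventional local name, `hcloud = {`, avoids that, and the `gandi` and `b2` entries beside it already follow the type name.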
}


@ -25,3 +25,7 @@ variable "backblaze_application_key" {
variable "backblaze_application_key_id" {
sensitive = true
}
variable "hetzner_token" {
sensitive = true
}