4ac7f4e49a Update dependency geerlingguy.certbot to v5.2.0
2024-07-31 08:00:20 +01:00
140 changed files with 875 additions and 409 deletions


@ -5,6 +5,7 @@ ignore: |
ansible/galaxy_collections ansible/galaxy_collections
ansible/group_vars/all/vps-hosts.yml ansible/group_vars/all/vps-hosts.yml
ansible/roles/traefik/files/traefik.yml ansible/roles/traefik/files/traefik.yml
ansible/roles/nebula/files/nebula.yml
env env
rules: rules:


@ -26,3 +26,5 @@ Terraform secrets are stored in `terraform/.env`, and provisioned using `just up
## External configuration ## External configuration
This repository contains most of my infrastructure configuration, but not everything is configured here. Some things are external, for various reasons. This repository contains most of my infrastructure configuration, but not everything is configured here. Some things are external, for various reasons.
- [AdGuardHome](https://git.theorangeone.net/systems/adguardhome)


@ -12,4 +12,5 @@ exclude_paths:
- galaxy_roles/ - galaxy_roles/
- galaxy_collections/ - galaxy_collections/
- ~/.ansible - ~/.ansible
- roles/nebula/files/nebula.yml
- roles/traefik/files/traefik.yml - roles/traefik/files/traefik.yml


@ -5,11 +5,8 @@ retry_files_enabled = False
roles_path = $PWD/galaxy_roles:$PWD/roles roles_path = $PWD/galaxy_roles:$PWD/roles
collections_path = $PWD/galaxy_collections collections_path = $PWD/galaxy_collections
inventory = ./hosts inventory = ./hosts
interpreter_python = auto_silent
[privilege_escalation]
become = True
become_ask_pass = True become_ask_pass = True
interpreter_python = auto_silent
[ssh_connection] [ssh_connection]
pipelining = True pipelining = True
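Review bot: On the new side `become_ask_pass = True` survives but the `[privilege_escalation]` header above it does not, so the key now sits under `[defaults]`, where Ansible does not look for it; this is inferred from the -11/+8 line counts and the single-copy lines, so please confirm against the file. With the playbook moving to per-task `become: true` in this same commit, runs would no longer prompt for a sudo password unless `-K` is passed, and escalating tasks would fail on hosts that require one. Keep the header with the key: `[privilege_escalation]` followed by `become_ask_pass = True`.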


@ -7,8 +7,6 @@ server {
server_name {{ server_name }}; server_name {{ server_name }};
set $upstream {{ upstream }}; set $upstream {{ upstream }};
access_log /var/log/nginx/{{ server_name|split|first }}.log main;
ssl_certificate {{ ssl_cert_path }}/fullchain.pem; ssl_certificate {{ ssl_cert_path }}/fullchain.pem;
ssl_certificate_key {{ ssl_cert_path }}/privkey.pem; ssl_certificate_key {{ ssl_cert_path }}/privkey.pem;
ssl_trusted_certificate {{ ssl_cert_path }}/chain.pem; ssl_trusted_certificate {{ ssl_cert_path }}/chain.pem;


@ -17,6 +17,6 @@ roles:
- src: ironicbadger.snapraid - src: ironicbadger.snapraid
version: 1.0.0 version: 1.0.0
- src: geerlingguy.certbot - src: geerlingguy.certbot
version: 5.1.0 version: 5.2.0
- src: artis3n.tailscale - src: artis3n.tailscale
version: v4.5.0 version: v4.5.0


@ -0,0 +1,9 @@
nebula:
cidr: 10.23.2.0/24
clients:
casey:
ip: 10.23.2.1
walker:
ip: 10.23.2.4
ingress:
ip: 10.23.2.5


@ -1 +1,2 @@
private_ip: "{{ nebula.clients[hostname_slug].ip }}"
ssh_port: 7743 ssh_port: 7743
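Review bot: `private_ip: "{{ nebula.clients[hostname_slug].ip }}"` is an unguarded lookup, and the nebula vars added in this commit list only `casey`, `walker` and `ingress` as clients, so any other host that renders `private_ip` will fail with an undefined-attribute error. The sshd_config template in this same commit guards the identical lookup with `{% if hostname_slug in nebula.clients %}`; the group-wide default should either carry the same guard or a fallback that the consumers of `private_ip` accept. A one-line comment above it naming which hosts are expected to have a nebula address would make the assumption visible.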


@ -5,7 +5,3 @@ tailscale_cidr: 100.64.0.0/24 # It's really /10, but I don't use that many IPs
tailscale_cidr_ipv6: fd7a:115c:a1e0::/120 # It's really /48, but I don't use that many IPs tailscale_cidr_ipv6: fd7a:115c:a1e0::/120 # It's really /48, but I don't use that many IPs
tailscale_port: 41641 tailscale_port: 41641
tailscale_nodes:
casey:
ip: 100.64.0.6


@ -1,4 +1,6 @@
private_ip: "{{ ansible_tailscale0.ipv4.address }}" nebula_is_lighthouse: true
nebula_listen_port: "{{ nebula_lighthouse_port }}"
nginx_https_redirect: true nginx_https_redirect: true
certbot_certs: certbot_certs:
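Review bot: `nebula_listen_port: "{{ nebula_lighthouse_port }}"` on this host carries no explanation, while the identical line in the sibling host_vars hunk of this commit is introduced with `# Listen on a static port so it can be opened in the firewall`; copy that comment here so the two stay in step. `nebula_is_lighthouse: true` on the line above deserves the same, e.g. `# this host is the nebula lighthouse, so its listen port must stay fixed`.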


@ -1,2 +1,4 @@
private_ip: "{{ ansible_tailscale0.ipv4.address }}" # Listen on a static port so it can be opened in the firewall
nebula_listen_port: "{{ nebula_lighthouse_port }}"
nginx_https_redirect: true nginx_https_redirect: true


@ -1,5 +1,3 @@
private_ip: "{{ ansible_tailscale0.ipv4.address }}"
restic_backup_locations: restic_backup_locations:
- /opt - /opt
@ -8,6 +6,8 @@ nginx_https_redirect: true
certbot_certs: certbot_certs:
- domains: - domains:
- theorangeone.net - theorangeone.net
- domains:
- commento.theorangeone.net
- domains: - domains:
- plausible.theorangeone.net - plausible.theorangeone.net
- elbisualp.theorangeone.net - elbisualp.theorangeone.net


@ -9,10 +9,13 @@
- hosts: casey - hosts: casey
roles: roles:
- nginx - nginx
- geerlingguy.certbot - role: geerlingguy.certbot
become: true
- gateway - gateway
- nebula
- headscale - headscale
- restic - restic
- artis3n.tailscale
- glinet_vpn - glinet_vpn
- hosts: - hosts:
@ -23,6 +26,7 @@
- tang - tang
roles: roles:
- role: geerlingguy.ntp - role: geerlingguy.ntp
become: true
vars: vars:
ntp_timezone: "{{ timezone }}" ntp_timezone: "{{ timezone }}"
ntp_manage_config: true ntp_manage_config: true
@ -34,7 +38,8 @@
- renovate - renovate
- gitea-runner - gitea-runner
roles: roles:
- geerlingguy.docker - role: geerlingguy.docker
become: true
- docker_cleanup - docker_cleanup
- hosts: - hosts:
@ -49,23 +54,16 @@
roles: roles:
- traefik - traefik
- hosts:
- ingress
- walker
- casey
become: false # Forcefully run as current user
roles:
- artis3n.tailscale
- hosts: pve-docker - hosts: pve-docker
roles: roles:
- pve_docker - pve_docker
- yourls - yourls
- pve_nebula_route
- privatebin - privatebin
- vaultwarden - vaultwarden
- tandoor - tandoor
- mastodon - mastodon
- forgejo - gitea
- vikunja - vikunja
- authentik - authentik
- minio - minio
@ -75,18 +73,25 @@
roles: roles:
- nginx - nginx
- ingress - ingress
- nebula
- artis3n.tailscale
- hosts: pve - hosts: pve
roles: roles:
- ironicbadger.proxmox_nag_removal - role: ironicbadger.proxmox_nag_removal
become: true
- zfs - zfs
- ironicbadger.snapraid - pve_nebula_route
- prometheus.prometheus.node_exporter - role: ironicbadger.snapraid
become: true
- role: prometheus.prometheus.node_exporter
become: true
- hosts: forrest - hosts: forrest
roles: roles:
- prometheus - prometheus
- uptime_kuma - uptime_kuma
- pve_nebula_route
- pve_tailscale_route - pve_tailscale_route
- hosts: qbittorrent - hosts: qbittorrent
@ -98,11 +103,15 @@
- hosts: walker - hosts: walker
roles: roles:
- nginx - nginx
- geerlingguy.certbot - role: geerlingguy.certbot
become: true
- nebula
- coredns_docker_proxy - coredns_docker_proxy
- plausible - plausible
- restic - restic
- commento
- website - website
- artis3n.tailscale
- slides - slides
- comentario - comentario
@ -117,7 +126,7 @@
- hosts: gitea-runner - hosts: gitea-runner
roles: roles:
- forgejo_runner - gitea_runner
- hosts: renovate - hosts: renovate
roles: roles:
@ -126,5 +135,6 @@
- hosts: tang - hosts: tang
roles: roles:
- adguardhome - adguardhome
- prometheus.prometheus.node_exporter - role: prometheus.prometheus.node_exporter
become: true
- restic - restic
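Review bot: `artis3n.tailscale` is listed as a bare role in the casey, ingress and walker plays (next to `- nebula`), while every other galaxy role in the same plays (`geerlingguy.certbot`, `geerlingguy.docker`, `ironicbadger.snapraid`, `prometheus.prometheus.node_exporter`) is written as `- role: …` with `become: true`. If that role needs root for package installation it will fail under the per-task escalation model this commit introduces; if it is deliberately run unprivileged, say so inline, e.g. `- role: artis3n.tailscale  # intentionally unprivileged; escalates internally`. The local roles (`nginx`, `gateway`, `nebula`, …) presumably carry `become` inside their own task files, and a comment at the top of the playbook stating that convention would save the next reader from checking each one.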


@ -3,9 +3,11 @@
name: coredns name: coredns
state: restarted state: restarted
enabled: true enabled: true
become: true
- name: restart systemd-resolved - name: restart systemd-resolved
service: service:
name: systemd-resolved name: systemd-resolved
state: restarted state: restarted
enabled: true enabled: true
become: true


@ -1,6 +1,7 @@
- name: Install adguardhome - name: Install adguardhome
kewlfft.aur.aur: kewlfft.aur.aur:
name: adguardhome-bin name: adguardhome-bin
become: true
- name: Disable resolved stub - name: Disable resolved stub
template: template:
@ -9,6 +10,7 @@
owner: root owner: root
mode: "0644" mode: "0644"
notify: restart systemd-resolved notify: restart systemd-resolved
become: true
- name: Use resolved resolv.conf - name: Use resolved resolv.conf
file: file:
@ -16,10 +18,12 @@
dest: /etc/resolv.conf dest: /etc/resolv.conf
state: link state: link
notify: restart systemd-resolved notify: restart systemd-resolved
become: true
- name: Install coredns - name: Install coredns
kewlfft.aur.aur: kewlfft.aur.aur:
name: coredns name: coredns
become: true
- name: Install coredns config file - name: Install coredns config file
template: template:
@ -28,3 +32,4 @@
owner: coredns owner: coredns
mode: "0644" mode: "0644"
notify: restart coredns notify: restart coredns
become: true


@ -19,7 +19,7 @@ x-env: &env
services: services:
server: server:
image: ghcr.io/goauthentik/server:2024.8 image: ghcr.io/goauthentik/server:2024.6
restart: unless-stopped restart: unless-stopped
command: server command: server
user: "{{ docker_user.id }}" user: "{{ docker_user.id }}"
@ -42,7 +42,7 @@ services:
- traefik - traefik
worker: worker:
image: ghcr.io/goauthentik/server:2024.8 image: ghcr.io/goauthentik/server:2024.6
restart: unless-stopped restart: unless-stopped
command: worker command: worker
user: "{{ docker_user.id }}" user: "{{ docker_user.id }}"


@ -7,6 +7,7 @@
state: directory state: directory
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}" mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install compose file - name: Install compose file
template: template:
@ -16,3 +17,4 @@
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config validate: docker-compose -f %s config
notify: restart authentik notify: restart authentik
become: true


@ -4,4 +4,4 @@ bantime = 600
findtime = 30 findtime = 30
maxretry = 5 maxretry = 5
port = {{ ssh_port }},ssh port = {{ ssh_port }},ssh
ignoreip = {{ wireguard.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ tailscale_cidr }} ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ tailscale_cidr }}


@ -2,7 +2,7 @@
# Change to a high/odd port if this server is exposed to the internet directly # Change to a high/odd port if this server is exposed to the internet directly
Port {{ ssh_port }} Port {{ ssh_port }}
AllowUsers {% if hostname_slug in pve_hosts %}{{ me.user }}@{{ pve_hosts.internal_cidr }}{% endif %} {{ me.user }}@{{ tailscale_cidr }} {{ ssh_extra_allowed_users }} AllowUsers {% if hostname_slug in pve_hosts %}{{ me.user }}@{{ pve_hosts.internal_cidr }}{% endif %} {% if hostname_slug in nebula.clients %}{{ me.user }}@{{ nebula.cidr }}{% endif %} {{ me.user }}@{{ tailscale_cidr }} {{ ssh_extra_allowed_users }}
# Bind to all interfaces (change to specific interface if needed) # Bind to all interfaces (change to specific interface if needed)
ListenAddress 0.0.0.0 ListenAddress 0.0.0.0


@ -1,21 +1,25 @@
- name: Install fail2ban - name: Install fail2ban
package: package:
name: fail2ban name: fail2ban
become: true
- name: Enable fail2ban - name: Enable fail2ban
service: service:
name: fail2ban name: fail2ban
enabled: true enabled: true
become: true
- name: fail2ban SSH jail - name: fail2ban SSH jail
template: template:
src: files/ssh-jail.conf src: files/ssh-jail.conf
dest: /etc/fail2ban/jail.d/ssh.conf dest: /etc/fail2ban/jail.d/ssh.conf
mode: "0600" mode: "0600"
become: true
register: fail2ban_jail register: fail2ban_jail
- name: Restart fail2ban - name: Restart fail2ban
service: service:
name: fail2ban name: fail2ban
state: restarted state: restarted
become: true
when: fail2ban_jail.changed when: fail2ban_jail.changed


@ -1,11 +1,13 @@
- name: Install logrotate - name: Install logrotate
package: package:
name: logrotate name: logrotate
become: true
- name: Enable logrotate timer - name: Enable logrotate timer
service: service:
name: logrotate.timer name: logrotate.timer
enabled: true enabled: true
become: true
when: ansible_os_family == 'Archlinux' when: ansible_os_family == 'Archlinux'
- name: logrotate fail2ban config - name: logrotate fail2ban config
@ -13,3 +15,4 @@
src: files/fail2ban-logrotate src: files/fail2ban-logrotate
dest: /etc/logrotate.d/fail2ban dest: /etc/logrotate.d/fail2ban
mode: "0600" mode: "0600"
become: true


@ -1,6 +1,7 @@
- name: Install Base Packages - name: Install Base Packages
package: package:
name: "{{ item }}" name: "{{ item }}"
become: true
loop: loop:
- htop - htop
- neofetch - neofetch


@ -1,11 +1,13 @@
- name: Install OpenSSH for Debian - name: Install OpenSSH for Debian
package: package:
name: openssh-server name: openssh-server
become: true
when: ansible_os_family == 'Debian' when: ansible_os_family == 'Debian'
- name: Install OpenSSH for Arch - name: Install OpenSSH for Arch
package: package:
name: openssh name: openssh
become: true
when: ansible_os_family == 'Archlinux' when: ansible_os_family == 'Archlinux'
- name: Define context - name: Define context
@ -20,6 +22,7 @@
validate: /usr/sbin/sshd -t -f %s validate: /usr/sbin/sshd -t -f %s
backup: true backup: true
mode: "644" mode: "644"
become: true
register: sshd_config register: sshd_config
- name: Set up authorized keys - name: Set up authorized keys
@ -35,9 +38,11 @@
service: service:
name: sshd name: sshd
enabled: true enabled: true
become: true
- name: Restart SSH Daemon - name: Restart SSH Daemon
service: service:
name: sshd name: sshd
state: reloaded state: reloaded
when: sshd_config.changed when: sshd_config.changed
become: true
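Review bot: `become: true` is placed after `when:` on the Restart SSH Daemon task (last line of the hunk) but before `when:` on the two install tasks at the top of the file; pick one ordering for the task keywords so the escalation flag is easy to spot in review. While the task is being touched, its name says restart but the module is given `state: reloaded`; `- name: Reload SSH Daemon` would match what it does.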


@ -5,9 +5,11 @@
comment: "{{ me.name }}" comment: "{{ me.name }}"
shell: /bin/bash shell: /bin/bash
system: true system: true
become: true
- name: Give user sudo access - name: Give user sudo access
user: user:
name: "{{ me.user }}" name: "{{ me.user }}"
groups: "{{ 'sudo' if ansible_os_family == 'Debian' else 'wheel' }}" groups: "{{ 'sudo' if ansible_os_family == 'Debian' else 'wheel' }}"
append: true append: true
become: true


@ -1,6 +1,6 @@
services: services:
comentario: comentario:
image: registry.gitlab.com/comentario/comentario:v3.10.0 image: registry.gitlab.com/comentario/comentario:v3.9.0
restart: unless-stopped restart: unless-stopped
user: "{{ docker_user.id }}:{{ docker_user.id }}" user: "{{ docker_user.id }}:{{ docker_user.id }}"
depends_on: depends_on:


@ -7,6 +7,7 @@
state: directory state: directory
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}" mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install compose file - name: Install compose file
template: template:
@ -16,6 +17,7 @@
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config validate: docker-compose -f %s config
notify: restart comentario notify: restart comentario
become: true
- name: Install secrets - name: Install secrets
copy: copy:
@ -24,6 +26,7 @@
mode: "600" mode: "600"
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
notify: restart comentario notify: restart comentario
become: true
- name: Install nginx config - name: Install nginx config
template: template:
@ -31,6 +34,7 @@
dest: /etc/nginx/http.d/comentario.conf dest: /etc/nginx/http.d/comentario.conf
mode: "0644" mode: "0644"
notify: reload nginx notify: reload nginx
become: true
vars: vars:
server_name: comentario.theorangeone.net server_name: comentario.theorangeone.net
upstream: comentario-comentario-1.docker:80 upstream: comentario-comentario-1.docker:80


@ -11,9 +11,6 @@ comentario_secrets:
gitlab: gitlab:
key: "{{ vault_comentario_gitlab_application_id }}" key: "{{ vault_comentario_gitlab_application_id }}"
secret: "{{ vault_comentario_gitlab_application_secret }}" secret: "{{ vault_comentario_gitlab_application_secret }}"
twitter:
key: "{{ vault_comentario_twitter_api_key }}"
secret: "{{ vault_comentario_twitter_api_secret }}"
smtpServer: smtpServer:
host: smtp.eu.mailgun.org host: smtp.eu.mailgun.org
port: 587 port: 587


@ -1,38 +1,30 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
36376264363334643335646564636336613234393261326366386234663464633966666133383933 33656462373736356363313738643335333930343461366666663532653264363963653732656366
3731363234333962306638323737336237343230653439650a343362336166626633666161313863 3034323730613334326462326332323763323665636165390a303639633036303831373966303037
33623130623239626532663063633436616665653135343266336330353538306265323739326262 37376233383138323265396531303739316330396230333464383963333035343735303866626334
3066643432643465350a643436366637623765663265316665386564663933663730383264396336 6562393435303264620a633139616164303337363863616138306531656365353964346638646165
39396139396238653065366663333533343336363631616332616362386639313766656136666532 35346539326339623364343662643038336238613535623964666562383662613661616564646433
63336131346563323733333139636233353465643766643562643632653062373737353364336536 30653432666538616565373832353434303565386333643735313866396436393732303466376237
64653162656233383136363339623933643834363931663830656364396637333632613838323461 64383236373364383338613530353830353334326331636436323766353565656664356138386532
38666362663831363363636363346164343032376366346530393864306332326339323836643062 62366266656461663330396562316439393038666534663564633037623237363532363637356336
66346265643039663636616464383330366539343832373839663361393661353861643364633534 63336633393666343064383735363664643936333130636465623139393838373134636265366439
38383461323031626161663938326339386634363165303238333365323235303535333765613734 64326538653236306437346165333934303134313032383135313335626136626162363831613430
30363032386333353962306131373466356137666334303230343561616639363238633630386330 30636436343162376637616262393633306330663362396638393166643131343564646162616530
32383537646430666331313530343033376238646334313335343661313665626631663331656638 62343735343832636661326265396262643136346366663337636335656137393231646438633338
31303637343263343566386634623362373366323136663032663966313836353136616564646563 61613137366661333462363134343732666330373864393636643665396435653064623030626466
66653938326539343130346439666264663962323661386131643432663237643334633837376163 65633536346531383565616130626461376566316535316339326363646336626266376330393939
62393330336434393232646163353539303831336638663135393734393064353964623032616233 33653438656438316532393665333939613334666464656635323566326439363964316535623233
32393037313965313933363236653537306634613265633764636436653332623339316132373964 38636236616637336230363032396635613563313966353334313365663434653138303764393938
39313334653831366533663661653934633338393539326564396236373462623262333530346436 37643561346338323934663936356563363833383435373933396138663334616563666562653935
66646266623666333034346634613365356333343934363963366137303030646638373466643564 33666631373964396265393233636631336632386537663663366439313137656661653265323162
66356265363634623363646266633137363966666361366463383266663032316665373430383031 64656333336165326563323333653036386334386566386664306638656130323665366136373732
33303530323561366531356133363035353732333135303762316337626330333530303563643935 34383532303363646334356534316630363133303031343665353465656239306338386238313262
35303465633536373833386435336638386662353032383861633965393564303839666463616263 30363438383164343661343730386162633430373765313834313739393638333963393234613564
39353934343965316134663634363135616338353734656361343433313837313639303931356233 30356134646431353132316565346331613137353431383863383866306632626336633764393036
39643135353661306461393962646238613062356361386533316362633233353235666262653738 66626466623034666335356539653136633331636365623061613433393335303535333433616137
33616465653435303736636165343239336139383162616463613232656639393338363766396434 65383231373230653838316630303736353237666431366134353534366564656338646265396162
32353965363537666366623066313461316463373130653637343430366231366263616261393564 61663366663532636635663337363063306466626463396630636236363736303963353062376163
36323038383238633239323365326334393132643832373033643432653032613665646666336338 63653530346335393934656531386139663136383132306564383937396364626365373839613766
30316565346630396537363431366337656236363462646435393731323866313366373438386265 62633264336335313932396164373363623061363262616330343735633862623234643365353035
61373366383865336334356638653065333839303663636266393933663833313931333133663966 36616231636461323832663837323232396636363561376563386530306339333431613935613263
35306163373462613335616265316563313062623139343061306465656463336162396266636437 30366335393834643066343763636561346336383463333535323932326663633338
36646439613433306464383133636466383430363363393762646534343133333732613530626162
31633430313039643636666365613232373335336235633832666139643937373766336563303266
34396137656436373438383035316133343132313130636536393536393862386531386531303761
64613337353463383032636636643963636235346262646366366539646233313939633864306335
38373465373863383964633038373334386632666236303436376438666132623964396434626439
38356235353430323236623962396461346438633962333163393535373362373164313132356232
63313639333862313565396165613265623135626635373134626137633638333561353732313036
3837


@ -0,0 +1,36 @@
services:
commento:
image: ghcr.io/souramoo/commentoplusplus:latest
restart: unless-stopped
depends_on:
- db
networks:
- default
- coredns
environment:
- COMMENTO_POSTGRES=postgres://commento:commento@db:5432/commento?sslmode=disable
- COMMENTO_ORIGIN=https://commento.theorangeone.net
- COMMENTO_GZIP_STATIC=true
- COMMENTO_FORBID_NEW_OWNERS=true
- COMMENTO_GITHUB_KEY={{ vault_commento_github_client_id }}
- COMMENTO_GITHUB_SECRET={{ vault_commento_github_client_secret }}
- COMMENTO_SMTP_HOST=smtp.eu.mailgun.org
- COMMENTO_SMTP_PORT=587
- COMMENTO_SMTP_USERNAME={{ vault_commento_smtp_username }}
- COMMENTO_SMTP_PASSWORD={{ vault_commento_smtp_password }}
- COMMENTO_SMTP_FROM_ADDRESS={{ vault_commento_from_email }}
- COMMENTO_GITLAB_KEY={{ vault_commento_gitlab_application_id }}
- COMMENTO_GITLAB_SECRET={{ vault_commento_gitlab_application_secret }}
db:
image: postgres:14-alpine
restart: unless-stopped
volumes:
- ./postgres:/var/lib/postgresql/data
environment:
- POSTGRES_PASSWORD=commento
- POSTGRES_USER=commento
networks:
coredns:
external: true
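Review bot: The secret-bearing environment entries are plain sequence items, e.g. `- COMMENTO_GITHUB_SECRET={{ vault_commento_github_client_secret }}`; since the template is rendered as text and then parsed as YAML, a vault value containing `: ` or ` #` breaks the compose file, and `validate: docker-compose -f %s config` only catches that at deploy time. Quote each templated item, `- "COMMENTO_GITHUB_SECRET={{ vault_commento_github_client_secret }}"`, and likewise for the GitLab and SMTP entries. `commentoplusplus:latest` is also the only unpinned image on this page — the other services pin a version — so a tag or digest would keep deploys reproducible. The Postgres credentials are literal `commento:commento` on both services; the db has no `networks:` entry so it is reachable only on the compose default network, and a comment saying that scope is intentional would help a future reader.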


@ -0,0 +1,4 @@
- name: restart commento
shell:
chdir: /opt/commento
cmd: "{{ docker_update_command }}"


@ -0,0 +1,32 @@
- name: Include vault
include_vars: vault.yml
- name: Create install directory
file:
path: /opt/commento
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install compose file
template:
src: files/docker-compose.yml
dest: /opt/commento/docker-compose.yml
mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config
notify: restart commento
become: true
- name: Install nginx config
template:
src: files/nginx-docker.conf
dest: /etc/nginx/http.d/commento.conf
mode: "0644"
notify: reload nginx
become: true
vars:
server_name: commento.theorangeone.net
upstream: commento-commento-1.docker:8080
ssl_cert_path: /etc/letsencrypt/live/commento.theorangeone.net
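Review bot: The compose file written by `Install compose file` embeds the vault-templated GitHub, GitLab and SMTP credentials, so who can read them is decided entirely by `docker_compose_file_mask` and `owner: "{{ docker_user.name }}"`, neither of which is visible here; confirm the mask is owner-only, and a comment on that task such as `# compose file embeds vault secrets; the mask must stay owner-only` would make the dependency explicit. The nginx task's `ssl_cert_path: /etc/letsencrypt/live/commento.theorangeone.net` matches the certbot domain added to the host_vars in this commit, so that part is consistent.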

32
ansible/roles/commento/vars/vault.yml generated Normal file

@ -0,0 +1,32 @@
$ANSIBLE_VAULT;1.1;AES256
35343736363532306236303339356634316461383639333836393761356165633662326332613666
3830323961313939316336393566363163646538623532310a363165666238653535353236383839
35363730353939656330346639323331393562393339393562383034663231396164333261646438
6564336362306636300a613634336337326534626263386466626238343130633864623862336563
66326262613330373035663863663532626437303435333432383839303331333538363139643633
64633465383135653265393033656135356166323238356130353633363030396366613164303033
63303832376462616464333031366337626564633135386230313538353166343532643035336636
31336531643766346438653333376364316162313765656330666330643261653433363339323665
30623164373931336238303265316665373361336338346336646439356538333266393934343139
34643433326330386564653461626264626231353863333935313665663462323234666463306266
38626538666262333934393733626562313432393566643435376163653432613363663035333165
36616431363563663235646433343564346164393034613436666362383233646636373163616666
36376133346634653738376137393265303261626562366666303137313338633237313834386432
66643264643532306364366562333837366636616237653033306538663435316163613266343565
31633437353963313733326339666331323061363963303132363262343966653433303835323337
31313363366631313930633061346265633261643238313762353932623230353938656264323437
39346634383135306135326338616664336435343235383863393830386662393036383161303465
33353261613537666464313437613335643830343336343535646665356333616266666233353065
64313131306663313064633631663536386531343733643534336631666266613165313330653962
35346262373437623333333234383531633238343463653862663236666337363738303463373664
62343363323465313561376232633630303965306238316161383139316133343233343033376262
63303264366536346234383063653838353638313561626433616462383339326631643533356639
39653762633733363237383762356134366264356437346430343830616233373732616261613231
62646639353132653038303536613738373137623236616631643738323737383637313633396135
37613037313437613836336332346162383832613938356638333564346237373032356438363464
31343464306131393362343433316666366632633036653262633361333165643735393231623932
31643261326266323232383630353534326662303965393161343938663131343263363461303430
31376161393038376262616333333362323033313436396164313438613532663564623633303365
32656630663834633039316561663231656131383535653766316138313138346363633537373164
62333532316135303366386261613131333364383031346364303938356631393865396133386633
636462653562653538636531356537353133


@ -2,6 +2,7 @@
docker_network: docker_network:
name: coredns name: coredns
internal: true internal: true
become: true
- name: Create install directory - name: Create install directory
file: file:
@ -9,6 +10,7 @@
state: directory state: directory
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}" mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install compose file - name: Install compose file
template: template:
@ -18,3 +20,4 @@
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config validate: docker-compose -f %s config
notify: restart coredns notify: restart coredns
become: true


@ -9,9 +9,6 @@ services:
- HEALTHCHECKS_ID={{ vault_db_auto_backup_healthchecks_id }} - HEALTHCHECKS_ID={{ vault_db_auto_backup_healthchecks_id }}
depends_on: depends_on:
- docker_proxy - docker_proxy
networks:
- default
- backup_private
docker_proxy: docker_proxy:
image: lscr.io/linuxserver/socket-proxy:latest image: lscr.io/linuxserver/socket-proxy:latest
@ -23,13 +20,5 @@ services:
- EXEC=1 - EXEC=1
volumes: volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro - /var/run/docker.sock:/var/run/docker.sock:ro
networks:
- backup_private
tmpfs:
- /run
logging: logging:
driver: none driver: none
networks:
backup_private:
internal: true
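Review bot: On the new side `docker_proxy` — which bind-mounts `/var/run/docker.sock` and exposes it with `EXEC=1` — has no `networks:` entry and the `backup_private` network with `internal: true` is gone, so the proxy sits on the project's default network and is reachable by anything else attached there; this is inferred from the -9/+6 and -13/+5 hunk counts, so please confirm. Anything that can reach that proxy effectively has root on the Docker host, so the two services should keep a dedicated internal network, and the dropped `tmpfs: - /run` on the proxy is worth restoring at the same time. The backup service's name is outside the first hunk, so it is shown as a comment below.

```yaml
  # … service with the HEALTHCHECKS_ID environment (name outside hunk) …
    networks:
      - default
      - backup_private
  docker_proxy:
    # … unchanged: image, environment, volumes, logging …
    networks:
      - backup_private
    tmpfs:
      - /run
networks:
  backup_private:
    internal: true
```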


@ -4,6 +4,7 @@
state: directory state: directory
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}" mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install compose file - name: Install compose file
template: template:
@ -13,3 +14,4 @@
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config validate: docker-compose -f %s config
notify: restart db-auto-backup notify: restart db-auto-backup
become: true


@ -1,6 +1,7 @@
- name: Install docker-compose - name: Install docker-compose
package: package:
name: docker-compose name: docker-compose
become: true
when: ansible_os_family != 'Debian' when: ansible_os_family != 'Debian'
- name: Install compose-switch - name: Install compose-switch
@ -8,6 +9,7 @@
url: "{{ docker_compose_url }}" url: "{{ docker_compose_url }}"
dest: "{{ docker_compose_path }}" dest: "{{ docker_compose_path }}"
mode: "0755" mode: "0755"
become: true
when: ansible_os_family == 'Debian' when: ansible_os_family == 'Debian'
- name: Create docker group - name: Create docker group
@ -15,6 +17,7 @@
name: "{{ docker_user.name }}" name: "{{ docker_user.name }}"
state: present state: present
gid: "{{ docker_user.id }}" gid: "{{ docker_user.id }}"
become: true
- name: Create docker user - name: Create docker user
user: user:
@ -22,18 +25,21 @@
uid: "{{ docker_user.id }}" uid: "{{ docker_user.id }}"
group: "{{ docker_user.name }}" group: "{{ docker_user.name }}"
create_home: false create_home: false
become: true
- name: Add user to docker user group - name: Add user to docker user group
user: user:
name: "{{ me.user }}" name: "{{ me.user }}"
groups: "{{ docker_user.name }}" groups: "{{ docker_user.name }}"
append: true append: true
become: true
- name: Add user to docker group - name: Add user to docker group
user: user:
name: "{{ me.user }}" name: "{{ me.user }}"
groups: docker groups: docker
append: true append: true
become: true
- name: Clean up docker containers - name: Clean up docker containers
cron: cron:
@ -41,8 +47,6 @@
hour: 1 hour: 1
minute: 0 minute: 0
job: docker system prune -af --volumes job: docker system prune -af --volumes
cron_file: docker_cleanup
user: root
- name: Install util scripts - name: Install util scripts
copy: copy:
@ -50,7 +54,6 @@
dest: "{{ me.home }}" dest: "{{ me.home }}"
mode: "755" mode: "755"
directory_mode: "755" directory_mode: "755"
owner: "{{ me.user }}"
- name: override docker service for zfs dependencies - name: override docker service for zfs dependencies
include_tasks: zfs-override.yml include_tasks: zfs-override.yml
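Review bot: The `Clean up docker containers` cron task loses `cron_file: docker_cleanup` and `user: root` on the new side, and no `become: true` is visible on that task in the hunk, so `docker system prune -af --volumes` would land in the connecting user's crontab rather than a root-owned file under /etc/cron.d; this is inferred from the -8/+6 hunk, so please check the task lines outside it. That user is added to the `docker` group earlier in this file, so the job may still run, but it now depends on that membership and is harder to audit. Keep `cron_file: docker_cleanup` and `user: root` together with `become: true` on the task. The same hunk also drops `owner: "{{ me.user }}"` from `Install util scripts`, which is only fine if that task runs as that user.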


@ -3,6 +3,7 @@
path: /etc/systemd/system/docker.service.d path: /etc/systemd/system/docker.service.d
state: directory state: directory
mode: "0755" mode: "0755"
become: true
- name: Create override.conf - name: Create override.conf
copy: copy:
@ -11,3 +12,4 @@
owner: root owner: root
group: root group: root
mode: "0644" mode: "0644"
become: true


@ -1,82 +0,0 @@
# based on https://gitea.com/gitea/act_runner/src/tag/v0.2.6/internal/pkg/config/config.example.yaml
log:
# The level of logging, can be trace, debug, info, warn, error, fatal
level: info
runner:
# Where to store the registration result.
file: /data/.runner
# Execute how many tasks concurrently at the same time.
capacity: "{{ ansible_processor_nproc }}"
# Extra environment variables to run jobs.
envs: {}
# Extra environment variables to run jobs from a file.
# It will be ignored if it's empty or the file doesn't exist.
env_file: /data/.env
# The timeout for a job to be finished.
# Please note that the Gitea instance also has a timeout (3h by default) for the job.
# So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
timeout: 3h
# Whether skip verifying the TLS certificate of the Gitea instance.
insecure: false
# The timeout for fetching the job from the Gitea instance.
fetch_timeout: 5s
# The interval for fetching the job from the Gitea instance.
fetch_interval: 5s
# The labels of a runner are used to determine which jobs the runner can run, and how to run them.
# Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
# If it's empty when registering, it will ask for inputting labels.
# If it's empty when execute `daemon`, will use labels in `.runner` file.
# labels: []
cache:
# Enable cache server to use actions/cache.
enabled: true
# The directory to store the cache data.
# If it's empty, the cache data will be stored in /data/.cache/actcache.
dir: /data/cache/server
# The host of the cache server.
# It's not for the address to listen, but the address to connect from job containers.
# So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
host: ""
# The port of the cache server.
# 0 means to use a random available port.
port: 0
# The external cache server URL. Valid only when enable is true.
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
# The URL should generally end with "/".
external_server: ""
container:
# Specifies the network to which the container will connect.
# Could be host, bridge or the name of a custom network.
# If it's empty, act_runner will create a network automatically.
network: bridge
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
privileged: false
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
options: ""
# The parent directory of a job's working directory.
# If it's empty, /workspace will be used.
workdir_parent: /workspace
# Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
# You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
# For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
# valid_volumes:
# - data
# - /src/*.json
# If you want to allow any volume, please use the following configuration:
# valid_volumes:
# - '**'
# overrides the docker client host with the specified one.
# If it's empty, act_runner will find an available docker host automatically.
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
docker_host: ""
force_pull: false
host:
# The parent directory of a job's working directory.
# If it's empty, /data/.cache/act/ will be used.
workdir_parent: /data/cache/actions


@ -1,44 +0,0 @@
services:
forgejo-runner:
image: code.forgejo.org/forgejo/runner:3.5.1
user: "{{ docker_user.id }}"
volumes:
- /mnt/data:/data
- ./config.yml:/data/config.yml
environment:
- TZ={{ timezone }}
- DOCKER_HOST=tcp://docker_proxy:2375
restart: unless-stopped
command: forgejo-runner daemon
networks:
- default
- forgejo_private
depends_on:
- docker_proxy
docker_proxy:
image: lscr.io/linuxserver/socket-proxy:latest
restart: unless-stopped
environment:
- POST=1
- CONTAINERS=1
- INFO=1
- IMAGES=1
- VOLUMES=1
- NETWORKS=1
- ALLOW_START=1
- ALLOW_STOP=1
- ALLOW_RESTARTS=1
- EXEC=1
tmpfs:
- /run
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
networks:
- forgejo_private
logging:
driver: none
networks:
forgejo_private:
internal: true


@ -1,4 +0,0 @@
- name: restart forgejo-runner
shell:
chdir: /opt/forgejo-runner
cmd: "{{ docker_update_command }}"


@ -6,9 +6,9 @@ maxretry = 100
filter = nginx-tcp filter = nginx-tcp
logpath = /var/log/nginx/ips.log logpath = /var/log/nginx/ips.log
port = http,https,8448 port = http,https,8448
ignoreip = {{ wireguard.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }} ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
[traefik] [traefik]
enabled = true enabled = true
port = http,https,8448 port = http,https,8448
ignoreip = {{ wireguard.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }} ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
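Review bot: The `ignoreip` value for the nginx-tcp jail and for `[traefik]` is the same literal list, edited in lockstep in this hunk; fail2ban inherits jail options from the `[DEFAULT]` section, so defining `ignoreip` once there and dropping the two per-jail copies removes the risk of the lists drifting apart. The first jail's header and any `[DEFAULT]` section are outside the hunk. Every address in these ranges is exempt from banning in both jails, so a compromised VPN peer is never locked out — fine for private overlays, but worth stating next to the list, e.g. `# VPN/internal ranges are never banned; tighten if peers are not fully trusted`.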


@ -3,6 +3,7 @@
src: files/nginx-fail2ban-filter.conf src: files/nginx-fail2ban-filter.conf
dest: /etc/fail2ban/filter.d/nginx-tcp.conf dest: /etc/fail2ban/filter.d/nginx-tcp.conf
mode: "0600" mode: "0600"
become: true
register: fail2ban_filter register: fail2ban_filter
- name: fail2ban jail - name: fail2ban jail
@ -10,10 +11,12 @@
src: files/nginx-fail2ban-jail.conf src: files/nginx-fail2ban-jail.conf
dest: /etc/fail2ban/jail.d/nginx.conf dest: /etc/fail2ban/jail.d/nginx.conf
mode: "0600" mode: "0600"
become: true
register: fail2ban_jail register: fail2ban_jail
- name: Restart fail2ban - name: Restart fail2ban
service: service:
name: fail2ban name: fail2ban
state: restarted state: restarted
become: true
when: fail2ban_filter.changed or fail2ban_jail.changed when: fail2ban_filter.changed or fail2ban_jail.changed
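Review bot: The position of the `become: true` key differs from task to task: here it sits between the module arguments and `register`, in the wireguard role's `Restart wireguard` task it comes after `when`, and in the squid, glinet and ingress task files it precedes `notify`. Ansible ignores key order, but once escalation is decided per task rather than globally, a fixed placement (module args, then `register`/`notify`/`when`, then `become` as the last key) makes it possible to see at a glance which tasks run privileged and which do not. The same applies to the other task files in this compare; I am raising it once here.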


@ -3,6 +3,7 @@
src: files/nginx.conf src: files/nginx.conf
dest: /etc/nginx/stream.d/gateway.conf dest: /etc/nginx/stream.d/gateway.conf
mode: "0644" mode: "0644"
become: true
register: nginx_config register: nginx_config
- name: Install CDN config - name: Install CDN config
@ -10,10 +11,12 @@
src: files/nginx-cdn.conf src: files/nginx-cdn.conf
dest: /etc/nginx/http.d/cdn.conf dest: /etc/nginx/http.d/cdn.conf
mode: "0644" mode: "0644"
become: true
register: nginx_config register: nginx_config
- name: Reload Nginx - name: Reload Nginx
service: service:
name: nginx name: nginx
state: reloaded state: reloaded
become: true
when: nginx_config.changed when: nginx_config.changed
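Review bot: Both the gateway config task (its `name` is outside the hunk; it writes `/etc/nginx/stream.d/gateway.conf`) and `Install CDN config` use `register: nginx_config`, so the second result overwrites the first and `Reload Nginx` only fires when `cdn.conf` changed — a change to the stream config alone is written to disk but never picked up until something else reloads nginx. Register them separately, `register: nginx_gateway_config` and `register: nginx_cdn_config`, and gate the reload on `when: nginx_gateway_config.changed or nginx_cdn_config.changed`; alternatively have both tasks `notify` a reload handler, as the ingress role on this page does.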


@ -1,6 +1,7 @@
- name: Install wireguard tools - name: Install wireguard tools
package: package:
name: "{{ item }}" name: "{{ item }}"
become: true
loop: loop:
- wireguard-tools - wireguard-tools
- qrencode - qrencode
@ -11,18 +12,21 @@
dest: /etc/wireguard/wg0.conf dest: /etc/wireguard/wg0.conf
mode: "0600" mode: "0600"
backup: true backup: true
become: true
register: wireguard_conf register: wireguard_conf
- name: Enable wireguard - name: Enable wireguard
service: service:
name: wg-quick@wg0 name: wg-quick@wg0
enabled: true enabled: true
become: true
- name: Restart wireguard - name: Restart wireguard
service: service:
name: wg-quick@wg0 name: wg-quick@wg0
state: restarted state: restarted
when: wireguard_conf.changed when: wireguard_conf.changed
become: true
- name: Create wireguard client directory - name: Create wireguard client directory
file: file:


@ -1,4 +1,4 @@
APP_NAME = Forgejo APP_NAME = Gitea: Git with a cup of orange juice
[repository] [repository]
ROOT = /mnt/repositories ROOT = /mnt/repositories
@ -32,7 +32,7 @@ PASSWD = gitea
[session] [session]
PROVIDER = db PROVIDER = db
COOKIE_NAME = forgejo_session COOKIE_NAME = gitea_session
[log] [log]
LEVEL = warn LEVEL = warn
@ -42,8 +42,8 @@ INSTALL_LOCK = true
SECRET_KEY = {{ vault_secret_key }} SECRET_KEY = {{ vault_secret_key }}
INTERNAL_TOKEN = {{ vault_internal_token }} INTERNAL_TOKEN = {{ vault_internal_token }}
PASSWORD_HASH_ALGO = pbkdf2 PASSWORD_HASH_ALGO = pbkdf2
COOKIE_USERNAME = forgejo_username COOKIE_USERNAME = gitea_username
COOKIE_REMEMBER_NAME = forgejo_remember COOKIE_REMEMBER_NAME = gitea_remember
LOGIN_REMEMBER_DAYS = 30 LOGIN_REMEMBER_DAYS = 30
REVERSE_PROXY_TRUSTED_PROXIES = * REVERSE_PROXY_TRUSTED_PROXIES = *
@ -64,8 +64,9 @@ REPO_PAGING_NUM = 100
[ui] [ui]
SITEMAP_PAGING_NUM = 100 SITEMAP_PAGING_NUM = 100
FEED_PAGING_NUM = 100 FEED_PAGING_NUM = 100
DEFAULT_THEME = forgejo-auto DEFAULT_THEME = gitea-auto
ISSUE_PAGING_NUM = 100 ISSUE_PAGING_NUM = 100
THEME_COLOR_META_TAG = "#ff7f00"
FEED_MAX_COMMIT_NUM = 30 FEED_MAX_COMMIT_NUM = 30
SHOW_USER_EMAIL = false SHOW_USER_EMAIL = false
EXPLORE_PAGING_NUM = 100 EXPLORE_PAGING_NUM = 100
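Review bot: `REVERSE_PROXY_TRUSTED_PROXIES = *` (a context line in the block headed by `INSTALL_LOCK`; the section name is outside the hunk) makes the server trust `X-Forwarded-For` from any peer that can reach port 3000, so anything on the shared compose networks can spoof the client address seen in logs and by fail2ban. The compose file on this page only publishes the service through the `traefik` network, so narrowing this to that network's range or the proxy's address is a cheap hardening step. Separately, renaming `COOKIE_NAME`, `COOKIE_USERNAME` and `COOKIE_REMEMBER_NAME` invalidates every existing session in whichever direction this is applied — worth a sentence in the commit message.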


@ -1,6 +1,6 @@
services: services:
forgejo: gitea:
image: code.forgejo.org/forgejo/forgejo:8-rootless image: gitea/gitea:1.22-rootless
user: "{{ docker_user.id }}:{{ docker_user.id }}" user: "{{ docker_user.id }}:{{ docker_user.id }}"
environment: environment:
- TZ={{ timezone }} - TZ={{ timezone }}
@ -22,8 +22,8 @@ services:
- redis - redis
labels: labels:
- traefik.enable=true - traefik.enable=true
- traefik.http.routers.forgejo.rule=Host(`git.theorangeone.net`) - traefik.http.routers.gitea.rule=Host(`git.theorangeone.net`)
- traefik.http.services.forgejo-forgejo.loadbalancer.server.port=3000 - traefik.http.services.gitea-gitea.loadbalancer.server.port=3000
networks: networks:
- default - default
- traefik - traefik


@ -1,3 +1,3 @@
{{ if not .IsSigned }} {{ if not .SignedUserName}}
<script defer data-domain="git.theorangeone.net" src="https://elbisualp.theorangeone.net/js/script.js"></script> <script defer data-domain="git.theorangeone.net" src="https://elbisualp.theorangeone.net/js/script.js"></script>
{{ end }} {{ end }}
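Review bot: The guard switches between `.IsSigned` and `.SignedUserName`; if the name used does not exist in the target version's template data, a Go template evaluates the missing map key as nil, `not nil` is true, and the analytics script is served to signed-in users too — silently, with no render error. Confirm the field against the templates shipped by the exact image tag in the compose file, and leave a marker beside it such as `{{/* field name valid for this fork/version; differs between Gitea and Forgejo */}}` so the next rename does not go unnoticed.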


@ -7,6 +7,7 @@
state: directory state: directory
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}" mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install compose file - name: Install compose file
template: template:
@ -16,6 +17,7 @@
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config validate: docker-compose -f %s config
notify: restart gitea notify: restart gitea
become: true
- name: Install config file - name: Install config file
template: template:
@ -24,6 +26,15 @@
mode: "{{ docker_compose_file_mask }}" mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
notify: restart gitea notify: restart gitea
become: true
- name: Create public images directory
file:
path: "{{ app_data_dir }}/gitea/data/custom/public/assets/img"
state: directory
owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Create custom templates directory - name: Create custom templates directory
file: file:
@ -32,6 +43,15 @@
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}" mode: "{{ docker_compose_directory_mask }}"
recurse: true recurse: true
become: true
- name: Install custom branding
unarchive:
src: https://git.theorangeone.net/api/packages/sys/generic/gitea-branding/latest/branding.zip
dest: "{{ app_data_dir }}/gitea/data/custom/public/assets/img"
remote_src: true
owner: "{{ docker_user.name }}"
become: true
- name: Install custom footer - name: Install custom footer
copy: copy:
@ -40,3 +60,4 @@
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_file_mask }}" mode: "{{ docker_compose_file_mask }}"
notify: restart gitea notify: restart gitea
become: true
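Review bot: The `Install custom branding` task fetches `branding.zip` with `unarchive` and `remote_src: true` but no integrity check, and as far as the module docs go a URL source is downloaded and re-extracted on every run, so the task is never idempotent. Download with `get_url` (which takes `checksum:`) to a staging path, then `unarchive` from local disk, or at minimum add `creates:` pointing at a file the archive is known to contain. The extracted files also land directly in a web-served `public/assets/img` directory with `owner` set but no `mode`, so they keep whatever permissions the zip carries — add `mode: "0644"` (or the role's file mask) to the task.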


@ -0,0 +1,17 @@
services:
act-runner:
image: vegardit/gitea-act-runner:latest
network_mode: host
volumes:
- /mnt/data:/data
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- TZ={{ timezone }}
- GITEA_INSTANCE_URL=https://git.theorangeone.net
- GITEA_RUNNER_REGISTRATION_TOKEN={{ vault_gitea_runner_registration_token }}
- GITEA_RUNNER_NAME={{ ansible_hostname }}
- GITEA_RUNNER_FETCH_INTERVAL=5s
- GITEA_RUNNER_MAX_PARALLEL_JOBS={{ ansible_processor_nproc }}
- GITEA_RUNNER_UID={{ docker_user.id }}
- GITEA_RUNNER_GID={{ docker_user.id }}
restart: unless-stopped
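Review bot: `/var/run/docker.sock:/var/run/docker.sock:ro` does not constrain a unix socket — `:ro` applies to the bind mount, not to connecting and sending API requests — so the runner, and therefore every job it executes, gets full control of the host Docker daemon, and with `network_mode: host` that is effectively host-level access. The forgejo-runner compose removed elsewhere in this compare put a `socket-proxy` container with an explicit allow-list in front of the socket and pointed the runner at it via `DOCKER_HOST=tcp://docker_proxy:2375`; the same pattern fits here, provided the image honours `DOCKER_HOST`. `GITEA_RUNNER_REGISTRATION_TOKEN` is also passed as a plain container environment variable, which anyone with daemon access can read via `docker inspect`; a compose `secrets:` file mount keeps it out of the container metadata if the image can read the token from a file.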


@ -0,0 +1,4 @@
- name: restart act-runner
shell:
chdir: /opt/act-runner
cmd: "{{ docker_update_command }}"


@ -1,23 +1,20 @@
- name: Include vault
include_vars: vault.yml
- name: Create install directory - name: Create install directory
file: file:
path: /opt/forgejo-runner path: /opt/act-runner
state: directory state: directory
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}" mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install config file
template:
src: files/config.yml
dest: /opt/forgejo-runner/config.yml
mode: "600"
owner: "{{ docker_user.name }}"
notify: restart forgejo-runner
- name: Install compose file - name: Install compose file
template: template:
src: files/docker-compose.yml src: files/docker-compose.yml
dest: /opt/forgejo-runner/docker-compose.yml dest: /opt/act-runner/docker-compose.yml
mode: "{{ docker_compose_file_mask }}" mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config validate: docker-compose -f %s config
notify: restart forgejo-runner notify: restart act-runner
become: true
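Review bot: `mode: "600"` on the `Install config file` task (left-hand side of this section) and `mode: "644"` in the nftables role's `Copy firewall config` task drop the leading zero that every other task on this page uses (`"0600"`, `"0644"`). Ansible parses a quoted digit string as octal either way, but the mixed forms invite a future unquoted `mode: 600`, which YAML hands over as decimal 600 (= octal 1130); normalise to `mode: "0600"` / `mode: "0644"`. The act-runner side also drops the `Include vault` task while its compose template still references `vault_gitea_runner_registration_token`; that only works if the vault file added in this compare lives under the role's `vars/` (auto-loaded), which the page does not show.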


@ -0,0 +1,10 @@
$ANSIBLE_VAULT;1.1;AES256
39356636363738343339633132326666373534646563366335363336356362343438313030353466
6564373739333030393666333438386533316332626136350a626439316537343030323761383863
33666632636132386335393833636232373662626562326531666330373438613738613634643061
3864336432626338320a373866356363613166366239356630663534646566636131353530623266
66326334636361386338663739333134333761376239373133396534376139633364336433663362
30313736303539663839313830336164346536383066393635323366363433616264373165356431
35663832323132356538666333653135383332653232336336646265356665313165623035363561
65306666393331383661353961306531636266393765626363616265326566316163396531373638
3735


@ -2,3 +2,4 @@
service: service:
name: wg-quick@glinet name: wg-quick@glinet
state: restarted state: restarted
become: true


@ -4,6 +4,7 @@
- name: Install wireguard tools - name: Install wireguard tools
package: package:
name: "{{ item }}" name: "{{ item }}"
become: true
loop: loop:
- wireguard-tools - wireguard-tools
- qrencode - qrencode
@ -14,6 +15,7 @@
dest: /etc/wireguard/glinet.conf dest: /etc/wireguard/glinet.conf
mode: "0600" mode: "0600"
backup: true backup: true
become: true
notify: restart wireguard notify: restart wireguard
- name: Wireguard client config - name: Wireguard client config
@ -22,9 +24,11 @@
dest: "{{ me.home }}/glinet-vpn.conf" dest: "{{ me.home }}/glinet-vpn.conf"
mode: "0600" mode: "0600"
owner: "{{ me.user }}" owner: "{{ me.user }}"
become: true
notify: restart wireguard notify: restart wireguard
- name: Enable wireguard - name: Enable wireguard
service: service:
name: wg-quick@glinet name: wg-quick@glinet
enabled: true enabled: true
become: true


@ -63,11 +63,9 @@ noise:
# IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71 # IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
# IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33 # IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
# Any other range is NOT supported, and it will cause unexpected issues. # Any other range is NOT supported, and it will cause unexpected issues.
prefixes: ip_prefixes:
v6: fd7a:115c:a1e0::/48 - fd7a:115c:a1e0::/48
v4: 100.64.0.0/10 - 100.64.0.0/10
allocation: sequential
# DERP is a relay system that Tailscale uses when a direct # DERP is a relay system that Tailscale uses when a direct
# connection cannot be established. # connection cannot be established.
@ -79,7 +77,7 @@ derp:
server: server:
# If enabled, runs the embedded DERP server and merges it into the rest of the DERP config # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
# The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
enabled: false enabled: true
# Region ID to use for the embedded DERP server. # Region ID to use for the embedded DERP server.
# The local DERP prevails if the region ID collides with other region ID coming from # The local DERP prevails if the region ID collides with other region ID coming from
@ -97,8 +95,7 @@ derp:
stun_listen_addr: 0.0.0.0:3478 stun_listen_addr: 0.0.0.0:3478
# List of externally available DERP maps encoded in JSON # List of externally available DERP maps encoded in JSON
urls: urls: []
- https://controlplane.tailscale.com/derpmap/default
# Locally available DERP map files encoded in YAML # Locally available DERP map files encoded in YAML
# #
@ -131,25 +128,10 @@ ephemeral_node_inactivity_timeout: 30m
node_update_check_interval: 20s node_update_check_interval: 20s
# SQLite config # SQLite config
database: db_type: sqlite3
type: sqlite
gorm: # For production:
# Enable prepared statements. db_path: /var/lib/headscale/db.sqlite
prepare_stmt: true
# Enable parameterized queries.
parameterized_queries: true
# Skip logging "record not found" errors.
skip_err_record_not_found: true
# Threshold for slow queries in milliseconds.
slow_threshold: 3000
sqlite:
path: /var/lib/headscale/db.sqlite
write_ahead_log: true
# # Postgres config # # Postgres config
# If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank. # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
@ -206,9 +188,7 @@ log:
# Path to a file containg ACL policies. # Path to a file containg ACL policies.
# ACLs can be defined as YAML or HUJSON. # ACLs can be defined as YAML or HUJSON.
# https://tailscale.com/kb/1018/acls/ # https://tailscale.com/kb/1018/acls/
policy: acl_policy_path: /etc/headscale/acls.json
mode: file
path: /etc/headscale/acls.json
## DNS ## DNS
# #
@ -219,13 +199,13 @@ policy:
# - https://tailscale.com/kb/1081/magicdns/ # - https://tailscale.com/kb/1081/magicdns/
# - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/ # - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
# #
dns: dns_config:
# Whether to prefer using Headscale provided DNS or use local. # Whether to prefer using Headscale provided DNS or use local.
override_local_dns: false override_local_dns: false
# List of DNS servers to expose to clients. # List of DNS servers to expose to clients.
nameservers: nameservers:
global: [] - 1.1.1.1
# NextDNS (see https://tailscale.com/kb/1218/nextdns/). # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
# "abc123" is example NextDNS ID, replace with yours. # "abc123" is example NextDNS ID, replace with yours.
@ -271,7 +251,7 @@ dns:
# `base_domain` must be a FQDNs, without the trailing dot. # `base_domain` must be a FQDNs, without the trailing dot.
# The FQDN of the hosts will be # The FQDN of the hosts will be
# `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_). # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
base_domain: hs.sys.theorangeone.net base_domain: headscale.jakehoward.tech
# Unix socket used for the CLI to connect without authentication # Unix socket used for the CLI to connect without authentication
# Note: for production you will want to set this to something like: # Note: for production you will want to set this to something like:
@ -282,12 +262,12 @@ unix_socket_permission: "0770"
# headscale supports experimental OpenID connect support, # headscale supports experimental OpenID connect support,
# it is still being tested and might have some bugs, please # it is still being tested and might have some bugs, please
# help us test it. # help us test it.
# oidc: oidc:
# only_start_if_oidc_is_available: true only_start_if_oidc_is_available: true
# issuer: "{{ vault_oidc_issuer }}" issuer: "{{ vault_oidc_issuer }}"
# client_id: "{{ vault_oidc_client_id }}" client_id: "{{ vault_oidc_client_id }}"
# client_secret: "{{ vault_oidc_client_secret }}" client_secret: "{{ vault_oidc_client_secret }}"
# expiry: 0 expiry: 0
# Logtail configuration # Logtail configuration
# Logtail is Tailscales logging and auditing infrastructure, it allows the control panel # Logtail is Tailscales logging and auditing infrastructure, it allows the control panel
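Review bot: The two sides of this section use mutually incompatible headscale config schemas (`ip_prefixes`/`db_type`/`acl_policy_path`/`dns_config` versus `prefixes`/`database`/`policy`/`dns`, the latter being the 0.23 renames), while the `Install Headscale` task in the next section installs `package: name: headscale` without a version, so whichever config is deployed only starts if the distro package happens to match and a later package upgrade breaks the control plane. Pin the package version, or at least open this template with a comment naming the schema it targets, e.g. `# Config schema for headscale <VERSION_NOT_SHOWN>; top-level keys were renamed in 0.23`. On the side where `oidc` is enabled, `client_secret` is templated into the file; headscale also accepts `client_secret_path` (check it exists in the deployed version), which keeps the secret out of the config file and its backups.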


@ -3,3 +3,4 @@
name: headscale name: headscale
state: restarted state: restarted
enabled: true enabled: true
become: true


@ -4,6 +4,7 @@
- name: Install Headscale - name: Install Headscale
package: package:
name: headscale name: headscale
become: true
- name: Install headscale config file - name: Install headscale config file
template: template:
@ -12,6 +13,7 @@
owner: headscale owner: headscale
mode: "0600" mode: "0600"
notify: restart headscale notify: restart headscale
become: true
- name: Install ACLs - name: Install ACLs
template: template:
@ -20,10 +22,12 @@
owner: headscale owner: headscale
mode: "0600" mode: "0600"
notify: restart headscale notify: restart headscale
become: true
- name: Install nginx config - name: Install nginx config
template: template:
src: files/nginx.conf src: files/nginx.conf
dest: /etc/nginx/http.d/headscale.conf dest: /etc/nginx/http.d/headscale.conf
mode: "0644" mode: "0644"
become: true
notify: reload nginx notify: reload nginx


@ -2,7 +2,7 @@
# Recommended minimum configuration: # Recommended minimum configuration:
# #
acl hide_internal dst {{ wireguard.cidr }} {{ pve_hosts.internal_cidr }} {{ tailscale_cidr }} acl hide_internal dst {{ wireguard.cidr }} {{ nebula.cidr }} {{ pve_hosts.internal_cidr }} {{ tailscale_cidr }}
# Example rule allowing access from your local networks. # Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing # Adapt to list your (internal) IP networks from where browsing
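Review bot: The `hide_internal` ACL lists `wireguard.cidr`, `nebula.cidr`, `pve_hosts.internal_cidr` and `tailscale_cidr`, but the fail2ban `ignoreip` lists on this page also carry `pve_hosts.internal_cidr_ipv6`, so if the proxy can reach IPv6 destinations the internal v6 range is not hidden; add `{{ pve_hosts.internal_cidr_ipv6 }}` to the `dst` list. The `http_access` rule that gives this ACL effect is outside the hunk — confirm a `deny hide_internal` still precedes the allow rules.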


@ -2,3 +2,4 @@
service: service:
name: squid name: squid
state: restarted state: restarted
become: true


@ -1,15 +1,18 @@
- name: Install squid - name: Install squid
package: package:
name: squid name: squid
become: true
- name: Squid config - name: Squid config
template: template:
src: files/squid.conf src: files/squid.conf
dest: /etc/squid/squid.conf dest: /etc/squid/squid.conf
mode: "0600" mode: "0600"
become: true
notify: restart squid notify: restart squid
- name: Enable squid - name: Enable squid
service: service:
name: squid name: squid
enabled: true enabled: true
become: true


@ -17,6 +17,9 @@ table inet filter {
tcp dport {http, https, {{ ssh_port }}, 8443, 8448} accept tcp dport {http, https, {{ ssh_port }}, 8443, 8448} accept
# Allow nebula
udp dport {{ nebula_listen_port }} accept;
# Allow Tailscale # Allow Tailscale
udp dport {{ tailscale_port }} accept; udp dport {{ tailscale_port }} accept;
} }
@ -26,6 +29,7 @@ table inet filter {
policy accept policy accept
# NAT - because the proxmox machines may not have routes back # NAT - because the proxmox machines may not have routes back
ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
ip saddr {{ tailscale_cidr }} counter masquerade ip saddr {{ tailscale_cidr }} counter masquerade
} }
@ -33,8 +37,12 @@ table inet filter {
type filter hook forward priority mangle type filter hook forward priority mangle
policy drop policy drop
# Allow monitoring of Tailscale network # Allow traffic from nebula to proxmox network
ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ tailscale_cidr }} accept ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept
ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ nebula.cidr }} ct state related,established accept
# Allow monitoring of nebula network
ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} accept
# Allow Tailscale exit node # Allow Tailscale exit node
ip saddr {{ tailscale_cidr }} ip daddr 192.168.0.0/16 drop ip saddr {{ tailscale_cidr }} ip daddr 192.168.0.0/16 drop
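Review bot: `udp dport {{ nebula_listen_port }} accept;` is rendered for every host, but the nebula defaults added in this compare set `nebula_listen_port: 0`, so on a non-lighthouse the rule becomes `udp dport 0 accept;` — at best a rule that never matches, at worst a failure under the role's `validate: nft -c -f %s` depending on the nft version. Wrap it in `{% if nebula_listen_port %}` … `{% endif %}` (or key it off `nebula_is_lighthouse`). The forward rule `ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept` admits every protocol and port from any overlay peer into the whole proxmox network while the reverse direction is correctly limited to `related,established`; if only specific services are needed, narrow it with a `tcp dport { … }` set. The trailing `;` on the two `udp` rules is harmless but inconsistent with the `tcp dport` line above them.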


@ -2,11 +2,13 @@
service: service:
name: wg-quick@wg0 name: wg-quick@wg0
state: restarted state: restarted
become: true
- name: reload nginx - name: reload nginx
service: service:
name: nginx name: nginx
state: reloaded state: reloaded
become: true
- name: reload nftables - name: reload nftables
command: command:
@ -14,3 +16,4 @@
- nft - nft
- -f - -f
- /etc/nftables.conf - /etc/nftables.conf
become: true
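Review bot: `reload nftables` runs `nft -f /etc/nftables.conf`; unless that file begins with `flush ruleset` (its head is not on this page), every reload appends a second copy of each table's rules instead of replacing them. Confirm the template starts with `flush ruleset`, which nft applies atomically together with the rest of the file; a separate `nft flush ruleset` in the handler before `nft -f` would also work, but a flush followed by a failed load leaves the host with no firewall, so the in-file form is the safer one.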


@ -1,6 +1,7 @@
- name: Install nftables - name: Install nftables
package: package:
name: nftables name: nftables
become: true
- name: Copy firewall config - name: Copy firewall config
template: template:
@ -8,6 +9,7 @@
dest: /etc/nftables.conf dest: /etc/nftables.conf
validate: nft -c -f %s validate: nft -c -f %s
mode: "644" mode: "644"
become: true
notify: reload nftables notify: reload nftables
- name: Enable nftables - name: Enable nftables
@ -15,3 +17,4 @@
name: nftables name: nftables
enabled: true enabled: true
state: started state: started
become: true


@ -3,4 +3,5 @@
src: files/nginx.conf src: files/nginx.conf
dest: /etc/nginx/stream.d/ingress.conf dest: /etc/nginx/stream.d/ingress.conf
mode: "0644" mode: "0644"
become: true
notify: reload nginx notify: reload nginx


@ -1,6 +1,8 @@
- name: Install Wireguard - name: Install Wireguard
package: package:
name: wireguard name:
- wireguard
become: true
- name: Get wireguard credentials - name: Get wireguard credentials
set_fact: set_fact:
@ -12,12 +14,14 @@
dest: /etc/wireguard/wg0.conf dest: /etc/wireguard/wg0.conf
mode: "0600" mode: "0600"
backup: true backup: true
become: true
notify: restart wireguard notify: restart wireguard
- name: Enable wireguard - name: Enable wireguard
service: service:
name: wg-quick@wg0 name: wg-quick@wg0
enabled: true enabled: true
become: true
- name: Enable p2p communication - name: Enable p2p communication
sysctl: sysctl:
@ -27,3 +31,4 @@
state: present state: present
reload: true reload: true
sysctl_file: /etc/sysctl.d/99-sysctl.conf sysctl_file: /etc/sysctl.d/99-sysctl.conf
become: true


@ -2,19 +2,23 @@
ansible.builtin.apt_key: ansible.builtin.apt_key:
url: https://repo.jellyfin.org/jellyfin_team.gpg.key url: https://repo.jellyfin.org/jellyfin_team.gpg.key
state: present state: present
become: true
- name: Add Jellyfin repository - name: Add Jellyfin repository
apt_repository: apt_repository:
repo: deb [arch=amd64] https://repo.jellyfin.org/debian {{ ansible_distribution_release }} main repo: deb [arch=amd64] https://repo.jellyfin.org/debian {{ ansible_distribution_release }} main
filename: jellyfin filename: jellyfin
state: present state: present
become: true
- name: Install jellyfin - name: Install jellyfin
package: package:
name: jellyfin name: jellyfin
become: true
- name: Set media dir permissions - name: Set media dir permissions
cron: cron:
name: Set media permissions name: Set media permissions
special_time: daily special_time: daily
job: chown -R jellyfin:jellyfin /mnt/media job: chown -R jellyfin:jellyfin /mnt/media
become: true
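Review bot: The `apt_key` task adds the Jellyfin key to apt's global trusted keyring and the `apt_repository` line carries no `signed-by=`, so that key is trusted to sign any repository on the host, not only Jellyfin's; `apt-key` is also deprecated and has been removed from current Debian releases. Fetch the key into `/usr/share/keyrings/` with `get_url` (adding `checksum:` once the value is known) and scope it with `signed-by` in the repo line; if the download is ASCII-armored, keep the `.asc` extension or dearmor it, depending on the apt version in use. Both lines are context in this hunk, so the change is independent of the `become` additions.
```yaml
- name: Add Jellyfin signing key
  get_url:
    url: https://repo.jellyfin.org/jellyfin_team.gpg.key
    dest: /usr/share/keyrings/jellyfin.asc
    mode: "0644"
  become: true

- name: Add Jellyfin repository
  apt_repository:
    repo: deb [arch=amd64 signed-by=/usr/share/keyrings/jellyfin.asc] https://repo.jellyfin.org/debian {{ ansible_distribution_release }} main
    filename: jellyfin
    state: present
  become: true
# … unchanged: Install jellyfin, Set media dir permissions …
```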


@ -1,22 +1,19 @@
services: services:
mastodon: mastodon:
image: lscr.io/linuxserver/mastodon:4.3.0 image: lscr.io/linuxserver/mastodon:4.2.10
environment: environment:
- TZ={{ timezone }} - TZ={{ timezone }}
- PUID={{ docker_user.id }} - PUID={{ docker_user.id }}
- PGID={{ docker_user.id }} - PGID={{ docker_user.id }}
- LOCAL_DOMAIN=theorangeone.net - LOCAL_DOMAIN=theorangeone.net
- WEB_DOMAIN=mastodon.theorangeone.net - WEB_DOMAIN=mastodon.theorangeone.net
- DATABASE_URL=postgresql://mastodon:mastodon@db:5432/mastodon - DATABASE_URL=postgresql://mastodon:mastodon@db/mastodon
- REDIS_URL=redis://redis - REDIS_URL=redis://redis
- SIDEKIQ_REDIS_URL=redis://redis/1 - SIDEKIQ_REDIS_URL=redis://redis/1
- SECRET_KEY_BASE={{ vault_secret_key_base }} - SECRET_KEY_BASE={{ vault_secret_key_base }}
- OTP_SECRET={{ vault_otp_secret }} - OTP_SECRET={{ vault_otp_secret }}
- VAPID_PRIVATE_KEY={{ vault_vapid_private_key }} - VAPID_PRIVATE_KEY={{ vault_vapid_private_key }}
- VAPID_PUBLIC_KEY={{ vault_vapid_public_key }} - VAPID_PUBLIC_KEY={{ vault_vapid_public_key }}
- ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY={{ vault_active_record_encryption_deterministic_key }}
- ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT={{ vault_active_record_encryption_key_derivation_salt }}
- ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY={{ vault_active_record_encryption_primary_key }}
- SINGLE_USER_MODE=true - SINGLE_USER_MODE=true
- DEFAULT_LOCALE=en - DEFAULT_LOCALE=en
- STREAMING_CLUSTER_NUM=1 - STREAMING_CLUSTER_NUM=1
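Review bot: `DATABASE_URL=postgresql://mastodon:mastodon@db…/mastodon` carries a literal database password while `SECRET_KEY_BASE`, `OTP_SECRET` and the VAPID/encryption keys all come from the vault; the database is presumably only reachable on the compose network, so the exposure is lateral, but for consistency take the password from a vault variable too and keep the `db` service's own password setting (outside this hunk) in step. The `mastodon:4.3.0` side adds the three `ACTIVE_RECORD_ENCRYPTION_*` variables that 4.3 requires at boot; whichever direction this is applied, the image tag and those variables have to move together.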


@ -7,6 +7,7 @@
state: directory state: directory
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}" mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install compose file - name: Install compose file
template: template:
@ -16,6 +17,7 @@
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config validate: docker-compose -f %s config
notify: restart mastodon notify: restart mastodon
become: true
- name: Install media cleanup script - name: Install media cleanup script
template: template:
@ -23,6 +25,7 @@
dest: /opt/mastodon/purge-media.sh dest: /opt/mastodon/purge-media.sh
mode: "0755" mode: "0755"
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
become: true
- name: Schedule media cleanup - name: Schedule media cleanup
cron: cron:
@ -32,3 +35,4 @@
weekday: 1 weekday: 1
job: /opt/mastodon/purge-media.sh job: /opt/mastodon/purge-media.sh
user: "{{ me.user }}" user: "{{ me.user }}"
become: true


@ -1,42 +1,30 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
61313731363564306234653163633231356330313936636631393536356434396530643065333731 63646161653431383335313735643535313434613362343161373961633539373932313338343633
3534663665643665613164343931646262643231356337350a333262356130636265643465323263 6637323935616636353731336531663635656532383166640a633335666633363136333433343266
34333463353131323930636566633462613561333733636230363066343834316664363036346635 37383237623837616464613561633931613230623633313533393464646464646566366330323365
6666363330383337340a316635663663343034613039353835633035633036646131303365626466 6563396262363238320a303433636266616635313536396132366239343230656432626639653230
38636438323537303134356162633666376236346635366161356430376366626637343362363039 63336165323337393664373635616532643935343363303766376533366661663366623939653564
33356332333362363834373137633130306161393430393830643363636463633234646634306265 35363335396266363532653038623038383836383236366466366339343433393338343566653834
34366438333132633937303661356134383831373765306339363161643132393737356434653832 30393761626537313531346466373136666565653731663430376664353737663039643263303533
31346166333539643161346130386565376630333435376661343666636239666138316337633463 35663836626462333262356330616131316432326139616165363831393036343235663736626661
37633237393063313633393732616364653930353661366136346139663030393530383533646265 35666264346563306133306565636261633766616135616366376430643763333031353534373033
34393236643439316364376236373431643536333561613135616338643538313238303530356136 35373739333562313639376264343562363130373531313563643834613533653034316536323339
34393864323365633166643434363262346233393938313463643162343761643831373639313830 39646337376462656362666330643831653730393562316661326433633334353963306664396264
31363837393934333064316463313562393939613034653762303764333730353165623765653430 30373238653832613861633263383663616538366361336163373861613538613132353963373666
32383961353162306431393331643262353635383761663330323239383732346535636138636634 34376464333462633839396263396335613233356261666661313763333033376434626463663133
64616631373765393033306562343433373733646331643930373663323837393438643331663062 32646130333635656665396335393232346661303861626566663931303637653065313031323936
39323564376436353032303362653261363730383062346664663462656230613238303430303561 64333931393165343761376630666462343136353335343632323435306261633232633662353137
63663461376139616237333864643461343130326637616264353132613930306238613634343636 32323863343365623566316537343062393638393434323134633535313531333135666535323439
62393835393336646133616438336266653762366163623032323131656638393234383532333237 35613439373737396562613834373638356534326438646330663564366436333962626135363833
34333030356638326139333636343865636335333665656534656466333135663562303637333136 63653731383163653932383632306239663365323237363562306639643662393530633430386164
62386134633330663364323730646134383534623835636633653236653232393232653163613435 61613137663734636666633966663366393832353166343239656335396630323138366338616430
64663437383233323435386163653933383634666630383862323831316166353837323461333961 37653036303735383664656530626630616437373762343263643661343464326466353234316363
39626563323364653731316361333534616361366435643266626164666463613836336639373835 64643733363435656365343537626364643430316630663666373932663564623835646336633034
64393038336333356431326532626463333332373465613364386461623533646266626264383332 65646264346439356161353838353064626230636664373035336433356530326632613035316434
61393338663162343831616566346133646166353431396139393237356332616437353538313236 31613434366530323263383337316432316432373835343164313963643733626362393334623266
35323263383036623761643430336462656430356164313561663437383530346434306438386533 65356131626135336337383139643838333134616137366530353730646634633364353333646563
34366262663261636365323235326532393436333962383032353236323761373239613836646564 66333134616639363932613238346538623764663831353031383834613230393936386432623434
33316433656636313261653364663966633431663762363133666631653835386131643061626161 37393935346238633338323432613638616466623264656434393761623363356330623632323261
39633065326130643134343139363266363362393938623261646231333833643034633638386162 36393064316263666432663633323535363035323535653834323064383437343530306166306239
37376263613839353365336563623830333338373339393830323834326234373833336237326365 37316236313533393062623066336561373138636339393631313866303433643832383230656532
63366664323136303638643237366265653235363266333738343437313636663163663134363262 3137
32663533363539313238663237366330633738613733363932653031356263643935666166363536
61383532373565383730363662613533333265636361333230333233396534353337653662363065
38393937396337633430303831353831376666623061356239363534333537323662306530303639
65303735343431623561356361373330343033643130393235336535623530303236356432353834
62376163646362616465643730353866333464666365336336383466653462346334646231633736
62336132343737303061396636313334333538396333626263396361386631313730363766653530
66663461616530326261343931343330313836633966646661626361643064316261313234386635
30306534396136656432653236343337656433396337393064313466653165396562393665363938
63393232646164333263313136303236353465636139376232626563613835303561653935316332
61373432613632663366383933343839363765396637306339363162616237366361306237336464
37353336306536396466356432393766623061363938633736323431313237663464646364666131
3737


@ -7,6 +7,7 @@
state: directory state: directory
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}" mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install compose file - name: Install compose file
template: template:
@ -16,3 +17,4 @@
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config validate: docker-compose -f %s config
notify: restart minio notify: restart minio
become: true


@ -0,0 +1,2 @@
nebula_is_lighthouse: false
nebula_listen_port: 0


@ -0,0 +1,18 @@
$ANSIBLE_VAULT;1.1;AES256
35346565636566303064316339396339363831623963306131303331366338643338326261626137
3031333365383139383466323931353339346534366136350a353034373561653238643039373766
37316638363166303162373739393934653936373639323038663639656138313035666132646136
6339386166383137320a363536336166343539633238336364663633306562313965636536303663
35376234336566626232383231326362393664386464346363643262393932316130623936383366
63313539653035383665373962376165336533396565643263666634333434663432386635663434
31613064653739363637643433653639343930623038626539353534393861646165366166616638
38313036303261336635666161383135353637633966646462376439313539383962343564626336
37343566306638626337316135663763343961653065616531396332303966643638646163393461
63353630393364666336633630653765613331386233386130366636393965323231373561333163
38613165623533396531383031316631346434333239616335373162333637363830636263613338
38316165343632313361633362383934653832306332663732303061333135393234306232636464
36346465633166303335363365336336383333636165633230626263633663356336366662313263
36353231623930653361313466643064356234656639616332326534306133396338363538366136
30643633626230613364353434323262333335363132303865646130653733623032346166653031
63653761393935333430636230353966353765626235336439383331333436623061373835616462
3661


@ -0,0 +1,20 @@
$ANSIBLE_VAULT;1.1;AES256
63636434323163343761373034626236333037376261336634366531393035356435653037326238
3839323731623165633234613132376534646266373466310a356635313261333263366632336664
39326533333462373831663132633733666136623938313164313265326637333332616463386363
6634333536313132310a613766363630313933343365333633333663613035313362343437383534
32636433613365643633643536633862376231316135376437333835353164613839323562333430
39323331353639333539356165616661663262386363386239346664643364653137633332626661
35393332653530373162666365326135663633663265313634643135373562663763376530623038
63343231333933616237666465306461663634363261656237383236383663336235363161623265
30343366643637326135356636626564343436396635613566393636643264333933656265346333
61363335303737666238393665633265393835633838636561393534343437366639636361373761
34366334366236373633613037346463373632323265343034343335333436373733613465663464
65643863303037643338366537336562613232313331323366663835316437376535623635383463
38386539353834383236663766393563393063333233623661303335396534353166316230396566
34393034333864346534383665616666633836376439646632303566613633376138313961636637
37313635393739656161313466633231396539393666663635623034613765393438633735636666
33326635373966353633356166313138656462373962663666653961366438383936626338663439
36643039613061646531366462623064623837666633326532663232616139623737343732346130
64646337356266353261363438326237313833323765663336346635353236396638376530663033
306365363634643665646230366332653632


@ -0,0 +1,11 @@
$ANSIBLE_VAULT;1.1;AES256
31646561316237653338613966616162363239323863393862376136623639613730633339396230
3830343834383934333236633462663734366432666331620a393739313230656636653432646532
65386466633832623663386131393866666664303439613738303933656239393761653263386466
3561656162343632350a383737343661663037306461636264353239373865613861393034626237
37633134636638633539346534346365346332643939653737626136393961343864386438323731
39353663353362623563326230643961623231646361396561623431376139626236313362343938
38336138376133656130633161363766393861656466363565646264653963396539386266616631
66333965383862633061623961316334326134326630623064323562373937323338313838353066
38343830316665326663313331613561393238373161326637396630383030666137623633616365
6461333239666365363339613533323536613839356332373530


@ -0,0 +1,21 @@
$ANSIBLE_VAULT;1.1;AES256
62613762323836666136313634353965643132326439656165623938326130633631623939336434
3931613737633935363439316362613663363335626134340a306631376131363635326337333234
34373262383861626564383834306462306633376332353630666265303766333731613839333231
6666343965353866320a313930383762646431656433393433336436623064643864343639393465
37613062336430646130653833363130343266303833353739393839376235646433663236636532
31303439663030353934383862396234663633343932646234353566313833613038366262373862
62646262393431343638373936333339373230346134313661303138656563613463613836643634
33343236633235316364336438613932316431383839393136343662333365396639313931663461
33363336323532376566316532373832306662373538343361336239346163626330333736636566
33306435306136643563643465373964383336376566383539613530313830353961623861323936
64633336323438353238616663323338396536386161326132633466643135636162363536656665
39653734653839366362383034366437613734373830386533363138373036323231363764633335
34633163353237656266663035616463383165623634353062636464373361376438653230343661
35343434656335623533623836313335616162666665313064653730356537633666336163616132
31663432396564613538303662396538643131656137343434646333666634653938353363316363
38623730623532663133343937643663633961353034316234663931646331656636303739383464
37623264663038656632343262336165343635633566393535343663393163313234396463373766
35313337353833306262363532616265656461356536633430383234633464613839303562356565
39643738616262383734656535636566323831373035306166343039666334633264303435663865
39623533653333323766


@ -0,0 +1,11 @@
$ANSIBLE_VAULT;1.1;AES256
37626435646463663062363233393732353239386231366436653663623035656339633136346138
3963626465363538653430343733663965373865376263330a373638663731656435646438646134
38663334363137666530653934356337326264356664343633623432613265643139353464666136
6236383631366130310a386265373334663831333137303538303737663062656239663839326338
35613739313935373362333933653636383033343164363964353935633061636635353464643831
64626363646136663166373632343830333634356565336138393436313864646333386561396663
65636436663830633661396531643838333938366236633762323231363966643035643539383438
30396136633264396561353034653161343536313461623532303265663531323937363737353566
32363564333536306166346165393662353234363131383733396338633839333439373538623362
3738616565663331353362633939343832323238383930643263


@ -0,0 +1,20 @@
$ANSIBLE_VAULT;1.1;AES256
32636232306462356330643137616236306261373438653332326239343662363234313765356563
6361383264626665636130373539613936373036343061350a316438383266306538303836636138
39643434323831303337336230623463633138633436386539363531626633633364663031376131
3162363530393734380a303162386436396338383864333439313365383665666361313666373538
35666262616466663061383463653361303230653036643033376434303236656638343134316262
31303663396231623065316261353938613934303934613331393836663061653731316163663230
39653337373230386337383665303638346136353031373931616166663437313431353832633239
62343063323765636466353031353930636132373263306631616365623332646639333265653235
61636237326561613364303538323861393061303839383532323136306134633437363731616464
32633538376130613164646264666332303762386436383566663563346536663935323165323939
65666333363163373165316633383430653066663938303562613739303835316661623437613863
32383330336261356364353163666432353130343564366333626336306332643936623166386261
35656431366431663830336631346164333362376262663365623635376161373864303831306462
61326462343039376363663139636638663239306362353232366166623030376464336634643130
65373532393034623730663431373763636261393035346639653137383235633265386365613063
37303435363136613365633139316133386332373665626566346161343665626365656639346661
30396133366566306238303564633662306561303830613937666264303731666230356633373662
33656133323364313461353562373337356232666536643633336663326334353231613336646461
376435366338383534623436353434623334


@ -0,0 +1,11 @@
$ANSIBLE_VAULT;1.1;AES256
65626437643961386636343536313832353663373863313963383430363465333965363031653635
3038636237383665653135313962643434386135346630360a666239663139353063623436633038
38613062393337373232343338626334353033633738306138373464313739323334373637366334
3335623465633164310a646162376139373838643731326361373366623765323263643934616432
66626333653335343234393936653931306132333933616138616665626139396164386437633338
36653637346532376564306537643330343135313331343163326331363664663761616533353563
66643964313736653263666466643134656532643536343464356464663465313438643466643130
35643738313337663663343466353232396264356163343234653032333032336134666437306139
63653239363132396465376565306666363131366131376466356530386438653433613063646365
6432616539316163376162613630623066626539666135366664


@ -0,0 +1,59 @@
pki:
ca: /etc/nebula/ca.crt
cert: /etc/nebula/{{ ansible_hostname }}.crt
key: /etc/nebula/{{ ansible_hostname }}.key
static_host_map:
"{{ nebula_lighthouse_ip }}": ["{{ nebula_lighthouse_public_ip }}:{{ nebula_lighthouse_port }}"]
lighthouse:
am_lighthouse: "{{ nebula_is_lighthouse | lower }}"
interval: 60
hosts:
{% if not nebula_is_lighthouse %}
- "{{ nebula_lighthouse_ip }}"
{% endif %}
listen:
host: 0.0.0.0
port: "{{ nebula_listen_port }}"
punchy:
punch: true
tun:
disabled: false
dev: nebula1
drop_local_broadcast: false
drop_multicast: false
tx_queue: 500
mtu: 1300
routes:
unsafe_routes:
{% if ansible_hostname != "ingress" %}
- route: "{{ pve_hosts.internal_cidr }}"
via: "{{ nebula.clients.ingress.ip }}"
{% endif %}
logging:
level: info
format: text
firewall:
conntrack:
tcp_timeout: 12m
udp_timeout: 3m
default_timeout: 10m
max_connections: 100000
outbound:
- port: any
proto: any
host: any
inbound:
- port: any
proto: any
host: any
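Review bot: The `inbound` firewall section at the end of this template (`port: any`, `proto: any`, `host: any`) lets every peer that holds a certificate signed by this CA reach every port on every node, including the lighthouse, so the overlay firewall adds no segmentation on top of the certificate check. Nebula firewall rules accept `group`/`groups` and `cidr` selectors as well as `port`/`proto`/`host`, so the inbound list can be narrowed to what each host actually serves — for example an ICMP-any rule plus per-service rules such as `- port: 9090` / `proto: tcp` / `group: monitoring`, with groups assigned when the client certificates are issued. If the fully open rule is intentional for this deployment, a comment above `inbound:` saying so (and why) would stop the next reader from treating it as an oversight. The hunk is a Jinja template that is excluded from yamllint and ansible-lint elsewhere in this compare, so neither tool will flag the wide-open rule.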


@ -0,0 +1,5 @@
- name: restart nebula
service:
name: nebula
state: restarted
become: true


@ -0,0 +1,65 @@
- name: Create config directory
file:
path: /etc/nebula
state: directory
mode: "0700"
become: true
- name: Install nebula
package:
name: nebula
when: ansible_os_family == 'Archlinux'
become: true
- name: Manually install nebula
block:
- name: Install binaries
unarchive:
src: https://github.com/slackhq/nebula/releases/download/v{{ nebula_version }}/nebula-linux-amd64.tar.gz
dest: /usr/bin
remote_src: true
mode: "0755"
- name: Install service
get_url:
url: https://raw.githubusercontent.com/slackhq/nebula/v{{ nebula_version }}/dist/arch/nebula.service
dest: /usr/lib/systemd/system/nebula.service
mode: "0644"
when: ansible_os_family != 'Archlinux'
tags:
- skip_ansible_lint
notify: restart nebula
become: true
- name: Install config
template:
src: files/nebula.yml
dest: /etc/nebula/config.yml
mode: "0600"
become: true
notify: restart nebula
- name: Install CA certificate
template:
src: files/ca.crt
dest: /etc/nebula/ca.crt
mode: "0600"
become: true
notify: restart nebula
- name: Install client certificates
template:
src: files/certs/{{ item }}
dest: /etc/nebula/{{ item }}
mode: "0600"
loop:
- "{{ ansible_hostname }}.key"
- "{{ ansible_hostname }}.crt"
become: true
notify: restart nebula
- name: Enable service
service:
name: nebula
enabled: true
become: true
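Review bot: In the `Manually install nebula` block, the `Install binaries` task unarchives a tarball fetched straight from a GitHub release URL with `remote_src: true`, and `Install service` fetches a unit file with `get_url`, but neither verifies the content beyond the TLS connection — a compromised or swapped release asset would be extracted into `/usr/bin` as root and enabled as a service. `get_url` supports a `checksum:` field, so the unit file can be pinned directly, and the tarball can be downloaded with `get_url` plus `checksum:` first and then unarchived from the local copy; upstream publishes per-release checksum files, so the values can be recorded alongside `nebula_version` in the role defaults. The `tags: skip_ansible_lint` on the block hides whatever lint finding motivated it; a short comment naming the suppressed rule would help. The whole block is inside this hunk.
```yaml
- name: Manually install nebula
  block:
    - name: Download nebula release
      get_url:
        url: https://github.com/slackhq/nebula/releases/download/v{{ nebula_version }}/nebula-linux-amd64.tar.gz
        dest: /usr/local/src/nebula-{{ nebula_version }}.tar.gz
        # constructed variable name; set per nebula_version from the upstream checksum file
        checksum: "sha256:{{ nebula_tarball_sha256 }}"
        mode: "0644"
    - name: Install binaries
      unarchive:
        src: /usr/local/src/nebula-{{ nebula_version }}.tar.gz
        dest: /usr/bin
        remote_src: true
        mode: "0755"
    - name: Install service
      get_url:
        url: https://raw.githubusercontent.com/slackhq/nebula/v{{ nebula_version }}/dist/arch/nebula.service
        dest: /usr/lib/systemd/system/nebula.service
        mode: "0644"
        # constructed variable name; pinned sha256 of the unit file for this version
        checksum: "sha256:{{ nebula_service_sha256 }}"
  # … unchanged: when / tags / notify / become on the block …
```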


@ -0,0 +1,5 @@
nebula_lighthouse_public_ip: "{{ vps_hosts.casey_ip }}"
nebula_lighthouse_ip: "{{ nebula.clients.casey.ip }}"
nebula_lighthouse_port: 6328
nebula_version: 1.8.1
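Review bot: `nebula_version: 1.8.1` is an unquoted scalar that is only read as a string because it contains two dots; a later bump to a value like `1.10` would be parsed as the float `1.1` and silently produce a wrong download URL in the install tasks that interpolate `v{{ nebula_version }}`. Quote it now so the type is fixed regardless of the value: `nebula_version: "1.8.1"`. The other three keys in this hunk are fine as written (a Jinja expression in quotes and a plain integer port).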


@ -2,3 +2,4 @@
service: service:
name: nginx name: nginx
state: reloaded state: reloaded
become: true


@ -1,6 +1,7 @@
- name: Install nginx - name: Install nginx
package: package:
name: nginx name: nginx
become: true
- name: Install nginx modules - name: Install nginx modules
package: package:
@ -10,6 +11,7 @@
- libnginx-mod-http-brotli-filter - libnginx-mod-http-brotli-filter
- libnginx-mod-stream - libnginx-mod-stream
when: ansible_os_family != 'Archlinux' when: ansible_os_family != 'Archlinux'
become: true
- name: Install nginx modules (on Arch) - name: Install nginx modules (on Arch)
kewlfft.aur.aur: kewlfft.aur.aur:
@ -18,10 +20,12 @@
- nginx-mod-headers-more - nginx-mod-headers-more
- nginx-mod-brotli - nginx-mod-brotli
when: ansible_os_family == 'Archlinux' when: ansible_os_family == 'Archlinux'
become: true
- name: Generate Diffie-Hellman parameters - name: Generate Diffie-Hellman parameters
community.crypto.openssl_dhparam: community.crypto.openssl_dhparam:
path: /etc/nginx/dhparams.pem path: /etc/nginx/dhparams.pem
become: true
- name: Create config directories - name: Create config directories
file: file:
@ -32,6 +36,7 @@
- http.d - http.d
- stream.d - stream.d
- includes - includes
become: true
- name: Copy config files - name: Copy config files
template: template:
@ -39,6 +44,7 @@
dest: /etc/nginx/includes/{{ item | basename }} dest: /etc/nginx/includes/{{ item | basename }}
mode: "0644" mode: "0644"
with_fileglob: files/includes/*.conf with_fileglob: files/includes/*.conf
become: true
notify: reload nginx notify: reload nginx
- name: Install config - name: Install config
@ -46,6 +52,7 @@
src: files/nginx.conf src: files/nginx.conf
dest: /etc/nginx/nginx.conf dest: /etc/nginx/nginx.conf
mode: "0644" mode: "0644"
become: true
notify: reload nginx notify: reload nginx
- name: Install HTTPS redirect - name: Install HTTPS redirect
@ -53,5 +60,6 @@
src: files/nginx-https-redirect.conf src: files/nginx-https-redirect.conf
dest: /etc/nginx/http.d/https-redirect.conf dest: /etc/nginx/http.d/https-redirect.conf
mode: "0644" mode: "0644"
become: true
notify: reload nginx notify: reload nginx
when: nginx_https_redirect when: nginx_https_redirect


@ -7,6 +7,7 @@
state: directory state: directory
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}" mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install compose file - name: Install compose file
template: template:
@ -16,3 +17,4 @@
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config validate: docker-compose -f %s config
notify: restart ntfy notify: restart ntfy
become: true


@ -1,15 +1,18 @@
- name: Install Pacman utils - name: Install Pacman utils
package: package:
name: pacman-contrib name: pacman-contrib
become: true
- name: Create hooks directory - name: Create hooks directory
file: file:
path: /etc/pacman.d/hooks/ path: /etc/pacman.d/hooks/
state: directory state: directory
mode: "0755" mode: "0755"
become: true
- name: Install pacman hook - name: Install pacman hook
template: template:
src: files/paccache.hook src: files/paccache.hook
dest: /etc/pacman.d/hooks/clean_package_cache.hook dest: /etc/pacman.d/hooks/clean_package_cache.hook
mode: "0644" mode: "0644"
become: true


@ -7,6 +7,7 @@
state: directory state: directory
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}" mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install clickhouse config - name: Install clickhouse config
template: template:
@ -14,6 +15,7 @@
dest: /opt/plausible/docker_related_config.xml dest: /opt/plausible/docker_related_config.xml
mode: "0644" mode: "0644"
notify: restart plausible notify: restart plausible
become: true
- name: Install clickhouse user config - name: Install clickhouse user config
template: template:
@ -21,6 +23,7 @@
dest: /opt/plausible/docker_related_user_config.xml dest: /opt/plausible/docker_related_user_config.xml
mode: "0644" mode: "0644"
notify: restart plausible notify: restart plausible
become: true
- name: Install compose file - name: Install compose file
template: template:
@ -30,6 +33,7 @@
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config validate: docker-compose -f %s config
notify: restart plausible notify: restart plausible
become: true
- name: Install nginx config - name: Install nginx config
template: template:
@ -37,6 +41,7 @@
dest: /etc/nginx/http.d/plausible.conf dest: /etc/nginx/http.d/plausible.conf
mode: "0644" mode: "0644"
notify: reload nginx notify: reload nginx
become: true
vars: vars:
server_name: plausible.theorangeone.net elbisualp.theorangeone.net server_name: plausible.theorangeone.net elbisualp.theorangeone.net
upstream: plausible-plausible-1.docker:8000 upstream: plausible-plausible-1.docker:8000


@ -4,6 +4,7 @@
state: directory state: directory
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}" mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install compose file - name: Install compose file
template: template:
@ -13,6 +14,7 @@
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config validate: docker-compose -f %s config
notify: restart privatebin notify: restart privatebin
become: true
- name: Install config file - name: Install config file
template: template:
@ -21,3 +23,4 @@
mode: "{{ docker_compose_file_mask }}" mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
notify: restart privatebin notify: restart privatebin
become: true


@ -120,7 +120,7 @@ scrape_configs:
metrics_path: /metrics metrics_path: /metrics
static_configs: static_configs:
- targets: - targets:
- "{{ tailscale_nodes.casey.ip }}:9090" - "{{ nebula.clients.casey.ip }}:9090"
metric_relabel_configs: metric_relabel_configs:
- source_labels: [__name__] - source_labels: [__name__]
regex: go_.+ regex: go_.+


@ -8,6 +8,7 @@
state: directory state: directory
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}" mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install grafana compose file - name: Install grafana compose file
template: template:
@ -17,3 +18,4 @@
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config validate: docker-compose -f %s config
notify: restart grafana notify: restart grafana
become: true


@ -17,6 +17,7 @@
- "{{ vps_hosts.private_ipv6_range }}" - "{{ vps_hosts.private_ipv6_range }}"
register: routes register: routes
changed_when: false changed_when: false
become: true
- name: Add route to private services via ingress - name: Add route to private services via ingress
command: command:
@ -30,4 +31,5 @@
- "{{ pve_hosts.ingress.ipv6 }}" - "{{ pve_hosts.ingress.ipv6 }}"
- dev - dev
- eth0 - eth0
become: true
when: vps_hosts.private_ipv6_marker not in routes.stdout when: vps_hosts.private_ipv6_marker not in routes.stdout


@ -4,6 +4,7 @@
state: directory state: directory
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}" mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install prometheus config - name: Install prometheus config
template: template:
@ -12,6 +13,7 @@
mode: "{{ docker_compose_file_mask }}" mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
notify: reload prometheus notify: reload prometheus
become: true
- name: Install prometheus compose file - name: Install prometheus compose file
template: template:
@ -21,6 +23,7 @@
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config validate: docker-compose -f %s config
notify: restart prometheus notify: restart prometheus
become: true
- name: Install blackbox config - name: Install blackbox config
template: template:
@ -29,6 +32,7 @@
mode: "{{ docker_compose_file_mask }}" mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
notify: restart prometheus notify: restart prometheus
become: true
- name: Install alertmanager config - name: Install alertmanager config
template: template:
@ -37,6 +41,7 @@
mode: "{{ docker_compose_file_mask }}" mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
notify: restart prometheus notify: restart prometheus
become: true
- name: Install prometheus alert rules - name: Install prometheus alert rules
copy: copy:
@ -45,3 +50,4 @@
mode: "{{ docker_compose_file_mask }}" mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
notify: reload prometheus notify: reload prometheus
become: true


@ -19,7 +19,7 @@ $CONFIG = array (
0 => 'intersect.jakehoward.tech', 0 => 'intersect.jakehoward.tech',
), ),
'dbtype' => 'mysql', 'dbtype' => 'mysql',
'version' => '29.0.6.1', 'version' => '29.0.4.1',
'overwrite.cli.url' => 'https://intersect.jakehoward.tech', 'overwrite.cli.url' => 'https://intersect.jakehoward.tech',
'dbname' => 'nextcloud', 'dbname' => 'nextcloud',
'dbhost' => 'mariadb', 'dbhost' => 'mariadb',


@ -1,6 +1,6 @@
services: services:
nextcloud: nextcloud:
image: lscr.io/linuxserver/nextcloud:29.0.6 image: lscr.io/linuxserver/nextcloud:29.0.4
environment: environment:
- PUID={{ docker_user.id }} - PUID={{ docker_user.id }}
- PGID={{ docker_user.id }} - PGID={{ docker_user.id }}


@ -1,4 +1,5 @@
services: services:
synapse: synapse:
image: ghcr.io/element-hq/synapse:latest image: ghcr.io/element-hq/synapse:latest
restart: unless-stopped restart: unless-stopped
@ -16,7 +17,7 @@ services:
- db - db
labels: labels:
- traefik.enable=true - traefik.enable=true
- traefik.http.routers.synapse.rule=Host(`matrix.jakehoward.tech`) || Host(`matrix.theorangeone.net`) - traefik.http.routers.synapse.rule=Host(`matrix.jakehoward.tech`)
networks: networks:
- default - default
- traefik - traefik


@ -4,7 +4,7 @@ services:
restart: unless-stopped restart: unless-stopped
labels: labels:
- traefik.enable=true - traefik.enable=true
- traefik.http.routers.whoami.rule=Host(`whoami.theorangeone.net`) || Host(`whoami-cdn.theorangeone.net`) || Host(`who.0rng.one`) - traefik.http.routers.whoami.rule=Host(`whoami.theorangeone.net`) || Host(`whoami-cdn.theorangeone.net`)
- traefik.http.routers.whoami-private.rule=Host(`whoami-private.theorangeone.net`) - traefik.http.routers.whoami-private.rule=Host(`whoami-private.theorangeone.net`)
- traefik.http.routers.whoami-private.middlewares=tailscale-only@file - traefik.http.routers.whoami-private.middlewares=tailscale-only@file


@ -4,6 +4,7 @@
state: directory state: directory
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}" mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install calibre compose file - name: Install calibre compose file
template: template:
@ -13,6 +14,7 @@
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config validate: docker-compose -f %s config
register: compose_file register: compose_file
become: true
- name: restart calibre - name: restart calibre
shell: shell:


@ -7,6 +7,7 @@
state: directory state: directory
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
mode: "{{ docker_compose_directory_mask }}" mode: "{{ docker_compose_directory_mask }}"
become: true
- name: Install librespeed compose file - name: Install librespeed compose file
template: template:
@ -16,6 +17,7 @@
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
validate: docker-compose -f %s config validate: docker-compose -f %s config
register: compose_file register: compose_file
become: true
- name: restart librespeed - name: restart librespeed
shell: shell:
