Elizabeth Hunt 2024-10-14 22:16:04 -04:00
parent e083b30ea2
commit 27213e690c
17 changed files with 44 additions and 57 deletions


@ -3,3 +3,4 @@ headscale_oidc_secret: "{{ lookup('env', 'HEADSCALE_OIDC_SECRET') }}"
headscale_allowed_users:
- "elizabeth@simponic.xyz"
- "riley@simponic.xyz"
- "rain@simponic.xyz"


@ -5,6 +5,7 @@ levi ansible_user=root ansible_connection=ssh
mail.simponic.xyz ansible_user=root ansible_connection=ssh
europa ansible_user=root ansible_connection=ssh
johan ansible_user=root ansible_connection=ssh
raspberrypi ansible_user=root ansible_connection=ssh
[prod]
nijika ansible_user=root ansible_connection=ssh
@ -80,6 +81,3 @@ johan ansible_user=root ansible_connection=ssh
[backup-notifications]
johan ansible_user=root ansible_connection=ssh
[rainrainrain]
levi ansible_user=root ansible_connection=ssh


@ -37,6 +37,7 @@ s2._domainkey.simponic.xyz. 1 IN CNAME s2.domainkey.u25709709.wl210.sendgrid.net
headscale.simponic.xyz. 1 IN CNAME nijika.simponic.xyz.
authelia.simponic.xyz. 1 IN CNAME nijika.simponic.xyz.
git.simponic.xyz. 1 IN CNAME nijika.simponic.xyz.
frens.simponic.xyz. 1 IN CNAME europa.simponic.endpoints.hatecomputers.club.
lab.simponic.xyz. 1 IN CNAME simponic.tplinkdns.com.
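Review bot: The new `lab.simponic.xyz. 1 IN CNAME simponic.tplinkdns.com.` record hands a simponic.xyz name to a third-party dynamic-DNS hostname, so this name now resolves to whatever that tplinkdns registration points at; if the registration lapses or is reassigned the CNAME dangles and the name could resolve to a host outside your control. A comment on the record, e.g. `; lab: dynamic DNS via the TP-Link router account; remove this CNAME if the tplinkdns name is released`, would make that dependency visible to whoever maintains the zone later. The TTL of 1 matches the neighbouring records and is not introduced here.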


@ -2,7 +2,8 @@
"groups": {
"group:admin": ["elizabeth"],
"group:roomates": ["riley"],
"group:friends": ["riley"],
"group:friends": ["riley", "rain"],
"group:rain": ["rain"],
"group:sys": ["sys"]
},
"tagOwners": {
@ -24,7 +25,7 @@
{
"action": "accept",
"src": ["group:sys"],
"dst": ["group:sys:*", "10.128.0.0/9:*"]
"dst": ["group:sys:*", "10.128.0.0/9:*", "group:rain:*"]
},
{
"action": "accept",
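Review bot: The added `"group:rain:*"` destination on the `group:sys` rule opens every port on rain's nodes to the sys group, while the only consumer visible in this commit is the nginx stream proxy forwarding to `tailscale.rain.internal.simponic.xyz:443`; if that is the intended use, `"group:rain:443"` is the narrower grant and keeps the same rule shape. `rain` is now listed in both `group:friends` and the new `group:rain`, which works but reads as an accident without a one-line comment in the groups block saying group:rain exists as a proxy target rather than a peer group (headscale's policy format is HuJSON and should accept `//` comments; confirm for your version). If sys genuinely needs other ports on rain's hosts, saying so next to the rule is enough.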


@ -0,0 +1,5 @@
server {
listen 80;
server_name *.rainrain.xyz;
return 301 https://$server_name$request_uri?;
}
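Review bot: `return 301 https://$server_name$request_uri?;` sends clients to a literal `https://*.rainrain.xyz/...`, because `$server_name` expands to the configured name of the matching block, which here is the wildcard; the redirect should carry the requested host instead, `return 301 https://$host$request_uri;`. The trailing `?` is a `rewrite`-directive convention for dropping the query string and has no such meaning in `return`, where `$request_uri` already includes the query, so it is most likely emitted literally in the Location header. Note also that `*.rainrain.xyz` matches subdomains only; if the apex `rainrain.xyz` should redirect too, add it as a second name on the `server_name` line.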


@ -1,13 +0,0 @@
server {
listen 80;
server_name rainrainra.in;
location /.well-known/acme-challenge {
root /var/www/letsencrypt;
try_files $uri $uri/ =404;
}
location / {
rewrite ^ https://rainrainra.in$request_uri? permanent;
}
}


@ -1,5 +1,5 @@
server {
listen 443 ssl;
listen 4443 ssl;
allow 10.0.0.0/8;
allow 100.64.0.0/12;
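Review bot: With `listen 4443 ssl` this block now receives its connections from the stream proxy on `127.0.0.1`, so `allow 10.0.0.0/8;` and `allow 100.64.0.0/12;` are evaluated against the proxy's address rather than the client's; if a `deny all` follows outside the hunk every client is now rejected, and if none follows the allow lines are inert. Keeping the real client address needs PROXY protocol end to end, `proxy_protocol on;` in the stream `server` plus `real_ip_header proxy_protocol` and `set_real_ip_from 127.0.0.1` here, and because that stream server also feeds the rain upstream, that upstream must accept PROXY protocol as well or be moved to its own stream server. Separately, `listen 4443 ssl` binds all interfaces, so this backend and the sibling 4443 blocks in the party, secure.tunnel, simponic.hatecomputers.club, simponic.xyz, static and tunnel sections stay reachable directly on 4443, bypassing the stream router and its SNI map; `listen 127.0.0.1:4443 ssl` keeps them local. The server block continues past the hunk, so the presence of a deny line is inferred, not seen.
```nginx
server {
    listen 127.0.0.1:4443 ssl proxy_protocol;
    # client address is restored from the PROXY header sent by the stream front on :443
    set_real_ip_from 127.0.0.1;
    real_ip_header proxy_protocol;
    allow 10.0.0.0/8;
    allow 100.64.0.0/12;
    # … unchanged: rest of the server block …
```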


@ -1,5 +1,5 @@
server {
listen 443 ssl;
listen 4443 ssl;
server_name party.simponic.xyz;
ssl_certificate /etc/letsencrypt/live/party.simponic.xyz/fullchain.pem;


@ -0,0 +1,19 @@
stream {
map $ssl_preread_server_name $name {
*.rainrain.xyz rainrainxyz;
default proxy;
}
upstream rainrainxyz {
server tailscale.rain.internal.simponic.xyz:443;
}
upstream proxy {
server 127.0.0.1:4443;
}
server {
listen 443;
proxy_pass $name;
ssl_preread on;
}
}
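Review bot: The map key `*.rainrain.xyz` matches subdomains only, so a client presenting the apex `rainrain.xyz`, or no SNI at all, falls through to `default proxy` and lands on the 4443 backends, which do not serve that name; if the apex is meant to reach rain, add `rainrain.xyz rainrainxyz;` or use the `.rainrain.xyz` form, which covers both. `server tailscale.rain.internal.simponic.xyz:443;` is resolved once when the configuration is loaded, so a change of that tailnet address silently keeps the old IP until nginx is reloaded; a comment above the upstream, e.g. `# resolved at config load; reload nginx if the rain tailscale address changes`, would save a confusing outage later. Worth a header comment too that this file is pulled in from the main context via `sites-enabled/*.servconf` because `stream {}` cannot live inside `http {}`.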


@ -1,25 +0,0 @@
server {
listen 443 ssl;
server_name rainrainra.in;
ssl_certificate /etc/letsencrypt/live/rainrainra.in/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/rainrainra.in/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/rainrainra.in/fullchain.pem;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_prefer_server_ciphers on;
root /var/www/html/rainrainra.in;
location / {
try_files $uri $uri/ $uri.html =404;
}
}


@ -1,5 +1,5 @@
server {
listen 443 ssl;
listen 4443 ssl;
server_name secure.tunnel.simponic.xyz;
ssl_certificate /etc/letsencrypt/live/secure.tunnel.simponic.xyz/fullchain.pem;


@ -1,5 +1,5 @@
server {
listen 443 ssl;
listen 4443 ssl;
server_name simponic.hatecomputers.club;
ssl_certificate /etc/letsencrypt/live/simponic.hatecomputers.club/fullchain.pem;


@ -1,5 +1,5 @@
server {
listen 443 ssl;
listen 4443 ssl;
server_name simponic.xyz;
ssl_certificate /etc/letsencrypt/live/simponic.xyz/fullchain.pem;


@ -1,5 +1,5 @@
server {
listen 443 ssl;
listen 4443 ssl;
server_name static.simponic.xyz;
ssl_certificate /etc/letsencrypt/live/static.simponic.xyz/fullchain.pem;


@ -1,5 +1,5 @@
server {
listen 443 ssl;
listen 4443 ssl;
server_name tunnel.simponic.xyz;
ssl_certificate /etc/letsencrypt/live/tunnel.simponic.xyz/fullchain.pem;


@ -1,8 +1,8 @@
user www-data;
worker_processes 4;
pid /run/nginx.pid;
load_module modules/ndk_http_module.so;
load_module modules/ngx_http_set_misc_module.so;
# load_module modules/ndk_http_module.so;
# load_module modules/ngx_http_set_misc_module.so;
events {
worker_connections 768;
@ -25,5 +25,6 @@ http {
gzip_disable "msie6";
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
include /etc/nginx/sites-enabled/*.conf;
}
include /etc/nginx/sites-enabled/*.servconf;
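Review bot: `include /etc/nginx/sites-enabled/*.servconf;` sits after the closing brace of `http {}` with nothing explaining why, and the next editor is likely to "fix" it by moving it inside; a comment such as `# *.servconf files define top-level contexts (stream {}) and must be included outside http {}` would protect it. Narrowing the http include from `sites-enabled/*` to `sites-enabled/*.conf` also means any existing file in that directory without a `.conf` suffix stops loading without any error; if that is intended, a comment on the include saying only `.conf` files are sites is enough. The `load_module` lines for ndk and set_misc are commented out rather than removed, so any site file still using set_misc directives will fail at the next reload; a quick check that none remain before rolling this out is cheap.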


@ -17,9 +17,6 @@
- name: install nginx
apt: name=nginx state=latest
- name: install libnginx-mod-http-set-misc
apt: name=libnginx-mod-http-set-misc state=latest
- name: install letsencrypt
apt: name=letsencrypt state=latest
@ -45,6 +42,7 @@
dest: "/etc/nginx/sites-enabled/"
with_fileglob:
- "files/{{ inventory_hostname }}/http.*.conf"
- "files/{{ inventory_hostname }}/https.*.conf"
- name: restart nginx to get letsencrypt certificate
service: name=nginx state=restarted enabled=yes
@ -70,7 +68,7 @@
args:
creates: "/etc/letsencrypt/live/{{ item.stdout }}"
loop: "{{ extracted_domains.results }}"
when: 'not "hatecomputers.club" in item.stdout'
when: 'not "hatecomputers.club" in item.stdout and not "rainrain" in item.stdout'
# hatecomputers.club
- name: build plugin template
@ -106,6 +104,7 @@
dest: "/etc/nginx/sites-enabled/"
with_fileglob:
- "files/{{ inventory_hostname }}/https.*.conf"
- "files/{{ inventory_hostname }}/https.*.servconf"
- name: reload nginx to activate sites
service: name=nginx state=restarted
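Review bot: The `when` on the certificate task now hard-codes a second substring exclusion, `when: 'not "hatecomputers.club" in item.stdout and not "rainrain" in item.stdout'`, without saying why those domains get no certificate from this host; a comment above it such as `# rainrain.xyz is passed through at the TLS layer by the stream proxy and terminates on the rain upstream, which holds its own certificate` would make the exception self-explaining. As the list grows, a variable reads better than a growing boolean, e.g. `letsencrypt_skip_domains: ["hatecomputers.club", "rainrain"]` with `when: letsencrypt_skip_domains | select('in', item.stdout) | list | length == 0`. The task itself starts before the hunk, so its name and command are not visible here.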