borg

2024-04-27 23:41:11 -04:00 · 2024-04-27 23:41:11 -04:00 · 9ac6be27c5
commit 9ac6be27c5
parent f9d62cc8a7
28 changed files with 275 additions and 14 deletions
--- a/deploy-backup-notifications.yml
+++ b/deploy-backup-notifications.yml
@ -0,0 +1,4 @@
+- name: backup-notifications setup
+  hosts: backup-notifications
+  roles:
+    - backup-notifications
--- a/deploy-borg.yml
+++ b/deploy-borg.yml
@ -0,0 +1,4 @@
+- name: borg setup
+  hosts: borg
+  roles:
+    - borg
--- a/deploy-rainrainrain.yml
+++ b/deploy-rainrainrain.yml
@ -0,0 +1,4 @@
+- name: rainrainrain setup
+  hosts: rainrainrain
+  roles:
+    - rainrainrain
--- a/group_vars/borg.yml
+++ b/group_vars/borg.yml
@ -0,0 +1,23 @@
+borg_password: "{{ lookup('env', 'BORG_ENCRYPTION_PASSWORD') }}"
+borg_repo: "{{ lookup('env', 'BORG_REPO') }}"
+borg_secret_key: "{{ lookup('env', 'BORG_SECRET_KEY') }}"
+borg_my_user: "root"
+borg_my_group: "root"
+borg_ssh_key: "/root/borg_ssh_key"
+
+backup_topic: "{{ lookup('env', 'BORG_BACKUP_TOPIC') }}"
+
+base_files:
+  - /home
+  - /root
+  - /var
+  - /etc
+  - /boot
+  - /opt
+
+extra_files:
+  europa:
+    - /mnt/ssd-01/owncloud
+    - /mnt/ssd-01/borg/sync.sh
+    - /mnt/ssd-01/borg/.config
+    - /mnt/ssd-01/borg/.ssh
--- a/14
+++ b/14
@ -1,3 +1,11 @@
+[borg]
+nijika  ansible_user=root ansible_connection=ssh
+ryo  ansible_user=root ansible_connection=ssh
+levi  ansible_user=root ansible_connection=ssh
+mail.simponic.xyz ansible_user=root ansible_connection=ssh
+europa  ansible_user=root ansible_connection=ssh
+johan  ansible_user=root ansible_connection=ssh
+
 [prod]
 nijika  ansible_user=root ansible_connection=ssh
 ryo  ansible_user=root ansible_connection=ssh
@ -69,3 +77,9 @@ levi  ansible_user=root ansible_connection=ssh

 [ntfy]
 johan  ansible_user=root ansible_connection=ssh
+
+[backup-notifications]
+johan  ansible_user=root ansible_connection=ssh
+
+[rainrainrain]
+levi  ansible_user=root ansible_connection=ssh
--- a/roles/backup-notifications/tasks/main.yml
+++ b/roles/backup-notifications/tasks/main.yml
@ -0,0 +1,22 @@
+---
+- name: ensure backup-notifications docker/compose exist
+  file:
+    path: /etc/docker/compose/backup-notifications
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
+
+- name: build backup-notifications docker-compose.yml.j2
+  template:
+    src: ../templates/docker-compose.yml.j2
+    dest: /etc/docker/compose/backup-notifications/docker-compose.yml
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+
+- name: daemon-reload and enable backup-notifications
+  ansible.builtin.systemd_service:
+    state: restarted
+    enabled: true
+    name: docker-compose@backup-notifications
--- a/roles/backup-notifications/templates/docker-compose.yml.j2
+++ b/roles/backup-notifications/templates/docker-compose.yml.j2
@ -0,0 +1,14 @@
+version: "3"
+
+services:
+  backup-notify:
+    image: git.simponic.xyz/simponic/backup-notify:latest
+    healthcheck:
+      test: ["CMD", "wget", "--spider", "http://localhost:8080/health"]
+      interval: 5s
+      timeout: 10s
+      retries: 5
+    ports:
+      - "127.0.0.1:31152:8080"
+    volumes:
+      - ./db:/app/db
--- a/roles/borg/tasks/main.yml
+++ b/roles/borg/tasks/main.yml
@ -0,0 +1,28 @@
+- name: copy key
+  template:
+    src: ../templates/borg_ssh_key.j2
+    dest: /root/borg_ssh_key
+    owner: root
+    group: root
+    mode: 0600
+
+- name: push borg
+  import_role: 
+    name: borgbase.ansible_role_borgbackup
+  vars:
+    borg_encryption_passphrase: "{{ borg_password }}"
+    borg_repository: "{{ borg_repo }}"
+    borg_user: "{{ borg_my_user }}"
+    borg_group: "{{ borg_my_group }}"
+    borgmatic_timer: cron
+    borg_ssh_command: "ssh -o StrictHostKeyChecking=no -i {{ borg_ssh_key }}"
+    borg_source_directories:
+      "{{ base_files + (extra_files[inventory_hostname] | default([])) }}"
+    borg_retention_policy:
+      keep_hourly: 3
+      keep_daily: 7
+      keep_weekly: 4
+      keep_monthly: 6
+    borgmatic_hooks:
+      after_backup:
+        - "curl -d '{{ inventory_hostname }}' {{ backup_topic }}"
--- a/roles/borg/templates/borg_ssh_key.j2
+++ b/roles/borg/templates/borg_ssh_key.j2
@ -0,0 +1 @@
+{{ borg_secret_key | b64decode }}
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -15,9 +15,11 @@
      - curl
      - gnupg-agent
      - software-properties-common
+      - sudo
      - systemd-timesyncd
    state: latest
    update_cache: yes
+    upgrade: yes

 - name: enable systemd-timesyncd
  ansible.builtin.systemd_service: 
--- a/roles/nameservers/templates/db.rainrainra.in.j2
+++ b/roles/nameservers/templates/db.rainrainra.in.j2
@ -12,5 +12,4 @@ rainrainra.in.    IN      NS      {{ dns_primary_hostname }}.simponic.xyz.
 rainrainra.in.    IN      NS      {{ dns_replica_hostname }}.simponic.xyz.

 ; Other A records
-@               IN      A       129.123.76.14
-www             IN      A       129.123.76.14
+@               IN      A       23.95.214.176
--- a/roles/nameservers/templates/db.simponic.xyz.j2
+++ b/roles/nameservers/templates/db.simponic.xyz.j2
@ -29,6 +29,7 @@ chesshbot.simponic.xyz. 1 IN  A 129.123.76.14
 ;; CNAME Records
 secure.tunnel.simponic.xyz.	1	IN	CNAME	simponic.xyz.
 tunnel.simponic.xyz.	1	IN	CNAME	simponic.xyz.
+party.simponic.xyz.	1	IN	CNAME	simponic.xyz.
 static.simponic.xyz.	1	IN	CNAME	simponic.xyz.
 www.simponic.xyz.	1	IN	CNAME	simponic.xyz.
 s1._domainkey.simponic.xyz.	1	IN	CNAME	s1.domainkey.u25709709.wl210.sendgrid.net.
@ -37,6 +38,8 @@ headscale.simponic.xyz.	1	IN	CNAME	nijika.simponic.xyz.
 authelia.simponic.xyz.	1	IN	CNAME	nijika.simponic.xyz.
 git.simponic.xyz. 1 IN  CNAME nijika.simponic.xyz.

+lab.simponic.xyz.	1	IN	CNAME	simponic.tplinkdns.com.
+
 ;; MX Records
 simponic.xyz.	1	IN	MX	10 mail.simponic.xyz.

--- a/roles/private/files/johan/http.backups.internal.simponic.xyz.conf
+++ b/roles/private/files/johan/http.backups.internal.simponic.xyz.conf
@ -0,0 +1,13 @@
+server {
+  listen 80;
+  server_name backups.internal.simponic.xyz;
+
+  location /.well-known/acme-challenge {
+    root /var/www/letsencrypt;
+    try_files $uri $uri/ =404;
+  }
+
+  location / {
+    rewrite ^ https://backups.internal.simponic.xyz$request_uri? permanent;
+  }
+}
--- a/roles/private/files/johan/https.backups.internal.simponic.xyz.conf
+++ b/roles/private/files/johan/https.backups.internal.simponic.xyz.conf
@ -0,0 +1,32 @@
+server {
+  listen 443 ssl;
+  server_name backups.internal.simponic.xyz;
+
+  ssl_certificate         /etc/letsencrypt/live/backups.internal.simponic.xyz/fullchain.pem;
+  ssl_certificate_key     /etc/letsencrypt/live/backups.internal.simponic.xyz/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/backups.internal.simponic.xyz/fullchain.pem;
+
+  ssl_session_cache shared:SSL:50m;
+  ssl_session_timeout 5m;
+  ssl_stapling on;
+  ssl_stapling_verify on;
+
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+  ssl_dhparam /etc/nginx/dhparams.pem;
+  ssl_prefer_server_ciphers on;
+
+  location / {
+    proxy_pass http://127.0.0.1:31152;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_set_header Host $server_name;
+    proxy_buffering off;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+  }
+}
--- a/roles/private/tasks/main.yml
+++ b/roles/private/tasks/main.yml
@ -13,6 +13,13 @@
    proto: tcp
    from: 100.64.0.0/10

+- name: allow https from docker and other internal stuffs
+  ufw:
+    rule: allow
+    port: '443'
+    proto: tcp
+    from: 172.16.0.0/12
+
 - name: restart ufw
  service: name=ufw state=restarted enabled=yes

--- a/roles/rainrainrain/tasks/main.yml
+++ b/roles/rainrainrain/tasks/main.yml
@ -0,0 +1,9 @@
+---
+
+- name: clone static repo
+  git:
+    repo: https://git.simponic.xyz/simponic/rainrainra.in.git
+    dest: /var/www/html/rainrainra.in
+    recursive: yes
+    clone: yes
+    update: yes
--- a/roles/scurvy/templates/docker-compose.yml.j2
+++ b/roles/scurvy/templates/docker-compose.yml.j2
@ -17,7 +17,7 @@ services:
      - VPN_SERVICE_PROVIDER=mullvad
      - VPN_TYPE=openvpn
      - OPENVPN_USER={{ openvpn_user }}
-      - SERVER_CITIES=Salt Lake City UT
+      - SERVER_CITIES=Seattle WA

  qbittorrent:
    image: hotio/qbittorrent:latest
--- a/roles/static/tasks/main.yml
+++ b/roles/static/tasks/main.yml
@ -2,8 +2,8 @@

 - name: clone static repo
  git:
-    repo: https://git.simponic.xyz/simponic/static.simponic.xyz.git
-    dest: /var/www/html/static.simponic.xyz
+    repo: https://git.simponic.xyz/simponic/simponic.xyz.git
+    dest: /var/www/html/simponic.xyz
    recursive: yes
    clone: yes
    update: yes
--- a/roles/vpn/files/config/acl.json
+++ b/roles/vpn/files/config/acl.json
@ -23,18 +23,18 @@
    },
    {
      "action": "accept",
-      "src": ["group:sys", "10.128.0.0/9:*"],
+      "src": ["group:sys"],
      "dst": ["group:sys:*", "10.128.0.0/9:*"]
    },
    {
      "action": "accept",
-      "src": ["group:admin", "10.128.0.0/9:*"],
-      "dst": ["10.0.0.0/24:*", "10.128.0.0/9:*"]
+      "src": ["group:admin"],
+      "dst": ["group:admin:*", "10.128.0.0/9:*"]
    },
    {
      "action": "accept",
      "src": ["group:roomates"],
-      "dst": ["10.0.0.0/24:*"]
+      "dst": ["10.137.128.0/17:*"]
    },
    {
      "action": "accept",
--- a/roles/webservers/files/levi/http.party.simponic.xyz.conf
+++ b/roles/webservers/files/levi/http.party.simponic.xyz.conf
@ -0,0 +1,13 @@
+server {
+  listen 80;
+  server_name party.simponic.xyz;
+
+  location /.well-known/acme-challenge {
+    root /var/www/letsencrypt;
+    try_files $uri $uri/ =404;
+  }
+
+  location / {
+    rewrite ^ https://party.simponic.xyz$request_uri? permanent;
+  }
+}
--- a/roles/webservers/files/levi/http.rainrainra.in.conf
+++ b/roles/webservers/files/levi/http.rainrainra.in.conf
@ -0,0 +1,13 @@
+server {
+  listen 80;
+  server_name rainrainra.in;
+
+  location /.well-known/acme-challenge {
+    root /var/www/letsencrypt;
+    try_files $uri $uri/ =404;
+  }
+
+  location / {
+    rewrite ^ https://rainrainra.in$request_uri? permanent;
+  }
+}
--- a/roles/webservers/files/levi/https.ntfy.simponic.hatecomputers.club.conf
+++ b/roles/webservers/files/levi/https.ntfy.simponic.hatecomputers.club.conf
@ -24,5 +24,11 @@ server {

  location / {
    proxy_pass https://ntfy.internal.simponic.xyz;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_buffering off;
+    proxy_set_header X-Real-IP $remote_addr;
+    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
  }
 }
--- a/roles/webservers/files/levi/https.party.simponic.xyz.conf
+++ b/roles/webservers/files/levi/https.party.simponic.xyz.conf
@ -0,0 +1,25 @@
+server {
+  listen 443 ssl;
+  server_name party.simponic.xyz;
+
+  ssl_certificate         /etc/letsencrypt/live/party.simponic.xyz/fullchain.pem;
+  ssl_certificate_key     /etc/letsencrypt/live/party.simponic.xyz/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/party.simponic.xyz/fullchain.pem;
+
+  ssl_session_cache shared:SSL:50m;
+  ssl_session_timeout 5m;
+  ssl_stapling on;
+  ssl_stapling_verify on;
+
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+  ssl_dhparam /etc/nginx/dhparams.pem;
+  ssl_prefer_server_ciphers on;
+
+  root /var/www/html/party.simponic.xyz;
+
+  location / {
+    try_files $uri $uri/ $uri.html =404;
+  }
+}
--- a/roles/webservers/files/levi/https.rainrainra.in.conf
+++ b/roles/webservers/files/levi/https.rainrainra.in.conf
@ -0,0 +1,25 @@
+server {
+  listen 443 ssl;
+  server_name rainrainra.in;
+
+  ssl_certificate         /etc/letsencrypt/live/rainrainra.in/fullchain.pem;
+  ssl_certificate_key     /etc/letsencrypt/live/rainrainra.in/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/rainrainra.in/fullchain.pem;
+
+  ssl_session_cache shared:SSL:50m;
+  ssl_session_timeout 5m;
+  ssl_stapling on;
+  ssl_stapling_verify on;
+
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+  ssl_dhparam /etc/nginx/dhparams.pem;
+  ssl_prefer_server_ciphers on;
+
+  root /var/www/html/rainrainra.in;
+
+  location / {
+    try_files $uri $uri/ $uri.html =404;
+  }
+}
--- a/roles/webservers/files/levi/https.simponic.hatecomputers.club.conf
+++ b/roles/webservers/files/levi/https.simponic.hatecomputers.club.conf
@ -17,7 +17,7 @@ server {
  ssl_dhparam /etc/nginx/dhparams.pem;
  ssl_prefer_server_ciphers on;

-  root /var/www/html/static.simponic.xyz;
+  root /var/www/html/simponic.xyz;

  location / {
    try_files $uri $uri/ $uri.html =404;
--- a/roles/webservers/files/levi/https.simponic.xyz.conf
+++ b/roles/webservers/files/levi/https.simponic.xyz.conf
@ -17,7 +17,7 @@ server {
  ssl_dhparam /etc/nginx/dhparams.pem;
  ssl_prefer_server_ciphers on;

-  root /var/www/html/static.simponic.xyz;
+  root /var/www/html/simponic.xyz;

  location / {
    try_files $uri $uri/ $uri.html =404;
--- a/roles/webservers/files/levi/https.static.simponic.xyz.conf
+++ b/roles/webservers/files/levi/https.static.simponic.xyz.conf
@ -17,7 +17,7 @@ server {
  ssl_dhparam /etc/nginx/dhparams.pem;
  ssl_prefer_server_ciphers on;

-  root /var/www/html/static.simponic.xyz;
+  root /var/www/html/simponic.xyz;

  location / {
    try_files $uri $uri/ $uri.html =404;
--- a/roles/webservers/tasks/main.yml
+++ b/roles/webservers/tasks/main.yml
@ -62,7 +62,7 @@
  loop: "{{ nginx_conf_files.files }}"
  register: extracted_domains

-# simponic.xyz
+# simponic.xyz & others
 - name: request simponic letsencrypt certificates
  shell: >
    letsencrypt certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} \
@ -70,7 +70,7 @@
  args:
    creates: "/etc/letsencrypt/live/{{ item.stdout }}"
  loop: "{{ extracted_domains.results }}"
-  when: '"simponic.xyz" in item.stdout'
+  when: 'not "hatecomputers.club" in item.stdout'

 # hatecomputers.club
 - name: build plugin template