diff --git a/deploy-backup-notifications.yml b/deploy-backup-notifications.yml
new file mode 100644
index 0000000..587ac62
--- /dev/null
+++ b/deploy-backup-notifications.yml
@@ -0,0 +1,4 @@
+- name: backup-notifications setup
+ hosts: backup-notifications
+ roles:
+ - backup-notifications
diff --git a/deploy-borg.yml b/deploy-borg.yml
new file mode 100644
index 0000000..271d77e
--- /dev/null
+++ b/deploy-borg.yml
@@ -0,0 +1,4 @@
+- name: borg setup
+ hosts: borg
+ roles:
+ - borg
diff --git a/deploy-rainrainrain.yml b/deploy-rainrainrain.yml
new file mode 100644
index 0000000..deff3fe
--- /dev/null
+++ b/deploy-rainrainrain.yml
@@ -0,0 +1,4 @@
+- name: rainrainrain setup
+ hosts: rainrainrain
+ roles:
+ - rainrainrain
diff --git a/group_vars/borg.yml b/group_vars/borg.yml
new file mode 100644
index 0000000..8be7df0
--- /dev/null
+++ b/group_vars/borg.yml
@@ -0,0 +1,23 @@
+borg_password: "{{ lookup('env', 'BORG_ENCRYPTION_PASSWORD') }}"
+borg_repo: "{{ lookup('env', 'BORG_REPO') }}"
+borg_secret_key: "{{ lookup('env', 'BORG_SECRET_KEY') }}"
+borg_my_user: "root"
+borg_my_group: "root"
+borg_ssh_key: "/root/borg_ssh_key"
+
+backup_topic: "{{ lookup('env', 'BORG_BACKUP_TOPIC') }}"
+
+base_files:
+ - /home
+ - /root
+ - /var
+ - /etc
+ - /boot
+ - /opt
+
+extra_files:
+ europa:
+ - /mnt/ssd-01/owncloud
+ - /mnt/ssd-01/borg/sync.sh
+ - /mnt/ssd-01/borg/.config
+ - /mnt/ssd-01/borg/.ssh
diff --git a/inventory b/inventory
index 78f5c21..591871a 100644
--- a/inventory
+++ b/inventory
@@ -1,3 +1,11 @@
+[borg]
+nijika ansible_user=root ansible_connection=ssh
+ryo ansible_user=root ansible_connection=ssh
+levi ansible_user=root ansible_connection=ssh
+mail.simponic.xyz ansible_user=root ansible_connection=ssh
+europa ansible_user=root ansible_connection=ssh
+johan ansible_user=root ansible_connection=ssh
+
 [prod]
 nijika ansible_user=root ansible_connection=ssh
 ryo ansible_user=root ansible_connection=ssh
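Review bot: Every host in the `[borg]` group shares the one `borg_repo`, `borg_password` and `borg_secret_key` defined here, so a compromise of any single backed-up host yields the SSH key, passphrase and repository holding every other host's backups, and — unless the repository server restricts that key — the ability to prune or delete them. Per-host keys (`borg_secret_key` in `host_vars`) and an `authorized_keys` entry on the repository side that forces `borg serve --append-only --restrict-to-repository …` would contain the blast radius. Separately, `lookup('env', …)` returns an empty string when the variable is unset, so a forgotten `BORG_ENCRYPTION_PASSWORD` does not fail the play but silently yields an empty passphrase; an `ansible.builtin.assert` that `borg_password | length > 0` (and likewise for the repo, key and topic) at the start of the borg role would catch that. The `europa` extras also back up `/mnt/ssd-01/borg/.ssh` and `/mnt/ssd-01/borg/.config`, which presumably hold that host's own borg/SSH secrets — worth confirming those belong in the same repository as the data they protect.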
@@ -69,3 +77,9 @@
 levi ansible_user=root ansible_connection=ssh
 [ntfy]
 johan ansible_user=root ansible_connection=ssh
+
+[backup-notifications]
+johan ansible_user=root ansible_connection=ssh
+
+[rainrainrain]
+levi ansible_user=root ansible_connection=ssh
diff --git a/roles/backup-notifications/tasks/main.yml b/roles/backup-notifications/tasks/main.yml
new file mode 100644
index 0000000..c649b2e
--- /dev/null
+++ b/roles/backup-notifications/tasks/main.yml
@@ -0,0 +1,22 @@
+---
+- name: ensure backup-notifications docker/compose exist
+ file:
+ path: /etc/docker/compose/backup-notifications
+ state: directory
+ owner: root
+ group: root
+ mode: 0700
+
+- name: build backup-notifications docker-compose.yml.j2
+ template:
+ src: ../templates/docker-compose.yml.j2
+ dest: /etc/docker/compose/backup-notifications/docker-compose.yml
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+
+- name: daemon-reload and enable backup-notifications
+ ansible.builtin.systemd_service:
+ state: restarted
+ enabled: true
+ name: docker-compose@backup-notifications
diff --git a/roles/backup-notifications/templates/docker-compose.yml.j2 b/roles/backup-notifications/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..79be2c9
--- /dev/null
+++ b/roles/backup-notifications/templates/docker-compose.yml.j2
@@ -0,0 +1,14 @@
+version: "3"
+
+services:
+ backup-notify:
+ image: git.simponic.xyz/simponic/backup-notify:latest
+ healthcheck:
+ test: ["CMD", "wget", "--spider", "http://localhost:8080/health"]
+ interval: 5s
+ timeout: 10s
+ retries: 5
+ ports:
+ - "127.0.0.1:31152:8080"
+ volumes:
+ - ./db:/app/db
diff --git a/roles/borg/tasks/main.yml b/roles/borg/tasks/main.yml
new file mode 100644
index 0000000..fd3be99
--- /dev/null
+++ b/roles/borg/tasks/main.yml
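Review bot: `state: restarted` on the last task restarts `docker-compose@backup-notifications` on every play run, even when the rendered compose file did not change, which interrupts the service needlessly and makes the role non-idempotent. Register the template task (`register: compose_file`) and gate the restart on it with `state: "{{ 'restarted' if compose_file.changed else 'started' }}"`, or move the restart into a handler that the template task notifies. The task name says "daemon-reload" but no `daemon_reload: true` is set; if the unit file itself is ever changed by another role that is where it would be needed.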
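Review bot: `image: git.simponic.xyz/simponic/backup-notify:latest` is an unpinned moving tag, so the unconditional restart in the role redeploys whatever `latest` resolves to at that moment, with nothing in this repo recording which build is running or offering a rollback target. Pin a version tag or, better, a digest (`backup-notify:<tag>@sha256:…`) and bump it deliberately. Binding the port to `127.0.0.1:31152` is the right call and keeps it off Docker's externally reachable interfaces; there is no `restart:` policy on the service, so recovery after a crash depends on the `docker-compose@` unit, which is not visible here — worth confirming.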
@@ -0,0 +1,28 @@
+- name: copy key
+ template:
+ src: ../templates/borg_ssh_key.j2
+ dest: /root/borg_ssh_key
+ owner: root
+ group: root
+ mode: 0600
+
+- name: push borg
+ import_role:
+ name: borgbase.ansible_role_borgbackup
+ vars:
+ borg_encryption_passphrase: "{{ borg_password }}"
+ borg_repository: "{{ borg_repo }}"
+ borg_user: "{{ borg_my_user }}"
+ borg_group: "{{ borg_my_group }}"
+ borgmatic_timer: cron
+ borg_ssh_command: "ssh -o StrictHostKeyChecking=no -i {{ borg_ssh_key }}"
+ borg_source_directories:
+ "{{ base_files + (extra_files[inventory_hostname] | default([])) }}"
+ borg_retention_policy:
+ keep_hourly: 3
+ keep_daily: 7
+ keep_weekly: 4
+ keep_monthly: 6
+ borgmatic_hooks:
+ after_backup:
+ - "curl -d '{{ inventory_hostname }}' {{ backup_topic }}"
diff --git a/roles/borg/templates/borg_ssh_key.j2 b/roles/borg/templates/borg_ssh_key.j2
new file mode 100644
index 0000000..70d4cc9
--- /dev/null
+++ b/roles/borg/templates/borg_ssh_key.j2
@@ -0,0 +1 @@
+{{ borg_secret_key | b64decode }}
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index cf29d0d..87c3bb8 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -15,9 +15,11 @@
 - curl
 - gnupg-agent
 - software-properties-common
+ - sudo
 - systemd-timesyncd
 state: latest
 update_cache: yes
+ upgrade: yes
 
 - name: enable systemd-timesyncd
 ansible.builtin.systemd_service:
diff --git a/roles/nameservers/templates/db.rainrainra.in.j2 b/roles/nameservers/templates/db.rainrainra.in.j2
index 38a522e..42f05c3 100644
--- a/roles/nameservers/templates/db.rainrainra.in.j2
+++ b/roles/nameservers/templates/db.rainrainra.in.j2
@@ -12,5 +12,4 @@
 rainrainra.in. IN NS {{ dns_primary_hostname }}.simponic.xyz.
 rainrainra.in. IN NS {{ dns_replica_hostname }}.simponic.xyz.
 ; Other A records
-@ IN A 129.123.76.14
-www IN A 129.123.76.14
+@ IN A 23.95.214.176
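Review bot: `borg_ssh_command` passes `-o StrictHostKeyChecking=no`, so every backup run accepts any host key for the repository server; a spoofed or intercepted connection is never detected and the private key in `{{ borg_ssh_key }}` is offered to whoever answers. Pre-seed the server's key with `ansible.builtin.known_hosts` in this role and drop the option, or at minimum use `borg_ssh_command: "ssh -o StrictHostKeyChecking=accept-new -i {{ borg_ssh_key }}"`, which pins on first contact and fails on a later change. The `after_backup` hook only fires on success, so a failing backup produces silence rather than an alert; unless the notifier already alarms on missing check-ins, an `on_error` hook posting `{{ inventory_hostname }} failed` to the same topic would close that gap. Nothing here verifies that `borg_password`, `borg_repo` and `borg_secret_key` are non-empty before the role runs, and the `copy key` task would happily write an empty `/root/borg_ssh_key` from an unset environment variable.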
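Review bot: The apt task (its `apt:` header is above this hunk) now sets `upgrade: yes` next to a `name:` package list, and as far as I recall `ansible.builtin.apt` declares `package`/`name` and `upgrade` as mutually exclusive, so this task would fail with a parameter error rather than install `sudo`; if it does run on your Ansible version, it also means every play run performs a full distribution upgrade on every host, which is a change-control and reboot surprise to hide in a role named `common`. Keep the package install as it was and add a separate, explicitly opt-in task with `upgrade: safe` guarded by something like `when: do_upgrade | default(false)`. While here, `update_cache: yes` and `upgrade: yes` should be written `true` (yamllint `truthy`).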
diff --git a/roles/nameservers/templates/db.simponic.xyz.j2 b/roles/nameservers/templates/db.simponic.xyz.j2
index 87441f5..c0d619c 100644
--- a/roles/nameservers/templates/db.simponic.xyz.j2
+++ b/roles/nameservers/templates/db.simponic.xyz.j2
@@ -29,6 +29,7 @@ chesshbot.simponic.xyz. 1 IN A 129.123.76.14
 ;; CNAME Records
 secure.tunnel.simponic.xyz. 1 IN CNAME simponic.xyz.
 tunnel.simponic.xyz. 1 IN CNAME simponic.xyz.
+party.simponic.xyz. 1 IN CNAME simponic.xyz.
 static.simponic.xyz. 1 IN CNAME simponic.xyz.
 www.simponic.xyz. 1 IN CNAME simponic.xyz.
 s1._domainkey.simponic.xyz. 1 IN CNAME s1.domainkey.u25709709.wl210.sendgrid.net.
@@ -37,6 +38,8 @@
 headscale.simponic.xyz. 1 IN CNAME nijika.simponic.xyz.
 authelia.simponic.xyz. 1 IN CNAME nijika.simponic.xyz.
 git.simponic.xyz. 1 IN CNAME nijika.simponic.xyz.
+lab.simponic.xyz. 1 IN CNAME simponic.tplinkdns.com.
+
 
 ;; MX Records
 simponic.xyz. 1 IN MX 10 mail.simponic.xyz.
diff --git a/roles/private/files/johan/http.backups.internal.simponic.xyz.conf b/roles/private/files/johan/http.backups.internal.simponic.xyz.conf
new file mode 100644
index 0000000..47b9ef8
--- /dev/null
+++ b/roles/private/files/johan/http.backups.internal.simponic.xyz.conf
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ server_name backups.internal.simponic.xyz;
+
+ location /.well-known/acme-challenge {
+ root /var/www/letsencrypt;
+ try_files $uri $uri/ =404;
+ }
+
+ location / {
+ rewrite ^ https://backups.internal.simponic.xyz$request_uri? permanent;
+ }
+}
diff --git a/roles/private/files/johan/https.backups.internal.simponic.xyz.conf b/roles/private/files/johan/https.backups.internal.simponic.xyz.conf
new file mode 100644
index 0000000..799b0f7
--- /dev/null
+++ b/roles/private/files/johan/https.backups.internal.simponic.xyz.conf
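Review bot: `lab.simponic.xyz. 1 IN CNAME simponic.tplinkdns.com.` hands control of a simponic.xyz name to a dynamic-DNS hostname on a third-party service; if that tplinkdns registration lapses or is released, whoever claims it owns `lab.simponic.xyz` (a dangling-CNAME takeover), and any cookie or HSTS policy that is ever scoped to simponic.xyz with `includeSubDomains` would then cover an attacker's host. Prefer an A record managed from this repo if the address is stable enough, or at least document the dependency beside the record, e.g. `; lab -> home router DDNS; remove if the tplinkdns name is ever dropped`. The 1-second TTL on the new records matches the file's existing style and is presumably intentional.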
@@ -0,0 +1,32 @@
+server {
+ listen 443 ssl;
+ server_name backups.internal.simponic.xyz;
+
+ ssl_certificate /etc/letsencrypt/live/backups.internal.simponic.xyz/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/backups.internal.simponic.xyz/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/backups.internal.simponic.xyz/fullchain.pem;
+
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 5m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+ ssl_dhparam /etc/nginx/dhparams.pem;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ proxy_pass http://127.0.0.1:31152;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $server_name;
+ proxy_buffering off;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+ add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+ }
+}
diff --git a/roles/private/tasks/main.yml b/roles/private/tasks/main.yml
index d7adb76..a099852 100644
--- a/roles/private/tasks/main.yml
+++ b/roles/private/tasks/main.yml
@@ -13,6 +13,13 @@
 proto: tcp
 from: 100.64.0.0/10
 
+- name: allow https from docker and other internal stuffs
+ ufw:
+ rule: allow
+ port: '443'
+ proto: tcp
+ from: 172.16.0.0/12
+
 - name: restart ufw
 service: name=ufw state=restarted enabled=yes
 
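Review bot: `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;` forwards whatever the client itself sent (empty on a direct connection, or `http` if it chooses to lie) instead of the scheme nginx actually terminated, so if backup-notify uses that header for secure-cookie or redirect decisions it is a client-controlled input; use `proxy_set_header X-Forwarded-Proto $scheme;`. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` re-enables TLS 1.0 and 1.1 and the cipher string still admits 3DES (`DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`); a brand-new internal endpoint has no client that needs either, so `ssl_protocols TLSv1.2 TLSv1.3;` and a list without the `DES-CBC3` entries is the right starting point. This same 15-line TLS stanza is copied into every new vhost in this commit; an `include snippets/tls.conf;` would let the protocol and cipher choice be fixed in one place.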
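Review bot: The new rule opens 443 to all of `172.16.0.0/12`, which is the entire RFC 1918 /12 and not just Docker's bridge networks; on a host with any other interface in that range (a VPN, a LAN, a second container runtime) it is wider than "docker and other internal stuffs" suggests. If the intent is only containers reaching nginx, scope it to the bridge subnet(s) actually in use (`docker network inspect` shows them) or match on the interface with `interface: docker0` and `direction: in`. As with the surrounding rules, `port: '443'` is fine but a one-line comment naming which service this is for (`# backup-notify container -> nginx`) would help the next reader.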
diff --git a/roles/rainrainrain/tasks/main.yml b/roles/rainrainrain/tasks/main.yml
new file mode 100644
index 0000000..87638c8
--- /dev/null
+++ b/roles/rainrainrain/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+
+- name: clone static repo
+ git:
+ repo: https://git.simponic.xyz/simponic/rainrainra.in.git
+ dest: /var/www/html/rainrainra.in
+ recursive: yes
+ clone: yes
+ update: yes
diff --git a/roles/scurvy/templates/docker-compose.yml.j2 b/roles/scurvy/templates/docker-compose.yml.j2
index 838030c..a22ed9b 100644
--- a/roles/scurvy/templates/docker-compose.yml.j2
+++ b/roles/scurvy/templates/docker-compose.yml.j2
@@ -17,7 +17,7 @@ services:
 - VPN_SERVICE_PROVIDER=mullvad
 - VPN_TYPE=openvpn
 - OPENVPN_USER={{ openvpn_user }}
- - SERVER_CITIES=Salt Lake City UT
+ - SERVER_CITIES=Seattle WA
 
 qbittorrent:
 image: hotio/qbittorrent:latest
diff --git a/roles/static/tasks/main.yml b/roles/static/tasks/main.yml
index 68c26f1..4e65376 100644
--- a/roles/static/tasks/main.yml
+++ b/roles/static/tasks/main.yml
@@ -2,8 +2,8 @@
 
 - name: clone static repo
 git:
- repo: https://git.simponic.xyz/simponic/static.simponic.xyz.git
- dest: /var/www/html/static.simponic.xyz
+ repo: https://git.simponic.xyz/simponic/simponic.xyz.git
+ dest: /var/www/html/simponic.xyz
 recursive: yes
 clone: yes
 update: yes
diff --git a/roles/vpn/files/config/acl.json b/roles/vpn/files/config/acl.json
index b8cf1a5..4b91b39 100644
--- a/roles/vpn/files/config/acl.json
+++ b/roles/vpn/files/config/acl.json
@@ -23,18 +23,18 @@
 },
 {
 "action": "accept",
- "src": ["group:sys", "10.128.0.0/9:*"],
+ "src": ["group:sys"],
 "dst": ["group:sys:*", "10.128.0.0/9:*"]
 },
 {
 "action": "accept",
- "src": ["group:admin", "10.128.0.0/9:*"],
- "dst": ["10.0.0.0/24:*", "10.128.0.0/9:*"]
+ "src": ["group:admin"],
+ "dst": ["group:admin:*", "10.128.0.0/9:*"]
 },
 {
 "action": "accept",
 "src": ["group:roomates"],
- "dst": ["10.0.0.0/24:*"]
+ "dst": ["10.137.128.0/17:*"]
 },
 {
 "action": "accept",
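Review bot: The `git` task has no `version:`, so with `update: yes` every play run fast-forwards `/var/www/html/rainrainra.in` to whatever the remote's default branch points at that moment, which makes a push to that branch an immediate, unreviewed deploy to the web root. Pin `version:` to a branch or, better, a tag so a deploy is a deliberate change in this repo, and write `recursive`/`clone`/`update` as `true` rather than `yes` (yamllint `truthy`). The task is a copy of the one in `roles/static`; a single role parameterised by repo and dest would keep the two from drifting.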
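Review bot: `group:roomates` now reaches `10.137.128.0/17:*` — about 32k addresses on all ports — where it previously had a single `/24`; if the intended reach is one LAN, that is a large widening, so confirm the prefix or narrow the port list. The `group:admin` rule also dropped `10.0.0.0/24:*` from `dst` with no replacement in this hunk, so admins lose that network unless another rule outside the visible lines still grants it; the file continues past this hunk. Removing `10.128.0.0/9:*` from the `src` of the sys and admin rules is a genuine tightening, since that subnet could previously initiate connections regardless of group membership.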
diff --git a/roles/webservers/files/levi/http.party.simponic.xyz.conf b/roles/webservers/files/levi/http.party.simponic.xyz.conf
new file mode 100644
index 0000000..0bbed95
--- /dev/null
+++ b/roles/webservers/files/levi/http.party.simponic.xyz.conf
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ server_name party.simponic.xyz;
+
+ location /.well-known/acme-challenge {
+ root /var/www/letsencrypt;
+ try_files $uri $uri/ =404;
+ }
+
+ location / {
+ rewrite ^ https://party.simponic.xyz$request_uri? permanent;
+ }
+}
diff --git a/roles/webservers/files/levi/http.rainrainra.in.conf b/roles/webservers/files/levi/http.rainrainra.in.conf
new file mode 100644
index 0000000..5681819
--- /dev/null
+++ b/roles/webservers/files/levi/http.rainrainra.in.conf
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ server_name rainrainra.in;
+
+ location /.well-known/acme-challenge {
+ root /var/www/letsencrypt;
+ try_files $uri $uri/ =404;
+ }
+
+ location / {
+ rewrite ^ https://rainrainra.in$request_uri? permanent;
+ }
+}
diff --git a/roles/webservers/files/levi/https.ntfy.simponic.hatecomputers.club.conf b/roles/webservers/files/levi/https.ntfy.simponic.hatecomputers.club.conf
index 5114af0..9a0c818 100644
--- a/roles/webservers/files/levi/https.ntfy.simponic.hatecomputers.club.conf
+++ b/roles/webservers/files/levi/https.ntfy.simponic.hatecomputers.club.conf
@@ -24,5 +24,11 @@ server {
 
 location / {
 proxy_pass https://ntfy.internal.simponic.xyz;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_buffering off;
+ proxy_set_header X-Real-IP $remote_addr;
+ add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
 }
 }
diff --git a/roles/webservers/files/levi/https.party.simponic.xyz.conf b/roles/webservers/files/levi/https.party.simponic.xyz.conf
new file mode 100644
index 0000000..1896024
--- /dev/null
+++ b/roles/webservers/files/levi/https.party.simponic.xyz.conf
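Review bot: The `proxy_pass https://ntfy.internal.simponic.xyz;` line just above the additions runs without `proxy_ssl_verify on;`, and nginx's default for that directive is `off`, so the hop to the internal ntfy host is encrypted but the upstream certificate is never checked; add `proxy_ssl_verify on;`, `proxy_ssl_server_name on;` and `proxy_ssl_trusted_certificate <bundle that signed the internal cert>;` alongside the new headers. The additions forward `X-Real-IP` but not `X-Forwarded-For` or `X-Forwarded-Proto`, unlike the backups vhost in this commit; as I recall ntfy's `behind-proxy` mode keys its rate limits on `X-Forwarded-For`, so without it every client shares one bucket — `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` would match the other config. The enclosing `server` block starts outside the hunk, so the TLS settings for this vhost were not reviewed.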
@@ -0,0 +1,25 @@
+server {
+ listen 443 ssl;
+ server_name party.simponic.xyz;
+
+ ssl_certificate /etc/letsencrypt/live/party.simponic.xyz/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/party.simponic.xyz/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/party.simponic.xyz/fullchain.pem;
+
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 5m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+ ssl_dhparam /etc/nginx/dhparams.pem;
+ ssl_prefer_server_ciphers on;
+
+ root /var/www/html/party.simponic.xyz;
+
+ location / {
+ try_files $uri $uri/ $uri.html =404;
+ }
+}
diff --git a/roles/webservers/files/levi/https.rainrainra.in.conf b/roles/webservers/files/levi/https.rainrainra.in.conf
new file mode 100644
index 0000000..84249dc
--- /dev/null
+++ b/roles/webservers/files/levi/https.rainrainra.in.conf
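Review bot: This vhost ships `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and the 3DES entries in `ssl_ciphers`, copied from the existing configs; a new static site has no reason to accept deprecated protocols, so start from `ssl_protocols TLSv1.2 TLSv1.3;` and a cipher list without `DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA` and `EDH-RSA-DES-CBC3-SHA`, ideally through one shared `include snippets/tls.conf;` so the choice lives in one file. Unlike the proxied vhosts in this commit, no `Strict-Transport-Security` header is sent here even though the HTTP vhost permanently redirects to HTTPS; `add_header Strict-Transport-Security "max-age=15552000" always;` at server level would keep them consistent. `root /var/www/html/party.simponic.xyz` is not populated by any role in this diff, so presumably it is provisioned elsewhere — worth a comment saying where.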
@@ -0,0 +1,25 @@
+server {
+ listen 443 ssl;
+ server_name rainrainra.in;
+
+ ssl_certificate /etc/letsencrypt/live/rainrainra.in/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/rainrainra.in/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/rainrainra.in/fullchain.pem;
+
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 5m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+ ssl_dhparam /etc/nginx/dhparams.pem;
+ ssl_prefer_server_ciphers on;
+
+ root /var/www/html/rainrainra.in;
+
+ location / {
+ try_files $uri $uri/ $uri.html =404;
+ }
+}
diff --git a/roles/webservers/files/levi/https.simponic.hatecomputers.club.conf b/roles/webservers/files/levi/https.simponic.hatecomputers.club.conf
index a59145b..fa0f6ab 100644
--- a/roles/webservers/files/levi/https.simponic.hatecomputers.club.conf
+++ b/roles/webservers/files/levi/https.simponic.hatecomputers.club.conf
@@ -17,7 +17,7 @@ server {
 ssl_dhparam /etc/nginx/dhparams.pem;
 ssl_prefer_server_ciphers on;
 
- root /var/www/html/static.simponic.xyz;
+ root /var/www/html/simponic.xyz;
 
 location / {
 try_files $uri $uri/ $uri.html =404;
diff --git a/roles/webservers/files/levi/https.simponic.xyz.conf b/roles/webservers/files/levi/https.simponic.xyz.conf
index 09c59ce..8930168 100644
--- a/roles/webservers/files/levi/https.simponic.xyz.conf
+++ b/roles/webservers/files/levi/https.simponic.xyz.conf
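Review bot: This file is byte-for-byte the party vhost with the hostname swapped, including `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and the 3DES cipher entries; that is the third copy of the stanza in one commit, so the next protocol change has to be made in at least three places and will be missed in one. Factor the TLS and `try_files` lines into a shared snippet (`include snippets/tls.conf;`) and keep only `server_name`, the certificate paths and `root` per file, and apply the same `ssl_protocols TLSv1.2 TLSv1.3;` and HSTS header as suggested for the party vhost. The zone change in this commit also dropped the `www` A record for rainrainra.in, which matches the single `server_name rainrainra.in;` here — a `; www intentionally unrouted` comment in the zone would make that deliberate.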
@@ -17,7 +17,7 @@ server {
 ssl_dhparam /etc/nginx/dhparams.pem;
 ssl_prefer_server_ciphers on;
 
- root /var/www/html/static.simponic.xyz;
+ root /var/www/html/simponic.xyz;
 
 location / {
 try_files $uri $uri/ $uri.html =404;
diff --git a/roles/webservers/files/levi/https.static.simponic.xyz.conf b/roles/webservers/files/levi/https.static.simponic.xyz.conf
index 6ac8806..ca72805 100644
--- a/roles/webservers/files/levi/https.static.simponic.xyz.conf
+++ b/roles/webservers/files/levi/https.static.simponic.xyz.conf
@@ -17,7 +17,7 @@ server {
 ssl_dhparam /etc/nginx/dhparams.pem;
 ssl_prefer_server_ciphers on;
 
- root /var/www/html/static.simponic.xyz;
+ root /var/www/html/simponic.xyz;
 
 location / {
 try_files $uri $uri/ $uri.html =404;
diff --git a/roles/webservers/tasks/main.yml b/roles/webservers/tasks/main.yml
index 1eb53b0..7047baf 100644
--- a/roles/webservers/tasks/main.yml
+++ b/roles/webservers/tasks/main.yml
@@ -62,7 +62,7 @@
 loop: "{{ nginx_conf_files.files }}"
 register: extracted_domains
 
-# simponic.xyz
+# simponic.xyz & others
 - name: request simponic letsencrypt certificates
 shell: >
 letsencrypt certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} \
@@ -70,7 +70,7 @@
 args:
 creates: "/etc/letsencrypt/live/{{ item.stdout }}"
 loop: "{{ extracted_domains.results }}"
- when: '"simponic.xyz" in item.stdout'
+ when: 'not "hatecomputers.club" in item.stdout'
 
 # hatecomputers.club
 - name: build plugin template
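Review bot: `when: 'not "hatecomputers.club" in item.stdout'` reads better as `when: '"hatecomputers.club" not in item.stdout'`, and the inversion also widens the task from "domains containing simponic.xyz" to "every domain extracted from the nginx confs except hatecomputers.club", so any future vhost whose DNS does not point at this host will make `letsencrypt certonly` fail and, absent `ignore_errors` or `failed_when`, abort the play before the remaining domains are processed. An explicit allow-list variable, or `failed_when: false` with a registered result you report on afterwards, would make that failure mode deliberate rather than incidental. The `shell` command body and the `extracted_domains` loop begin above this hunk, so the command line itself was not reviewed.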