borg

2024-04-27 23:41:11 -04:00 · 2024-04-27 23:41:11 -04:00 · 9ac6be27c5
commit 9ac6be27c5
parent f9d62cc8a7
28 changed files with 275 additions and 14 deletions
--- a/deploy-backup-notifications.yml
+++ b/deploy-backup-notifications.yml
@ -0,0 +1,4 @@
 - name: backup-notifications setup
  hosts: backup-notifications
  roles:
    - backup-notifications
--- a/deploy-borg.yml
+++ b/deploy-borg.yml
@ -0,0 +1,4 @@
 - name: borg setup
  hosts: borg
  roles:
    - borg
--- a/deploy-rainrainrain.yml
+++ b/deploy-rainrainrain.yml
@ -0,0 +1,4 @@
 - name: rainrainrain setup
  hosts: rainrainrain
  roles:
    - rainrainrain
--- a/group_vars/borg.yml
+++ b/group_vars/borg.yml
@ -0,0 +1,23 @@
 borg_password: "{{ lookup('env', 'BORG_ENCRYPTION_PASSWORD') }}"
 borg_repo: "{{ lookup('env', 'BORG_REPO') }}"
 borg_secret_key: "{{ lookup('env', 'BORG_SECRET_KEY') }}"
 borg_my_user: "root"
 borg_my_group: "root"
 borg_ssh_key: "/root/borg_ssh_key"
 backup_topic: "{{ lookup('env', 'BORG_BACKUP_TOPIC') }}"
 base_files:
  - /home
  - /root
  - /var
  - /etc
  - /boot
  - /opt
 extra_files:
  europa:
    - /mnt/ssd-01/owncloud
    - /mnt/ssd-01/borg/sync.sh
    - /mnt/ssd-01/borg/.config
    - /mnt/ssd-01/borg/.ssh
--- a/14
+++ b/14
@ -1,3 +1,11 @@
 [borg]
 nijika  ansible_user=root ansible_connection=ssh
 ryo  ansible_user=root ansible_connection=ssh
 levi  ansible_user=root ansible_connection=ssh
 mail.simponic.xyz ansible_user=root ansible_connection=ssh
 europa  ansible_user=root ansible_connection=ssh
 johan  ansible_user=root ansible_connection=ssh
 [prod]
 nijika  ansible_user=root ansible_connection=ssh
 ryo  ansible_user=root ansible_connection=ssh
@ -69,3 +77,9 @@ levi  ansible_user=root ansible_connection=ssh
 [ntfy]
 johan  ansible_user=root ansible_connection=ssh
 [backup-notifications]
 johan  ansible_user=root ansible_connection=ssh
 [rainrainrain]
 levi  ansible_user=root ansible_connection=ssh
--- a/roles/backup-notifications/tasks/main.yml
+++ b/roles/backup-notifications/tasks/main.yml
@ -0,0 +1,22 @@
 ---
 - name: ensure backup-notifications docker/compose exist
  file:
    path: /etc/docker/compose/backup-notifications
    state: directory
    owner: root
    group: root
    mode: 0700
 - name: build backup-notifications docker-compose.yml.j2
  template:
    src: ../templates/docker-compose.yml.j2
    dest: /etc/docker/compose/backup-notifications/docker-compose.yml
    owner: root
    group: root
    mode: u=rw,g=r,o=r
 - name: daemon-reload and enable backup-notifications
  ansible.builtin.systemd_service:
    state: restarted
    enabled: true
    name: docker-compose@backup-notifications
--- a/roles/backup-notifications/templates/docker-compose.yml.j2
+++ b/roles/backup-notifications/templates/docker-compose.yml.j2
@ -0,0 +1,14 @@
 version: "3"
 services:
  backup-notify:
    image: git.simponic.xyz/simponic/backup-notify:latest
    healthcheck:
      test: ["CMD", "wget", "--spider", "http://localhost:8080/health"]
      interval: 5s
      timeout: 10s
      retries: 5
    ports:
      - "127.0.0.1:31152:8080"
    volumes:
      - ./db:/app/db
--- a/roles/borg/tasks/main.yml
+++ b/roles/borg/tasks/main.yml
@ -0,0 +1,28 @@
 - name: copy key
  template:
    src: ../templates/borg_ssh_key.j2
    dest: /root/borg_ssh_key
    owner: root
    group: root
    mode: 0600
 - name: push borg
  import_role: 
    name: borgbase.ansible_role_borgbackup
  vars:
    borg_encryption_passphrase: "{{ borg_password }}"
    borg_repository: "{{ borg_repo }}"
    borg_user: "{{ borg_my_user }}"
    borg_group: "{{ borg_my_group }}"
    borgmatic_timer: cron
    borg_ssh_command: "ssh -o StrictHostKeyChecking=no -i {{ borg_ssh_key }}"
    borg_source_directories:
      "{{ base_files + (extra_files[inventory_hostname] | default([])) }}"
    borg_retention_policy:
      keep_hourly: 3
      keep_daily: 7
      keep_weekly: 4
      keep_monthly: 6
    borgmatic_hooks:
      after_backup:
        - "curl -d '{{ inventory_hostname }}' {{ backup_topic }}"
--- a/roles/borg/templates/borg_ssh_key.j2
+++ b/roles/borg/templates/borg_ssh_key.j2
@ -0,0 +1 @@
 {{ borg_secret_key | b64decode }}
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -15,9 +15,11 @@
      - curl
      - gnupg-agent
      - software-properties-common
      - sudo
      - systemd-timesyncd
    state: latest
    update_cache: yes
    upgrade: yes
 - name: enable systemd-timesyncd
  ansible.builtin.systemd_service: 
--- a/roles/nameservers/templates/db.rainrainra.in.j2
+++ b/roles/nameservers/templates/db.rainrainra.in.j2
@ -12,5 +12,4 @@ rainrainra.in.    IN      NS      {{ dns_primary_hostname }}.simponic.xyz.
 rainrainra.in.    IN      NS      {{ dns_replica_hostname }}.simponic.xyz.
 ; Other A records
-@               IN      A       129.123.76.14
+@               IN      A       23.95.214.176
 www             IN      A       129.123.76.14
--- a/roles/nameservers/templates/db.simponic.xyz.j2
+++ b/roles/nameservers/templates/db.simponic.xyz.j2
@ -29,6 +29,7 @@ chesshbot.simponic.xyz. 1 IN  A 129.123.76.14
 ;; CNAME Records
 secure.tunnel.simponic.xyz.	1	IN	CNAME	simponic.xyz.
 tunnel.simponic.xyz.	1	IN	CNAME	simponic.xyz.
 party.simponic.xyz.	1	IN	CNAME	simponic.xyz.
 static.simponic.xyz.	1	IN	CNAME	simponic.xyz.
 www.simponic.xyz.	1	IN	CNAME	simponic.xyz.
 s1._domainkey.simponic.xyz.	1	IN	CNAME	s1.domainkey.u25709709.wl210.sendgrid.net.
@ -37,6 +38,8 @@ headscale.simponic.xyz.	1	IN	CNAME	nijika.simponic.xyz.
 authelia.simponic.xyz.	1	IN	CNAME	nijika.simponic.xyz.
 git.simponic.xyz. 1 IN  CNAME nijika.simponic.xyz.
 lab.simponic.xyz.	1	IN	CNAME	simponic.tplinkdns.com.
 ;; MX Records
 simponic.xyz.	1	IN	MX	10 mail.simponic.xyz.
--- a/roles/private/files/johan/http.backups.internal.simponic.xyz.conf
+++ b/roles/private/files/johan/http.backups.internal.simponic.xyz.conf
@ -0,0 +1,13 @@
 server {
  listen 80;
  server_name backups.internal.simponic.xyz;
  location /.well-known/acme-challenge {
    root /var/www/letsencrypt;
    try_files $uri $uri/ =404;
  }
  location / {
    rewrite ^ https://backups.internal.simponic.xyz$request_uri? permanent;
  }
 }
--- a/roles/private/files/johan/https.backups.internal.simponic.xyz.conf
+++ b/roles/private/files/johan/https.backups.internal.simponic.xyz.conf
@ -0,0 +1,32 @@
 server {
  listen 443 ssl;
  server_name backups.internal.simponic.xyz;
  ssl_certificate         /etc/letsencrypt/live/backups.internal.simponic.xyz/fullchain.pem;
  ssl_certificate_key     /etc/letsencrypt/live/backups.internal.simponic.xyz/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/backups.internal.simponic.xyz/fullchain.pem;
  ssl_session_cache shared:SSL:50m;
  ssl_session_timeout 5m;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  ssl_dhparam /etc/nginx/dhparams.pem;
  ssl_prefer_server_ciphers on;
  location / {
    proxy_pass http://127.0.0.1:31152;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $server_name;
    proxy_buffering off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
  }
 }
--- a/roles/private/tasks/main.yml
+++ b/roles/private/tasks/main.yml
@ -13,6 +13,13 @@
    proto: tcp
    from: 100.64.0.0/10
 - name: allow https from docker and other internal stuffs
  ufw:
    rule: allow
    port: '443'
    proto: tcp
    from: 172.16.0.0/12
 - name: restart ufw
  service: name=ufw state=restarted enabled=yes
--- a/roles/rainrainrain/tasks/main.yml
+++ b/roles/rainrainrain/tasks/main.yml
@ -0,0 +1,9 @@
 ---
 - name: clone static repo
  git:
    repo: https://git.simponic.xyz/simponic/rainrainra.in.git
    dest: /var/www/html/rainrainra.in
    recursive: yes
    clone: yes
    update: yes
--- a/roles/scurvy/templates/docker-compose.yml.j2
+++ b/roles/scurvy/templates/docker-compose.yml.j2
@ -17,7 +17,7 @@ services:
      - VPN_SERVICE_PROVIDER=mullvad
      - VPN_TYPE=openvpn
      - OPENVPN_USER={{ openvpn_user }}
-      - SERVER_CITIES=Salt Lake City UT
+      - SERVER_CITIES=Seattle WA
  qbittorrent:
    image: hotio/qbittorrent:latest
--- a/roles/static/tasks/main.yml
+++ b/roles/static/tasks/main.yml
@ -2,8 +2,8 @@
 - name: clone static repo
  git:
-    repo: https://git.simponic.xyz/simponic/static.simponic.xyz.git
+    repo: https://git.simponic.xyz/simponic/simponic.xyz.git
-    dest: /var/www/html/static.simponic.xyz
+    dest: /var/www/html/simponic.xyz
    recursive: yes
    clone: yes
    update: yes
--- a/roles/vpn/files/config/acl.json
+++ b/roles/vpn/files/config/acl.json
@ -23,18 +23,18 @@
    },
    {
      "action": "accept",
-      "src": ["group:sys", "10.128.0.0/9:*"],
+      "src": ["group:sys"],
      "dst": ["group:sys:*", "10.128.0.0/9:*"]
    },
    {
      "action": "accept",
-      "src": ["group:admin", "10.128.0.0/9:*"],
+      "src": ["group:admin"],
-      "dst": ["10.0.0.0/24:*", "10.128.0.0/9:*"]
+      "dst": ["group:admin:*", "10.128.0.0/9:*"]
    },
    {
      "action": "accept",
      "src": ["group:roomates"],
-      "dst": ["10.0.0.0/24:*"]
+      "dst": ["10.137.128.0/17:*"]
    },
    {
      "action": "accept",
--- a/roles/webservers/files/levi/http.party.simponic.xyz.conf
+++ b/roles/webservers/files/levi/http.party.simponic.xyz.conf
@ -0,0 +1,13 @@
 server {
  listen 80;
  server_name party.simponic.xyz;
  location /.well-known/acme-challenge {
    root /var/www/letsencrypt;
    try_files $uri $uri/ =404;
  }
  location / {
    rewrite ^ https://party.simponic.xyz$request_uri? permanent;
  }
 }
--- a/roles/webservers/files/levi/http.rainrainra.in.conf
+++ b/roles/webservers/files/levi/http.rainrainra.in.conf
@ -0,0 +1,13 @@
 server {
  listen 80;
  server_name rainrainra.in;
  location /.well-known/acme-challenge {
    root /var/www/letsencrypt;
    try_files $uri $uri/ =404;
  }
  location / {
    rewrite ^ https://rainrainra.in$request_uri? permanent;
  }
 }
--- a/roles/webservers/files/levi/https.ntfy.simponic.hatecomputers.club.conf
+++ b/roles/webservers/files/levi/https.ntfy.simponic.hatecomputers.club.conf
@ -24,5 +24,11 @@ server {
  location / {
    proxy_pass https://ntfy.internal.simponic.xyz;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_buffering off;
    proxy_set_header X-Real-IP $remote_addr;
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
  }
 }
--- a/roles/webservers/files/levi/https.party.simponic.xyz.conf
+++ b/roles/webservers/files/levi/https.party.simponic.xyz.conf
@ -0,0 +1,25 @@
 server {
  listen 443 ssl;
  server_name party.simponic.xyz;
  ssl_certificate         /etc/letsencrypt/live/party.simponic.xyz/fullchain.pem;
  ssl_certificate_key     /etc/letsencrypt/live/party.simponic.xyz/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/party.simponic.xyz/fullchain.pem;
  ssl_session_cache shared:SSL:50m;
  ssl_session_timeout 5m;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  ssl_dhparam /etc/nginx/dhparams.pem;
  ssl_prefer_server_ciphers on;
  root /var/www/html/party.simponic.xyz;
  location / {
    try_files $uri $uri/ $uri.html =404;
  }
 }
--- a/roles/webservers/files/levi/https.rainrainra.in.conf
+++ b/roles/webservers/files/levi/https.rainrainra.in.conf
@ -0,0 +1,25 @@
 server {
  listen 443 ssl;
  server_name rainrainra.in;
  ssl_certificate         /etc/letsencrypt/live/rainrainra.in/fullchain.pem;
  ssl_certificate_key     /etc/letsencrypt/live/rainrainra.in/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/rainrainra.in/fullchain.pem;
  ssl_session_cache shared:SSL:50m;
  ssl_session_timeout 5m;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  ssl_dhparam /etc/nginx/dhparams.pem;
  ssl_prefer_server_ciphers on;
  root /var/www/html/rainrainra.in;
  location / {
    try_files $uri $uri/ $uri.html =404;
  }
 }
--- a/roles/webservers/files/levi/https.simponic.hatecomputers.club.conf
+++ b/roles/webservers/files/levi/https.simponic.hatecomputers.club.conf
@ -17,7 +17,7 @@ server {
  ssl_dhparam /etc/nginx/dhparams.pem;
  ssl_prefer_server_ciphers on;
-  root /var/www/html/static.simponic.xyz;
+  root /var/www/html/simponic.xyz;
  location / {
    try_files $uri $uri/ $uri.html =404;
--- a/roles/webservers/files/levi/https.simponic.xyz.conf
+++ b/roles/webservers/files/levi/https.simponic.xyz.conf
@ -17,7 +17,7 @@ server {
  ssl_dhparam /etc/nginx/dhparams.pem;
  ssl_prefer_server_ciphers on;
-  root /var/www/html/static.simponic.xyz;
+  root /var/www/html/simponic.xyz;
  location / {
    try_files $uri $uri/ $uri.html =404;
--- a/roles/webservers/files/levi/https.static.simponic.xyz.conf
+++ b/roles/webservers/files/levi/https.static.simponic.xyz.conf
@ -17,7 +17,7 @@ server {
  ssl_dhparam /etc/nginx/dhparams.pem;
  ssl_prefer_server_ciphers on;
-  root /var/www/html/static.simponic.xyz;
+  root /var/www/html/simponic.xyz;
  location / {
    try_files $uri $uri/ $uri.html =404;
--- a/roles/webservers/tasks/main.yml
+++ b/roles/webservers/tasks/main.yml
@ -62,7 +62,7 @@
  loop: "{{ nginx_conf_files.files }}"
  register: extracted_domains
-# simponic.xyz
+# simponic.xyz & others
 - name: request simponic letsencrypt certificates
  shell: >
    letsencrypt certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} \
@ -70,7 +70,7 @@
  args:
    creates: "/etc/letsencrypt/live/{{ item.stdout }}"
  loop: "{{ extracted_domains.results }}"
-  when: '"simponic.xyz" in item.stdout'
+  when: 'not "hatecomputers.club" in item.stdout'
 # hatecomputers.club
 - name: build plugin template