ntfy

2024-04-12 16:57:00 -04:00 · 2024-04-12 16:57:00 -04:00 · f9d62cc8a7
commit f9d62cc8a7
parent 64a2990c53
9 changed files with 132 additions and 2 deletions
--- a/deploy-ntfy.yml
+++ b/deploy-ntfy.yml
@ -0,0 +1,4 @@
+- name: ntfy setup
+  hosts: ntfy
+  roles:
+    - ntfy
--- a/3
+++ b/3
@ -66,3 +66,6 @@ europa  ansible_user=root ansible_connection=ssh

 [hatecomputers]
 levi  ansible_user=root ansible_connection=ssh
+
+[ntfy]
+johan  ansible_user=root ansible_connection=ssh
--- a/roles/ntfy/tasks/main.yml
+++ b/roles/ntfy/tasks/main.yml
@ -0,0 +1,22 @@
+---
+- name: ensure ntfy docker/compose exist
+  file:
+    path: /etc/docker/compose/ntfy
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
+
+- name: build ntfy docker-compose.yml.j2
+  template:
+    src: ../templates/docker-compose.yml.j2
+    dest: /etc/docker/compose/ntfy/docker-compose.yml
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+
+- name: daemon-reload and enable ntfy
+  ansible.builtin.systemd_service:
+    state: restarted
+    enabled: true
+    name: docker-compose@ntfy
--- a/roles/ntfy/templates/docker-compose.yml.j2
+++ b/roles/ntfy/templates/docker-compose.yml.j2
@ -0,0 +1,15 @@
+version: "2.1"
+services:
+  ntfy:
+    image: binwiederhier/ntfy
+    container_name: ntfy
+    command:
+      - serve
+    environment:
+      - TZ=UTC
+    volumes:
+      - ./cache:/var/cache/ntfy
+      - ./conf:/etc/ntfy
+    ports:
+      - 127.0.0.1:22311:80
+    restart: unless-stopped
--- a/roles/private/files/johan/http.ntfy.internal.simponic.xyz.conf
+++ b/roles/private/files/johan/http.ntfy.internal.simponic.xyz.conf
@ -0,0 +1,13 @@
+server {
+  listen 80;
+  server_name ntfy.internal.simponic.xyz;
+
+  location /.well-known/acme-challenge {
+    root /var/www/letsencrypt;
+    try_files $uri $uri/ =404;
+  }
+
+  location / {
+    rewrite ^ https://ntfy.internal.simponic.xyz$request_uri? permanent;
+  }
+}
--- a/roles/private/files/johan/https.ntfy.internal.simponic.xyz.conf
+++ b/roles/private/files/johan/https.ntfy.internal.simponic.xyz.conf
@ -0,0 +1,32 @@
+server {
+  listen 443 ssl;
+  server_name ntfy.internal.simponic.xyz;
+
+  ssl_certificate         /etc/letsencrypt/live/ntfy.internal.simponic.xyz/fullchain.pem;
+  ssl_certificate_key     /etc/letsencrypt/live/ntfy.internal.simponic.xyz/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/ntfy.internal.simponic.xyz/fullchain.pem;
+
+  ssl_session_cache shared:SSL:50m;
+  ssl_session_timeout 5m;
+  ssl_stapling on;
+  ssl_stapling_verify on;
+
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+  ssl_dhparam /etc/nginx/dhparams.pem;
+  ssl_prefer_server_ciphers on;
+
+  location / {
+    proxy_pass http://127.0.0.1:22311;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_set_header Host $server_name;
+    proxy_buffering off;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+  }
+}
--- a/roles/vaultwarden/templates/docker-compose.yml.j2
+++ b/roles/vaultwarden/templates/docker-compose.yml.j2
@ -8,7 +8,7 @@ services:
    volumes:
      - ./data/:/data/
    ports:
-      - 8652:80
+      - 127.0.0.1:8652:80
    environment:
      - DOMAIN=https://vaultwarden.internal.simponic.xyz
      - LOGIN_RATELIMIT_MAX_BURST=10
@ -33,4 +33,4 @@ services:
      - SMTP_PORT=587
      - SMTP_USERNAME=info@simponic.xyz
      - SMTP_PASSWORD={{ email_password }}
-      - SMTP_AUTH_MECHANISM="Plain"
+      - SMTP_AUTH_MECHANISM="Plain"
--- a/roles/webservers/files/levi/http.ntfy.simponic.hatecomputers.club.conf
+++ b/roles/webservers/files/levi/http.ntfy.simponic.hatecomputers.club.conf
@ -0,0 +1,13 @@
+server {
+  listen 80;
+  server_name ntfy.simponic.hatecomputers.club;
+
+  location /.well-known/acme-challenge {
+    root /var/www/letsencrypt;
+    try_files $uri $uri/ =404;
+  }
+
+  location / {
+    rewrite ^ https://ntfy.simponic.hatecomputers.club$request_uri? permanent;
+  }
+}
--- a/roles/webservers/files/levi/https.ntfy.simponic.hatecomputers.club.conf
+++ b/roles/webservers/files/levi/https.ntfy.simponic.hatecomputers.club.conf
@ -0,0 +1,28 @@
+server {
+  listen 443 ssl;
+
+  allow  10.0.0.0/8;
+  allow  100.64.0.0/12;
+  deny   all;
+
+  server_name ntfy.simponic.hatecomputers.club;
+
+  ssl_certificate         /etc/letsencrypt/live/ntfy.simponic.hatecomputers.club/fullchain.pem;
+  ssl_certificate_key     /etc/letsencrypt/live/ntfy.simponic.hatecomputers.club/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/ntfy.simponic.hatecomputers.club/fullchain.pem;
+
+  ssl_session_cache shared:SSL:50m;
+  ssl_session_timeout 5m;
+  ssl_stapling on;
+  ssl_stapling_verify on;
+
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+  ssl_dhparam /etc/nginx/dhparams.pem;
+  ssl_prefer_server_ciphers on;
+
+  location / {
+    proxy_pass https://ntfy.internal.simponic.xyz;
+  }
+}