This commit is contained in:
Elizabeth Hunt 2024-04-12 16:57:00 -04:00
parent 64a2990c53
commit f9d62cc8a7
9 changed files with 132 additions and 2 deletions

4
deploy-ntfy.yml Normal file
View File

@ -0,0 +1,4 @@
- name: ntfy setup
hosts: ntfy
roles:
- ntfy

View File

@ -66,3 +66,6 @@ europa ansible_user=root ansible_connection=ssh
[hatecomputers] [hatecomputers]
levi ansible_user=root ansible_connection=ssh levi ansible_user=root ansible_connection=ssh
[ntfy]
johan ansible_user=root ansible_connection=ssh

22
roles/ntfy/tasks/main.yml Normal file
View File

@ -0,0 +1,22 @@
---
- name: ensure ntfy docker/compose exist
file:
path: /etc/docker/compose/ntfy
state: directory
owner: root
group: root
mode: 0700
- name: build ntfy docker-compose.yml.j2
template:
src: ../templates/docker-compose.yml.j2
dest: /etc/docker/compose/ntfy/docker-compose.yml
owner: root
group: root
mode: u=rw,g=r,o=r
- name: daemon-reload and enable ntfy
ansible.builtin.systemd_service:
state: restarted
enabled: true
name: docker-compose@ntfy

View File

@ -0,0 +1,15 @@
version: "2.1"
services:
ntfy:
image: binwiederhier/ntfy
container_name: ntfy
command:
- serve
environment:
- TZ=UTC
volumes:
- ./cache:/var/cache/ntfy
- ./conf:/etc/ntfy
ports:
- 127.0.0.1:22311:80
restart: unless-stopped

View File

@ -0,0 +1,13 @@
server {
listen 80;
server_name ntfy.internal.simponic.xyz;
location /.well-known/acme-challenge {
root /var/www/letsencrypt;
try_files $uri $uri/ =404;
}
location / {
rewrite ^ https://ntfy.internal.simponic.xyz$request_uri? permanent;
}
}

View File

@ -0,0 +1,32 @@
server {
listen 443 ssl;
server_name ntfy.internal.simponic.xyz;
ssl_certificate /etc/letsencrypt/live/ntfy.internal.simponic.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ntfy.internal.simponic.xyz/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/ntfy.internal.simponic.xyz/fullchain.pem;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://127.0.0.1:22311;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $server_name;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
}
}

View File

@ -8,7 +8,7 @@ services:
volumes: volumes:
- ./data/:/data/ - ./data/:/data/
ports: ports:
- 8652:80 - 127.0.0.1:8652:80
environment: environment:
- DOMAIN=https://vaultwarden.internal.simponic.xyz - DOMAIN=https://vaultwarden.internal.simponic.xyz
- LOGIN_RATELIMIT_MAX_BURST=10 - LOGIN_RATELIMIT_MAX_BURST=10
@ -33,4 +33,4 @@ services:
- SMTP_PORT=587 - SMTP_PORT=587
- SMTP_USERNAME=info@simponic.xyz - SMTP_USERNAME=info@simponic.xyz
- SMTP_PASSWORD={{ email_password }} - SMTP_PASSWORD={{ email_password }}
- SMTP_AUTH_MECHANISM="Plain" - SMTP_AUTH_MECHANISM="Plain"

View File

@ -0,0 +1,13 @@
server {
listen 80;
server_name ntfy.simponic.hatecomputers.club;
location /.well-known/acme-challenge {
root /var/www/letsencrypt;
try_files $uri $uri/ =404;
}
location / {
rewrite ^ https://ntfy.simponic.hatecomputers.club$request_uri? permanent;
}
}

View File

@ -0,0 +1,28 @@
server {
listen 443 ssl;
allow 10.0.0.0/8;
allow 100.64.0.0/12;
deny all;
server_name ntfy.simponic.hatecomputers.club;
ssl_certificate /etc/letsencrypt/live/ntfy.simponic.hatecomputers.club/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ntfy.simponic.hatecomputers.club/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/ntfy.simponic.hatecomputers.club/fullchain.pem;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_prefer_server_ciphers on;
location / {
proxy_pass https://ntfy.internal.simponic.xyz;
}
}