Compare commits


2 Commits

Author SHA1 Message Date
9ac6be27c5 borg 2024-04-27 23:41:11 -04:00
f9d62cc8a7 ntfy 2024-04-12 16:57:00 -04:00
35 changed files with 407 additions and 16 deletions


@ -0,0 +1,4 @@
- name: backup-notifications setup
hosts: backup-notifications
roles:
- backup-notifications

4
deploy-borg.yml Normal file

@ -0,0 +1,4 @@
- name: borg setup
hosts: borg
roles:
- borg

4
deploy-ntfy.yml Normal file

@ -0,0 +1,4 @@
- name: ntfy setup
hosts: ntfy
roles:
- ntfy

4
deploy-rainrainrain.yml Normal file

@ -0,0 +1,4 @@
- name: rainrainrain setup
hosts: rainrainrain
roles:
- rainrainrain

23
group_vars/borg.yml Normal file

@ -0,0 +1,23 @@
borg_password: "{{ lookup('env', 'BORG_ENCRYPTION_PASSWORD') }}"
borg_repo: "{{ lookup('env', 'BORG_REPO') }}"
borg_secret_key: "{{ lookup('env', 'BORG_SECRET_KEY') }}"
borg_my_user: "root"
borg_my_group: "root"
borg_ssh_key: "/root/borg_ssh_key"
backup_topic: "{{ lookup('env', 'BORG_BACKUP_TOPIC') }}"
base_files:
- /home
- /root
- /var
- /etc
- /boot
- /opt
extra_files:
europa:
- /mnt/ssd-01/owncloud
- /mnt/ssd-01/borg/sync.sh
- /mnt/ssd-01/borg/.config
- /mnt/ssd-01/borg/.ssh
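Review bot: `base_files` contains `/root` while `borg_ssh_key` is `/root/borg_ssh_key`, so the private key that authenticates each host to the backup repository is itself archived into that repository on every run, and europa additionally backs up `/mnt/ssd-01/borg/.ssh`; repository read access plus the passphrase then yields the push credential. Consider excluding those paths through the borgbase role's `borg_exclude_patterns` list (if the role version in use provides it) or a borg exclude file. Because `borg_secret_key` comes from a single controller-side `BORG_SECRET_KEY`, all six `[borg]` hosts appear to share one key, so revoking a compromised host means rotating all of them; per-host keys in `host_vars` would keep that to one machine. Finally, `lookup('env', ...)` returns an empty string when the variable is unset, so a missing passphrase or key does not fail the play; an `assert` task checking that each of these variables is non-empty before the borg role runs would catch that.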


@ -1,3 +1,11 @@
[borg]
nijika ansible_user=root ansible_connection=ssh
ryo ansible_user=root ansible_connection=ssh
levi ansible_user=root ansible_connection=ssh
mail.simponic.xyz ansible_user=root ansible_connection=ssh
europa ansible_user=root ansible_connection=ssh
johan ansible_user=root ansible_connection=ssh
[prod]
nijika ansible_user=root ansible_connection=ssh
ryo ansible_user=root ansible_connection=ssh
@ -66,3 +74,12 @@ europa ansible_user=root ansible_connection=ssh
[hatecomputers]
levi ansible_user=root ansible_connection=ssh
[ntfy]
johan ansible_user=root ansible_connection=ssh
[backup-notifications]
johan ansible_user=root ansible_connection=ssh
[rainrainrain]
levi ansible_user=root ansible_connection=ssh


@ -0,0 +1,22 @@
---
- name: ensure backup-notifications docker/compose exist
file:
path: /etc/docker/compose/backup-notifications
state: directory
owner: root
group: root
mode: 0700
- name: build backup-notifications docker-compose.yml.j2
template:
src: ../templates/docker-compose.yml.j2
dest: /etc/docker/compose/backup-notifications/docker-compose.yml
owner: root
group: root
mode: u=rw,g=r,o=r
- name: daemon-reload and enable backup-notifications
ansible.builtin.systemd_service:
state: restarted
enabled: true
name: docker-compose@backup-notifications
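Review bot: The task named `daemon-reload and enable backup-notifications` never reloads systemd — `ansible.builtin.systemd_service` only does that with `daemon_reload: true` — and `state: restarted` bounces the container on every play run even when the rendered compose file is unchanged. Prefer `state: started` here and have the template task `notify` a restart handler, so a restart happens only when the file actually changes. The same pattern is repeated in `roles/ntfy/tasks/main.yml` further down this page. `mode: 0700` relies on the leading-zero octal parse while the following task uses the symbolic form; `mode: "0700"` removes the ambiguity.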


@ -0,0 +1,14 @@
version: "3"
services:
backup-notify:
image: git.simponic.xyz/simponic/backup-notify:latest
healthcheck:
test: ["CMD", "wget", "--spider", "http://localhost:8080/health"]
interval: 5s
timeout: 10s
retries: 5
ports:
- "127.0.0.1:31152:8080"
volumes:
- ./db:/app/db
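Review bot: `image: git.simponic.xyz/simponic/backup-notify:latest` is unpinned, so whatever the registry serves as `latest` at pull time is what runs; pin a version tag or a digest (`image: git.simponic.xyz/simponic/backup-notify@sha256:<digest>`) and bump it deliberately. The healthcheck's `timeout: 10s` exceeds its `interval: 5s`, so a stalled probe overlaps the next one; keep `timeout` at or below the interval. Publishing only on `127.0.0.1` and fronting the service with nginx is the right shape.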

28
roles/borg/tasks/main.yml Normal file

@ -0,0 +1,28 @@
- name: copy key
template:
src: ../templates/borg_ssh_key.j2
dest: /root/borg_ssh_key
owner: root
group: root
mode: 0600
- name: push borg
import_role:
name: borgbase.ansible_role_borgbackup
vars:
borg_encryption_passphrase: "{{ borg_password }}"
borg_repository: "{{ borg_repo }}"
borg_user: "{{ borg_my_user }}"
borg_group: "{{ borg_my_group }}"
borgmatic_timer: cron
borg_ssh_command: "ssh -o StrictHostKeyChecking=no -i {{ borg_ssh_key }}"
borg_source_directories:
"{{ base_files + (extra_files[inventory_hostname] | default([])) }}"
borg_retention_policy:
keep_hourly: 3
keep_daily: 7
keep_weekly: 4
keep_monthly: 6
borgmatic_hooks:
after_backup:
- "curl -d '{{ inventory_hostname }}' {{ backup_topic }}"
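Review bot: `borg_ssh_command` passes `-o StrictHostKeyChecking=no`, so the client never verifies the repository host's key and will push to whichever host answers at `borg_repo`; ship the repository host's public key with `ansible.builtin.known_hosts` and drop the option, or use `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=/root/.ssh/borg_known_hosts`. `borgmatic_hooks` defines only `after_backup`, so the ntfy topic hears about successes and never about failures; borgmatic's `on_error` hook posting the same way would make silent backup failures visible. The hook embeds `{{ backup_topic }}` unquoted in a shell line, which is fine only while the topic URL contains no shell metacharacters — quoting it like the hostname costs nothing. The `copy key` task at `mode: 0600` is correct, but note the key's destination is inside `/root`, which `base_files` also archives.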


@ -0,0 +1 @@
{{ borg_secret_key | b64decode }}


@ -15,9 +15,11 @@
- curl
- gnupg-agent
- software-properties-common
- sudo
- systemd-timesyncd
state: latest
update_cache: yes
upgrade: yes
- name: enable systemd-timesyncd
ansible.builtin.systemd_service:


@ -12,5 +12,4 @@ rainrainra.in. IN NS {{ dns_primary_hostname }}.simponic.xyz.
rainrainra.in. IN NS {{ dns_replica_hostname }}.simponic.xyz.
; Other A records
@ IN A 129.123.76.14
www IN A 129.123.76.14
@ IN A 23.95.214.176


@ -29,6 +29,7 @@ chesshbot.simponic.xyz. 1 IN A 129.123.76.14
;; CNAME Records
secure.tunnel.simponic.xyz. 1 IN CNAME simponic.xyz.
tunnel.simponic.xyz. 1 IN CNAME simponic.xyz.
party.simponic.xyz. 1 IN CNAME simponic.xyz.
static.simponic.xyz. 1 IN CNAME simponic.xyz.
www.simponic.xyz. 1 IN CNAME simponic.xyz.
s1._domainkey.simponic.xyz. 1 IN CNAME s1.domainkey.u25709709.wl210.sendgrid.net.
@ -37,6 +38,8 @@ headscale.simponic.xyz. 1 IN CNAME nijika.simponic.xyz.
authelia.simponic.xyz. 1 IN CNAME nijika.simponic.xyz.
git.simponic.xyz. 1 IN CNAME nijika.simponic.xyz.
lab.simponic.xyz. 1 IN CNAME simponic.tplinkdns.com.
;; MX Records
simponic.xyz. 1 IN MX 10 mail.simponic.xyz.
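Review bot: `lab.simponic.xyz.` is now a CNAME to `simponic.tplinkdns.com.`, a name under a third-party dynamic-DNS provider; if that registration lapses or is re-issued to another account the subdomain follows it (a dangling CNAME), and nothing in this commit ties it to a host under your control. If the target is a home router, an A record kept current by the DDNS client, or at least a zone comment naming who owns the `tplinkdns.com` entry, keeps that dependency visible. The `party.simponic.xyz.` CNAME matches the new party vhost in this commit.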

22
roles/ntfy/tasks/main.yml Normal file

@ -0,0 +1,22 @@
---
- name: ensure ntfy docker/compose exist
file:
path: /etc/docker/compose/ntfy
state: directory
owner: root
group: root
mode: 0700
- name: build ntfy docker-compose.yml.j2
template:
src: ../templates/docker-compose.yml.j2
dest: /etc/docker/compose/ntfy/docker-compose.yml
owner: root
group: root
mode: u=rw,g=r,o=r
- name: daemon-reload and enable ntfy
ansible.builtin.systemd_service:
state: restarted
enabled: true
name: docker-compose@ntfy


@ -0,0 +1,15 @@
version: "2.1"
services:
ntfy:
image: binwiederhier/ntfy
container_name: ntfy
command:
- serve
environment:
- TZ=UTC
volumes:
- ./cache:/var/cache/ntfy
- ./conf:/etc/ntfy
ports:
- 127.0.0.1:22311:80
restart: unless-stopped
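Review bot: `image: binwiederhier/ntfy` carries no tag or digest, so every pull tracks the publisher's `latest`; pin it to a release tag or a `@sha256:` digest. The commit mounts `./conf:/etc/ntfy` but ships no `server.yml` into it, and ntfy's default access is open, so unless a config exists out of band the borg `after_backup` hook posts to an unauthenticated topic reachable through the `ntfy.internal` vhost — consider `auth-default-access: deny-all` with a publish token for the backup hook and a read token for subscribers. Quote the port mapping as `"127.0.0.1:22311:80"` for consistency with the backup-notify compose file.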


@ -0,0 +1,13 @@
server {
listen 80;
server_name backups.internal.simponic.xyz;
location /.well-known/acme-challenge {
root /var/www/letsencrypt;
try_files $uri $uri/ =404;
}
location / {
rewrite ^ https://backups.internal.simponic.xyz$request_uri? permanent;
}
}


@ -0,0 +1,13 @@
server {
listen 80;
server_name ntfy.internal.simponic.xyz;
location /.well-known/acme-challenge {
root /var/www/letsencrypt;
try_files $uri $uri/ =404;
}
location / {
rewrite ^ https://ntfy.internal.simponic.xyz$request_uri? permanent;
}
}


@ -0,0 +1,32 @@
server {
listen 443 ssl;
server_name backups.internal.simponic.xyz;
ssl_certificate /etc/letsencrypt/live/backups.internal.simponic.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/backups.internal.simponic.xyz/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/backups.internal.simponic.xyz/fullchain.pem;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://127.0.0.1:31152;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $server_name;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
}
}
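Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables the deprecated TLS 1.0/1.1 on a brand-new vhost, and the cipher list includes 3DES (`DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`) and non-forward-secret RSA suites; `ssl_protocols TLSv1.2 TLSv1.3;` with the list trimmed to the ECDHE-GCM entries is enough for an internal service, and the trailing `!…` exclusions then become unnecessary. `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;` forwards whatever the client sent rather than the scheme this server terminated; since this block is the TLS endpoint it should be `proxy_set_header X-Forwarded-Proto $scheme;`, otherwise the backend sees a client-chosen or empty value. The same two lines are copied verbatim into the ntfy, hatecomputers ntfy, party and rainrainra.in 443 vhosts in this commit, so fix all of them or move the `ssl_*` settings into one `include` snippet.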


@ -0,0 +1,32 @@
server {
listen 443 ssl;
server_name ntfy.internal.simponic.xyz;
ssl_certificate /etc/letsencrypt/live/ntfy.internal.simponic.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ntfy.internal.simponic.xyz/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/ntfy.internal.simponic.xyz/fullchain.pem;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://127.0.0.1:22311;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $server_name;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
}
}


@ -13,6 +13,13 @@
proto: tcp
from: 100.64.0.0/10
- name: allow https from docker and other internal stuffs
ufw:
rule: allow
port: '443'
proto: tcp
from: 172.16.0.0/12
- name: restart ufw
service: name=ufw state=restarted enabled=yes


@ -0,0 +1,9 @@
---
- name: clone static repo
git:
repo: https://git.simponic.xyz/simponic/rainrainra.in.git
dest: /var/www/html/rainrainra.in
recursive: yes
clone: yes
update: yes
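Review bot: The clone lands the working tree, including its `.git` directory, directly under the path the new `rainrainra.in` 443 vhost serves as `root`, and that vhost's `try_files $uri $uri/ $uri.html` has no rule excluding dotfiles, so repository metadata (history, config, remote URL) is served to the public. Either add `location ~ /\.git { return 404; }` to the vhost template or clone elsewhere and copy only the site content into the web root; the renamed `simponic.xyz` static-site task on this page has the same layout. No `version` is pinned, so every run deploys whatever HEAD of the remote default branch is at that moment. `recursive: yes`, `clone: yes` and `update: yes` are the module defaults and can be dropped, or written as `true`.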


@ -17,7 +17,7 @@ services:
- VPN_SERVICE_PROVIDER=mullvad
- VPN_TYPE=openvpn
- OPENVPN_USER={{ openvpn_user }}
- SERVER_CITIES=Salt Lake City UT
- SERVER_CITIES=Seattle WA
qbittorrent:
image: hotio/qbittorrent:latest


@ -2,8 +2,8 @@
- name: clone static repo
git:
repo: https://git.simponic.xyz/simponic/static.simponic.xyz.git
dest: /var/www/html/static.simponic.xyz
repo: https://git.simponic.xyz/simponic/simponic.xyz.git
dest: /var/www/html/simponic.xyz
recursive: yes
clone: yes
update: yes


@ -8,7 +8,7 @@ services:
volumes:
- ./data/:/data/
ports:
- 8652:80
- 127.0.0.1:8652:80
environment:
- DOMAIN=https://vaultwarden.internal.simponic.xyz
- LOGIN_RATELIMIT_MAX_BURST=10
@ -33,4 +33,4 @@ services:
- SMTP_PORT=587
- SMTP_USERNAME=info@simponic.xyz
- SMTP_PASSWORD={{ email_password }}
- SMTP_AUTH_MECHANISM="Plain"
- SMTP_AUTH_MECHANISM="Plain"


@ -23,18 +23,18 @@
},
{
"action": "accept",
"src": ["group:sys", "10.128.0.0/9:*"],
"src": ["group:sys"],
"dst": ["group:sys:*", "10.128.0.0/9:*"]
},
{
"action": "accept",
"src": ["group:admin", "10.128.0.0/9:*"],
"dst": ["10.0.0.0/24:*", "10.128.0.0/9:*"]
"src": ["group:admin"],
"dst": ["group:admin:*", "10.128.0.0/9:*"]
},
{
"action": "accept",
"src": ["group:roomates"],
"dst": ["10.0.0.0/24:*"]
"dst": ["10.137.128.0/17:*"]
},
{
"action": "accept",


@ -0,0 +1,13 @@
server {
listen 80;
server_name ntfy.simponic.hatecomputers.club;
location /.well-known/acme-challenge {
root /var/www/letsencrypt;
try_files $uri $uri/ =404;
}
location / {
rewrite ^ https://ntfy.simponic.hatecomputers.club$request_uri? permanent;
}
}


@ -0,0 +1,13 @@
server {
listen 80;
server_name party.simponic.xyz;
location /.well-known/acme-challenge {
root /var/www/letsencrypt;
try_files $uri $uri/ =404;
}
location / {
rewrite ^ https://party.simponic.xyz$request_uri? permanent;
}
}


@ -0,0 +1,13 @@
server {
listen 80;
server_name rainrainra.in;
location /.well-known/acme-challenge {
root /var/www/letsencrypt;
try_files $uri $uri/ =404;
}
location / {
rewrite ^ https://rainrainra.in$request_uri? permanent;
}
}


@ -0,0 +1,34 @@
server {
listen 443 ssl;
allow 10.0.0.0/8;
allow 100.64.0.0/12;
deny all;
server_name ntfy.simponic.hatecomputers.club;
ssl_certificate /etc/letsencrypt/live/ntfy.simponic.hatecomputers.club/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ntfy.simponic.hatecomputers.club/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/ntfy.simponic.hatecomputers.club/fullchain.pem;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_prefer_server_ciphers on;
location / {
proxy_pass https://ntfy.internal.simponic.xyz;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
}
}
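Review bot: `allow 100.64.0.0/12;` admits only 100.64.0.0–100.79.255.255, whereas the ufw rule in this same commit uses the full CGNAT range `100.64.0.0/10`; if the allow list is meant for the tailnet (which assigns across the whole /10), a large part of it is denied here, so it should read `allow 100.64.0.0/10;`. `proxy_pass https://ntfy.internal.simponic.xyz;` speaks TLS to the upstream, but nginx does not verify upstream certificates unless told to; add `proxy_ssl_verify on;`, `proxy_ssl_server_name on;` and `proxy_ssl_trusted_certificate` pointing at the system CA bundle so the hop is authenticated. If that name resolves to this same host, `proxy_pass http://127.0.0.1:22311;` as in the internal vhost is simpler and avoids the second TLS termination.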


@ -0,0 +1,25 @@
server {
listen 443 ssl;
server_name party.simponic.xyz;
ssl_certificate /etc/letsencrypt/live/party.simponic.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/party.simponic.xyz/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/party.simponic.xyz/fullchain.pem;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_prefer_server_ciphers on;
root /var/www/html/party.simponic.xyz;
location / {
try_files $uri $uri/ $uri.html =404;
}
}


@ -0,0 +1,25 @@
server {
listen 443 ssl;
server_name rainrainra.in;
ssl_certificate /etc/letsencrypt/live/rainrainra.in/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/rainrainra.in/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/rainrainra.in/fullchain.pem;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_prefer_server_ciphers on;
root /var/www/html/rainrainra.in;
location / {
try_files $uri $uri/ $uri.html =404;
}
}


@ -17,7 +17,7 @@ server {
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_prefer_server_ciphers on;
root /var/www/html/static.simponic.xyz;
root /var/www/html/simponic.xyz;
location / {
try_files $uri $uri/ $uri.html =404;


@ -17,7 +17,7 @@ server {
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_prefer_server_ciphers on;
root /var/www/html/static.simponic.xyz;
root /var/www/html/simponic.xyz;
location / {
try_files $uri $uri/ $uri.html =404;


@ -17,7 +17,7 @@ server {
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_prefer_server_ciphers on;
root /var/www/html/static.simponic.xyz;
root /var/www/html/simponic.xyz;
location / {
try_files $uri $uri/ $uri.html =404;


@ -62,7 +62,7 @@
loop: "{{ nginx_conf_files.files }}"
register: extracted_domains
# simponic.xyz
# simponic.xyz & others
- name: request simponic letsencrypt certificates
shell: >
letsencrypt certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} \
@ -70,7 +70,7 @@
args:
creates: "/etc/letsencrypt/live/{{ item.stdout }}"
loop: "{{ extracted_domains.results }}"
when: '"simponic.xyz" in item.stdout'
when: 'not "hatecomputers.club" in item.stdout'
# hatecomputers.club
- name: build plugin template
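Review bot: `when: 'not "hatecomputers.club" in item.stdout'` reads awkwardly; the Jinja idiom is `when: '"hatecomputers.club" not in item.stdout'`. The switch from an allow-list on `simponic.xyz` to a deny-list also means every server_name extracted from the nginx configs now triggers a certificate request, including typos or test vhosts, which count against Let's Encrypt's per-domain rate limits; a comment above the task stating that intent would help the next reader. The `request simponic letsencrypt certificates` task begins in the earlier hunk and its `shell` command continues outside this one.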