Viyurz/vps
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: Viyurz:1514031f1e13d0c24b71796962df6d1ec7a58bdc
Branches Tags
Viyurz:main
..
compare: Viyurz:14b484dd37465a65e3657284d19ebec78dd9b30a
Branches Tags
Viyurz:main

No commits in common. "1514031f1e13d0c24b71796962df6d1ec7a58bdc" and "14b484dd37465a65e3657284d19ebec78dd9b30a" have entirely different histories.
1514031f1e ... 14b484dd37

47 changed files with 446 additions and 732 deletions
Show stats Expand all files Collapse all files

21
env.yml
View file

@ -1,5 +1,4 @@
domain: viyurz.fr
ldap_base_dn: dc=viyurz,dc=fr
timezone: "Europe/Paris"
host_uid: 1000
project_dir: "{{ ansible_env['HOME'] }}/docker-projects/{{ role_name }}"
@ -39,16 +38,14 @@ cifs_mounts:
projects:
- authelia
- coturn
- element
- etebase
- hedgedoc
- homepage
- lldap
- mailserver
- nginx
- postgres
- reverse-proxy
- searxng
- synapse
- syncthing
@ -57,10 +54,8 @@ projects:
projects_to_backup:
- authelia
- etebase
- hedgedoc
- lldap
- mailserver
- postgres
- synapse
@ -81,7 +76,6 @@ borg_prune_options: |
# Ports exposed to host
ports:
authelia: 9091
coturn_listening: 3478
coturn_tls_listening: 5349
coturn_relay_min: 49152
@ -90,7 +84,6 @@ ports:
etebase: 3735
hedgedoc: 8086
homepage: 8082
lldap: 17170
mailserver_smtp: 1025
mailserver_smtps: 1465
mailserver_imaps: 1993
@ -110,18 +103,17 @@ ports:
# UID in containers
users:
authelia: 1008
coturn: 666
etebase: 373
hedgedoc: 1004
hedgedoc_mysql: 1005
homepage: 8686
lldap: 1007
mailserver: 8
postgres: 70
searxng: 977
searxng_redis: 999
synapse: 991
synapse_postgres: 70
syncthing: 1001
syncthing_discosrv: 1002
syncthing_relaysrv: 1003
@ -135,17 +127,24 @@ volumes:
etebase_datadir: /mnt/etebasedata
hedgedoc_mysql_datadir: /mnt/hedgedoc/mysql-data
hedgedoc_configdir: /mnt/hedgedoc/config
lldap_datadir: /mnt/lldapdata
mailserver_datadir: /mnt/mailserverdata
mailserver_tls_certificate_file: "/etc/letsencrypt/live/mail.{{ domain }}/fullchain.pem"
mailserver_tls_certificate_key_file: "/etc/letsencrypt/live/mail.{{ domain }}/privkey.pem"
postgres_datadir: /mnt/postgresdata
synapse_datadir: /mnt/synapsedata
synapse_postgres_datadir: /mnt/synapsepgdata
syncthing_datadir: "{{ cifs_mounts['syncthing']['path'] }}"
uptime_kuma_datadir: /mnt/uptimekumadata
vaultwarden_datadir: /mnt/vwdata
# Service-specific variables
reverse_proxy:
ssl_certificate_file: "/etc/letsencrypt/live/{{ domain }}/fullchain.pem"
ssl_certificate_key_file: "/etc/letsencrypt/live/{{ domain }}/privkey.pem"
ssl_trusted_certificate_file: "/etc/letsencrypt/live/{{ domain }}/chain.pem"
resolver: "185.12.64.12 [a01:4ff:ff00::add:2] [2a01:4ff:ff00::add:1]"
synapse:
max_upload_size: 50M

1
playbooks/update-services.yml
View file

@ -7,7 +7,6 @@
hosts: localhost
vars:
run_backup: false
run_setup: true
run_update: true
vars_prompt:
- name: selected_projects

24
psql-create-db-user.sh
View file

@ -1,24 +0,0 @@
#!/bin/bash
read -rp "Database: " database
read -rp "User: " user
read -srp "Password: " password
echo ""
read -rp "Create database $database & user $user? [Y/n]: " answer
if ! [[ $answer =~ ^(Y|y)?$ ]]; then
exit 1
fi
stmts=(
"CREATE USER $user PASSWORD '$password'"
"CREATE DATABASE $database WITH OWNER = $user"
"GRANT ALL ON DATABASE $database TO $user"
)
for stmt in "${stmts[@]}"; do
docker exec postgres psql -c "$stmt"
done

24
roles/authelia/tasks/backup.yml
View file

@ -1,24 +0,0 @@
- name: "Backup PostgreSQL authelia database"
shell: >
docker exec postgres
pg_dump -c {{ role_name }} |
borg create
--compression lzma
"{{ borg_repodir }}::{{ role_name }}-{now:%Y-%m-%d_%H-%M-%S}"
-
--stdin-name dump_{{ role_name }}.sql
environment:
DOCKER_HOST: "{{ docker_host }}"
BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}"
become: true
- name: Prune borg repository
command:
cmd: |
borg prune
--glob-archives='{{ role_name }}-*'
{{ borg_prune_options }}
{{ borg_repodir }}
environment:
BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}"
become: true

14
roles/authelia/tasks/main.yml
View file

@ -1,14 +0,0 @@
- name: Include backup tasks
include_tasks:
file: backup.yml
when: run_backup | default(false) | bool
- name: Include setup tasks
include_tasks:
file: setup.yml
when: run_setup | default(false) | bool
- name: Include update tasks
include_tasks:
file: update.yml
when: run_update | default(false) | bool

23
roles/authelia/tasks/setup.yml
View file

@ -1,23 +0,0 @@
- name: "Create {{ project_dir }} project directory"
file:
path: "{{ project_dir }}"
state: directory
- name: Template docker-compose.yaml & configuration.yml to project directory
template:
src: "{{ item }}"
dest: "{{ project_dir }}/{{ item }}"
owner: "{{ host_uid }}"
group: "{{ host_uid }}"
mode: '640'
loop:
- docker-compose.yaml
- configuration.yml
register: authelia_template_configuration_result
# Separate task because template module cannot chown/chgrp to a non-existing user/group
- name: "Change group of homeserver.yaml to Authelia GID ({{ users['authelia'] + uid_shift }})"
file:
path: "{{ project_dir }}/configuration.yml"
group: "{{ users['authelia'] + uid_shift }}"
become: true

24
roles/authelia/tasks/update.yml
View file

@ -1,24 +0,0 @@
- name: Pull project services
community.docker.docker_compose:
project_src: "{{ project_dir }}"
recreate: never
pull: true
debug: true
when: docker_pull_images | bool
register: authelia_docker_compose_pull_result
- name: Display pulled image(s) name
set_fact:
authelia_pulled_images: "{{ authelia_pulled_images | default([]) + [item.pulled_image.name] }}"
loop: "{{ authelia_docker_compose_pull_result['actions'] | default([]) | selectattr('pulled_image', 'defined') }}"
- name: Include backup tasks
include_tasks:
file: backup.yml
# Make a backup if we didn't already make one and we pulled a new image
when: not run_backup and authelia_pulled_images is defined
- name: Create/Restart project services
community.docker.docker_compose:
project_src: "{{ project_dir }}"
restarted: "{{ authelia_template_configuration_result['changed'] | default(false) | bool }}"

72
roles/authelia/templates/configuration.yml
View file

@ -1,72 +0,0 @@
theme: 'auto'
totp:
issuer: '{{ domain }}'
identity_validation:
reset_password:
jwt_secret: '{{ authelia_secrets["jwt_secret"] }}'
authentication_backend:
refresh_interval: '1m'
ldap:
implementation: 'custom'
address: 'ldap://lldap:3890'
base_dn: '{{ ldap_base_dn }}'
users_filter: '(&({username_attribute}={input})(objectClass=person))'
groups_filter: '(member={dn})'
user: '{{ authelia_secrets["ldap_user"] }}'
password: '{{ authelia_secrets["ldap_password"] }}'
attributes:
distinguished_name: 'distinguishedName'
username: 'uid'
mail: 'mail'
member_of: 'memberOf'
group_name: 'cn'
password_policy:
standard:
enabled: true
min_length: 12
max_length: 128
require_uppercase: true
require_lowercase: true
require_number: true
require_special: true
access_control:
default_policy: 'deny'
rules:
- domain: 'auth.{{ domain }}'
policy: 'bypass'
- domain: 'ldap.{{ domain }}'
policy: 'two_factor'
subject: 'group:lldap_admin'
- domain: 'syncthing.{{ domain }}'
policy: 'two_factor'
subject: 'user:viyurz'
session:
cookies:
- name: 'authelia_session'
domain: '{{ domain }}'
authelia_url: 'https://auth.{{ domain }}'
storage:
encryption_key: '{{ authelia_secrets["encryption_key"] }}'
postgres:
address: postgres.{{ domain }}
database: authelia
username: '{{ authelia_secrets["postgres_user"] }}'
password: '{{ authelia_secrets["postgres_password"] }}'
notifier:
smtp:
address: 'submissions://mail.{{ domain }}:{{ ports["mailserver_smtps"] }}'
username: '{{ authelia_secrets["smtp_user"] }}'
password: '{{ authelia_secrets["smtp_password"] }}'
sender: 'Authelia <authelia@{{ domain }}>'
# identity_providers:

16
roles/authelia/templates/docker-compose.yaml
View file

@ -1,16 +0,0 @@
services:
authelia:
container_name: authelia
image: docker.io/authelia/authelia:4
restart: always
user: {{ users['authelia'] }}:{{ users['authelia'] }}
networks:
- authelia
ports:
- 127.0.0.1:{{ ports['authelia'] }}:9091
volumes:
- ./configuration.yml:/config/configuration.yml
networks:
authelia:
name: authelia

25
roles/lldap/tasks/backup.yml
View file

@ -1,25 +0,0 @@
- name: "Backup PostgreSQL lldap database & {{ volumes['lldap_datadir'] }} directory"
shell: >
docker exec postgres
pg_dump -c {{ role_name }} |
borg create
--compression lzma
"{{ borg_repodir }}::{{ role_name }}-{now:%Y-%m-%d_%H-%M-%S}"
"{{ volumes['lldap_datadir'] }}"
-
--stdin-name dump_{{ role_name }}.sql
environment:
DOCKER_HOST: "{{ docker_host }}"
BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}"
become: true
- name: Prune borg repository
command:
cmd: |
borg prune
--glob-archives='{{ role_name }}-*'
{{ borg_prune_options }}
{{ borg_repodir }}
environment:
BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}"
become: true

14
roles/lldap/tasks/main.yml
View file

@ -1,14 +0,0 @@
- name: Include backup tasks
include_tasks:
file: backup.yml
when: run_backup | default(false) | bool
- name: Include setup tasks
include_tasks:
file: setup.yml
when: run_setup | default(false) | bool
- name: Include update tasks
include_tasks:
file: update.yml
when: run_update | default(false) | bool

24
roles/lldap/tasks/setup.yml
View file

@ -1,24 +0,0 @@
- name: "Create {{ project_dir }} project directory"
file:
path: "{{ project_dir }}"
state: directory
- name: Template docker-compose.yaml & .env to project directory
template:
src: "{{ item }}"
dest: "{{ project_dir }}/{{ item }}"
owner: "{{ host_uid }}"
group: "{{ host_uid }}"
mode: '600'
loop:
- docker-compose.yaml
- .env
- name: "Create (if not exists) directory {{ volumes['lldap_datadir'] }} & set permissions"
file:
path: "{{ volumes['lldap_datadir'] }}"
state: directory
owner: "{{ users['lldap'] + uid_shift }}"
group: "{{ users['lldap'] + uid_shift }}"
mode: '700'
become: true

23
roles/lldap/tasks/update.yml
View file

@ -1,23 +0,0 @@
- name: Pull project services
community.docker.docker_compose:
project_src: "{{ project_dir }}"
recreate: never
pull: true
debug: true
when: docker_pull_images | bool
register: lldap_docker_compose_pull_result
- name: Display pulled image(s) name
set_fact:
lldap_pulled_images: "{{ lldap_pulled_images | default([]) + [item.pulled_image.name] }}"
loop: "{{ lldap_docker_compose_pull_result['actions'] | default([]) | selectattr('pulled_image', 'defined') }}"
- name: Include backup tasks
include_tasks:
file: backup.yml
# Make a backup if we didn't already make one and we pulled a new image
when: not run_backup and lldap_pulled_images is defined
- name: Create/Restart project services
community.docker.docker_compose:
project_src: "{{ project_dir }}"

7
roles/lldap/templates/.env
View file

@ -1,7 +0,0 @@
UID={{ users['lldap'] }}
GID={{ users['lldap'] }}
TZ={{ timezone }}
LLDAP_LDAP_BASE_DN={{ ldap_base_dn }}
LLDAP_JWT_SECRET='{{ lldap_secrets["jwt_secret"] }}'
LLDAP_KEY_SEED='{{ lldap_secrets["key_seed"] }}'
LLDAP_DATABASE_URL='postgres://{{ lldap_secrets["postgres_user"] }}:{{ lldap_secrets["postgres_password"] }}@postgres.{{ domain }}/lldap'

20
roles/lldap/templates/docker-compose.yaml
View file

@ -1,20 +0,0 @@
services:
lldap:
container_name: lldap
image: docker.io/lldap/lldap:latest-alpine-rootless
restart: always
user: {{ users['lldap'] }}:{{ users['lldap'] }}
env_file: .env
networks:
- authelia
- mailserver
ports:
- {{ ports['lldap'] }}:17170
volumes:
- {{ volumes['lldap_datadir'] }}:/data
networks:
authelia:
name: authelia
mailserver:
name: mailserver

2
roles/mailserver/templates/docker-compose.yaml
View file

@ -1,6 +1,6 @@
services:
mailserver:
image: docker.io/stalwartlabs/mail-server:v0.6.0
image: docker.io/stalwartlabs/mail-server:latest
container_name: mailserver
restart: always
ports:

60
roles/nginx/tasks/main.yml
View file

@ -1,60 +0,0 @@
- name:
become: true
block:
- name: Install package nginx
apt:
name: nginx
- name: Delete directories in /etc/nginx/
file:
path: "/etc/nginx/{{ item }}"
state: absent
loop:
- sites-enabled
- snippets
- name: Create directories in /etc/nginx/
file:
path: "/etc/nginx/{{ item }}"
state: directory
loop:
- sites-enabled
- snippets
- name: Template configuration files to /etc/nginx/
template:
src: "{{ item.src }}"
dest: "/etc/nginx/{{ item.path }}"
owner: root
group: root
mode: '644'
with_filetree: ../templates/
when: item.state == 'file'
- name: Get state of file /etc/nginx/dhparam.txt
stat:
path: /etc/nginx/dhparam.txt
register: nginx_stat_dhparam_result
- name: Download dhparam file from Mozilla
get_url:
url: https://ssl-config.mozilla.org/ffdhe2048.txt
dest: /etc/nginx/dhparam.txt
when: not nginx_stat_dhparam_result.stat.exists
- name: Set correct permissions on certificate directories
file:
path: "/etc/letsencrypt/{{ item }}/{{ domain }}"
state: directory
owner: root
group: root
mode: '750'
loop:
- live
- archive
- name: Start/Reload NGINX service
service:
name: nginx
state: reloaded
enabled: yes

38
roles/nginx/templates/nginx.conf
View file

@ -1,38 +0,0 @@
user www-data;
worker_processes auto;
worker_rlimit_nofile 1024;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 512;
multi_accept off;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
gzip off;
server_tokens off;
keepalive_timeout 30;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
include /etc/nginx/mime.types;
# Needed to support websocket connections
map $http_upgrade $connection_upgrade {
default upgrade;
'' "";
}
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/snippets/proxy.conf;
include /etc/nginx/snippets/ssl.conf;
include /etc/nginx/snippets/ssl-headers.conf;
include /etc/nginx/sites-enabled/*;
}

10
roles/nginx/templates/sites-enabled/authelia.conf
View file

@ -1,10 +0,0 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name auth.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['authelia'] }};
}
}

15
roles/nginx/templates/sites-enabled/default.conf
View file

@ -1,15 +0,0 @@
# Redirect HTTP to HTTPS
server {
listen 80 default_server;
listen [::]:80 default_server;
return 308 https://$host$request_uri;
}
# Default HTTPS server
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
return 404;
}

9
roles/nginx/templates/sites-enabled/downloads.conf
View file

@ -1,9 +0,0 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name dl.{{ domain }};
root /var/www/html;
autoindex on;
}

16
roles/nginx/templates/sites-enabled/element.conf
View file

@ -1,16 +0,0 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name element.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['element'] }};
include /etc/nginx/snippets/ssl-headers.conf;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors 'none'";
}
}

10
roles/nginx/templates/sites-enabled/etebase.conf
View file

@ -1,10 +0,0 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name etebase.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['etebase'] }};
}
}

16
roles/nginx/templates/sites-enabled/hedgedoc.conf
View file

@ -1,16 +0,0 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name hedgedoc.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }};
}
location /socket.io/ {
proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }};
include /etc/nginx/snippets/websocket.conf;
}
}

25
roles/nginx/templates/sites-enabled/homepage.conf
View file

@ -1,25 +0,0 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name {{ domain }};
location = /.well-known/matrix/server {
default_type application/json;
return 200 '{ "m.server": "matrix.{{ domain }}:443" }';
}
location = /.well-known/matrix/client {
default_type application/json;
include /etc/nginx/snippets/ssl-headers.conf;
add_header Access-Control-Allow-Origin '*';
return 200 '{ "m.homeserver": { "base_url": "https://matrix.{{ domain }}" } }';
}
location / {
proxy_pass http://127.0.0.1:{{ ports['homepage'] }};
}
}

12
roles/nginx/templates/sites-enabled/jmap.conf
View file

@ -1,12 +0,0 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name jmap.{{ domain }};
location / {
proxy_pass https://127.0.0.1:{{ ports['mailserver_jmap'] }};
include /etc/nginx/snippets/websocket.conf;
}
}

14
roles/nginx/templates/sites-enabled/lldap.conf
View file

@ -1,14 +0,0 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name ldap.{{ domain }};
include /etc/nginx/snippets/authelia-location.conf;
location / {
proxy_pass http://127.0.0.1:{{ ports['lldap'] }};
include /etc/nginx/snippets/authelia-authrequest.conf;
}
}

13
roles/nginx/templates/sites-enabled/searxng.conf
View file

@ -1,13 +0,0 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name searx.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['searxng'] }};
include /etc/nginx/snippets/ssl-headers.conf;
add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com";
}
}

12
roles/nginx/templates/sites-enabled/synapse.conf
View file

@ -1,12 +0,0 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name matrix.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['synapse'] }};
client_max_body_size {{ synapse['max_upload_size'] }};
}
}

16
roles/nginx/templates/sites-enabled/syncthing-discovery.conf
View file

@ -1,16 +0,0 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name stdisco.{{ domain }};
ssl_verify_client optional_no_ca;
location / {
proxy_pass http://127.0.0.1:{{ ports['syncthing_discosrv'] }};
proxy_set_header X-Client-Port $remote_port;
proxy_set_header X-SSL-Cert $ssl_client_cert;
include /etc/nginx/snippets/websocket.conf;
}
}

14
roles/nginx/templates/sites-enabled/syncthing.conf
View file

@ -1,14 +0,0 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name syncthing.{{ domain }};
include /etc/nginx/snippets/authelia-location.conf;
location / {
proxy_pass http://127.0.0.1:{{ ports['syncthing_webui'] }};
include /etc/nginx/snippets/authelia-authrequest.conf;
}
}

12
roles/nginx/templates/sites-enabled/uptime-kuma.conf
View file

@ -1,12 +0,0 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name status.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['uptime_kuma'] }};
include /etc/nginx/snippets/websocket.conf;
}
}

18
roles/nginx/templates/sites-enabled/vaultwarden.conf
View file

@ -1,18 +0,0 @@
upstream vaultwarden {
zone vaultwarden 64k;
server 127.0.0.1:{{ ports['vaultwarden'] }};
keepalive 2;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name vw.{{ domain }};
location / {
proxy_pass http://vaultwarden;
include /etc/nginx/snippets/websocket.conf;
}
}

15
roles/nginx/templates/snippets/authelia-authrequest.conf
View file

@ -1,15 +0,0 @@
auth_request /internal/authelia/authz;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Email $email;
proxy_set_header Remote-Name $name;
auth_request_set $redirection_url $upstream_http_location;
error_page 401 =302 $redirection_url;

18
roles/nginx/templates/snippets/authelia-location.conf
View file

@ -1,18 +0,0 @@
location /internal/authelia/authz {
internal;
proxy_pass http://127.0.0.1:{{ ports['authelia'] }}/api/authz/auth-request;
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Content-Length "";
proxy_set_header Connection "";
proxy_pass_request_body off;
proxy_http_version 1.1;
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;
client_body_buffer_size 128k;
}

10
roles/nginx/templates/snippets/proxy.conf
View file

@ -1,10 +0,0 @@
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-URI $request_uri;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;

18
roles/nginx/templates/snippets/ssl.conf
View file

@ -1,18 +0,0 @@
ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/chain.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /etc/nginx/dhparam.txt;
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;

2
roles/nginx/templates/snippets/websocket.conf
View file

@ -1,2 +0,0 @@
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;

0
roles/nginx/templates/snippets/ssl-headers.conf → roles/reverse-proxy/files/ssl-headers.conf
View file

79
roles/reverse-proxy/tasks/main.yml Normal file
View file

@ -0,0 +1,79 @@
- name:
become: true
block:
- name: Install package nginx
apt:
name: nginx
- name: Template nginx.conf to /etc/nginx/nginx.conf
template:
src: nginx.conf
dest: /etc/nginx/nginx.conf
owner: root
group: root
mode: '644'
register: nginx_template_nginx_conf_result
- name: Template reverse-proxy.conf to /etc/nginx/sites-available/reverse-proxy.conf
template:
src: reverse-proxy.conf
dest: /etc/nginx/sites-available/reverse-proxy.conf
owner: root
group: root
mode: '644'
register: nginx_template_reverse_proxy_conf_result
- name: Copy ssl-headers.conf to /etc/nginx/conf.d/ssl-headers.conf
copy:
src: files/ssl-headers.conf
dest: /etc/nginx/conf.d/ssl-headers.conf
owner: root
group: root
mode: '644'
register: nginx_copy_ssl_headers_conf_result
- name: Remove all enabled NGINX sites
file:
state: "{{ item }}"
path: "/etc/nginx/sites-enabled"
owner: root
group: root
mode: '755'
loop:
- absent
- directory
- name: Enable reverse-proxy.conf site
file:
state: link
src: /etc/nginx/sites-available/reverse-proxy.conf
dest: /etc/nginx/sites-enabled/reverse-proxy.conf
- name: Get state of file /etc/nginx/dhparam.txt
stat:
path: /etc/nginx/dhparam.txt
register: nginx_stat_dhparam_result
- name: Download dhparam file from Mozilla
get_url:
url: https://ssl-config.mozilla.org/ffdhe2048.txt
dest: /etc/nginx/dhparam.txt
when: not nginx_stat_dhparam_result.stat.exists
- name: Set correct permissions on certificate directories
file:
path: "/etc/letsencrypt/{{ item }}/{{ domain }}"
state: directory
owner: root
group: root
mode: '750'
loop:
- live
- archive
- name: Start/Reload NGINX service
service:
name: nginx
# Reload if conf changed, if not make sure it is started
state: "{{ (nginx_template_nginx_conf_result['changed'] or nginx_template_reverse_proxy_conf_result['changed'] or nginx_copy_ssl_headers_conf_result['changed']) | ternary('reloaded', 'started') }}"
enabled: yes

84
roles/reverse-proxy/templates/nginx.conf Normal file
View file

@ -0,0 +1,84 @@
user www-data;
worker_processes auto;
worker_rlimit_nofile 1024;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 512;
multi_accept off;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
gzip off;
server_tokens off;
keepalive_timeout 30;
include /etc/nginx/mime.types;
##
# SSL Settings
##
ssl_certificate {{ reverse_proxy['ssl_certificate_file'] }};
ssl_certificate_key {{ reverse_proxy['ssl_certificate_key_file'] }};
ssl_trusted_certificate {{ reverse_proxy['ssl_trusted_certificate_file'] }};
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /etc/nginx/dhparam.txt;
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Headers
##
resolver {{ reverse_proxy['resolver'] }};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Scheme $scheme;
# Needed to support websocket connections
# See: https://nginx.org/en/docs/http/websocket.html
# Instead of "close" as stated in the above link we send an empty value.
# Else all keepalive connections will not work.
map $http_upgrade $connection_upgrade {
default upgrade;
'' "";
}
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

228
roles/reverse-proxy/templates/reverse-proxy.conf Normal file
View file

@ -0,0 +1,228 @@
# Redirect HTTP to HTTPS
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 308 https://$host$request_uri;
}
# Default HTTPS server
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name _;
server_name_in_redirect off;
return 404;
}
# Homepage
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ domain }};
location = /.well-known/matrix/server {
default_type application/json;
return 200 '{ "m.server": "matrix.{{ domain }}:443" }';
}
location = /.well-known/matrix/client {
default_type application/json;
include /etc/nginx/conf.d/ssl-headers.conf;
add_header Access-Control-Allow-Origin '*';
return 200 '{ "m.homeserver": { "base_url": "https://matrix.{{ domain }}" } }';
}
location / {
proxy_pass http://127.0.0.1:{{ ports['homepage'] }};
}
}
# Downloads
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name dl.{{ domain }};
root /var/www/html;
autoindex on;
}
# Element
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name element.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['element'] }};
include /etc/nginx/conf.d/ssl-headers.conf;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors 'none'";
}
}
# Etebase
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name etebase.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['etebase'] }};
}
}
# Hedgedoc
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name hedgedoc.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }};
}
location /socket.io/ {
proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }};
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
}
}
# JMAP
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name mail.{{ domain }};
location / {
proxy_pass https://127.0.0.1:{{ ports['mailserver_jmap'] }};
# Websocket
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
# SearXNG
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name searx.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['searxng'] }};
include /etc/nginx/conf.d/ssl-headers.conf;
add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com";
}
}
# Synapse
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name matrix.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['synapse'] }};
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size {{ synapse['max_upload_size'] }};
}
}
# Syncthing Discovery
upstream stdisco.{{ domain }} {
# Local IP address:port for discovery server
server 127.0.0.1:{{ ports['syncthing_discosrv'] }};
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name stdisco.{{ domain }};
ssl_verify_client optional_no_ca;
location / {
proxy_pass http://stdisco.{{ domain }};
proxy_set_header X-Client-Port $remote_port;
proxy_set_header X-SSL-Cert $ssl_client_cert;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
}
}
# Uptime Kuma
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name status.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['uptime_kuma'] }};
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
# Vaultwarden
upstream vaultwarden-default {
zone vaultwarden-default 64k;
server 127.0.0.1:{{ ports['vaultwarden'] }};
keepalive 2;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name vw.{{ domain }};
location / {
proxy_pass http://vaultwarden-default;
# Websocket
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}

25
roles/synapse/tasks/backup.yml
View file

@ -1,15 +1,22 @@
- name: "Backup PostgreSQL synapse database & {{ volumes['synapse_datadir'] }} directory"
shell: >
docker exec postgres
pg_dump -c {{ role_name }} |
- name: Backup PostgreSQL database
community.docker.docker_container_exec:
container: synapse-postgres
docker_host: "{{ docker_host }}"
command: |
pg_dump -c
-d synapse
-U synapse
-f /var/lib/postgresql/data/synapse-dump.sql
- name: Create borg backup
command:
cmd: |
borg create
--compression lzma
--compression=lzma
"{{ borg_repodir }}::{{ role_name }}-{now:%Y-%m-%d_%H-%M-%S}"
"{{ volumes['synapse_datadir'] }}"
-
--stdin-name dump_{{ role_name }}.sql
{{ volumes['synapse_datadir'] }}/media_store
{{ volumes['synapse_postgres_datadir'] }}/synapse-dump.sql
environment:
DOCKER_HOST: "{{ docker_host }}"
BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}"
become: true

9
roles/synapse/tasks/update.yml
View file

@ -36,6 +36,15 @@
mode: '770'
become: true
- name: "Create directory {{ volumes['synapse_postgres_datadir'] }} with correct permissions"
file:
path: "{{ volumes['synapse_postgres_datadir'] }}"
state: directory
owner: "{{ users['synapse_postgres'] + uid_shift }}"
group: "{{ users['synapse_postgres'] + uid_shift }}"
mode: '700'
become: true
- name: Pull project services
community.docker.docker_compose:
project_src: "{{ project_dir }}"

13
roles/synapse/templates/docker-compose.yaml
View file

@ -1,4 +1,17 @@
services:
postgres:
container_name: synapse-postgres
image: docker.io/library/postgres:alpine
restart: always
user: {{ users['synapse_postgres'] }}:{{ users['synapse_postgres'] }}
environment:
LANG: C
POSTGRES_INITDB_ARGS: "--locale=C --encoding=UTF8"
POSTGRES_USER: synapse
POSTGRES_PASSWORD: {{ synapse_secrets['postgres_password'] }}
volumes:
- {{ volumes['synapse_postgres_datadir'] }}:/var/lib/postgresql/data
synapse:
container_name: synapse
image: docker.io/matrixdotorg/synapse:latest

6
roles/synapse/templates/homeserver.yaml
View file

@ -33,10 +33,10 @@ max_avatar_size: 2M
database:
name: psycopg2
args:
user: '{{ synapse_secrets["postgres_user"] }}'
password: '{{ synapse_secrets["postgres_password"] }}'
user: synapse
password: {{ synapse_secrets['postgres_password'] }}
dbname: synapse
host: 'postgres.{{ domain }}'
host: synapse-postgres
cp_min: 5
cp_max: 10

23
secrets.yml.example
View file

@ -1,5 +1,3 @@
# To generate random secret: openssl rand -base64 <length>
ansible_become_password:
borg_passphrase:
@ -8,38 +6,19 @@ cifs_credentials:
username:
password:
authelia_secrets:
# Encryption key for the database, must be saved
encryption_key:
jwt_secret:
# LDAP bind dn
ldap_user:
ldap_password:
postgres_user:
postgres_password:
smtp_user:
smtp_password:
# To generate random secret: openssl rand -base64 50
coturn_secrets:
static_auth_secret:
hedgedoc_secrets:
mysql_root_password:
lldap_secrets:
jwt_secret:
key_seed:
postgres_user:
postgres_password:
searxng_secrets:
searxng_secret:
synapse_secrets:
smtp_user:
smtp_pass:
postgres_user:
postgres_password:
turn_shared_secret: "{{ coturn_secrets['static_auth_secret'] }}"
macaroon_secret_key: