From 1ef70ae1f07deb75959f107c0c5c03925a84ba67 Mon Sep 17 00:00:00 2001
From: Perflyst
Date: Tue, 9 Mar 2021 13:42:28 +0100
Subject: [PATCH] Add playbook
---
 .gitignore | 2 +
 group_vars/all/vault | 8 +++
 group_vars/main/main.yml | 22 +++++++
 inventory.yml | 7 +++
 main.yml | 89 +++++++++++++++++++++++++++++
 requirements.yml | 9 +++
 templates/Caddyfile.j2 | 66 +++++++++++++++++++++
 templates/authorized_keys.j2 | 4 ++
 templates/docker-compose-wikijs.yml | 32 +++++++++++
 templates/sshd_config.j2 | 27 +++++++++
 10 files changed, 266 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 group_vars/all/vault
 create mode 100644 group_vars/main/main.yml
 create mode 100644 inventory.yml
 create mode 100644 main.yml
 create mode 100644 requirements.yml
 create mode 100644 templates/Caddyfile.j2
 create mode 100644 templates/authorized_keys.j2
 create mode 100644 templates/docker-compose-wikijs.yml
 create mode 100644 templates/sshd_config.j2
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e009a5d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+ansible.cfg
+roles
diff --git a/group_vars/all/vault b/group_vars/all/vault
new file mode 100644
index 0000000..52f6b44
--- /dev/null
+++ b/group_vars/all/vault
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+30613534346431333631646634333061336363386330343564323661356666663233656137343132
+3034323166623230643138663761386234393537626262300a373139366231623230343361353937
+37663037323733623561356130373834396136336433636338646635666330666437323564636537
+3731636465626463300a613263333138613230346639646337313332366262613630643164666431
+34636632643161383436326338646366323031363237343965336633343131353165613961653063
+65316162613535353432613962353535333631326166383035366532366564653435613835356634
+396466653535653563393632313736613735
diff --git a/group_vars/main/main.yml b/group_vars/main/main.yml
new file mode 100644
index 0000000..b4bcd41
--- /dev/null
+++ b/group_vars/main/main.yml
@@ -0,0 +1,22 @@
+ansible_python_interpreter: /usr/bin/python3
+ansible_user: root
+ansible_port: 233
+
+apt_packages:
+  - vim
+  - tmux
+  - screen
+  - htop
+  - bash-completion
+  - net-tools
+  - python3-setuptools
+  - jq
+
+pip_install_packages:
+  - name: docker
+  - name: docker-compose
+
+caddy_user: caddy
+caddy_setcap: false
+caddy_systemd_capabilities_enabled: true
+caddy_config: "{{ lookup('template', 'templates/Caddyfile.j2') }}"
diff --git a/inventory.yml b/inventory.yml
new file mode 100644
index 0000000..ced6667
--- /dev/null
+++ b/inventory.yml
@@ -0,0 +1,7 @@
+---
+all:
+  children:
+    main:
+      hosts:
+        invidious.io:
+          ansible_host: 188.34.196.170
diff --git a/main.yml b/main.yml
new file mode 100644
index 0000000..570d7fd
--- /dev/null
+++ b/main.yml
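Review bot: The `pip_install_packages` entries carry no version, so every run installs whichever `docker` and `docker-compose` release PyPI serves that day, while requirements.yml pins each role to a tag; the two files should follow the same supply-chain discipline. geerlingguy.pip accepts a per-entry `version` key, so `- name: docker-compose` / `  version: "<pinned version>"` (placeholder) would fix the set the playbook was tested with. `caddy_config` pulls the whole Caddyfile through a template lookup, which is fine, but a one-line comment saying the lookup is resolved on the controller at variable-evaluation time, not on the host, would save the next reader a surprise.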
@@ -0,0 +1,89 @@
+---
+- hosts: main
+  handlers:
+    - name: restart ssh
+      systemd:
+        name: sshd
+        state: restarted
+
+  tasks:
+    - name: SSH config
+      template:
+        src: sshd_config.j2
+        dest: /etc/ssh/sshd_config
+        mode: 0644
+      notify: restart ssh
+      tags: [ssh,base]
+
+    - name: SSH keys
+      template:
+        src: authorized_keys.j2
+        dest: /root/.ssh/authorized_keys
+        mode: 0600
+      tags: [ssh,base]
+
+    - name: Install packages
+      apt:
+        name: "{{ apt_packages }}"
+      tags: [apt,base]
+
+    - name: unattended-upgrades
+      import_role:
+        name: jvn.unattended-upgrades
+      tags: [unattended-upgrades]
+
+    - name: pip
+      import_role:
+        name: geerlingguy.pip
+      tags: [pip,docker]
+
+    - name: docker
+      import_role:
+        name: geerlingguy.docker
+      tags: [dockerd,docker]
+
+    - name: Create Invidious API container
+      community.docker.docker_container:
+        name: api
+        image: quay.io/invidious/instances:latest
+        pull: true
+        restart_policy: unless-stopped
+        published_ports:
+          - "127.0.0.1:3000:3000"
+      tags: [api,instances,docker]
+
+    - name: Create Invidious redirect container
+      community.docker.docker_container:
+        name: redirect
+        image: quay.io/invidious/invidious-redirect:latest
+        pull: true
+        restart_policy: unless-stopped
+        published_ports:
+          - "127.0.0.1:8080:80"
+      tags: [redirect,docker]
+
+    - name: Create wikijs compose folder
+      file:
+        path: /root/compose/wikijs/
+        state: directory
+        recurse: true
+        mode: 0755
+      tags: [wikijs,docker]
+
+    - name: Template wikijs docker compose
+      template:
+        src: docker-compose-wikijs.yml
+        dest: /root/compose/wikijs/docker-compose.yml
+        mode: 0600
+      tags: [wikijs,docker]
+
+    - name: Compose wikijs
+      community.docker.docker_compose:
+        project_src: /root/compose/wikijs
+        pull: true
+      tags: [wikijs,docker]
+
+    - name: caddy
+      import_role:
+        name: caddy_ansible.caddy_ansible
+      tags: [ caddy ]
diff --git a/requirements.yml b/requirements.yml
new file mode 100644
index 0000000..892f0d9
--- /dev/null
+++ b/requirements.yml
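Review bot: The `SSH config` task overwrites /etc/ssh/sshd_config and notifies `restart ssh` without a `validate:` step, so a template that renders badly (a missing IPv6 fact, a typo) is restarted into and, because the rendered config allows root by key only, takes the only login path with it. Adding `validate: /usr/sbin/sshd -t -f %s` and `backup: true` to that template task makes sshd refuse the file before it is installed. The `SSH keys` task writes /root/.ssh/authorized_keys but nothing ensures /root/.ssh exists with mode 0700 first; a `file: state: directory` task before it would make the play work on a fresh host. As a style point, `mode: 0644`, `0600` and `0755` are unquoted octal literals, which yamllint flags and some parsers read as decimal; `mode: "0644"` is the portable form.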
@@ -0,0 +1,9 @@
+roles:
+  - name: jvn.unattended-upgrades
+    version: v1.10.0
+  - name: geerlingguy.pip
+    version: 2.0.0
+  - name: geerlingguy.docker
+    version: 3.0.0
+  - name: caddy_ansible.caddy_ansible
+    version: TODO (wait for MRs)
diff --git a/templates/Caddyfile.j2 b/templates/Caddyfile.j2
new file mode 100644
index 0000000..a82325d
--- /dev/null
+++ b/templates/Caddyfile.j2
@@ -0,0 +1,66 @@
+# {{ ansible_managed }}
+
+(common) {
+  encode gzip
+  log {
+    output file /var/log/caddy/access.log {
+      roll_size 500mb
+      roll_keep 5
+    }
+    format filter {
+      wrap json
+      fields {
+        common_log delete
+        request>remote_addr ip_mask {
+          ipv4 24
+          ipv6 32
+        }
+      }
+    }
+  }
+}
+
+www.invidio.us {
+  import common
+  redir https://invidious.io{uri}
+}
+invidious.io {
+  import common
+  root * /var/www/invidious.io
+  file_server
+}
+git.invidious.io {
+  import common
+  redir https://github.com/iv-org/invidious
+}
+
+invidio.us {
+  import common
+  redir https://redirect.invidious.io{uri}
+  header /api* content-type "application/json"
+  respond /api* "{\"error\":\"This server no longer hosts the Invidious API.\"}" 410
+}
+redirect.invidious.io {
+  import common
+  reverse_proxy http://127.0.0.1:8080
+}
+
+instances.invidio.us {
+  import common
+  redir https://api.invidious.io{uri}
+}
+api.invidious.io {
+  import common
+  reverse_proxy http://127.0.0.1:3000
+  header /static* Cache-Control "max-age=86400"
+}
+
+uptime.invidio.us {
+  import common
+  redir https://uptime.invidious.io{uri}
+}
+
+docs.invidious.io {
+  import common
+  reverse_proxy http://127.0.0.1:3001
+}
diff --git a/templates/authorized_keys.j2 b/templates/authorized_keys.j2
new file mode 100644
index 0000000..a7fced2
--- /dev/null
+++ b/templates/authorized_keys.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfkXt+RnduQ6CKIuoe0GbLZM76O/lyWippAisuv0Qlk perflyst
+# TODO: thefrenchghosty creates new keys
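Review bot: `version: TODO (wait for MRs)` on the caddy_ansible.caddy_ansible entry is not an installable ref, so `ansible-galaxy install -r requirements.yml` cannot resolve that role until a real tag replaces it; a `# TODO` comment next to a provisional tag would keep the file usable meanwhile. The playbook also calls `community.docker.docker_container` and `community.docker.docker_compose`, but this file has no `collections:` section, so the collection version is whatever happens to be installed on the controller; add `collections:` / `  - name: community.docker` / `    version: "<pinned version>"` (placeholder) so the collection is pinned like the roles are.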
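Review bot: In the `invidio.us` block the `respond /api* ... 410` looks unreachable: `redir https://redirect.invidious.io{uri}` has no matcher, and as I read Caddy's default directive order `redir` is evaluated before `respond`, so `/api*` requests are redirected rather than answered with the 410 JSON (the `header /api*` line still runs first and sets a misleading content-type on the redirect). If the 410 is intended, exclude the API path from the redirect with a named matcher: `@notapi not path /api*` and `redir @notapi https://redirect.invidious.io{uri}`. Separately, `(common)` sets encoding and logging but no response headers, so none of the sites send `Strict-Transport-Security`; `header Strict-Transport-Security "max-age=31536000"` in the snippet would apply it everywhere, with `includeSubDomains` left off until every subdomain is confirmed HTTPS-only. The `ip_mask` log filter is a good choice for the access log; a one-line comment stating that it is there to avoid storing full client addresses would document the intent.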
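Review bot: The authorized key is hard-coded in the template and the `# TODO` line shows a second one is already expected, so every key rotation becomes a template edit. Rendering the file from a variable list, `{% for key in root_authorized_keys %}` / `{{ key }}` / `{% endfor %}`, with the keys kept in group_vars (or the vault) lets the key set be reviewed per host and added to without touching the template. The `no-port-forwarding,no-X11-forwarding,no-agent-forwarding` restrictions are consistent with `AllowTcpForwarding no` and `X11Forwarding no` in sshd_config.j2, which is worth stating in a comment so nobody removes one side without the other.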
diff --git a/templates/docker-compose-wikijs.yml b/templates/docker-compose-wikijs.yml
new file mode 100644
index 0000000..b8cae7b
--- /dev/null
+++ b/templates/docker-compose-wikijs.yml
@@ -0,0 +1,32 @@
+version: "3"
+services:
+
+  db:
+    image: docker.io/postgres:11-alpine
+    environment:
+      POSTGRES_DB: wikijs
+      POSTGRES_PASSWORD: "{{ vault_wikijs_db_password }}"
+      POSTGRES_USER: wikijs
+    logging:
+      driver: "none"
+    restart: unless-stopped
+    volumes:
+      - db-data:/var/lib/postgresql/data
+
+  wiki:
+    image: requarks/wiki:2.5
+    depends_on:
+      - db
+    environment:
+      DB_TYPE: postgres
+      DB_HOST: db
+      DB_PORT: 5432
+      DB_USER: wikijs
+      DB_PASS: "{{ vault_wikijs_db_password }}"
+      DB_NAME: wikijs
+    restart: unless-stopped
+    ports:
+      - "127.0.0.1:3001:3000"
+
+volumes:
+  db-data:
diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
new file mode 100644
index 0000000..6e1599d
--- /dev/null
+++ b/templates/sshd_config.j2
@@ -0,0 +1,27 @@
+Protocol 2
+Port {{ ansible_port }}
+ListenAddress {{ ansible_default_ipv4.address }}
+ListenAddress {{ ansible_default_ipv6.address }}
+
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+PermitRootLogin without-password
+StrictModes yes
+MaxAuthTries 2
+AllowUsers root
+
+PubkeyAuthentication yes
+AuthenticationMethods publickey
+AuthorizedKeysFile .ssh/authorized_keys
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+IgnoreRhosts yes
+UsePAM yes
+ChallengeResponseAuthentication no
+PrintMotd no
+X11Forwarding no
+AllowTcpForwarding no
+
+Subsystem sftp /usr/lib/openssh/sftp-server
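Review bot: `logging: driver: "none"` on the `db` service discards all postgres output, so authentication failures, crashes and corruption warnings never reach the host and are unavailable when something needs to be reconstructed after the fact. If the concern is disk use, the default driver with a size cap keeps the logs and bounds them: `driver: json-file` / `options: { max-size: "10m", max-file: "3" }`. The image tags `docker.io/postgres:11-alpine` and `requarks/wiki:2.5` float across patch releases, so each run of the `Compose wikijs` task with `pull: true` can deploy a different build than the last one; pinning to a full version or digest is the usual fix if reproducibility matters here. `DB_PORT: 5432` is an unquoted integer in an environment map; it works, but `"5432"` matches the other values and sidesteps type coercion in stricter compose parsers.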
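Review bot: `ListenAddress {{ ansible_default_ipv6.address }}` has no guard, so on a host without a default IPv6 route `ansible_default_ipv6` is an empty dict, the attribute lookup is undefined and the `SSH config` task fails; guard it with `{% if ansible_default_ipv6.address is defined %}` / `ListenAddress {{ ansible_default_ipv6.address }}` / `{% endif %}`, and the same for the IPv4 line if single-stack hosts are possible. The combination of `AllowUsers root`, `AuthenticationMethods publickey` and a single key in authorized_keys.j2 means that one key is the only way in; that is a deliberate hardening choice but deserves a comment at the top of the file so the dependency is visible. `Protocol 2` is a no-op on current OpenSSH and `ChallengeResponseAuthentication` has been superseded by `KbdInteractiveAuthentication` in recent releases, as far as I recall; both still parse, so a short comment marking them as legacy is enough.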