Add playbook

.gitignore

@@ -0,0 +1,2 @@
+ansible.cfg
+roles

group_vars/all/vault

@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+30613534346431333631646634333061336363386330343564323661356666663233656137343132
+3034323166623230643138663761386234393537626262300a373139366231623230343361353937
+37663037323733623561356130373834396136336433636338646635666330666437323564636537
+3731636465626463300a613263333138613230346639646337313332366262613630643164666431
+34636632643161383436326338646366323031363237343965336633343131353165613961653063
+65316162613535353432613962353535333631326166383035366532366564653435613835356634
+396466653535653563393632313736613735

group_vars/main/main.yml

@@ -0,0 +1,22 @@
+ansible_python_interpreter: /usr/bin/python3
+ansible_user: root
+ansible_port: 233
+
+apt_packages:
+  - vim
+  - tmux
+  - screen
+  - htop
+  - bash-completion
+  - net-tools
+  - python3-setuptools
+  - jq
+
+pip_install_packages:
+  - name: docker
+  - name: docker-compose
+
+caddy_user: caddy
+caddy_setcap: false
+caddy_systemd_capabilities_enabled: true
+caddy_config: "{{ lookup('template', 'templates/Caddyfile.j2') }}"

inventory.yml

@@ -0,0 +1,7 @@
+---
+all:
+  children:
+    main:
+      hosts:
+        invidious.io:
+          ansible_host: 188.34.196.170

main.yml

@@ -0,0 +1,89 @@
+---
+- hosts: main
+  handlers:
+    - name: restart ssh
+      systemd:
+        name: sshd
+        state: restarted
+
+  tasks:
+    - name: SSH config
+      template:
+        src: sshd_config.j2
+        dest: /etc/ssh/sshd_config
+        mode: 0644
+      notify: restart ssh
+      tags: [ssh,base]
+
+    - name: SSH keys
+      template:
+        src: authorized_keys.j2
+        dest: /root/.ssh/authorized_keys
+        mode: 0600
+      tags: [ssh,base]
+
+    - name: Install packages
+      apt:
+        name: "{{ apt_packages }}"
+      tags: [apt,base]
+
+    - name: unattended-upgrades
+      import_role:
+        name: jvn.unattended-upgrades
+      tags: [unattended-upgrades]
+
+    - name: pip
+      import_role:
+        name: geerlingguy.pip
+      tags: [pip,docker]
+
+    - name: docker
+      import_role:
+        name: geerlingguy.docker
+      tags: [dockerd,docker]
+
+    - name: Create Invidious API container
+      community.docker.docker_container:
+        name: api
+        image: quay.io/invidious/instances:latest
+        pull: true
+        restart_policy: unless-stopped
+        published_ports:
+          - "127.0.0.1:3000:3000"
+      tags: [api,instances,docker]
+
+    - name: Create Invidious redirect container
+      community.docker.docker_container:
+        name: redirect
+        image: quay.io/invidious/invidious-redirect:latest
+        pull: true
+        restart_policy: unless-stopped
+        published_ports:
+          - "127.0.0.1:8080:80"
+      tags: [redirect,docker]
+
+    - name: Create wikijs compose folder
+      file:
+        path: /root/compose/wikijs/
+        state: directory
+        recurse: true
+        mode: 0755
+      tags: [wikijs,docker]
+
+    - name: Template wikijs docker compose
+      template:
+        src: docker-compose-wikijs.yml
+        dest: /root/compose/wikijs/docker-compose.yml
+        mode: 0600
+      tags: [wikijs,docker]
+
+    - name: Compose wikijs
+      community.docker.docker_compose:
+        project_src: /root/compose/wikijs
+        pull: true
+      tags: [wikijs,docker]
+
+    - name: caddy
+      import_role:
+        name: caddy_ansible.caddy_ansible
+      tags: [ caddy ]

requirements.yml

@@ -0,0 +1,9 @@
+roles:
+  - name: jvn.unattended-upgrades
+    version: v1.10.0
+  - name: geerlingguy.pip
+    version: 2.0.0
+  - name: geerlingguy.docker
+    version: 3.0.0
+  - name: caddy_ansible.caddy_ansible
+    version: TODO (wait for MRs)

templates/Caddyfile.j2

@@ -0,0 +1,66 @@
+# {{ ansible_managed }}
+
+(common) {
+  encode gzip
+  log {
+    output file /var/log/caddy/access.log {
+      roll_size 500mb
+      roll_keep 5
+    }
+    format filter {
+      wrap json
+      fields {
+        common_log delete
+        request>remote_addr ip_mask {
+          ipv4 24
+          ipv6 32
+        }
+      }
+    }
+  }
+}
+
+www.invidio.us {
+  import common
+  redir https://invidious.io{uri}
+}
+invidious.io {
+  import common
+  root * /var/www/invidious.io
+  file_server
+}
+git.invidious.io {
+  import common
+  redir https://github.com/iv-org/invidious
+}
+
+invidio.us {
+  import common
+  redir https://redirect.invidious.io{uri}
+  header /api* content-type "application/json"
+  respond /api* "{\"error\":\"This server no longer hosts the Invidious API.\"}" 410
+}
+redirect.invidious.io {
+  import common
+  reverse_proxy http://127.0.0.1:8080
+}
+
+instances.invidio.us {
+  import common
+  redir https://api.invidious.io{uri}
+}
+api.invidious.io {
+  import common
+  reverse_proxy http://127.0.0.1:3000
+  header /static* Cache-Control "max-age=86400"
+}
+
+uptime.invidio.us {
+  import common
+  redir https://uptime.invidious.io{uri}
+}
+
+docs.invidious.io {
+  import common
+  reverse_proxy http://127.0.0.1:3001
+}

templates/authorized_keys.j2

@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfkXt+RnduQ6CKIuoe0GbLZM76O/lyWippAisuv0Qlk perflyst
+# TODO: thefrenchghosty creates new keys

templates/docker-compose-wikijs.yml

@@ -0,0 +1,32 @@
+version: "3"
+services:
+
+  db:
+    image: docker.io/postgres:11-alpine
+    environment:
+      POSTGRES_DB: wikijs
+      POSTGRES_PASSWORD: "{{ vault_wikijs_db_password }}"
+      POSTGRES_USER: wikijs
+    logging:
+      driver: "none"
+    restart: unless-stopped
+    volumes:
+      - db-data:/var/lib/postgresql/data
+
+  wiki:
+    image: requarks/wiki:2.5
+    depends_on:
+      - db
+    environment:
+      DB_TYPE: postgres
+      DB_HOST: db
+      DB_PORT: 5432
+      DB_USER: wikijs
+      DB_PASS: "{{ vault_wikijs_db_password }}"
+      DB_NAME: wikijs
+    restart: unless-stopped
+    ports:
+      - "127.0.0.1:3001:3000"
+
+volumes:
+  db-data:

templates/sshd_config.j2

@@ -0,0 +1,27 @@
+Protocol 2
+Port {{ ansible_port }}
+ListenAddress {{ ansible_default_ipv4.address }}
+ListenAddress {{ ansible_default_ipv6.address }}
+
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+PermitRootLogin without-password
+StrictModes yes
+MaxAuthTries 2
+AllowUsers root
+
+PubkeyAuthentication yes
+AuthenticationMethods publickey
+AuthorizedKeysFile     .ssh/authorized_keys
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+IgnoreRhosts yes
+UsePAM yes
+ChallengeResponseAuthentication no
+PrintMotd no
+X11Forwarding no
+AllowTcpForwarding no
+
+Subsystem sftp /usr/lib/openssh/sftp-server