diff --git a/proxy_resources/etc/wireguard/wg0.conf b/proxy_resources/etc/wireguard/wg0.conf
index 246c909..00ab5cb 100755
--- a/proxy_resources/etc/wireguard/wg0.conf
+++ b/proxy_resources/etc/wireguard/wg0.conf
@@ -11,49 +11,65 @@ ListenPort = {{ proxy_server_vpn_port }}
 [Peer]
 PublicKey = {{ mail_service_pubkey }}
 AllowedIPs = 10.0.0.2/32
+PersistentKeepalive = 25
 
 # Git Service
 [Peer]
 PublicKey = {{ git_service_pubkey }}
 AllowedIPs = 10.0.0.3/32
+PersistentKeepalive = 25
 
 # Invidious Service
 [Peer]
 PublicKey = {{ invidious_service_pubkey }}
 AllowedIPs = 10.0.0.3/32
+PersistentKeepalive = 25
 
 # Searxng Service
 [Peer]
 PublicKey = {{ searxng_service_pubkey }}
 AllowedIPs = 10.0.0.4/32
+PersistentKeepalive = 25
 
 # Nextcloud Service
 [Peer]
 PublicKey = {{ nextcloud_service_pubkey }}
 AllowedIPs = 10.0.0.5/32
+PersistentKeepalive = 25
 
 # Chat Service
 [Peer]
 PublicKey = {{ chat_service_pubkey }}
 AllowedIPs = 10.0.0.6/32
+PersistentKeepalive = 25
 
 # Minecraft Service
 [Peer]
 PublicKey = {{ minecraft_service_pubkey }}
 AllowedIPs = 10.0.0.7/32
+PersistentKeepalive = 25
+
+# Kimai Service
+[Peer]
+PublicKey = {{ kimai_service_pubkey }}
+AllowedIPs = 10.0.0.8/32
+PersistentKeepalive = 25
 
 # Connection to backend server for icinga2
 [Peer]
 PublicKey = {{ icinga2_backend_pubkey }}
 AllowedIPs = 10.0.0.198/32
+PersistentKeepalive = 25
 
 # Connection to backend server for cockpit
 [Peer]
 PublicKey = {{ cockpit_backend_pubkey }}
 AllowedIPs = 10.0.0.199/32
+PersistentKeepalive = 25
 
 # User Key for Phone/Desktop/Laptop use
 [Peer]
 PublicKey = {{ user_pubkey }}
 AllowedIPs = 10.0.0.200/32
+PersistentKeepalive = 25
 
diff --git a/serversecrets.example b/serversecrets.example
index 9ec67c9..67ab67f 100755
--- a/serversecrets.example
+++ b/serversecrets.example
@@ -31,6 +31,7 @@ searxng_service_privkey: temp
 nextcloud_service_privkey: temp
 chat_service_privkey: temp
 minecraft_service_privkey: temp
+kimai_service_privkey: temp
 icinga2_backend_privkey: temp
 cockpit_backend_privkey: temp
 user_privkey: temp
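Review bot: The ten `PersistentKeepalive = 25` lines are added on the proxy side, where none of these `[Peer]` entries carries an `Endpoint`; the proxy can only send keepalives to a peer after that peer has completed a handshake and its address has been learned, so this alone does not keep a NAT mapping open for a service host that has gone quiet — the client side (the gluetun containers) needs the equivalent setting, which this commit does not show. A one-line comment above the first added line would spare the next reader the same question, e.g. `# Keepalive goes out only once a peer's endpoint is learned; clients configure their own`. Not introduced here but visible in the context lines, both the git and the invidious peer carry `AllowedIPs = 10.0.0.3/32`; WireGuard maps an allowed IP to exactly one peer, so the later entry silently takes the address and the proxy cannot reach the other service. The new kimai peer's `10.0.0.8/32` does match `WIREGUARD_ADDRESSES` in the compose file of this commit.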
@@ -43,6 +44,7 @@ searxng_service_pubkey: temp
 nextcloud_service_pubkey: temp
 chat_service_pubkey: temp
 minecraft_service_pubkey: temp
+kimai_service_pubkey: temp
 icinga2_backend_pubkey: temp
 cockpit_backend_pubkey: temp
 user_pubkey: temp
diff --git a/services/service_kimai/ansible.cfg b/services/service_kimai/ansible.cfg
new file mode 100755
index 0000000..b46bfad
--- /dev/null
+++ b/services/service_kimai/ansible.cfg
@@ -0,0 +1,6 @@
+[defaults]
+inventory = ../../hosts
+
+[privilege_escalation]
+become_method=doas
+become_ask_pass=True
diff --git a/services/service_kimai/deploy-service.yml b/services/service_kimai/deploy-service.yml
new file mode 100755
index 0000000..9d34da8
--- /dev/null
+++ b/services/service_kimai/deploy-service.yml
@@ -0,0 +1,26 @@
+- hosts: localhost
+  become: 'yes'
+  vars:
+    ansible_become_method: doas
+  tasks:
+    - name: Create necessary directories
+      ansible.builtin.file:
+        path: "{{ item }}"
+        owner: service_kimai
+        group: service_kimai
+        state: directory
+      loop:
+        - "{{ services_directory }}/service_kimai/kimai-data"
+        - "{{ services_directory }}/service_kimai/mysql-data"
+    - name: Copy docker compose config and other kimai files
+      ansible.builtin.template:
+        src: "{{ item }}"
+        dest: "{{ services_directory }}/service_kimai/{{ item }}"
+        owner: service_kimai
+        group: service_kimai
+      loop:
+        - docker-compose.yml
+
+    - name: Debug Finish message
+      debug:
+        msg: Ansible playbook has finished!
diff --git a/services/service_kimai/docker-compose.yml b/services/service_kimai/docker-compose.yml
new file mode 100644
index 0000000..4bc3e3d
--- /dev/null
+++ b/services/service_kimai/docker-compose.yml
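Review bot: The `[privilege_escalation]` entries are written `key=value` while `[defaults]` uses `inventory = ../../hosts`; pick one spacing style for the file, e.g. `become_method = doas` and `become_ask_pass = True`. The playbook beside it also sets `ansible_become_method: doas` under `vars`, so the become method is declared twice — keeping only the cfg entry avoids the two drifting apart later.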
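Review bot: The `ansible.builtin.template` task renders `docker-compose.yml`, which carries the WireGuard private key and the MySQL and admin passwords, but sets no `mode`, so the file lands with whatever the umask yields (often 0644, readable by every local account); add `mode: "0600"` (quoted, so the octal is not retyped) to that task, and a matching `mode` on the directories created by the `file` task keeps the data directories consistent. `become: 'yes'` is a quoted string where a boolean is meant; `become: true` is the canonical form. The last task uses the short `debug:` while the others use fully-qualified `ansible.builtin.*` names — `ansible.builtin.debug:` keeps them uniform.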
@@ -0,0 +1,82 @@
+services:
+
+  # Gluetun is used to connect container to VPN
+  kimai-gluetun:
+    image: qmcgaw/gluetun
+    cap_add:
+      - NET_ADMIN
+    environment:
+      - VPN_SERVICE_PROVIDER=custom
+      - VPN_TYPE=wireguard
+      - VPN_ENDPOINT_IP={{ proxy_server_ip }}
+      - VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }}
+      - WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }}
+      - WIREGUARD_PRIVATE_KEY={{ kimai_service_privkey }}
+      - WIREGUARD_ADDRESSES=10.0.0.8/32
+      - FIREWALL_VPN_INPUT_PORTS=8001,3306
+    ports:
+      - "8001:8001"
+    # networks:
+    #   kimai:
+    deploy:
+      resources:
+        limits:
+          cpus: '0.10'
+          memory: 512M
+
+  kimai:
+    image: kimai/kimai2:apache
+    network_mode: "service:kimai-gluetun"
+    environment:
+      - ADMINMAIL=admin@{{ domain_name }}
+      - ADMINPASS={{ service_kimai_admin_password }}
+      - "DATABASE_URL=mysql://kimaiuser:{{ service_kimai_mysql_password }}@127.0.0.1/kimai?charset=utf8mb4&serverVersion=8.3.0"
+      - TRUSTED_HOSTS=nginx,localhost,127.0.0.1
+    restart: always
+    volumes:
+      - ./kimai-data:/opt/kimai/var/data
+    deploy:
+      resources:
+        limits:
+          cpus: '0.25'
+          memory: 512M
+    depends_on:
+      - kimai-db
+
+  kimai-db:
+    image: mysql:8.4.0
+    network_mode: "service:kimai-gluetun"
+    environment:
+      - MYSQL_DATABASE=kimai
+      - MYSQL_USER=kimaiuser
+      - MYSQL_PASSWORD={{ service_kimai_mysql_password }}
+      - MYSQL_ROOT_PASSWORD={{ service_kimai_mysql_root_password }}
+    command: --default-storage-engine innodb
+    restart: unless-stopped
+    healthcheck:
+      test: mysqladmin -p$$MYSQL_ROOT_PASSWORD ping -h localhost
+      interval: 20s
+      start_period: 10s
+      timeout: 10s
+      retries: 3
+    volumes:
+      - ./mysql-data:/var/lib/mysql
+    # networks:
+    #   kimai:
+    #     ipv4_address: 12.1.0.22
+    deploy:
+      resources:
+        limits:
+          cpus: '0.10'
+          memory: 512M
+
+  #networks:
+  #  kimai:
+  #    driver: bridge
+  #    driver_opts:
+  #      com.docker.network.bridge.name: kimai
+  #      # com.docker.network.driver.enable_ip_masquerade: 0
+  #    ipam:
+  #      config:
+  #        - subnet: 12.1.0.0/16
+  #          # gateway: 11.5.0.1
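Review bot: `FIREWALL_VPN_INPUT_PORTS=8001,3306` opens MySQL to every WireGuard peer on the proxy side, yet nothing in this file needs it reachable over the tunnel — `kimai` connects to the database at `127.0.0.1` because both containers share the gluetun network namespace — so trim it to `- FIREWALL_VPN_INPUT_PORTS=8001`. The `ports:` entry `"8001:8001"` additionally publishes Kimai on all host interfaces, while the nginx site in this commit reaches it over the tunnel at `10.0.0.8:8001`; if host access is wanted at all, `- "127.0.0.1:8001:8001"` keeps it off the public side. `TRUSTED_HOSTS=nginx,localhost,127.0.0.1` does not list `kimai.{{ domain_name }}`, and if `proxy_params` forwards the browser's Host header as the Debian default does, requests may be rejected as coming from an untrusted host — presumably the public name belongs in that list; confirm against Kimai's handling of the variable. Two smaller inconsistencies: `serverVersion=8.3.0` in `DATABASE_URL` disagrees with the `mysql:8.4.0` image, and the root password passed as `-p$$MYSQL_ROOT_PASSWORD` on the healthcheck command line is visible in the container's process list.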
diff --git a/services/service_kimai/proxy_resources/etc/nginx/sites-available/kimai.domain b/services/service_kimai/proxy_resources/etc/nginx/sites-available/kimai.domain
new file mode 100755
index 0000000..b9d66ac
--- /dev/null
+++ b/services/service_kimai/proxy_resources/etc/nginx/sites-available/kimai.domain
@@ -0,0 +1,49 @@
+# {{ ansible_managed }}
+
+# Kimai Instance Proxy
+server {
+
+    server_name kimai.{{ domain_name }} www.kimai.{{ domain_name }};
+
+    location / {
+        proxy_pass http://10.0.0.8:8001;
+        #proxy_set_header X-Forwarded-For $remote_addr;
+        #proxy_set_header Host $host; # so kimai knows domain
+        #proxy_http_version 1.1; # to keep alive
+        #proxy_set_header Connection ""; # to keep alive
+        include proxy_params;
+    }
+
+    client_max_body_size 512M;
+
+    listen [::]:443 ssl;
+    listen 443 ssl;
+    ssl_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ domain_name }}/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+
+}
+
+server {
+    if ($host = www.kimai.{{ domain_name }}) {
+        return 301 https://$host$request_uri;
+    }
+
+
+    if ($host = kimai.{{ domain_name }}) {
+        return 301 https://$host$request_uri;
+    }
+
+
+    listen 80;
+    listen [::]:80;
+
+    server_name kimai.{{ domain_name }} www.kimai.{{ domain_name }};
+    return 404;
+
+
+
+
+}
diff --git a/services/service_kimai/servicesecrets.example b/services/service_kimai/servicesecrets.example
new file mode 100755
index 0000000..5abf64a
--- /dev/null
+++ b/services/service_kimai/servicesecrets.example
@@ -0,0 +1,4 @@
+# Example service secrets for kimai docker service, to be encrypted with ansible vault and called servicesecrets.enc
+service_kimai_admin_password: ***
+service_kimai_mysql_password: ***
+service_kimai_mysql_root_password: ***
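Review bot: The commented-out `proxy_set_header` lines are kept with the remark "so kimai knows domain", but `include proxy_params` (on Debian-derived nginx installs) already sets `Host $http_host`, `X-Real-IP`, `X-Forwarded-For` and `X-Forwarded-Proto`, so either delete the dead lines or replace them with a one-line comment such as `# Host and X-Forwarded-* headers come from proxy_params`. Because the upstream therefore sees `Host: kimai.{{ domain_name }}`, the backend's `TRUSTED_HOSTS` in this commit's compose file must accept that name — worth confirming end to end before rollout. The plain-HTTP server block could be reduced to a single `return 301 https://$host$request_uri;` for the two names it serves instead of two `if` blocks plus `return 404`, though the certbot-generated shape is harmless. The four blank lines before the closing brace are stray whitespace.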