cspark
/
Client-Ansible-Setup
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add current client server configuration to git

This commit is contained in:
cspark-dev 2024-02-22 12:06:50 +00:00
commit 26f9c17055
70 changed files with 6672 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitignore vendored Executable file
View File

@ -0,0 +1,4 @@
**/*.enc
hosts
prox-server-firewall-setup.yml
prox-server-setup.yml

6
ansible.cfg Executable file
View File

@ -0,0 +1,6 @@
[defaults]
inventory = hosts
[privilege_escalation]
become_method=doas
become_ask_pass=True

127
home_resources/.bashrc Executable file
View File

@ -0,0 +1,127 @@
# {{ ansible_managed }}
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples
# If not running interactively, don't do anything
case $- in
*i*) ;;
*) return;;
esac
# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth
# append to the history file, don't overwrite it
shopt -s histappend
# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000
# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize
# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar
# make less more friendly for non-text input files, see lesspipe(1)
#[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
debian_chroot=$(cat /etc/debian_chroot)
fi
# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
xterm-color|*-256color) color_prompt=yes;;
esac
# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
force_color_prompt=yes
if [ -n "$force_color_prompt" ]; then
if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
# We have color support; assume it's compliant with Ecma-48
# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
# a case would tend to support setf rather than setaf.)
color_prompt=yes
else
color_prompt=
fi
fi
if [ "$color_prompt" = yes ]; then
PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt
# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
;;
*)
;;
esac
# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
alias ls='ls --color=auto'
#alias dir='dir --color=auto'
#alias vdir='vdir --color=auto'
#alias grep='grep --color=auto'
#alias fgrep='fgrep --color=auto'
#alias egrep='egrep --color=auto'
fi
# colored GCC warnings and errors
export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
# some more ls aliases
#alias ll='ls -l'
#alias la='ls -A'
#alias l='ls -CF'
# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.
if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi
# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
export PATH="/usr/sbin:${PATH}"
export ANSIBLECONF_DIR="{{ ansibleconf_directory }}"
export EDITOR=vim
neofetch
# List all open ports and their associated programs
ss -tulpn
# List ZFS pools status
zpool status

57
home_resources/.local/bin/spark_ansible-editvault.sh Executable file
View File

@ -0,0 +1,57 @@
#!/bin/bash
# {{ ansible_managed }}
if [ -z $1 ]; then
echo "No ansible vault provided."
exit 1
fi
USBKEYVAR=/dev/disk/by-uuid/{{ usbkey_uuid }}
USBKEYSLOCATION={{ usbkey_keysdir }}
# Figure out if path given is relative or absolute, assign variables accordingly
if [[ "$(echo $1 | cut -c 1)" == "/" ]]; then
# Absolute
ABSOLUTELOCATION=$1
else
# Relative
ABSOLUTELOCATION="$(pwd)/$1"
fi
# Probably cleaner to do this in awk or the like but good enough!
# FILEPARENTDIR="$(echo $ABSOLUTELOCATION | cut -d / --fields=$(echo $ABSOLUTELOCATION | grep -o / | wc -l))"
FILENAME="$(echo $ABSOLUTELOCATION | cut -d / --fields=$(($(echo $ABSOLUTELOCATION | grep -o / | wc -l) + 1))-)"
if [ -e $USBKEYVAR ]; then
echo "USB Key detected, will mount if not already."
if doas mount $USBKEYVAR; then
echo "Mounted USB Key, proceeding..."
else
echo "Failed to mount USB Key, assuming its already mounted and proceeding..."
fi
if [[ "$FILENAME" == *"server"* ]]; then
echo "Detected as a server vault, decrypting accordingly..."
if ansible-vault edit --vault-password-file $USBKEYSLOCATION/serversecrets $ABSOLUTELOCATION; then
echo "Ansible Vault edit success!"
else
echo "Ansible Vault edit failure!"
fi
elif [[ "$FILENAME" == *"service"* ]]; then
echo "Detected as a service vault, decrypting accordingly..."
if ansible-vault edit --vault-password-file $USBKEYSLOCATION/servicesecrets $ABSOLUTELOCATION; then
echo "Ansible Vault edit success!"
else
echo "Ansible Vault edit failure!"
fi
else
echo "Does not appear to be a server or service vault, please make sure the vault file includes either 'server' or 'service' in the name to identify!"
fi
if doas umount $USBKEYVAR; then
echo "Unmounted USB Key."
else
echo "Failed to unmount USB Key!"
fi
else
echo "USB Key not detected, please check if plugged in!"
exit 1
fi

57
home_resources/.local/bin/spark_ansible-playbook.sh Executable file
View File

@ -0,0 +1,57 @@
#!/bin/bash
# {{ ansible_managed }}
if [ -z $1 ]; then
echo "No ansible playbook provided."
exit 1
fi
USBKEYVAR=/dev/disk/by-uuid/{{ usbkey_uuid }}
USBKEYSLOCATION={{ usbkey_keysdir }}
# Figure out if path given is relative or absolute, assign variables accordingly
if [[ "$(echo $1 | cut -c 1)" == "/" ]]; then
# Absolute
ABSOLUTELOCATION=$1
else
# Relative
ABSOLUTELOCATION="$(pwd)/$1"
fi
# Probably cleaner to do this in awk or the like but good enough!
FILEPARENTDIR="$(echo $ABSOLUTELOCATION | cut -d / --fields=$(echo $ABSOLUTELOCATION | grep -o / | wc -l))"
FILENAME="$(echo $ABSOLUTELOCATION | cut -d / --fields=$(($(echo $ABSOLUTELOCATION | grep -o / | wc -l) + 1))-)"
if [ -e $USBKEYVAR ]; then
echo "USB Key detected, will mount if not already."
if doas mount $USBKEYVAR; then
echo "Mounted USB Key, proceeding..."
else
echo "Failed to mount USB Key, assuming its already mounted and proceeding..."
fi
if [[ "$FILENAME" == *"server"* ]]; then
echo "Detected as a server playbook file, decrypting accordingly..."
if ansible-playbook -e @$ANSIBLECONF_DIR/serversecrets.enc --vault-password-file $USBKEYSLOCATION/serversecrets $ABSOLUTELOCATION; then
echo "Ansible Playbook success!"
else
echo "Ansible Playbook failure!"
fi
elif [[ "$FILENAME" == *"service"* ]]; then
echo "Detected as a service playbook file, decrypting accordingly..."
if ansible-playbook -e @$ANSIBLECONF_DIR/serversecrets.enc --vault-password-file $USBKEYSLOCATION/serversecrets -e @$ANSIBLECONF_DIR/services/$FILEPARENTDIR/servicesecrets.enc --vault-password-file $USBKEYSLOCATION/servicesecrets $ABSOLUTELOCATION; then
echo "Ansible Playbook success!"
else
echo "Ansible Playbook failure!"
fi
else
echo "Does not appear to be a server or service playbook file, please make sure the playbook file includes either 'server' or 'service' in the name to identify!"
fi
if doas umount $USBKEYVAR; then
echo "Unmounted USB Key."
else
echo "Failed to unmount USB Key!"
fi
else
echo "USB Key not detected, please check if plugged in!"
exit 1
fi

57
home_resources/.local/bin/spark_ansible-viewvault.sh Executable file
View File

@ -0,0 +1,57 @@
#!/bin/bash
# {{ ansible_managed }}
if [ -z $1 ]; then
echo "No ansible vault provided."
exit 1
fi
USBKEYVAR=/dev/disk/by-uuid/{{ usbkey_uuid }}
USBKEYSLOCATION={{ usbkey_keysdir }}
# Figure out if path given is relative or absolute, assign variables accordingly
if [[ "$(echo $1 | cut -c 1)" == "/" ]]; then
# Absolute
ABSOLUTELOCATION=$1
else
# Relative
ABSOLUTELOCATION="$(pwd)/$1"
fi
# Probably cleaner to do this in awk or the like but good enough!
# FILEPARENTDIR="$(echo $ABSOLUTELOCATION | cut -d / --fields=$(echo $ABSOLUTELOCATION | grep -o / | wc -l))"
FILENAME="$(echo $ABSOLUTELOCATION | cut -d / --fields=$(($(echo $ABSOLUTELOCATION | grep -o / | wc -l) + 1))-)"
if [ -e $USBKEYVAR ]; then
echo "USB Key detected, will mount if not already."
if doas mount $USBKEYVAR; then
echo "Mounted USB Key, proceeding..."
else
echo "Failed to mount USB Key, assuming its already mounted and proceeding..."
fi
if [[ "$FILENAME" == *"server"* ]]; then
echo "Detected as a server vault, decrypting accordingly..."
if ansible-vault view --vault-password-file $USBKEYSLOCATION/serversecrets $ABSOLUTELOCATION; then
echo "Ansible Vault view success!"
else
echo "Ansible Vault view failure!"
fi
elif [[ "$FILENAME" == *"service"* ]]; then
echo "Detected as a service vault, decrypting accordingly..."
if ansible-vault view --vault-password-file $USBKEYSLOCATION/servicesecrets $ABSOLUTELOCATION; then
echo "Ansible Vault view success!"
else
echo "Ansible Vault view failure!"
fi
else
echo "Does not appear to be a server or service vault, please make sure the vault file includes either 'server' or 'service' in the name to identify!"
fi
if doas umount $USBKEYVAR; then
echo "Unmounted USB Key."
else
echo "Failed to unmount USB Key!"
fi
else
echo "USB Key not detected, please check if plugged in!"
exit 1
fi

14
home_resources/.ssh/config Executable file
View File

@ -0,0 +1,14 @@
# {{ ansible_managed }}
Host {{ proxy_server_hostname }}
Hostname {{ proxy_server_ip }}
Port {{ proxy_server_ssh_port }}
User {{ proxy_server_username }}
PubKeyAuthentication yes
IdentityFile ~/.ssh/id_ed25519_{{ proxy_server_hostname }}
Host {{ proxy_server_hostname }}-defaultport
Hostname {{ proxy_server_ip }}
Port 22
User {{ proxy_server_username }}
PubKeyAuthentication yes
IdentityFile ~/.ssh/id_ed25519_{{ proxy_server_hostname }}

18
prox-server-ansible-playbooks-generate.yml Executable file
View File

@ -0,0 +1,18 @@
- hosts: localhost
tasks:
- name: Generate hosts file
template:
src: "ansible_resources/hosts"
dest: "hosts"
mode: '0777'
- name: Generate proxy server playbooks
template:
src: "ansible_resources/{{ item }}"
dest: "{{ item }}"
mode: '0777'
loop:
- prox-server-setup.yml
- prox-server-firewall-setup.yml
- name: Debug Finish message
debug:
msg: Ansible playbook has finished!

121
proxy_resources/.bashrc Executable file
View File

@ -0,0 +1,121 @@
# {{ ansible_managed }}
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples
# If not running interactively, don't do anything
case $- in
*i*) ;;
*) return;;
esac
# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth
# append to the history file, don't overwrite it
shopt -s histappend
# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000
# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize
# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar
# make less more friendly for non-text input files, see lesspipe(1)
#[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
debian_chroot=$(cat /etc/debian_chroot)
fi
# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
xterm-color|*-256color) color_prompt=yes;;
esac
# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
force_color_prompt=yes
if [ -n "$force_color_prompt" ]; then
if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
# We have color support; assume it's compliant with Ecma-48
# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
# a case would tend to support setf rather than setaf.)
color_prompt=yes
else
color_prompt=
fi
fi
if [ "$color_prompt" = yes ]; then
PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt
# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
;;
*)
;;
esac
# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
alias ls='ls --color=auto'
#alias dir='dir --color=auto'
#alias vdir='vdir --color=auto'
#alias grep='grep --color=auto'
#alias fgrep='fgrep --color=auto'
#alias egrep='egrep --color=auto'
fi
# colored GCC warnings and errors
export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
# some more ls aliases
#alias ll='ls -l'
#alias la='ls -A'
#alias l='ls -CF'
# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.
if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi
# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
export PATH="/usr/sbin:${PATH}"
neofetch
# List all open ports and their associated programs
ss -tulpn

82
proxy_resources/etc/haproxy/haproxy.cfg Executable file
View File

@ -0,0 +1,82 @@
# {{ ansible_managed }}
frontend ft_smtp
bind {{ proxy_server_ip }}:25
mode tcp
timeout client 1m
log global
option tcplog
default_backend bk_smtp
backend bk_smtp
mode tcp
log global
# option tcplog
timeout server 1m
timeout connect 7s
server postfix 10.0.0.2:25 send-proxy
frontend ft_smtps
bind {{ proxy_server_ip }}:465
mode tcp
timeout client 1m
log global
option tcplog
default_backend bk_smtps
backend bk_smtps
mode tcp
log global
# option tcplog
timeout server 1m
timeout connect 7s
server postfix 10.0.0.2:465 send-proxy
frontend ft_submission
bind {{ proxy_server_ip }}:587
mode tcp
timeout client 1m
log global
option tcplog
default_backend bk_submission
backend bk_submission
mode tcp
log global
# option tcplog
timeout server 1m
timeout connect 7s
server postfix 10.0.0.2:587 send-proxy
frontend ft_imaps
bind {{ proxy_server_ip }}:993
mode tcp
timeout client 1m
default_backend bk_imaps
backend bk_imaps
mode tcp
balance leastconn
stick store-request src
stick-table type ip size 200k expire 30m
timeout server 1m
timeout connect 7s
server imaps1 10.0.0.2:993 send-proxy-v2
frontend ft_imap
bind {{ proxy_server_ip }}:143
mode tcp
timeout client 1m
default_backend bk_imap
backend bk_imap
mode tcp
balance leastconn
stick store-request src
stick-table type ip size 200k expire 30m
timeout server 1m
timeout connect 7s
server imap1 10.0.0.2:143 send-proxy-v2

194
proxy_resources/etc/nginx/nginx.conf Executable file
View File

@ -0,0 +1,194 @@
# {{ ansible_managed }}
user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
# Minecraft server and other non NGinx standard protocol proxying handled here
#stream {
# This appears to work in the sense that the port is available when checking with telnet, but doesn't appear to be working in Minecraft
# map $ssl_preread_server_name $name {
# minecraft.{{ domain_name }} 10.0.0.2:25565;
# }
# server {
# listen 25565;
# listen [::]:25565;
#
# proxy_pass $name;
# ssl_preread on;
# }
# Minecraft
# upstream minecraft {
# server 10.0.0.7:54376;
# }
#
# server {
# listen 25565;
#
# proxy_pass minecraft;
# }
# NOW HANDLED BY HAPROXY
# For now instead of mail proxy, we will just reverse proxy the tcp traffic itself
# upstream smtp {
# server 10.0.0.2:25; # Cleartext Unsecure SMTP
# }
# server {
# listen 25;
#
# proxy_pass smtp;
# }
#
# upstream esmtp {
# server 10.0.0.2:465; # ESMTP Implicit TLS
# }
# server {
# listen 465;
#
# proxy_pass esmtp;
# }
#
# upstream smtp_starttls {
# server 10.0.0.2:587; # SMTP Explicit TLS
# }
# server {
# listen 587;
#
# proxy_pass smtp_starttls;
# }
#
# upstream imaps {
# server 10.0.0.2:993; # IMAPS Implicit TLS
# }
# server {
# listen 993;
#
# proxy_pass imaps;
# }
#
# upstream imap_starttls {
# server 10.0.0.2:143; # IMAP Explicit TLS
# }
# server {
# listen 143;
#
# proxy_pass imap_starttls;
# }
#}
# Mail Proxy configuration
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# # auth_http localhost/auth.php;
#
# server_name mail.{{ domain_name }};
# auth_http http://127.0.0.1:8000;
# proxy_smtp_auth on;
# smtp_auth plain;
# xclient off;
#
# proxy_pass_error_message on;
#
# # ssl_certificate /etc/letsencrypt/live/mail.{{ domain_name }}/fullchain.pem; # managed by Certbot
# # ssl_certificate_key /etc/letsencrypt/live/mail.{{ domain_name }}/privkey.pem; # managed by Certbot
# # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
#
# server {
# listen 25;
# protocol smtp;
# proxy on;
# auth_http_header X-Auth-Port 25;
# }
#
# server {
# listen 465; #ssl;
# protocol smtp;
# proxy on;
# auth_http_header X-Auth-Port 465;
# }
#
# server {
# listen 587;
# protocol smtp;
# proxy on;
# # starttls on;
# auth_http_header X-Auth-Port 587;
# }
#
# server {
# listen 993; #ssl;
# protocol imap;
# proxy on;
# auth_http_header X-Auth-Port 993;
# }
#
# server {
# listen 143;
# protocol imap;
# proxy on;
# # starttls on;
# auth_http_header X-Auth-Port 143;
# }
#}

116
proxy_resources/etc/nginx/sites-available/chat.domain Executable file
View File

@ -0,0 +1,116 @@
# {{ ansible_managed }}
server {
server_name chat.{{ domain_name }} www.chat.{{ domain_name }};
location /january/ {
proxy_pass http://10.0.0.6:42599/;
proxy_set_header Host $host;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
}
location /autumn/ {
proxy_pass http://10.0.0.6:6119/;
proxy_set_header Host $host;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
}
location /vortex/ {
proxy_pass http://10.0.0.6:34902/;
proxy_set_header Host $host;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
}
# /wsvortex is to be evaluated first before /ws
location /wsvortex {
proxy_pass http://10.0.0.6:34902/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
# Important, to prevent ws from sending data for a long time and causing timeout disconnection.
proxy_read_timeout 24h;
proxy_set_header Host $host;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
}
location /ws {
proxy_pass http://10.0.0.6:60160/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
# Important, to prevent ws from sending data for a long time and causing timeout disconnection.
proxy_read_timeout 24h;
proxy_set_header Host $host;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
}
location /api/ {
proxy_pass http://10.0.0.6:27271/;
proxy_set_header Host $host;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
}
location / {
proxy_pass http://10.0.0.6:53244;
proxy_set_header Host $host;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
}
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/chat.{{ domain_name }}/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/chat.{{ domain_name }}/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.chat.{{ domain_name }}) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = chat.{{ domain_name }}) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name chat.{{ domain_name }} www.chat.{{ domain_name }};
return 404; # managed by Certbot
}

91
proxy_resources/etc/nginx/sites-available/default Executable file
View File

@ -0,0 +1,91 @@
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/run/php/php7.4-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}

47
proxy_resources/etc/nginx/sites-available/git.domain Executable file
View File

@ -0,0 +1,47 @@
# {{ ansible_managed }}
# Git Instance Proxy
server {
server_name git.{{ domain_name }} www.git.{{ domain_name }};
location / {
proxy_pass http://10.0.0.3:3000;
#proxy_set_header X-Forwarded-For $remote_addr;
#proxy_set_header Host $host; # so git knows domain
#proxy_http_version 1.1; # to keep alive
#proxy_set_header Connection ""; # to keep alive
include proxy_params;
}
listen [::]:443 ssl ipv6only=on;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ domain_name }}/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
server {
if ($host = www.git.{{ domain_name }}) {
return 301 https://$host$request_uri;
}
if ($host = git.{{ domain_name }}) {
return 301 https://$host$request_uri;
}
listen 80;
listen [::]:80;
server_name git.{{ domain_name }} www.git.{{ domain_name }};
return 404;
}

127
proxy_resources/etc/nginx/sites-available/invidious.domain Executable file
View File

@ -0,0 +1,127 @@
# {{ ansible_managed }}
# Invidious Instance Proxy
server {
server_name invidious.{{ domain_name }} www.invidious.{{ domain_name }};
location / {
proxy_pass http://10.0.0.3:3000;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host; # so Invidious knows domain
proxy_http_version 1.1; # to keep alive
proxy_set_header Connection ""; # to keep alive
include proxy_params;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/invidious.{{ domain_name }}-0001/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/invidious.{{ domain_name }}-0001/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Mail Server Frontend
#server {
# # SSL configuration
# #
# # listen 443 ssl default_server;
# # listen [::]:443 ssl default_server;
# #
# # Note: You should disable gzip for SSL traffic.
# # See: https://bugs.debian.org/773332
# #
# # Read up on ssl_ciphers to ensure a secure configuration.
# # See: https://bugs.debian.org/765782
# #
# # Self signed certs generated by the ssl-cert package
# # Don't use them in a production server!
# #
# # include snippets/snakeoil.conf;
#
# root /var/www/html;
#
# # Add index.php to the list if you are using PHP
# index index.html index.htm index.nginx-debian.html;
#
# server_name mail.{{ domain_name }} www.mail.{{ domain_name }};
#
# location / {
# # First attempt to serve request as file, then
# # as directory, then fall back to displaying a 404.
# try_files $uri $uri/ =404;
# }
#
# # pass PHP scripts to FastCGI server
# #
# #location ~ \.php$ {
# # include snippets/fastcgi-php.conf;
# #
# # # With php-fpm (or other unix sockets):
# # fastcgi_pass unix:/run/php/php7.4-fpm.sock;
# # # With php-cgi (or other tcp sockets):
# # fastcgi_pass 127.0.0.1:9000;
# #}
#
# # deny access to .htaccess files, if Apache's document root
# # concurs with nginx's one
# #
# #location ~ /\.ht {
# # deny all;
# #}
#
# listen [::]:443 ssl; # managed by Certbot
# listen 443 ssl; # managed by Certbot
# ssl_certificate /etc/letsencrypt/live/mail.{{ domain_name }}/fullchain.pem; # managed by Certbot
# ssl_certificate_key /etc/letsencrypt/live/mail.{{ domain_name }}/privkey.pem; # managed by Certbot
# include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
#
#
#}
server {
if ($host = www.invidious.{{ domain_name }}) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = invidious.{{ domain_name }}) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name invidious.{{ domain_name }} www.invidious.{{ domain_name }};
return 404; # managed by Certbot
}
#server {
# if ($host = www.mail.{{ domain_name }}) {
# return 301 https://$host$request_uri;
# } # managed by Certbot
#
#
# if ($host = mail.{{ domain_name }}) {
# return 301 https://$host$request_uri;
# } # managed by Certbot
#
#
# listen 80;
# listen [::]:80;
#
# server_name mail.{{ domain_name }} www.mail.{{ domain_name }};
# return 404; # managed by Certbot
#
#
#
#
#}

15
proxy_resources/etc/nginx/sites-available/mail.domain Executable file
View File

@ -0,0 +1,15 @@
# {{ ansible_managed }}
# Frontend proxy to do SSL certificate authentication on backend etc
server {
listen 80;
listen [::]:80;
server_name mail.{{ domain_name }};
location / {
proxy_pass http://10.0.0.2;
include proxy_params;
}
}

65
proxy_resources/etc/nginx/sites-available/nextcloud.domain Executable file
View File

@ -0,0 +1,65 @@
# {{ ansible_managed }}
server {
server_name nextcloud.{{ domain_name }} www.nextcloud.{{ domain_name }};
client_max_body_size 0;
underscores_in_headers on;
location / {
proxy_pass http://10.0.0.5:11000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
add_header Front-End-Https on;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 64;
proxy_buffering off;
proxy_redirect off;
proxy_max_temp_file_size 0;
}
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/nextcloud.{{ domain_name }}/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/nextcloud.{{ domain_name }}/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
# The redirects for CalDAV or CardDAV does not work if Nextcloud is running behind a reverse proxy. The recommended solution is that your reverse proxy does the redirects.
location /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
}
server {
if ($host = www.nextcloud.{{ domain_name }}) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = nextcloud.{{ domain_name }}) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name nextcloud.{{ domain_name }} www.nextcloud.{{ domain_name }};
return 404; # managed by Certbot
}

49
proxy_resources/etc/nginx/sites-available/searxng.domain Executable file
View File

@ -0,0 +1,49 @@
# {{ ansible_managed }}
server {
server_name searxng.{{ domain_name }} www.searxng.{{ domain_name }};
location / {
proxy_pass http://10.0.0.4:8080;
proxy_set_header Host $host;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
include proxy_params;
}
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/searxng.{{ domain_name }}/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/searxng.{{ domain_name }}/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.searxng.{{ domain_name }}) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = searxng.{{ domain_name }}) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name searxng.{{ domain_name }} www.searxng.{{ domain_name }};
return 404; # managed by Certbot
}

53
proxy_resources/etc/ssh/ssh_config Executable file
View File

@ -0,0 +1,53 @@
# {{ ansible_managed }}
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Include /etc/ssh/ssh_config.d/*.conf
Host *
# ForwardAgent no
# ForwardX11 no
# ForwardX11Trusted yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes

126
proxy_resources/etc/ssh/sshd_config Executable file
View File

@ -0,0 +1,126 @@
# {{ ansible_managed }}
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
Port {{ proxy_server_ssh_port }}
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

48
proxy_resources/etc/wireguard/wg0.conf Executable file
View File

@ -0,0 +1,48 @@
# {{ ansible_managed }}
[Interface]
PrivateKey = {{ vpn_server_privkey }}
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = {{ proxy_server_vpn_port }}
# Mail Service
#[Peer]
#PublicKey = {{ mail_service_pubkey }}
#AllowedIPs = 10.0.0.2/32
# Git Service
[Peer]
PublicKey = {{ git_service_pubkey }}
AllowedIPs = 10.0.0.3/32
# Invidious Service
#[Peer]
#PublicKey = {{ invidious_service_pubkey }}
#AllowedIPs = 10.0.0.3/32
# Searxng Service
#[Peer]
#PublicKey = {{ searxng_service_pubkey }}
#AllowedIPs = 10.0.0.4/32
# Nextcloud Service
#[Peer]
#PublicKey = {{ nextcloud_service_pubkey }}
#AllowedIPs = 10.0.0.5/32
# Chat Service
#[Peer]
#PublicKey = {{ chat_service_pubkey }}
#AllowedIPs = 10.0.0.6/32
# Minecraft Service
#[Peer]
#PublicKey = {{ minecraft_service_pubkey }}
#AllowedIPs = 10.0.0.7/32
# User Key for Phone/Desktop/Laptop use
#[Peer]
#PublicKey = {{ user_pubkey }}
#AllowedIPs = 10.0.0.200/32

50
proxy_resources/home/mail-authserver.py Executable file
View File

@ -0,0 +1,50 @@
# {{ ansible_managed }}
from http import server
class HTTPRequestHandler(server.SimpleHTTPRequestHandler):
def end_headers(self):
# The idea is to use <RCPT TO> value to choose and connect to different mail server
# rcpt_to_header = self.headers['Auth-SMTP-To']
# rcpt_to = rcpt_to_header.split(":")[1][2:-1]
# Print all available headers and their value for debug
for k in self.headers:
print(k)
print("Value of header :", self.headers[k])
port_header = self.headers['X-Auth-Port']
# protocol = protocol_header.split(":")[0][2:-1]
# self.send_custom_headers(rcpt_to)
self.send_custom_headers(port_header)
server.SimpleHTTPRequestHandler.end_headers(self)
def send_custom_headers(self, port):
# This is a simple logic to choose mail server
# if rcpt.split("@")[1] == "eng.abc.com":
# port = "2525"
# elif rcpt.split("@")[1] == "hr.abc.com":
# port = "2526"
# Need to modify/create new program to list all headers that will be provided. If there is a port header/way to distinguish whether it is Implicit or Explicit TLS used we can use that to go to the correct port.
# We will do it based on protocol instead
# Will only allow Explicit TLS for now
# if protocol == "smtp":
# port = "3469"
# elif protocol == "imap":
# port = "6994"
# Authentication handled by backend for now for both IMAP and SMTP, may in the future do authentication here too
self.send_header("Auth-Status", "OK")
# Server IP
self.send_header("Auth-Server","{{ proxy_server_ip }}")
# Server port
self.send_header("Auth-Port", port)
# Debug Prints
print("Return Auth-Port:", port)
if __name__ == '__main__':
server.test(HandlerClass=HTTPRequestHandler)

3
root_resources/etc/doas.conf Executable file
View File

@ -0,0 +1,3 @@
# {{ ansible_managed }}
permit persist :wheel

7
root_resources/etc/resolv.conf Executable file
View File

@ -0,0 +1,7 @@
# {{ ansible_managed }}
search {{ domain_name }}
nameserver 192.168.1.254
# Google Public DNS
nameserver 8.8.8.8

238
root_resources/etc/samba/smb.conf Executable file
View File

@ -0,0 +1,238 @@
# {{ ansible_managed }}
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
# - When such options are commented with ";", the proposed setting
# differs from the default Samba behaviour
# - When commented with "#", the proposed setting is the default
# behaviour of Samba but the option is considered important
# enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#======================= Global Settings =======================
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = WORKGROUP
#### Networking ####
# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0
# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Cap the size of the individual log files (in KiB).
max log size = 1000
# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
# Append syslog@1 if you want important messages to be sent to syslog too.
logging = file
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = standalone server
obey pam restrictions = yes
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
pam password change = yes
# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user
########## Domains ###########
#
# The following settings only takes effect if 'server role = classic
# primary domain controller', 'server role = classic backup domain controller'
# or 'domain logons' is set
#
# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
; logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
# logon path = \\%N\%U\profile
# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
; logon drive = H:
# logon home = \\%N\%U
# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
; logon script = logon.cmd
# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe. The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
# This allows machine accounts to be created on the domain controller via the
# SAMR RPC pipe.
# The following assumes a "machines" group exists on the system
; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.
; add group script = /usr/sbin/addgroup --force-badname %g
############ Misc ############
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /home/samba/etc/smb.conf.%m
# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
; idmap config * : backend = tdb
; idmap config * : range = 3000-7999
; idmap config YOURDOMAINHERE : backend = tdb
; idmap config YOURDOMAINHERE : range = 100000-999999
; template shell = /bin/bash
# Setup usershare options to enable non-root users to share folders
# with the net usershare command.
# Maximum number of usershare. 0 means that usershare is disabled.
# usershare max shares = 100
# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
usershare allow guests = yes
#======================= Share Definitions =======================
#[homes]
# comment = Home Directories
# browseable = no
# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
# read only = yes
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
# create mask = 0700
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
# directory mask = 0700
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
# valid users = %S
# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; read only = yes
# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
; comment = Users profiles
; path = /home/samba/profiles
; guest ok = no
; browseable = no
; create mask = 0600
; directory mask = 0700
#[printers]
# comment = All Printers
# browseable = no
# path = /var/spool/samba
# printable = yes
# guest ok = no
# read only = yes
# create mask = 0700
# Windows clients look for this share name as a source of downloadable
# printer drivers
#[print$]
# comment = Printer Drivers
# path = /var/lib/samba/printers
# browseable = yes
# read only = yes
# guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
; write list = root, @lpadmin

53
root_resources/etc/ssh/ssh_config Executable file
View File

@ -0,0 +1,53 @@
# {{ ansible_managed }}
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Include /etc/ssh/ssh_config.d/*.conf
Host *
# ForwardAgent no
# ForwardX11 no
# ForwardX11Trusted yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes

126
root_resources/etc/ssh/sshd_config Executable file
View File

@ -0,0 +1,126 @@
# {{ ansible_managed }}
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

11
root_resources/etc/wireguard/wg0.conf Executable file
View File

@ -0,0 +1,11 @@
# {{ ansible_managed }}
[Interface]
Address = 10.0.0.2/32
PrivateKey = {{ backend_server_privkey }}
DNS = 1.1.1.1
[Peer]
PublicKey = {{ vpn_server_pubkey }}
Endpoint = {{ domain_name }}:51820
AllowedIPs = 10.0.0.1/32, 11.5.0.2/32 # Only any packets to/from our VPN/Proxy server or all Docker containers will be tunneled by the VPN

301
server-firewall-setup.yml Executable file
View File

@ -0,0 +1,301 @@
- hosts: localhost
ignore_errors: true
become: 'yes'
tasks:
- name: Apply default doas configuration allowing wheel group users to elevate commands with prompt
become: yes
template:
src: root_resources/etc/doas.conf
dest: "/etc/doas.conf"
- name: Temporarily disable doas pass prompt as doas persist does not work within scripts
become: yes
replace:
path: /etc/doas.conf
regexp: 'persist'
replace: 'nopass'
# Telnet/SSH Configuration
- name: Accept inbound SSH only on internal network
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
source: 192.168.1.0/24
destination_port: 22
jump: ACCEPT
- name: Allow all outbound telnet, SSH on default port and SSH proxy server port
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
destination_port: "{{ item }}"
jump: ACCEPT
loop:
- 23
- 22
- "{{ proxy_server_ssh_port }}"
# Policy Configuration
- name: Drop incoming/outgoing/forward traffic by default
ansible.builtin.iptables:
chain: "{{ item }}"
policy: DROP
loop:
- INPUT
- OUTPUT
- FORWARD
- name: Allow inbound/outbound already established/related connections to bypass firewall rules
ansible.builtin.iptables:
chain: "{{ item }}"
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
loop:
- INPUT
- OUTPUT
# Loopback Configuration
- name: Allow inbound loopback traffic
ansible.builtin.iptables:
chain: INPUT
in_interface: lo
jump: ACCEPT
- name: Allow outbound loopback traffic
ansible.builtin.iptables:
chain: OUTPUT
out_interface: lo
jump: ACCEPT
# DNS Configuration
- name: Accept inbound TCP/UDP DNS/TCP WHOIS lookup requests only from gateway or Google Public DNS
ansible.builtin.iptables:
chain: INPUT
protocol: "{{ item.protocol }}"
source: "{{ item.source }}"
destination_port: "{{ item.port }}"
jump: ACCEPT
loop:
- { source: 192.168.1.254, protocol: tcp, port: 53 }
- { source: 192.168.1.254, protocol: udp, port: 53 }
- { source: 8.8.8.8, protocol: tcp, port: 53 }
- { source: 8.8.8.8, protocol: udp, port: 53 }
- { source: 192.168.1.254, protocol: tcp, port: 43 }
- { source: 8.8.8.8, protocol: tcp, port: 43 }
- name: Accept outbound TCP/UDP DNS/TCP WHOIS lookup requests only from gateway or Google Public DNS
ansible.builtin.iptables:
chain: OUTPUT
protocol: "{{ item.protocol }}"
destination: "{{ item.destination }}"
destination_port: "{{ item.port }}"
jump: ACCEPT
loop:
- { destination: 192.168.1.254, protocol: tcp, port: 53 }
- { destination: 192.168.1.254, protocol: udp, port: 53 }
- { destination: 8.8.8.8, protocol: tcp, port: 53 }
- { destination: 8.8.8.8, protocol: udp, port: 53 }
- { destination: 192.168.1.254, protocol: tcp, port: 43 }
- { destination: 8.8.8.8, protocol: tcp, port: 43 }
# ICMP Configuration
- name: Allow all outbound pinging
ansible.builtin.iptables:
chain: OUTPUT
protocol: icmp
jump: ACCEPT
# SMB/SAMBA Service
- name: Accept inbound SMB/NETBIOS SSN/NETBIOS DGM/NETBIOS NS only from internal network
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
source: 192.168.1.0/24
destination_port: "{{ item }}"
jump: ACCEPT
loop:
- 445
- 139
- 138
- 137
- name: Allow outbound SMB/NETBIOS SSN/NETBIOS DGM/NETBIOS NS only to internal network
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
destination: 192.168.1.0/24
destination_port: "{{ item }}"
jump: ACCEPT
loop:
- 445
- 139
- 138
- 137
# VPN to Proxy Server Configuration
- name: Accept inbound Wireguard connections only from proxy server
ansible.builtin.iptables:
chain: INPUT
protocol: udp
source: "{{ proxy_server_ip }}"
destination_port: "{{ proxy_server_vpn_port }}"
jump: ACCEPT
- name: Allow all outbound Wireguard connections
ansible.builtin.iptables:
chain: OUTPUT
protocol: udp
destination_port: "{{ proxy_server_vpn_port }}"
jump: ACCEPT
# Docker
- name: Accept inbound HTTPS only from Github Container Registry
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
source: 140.82.121.34
destination_port: 443
jump: ACCEPT
- name: Allow outbound HTTPS only to Github Container Registry
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
destination: 140.82.121.34
destination_port: 443
jump: ACCEPT
# SERVICES FIREWALL CONFIGURATION NOW HANDLED ON A PER CONTAINER BASIS VIA GLUTUN VPN CLIENT (as now using VPNs within in the containers)
# # Mail Service
# - name: Allow source (Inbound) local network traffic to the Mail service ports
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: 192.168.1.0/24
# protocol: tcp
# destination_port: "{{ item }}"
# jump: ACCEPT
# loop:
# - 25 # SMTP Cleartext 25
# - 465 # ESMTP Implicit TLS 465
# - 587 # SMTP+STARTTLS Explicit TLS 587
# - 993 # IMAPS Implicit TLS 993
# - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
#
# - name: Allow source (Inbound) proxy server traffic to the Mail service ports
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: "{{ item }}"
# jump: ACCEPT
# loop:
# - 25 # SMTP Cleartext 25
# - 465 # ESMTP Implicit TLS 465
# - 587 # SMTP+STARTTLS Explicit TLS 587
# - 993 # IMAPS Implicit TLS 993
# - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
# - name: Allow destination (Outbound) proxy server Mail container traffic to the Mail service ports
# ansible.builtin.iptables:
# chain: DOCKER-USER
# destination: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: "{{ item }}"
# jump: ACCEPT
# loop:
# - 25 # SMTP Cleartext 25
# - 465 # ESMTP Implicit TLS 465
# - 587 # SMTP+STARTTLS Explicit TLS 587
# - 993 # IMAPS Implicit TLS 993
# - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
#
# - name: Deny any other traffic on Mail service ports
# ansible.builtin.iptables:
# chain: DOCKER-USER
# protocol: tcp
# destination_port: "{{ item }}"
# jump: DROP
# loop:
# - 25 # SMTP Cleartext 25
# - 465 # ESMTP Implicit TLS 465
# - 587 # SMTP+STARTTLS Explicit TLS 587
# - 993 # IMAPS Implicit TLS 993
# - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
#
# # Invidious Service
# - name: Allow source (Inbound) local network traffic to the Invidious service only on service port 3000
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: 192.168.1.0/24
# protocol: tcp
# destination_port: 3000
# jump: ACCEPT
# - name: Allow destination (Outbound) local network traffic to the Invidious service only on service port 3000
# ansible.builtin.iptables:
# chain: DOCKER-USER
# destination: 192.168.1.0/24
# protocol: tcp
# destination_port: 3000
# jump: ACCEPT
#
# - name: Allow source (Inbound) proxy server traffic to the Invidious service only on service port 3000
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: 3000
# jump: ACCEPT
# - name: Allow destination (Outbound) proxy server traffic to the Invidious service only on service port 3000
# ansible.builtin.iptables:
# chain: DOCKER-USER
# destination: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: 3000
# jump: ACCEPT
#
# - name: Deny any other traffic on Invidious port 3000
# ansible.builtin.iptables:
# chain: DOCKER-USER
# protocol: tcp
# destination_port: 3000
# jump: DROP
#
# # Minecraft Service
# - name: Allow source (Inbound) local network traffic to the Invidious service only on service port 25565
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: 192.168.1.0/24
# protocol: tcp
# destination_port: 25565
# jump: ACCEPT
# - name: Allow destination (Outbound) local network traffic to the Invidious service only on service port 25565
# ansible.builtin.iptables:
# chain: DOCKER-USER
# destination: 192.168.1.0/24
# protocol: tcp
# destination_port: 25565
# jump: ACCEPT
#
# - name: Allow source (Inbound) proxy server traffic to the Invidious service only on service port 25565
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: 25565
# jump: ACCEPT
# - name: Allow destination (Outbound) proxy server traffic to the Invidious service only on service port 25565
# ansible.builtin.iptables:
# chain: DOCKER-USER
# destination: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: 25565
# jump: ACCEPT
#
# - name: Deny any other traffic on Minecraft port 25565
# ansible.builtin.iptables:
# chain: DOCKER-USER
# protocol: tcp
# destination_port: 25565
# jump: DROP
#
- name: Reset doas configuration back to default
become: yes
template:
src: root_resources/etc/doas.conf
dest: "/etc/doas.conf"
- name: Debug Finish message
debug:
msg: Ansible playbook has finished!

248
server-setup.yml Executable file
View File

@ -0,0 +1,248 @@
- hosts: localhost
ignore_errors: true
vars:
# Packages to install
packages:
# System
- linux-headers-amd64
- build-essential
- ssh
- mount
- vim
- neofetch
- htop
- doas
- systemd-resolved
# File Server
# - zfsutils-linux
# - samba
# USB Key
# - exfat-fuse
# - exfat-utils
- exfatprogs
# Docker
- ca-certificates
- curl
- gnupg
# TLS Certificates for Docker containers
- certbot
# VPN Client to Proxy server
# Now handled in the docker containers themselves via gluetun however wireguard tools still used for generating keys
# - wireguard
- wireguard-tools
# Firewall
- iptables-persistent
available_servicedirs: []
tasks:
- name: Apply default doas configuration allowing wheel group users to elevate commands with prompt
become: yes
template:
src: root_resources/etc/doas.conf
dest: "/etc/doas.conf"
- name: Temporarily disable doas pass prompt as doas persist does not work within scripts
become: yes
replace:
path: /etc/doas.conf
regexp: 'persist'
replace: 'nopass'
# System Setup
- name: Ensure .bashrc is updated
template:
src: home_resources/.bashrc
dest: "~/.bashrc"
- name: Add contrib
become: yes
replace:
dest: /etc/apt/sources.list
regexp: '^(deb(?!.* contrib).*)'
replace: '\1 contrib'
# Custom Helper Scripts
- name: Create the local bin dir if it does not exist
ansible.builtin.file:
path: "~/.local/bin"
state: directory
mode: '0755'
- name: Ensure custom scripts are added to local bin dir
template:
src: "home_resources/.local/bin/{{ item }}"
dest: "~/.local/bin/{{ item }}"
mode: '0777'
loop:
- spark_ansible-playbook.sh
- spark_ansible-editvault.sh
- spark_ansible-viewvault.sh
# DNS Config
- name: Ensure DNS configuration is updated
become: yes
template:
src: root_resources/etc/resolv.conf
dest: "/etc/resolv.conf"
# Package Config
- name: Ensure list of packages is installed
become: yes
apt:
name: '{{ packages }}'
state: present
update_cache: true
- name: Enable Systemd Resolved for DNS queries
become: yes
ansible.builtin.systemd:
name: systemd-resolved
enabled: yes
state: started
- name: Ensure USB key mountpoint exists
become: yes
ansible.builtin.file:
path: "{{ usbkey_mountdir }}"
state: directory
# FStab Config
- name: Mount up USB key by UUID
become: yes
ansible.posix.mount:
path: '{{ usbkey_mountdir }}'
src: UUID={{ usbkey_uuid }}
fstype: exfat
opts: nofail,dmask=0000,fmask=0111,gid=1000,uid=1000
state: present
# SSH Server Setup
- name: Enable SSH
become: yes
ansible.builtin.systemd:
name: ssh
enabled: yes
state: started
- name: Ensure ssh configuration directory exists
ansible.builtin.file:
path: "~/.ssh"
state: directory
owner: "{{ admin_user_name }}"
group: "{{ admin_user_name }}"
mode: '1700'
- name: Ensure local ssh configuration is updated
template:
src: home_resources/.ssh/config
dest: "~/.ssh/config"
- name: Ensure sshd configuration is updated
become: yes
template:
src: root_resources/etc/ssh/sshd_config
dest: "/etc/ssh/sshd_config"
# Wireguard VPN Client Setup
# Now handled in the docker containers themselves via gluetun
# - name: Ensure wireguard client configuration is updated
# template:
# src: root_resources/etc/wireguard/wg0.conf
# dest: "/etc/wireguard/wg0.conf"
# - name: Ensure wireguard can find resolvconf on SystemD init systems # (This is for SystemD init systems, on systemd systems resolvectl is used instead)
# ansible.builtin.file:
# src: /usr/bin/resolvectl
# dest: "/usr/local/bin/resolvconf"
# state: link
# - name: Enable wireguard client
# ansible.builtin.systemd:
# name: wg-quick@wg0
# enabled: yes
# state: started
# Docker Setup
- name: Add Docker GPG apt Key
become: yes
apt_key:
url: https://download.docker.com/linux/debian/gpg
state: present
- name: Add Docker Repository
become: yes
apt_repository:
repo: deb https://download.docker.com/linux/debian bullseye stable
state: present
- name: Install docker packages
become: yes
apt:
pkg:
- docker-ce
- docker-ce-cli
- containerd.io
- docker-buildx-plugin
- docker-compose-plugin
state: present
update_cache: true
# Each respective service will have a user associated to it to ensure it'll be able to only edit the files in their folder in the service directory
# Services Configuration - Groups
- name: "Create admin user {{ admin_user_name }}"
become: yes
ansible.builtin.user:
name: "{{ admin_user_name }}"
state: present
groups: wheel,docker
append: yes
- name : Find all service directories available in ansible configuration
find:
paths: "{{ ansibleconf_directory }}/services"
file_type: directory
use_regex: yes
patterns: ['service_']
recurse: no
register: findoutput
- name: Add found ansible configuration service directories to service directories variable
#no_log: true
set_fact:
available_servicedirs: "{{ available_servicedirs + [item.path | split('/') | last]}}"
with_items: "{{ findoutput.files }}"
- name: Automatically create service users based on found ansible conf service directories
become: yes
ansible.builtin.user:
name: "{{ item }}"
state: present
groups: docker
append: yes
loop: "{{ available_servicedirs }}"
# Services Configuration - Permissions
# Services
- name: Ensure service directory exists
become: yes
ansible.builtin.file:
path: "{{ services_directory }}"
state: directory
owner: root
group: root
mode: '1755'
- name: Automatically create all services directory based on found ansible conf service directories
become: yes
ansible.builtin.file:
path: "{{ services_directory }}/{{ item }}"
state: directory
owner: "{{ item }}"
group: "{{ item }}"
mode: '1700'
loop: "{{ available_servicedirs }}"
- name: Reset doas configuration back to default
become: yes
template:
src: root_resources/etc/doas.conf
dest: "/etc/doas.conf"
# End
- name: Debug Finish message
debug:
msg: Ansible playbook has finished!

47
serversecrets.example Executable file
View File

@ -0,0 +1,47 @@
# Server secrets example, to be encrypted with ansible vault and called serversecrets.enc
admin_user_name: admin
# Ansible Configuration Directory - Where all the ansible playbooks are stored
ansibleconf_directory: ~/client-ansible-setup
# Services Directory - Where all service data and docker configuration will be deployed
services_directory: /services
domain_name: ***.com
# Primarily used in resources
proxy_server_hostname: ***
proxy_server_username: ***
proxy_server_ip: 127.0.0.1
proxy_server_ssh_port: 22
proxy_server_vpn_port: 51820
# VPN Config
# VPN Server Private Key
vpn_server_privkey: ***
# VPN Server Public Key
vpn_server_pubkey: ***
# VPN Client Private Keys
mail_service_privkey: ***
invidious_service_privkey: ***
searxng_service_privkey: ***
nextcloud_service_privkey: ***
chat_service_privkey: ***
minecraft_service_privkey: ***
user_privkey: ***
# VPN Client Public Keys
mail_service_pubkey: ***
invidious_service_pubkey: ***
searxng_service_pubkey: ***
nextcloud_service_pubkey: ***
chat_service_pubkey: ***
minecraft_service_pubkey: ***
user_pubkey: ***
# USB Encryption Key
usbkey_uuid: ***
usbkey_mountdir: /mnt
usbkey_keysdir: /mnt/keys

19
services/network-conf.yml Executable file
View File

@ -0,0 +1,19 @@
# We will create a network that will be tunneled via the VPN
# Dummy Service Config
# NOW HANDLED BY GLUTUN VPN CLIENT CONTAINERS INSTEAD
services:
hello_world:
image: hello-world:latest
networks:
bridge-vpn:
ipv4_address: 11.5.0.255
networks:
bridge-vpn:
driver: bridge
driver_opts:
com.docker.network.bridge.name: bridge-vpn
com.docker.network.driver.enable_ip_masquerade: 0
ipam:
config:
- subnet: 11.5.0.0/16
gateway: 11.5.0.1

124
services/old_chat/.env Executable file
View File

@ -0,0 +1,124 @@
##
## Quark configuration
##
# MongoDB
MONGODB=mongodb://127.0.0.1
# Redis
REDIS_URI=redis://127.0.0.1/
# Hostname used for Caddy
# This should in most cases match REVOLT_APP_URL
HOSTNAME=https://chat.{{ domain_name }}
# URL to where the Revolt app is publicly accessible
REVOLT_APP_URL=https://chat.{{ domain_name }}
# URL to where the API is publicly accessible
REVOLT_PUBLIC_URL=https://chat.{{ domain_name }}/api
VITE_API_URL=https://chat.{{ domain_name }}/api
# URL to where the WebSocket server is publicly accessible
REVOLT_EXTERNAL_WS_URL=wss://chat.{{ domain_name }}/ws
# URL to where Autumn is publicly available
AUTUMN_PUBLIC_URL=https://chat.{{ domain_name }}/autumn
# URL to where January is publicly available
JANUARY_PUBLIC_URL=https://chat.{{ domain_name }}/january
# URL to where Vortex is publicly available
VOSO_PUBLIC_URL=https://chat.{{ domain_name }}/vortex
VOSO_WS_HOST=wss://chat.{{ domain_name }}/wsvortex
VOSO_MANAGE_TOKEN={{ service_chat_voso_manage_token }}
##
## hCaptcha Settings
##
# If you are sure that you don't want to use hCaptcha, set to 1.
REVOLT_UNSAFE_NO_CAPTCHA=1
# hCaptcha API key (This is the "Secret key" from your User Settings page)
# REVOLT_HCAPTCHA_KEY=0x0000000000000000000000000000000000000000
# hCaptcha site key
# REVOLT_HCAPTCHA_SITEKEY=10000000-ffff-ffff-ffff-000000000001
##
## Email Settings
##
# If you are sure that you don't want to use email verification, set to 1.
REVOLT_UNSAFE_NO_EMAIL=1
# SMTP host
# REVOLT_SMTP_HOST=smtp.example.com
# SMTP username
# REVOLT_SMTP_USERNAME=noreply@example.com
# SMTP password
# REVOLT_SMTP_PASSWORD=CHANGEME
# SMTP From header
# REVOLT_SMTP_FROM=Revolt <noreply@example.com>
##
## Application Settings
##
# Whether to only allow users to sign up if they have an invite code
REVOLT_INVITE_ONLY=1
# Maximum number of people that can be in a group chat
REVOLT_MAX_GROUP_SIZE=150
# Maximum number of servers a user can be in
REVOLT_MAX_SERVER_COUNT=100
# VAPID keys for push notifications
# Generate using this guide: https://gitlab.insrt.uk/revolt/delta/-/wikis/vapid
# --> Please replace these keys before going into production! <--
REVOLT_VAPID_PRIVATE_KEY={{ service_chat_revolt_vapid_private_key }}
REVOLT_VAPID_PUBLIC_KEY={{ service_chat_revolt_vapid_public_key }}
##
## Autumn configuration
##
AUTUMN_LOCAL_STORAGE_PATH=./data
# Shall use local files for autumn file server instead
# S3 Region
#AUTUMN_S3_REGION=minio
# S3 Endpoint
#AUTUMN_S3_ENDPOINT=http://127.0.0.1:19999
# MinIO Root User
#MINIO_ROOT_USER=minioautumn
# MinIO Root Password
#MINIO_ROOT_PASSWORD=f1iZ2wg7elGu7HIXISdT0BdpM9n8K4va66iLEji5fB0=
# AWS Access Key ID
#AWS_ACCESS_KEY_ID=minioautumn
# AWS Secret Key
#AWS_SECRET_ACCESS_KEY=f1iZ2wg7elGu7HIXISdT0BdpM9n8K4va66iLEji5fB0=
##
## Vortex configuration
##
MANAGE_TOKEN={{ service_chat_voso_manage_token }}
RTC_IPS=0.0.0.0,{{ proxy_server_ip }}
RTC_MIN_PORT=13000
RTC_MAX_PORT=13010
WS_URL=wss://chat.{{ domain_name }}/wsvortex

46
services/old_chat/deploy-service.yml Executable file
View File

@ -0,0 +1,46 @@
- hosts: localhost
become: 'yes'
vars:
ansible_become_method: doas
tasks:
- name: Create necessary directories
ansible.builtin.file:
path: "{{ item }}"
owner: spool1_chat
group: spool1_chat
state: directory
loop:
- /spool1/services/chat/data
- /spool1/services/chat/data/db
- /spool1/services/chat/data/files
# - name: Create necessary autumn/file server directories
# ansible.builtin.file:
# path: "/spool1/services/chat/data/files/{{ item }}"
# owner: root
# group: root
# state: directory
# loop:
# - attachments
# - avatars
# - backgrounds
# - icons
# - banners
# - emojis
- name: Copy docker compose config and other chat files
ansible.builtin.template:
src: "{{ item }}"
dest: "/spool1/services/chat/{{ item }}"
owner: spool1_chat
group: spool1_chat
loop:
- docker-compose.yml
- post-rules.txt
- .env
- vapid_key_guide
- name: Debug Finish message
debug:
msg: Ansible playbook has finished!

137
services/old_chat/docker-compose.yml Executable file
View File

@ -0,0 +1,137 @@
# {{ ansible_managed }}
version: "3.8"
services:
# Gluetun is used to connect container to VPN
chat-gluetun:
image: qmcgaw/gluetun
cap_add:
- NET_ADMIN
environment:
- VPN_SERVICE_PROVIDER=custom
- VPN_TYPE=wireguard
- VPN_ENDPOINT_IP={{ proxy_server_ip }}
- VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }}
- WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }}
- WIREGUARD_PRIVATE_KEY={{ chat_service_privkey }}
- WIREGUARD_ADDRESSES=10.0.0.6/32
# WebRTC Voice ports ranging from 13000 to 13010
- FIREWALL_VPN_INPUT_PORTS=5000,8000,9000,3000,7000,8080,53244,27271,60160,6119,42599,34902,13000,13001,13002,13003,13004,13005,13006,13007,13008,13009,13010
- FIREWALL_INPUT_PORTS=5000,8000,9000,3000,7000,8080,19999,53244,27271,60160,6119,42599,34902,13000,13001,13002,13003,13004,13005,13006,13007,13008,13009,13010
- HTTP_CONTROL_SERVER_ADDRESS=:13200 # To ensure no conflicts with the API/Delta port
volumes:
# Custom IPTables forwarding rules to forward TCP(web) traffic from port 11000 to port 80
- ./post-rules.txt:/iptables/post-rules.txt
ports:
- "53244:53244" # Default/Chat APP (Internal Container Port 5000)
- "27271:27271" # API/Delta (Internal Container Port 8000)
- "60160:60160" # Websocket/Bonfire (Internal Container Port 9000)
- "6119:6119" # Autumn (Internal Container Port 3000)
- "42599:42599" # January (Internal Container Port 7000)
- "34902:34902" # Vortex (Internal Container Port 8080)
- "13000-13010:13000-13010" # Vortex WebRTC
# MongoDB database
chat-database:
network_mode: "service:chat-gluetun"
image: mongo
restart: always
volumes:
- ./data/db:/data/db
# Redis server
chat-redis:
network_mode: "service:chat-gluetun"
image: eqalpha/keydb
restart: always
# API server (delta)
chat-api:
network_mode: "service:chat-gluetun"
image: ghcr.io/revoltchat/server:master
env_file: .env
depends_on:
- chat-database
- chat-redis
restart: always
# Events service (quark)
chat-events:
network_mode: "service:chat-gluetun"
image: ghcr.io/revoltchat/bonfire:master
env_file: .env
depends_on:
- chat-database
- chat-redis
restart: always
# Web App (revite)
chat-web:
network_mode: "service:chat-gluetun"
image: ghcr.io/revoltchat/client:master
env_file: .env
restart: always
# File server (autumn)
chat-autumn:
network_mode: "service:chat-gluetun"
image: ghcr.io/revoltchat/autumn:master
env_file: .env
depends_on:
- chat-database
# - chat-createbuckets
environment:
- AUTUMN_MONGO_URI=mongodb://127.0.0.1
# Using bind mounts/local storage instead of storage server
volumes:
- ./data/files:/data
restart: always
# Metadata and image proxy (january)
chat-january:
network_mode: "service:chat-gluetun"
image: ghcr.io/revoltchat/january:master
restart: always
# Voice service (vortex)
chat-vortex:
network_mode: "service:chat-gluetun"
image: ghcr.io/revoltchat/vortex:0.3.0-alpha.1
env_file: .env
depends_on:
- chat-api
restart: always
# Shall use local files for autumn file server instead
# # S3-compatible storage server
# chat-minio:
# network_mode: "service:chat-gluetun"
# image: minio/minio
# command: server --address ":19999" --console-address ":19998" /data
# env_file: .env
# volumes:
# - ./data/minio:/data
# restart: always
# # Create buckets for minio.
# chat-createbuckets:
# network_mode: "service:chat-gluetun"
# image: minio/mc
# depends_on:
# - chat-minio
# env_file: .env
# entrypoint: >
# /bin/sh -c "
# while ! curl -s --output /dev/null --connect-timeout 1 http://127.0.0.1:19999; do echo 'Waiting minio...' && sleep 0.1; done;
# /usr/bin/mc alias set minio http://127.0.0.1:19999 $MINIO_ROOT_USER $MINIO_ROOT_PASSWORD;
# /usr/bin/mc mb minio/attachments;
# /usr/bin/mc mb minio/avatars;
# /usr/bin/mc mb minio/backgrounds;
# /usr/bin/mc mb minio/icons;
# /usr/bin/mc mb minio/banners;
# /usr/bin/mc mb minio/emojis;
# exit 0;
# "

18
services/old_chat/post-rules.txt Executable file
View File

@ -0,0 +1,18 @@
iptables -t nat -A OUTPUT -d 10.0.0.6 -p tcp --dport 5000 -j DNAT --to-destination 10.0.0.6:53244
iptables -t nat -A OUTPUT -p tcp --dport 53244 -j REDIRECT --to-port 5000
iptables -t nat -A PREROUTING -t nat -p tcp --dport 53244 -j REDIRECT --to-port 5000
iptables -t nat -A OUTPUT -d 10.0.0.6 -p tcp --dport 8000 -j DNAT --to-destination 10.0.0.6:27271
iptables -t nat -A OUTPUT -p tcp --dport 27271 -j REDIRECT --to-port 8000
iptables -t nat -A PREROUTING -t nat -p tcp --dport 27271 -j REDIRECT --to-port 8000
iptables -t nat -A OUTPUT -d 10.0.0.6 -p tcp --dport 9000 -j DNAT --to-destination 10.0.0.6:60160
iptables -t nat -A OUTPUT -p tcp --dport 60160 -j REDIRECT --to-port 9000
iptables -t nat -A PREROUTING -t nat -p tcp --dport 60160 -j REDIRECT --to-port 9000
iptables -t nat -A OUTPUT -d 10.0.0.6 -p tcp --dport 3000 -j DNAT --to-destination 10.0.0.6:6119
iptables -t nat -A OUTPUT -p tcp --dport 6119 -j REDIRECT --to-port 3000
iptables -t nat -A PREROUTING -t nat -p tcp --dport 6119 -j REDIRECT --to-port 3000
iptables -t nat -A OUTPUT -d 10.0.0.6 -p tcp --dport 7000 -j DNAT --to-destination 10.0.0.6:42599
iptables -t nat -A OUTPUT -p tcp --dport 42599 -j REDIRECT --to-port 7000
iptables -t nat -A PREROUTING -t nat -p tcp --dport 42599 -j REDIRECT --to-port 7000
iptables -t nat -A OUTPUT -d 10.0.0.6 -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.6:34902
iptables -t nat -A OUTPUT -p tcp --dport 34902 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -t nat -p tcp --dport 34902 -j REDIRECT --to-port 8080

4
services/old_chat/servicesecrets.example Executable file
View File

@ -0,0 +1,4 @@
# Example service secrets for revolt chat docker service, to be encrypted with ansible vault and called servicesecrets.enc
service_chat_voso_manage_token: ***
service_chat_revolt_vapid_private_key: ***
service_chat_revolt_vapid_public_key: ***

19
services/old_chat/vapid_key_guide Executable file
View File

@ -0,0 +1,19 @@
vapid
VAPID keys are used to ensure that nobody else can communicate with your clients.
You can generate a private VAPID key by running:
openssl ecparam -name prime256v1 -genkey -noout -out vapid_private.pem
This creates a PEM private key. In order to use this with the server, you must first base64 encode it, then you can pass it in using an environment variable. (Make sure to remove any newlines)
base64 vapid_private.pem
To convert this to a public key, we run:
openssl ec -in vapid_private.pem -outform DER|tail -c 65|base64|tr '/+' '_-'|tr -d '\n'
The output of this command is what the clients will be receiving.

6
services/service_git/ansible.cfg Executable file
View File

@ -0,0 +1,6 @@
[defaults]
inventory = hosts
[privilege_escalation]
become_method=doas
become_ask_pass=True

25
services/service_git/deploy-service.yml Executable file
View File

@ -0,0 +1,25 @@
- hosts: localhost
become: 'yes'
vars:
ansible_become_method: doas
tasks:
- name: Create necessary directories
ansible.builtin.file:
path: "{{ item }}"
owner: service_git
group: service_git
state: directory
loop:
- "{{ services_directory }}/service_git/postgres-data"
- name: Copy docker compose config and other git files
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ services_directory }}/service_git/{{ item }}"
owner: service_git
group: service_git
loop:
- docker-compose.yml
- name: Debug Finish message
debug:
msg: Ansible playbook has finished!

67
services/service_git/docker-compose.yml Normal file
View File

@ -0,0 +1,67 @@
version: "3"
services:
# Gluetun is used to connect container to VPN
forgejo-gluetun:
image: qmcgaw/gluetun
cap_add:
- NET_ADMIN
environment:
- VPN_SERVICE_PROVIDER=custom
- VPN_TYPE=wireguard
- VPN_ENDPOINT_IP={{ proxy_server_ip }}
- VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }}
- WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }}
- WIREGUARD_PRIVATE_KEY={{ git_service_privkey }}
- WIREGUARD_ADDRESSES=10.0.0.3/32
- FIREWALL_VPN_INPUT_PORTS=3000,22,222,5432
ports:
- "3000:3000"
- "222:22"
networks:
forgejo:
forgejo:
image: codeberg.org/forgejo/forgejo:1.21
network_mode: "service:forgejo-gluetun"
environment:
# Service git UID and GID
- USER_UID=1006
- USER_GID=1007
- FORGEJO__database__DB_TYPE=postgres
- FORGEJO__database__HOST=11.1.0.22:5432
- FORGEJO__database__NAME=forgejo
- FORGEJO__database__USER=forgejo
- FORGEJO__database__PASSWD={{ service_git_postgres_pass }}
restart: always
volumes:
- ./forgejo-data:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
depends_on:
- forgejo-db
forgejo-db:
image: postgres:16-alpine
restart: always
environment:
- POSTGRES_DB=forgejo
- POSTGRES_USER=forgejo
- POSTGRES_PASSWORD={{ service_git_postgres_pass }}
volumes:
- ./postgres-data:/var/lib/postgresql/data
networks:
forgejo:
ipv4_address: 11.1.0.22
networks:
forgejo:
driver: bridge
driver_opts:
com.docker.network.bridge.name: forgejo
# com.docker.network.driver.enable_ip_masquerade: 0
ipam:
config:
- subnet: 11.1.0.0/16
# gateway: 11.5.0.1

2
services/service_git/servicesecrets.example Executable file
View File

@ -0,0 +1,2 @@
# Example service secrets for git docker service, to be encrypted with ansible vault and called servicesecrets.enc
service_git_postgres_pass: ***

36
services/service_invidious/deploy-service.yml Executable file
View File

@ -0,0 +1,36 @@
- hosts: localhost
become: 'yes'
vars:
ansible_become_method: doas
tasks:
- name: Create necessary directories
ansible.builtin.file:
path: "{{ item }}"
owner: service_invidious
group: service_invidious
state: directory
loop:
- "{{ services_directory }}/service_invidious/invidious"
- "{{ services_directory }}/service_invidious/postgresdata"
- name: Copy docker compose config and other invidious files
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ services_directory }}/service_invidious/invidious/{{ item }}"
owner: service_invidious
group: service_invidious
loop:
- docker-compose.yml
- name: Copy postgresql config and other database files
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ services_directory }}/service_invidious/postgres-data/{{ item }}"
owner: systemd-coredump
group: systemd-coredump
loop:
- postgresql.conf
- name: Debug Finish message
debug:
msg: Ansible playbook has finished!

97
services/service_invidious/docker-compose.yml Executable file
View File

@ -0,0 +1,97 @@
# {{ ansible_managed }}
version: "3"
services:
# Gluetun is used to connect container to VPN
invidious-gluetun:
image: qmcgaw/gluetun
cap_add:
- NET_ADMIN
environment:
- VPN_SERVICE_PROVIDER=custom
- VPN_TYPE=wireguard
- VPN_ENDPOINT_IP={{ proxy_server_ip }}
- VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }}
- WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }}
- WIREGUARD_PRIVATE_KEY={{ invidious_service_privkey }}
- WIREGUARD_ADDRESSES=10.0.0.3/32
- FIREWALL_VPN_INPUT_PORTS=3000,5432
ports:
- "3000:3000"
networks:
invidious:
invidious:
network_mode: "service:invidious-gluetun"
image: quay.io/invidious/invidious:latest
# image: quay.io/invidious/invidious:latest-arm64 # ARM64/AArch64 devices
# UID/GID referring to the spool1_invidious user
user: 1004:1005
# port: 3000
# external_port: 443
restart: unless-stopped
environment:
# Please read the following file for a comprehensive list of all available
# configuration options and their associated syntax:
# https://github.com/iv-org/invidious/blob/master/config/config.example.yml
INVIDIOUS_CONFIG: |
db:
dbname: invidious
user: invidious
password: "{{ service_invidious_postgres_password }}"
# host: invidious-db
host: 11.1.0.22
port: 5432
check_tables: true
# external_port:
# domain:
# https_only: false
# statistics_enabled: false
hmac_key: "{{ service_invidious_postgres_password }}"
healthcheck:
test: wget -nv --tries=1 --spider http://127.0.0.1:3000/api/v1/comments/jNQXAC9IVRw || exit 1
interval: 30s
timeout: 5s
retries: 2
logging:
options:
max-size: "1G"
max-file: "4"
depends_on:
- invidious-db
invidious-db:
image: docker.io/library/postgres:14
restart: unless-stopped
volumes:
- type: bind
source: {{ services_directory }}/service_invidious/postgres-data
target: /var/lib/postgresql/data
- ./config/sql:/config/sql
- ./docker/init-invidious-db.sh:/docker-entrypoint-initdb.d/init-invidious-db.sh
environment:
POSTGRES_DB: invidious
POSTGRES_USER: invidious
POSTGRES_PASSWORD: "{{ service_invidious_postgres_password }}"
healthcheck:
test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]
networks:
invidious:
ipv4_address: 11.1.0.22
networks:
invidious:
driver: bridge
driver_opts:
com.docker.network.bridge.name: invidious
# com.docker.network.driver.enable_ip_masquerade: 0
ipam:
config:
- subnet: 11.1.0.0/16
# gateway: 11.5.0.1
# volumes:
# postgresdata:

800
services/service_invidious/postgresql.conf Executable file
View File

@ -0,0 +1,800 @@
# {{ ansible_managed }}
# -----------------------------
# PostgreSQL configuration file
# -----------------------------
#
# This file consists of lines of the form:
#
# name = value
#
# (The "=" is optional.) Whitespace may be used. Comments are introduced with
# "#" anywhere on a line. The complete list of parameter names and allowed
# values can be found in the PostgreSQL documentation.
#
# The commented-out settings shown in this file represent the default values.
# Re-commenting a setting is NOT sufficient to revert it to the default value;
# you need to reload the server.
#
# This file is read on server startup and when the server receives a SIGHUP
# signal. If you edit the file on a running system, you have to SIGHUP the
# server for the changes to take effect, run "pg_ctl reload", or execute
# "SELECT pg_reload_conf()". Some parameters, which are marked below,
# require a server shutdown and restart to take effect.
#
# Any parameter can also be given as a command-line option to the server, e.g.,
# "postgres -c log_connections=on". Some parameters can be changed at run time
# with the "SET" SQL command.
#
# Memory units: B = bytes Time units: us = microseconds
# kB = kilobytes ms = milliseconds
# MB = megabytes s = seconds
# GB = gigabytes min = minutes
# TB = terabytes h = hours
# d = days
#------------------------------------------------------------------------------
# FILE LOCATIONS
#------------------------------------------------------------------------------
# The default values of these variables are driven from the -D command-line
# option or PGDATA environment variable, represented here as ConfigDir.
#data_directory = 'ConfigDir' # use data in another directory
# (change requires restart)
#hba_file = 'ConfigDir/pg_hba.conf' # host-based authentication file
# (change requires restart)
#ident_file = 'ConfigDir/pg_ident.conf' # ident configuration file
# (change requires restart)
# If external_pid_file is not explicitly set, no extra PID file is written.
#external_pid_file = '' # write an extra PID file
# (change requires restart)
#------------------------------------------------------------------------------
# CONNECTIONS AND AUTHENTICATION
#------------------------------------------------------------------------------
# - Connection Settings -
listen_addresses = '*'
# comma-separated list of addresses;
# defaults to 'localhost'; use '*' for all
# (change requires restart)
#port = 5432 # (change requires restart)
max_connections = 300 # (change requires restart)
#superuser_reserved_connections = 3 # (change requires restart)
#unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories
# (change requires restart)
#unix_socket_group = '' # (change requires restart)
#unix_socket_permissions = 0777 # begin with 0 to use octal notation
# (change requires restart)
#bonjour = off # advertise server via Bonjour
# (change requires restart)
#bonjour_name = '' # defaults to the computer name
# (change requires restart)
# - TCP settings -
# see "man tcp" for details
#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
# 0 selects the system default
#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds;
# 0 selects the system default
#tcp_keepalives_count = 0 # TCP_KEEPCNT;
# 0 selects the system default
#tcp_user_timeout = 0 # TCP_USER_TIMEOUT, in milliseconds;
# 0 selects the system default
#client_connection_check_interval = 0 # time between checks for client
# disconnection while running queries;
# 0 for never
# - Authentication -
#authentication_timeout = 1min # 1s-600s
#password_encryption = scram-sha-256 # scram-sha-256 or md5
#db_user_namespace = off
# GSSAPI using Kerberos
#krb_server_keyfile = 'FILE:${sysconfdir}/krb5.keytab'
#krb_caseins_users = off
# - SSL -
#ssl = off
#ssl_ca_file = ''
#ssl_cert_file = 'server.crt'
#ssl_crl_file = ''
#ssl_crl_dir = ''
#ssl_key_file = 'server.key'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1'
#ssl_min_protocol_version = 'TLSv1.2'
#ssl_max_protocol_version = ''
#ssl_dh_params_file = ''
#ssl_passphrase_command = ''
#ssl_passphrase_command_supports_reload = off
#------------------------------------------------------------------------------
# RESOURCE USAGE (except WAL)
#------------------------------------------------------------------------------
# - Memory -
shared_buffers = 512MB # min 128kB
# (change requires restart)
#huge_pages = try # on, off, or try
# (change requires restart)
#huge_page_size = 0 # zero for system default
# (change requires restart)
#temp_buffers = 8MB # min 800kB
#max_prepared_transactions = 0 # zero disables the feature
# (change requires restart)
# Caution: it is not advisable to set max_prepared_transactions nonzero unless
# you actively intend to use prepared transactions.
#work_mem = 4MB # min 64kB
#hash_mem_multiplier = 1.0 # 1-1000.0 multiplier on hash table work_mem
#maintenance_work_mem = 64MB # min 1MB
#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem
#logical_decoding_work_mem = 64MB # min 64kB
#max_stack_depth = 2MB # min 100kB
#shared_memory_type = mmap # the default is the first option
# supported by the operating system:
# mmap
# sysv
# windows
# (change requires restart)
dynamic_shared_memory_type = posix # the default is the first option
# supported by the operating system:
# posix
# sysv
# windows
# mmap
# (change requires restart)
#min_dynamic_shared_memory = 0MB # (change requires restart)
# - Disk -
#temp_file_limit = -1 # limits per-process temp file space
# in kilobytes, or -1 for no limit
# - Kernel Resources -
#max_files_per_process = 1000 # min 64
# (change requires restart)
# - Cost-Based Vacuum Delay -
#vacuum_cost_delay = 0 # 0-100 milliseconds (0 disables)
#vacuum_cost_page_hit = 1 # 0-10000 credits
#vacuum_cost_page_miss = 2 # 0-10000 credits
#vacuum_cost_page_dirty = 20 # 0-10000 credits
#vacuum_cost_limit = 200 # 1-10000 credits
# - Background Writer -
#bgwriter_delay = 200ms # 10-10000ms between rounds
#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables
#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round
#bgwriter_flush_after = 512kB # measured in pages, 0 disables
# - Asynchronous Behavior -
#backend_flush_after = 0 # measured in pages, 0 disables
#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching
#maintenance_io_concurrency = 10 # 1-1000; 0 disables prefetching
#max_worker_processes = 8 # (change requires restart)
#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers
#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers
#max_parallel_workers = 8 # maximum number of max_worker_processes that
# can be used in parallel operations
#parallel_leader_participation = on
#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate
# (change requires restart)
#------------------------------------------------------------------------------
# WRITE-AHEAD LOG
#------------------------------------------------------------------------------
# - Settings -
#wal_level = replica # minimal, replica, or logical
# (change requires restart)
#fsync = on # flush data to disk for crash safety
# (turning this off can cause
# unrecoverable data corruption)
#synchronous_commit = on # synchronization level;
# off, local, remote_write, remote_apply, or on
#wal_sync_method = fsync # the default is the first option
# supported by the operating system:
# open_datasync
# fdatasync (default on Linux and FreeBSD)
# fsync
# fsync_writethrough
# open_sync
#full_page_writes = on # recover from partial page writes
#wal_log_hints = off # also do full page writes of non-critical updates
# (change requires restart)
#wal_compression = off # enable compression of full-page writes
#wal_init_zero = on # zero-fill new WAL files
#wal_recycle = on # recycle WAL files
#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers
# (change requires restart)
#wal_writer_delay = 200ms # 1-10000 milliseconds
#wal_writer_flush_after = 1MB # measured in pages, 0 disables
#wal_skip_threshold = 2MB
#commit_delay = 0 # range 0-100000, in microseconds
#commit_siblings = 5 # range 1-1000
# - Checkpoints -
#checkpoint_timeout = 5min # range 30s-1d
#checkpoint_completion_target = 0.9 # checkpoint target duration, 0.0 - 1.0
#checkpoint_flush_after = 256kB # measured in pages, 0 disables
#checkpoint_warning = 30s # 0 disables
max_wal_size = 1GB
min_wal_size = 80MB
# - Archiving -
#archive_mode = off # enables archiving; off, on, or always
# (change requires restart)
#archive_command = '' # command to use to archive a logfile segment
# placeholders: %p = path of file to archive
# %f = file name only
# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
#archive_timeout = 0 # force a logfile segment switch after this
# number of seconds; 0 disables
# - Archive Recovery -
# These are only used in recovery mode.
#restore_command = '' # command to use to restore an archived logfile segment
# placeholders: %p = path of file to restore
# %f = file name only
# e.g. 'cp /mnt/server/archivedir/%f %p'
#archive_cleanup_command = '' # command to execute at every restartpoint
#recovery_end_command = '' # command to execute at completion of recovery
# - Recovery Target -
# Set these only when performing a targeted recovery.
#recovery_target = '' # 'immediate' to end recovery as soon as a
# consistent state is reached
# (change requires restart)
#recovery_target_name = '' # the named restore point to which recovery will proceed
# (change requires restart)
#recovery_target_time = '' # the time stamp up to which recovery will proceed
# (change requires restart)
#recovery_target_xid = '' # the transaction ID up to which recovery will proceed
# (change requires restart)
#recovery_target_lsn = '' # the WAL LSN up to which recovery will proceed
# (change requires restart)
#recovery_target_inclusive = on # Specifies whether to stop:
# just after the specified recovery target (on)
# just before the recovery target (off)
# (change requires restart)
#recovery_target_timeline = 'latest' # 'current', 'latest', or timeline ID
# (change requires restart)
#recovery_target_action = 'pause' # 'pause', 'promote', 'shutdown'
# (change requires restart)
#------------------------------------------------------------------------------
# REPLICATION
#------------------------------------------------------------------------------
# - Sending Servers -
# Set these on the primary and on any standby that will send replication data.
#max_wal_senders = 10 # max number of walsender processes
# (change requires restart)
#max_replication_slots = 10 # max number of replication slots
# (change requires restart)
#wal_keep_size = 0 # in megabytes; 0 disables
#max_slot_wal_keep_size = -1 # in megabytes; -1 disables
#wal_sender_timeout = 60s # in milliseconds; 0 disables
#track_commit_timestamp = off # collect timestamp of transaction commit
# (change requires restart)
# - Primary Server -
# These settings are ignored on a standby server.
#synchronous_standby_names = '' # standby servers that provide sync rep
# method to choose sync standbys, number of sync standbys,
# and comma-separated list of application_name
# from standby(s); '*' = all
#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed
# - Standby Servers -
# These settings are ignored on a primary server.
#primary_conninfo = '' # connection string to sending server
#primary_slot_name = '' # replication slot on sending server
#promote_trigger_file = '' # file name whose presence ends recovery
#hot_standby = on # "off" disallows queries during recovery
# (change requires restart)
#max_standby_archive_delay = 30s # max delay before canceling queries
# when reading WAL from archive;
# -1 allows indefinite delay
#max_standby_streaming_delay = 30s # max delay before canceling queries
# when reading streaming WAL;
# -1 allows indefinite delay
#wal_receiver_create_temp_slot = off # create temp slot if primary_slot_name
# is not set
#wal_receiver_status_interval = 10s # send replies at least this often
# 0 disables
#hot_standby_feedback = off # send info from standby to prevent
# query conflicts
#wal_receiver_timeout = 60s # time that receiver waits for
# communication from primary
# in milliseconds; 0 disables
#wal_retrieve_retry_interval = 5s # time to wait before retrying to
# retrieve WAL after a failed attempt
#recovery_min_apply_delay = 0 # minimum delay for applying changes during recovery
# - Subscribers -
# These settings are ignored on a publisher.
#max_logical_replication_workers = 4 # taken from max_worker_processes
# (change requires restart)
#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers
#------------------------------------------------------------------------------
# QUERY TUNING
#------------------------------------------------------------------------------
# - Planner Method Configuration -
#enable_async_append = on
#enable_bitmapscan = on
#enable_gathermerge = on
#enable_hashagg = on
#enable_hashjoin = on
#enable_incremental_sort = on
#enable_indexscan = on
#enable_indexonlyscan = on
#enable_material = on
#enable_memoize = on
#enable_mergejoin = on
#enable_nestloop = on
#enable_parallel_append = on
#enable_parallel_hash = on
#enable_partition_pruning = on
#enable_partitionwise_join = off
#enable_partitionwise_aggregate = off
#enable_seqscan = on
#enable_sort = on
#enable_tidscan = on
# - Planner Cost Constants -
#seq_page_cost = 1.0 # measured on an arbitrary scale
#random_page_cost = 4.0 # same scale as above
#cpu_tuple_cost = 0.01 # same scale as above
#cpu_index_tuple_cost = 0.005 # same scale as above
#cpu_operator_cost = 0.0025 # same scale as above
#parallel_setup_cost = 1000.0 # same scale as above
#parallel_tuple_cost = 0.1 # same scale as above
#min_parallel_table_scan_size = 8MB
#min_parallel_index_scan_size = 512kB
#effective_cache_size = 4GB
#jit_above_cost = 100000 # perform JIT compilation if available
# and query more expensive than this;
# -1 disables
#jit_inline_above_cost = 500000 # inline small functions if query is
# more expensive than this; -1 disables
#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if
# query is more expensive than this;
# -1 disables
# - Genetic Query Optimizer -
#geqo = on
#geqo_threshold = 12
#geqo_effort = 5 # range 1-10
#geqo_pool_size = 0 # selects default based on effort
#geqo_generations = 0 # selects default based on effort
#geqo_selection_bias = 2.0 # range 1.5-2.0
#geqo_seed = 0.0 # range 0.0-1.0
# - Other Planner Options -
#default_statistics_target = 100 # range 1-10000
#constraint_exclusion = partition # on, off, or partition
#cursor_tuple_fraction = 0.1 # range 0.0-1.0
#from_collapse_limit = 8
#jit = on # allow JIT compilation
#join_collapse_limit = 8 # 1 disables collapsing of explicit
# JOIN clauses
#plan_cache_mode = auto # auto, force_generic_plan or
# force_custom_plan
#------------------------------------------------------------------------------
# REPORTING AND LOGGING
#------------------------------------------------------------------------------
# - Where to Log -
#log_destination = 'stderr' # Valid values are combinations of
# stderr, csvlog, syslog, and eventlog,
# depending on platform. csvlog
# requires logging_collector to be on.
# This is used when logging to stderr:
#logging_collector = off # Enable capturing of stderr and csvlog
# into log files. Required to be on for
# csvlogs.
# (change requires restart)
# These are only used if logging_collector is on:
#log_directory = 'log' # directory where log files are written,
# can be absolute or relative to PGDATA
#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern,
# can include strftime() escapes
#log_file_mode = 0600 # creation mode for log files,
# begin with 0 to use octal notation
#log_rotation_age = 1d # Automatic rotation of logfiles will
# happen after that time. 0 disables.
#log_rotation_size = 10MB # Automatic rotation of logfiles will
# happen after that much log output.
# 0 disables.
#log_truncate_on_rotation = off # If on, an existing log file with the
# same name as the new log file will be
# truncated rather than appended to.
# But such truncation only occurs on
# time-driven rotation, not on restarts
# or size-driven rotation. Default is
# off, meaning append to existing files
# in all cases.
# These are relevant when logging to syslog:
#syslog_facility = 'LOCAL0'
#syslog_ident = 'postgres'
#syslog_sequence_numbers = on
#syslog_split_messages = on
# This is only relevant when logging to eventlog (Windows):
# (change requires restart)
#event_source = 'PostgreSQL'
# - When to Log -
#log_min_messages = warning # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic
#log_min_error_statement = error # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic (effectively off)
#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements
# and their durations, > 0 logs only
# statements running at least this number
# of milliseconds
#log_min_duration_sample = -1 # -1 is disabled, 0 logs a sample of statements
# and their durations, > 0 logs only a sample of
# statements running at least this number
# of milliseconds;
# sample fraction is determined by log_statement_sample_rate
#log_statement_sample_rate = 1.0 # fraction of logged statements exceeding
# log_min_duration_sample to be logged;
# 1.0 logs all such statements, 0.0 never logs
#log_transaction_sample_rate = 0.0 # fraction of transactions whose statements
# are logged regardless of their duration; 1.0 logs all
# statements from all transactions, 0.0 never logs
# - What to Log -
#debug_print_parse = off
#debug_print_rewritten = off
#debug_print_plan = off
#debug_pretty_print = on
#log_autovacuum_min_duration = -1 # log autovacuum activity;
# -1 disables, 0 logs all actions and
# their durations, > 0 logs only
# actions running at least this number
# of milliseconds.
#log_checkpoints = off
#log_connections = off
#log_disconnections = off
#log_duration = off
#log_error_verbosity = default # terse, default, or verbose messages
#log_hostname = off
#log_line_prefix = '%m [%p] ' # special values:
# %a = application name
# %u = user name
# %d = database name
# %r = remote host and port
# %h = remote host
# %b = backend type
# %p = process ID
# %P = process ID of parallel group leader
# %t = timestamp without milliseconds
# %m = timestamp with milliseconds
# %n = timestamp with milliseconds (as a Unix epoch)
# %Q = query ID (0 if none or not computed)
# %i = command tag
# %e = SQL state
# %c = session ID
# %l = session line number
# %s = session start timestamp
# %v = virtual transaction ID
# %x = transaction ID (0 if none)
# %q = stop here in non-session
# processes
# %% = '%'
# e.g. '<%u%%%d> '
#log_lock_waits = off # log lock waits >= deadlock_timeout
#log_recovery_conflict_waits = off # log standby recovery conflict waits
# >= deadlock_timeout
#log_parameter_max_length = -1 # when logging statements, limit logged
# bind-parameter values to N bytes;
# -1 means print in full, 0 disables
#log_parameter_max_length_on_error = 0 # when logging an error, limit logged
# bind-parameter values to N bytes;
# -1 means print in full, 0 disables
#log_statement = 'none' # none, ddl, mod, all
#log_replication_commands = off
#log_temp_files = -1 # log temporary files equal or larger
# than the specified size in kilobytes;
# -1 disables, 0 logs all temp files
log_timezone = 'Etc/UTC'
#------------------------------------------------------------------------------
# PROCESS TITLE
#------------------------------------------------------------------------------
#cluster_name = '' # added to process titles if nonempty
# (change requires restart)
#update_process_title = on
#------------------------------------------------------------------------------
# STATISTICS
#------------------------------------------------------------------------------
# - Query and Index Statistics Collector -
#track_activities = on
#track_activity_query_size = 1024 # (change requires restart)
#track_counts = on
#track_io_timing = off
#track_wal_io_timing = off
#track_functions = none # none, pl, all
#stats_temp_directory = 'pg_stat_tmp'
# - Monitoring -
#compute_query_id = auto
#log_statement_stats = off
#log_parser_stats = off
#log_planner_stats = off
#log_executor_stats = off
#------------------------------------------------------------------------------
# AUTOVACUUM
#------------------------------------------------------------------------------
#autovacuum = on # Enable autovacuum subprocess? 'on'
# requires track_counts to also be on.
#autovacuum_max_workers = 3 # max number of autovacuum subprocesses
# (change requires restart)
#autovacuum_naptime = 1min # time between autovacuum runs
#autovacuum_vacuum_threshold = 50 # min number of row updates before
# vacuum
#autovacuum_vacuum_insert_threshold = 1000 # min number of row inserts
# before vacuum; -1 disables insert
# vacuums
#autovacuum_analyze_threshold = 50 # min number of row updates before
# analyze
#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum
#autovacuum_vacuum_insert_scale_factor = 0.2 # fraction of inserts over table
# size before insert vacuum
#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze
#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum
# (change requires restart)
#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age
# before forced vacuum
# (change requires restart)
#autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for
# autovacuum, in milliseconds;
# -1 means use vacuum_cost_delay
#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for
# autovacuum, -1 means use
# vacuum_cost_limit
#------------------------------------------------------------------------------
# CLIENT CONNECTION DEFAULTS
#------------------------------------------------------------------------------
# - Statement Behavior -
#client_min_messages = notice # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# log
# notice
# warning
# error
#search_path = '"$user", public' # schema names
#row_security = on
#default_table_access_method = 'heap'
#default_tablespace = '' # a tablespace name, '' uses the default
#default_toast_compression = 'pglz' # 'pglz' or 'lz4'
#temp_tablespaces = '' # a list of tablespace names, '' uses
# only default tablespace
#check_function_bodies = on
#default_transaction_isolation = 'read committed'
#default_transaction_read_only = off
#default_transaction_deferrable = off
#session_replication_role = 'origin'
#statement_timeout = 0 # in milliseconds, 0 is disabled
#lock_timeout = 0 # in milliseconds, 0 is disabled
#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled
#idle_session_timeout = 0 # in milliseconds, 0 is disabled
#vacuum_freeze_table_age = 150000000
#vacuum_freeze_min_age = 50000000
#vacuum_failsafe_age = 1600000000
#vacuum_multixact_freeze_table_age = 150000000
#vacuum_multixact_freeze_min_age = 5000000
#vacuum_multixact_failsafe_age = 1600000000
#bytea_output = 'hex' # hex, escape
#xmlbinary = 'base64'
#xmloption = 'content'
#gin_pending_list_limit = 4MB
# - Locale and Formatting -
datestyle = 'iso, mdy'
#intervalstyle = 'postgres'
timezone = 'Etc/UTC'
#timezone_abbreviations = 'Default' # Select the set of available time zone
# abbreviations. Currently, there are
# Default
# Australia (historical usage)
# India
# You can create your own file in
# share/timezonesets/.
#extra_float_digits = 1 # min -15, max 3; any value >0 actually
# selects precise output mode
#client_encoding = sql_ascii # actually, defaults to database
# encoding
# These settings are initialized by initdb, but they can be changed.
lc_messages = 'en_US.utf8' # locale for system error message
# strings
lc_monetary = 'en_US.utf8' # locale for monetary formatting
lc_numeric = 'en_US.utf8' # locale for number formatting
lc_time = 'en_US.utf8' # locale for time formatting
# default configuration for text search
default_text_search_config = 'pg_catalog.english'
# - Shared Library Preloading -
#local_preload_libraries = ''
#session_preload_libraries = ''
#shared_preload_libraries = '' # (change requires restart)
#jit_provider = 'llvmjit' # JIT library to use
# - Other Defaults -
#dynamic_library_path = '$libdir'
#extension_destdir = '' # prepend path when loading extensions
# and shared objects (added by Debian)
#gin_fuzzy_search_limit = 0
#------------------------------------------------------------------------------
# LOCK MANAGEMENT
#------------------------------------------------------------------------------
#deadlock_timeout = 1s
#max_locks_per_transaction = 64 # min 10
# (change requires restart)
#max_pred_locks_per_transaction = 64 # min 10
# (change requires restart)
#max_pred_locks_per_relation = -2 # negative values mean
# (max_pred_locks_per_transaction
# / -max_pred_locks_per_relation) - 1
#max_pred_locks_per_page = 2 # min 0
#------------------------------------------------------------------------------
# VERSION AND PLATFORM COMPATIBILITY
#------------------------------------------------------------------------------
# - Previous PostgreSQL Versions -
#array_nulls = on
#backslash_quote = safe_encoding # on, off, or safe_encoding
#escape_string_warning = on
#lo_compat_privileges = off
#quote_all_identifiers = off
#standard_conforming_strings = on
#synchronize_seqscans = on
# - Other Platforms and Clients -
#transform_null_equals = off
#------------------------------------------------------------------------------
# ERROR HANDLING
#------------------------------------------------------------------------------
#exit_on_error = off # terminate session on any error?
#restart_after_crash = on # reinitialize after backend crash?
#data_sync_retry = off # retry or panic on failure to fsync
# data?
# (change requires restart)
#recovery_init_sync_method = fsync # fsync, syncfs (Linux 5.8+)
#------------------------------------------------------------------------------
# CONFIG FILE INCLUDES
#------------------------------------------------------------------------------
# These options allow settings to be loaded from files other than the
# default postgresql.conf. Note that these are directives, not variable
# assignments, so they can usefully be given more than once.
#include_dir = '...' # include files ending in '.conf' from
# a directory, e.g., 'conf.d'
#include_if_exists = '...' # include file only if it exists
#include = '...' # include file
#------------------------------------------------------------------------------
# CUSTOMIZED OPTIONS
#------------------------------------------------------------------------------
# Add settings for extensions here

2
services/service_invidious/servicesecrets.example Executable file
View File

@ -0,0 +1,2 @@
# Example service secrets for invidious docker service, to be encrypted with ansible vault and called servicesecrets.enc
service_invidious_postgres_pass: ***

32
services/service_mail/certbot-docker-compose-initrenew.yml Executable file
View File

@ -0,0 +1,32 @@
# {{ ansible_managed }}
# Docker Compose to create certificate for mail domain
# Do not run this and mailserver at same time (Uses the same VPN config and hostname)
# TODO: Would be nice at some point to be able to use a different port exposed on mail.{{ domain_name }} for privacy aside from the default port 80. Could not get it working though, certbot has issues even when proxying from one port to port 80. Seems to be an issue with Gluetun and Certbot being only able to bind to ipv6 port 80.
services:
# Gluetun is used to connect container to VPN
certbot-gluetun:
image: qmcgaw/gluetun
cap_add:
- NET_ADMIN
environment:
- VPN_SERVICE_PROVIDER=custom
- VPN_TYPE=wireguard
- VPN_ENDPOINT_IP={{ proxy_server_ip }}
- VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }}
- WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }}
- WIREGUARD_PRIVATE_KEY={{ mail_service_privkey }}
- WIREGUARD_ADDRESSES=10.0.0.2/32
- FIREWALL_VPN_INPUT_PORTS=80,443
ports:
- "80:80" # HTTP
certbot:
image: certbot/certbot
network_mode: "service:certbot-gluetun"
volumes:
- ./data/certbot/certs:/etc/letsencrypt
- ./data/certbot/logs:/var/log/letsencrypt
- /etc/localtime:/etc/localtime:ro
entrypoint: sh -c "sleep 15 && certbot certonly --standalone -d mail.{{ domain_name }} --noninteractive --agree-tos --email alerts@{{ domain_name }} --no-eff-email"

123
services/service_mail/data/config/dovecot-masteroverride.conf Executable file
View File

@ -0,0 +1,123 @@
# {{ ansible_managed }}
#default_process_limit = 100
#default_client_limit = 1000
mail_max_userip_connections = 100
# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M
# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull
# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot
service imap-login {
inet_listener imap {
port = 143
haproxy = yes
}
inet_listener imaps {
port = 993
ssl = yes
haproxy = yes
}
# Number of connections to handle before starting a new process. Typically
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
# is faster. <doc/wiki/LoginProcess.txt>
service_count = 1
# Number of processes to always keep waiting for more connections.
#process_min_avail = 0
# If you set service_count=0, you probably need to grow this.
#vsz_limit = $default_vsz_limit
}
#service pop3-login {
# inet_listener pop3 {
# #port = 110
# }
# inet_listener pop3s {
# port = 995
# ssl = yes
# }
#}
!include lmtp-master.inc
service imap {
# Most of the memory goes to mmap()ing files. You may need to increase this
# limit if you have huge mailboxes.
#vsz_limit = $default_vsz_limit
# Max. number of IMAP processes (connections)
#process_limit = 1024
}
#service pop3 {
# Max. number of POP3 processes (connections)
#process_limit = 1024
#}
service auth {
# auth_socket_path points to this userdb socket by default. It's typically
# used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
# full permissions to this socket are able to get a list of all usernames and
# get the results of everyone's userdb lookups.
#
# The default 0666 mode allows anyone to connect to the socket, but the
# userdb lookups will succeed only if the userdb returns an "uid" field that
# matches the caller process's UID. Also if caller's uid or gid matches the
# socket's uid or gid the lookup succeeds. Anything else causes a failure.
#
# To give the caller full permissions to lookup all users, set the mode to
# something else than 0666 and Dovecot lets the kernel enforce the
# permissions (e.g. 0777 allows everyone full permissions).
unix_listener auth-userdb {
mode = 0666
user = docker
group = docker
}
unix_listener auth-master {
mode = 0600
user = docker
group = docker
}
# Postfix smtp-auth
unix_listener /dev/shm/sasl-auth.sock {
mode = 0660
user = postfix
group = postfix
}
# Auth process is run as this user.
#user = $default_internal_user
}
service auth-worker {
# Auth worker process is run as root by default, so that it can access
# /etc/shadow. If this isn't necessary, the user should be changed to
# $default_internal_user.
#user = root
}
service dict {
# If dict proxy is used, mail processes should have access to its socket.
# For example: mode=0660, group=vmail and global mail_access_groups=vmail
unix_listener dict {
#mode = 0600
#user =
#group =
}
}
!include chroot.inc

20
services/service_mail/data/config/postfix-main.cf Executable file
View File

@ -0,0 +1,20 @@
# {{ ansible_managed }}
# SASL
# specify SASL type
smtpd_sasl_auth_enable = yes
# specify SASL type
smtpd_sasl_type = dovecot
# path to the SASL socket relative to postfix spool directory i.e. /var/spool/postfix
smtpd_sasl_path = /dev/shm/sasl-auth.sock
# SASL default policy
smtpd_sasl_security_options = noanonymous
# postfix appends the domain name for SASL logins that do not have the domain part
smtpd_sasl_local_domain = $mydomain
# for legacy application compatibility
broken_sasl_auth_clients = yes

10
services/service_mail/data/config/postfix-master.cf Executable file
View File

@ -0,0 +1,10 @@
# {{ ansible_managed }}
# SMTP configuration for haproxy
smtp/inet/postscreen_upstream_proxy_protocol=haproxy
smtp/inet/postscreen_cache_map=btree:$data_directory/postscreen_25_cache
smtp/inet/syslog_name=postfix/25
submission/inet/smtpd_upstream_proxy_protocol=haproxy
smtps/inet/smtpd_upstream_proxy_protocol=haproxy

26
services/service_mail/data/config/rspamd/override.d/dkim_signing.conf Executable file
View File

@ -0,0 +1,26 @@
# {{ ansible_managed }}
# documentation: https://rspamd.com/doc/modules/dkim_signing.html
enabled = true;
sign_authenticated = true;
sign_local = true;
use_domain = "header";
use_redis = false; # don't change unless Redis also provides the DKIM keys
use_esld = true;
# Rspamd will then check whether your private key matches your public key, and you can check possible mismatches by looking at /var/log/supervisor/rspamd.log
check_pubkey = true; # you wan't to use this in the beginning
# allow_hdrfrom_mismatch = true;
# allow_username_mismatch = true;
domain {
{{ domain_name }} {
path = "/tmp/docker-mailserver/rspamd/dkim/rsa-2048-mail-{{ domain_name }}.private.txt";
selector = "mail";
}
}

31
services/service_mail/data/config/user-patches.sh Executable file
View File

@ -0,0 +1,31 @@
#!/bin/bash
# {{ ansible_managed }}
# This user patches script runs right before starting the daemons.
# That means, all the other configuration is in place, so the script
# can make final adjustments.
# If you modify any supervisord configuration, make sure to run
# "supervisorctl update" or "supervisorctl reload" afterwards.
# For more information, see
# https://docker-mailserver.github.io/docker-mailserver/edge/config/advanced/override-defaults/user-patches/
echo 'patching /etc/postfix/maps/sender_header_filter.pcre'
sed -i '1i\
/^Received: .*/ IGNORE
' /etc/postfix/maps/sender_header_filter.pcre
echo 'patching /etc/dovecot/conf.d/10-master.conf'
cp -f /tmp/docker-mailserver/dovecot-masteroverride.conf /etc/dovecot/conf.d/10-master.conf
echo 'patching /etc/dovecot/dovecot.conf'
echo -e 'haproxy_trusted_networks = {{ vpn_server_ip }}\nhaproxy_timeout = 3s' >> /etc/dovecot/dovecot.conf
#echo 'patching /etc/postfix/master.cf'
#cp -f /tmp/docker-mailserver/postfix-masteroverride.cf /etc/postfix/master.cf
#echo 'patching /etc/postfix/main.cf'
#cp -f /tmp/docker-mailserver/postfix-mainoverride.cf /etc/postfix/main.cf
echo 'user-patches.sh successfully executed'

47
services/service_mail/deploy-service.yml Executable file
View File

@ -0,0 +1,47 @@
- hosts: localhost
become: 'yes'
vars:
ansible_become_method: doas
tasks:
- name: Create necessary directories
ansible.builtin.file:
path: "{{ item }}"
owner: service_mail
group: service_mail
state: directory
loop:
- "{{ services_directory }}/service_mail/data"
- "{{ services_directory }}/service_mail/data/mail-data"
- "{{ services_directory }}/service_mail/data/mail-state"
- "{{ services_directory }}/service_mail/data/mail-logs"
- "{{ services_directory }}/service_mail/data/config"
- "{{ services_directory }}/service_mail/data/config/rspamd/"
- "{{ services_directory }}/service_mail/data/config/rspamd/override.d/"
- "{{ services_directory }}/service_mail/data/certbot/certs"
- "{{ services_directory }}/service_mail/data/certbot/logs"
- name: Copy configuration files
ansible.builtin.template:
src: "data/config/{{ item }}"
dest: "{{ services_directory }}/service_mail/data/config/{{ item }}"
owner: service_mail
group: service_mail
loop:
- dovecot-masteroverride.conf
- postfix-master.cf
- postfix-main.cf
- user-patches.sh
- rspamd/override.d/dkim_signing.conf
- name: Copy docker compose config and other files
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ services_directory }}/service_mail/{{ item }}"
owner: service_mail
group: service_mail
loop:
- docker-compose.yml
- certbot-docker-compose-initrenew.yml
- myconfig.org
- name: Debug Finish message
debug:
msg: Ansible playbook has finished!

59
services/service_mail/docker-compose.yml Executable file
View File

@ -0,0 +1,59 @@
# {{ ansible_managed }}
services:
# Gluetun is used to connect container to VPN
mailserver-gluetun:
image: qmcgaw/gluetun
cap_add:
- NET_ADMIN
environment:
- VPN_SERVICE_PROVIDER=custom
- VPN_TYPE=wireguard
- VPN_ENDPOINT_IP={{ proxy_server_ip }}
- VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }}
- WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }}
- WIREGUARD_PRIVATE_KEY={{ mail_service_privkey }}
- WIREGUARD_ADDRESSES=10.0.0.2/32
- FIREWALL_VPN_INPUT_PORTS=25,465,587,993,143
ports:
- "25:25" # Cleartext
- "465:465" # ESMTP Implicit TLS / Appears to be used
- "587:587" # SMTP+STARTTLS Explicit TLS / Appears to be used
- "993:993" # IMAPS Implicit TLS / Appears to not be used
- "143:143" # IMAPS IMAP+STARTTLS Explicit TLS / Appears to be used
mailserver:
network_mode: "service:mailserver-gluetun"
image: ghcr.io/docker-mailserver/docker-mailserver:latest
container_name: mailserver
# Provide the FQDN of your mail server here (Your DNS MX record should point to this value)
# hostname: mail.{{ domain_name }}
volumes:
- ./data/mail-data/:/var/mail/
- ./data/mail-state/:/var/mail-state/
- ./data/mail-logs/:/var/log/mail/
- ./data/config/:/tmp/docker-mailserver/
- ./data/certbot/certs/:/etc/letsencrypt
- /etc/localtime:/etc/localtime:ro
environment:
- OVERRIDE_HOSTNAME=mail.{{ domain_name }}
# SSL Configuration
# Having issues with letsencrypt SSL_TYPE not being able to find the paths so just adding the keys manually
# - SSL_TYPE=letsencrypt
- SSL_TYPE=manual
# Values should match the file paths inside the container:
- SSL_CERT_PATH=/etc/letsencrypt/live/mail.{{ domain_name }}/fullchain.pem
- SSL_KEY_PATH=/etc/letsencrypt/live/mail.{{ domain_name }}/privkey.pem
- ENABLE_SASLAUTHD=1
- ENABLE_FAIL2BAN=1
- ENABLE_RSPAMD=1
- ENABLE_OPENDKIM=0
- ENABLE_OPENDMARC=0
- ENABLE_POLICYD_SPF=0
- ENABLE_AMAVIS=0
- ENABLE_SPAMASSASSIN=0
- ENABLE_CLAMAV=0
cap_add:
- NET_ADMIN # For Fail2Ban to work
restart: always

25
services/service_mail/myconfig.org Executable file
View File

@ -0,0 +1,25 @@
# {{ ansible_managed }}
Sending
SMTP+STARTTLS Explicit TLS on port 587
ESMTP Implicit TLS on port 465
Overall, DMS's default configuration for SMTP looks like this:
┏━━━━ Outbound Submission ━━━━┓
┌────────────────────┐ ┌┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┐
Me -- cleartext --> ┤(25) (25)├ --- cleartext ---> ┊ ┊
Me -- TLS ---> ┤(465) My MTA │ ┊ Third-party MTA ┊
Me -- STARTTLS ---> ┤(587) │ ┊ ┊
│ (25)├ <---cleartext ---- ┊ ┊
└────────────────────┘ └┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┘
┗━━━━━━━━━━ Inbound Submission ━━━━━━━━━━┛
Retrieval
IMAP+STARTTLS Explicit TLS on port 143
IMAPS Implicit TLS on port 993
POP3 Disabled by default.

1
services/service_mail/servicesecrets.example Executable file
View File

@ -0,0 +1 @@
# Example service secrets for mail docker service, to be encrypted with ansible vault and called servicesecrets.enc

26
services/service_minecraft/deploy-service.yml Executable file
View File

@ -0,0 +1,26 @@
- hosts: localhost
become: 'yes'
vars:
ansible_become_method: doas
tasks:
- name: Create necessary directories
ansible.builtin.file:
path: "{{ item }}"
owner: service_minecraft
group: service_minecraft
state: directory
loop:
- "{{ services_directory }}/service_minecraft/data"
- name: Copy docker compose config and other files
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ services_directory }}/service_minecraft/{{ item }}"
owner: service_minecraft
group: service_minecraft
loop:
- docker-compose.yml
- post-rules.txt
- name: Debug Finish message
debug:
msg: Ansible playbook has finished!

43
services/service_minecraft/docker-compose.yml Executable file
View File

@ -0,0 +1,43 @@
# {{ ansible_managed }}
version: "3.8"
services:
# Gluetun is used to connect container to VPN
mc-gluetun:
image: qmcgaw/gluetun
cap_add:
- NET_ADMIN
environment:
- VPN_SERVICE_PROVIDER=custom
- VPN_TYPE=wireguard
- VPN_ENDPOINT_IP={{ proxy_server_ip }}
- VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }}
- WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }}
- WIREGUARD_PRIVATE_KEY={{ minecraft_service_privkey }}
- WIREGUARD_ADDRESSES=10.0.0.7/32
- FIREWALL_VPN_INPUT_PORTS=25565
ports:
- "54376:54376"
volumes:
# Custom IPTables forwarding rules to forward TCP(web) traffic from port 54376 to port 25565
- ./post-rules.txt:/iptables/post-rules.txt
mc:
image: itzg/minecraft-server
tty: true
stdin_open: true
environment:
UID: "1006" # spool1_minecraft user
GID: "1007" # spool1_minecraft group
EULA: "TRUE"
MEMORY: "1G"
INIT_MEMORY: "1G"
MAX_MEMORY: "1G"
ENABLE_ROLLING_LOGS: true
volumes:
# attach the relative directory 'data' to the container's /data path
# - ./data:/data
#
- ./data:/data

3
services/service_minecraft/post-rules.txt Executable file
View File

@ -0,0 +1,3 @@
iptables -t nat -A OUTPUT -d 10.0.0.7 -p tcp --dport 25565 -j DNAT --to-destination 10.0.0.7:54376
iptables -t nat -A OUTPUT -p tcp --dport 54376 -j REDIRECT --to-port 25565
iptables -t nat -A PREROUTING -t nat -p tcp --dport 54376 -j REDIRECT --to-port 25565

1
services/service_minecraft/servicesecrets.example Executable file
View File

@ -0,0 +1 @@
# Example service secrets for minecraft docker service, to be encrypted with ansible vault and called servicesecrets.enc

26
services/service_nextcloud/deploy-service.yml Executable file
View File

@ -0,0 +1,26 @@
- hosts: localhost
become: 'yes'
vars:
ansible_become_method: doas
tasks:
- name: Create necessary directories
ansible.builtin.file:
path: "{{ item }}"
owner: service_nextcloud
group: service_nextcloud
state: directory
loop:
- "{{ services_directory }}/service_nextcloud/nextcloud-database"
- name: Copy docker compose config and other nextcloud files
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ services_directory }}/service_nextcloud/{{ item }}"
owner: service_nextcloud
group: service_nextcloud
loop:
- docker-compose.yml
- post-rules.txt
- name: Debug Finish message
debug:
msg: Ansible playbook has finished!

68
services/service_nextcloud/docker-compose.yml Executable file
View File

@ -0,0 +1,68 @@
# {{ ansible_managed }}
version: '2'
services:
# Gluetun is used to connect container to VPN
nextcloud-gluetun:
image: qmcgaw/gluetun
cap_add:
- NET_ADMIN
environment:
- VPN_SERVICE_PROVIDER=custom
- VPN_TYPE=wireguard
- VPN_ENDPOINT_IP={{ proxy_server_ip }}
- VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }}
- WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }}
- WIREGUARD_PRIVATE_KEY={{ nextcloud_service_privkey }}
- WIREGUARD_ADDRESSES=10.0.0.5/32
- FIREWALL_VPN_INPUT_PORTS=11000,80
- FIREWALL_INPUT_PORTS=11000,80,9000,6379,5432
volumes:
# Custom IPTables forwarding rules to forward TCP(web) traffic from port 11000 to port 80
- ./post-rules.txt:/iptables/post-rules.txt
ports:
- "11000:11000"
nextcloud-cache:
network_mode: "service:nextcloud-gluetun"
image: redis:alpine
restart: always
mem_limit: 2048m
mem_reservation: 512m
command: redis-server --requirepass {{ service_nextcloud_postgres_pass }}
nextcloud-db:
network_mode: "service:nextcloud-gluetun"
image: postgres:alpine
restart: always
volumes:
- ./nextcloud-database:/var/lib/postgresql/data:Z
- /etc/localtime:/etc/localtime:ro
environment:
- POSTGRES_PASSWORD={{ service_nextcloud_postgres_pass }}
- POSTGRES_DB=nextcloud
- POSTGRES_USER=nextcloud
nextcloud:
network_mode: "service:nextcloud-gluetun"
image: nextcloud
restart: always
# links:
# - nextcloud-db
volumes:
- ./nextcloud:/var/www/html
environment:
- REDIS_HOST=127.0.0.1
- REDIS_HOST_PASSWORD={{ service_nextcloud_postgres_pass }}
- POSTGRES_PASSWORD={{ service_nextcloud_postgres_pass }}
- POSTGRES_DB=nextcloud
- POSTGRES_USER=nextcloud
- POSTGRES_HOST=127.0.0.1
# For reverse proxies
- TRUSTED_PROXIES=10.0.0.1
- OVERWRITEHOST=nextcloud.{{ domain_name }}
- OVERWRITEPROTOCOL=https
- OVERWRITECLIURL=https://nextcloud.{{ domain_name }}

3
services/service_nextcloud/post-rules.txt Executable file
View File

@ -0,0 +1,3 @@
iptables -t nat -A OUTPUT -d 10.0.0.5 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.5:11000
iptables -t nat -A OUTPUT -p tcp --dport 11000 -j REDIRECT --to-port 80
iptables -t nat -A PREROUTING -t nat -p tcp --dport 11000 -j REDIRECT --to-port 80

2
services/service_nextcloud/servicesecrets.example Executable file
View File

@ -0,0 +1,2 @@
# Example service secrets for nextcloud docker service, to be encrypted with ansible vault and called servicesecrets.enc
service_nextcloud_postgres_pass: ***

37
services/service_searxng/deploy-service.yml Executable file
View File

@ -0,0 +1,37 @@
- hosts: localhost
become: 'yes'
vars:
ansible_become_method: doas
tasks:
- name: Create necessary directories
ansible.builtin.file:
path: "{{ item }}"
owner: root
group: root
state: directory
mode: 0755
loop:
- "{{ services_directory }}/service_searxng/searxng-data"
- name: Copy docker compose config
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ services_directory }}/service_searxng/{{ item }}"
owner: service_searxng
group: service_searxng
loop:
- docker-compose.yml
- name: Copy searxng configuration files
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ services_directory }}/service_searxng/searxng-data/{{ item }}"
owner: root
group: root
mode: 0644
loop:
- settings.yml
- limiter.toml
- name: Debug Finish message
debug:
msg: Ansible playbook has finished!

65
services/service_searxng/docker-compose.yml Executable file
View File

@ -0,0 +1,65 @@
# {{ ansible_managed }}
version: '3.7'
services:
# Gluetun is used to connect container to VPN
searxng-gluetun:
image: qmcgaw/gluetun
cap_add:
- NET_ADMIN
environment:
- VPN_SERVICE_PROVIDER=custom
- VPN_TYPE=wireguard
- VPN_ENDPOINT_IP={{ proxy_server_ip }}
- VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }}
- WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }}
- WIREGUARD_PRIVATE_KEY={{ searxng_service_privkey }}
- WIREGUARD_ADDRESSES=10.0.0.4/32
- FIREWALL_VPN_INPUT_PORTS=8080
ports:
- "8080:8080"
searxng-redis:
network_mode: "service:searxng-gluetun"
container_name: redis
image: "redis:alpine"
command: redis-server --save "" --appendonly "no"
tmpfs:
- /var/lib/redis
cap_drop:
- ALL
cap_add:
- SETGID
- SETUID
- DAC_OVERRIDE
# If you want to change container listen port from default 8080 https://github.com/searxng/searxng-docker/issues/20
# Set environment variable BIND_ADDRESS, example:
# environment:
# BIND_ADDRESS=0.0.0.0:1234
# Then you can expose the newly changed port on gluetun
searxng:
network_mode: "service:searxng-gluetun"
container_name: searxng
image: searxng/searxng:latest
# UID/GID of spool1_searxng
# user: 1008:1009
# UID/GID of root
user: 0:0
volumes:
- ./searxng-data:/etc/searxng:rw
environment:
- SEARXNG_BASE_URL=http://${SEARXNG_HOSTNAME:-localhost}/
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
logging:
driver: "json-file"
options:
max-size: "1m"
max-file: "1"

42
services/service_searxng/limiter.toml Executable file
View File

@ -0,0 +1,42 @@
# {{ ansible_managed }}
[real_ip]
# Number of values to trust for X-Forwarded-For.
x_for = 1
# The prefix defines the number of leading bits in an address that are compared
# to determine whether or not an address is part of a (client) network.
ipv4_prefix = 32
ipv6_prefix = 48
[botdetection.ip_limit]
# To get unlimited access in a local network, by default link-lokal addresses
# (networks) are not monitored by the ip_limit
filter_link_local = false
# activate link_token method in the ip_limit method
link_token = false
[botdetection.ip_lists]
# In the limiter, the ip_lists method has priority over all other methods -> if
# an IP is in the pass_ip list, it has unrestricted access and it is also not
# checked if e.g. the "user agent" suggests a bot (e.g. curl).
block_ip = [
# '93.184.216.34', # IPv4 of example.org
# '257.1.1.1', # invalid IP --> will be ignored, logged in ERROR class
]
pass_ip = [
# '192.168.0.0/16', # IPv4 private network
# 'fe80::/10' # IPv6 linklocal / wins over botdetection.ip_limit.filter_link_local
]
# Activate passlist of (hardcoded) IPs from the SearXNG organization,
# e.g. `check.searx.space`.
pass_searxng_org = true

2
services/service_searxng/servicesecrets.example Executable file
View File

@ -0,0 +1,2 @@
# Example service secrets for searxng docker service, to be encrypted with ansible vault and called servicesecrets.enc
service_searxng_secret_key: ***

2017
services/service_searxng/settings.yml Executable file
View File

File diff suppressed because it is too large Load Diff

3
vpnkeys/genkey.sh Executable file
View File

@ -0,0 +1,3 @@
#!/bin/sh
privkey=$(wg genkey) sh -c 'echo "server_privkey: $privkey\nserver_pubkey: $(echo $privkey | wg pubkey)"' > newkey_out