diff --git a/prox-server-setup.yml b/prox-server-setup.yml index dbbc7cb..e56701f 100755 --- a/prox-server-setup.yml +++ b/prox-server-setup.yml @@ -101,10 +101,10 @@ # src: proxy_resources/home/mail-authserver.py # dest: ~/mail-authserver.py # HAProxy Reverse Proxy Setup - #- name: Ensure HAProxy configuration is updated - # template: - # src: proxy_resources/etc/haproxy/haproxy.cfg - # dest: "/etc/haproxy/haproxy.cfg" + - name: Ensure HAProxy configuration is updated for mail and technitium DNS reverse proxying + template: + src: proxy_resources/etc/haproxy/haproxy.cfg + dest: "/etc/haproxy/haproxy.cfg" - name: Reset doas configuration back to default become: yes diff --git a/proxy_resources/etc/haproxy/haproxy.cfg b/proxy_resources/etc/haproxy/haproxy.cfg new file mode 100755 index 0000000..2ba2fd9 --- /dev/null +++ b/proxy_resources/etc/haproxy/haproxy.cfg @@ -0,0 +1,112 @@ +# {{ ansible_managed }} + +# Mail Configuration +frontend ft_smtp + bind {{ proxy_server_ip }}:25 + mode tcp + timeout client 1m + log global + option tcplog + default_backend bk_smtp + +backend bk_smtp + mode tcp + log global +# option tcplog + timeout server 1m + timeout connect 7s + server postfix 10.0.0.2:25 send-proxy + +frontend ft_smtps + bind {{ proxy_server_ip }}:465 + mode tcp + timeout client 1m + log global + option tcplog + default_backend bk_smtps + +backend bk_smtps + mode tcp + log global +# option tcplog + timeout server 1m + timeout connect 7s + server postfix 10.0.0.2:465 send-proxy + +frontend ft_submission + bind {{ proxy_server_ip }}:587 + mode tcp + timeout client 1m + log global + option tcplog + default_backend bk_submission + +backend bk_submission + mode tcp + log global +# option tcplog + timeout server 1m + timeout connect 7s + server postfix 10.0.0.2:587 send-proxy + + +frontend ft_imaps + bind {{ proxy_server_ip }}:993 + mode tcp + timeout client 1m + default_backend bk_imaps + +backend bk_imaps + mode tcp + balance leastconn + stick store-request src + stick-table type ip size 200k expire 30m + timeout server 1m + timeout connect 7s + server imaps1 10.0.0.2:993 send-proxy-v2 + +frontend ft_imap + bind {{ proxy_server_ip }}:143 + mode tcp + timeout client 1m + default_backend bk_imap + +backend bk_imap + mode tcp + balance leastconn + stick store-request src + stick-table type ip size 200k expire 30m + timeout server 1m + timeout connect 7s + server imap1 10.0.0.2:143 send-proxy-v2 + +# Technitium DNS Server Configuration +frontend ft_technitium_tcp + bind {{ proxy_server_ip }}:53 + mode tcp + timeout client 1m + default_backend bk_technitium_tcp + +backend bk_technitium_tcp + mode tcp + balance leastconn + stick store-request src + stick-table type ip size 200k expire 30m + timeout server 1m + timeout connect 7s + server 10.0.0.10:53 send-proxy-v2 + +frontend ft_technitium_udp + bind {{ proxy_server_ip }}:53 + mode udp + timeout client 1m + default_backend bk_technitium_udp + +backend bk_technitium_udp + mode udp + balance leastconn + stick store-request src + stick-table type ip size 200k expire 30m + timeout server 1m + timeout connect 7s + server 10.0.0.10:53 send-proxy-v2 diff --git a/proxy_resources/etc/wireguard/wg0.conf b/proxy_resources/etc/wireguard/wg0.conf index ded34dd..9f0ba46 100755 --- a/proxy_resources/etc/wireguard/wg0.conf +++ b/proxy_resources/etc/wireguard/wg0.conf @@ -55,6 +55,11 @@ PublicKey = {{ kimai_service_pubkey }} AllowedIPs = 10.0.0.8/32 PersistentKeepalive = 25 +# Technitium Service +[Peer] +PublicKey = {{ technitium_service_pubkey }} +AllowedIPs = 10.0.0.10/32 +PersistentKeepalive = 25 # Connection to backend server for nagios [Peer] diff --git a/serversecrets.example b/serversecrets.example index 7cefae9..170d63d 100755 --- a/serversecrets.example +++ b/serversecrets.example @@ -32,6 +32,7 @@ nextcloud_service_privkey: temp matrix_service_privkey: temp minecraft_service_privkey: temp kimai_service_privkey: temp +technitium_service_privkey: temp nagios_backend_privkey: temp cockpit_backend_privkey: temp user_privkey: temp @@ -45,6 +46,7 @@ nextcloud_service_pubkey: temp matrix_service_pubkey: temp minecraft_service_pubkey: temp kimai_service_pubkey: temp +technitium_service_pubkey: temp nagios_backend_pubkey: temp cockpit_backend_pubkey: temp user_pubkey: temp diff --git a/services/service_mail/prox-deploy-service.yml b/services/service_mail/prox-deploy-service.yml index a66de49..df32e91 100755 --- a/services/service_mail/prox-deploy-service.yml +++ b/services/service_mail/prox-deploy-service.yml @@ -11,12 +11,13 @@ regexp: 'persist' replace: 'nopass' - - name: Copy haproxy reverse proxy configuration to proxy - ansible.builtin.template: - src: "proxy_resources/etc/haproxy/haproxy.cfg" - dest: "/etc/haproxy/haproxy.cfg" - owner: root - group: root + # Haproxy is now handled globally again + #- name: Copy haproxy reverse proxy configuration to proxy + # ansible.builtin.template: + # src: "proxy_resources/etc/haproxy/haproxy.cfg" + # dest: "/etc/haproxy/haproxy.cfg" + # owner: root + # group: root - name: Enable HAProxy ansible.builtin.systemd: name: haproxy diff --git a/services/service_technitium/ansible.cfg b/services/service_technitium/ansible.cfg new file mode 100644 index 0000000..b46bfad --- /dev/null +++ b/services/service_technitium/ansible.cfg @@ -0,0 +1,6 @@ +[defaults] +inventory = ../../hosts + +[privilege_escalation] +become_method=doas +become_ask_pass=True diff --git a/services/service_technitium/deploy-service.yml b/services/service_technitium/deploy-service.yml new file mode 100644 index 0000000..710b39b --- /dev/null +++ b/services/service_technitium/deploy-service.yml @@ -0,0 +1,29 @@ +- hosts: localhost + become: 'yes' + vars: + ansible_become_method: doas + tasks: + - name: Create necessary directories + ansible.builtin.file: + path: "{{ item }}" + owner: service_technitium + group: service_technitium + state: directory + loop: + - "{{ services_directory }}/service_technitium/technitium-data" + - "{{ services_directory }}/service_technitium/unbound-data" + - "{{ services_directory }}/service_technitium/unbound-data/unbound" + + - name: Copy docker compose config and other git files + ansible.builtin.template: + src: "{{ item }}" + dest: "{{ services_directory }}/service_technitium/{{ item }}" + owner: service_technitium + group: service_technitium + loop: + - docker-compose.yml + - unbound-data/unbound/unbound.conf + + - name: Debug Finish message + debug: + msg: Ansible playbook has finished! diff --git a/services/service_technitium/docker-compose.yml b/services/service_technitium/docker-compose.yml new file mode 100644 index 0000000..83e606d --- /dev/null +++ b/services/service_technitium/docker-compose.yml @@ -0,0 +1,102 @@ +version: "3" +services: + + # Gluetun is used to connect container to VPN + invidious-gluetun: + image: qmcgaw/gluetun + cap_add: + - NET_ADMIN + environment: + - VPN_SERVICE_PROVIDER=custom + - VPN_TYPE=wireguard + - VPN_ENDPOINT_IP={{ proxy_server_ip }} + - VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }} + - WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }} + - WIREGUARD_PRIVATE_KEY={{ technitium_service_privkey }} + - WIREGUARD_ADDRESSES=10.0.0.10/32 + - FIREWALL_VPN_INPUT_PORTS=5380,53,5335,5432 + ports: + - "5380:5380" + - "53:53" + networks: + technitium: + deploy: + resources: + limits: + cpus: '0.10' + memory: 512M + + technitium: + network_mode: "service:invidious-gluetun" + container_name: technitium + hostname: technitium + image: technitium/dns-server:latest + # For DHCP deployments, use "host" network mode and remove all the port mappings, including the ports array by commenting them + # network_mode: "host" + #ports: + #- "5380:5380/tcp" #DNS web console (HTTP) + # - "53443:53443/tcp" #DNS web console (HTTPS) + #- "53:53/udp" #DNS service + #- "53:53/tcp" #DNS service + # - "853:853/udp" #DNS-over-QUIC service + # - "853:853/tcp" #DNS-over-TLS service + # - "443:443/udp" #DNS-over-HTTPS service (HTTP/3) + # - "443:443/tcp" #DNS-over-HTTPS service (HTTP/1.1, HTTP/2) + # - "80:80/tcp" #DNS-over-HTTP service (use with reverse proxy or certbot certificate renewal) + # - "8053:8053/tcp" #DNS-over-HTTP service (use with reverse proxy) + # - "67:67/udp" #DHCP service + environment: + - DNS_SERVER_DOMAIN=technitium #The primary domain name used by this DNS Server to identify itself. + - DNS_SERVER_ADMIN_PASSWORD={{ service_technitium_password }} #DNS web console admin user password. + # - DNS_SERVER_ADMIN_PASSWORD_FILE=password.txt #The path to a file that contains a plain text password for the DNS web console admin user. + # - DNS_SERVER_PREFER_IPV6=false #DNS Server will use IPv6 for querying whenever possible with this option enabled. + # - DNS_SERVER_WEB_SERVICE_LOCAL_ADDRESSES=172.17.0.1,127.0.0.1 #Comma separated list of network interface IP addresses that you want the web service to listen on for requests. The "172.17.0.1" address is the built-in Docker bridge. The "[::]" is the default value if not specified. Note! This must be used only with "host" network mode. + # - DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 #The TCP port number for the DNS web console over HTTP protocol. + # - DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol. + # - DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false #Enables HTTPS for the DNS web console. + # - DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false #Enables self signed TLS certificate for the DNS web console. + # - DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false #Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx. + # - DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks #Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworkACL. + # - DNS_SERVER_RECURSION_NETWORK_ACL=192.168.10.0/24, !192.168.10.2 #Comma separated list of IP addresses or network addresses to allow access. Add ! character at the start to deny access, e.g. !192.168.10.0/24 will deny entire subnet. The ACL is processed in the same order its listed. If no networks match, the default policy is to deny all except loopback. Valid only for `UseSpecifiedNetworkACL` recursion option. + # - DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24 #Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworkACL` recursion option. This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead. + # - DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24 #Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworkACL` recursion option. This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead. + - DNS_SERVER_ENABLE_BLOCKING=true #Sets the DNS server to block domain names using Blocked Zone and Block List Zone. + # - DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false #Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests. + # - DNS_SERVER_BLOCK_LIST_URLS= #A comma separated list of block list URLs. + - DNS_SERVER_FORWARDERS=11.2.0.22 #Comma separated list of forwarder addresses. + # - DNS_SERVER_FORWARDER_PROTOCOL=Tcp #Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson. + # - DNS_SERVER_LOG_USING_LOCAL_TIME=true #Enable this option to use local time instead of UTC for logging. + volumes: + - ./technitium-data:/etc/dns + sysctls: + - net.ipv4.ip_local_port_range=1024 65000 + depends_on: + - technitium-unbound + restart: unless-stopped + + # Unbound is a validating, recursive, and caching DNS resolver. Technitium will be configured to talk to this instead of a third party. + technitium-unbound: + container_name: technitium-unbound + image: mvance/unbound:latest + ports: + - 5335:5335/tcp + - 5335:5335/udp + volumes: + #- ./unbound-data/forward-records.conf:/opt/unbound/etc/unbound/forward-records.conf:ro + #- ./unbound-data/a-records.conf:/opt/unbound/etc/unbound/a-records.conf:ro + - ./unbound-data/unbound:/opt/unbound/etc/unbound/ + networks: + technitium: + ipv4_address: 11.2.0.22 + restart: unless-stopped + +networks: + technitium: + driver: bridge + driver_opts: + com.docker.network.bridge.name: technitium + # com.docker.network.driver.enable_ip_masquerade: 0 + ipam: + config: + - subnet: 11.2.0.0/16 + # gateway: 11.5.0.1 diff --git a/services/service_technitium/prox-deploy-service.yml b/services/service_technitium/prox-deploy-service.yml new file mode 100644 index 0000000..4391583 --- /dev/null +++ b/services/service_technitium/prox-deploy-service.yml @@ -0,0 +1,22 @@ +- hosts: + - "{{ proxy_server_hostname }}" + # - "{{ proxy_server_hostname }}"-defaultport + become: 'yes' + vars: + ansible_become_method: doas + tasks: + # Ensure NGinx site reverse proxy configuration is updated + - name: Ensure all NGinx site configurations are updated + template: + src: proxy_resources/etc/nginx/sites-available/technitium.domain + dest: "/etc/nginx/sites-available/technitium.{{ domain_name }}" + - name: Ensure NGinx site reverse proxy configuration is enabled + ansible.builtin.file: + src: "/etc/nginx/sites-available/technitium.{{ domain_name }}" + dest: "/etc/nginx/sites-enabled/technitium.{{ domain_name }}" + state: link + + - name: Debug Finish message + debug: + msg: Ansible playbook has finished! + diff --git a/services/service_technitium/proxy_resources/etc/nginx/sites-available/technitium.domain b/services/service_technitium/proxy_resources/etc/nginx/sites-available/technitium.domain new file mode 100755 index 0000000..0c55344 --- /dev/null +++ b/services/service_technitium/proxy_resources/etc/nginx/sites-available/technitium.domain @@ -0,0 +1,127 @@ +# {{ ansible_managed }} + +# Invidious Proxy +server { + + server_name technitium.{{ domain_name }} www.technitium.{{ domain_name }}; + + location / { + proxy_pass http://10.0.0.9:3000; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Host $host; # so Invidious knows domain + proxy_http_version 1.1; # to keep alive + proxy_set_header Connection ""; # to keep alive + include proxy_params; + } + + listen [::]:443 ssl ipv6only=on; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/{{ domain_name }}/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + +} + +# Mail Server Frontend +#server { +# # SSL configuration +# # +# # listen 443 ssl default_server; +# # listen [::]:443 ssl default_server; +# # +# # Note: You should disable gzip for SSL traffic. +# # See: https://bugs.debian.org/773332 +# # +# # Read up on ssl_ciphers to ensure a secure configuration. +# # See: https://bugs.debian.org/765782 +# # +# # Self signed certs generated by the ssl-cert package +# # Don't use them in a production server! +# # +# # include snippets/snakeoil.conf; +# +# root /var/www/html; +# +# # Add index.php to the list if you are using PHP +# index index.html index.htm index.nginx-debian.html; +# +# server_name mail.{{ domain_name }} www.mail.{{ domain_name }}; +# +# location / { +# # First attempt to serve request as file, then +# # as directory, then fall back to displaying a 404. +# try_files $uri $uri/ =404; +# } +# +# # pass PHP scripts to FastCGI server +# # +# #location ~ \.php$ { +# # include snippets/fastcgi-php.conf; +# # +# # # With php-fpm (or other unix sockets): +# # fastcgi_pass unix:/run/php/php7.4-fpm.sock; +# # # With php-cgi (or other tcp sockets): +# # fastcgi_pass 127.0.0.1:9000; +# #} +# +# # deny access to .htaccess files, if Apache's document root +# # concurs with nginx's one +# # +# #location ~ /\.ht { +# # deny all; +# #} +# +# listen [::]:443 ssl; # managed by Certbot +# listen 443 ssl; # managed by Certbot +# ssl_certificate /etc/letsencrypt/live/mail.{{ domain_name }}/fullchain.pem; # managed by Certbot +# ssl_certificate_key /etc/letsencrypt/live/mail.{{ domain_name }}/privkey.pem; # managed by Certbot +# include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot +# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot +# +# +#} + +server { + if ($host = www.invidious.{{ domain_name }}) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + if ($host = invidious.{{ domain_name }}) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + listen 80; + listen [::]:80; + + server_name invidious.{{ domain_name }} www.invidious.{{ domain_name }}; + return 404; # managed by Certbot + + + + +} +#server { +# if ($host = www.mail.{{ domain_name }}) { +# return 301 https://$host$request_uri; +# } # managed by Certbot +# +# +# if ($host = mail.{{ domain_name }}) { +# return 301 https://$host$request_uri; +# } # managed by Certbot +# +# +# listen 80; +# listen [::]:80; +# +# server_name mail.{{ domain_name }} www.mail.{{ domain_name }}; +# return 404; # managed by Certbot +# +# +# +# +#} diff --git a/services/service_technitium/servicesecrets.example b/services/service_technitium/servicesecrets.example new file mode 100644 index 0000000..8238c5c --- /dev/null +++ b/services/service_technitium/servicesecrets.example @@ -0,0 +1,2 @@ +# Example service secrets for technitium docker service, to be encrypted with ansible vault and called servicesecrets.enc +service_technitium_password: password123 diff --git a/services/service_technitium/unbound-data/unbound/unbound.conf b/services/service_technitium/unbound-data/unbound/unbound.conf new file mode 100644 index 0000000..af5f20b --- /dev/null +++ b/services/service_technitium/unbound-data/unbound/unbound.conf @@ -0,0 +1,67 @@ +server: + # {{ ansible_managed }}. For Pihole only + # If no logfile is specified, syslog is used + # logfile: "/var/log/unbound/unbound.log" + verbosity: 0 + + interface: 0.0.0.0 + port: 5335 + do-ip4: yes + do-udp: yes + do-tcp: yes + + # May be set to yes if you have IPv6 connectivity + do-ip6: no + + # You want to leave this to no unless you have *native* IPv6. With 6to4 and + # Terredo tunnels your web browser should favor IPv4 for the same reasons + prefer-ip6: no + + # Use this only when you downloaded the list of primary root servers! + # If you use the default dns-root-data package, unbound will find it automatically + #root-hints: "/var/lib/unbound/root.hints" + + # Trust glue only if it is within the server's authority + harden-glue: yes + + # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS + harden-dnssec-stripped: yes + + # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes + # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details + use-caps-for-id: no + + # Reduce EDNS reassembly buffer size. + # IP fragmentation is unreliable on the Internet today, and can cause + # transmission failures when large DNS messages are sent via UDP. Even + # when fragmentation does work, it may not be secure; it is theoretically + # possible to spoof parts of a fragmented DNS message, without easy + # detection at the receiving end. Recently, there was an excellent study + # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<< + # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/) + # in collaboration with NLnet Labs explored DNS using real world data from the + # the RIPE Atlas probes and the researchers suggested different values for + # IPv4 and IPv6 and in different scenarios. They advise that servers should + # be configured to limit DNS messages sent over UDP to a size that will not + # trigger fragmentation on typical network links. DNS servers can switch + # from UDP to TCP when a DNS response is too big to fit in this limited + # buffer size. This value has also been suggested in DNS Flag Day 2020. + edns-buffer-size: 1232 + + # Perform prefetching of close to expired message cache entries + # This only applies to domains that have been frequently queried + prefetch: yes + + # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1. + num-threads: 1 + + # Ensure kernel buffer is large enough to not lose messages in traffic spikes + so-rcvbuf: 1m + + # Ensure privacy of local IP ranges + private-address: 192.168.0.0/16 + private-address: 169.254.0.0/16 + private-address: 172.16.0.0/12 + private-address: 10.0.0.0/8 + private-address: fd00::/8 + private-address: fe80::/10