cspark
/
Client-Ansible-Setup
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Init service technitium configuration

This commit is contained in:
cspark 2024-11-06 07:52:40 +00:00
parent a1527e8c45
commit a4a972dcfb
12 changed files with 485 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
prox-server-setup.yml
View File

@ -101,10 +101,10 @@
# src: proxy_resources/home/mail-authserver.py # src: proxy_resources/home/mail-authserver.py
# dest: ~/mail-authserver.py # dest: ~/mail-authserver.py
# HAProxy Reverse Proxy Setup # HAProxy Reverse Proxy Setup
#- name: Ensure HAProxy configuration is updated - name: Ensure HAProxy configuration is updated for mail and technitium DNS reverse proxying
# template: template:
# src: proxy_resources/etc/haproxy/haproxy.cfg src: proxy_resources/etc/haproxy/haproxy.cfg
# dest: "/etc/haproxy/haproxy.cfg" dest: "/etc/haproxy/haproxy.cfg"
- name: Reset doas configuration back to default - name: Reset doas configuration back to default
become: yes become: yes

112
proxy_resources/etc/haproxy/haproxy.cfg Executable file
View File

@ -0,0 +1,112 @@
# {{ ansible_managed }}
# Mail Configuration
frontend ft_smtp
bind {{ proxy_server_ip }}:25
mode tcp
timeout client 1m
log global
option tcplog
default_backend bk_smtp
backend bk_smtp
mode tcp
log global
# option tcplog
timeout server 1m
timeout connect 7s
server postfix 10.0.0.2:25 send-proxy
frontend ft_smtps
bind {{ proxy_server_ip }}:465
mode tcp
timeout client 1m
log global
option tcplog
default_backend bk_smtps
backend bk_smtps
mode tcp
log global
# option tcplog
timeout server 1m
timeout connect 7s
server postfix 10.0.0.2:465 send-proxy
frontend ft_submission
bind {{ proxy_server_ip }}:587
mode tcp
timeout client 1m
log global
option tcplog
default_backend bk_submission
backend bk_submission
mode tcp
log global
# option tcplog
timeout server 1m
timeout connect 7s
server postfix 10.0.0.2:587 send-proxy
frontend ft_imaps
bind {{ proxy_server_ip }}:993
mode tcp
timeout client 1m
default_backend bk_imaps
backend bk_imaps
mode tcp
balance leastconn
stick store-request src
stick-table type ip size 200k expire 30m
timeout server 1m
timeout connect 7s
server imaps1 10.0.0.2:993 send-proxy-v2
frontend ft_imap
bind {{ proxy_server_ip }}:143
mode tcp
timeout client 1m
default_backend bk_imap
backend bk_imap
mode tcp
balance leastconn
stick store-request src
stick-table type ip size 200k expire 30m
timeout server 1m
timeout connect 7s
server imap1 10.0.0.2:143 send-proxy-v2
# Technitium DNS Server Configuration
frontend ft_technitium_tcp
bind {{ proxy_server_ip }}:53
mode tcp
timeout client 1m
default_backend bk_technitium_tcp
backend bk_technitium_tcp
mode tcp
balance leastconn
stick store-request src
stick-table type ip size 200k expire 30m
timeout server 1m
timeout connect 7s
server 10.0.0.10:53 send-proxy-v2
frontend ft_technitium_udp
bind {{ proxy_server_ip }}:53
mode udp
timeout client 1m
default_backend bk_technitium_udp
backend bk_technitium_udp
mode udp
balance leastconn
stick store-request src
stick-table type ip size 200k expire 30m
timeout server 1m
timeout connect 7s
server 10.0.0.10:53 send-proxy-v2

5
proxy_resources/etc/wireguard/wg0.conf
View File

@ -55,6 +55,11 @@ PublicKey = {{ kimai_service_pubkey }}
AllowedIPs = 10.0.0.8/32 AllowedIPs = 10.0.0.8/32
PersistentKeepalive = 25 PersistentKeepalive = 25
# Technitium Service
[Peer]
PublicKey = {{ technitium_service_pubkey }}
AllowedIPs = 10.0.0.10/32
PersistentKeepalive = 25
# Connection to backend server for nagios # Connection to backend server for nagios
[Peer] [Peer]

2
serversecrets.example
View File

@ -32,6 +32,7 @@ nextcloud_service_privkey: temp
matrix_service_privkey: temp matrix_service_privkey: temp
minecraft_service_privkey: temp minecraft_service_privkey: temp
kimai_service_privkey: temp kimai_service_privkey: temp
technitium_service_privkey: temp
nagios_backend_privkey: temp nagios_backend_privkey: temp
cockpit_backend_privkey: temp cockpit_backend_privkey: temp
user_privkey: temp user_privkey: temp
@ -45,6 +46,7 @@ nextcloud_service_pubkey: temp
matrix_service_pubkey: temp matrix_service_pubkey: temp
minecraft_service_pubkey: temp minecraft_service_pubkey: temp
kimai_service_pubkey: temp kimai_service_pubkey: temp
technitium_service_pubkey: temp
nagios_backend_pubkey: temp nagios_backend_pubkey: temp
cockpit_backend_pubkey: temp cockpit_backend_pubkey: temp
user_pubkey: temp user_pubkey: temp

13
services/service_mail/prox-deploy-service.yml
View File

@ -11,12 +11,13 @@
regexp: 'persist' regexp: 'persist'
replace: 'nopass' replace: 'nopass'
- name: Copy haproxy reverse proxy configuration to proxy # Haproxy is now handled globally again
ansible.builtin.template: #- name: Copy haproxy reverse proxy configuration to proxy
src: "proxy_resources/etc/haproxy/haproxy.cfg" # ansible.builtin.template:
dest: "/etc/haproxy/haproxy.cfg" # src: "proxy_resources/etc/haproxy/haproxy.cfg"
owner: root # dest: "/etc/haproxy/haproxy.cfg"
group: root # owner: root
# group: root
- name: Enable HAProxy - name: Enable HAProxy
ansible.builtin.systemd: ansible.builtin.systemd:
name: haproxy name: haproxy

6
services/service_technitium/ansible.cfg Normal file
View File

@ -0,0 +1,6 @@
[defaults]
inventory = ../../hosts
[privilege_escalation]
become_method=doas
become_ask_pass=True

29
services/service_technitium/deploy-service.yml Normal file
View File

@ -0,0 +1,29 @@
- hosts: localhost
become: 'yes'
vars:
ansible_become_method: doas
tasks:
- name: Create necessary directories
ansible.builtin.file:
path: "{{ item }}"
owner: service_technitium
group: service_technitium
state: directory
loop:
- "{{ services_directory }}/service_technitium/technitium-data"
- "{{ services_directory }}/service_technitium/unbound-data"
- "{{ services_directory }}/service_technitium/unbound-data/unbound"
- name: Copy docker compose config and other git files
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ services_directory }}/service_technitium/{{ item }}"
owner: service_technitium
group: service_technitium
loop:
- docker-compose.yml
- unbound-data/unbound/unbound.conf
- name: Debug Finish message
debug:
msg: Ansible playbook has finished!

102
services/service_technitium/docker-compose.yml Normal file
View File

@ -0,0 +1,102 @@
version: "3"
services:
# Gluetun is used to connect container to VPN
invidious-gluetun:
image: qmcgaw/gluetun
cap_add:
- NET_ADMIN
environment:
- VPN_SERVICE_PROVIDER=custom
- VPN_TYPE=wireguard
- VPN_ENDPOINT_IP={{ proxy_server_ip }}
- VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }}
- WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }}
- WIREGUARD_PRIVATE_KEY={{ technitium_service_privkey }}
- WIREGUARD_ADDRESSES=10.0.0.10/32
- FIREWALL_VPN_INPUT_PORTS=5380,53,5335,5432
ports:
- "5380:5380"
- "53:53"
networks:
technitium:
deploy:
resources:
limits:
cpus: '0.10'
memory: 512M
technitium:
network_mode: "service:invidious-gluetun"
container_name: technitium
hostname: technitium
image: technitium/dns-server:latest
# For DHCP deployments, use "host" network mode and remove all the port mappings, including the ports array by commenting them
# network_mode: "host"
#ports:
#- "5380:5380/tcp" #DNS web console (HTTP)
# - "53443:53443/tcp" #DNS web console (HTTPS)
#- "53:53/udp" #DNS service
#- "53:53/tcp" #DNS service
# - "853:853/udp" #DNS-over-QUIC service
# - "853:853/tcp" #DNS-over-TLS service
# - "443:443/udp" #DNS-over-HTTPS service (HTTP/3)
# - "443:443/tcp" #DNS-over-HTTPS service (HTTP/1.1, HTTP/2)
# - "80:80/tcp" #DNS-over-HTTP service (use with reverse proxy or certbot certificate renewal)
# - "8053:8053/tcp" #DNS-over-HTTP service (use with reverse proxy)
# - "67:67/udp" #DHCP service
environment:
- DNS_SERVER_DOMAIN=technitium #The primary domain name used by this DNS Server to identify itself.
- DNS_SERVER_ADMIN_PASSWORD={{ service_technitium_password }} #DNS web console admin user password.
# - DNS_SERVER_ADMIN_PASSWORD_FILE=password.txt #The path to a file that contains a plain text password for the DNS web console admin user.
# - DNS_SERVER_PREFER_IPV6=false #DNS Server will use IPv6 for querying whenever possible with this option enabled.
# - DNS_SERVER_WEB_SERVICE_LOCAL_ADDRESSES=172.17.0.1,127.0.0.1 #Comma separated list of network interface IP addresses that you want the web service to listen on for requests. The "172.17.0.1" address is the built-in Docker bridge. The "[::]" is the default value if not specified. Note! This must be used only with "host" network mode.
# - DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 #The TCP port number for the DNS web console over HTTP protocol.
# - DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol.
# - DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false #Enables HTTPS for the DNS web console.
# - DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false #Enables self signed TLS certificate for the DNS web console.
# - DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false #Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx.
# - DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks #Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworkACL.
# - DNS_SERVER_RECURSION_NETWORK_ACL=192.168.10.0/24, !192.168.10.2 #Comma separated list of IP addresses or network addresses to allow access. Add ! character at the start to deny access, e.g. !192.168.10.0/24 will deny entire subnet. The ACL is processed in the same order its listed. If no networks match, the default policy is to deny all except loopback. Valid only for `UseSpecifiedNetworkACL` recursion option.
# - DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24 #Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworkACL` recursion option. This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead.
# - DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24 #Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworkACL` recursion option. This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead.
- DNS_SERVER_ENABLE_BLOCKING=true #Sets the DNS server to block domain names using Blocked Zone and Block List Zone.
# - DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false #Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests.
# - DNS_SERVER_BLOCK_LIST_URLS= #A comma separated list of block list URLs.
- DNS_SERVER_FORWARDERS=11.2.0.22 #Comma separated list of forwarder addresses.
# - DNS_SERVER_FORWARDER_PROTOCOL=Tcp #Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson.
# - DNS_SERVER_LOG_USING_LOCAL_TIME=true #Enable this option to use local time instead of UTC for logging.
volumes:
- ./technitium-data:/etc/dns
sysctls:
- net.ipv4.ip_local_port_range=1024 65000
depends_on:
- technitium-unbound
restart: unless-stopped
# Unbound is a validating, recursive, and caching DNS resolver. Technitium will be configured to talk to this instead of a third party.
technitium-unbound:
container_name: technitium-unbound
image: mvance/unbound:latest
ports:
- 5335:5335/tcp
- 5335:5335/udp
volumes:
#- ./unbound-data/forward-records.conf:/opt/unbound/etc/unbound/forward-records.conf:ro
#- ./unbound-data/a-records.conf:/opt/unbound/etc/unbound/a-records.conf:ro
- ./unbound-data/unbound:/opt/unbound/etc/unbound/
networks:
technitium:
ipv4_address: 11.2.0.22
restart: unless-stopped
networks:
technitium:
driver: bridge
driver_opts:
com.docker.network.bridge.name: technitium
# com.docker.network.driver.enable_ip_masquerade: 0
ipam:
config:
- subnet: 11.2.0.0/16
# gateway: 11.5.0.1

22
services/service_technitium/prox-deploy-service.yml Normal file
View File

@ -0,0 +1,22 @@
- hosts:
- "{{ proxy_server_hostname }}"
# - "{{ proxy_server_hostname }}"-defaultport
become: 'yes'
vars:
ansible_become_method: doas
tasks:
# Ensure NGinx site reverse proxy configuration is updated
- name: Ensure all NGinx site configurations are updated
template:
src: proxy_resources/etc/nginx/sites-available/technitium.domain
dest: "/etc/nginx/sites-available/technitium.{{ domain_name }}"
- name: Ensure NGinx site reverse proxy configuration is enabled
ansible.builtin.file:
src: "/etc/nginx/sites-available/technitium.{{ domain_name }}"
dest: "/etc/nginx/sites-enabled/technitium.{{ domain_name }}"
state: link
- name: Debug Finish message
debug:
msg: Ansible playbook has finished!

127
services/service_technitium/proxy_resources/etc/nginx/sites-available/technitium.domain Executable file
View File

@ -0,0 +1,127 @@
# {{ ansible_managed }}
# Invidious Proxy
server {
server_name technitium.{{ domain_name }} www.technitium.{{ domain_name }};
location / {
proxy_pass http://10.0.0.9:3000;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host; # so Invidious knows domain
proxy_http_version 1.1; # to keep alive
proxy_set_header Connection ""; # to keep alive
include proxy_params;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/{{ domain_name }}/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Mail Server Frontend
#server {
# # SSL configuration
# #
# # listen 443 ssl default_server;
# # listen [::]:443 ssl default_server;
# #
# # Note: You should disable gzip for SSL traffic.
# # See: https://bugs.debian.org/773332
# #
# # Read up on ssl_ciphers to ensure a secure configuration.
# # See: https://bugs.debian.org/765782
# #
# # Self signed certs generated by the ssl-cert package
# # Don't use them in a production server!
# #
# # include snippets/snakeoil.conf;
#
# root /var/www/html;
#
# # Add index.php to the list if you are using PHP
# index index.html index.htm index.nginx-debian.html;
#
# server_name mail.{{ domain_name }} www.mail.{{ domain_name }};
#
# location / {
# # First attempt to serve request as file, then
# # as directory, then fall back to displaying a 404.
# try_files $uri $uri/ =404;
# }
#
# # pass PHP scripts to FastCGI server
# #
# #location ~ \.php$ {
# # include snippets/fastcgi-php.conf;
# #
# # # With php-fpm (or other unix sockets):
# # fastcgi_pass unix:/run/php/php7.4-fpm.sock;
# # # With php-cgi (or other tcp sockets):
# # fastcgi_pass 127.0.0.1:9000;
# #}
#
# # deny access to .htaccess files, if Apache's document root
# # concurs with nginx's one
# #
# #location ~ /\.ht {
# # deny all;
# #}
#
# listen [::]:443 ssl; # managed by Certbot
# listen 443 ssl; # managed by Certbot
# ssl_certificate /etc/letsencrypt/live/mail.{{ domain_name }}/fullchain.pem; # managed by Certbot
# ssl_certificate_key /etc/letsencrypt/live/mail.{{ domain_name }}/privkey.pem; # managed by Certbot
# include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
#
#
#}
server {
if ($host = www.invidious.{{ domain_name }}) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = invidious.{{ domain_name }}) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name invidious.{{ domain_name }} www.invidious.{{ domain_name }};
return 404; # managed by Certbot
}
#server {
# if ($host = www.mail.{{ domain_name }}) {
# return 301 https://$host$request_uri;
# } # managed by Certbot
#
#
# if ($host = mail.{{ domain_name }}) {
# return 301 https://$host$request_uri;
# } # managed by Certbot
#
#
# listen 80;
# listen [::]:80;
#
# server_name mail.{{ domain_name }} www.mail.{{ domain_name }};
# return 404; # managed by Certbot
#
#
#
#
#}

2
services/service_technitium/servicesecrets.example Normal file
View File

@ -0,0 +1,2 @@
# Example service secrets for technitium docker service, to be encrypted with ansible vault and called servicesecrets.enc
service_technitium_password: password123

67
services/service_technitium/unbound-data/unbound/unbound.conf Normal file
View File

@ -0,0 +1,67 @@
server:
# {{ ansible_managed }}. For Pihole only
# If no logfile is specified, syslog is used
# logfile: "/var/log/unbound/unbound.log"
verbosity: 0
interface: 0.0.0.0
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes
# May be set to yes if you have IPv6 connectivity
do-ip6: no
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Terredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no
# Use this only when you downloaded the list of primary root servers!
# If you use the default dns-root-data package, unbound will find it automatically
#root-hints: "/var/lib/unbound/root.hints"
# Trust glue only if it is within the server's authority
harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no
# Reduce EDNS reassembly buffer size.
# IP fragmentation is unreliable on the Internet today, and can cause
# transmission failures when large DNS messages are sent via UDP. Even
# when fragmentation does work, it may not be secure; it is theoretically
# possible to spoof parts of a fragmented DNS message, without easy
# detection at the receiving end. Recently, there was an excellent study
# >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
# by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
# in collaboration with NLnet Labs explored DNS using real world data from the
# the RIPE Atlas probes and the researchers suggested different values for
# IPv4 and IPv6 and in different scenarios. They advise that servers should
# be configured to limit DNS messages sent over UDP to a size that will not
# trigger fragmentation on typical network links. DNS servers can switch
# from UDP to TCP when a DNS response is too big to fit in this limited
# buffer size. This value has also been suggested in DNS Flag Day 2020.
edns-buffer-size: 1232
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m
# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10