ansible & docker stuff
parent
e044608eaf
commit
7c993f05e5
|
@ -0,0 +1 @@
|
|||
**/htpasswd
|
|
@ -0,0 +1,3 @@
|
|||
[irc-etc]
|
||||
# User must be changed from root to admin user after initial run
|
||||
joe@peugeot.seaturtle.pw
|
|
@ -0,0 +1,104 @@
|
|||
---
|
||||
- hosts: irc-etc
|
||||
become: yes
|
||||
handlers:
|
||||
- name: Restart ssh
|
||||
service:
|
||||
name: ssh
|
||||
state: restarted
|
||||
|
||||
tasks:
|
||||
- name: ping host
|
||||
ping:
|
||||
|
||||
- name: Allow passwordless sudo
|
||||
lineinfile:
|
||||
path: /etc/sudoers
|
||||
state: present
|
||||
regexp: '^%sudo'
|
||||
line: '%sudo ALL=(ALL) NOPASSWD:ALL'
|
||||
validate: 'visudo -cf %s'
|
||||
|
||||
- name: Create admin user
|
||||
user:
|
||||
name: joe
|
||||
groups: sudo
|
||||
shell: /bin/bash
|
||||
|
||||
- name: Create normal user
|
||||
user:
|
||||
name: pew
|
||||
shell: /bin/bash
|
||||
|
||||
- name: Add authorized ssh key from localhost
|
||||
authorized_key:
|
||||
user: "{{ item }}"
|
||||
state: present
|
||||
key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
|
||||
with_items:
|
||||
- joe
|
||||
- pew
|
||||
|
||||
- name: Disable password ssh
|
||||
lineinfile: dest=/etc/ssh/sshd_config
|
||||
regexp="^PasswordAuthentication"
|
||||
line="PasswordAuthentication no"
|
||||
state=present
|
||||
notify: Restart ssh
|
||||
|
||||
# May have to be done manually
|
||||
- name: Disallow root SSH access
|
||||
lineinfile: dest=/etc/ssh/sshd_config
|
||||
regexp="^PermitRootLogin"
|
||||
line="PermitRootLogin no"
|
||||
state=present
|
||||
notify: Restart ssh
|
||||
|
||||
- name: Update apt and upgrade packages
|
||||
apt:
|
||||
update_cache: yes
|
||||
upgrade: yes
|
||||
|
||||
- name: Install packages
|
||||
apt:
|
||||
pkg:
|
||||
- apt-transport-https
|
||||
- ca-certificates
|
||||
- curl
|
||||
- git
|
||||
- gnupg
|
||||
- htop
|
||||
- iodine
|
||||
- mosh
|
||||
- oidentd
|
||||
- software-properties-common
|
||||
- tmux
|
||||
- weechat
|
||||
- zsh
|
||||
state: latest
|
||||
|
||||
- name: Add Docker and Syncthing GPG key
|
||||
apt_key:
|
||||
url: https://download.docker.com/linux/ubuntu/gpg
|
||||
|
||||
- name: Add Docker and Syncthing APT repository
|
||||
apt_repository:
|
||||
repo: deb [arch=amd64] https://download.docker.com/linux/debian {{ansible_lsb.codename}} stable
|
||||
|
||||
- name: Update apt
|
||||
apt:
|
||||
update_cache: yes
|
||||
|
||||
# May require a reboot
|
||||
- name: Install Docker & Synthing
|
||||
apt:
|
||||
pkg:
|
||||
- docker-ce
|
||||
- docker-compose
|
||||
state: latest
|
||||
|
||||
- name: Add admin user to docker group
|
||||
user:
|
||||
name: joe
|
||||
groups: docker
|
||||
append: yes
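Review bot: The Docker signing key imported by `apt_key: url:` has no `id:` fingerprint, so whatever key that URL serves becomes trusted for the repository added in the following task; pin the expected fingerprint with `id:` so a substituted key fails the run instead of being accepted. The key is fetched from the `linux/ubuntu` path while the repository line points at `linux/debian` — both should name the same distribution — and `{{ansible_lsb.codename}}` may be undefined on hosts where lsb-release facts are not gathered. Separately, `%sudo ALL=(ALL) NOPASSWD:ALL` combined with adding joe to the `docker` group turns the SSH key installed for joe into a full root credential with no second factor; if passwordless sudo is only needed for Ansible, consider a dedicated automation user or dropping the `docker` group membership. Style: the two `lineinfile` tasks use `key=value` argument strings while the rest of the playbook uses block YAML, and `become: yes` is better written `become: true`.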
|
|
@ -0,0 +1,50 @@
|
|||
version: '3'
|
||||
|
||||
services:
|
||||
letsencrypt:
|
||||
restart: unless-stopped
|
||||
image: linuxserver/letsencrypt
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
environment:
|
||||
PUID: 1000
|
||||
PGID: 1000
|
||||
EMAIL: sysadmin@seaturtle.pw
|
||||
# URL field must be working since nginx only starts if letsencrypt works
|
||||
URL: seaturtle.pw
|
||||
SUBDOMAINS: seaturtle
|
||||
EXTRA_DOMAINS: www.paul.walko.org,paul.walko.org
|
||||
VALIDATION: html # TODO Switch to dns + gandi api once pr is merged
|
||||
TZ: America/New_York
|
||||
volumes:
|
||||
# nginx persistent storage
|
||||
- /home/joe/docker/nginx/config:/config
|
||||
# RO settings
|
||||
- ./htpasswd:/secrets/htpasswd # Create once deployed
|
||||
- ./nginx.conf:/config/nginx/nginx.conf:ro
|
||||
- ./ssl.conf:/config/nginx/ssl.conf:ro
|
||||
- ./site-confs:/config/nginx/site-confs:ro
|
||||
- ./jail.local:/config/jail2ban/jail.local:ro
|
||||
ports:
|
||||
- 128.173.88.78:80:80
|
||||
- 128.173.88.78:443:443
|
||||
- 2607:b400:0006:cc80:0000:0aff:fe62:000b:80:80
|
||||
- 2607:b400:0006:cc80:0000:0aff:fe62:000b:443:443
|
||||
|
||||
syncthing:
|
||||
restart: unless-stopped
|
||||
image: linuxserver/syncthing
|
||||
environment:
|
||||
PUID: 1000
|
||||
PGID: 1000
|
||||
TZ: America/Eastern
|
||||
UMASK_SET: <022>
|
||||
volumes:
|
||||
- /home/joe/docker/syncthing/config:/config
|
||||
- /home/joe/docker/syncthing/sync:/sync
|
||||
ports:
|
||||
- 22000:22000
|
||||
- 21027:21027/udp
|
||||
|
||||
networks:
|
||||
pew-net
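Review bot: The IPv6 entries under `ports:` are written without brackets, so the colons of the address are ambiguous with the host:container separators; I believe Compose rejects them and they should read `[2607:b400:0006:cc80:0000:0aff:fe62:000b]:80:80` and `[2607:b400:0006:cc80:0000:0aff:fe62:000b]:443:443`. Also `UMASK_SET: <022>` passes the angle brackets literally (quote it as `"022"`), `TZ: America/Eastern` is not a tzdata zone name while the letsencrypt service uses `America/New_York`, and the top-level `networks: pew-net` is a bare scalar where Compose expects a mapping (and no service references it). Since `./htpasswd` holds the credentials that guard `/sync`, mount it read-only like the other settings files: `- ./htpasswd:/secrets/htpasswd:ro`. `VALIDATION: html` should be checked against the values the image documents — as far as I recall it expects `http`, and a wrong value means no certificate and therefore no nginx.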
|
|
@ -0,0 +1,46 @@
|
|||
# This is the custom version of the jail.conf for fail2ban
|
||||
# Feel free to modify this and add additional filters
|
||||
# Then you can drop the new filter conf files into the fail2ban-filters
|
||||
# folder and restart the container
|
||||
|
||||
[DEFAULT]
|
||||
|
||||
# "bantime" is the number of seconds that a host is banned.
|
||||
bantime = 600
|
||||
|
||||
# A host is banned if it has generated "maxretry" during the last "findtime"
|
||||
# seconds.
|
||||
findtime = 600
|
||||
|
||||
# "maxretry" is the number of failures before a host get banned.
|
||||
maxretry = 5
|
||||
|
||||
|
||||
[ssh]
|
||||
|
||||
enabled = false
|
||||
|
||||
|
||||
[nginx-http-auth]
|
||||
|
||||
enabled = true
|
||||
filter = nginx-http-auth
|
||||
port = http,https
|
||||
logpath = /config/log/nginx/error.log
|
||||
|
||||
|
||||
[nginx-badbots]
|
||||
|
||||
enabled = true
|
||||
port = http,https
|
||||
filter = nginx-badbots
|
||||
logpath = /config/log/nginx/access.log
|
||||
maxretry = 2
|
||||
|
||||
|
||||
[nginx-botsearch]
|
||||
|
||||
enabled = true
|
||||
port = http,https
|
||||
filter = nginx-botsearch
|
||||
logpath = /config/log/nginx/access.log
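Review bot: The `[nginx-http-auth]` jail guards the only password-protected endpoint (`/sync`, behind htpasswd) but inherits `bantime = 600` and `maxretry = 5`, which permits about five guesses per ten minutes per source with only a ten-minute lockout; for an internet-facing basic-auth endpoint set `bantime = 3600` (or longer) and `maxretry = 3` on that jail. `[ssh]` is disabled, which is consistent with sshd running on the host rather than in this container, but a one-line comment saying so (`# sshd runs on the host; ssh jail not applicable here`) would stop the next reader from re-enabling it. Bans are applied from inside the container, which is presumably why `NET_ADMIN` is granted in the compose file — worth noting in the header comment.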
|
|
@ -0,0 +1,101 @@
|
|||
## Version 2018/01/29 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/nginx.conf
|
||||
|
||||
user abc;
|
||||
worker_processes 4;
|
||||
pid /run/nginx.pid;
|
||||
include /etc/nginx/modules/*.conf;
|
||||
|
||||
events {
|
||||
worker_connections 768;
|
||||
# multi_accept on;
|
||||
}
|
||||
|
||||
http {
|
||||
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 65;
|
||||
types_hash_max_size 2048;
|
||||
# server_tokens off;
|
||||
|
||||
# server_names_hash_bucket_size 64;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
client_max_body_size 0;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
##
|
||||
|
||||
access_log /config/log/nginx/access.log;
|
||||
error_log /config/log/nginx/error.log;
|
||||
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
|
||||
# gzip_vary on;
|
||||
# gzip_proxied any;
|
||||
# gzip_comp_level 6;
|
||||
# gzip_buffers 16 8k;
|
||||
# gzip_http_version 1.1;
|
||||
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
|
||||
|
||||
##
|
||||
# nginx-naxsi config
|
||||
##
|
||||
# Uncomment it if you installed nginx-naxsi
|
||||
##
|
||||
|
||||
#include /etc/nginx/naxsi_core.rules;
|
||||
|
||||
##
|
||||
# nginx-passenger config
|
||||
##
|
||||
# Uncomment it if you installed nginx-passenger
|
||||
##
|
||||
|
||||
#passenger_root /usr;
|
||||
#passenger_ruby /usr/bin/ruby;
|
||||
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
include /config/nginx/site-confs/default;
|
||||
include /config/nginx/site-confs/*.enabled;
|
||||
}
|
||||
|
||||
|
||||
#mail {
|
||||
# # See sample authentication script at:
|
||||
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
|
||||
#
|
||||
# # auth_http localhost/auth.php;
|
||||
# # pop3_capabilities "TOP" "USER";
|
||||
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
|
||||
#
|
||||
# server {
|
||||
# listen localhost:110;
|
||||
# protocol pop3;
|
||||
# proxy on;
|
||||
# }
|
||||
#
|
||||
# server {
|
||||
# listen localhost:143;
|
||||
# protocol imap;
|
||||
# proxy on;
|
||||
# }
|
||||
#}
|
||||
daemon off;
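Review bot: `# server_tokens off;` is left commented, so error pages and the `Server` header advertise the exact nginx version on the public-facing proxy; uncomment it as `server_tokens off;`. `client_max_body_size 0;` removes the request-body limit globally — the site block overrides it to `1M`, but the `:80` redirect server and any future `*.enabled` site that forgets to set it will accept unbounded uploads, so a finite default such as `client_max_body_size 1M;` here is safer. The `# nginx-naxsi`, `# nginx-passenger` and `#mail` stanzas are inert defaults carried over from the image and could be dropped for readability.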
|
|
@ -0,0 +1,16 @@
|
|||
## Based on version below; but heavily modified for LUUG
|
||||
## Version 2018/09/12 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default
|
||||
|
||||
# This is the main file that will be pe present no matter what
|
||||
# Individual sites are specified in /config/nginx/sites/*.enabled
|
||||
|
||||
# Redirect HTTP traffic to HTTPS
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80 default_server:
|
||||
server_name _;
|
||||
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
# Enabled sites are included in /config/nginx/nginx.conf
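Review bot: `listen [::]:80 default_server:` ends with a colon instead of a semicolon, which nginx rejects at config load, so this file as written keeps the reverse proxy from starting at all. Change it to `listen [::]:80 default_server;` and, for symmetry, make the IPv4 line `listen 80 default_server;` so the catch-all redirect is the default on both address families. The comment `will be pe present` has a typo. The redirect `return 301 https://$host$request_uri;` echoes the client-supplied Host header into the Location, which is the usual pattern here but worth a comment so nobody later relies on it as validation.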
|
|
@ -0,0 +1,41 @@
|
|||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
server_name seaturtle.pw paul.walko.org www.paul.walko.org;
|
||||
|
||||
# ssl conf
|
||||
include /config/nginx/ssl.conf;
|
||||
|
||||
client_max_body_size 1M;
|
||||
|
||||
# Main site
|
||||
location / {
|
||||
proxy_pass https://paulwalko.github.io;
|
||||
}
|
||||
|
||||
location /files {
|
||||
autoindex on;
|
||||
}
|
||||
|
||||
location /sync {
|
||||
auth_basic "Restricted Content";
|
||||
auth_basic_user_file /secrets/htpasswd;
|
||||
autoindex on;
|
||||
}
|
||||
|
||||
location /syncthing {
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_pass https://syncthing:8384/;
|
||||
}
|
||||
|
||||
location /weechat {
|
||||
proxy_pass http://127.0.0.1:9001/weechat;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
proxy_read_timeout 604800;
|
||||
proxy_set_header X-RealIP $remote_addr;
|
||||
}
|
||||
}
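Review bot: `proxy_pass https://paulwalko.github.io;` in `location /` opens a TLS connection whose upstream certificate nginx does not verify by default (`proxy_ssl_verify` is off) and sends no SNI or `Host` header, so the upstream may not select the intended site; the same unverified-upstream point applies to `proxy_pass https://syncthing:8384/`. The rewritten block below turns verification on and sets SNI and `Host`; the CA bundle path must be checked against what the image ships. `proxy_pass http://127.0.0.1:9001/weechat` points at loopback inside the letsencrypt container rather than the host where the playbook installs weechat, so it is unreachable unless the container shares the host network — presumably a host address or service name is intended. The header name `X-RealIP` in `/weechat` differs from `X-Real-IP` in `/syncthing`; use one spelling. Note also that the included `ssl.conf` still enables `TLSv1.1` and SHA-1 CBC suites, which current guidance retires in favour of `TLSv1.2 TLSv1.3`.
```nginx
    location / {
        proxy_pass https://paulwalko.github.io;
        # nginx does not verify upstream certificates by default; do so, and
        # send SNI/Host so the upstream can pick the right site
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # TODO confirm path in this image
        proxy_ssl_server_name on;
        proxy_set_header Host paulwalko.github.io;
    }
    # … unchanged: /files, /sync, /syncthing, /weechat locations …
```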
|
|
@ -0,0 +1,36 @@
|
|||
## Version 2018/05/31 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/ssl.conf
|
||||
|
||||
# session settings
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_tickets off;
|
||||
|
||||
# Diffie-Hellman parameter for DHE cipher suites
|
||||
ssl_dhparam /config/nginx/dhparams.pem;
|
||||
|
||||
# ssl certs
|
||||
#ssl_certificate /config/keys/letsencrypt/fullchain.pem;
|
||||
#ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
|
||||
ssl_certificate /etc/letsencrypt/live/seaturtle.pw/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/seaturtle.pw/privkey.pem;
|
||||
|
||||
# protocols
|
||||
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
|
||||
|
||||
# HSTS, remove # from the line below to enable HSTS
|
||||
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
|
||||
|
||||
# OCSP Stapling
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
# Optional additional headers
|
||||
#add_header Content-Security-Policy "upgrade-insecure-requests";
|
||||
#add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
#add_header X-XSS-Protection "1; mode=block" always;
|
||||
#add_header X-Content-Type-Options "nosniff" always;
|
||||
#add_header X-UA-Compatible "IE=Edge" always;
|
||||
#add_header Cache-Control "no-transform" always;
|
||||
#add_header Referrer-Policy "same-origin" always;
|