diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..b6de783 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +**/htpasswd diff --git a/vps/hosts.cfg b/vps/hosts.cfg new file mode 100644 index 0000000..f28e037 --- /dev/null +++ b/vps/hosts.cfg @@ -0,0 +1,3 @@ +[irc-etc] +# User must be changed from root to admin user after initial run +joe@peugeot.seaturtle.pw diff --git a/vps/scaleway-setup.yml b/vps/scaleway-setup.yml new file mode 100644 index 0000000..5e554ec --- /dev/null +++ b/vps/scaleway-setup.yml @@ -0,0 +1,104 @@ +--- +- hosts: irc-etc + become: yes + handlers: + - name: Restart ssh + service: + name: ssh + state: restarted + + tasks: + - name: ping host + ping: + + - name: Allow passwordless sudo + lineinfile: + path: /etc/sudoers + state: present + regexp: '^%sudo' + line: '%sudo ALL=(ALL) NOPASSWD:ALL' + validate: 'visudo -cf %s' + + - name: Create admin user + user: + name: joe + groups: sudo + shell: /bin/bash + + - name: Create normal user + user: + name: pew + shell: /bin/bash + + - name: Add authorized ssh key from localhost + authorized_key: + user: "{{ item }}" + state: present + key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}" + with_items: + - joe + - pew + + - name: Disable password ssh + lineinfile: dest=/etc/ssh/sshd_config + regexp="^PasswordAuthentication" + line="PasswordAuthentication no" + state=present + notify: Restart ssh + + # May have to be done manually + - name: Disallow root SSH access + lineinfile: dest=/etc/ssh/sshd_config + regexp="^PermitRootLogin" + line="PermitRootLogin no" + state=present + notify: Restart ssh + + - name: Update apt and upgrade packages + apt: + update_cache: yes + upgrade: yes + + - name: Install packages + apt: + pkg: + - apt-transport-https + - ca-certificates + - curl + - git + - gnupg + - htop + - iodine + - mosh + - oidentd + - software-properties-common + - tmux + - weechat + - zsh + state: latest + + - name: Add Docker and Syncthing GPG key + apt_key: + url: https://download.docker.com/linux/ubuntu/gpg + + - name: Add Docker and Syncthing APT repository + apt_repository: + repo: deb [arch=amd64] https://download.docker.com/linux/debian {{ansible_lsb.codename}} stable + +- name: Update apt + apt: + update_cache: yes + + # May require a reboot + - name: Install Docker & Synthing + apt: + pkg: + - docker-ce + - docker-compose + state: latest + + - name: Add admin user to docker group + user: + name: joe + groups: docker + append: yes diff --git a/vps/services/web/docker-compose.yml b/vps/services/web/docker-compose.yml new file mode 100644 index 0000000..7c5da3c --- /dev/null +++ b/vps/services/web/docker-compose.yml @@ -0,0 +1,50 @@ +version: '3' + +services: + letsencrypt: + restart: unless-stopped + image: linuxserver/letsencrypt + cap_add: + - NET_ADMIN + environment: + PUID: 1000 + PGID: 1000 + EMAIL: sysadmin@seaturtle.pw + # URL field must be working since nginx only starts if letsencrypt works + URL: seaturtle.pw + SUBDOMAINS: seaturtle + EXTRA_DOMAINS: www.paul.walko.org,paul.walko.org + VALIDATION: html # TODO Switch to dns + gandi api once pr is merged + TZ: America/New_York + volumes: + # nginx persistent storage + - /home/joe/docker/nginx/config:/config + # RO settings + - ./htpasswd:/secrets/htpasswd # Create once deployed + - ./nginx.conf:/config/nginx/nginx.conf:ro + - ./ssl.conf:/config/nginx/ssl.conf:ro + - ./site-confs:/config/nginx/site-confs:ro + - ./jail.local:/config/jail2ban/jail.local:ro + ports: + - 128.173.88.78:80:80 + - 128.173.88.78:443:443 + - 2607:b400:0006:cc80:0000:0aff:fe62:000b:80:80 + - 2607:b400:0006:cc80:0000:0aff:fe62:000b:443:443 + + syncthing: + restart: unless-stopped + image: linuxserver/syncthing + environment: + PUID: 1000 + PGID: 1000 + TZ: America/Eastern + UMASK_SET: <022> + volumes: + - /home/joe/docker/syncthing/config:/config + - /home/joe/docker/syncthing/sync:/sync + ports: + - 22000:22000 + - 21027:21027/udp + +networks: + pew-net diff --git a/vps/services/web/jail.local b/vps/services/web/jail.local new file mode 100644 index 0000000..07ba140 --- /dev/null +++ b/vps/services/web/jail.local @@ -0,0 +1,46 @@ +# This is the custom version of the jail.conf for fail2ban +# Feel free to modify this and add additional filters +# Then you can drop the new filter conf files into the fail2ban-filters +# folder and restart the container + +[DEFAULT] + +# "bantime" is the number of seconds that a host is banned. +bantime = 600 + +# A host is banned if it has generated "maxretry" during the last "findtime" +# seconds. +findtime = 600 + +# "maxretry" is the number of failures before a host get banned. +maxretry = 5 + + +[ssh] + +enabled = false + + +[nginx-http-auth] + +enabled = true +filter = nginx-http-auth +port = http,https +logpath = /config/log/nginx/error.log + + +[nginx-badbots] + +enabled = true +port = http,https +filter = nginx-badbots +logpath = /config/log/nginx/access.log +maxretry = 2 + + +[nginx-botsearch] + +enabled = true +port = http,https +filter = nginx-botsearch +logpath = /config/log/nginx/access.log diff --git a/vps/services/web/nginx.conf b/vps/services/web/nginx.conf new file mode 100644 index 0000000..a1e0fd4 --- /dev/null +++ b/vps/services/web/nginx.conf @@ -0,0 +1,101 @@ +## Version 2018/01/29 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/nginx.conf + +user abc; +worker_processes 4; +pid /run/nginx.pid; +include /etc/nginx/modules/*.conf; + +events { + worker_connections 768; + # multi_accept on; +} + +http { + + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + # server_tokens off; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + client_max_body_size 0; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # Logging Settings + ## + + access_log /config/log/nginx/access.log; + error_log /config/log/nginx/error.log; + + ## + # Gzip Settings + ## + + gzip on; + gzip_disable "msie6"; + + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; + + ## + # nginx-naxsi config + ## + # Uncomment it if you installed nginx-naxsi + ## + + #include /etc/nginx/naxsi_core.rules; + + ## + # nginx-passenger config + ## + # Uncomment it if you installed nginx-passenger + ## + + #passenger_root /usr; + #passenger_ruby /usr/bin/ruby; + + ## + # Virtual Host Configs + ## + include /etc/nginx/conf.d/*.conf; + include /config/nginx/site-confs/default; + include /config/nginx/site-confs/*.enabled; +} + + +#mail { +# # See sample authentication script at: +# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript +# +# # auth_http localhost/auth.php; +# # pop3_capabilities "TOP" "USER"; +# # imap_capabilities "IMAP4rev1" "UIDPLUS"; +# +# server { +# listen localhost:110; +# protocol pop3; +# proxy on; +# } +# +# server { +# listen localhost:143; +# protocol imap; +# proxy on; +# } +#} +daemon off; diff --git a/vps/services/web/site-confs/default b/vps/services/web/site-confs/default new file mode 100644 index 0000000..032968a --- /dev/null +++ b/vps/services/web/site-confs/default @@ -0,0 +1,16 @@ +## Based on version below; but heavily modified for LUUG +## Version 2018/09/12 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default + +# This is the main file that will be pe present no matter what +# Individual sites are specified in /config/nginx/sites/*.enabled + +# Redirect HTTP traffic to HTTPS +server { + listen 80; + listen [::]:80 default_server: + server_name _; + + return 301 https://$host$request_uri; +} + +# Enabled sites are included in /config/nginx/nginx.conf diff --git a/vps/services/web/site-confs/seaturtle.pw.enabled b/vps/services/web/site-confs/seaturtle.pw.enabled new file mode 100644 index 0000000..c46808a --- /dev/null +++ b/vps/services/web/site-confs/seaturtle.pw.enabled @@ -0,0 +1,41 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; + server_name seaturtle.pw paul.walko.org www.paul.walko.org; + + # ssl conf + include /config/nginx/ssl.conf; + + client_max_body_size 1M; + + # Main site + location / { + proxy_pass https://paulwalko.github.io; + } + + location /files { + autoindex on; + } + + location /sync { + auth_basic "Restricted Content"; + auth_basic_user_file /secrets/htpasswd; + autoindex on; + } + + location /syncthing { + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass https://syncthing:8384/; + } + + location /weechat { + proxy_pass http://127.0.0.1:9001/weechat; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_read_timeout 604800; + proxy_set_header X-RealIP $remote_addr; + } +} diff --git a/vps/services/web/ssl.conf b/vps/services/web/ssl.conf new file mode 100644 index 0000000..a7c5faf --- /dev/null +++ b/vps/services/web/ssl.conf @@ -0,0 +1,36 @@ +## Version 2018/05/31 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/ssl.conf + +# session settings +ssl_session_timeout 1d; +ssl_session_cache shared:SSL:50m; +ssl_session_tickets off; + +# Diffie-Hellman parameter for DHE cipher suites +ssl_dhparam /config/nginx/dhparams.pem; + +# ssl certs +#ssl_certificate /config/keys/letsencrypt/fullchain.pem; +#ssl_certificate_key /config/keys/letsencrypt/privkey.pem; +ssl_certificate /etc/letsencrypt/live/seaturtle.pw/fullchain.pem; +ssl_certificate_key /etc/letsencrypt/live/seaturtle.pw/privkey.pem; + +# protocols +ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; +ssl_prefer_server_ciphers on; +ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; + +# HSTS, remove # from the line below to enable HSTS +#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + +# OCSP Stapling +ssl_stapling on; +ssl_stapling_verify on; + +# Optional additional headers +#add_header Content-Security-Policy "upgrade-insecure-requests"; +#add_header X-Frame-Options "SAMEORIGIN" always; +#add_header X-XSS-Protection "1; mode=block" always; +#add_header X-Content-Type-Options "nosniff" always; +#add_header X-UA-Compatible "IE=Edge" always; +#add_header Cache-Control "no-transform" always; +#add_header Referrer-Policy "same-origin" always;