ansible & docker stuff

Paul Walko 2019-03-16 20:59:25 -04:00
parent e044608eaf
commit 7c993f05e5
No known key found for this signature in database
GPG Key ID: C123D8B2B64B2169
9 changed files with 398 additions and 0 deletions

1
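--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+**/htpasswd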

3
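--- a/vps/hosts.cfg
+++ b/vps/hosts.cfg
@@ -0,0 +1,3 @@
+[irc-etc]
+# User must be changed from root to admin user after initial run
+joe@peugeot.seaturtle.pw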
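Review bot: The comment on the `[irc-etc]` group says the login user must be changed from root to the admin user after the initial run, but the only host entry already carries `joe@`, so a first run against a fresh box would have to edit this line to `root@` and then back by hand. Keeping the user out of the host string and supplying it per run (`peugeot.seaturtle.pw` in the inventory, `-e ansible_user=root` on the first invocation, `ansible_user=joe` as the group default afterwards) avoids editing the inventory between runs. The comment could then be reduced to `# First run as root; later runs use the admin user created by the playbook`.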

104
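--- a/vps/scaleway-setup.yml
+++ b/vps/scaleway-setup.yml
@@ -0,0 +1,104 @@
+---
+- hosts: irc-etc
+become: yes
+handlers:
+- name: Restart ssh
+service:
+name: ssh
+state: restarted
+tasks:
+- name: ping host
+ping:
+- name: Allow passwordless sudo
+lineinfile:
+path: /etc/sudoers
+state: present
+regexp: '^%sudo'
+line: '%sudo ALL=(ALL) NOPASSWD:ALL'
+validate: 'visudo -cf %s'
+- name: Create admin user
+user:
+name: joe
+groups: sudo
+shell: /bin/bash
+- name: Create normal user
+user:
+name: pew
+shell: /bin/bash
+- name: Add authorized ssh key from localhost
+authorized_key:
+user: "{{ item }}"
+state: present
+key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
+with_items:
+- joe
+- pew
+- name: Disable password ssh
+lineinfile: dest=/etc/ssh/sshd_config
+regexp="^PasswordAuthentication"
+line="PasswordAuthentication no"
+state=present
+notify: Restart ssh
+# May have to be done manually
+- name: Disallow root SSH access
+lineinfile: dest=/etc/ssh/sshd_config
+regexp="^PermitRootLogin"
+line="PermitRootLogin no"
+state=present
+notify: Restart ssh
+- name: Update apt and upgrade packages
+apt:
+update_cache: yes
+upgrade: yes
+- name: Install packages
+apt:
+pkg:
+- apt-transport-https
+- ca-certificates
+- curl
+- git
+- gnupg
+- htop
+- iodine
+- mosh
+- oidentd
+- software-properties-common
+- tmux
+- weechat
+- zsh
+state: latest
+- name: Add Docker and Syncthing GPG key
+apt_key:
+url: https://download.docker.com/linux/ubuntu/gpg
+- name: Add Docker and Syncthing APT repository
+apt_repository:
+repo: deb [arch=amd64] https://download.docker.com/linux/debian {{ansible_lsb.codename}} stable
+- name: Update apt
+apt:
+update_cache: yes
+# May require a reboot
+- name: Install Docker & Synthing
+apt:
+pkg:
+- docker-ce
+- docker-compose
+state: latest
+- name: Add admin user to docker group
+user:
+name: joe
+groups: docker
+append: yes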
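Review bot: The `Add Docker and Syncthing GPG key` task imports the key by `url` alone, so `apt_key` trusts whatever key that download returns with no fingerprint check; adding `id: <DOCKER_APT_KEY_FINGERPRINT>` (placeholder — take the value from Docker's published documentation) makes the task verify what it imports. That key URL points at `linux/ubuntu` while the following `apt_repository` line points at `linux/debian`, and both task names mention Syncthing although only the Docker repository is configured, so the names and the distro paths should be aligned with what the tasks actually do. The two `lineinfile` tasks for sshd_config use the `key=value` string form while every other task uses block YAML; rewriting them with `dest:`/`regexp:`/`line:`/`state:` keys keeps the playbook consistent and avoids quoting surprises. `become: yes`, `update_cache: yes`, `upgrade: yes` and `append: yes` are YAML 1.1 truthy spellings and read more portably as `true`; the `Install Docker & Synthing` name also has a typo (`Syncthing`).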


@ -0,0 +1,50 @@
version: '3'
services:
letsencrypt:
restart: unless-stopped
image: linuxserver/letsencrypt
cap_add:
- NET_ADMIN
environment:
PUID: 1000
PGID: 1000
EMAIL: sysadmin@seaturtle.pw
# URL field must be working since nginx only starts if letsencrypt works
URL: seaturtle.pw
SUBDOMAINS: seaturtle
EXTRA_DOMAINS: www.paul.walko.org,paul.walko.org
VALIDATION: html # TODO Switch to dns + gandi api once pr is merged
TZ: America/New_York
volumes:
# nginx persistent storage
- /home/joe/docker/nginx/config:/config
# RO settings
- ./htpasswd:/secrets/htpasswd # Create once deployed
- ./nginx.conf:/config/nginx/nginx.conf:ro
- ./ssl.conf:/config/nginx/ssl.conf:ro
- ./site-confs:/config/nginx/site-confs:ro
- ./jail.local:/config/jail2ban/jail.local:ro
ports:
- 128.173.88.78:80:80
- 128.173.88.78:443:443
- 2607:b400:0006:cc80:0000:0aff:fe62:000b:80:80
- 2607:b400:0006:cc80:0000:0aff:fe62:000b:443:443
syncthing:
restart: unless-stopped
image: linuxserver/syncthing
environment:
PUID: 1000
PGID: 1000
TZ: America/Eastern
UMASK_SET: <022>
volumes:
- /home/joe/docker/syncthing/config:/config
- /home/joe/docker/syncthing/sync:/sync
ports:
- 22000:22000
- 21027:21027/udp
networks:
pew-net
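Review bot: `UMASK_SET: <022>` passes the literal string `<022>` into the container — the angle brackets look like a copied placeholder and should become `UMASK_SET: "022"` (quoted so the leading zero is not re-typed as octal). `TZ: America/Eastern` is not a zoneinfo name (the letsencrypt service above uses `America/New_York`), the `jail.local` bind mount targets `/config/jail2ban/jail.local`, which looks like a typo for `fail2ban` and would leave the custom jails unread, and `VALIDATION: html` does not look like one of the image's documented validation modes (`http`/`dns`) — all three are worth checking against the image docs. The trailing `networks:` key holds a bare scalar `pew-net`; whether it sits at top level or under the syncthing service, compose expects a mapping there (`pew-net: {}`) or a list under a service, so `docker-compose config` should reject this as written. The IPv6 host addresses in `ports` are written without brackets, where the documented form is `"[2607:b400:0006:cc80:0000:0aff:fe62:000b]:80:80"`; quoting every port mapping also keeps the numeric ones from being re-typed.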


@ -0,0 +1,46 @@
# This is the custom version of the jail.conf for fail2ban
# Feel free to modify this and add additional filters
# Then you can drop the new filter conf files into the fail2ban-filters
# folder and restart the container
[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
[ssh]
enabled = false
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /config/log/nginx/error.log
[nginx-badbots]
enabled = true
port = http,https
filter = nginx-badbots
logpath = /config/log/nginx/access.log
maxretry = 2
[nginx-botsearch]
enabled = true
port = http,https
filter = nginx-botsearch
logpath = /config/log/nginx/access.log

101
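--- a/vps/services/web/nginx.conf
+++ b/vps/services/web/nginx.conf
@@ -0,0 +1,101 @@
+## Version 2018/01/29 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/nginx.conf
+user abc;
+worker_processes 4;
+pid /run/nginx.pid;
+include /etc/nginx/modules/*.conf;
+events {
+worker_connections 768;
+# multi_accept on;
+}
+http {
+##
+# Basic Settings
+##
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+keepalive_timeout 65;
+types_hash_max_size 2048;
+# server_tokens off;
+# server_names_hash_bucket_size 64;
+# server_name_in_redirect off;
+client_max_body_size 0;
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+##
+# Logging Settings
+##
+access_log /config/log/nginx/access.log;
+error_log /config/log/nginx/error.log;
+##
+# Gzip Settings
+##
+gzip on;
+gzip_disable "msie6";
+# gzip_vary on;
+# gzip_proxied any;
+# gzip_comp_level 6;
+# gzip_buffers 16 8k;
+# gzip_http_version 1.1;
+# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+##
+# nginx-naxsi config
+##
+# Uncomment it if you installed nginx-naxsi
+##
+#include /etc/nginx/naxsi_core.rules;
+##
+# nginx-passenger config
+##
+# Uncomment it if you installed nginx-passenger
+##
+#passenger_root /usr;
+#passenger_ruby /usr/bin/ruby;
+##
+# Virtual Host Configs
+##
+include /etc/nginx/conf.d/*.conf;
+include /config/nginx/site-confs/default;
+include /config/nginx/site-confs/*.enabled;
+}
+#mail {
+# # See sample authentication script at:
+# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+# # auth_http localhost/auth.php;
+# # pop3_capabilities "TOP" "USER";
+# # imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+# server {
+# listen localhost:110;
+# protocol pop3;
+# proxy on;
+# }
+#
+# server {
+# listen localhost:143;
+# protocol imap;
+# proxy on;
+# }
+#}
+daemon off;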
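Review bot: `# server_tokens off;` is left commented out at the `http` level, so every response and error page advertises the nginx version; enabling it (`server_tokens off;`) is a one-line change in an otherwise upstream default. `client_max_body_size 0;` removes the request-body limit globally — the seaturtle site config overrides it to 1M, but any future site-conf that forgets to will inherit unlimited, so a comment such as `# unlimited here; each site-conf is expected to set its own limit` would document the expectation. The header says this is the 2018/01/29 upstream default; a one-line note of what (if anything) was changed locally would make the next upstream sync easier.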


@ -0,0 +1,16 @@
## Based on version below; but heavily modified for LUUG
## Version 2018/09/12 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default
# This is the main file that will be pe present no matter what
# Individual sites are specified in /config/nginx/sites/*.enabled
# Redirect HTTP traffic to HTTPS
server {
listen 80;
listen [::]:80 default_server:
server_name _;
return 301 https://$host$request_uri;
}
# Enabled sites are included in /config/nginx/nginx.conf
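Review bot: `listen [::]:80 default_server:` ends with a colon instead of a semicolon, so nginx will treat `server_name _` as further parameters of the `listen` directive and refuse to start; it should read `listen [::]:80 default_server;`. The IPv4 `listen 80;` lacks `default_server`, so only the IPv6 socket would catch requests for unmatched names — adding it to both keeps the HTTP-to-HTTPS redirect symmetric. The header comment also has the typo `pe present` (`be present`).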


@ -0,0 +1,41 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name seaturtle.pw paul.walko.org www.paul.walko.org;
# ssl conf
include /config/nginx/ssl.conf;
client_max_body_size 1M;
# Main site
location / {
proxy_pass https://paulwalko.github.io;
}
location /files {
autoindex on;
}
location /sync {
auth_basic "Restricted Content";
auth_basic_user_file /secrets/htpasswd;
autoindex on;
}
location /syncthing {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass https://syncthing:8384/;
}
location /weechat {
proxy_pass http://127.0.0.1:9001/weechat;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_read_timeout 604800;
proxy_set_header X-RealIP $remote_addr;
}
}
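Review bot: `location /weechat` proxies to `http://127.0.0.1:9001`, which from inside the letsencrypt container is the container's own loopback rather than the host's; unless the service is given `network_mode: host` elsewhere, the relay needs to be addressed by a reachable host or service name, as the `/syncthing` block already does with `https://syncthing:8384/`. `location /files` enables `autoindex on` with no `root` and no `auth_basic`, so whatever the default document root holds is listed publicly — if that is intended, a comment saying so would help; otherwise apply the same `auth_basic` pair used for `/sync`. Neither `/files` nor `/sync` has a backing mount in this commit's compose file, so it is unclear from here what they serve. `proxy_set_header X-RealIP $remote_addr;` in the weechat block spells the header differently from the `X-Real-IP` used for syncthing; the relay will only honour whichever name it expects.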

36
vps/services/web/ssl.conf Normal file
View File

@ -0,0 +1,36 @@
## Version 2018/05/31 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/ssl.conf
# session settings
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE cipher suites
ssl_dhparam /config/nginx/dhparams.pem;
# ssl certs
#ssl_certificate /config/keys/letsencrypt/fullchain.pem;
#ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
ssl_certificate /etc/letsencrypt/live/seaturtle.pw/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/seaturtle.pw/privkey.pem;
# protocols
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
# HSTS, remove # from the line below to enable HSTS
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
# Optional additional headers
#add_header Content-Security-Policy "upgrade-insecure-requests";
#add_header X-Frame-Options "SAMEORIGIN" always;
#add_header X-XSS-Protection "1; mode=block" always;
#add_header X-Content-Type-Options "nosniff" always;
#add_header X-UA-Compatible "IE=Edge" always;
#add_header Cache-Control "no-transform" always;
#add_header Referrer-Policy "same-origin" always;
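Review bot: `ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;` keeps TLS 1.1 enabled and the cipher list still carries CBC/SHA1 suites (`…-AES128-SHA`, `…-AES256-SHA`); dropping `TLSv1.1` is a one-word change and trimming the list to the AEAD suites is reasonable unless a known legacy client needs them. `ssl_stapling_verify on;` is set without `ssl_trusted_certificate`, so verification of the stapled response depends on the chain in `fullchain.pem` being sufficient — worth a comment or the directive. The HSTS header is left commented out even though `default` already redirects all HTTP to HTTPS, so enabling it (initially without `preload`) is the natural next step. The commented `/config/keys/letsencrypt/` paths above the live ones would be clearer with a one-line reason for the switch; if this hunk continues past the end of the page, later lines were not reviewed.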