diff --git a/.gitmodules b/.gitmodules
index 4d9c8f1..b3c3712 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -43,3 +43,12 @@
 [submodule "roles/darkhttpd"]
 path = roles/darkhttpd
 url = https://git.redxen.eu/RedXen/ansible-darkhttpd
+[submodule "roles/git-clone"]
+ path = roles/git-clone
+ url = https://git.redxen.eu/RedXen/ansible-git-clone
+[submodule "roles/murmur"]
+ path = roles/murmur
+ url = https://git.redxen.eu/RedXen/ansible-murmur
+[submodule "roles/pleroma"]
+ path = roles/pleroma
+ url = https://git.redxen.eu/RedXen/ansible-pleroma
diff --git a/backend.yml b/backend.yml
index 6952263..8662437 100644
--- a/backend.yml
+++ b/backend.yml
@@ -13,8 +13,21 @@
 - { name: "influxdb", enabled: true, action: restarted }
 overrides:
 - "influxdb"
+ postgres:
+ host: "{{ global.postgres.host }}"
+ port: "{{ global.postgres.port }}"
+ databases:
+ - grafana
+ - pleroma
+ - gitea
+ - murmur
+ redis:
+ host: "{{ global.redis.host }}"
+ port: "{{ global.redis.port }}"
+ influxdb:
+ storage: "/var/lib/influxdb"
+ port: "{{ global.influxdb.port }}"
 roles:
- - vault
 - apt
 - postgresql
 - influxdb
diff --git a/dns.yml b/dns.yml
index 9029fae..5fd65f7 100644
--- a/dns.yml
+++ b/dns.yml
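Review bot: The new `postgres`, `redis` and `influxdb` blocks in backend.yml read `global.postgres.host`, `global.postgres.port`, `global.redis.host`, `global.redis.port` and `global.influxdb.port`, but group_vars/all in this same commit defines those values one level deeper under `global.backend.*`, so these templates resolve to undefined variables and the play fails under Ansible's default undefined-variable handling unless the flat keys are defined somewhere outside this diff. The fix is the nested path, e.g. `host: "{{ global.backend.postgres.host }}"`, and the same for the four other references. The same mismatch appears in social.yml, where `global.murmur.configpath` and `global.murmur.port` should be `global.social.murmur.*` and `global.postgres.*` should be `global.backend.postgres.*`, and in net.yml, whose firewall rules read `global.net.wireguard.port` although no `global.net` key exists in group_vars/all and the WireGuard port is actually a play-level `wireguard.port` var there. The play's `vars:` block starts before this hunk.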
@@ -6,12 +6,52 @@
 - { port: 53, ipv: "v4", proto: "udp" }
 - { port: 53, ipv: "v6", proto: "tcp" }
 - { port: 53, ipv: "v6", proto: "udp" }
- systemd:
- services:
- - { name: "systemd-resolved", state: stopped }
- - { name: "unbound", enabled: true, state: reloaded }
- apt_packages:
- - { package: "unbound", state: present }
+ systemd:
+ services:
+ - { name: "systemd-resolved", state: stopped }
+ - { name: "unbound", enabled: true, state: reloaded }
+ apt_packages:
+ - { package: "unbound", state: present }
+ unbound:
+ port: 53
+ listen:
+ ipv4: "0.0.0.0"
+ ipv6: "::0"
+ forward: # NOTE: Specify in the specific order as you want them to be used
+ - { host: "dns.quad9.net", port: 853, ipa: "2620:fe::fe" }
+ - { host: "dns.quad9.net", port: 853, ipa: "9.9.9.9" }
+ - { host: "cloudflare-dns.com", port: 853, ipa: "2606:4700:4700::1111" }
+ - { host: "cloudflare-dns.com", port: 853, ipa: "1.1.1.1" }
+ internal:
+ local:
+ SRV:
+ - { service: "gitea", port: "{{ global.dev.gitea.port.http }}", group: "git" }
+ - { service: "seedown", port: "{{ global.seedbox.darkhttpd.port }}", group: "seedbox" }
+ - { service: "transmission", port: "{{ global.seedbox.transmission.port }}", group: "seedbox" }
+ - { service: "grafana", port: "{{ global.monitoring.grafana.port }}", group: "monitoring" }
+ A: # Wish these would support SRV, would ease a lot of configuration management
+ - { service: "postgres", group: "database" }
+ - { service: "redis", group: "database" }
+ - { service: "influxdb", group: "database" }
+ remote:
+ - { service: "homepage", port: "80", domain: "rxhome.s3-website.eu-central-1.amazonaws.com." }
+ public:
+ SRV:
+ - { service: "mumble", proto: "tcp", host: "redxen.eu", port: 2250 }
+ - { service: "minecraft", proto: "tcp", host: "redxen.eu", port: 25565 }
+ TXT:
+ - { name: "_amazonses.", content: "PAdK+hmtSCYH2lDwBdiCfJDxyhBj2UHJtwQzL7+kh50="}
+ - { name: "", content: "brave-ledger-verification=1f77ffecf7da410af2f4eeb5953ae13c5ee9ddfdfed5cae63458e63003b97444" }
+ CNAME:
+ - { name: "6jxdve2mevelrsc4lrp5ymhu2pku67v4._domainkey.", pointer: "6jxdve2mevelrsc4lrp5ymhu2pku67v4.dkim.amazonses.com" }
+ - { name: "jqo2wv2wek7sh26vmc2tdzc4gdco6uou._domainkey.", pointer: "jqo2wv2wek7sh26vmc2tdzc4gdco6uou.dkim.amazonses.com" }
+ - { name: "edzxe6qpinwhafgwlt6b44yarhhfn3xl._domainkey.", pointer: "edzxe6qpinwhafgwlt6b44yarhhfn3xl.dkim.amazonses.com" }
+ group:
+ A:
+ - { domain: "dev-stats", group: "frontend" }
+ - { domain: "dev-gitea", group: "frontend" }
+ - { domain: "dev-transmission", group: "frontend" }
+ - { domain: "dev-sd", group: "frontend" }
 roles:
 - apt
 - unbound
diff --git a/frontend.yml b/frontend.yml
index 7ed83ae..058210a 100644
--- a/frontend.yml
+++ b/frontend.yml
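Review bot: `listen.ipv4: "0.0.0.0"` and `listen.ipv6: "::0"` bind unbound to every address on the host, and nothing in this hunk limits who is allowed to recurse; unless the unbound role applies an `access-control` list scoped to the internal ranges, this is a recursive resolver reachable from every network the host is attached to, which is the configuration that open-resolver abuse relies on. Either narrow `listen` to the internal interface addresses or record where the policy lives, e.g. `listen: # recursion is restricted to internal ranges by the role's access-control list`. The `forward:` entries use port 853 (DNS over TLS) but the hunk shows no CA bundle or expected server name, so whether the upstream certificate is verified depends entirely on the role and deserves a comment as well. The play's `vars:` block starts before this hunk.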
@@ -1,5 +1,30 @@
 ---
 - hosts: frontend
+ vars:
+ apt_packages:
+ - { package: "haproxy", state: present }
+ systemd:
+ services:
+ - { name: "haproxy", enabled: true, action: reloaded, daemon_reload: true}
+ overrides:
+ - "haproxy"
+ haproxy:
+ socketroot: "/run/haproxy"
+ config: "/etc/haproxy/haproxy.cfg"
+ user: "nobody"
+ group: "nogroup"
+ ports:
+ https: 443
+ tcp:
+ - {expose: 2442, proxy: 2443, group: "git"} # Gitea SSH
+ - {expose: 6400, proxy: 6401, group: "mumble"} # Mumble
+ #- {expose: 25565, proxy: 25575, group: "minecraft"} # Minecraft
+ public:
+ # These are load balanced, it doesn't matter what IP they point to
+ - {domain: "dev-stats", service: "grafana", httpchk: true}
+ - {domain: "dev-gitea", service: "gitea", httpchk: true}
+ - {domain: "dev-transmission", service: "transmission", httpchk: false}
+ - {domain: "dev-sd", service: "seedown", httpchk: true}
 roles:
 - apt
 - haproxy
diff --git a/group_vars/all b/group_vars/all
index 7d86f72..caf0674 100644
--- a/group_vars/all
+++ b/group_vars/all
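Review bot: `user: "nobody"` and `group: "nogroup"` run haproxy under the shared unprivileged identity instead of a dedicated account, so any other process that also drops to nobody can signal it and reach whatever it owns under `socketroot: "/run/haproxy"`; the Debian haproxy package installed by the `apt_packages` entry above already provisions a `haproxy` system user, so `user: "haproxy"` and `group: "haproxy"` is the least-privilege choice, assuming the role forwards these to the global `user`/`group` directives. `https: 443` is declared with no certificate or TLS settings anywhere in the hunk, so a comment naming where termination is configured would save the next reader a search, e.g. `https: 443 # certificate and TLS policy come from the haproxy role`. The play's vars are fully within this hunk.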
@@ -1,87 +1,36 @@
-services:
- haproxy:
- ports:
- https: 443
- tcp:
- - {expose: 2442, proxy: 2443, group: "git"} # Gitea SSH
- - {expose: 6400, proxy: 6401, group: "mumble"} # Mumble
- #- {expose: 25565, proxy: 25575, group: "minecraft"} # Minecraft
- public:
- # These are load balanced, it doesn't matter what IP they point to
- - {domain: "dev-stats", service: "grafana", httpchk: true}
- - {domain: "dev-gitea", service: "gitea", httpchk: true}
- - {domain: "dev-transmission", service: "transmission", httpchk: false}
- - {domain: "dev-sd", service: "seedown", httpchk: true}
- unbound:
- internal:
- local:
- SRV:
- - {service: "gitea", port: 3200, group: "git"}
- - {service: "seedown", port: 8082, group: "seedbox"}
- - {service: "transmission", port: 8081, group: "seedbox"}
- - {service: "grafana", port: 3000, group: "monitoring"}
- A: # Wish these would support SRV, would ease a lot of configuration management
- - {service: "postgres", group: "database"}
- - {service: "redis", group: "database"}
- - {service: "influxdb", group: "database"}
- remote:
- - {service: "homepage", port: "80", domain: "rxhome.s3-website.eu-central-1.amazonaws.com."}
- grafana:
- domain: "dev-stats.redxen.eu"
- port: 3000
- postgres:
- host: "postgres.redxen.localhost"
- port: 5432
- databases:
- - grafana
- - pleroma
- - gitea
- - murmur
- redis:
- host: "redis.redxen.localhost"
- port: 6379
- gitea:
- user: "git"
- domain: "dev-gitea.redxen.eu"
- port:
- http: 3200
- ssh: 2443
- path:
- data: "/mnt/gitea" # TODO: Replace with device UUIDs
- config: "/etc/gitea"
- mumble:
- configpath: '/etc/mumble-server.ini'
- port: 6401
- register:
- host: "redxen.eu"
- url: "redxen.eu"
- influxdb:
- port: 8086
- tor:
- listen:
- socks:
- addr: "127.0.0.1"
- port: 9050
- http:
- addr: "127.0.0.1"
- port: 7050
- wireguard:
- interface: 'wg0'
- port: 51820
- net:
- v4:
- addr: "172.22.12"
- range:
- serv: 24
- clnt: 32
- v6:
- addr: "fd86:ea04:1115:"
- range:
- serv: 120
- clnt: 128
- peers:
- - { bit: 2, pubkey: "Xb+ASR5NdnIB+dXWEA4H0V3d0LC0KocKeFeQDyqDqjk=" }
- - { bit: 3, pubkey: "kz9vLMnPtfka11n1EJpzHb4966ieJSo4BU1P2joHLXo=" }
- - { bit: 10, pubkey: "wpjMlhrcv173ER7rZ0KrmaqahcqZA/fm3ovpaGlRIRo=" }
- - { bit: 12, pubkey: "2FRcncz/oSmqFQLrHqICi4fEkgxrCeS9P8TTv5gcfCw=" }
- - { bit: 14, pubkey: "XYUXzDDXzo1uDadvJ8YW5X/ISCZSyu10d35i7mb0pAY=" }
+global:
+ backend:
+ postgres:
+ host: "postgres.redxen.localhost"
+ port: 5432
+ redis:
+ host: "redis.redxen.localhost"
+ port: 6379
+ influxdb:
+ host: "influxdb.redxen.localhost"
+ port: 8086
+ social:
+ murmur:
+ configpath: "/etc/murmur"
+ port: 6401
+ seedbox:
+ darkhttpd:
+ port: 8082
+ transmission:
+ port: 8081
+
+ # TODO: Migrate these VVVVV
+ monitoring:
+ grafana:
+ domain: "dev-stats.redxen.eu"
+ port: 3000
+ dev:
+ gitea:
+ user: "git"
+ domain: "dev-gitea.redxen.eu"
+ port:
+ http: 3200
+ ssh: 2443
+ path:
+ data: "/mnt/gitea" # TODO: Replace with device UUIDs
+ config: "/etc/gitea"
diff --git a/net.yml b/net.yml
index de9b5a3..908d9ab 100644
--- a/net.yml
+++ b/net.yml
@@ -13,10 +13,37 @@
 - { name: "tor@default", enabled: true, action: restarted }
 - { name: "wg-quick@wg0", enabled: true, action: restarted }
 firewall:
- - { port: "{{ services.wireguard.port }}", ipv: "v4", proto: "tcp" }
- - { port: "{{ services.wireguard.port }}", ipv: "v6", proto: "tcp" }
+ - { port: "{{ global.net.wireguard.port }}", ipv: "v4", proto: "tcp" }
+ - { port: "{{ global.net.wireguard.port }}", ipv: "v6", proto: "tcp" }
+ tor:
+ listen:
+ socks:
+ addr: "127.0.0.1"
+ port: 9050
+ http:
+ addr: "127.0.0.1"
+ port: 7050
+ wireguard:
+ interface: 'wg0'
+ port: 51820
+ net:
+ v4:
+ addr: "172.22.12"
+ range:
+ serv: 24
+ clnt: 32
+ v6:
+ addr: "fd86:ea04:1115:"
+ range:
+ serv: 120
+ clnt: 128
+ peers:
+ - { bit: 2, pubkey: "Xb+ASR5NdnIB+dXWEA4H0V3d0LC0KocKeFeQDyqDqjk=" }
+ - { bit: 3, pubkey: "kz9vLMnPtfka11n1EJpzHb4966ieJSo4BU1P2joHLXo=" }
+ - { bit: 10, pubkey: "wpjMlhrcv173ER7rZ0KrmaqahcqZA/fm3ovpaGlRIRo=" }
+ - { bit: 12, pubkey: "2FRcncz/oSmqFQLrHqICi4fEkgxrCeS9P8TTv5gcfCw=" }
+ - { bit: 14, pubkey: "XYUXzDDXzo1uDadvJ8YW5X/ISCZSyu10d35i7mb0pAY=" }
 roles:
- - vault
 - file
 - apt
 - wireguard
diff --git a/roles/git-clone b/roles/git-clone
new file mode 160000
index 0000000..40f81e7
--- /dev/null
+++ b/roles/git-clone
@@ -0,0 +1 @@
+Subproject commit 40f81e78cbaa6702f73ba1753b0cd8004072119c
diff --git a/roles/haproxy b/roles/haproxy
index cd4aae0..1904524 160000
--- a/roles/haproxy
+++ b/roles/haproxy
@@ -1 +1 @@
-Subproject commit cd4aae092400eb264ba7b80d88dc1eb2daea4770
+Subproject commit 190452473b532818b6b2321e8dac51c4bcd87582
diff --git a/roles/influxdb b/roles/influxdb
index 7e7df77..cdcef9d 160000
--- a/roles/influxdb
+++ b/roles/influxdb
@@ -1 +1 @@
-Subproject commit 7e7df77d735411a707656a466d6a2a6d1519dc4b
+Subproject commit cdcef9dc39313b786032df71ab52b7ec16dcb382
diff --git a/roles/murmur b/roles/murmur
new file mode 160000
index 0000000..385fda1
--- /dev/null
+++ b/roles/murmur
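Review bot: Both rewritten firewall rules still open the WireGuard port with `proto: "tcp"`, but WireGuard is UDP-only, so on a default-deny firewall these rules admit no handshake traffic at all while leaving a TCP port open that nothing listens on; they should read `- { port: "{{ global.net.wireguard.port }}", ipv: "v4", proto: "udp" }` and the same with `ipv: "v6"`. The protocol was already wrong on the removed lines, but this rewrite of the two rules is the natural point to correct it. The play's `vars:` block starts before this hunk.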
@@ -0,0 +1 @@
+Subproject commit 385fda1e1b093c0478865238b6778d5cee85a8e1
diff --git a/roles/pleroma b/roles/pleroma
new file mode 160000
index 0000000..90655e5
--- /dev/null
+++ b/roles/pleroma
@@ -0,0 +1 @@
+Subproject commit 90655e53d932ef0013065c0ebe0f1cb7b8c1a486
diff --git a/roles/postgresql b/roles/postgresql
index 95c334a..4c83c16 160000
--- a/roles/postgresql
+++ b/roles/postgresql
@@ -1 +1 @@
-Subproject commit 95c334a0656ed77a6b29454dcbf36184c7d6bd4a
+Subproject commit 4c83c16780f1c822d49c78b6d2ce180cd4120492
diff --git a/roles/systemd b/roles/systemd
index 95fbf87..105f71e 160000
--- a/roles/systemd
+++ b/roles/systemd
@@ -1 +1 @@
-Subproject commit 95fbf873af3121d145f8da64c3121132cd21ce4d
+Subproject commit 105f71efcdbab67788c8a847da7a4373d675c9ef
diff --git a/roles/tor b/roles/tor
index 8cc540e..eabc27e 160000
--- a/roles/tor
+++ b/roles/tor
@@ -1 +1 @@
-Subproject commit 8cc540e1d370b8875b2311f2eb3043b26aa7c515
+Subproject commit eabc27e0a6feae9803a09fcec16ab4ad140688ad
diff --git a/roles/transmission b/roles/transmission
index a035983..bed63f6 160000
--- a/roles/transmission
+++ b/roles/transmission
@@ -1 +1 @@
-Subproject commit a03598399e232309d913f6dcafca284769e82ef7
+Subproject commit bed63f6632c8307778aade1102d3cfc6564d6f1b
diff --git a/roles/unbound b/roles/unbound
index 5d359ca..23ed809 160000
--- a/roles/unbound
+++ b/roles/unbound
@@ -1 +1 @@
-Subproject commit 5d359caeea0655d5fa2efd8c4785fcbd8dc39fa5
+Subproject commit 23ed80914bd4e1a6845f38d97929359c97e1b667
diff --git a/roles/vault b/roles/vault
deleted file mode 160000
index ac7941a..0000000
--- a/roles/vault
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit ac7941aab2f0a6c08f9a9d67de1322de054f44ed
diff --git a/roles/wireguard b/roles/wireguard
index 47ae9f1..6f146f5 160000
--- a/roles/wireguard
+++ b/roles/wireguard
@@ -1 +1 @@
-Subproject commit 47ae9f14ebfc98e8b31e33129277d75a53aa3f99
+Subproject commit 6f146f527c224557ec2fffc2af651372cb5b2b56
diff --git a/seedbox.yml b/seedbox.yml
index 2054e2b..f546f1a 100644
--- a/seedbox.yml
+++ b/seedbox.yml
@@ -17,22 +17,28 @@
 - { path: "/etc/ssh/authorized_keys", owner: "root", group: "root", mode: "655", state: directory }
 - { path: "{{ transmission.root_dir }}/downloads", owner: "root", group: "root", mode: "755", state: directory }
 - { path: "{{ transmission.root_dir }}/.config", owner: "root", group: "root", mode: "600", state: directory}
+
 darkhttpd:
- port: 8082
+ port: "{{ global.seedbox.darkhttpd.port }}"
 path: "/etc/darkhttpd" # Where to build and run the daemon from
 servepath: "{{ transmission.root_dir }}/downloads"
 transmission:
- port:
- peer: 51413
- rpc: 8081
+ peer:
+ host:
+ ipv4: "0.0.0.0"
+ ipv6: "::"
+ port: 51413
+ rpc:
+ host: "{{ ansible_ens10.ipv4.address }}"
+ port: "{{ global.seedbox.transmission.port }}"
 root_dir: "/mnt/seedbox" # TODO: Use device UUIDs
+ blacklist: "https://github.com/sahsu/transmission-blocklist/releases/download/1.0.3/blocklist.gz"
 sftp_chroot:
 - { user: "seedbox", home: "{{ transmission.root_dir }}/downloads", key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsD58tySBudDE7dw4aDttDv7rLWCqZ2c6N+GnrbSzqAxTcMxxn3GZeozXuz4pkl8NrGEKFk22AlB1hUl0gqnpAr0roL72mXE1WmjVc4EvEVYXLdHnm+rEi/FqvEK8D5mj1vs/ALGqtKGmY1363a8JRR7jSlBa45HkdC7IyJP0stpIkcriPS4kj/lEW0+J5KZ4NuKocjTbyVDoX67fLwBeu/YG4pz0ETKKU1/5xfBN+AxeD8brWvMMwrQzqJoAoRfLKCuD2yTSTPxek/Oa3lbNLUBF6o114gyxsc7zAWMpyNCPvstZoLCdQYqZ0sqVvcFGt0vmlrCtcQozkDVChz1E3 none" }
 roles:
- - vault
 - apt
 - darkhttpd
 - transmission
diff --git a/social.yml b/social.yml
new file mode 100644
index 0000000..2e44c21
--- /dev/null
+++ b/social.yml
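Review bot: `rpc.host: "{{ ansible_ens10.ipv4.address }}"` binds the transmission RPC endpoint to the address of one named NIC, so the control interface becomes reachable from whatever network ens10 faces instead of from the host alone, and the hard-coded interface name makes the play fail on any host where the NIC is named differently. If ens10 is the internal-only network and RPC is meant to be reached through the `dev-transmission` haproxy frontend, that intent should be written down next to the value, e.g. `host: "{{ ansible_ens10.ipv4.address }}" # internal NIC only; RPC is exposed via the haproxy frontend`; if ens10 is not internal-only, the bind should be narrowed. The `blacklist` URL is pinned to a fixed release, which is the right call for something fetched at deploy time. The play's `vars:` block starts before this hunk.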
@@ -0,0 +1,55 @@
+---
+- hosts: social
+ vars:
+ #git_clone:
+ # - { dest: "/home/repositories/pleroma", repo: "https://git.pleroma.social/pleroma/pleroma.git", branch: "develop" }
+ apt_packages:
+ - { package: "git", state: present }
+ #- { package: "gcc", state: present }
+ #- { package: "musl-dev", state: present }
+ # Pleroma (Elixir)
+ #- { package: "libncurses6", state: present }
+ #- { package: "postgresql-client", state: present }
+ #- { package: "elixir", state: present }
+ # Mumble
+ - { package: "libqt5sql5-psql", state: present }
+ - { package: "mumble-server", state: present }
+ systemd:
+ services:
+ #- { name: "pleroma", enabled: true, action: restarted }
+ - { name: "murmur", enabled: true, action: restarted }
+ overrides:
+ - "murmur"
+ murmur:
+ configpath: "{{ global.murmur.configpath }}"
+ name: "RedXen Community Mumble [High Bandwidth, User channels, 24/7]"
+ username: "root"
+ defaultchan: 1
+ listen:
+ host: "{{ ansible_ens10.ipv4.address }} ::1"
+ port: "{{ global.murmur.port }}"
+ database:
+ host: "{{ global.postgres.host }}"
+ port: "{{ global.postgres.port }}"
+ driver: "QPSQL"
+ dbname: "murmur"
+ username: "murmur"
+ password: "{{ vault_postgres.dbpass[murmur.database.username]|default() }}"
+ register:
+ host: "redxen.eu"
+ url: "redxen.eu"
+ password: "{{ vault_murmur.registerpass|default() }}"
+ motd: |

+

RedXen Community


+ [ Homepage ] [ Telegram ] [ Git ] [ Support us! ] [ IRC ]
+ Enjoy your stay!
+ Have a group that you want to represent or a question? Contact me at caskd@gmx.de
+
+
+ roles:
+ #- git-clone # NOTE: Uncomment when parse_trans supports OTP >= 21
+ - apt
+ #- pleroma
+ - murmur
+ - file
+ - systemd
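Review bot: `password: "{{ vault_postgres.dbpass[murmur.database.username]|default() }}"` and `password: "{{ vault_murmur.registerpass|default() }}"` turn a missing vault variable into an empty string, and since this commit removes the `vault` role from the other playbooks and social.yml never lists it, a run without the vault data loaded would silently configure murmur with an empty database password and an empty registration password instead of failing. Dropping the filter, or replacing it with `mandatory`, turns that omission into an error: `password: "{{ vault_postgres.dbpass[murmur.database.username] | mandatory }}"`. A short comment above `murmur:` saying where `vault_postgres` and `vault_murmur` are now expected to come from would also help, since nothing in this playbook shows that.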