This commit is contained in:
Sam A. 2024-02-10 20:03:04 +01:00
parent 4f849f27f7
commit d91cb37303
Signed by: samsapti
GPG key ID: CBBBE7371E81C4EA
11 changed files with 81 additions and 19 deletions


@ -5,6 +5,10 @@ apps_include:
- caddy - caddy
- searxng - searxng
- website - website
- tor
- watchtower - watchtower
searxng_secret_key: "{{ vault_searxng_secret_key }}" searxng_secret_key: "{{ vault_searxng_secret_key }}"
tor_keys:
website: "{{ vault_tor_keys.website }}"
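Review bot: The new `tor_keys` mapping is keyed by app name and is indexed that way by the tor compose template elsewhere in this commit, but nothing in this file states that contract; a comment above `tor_keys:` such as `# one entry per app in apps_torified, keyed by app name; each value is that app's hidden-service private key` would make it visible to whoever adds the next onion service. Keeping the value as a vault reference here is right; the rendered compose file is where the key lands in plaintext, and that is where the file mode matters.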


@ -1,11 +1,20 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
61623537323039313538373562663036346638653365326439373333333236613163633764343665 39313134383263306437313135636165303961346434393336396463376463646236316231343062
3434613163333131343732316662303065646462343135300a613630313234316663336437643662 3263336330376430646239383932333030333332333937320a326537393533633133663939666463
61323861313833383830303732306433653339326231313466643131616438353836666661306564 37376165336632383734386366336536366638646338316361643339383933613731323834313835
6535383837633264650a393133636536643434326537636633366665313164373463633862343034 3433613962613932660a663135343061346363313561396532376137366262633732323664343538
36613030393538373464353166616164363430663361343534623135376563303663633266666332 38656230366438356531336266346663633361633838383136663465343563326539313139656465
32383336326563333535646265643638376661356631356434303963646532356133306266353736 38396437656362623235646134636663393835336633326635633332656331356635313930333336
37363639613166353038383736633034656637623638656662393539633538663432346665316136 38643131383263373535323832346361336337336632343561323033636630393037356137353736
63653130303762323562663562623065326263356561626330636337366164353634323062303062 61343139666435393533396464643633613066303738643866393164333630623765306134323436
66356531636261313462656265343731396333393263653733333530386439356665323765393030 31636266393337353461616565653537356136623030383132373130313365343639316164356430
3231663733393164383865336531333932393863666636336539 39353739346638636132336636303134306533613364636362646135636265393337623431643431
35363739393832646535623938623434643765633039313335626433376630633932336231366331
34373362353965373636326563323238366664663431363634303735613366373164336363646466
30356336343434393564396135333366623463623162623565353336353239343235383235646238
34623134313431363438373766386533316663323330666138636135386364663034623362366337
39346233376336626131366635336332636164373637633736303835613335343666653765333666
36653135386262393832636235386462663832666365306364396537363763656135636434666536
32643030373564646138393362613835646236323038613366336163373863366536316635373635
33336231313963386438396131386335333163343766323931376662396534356566373061366462
393562646466376565653062366130376135


@ -6,6 +6,7 @@ apps_base_domain: "{{ base_domain }}"
apps_local_domain: local.{{ apps_base_domain }} apps_local_domain: local.{{ apps_base_domain }}
apps_shared_docker_network: apps_network apps_shared_docker_network: apps_network
apps_postfix_docker_network: postfix_network apps_postfix_docker_network: postfix_network
apps_tor_docker_network: tor_network
apps_vars: apps_vars:
caddy: caddy:
@ -35,6 +36,8 @@ apps_vars:
extra_tasks: true extra_tasks: true
domain: ipfs.{{ apps_local_domain }} domain: ipfs.{{ apps_local_domain }}
gateway_domain: ipfs-gateway.{{ apps_base_domain }} gateway_domain: ipfs-gateway.{{ apps_base_domain }}
port: 5001
gateway_port: 8080
version: v0.25.0 version: v0.25.0
monerod: monerod:
@ -42,6 +45,7 @@ apps_vars:
sender: false sender: false
extra_tasks: true extra_tasks: true
domain: xmr.{{ apps_local_domain }} domain: xmr.{{ apps_local_domain }}
port: 18089
version: latest version: latest
nextcloud: nextcloud:
@ -49,6 +53,7 @@ apps_vars:
sender: true sender: true
extra_tasks: true extra_tasks: true
domain: cloud.{{ apps_base_domain }} domain: cloud.{{ apps_base_domain }}
port: 80
version: 28-apache version: 28-apache
redis_version: 7-alpine redis_version: 7-alpine
@ -57,6 +62,7 @@ apps_vars:
sender: false sender: false
extra_tasks: true extra_tasks: true
domain: search.{{ apps_base_domain }} domain: search.{{ apps_base_domain }}
port: 8080
version: latest version: latest
redis_version: 7-alpine redis_version: 7-alpine
@ -78,6 +84,7 @@ apps_vars:
extra_tasks: false extra_tasks: false
domain: samsapti.dev domain: samsapti.dev
onion: mldhltdackluvnqso7vk2azcg3ghjxbpw4im6alubymqkonb4kppqcqd.onion onion: mldhltdackluvnqso7vk2azcg3ghjxbpw4im6alubymqkonb4kppqcqd.onion
port: 80
version: latest version: latest
restic: restic:
@ -95,4 +102,5 @@ apps_vars:
apps_include: "{{ apps_vars | dict2items | map(attribute='key') | list }}" apps_include: "{{ apps_vars | dict2items | map(attribute='key') | list }}"
apps_backup: "{{ apps_vars | dict2items | selectattr('value.backup', 'true') | map(attribute='key') | list | intersect(apps_include) }}" apps_backup: "{{ apps_vars | dict2items | selectattr('value.backup', 'true') | map(attribute='key') | list | intersect(apps_include) }}"
apps_proxied: "{{ apps_vars | dict2items | selectattr('value.domain', 'defined') | map(attribute='key') | list | intersect(apps_include) }}" apps_proxied: "{{ apps_vars | dict2items | selectattr('value.domain', 'defined') | map(attribute='key') | list | intersect(apps_include) }}"
apps_torified: "{{ apps_vars | dict2items | selectattr('value.onion', 'defined') | map(attribute='key') | list | intersect(apps_include) }}"
apps_senders: "{{ apps_vars | dict2items | selectattr('key', 'in', apps_include) | selectattr('value.sender', 'true') | map(attribute='value.domain') | list }}" apps_senders: "{{ apps_vars | dict2items | selectattr('key', 'in', apps_include) | selectattr('value.sender', 'true') | map(attribute='value.domain') | list }}"
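Review bot: `apps_torified` in the last hunk is derived only from `value.onion` and `apps_include`, so it is non-empty even when `tor` itself is not deployed, which is why the Caddyfile `Onion-Location` guard and the website compose template in this commit each re-check `'tor' in apps_include` next to it. Folding that condition into the variable, e.g. `apps_torified: "{{ (apps_vars | dict2items | selectattr('value.onion', 'defined') | map(attribute='key') | list | intersect(apps_include)) if 'tor' in apps_include else [] }}"`, keeps the guard in one place and lets templates test `apps_torified` alone. It is also worth a comment above it noting that every app listed here must define `port` and have a matching `tor_keys` entry, since the tor compose template looks both up by app name and fails at render time otherwise.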


@ -16,6 +16,12 @@
state: present state: present
when: "'postfix' in apps_include" when: "'postfix' in apps_include"
- name: Create Docker network for Tor
community.docker.docker_network:
name: "{{ apps_tor_docker_network }}"
state: present
when: "'tor' in apps_include"
- name: Create base directory for apps - name: Create base directory for apps
ansible.builtin.file: ansible.builtin.file:
path: "{{ apps_data_root }}" path: "{{ apps_data_root }}"


@ -1,7 +1,7 @@
{# code: language=ansible-jinja #} {# code: language=ansible-jinja #}
# THIS FILE IS MANAGED BY ANSIBLE # THIS FILE IS MANAGED BY ANSIBLE
{% if 'searxng' in apps_include %} {% if 'searxng' in apps_proxied %}
{{ apps_vars.searxng.domain }} { {{ apps_vars.searxng.domain }} {
tls {{ tls_email }} tls {{ tls_email }}
@ -67,7 +67,7 @@
handle { handle {
encode zstd gzip encode zstd gzip
reverse_proxy searxng:8080 { reverse_proxy searxng:{{ apps_vars.searxng.port }} {
header_up X-Forwarded-Port {http.request.port} header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Real-IP {remote_host} header_up X-Real-IP {remote_host}
@ -76,7 +76,7 @@
} }
{% endif %} {% endif %}
{% if 'website' in apps_include %} {% if 'website' in apps_proxied %}
{{ apps_base_domain }}, {{ apps_base_domain }},
www.{{ apps_base_domain }}, www.{{ apps_base_domain }},
www.{{ apps_vars.website.domain }} { www.{{ apps_vars.website.domain }} {
@ -104,10 +104,12 @@ www.{{ apps_vars.website.domain }} {
header { header {
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
{% if 'tor' in apps_include and 'website' in apps_torified %}
Onion-Location "http://{{ apps_vars.website.onion }}{uri}" Onion-Location "http://{{ apps_vars.website.onion }}{uri}"
{% endif %}
-Server -Server
} }
reverse_proxy website:80 reverse_proxy website:{{ apps_vars.website.port }}
} }
{% endif %} {% endif %}


@ -36,10 +36,12 @@ services:
PHP_UPLOAD_LIMIT: 16G PHP_UPLOAD_LIMIT: 16G
networks: networks:
default: default:
{{ apps_postfix_docker_network }}:
{{ apps_shared_docker_network }}: {{ apps_shared_docker_network }}:
aliases: aliases:
- nextcloud - nextcloud
{% if 'postfix' in apps_include %}
{{ apps_postfix_docker_network }}:
{% endif %}
volumes: volumes:
- "./data/app:/var/www/html:rw" - "./data/app:/var/www/html:rw"
- "./data/apache2/remoteip.conf:/etc/apache2/conf-enabled/remoteip.conf:ro" - "./data/apache2/remoteip.conf:/etc/apache2/conf-enabled/remoteip.conf:ro"
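Review bot: The service-level attachment to `{{ apps_postfix_docker_network }}` is now wrapped in `{% if 'postfix' in apps_include %}`, but this file's top-level `networks:` stanza is outside the hunk; if it still declares that network unconditionally with `external: true`, bringing the stack up without postfix can fail because the external network does not exist. The website compose template in this same commit guards both the service attachment and the top-level declaration with the same condition, and the two belong together here as well. If the top-level entry is already guarded, a short comment on this block saying so would save the next reader the check.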


@ -0,0 +1,22 @@
{# code: language=ansible-jinja #}
# THIS FILE IS MANAGED BY ANSIBLE
version: "3.8"
services:
app:
image: goldy/tor-hidden-service:{{ apps_vars.tor.version }}
restart: always
environment:
{% for app in apps_torified|sort %}
{{ app | upper }}_TOR_SERVICE_HOSTS: 80:{{ app }}:{{ apps_vars[app].port }}
{{ app | upper }}_TOR_SERVICE_VERSION: '3'
{{ app | upper }}_TOR_SERVICE_KEY: |
{{ tor_keys[app] | indent(width=8) }}
{% endfor %}
networks:
- {{ apps_tor_docker_network }}
networks:
{{ apps_tor_docker_network }}:
external: true
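Review bot: `{{ tor_keys[app] | indent(width=8) }}` under the `|` block scalar depends on the template line's own indentation for the first line of the key, because Jinja's `indent` filter leaves the first line untouched by default; the rendered indent has to be exactly eight spaces for the block scalar to parse, and the rendered page does not show whether it is. More importantly, this template writes each hidden-service private key in plaintext into the compose file and, by design of the image, into the container environment, so the task that renders this file (not in the diff) should set a restrictive mode such as `mode: "0600"` and the header comment here could say `# contains hidden-service private keys; rendered with mode 0600`. If `apps_torified` is ever empty the `environment:` key is rendered bare, which Compose may reject as a null mapping; guarding the stanza with the loop, or asserting the list is non-empty before templating, avoids that.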


@ -11,7 +11,16 @@ services:
{{ apps_shared_docker_network }}: {{ apps_shared_docker_network }}:
aliases: aliases:
- website - website
{% if 'tor' in apps_include %}
{{ apps_tor_docker_network }}:
aliases:
- website
{% endif %}
networks: networks:
{{ apps_shared_docker_network }}: {{ apps_shared_docker_network }}:
external: true external: true
{% if 'tor' in apps_include %}
{{ apps_tor_docker_network }}:
external: true
{% endif %}


@ -5,7 +5,7 @@ server {
server_name {{ apps_vars.ipfs.domain }}; server_name {{ apps_vars.ipfs.domain }};
listen 8080; listen 8080;
set $upstream http://ipfs:5001; set $upstream http://ipfs:{{ apps_vars.ipfs.port }};
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
@ -25,7 +25,7 @@ server {
listen 8080; listen 8080;
server_name ~^([\w-]+\.(ipfs|ipns)\.)?{{ apps_vars.ipfs.gateway_domain | replace('.', '\.') }}$; server_name ~^([\w-]+\.(ipfs|ipns)\.)?{{ apps_vars.ipfs.gateway_domain | replace('.', '\.') }}$;
set $upstream http://ipfs:8080; set $upstream http://ipfs:{{ apps_vars.ipfs.gateway_port }};
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;


@ -5,7 +5,7 @@ server {
server_name {{ apps_vars.monerod.domain }}; server_name {{ apps_vars.monerod.domain }};
listen 8080; listen 8080;
set $upstream http://monerod:18089; set $upstream http://monerod:{{ apps_vars.monerod.port }};
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;


@ -5,7 +5,7 @@ server {
server_name {{ apps_vars.nextcloud.domain }}; server_name {{ apps_vars.nextcloud.domain }};
listen 8080; listen 8080;
set $upstream http://nextcloud:80; set $upstream http://nextcloud:{{ apps_vars.nextcloud.port }};
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;