Add IPFS node

2023-07-02 02:09:57 +02:00 · 2023-07-02 02:09:57 +02:00 · 13d7075a08
parent 77effd7bf4
commit 13d7075a08
6 changed files with 93 additions and 4 deletions
--- a/provision.sh
+++ b/provision.sh
@ -7,6 +7,8 @@ usage() {
    printf '$ %s\n' "$0 [-h|--help]"
    printf '$ %s\n' "$0 [--dry] os"
    printf '$ %s\n' "$0 [--dry] docker"
+    printf '$ %s\n' "$0 [--dry] firewall"
+    printf '$ %s\n' "$0 [--dry] ssh"
    printf '$ %s\n' "$0 [--dry] users [-i|--init]"
    printf '$ %s\n' "$0 [--dry] reboot [-f|--force]"
    printf '$ %s\n' "$0 [--dry] services [-d|--down] [SINGLE_SERVICE]"
--- a/roles/docker_services/defaults/main.yml
+++ b/roles/docker_services/defaults/main.yml
@ -21,6 +21,11 @@ services:
    data_volume: "{{ mass_data_volume }}/emby"
    version: latest

+  ipfs:
+    domain: ipfs-gateway.{{ base_domain }}
+    volume: "{{ base_volume }}/ipfs"
+    version: v0.19.2  # https://github.com/ipfs/kubo/issues/9901
+
  monerod:
    domain: xmr.{{ base_domain }}
    volume: "{{ base_volume }}/monerod"
--- a/roles/docker_services/files/ipfs/ipfs-config.sh
+++ b/roles/docker_services/files/ipfs/ipfs-config.sh
@ -0,0 +1,20 @@
+#!/bin/sh
+
+set -ex
+
+ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["http://'$LAN_IP':5001"]'
+ipfs config --json API.HTTPHeaders.Access-Control-Allow-Methods '["PUT", "POST"]'
+
+ipfs config --json Gateway.PublicGateways '{
+        "'$IPFS_DOMAIN'": {
+            "UseSubdomains": false,
+            "Paths": ["/ipfs", "/ipns"]
+        }
+    }'
+
+ipfs config --json DNS.Resolvers '{
+        ".": "https://anycast.censurfridns.dk/dns-query"
+    }'
+
+ipfs config --json Datastore.StorageMax '"100GB"'
+ipfs config --json Datastore.GCPeriod '"10m"'
--- a/roles/docker_services/tasks/services/ipfs.yml
+++ b/roles/docker_services/tasks/services/ipfs.yml
@ -0,0 +1,45 @@
+# vim: ft=yaml.ansible
+---
+- name: Create IPFS Kubo volume directories
+  ansible.builtin.file:
+    name: "{{ dir }}"
+    owner: root
+    mode: u=rwx,g=rx,o=rx
+    state: directory
+  loop:
+    - "{{ services.ipfs.volume }}/data"
+    - "{{ services.ipfs.volume }}/staging"
+  loop_control:
+    loop_var: dir
+
+- name: Copy ipfs-config.sh
+  ansible.builtin.copy:
+    src: ipfs/ipfs-config.sh
+    dest: "{{ services.ipfs.volume }}/ipfs-config.sh"
+    owner: root
+    mode: u=rwx,g=rx,o=rx
+
+- name: Deploy IPFS Kubo Docker container
+  community.docker.docker_container:
+    name: ipfs_kubo
+    state: "{{ 'absent' if stop is defined and stop else 'started' }}"
+    restart: "{{ stop is undefined or not stop }}"
+    image: ipfs/kubo:{{ services.ipfs.version }}
+    restart_policy: always
+    default_host_ip: ''
+    env:
+      IPFS_DOMAIN: "{{ services.ipfs.domain }}"
+      IPFS_PROFILE: server
+      LAN_IP: "{{ ansible_default_ipv4.address }}"
+    networks:
+      - name: services
+        aliases:
+          - ipfs_kubo
+    volumes:
+      - "{{ services.ipfs.volume }}/ipfs-config.sh:/container-init.d/ipfs-config.sh:ro"
+      - "{{ services.ipfs.volume }}/data:/data/ipfs:rw"
+      - "{{ services.ipfs.volume }}/staging:/export:rw"
+    published_ports:
+      - 4001:4001/tcp
+      - 4001:4001/udp
+      - 5001:5001/tcp
--- a/roles/docker_services/templates/Caddyfile.j2
+++ b/roles/docker_services/templates/Caddyfile.j2
@ -27,6 +27,18 @@
    reverse_proxy emby:8096
 }

+{{ services.ipfs.domain }} {
+    tls {{ secrets.tls_email }}
+
+    header {
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        -Server
+    }
+
+    reverse_proxy ipfs_kubo:8080
+
+}
+
 {{ services.monerod.domain }}:18089 {
    tls {{ secrets.tls_email }}

--- a/roles/os_config/tasks/firewall.yml
+++ b/roles/os_config/tasks/firewall.yml
@ -7,13 +7,18 @@
    proto: "{{ item.proto | default('tcp') }}"
  loop:
    - port: '22'     # SSH
-    - port: '53'     # Pi-hole
+    - port: '53'     # Pi-hole (not port-forwarded)
      proto: tcp
-    - port: '53'     # Pi-hole
+    - port: '53'     # Pi-hole (not port-forwarded)
      proto: udp
    - port: '80'     # HTTP
-    - port: '81'     # Pi-hole
+    - port: '81'     # Pi-hole (not port-forwarded)
    - port: '443'    # HTTPS
+    - port: '4001'   # IPFS Kubo P2P
+      proto: tcp
+    - port: '4001'   # IPFS Kubo P2P
+      proto: udp
+    - port: '5001'   # IPFS Kubo RPC API (not port-forwarded)
    - port: '18080'  # monerod P2P
    - port: '18089'  # monerod RPC
    - port: '51820'  # Wireguard
@ -21,5 +26,5 @@

 - name: Enable UFW
  community.general.ufw:
-    state: enabled
    policy: deny
+    state: enabled