Add local domain to some services for TLS

This commit is contained in:
Sam A. 2023-09-23 19:27:36 +02:00
parent 00bbe5751a
commit eb8db1725b
Signed by: samsapti
GPG Key ID: CBBBE7371E81C4EA
8 changed files with 62 additions and 24 deletions


@ -24,11 +24,9 @@ open_ports:
- { port: '53', proto: 'tcp', comment: 'Pi-hole (not port-forwarded)' }
- { port: '53', proto: 'udp', comment: 'Pi-hole (not port-forwarded)' }
- { port: '80', proto: 'tcp', comment: 'HTTP' }
- { port: '81', proto: 'tcp', comment: 'Pi-hole (not port-forwarded)' }
- { port: '443', proto: 'tcp', comment: 'HTTPS' }
- { port: '443', proto: 'udp', comment: 'HTTPS' }
- { port: '4001', proto: 'tcp', comment: 'IPFS Kubo P2P' }
- { port: '4001', proto: 'udp', comment: 'IPFS Kubo P2P' }
- { port: '5001', proto: 'tcp', comment: 'IPFS Kubo RPC API (not port-forwarded)' }
- { port: '18080', proto: 'tcp', comment: 'monerod P2P' }
- { port: '18089', proto: 'tcp', comment: 'monerod RPC' }


@ -1,2 +1,2 @@
# Raspberry Pi 4B
pi.servers.sapti.me ansible_python_interface=/usr/bin/python3
ssh.local.sapti.me ansible_python_interface=/usr/bin/python3
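Review bot: `ansible_python_interface` on the renamed host line is not an Ansible variable; the interpreter setting is `ansible_python_interpreter`, so this value is silently stored as an unused host var and Ansible falls back to interpreter discovery. The typo predates this commit but survives onto the new line, so it is worth fixing while the line is being touched: `ssh.local.sapti.me ansible_python_interpreter=/usr/bin/python3`. Nothing else in the inventory is visible here, so other hosts may carry the same misspelling.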


@ -1,6 +1,7 @@
# vim: ft=yaml.ansible
---
base_domain: sapti.me
local_domain: local.{{ base_domain }}
base_volume: "{{ ssd_mount_point }}/apps"
mass_data_volume: "{{ hdd_mount_point }}/apps"
@ -22,7 +23,8 @@ services:
version: latest
ipfs:
domain: ipfs-gateway.{{ base_domain }}
domain: ipfs.{{ local_domain }}
gateway_domain: ipfs-gateway.{{ base_domain }}
volume: "{{ base_volume }}/ipfs"
version: v0.19.2 # https://github.com/ipfs/kubo/issues/9901
@ -42,6 +44,7 @@ services:
version: latest
pihole:
domain: pi-hole.{{ local_domain }}
volume: "{{ base_volume }}/pi-hole"
docker_ipv4: 172.18.3.2
version: '2023.05.2'
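Review bot: The meaning of `services.ipfs.domain` changes in this hunk from the public gateway name to the LAN-only RPC API name, while `gateway_domain` takes over the old role, and nothing in the file records that distinction. A reader of the Caddyfile or the init script later has to reconstruct which name is exposed where, so a short comment on each key would help: `domain: ipfs.{{ local_domain }}  # Kubo RPC API / WebUI, LAN name` and `gateway_domain: ipfs-gateway.{{ base_domain }}  # public HTTP gateway`. The same applies to `pihole.domain`, which is also a `local_domain` name; a one-line comment above `local_domain` saying these names are meant to resolve only inside the LAN would document the intent behind the split.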


@ -2,7 +2,7 @@
set -ex
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["http://'$LAN_IP':5001"]'
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["https://'$LOCAL_DOMAIN'"]'
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Methods '["PUT", "POST"]'
ipfs config --json Gateway.PublicGateways '{
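Review bot: `$LOCAL_DOMAIN` on the changed `Access-Control-Allow-Origin` line is interpolated unquoted between the single-quoted fragments, so an empty or whitespace-containing value would produce a malformed JSON array rather than a clear failure; quote the expansion: `ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["https://'"$LOCAL_DOMAIN"'"]'`. The value only allows the `https://` origin, which matches the TLS-only Caddy site, so requests to the WebUI over plain `http://` would now be rejected by CORS; that looks intended but is worth a comment. The script starts before this hunk (`set -ex` is line 2), and whether `LOCAL_DOMAIN` is guaranteed non-empty depends on the container env defined elsewhere.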


@ -1,3 +1,5 @@
private-domain: local.sapti.me
forward-zone:
name: "."
forward-tls-upstream: yes
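Review bot: `private-domain: local.sapti.me` hard-codes a name that group_vars now derives as `local_domain: local.{{ base_domain }}`, so the two can drift if `base_domain` or the prefix is ever changed. If this file is rendered through the Ansible template module, `private-domain: {{ local_domain }}` keeps them in sync; if it is copied verbatim, a comment such as `# must match local_domain in group_vars` above the line is the minimum. The directive itself is what allows unbound to return RFC 1918 addresses for this zone, so it is the right setting for a split-horizon local domain, but that rationale is not stated anywhere in the file.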


@ -29,9 +29,9 @@
restart_policy: always
default_host_ip: ''
env:
IPFS_DOMAIN: "{{ services.ipfs.domain }}"
IPFS_DOMAIN: "{{ services.ipfs.gateway_domain }}"
IPFS_PROFILE: server
LAN_IP: "{{ ansible_default_ipv4.address }}"
LOCAL_DOMAIN: "{{ services.ipfs.domain }}"
networks:
- name: services
aliases:
@ -43,4 +43,3 @@
published_ports:
- 4001:4001/tcp
- 4001:4001/udp
- 5001:5001/tcp
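Review bot: The new env entry `LOCAL_DOMAIN: "{{ services.ipfs.domain }}"` carries the full host name `ipfs.<local_domain>`, not the group var `local_domain`, so the name is misleading for whoever reads the init script that builds the CORS origin from it. A name such as `API_DOMAIN` (with the matching rename in the script) or at least a comment like `# full hostname of the RPC API/WebUI site served by Caddy` would avoid the confusion. Dropping the `5001:5001/tcp` publication is consistent with proxying the RPC API through Caddy, but it only closes the direct path; the proxied path's exposure is a matter for the Caddyfile. The task continues outside this hunk.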


@ -55,13 +55,17 @@
PIHOLE_DNS_: unbound
WEBPASSWORD: "{{ secrets.pihole.web_pw }}"
TZ: "{{ timezone }}"
networks:
default:
services:
aliases:
- pihole
volumes:
- "{{ services.pihole.volume }}/pihole:/etc/pihole:rw"
- "{{ services.pihole.volume }}/dnsmasq.d:/etc/dnsmasq.d:rw"
ports:
- 53:53/tcp
- 53:53/udp
- 81:80/tcp
depends_on:
- unbound
@ -70,3 +74,7 @@
restart: always
volumes:
- "{{ services.pihole.volume }}/unbound/forward-records.conf:/opt/unbound/etc/unbound/forward-records.conf:ro"
networks:
services:
external: true
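Review bot: The stack now attaches `pihole` to a network declared `external: true` at the bottom of the file, so `docker compose up` fails unless the `services` network already exists; nothing in this file says who creates it, and a comment such as `# created by the caddy role; must exist before this stack starts` next to `external: true` would save the next person a failed deploy. The alias `pihole` is what the Caddyfile's `reverse_proxy pihole:80` resolves against, which is worth noting next to `aliases:` since the two files are otherwise unconnected. Whether the `ports:` entries for 53/tcp and 53/udp survive this hunk cannot be told from the rendering; if they were removed, LAN clients lose their resolver, so that is worth double-checking against the firewall list, which still opens 53.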


@ -2,20 +2,6 @@
admin off
}
{{ services.nextcloud.domain }} {
tls {{ secrets.tls_email }}
rewrite /.well-known/caldav /remote.php/dav
rewrite /.well-known/carddav /remote.php/dav
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
-Server
}
reverse_proxy nextcloud:80
}
{{ services.emby.domain }} {
tls {{ secrets.tls_email }}
@ -27,7 +13,22 @@
reverse_proxy emby:8096
}
{{ services.ipfs.domain }}, *.ipfs.{{ services.ipfs.domain }}, *.ipns.{{ services.ipfs.domain }} {
{{ services.ipfs.domain }} {
tls {{ secrets.tls_email }} {
dns njalla {{ secrets.caddy.njalla_api_token }}
}
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
-Server
}
reverse_proxy ipfs_kubo:5001
}
{{ services.ipfs.gateway_domain }},
*.ipfs.{{ services.ipfs.gateway_domain }},
*.ipns.{{ services.ipfs.gateway_domain }} {
tls {{ secrets.tls_email }} {
dns njalla {{ secrets.caddy.njalla_api_token }}
}
@ -50,3 +51,30 @@
reverse_proxy monerod:18089
}
{{ services.nextcloud.domain }} {
tls {{ secrets.tls_email }}
rewrite /.well-known/caldav /remote.php/dav
rewrite /.well-known/carddav /remote.php/dav
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
-Server
}
reverse_proxy nextcloud:80
}
{{ services.pihole.domain }} {
tls {{ secrets.tls_email }} {
dns njalla {{ secrets.caddy.njalla_api_token }}
}
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
-Server
}
reverse_proxy pihole:80
}
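Review bot: The new `{{ services.ipfs.domain }}` site proxies straight to `ipfs_kubo:5001`, the Kubo RPC API, which has no authentication of its own and grants full control of the node; this hunk puts it behind the same `:443` listener that the firewall opens as plain "HTTPS" without the "(not port-forwarded)" marker used for the old direct 5001 port. Caddy selects the site by SNI/Host, not by how the name was resolved, so resolving `ipfs.local.sapti.me` only inside the LAN (the unbound `private-domain` change) does not by itself keep the site LAN-only; the previous setup had no such path. A `remote_ip` matcher limited to private ranges restores the old boundary; `remote_ip private_ranges` needs a recent Caddy 2, and the client address must survive Docker's port publishing, so confirm both on this host. The `{{ services.pihole.domain }}` block at the end of the file has the same shape and, although Pi-hole has `WEBPASSWORD`, would benefit from the same matcher.
```caddyfile
{{ services.ipfs.domain }} {
    tls {{ secrets.tls_email }} {
        dns njalla {{ secrets.caddy.njalla_api_token }}
    }
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        -Server
    }
    # Kubo RPC API is unauthenticated: only answer clients on the LAN
    @lan remote_ip private_ranges
    handle @lan {
        reverse_proxy ipfs_kubo:5001
    }
    respond 403
}
# … unchanged: gateway, monerod, nextcloud and pihole sites …
```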