diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 63496e9..93c2697 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -24,11 +24,9 @@ open_ports:
 - { port: '53', proto: 'tcp', comment: 'Pi-hole (not port-forwarded)' }
 - { port: '53', proto: 'udp', comment: 'Pi-hole (not port-forwarded)' }
 - { port: '80', proto: 'tcp', comment: 'HTTP' }
- - { port: '81', proto: 'tcp', comment: 'Pi-hole (not port-forwarded)' }
 - { port: '443', proto: 'tcp', comment: 'HTTPS' }
 - { port: '443', proto: 'udp', comment: 'HTTPS' }
 - { port: '4001', proto: 'tcp', comment: 'IPFS Kubo P2P' }
 - { port: '4001', proto: 'udp', comment: 'IPFS Kubo P2P' }
- - { port: '5001', proto: 'tcp', comment: 'IPFS Kubo RPC API (not port-forwarded)' }
 - { port: '18080', proto: 'tcp', comment: 'monerod P2P' }
 - { port: '18089', proto: 'tcp', comment: 'monerod RPC' }
diff --git a/inventory b/inventory
index ec89c6f..0b58eb0 100644
--- a/inventory
+++ b/inventory
@@ -1,2 +1,2 @@
 # Raspberry Pi 4B
-pi.servers.sapti.me ansible_python_interface=/usr/bin/python3
+ssh.local.sapti.me ansible_python_interface=/usr/bin/python3
diff --git a/roles/docker_services/defaults/main.yml b/roles/docker_services/defaults/main.yml
index 59025a4..7c1dfb3 100644
--- a/roles/docker_services/defaults/main.yml
+++ b/roles/docker_services/defaults/main.yml
@@ -1,6 +1,7 @@
 # vim: ft=yaml.ansible
 ---
 base_domain: sapti.me
+local_domain: local.{{ base_domain }}
 base_volume: "{{ ssd_mount_point }}/apps"
 mass_data_volume: "{{ hdd_mount_point }}/apps"
@@ -22,7 +23,8 @@ services:
 version: latest
 ipfs:
- domain: ipfs-gateway.{{ base_domain }}
+ domain: ipfs.{{ local_domain }}
+ gateway_domain: ipfs-gateway.{{ base_domain }}
 volume: "{{ base_volume }}/ipfs"
 version: v0.19.2 # https://github.com/ipfs/kubo/issues/9901
@@ -42,6 +44,7 @@ services:
 version: latest
 pihole:
+ domain: pi-hole.{{ local_domain }}
 volume: "{{ base_volume }}/pi-hole"
 docker_ipv4: 172.18.3.2
 version: '2023.05.2'
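Review bot: The new host line still carries `ansible_python_interface=`, which is not a variable Ansible reads; the inventory variable that pins the interpreter is `ansible_python_interpreter`, so the setting is silently ignored and Ansible falls back to interpreter discovery on the Pi. The corrected line is `ssh.local.sapti.me ansible_python_interpreter=/usr/bin/python3`. Since `ssh.local.sapti.me` appears to resolve only through the Pi-hole/unbound that this playbook itself deploys (the same commit adds `private-domain: local.sapti.me` to the unbound config), a comment, or an `ansible_host=` fallback, documenting how the control node reaches the host while that resolver is down would be worth adding.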
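Review bot: `services.ipfs.domain` changes meaning in this hunk — it used to name the public gateway and now names the local-only vhost that the Caddyfile fronts the Kubo RPC API with — while `gateway_domain` takes over the old value, and nothing in the file says so. A one-line comment on each key would keep a future consumer from pointing at the wrong one: `# local-only: Kubo RPC/WebUI vhost, reverse-proxied by Caddy` above `domain:` and `# public gateway vhost (also serves *.ipfs. and *.ipns. subdomains)` above `gateway_domain:`. The same distinction applies to the new `pihole.domain` in the next hunk, which is also under `local_domain` and so local-only by intent.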
diff --git a/roles/docker_services/files/ipfs/ipfs-config.sh b/roles/docker_services/files/ipfs/ipfs-config.sh
index c90a7bf..3d62fdf 100644
--- a/roles/docker_services/files/ipfs/ipfs-config.sh
+++ b/roles/docker_services/files/ipfs/ipfs-config.sh
@@ -2,7 +2,7 @@
 set -ex
-ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["http://'$LAN_IP':5001"]'
+ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["https://'$LOCAL_DOMAIN'"]'
 ipfs config --json API.HTTPHeaders.Access-Control-Allow-Methods '["PUT", "POST"]'
 ipfs config --json Gateway.PublicGateways '{
diff --git a/roles/docker_services/files/pihole/forward-records.conf b/roles/docker_services/files/pihole/forward-records.conf
index e5fa4bc..a2446b6 100644
--- a/roles/docker_services/files/pihole/forward-records.conf
+++ b/roles/docker_services/files/pihole/forward-records.conf
@@ -1,3 +1,5 @@
+private-domain: local.sapti.me
+
 forward-zone:
 name: "."
 forward-tls-upstream: yes
diff --git a/roles/docker_services/tasks/services/ipfs.yml b/roles/docker_services/tasks/services/ipfs.yml
index 77d745d..d3e5a25 100644
--- a/roles/docker_services/tasks/services/ipfs.yml
+++ b/roles/docker_services/tasks/services/ipfs.yml
@@ -29,9 +29,9 @@
 restart_policy: always
 default_host_ip: ''
 env:
- IPFS_DOMAIN: "{{ services.ipfs.domain }}"
+ IPFS_DOMAIN: "{{ services.ipfs.gateway_domain }}"
 IPFS_PROFILE: server
- LAN_IP: "{{ ansible_default_ipv4.address }}"
+ LOCAL_DOMAIN: "{{ services.ipfs.domain }}"
 networks:
 - name: services
 aliases:
@@ -43,4 +43,3 @@
 published_ports:
 - 4001:4001/tcp
 - 4001:4001/udp
- - 5001:5001/tcp
diff --git a/roles/docker_services/tasks/services/pihole.yml b/roles/docker_services/tasks/services/pihole.yml
index d7bd8f4..6efb47d 100644
--- a/roles/docker_services/tasks/services/pihole.yml
+++ b/roles/docker_services/tasks/services/pihole.yml
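Review bot: `$LOCAL_DOMAIN` is expanded unquoted and unchecked, so if the variable is unset or empty the script writes `["https://"]` into `Access-Control-Allow-Origin` and, even under `set -e`, exits successfully. Using the `:?` expansion makes the run fail loudly instead: `ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["https://'"${LOCAL_DOMAIN:?}"'"]'`. A comment above the line stating that this origin must match the Caddy vhost that fronts the RPC API (`services.ipfs.domain`) and that the RPC API on this Kubo version does no authentication of its own, so the CORS origin is not an access control, would help the next reader. The rest of the script lies outside the hunk.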
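Review bot: `private-domain: local.sapti.me` hard-codes the suffix that `roles/docker_services/defaults/main.yml` derives as `local_domain: local.{{ base_domain }}`; because this file lives under `files/` rather than `templates/`, a later change to `base_domain` or `local_domain` leaves unbound's exemption pointing at the old name while every other consumer moves. Rendering it as a template with `private-domain: {{ local_domain }}` keeps the two in step. A comment such as `# let answers under this zone carry private (RFC1918) addresses; unbound otherwise strips them` would record why the option is here — I am inferring from the `local.` naming and the `private-domain` semantics that the local records point at private addresses, so confirm that is the reason.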
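Review bot: The environment variable names now cross over the role variables they carry — `IPFS_DOMAIN` is fed `services.ipfs.gateway_domain` while `LOCAL_DOMAIN` is fed `services.ipfs.domain` — which is easy to misread when the two vhosts have very different exposure (public gateway vs. RPC API). A comment on each line, `# public gateway hostname (Gateway.PublicGateways)` and `# local-only hostname Caddy uses for the RPC API; sets the CORS origin in ipfs-config.sh`, would make the mapping explicit; renaming `IPFS_DOMAIN` to something like `IPFS_GATEWAY_DOMAIN` would be clearer still but touches `ipfs-config.sh` beyond what is shown. The task definition starts before the hunk.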
@@ -55,13 +55,17 @@
 PIHOLE_DNS_: unbound
 WEBPASSWORD: "{{ secrets.pihole.web_pw }}"
 TZ: "{{ timezone }}"
+ networks:
+ default:
+ services:
+ aliases:
+ - pihole
 volumes:
 - "{{ services.pihole.volume }}/pihole:/etc/pihole:rw"
 - "{{ services.pihole.volume }}/dnsmasq.d:/etc/dnsmasq.d:rw"
 ports:
 - 53:53/tcp
 - 53:53/udp
- - 81:80/tcp
 depends_on:
 - unbound
@@ -70,3 +74,7 @@
 restart: always
 volumes:
 - "{{ services.pihole.volume }}/unbound/forward-records.conf:/opt/unbound/etc/unbound/forward-records.conf:ro"
+
+ networks:
+ services:
+ external: true
diff --git a/roles/docker_services/templates/Caddyfile.j2 b/roles/docker_services/templates/Caddyfile.j2
index 9042816..193a577 100644
--- a/roles/docker_services/templates/Caddyfile.j2
+++ b/roles/docker_services/templates/Caddyfile.j2
@@ -2,20 +2,6 @@
 admin off
 }
-{{ services.nextcloud.domain }} {
- tls {{ secrets.tls_email }}
-
- rewrite /.well-known/caldav /remote.php/dav
- rewrite /.well-known/carddav /remote.php/dav
-
- header {
- Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
- -Server
- }
-
- reverse_proxy nextcloud:80
-}
-
 {{ services.emby.domain }} {
 tls {{ secrets.tls_email }}
@@ -27,7 +13,22 @@
 reverse_proxy emby:8096
 }
-{{ services.ipfs.domain }}, *.ipfs.{{ services.ipfs.domain }}, *.ipns.{{ services.ipfs.domain }} {
+{{ services.ipfs.domain }} {
+ tls {{ secrets.tls_email }} {
+ dns njalla {{ secrets.caddy.njalla_api_token }}
+ }
+
+ header {
+ Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+ -Server
+ }
+
+ reverse_proxy ipfs_kubo:5001
+}
+
+{{ services.ipfs.gateway_domain }},
+*.ipfs.{{ services.ipfs.gateway_domain }},
+*.ipns.{{ services.ipfs.gateway_domain }} {
 tls {{ secrets.tls_email }} {
 dns njalla {{ secrets.caddy.njalla_api_token }}
 }
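Review bot: Attaching the Pi-hole container to the shared `services` network — the same external network the IPFS task joins — makes its admin UI on port 80 and its resolver on port 53 reachable from every other container on that network, not only from Caddy; the removed `81:80/tcp` publication narrows host-side exposure, but the container-side exposure widens. If only Caddy needs `pihole:80`, a dedicated network shared by just those two containers limits what a compromised service container can reach, and a comment above the new `networks:` block, `# joined to 'services' so Caddy can reverse-proxy the admin UI at services.pihole.domain`, would record the intent. The compose service's own name is outside the hunk, so whether the explicit `aliases: - pihole` duplicates it cannot be checked here.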
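Review bot: The new `{{ services.ipfs.domain }}` site block reverse-proxies the Kubo RPC API (`ipfs_kubo:5001`) with no access restriction, and the `{{ services.pihole.domain }}` block in the last hunk fronts `pihole:80` the same way. Caddy picks the site from the TLS server name and Host header, not from who can resolve the `local.` name, so if this Caddy is the listener behind the port-forwarded 443 in `open_ports`, any Internet client can reach these blocks by presenting the right name. Kubo's RPC API at v0.19.2 does no authentication of its own, so whoever reaches it can administer the node — which the removed `5001:5001/tcp` publication and the `(not port-forwarded)` comment suggest was never intended. Gate the block on source address, e.g. `@external not remote_ip private_ranges` followed by `abort @external` inside the site block, or at least add `basicauth` in front of the proxy. The gateway block that follows continues past the end of the hunk.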
@@ -50,3 +51,30 @@
 reverse_proxy monerod:18089
 }
+
+{{ services.nextcloud.domain }} {
+ tls {{ secrets.tls_email }}
+
+ rewrite /.well-known/caldav /remote.php/dav
+ rewrite /.well-known/carddav /remote.php/dav
+
+ header {
+ Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+ -Server
+ }
+
+ reverse_proxy nextcloud:80
+}
+
+{{ services.pihole.domain }} {
+ tls {{ secrets.tls_email }} {
+ dns njalla {{ secrets.caddy.njalla_api_token }}
+ }
+
+ header {
+ Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+ -Server
+ }
+
+ reverse_proxy pihole:80
+}