Add local domain to some services for TLS

2023-09-23 19:27:36 +02:00 · 2023-09-23 19:27:36 +02:00 · eb8db1725b
parent 00bbe5751a
commit eb8db1725b
8 changed files with 62 additions and 24 deletions
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -24,11 +24,9 @@ open_ports:
  - { port: '53', proto: 'tcp', comment: 'Pi-hole (not port-forwarded)' }
  - { port: '53', proto: 'udp', comment: 'Pi-hole (not port-forwarded)' }
  - { port: '80', proto: 'tcp', comment: 'HTTP' }
  - { port: '81', proto: 'tcp', comment: 'Pi-hole (not port-forwarded)' }
  - { port: '443', proto: 'tcp', comment: 'HTTPS' }
  - { port: '443', proto: 'udp', comment: 'HTTPS' }
  - { port: '4001', proto: 'tcp', comment: 'IPFS Kubo P2P' }
  - { port: '4001', proto: 'udp', comment: 'IPFS Kubo P2P' }
  - { port: '5001', proto: 'tcp', comment: 'IPFS Kubo RPC API (not port-forwarded)' }
  - { port: '18080', proto: 'tcp', comment: 'monerod P2P' }
  - { port: '18089', proto: 'tcp', comment: 'monerod RPC' }
--- a/2
+++ b/2
@ -1,2 +1,2 @@
 # Raspberry Pi 4B
-pi.servers.sapti.me ansible_python_interface=/usr/bin/python3
+ssh.local.sapti.me ansible_python_interface=/usr/bin/python3
--- a/roles/docker_services/defaults/main.yml
+++ b/roles/docker_services/defaults/main.yml
@ -1,6 +1,7 @@
 # vim: ft=yaml.ansible
 ---
 base_domain: sapti.me
 local_domain: local.{{ base_domain }}
 base_volume: "{{ ssd_mount_point }}/apps"
 mass_data_volume: "{{ hdd_mount_point }}/apps"
@ -22,7 +23,8 @@ services:
    version: latest
  ipfs:
-    domain: ipfs-gateway.{{ base_domain }}
+    domain: ipfs.{{ local_domain }}
    gateway_domain: ipfs-gateway.{{ base_domain }}
    volume: "{{ base_volume }}/ipfs"
    version: v0.19.2  # https://github.com/ipfs/kubo/issues/9901
@ -42,6 +44,7 @@ services:
    version: latest
  pihole:
    domain: pi-hole.{{ local_domain }}
    volume: "{{ base_volume }}/pi-hole"
    docker_ipv4: 172.18.3.2
    version: '2023.05.2'
--- a/roles/docker_services/files/ipfs/ipfs-config.sh
+++ b/roles/docker_services/files/ipfs/ipfs-config.sh
@ -2,7 +2,7 @@
 set -ex
-ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["http://'$LAN_IP':5001"]'
+ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["https://'$LOCAL_DOMAIN'"]'
 ipfs config --json API.HTTPHeaders.Access-Control-Allow-Methods '["PUT", "POST"]'
 ipfs config --json Gateway.PublicGateways '{
--- a/roles/docker_services/files/pihole/forward-records.conf
+++ b/roles/docker_services/files/pihole/forward-records.conf
@ -1,3 +1,5 @@
 private-domain: local.sapti.me
 forward-zone:
    name: "."
    forward-tls-upstream: yes
--- a/roles/docker_services/tasks/services/ipfs.yml
+++ b/roles/docker_services/tasks/services/ipfs.yml
@ -29,9 +29,9 @@
    restart_policy: always
    default_host_ip: ''
    env:
-      IPFS_DOMAIN: "{{ services.ipfs.domain }}"
+      IPFS_DOMAIN: "{{ services.ipfs.gateway_domain }}"
      IPFS_PROFILE: server
-      LAN_IP: "{{ ansible_default_ipv4.address }}"
+      LOCAL_DOMAIN: "{{ services.ipfs.domain }}"
    networks:
      - name: services
        aliases:
@ -43,4 +43,3 @@
    published_ports:
      - 4001:4001/tcp
      - 4001:4001/udp
      - 5001:5001/tcp
--- a/roles/docker_services/tasks/services/pihole.yml
+++ b/roles/docker_services/tasks/services/pihole.yml
@ -55,13 +55,17 @@
            PIHOLE_DNS_: unbound
            WEBPASSWORD: "{{ secrets.pihole.web_pw }}"
            TZ: "{{ timezone }}"
          networks:
            default:
            services:
              aliases:
                - pihole
          volumes:
            - "{{ services.pihole.volume }}/pihole:/etc/pihole:rw"
            - "{{ services.pihole.volume }}/dnsmasq.d:/etc/dnsmasq.d:rw"
          ports:
            - 53:53/tcp
            - 53:53/udp
            - 81:80/tcp
          depends_on:
            - unbound
@ -70,3 +74,7 @@
          restart: always
          volumes:
            - "{{ services.pihole.volume }}/unbound/forward-records.conf:/opt/unbound/etc/unbound/forward-records.conf:ro"
      networks:
        services:
          external: true
--- a/roles/docker_services/templates/Caddyfile.j2
+++ b/roles/docker_services/templates/Caddyfile.j2
@ -2,20 +2,6 @@
    admin off
 }
 {{ services.nextcloud.domain }} {
    tls {{ secrets.tls_email }}
    rewrite /.well-known/caldav /remote.php/dav
    rewrite /.well-known/carddav /remote.php/dav
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        -Server
    }
    reverse_proxy nextcloud:80
 }
 {{ services.emby.domain }} {
    tls {{ secrets.tls_email }}
@ -27,7 +13,22 @@
    reverse_proxy emby:8096
 }
-{{ services.ipfs.domain }},  *.ipfs.{{ services.ipfs.domain }}, *.ipns.{{ services.ipfs.domain }} {
+{{ services.ipfs.domain }} {
    tls {{ secrets.tls_email }} {
        dns njalla {{ secrets.caddy.njalla_api_token }}
    }
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        -Server
    }
    reverse_proxy ipfs_kubo:5001
 }
 {{ services.ipfs.gateway_domain }},
 *.ipfs.{{ services.ipfs.gateway_domain }},
 *.ipns.{{ services.ipfs.gateway_domain }} {
    tls {{ secrets.tls_email }} {
        dns njalla {{ secrets.caddy.njalla_api_token }}
    }
@ -50,3 +51,30 @@
    reverse_proxy monerod:18089
 }
 {{ services.nextcloud.domain }} {
    tls {{ secrets.tls_email }}
    rewrite /.well-known/caldav /remote.php/dav
    rewrite /.well-known/carddav /remote.php/dav
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        -Server
    }
    reverse_proxy nextcloud:80
 }
 {{ services.pihole.domain }} {
    tls {{ secrets.tls_email }} {
        dns njalla {{ secrets.caddy.njalla_api_token }}
    }
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        -Server
    }
    reverse_proxy pihole:80
 }
`@ -1,2 +1,2 @@`
	`# Raspberry Pi 4B`	`# Raspberry Pi 4B`
	`pi.servers.sapti.me ansible_python_interface=/usr/bin/python3`	`ssh.local.sapti.me ansible_python_interface=/usr/bin/python3`