Add local domain to some services for TLS

This commit is contained in:
Sam A. 2023-09-23 19:27:36 +02:00
parent 00bbe5751a
commit eb8db1725b
Signed by: samsapti
GPG key ID: CBBBE7371E81C4EA
8 changed files with 62 additions and 24 deletions


@ -24,11 +24,9 @@ open_ports:
- { port: '53', proto: 'tcp', comment: 'Pi-hole (not port-forwarded)' } - { port: '53', proto: 'tcp', comment: 'Pi-hole (not port-forwarded)' }
- { port: '53', proto: 'udp', comment: 'Pi-hole (not port-forwarded)' } - { port: '53', proto: 'udp', comment: 'Pi-hole (not port-forwarded)' }
- { port: '80', proto: 'tcp', comment: 'HTTP' } - { port: '80', proto: 'tcp', comment: 'HTTP' }
- { port: '81', proto: 'tcp', comment: 'Pi-hole (not port-forwarded)' }
- { port: '443', proto: 'tcp', comment: 'HTTPS' } - { port: '443', proto: 'tcp', comment: 'HTTPS' }
- { port: '443', proto: 'udp', comment: 'HTTPS' } - { port: '443', proto: 'udp', comment: 'HTTPS' }
- { port: '4001', proto: 'tcp', comment: 'IPFS Kubo P2P' } - { port: '4001', proto: 'tcp', comment: 'IPFS Kubo P2P' }
- { port: '4001', proto: 'udp', comment: 'IPFS Kubo P2P' } - { port: '4001', proto: 'udp', comment: 'IPFS Kubo P2P' }
- { port: '5001', proto: 'tcp', comment: 'IPFS Kubo RPC API (not port-forwarded)' }
- { port: '18080', proto: 'tcp', comment: 'monerod P2P' } - { port: '18080', proto: 'tcp', comment: 'monerod P2P' }
- { port: '18089', proto: 'tcp', comment: 'monerod RPC' } - { port: '18089', proto: 'tcp', comment: 'monerod RPC' }


@ -1,2 +1,2 @@
# Raspberry Pi 4B # Raspberry Pi 4B
pi.servers.sapti.me ansible_python_interface=/usr/bin/python3 ssh.local.sapti.me ansible_python_interface=/usr/bin/python3
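Review bot: The changed inventory line carries the variable `ansible_python_interface`, but the name Ansible actually reads is `ansible_python_interpreter`; an unrecognised host variable is accepted silently, so the interpreter setting never takes effect and automatic discovery runs instead. The new line should read `ssh.local.sapti.me ansible_python_interpreter=/usr/bin/python3`. The typo predates the hostname rename, but the rename rewrites the only line it lives on, so this is the place to fix it.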


@ -1,6 +1,7 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
--- ---
base_domain: sapti.me base_domain: sapti.me
local_domain: local.{{ base_domain }}
base_volume: "{{ ssd_mount_point }}/apps" base_volume: "{{ ssd_mount_point }}/apps"
mass_data_volume: "{{ hdd_mount_point }}/apps" mass_data_volume: "{{ hdd_mount_point }}/apps"
@ -22,7 +23,8 @@ services:
version: latest version: latest
ipfs: ipfs:
domain: ipfs-gateway.{{ base_domain }} domain: ipfs.{{ local_domain }}
gateway_domain: ipfs-gateway.{{ base_domain }}
volume: "{{ base_volume }}/ipfs" volume: "{{ base_volume }}/ipfs"
version: v0.19.2 # https://github.com/ipfs/kubo/issues/9901 version: v0.19.2 # https://github.com/ipfs/kubo/issues/9901
@ -42,6 +44,7 @@ services:
version: latest version: latest
pihole: pihole:
domain: pi-hole.{{ local_domain }}
volume: "{{ base_volume }}/pi-hole" volume: "{{ base_volume }}/pi-hole"
docker_ipv4: 172.18.3.2 docker_ipv4: 172.18.3.2
version: '2023.05.2' version: '2023.05.2'
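Review bot: In the ipfs stanza the key `domain` now resolves to `ipfs.{{ local_domain }}`, the hostname the Caddyfile proxies to the Kubo RPC API, while `gateway_domain` keeps the public gateway name; for every other service `domain` still means the externally served hostname, so the meaning of the key differs here without saying so. A comment above the changed line would make the asymmetry explicit, e.g. `# local-only hostname for the Kubo RPC API (admin surface); the public gateway is gateway_domain`. The same applies to the new `pihole.domain`, which is also a local-only admin hostname.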


@ -2,7 +2,7 @@
set -ex set -ex
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["http://'$LAN_IP':5001"]' ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["https://'$LOCAL_DOMAIN'"]'
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Methods '["PUT", "POST"]' ipfs config --json API.HTTPHeaders.Access-Control-Allow-Methods '["PUT", "POST"]'
ipfs config --json Gateway.PublicGateways '{ ipfs config --json Gateway.PublicGateways '{
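Review bot: The changed `ipfs config` line interpolates `$LOCAL_DOMAIN` with no check that it is set, so an unset or empty variable produces the origin list `["https://"]` and the script carries on, because `set -ex` does not include `-u`. Guarding the variable before first use, e.g. `: "${LOCAL_DOMAIN:?LOCAL_DOMAIN must be set}"` right after `set -ex` (or switching to `set -eux`), turns a misconfigured CORS allow-list into a visible provisioning failure. The script continues past the end of the hunk.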


@ -1,3 +1,5 @@
private-domain: local.sapti.me
forward-zone: forward-zone:
name: "." name: "."
forward-tls-upstream: yes forward-tls-upstream: yes
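Review bot: `private-domain: local.sapti.me` hardcodes the value that group_vars now derives as `local_domain: local.{{ base_domain }}`, so a later change to `base_domain` desynchronises the two silently and unbound resumes stripping the private-address answers for the local names. If this file is rendered by Ansible, `private-domain: {{ local_domain }}` keeps them in step; if it is copied verbatim (it is mounted as `forward-records.conf`, not as a template), a comment such as `# must match local_domain in group_vars` at least records the coupling. It is also worth confirming that the file is included inside unbound's `server:` clause, since `private-domain` is a server option whereas `forward-zone:` opens its own clause; the include context is outside the hunk.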


@ -29,9 +29,9 @@
restart_policy: always restart_policy: always
default_host_ip: '' default_host_ip: ''
env: env:
IPFS_DOMAIN: "{{ services.ipfs.domain }}" IPFS_DOMAIN: "{{ services.ipfs.gateway_domain }}"
IPFS_PROFILE: server IPFS_PROFILE: server
LAN_IP: "{{ ansible_default_ipv4.address }}" LOCAL_DOMAIN: "{{ services.ipfs.domain }}"
networks: networks:
- name: services - name: services
aliases: aliases:
@ -43,4 +43,3 @@
published_ports: published_ports:
- 4001:4001/tcp - 4001:4001/tcp
- 4001:4001/udp - 4001:4001/udp
- 5001:5001/tcp
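Review bot: The new env var `LOCAL_DOMAIN` on the changed line holds `services.ipfs.domain` (the IPFS RPC hostname), not the group var `local_domain` of the same name (`local.sapti.me`), which invites the two to be confused when reading the init script that consumes it. A name such as `IPFS_RPC_DOMAIN`, with the matching change in the `ipfs config` script, or at minimum an inline comment `# hostname Caddy serves the RPC API on; used as the CORS origin` would make the distinction visible. Dropping the `5001:5001/tcp` publish in the second hunk is consistent with that, as the API is then reachable only through the reverse proxy.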


@ -55,13 +55,17 @@
PIHOLE_DNS_: unbound PIHOLE_DNS_: unbound
WEBPASSWORD: "{{ secrets.pihole.web_pw }}" WEBPASSWORD: "{{ secrets.pihole.web_pw }}"
TZ: "{{ timezone }}" TZ: "{{ timezone }}"
networks:
default:
services:
aliases:
- pihole
volumes: volumes:
- "{{ services.pihole.volume }}/pihole:/etc/pihole:rw" - "{{ services.pihole.volume }}/pihole:/etc/pihole:rw"
- "{{ services.pihole.volume }}/dnsmasq.d:/etc/dnsmasq.d:rw" - "{{ services.pihole.volume }}/dnsmasq.d:/etc/dnsmasq.d:rw"
ports: ports:
- 53:53/tcp - 53:53/tcp
- 53:53/udp - 53:53/udp
- 81:80/tcp
depends_on: depends_on:
- unbound - unbound
@ -70,3 +74,7 @@
restart: always restart: always
volumes: volumes:
- "{{ services.pihole.volume }}/unbound/forward-records.conf:/opt/unbound/etc/unbound/forward-records.conf:ro" - "{{ services.pihole.volume }}/unbound/forward-records.conf:/opt/unbound/etc/unbound/forward-records.conf:ro"
networks:
services:
external: true
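Review bot: The Pi-hole image documents a `VIRTUAL_HOST` variable for reaching the admin UI by a hostname other than the container's; now that the UI is served as `pi-hole.local.…` through Caddy instead of `host:81`, `VIRTUAL_HOST: "{{ services.pihole.domain }}"` may be needed in the `environment:` block, which begins above the hunk and may already set it. A comment on the new `services:` network entry, e.g. `# shared network so Caddy can reverse-proxy to pihole:80`, would record why the container now sits on two networks.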


@ -2,20 +2,6 @@
admin off admin off
} }
{{ services.nextcloud.domain }} {
tls {{ secrets.tls_email }}
rewrite /.well-known/caldav /remote.php/dav
rewrite /.well-known/carddav /remote.php/dav
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
-Server
}
reverse_proxy nextcloud:80
}
{{ services.emby.domain }} { {{ services.emby.domain }} {
tls {{ secrets.tls_email }} tls {{ secrets.tls_email }}
@ -27,7 +13,22 @@
reverse_proxy emby:8096 reverse_proxy emby:8096
} }
{{ services.ipfs.domain }}, *.ipfs.{{ services.ipfs.domain }}, *.ipns.{{ services.ipfs.domain }} { {{ services.ipfs.domain }} {
tls {{ secrets.tls_email }} {
dns njalla {{ secrets.caddy.njalla_api_token }}
}
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
-Server
}
reverse_proxy ipfs_kubo:5001
}
{{ services.ipfs.gateway_domain }},
*.ipfs.{{ services.ipfs.gateway_domain }},
*.ipns.{{ services.ipfs.gateway_domain }} {
tls {{ secrets.tls_email }} { tls {{ secrets.tls_email }} {
dns njalla {{ secrets.caddy.njalla_api_token }} dns njalla {{ secrets.caddy.njalla_api_token }}
} }
@ -50,3 +51,30 @@
reverse_proxy monerod:18089 reverse_proxy monerod:18089
} }
{{ services.nextcloud.domain }} {
tls {{ secrets.tls_email }}
rewrite /.well-known/caldav /remote.php/dav
rewrite /.well-known/carddav /remote.php/dav
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
-Server
}
reverse_proxy nextcloud:80
}
{{ services.pihole.domain }} {
tls {{ secrets.tls_email }} {
dns njalla {{ secrets.caddy.njalla_api_token }}
}
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
-Server
}
reverse_proxy pihole:80
}
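Review bot: The new `{{ services.ipfs.domain }}` site block proxies to `ipfs_kubo:5001`, which is Kubo's RPC (admin) API, and the pinned v0.19.2 has no built-in authentication on that API, so the only thing standing between a client and node administration is Caddy's Host/SNI match — which anyone able to reach port 443 can satisfy, and 443 is the port-forwarded one (the open_ports comments mark 5001 as 'not port-forwarded'). The `Access-Control-Allow-Origin` header set in the init script constrains browsers only, not direct clients. If the API must be reachable by name, gate the block on source address, e.g. `@public not remote_ip private_ranges` followed by `respond @public 403` before the `reverse_proxy`, or put `basicauth`/`forward_auth` in front, and mark the intent with `# Kubo RPC API: admin-level, unauthenticated — must stay LAN-only`. The `{{ services.pihole.domain }}` block shares the exposure with less severity, since Pi-hole enforces its own web password.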