aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ansible.cfg2
-rw-r--r--inventory.ini1
-rw-r--r--memzero.yml13
-rw-r--r--roles/packages/tasks/main.yml30
-rw-r--r--roles/sshd/handlers/main.yml6
-rw-r--r--roles/sshd/tasks/main.yml13
-rw-r--r--roles/webserver/files/user_conf.d/memzero.conf43
-rw-r--r--roles/webserver/files/www/git/index.html1
-rw-r--r--roles/webserver/files/www/memzero/index.html1
-rw-r--r--roles/webserver/handlers/main.yml6
-rw-r--r--roles/webserver/tasks/main.yml49
11 files changed, 165 insertions, 0 deletions
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..601c6ea
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,2 @@
+[defaults]
+inventory=inventory.ini \ No newline at end of file
diff --git a/inventory.ini b/inventory.ini
new file mode 100644
index 0000000..a7b0eb6
--- /dev/null
+++ b/inventory.ini
@@ -0,0 +1 @@
+memzero.de USER=johannst DATA_ROOT=/home/johannst/pods NETWORK=podnet
diff --git a/memzero.yml b/memzero.yml
new file mode 100644
index 0000000..720131b
--- /dev/null
+++ b/memzero.yml
@@ -0,0 +1,13 @@
+- name: Server setup
+ hosts: all
+
+ pre_tasks:
+ - name: Setup podman network
+ containers.podman.podman_network:
+ name: "{{ NETWORK }}"
+ driver: bridge
+
+ roles:
+ - sshd
+ - packages
+ - webserver \ No newline at end of file
diff --git a/roles/packages/tasks/main.yml b/roles/packages/tasks/main.yml
new file mode 100644
index 0000000..d3f0720
--- /dev/null
+++ b/roles/packages/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+- name: Install EPEL
+ become: True
+ ansible.builtin.package:
+ name: epel-release
+ state: latest
+ when: ansible_facts['os_family'] == 'RedHat'
+
+#- name: Update all packages
+# become: True
+# ansible.builtin.package:
+# name: "*"
+# state: latest
+
+- name: Install packages
+ become: True
+ ansible.builtin.package:
+ name: "{{ item }}"
+ state: latest
+ loop:
+ - vim
+ - podman
+ - fish
+ - netcat
+
+- name: Set fish as default shell
+ become: True
+ ansible.builtin.user:
+ name: "{{ USER }}"
+ shell: /usr/bin/fish \ No newline at end of file
diff --git a/roles/sshd/handlers/main.yml b/roles/sshd/handlers/main.yml
new file mode 100644
index 0000000..429dd83
--- /dev/null
+++ b/roles/sshd/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart sshd
+ become: True
+ ansible.builtin.service:
+ name: sshd
+ state: restarted \ No newline at end of file
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
new file mode 100644
index 0000000..c4dd9ea
--- /dev/null
+++ b/roles/sshd/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+- name: Configure sshd
+ become: True
+ lineinfile:
+ dest: "/etc/ssh/sshd_config"
+ regexp: "{{ item.regex }}"
+ line: "{{ item.line }}"
+ notify: Restart sshd
+ loop:
+ - { regex: '^(#\s*)?PermitEmptyPasswords' , line: 'PermitEmptyPasswords no' }
+ - { regex: '^(#\s*)?PermitRootLogin' , line: 'PermitRootLogin no' }
+ - { regex: '^(#\s*)?PasswordAuthentication', line: 'PasswordAuthentication no' }
+ - { regex: '^(#\s*)?UsePAM' , line: 'UsePAM yes' } \ No newline at end of file
diff --git a/roles/webserver/files/user_conf.d/memzero.conf b/roles/webserver/files/user_conf.d/memzero.conf
new file mode 100644
index 0000000..5419eb8
--- /dev/null
+++ b/roles/webserver/files/user_conf.d/memzero.conf
@@ -0,0 +1,43 @@
+server {
+ # Listen to port 443 on both IPv4 and IPv6.
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ # Domain names this server should respond to.
+ server_name memzero.de www.memzero.de;
+
+ # Load the certificate files.
+ ssl_certificate /etc/letsencrypt/live/memzero/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/memzero/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/memzero/chain.pem;
+
+ # Load the Diffie-Hellman parameter.
+ ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
+
+ root /www/memzero;
+}
+
+server {
+ # Listen to port 443 on both IPv4 and IPv6.
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ # Domain names this server should respond to.
+ server_name git.memzero.de;
+
+ # Load the certificate files.
+ ssl_certificate /etc/letsencrypt/live/memzero/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/memzero/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/memzero/chain.pem;
+
+ # Load the Diffie-Hellman parameter.
+ ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
+
+ root /www/git;
+}
+
+server {
+ # Drop any request that does not match any of the other server names.
+ listen 443 ssl default_server;
+ ssl_reject_handshake on;
+}
diff --git a/roles/webserver/files/www/git/index.html b/roles/webserver/files/www/git/index.html
new file mode 100644
index 0000000..a6978b1
--- /dev/null
+++ b/roles/webserver/files/www/git/index.html
@@ -0,0 +1 @@
+<h1>Hello git!</h1>
diff --git a/roles/webserver/files/www/memzero/index.html b/roles/webserver/files/www/memzero/index.html
new file mode 100644
index 0000000..4df77a4
--- /dev/null
+++ b/roles/webserver/files/www/memzero/index.html
@@ -0,0 +1 @@
+<h1>Hello memzero!</h1>
diff --git a/roles/webserver/handlers/main.yml b/roles/webserver/handlers/main.yml
new file mode 100644
index 0000000..3e327d5
--- /dev/null
+++ b/roles/webserver/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart nginx
+ containers.podman.podman_container:
+ name: webserver
+ state: started
+ restart: yes \ No newline at end of file
diff --git a/roles/webserver/tasks/main.yml b/roles/webserver/tasks/main.yml
new file mode 100644
index 0000000..a849f2c
--- /dev/null
+++ b/roles/webserver/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+- name: Copy webserver files
+ ansible.builtin.copy:
+ src: "{{ item }}"
+ dest: "{{ DATA_ROOT }}/nginx"
+ owner: "{{ USER }}"
+ group: "{{ USER }}"
+ loop:
+ - www
+ - user_conf.d
+ notify: Restart nginx
+
+- name: Setup nginx
+ containers.podman.podman_container:
+ name: webserver
+ image: docker.io/jonasal/nginx-certbot
+ network: "{{ NETWORK }}"
+ ports:
+ - "8080:80"
+ - "8443:443"
+ env:
+ CERTBOT_EMAIL: "johannes@memzero.de"
+ STAGING: "1"
+ DEBUG: "1"
+ volumes:
+ # Use 'Z' to privately relable selinux contexts.
+ - "{{ DATA_ROOT }}/nginx/user_conf.d:/etc/nginx/user_conf.d:ro,Z"
+ - "{{ DATA_ROOT }}/nginx/www:/www:ro,Z"
+
+# All services run in rootless-podman and nginx is the only entry point from
+# the outside acting as webserver and reverse proxy.
+# Since we dont want to lower the *unprivileged* port start (1024) we install
+# two forwarding routes from
+# 80 -> 8080
+# 443 -> 8443
+- name: Forward port 80/443 to 8080/8443
+ ansible.builtin.iptables:
+ table: nat
+ chain: PREROUTING
+ protocol: tcp
+ match: tcp
+ destination_port: "{{ item.from }}"
+ jump: REDIRECT
+ to_ports: "{{ item.to }}"
+ comment: "Redirect web traffic {{ item.from }} -> {{ item.to }}"
+ become: yes
+ loop:
+ - { from: 80 , to: 8080 }
+ - { from: 443, to: 8443 } \ No newline at end of file