-rw-r--r-- | ansible.cfg | 2 | ||||
-rw-r--r-- | inventory.ini | 1 | ||||
-rw-r--r-- | memzero.yml | 13 | ||||
-rw-r--r-- | roles/packages/tasks/main.yml | 30 | ||||
-rw-r--r-- | roles/sshd/handlers/main.yml | 6 | ||||
-rw-r--r-- | roles/sshd/tasks/main.yml | 13 | ||||
-rw-r--r-- | roles/webserver/files/user_conf.d/memzero.conf | 43 | ||||
-rw-r--r-- | roles/webserver/files/www/git/index.html | 1 | ||||
-rw-r--r-- | roles/webserver/files/www/memzero/index.html | 1 | ||||
-rw-r--r-- | roles/webserver/handlers/main.yml | 6 | ||||
-rw-r--r-- | roles/webserver/tasks/main.yml | 49 |
11 files changed, 165 insertions, 0 deletions
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..601c6ea
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,2 @@
+[defaults]
+inventory=inventory.ini
\ No newline at end of file
diff --git a/inventory.ini b/inventory.ini
new file mode 100644
index 0000000..a7b0eb6
--- /dev/null
+++ b/inventory.ini
@@ -0,0 +1 @@
+memzero.de USER=johannst DATA_ROOT=/home/johannst/pods NETWORK=podnet
diff --git a/memzero.yml b/memzero.yml
new file mode 100644
index 0000000..720131b
--- /dev/null
+++ b/memzero.yml
@@ -0,0 +1,13 @@
+- name: Server setup
+ hosts: all
+
+ pre_tasks:
+ - name: Setup podman network
+ containers.podman.podman_network:
+ name: "{{ NETWORK }}"
+ driver: bridge
+
+ roles:
+ - sshd
+ - packages
+ - webserver
\ No newline at end of file
diff --git a/roles/packages/tasks/main.yml b/roles/packages/tasks/main.yml
new file mode 100644
index 0000000..d3f0720
--- /dev/null
+++ b/roles/packages/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+- name: Install EPEL
+ become: True
+ ansible.builtin.package:
+ name: epel-release
+ state: latest
+ when: ansible_facts['os_family'] == 'RedHat'
+
+#- name: Update all packages
+# become: True
+# ansible.builtin.package:
+# name: "*"
+# state: latest
+
+- name: Install packages
+ become: True
+ ansible.builtin.package:
+ name: "{{ item }}"
+ state: latest
+ loop:
+ - vim
+ - podman
+ - fish
+ - netcat
+
+- name: Set fish as default shell
+ become: True
+ ansible.builtin.user:
+ name: "{{ USER }}"
+ shell: /usr/bin/fish
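Review bot: The `Setup podman network` pre_task runs before the `packages` role that installs podman, so on a host that does not already ship podman, `containers.podman.podman_network` fails on the first run because the binary is not present yet. Either move the network creation into the `webserver` role ahead of `Setup nginx`, or put it under `tasks:` so it executes after the roles; as a play-level hook `pre_tasks` is the one place that is guaranteed to run first. The play also lacks the `---` document start that every role file in this commit uses.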
\ No newline at end of file
diff --git a/roles/sshd/handlers/main.yml b/roles/sshd/handlers/main.yml
new file mode 100644
index 0000000..429dd83
--- /dev/null
+++ b/roles/sshd/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart sshd
+ become: True
+ ansible.builtin.service:
+ name: sshd
+ state: restarted
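Review bot: `Install packages` feeds one package per iteration through `name: "{{ item }}"`, which runs a separate package-manager transaction for each of the four entries; `ansible.builtin.package` accepts a list, so pass it directly with `name: [vim, podman, fish, netcat]` and drop the `loop:`. `state: latest` on a fixed package list also upgrades those packages on every run and reports changed whenever the mirror has a newer build, so a deployment depends on the day it is run; use `state: present` here, and if upgrading is intended, reinstate the commented-out `Update all packages` task as an explicit step instead. Minor: `become: True` should be the canonical `true` (yamllint truthy); the same spelling appears in roles/sshd/handlers/main.yml and roles/sshd/tasks/main.yml, while roles/webserver/tasks/main.yml writes `become: yes`.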
\ No newline at end of file
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
new file mode 100644
index 0000000..c4dd9ea
--- /dev/null
+++ b/roles/sshd/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+- name: Configure sshd
+ become: True
+ lineinfile:
+ dest: "/etc/ssh/sshd_config"
+ regexp: "{{ item.regex }}"
+ line: "{{ item.line }}"
+ notify: Restart sshd
+ loop:
+ - { regex: '^(#\s*)?PermitEmptyPasswords' , line: 'PermitEmptyPasswords no' }
+ - { regex: '^(#\s*)?PermitRootLogin' , line: 'PermitRootLogin no' }
+ - { regex: '^(#\s*)?PasswordAuthentication', line: 'PasswordAuthentication no' }
+ - { regex: '^(#\s*)?UsePAM' , line: 'UsePAM yes' }
\ No newline at end of file
diff --git a/roles/webserver/files/user_conf.d/memzero.conf b/roles/webserver/files/user_conf.d/memzero.conf
new file mode 100644
index 0000000..5419eb8
--- /dev/null
+++ b/roles/webserver/files/user_conf.d/memzero.conf
@@ -0,0 +1,43 @@
+server {
+ # Listen to port 443 on both IPv4 and IPv6.
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ # Domain names this server should respond to.
+ server_name memzero.de www.memzero.de;
+
+ # Load the certificate files.
+ ssl_certificate /etc/letsencrypt/live/memzero/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/memzero/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/memzero/chain.pem;
+
+ # Load the Diffie-Hellman parameter.
+ ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
+
+ root /www/memzero;
+}
+
+server {
+ # Listen to port 443 on both IPv4 and IPv6.
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ # Domain names this server should respond to.
+ server_name git.memzero.de;
+
+ # Load the certificate files.
+ ssl_certificate /etc/letsencrypt/live/memzero/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/memzero/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/memzero/chain.pem;
+
+ # Load the Diffie-Hellman parameter.
+ ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
+
+ root /www/git;
+}
+
+server {
+ # Drop any request that does not match any of the other server names.
+ listen 443 ssl default_server;
+ ssl_reject_handshake on;
+}
diff --git a/roles/webserver/files/www/git/index.html b/roles/webserver/files/www/git/index.html
new file mode 100644
index 0000000..a6978b1
--- /dev/null
+++ b/roles/webserver/files/www/git/index.html
@@ -0,0 +1 @@
+<h1>Hello git!</h1>
diff --git a/roles/webserver/files/www/memzero/index.html b/roles/webserver/files/www/memzero/index.html
new file mode 100644
index 0000000..4df77a4
--- /dev/null
+++ b/roles/webserver/files/www/memzero/index.html
@@ -0,0 +1 @@
+<h1>Hello memzero!</h1>
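Review bot: The `Configure sshd` task has no `validate:`, so a malformed line is written straight into /etc/ssh/sshd_config and the notified `Restart sshd` handler then takes down the one service needed to get back onto the host — and this same task turns off `PasswordAuthentication`, so there is no fallback login; add `validate: '/usr/sbin/sshd -t -f %s'` to the task. `lineinfile` appends the line at the end of the file when no line matches, while sshd uses the first value it reads for each keyword, so on a stock config that opens with `Include /etc/ssh/sshd_config.d/*.conf` (as recent OpenSSH packages ship) a drop-in can silently win over these edits; writing the four settings to a dedicated drop-in via `ansible.builtin.copy` would make the intent unambiguous and is worth considering. Nothing in this commit installs an authorized key for `{{ USER }}`, so that is presumably done out of band — a comment on the task saying so would save the next reader the question. Minor: the task uses bare `lineinfile` and the `dest:` alias where the rest of the commit uses FQCNs; `ansible.builtin.lineinfile:` with `path:` matches the other tasks.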
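Review bot: The catch-all block at the end declares `listen 443 ssl default_server;` for IPv4 only, while both named blocks also listen on `[::]:443`; for an IPv6 client whose SNI matches neither name, nginx falls back to the first server declared for that socket (the memzero.de block) instead of rejecting the handshake. Add `listen [::]:443 ssl default_server;` beside the IPv4 line so both address families behave the same. `ssl_trusted_certificate` is loaded in both named blocks but nothing here turns on OCSP stapling (`ssl_stapling on; ssl_stapling_verify on;`), so the directive appears to have no effect unless the image's base configuration enables it — worth confirming. Neither block sets `ssl_protocols`/`ssl_ciphers` or an HSTS header; if those are intentionally left to the jonasal/nginx-certbot base configuration, a comment saying so would spare the next reader checking.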
diff --git a/roles/webserver/handlers/main.yml b/roles/webserver/handlers/main.yml
new file mode 100644
index 0000000..3e327d5
--- /dev/null
+++ b/roles/webserver/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart nginx
+ containers.podman.podman_container:
+ name: webserver
+ state: started
+ restart: yes
\ No newline at end of file
diff --git a/roles/webserver/tasks/main.yml b/roles/webserver/tasks/main.yml
new file mode 100644
index 0000000..a849f2c
--- /dev/null
+++ b/roles/webserver/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+- name: Copy webserver files
+ ansible.builtin.copy:
+ src: "{{ item }}"
+ dest: "{{ DATA_ROOT }}/nginx"
+ owner: "{{ USER }}"
+ group: "{{ USER }}"
+ loop:
+ - www
+ - user_conf.d
+ notify: Restart nginx
+
+- name: Setup nginx
+ containers.podman.podman_container:
+ name: webserver
+ image: docker.io/jonasal/nginx-certbot
+ network: "{{ NETWORK }}"
+ ports:
+ - "8080:80"
+ - "8443:443"
+ env:
+ CERTBOT_EMAIL: "johannes@memzero.de"
+ STAGING: "1"
+ DEBUG: "1"
+ volumes:
+ # Use 'Z' to privately relable selinux contexts.
+ - "{{ DATA_ROOT }}/nginx/user_conf.d:/etc/nginx/user_conf.d:ro,Z"
+ - "{{ DATA_ROOT }}/nginx/www:/www:ro,Z"
+
+# All services run in rootless-podman and nginx is the only entry point from
+# the outside acting as webserver and reverse proxy.
+# Since we dont want to lower the *unprivileged* port start (1024) we install
+# two forwarding routes from
+# 80 -> 8080
+# 443 -> 8443
+- name: Forward port 80/443 to 8080/8443
+ ansible.builtin.iptables:
+ table: nat
+ chain: PREROUTING
+ protocol: tcp
+ match: tcp
+ destination_port: "{{ item.from }}"
+ jump: REDIRECT
+ to_ports: "{{ item.to }}"
+ comment: "Redirect web traffic {{ item.from }} -> {{ item.to }}"
+ become: yes
+ loop:
+ - { from: 80 , to: 8080 }
+ - { from: 443, to: 8443 }
\ No newline at end of file |
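Review bot: `STAGING: "1"` is hard-coded in `Setup nginx`, so every run of this playbook requests certificates from the Let's Encrypt staging CA, which browsers do not trust, and `DEBUG: "1"` likewise leaves verbose logging on permanently. Make both switches variables with a production default so the live host cannot end up serving an untrusted chain, e.g. `STAGING: "{{ CERTBOT_STAGING | default('0') }}"` and `DEBUG: "{{ CERTBOT_DEBUG | default('0') }}"` (constructed variable names). The `Forward port 80/443` rules are installed with `ansible.builtin.iptables`, which does not persist them, so after a reboot the host serves nothing on 80/443 until the play is re-run unless something outside this commit saves the rules; the comment block above the task should say how persistence is handled (iptables-services, `iptables-save`, or a firewalld forward-port rule). Style: the iptables task uses `become: yes` where the other roles use `become: True`; `true` satisfies yamllint's truthy rule for all of them.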