---
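# Play: baseline configuration (host role) for every inventory host.
- hosts: all
  become: true
  tags: [host]
  tasks:
    - include_role: { name: host }
      vars:
        # Path handed to the host role, resolved relative to this playbook.
        ssh_pubkey_dir: "{{ playbook_dir }}/../../.ssh"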
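# Play: container runtime on the docker_hosts group. 10.0.0.1 is the proxy's
# WireGuard address (see the proxy WireGuard play below), and both mirror
# hostnames are the docker_registry instances deployed on the proxy.
- hosts: docker_hosts
  become: true
  tags: [docker]
  tasks:
    - include_role: { name: docker }
      vars:
        registry_mirror_ip: "10.0.0.1"
        # Each public upstream is redirected to a self-hosted mirror over HTTPS.
        registry_mirrors:
          - upstream: docker.io
            mirror: "https://dockerhub.oci.code.tiararodney.com"
          - upstream: ghcr.io
            mirror: "https://ghcr.oci.code.tiararodney.com"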
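# Play: restic backups on the proxy host.
- hosts: proxy
  become: true
  tasks:
    - include_role:
        name: restic
        # apply.tags mirrors the task tags so the role's own tasks are also
        # selected when the playbook is run with --tags restic.
        apply: { tags: [restic] }
      tags: [restic]
      vars:
        host_id: proxy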
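# Play: restic backups on the idp host.
- hosts: idp
  become: true
  tasks:
    - include_role:
        name: restic
        # apply.tags mirrors the task tags so the role's own tasks are also
        # selected when the playbook is run with --tags restic.
        apply: { tags: [restic] }
      tags: [restic]
      vars:
        host_id: idp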
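# Play: build a tarball of the repository's letsencrypt directory on the
# control node; the apache role on the proxy consumes it as letsencrypt_archive.
- hosts: localhost
  connection: local
  gather_facts: false
  tags: [letsencrypt, apache]
  tasks:
    - name: Create letsencrypt certificate archive
      command:
        # --dereference follows symlinks so the real PEM files land in the
        # archive; the source directory is resolved relative to this playbook.
        cmd: "tar czf /tmp/letsencrypt.tar.gz --dereference -C {{ (playbook_dir + '/../../letsencrypt') | realpath }} ."
        # NOTE(review): creates skips the task once the file exists, so a
        # renewed certificate is not picked up until the archive is removed.
        creates: /tmp/letsencrypt.tar.gz

    # The archive presumably contains private keys and sits in a shared /tmp;
    # make it owner-only regardless of the control node's umask.
    - name: Restrict permissions on the certificate archive
      file:
        path: /tmp/letsencrypt.tar.gz
        mode: "0600"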
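# Play: run the wireguard role's default tasks on every peer, then its
# generate-keys task file.
- hosts: wg_peers
  become: true
  tags: [wireguard]
  tasks:
    - include_role: { name: wireguard }
    - include_role: { name: wireguard, tasks_from: generate-keys }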
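# Play: assemble the proxy's peer list (the idp, plus any client peers) and
# deploy its WireGuard interface.
- hosts: proxy
  become: true
  tags: [wireguard]
  tasks:
    - name: Build WireGuard peer list
      set_fact:
        wg_peers:
          - public_key: "{{ hostvars[groups['idp'][0]]['wg_public_key'] }}"
            # /32: only the idp's own tunnel address is accepted from, and
            # routed to, this peer.
            allowed_ips: "10.0.0.2/32"
      # Only the first idp host is used; skipped when its key fact is not
      # available (e.g. the key-generation play was limited out of this run).
      when: groups['idp'][0] in hostvars and 'wg_public_key' in hostvars[groups['idp'][0]]

    - name: Append client peers
      set_fact:
        wg_peers: "{{ wg_peers + wg_client_peers }}"
      # NOTE(review): wg_client_peers is not defined in this playbook
      # (presumably inventory); the task errors if it is undefined.
      when: wg_peers is defined

    - include_role: { name: wireguard, tasks_from: deploy-wireguard }
      vars:
        wg_address: "10.0.0.1/24"
      when: wg_peers is defined

    - name: Display proxy WireGuard public key
      debug:
        msg: "Proxy WG public key: {{ wg_public_key }}"
      when: wg_public_key is defined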
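# Play: assemble the idp's peer list (the proxy, plus any client peers) and
# deploy its WireGuard interface.
- hosts: idp
  become: true
  tags: [wireguard]
  tasks:
    - name: Build WireGuard peer list
      set_fact:
        wg_peers:
          - public_key: "{{ hostvars[groups['proxy'][0]]['wg_public_key'] }}"
            # /32: only the proxy's own tunnel address is accepted from, and
            # routed to, this peer.
            allowed_ips: "10.0.0.1/32"
            endpoint: "{{ hostvars[groups['proxy'][0]]['wg_endpoint'] }}:51820"
            # NOTE(review): WireGuard's PersistentKeepalive is an interval in
            # seconds; confirm the wireguard role maps a boolean to a number
            # rather than emitting "True" into the interface config.
            persistent_keepalive: true
      # Only the first proxy host is used; skipped when its key fact is not
      # available (e.g. the key-generation play was limited out of this run).
      when: groups['proxy'][0] in hostvars and 'wg_public_key' in hostvars[groups['proxy'][0]]

    - name: Append client peers
      set_fact:
        wg_peers: "{{ wg_peers + wg_client_peers }}"
      # NOTE(review): wg_client_peers is not defined in this playbook
      # (presumably inventory); the task errors if it is undefined.
      when: wg_peers is defined

    - include_role: { name: wireguard, tasks_from: deploy-wireguard }
      vars:
        wg_address: "10.0.0.2/24"
      when: wg_peers is defined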
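# Play: everything served from the proxy host. The play-level vars give each
# included role the same chat domain and the same two Authentik base URLs.
- hosts: proxy
  become: true
  vars:
    chat_domain: chat.tiararodney.com
    # Public, browser-facing Authentik URL (fronted by the reverse-proxy task
    # at the end of this play).
    authentik_url: https://accounts.tiararodney.com
    # Authentik reached directly over WireGuard (10.0.0.2 is the idp's
    # wg_address); plain HTTP here relies on the tunnel for confidentiality.
    authentik_internal_url: http://10.0.0.2:9000
  tasks:
    - include_role:
        name: host
        tasks_from: setup-swap
        apply: { tags: [host, swap] }
      tags: [host, swap]

    # Pin the IdP hostname to loopback so mod_auth_openidc's server-side OIDC
    # requests stay on this box instead of leaving via public DNS.
    - name: Ensure accounts.tiararodney.com resolves to localhost for mod_auth_openidc
      tags: [apache, bugzilla]
      lineinfile:
        path: /etc/hosts
        # Double-quoted scalar: "\\." reaches the regex engine as a literal dot.
        regexp: "accounts\\.tiararodney\\.com"
        line: "127.0.0.1 accounts.tiararodney.com"

    - include_role:
        name: dnsmasq
        apply: { tags: [dnsmasq] }
      tags: [dnsmasq]
      vars:
        # Apex domain answers with the proxy's WireGuard address.
        dns_records:
          - { domain: tiararodney.com, ip: "10.0.0.1" }

    - include_role:
        name: apache
        apply: { tags: [apache] }
      tags: [apache]
      vars:
        # Produced on the control node by the localhost play above.
        letsencrypt_archive: /tmp/letsencrypt.tar.gz

    # Two pull-through registry mirrors; these hostnames are what the docker
    # play hands to docker_hosts as registry_mirrors.
    - include_role:
        name: docker_registry
        apply: { tags: [docker-registry] }
      tags: [docker-registry]
      vars:
        hostname: dockerhub.oci.code.tiararodney.com

    - include_role:
        name: docker_registry
        apply: { tags: [docker-registry] }
      tags: [docker-registry]
      vars:
        hostname: ghcr.oci.code.tiararodney.com
        # Second instance gets its own install dir and port so it does not
        # collide with the first one's role defaults.
        install_dir: /opt/docker-registry-ghcr
        port: 5051
        remote_url: "https://ghcr.io"

    # Restore path: the 'never' tag keeps both tasks out of an ordinary run;
    # they execute only when --tags registry-restore is requested explicitly.
    - include_role:
        name: restic
        tasks_from: restore-restic
        apply: { tags: [registry-restore, never] }
      tags: [registry-restore, never]
      vars:
        host_id: proxy
        restore_include: /var/backups/docker-registry

    - include_role:
        name: docker_registry
        tasks_from: restore-registry
        apply: { tags: [registry-restore, never] }
      tags: [registry-restore, never]

    - include_role:
        name: apache
        tasks_from: deploy-static-site
        apply: { tags: [blog] }
      tags: [blog]
      vars:
        name: blog
        server_name: blog.tiararodney.com
        document_root: /var/www/blog.tiararodney.com
        ssl_cert: "{{ ssl_cert_tiararodney }}"
        ssl_key: "{{ ssl_key_tiararodney }}"

    - include_role:
        name: apache
        tasks_from: deploy-static-site
        apply: { tags: [spec] }
      tags: [spec]
      vars:
        name: spec
        server_name: specs.code.tiararodney.com
        document_root: /var/www/specs.code.tiararodney.com
        directory_index: "README.html README.md README.txt"
        ssl_cert: "{{ ssl_cert_tiararodney }}"
        ssl_key: "{{ ssl_key_tiararodney }}"

    - include_role:
        name: kellnr
        apply: { tags: [kellnr] }
      tags: [kellnr]
      vars:
        version: "6.0.0-rc.2"
        hostname: crates.code.tiararodney.com
        admin_pwd: "{{ vault_kellnr_admin_pwd }}"

    - include_role:
        name: devpi
        apply: { tags: [devpi] }
      tags: [devpi]
      vars:
        hostname: pypi.code.tiararodney.com

    - include_role:
        name: prosody
        apply: { tags: [prosody] }
      tags: [prosody]
      vars:
        version: "13.0"
        domain: "{{ chat_domain }}"
        admin_jid: "{{ vault_xmpp_admin_user }}@{{ chat_domain }}"
        # Bound to the proxy's WireGuard address.
        bind_address: "10.0.0.1"
        ssl_cert: /etc/letsencrypt/live/tiararodney.com/fullchain.pem
        ssl_key: /etc/letsencrypt/live/tiararodney.com/privkey.pem
        oauth_client_id: "{{ vault_xmpp_oauth_client_id }}"
        # Server-to-server calls go to the internal (tunnel) Authentik URL.
        oauth_userinfo_url: "{{ authentik_internal_url }}/application/o/userinfo/"
        oauth_ropc_client_id: "{{ vault_xmpp_ropc_client_id }}"
        oauth_ropc_client_secret: "{{ vault_xmpp_ropc_client_secret }}"
        oauth_token_url: "{{ authentik_internal_url }}/application/o/token/"
        session_timeout: 1800
        smtp_host: "{{ vault_prosody_smtp_hostname }}"
        smtp_username: "{{ vault_prosody_smtp_username }}"
        smtp_password: "{{ vault_prosody_smtp_password }}"
        default_contacts:
          - jid: "{{ vault_xmpp_admin_user }}@{{ chat_domain }}"
            name: Tiara

    - include_role:
        name: conversejs
        apply: { tags: [conversejs] }
      tags: [conversejs]
      vars:
        version: "12.0.0"
        domain: "{{ chat_domain }}"
        oauth_client_id: "{{ vault_xmpp_oauth_client_id }}"
        # Browser-side flow, so these are the public Authentik URLs.
        oauth_authorize_url: "{{ authentik_url }}/application/o/authorize/"
        oauth_token_url: "{{ authentik_url }}/application/o/token/"

    - include_role:
        name: apache
        tasks_from: deploy-reverse-proxy
        apply: { tags: [prosody, xmpp-upload] }
      tags: [prosody, xmpp-upload]
      vars:
        vhost_name: xmpp-upload
        server_name: "upload.{{ chat_domain }}"
        ssl_cert: "{{ ssl_cert_tiararodney }}"
        ssl_key: "{{ ssl_key_tiararodney }}"
        backend_port: 5280

    - include_role:
        name: comentario
        apply: { tags: [comentario] }
      tags: [comentario]
      vars:
        # NOTE(review): "latest" is a floating tag; pinning a version makes
        # upgrades deliberate and the deployment reproducible.
        version: "latest"
        domain: comments.tiararodney.com
        oauth_issuer_url: "{{ authentik_url }}/application/o/comentario"
        oauth_client_id: "{{ vault_comentario_oauth_client_id }}"
        oauth_client_secret: "{{ vault_comentario_oauth_client_secret }}"
        smtp_host: "{{ vault_comentario_smtp_hostname }}"
        smtp_username: "{{ vault_comentario_smtp_username }}"
        smtp_password: "{{ vault_comentario_smtp_password }}"

    - include_role:
        name: bugzilla
        apply: { tags: [bugzilla] }
      tags: [bugzilla]
      vars:
        version: "5.0.4.1"
        domain: bugs.code.tiararodney.com
        db_password: "{{ vault_bugzilla_db_password }}"
        admin_email: "me@tiararodney.com"
        admin_pwd: "{{ vault_bugzilla_admin_pwd }}"
        oauth_issuer_url: "{{ authentik_url }}/application/o/bugs"
        oauth_authorize_url: "{{ authentik_url }}/application/o/authorize/"
        # Presumably fetched server-side by mod_auth_openidc; the /etc/hosts
        # entry above keeps those requests on loopback.
        oauth_token_url: "{{ authentik_url }}/application/o/token/"
        oauth_userinfo_url: "{{ authentik_url }}/application/o/userinfo/"
        oauth_jwks_url: "{{ authentik_url }}/application/o/bugs/jwks/"
        oauth_client_id: "{{ vault_bugzilla_oauth_client_id }}"
        oauth_client_secret: "{{ vault_bugzilla_oauth_client_secret }}"
        oauth_crypto_passphrase: "{{ vault_bugzilla_oidc_passphrase }}"
        smtp_host: "{{ vault_bugzilla_smtp_hostname }}"
        smtp_username: "{{ vault_bugzilla_smtp_username }}"
        smtp_password: "{{ vault_bugzilla_smtp_password }}"

    - include_role:
        name: apache
        tasks_from: deploy-reverse-proxy
        apply: { tags: [authentik] }
      tags: [authentik]
      vars:
        vhost_name: accounts
        server_name: accounts.tiararodney.com
        ssl_cert: "{{ ssl_cert_tiararodney }}"
        ssl_key: "{{ ssl_key_tiararodney }}"
        # Backend is the idp's WireGuard address.
        backend_host: "10.0.0.2"
        backend_port: 9000
        websocket: true
        # The Authentik admin interface is reachable from the WireGuard
        # subnet only; the rest of the vhost stays public.
        restricted_locations:
          - path: "/if/admin/"
            allowed_ips: ["10.0.0.0/24"]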
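# Play: the identity provider (Authentik) on the idp host.
- hosts: idp
  become: true
  tags: [authentik]
  tasks:
    - include_role:
        name: host
        tasks_from: setup-zram
        apply: { tags: [host, swap, zram] }
      tags: [host, swap, zram]

    - include_role: { name: authentik }
      vars:
        version: "2026.2.1"
        domain: "accounts.tiararodney.com"
        pg_password: "{{ vault_pg_password }}"
        secret_key: "{{ vault_secret_key }}"
        # Bound to the idp's WireGuard address; the proxy play reverse-proxies
        # the public hostname to 10.0.0.2:9000.
        bind_address: "10.0.0.2"
        smtp_host: "{{ vault_authentik_smtp_hostname }}"
        smtp_username: "{{ vault_authentik_smtp_username }}"
        smtp_password: "{{ vault_authentik_smtp_password }}"
        # Client ids/secrets are shared with the consuming roles in the proxy
        # play through the same vault_* variables.
        oauth_applications:
          # Browser client (conversejs): no secret, hence a public client.
          - name: Chat
            slug: chat
            client_type: public
            client_id: "{{ vault_xmpp_oauth_client_id }}"
            redirect_uris:
              - "https://chat.tiararodney.com/"
          # Confidential client used by prosody's ROPC token grant.
          # NOTE(review): ROPC passes user passwords through the XMPP server
          # and is deprecated in current OAuth guidance; keep this client
          # limited to that single use.
          - name: Chat XMPP
            slug: chat-xmpp
            client_id: "{{ vault_xmpp_ropc_client_id }}"
            client_secret: "{{ vault_xmpp_ropc_client_secret }}"
            redirect_uris:
              - "https://chat.tiararodney.com/"
          - name: Comments
            slug: comments
            client_id: "{{ vault_comentario_oauth_client_id }}"
            client_secret: "{{ vault_comentario_oauth_client_secret }}"
            redirect_uris:
              - "https://comments.tiararodney.com/api/oauth/oidc/callback/authentik"
          - name: Bugs
            slug: bugs
            client_id: "{{ vault_bugzilla_oauth_client_id }}"
            client_secret: "{{ vault_bugzilla_oauth_client_secret }}"
            redirect_uris:
              - "https://bugs.code.tiararodney.com/oidc-callback"
        # Upstream identity providers offered on the login page.
        social_login_sources:
          - name: Google Account
            slug: google
            provider_type: google
            client_id: "{{ vault_social_google_client_id }}"
            client_secret: "{{ vault_social_google_client_secret }}"
          - name: Microsoft Account
            slug: microsoft
            provider_type: entraid
            client_id: "{{ vault_social_microsoft_client_id }}"
            client_secret: "{{ vault_social_microsoft_client_secret }}"
          - name: Apple ID
            slug: apple
            provider_type: apple
            client_id: "{{ vault_social_apple_client_id }}"
            client_secret: "{{ vault_social_apple_client_secret }}"
          - name: Facebook Account
            slug: facebook
            provider_type: facebook
            client_id: "{{ vault_social_facebook_client_id }}"
            client_secret: "{{ vault_social_facebook_client_secret }}"
          - name: X (formerly Twitter) Account
            slug: twitter
            provider_type: twitter
            client_id: "{{ vault_social_twitter_client_id }}"
            client_secret: "{{ vault_social_twitter_client_secret }}"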
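# Play: manual trigger for the registry backup hooks. The 'never' tag keeps
# the task out of a default run; it only executes with --tags registry-backup.
- hosts: proxy
  become: true
  tasks:
    - name: Trigger registry backups
      tags: [registry-backup, never]
      command: "{{ item }}"
      loop:
        - /etc/restic/pre-backup.d/docker-registry.sh
        - /etc/restic/pre-backup.d/docker-registry-ghcr.sh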