Compare commits

..

1 Commits

43 changed files with 294 additions and 534 deletions

3
.gitignore vendored
View File

@ -1,2 +1 @@
.DS_Store
ansible/playbooks/wg_clients
.DS_Store

View File

@ -1,9 +1,5 @@
---
externals:
children:
nextcloud:
hosts:
c-service.sse.cloud.isti.cnr.it
rup_tests:
hosts:
liquid:

View File

@ -1,31 +1,30 @@
---
# Docker
wordpress_docker_tag: 7.0.0-php8.2-apache
mysql_docker_tag: 9.7.0
nginx_docker_tag: 1.31.1
#Common Docker
docker_network_name: wp_net
docker_base_volume_path: /usr/data/wp
# MYSQL Docker
db_name: automotive_db
db_user: automotive_db_u
mysql_docker_tag: 9.7.0
docker_mysql_hostname: web_db
db_name: automotive_test_db
db_user: automotive_test_db_u
db_password: "{{ automotive_mysql_user_password }}"
db_root_password: "{{ automotive_mysql_root_password }}"
#NGINX Docker
nginx_docker_tag: 1.31.1
nginx_server_name: automotive.sse.cloud.isti.cnr.it
ssl: true
#WORDPRESS Docker
wordpress_docker_tag: 7.0.0-php8.2-apache
docker_wordpress_hostname: automotive_test
# WORDPRESS
wordpress_debug : true
wordpress_debug_log: true
#******* CERTBOT for letsencrypt
certbot_create_method: standalone
#CERTBOT for letsencrypt
certbot_create_method: webroot
certbot_create_if_missing: true
certbot_admin_email: fabio.sinibaldi@isti.cnr.it
@ -36,5 +35,5 @@ certbot_certs:
- "{{ nginx_server_name }}"
#Certbot verbose level
certbot_create_extra_args: "-vvv"
certbot_create_extra_args: "-vvv --force-renewal"
certbot_testmode: false

View File

@ -2,28 +2,11 @@
wg_interface: wg0
wg_port: 51820
#wg_server_public_interface: eth0
wg_server_address: 192.168.98.1/32
wg_server_address: 192.168.99.1/32
#wg_server_private_key: "{{ wg_server_private_key }}"
wg_peers:
- name: fabio
ip: "192.168.98.11/32"
allowedIPs :
- "192.168.98.0/24"
- "10.22.0.0/16"
- name: lucio
ip: "192.168.98.12/32"
allowedIPs :
- "192.168.98.0/24"
- "10.22.0.0/16"
- name: roberto
ip: "192.168.98.13/32"
allowedIPs :
- "192.168.98.0/24"
- "10.22.0.0/16"
- name: giorgio
ip: "192.168.98.14/32"
allowedIPs :
- "192.168.98.0/24"
- "10.22.0.0/16"
- name: fabio_test
publicKey: "dzODOKndtafZSf2GqvClFdxrpwyNJnZ/AsZkNl+ovEE="
allowedIP: "192.168.99.4/32"

View File

@ -1,26 +0,0 @@
---
wg_interface: wg0
wg_port: 51820
#wg_server_public_interface: eth0
wg_server_address: 192.168.99.1/32
#wg_server_private_key: "{{ wg_server_private_key }}"
wg_peers:
- name: fabio_test
publicKey: "9a3tgXpF5CAOffbHZdW1QBEJgSLFnBDVbD1JaMPgzkM="
ip: "192.168.99.4/32"
allowedIPs :
- "192.168.99.0/24"
- "10.22.0.0/16"
- name: missing_key_test
ip: "192.168.99.5/32"
allowedIPs :
- "192.168.99.0/24"
- "10.22.0.0/16"
- name: forced_missing_key_test
forceRegeneration: True
ip: "192.168.99.6/32"
allowedIPs :
- "192.168.99.0/24"
- "10.22.0.0/16"

View File

@ -2,22 +2,22 @@
# SIFI
sifi:
children:
#opn:
#hosts:
# sifi_opnsense.sifi.isti.cnr.it:
opn:
hosts:
sifi_opnsense.sifi.isti.cnr.it:
# ns1.sifi.isti.cnr.it:
# ansible_host: 146.48.108.51 #[WAN public ip]
# ansible_host: 10.20.30.111
wireguard_server:
hosts:
vpn-1.sifi.sse.cloud.isti.cnr.it:
wireguarder.sifi.isti.cnr.it:
# ansible_host: 146.48.108.13
# nameserver:
# hosts:
#ns1.sifi.isti.cnr.it:
# ansible_host: 146.48.108.51
nameserver:
hosts:
ns1.sifi.isti.cnr.it:
ansible_host: 146.48.108.51
# dns1.internal.sifi.isti.cnr.it:
# ansible_host: 10.11.12.11
workers:
hosts:
dev-1.sifi.sse.cloud.isti.cnr.it:
worker1.internal.sifi.isti.cnr.it:

View File

@ -0,0 +1,5 @@
---
sse:
children:
testing:
tester.sse.cloud.isti.cnr.it:

View File

@ -1,15 +0,0 @@
---
vlab-1:
children:
yuno:
hosts:
yuno.sse.cloud.isti.cnr.it:
wireguard_server:
hosts:
vpn-1.sse.cloud.isti.cnr.it:
nextcloud:
hosts:
b-service_2:
ansible_host: 10.22.2.77
b-service_1:
ansible_host: 10.22.1.145

View File

@ -1,29 +0,0 @@
---
- name: Create and run container
hosts: all
become : true
vars:
image_name: ubuntu
image_tag: latest
image_hostname: ubuntu
image_network:
- wp_net
image_volumes:
- "/usr/data/wp/wordpress/:/var/www"
tasks:
- name: Pull Image
docker_image:
name: "{{ image_name }}:{{ image_tag }}"
source: pull
- name: Create container with pulled image
docker_container:
name: "{{ image_name }}"
image: "{{ image_name }}"
networks:
- name: "{{ image_network }}"
hostname: "{{ image_hostname }}"
volumes: "{{image_volumes}}"
restart: true

View File

@ -1,9 +0,0 @@
---
- name: Misc tests
hosts: web
tasks:
- name: Using dict2items
ansible.builtin.debug:
msg: "{{ item.name }}"
loop: "{{ certbot_certs }}"

View File

@ -1,8 +1,17 @@
---
- name: Install Nextcloud AIO Docker
hosts: nextcloud
hosts: all
become: true
vars:
pip_install_packages:
- name: docker
docker_version: "=5:28.2.2-1~ubuntu.24.04~noble"
docker_users:
- fabio
- ansible
roles:
- geerlingguy.pip
- geerlingguy.docker
- nextcloud_aio
# - nextcloud_aio

View File

@ -1 +1,19 @@
certbot_with_dockered_nginx : True
certbot_with_dockered_nginx : True
#CERTBOT for letsencrypt
certbot_create_method: webroot
certbot_create_if_missing: true
certbot_admin_email: fabio.sinibaldi@isti.cnr.it
certbot_webroot: "{{ docker_base_volume_path }}/www"
certbot_certs:
- name: "{{ ansible_hostname }}"
domains:
- "{{ inventory_hostname }}"
webroot: "{{ docker_base_volume_path }}/{{ ansible_hostname }}"
#Certbot verbose level
certbot_create_extra_args: "-vvv --force-renewal"
certbot_testmode: false

View File

@ -1,9 +1,18 @@
---
# Stop NGINX
- name: Stop NGINX
# Need to stop using port 80 for certbot webroot validation
# Needed also if not first run
- name: Gathering NGINX container state
docker_container_info:
name: nginx
register: nginx_info
- name: Stop NGINX if present
docker_container:
name: nginx
state: stopped
when:
- nginx_info.exists
# Manage certbot
@ -11,24 +20,23 @@
include_role:
name: geerlingguy.certbot
# - name: Copy fullchain files to nginx volume
# ansible.builtin.copy:
# src: "/etc/letsencrypt/live/{{ item.name }}/fullchain.pem"
# #TODO nginx configuration is not multi domain
# dest: "{{ docker_base_volume_path }}/nginx/ssl/fullchain.pem"
# remote_src: true
# mode: '0644'
# loop: "{{ certbot_certs }}"
- name: Copy fullchain files to nginx volume
ansible.builtin.copy:
src: "/etc/letsencrypt/live/{{ item.name }}/fullchain.pem"
#TODO nginx configuration is not multi domain
dest: "{{ docker_base_volume_path }}/nginx/ssl/fullchain.pem"
remote_src: true
mode: '0644'
loop: "{{ certbot_certs }}"
- name: Copy privkey files to nginx volume
ansible.builtin.copy:
src: "/etc/letsencrypt/live/{{ item.name }}/privkey.pem"
#TODO nginx configuration is not multi domain
dest: "{{ docker_base_volume_path }}/nginx/ssl/privatekey.pem"
remote_src: true
mode: '0644'
loop: "{{ certbot_certs }}"
# - name: Copy privkey files to nginx volume
# ansible.builtin.copy:
# src: "/etc/letsencrypt/live/{{ item.name }}/privkey.pem"
# #TODO nginx configuration is not multi domain
# dest: "{{ docker_base_volume_path }}/nginx/ssl/privatekey.pem"
# remote_src: true
# mode: '0644'
# loop: "{{ certbot_certs }}"
- name: Setting up Docker NGINX renewal hooks
@ -40,7 +48,7 @@
- pre
- post
- name: Removing systemctl hooks
- name: Removing systemctl hooks (defined by geerlingguy)
ansible.builtin.file:
path: "{{ item }}"
state: absent
@ -48,7 +56,11 @@
- "/etc/letsencrypt/renewal-hooks/pre/stop_services"
- "/etc/letsencrypt/renewal-hooks/post/start_services"
# Start NGINX
# Installs dockered NGINX if needed and start it
- name: Installing NGINX
include_task: install_nginx.yaml
- name: Start NGINX
docker_container:
name: nginx
include_task: start_nginx.yaml

View File

@ -7,12 +7,10 @@
- name: Copy nginx.conf to server
template:
src: templates/nginx.j2
src: "templates/nginx.conf.j2"
dest: "{{ docker_base_volume_path }}/nginx/conf/nginx.conf"
- include_tasks: nginx_http.yml
when: ssl is false
- include_tasks: nginx_https.yml
when: ssl is true
- name: Pull Nginx image
docker_image:
name: "nginx:{{ nginx_docker_tag }}"
source: pull

View File

@ -7,11 +7,11 @@
- "80:80"
- "443:443"
networks:
- name: "{{ docker_network_name }}"
- name: "{{ docker_nginx_network_name }}"
hostname: "{{ docker_nginx_hostname }}"
volumes:
- "{{ docker_base_volume_path }}/wordpress:/var/www/html"
- "{{ docker_base_volume_path }}/vaultwarden:/var/www/html"
- "{{ docker_base_volume_path }}/nginx/conf:/etc/nginx/conf.d"
- "{{ docker_base_volume_path }}/nginx/logs:/var/log/nginx"
- "{{ docker_base_volume_path }}/nginx/ssl:/etc/nginx/ssl/:ro"
restart: true
- "/etc/letsencrypt/live:/etc/nginx/ssl/:ro"
restart: true

View File

@ -1,9 +1,9 @@
#!/bin/sh
{% for item in certbot_certs %}
cp /etc/letsencrypt/live/{{ item.name }}/fullchain.pem {{ docker_base_volume_path }}/nginx/ssl/fullchain.pem
cp /etc/letsencrypt/live/{{ item.name }}/privkey.pem {{ docker_base_volume_path }}/nginx/ssl/private.pem
{% endfor %}
# {% for item in certbot_certs %}
# cp /etc/letsencrypt/live/{{ item.name }}/fullchain.pem {{ docker_base_volume_path }}/nginx/ssl/fullchain.pem
# cp /etc/letsencrypt/live/{{ item.name }}/privkey.pem {{ docker_base_volume_path }}/nginx/ssl/private.pem
# {% endfor %}
docker start nginx

View File

@ -0,0 +1,34 @@
{% for item in certbot_certs %}
server {
listen 80;
listen [::]:80;
server_name {{ item.name }};
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name {{ item.name }};
root /var/www/html;
index index.php;
ssl_certificate /etc/nginx/ssl/{{ item.name }}/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/{{ item.name }}/privatekey.pem;
client_max_body_size 40M;
location / {
proxy_pass http://{{ docker_wordpress_hostname }}:80;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

View File

@ -8,11 +8,8 @@
docker_container:
name: certbot
image: certbot/certbot
command: "certonly --standalone --non-interactive -v --dry-run -d {{ nginx_server_name}} --agree-tos -m {{ certbot_domain_mail }}"
networks:
- name: "{{ docker_network_name }}"
ports:
- "81:80"
hostname: certbot
volumes:
- "{{ docker_base_volume_path }}/certbot/logs:/var/log/letsencrypt"

View File

@ -1,3 +1,3 @@
docker_version: "*.*.*"
docker_sudo_users: []
#SPDX-License-Identifier: MIT-0
---
# defaults file for docker

View File

@ -1,4 +0,0 @@
nextcloud_docker_image_name: "ghcr.io/nextcloud-releases/all-in-one"
nextcloud_docker_image_tag: latest
nextcloud_docker_skip_domain_validation: "true"
nextcloud_docker_mastercontainer_volume_dir: /usr/data/nextcloud_aio_mastercontainer

View File

@ -0,0 +1,2 @@
dependencies:
- role: docker

View File

@ -1,31 +1,18 @@
---
- name: Pull docker image
docker_image:
name: "{{ nextcloud_docker_image_name }}"
tag: "{{ nextcloud_docker_image_tag }}"
source: pull
- name: Create volumes
debug:
msg:
- "TODO!!!"
- name: Create Master Container volume dir
file:
path: "{{ nextcloud_docker_mastercontainer_volume_dir }}"
state: directory
mode: "0766"
- name: Download compose file
become: true
become_user: docker
ansible.builtin.git:
repo: "https://gitea-s2i2s.isti.cnr.it/sinibaldi/SSE-Lab"
dest: SSE-Lab
- name: Create container
docker_container:
name: nextcloud-aio-mastercontainer
image: "{{ nextcloud_docker_image_name }}"
ports:
- "8080:8080"
- "80:80"
- "8443:8443"
env:
APACHE_PORT: "443"
APACHE_IP_BINDING: "0.0.0.0"
APACHE_ADDITIONAL_NETWORK: ""
SKIP_DOMAIN_VALIDATION: "{{ nextcloud_docker_skip_domain_validation }}"
volumes:
- nextcloud_aio_mastercontainer:/mnt/docker-aio-config
- /var/run/docker.sock:/var/run/docker.sock:ro
restart_policy : "always"
init : true
- name: create and start docker compose services
become: true
become_user: docker
community.docker.docker_compose_v2:
project_src: ~/SSE-Lab/dockerized/nextcloud-aio/compose.yaml

View File

@ -0,0 +1,5 @@
vaultwarden_docker_tag
docker_vaultwarden_network_name
docker_vaultwarden_hostname
docker_base_volume_path

View File

@ -0,0 +1,4 @@
---
- name: Instal and configure certbot
include_role:
name: geerlingguy.certbot

View File

@ -0,0 +1,17 @@
---
- name: Pull Vaultwarden server image
docker_image:
name: "vaultwarden/server:{{ vaultwarden_docker_tag }}"
source: pull
- name: Create container with Vaultwarden image
docker_container:
name: vaultwarden
image: vaultwarden
networks:
- name: "{{ docker_vaultwarden_network_name }}"
hostname: "{{ docker_vaultwarden_hostname }}"
ports:
- "80:"
volumes:
- "{{ docker_base_volume_path }}/vaultwarden:/data/"

View File

@ -1,20 +0,0 @@
---
- name: Check if config already exists
stat:
path: "/etc/wireguard/{{ wg_interface }}.conf"
register: interface_configuration
- name: Parse configuration
ansible.utils.cli_parse:
command: "cat /etc/wireguard/{{ wg_interface }}.conf "
parser:
name: ansible.netcommon.native
template_path: templates/wg_config_template.yaml
set_fact: existing_wg_config
when: interface_configuration.stat.exists
- name: Updating client configs info
set_fact:
wg_peers: "{{ wg_peers | community.general.lists_mergeby([{'name':item.key,'publicKey':item.value.publicKey}] ,'name')}}"
when: item.key in (wg_peers | map(attribute='name'))
loop: "{{ existing_wg_config | ansible.builtin.dict2items }}"

View File

@ -1,67 +0,0 @@
---
- name: Init generated Keys dict
set_fact:
generated_keys: []
- name : Gather needed key generation
set_fact:
generated_keys: "{{ generated_keys + [{'name': item.name}] }}"
when : item.publicKey is not defined or (item.forceRegeneration is defined and item.forceRegeneration)
loop: "{{ wg_peers }}"
- name : Generate private keys
command : wg genkey
register: privateKeyObjects
loop : "{{ generated_keys }}"
- name : Generate public keys
shell : echo "{{privateKeyObjects.results[ansible_loop.index0].stdout}}" | wg pubkey
register: publicKeyObjects
loop : "{{ generated_keys }}"
loop_control:
extended: true
- name: Registering generated keys
set_fact:
generated_keys: "{{ generated_keys | community.general.lists_mergeby ([{'privateKey' : privateKeyObjects.results[ansible_loop.index0].stdout, 'publicKey' : publicKeyObjects.results[ansible_loop.index0].stdout, 'name':item.name }],'name') }}"
loop: "{{ generated_keys }}"
loop_control:
extended: true
- name: Updating client configs info
set_fact:
wg_peers: "{{ wg_peers | community.general.lists_mergeby(generated_keys,'name')}}"
- name: Delete local configs directory
become: false
local_action : ansible.builtin.file
args:
path: "{{ playbook_dir }}/wg_clients/{{ inventory_hostname }}"
state: absent
- name: Re-create local configs directory
become: false
local_action : ansible.builtin.file
args:
path: "{{ playbook_dir }}/wg_clients/{{ inventory_hostname }}"
state: directory
mode: '0700'
- name : Generate client config file
become: false
local_action : ansible.builtin.template
args:
src: templates/wireguard_client.jinja
dest: "{{ playbook_dir }}/wg_clients/{{ inventory_hostname }}/{{ item.name }}.conf"
vars:
wg_client_public_key: "{{ item.publicKey }}"
wg_client_private_key: "{{ item.privateKey | default('')}}"
wg_client_address: "{{ item.ip }}"
allowed_ips : "{{ item.allowedIPs }}"
wg_server : "{{ inventory_hostname }}"
loop: "{{ wg_peers }}"

View File

@ -6,39 +6,39 @@
state: directory
mode: '0700'
- name: Check if server private key already exists
- name: Check if private key already exists
ansible.builtin.stat:
path: /etc/wireguard/privatekey
register: privatekey_file
register: privkey_file
- name: Generate server private key
- name: Generate private key
ansible.builtin.command: wg genkey
register: wg_private_key
when: not privatekey_file.stat.exists
when: not privkey_file.stat.exists
changed_when: true
- name: Save server private key
- name: Save private key
ansible.builtin.copy:
content: "{{ wg_private_key.stdout }}"
dest: /etc/wireguard/privatekey
owner: root
group: root
mode: '0600'
when: not privatekey_file.stat.exists
when: not privkey_file.stat.exists
- name: Read server private key
- name: Read private key
ansible.builtin.slurp:
src: /etc/wireguard/privatekey
register: private_key_content
- name: Generate server public key from private key
- name: Generate public key from private key
ansible.builtin.shell: echo "{{ private_key_content.content | b64decode | trim }}" | wg pubkey
register: wg_server_public_key
register: wg_public_key
changed_when: false
- name: Save server public key
- name: Save public key
ansible.builtin.copy:
content: "{{ wg_server_public_key.stdout }}"
content: "{{ wg_public_key.stdout }}"
dest: /etc/wireguard/publickey
owner: root
group: root
@ -46,4 +46,4 @@
- name: Display public key for reference
ansible.builtin.debug:
msg: "Public key for {{ inventory_hostname }}: {{ wg_server_public_key.stdout }}"
msg: "Public key for {{ inventory_hostname }}: {{ wg_public_key.stdout }}"

View File

@ -1,6 +1,4 @@
---
- include_tasks: install_wireguard.yaml
- include_tasks: gather_current_config.yaml
- include_tasks: generate_server_keys.yaml
- include_tasks: generate_client_configs.yaml
- include_tasks: generate_keys.yaml
- include_tasks: configure_server.yaml

View File

@ -0,0 +1,62 @@
---
- name: Install Wireguard Server
apt:
pkg:
- wireguard
state: latest
update_cache: true
- name: Create directory for wg keys
ansible.builtin.file:
path: /etc/wireguard/keys
state: directory
mode: '0755'
- name: Creating server privatekey and publickey
shell: wg genkey | tee privatekey | wg pubkey > publickey
args:
chdir: /etc/wireguard/keys
- name: Get Private Key [privatekey => var_privatekey]
shell: cat privatekey
register: var_privatekey
args:
chdir: /etc/wireguard/keys
#- name: Add WireGuard interface
# command: ip link add dev wg0 type wireguard
- name: Updating configuration
template:
src: wireguard_server.jinja
dest: /etc/wireguard/wg0.conf
#- name: Activating link
# command: ip link set up dev wg0
- name: Starting wg service
systemd:
state: started
name: wg-quick@wg0
enabled: yes
- name: Getting public key
shell: cat publickey
register: var_publickey
args:
chdir: /etc/wireguard/keys
- name: Check server public IP
shell: curl https://ipinfo.io/ip
register: var_server_ip
- name: Printing public key
debug:
msg: "Server {{ ansible_hostname }} reachable @{{var_server_ip}}. Public key is {{ var_publickey }}"

View File

@ -1,13 +0,0 @@
---
- example: "# Peer ID : fabio_test"
getval: '# Peer ID : (?P<peer_id>\S+)'
result:
"{{ peer_id }}":
name: "{{ peer_id }}"
shared: true
- example: "PublicKey = 9a3tgXpF5CAOffbHZdW1QBEJgSLFnBDVbD1JaMPgzkM="
getval: 'PublicKey = (?P<publicKey>\S+)'
result:
"{{ peer_id }}":
publicKey: "{{ publicKey }}"

View File

@ -1,18 +0,0 @@
[Interface]
{% if wg_client_private_key is defined and wg_client_private_key != None and wg_client_private_key != ''%}
PrivateKey = {{wg_client_private_key}}
{% else%}
# Public and private keys were pre generated by client
# Insert private key below and uncomment in order to use the present configuration
# PrivateKey =
{% endif %}
Address = {{wg_client_address}}
[Peer]
PublicKey = {{wg_server_public_key.stdout}}
AllowedIPs = {{ allowed_ips | join(', ') }}
Endpoint = {{ wg_server }}:{{ wg_port }}
PersistentKeepalive = 25

View File

@ -16,10 +16,10 @@ PostDown = iptables -t nat -D POSTROUTING ! -o {{wg_interface}} -m mark --mark 0
{% for peer in wg_peers %}
# Peer ID : {{ peer.name }}
# {{ peer.name }}
[Peer]
PublicKey = {{ peer.publicKey }}
AllowedIPs = {{ peer.ip }}
AllowedIPs = {{ peer.allowedIP }}
{% if peer.persistent_keepalive is defined %}
PersistentKeepalive = {{ peer.persistent_keepalive }}
{% endif %}

View File

@ -1,27 +0,0 @@
---
wordpress_docker_tag: latest
nginx_docker_tag: latest
mysql_docker_tag: latest
docker_network_name: wordpress_network
docker_wordpress_hostname: wordpress_host
docker_nginx_hostname: nginx_host
docker_mysql_hostname: mysql_host
docker_base_volume_path: /home/wordpress_docker
nginx_server_name: default_server
ssl: false
db_name: wordpress_database
db_user: wordpress_user
db_password: wordpress_password
db_root_password: wordpress_rootpassword
wordpress_debug : false
wordpress_debug_log: false

View File

@ -1,57 +0,0 @@
---
- name: Pull docker images
docker_image:
name: "{{ item.name }}"
tag: "{{ item.tag }}"
source: pull
loop:
- name : wordpress
tag: "{{ wordpress_docker_tag }}"
- name: mysql
tag : "{{ mysql_docker_tag }}"
- name: nginx
tag : "{{ nginx_docker_tag }}"
- name: Create docker network
docker_network:
name: "{{ docker_network_name }}"
state: present
- name: Create container with mysql image
docker_container:
name: mysql
image: mysql
networks:
- name: "{{ docker_network_name }}"
hostname: "{{ docker_mysql_hostname }}"
env:
MYSQL_DATABASE: "{{ db_name }}"
MYSQL_USER: "{{ db_user }}"
MYSQL_PASSWORD: "{{ db_password }}"
MYSQL_ROOT_PASSWORD: "{{ db_root_password }}"
volumes:
- "{{ docker_base_volume_path }}/temp_db_data:/var/tmp"
- name: Create container with Wordpress image
docker_container:
name: wordpress
image: wordpress
networks:
- name: "{{ docker_network_name }}"
hostname: "{{ docker_wordpress_hostname }}"
env:
WORDPRESS_DB_HOST: "{{ docker_mysql_hostname }}"
WORDPRESS_DB_NAME: "{{ db_name }}"
WORDPRESS_DB_USER: "{{ db_user }}"
WORDPRESS_DB_PASSWORD: "{{ db_password }}"
WORDPRESS_DEBUG: " {{ wordpress_debug }} "
WORDPRESS_DEBUG_LOG: " {{ wordpress_debug_log }} "
volumes:
- "{{ docker_base_volume_path }}/wordpress:/var/www/html"
restart: true
- include_tasks: nginx.yaml
when: ssl is true

View File

@ -1,15 +0,0 @@
---
- name: Start Nginx Container (HTTP)
docker_container:
name: nginx
image: nginx
ports:
- "80:80"
networks:
- name: "{{ docker_network_name }}"
hostname: "{{ docker_nginx_hostname }}"
volumes:
- "{{ docker_base_volume_path }}/wordpress:/var/www/html"
- "{{ docker_base_volume_path }}/nginx/conf:/etc/nginx/conf.d"
- "{{ docker_base_volume_path }}/nginx/logs:/var/log/nginx"
restart: true

View File

@ -15,22 +15,13 @@ server {
root /var/www/html;
index index.php;
# Needed to upload backups
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privatekey.pem;
client_max_body_size 40M;
# Try to support website restore plugin
proxy_read_timeout 600s;
keepalive_timeout 600s;
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privatekey.pem;
location / {
proxy_pass http://{{ docker_wordpress_hostname }}:80;
proxy_set_header Host $host;
@ -38,5 +29,4 @@ server {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

View File

@ -0,0 +1,14 @@
---
- name: Install and configure Vaultwarden
hosts: web
become : True
roles:
- geerlingguy.docker
- vaultwarden
tasks:
- name: Install certbot and nginx
include_task: nginx_http.yaml
when:
- vaultwarden_with_nginx_https.yaml

View File

@ -2,9 +2,12 @@
- name: Install and configure Wordpress
hosts: web
become : True
collections:
- chrissayon.wordpress_docker
roles:
- geerlingguy.docker
- wordpress-docker
- chrissayon.wordpress_docker.network
- chrissayon.wordpress_docker.mysql
- chrissayon.wordpress_docker.wordpress
- certbot

View File

@ -37,15 +37,11 @@ Calls role nextcloud_aio, dependent on docker role.
- Downloads SSE-Lab Repo
- Runs compose up (using ansible plugins)
E.g.
```ansible-playbook -i inventories/ -l nextrup_copy_test playbooks/nextcloud.yaml```
E.g. `ansible-playbook -i inventories/ -l nextrup_copy_test playbooks/nextcloud.yaml`
### Bootstrap ###
Creates sudoer user ansible, necessitates of sudoer user.
Use
```ansible-playbook -i inventories playbooks/bootstrap.yml -l [TARGET_HOST] -e 'ansible_user=[REMOTE_USER]' -K```
Use `ansible-playbook -i inventories playbooks/bootstrap.yml -l [TARGET_HOST] -e 'ansible_user=[REMOTE_USER]' -K`
### NameServer ###
@ -60,72 +56,8 @@ Configures a OPNSense edge node features :
- Wireguard VPN
NB runs locally so python intepreter needs to be specified
E.g.
```ansible-playbook -i inventories/sifi.yaml playbooks/opnsense.yaml --extra-vars="ansible_python_interpreter=$(which python)"
```
### VPN Server ###
Configures a VPN Server (only wireguard supported at the moment) for the specified 'wg_peers'.
The server acts as a gateway into a site, tunneling each connection and allowing only traffic into allowed subnets.
Needed parameters and configuration example :
```
wg_interface: wg0
wg_port: 51820
wg_server_address: 192.168.99.1/32
wg_peers:
- name: fabio_test
publicKey: "9a3tgXpF5CAOffbHZdW1QBEJgSLFnBDVbD1JaMPgzkM="
ip: "192.168.99.4/32"
allowedIPs :
- "192.168.99.0/24"
- "10.22.0.0/16"
- name: missing_key_test
ip: "192.168.99.5/32"
allowedIPs :
- "192.168.99.0/24"
- "10.22.0.0/16"
- name: forced_missing_key_test
forceRegeneration: True
ip: "192.168.99.6/32"
allowedIPs :
- "192.168.99.0/24"
- "10.22.0.0/16"
```
#### Wg-peers items ####
Each item represents a client [**Peer**] with :
- *name* [**Mandatory**] : a unique label for the client configuration
- *publicKey*: public key used by the client. If missing, the playbook generates both public and private keys, if needed.
- *ip* [**Mandatory**]: reserved ip for the client
- *allowedIPs* [**Mandatory**]: subnets to which the server allows traffic to for the present client
- *forceRegeneration*: force regeneration of public / private keys pair.
#### Client configurations ####
The playbook generates client configurations at the following path
> "{{ playbook_dir }}/wg_clients/{{ inventory_hostname }}/{{ item.name }}.conf"
**NB** Client configurations are ready to be imported in wireguard client if the playbook generated both public and private keys. Otherwise only the client's public key is reported and the user is expected to fill the configuration properly with their private key.
#### Key pair generation policy ####
In order to configure peers to connect to the server, public/private key pairs are needed.
The playbook evalutes the need for key generation as following :
- If *forceRegeneration* is set to *True*, keys are generated
- If *publicKey* is declared, that key is used
- If a public Key is already configured on the server for that Peer's name, that key is used
- If no public key is declared nor found, a new private / public key pair is generated and reported in client's configuration
E.g. `ansible-playbook -i inventories/sifi.yaml playbooks/opnsense.yaml --extra-vars="ansible_python_interpreter=$(which python)"
`
## Inventories

View File

@ -1,10 +1,6 @@
# requirements.yml
---
roles:
- name: githubixx.ansible_role_wireguard
src: https://github.com/githubixx/ansible-role-wireguard.git
version: 19.0.0
# - name: bodsch.dns.bind
# version: