diff --git a/.vscode/tasks.json b/.vscode/tasks.json
index c4feab9..b39ea64 100644
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -100,6 +100,26 @@
 "panel": "dedicated"
 }
 },
+ {
+ "label": "Deploy: ufw-ingress",
+ "type": "shell",
+ "command": "make deploy-ufw-ingress",
+ "group": "build",
+ "presentation": {
+ "reveal": "always",
+ "panel": "dedicated"
+ }
+ },
+ {
+ "label": "Deploy: wireguard-ingress",
+ "type": "shell",
+ "command": "make deploy-wireguard-ingress",
+ "group": "build",
+ "presentation": {
+ "reveal": "always",
+ "panel": "dedicated"
+ }
+ },
 {
 "label": "Deploy: matrix",
 "type": "shell",
diff --git a/inventory.yml b/inventory.yml
index bd2afde..01a7e87 100644
--- a/inventory.yml
+++ b/inventory.yml
@@ -2,4 +2,7 @@ pi:
 hosts:
 beepi:
 ansible_host: beepi.local
+ ansible_python_interpreter: auto_silent
+ animeistrash:
+ ansible_host: animeistrash.org
 ansible_python_interpreter: auto_silent
\ No newline at end of file
diff --git a/playbooks/backup/backup.yml b/playbooks/backup/backup.yml
index b07d77f..e174391 100644
--- a/playbooks/backup/backup.yml
+++ b/playbooks/backup/backup.yml
@@ -39,6 +39,12 @@
 dest: /opt/backup/passphrase.txt
 mode: '0600'
+ - name: Set path
+ ansible.builtin.cron:
+ name: PATH
+ env: true
+ job: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
 - name: Schedule daily backup
 ansible.builtin.cron:
 name: beepi backup daily
diff --git a/playbooks/backup/backupDaily.sh b/playbooks/backup/backupDaily.sh
index 3a64224..49fa81d 100644
--- a/playbooks/backup/backupDaily.sh
+++ b/playbooks/backup/backupDaily.sh
@@ -8,7 +8,22 @@ declare -a arr=("gitea" "mail" "matrix" "monitoring")
 declare -a monitoring=("monitoring_prometheus-data" "monitoring_grafana-storage" "monitoring_loki-data" "monitoring_alloy-data")
 declare -a matrix=("matrix_db")
-trap cleanup EXIT
+restore() {
+ for i in "${arr[@]}"; do
+ cd /opt/beeserver/${i}
+ podman-compose up -d
+ done
+
+ for j in "${monitoring[@]}"; do
+ rm -rf /opt/beeserver/monitoring/${j}.tar
+ done
+
+ for j in "${matrix[@]}"; do
+ rm -rf /opt/beeserver/matrix/${j}.tar
+ done
+}
+
+trap restore EXIT
 for i in "${arr[@]}"
 do
@@ -33,17 +48,4 @@ do
 podman-compose up -d
 done
-tar -czf - /opt/backup/beeserver | gpg --batch --passphrase-file /opt/backup/passphrase.txt -c -o /home/beeshare/raid/serverBackup/beeserver_daily_${now}.tar.gz.gpg
-
-function cleanup()
-{
- for j in "${monitoring[@]}"
- do
- rm -rf /opt/beeserver/monitoring/${j}.tar
- done
-
- for j in "${matrix[@]}"
- do
- rm -rf /opt/beeserver/matrix/${j}.tar
- done
-}
\ No newline at end of file
+tar -czf - /opt/backup/beeserver | gpg --batch --passphrase-file /opt/backup/passphrase.txt -c -o /home/beeshare/raid/serverBackup/beeserver_daily_${now}.tar.gz.gpg
\ No newline at end of file
diff --git a/playbooks/fail2ban/jail.local.j2 b/playbooks/fail2ban/jail.local.j2
index e7db6d4..6f19ec6 100644
--- a/playbooks/fail2ban/jail.local.j2
+++ b/playbooks/fail2ban/jail.local.j2
@@ -8,7 +8,7 @@ bantime.multipliers = 1 5 30 60 300 720 1440 2880
 [sshd]
 enabled = true
-port = ssh,2222
+port = ssh,2222,4444
 [nginx-http-auth]
 enabled = true
diff --git a/playbooks/immich/immich-db.container.j2 b/playbooks/immich/immich-db.container.j2
new file mode 100644
index 0000000..2cd8729
--- /dev/null
+++ b/playbooks/immich/immich-db.container.j2
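Review bot: In the new `restore()` EXIT trap, `cd /opt/beeserver/${i}` is unchecked, so if a directory is missing or renamed the following `podman-compose up -d` runs in whatever the current directory happens to be and the loop carries on silently; guard it with `cd "/opt/beeserver/${i}" || continue` (quoting the path as well). Because the trap now also restarts every stack, it fires on any early exit, including a failure of the `tar | gpg` pipeline in the second hunk, whose status is only gpg's exit code — a tar read error is not surfaced unless the script's header (outside the hunk) sets `set -o pipefail`. The `rm -rf` on the `.tar` files only needs `rm -f`, which also cannot recurse if a variable ever expands empty.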
@@ -0,0 +1,17 @@
+[Unit]
+Description=Immich Postgres
+
+[Container]
+ContainerName=immich-db
+Image=ghcr.io/immich-app/postgres:14-vectorchord0.4.3
+Network=immich.network
+Volume=immich-pgdata.volume:/var/lib/postgresql/data
+Environment=POSTGRES_USER=immich
+Environment=POSTGRES_PASSWORD={{ pico_db_password }}
+Environment=POSTGRES_DB=immich
+
+[Service]
+Restart=on-failure
+
+[Install]
+WantedBy=default.target
diff --git a/playbooks/immich/immich-redis.container b/playbooks/immich/immich-redis.container
new file mode 100644
index 0000000..614ca41
--- /dev/null
+++ b/playbooks/immich/immich-redis.container
@@ -0,0 +1,13 @@
+[Unit]
+Description=Immich Redis
+
+[Container]
+ContainerName=immich-redis
+Image=docker.io/redis:6.2-alpine
+Network=immich.network
+
+[Service]
+Restart=on-failure
+
+[Install]
+WantedBy=default.target
diff --git a/playbooks/immich/immich-server.container.j2 b/playbooks/immich/immich-server.container.j2
new file mode 100644
index 0000000..450975a
--- /dev/null
+++ b/playbooks/immich/immich-server.container.j2
@@ -0,0 +1,22 @@
+[Unit]
+Description=Immich Server
+Requires=immich-db.service immich-redis.service
+After=immich-db.service immich-redis.service
+
+[Container]
+ContainerName=immich-server
+Image=ghcr.io/immich-app/immich-server:release
+Network=immich.network
+PublishPort=127.0.0.1:2283:2283
+Volume=immich-upload.volume:/usr/src/app/upload
+Environment=DB_HOSTNAME=immich-db
+Environment=DB_USERNAME=immich
+Environment=DB_PASSWORD={{ pico_db_password }}
+Environment=DB_DATABASE_NAME=immich
+Environment=REDIS_HOSTNAME=immich-redis
+
+[Service]
+Restart=on-failure
+
+[Install]
+WantedBy=default.target
diff --git a/playbooks/immich/immich.yml b/playbooks/immich/immich.yml
new file mode 100644
index 0000000..3c6b8b5
--- /dev/null
+++ b/playbooks/immich/immich.yml
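Review bot: `Environment=POSTGRES_PASSWORD={{ pico_db_password }}` renders the vaulted database password in clear text into the generated `immich-db.container` unit and into the container environment, where `podman inspect` and `systemctl --user cat` expose it to anything running as the immich user; `Environment=DB_PASSWORD=` in `immich-server.container.j2` later in this commit has the same issue. Quadlet's `Secret=` key delivers a podman secret instead, e.g. `Secret=immich-db-password,type=env,target=POSTGRES_PASSWORD` with the secret created once via `podman secret create` as the immich user, which keeps the value out of the unit file entirely. If the environment variable is kept, the deploying playbook should at least not write the rendered file world-readable, which it currently does with mode 0644.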
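Review bot: `Image=ghcr.io/immich-app/immich-server:release` is a floating tag, so a pull on restart can bring in a different, unreviewed server build, while the database image next to it is pinned to `14-vectorchord0.4.3`; pin the server to a specific version tag or a digest (`ghcr.io/immich-app/immich-server@sha256:<digest>`) and bump it deliberately. Whether a restart actually re-pulls depends on the pull policy, which this unit does not set, so the behaviour is implicit either way. `PublishPort=127.0.0.1:2283:2283` correctly keeps the service off external interfaces.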
@@ -0,0 +1,103 @@
+- name: Immich
+ hosts: pi
+ become: true
+ vars:
+ immich_user: immich
+ immich_home: /home/immich
+ quadlet_dir: "{{ immich_home }}/.config/containers/systemd"
+ pico_db_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 64666332336435616365303563636634373333346537643336626235316432643336303665646463
+ 3735653065653561643635376237393666313137303661370a336664623937623061313663303835
+ 37623866383831623433366132346232663862653566653139323630356466653134363035363836
+ 3061376330316365310a393961343065633937336534306265663733653665383233383030326439
+ 30633861353033656264663439623264383536376664613665613138623262623261
+
+ tasks:
+ - name: Install podman
+ ansible.builtin.apt:
+ name: podman
+ state: present
+
+ - name: Create immich user
+ ansible.builtin.user:
+ name: "{{ immich_user }}"
+ home: "{{ immich_home }}"
+ shell: /usr/sbin/nologin
+ create_home: true
+ register: immich_user_info
+
+ - name: Enable linger
+ ansible.builtin.command:
+ cmd: "loginctl enable-linger {{ immich_user }}"
+ creates: "/var/lib/systemd/linger/{{ immich_user }}"
+
+ - name: Create quadlet directory
+ ansible.builtin.file:
+ path: "{{ quadlet_dir }}"
+ state: directory
+ owner: "{{ immich_user }}"
+ group: "{{ immich_user }}"
+ mode: '0755'
+
+ - name: Deploy network
+ ansible.builtin.copy:
+ dest: "{{ quadlet_dir }}/immich.network"
+ content: "[Network]\n"
+ owner: "{{ immich_user }}"
+ group: "{{ immich_user }}"
+ mode: '0644'
+
+ - name: Deploy volumes
+ ansible.builtin.copy:
+ dest: "{{ quadlet_dir }}/{{ item }}.volume"
+ content: "[Volume]\n"
+ owner: "{{ immich_user }}"
+ group: "{{ immich_user }}"
+ mode: '0644'
+ loop:
+ - immich-pgdata
+ - immich-upload
+
+ - name: Deploy db quadlet
+ ansible.builtin.template:
+ src: immich-db.container.j2
+ dest: "{{ quadlet_dir }}/immich-db.container"
+ owner: "{{ immich_user }}"
+ group: "{{ immich_user }}"
+ mode: '0644'
+
+ - name: Deploy redis quadlet
+ ansible.builtin.copy:
+ src: immich-redis.container
+ dest: "{{ 
quadlet_dir }}/immich-redis.container"
+ owner: "{{ immich_user }}"
+ group: "{{ immich_user }}"
+ mode: '0644'
+
+ - name: Deploy server quadlet
+ ansible.builtin.template:
+ src: immich-server.container.j2
+ dest: "{{ quadlet_dir }}/immich-server.container"
+ owner: "{{ immich_user }}"
+ group: "{{ immich_user }}"
+ mode: '0644'
+
+ - name: Reload user systemd
+ become_user: "{{ immich_user }}"
+ environment:
+ XDG_RUNTIME_DIR: "/run/user/{{ immich_user_info.uid }}"
+ DBUS_SESSION_BUS_ADDRESS: "unix:path=/run/user/{{ immich_user_info.uid }}/bus"
+ ansible.builtin.systemd:
+ daemon_reload: true
+ scope: user
+
+ - name: Start immich-server
+ become_user: "{{ immich_user }}"
+ environment:
+ XDG_RUNTIME_DIR: "/run/user/{{ immich_user_info.uid }}"
+ DBUS_SESSION_BUS_ADDRESS: "unix:path=/run/user/{{ immich_user_info.uid }}/bus"
+ ansible.builtin.systemd:
+ name: immich-server.service
+ state: started
+ scope: user
diff --git a/playbooks/ufw-ingress/ufw-ingress.yml b/playbooks/ufw-ingress/ufw-ingress.yml
new file mode 100644
index 0000000..edf2007
--- /dev/null
+++ b/playbooks/ufw-ingress/ufw-ingress.yml
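Review bot: The "Deploy db quadlet" and "Deploy server quadlet" tasks render templates that embed `pico_db_password` with `mode: '0644'`, so the vaulted password becomes world-readable under `{{ quadlet_dir }}`; `mode: '0600'` is enough because the user systemd generator reads those files as `{{ immich_user }}`, and `no_log: true` on the two tasks keeps the rendered content out of `--diff` output and job logs. The 0644 on `immich.network` and the `.volume` files is harmless since they carry no secrets. The play starts only `immich-server.service`, which works because the unit's `Requires=` pulls in db and redis, but a one-line comment on the "Start immich-server" task saying so would spare the next reader a hunt through the container files.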
@@ -0,0 +1,57 @@
+- name: Ufw-ingress
+ hosts: animeistrash
+ become: true
+ tasks:
+ - name: Install ufw
+ ansible.builtin.apt:
+ name: ufw
+ state: present
+
+ - name: Logging
+ community.general.ufw:
+ logging: "medium"
+
+ - name: UFW - Allow SSH
+ community.general.ufw:
+ rule: allow
+ port: "22"
+ proto: tcp
+
+ - name: UFW - Allow wireguard
+ community.general.ufw:
+ rule: allow
+ port: "41194"
+ proto: udp
+
+ - name: UFW - Allow wireguard routing tcp
+ community.general.ufw:
+ rule: allow
+ interface_in: wg0
+ route: true
+ proto: tcp
+ to_port: '{{ item }}'
+ loop:
+ - "25" # mail
+ - "465" # mail
+ - "587" # mail
+ - "993" # mail
+ - "2222" # gitbee ssh
+ - "8448" # matrix federation
+ - "4444" # backup ssh
+ - "80"
+ - "443"
+
+ - name: UFW - Allow wireguard outgoing
+ community.general.ufw:
+ route: true
+ rule: allow
+ interface_out: wg0
+
+ - name: UFW - Enable and deny by default
+ community.general.ufw:
+ state: enabled
+ default: deny
+
+ - name: UFW - Reload firewall
+ changed_when: true
+ ansible.builtin.command: ufw reload
diff --git a/playbooks/ufw/ufw.yml b/playbooks/ufw/ufw.yml
index 1caf064..83777b4 100644
--- a/playbooks/ufw/ufw.yml
+++ b/playbooks/ufw/ufw.yml
@@ -1,4 +1,4 @@
-- name: Nginx
+- name: Ufw
 hosts: pi
 become: true
 tasks:
@@ -71,17 +71,6 @@
 - "2222" # gitbee ssh
 - "8448" # matrix federation
- - name: UFW - Limiting
- community.general.ufw:
- rule: limit
- port: '{{ item }}'
- proto: tcp
- route: true
- loop:
- - "465" # mail
- - "587" # mail
- - "993" # mail
-
 - name: UFW - Allow podman forwarding
 community.general.ufw:
 rule: allow
diff --git a/playbooks/wireguard/wg0.conf.server b/playbooks/wireguard-ingress/wg0.conf.j2
similarity index 58%
rename from playbooks/wireguard/wg0.conf.server
rename to playbooks/wireguard-ingress/wg0.conf.j2
index 694976a..45e0f29 100644
--- a/playbooks/wireguard/wg0.conf.server
+++ b/playbooks/wireguard-ingress/wg0.conf.j2
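Review bot: The per-port `route: true` rule in "UFW - Allow wireguard routing tcp" uses `interface_in: wg0`, which matches forwarded traffic *arriving from* the tunnel, whereas the DNAT'd ingress traffic set up in `wg0.conf.j2` arrives on eth0 and leaves through wg0 — and that direction is admitted for any port and destination by the following "UFW - Allow wireguard outgoing" rule (`interface_out: wg0`). If that reading is right, the firewall does not restrict forwarded ports at all and the only limit is the DNAT list; the loop should instead be `interface_in: eth0`, `interface_out: wg0`, `to_ip: 10.10.1.2`, `to_port: '{{ item }}'`, with the blanket `interface_out: wg0` allow removed. The `rule: limit` for 465/587/993 that this commit deletes from `ufw.yml` is not carried over here, so those mail ports lose their rate limit on the new ingress host, and SSH on 22 of this internet-facing machine is `allow` where `limit` is the usual choice.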
@@ -3,15 +3,31 @@ PrivateKey = {{ wireguard_server_private_key }}
 Address = 10.10.1.1/24
 ListenPort = 41194
 PostUp = sysctl -w net.ipv4.ip_forward=1
+
 PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 10.10.1.2:25
 PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 10.10.1.2:25
+
 PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 993 -j DNAT --to-destination 10.10.1.2:993
 PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 993 -j DNAT --to-destination 10.10.1.2:993
-PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 465 -j DNAT --to-destination 10.10.1.2:465
-PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 465 -j DNAT --to-destination 10.10.1.2:465
+
 PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 587 -j DNAT --to-destination 10.10.1.2:587
 PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 587 -j DNAT --to-destination 10.10.1.2:587
+PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 465 -j DNAT --to-destination 10.10.1.2:465
+PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 465 -j DNAT --to-destination 10.10.1.2:465
+
+PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.10.1.2:80
+PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.10.1.2:80
+
+PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.10.1.2:443
+PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.10.1.2:443
+
+PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8448 -j DNAT --to-destination 10.10.1.2:8448
+PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 8448 -j DNAT --to-destination 10.10.1.2:8448
+
+PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4444 -j DNAT --to-destination 10.10.1.2:4444
+PostDown = iptables -t nat -D 
PREROUTING -i eth0 -p tcp --dport 4444 -j DNAT --to-destination 10.10.1.2:4444
+
 #PreUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
 #PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
diff --git a/playbooks/wireguard-ingress/wireguard-ingress.yml b/playbooks/wireguard-ingress/wireguard-ingress.yml
new file mode 100644
index 0000000..6e0b265
--- /dev/null
+++ b/playbooks/wireguard-ingress/wireguard-ingress.yml
@@ -0,0 +1,31 @@
+- name: Wireguard-ingress
+ hosts: animeistrash
+ become: true
+ vars:
+ wireguard_server_private_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 34313837363964633333373936636462666138386538653939663435376666626230393564366630
+ 6637333264303638383938326132336130343833393466370a623633623163303762616333663135
+ 61666433393939303938623735666439663361633638613466393361626439326465303966303266
+ 3239666637326337650a636433616264386162326535306461326233323961643664373134363634
+ 35633238393933386231373535353635646462383763613362363761363935363965383836366431
+ 3766343166643632306162343761613030653631353361373936
+ tasks:
+ - name: Install wireguard
+ ansible.builtin.apt:
+ name: wireguard
+ state: present
+
+ - name: Down wg0
+ changed_when: true
+ ansible.builtin.command: wg-quick down wg0
+
+ - name: Copy wg0.conf
+ ansible.builtin.template:
+ src: wg0.conf.j2
+ dest: /etc/wireguard/wg0.conf
+ mode: '0600'
+
+ - name: Up wg0
+ changed_when: true
+ ansible.builtin.command: wg-quick up wg0
diff --git a/playbooks/wireguard/wireguard.yml b/playbooks/wireguard/wireguard.yml
index f208767..9b83954 100644
--- a/playbooks/wireguard/wireguard.yml
+++ b/playbooks/wireguard/wireguard.yml
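Review bot: Each new `PreUp` appends (`-A`) a DNAT rule and relies on its `PostDown` twin to delete it; if the interface comes up without the previous down having run (a crash, or a failed `wg-quick down`), the rules accumulate as duplicates, and a stale copy survives whenever one line of a pair is edited without the other. A check-then-add form makes PreUp idempotent: `PreUp = iptables -t nat -C PREROUTING -i eth0 -p tcp --dport 4444 -j DNAT --to-destination 10.10.1.2:4444 || iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4444 -j DNAT --to-destination 10.10.1.2:4444`. Since the file is now a Jinja template, `eth0` and `10.10.1.2`, repeated in every pair, could become play variables so the two halves cannot drift. Leaving MASQUERADE commented out means the pi's sshd and fail2ban see real client addresses on the forwarded ports, which presumably is intended but requires the pi to route replies back through wg0 — a comment stating that assumption would help, as the client side is not in this commit.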
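Review bot: The "Down wg0" task runs `wg-quick down wg0` unconditionally with no `failed_when` or `ignore_errors`, so on a fresh host where wg0 has never been brought up the play fails before `wg0.conf` is even written; add `failed_when: false` to that task, or guard it with a `stat` of `/sys/class/net/wg0`. Tearing the tunnel down and up on every run also drops all forwarded sessions even when nothing changed; a handler notified by the "Copy wg0.conf" task would confine the disruption to real changes, and `wg syncconf wg0 <(wg-quick strip wg0)` handles key/peer changes without a restart, though the PreUp/PostDown iptables lines still need a full down/up when the port list changes. `mode: '0600'` on the rendered config holding the private key is correct.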
@@ -10,14 +10,6 @@
 3138326563386233390a386237633630656436663062633264366562616632633035343733323331
 64366538386364623938663836336661313632376131336338643432646338303738616438623361
 6237653737666662336665326237623331383132653431343466
- wireguard_server_private_key: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 38633732343939346261653834393536313335376166616661373266616266353938633363373464
- 3233646466303834656633656237643632666462323264360a333066313361323038366265316330
- 32626534313239353833653638353364313136333932386331373132356333663935366466653435
- 3636323037366333350a313761643565633165643938303330386431623237356262323332306533
- 34623734623661333266393930306439336533343566306635633638326334303364353036383036
- 3461343263306434386135356638623636393030646236346531
 tasks:
 - name: Install wireguard
 ansible.builtin.apt: