bee/beepi
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ingress

Browse Source
This commit is contained in:
bee
2026-05-26 17:21:03 +02:00
parent af81ce3df8
commit 34d8d82dbf
14 changed files with 309 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.vscode/tasks.json
Vendored
+20
View File
@@ -100,6 +100,26 @@
"panel": "dedicated"
}
},
{
"label": "Deploy: ufw-ingress",
"type": "shell",
"command": "make deploy-ufw-ingress",
"group": "build",
"presentation": {
"reveal": "always",
"panel": "dedicated"
}
},
{
"label": "Deploy: wireguard-ingress",
"type": "shell",
"command": "make deploy-wireguard-ingress",
"group": "build",
"presentation": {
"reveal": "always",
"panel": "dedicated"
}
},
{
"label": "Deploy: matrix",
"type": "shell",
inventory.yml
+3
View File
@@ -2,4 +2,7 @@ pi:
hosts:
beepi:
ansible_host: beepi.local
ansible_python_interpreter: auto_silent
animeistrash:
ansible_host: animeistrash.org
ansible_python_interpreter: auto_silent
playbooks/backup/backup.yml
+6
View File
@@ -39,6 +39,12 @@
dest: /opt/backup/passphrase.txt
mode: '0600'
- name: Set path
ansible.builtin.cron:
name: PATH
env: true
job: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
- name: Schedule daily backup
ansible.builtin.cron:
name: beepi backup daily
playbooks/backup/backupDaily.sh
+17 -15
View File
@@ -8,7 +8,22 @@ declare -a arr=("gitea" "mail" "matrix" "monitoring")
declare -a monitoring=("monitoring_prometheus-data" "monitoring_grafana-storage" "monitoring_loki-data" "monitoring_alloy-data")
declare -a matrix=("matrix_db")
trap cleanup EXIT
restore() {
for i in "${arr[@]}"; do
cd /opt/beeserver/${i}
podman-compose up -d
done
for j in "${monitoring[@]}"; do
rm -rf /opt/beeserver/monitoring/${j}.tar
done
for j in "${matrix[@]}"; do
rm -rf /opt/beeserver/matrix/${j}.tar
done
}
trap restore EXIT
for i in "${arr[@]}"
do
@@ -33,17 +48,4 @@ do
podman-compose up -d
done
tar -czf - /opt/backup/beeserver | gpg --batch --passphrase-file /opt/backup/passphrase.txt -c -o /home/beeshare/raid/serverBackup/beeserver_daily_${now}.tar.gz.gpg
function cleanup()
{
for j in "${monitoring[@]}"
do
rm -rf /opt/beeserver/monitoring/${j}.tar
done
for j in "${matrix[@]}"
do
rm -rf /opt/beeserver/matrix/${j}.tar
done
}
tar -czf - /opt/backup/beeserver | gpg --batch --passphrase-file /opt/backup/passphrase.txt -c -o /home/beeshare/raid/serverBackup/beeserver_daily_${now}.tar.gz.gpg
playbooks/fail2ban/jail.local.j2
+1 -1
View File
@@ -8,7 +8,7 @@ bantime.multipliers = 1 5 30 60 300 720 1440 2880
[sshd]
enabled = true
port = ssh,2222
port = ssh,2222,4444
[nginx-http-auth]
enabled = true
playbooks/immich/immich-db.container.j2
+17
View File
@@ -0,0 +1,17 @@
[Unit]
Description=Immich Postgres
[Container]
ContainerName=immich-db
Image=ghcr.io/immich-app/postgres:14-vectorchord0.4.3
Network=immich.network
Volume=immich-pgdata.volume:/var/lib/postgresql/data
Environment=POSTGRES_USER=immich
Environment=POSTGRES_PASSWORD={{ pico_db_password }}
Environment=POSTGRES_DB=immich
[Service]
Restart=on-failure
[Install]
WantedBy=default.target
playbooks/immich/immich-redis.container
+13
View File
@@ -0,0 +1,13 @@
[Unit]
Description=Immich Redis
[Container]
ContainerName=immich-redis
Image=docker.io/redis:6.2-alpine
Network=immich.network
[Service]
Restart=on-failure
[Install]
WantedBy=default.target
playbooks/immich/immich-server.container.j2
+22
View File
@@ -0,0 +1,22 @@
[Unit]
Description=Immich Server
Requires=immich-db.service immich-redis.service
After=immich-db.service immich-redis.service
[Container]
ContainerName=immich-server
Image=ghcr.io/immich-app/immich-server:release
Network=immich.network
PublishPort=127.0.0.1:2283:2283
Volume=immich-upload.volume:/usr/src/app/upload
Environment=DB_HOSTNAME=immich-db
Environment=DB_USERNAME=immich
Environment=DB_PASSWORD={{ pico_db_password }}
Environment=DB_DATABASE_NAME=immich
Environment=REDIS_HOSTNAME=immich-redis
[Service]
Restart=on-failure
[Install]
WantedBy=default.target
playbooks/immich/immich.yml
+103
View File
@@ -0,0 +1,103 @@
- name: Immich
hosts: pi
become: true
vars:
immich_user: immich
immich_home: /home/immich
quadlet_dir: "{{ immich_home }}/.config/containers/systemd"
pico_db_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
64666332336435616365303563636634373333346537643336626235316432643336303665646463
3735653065653561643635376237393666313137303661370a336664623937623061313663303835
37623866383831623433366132346232663862653566653139323630356466653134363035363836
3061376330316365310a393961343065633937336534306265663733653665383233383030326439
30633861353033656264663439623264383536376664613665613138623262623261
tasks:
- name: Install podman
ansible.builtin.apt:
name: podman
state: present
- name: Create immich user
ansible.builtin.user:
name: "{{ immich_user }}"
home: "{{ immich_home }}"
shell: /usr/sbin/nologin
create_home: true
register: immich_user_info
- name: Enable linger
ansible.builtin.command:
cmd: "loginctl enable-linger {{ immich_user }}"
creates: "/var/lib/systemd/linger/{{ immich_user }}"
- name: Create quadlet directory
ansible.builtin.file:
path: "{{ quadlet_dir }}"
state: directory
owner: "{{ immich_user }}"
group: "{{ immich_user }}"
mode: '0755'
- name: Deploy network
ansible.builtin.copy:
dest: "{{ quadlet_dir }}/immich.network"
content: "[Network]\n"
owner: "{{ immich_user }}"
group: "{{ immich_user }}"
mode: '0644'
- name: Deploy volumes
ansible.builtin.copy:
dest: "{{ quadlet_dir }}/{{ item }}.volume"
content: "[Volume]\n"
owner: "{{ immich_user }}"
group: "{{ immich_user }}"
mode: '0644'
loop:
- immich-pgdata
- immich-upload
- name: Deploy db quadlet
ansible.builtin.template:
src: immich-db.container.j2
dest: "{{ quadlet_dir }}/immich-db.container"
owner: "{{ immich_user }}"
group: "{{ immich_user }}"
mode: '0644'
- name: Deploy redis quadlet
ansible.builtin.copy:
src: immich-redis.container
dest: "{{ quadlet_dir }}/immich-redis.container"
owner: "{{ immich_user }}"
group: "{{ immich_user }}"
mode: '0644'
- name: Deploy server quadlet
ansible.builtin.template:
src: immich-server.container.j2
dest: "{{ quadlet_dir }}/immich-server.container"
owner: "{{ immich_user }}"
group: "{{ immich_user }}"
mode: '0644'
- name: Reload user systemd
become_user: "{{ immich_user }}"
environment:
XDG_RUNTIME_DIR: "/run/user/{{ immich_user_info.uid }}"
DBUS_SESSION_BUS_ADDRESS: "unix:path=/run/user/{{ immich_user_info.uid }}/bus"
ansible.builtin.systemd:
daemon_reload: true
scope: user
- name: Start immich-server
become_user: "{{ immich_user }}"
environment:
XDG_RUNTIME_DIR: "/run/user/{{ immich_user_info.uid }}"
DBUS_SESSION_BUS_ADDRESS: "unix:path=/run/user/{{ immich_user_info.uid }}/bus"
ansible.builtin.systemd:
name: immich-server.service
state: started
scope: user
playbooks/ufw-ingress/ufw-ingress.yml
+57
View File
@@ -0,0 +1,57 @@
- name: Ufw-ingress
hosts: animeistrash
become: true
tasks:
- name: Install ufw
ansible.builtin.apt:
name: ufw
state: present
- name: Logging
community.general.ufw:
logging: "medium"
- name: UFW - Allow SSH
community.general.ufw:
rule: allow
port: "22"
proto: tcp
- name: UFW - Allow wireguard
community.general.ufw:
rule: allow
port: "41194"
proto: udp
- name: UFW - Allow wireguard routing tcp
community.general.ufw:
rule: allow
interface_in: wg0
route: true
proto: tcp
to_port: '{{ item }}'
loop:
- "25" # mail
- "465" # mail
- "587" # mail
- "993" # mail
- "2222" # gitbee ssh
- "8448" # matrix federation
- "4444" # backup ssh
- "80"
- "443"
- name: UFW - Allow wireguard outgoing
community.general.ufw:
route: true
rule: allow
interface_out: wg0
- name: UFW - Enable and deny by default
community.general.ufw:
state: enabled
default: deny
- name: UFW - Reload firewall
changed_when: true
ansible.builtin.command: ufw reload
playbooks/ufw/ufw.yml
+1 -12
View File
@@ -1,4 +1,4 @@
- name: Nginx
- name: Ufw
hosts: pi
become: true
tasks:
@@ -71,17 +71,6 @@
- "2222" # gitbee ssh
- "8448" # matrix federation
- name: UFW - Limiting
community.general.ufw:
rule: limit
port: '{{ item }}'
proto: tcp
route: true
loop:
- "465" # mail
- "587" # mail
- "993" # mail
- name: UFW - Allow podman forwarding
community.general.ufw:
rule: allow
playbooks/wireguard/wg0.conf.server → playbooks/wireguard-ingress/wg0.conf.j2
+18 -2
View File
@@ -3,15 +3,31 @@ PrivateKey = {{ wireguard_server_private_key }}
Address = 10.10.1.1/24
ListenPort = 41194
PostUp = sysctl -w net.ipv4.ip_forward=1
PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 10.10.1.2:25
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 10.10.1.2:25
PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 993 -j DNAT --to-destination 10.10.1.2:993
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 993 -j DNAT --to-destination 10.10.1.2:993
PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 465 -j DNAT --to-destination 10.10.1.2:465
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 465 -j DNAT --to-destination 10.10.1.2:465
PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 587 -j DNAT --to-destination 10.10.1.2:587
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 587 -j DNAT --to-destination 10.10.1.2:587
PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 465 -j DNAT --to-destination 10.10.1.2:465
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 465 -j DNAT --to-destination 10.10.1.2:465
PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.10.1.2:80
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.10.1.2:80
PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.10.1.2:443
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.10.1.2:443
PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8448 -j DNAT --to-destination 10.10.1.2:8448
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 8448 -j DNAT --to-destination 10.10.1.2:8448
PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4444 -j DNAT --to-destination 10.10.1.2:4444
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 4444 -j DNAT --to-destination 10.10.1.2:4444
#PreUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
#PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
playbooks/wireguard-ingress/wireguard-ingress.yml
+31
View File
@@ -0,0 +1,31 @@
- name: Wireguard-ingress
hosts: animeistrash
become: true
vars:
wireguard_server_private_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
34313837363964633333373936636462666138386538653939663435376666626230393564366630
6637333264303638383938326132336130343833393466370a623633623163303762616333663135
61666433393939303938623735666439663361633638613466393361626439326465303966303266
3239666637326337650a636433616264386162326535306461326233323961643664373134363634
35633238393933386231373535353635646462383763613362363761363935363965383836366431
3766343166643632306162343761613030653631353361373936
tasks:
- name: Install wireguard
ansible.builtin.apt:
name: wireguard
state: present
- name: Down wg0
changed_when: true
ansible.builtin.command: wg-quick down wg0
- name: Copy wg0.conf
ansible.builtin.template:
src: wg0.conf.j2
dest: /etc/wireguard/wg0.conf
mode: '0600'
- name: Up wg0
changed_when: true
ansible.builtin.command: wg-quick up wg0
playbooks/wireguard/wireguard.yml
-8
View File
@@ -10,14 +10,6 @@
3138326563386233390a386237633630656436663062633264366562616632633035343733323331
64366538386364623938663836336661313632376131336338643432646338303738616438623361
6237653737666662336665326237623331383132653431343466
wireguard_server_private_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
38633732343939346261653834393536313335376166616661373266616266353938633363373464
3233646466303834656633656237643632666462323264360a333066313361323038366265316330
32626534313239353833653638353364313136333932386331373132356333663935366466653435
3636323037366333350a313761643565633165643938303330386431623237356262323332306533
34623734623661333266393930306439336533343566306635633638326334303364353036383036
3461343263306434386135356638623636393030646236346531
tasks:
- name: Install wireguard
ansible.builtin.apt: