From 8c66580dab1c07462db780c8becc2118cba74aa2 Mon Sep 17 00:00:00 2001 From: bee Date: Sat, 23 May 2026 17:48:04 +0200 Subject: [PATCH] matrix --- .gitignore | 4 +- .vscode/tasks.json | 30 +++ containers/opendkim/Containerfile | 5 + containers/postfix/Containerfile | 2 - containers/postfix/main.cf | 31 ---- playbooks/autodns/autodns.yml | 13 ++ playbooks/fail2ban/jail.local.j2 | 10 + playbooks/letsencrypt/letsencrypt.yml | 4 + playbooks/mail/99-local.conf.j2 | 27 +++ playbooks/mail/docker-compose.yml.j2 | 32 +++- playbooks/mail/mail.yml | 175 ++++++++++++++++++ playbooks/mail/main.cf.j2 | 60 ++++++ playbooks/mail/master.cf.j2 | 41 ++++ playbooks/mail/opendkim.conf.j2 | 6 + playbooks/mail/users.j2 | 1 + playbooks/matrix/docker-compose.yml.j2 | 25 +++ playbooks/matrix/matrix.yml | 47 +++++ playbooks/matrix/resolv.conf.j2 | 2 + playbooks/monitoring/docker-compose.yml.j2 | 9 +- .../nginx/sites-enabled/matrix.secretbee.buzz | 33 ++++ playbooks/ufw/ufw.yml | 6 + 21 files changed, 518 insertions(+), 45 deletions(-) create mode 100644 containers/opendkim/Containerfile delete mode 100644 containers/postfix/main.cf create mode 100644 playbooks/autodns/autodns.yml create mode 100644 playbooks/mail/99-local.conf.j2 create mode 100644 playbooks/mail/mail.yml create mode 100644 playbooks/mail/main.cf.j2 create mode 100644 playbooks/mail/master.cf.j2 create mode 100644 playbooks/mail/opendkim.conf.j2 create mode 100644 playbooks/mail/users.j2 create mode 100644 playbooks/matrix/docker-compose.yml.j2 create mode 100644 playbooks/matrix/matrix.yml create mode 100644 playbooks/matrix/resolv.conf.j2 create mode 100644 playbooks/nginx/sites-enabled/matrix.secretbee.buzz diff --git a/.gitignore b/.gitignore index 8d95a87..368f1df 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,6 @@ registry/ .ansible/ .vscode/settings.json -.vault-password \ No newline at end of file +.vault-password +*.private +*.secret \ No newline at end of file 
diff --git a/.vscode/tasks.json b/.vscode/tasks.json index e69fe60..f3dc644 100644 --- a/.vscode/tasks.json +++ b/.vscode/tasks.json @@ -70,6 +70,26 @@ "panel": "dedicated" } }, + { + "label": "Deploy: mail", + "type": "shell", + "command": "make deploy-mail", + "group": "build", + "presentation": { + "reveal": "always", + "panel": "dedicated" + } + }, + { + "label": "Deploy: matrix", + "type": "shell", + "command": "make deploy-matrix", + "group": "build", + "presentation": { + "reveal": "always", + "panel": "dedicated" + } + }, { "label": "Build & Push: postfix", "type": "shell", @@ -79,6 +99,16 @@ "reveal": "always", "panel": "dedicated" } + }, + { + "label": "Build & Push: opendkim", + "type": "shell", + "command": "make push-opendkim", + "group": "build", + "presentation": { + "reveal": "always", + "panel": "dedicated" + } } ], "inputs": [ diff --git a/containers/opendkim/Containerfile b/containers/opendkim/Containerfile new file mode 100644 index 0000000..993ae9a --- /dev/null +++ b/containers/opendkim/Containerfile @@ -0,0 +1,5 @@ +FROM debian:bookworm-slim +RUN apt-get update \ + && apt-get install -y --no-install-recommends opendkim \ + && rm -rf /var/lib/apt/lists/* +CMD ["opendkim", "-f"] \ No newline at end of file diff --git a/containers/postfix/Containerfile b/containers/postfix/Containerfile index a1aed49..dc6969b 100644 --- a/containers/postfix/Containerfile +++ b/containers/postfix/Containerfile @@ -6,8 +6,6 @@ RUN apt-get update \ libsasl2-modules \ && rm -rf /var/lib/apt/lists/* -COPY main.cf /etc/postfix/main.cf - EXPOSE 25 587 CMD ["postfix", "start-fg"] diff --git a/containers/postfix/main.cf b/containers/postfix/main.cf deleted file mode 100644 index 4585cac..0000000 --- a/containers/postfix/main.cf +++ /dev/null 
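Review bot: The opendkim container runs the milter as root: the new Containerfile sets no `USER`, and the opendkim.conf added in this commit sets no `UserID`, so the process that parses every inbound message's headers runs as uid 0 inside the container. The Debian package presumably ships an `opendkim` account, so `UserID opendkim` in opendkim.conf (or `USER opendkim` here) is available, but `mail.private` is deployed root-owned with mode 0600 and would then have to be readable by that uid. The base image is also unpinned; `FROM debian:bookworm-slim@sha256:…` makes `make push-opendkim` reproducible instead of tracking whatever the tag points at on build day.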
@@ -1,31 +0,0 @@ -# Postfix main configuration -# https://www.postfix.org/postconf.5.html - -# --- Identity --- -myhostname = mail.secretbee.buzz -mydomain = secretbee.buzz -myorigin = $mydomain - -# --- Network --- -inet_interfaces = all -inet_protocols = ipv4 - -# --- Local delivery --- -mydestination = $myhostname, localhost.$mydomain, localhost - -# --- Relay --- -mynetworks = 127.0.0.0/8 -relayhost = - -# --- TLS (outbound) --- -smtp_tls_security_level = enforce -smtp_tls_loglevel = 1 -smtpd_tls_chain_files = - /etc/postfix/fullchain.pem - /etc/postfix/privkey.pem - -# --- Mailbox --- -home_mailbox = Maildir/ - -# --- Limits --- -message_size_limit = 52428800 diff --git a/playbooks/autodns/autodns.yml b/playbooks/autodns/autodns.yml new file mode 100644 index 0000000..844c03a --- /dev/null +++ b/playbooks/autodns/autodns.yml @@ -0,0 +1,13 @@ +- name: Inspircd + hosts: pi + become: true + vars: + njalla_api_token: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 65666463616462633533663835383164353566326437333336616266333864333465613732346633 + 6534633837373937393563633966343738316562653930610a346461613236653266303237306663 + 66663234313832373939346539386633316465373861663862646537303662313564363038303164 + 3865666132613130380a623737663837343438333837626338346565653735613435313164373663 + 33316231366334623461303263386136656234613133373361353262346366636133396134663838 + 3733353465643235653337306434396366623935303862633737 + tasks: \ No newline at end of file diff --git a/playbooks/fail2ban/jail.local.j2 b/playbooks/fail2ban/jail.local.j2 index eaeb831..53cf771 100644 --- a/playbooks/fail2ban/jail.local.j2 +++ b/playbooks/fail2ban/jail.local.j2 @@ -13,3 +13,13 @@ enabled = true [nginx-limit-req] enabled = true + +[postfix] +enabled = true +port = smtp,submission +logpath = /var/log/mail.log + +[dovecot] +enabled = true +port = imaps,pop3s +logpath = /var/log/mail.log \ No newline at end of file 
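Review bot: The new autodns play is named `Inspircd` and ends in an empty `tasks:` while carrying a vaulted `njalla_api_token`, which reads as a half-finished copy-paste stub; an empty `tasks` value may also make Ansible reject the play — confirm before it is wired into a `make` target. Either drop the file until the tasks exist or at least rename it, `- name: Autodns`, so the vaulted DNS API credential is not sitting in a play nobody expects to touch DNS.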
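Review bot: The new `[postfix]` and `[dovecot]` jails probably never fire, because both daemons now run in podman containers (playbooks/mail/docker-compose.yml.j2 in this commit) whose logs go to the container runtime, not to the host's `/var/log/mail.log`, unless syslog forwarding exists outside this diff. The `[dovecot]` jail also sets `port = imaps,pop3s` while the compose file publishes Dovecot on 31993/31995, so even a successful ban would target the wrong ports. One more caveat to verify: fail2ban's default action inserts into INPUT, whereas traffic to published container ports is DNAT'd and traverses FORWARD, so the ban may not block anything without `banaction = ufw` or a `chain = FORWARD` override.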
diff --git a/playbooks/letsencrypt/letsencrypt.yml b/playbooks/letsencrypt/letsencrypt.yml index e46af14..a228a2c 100644 --- a/playbooks/letsencrypt/letsencrypt.yml +++ b/playbooks/letsencrypt/letsencrypt.yml @@ -31,6 +31,10 @@ changed_when: true ansible.builtin.command: certbot certonly --nginx -m secretbumblebee@proton.me --agree-tos -n --domains mail.secretbee.buzz + - name: Request matrix certificates + changed_when: true + ansible.builtin.command: certbot certonly --nginx -m secretbumblebee@proton.me --agree-tos -n --domains matrix.secretbee.buzz + - name: Add post hook script ansible.builtin.copy: src: irc-post-hook.sh diff --git a/playbooks/mail/99-local.conf.j2 b/playbooks/mail/99-local.conf.j2 new file mode 100644 index 0000000..7fd31a6 --- /dev/null +++ b/playbooks/mail/99-local.conf.j2 @@ -0,0 +1,27 @@ +service auth { + inet_listener auth-inet { + port = 12345 + } +} + +service lmtp { + inet_listener lmtp { + port = 2424 + } +} + +auth_mechanisms = plain login + +passdb passwd-file { + passwd_file_path = /etc/dovecot/users +} + +userdb passwd-file { + passwd_file_path = /etc/dovecot/users +} + +mail_home = /var/vmail/%{user | domain}/%{user | username} +mail_path = ~/mail + +ssl = required +auth_allow_cleartext = no diff --git a/playbooks/mail/docker-compose.yml.j2 b/playbooks/mail/docker-compose.yml.j2 index ab7082f..3c43e35 100644 --- a/playbooks/mail/docker-compose.yml.j2 +++ b/playbooks/mail/docker-compose.yml.j2 
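Review bot: `mail_home = /var/vmail/%{user | domain}/%{user | username}` does not match the persistent volume, which the compose file in this commit mounts at `/srv/vmail`, so mailboxes land in the container's writable layer and are lost on the next `podman-compose down`/image pull; use `mail_home = /srv/vmail/%{user | domain}/%{user | username}`. `ssl = required` is set but no `ssl_cert`/`ssl_key` are configured and no certificate is mounted into the dovecot service, so either the image's bundled (presumably self-signed) certificate is served to clients or startup fails — mount the letsencrypt chain as the postfix service does and add `ssl_cert = </etc/dovecot/fullchain.pem` and `ssl_key = </etc/dovecot/privkey.pem`. The `auth-inet` listener on 12345 is unauthenticated, which is acceptable only as long as it stays unpublished on the `mail` network, as it currently is.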
@@ -6,32 +6,50 @@ services: dovecot: image: docker.io/dovecot/dovecot:latest container_name: dovecot - restart: unless-stopped + restart: always networks: - mail volumes: - - mail_data:/srv/vmail + - /opt/mail/99-local.conf:/etc/dovecot/conf.d/99-local.conf:ro + - /opt/mail/users:/etc/dovecot/users:ro + - mail-data:/srv/vmail ports: - "31143:31143" - "31993:31993" - "31110:31110" - "31995:31995" - - "1465:1465" - "31587:31587" - "31024:31024" - "34190:34190" - "8080:8080" - - "127.0.01:9110:9110" + - "127.0.0.1:2424:2424" + - "127.0.0.1:9110:9110" postfix: image: git.secretbee.buzz/bee/postfix:latest container_name: postfix - restart: unless-stopped + restart: always + pull_policy: always networks: - mail volumes: - - /etc/letsencrypt/live/mail.secretbee.buzz/fullchain.pem:/etc/postfix/fullchain.pem - - /etc/letsencrypt/live/mail.secretbee.buzz/privkey.pem:/etc/postfix/privkey.pem + - /etc/letsencrypt/live/mail.secretbee.buzz/fullchain.pem:/etc/postfix/fullchain.pem:ro + - /etc/letsencrypt/live/mail.secretbee.buzz/privkey.pem:/etc/postfix/privkey.pem:ro + - /opt/mail/main.cf:/etc/postfix/main.cf:ro + - /opt/mail/master.cf:/etc/postfix/master.cf:ro + ports: + - "25:25" + - "587:587" + + opendkim: + image: git.secretbee.buzz/bee/opendkim:latest + container_name: opendkim + restart: always + networks: + - mail + volumes: + - /opt/mail/opendkim.conf:/etc/opendkim.conf:ro + - /opt/mail/mail.private:/etc/opendkim/keys/mail.private:ro volumes: mail-data: \ No newline at end of file diff --git a/playbooks/mail/mail.yml b/playbooks/mail/mail.yml new file mode 100644 index 0000000..1c2984a --- /dev/null +++ b/playbooks/mail/mail.yml 
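Review bot: The dovecot service still publishes eight ports to every host interface, including 31143 and 31110, which appear to be the image's plaintext IMAP/POP3 listeners, and 8080, an HTTP listener nothing in 99-local.conf configures; publish only the TLS ports that are actually served and drop or loopback-bind the rest, e.g. `- "127.0.0.1:8080:8080"`. The new `127.0.0.1:2424:2424` mapping is unnecessary since postfix reaches LMTP over the `mail` network via `lmtp:inet:dovecot:2424`. The certificate bind mounts resolve the `/etc/letsencrypt/live/...` symlinks when the container starts, so a renewed key pair is not seen by postfix until it restarts — add a certbot deploy hook that restarts the container, mirroring the irc post-hook already in the letsencrypt playbook. `pull_policy: always` together with `:latest` and `restart: always` means every restart silently adopts whatever is tagged latest in git.secretbee.buzz; pinning `image: git.secretbee.buzz/bee/postfix@sha256:…` keeps a compromised or broken push from deploying itself.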
@@ -0,0 +1,175 @@ +- name: Mail + hosts: pi + become: true + vars: + dkim_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 36363638363937326662323932306438333134613966313739393938383337656262373736653065 + 3736633466613763373161666236336630306565323433630a643937313131616565313434356461 + 32643261666565383935396230306664366332313338613438323332343139303338373039303932 + 3539373239336637300a656264633864666261613962316563373663373735393864306334626664 + 33363734366265663234373131613864386236323632363534363166343134373065313938313033 + 66383935306133306233623738353561656261313330346333653865336463386163393637333733 + 37306237633638383830613262646237643531343362336637366663363864353865323565326137 + 35316134373436323461356630623661306564636135313533383533366265613934303834356431 + 61343464613830626339393238636439333265383439336136666231363933356566366466386135 + 64376162616562646235613332613931623861373036366530313966306235626338326238623233 + 34616536346533656436623232643236623838336232343132643561653030643538643137643861 + 65393964336531383638613436323831346131393865373830346637616330646133316430343536 + 65336233306537633761643261316230326237393037636236366638616139343936396533646136 + 34363763333263346439633366626166393631323838306565356464326431393130633432353866 + 64343639366232303930373564323038366639646365326537326634366336323835333364663264 + 38373237656264366437333564363164356663613539623466383931623834626236656131316362 + 39623431356536343563356561653465653638333539643132303463383332373831346535626438 + 62333230383134346264616432343461313332386230353433643534326161306462623130656534 + 63386661363436653830626334616431353464663236356435643435643732396364616539363663 + 31363730333036313163353939343066343130396166376638366561373134393965353838356666 + 64623961393761363835353865613762393766356532306131323437646261616362653630643133 + 34323263653763343562323063343234643064613537626334306261396537663030366330613766 + 
64383533613736326562313362383066633437666438316535623131643431333636343030363363 + 66616433626536353135323937343862643930303963383066643032373931376636643831636139 + 61313530376566343635396430396230343836643632636335376362623962643638396434356264 + 38303233313461666135323632333637343363353534636334646532333763343433353931343936 + 37353530393561356636643865353866303637623433373737383535383565346532343738373862 + 38656366646433653636356432353963333531333538633364316261666334646639353165656130 + 62383637626537303433613836636431393637333234616632663739376464336134636261633164 + 34383939363136666263376634633733663366366432376134343333623639393131623234636537 + 63653838393530656131623536386166323963396434323736396234626239666333393765616633 + 38633535333836623861663161663565316631623862363561313237643735393933343238383262 + 36303531306566393961643836636438666539623835636234306536646335616231643134373032 + 31373364643738343131353066346464396565303630363230306435663136386138636266633436 + 61646630323066323833366262633735626438303436306161653033656232363761663762623932 + 63613733376434333164643036633961336534366238663566323538336665323131653735323265 + 36616361343732346531303030343565333638616261323137366361626465373231376162663830 + 61383664373238623536396336333264643235633162616665393463663561636461326565336334 + 30636430613232646265386133336437303339393338383332636262363165656432663764303263 + 66376436643865373632313162383433336536333862376665616535396437303762386265373631 + 39613865656235613465373864313462633838353039316161346166396632306638386533383865 + 30386365326161333066616432626236323263313163363238306161393265386332323733303763 + 62376430336630643161383130636230323538363464303838653733633837316663633565623863 + 62623364636262393065333636646433366365623662323238383336663764633864353863376337 + 35393737633639633035636534363865356631623035653839393338353366626561636430303066 + 39333563626561373365313232383633393364653463313866343235383734343234353637363432 + 
38336237616530373134333334666132333636353235313565623265303435363537343731303339 + 64366464663061333661643337653262333663623764396138386533623239363739343232613436 + 63396666663931666138616566326462646362306530643334343230316334383837353065656232 + 33656431316164623164363130323735386136666238326361333431383732323933353238383266 + 66313430323362393931393132306234393031306534616565366261626336363430343664656530 + 32303661313662616232303964323337663736633238356462313131343430653638386137306531 + 66643562623534613739363138336265393232646162376665653165333533333965656263623439 + 65363665663030356530633863393864363831313637336133333163636564363965313265363263 + 36626134646238373530303132383734363166323937653030383639643637626332343863633961 + 36313065346537666232623232383333386561353139373133633033326235653738636439363139 + 30663365653935366266613933623838653133623435393633636537316163373461633863646133 + 30623463613231366438633431396330396363646664653534383531346163343037363764373436 + 62326166336639663434386261333261616334366465383132333231623034613364623661373865 + 65636435666235336339373335623934633861393764366535373365306336666131663330353031 + 32313762663363303739346365346263393733363864636637333666343561363332336132326264 + 32353166626266633564646362663862353433393535643938383131373737393366383038396430 + 36363738326630376432666637373562666366646536393363633365306637643564316234643430 + 61316234333165303532333963626635353538363832303833343532333934393264653864366339 + 63656431626132303761396361326464613563353632633633393261666366393536306133353765 + 37663337633363366139343237663565663232623266313530633630316238633566373336373065 + 35343133363234393137303631353932313561373466333438636263326566623336633235643965 + 32636536373231623565363939393764393964343265356235613134336263383131633330333838 + 63316361636234313836353264346334386639623861643239646163663462306630633064366261 + 39663639336439386439663039653462656338623237393033306539353435623039383333623163 + 
39366563643731663835303763386365373232393435366664343264323035333631326331626437 + 36643130333138616631366465396635323666393339386438303161623364393433386431353665 + 32396239396333623061623563643933356130613166653933363636303937336665613763613265 + 39633635326339616539346664653065386531646661343438636565363939613633323266326462 + 65353339333233633931363830663835616661626663323961316562343739383063646164333939 + 34383163326664303130333434646633346563373630653532393264336132313264343134326132 + 30323934346531393931353365303430393461333065386636346139643731383866373636353234 + 30623665386331333639623639353766313633383539613864306336316562393533356237333331 + 32623838666535353462393762616236336663376537316163356461366238326637303164336666 + 31356234633832396436643663343961663763366266396464636661323064366338383634393731 + 30666135316430643038663936623832306435653161373435616138376162356232633636356238 + 64353433656366366266633932653264376232313633383163663066663132373733356662353932 + 62333239336163303632356231363164343039613431363664626662316265396338336162373239 + 31366539376566323032616335616263623162623934323034383364663436323366636139313838 + 64663839623266373338306439616337653237616365663463323739366431663839303839636663 + 61346534386435646632396566396535636136393337343039333364643433303165383761666437 + 36396232313965353334643664663464343537346430373334393461303965663230313836323966 + 65303930373664316234346364336430383838643164616338653034393836396166633866366131 + 65336237346635626362663439376339303439303263653238346563333738386266 + + tasks: + - name: Install podman + ansible.builtin.apt: + name: podman + state: present + + - name: Install podman-compose + ansible.builtin.apt: + name: podman-compose + state: present + + - name: Stop exim4 + ansible.builtin.service: + name: exim4 + state: stopped + enabled: false + + - name: Create mail directories + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: '0755' + loop: + - /opt/mail + + - name: 
Compose down + changed_when: true + failed_when: false + ansible.builtin.command: + cmd: podman-compose down + chdir: /opt/mail + + - name: Copy compose + ansible.builtin.template: + src: docker-compose.yml.j2 + dest: /opt/mail/docker-compose.yml + mode: '0644' + + - name: Copy Dovecot config + ansible.builtin.template: + src: 99-local.conf.j2 + dest: /opt/mail/99-local.conf + mode: '0644' + + - name: Copy main.cf + ansible.builtin.template: + src: main.cf.j2 + dest: /opt/mail/main.cf + mode: '0644' + + - name: Copy master.cf + ansible.builtin.template: + src: master.cf.j2 + dest: /opt/mail/master.cf + mode: '0644' + + - name: Copy Users + ansible.builtin.template: + src: users.j2 + dest: /opt/mail/users + mode: '0644' + + - name: Copy mail.private + ansible.builtin.copy: + src: mail.private + dest: /opt/mail/mail.private + mode: '0600' + + - name: Copy opendkim.conf + ansible.builtin.template: + src: opendkim.conf.j2 + dest: /opt/mail/opendkim.conf + mode: '0644' + + - name: Compose up + changed_when: true + ansible.builtin.command: + cmd: podman-compose up -d + chdir: /opt/mail diff --git a/playbooks/mail/main.cf.j2 b/playbooks/mail/main.cf.j2 new file mode 100644 index 0000000..60536e4 --- /dev/null +++ b/playbooks/mail/main.cf.j2 
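Review bot: The vaulted `dkim_key` variable is never referenced: the `Copy mail.private` task copies a plain `mail.private` file from the playbook directory, which this commit also gitignores via `*.private`, so deployment depends on an untracked local file while the encrypted copy in the repo is dead weight. Use the vault value directly, `ansible.builtin.copy: content: "{{ dkim_key }}"` with `no_log: true` on that task, and delete the loose file. The `Copy Users` task writes the Dovecot passwd file, which carries a password hash, with `mode: '0644'`, making it readable by every local account on the host; `mode: '0600'` is enough for the root-owned bind mount (hedged: the dovecot process inside the container must still be able to read it — confirm which uid the image uses).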
@@ -0,0 +1,60 @@
+# Postfix main configuration
+# https://www.postfix.org/postconf.5.html
+
+# --- Identity ---
+myhostname = mail.secretbee.buzz
+mydomain = secretbee.buzz
+myorigin = $mydomain
+
+# --- Network ---
+inet_interfaces = all
+inet_protocols = ipv4
+
+# --- Local delivery ---
+mydestination = $myhostname, localhost.$mydomain, localhost
+
+# --- Relay ---
+mynetworks = 127.0.0.0/8
+relayhost =
+
+# --- Virtual mailboxes ---
+virtual_mailbox_domains = $mydomain
+virtual_transport = lmtp:inet:dovecot:2424
+
+# --- TLS ---
+smtp_tls_security_level = enforce
+smtp_tls_loglevel = 1
+smtpd_tls_chain_files =
+ /etc/postfix/fullchain.pem
+ /etc/postfix/privkey.pem
+smtpd_tls_loglevel = 1
+
+# --- SASL (auth delegated to Dovecot) ---
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = inet:dovecot:12345
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_security_options = noanonymous
+smtpd_recipient_restrictions =
+ permit_sasl_authenticated,
+ permit_mynetworks,
+ reject_unauth_destination
+
+# --- Limits ---
+message_size_limit = 52428800
+
+disable_vrfy_command = yes
+smtpd_helo_required = yes
+smtpd_banner = $myhostname ESMTP
+smtpd_helo_restrictions =
+ permit_mynetworks,
+ reject_invalid_helo_hostname,
+ reject_non_fqdn_helo_hostname
+smtpd_sender_restrictions =
+ permit_mynetworks,
+ reject_non_fqdn_sender,
+ reject_unknown_sender_domain
+
+milter_protocol = 6
+milter_default_action = accept
+smtpd_milters = inet:opendkim:8891
+non_smtpd_milters = inet:opendkim:8891
\ No newline at end of file
diff --git a/playbooks/mail/master.cf.j2 b/playbooks/mail/master.cf.j2
new file mode 100644
index 0000000..3f06d5b
--- /dev/null
+++ b/playbooks/mail/master.cf.j2
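Review bot: `smtpd_tls_security_level` is never set, and Postfix's default leaves smtpd TLS off, so port 25 advertises no STARTTLS at all despite the `smtpd_tls_chain_files` block — only the submission service (which overrides it to `encrypt` in master.cf) gets TLS; add `smtpd_tls_security_level = may` to the TLS section. `smtp_tls_security_level = enforce` is not a documented level (none, may, encrypt, dane, dane-only, fingerprint, verify, secure), so outbound delivery will at best log a warning and at worst fail, and mandatory TLS to every remote MX would bounce mail to domains without it — `smtp_tls_security_level = may` (or `dane` with a validating resolver) is the usual choice. `virtual_mailbox_domains = $mydomain` with no `virtual_mailbox_maps` means any recipient at the domain is accepted at SMTP time and only rejected by Dovecot LMTP afterwards, which turns dictionary spam into backscatter bounces; add a `virtual_mailbox_maps` table matching the Dovecot users file, or `reject_unverified_recipient` in `smtpd_recipient_restrictions`.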
@@ -0,0 +1,41 @@ +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (no) (never) (100) +# ========================================================================== + +# Port 25: inbound MX delivery — TLS optional, no auth required +smtp inet n - n - - smtpd + +# Port 587: authenticated submission — TLS + SASL required +submission inet n - n - - smtpd + -o syslog_name=postfix/submission + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject + +pickup unix n - n 60 1 pickup +cleanup unix n - n - 0 cleanup +qmgr unix n - n 300 1 qmgr +tlsmgr unix - - n 1000? 1 tlsmgr +rewrite unix - - n - - trivial-rewrite +bounce unix - - n - 0 bounce +defer unix - - n - 0 bounce +trace unix - - n - 0 bounce +verify unix - - n - 1 verify +flush unix n - n 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - n - - smtp +relay unix - - n - - smtp + -o syslog_name=postfix/$service_name +showq unix n - n - - showq +error unix - - n - - error +retry unix - - n - - error +discard unix - - n - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - n - - lmtp +anvil unix - - n - 1 anvil +scache unix - - n - 1 scache +postlog unix-dgram n - n - 1 postlogd diff --git a/playbooks/mail/opendkim.conf.j2 b/playbooks/mail/opendkim.conf.j2 new file mode 100644 index 0000000..62a1a22 --- /dev/null +++ b/playbooks/mail/opendkim.conf.j2 @@ -0,0 +1,6 @@ +Syslog yes +Domain secretbee.buzz +Selector mail +KeyFile /etc/opendkim/keys/mail.private +Socket inet:8891@0.0.0.0 +OversignHeaders From \ No newline at end of file diff --git a/playbooks/mail/users.j2 b/playbooks/mail/users.j2 new file mode 100644 index 0000000..f645076 --- /dev/null +++ b/playbooks/mail/users.j2 
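Review bot: The `smtp inet` service on port 25 inherits `smtpd_sasl_auth_enable = yes` from main.cf with no TLS requirement, so AUTH PLAIN/LOGIN is offered to anyone on the plaintext MX port and a client that tries it sends credentials in the clear; Dovecot's `auth_allow_cleartext = no` does not cover Postfix's SASL path. Either restrict AUTH to the submission service, `smtp inet n - n - - smtpd` followed by `-o smtpd_sasl_auth_enable=no`, or set `smtpd_tls_auth_only = yes` in main.cf so AUTH is only advertised after STARTTLS. The comment on the port-25 line says "TLS optional", but with main.cf as committed no STARTTLS is offered there at all (see `smtpd_tls_security_level`).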
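Review bot: OpenDKIM signs only mail arriving from `InternalHosts`, which defaults to 127.0.0.1, and here Postfix connects to the milter from another container over the `mail` network, so outbound mail is most likely verified rather than signed and leaves without a DKIM-Signature (hedged: unless the image defaults differ). Add `InternalHosts refile:/etc/opendkim/TrustedHosts` listing the podman `mail` network range, or at minimum the postfix container's address, and state the intent explicitly with `Mode sv`. `Socket inet:8891@0.0.0.0` binds every container interface, which is acceptable only while the service publishes no ports, as it currently does not — worth a comment so a later `ports:` addition does not expose an unauthenticated milter.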
@@ -0,0 +1 @@
+bee@secretbee.buzz:{SHA512-CRYPT}$6$GRG/tBZAy62JjDXM$8DyA2Ii0aS2VPJlDs8ML.UjblfI1PYbG5VRmbSjeJB3nii8h9a3F5S7NDxieqBUOeVsa4LIfyp/6tC/dnDnpW.::::::
\ No newline at end of file
diff --git a/playbooks/matrix/docker-compose.yml.j2 b/playbooks/matrix/docker-compose.yml.j2
new file mode 100644
index 0000000..f9396e1
--- /dev/null
+++ b/playbooks/matrix/docker-compose.yml.j2
@@ -0,0 +1,25 @@
+services:
+ homeserver:
+ image: "forgejo.ellis.link/continuwuation/continuwuity:latest"
+ restart: always
+ command: /sbin/conduwuit
+ ports:
+ - 127.0.0.1:8008:8008
+ volumes:
+ - db:/var/lib/continuwuity
+ - /opt/matrix/resolv.conf:/etc/resolv.conf
+ #- ./continuwuity.toml:/etc/continuwuity.toml
+ environment:
+ CONTINUWUITY_SERVER_NAME: matrix.secretbee.buzz
+ CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
+ CONTINUWUITY_ADDRESS: 0.0.0.0
+ CONTINUWUITY_PORT: 8008
+ #CONTINUWUITY_CONFIG: '/etc/continuwuity.toml' # Uncomment if you mapped config toml above
+ CONTINUWUITY_WELL_KNOWN: |
+ {
+ client=https://secretbee.buzz,
+ server=secretbee.buzz:443
+ }
+
+volumes:
+ db:
diff --git a/playbooks/matrix/matrix.yml b/playbooks/matrix/matrix.yml
new file mode 100644
index 0000000..417ba41
--- /dev/null
+++ b/playbooks/matrix/matrix.yml
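Review bot: `users.j2` commits a live SHA512-CRYPT password hash for `bee@secretbee.buzz` to the repository; the `.gitignore` additions in this commit only cover `*.private` and `*.secret`, so this hash is now in git history and available for offline cracking even if the line is later removed. Move the entry into a vaulted variable and render it, e.g. `{{ dovecot_users }}`, and rotate the password since the current hash is already published. The empty uid/gid/home fields (`::::::`) mean Dovecot must get `mail_uid`/`mail_gid` from somewhere else; 99-local.conf does not set them, so confirm the image supplies defaults or delivery will fail with a userdb error.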
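Review bot: The `CONTINUWUITY_WELL_KNOWN` value is not syntactically valid in either shape it resembles — it is not JSON (bare `client=…` keys, no quotes) and not a TOML inline table (which must be on one line with quoted string values) — so the homeserver will most likely reject or ignore it; check the image's documented format before relying on it. Its `server=secretbee.buzz:443` also delegates federation to the apex on 443 while `CONTINUWUITY_SERVER_NAME` is matrix.secretbee.buzz and the nginx site in this commit only fronts matrix.secretbee.buzz, so remote servers will look for `/.well-known/matrix/server` and `/_matrix` where nothing in this diff serves them. The `resolv.conf` bind mount should be read-only, `- /opt/matrix/resolv.conf:/etc/resolv.conf:ro`, and `image: …continuwuity:latest` with `restart: always` pulls an unpinned third-party image — pin a tag or digest.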
@@ -0,0 +1,47 @@ +- name: Matrix + hosts: pi + become: true + + tasks: + - name: Install podman + ansible.builtin.apt: + name: podman + state: present + + - name: Install podman-compose + ansible.builtin.apt: + name: podman-compose + state: present + + - name: Create matrix directories + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: '0755' + loop: + - /opt/matrix + + - name: Compose down + changed_when: true + failed_when: false + ansible.builtin.command: + cmd: podman-compose down + chdir: /opt/matrix + + - name: Copy resolv.conf + ansible.builtin.template: + src: resolv.conf.j2 + dest: /opt/matrix/resolv.conf + mode: '0644' + + - name: Copy compose + ansible.builtin.template: + src: docker-compose.yml.j2 + dest: /opt/matrix/docker-compose.yml + mode: '0644' + + - name: Compose up + changed_when: true + ansible.builtin.command: + cmd: podman-compose up -d + chdir: /opt/matrix diff --git a/playbooks/matrix/resolv.conf.j2 b/playbooks/matrix/resolv.conf.j2 new file mode 100644 index 0000000..6ce9d15 --- /dev/null +++ b/playbooks/matrix/resolv.conf.j2 @@ -0,0 +1,2 @@ +nameserver 1.0.0.1 +nameserver 1.1.1.1 \ No newline at end of file diff --git a/playbooks/monitoring/docker-compose.yml.j2 b/playbooks/monitoring/docker-compose.yml.j2 index 2b83322..ef9a410 100644 --- a/playbooks/monitoring/docker-compose.yml.j2 +++ b/playbooks/monitoring/docker-compose.yml.j2 @@ -6,7 +6,7 @@ services: prometheus: image: docker.io/prom/prometheus container_name: prometheus - restart: unless-stopped + restart: always ports: - '127.0.0.1:9090:9090' volumes: @@ -18,7 +18,7 @@ services: grafana: image: docker.io/grafana/grafana container_name: grafana - restart: unless-stopped + restart: always ports: - '4000:4000' volumes: @@ -42,7 +42,7 @@ services: - loki-data:/loki - /opt/monitoring/local-config.yml:/etc/loki/local-config.yaml command: -config.file=/etc/loki/local-config.yaml - restart: unless-stopped + restart: always networks: - monitoring 
@@ -67,11 +67,12 @@ services: - --stability.level=experimental networks: - monitoring + restart: always podman-exporter: image: quay.io/navidys/prometheus-podman-exporter container_name: podman-exporter - restart: unless-stopped + restart: always privileged: true user: root ports: diff --git a/playbooks/nginx/sites-enabled/matrix.secretbee.buzz b/playbooks/nginx/sites-enabled/matrix.secretbee.buzz new file mode 100644 index 0000000..b4037f7 --- /dev/null +++ b/playbooks/nginx/sites-enabled/matrix.secretbee.buzz @@ -0,0 +1,33 @@ +server { + listen 80; + server_name matrix.secretbee.buzz; + + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl; + server_name matrix.secretbee.buzz; + + limit_req zone=mylimit burst=20; + + add_header Strict-Transport-Security "max-age=31536000, includeSubDomains" always; + + ssl_certificate /etc/letsencrypt/live/matrix.secretbee.buzz/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/matrix.secretbee.buzz/privkey.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!aNULL:!MD5; + + location / { + client_max_body_size 512M; + proxy_pass http://localhost:8008; + proxy_set_header Connection $http_connection; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } +} diff --git a/playbooks/ufw/ufw.yml b/playbooks/ufw/ufw.yml index 9f3ba40..e9b27e5 100644 --- a/playbooks/ufw/ufw.yml +++ b/playbooks/ufw/ufw.yml @@ -17,6 +17,12 @@ name: OpenSSH route: true + - name: Allow samba + community.general.ufw: + rule: allow + name: samba + route: true + - name: UFW - Allow HTTP connections community.general.ufw: rule: allow
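Review bot: The HSTS header is malformed: `"max-age=31536000, includeSubDomains"` separates directives with a comma, but RFC 6797 requires `;`, so browsers discard the header and HSTS is never applied to matrix.secretbee.buzz. Use `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` (and note `includeSubDomains` on a subdomain only affects hosts under matrix.secretbee.buzz). `ssl_ciphers HIGH:!aNULL:!MD5` still admits TLS 1.2 CBC and non-forward-secret suites; the Mozilla intermediate list plus `ssl_prefer_server_ciphers off` is the usual baseline. `limit_req zone=mylimit` references a zone that must be defined in the main nginx config, which is outside this diff — confirm it exists or nginx will refuse to start.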
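Review bot: `Allow samba` is added with no source restriction, so the `samba` application profile (SMB/NetBIOS ports) is opened to any address via the forward chain on a host that this same commit exposes to the Internet for mail and Matrix. Restrict it to the LAN, e.g. add `src: "{{ lan_cidr }}"` (or the concrete RFC 1918 range) under the rule, and confirm `route: true` is actually what is wanted — it affects forwarded (container) traffic, not Samba running on the host itself.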