diff --git a/.vscode/tasks.json b/.vscode/tasks.json
index b39ea64..0bd6aa4 100644
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -130,6 +130,16 @@
 "panel": "dedicated"
 }
 },
+ {
+ "label": "Deploy: immich",
+ "type": "shell",
+ "command": "make deploy-immich",
+ "group": "build",
+ "presentation": {
+ "reveal": "always",
+ "panel": "dedicated"
+ }
+ },
 {
 "label": "Build & Push: postfix",
 "type": "shell",
diff --git a/archive/anope/anope.yml b/archive/anope/anope.yml
index 47714e3..af99d6d 100644
--- a/archive/anope/anope.yml
+++ b/archive/anope/anope.yml
@@ -1,5 +1,5 @@
 - name: Nginx
- hosts: pi
+ hosts: beepi
 become: true
 vars:
 uplink_password: !vault |
diff --git a/archive/inspircd/inspircd.yml b/archive/inspircd/inspircd.yml
index d40447a..40d941e 100644
--- a/archive/inspircd/inspircd.yml
+++ b/archive/inspircd/inspircd.yml
@@ -1,5 +1,5 @@
 - name: Inspircd
- hosts: pi
+ hosts: beepi
 become: true
 vars:
 inspircd_sendpass: !vault |
diff --git a/archive/thelounge/thelounge.yml b/archive/thelounge/thelounge.yml
index a258936..5db73b8 100644
--- a/archive/thelounge/thelounge.yml
+++ b/archive/thelounge/thelounge.yml
@@ -1,5 +1,5 @@
 - name: Thelounge
- hosts: pi
+ hosts: beepi
 become: true
 tasks:
 - name: Install nodejs
diff --git a/playbooks/autodns/autodns.yml b/playbooks/autodns/autodns.yml
index 844c03a..efed651 100644
--- a/playbooks/autodns/autodns.yml
+++ b/playbooks/autodns/autodns.yml
@@ -1,5 +1,5 @@
 - name: Inspircd
- hosts: pi
+ hosts: beepi
 become: true
 vars:
 njalla_api_token: !vault |
diff --git a/playbooks/backup/backup.yml b/playbooks/backup/backup.yml
index e174391..ff17140 100644
--- a/playbooks/backup/backup.yml
+++ b/playbooks/backup/backup.yml
@@ -1,5 +1,5 @@
 - name: Backup
- hosts: pi
+ hosts: beepi
 become: true
 vars:
 gpg_password: !vault |
diff --git a/playbooks/fail2ban-ingress/fail2ban-ingress.yml b/playbooks/fail2ban-ingress/fail2ban-ingress.yml
new file mode 100644
index 0000000..34e3992
--- /dev/null
+++ b/playbooks/fail2ban-ingress/fail2ban-ingress.yml
@@ -0,0 +1,29 @@
+- name: Fail2ban-ingress
+ hosts: animeistrash
+ become: true
+
+ tasks:
+ - name: Install fail2ban
+ ansible.builtin.apt:
+ name: fail2ban
+ state: present
+
+ - name: Create user
+ ansible.builtin.user:
+ name: fail2forward
+ create_home: true
+
+ - name: Copy jail.local
+ ansible.builtin.template:
+ src: jail.local.j2
+ dest: /etc/fail2ban/jail.local
+ owner: root
+ group: root
+ mode: '0644'
+ notify: Restart fail2ban
+
+ handlers:
+ - name: Restart fail2ban
+ ansible.builtin.service:
+ name: fail2ban
+ state: restarted
diff --git a/playbooks/fail2ban-ingress/jail.local.j2 b/playbooks/fail2ban-ingress/jail.local.j2
new file mode 100644
index 0000000..6f19ec6
--- /dev/null
+++ b/playbooks/fail2ban-ingress/jail.local.j2
@@ -0,0 +1,27 @@
+[DEFAULT]
+bantime = 24h
+findtime = 10m
+maxretry = 5
+banaction = ufw
+bantime.increment = true
+bantime.multipliers = 1 5 30 60 300 720 1440 2880
+
+[sshd]
+enabled = true
+port = ssh,2222,4444
+
+[nginx-http-auth]
+enabled = true
+
+[nginx-limit-req]
+enabled = true
+
+[postfix]
+enabled = true
+port = smtp,submission
+logpath = /opt/beeserver/mail/mail-logs/mail.log
+
+[dovecot]
+enabled = true
+port = imaps,pop3s
+logpath = /opt/beeserver/mail/mail-logs/mail.log
\ No newline at end of file
diff --git a/playbooks/fail2ban/fail2ban.yml b/playbooks/fail2ban/fail2ban.yml
index 97baf7d..cb28ab6 100644
--- a/playbooks/fail2ban/fail2ban.yml
+++ b/playbooks/fail2ban/fail2ban.yml
@@ -1,5 +1,5 @@
 - name: Fail2ban
- hosts: pi
+ hosts: beepi
 become: true
 tasks:
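Review bot: The `Create user` task adds `fail2forward` with the default login shell, no authorized key and no further use anywhere in this play, so on the ingress host it is simply one more login-capable account. The name suggests it is the receiving end of the key the `fail2ban` play generates on beepi, but that wiring is absent; until it exists I would drop the task, or add an `ansible.builtin.authorized_key` task that installs the public key with `key_options: 'command="<ban-sync command>",no-port-forwarding,no-pty,no-X11-forwarding'` so the key can only run the intended command. A short comment on the task stating what the account is for would also help the next reader.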
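Review bot: `[postfix]` and `[dovecot]` set `logpath = /opt/beeserver/mail/mail-logs/mail.log`, which looks like the mail host's layout, while this template is deployed to `animeistrash`; if that file is absent there fail2ban will refuse to start those jails, and on the fail2ban releases I have worked with that aborts the whole service start, silently losing the `sshd` jail too. Either drop the mail jails from the ingress template or, on fail2ban 1.0.1+, add `skip_if_nologs = true` to those two sections so a missing log only skips the jail. `banaction = ufw` also presumes ufw is installed and enabled on this host, which this play does not do — the `ufw` play targets beepi — so either add it here or note the dependency in a comment at the top of the file.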
@@ -8,6 +8,27 @@
 name: fail2ban
 state: present
+ - name: Create user
+ ansible.builtin.user:
+ name: fail2forward
+ create_home: true
+
+ - name: Create key
+ ansible.builtin.user:
+ name: fail2forward
+ generate_ssh_key: true
+ ssh_key_bits: 2048
+ ssh_key_file: .ssh/id_rsa
+ register: ssh_public_key
+
+ - name: Save public key locally
+ ansible.builtin.copy:
+ content: "{{ ssh_public_key.ssh_public_key }}"
+ dest: ./fail2forward_id_rsa.pub
+ mode: '0644'
+ delegate_to: localhost
+ become: false
+
 - name: Copy jail.local
 ansible.builtin.template:
 src: jail.local.j2
diff --git a/playbooks/gitea/gitea.yml b/playbooks/gitea/gitea.yml
index c314f53..3a113df 100644
--- a/playbooks/gitea/gitea.yml
+++ b/playbooks/gitea/gitea.yml
@@ -1,5 +1,5 @@
 - name: Inspircd
- hosts: pi
+ hosts: beepi
 become: true
 vars:
 gitea_db_password: !vault |
diff --git a/playbooks/immich/immich-db.container.j2 b/playbooks/immich/immich-db.container.j2
index 2cd8729..ce9b1c9 100644
--- a/playbooks/immich/immich-db.container.j2
+++ b/playbooks/immich/immich-db.container.j2
@@ -7,7 +7,7 @@
 Image=ghcr.io/immich-app/postgres:14-vectorchord0.4.3
 Network=immich.network
 Volume=immich-pgdata.volume:/var/lib/postgresql/data
 Environment=POSTGRES_USER=immich
-Environment=POSTGRES_PASSWORD={{ pico_db_password }}
+Environment=POSTGRES_PASSWORD={{ immich_db_password }}
 Environment=POSTGRES_DB=immich
 [Service]
diff --git a/playbooks/immich/immich-server.container.j2 b/playbooks/immich/immich-server.container.j2
index 450975a..d03fd00 100644
--- a/playbooks/immich/immich-server.container.j2
+++ b/playbooks/immich/immich-server.container.j2
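Review bot: `Create key` generates a passphrase-less RSA-2048 key at `.ssh/id_rsa`; for a new machine-to-machine key ed25519 is the better default (no key-size choice to get wrong, smaller, constant-time), so `ssh_key_type: ed25519`, drop `ssh_key_bits: 2048`, and `ssh_key_file: .ssh/id_ed25519` (renaming the local copy to match). The two `ansible.builtin.user` calls on `fail2forward` can be one task carrying `generate_ssh_key`, which saves a second module run on every play. Nothing here installs the key on the peer or restricts what it may run, so until the receiving host has an `authorized_key` with a forced command this private key grants whatever that account allows — worth a comment on the task so the dependency is visible. The play this hunk belongs to starts outside the hunk.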
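Review bot: The Postgres password is still rendered as a plain `Environment=` line; the quadlet itself is now 0600, but the value stays readable through `podman inspect` / `systemctl --user show` and in the environment of the container's podman/conmon processes for that user. Quadlet supports `Secret=immich-db-password,type=env,target=POSTGRES_PASSWORD`, which keeps the secret out of the unit file entirely; it needs a one-off `podman secret create` as the immich user in the playbook and the matching `Secret=` line for `DB_PASSWORD` in the server quadlet. If that is more than you want here, at minimum keep the two templates on the same vault variable name so a future rename cannot leave one side pointing at an undefined variable.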
@@ -11,9 +11,10 @@
 PublishPort=127.0.0.1:2283:2283
 Volume=immich-upload.volume:/usr/src/app/upload
 Environment=DB_HOSTNAME=immich-db
 Environment=DB_USERNAME=immich
-Environment=DB_PASSWORD={{ pico_db_password }}
+Environment=DB_PASSWORD={{ immich_db_password }}
 Environment=DB_DATABASE_NAME=immich
 Environment=REDIS_HOSTNAME=immich-redis
+Environment=IMMICH_MACHINE_LEARNING_ENABLED=false
 [Service]
 Restart=on-failure
diff --git a/playbooks/immich/immich.yml b/playbooks/immich/immich.yml
index 3c6b8b5..ed7e710 100644
--- a/playbooks/immich/immich.yml
+++ b/playbooks/immich/immich.yml
@@ -1,11 +1,8 @@
 - name: Immich
- hosts: pi
+ hosts: beepi
 become: true
 vars:
- immich_user: immich
- immich_home: /home/immich
- quadlet_dir: "{{ immich_home }}/.config/containers/systemd"
- pico_db_password: !vault |
+ immich_db_password: !vault |
 $ANSIBLE_VAULT;1.1;AES256
 64666332336435616365303563636634373333346537643336626235316432643336303665646463
 3735653065653561643635376237393666313137303661370a336664623937623061313663303835
@@ -14,46 +11,50 @@
 30633861353033656264663439623264383536376664613665613138623262623261
 tasks:
- - name: Install podman
+ - name: Install dependencies
 ansible.builtin.apt:
- name: podman
+ name: "{{ item }}"
 state: present
+ loop:
+ - podman
+ - systemd-container
+ - passt
 - name: Create immich user
 ansible.builtin.user:
- name: "{{ immich_user }}"
- home: "{{ immich_home }}"
+ name: immich
+ home: /home/immich
 shell: /usr/sbin/nologin
 create_home: true
 register: immich_user_info
 - name: Enable linger
 ansible.builtin.command:
- cmd: "loginctl enable-linger {{ immich_user }}"
- creates: "/var/lib/systemd/linger/{{ immich_user }}"
+ cmd: "loginctl enable-linger immich"
+ creates: "/var/lib/systemd/linger/immich"
 - name: Create quadlet directory
 ansible.builtin.file:
- path: "{{ quadlet_dir }}"
+ path: "/home/immich/.config/containers/systemd"
 state: directory
- owner: "{{ immich_user }}"
- group: "{{ immich_user }}"
+ owner: "immich"
+ group: "immich"
 mode: '0755'
- - name: Deploy network
+ - name: Copy network
 ansible.builtin.copy:
- dest: "{{ quadlet_dir }}/immich.network"
+ dest: "/home/immich/.config/containers/systemd/immich.network"
 content: "[Network]\n"
- owner: "{{ immich_user }}"
- group: "{{ immich_user }}"
+ owner: immich
+ group: immich
 mode: '0644'
- - name: Deploy volumes
+ - name: Copy volumes
 ansible.builtin.copy:
- dest: "{{ quadlet_dir }}/{{ item }}.volume"
+ dest: "/home/immich/.config/containers/systemd/{{ item }}.volume"
 content: "[Volume]\n"
- owner: "{{ immich_user }}"
- group: "{{ immich_user }}"
+ owner: immich
+ group: immich
 mode: '0644'
 loop:
 - immich-pgdata
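Review bot: `Install dependencies` loops `ansible.builtin.apt` once per package, so every play runs three separate apt transactions; the module takes a list, so `name: [podman, systemd-container, passt]` with the `loop` removed installs them in one transaction and reports a single result. Rootless podman for `immich` also depends on subuid/subgid ranges — presumably allocated by `useradd` on Debian, but nothing here checks `/etc/subuid`, so a one-line comment on `Create immich user` stating that assumption would save the next person a confusing `newuidmap` failure. Replacing the `immich_user`/`quadlet_dir` variables with the literal path in eight places is a step backwards for maintainability; a `vars:` entry for the quadlet directory would keep the edits in one spot. The hunk ends inside the `Copy volumes` loop, which continues past it.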
@@ -62,29 +63,30 @@
 - name: Deploy db quadlet
 ansible.builtin.template:
 src: immich-db.container.j2
- dest: "{{ quadlet_dir }}/immich-db.container"
- owner: "{{ immich_user }}"
- group: "{{ immich_user }}"
- mode: '0644'
+ dest: "/home/immich/.config/containers/systemd/immich-db.container"
+ owner: immich
+ group: immich
+ mode: '0600'
 - name: Deploy redis quadlet
 ansible.builtin.copy:
 src: immich-redis.container
- dest: "{{ quadlet_dir }}/immich-redis.container"
- owner: "{{ immich_user }}"
- group: "{{ immich_user }}"
+ dest: "/home/immich/.config/containers/systemd/immich-redis.container"
+ owner: immich
+ group: immich
 mode: '0644'
 - name: Deploy server quadlet
 ansible.builtin.template:
 src: immich-server.container.j2
- dest: "{{ quadlet_dir }}/immich-server.container"
- owner: "{{ immich_user }}"
- group: "{{ immich_user }}"
- mode: '0644'
+ dest: "/home/immich/.config/containers/systemd/immich-server.container"
+ owner: immich
+ group: immich
+ mode: '0600'
 - name: Reload user systemd
- become_user: "{{ immich_user }}"
+ become: true
+ become_user: immich
 environment:
 XDG_RUNTIME_DIR: "/run/user/{{ immich_user_info.uid }}"
 DBUS_SESSION_BUS_ADDRESS: "unix:path=/run/user/{{ immich_user_info.uid }}/bus"
@@ -92,8 +94,14 @@
 daemon_reload: true
 scope: user
+ - name: Start user manager for immich
+ ansible.builtin.systemd:
+ name: "user@{{ immich_user_info.uid }}.service"
+ state: started
+
 - name: Start immich-server
- become: true
+ become: true
+ become_user: immich
 environment:
 XDG_RUNTIME_DIR: "/run/user/{{ immich_user_info.uid }}"
 DBUS_SESSION_BUS_ADDRESS: "unix:path=/run/user/{{ immich_user_info.uid }}/bus"
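Review bot: `Start user manager for immich` is placed after `Reload user systemd`, but that reload already needs `user@<uid>.service` running to provide `/run/user/<uid>/bus`; on a fresh host the first run therefore relies on `loginctl enable-linger` having spawned the manager as a side effect rather than on this task. Move the task above `Reload user systemd` (whose start is in the previous hunk) so the play order matches the dependency, and add a comment such as `# user manager must be up before any --user daemon-reload / start` so nobody reorders it back. The new `become: true` lines are redundant with the play-level `become: true` but harmless.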
@@ -101,3 +109,10 @@
 name: immich-server.service
 state: started
 scope: user
+
+ - name: Debug
+ ansible.builtin.debug:
+ msg:
+ - "Service status: systemctl --user --machine {{ immich_user_info.name }}@.host status immich-server"
+ - "Read logs: sudo journalctl _UID={{ immich_user_info.uid }} -n 200 --no-pager"
+ - "Shell: machinectl shell {{ immich_user_info.name }}@.host /bin/bash"
diff --git a/playbooks/letsencrypt/letsencrypt.yml b/playbooks/letsencrypt/letsencrypt.yml
index ffa4f05..b446add 100644
--- a/playbooks/letsencrypt/letsencrypt.yml
+++ b/playbooks/letsencrypt/letsencrypt.yml
@@ -1,5 +1,5 @@
 - name: Letsencrypt
- hosts: pi
+ hosts: beepi
 become: true
 tasks:
 - name: Install Certbot
@@ -9,31 +9,14 @@
 - name: Request root certificates
 changed_when: true
- ansible.builtin.command: certbot certonly --nginx -m secretbumblebee@proton.me --agree-tos -n --domains secretbee.buzz
-
- - name: Request root certificates
- changed_when: true
- ansible.builtin.command: certbot certonly --nginx -m secretbumblebee@proton.me --agree-tos -n --domains lounge.secretbee.buzz
-
- - name: Request irc certificates
- changed_when: true
- ansible.builtin.command: certbot certonly --nginx -m secretbumblebee@proton.me --agree-tos -n --domains irc.secretbee.buzz
-
- - name: Request git certificates
- changed_when: true
- ansible.builtin.command: certbot certonly --nginx -m secretbumblebee@proton.me --agree-tos -n --domains git.secretbee.buzz
-
- - name: Request grafana certificates
- changed_when: true
- ansible.builtin.command: certbot certonly --nginx -m secretbumblebee@proton.me --agree-tos -n --domains grafana.secretbee.buzz
-
- - name: Request mail certificates
- changed_when: true
- ansible.builtin.command: certbot certonly --nginx -m secretbumblebee@proton.me --agree-tos -n --domains mail.secretbee.buzz
-
- - name: Request matrix certificates
- changed_when: true
- ansible.builtin.command: certbot certonly --nginx -m secretbumblebee@proton.me --agree-tos -n --domains matrix.secretbee.buzz
+ ansible.builtin.command: "certbot certonly --nginx -m secretbumblebee@proton.me --agree-tos -n --domains {{ item }}"
+ loop:
+ - secretbee.buzz
+ - git.secretbee.buzz
+ - grafana.secretbee.buzz
+ - mail.secretbee.buzz
+ - matrix.secretbee.buzz
+ - gallery.secretbee.buzz
 - name: Add post hook script
 ansible.builtin.copy:
diff --git a/playbooks/mail/mail.yml b/playbooks/mail/mail.yml
index 29d8faf..d863e47 100644
--- a/playbooks/mail/mail.yml
+++ b/playbooks/mail/mail.yml
@@ -1,5 +1,5 @@
 - name: Mail
- hosts: pi
+ hosts: beepi
 become: true
 vars:
 relay_password: !vault |
diff --git a/playbooks/matrix/matrix.yml b/playbooks/matrix/matrix.yml
index 520dcb8..ca4c9ff 100644
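Review bot: With `changed_when: true` the loop reports all six domains changed on every run and re-invokes certbot even when a valid certificate is already on disk; `args: {creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"}` with `changed_when: true` removed makes the task idempotent and leaves renewal to certbot's timer, which the `Add post hook script` task below presumably already relies on. `gallery.secretbee.buzz` is added here while the new nginx vhost for it references `/etc/letsencrypt/live/gallery.secretbee.buzz/` unconditionally, so on a first deploy the nginx and letsencrypt plays have a circular ordering (`--nginx` needs nginx to load, nginx will not load without the cert file); a comment on the task stating the required order, or a `--webroot`/HTTP-only bootstrap, would avoid a surprise. The hunk cuts the `Add post hook script` task short.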
--- a/playbooks/matrix/matrix.yml
+++ b/playbooks/matrix/matrix.yml
@@ -1,5 +1,5 @@
 - name: Matrix
- hosts: pi
+ hosts: beepi
 become: true
 tasks:
diff --git a/playbooks/monitoring/monitoring.yml b/playbooks/monitoring/monitoring.yml
index 20002f9..e3e76a7 100644
--- a/playbooks/monitoring/monitoring.yml
+++ b/playbooks/monitoring/monitoring.yml
@@ -1,5 +1,5 @@
 - name: Prometheus
- hosts: pi
+ hosts: beepi
 become: true
 vars:
 grafana_secret: !vault |
diff --git a/playbooks/nginx/nginx.yml b/playbooks/nginx/nginx.yml
index ad47521..7990abb 100644
--- a/playbooks/nginx/nginx.yml
+++ b/playbooks/nginx/nginx.yml
@@ -1,5 +1,5 @@
 - name: Nginx
- hosts: pi
+ hosts: beepi
 become: true
 tasks:
 - name: Install nginx
@@ -20,7 +20,7 @@
 group: root
 mode: '0644'
- - name: Copy upstreamc.onf
+ - name: Copy upstream.conf
 ansible.builtin.copy:
 src: upstream.conf
 dest: /etc/nginx/conf.d/upstream.conf
diff --git a/playbooks/nginx/sites-enabled/gallery.secretbee.buzz b/playbooks/nginx/sites-enabled/gallery.secretbee.buzz
new file mode 100644
index 0000000..7ad4b6c
--- /dev/null
+++ b/playbooks/nginx/sites-enabled/gallery.secretbee.buzz
@@ -0,0 +1,52 @@
+server {
+ listen 80;
+ server_name gallery.secretbee.buzz;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl;
+ server_name gallery.secretbee.buzz;
+
+ ssl_certificate /etc/letsencrypt/live/gallery.secretbee.buzz/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/gallery.secretbee.buzz/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
+ # allow large file uploads
+ client_max_body_size 50000M;
+
+ # disable buffering uploads to prevent OOM on reverse proxy server and make uploads twice as fast (no pause)
+ proxy_request_buffering off;
+
+ # increase body buffer to avoid limiting upload speed
+ client_body_buffer_size 1024k;
+
+ # Set headers
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # enable websockets: http://nginx.org/en/docs/http/websocket.html
+ proxy_http_version 1.1;
+ proxy_redirect off;
+
+ # set timeout
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ send_timeout 600s;
+
+ location / {
+ proxy_pass http://localhost:2283;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+ location /siri {
+ return 301 https://gallery.secretbee.buzz/s/siri;
+ }
+}
\ No newline at end of file
diff --git a/playbooks/nginx/sites-enabled/secretbee.buzz b/playbooks/nginx/sites-enabled/secretbee.buzz
index 86eee4c..9e91834 100644
--- a/playbooks/nginx/sites-enabled/secretbee.buzz
+++ b/playbooks/nginx/sites-enabled/secretbee.buzz
@@ -49,4 +49,8 @@ server {
 default_type "text/html";
 try_files $uri $uri.html $uri/index.html index.html;
 }
+
+ location /siri {
+ return 301 https://gallery.secretbee.buzz/s/siri;
+ }
 }
diff --git a/playbooks/ufw/ufw.yml b/playbooks/ufw/ufw.yml
index 83777b4..cbba976 100644
--- a/playbooks/ufw/ufw.yml
+++ b/playbooks/ufw/ufw.yml
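Review bot: `proxy_pass http://localhost:2283;` resolves `localhost` when nginx starts and can pick `::1` first, while the immich server quadlet publishes the port on IPv4 only (`PublishPort=127.0.0.1:2283:2283`), so depending on `/etc/hosts` ordering the upstream can come up as connection refused; `proxy_pass http://127.0.0.1:2283;` removes the ambiguity. The TLS block sends no `Strict-Transport-Security` header and `ssl_ciphers HIGH:!aNULL:!MD5` still admits non-forward-secret CBC suites on TLS 1.2 — if the other vhosts in `sites-enabled` set HSTS and a tighter cipher list, mirror them here rather than diverging per site. `location /siri` is a prefix match, so `/siri/anything` and `/sirius` are redirected too; `location = /siri` if only the exact path is meant.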
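Review bot: `location /siri` is a prefix match, so `/siri/...` and `/sirius` also receive the 301; if only the exact path is intended, `location = /siri {` is both precise and takes priority over the other prefix/regex locations in this server regardless of where it sits. The enclosing `server` block begins outside the hunk.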
@@ -1,5 +1,5 @@
 - name: Ufw
- hosts: pi
+ hosts: beepi
 become: true
 tasks:
 - name: Install ufw
diff --git a/playbooks/wireguard/wireguard.yml b/playbooks/wireguard/wireguard.yml
index 9b83954..2498f46 100644
--- a/playbooks/wireguard/wireguard.yml
+++ b/playbooks/wireguard/wireguard.yml
@@ -1,5 +1,5 @@
 - name: Wireguard
- hosts: pi
+ hosts: beepi
 become: true
 vars:
 wireguard_private_key: !vault |