diff --git a/ansible/group_vars/CD.yml b/ansible/group_vars/CD.yml
new file mode 100644
index 0000000..f768389
--- /dev/null
+++ b/ansible/group_vars/CD.yml
@@ -0,0 +1,6 @@
+---
+# CI specific vars
+
+users:
+ - root
+ssh_keys_users: ['drone']
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
new file mode 100644
index 0000000..808338f
--- /dev/null
+++ b/ansible/group_vars/all.yml
@@ -0,0 +1,11 @@
+---
+# Specific variables for all group
+ansible_python_interpreter: '/usr/bin/python3'
+ssh_skip_ssh_config: true
+users:
+ - username: kevin
+ oh_my_zsh:
+ theme: robbyrussell
+ - username: root
+ oh_my_zsh:
+ theme: robbyrussell
diff --git a/ansible/group_vars/consul-server.yml b/ansible/group_vars/consul-server.yml
new file mode 100644
index 0000000..415e5a2
--- /dev/null
+++ b/ansible/group_vars/consul-server.yml
@@ -0,0 +1,5 @@
+---
+# Consul server specific
+consul_is_server: true
+consul_is_ui: true
+consul_bootstrap_expect: 1
diff --git a/ansible/group_vars/datacenter.yml b/ansible/group_vars/datacenter.yml
new file mode 100644
index 0000000..abe8648
--- /dev/null
+++ b/ansible/group_vars/datacenter.yml
@@ -0,0 +1,17 @@
+---
+# dns_domain: "schleppe"
+dns_nameservers:
+ - "1.1.1.1"
+ - "2606:4700:4700::1111"
+ - "2606:4700:4700::1001"
+
+default_user: "kevin"
+
+# Consul cluster
+consul_datacenter: "schleppe"
+consul_servers:
+ - "10.0.0.140"
+ - "10.0.0.141"
+ - "10.0.0.142"
+consul_install_dnsmasq: false
+
diff --git a/ansible/group_vars/haproxy.yml b/ansible/group_vars/haproxy.yml
new file mode 100644
index 0000000..6d53a1e
--- /dev/null
+++ b/ansible/group_vars/haproxy.yml
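Review bot: `users` is declared in three incompatible shapes across these group_vars — a list of mappings with a `username` key in all.yml, a bare string list `- root` in CD.yml, and `- kevin` in macos.yml on the next physical line — and Ansible replaces a list variable outright when a more specific group overrides it, so a role iterating `item.username` will receive a plain string on CD and macos hosts. Pick the mapping shape everywhere, i.e. in CD.yml `users:` / `  - username: root`, so the override only narrows the list instead of changing its type. The header comment `# CI specific vars` in a file named CD.yml should also say which group it really targets.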
@@ -0,0 +1,12 @@
+haproxy_traefik_ip:
+ - "10.24.1.1"
+ - "10.25.0.4"
+haproxy_traefik_port: 80
+haproxy_cookie_value: "{{ inventory_hostname | default('server-1') }}"
+haproxy_dynamic_cookie_key: "mysecretphrase"
+haproxy_stats_auth: "admin:strongpassword"
+haproxy_certs_dir: "/etc/haproxy/certs"
+
+certbot_cloudflare_secrets_dir: "/root/.secrets/certbot"
+certbot_cloudflare_ini_path: "/root/.secrets/certbot/cloudflare.ini"
+certbot_cloudflare_api_token: "REPLACE_WITH_REAL_TOKEN"
diff --git a/ansible/group_vars/macos.yml b/ansible/group_vars/macos.yml
new file mode 100644
index 0000000..eeffc19
--- /dev/null
+++ b/ansible/group_vars/macos.yml
@@ -0,0 +1,6 @@
+---
+# python path
+ansible_python_interpreter: /usr/local/bin/python3
+
+users:
+ - kevin
\ No newline at end of file
diff --git a/ansible/group_vars/minecraft.yml b/ansible/group_vars/minecraft.yml
new file mode 100644
index 0000000..d680896
--- /dev/null
+++ b/ansible/group_vars/minecraft.yml
@@ -0,0 +1,6 @@
+---
+apt_packages:
+ - git
+ - build-essential
+ - openjdk-21-jdk
+minecraft_version: 1.20.6
diff --git a/ansible/group_vars/proxmox-vm.yml b/ansible/group_vars/proxmox-vm.yml
new file mode 100644
index 0000000..bc435d3
--- /dev/null
+++ b/ansible/group_vars/proxmox-vm.yml
@@ -0,0 +1,2 @@
+---
+proxmox_install_qemu_guest_agent: true
diff --git a/ansible/group_vars/vinlottis-vm.yml b/ansible/group_vars/vinlottis-vm.yml
new file mode 100644
index 0000000..b2d5b9b
--- /dev/null
+++ b/ansible/group_vars/vinlottis-vm.yml
@@ -0,0 +1,2 @@
+---
+ssh_keys_users: ['kevin', 'kasper']
diff --git a/ansible/hetzner.ini b/ansible/hetzner.ini
new file mode 100644
index 0000000..18c4527
--- /dev/null
+++ b/ansible/hetzner.ini
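Review bot: `haproxy_dynamic_cookie_key`, `haproxy_stats_auth` and `certbot_cloudflare_api_token` are committed as plaintext values in group_vars/haproxy.yml; the Cloudflare token in particular is written verbatim into `/root/.secrets/certbot/cloudflare.ini` by the certbot role and, once real, grants DNS write access for the zone to anyone with repo read access. The plays in this same diff already pull `VAULT_TOKEN` and `XWIKI_DB_PASSWORD` from the environment, so the three values should follow that pattern, e.g. `certbot_cloudflare_api_token: "{{ lookup('env', 'CERTBOT_CLOUDFLARE_API_TOKEN') }}"` (env var name illustrative), or live in an ansible-vault encrypted vars file, leaving only a comment here that names where the real values come from. `minecraft_version: 1.20.6` on the next hunk is fine as-is, but note that a two-component version like `1.20` would parse as the float `1.2`, so quoting version strings is the safer habit.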
@@ -0,0 +1,48 @@
+####################
+# HOST DEFINITIONS #
+####################
+localhost ansible_connection=local
+
+[eu]
+web-eu-1 ansible_host=localhost ansible_port=2222 ansible_user=root
+haproxy-hel-1 ansible_host=65.108.92.44 ansible_port=22 ansible_user=root
+haproxy-hel-2 ansible_host=77.42.77.210 ansible_port=22 ansible_user=root
+varnish-hel-1 ansible_host=65.108.92.44 ansible_port=22 ansible_user=root
+varnish-hel-2 ansible_host=77.42.77.210 ansible_port=22 ansible_user=root
+
+[us]
+web-us-1 ansible_host=localhost ansible_port=2222 ansible_user=root
+haproxy-va-1 ansible_host=5.161.197.50 ansible_port=22 ansible_user=root
+haproxy-va-2 ansible_host=178.156.219.175 ansible_port=22 ansible_user=root
+varnish-va-1 ansible_host=5.161.197.50 ansible_port=22 ansible_user=root
+varnish-va-2 ansible_host=178.156.219.175 ansible_port=22 ansible_user=root
+
+[haproxy]
+haproxy-hel-1
+haproxy-hel-2
+haproxy-va-1
+haproxy-va-2
+
+[varnish]
+varnish-hel-1
+varnish-hel-2
+varnish-va-1
+varnish-va-2
+
+[web]
+web-eu-1
+
+####################
+# BIGASS GROUPS #
+####################
+[datacenter:children]
+eu
+us
+
+####################
+# VARS #
+####################
+[all:vars]
+sudoers=kevin
+ssh_keys_users=['kevin']
+# view more vars at groups_vars/all.yml
diff --git a/ansible/plays/base_server_setup.yml b/ansible/plays/base_server_setup.yml
new file mode 100644
index 0000000..909b9ff
--- /dev/null
+++ b/ansible/plays/base_server_setup.yml
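Review bot: The closing comment `# view more vars at groups_vars/all.yml` points at a directory this commit does not create — the file added is `ansible/group_vars/all.yml` — so it should read `# view more vars at group_vars/all.yml`. Every host in `[eu]` and `[us]` is also reached as `ansible_user=root`; if the `roles/ssh` role's sshd_config (not in this diff) ever disables root login, the base play would lock Ansible out of the hosts it just hardened, so the inventory should state that key-only root login is a deliberate requirement, or switch to the `sudoers=kevin` account with `become`. The `haproxy-*` and `varnish-*` entries share an address pairwise, which is presumably intended (two services per VM) and worth a one-line comment so it is not read as a copy-paste slip.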
@@ -0,0 +1,24 @@
+---
+- name: Check if vault is reachable for dynamic config
+ hosts: all
+ connection: local
+ gather_facts: false
+ pre_tasks:
+ - name: Check for vault env variables
+ set_fact:
+ has_vault: "{{ lookup('env', 'VAULT_ADDR') and lookup('env', 'VAULT_TOKEN') and lookup('env', 'HAS_VAULT') != 'FALSE' }}"
+ roles:
+ - { role: roles/vault-config, when: has_vault }
+
+- name: Basic setup, brute force protection, firewall and log shipping
+ hosts: all
+ roles:
+ - role: roles/apt
+ - role: roles/base # - Basic server setup and configuration
+ # - role: roles/fail2ban # - SSH Brute force protection
+ # - role: roles/prox-qemu-agent # - If proxmox vm insatll qemu agent
+ - role: roles/firewall # - Firewall, if firewall_enable is true
+ - role: roles/ssh # - Sets up the ssh role, with keys, ssh_config and sshd_config
+ - role: roles/oh-my-zsh
+ - role: roles/motd
+# - role: roles/bacula
diff --git a/ansible/plays/bind9.yml b/ansible/plays/bind9.yml
new file mode 100644
index 0000000..e29d081
--- /dev/null
+++ b/ansible/plays/bind9.yml
@@ -0,0 +1,16 @@
+---
+- name: Check if vault is reachable for dynamic config
+ hosts: all
+ connection: local
+ gather_facts: false
+ pre_tasks:
+ - name: Check for vault env variables
+ set_fact:
+ has_vault: "{{ lookup('env', 'VAULT_ADDR') and lookup('env', 'VAULT_TOKEN') and lookup('env', 'HAS_VAULT') != 'FALSE' }}"
+ roles:
+ - { role: roles/vault-config, when: has_vault }
+
+- name: Install all bind9 service and transfer zone files
+ hosts: all
+ roles:
+ - role: roles/bind9
diff --git a/ansible/plays/consul.yml b/ansible/plays/consul.yml
new file mode 100644
index 0000000..c7c4e25
--- /dev/null
+++ b/ansible/plays/consul.yml
@@ -0,0 +1,5 @@
+---
+- name: Consul
+ hosts: all
+ roles:
+ - role: roles/consul
diff --git a/ansible/plays/cve-2024-3094.yml b/ansible/plays/cve-2024-3094.yml
new file mode 100644
index 0000000..692da25
--- /dev/null
+++ b/ansible/plays/cve-2024-3094.yml
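Review bot: The second play in base_server_setup.yml is named `Basic setup, brute force protection, firewall and log shipping`, but `roles/fail2ban` is commented out and no log-shipping role is listed, so the name promises controls that do not run; rename it to what it does, e.g. `- name: Basic setup, firewall, ssh and shell`, or leave a comment on the fail2ban line saying why it is disabled. The vault pre-play (`Check if vault is reachable for dynamic config`) is copied verbatim into bind9.yml in this same hunk and again into prox-node.yml and xwiki.yml later in the diff, where the `lookup('env', 'HAS_VAULT') != 'FALSE'` opt-out is missing; one shared play file pulled in with `import_playbook` would keep the opt-out consistent. Minor: `insatll` in the prox-qemu-agent comment.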
@@ -0,0 +1,6 @@
+---
+- name: patch xz-utils
+ hosts: all
+ roles:
+ - roles/xz_utils_patch
+
diff --git a/ansible/plays/docker.yml b/ansible/plays/docker.yml
new file mode 100644
index 0000000..7b6d8c9
--- /dev/null
+++ b/ansible/plays/docker.yml
@@ -0,0 +1,5 @@
+---
+- name: Install docker on linux host
+ hosts: all
+ roles:
+ - role: roles/docker
diff --git a/ansible/plays/firewall.yml b/ansible/plays/firewall.yml
new file mode 100644
index 0000000..5f2e8a4
--- /dev/null
+++ b/ansible/plays/firewall.yml
@@ -0,0 +1,6 @@
+---
+- name: Install all ufw service and enable ports
+ hosts: all
+ roles:
+ - role: roles/firewall
+
diff --git a/ansible/plays/get_os.yml b/ansible/plays/get_os.yml
new file mode 100644
index 0000000..d1be8c9
--- /dev/null
+++ b/ansible/plays/get_os.yml
@@ -0,0 +1,7 @@
+- hosts: all
+ tasks:
+ - debug:
+ msg:
+ - "ansible_distribution {{ hostvars[inventory_hostname].ansible_distribution }}"
+ - "major version {{ hostvars[inventory_hostname].ansible_distribution_major_version }}"
+ - "version {{ hostvars[inventory_hostname].ansible_distribution_version }}"
\ No newline at end of file
diff --git a/ansible/plays/gitea.yml b/ansible/plays/gitea.yml
new file mode 100644
index 0000000..a98dafb
--- /dev/null
+++ b/ansible/plays/gitea.yml
@@ -0,0 +1,5 @@
+---
+- name: Provision git server with gitea
+ hosts: all
+ roles:
+ - role: roles/gitea
diff --git a/ansible/plays/haproxy.yml b/ansible/plays/haproxy.yml
new file mode 100644
index 0000000..4578401
--- /dev/null
+++ b/ansible/plays/haproxy.yml
@@ -0,0 +1,7 @@
+---
+- name: Configure HAProxy edge + Certbot Cloudflare plugin
+ hosts: haproxy
+
+ roles:
+ # - role: roles/certbot
+ - role: roles/haproxy
diff --git a/ansible/plays/immich.yml b/ansible/plays/immich.yml
new file mode 100644
index 0000000..ea6824e
--- /dev/null
+++ b/ansible/plays/immich.yml
@@ -0,0 +1,7 @@
+---
+- name: Install and setup immich backup service
+ hosts: all
+ roles:
+ # - role: roles/docker
+ - role: roles/immich
+
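Review bot: With `# - role: roles/certbot` commented out in haproxy.yml, nothing in this commit ever places a CA-issued certificate under `haproxy_certs_dir`; the only PEM the haproxy role writes there is the self-signed snakeoil bundle assembled in roles/haproxy/tasks/snakeoil.yml, so the public `:443` and QUIC listeners will serve an untrusted certificate until certbot is re-enabled and a deploy hook copies the issued chain plus key into that directory. If the snakeoil bootstrap is intentional, say so on the commented line, e.g. `# - role: roles/certbot  # disabled until the Cloudflare token is provisioned; snakeoil cert is served meanwhile`, so the play name `Configure HAProxy edge + Certbot Cloudflare plugin` stops overstating what runs.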
diff --git a/ansible/plays/ip_list.yml b/ansible/plays/ip_list.yml
new file mode 100644
index 0000000..5561b9f
--- /dev/null
+++ b/ansible/plays/ip_list.yml
@@ -0,0 +1,6 @@
+- hosts: all
+ tasks:
+ - name: Print IPv4 addresse and hostname for all hosts
+ debug:
+ msg: '{{ ansible_default_ipv4.address }} - {{ ansible_hostname }}'
+
diff --git a/ansible/plays/minecraft.yml b/ansible/plays/minecraft.yml
new file mode 100644
index 0000000..73db7ed
--- /dev/null
+++ b/ansible/plays/minecraft.yml
@@ -0,0 +1,7 @@
+---
+- name: Setup minecraft requirements w/ latest server jar
+ hosts: all
+ roles:
+ - role: roles/apt
+ - role: roles/minecraft
+
diff --git a/ansible/plays/motd.yml b/ansible/plays/motd.yml
new file mode 100644
index 0000000..3011dd0
--- /dev/null
+++ b/ansible/plays/motd.yml
@@ -0,0 +1,5 @@
+---
+- name: Generate motd figlet hostnames
+ hosts: all
+ roles:
+ - role: roles/motd
diff --git a/ansible/plays/openssl_upgrade_3.0.7.yml b/ansible/plays/openssl_upgrade_3.0.7.yml
new file mode 100644
index 0000000..ff7827c
--- /dev/null
+++ b/ansible/plays/openssl_upgrade_3.0.7.yml
@@ -0,0 +1,13 @@
+---
+- name: Get openssl version
+ hosts: all
+
+ tasks:
+ - name: Gather the package facts
+ ansible.builtin.package_facts:
+ manager: auto
+
+ - name: Install openssl version 3.0.6
+ ansible.builtin.package:
+ name: openssl=3.0.6
+ state: present
diff --git a/ansible/plays/openssl_version.yml b/ansible/plays/openssl_version.yml
new file mode 100644
index 0000000..964ce94
--- /dev/null
+++ b/ansible/plays/openssl_version.yml
@@ -0,0 +1,11 @@
+---
+- name: Get openssl version
+ hosts: all
+
+ tasks:
+ - name: Gather the package facts
+ ansible.builtin.package_facts:
+ manager: auto
+
+ - name: print openssl version
+ debug: var=ansible_facts.packages.openssl[0].version
diff --git a/ansible/plays/ping.yml b/ansible/plays/ping.yml
new file mode 100644
index 0000000..b49854d
--- /dev/null
+++ b/ansible/plays/ping.yml
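Review bot: openssl_upgrade_3.0.7.yml is named for 3.0.7 but its only install task pins `name: openssl=3.0.6`, so running it leaves hosts one patch release behind what the file name advertises; the task name `Install openssl version 3.0.6`, the package spec and the file name must agree on one version, and a play called `Get openssl version` that installs packages should be renamed too. The `package_facts` task gathers facts that nothing in this play reads (openssl_version.yml is the one that uses them), and the `name=version` spelling is apt-only, so `ansible.builtin.apt` guarded by `when: ansible_os_family == 'Debian'` — the pattern upgrade.yml uses — would be the honest module here. Minor: `addresse` in the ip_list.yml task name.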
@@ -0,0 +1,5 @@
+- hosts: all
+
+ tasks:
+ - name: Ping all hosts
+ ping:
diff --git a/ansible/plays/prox-node.yml b/ansible/plays/prox-node.yml
new file mode 100644
index 0000000..05abc8c
--- /dev/null
+++ b/ansible/plays/prox-node.yml
@@ -0,0 +1,19 @@
+---
+- name: Check if vault is reachable for dynamic config
+ hosts: all
+ connection: local
+ gather_facts: false
+ pre_tasks:
+ - name: Check for vault env variables
+ set_fact:
+ has_vault: "{{ lookup('env', 'VAULT_ADDR') and lookup('env', 'VAULT_TOKEN') }}"
+ TELEGRAF_TOKEN: "{{ lookup('env', 'TELEGRAF_TOKEN') }}"
+ roles:
+ - { role: roles/vault-config, when: has_vault }
+
+- name: Basic setup for proxmox vm clients
+ hosts: proxmox_nodes
+ roles:
+ # - role: roles/prox-telegraf-metrics
+ - role: roles/prox-templates
+
diff --git a/ansible/plays/ssh_config.yml b/ansible/plays/ssh_config.yml
new file mode 100644
index 0000000..33c6085
--- /dev/null
+++ b/ansible/plays/ssh_config.yml
@@ -0,0 +1,7 @@
+---
+- name: create ssh config
+ hosts: all
+ roles:
+ - role: roles/ssh
+ ssh_skip_sshd_config: true
+ ssh_skip_ssh_keys: true
diff --git a/ansible/plays/ssh_keys.yml b/ansible/plays/ssh_keys.yml
new file mode 100644
index 0000000..16ee658
--- /dev/null
+++ b/ansible/plays/ssh_keys.yml
@@ -0,0 +1,10 @@
+---
+- name: Deploy ssh keys
+ hosts: all
+ roles:
+ - role: roles/ssh
+ ssh_skip_sshd_config: true
+ ssh_skip_ssh_config: true
+ ssh_keys_users:
+ - 'root'
+
diff --git a/ansible/plays/sshd_config.yml b/ansible/plays/sshd_config.yml
new file mode 100644
index 0000000..4f08d3a
--- /dev/null
+++ b/ansible/plays/sshd_config.yml
@@ -0,0 +1,7 @@
+---
+- name: create ssh server config
+ hosts: all
+ roles:
+ - role: roles/ssh
+ ssh_skip_ssh_config: true
+ ssh_skip_ssh_keys: true
diff --git a/ansible/plays/syncthing.yml b/ansible/plays/syncthing.yml
new file mode 100644
index 0000000..1614fa3
--- /dev/null
+++ b/ansible/plays/syncthing.yml
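Review bot: In prox-node.yml the `Check for vault env variables` task copies `TELEGRAF_TOKEN` from the environment into a fact with `set_fact` but has no `no_log: true`, so the token is echoed in task output at `-v` and, if fact caching is on, persisted to the cache for every host; add `no_log: true` to that task. The same gap applies to the `XWIKI_DB_PASSWORD` and `XWIKI_DB_ROOT_PASSWORD` facts set by the identical pre-play in xwiki.yml two lines further down. `hosts: proxmox_nodes` also names a group that hetzner.ini in this diff does not define, so either another inventory supplies it (worth a comment naming which) or the play will match nothing.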
@@ -0,0 +1,5 @@
+---
+- name: Install & configure syncthing
+ hosts: all
+ roles:
+ - role: roles/syncthing
diff --git a/ansible/plays/traefik.yml b/ansible/plays/traefik.yml
new file mode 100644
index 0000000..6159a0a
--- /dev/null
+++ b/ansible/plays/traefik.yml
@@ -0,0 +1,6 @@
+---
+- name: Install traefik binary & config
+ hosts: all
+ roles:
+ - role: roles/traefik
+
diff --git a/ansible/plays/upgrade.yml b/ansible/plays/upgrade.yml
new file mode 100644
index 0000000..1ae0f08
--- /dev/null
+++ b/ansible/plays/upgrade.yml
@@ -0,0 +1,15 @@
+---
+- name: Upgrade all machines
+ hosts: all
+
+ tasks:
+ - name: update debian hosts
+ become: true
+ apt:
+ upgrade: yes
+ update_cache: yes
+ cache_valid_time: 86400
+ when:
+ - ansible_os_family == 'Debian'
+
+
diff --git a/ansible/plays/varnish.yml b/ansible/plays/varnish.yml
new file mode 100644
index 0000000..6d1ef2c
--- /dev/null
+++ b/ansible/plays/varnish.yml
@@ -0,0 +1,9 @@
+---
+- name: Install and configure systemd for varnish
+ hosts: varnish
+ roles:
+ - role: roles/firewall
+ enable_80_ufw_port: true
+ enable_443_ufw_port: true
+
+ - role: roles/varnish
\ No newline at end of file
diff --git a/ansible/plays/vault.yml b/ansible/plays/vault.yml
new file mode 100644
index 0000000..f954e77
--- /dev/null
+++ b/ansible/plays/vault.yml
@@ -0,0 +1,7 @@
+---
+- name: Install all required packages, built and start service for vault
+ hosts: all
+ roles:
+ - role: roles/vault
+ - role: roles/firewall
+ enable_vault_ufw_port: true
\ No newline at end of file
diff --git a/ansible/plays/vim.yml b/ansible/plays/vim.yml
new file mode 100644
index 0000000..ac11307
--- /dev/null
+++ b/ansible/plays/vim.yml
@@ -0,0 +1,6 @@
+---
+- name: Install vim
+ hosts: all
+
+ roles:
+ - role: roles/vim
diff --git a/ansible/plays/vinlottis.yml b/ansible/plays/vinlottis.yml
new file mode 100644
index 0000000..53ad0c2
--- /dev/null
+++ b/ansible/plays/vinlottis.yml
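Review bot: `upgrade: yes` and `update_cache: yes` in upgrade.yml use the YAML 1.1 truthy spelling that yamllint's `truthy` rule rejects; `update_cache: true` is the canonical boolean, and for `upgrade` the apt module documents `yes` as an alias of `safe`, so `upgrade: safe` states the intent without relying on the module's bool-to-string coercion. The same `update_cache: yes` appears in roles/docker/tasks/main.yml and twice in roles/varnish/tasks/main.yml later in this diff. varnish.yml and vault.yml in this hunk also end without a trailing newline, which most editors and linters will churn on the next touch.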
@@ -0,0 +1,5 @@
+---
+- name: Install all required packages, built and start service for vinlottis
+ hosts: all
+ roles:
+ - role: roles/vinlottis
diff --git a/ansible/plays/wireguard.yml b/ansible/plays/wireguard.yml
new file mode 100644
index 0000000..a2556f2
--- /dev/null
+++ b/ansible/plays/wireguard.yml
@@ -0,0 +1,6 @@
+- name: Setup wireguard
+ hosts: all
+ roles:
+ - role: roles/docker
+ - role: roles/firewall
+ - role: roles/wireguard
diff --git a/ansible/plays/xwiki.yml b/ansible/plays/xwiki.yml
new file mode 100644
index 0000000..9596ca1
--- /dev/null
+++ b/ansible/plays/xwiki.yml
@@ -0,0 +1,21 @@
+---
+- name: Check if vault is reachable for dynamic config
+ hosts: all
+ connection: local
+ gather_facts: false
+ pre_tasks:
+ - name: Check for vault env variables
+ set_fact:
+ has_vault: "{{ lookup('env', 'VAULT_ADDR') and lookup('env', 'VAULT_TOKEN') }}"
+ XWIKI_DB_USER: "{{ lookup('env', 'XWIKI_DB_USER') }}"
+ XWIKI_DB_PASSWORD: "{{ lookup('env', 'XWIKI_DB_PASSWORD') }}"
+ XWIKI_DB_ROOT_PASSWORD: "{{ lookup('env', 'XWIKI_DB_ROOT_PASSWORD') }}"
+ roles:
+ - { role: roles/vault-config, when: has_vault }
+
+- name: Setup xwiki working directory and move docker-compose file
+ hosts: all
+ roles:
+ - role: roles/docker
+ - role: roles/firewall
+ - role: roles/xwiki
diff --git a/ansible/plays/zsh.yml b/ansible/plays/zsh.yml
new file mode 100644
index 0000000..9aec22c
--- /dev/null
+++ b/ansible/plays/zsh.yml
@@ -0,0 +1,7 @@
+- name: Install oh-my-zsh
+ hosts: all
+ roles:
+ - role: roles/oh-my-zsh
+ oh_my_zsh:
+ theme: robbyrussell
+
diff --git a/ansible/roles/certbot/defaults/main.yml b/ansible/roles/certbot/defaults/main.yml
new file mode 100644
index 0000000..9485767
--- /dev/null
+++ b/ansible/roles/certbot/defaults/main.yml
@@ -0,0 +1,3 @@
+certbot_packages:
+ - certbot
+ - python3-certbot-dns-cloudflare
diff --git a/ansible/roles/certbot/handlers/main.yml b/ansible/roles/certbot/handlers/main.yml
new file mode 100644
index 0000000..8a97e06
--- /dev/null
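Review bot: wireguard.yml and zsh.yml on this line omit the `---` document start that the neighbouring plays (vinlottis.yml, xwiki.yml) and the group_vars files begin with; yamllint's `document-start` rule flags the inconsistency, so add `---` as the first line of both. The same omission is in get_os.yml, ip_list.yml and ping.yml earlier in the diff and in roles/certbot/defaults/main.yml here.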
+++ b/ansible/roles/certbot/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: noop
+ debug:
+ msg: "Certbot role completed"
diff --git a/ansible/roles/certbot/tasks/install.yml b/ansible/roles/certbot/tasks/install.yml
new file mode 100644
index 0000000..961b0a9
--- /dev/null
+++ b/ansible/roles/certbot/tasks/install.yml
@@ -0,0 +1,8 @@
+---
+- apt:
+ update_cache: true
+ when: ansible_facts.os_family == "Debian"
+
+- package:
+ name: "{{ certbot_packages }}"
+ state: present
diff --git a/ansible/roles/certbot/tasks/main.yml b/ansible/roles/certbot/tasks/main.yml
new file mode 100644
index 0000000..73b32a1
--- /dev/null
+++ b/ansible/roles/certbot/tasks/main.yml
@@ -0,0 +1,3 @@
+---
+- import_tasks: install.yml
+- import_tasks: secrets.yml
diff --git a/ansible/roles/certbot/tasks/secrets.yml b/ansible/roles/certbot/tasks/secrets.yml
new file mode 100644
index 0000000..4caaefd
--- /dev/null
+++ b/ansible/roles/certbot/tasks/secrets.yml
@@ -0,0 +1,14 @@
+---
+- file:
+ path: "{{ certbot_cloudflare_secrets_dir }}"
+ state: directory
+ owner: root
+ group: root
+ mode: "0700"
+
+- template:
+ src: cloudflare.ini.j2
+ dest: "{{ certbot_cloudflare_ini_path }}"
+ owner: root
+ group: root
+ mode: "0600"
diff --git a/ansible/roles/certbot/templates/cloudflare.ini.j2 b/ansible/roles/certbot/templates/cloudflare.ini.j2
new file mode 100644
index 0000000..82d9d88
--- /dev/null
+++ b/ansible/roles/certbot/templates/cloudflare.ini.j2
@@ -0,0 +1 @@
+dns_cloudflare_api_token = {{ certbot_cloudflare_api_token }}
diff --git a/ansible/roles/docker/defaults/main.yml b/ansible/roles/docker/defaults/main.yml
new file mode 100644
index 0000000..eb20f0f
--- /dev/null
+++ b/ansible/roles/docker/defaults/main.yml
@@ -0,0 +1,15 @@
+clean_install_remove_packages:
+ - docker.io
+ - docker-doc
+ - docker-compose
+ - podman-docker
+ - containerd
+ - runc
+
+install_packages:
+ - docker-ce
+ - docker-ce-cli
+ - containerd.io
+ - docker-buildx-plugin
+ - docker-compose
+ # - docker-compose-plugin
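Review bot: The `template` task in roles/certbot/tasks/secrets.yml writes `certbot_cloudflare_api_token` to disk without checking that it was ever set, so with the group_vars value from this diff it silently installs `dns_cloudflare_api_token = REPLACE_WITH_REAL_TOKEN` and certbot only fails later with an opaque Cloudflare error. Guard it first: `- ansible.builtin.assert:` / `that: certbot_cloudflare_api_token != 'REPLACE_WITH_REAL_TOKEN'` / `fail_msg: "certbot_cloudflare_api_token is still the placeholder"`, and give the template task `no_log: true` so the real token is not shown in `--diff` or verbose output. The 0700 directory and 0600 file modes are right; the tasks in install.yml and secrets.yml just lack `name:` lines, which makes their output hard to follow.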
diff --git a/ansible/roles/docker/tasks/main.yml b/ansible/roles/docker/tasks/main.yml
new file mode 100644
index 0000000..db19918
--- /dev/null
+++ b/ansible/roles/docker/tasks/main.yml
@@ -0,0 +1,62 @@
+---
+- name: Clean install by removing any docker package
+ package: name={{ item }} state=absent
+ with_items: "{{ clean_install_remove_packages }}"
+
+- name: Ensure curl & ca-certs are installed
+ package:
+ name:
+ - ca-certificates
+ - curl
+ - gnupg
+ state: latest
+
+# Map Ansible distro -> Docker repo distro segment
+- name: Determine Docker repository distro (ubuntu/debian)
+ set_fact:
+ docker_repo_distro: >-
+ {{
+ 'ubuntu' if ansible_distribution | lower == 'ubuntu'
+ else 'debian' if ansible_distribution | lower == 'debian'
+ else ansible_distribution | lower
+ }}
+
+# Prefer the suite/codename Ansible already knows; fall back to os-release.
+- name: Determine OS suite/codename
+ set_fact:
+ docker_repo_codename: "{{ ansible_distribution_release | default(ansible_lsb.codename, true) }}"
+
+- name: Ensure docker keyring file exists
+ file:
+ path: /etc/apt/keyrings/docker.gpg
+ state: touch
+
+- name: Download docker gpg key and add to keyrings
+ shell: |
+ curl -fsSL "https://download.docker.com/linux/{{ docker_repo_distro }}/gpg" \
+ | gpg --dearmor --yes -o /etc/apt/keyrings/docker.gpg
+ chmod a+r /etc/apt/keyrings/docker.gpg
+ args:
+ creates: /etc/apt/keyrings/docker.gpg
+
+- name: Sign and add docker deb source (Ubuntu/Debian)
+ copy:
+ dest: /etc/apt/sources.list.d/docker.list
+ mode: "0644"
+ content: |
+ deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/{{ docker_repo_distro }} {{ docker_repo_codename }} stable
+
+- name: Update apt sources
+# become: true
+ apt:
+ update_cache: yes
+ cache_valid_time: 10
+
+- name: Install docker packages
+ package: name={{ item }} state=latest
+ with_items: "{{ install_packages }}"
+
+- name: Ensure group docker exists
+ user:
+ name: docker
+ state: present
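Review bot: The `Ensure docker keyring file exists` task touches `/etc/apt/keyrings/docker.gpg` immediately before the download task whose `creates:` names that same path, so on a fresh host the `curl | gpg --dearmor` step is always skipped and apt is left with an empty keyring; every later `apt` call then fails signature verification against the `signed-by=` source (or passes only because someone placed a key by hand). Replace the touch with a task that ensures the `/etc/apt/keyrings` directory instead and keep `creates:` on the download, and consider comparing the downloaded key's fingerprint with the one Docker publishes so the trust root is pinned rather than trusted on first download. Two more defects in the same hunk: `Ensure group docker exists` calls the `user` module, which creates a user named docker rather than a group (`group:` is the module wanted), and the commented `# become: true` sits at column 0 between `name:` and `apt:` inside a task mapping, which is easy to misread as ending the task.

```yaml
- name: Ensure apt keyrings directory exists
  file:
    path: /etc/apt/keyrings
    state: directory
    mode: "0755"

- name: Download docker gpg key and add to keyrings
  shell: |
    curl -fsSL "https://download.docker.com/linux/{{ docker_repo_distro }}/gpg" \
      | gpg --dearmor --yes -o /etc/apt/keyrings/docker.gpg
    chmod a+r /etc/apt/keyrings/docker.gpg
  args:
    creates: /etc/apt/keyrings/docker.gpg

# … unchanged: docker.list source, apt update, package install …

- name: Ensure group docker exists
  group:
    name: docker
    state: present
```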
diff --git a/ansible/roles/haproxy/defaults/main.yml b/ansible/roles/haproxy/defaults/main.yml
new file mode 100644
index 0000000..fc72d70
--- /dev/null
+++ b/ansible/roles/haproxy/defaults/main.yml
@@ -0,0 +1,3 @@
+haproxy_package_name: haproxy
+haproxy_cfg_path: /etc/haproxy/haproxy.cfg
+haproxy_service_name: haproxy
diff --git a/ansible/roles/haproxy/handlers/main.yml b/ansible/roles/haproxy/handlers/main.yml
new file mode 100644
index 0000000..3393e45
--- /dev/null
+++ b/ansible/roles/haproxy/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload haproxy
+ service:
+ name: haproxy
+ state: reloaded
diff --git a/ansible/roles/haproxy/tasks/config.yml b/ansible/roles/haproxy/tasks/config.yml
new file mode 100644
index 0000000..ee19d1f
--- /dev/null
+++ b/ansible/roles/haproxy/tasks/config.yml
@@ -0,0 +1,20 @@
+---
+- file:
+ path: "{{ haproxy_certs_dir }}"
+ state: directory
+ owner: root
+ group: root
+ mode: "0755"
+
+- template:
+ src: haproxy.cfg.j2
+ dest: "{{ haproxy_cfg_path }}"
+ owner: root
+ group: root
+ mode: "0644"
+ validate: "haproxy -c -f %s"
+ notify: reload haproxy
+
+- service:
+ name: haproxy
+ state: started
diff --git a/ansible/roles/haproxy/tasks/install.yml b/ansible/roles/haproxy/tasks/install.yml
new file mode 100644
index 0000000..6151eed
--- /dev/null
+++ b/ansible/roles/haproxy/tasks/install.yml
@@ -0,0 +1,8 @@
+---
+- package:
+ name: haproxy
+ state: present
+
+- service:
+ name: haproxy
+ enabled: true
diff --git a/ansible/roles/haproxy/tasks/main.yml b/ansible/roles/haproxy/tasks/main.yml
new file mode 100644
index 0000000..86ac268
--- /dev/null
+++ b/ansible/roles/haproxy/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- import_tasks: install.yml
+- import_tasks: snakeoil.yml
+- import_tasks: config.yml
diff --git a/ansible/roles/haproxy/tasks/snakeoil.yml b/ansible/roles/haproxy/tasks/snakeoil.yml
new file mode 100644
index 0000000..f47d589
--- /dev/null
+++ b/ansible/roles/haproxy/tasks/snakeoil.yml
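Review bot: roles/haproxy/defaults/main.yml introduces `haproxy_package_name` and `haproxy_service_name`, but install.yml, config.yml and the `reload haproxy` handler all hard-code the literal `haproxy`, and vars/main.yml later in the diff re-declares `haproxy_service_name` with the same value at role-vars precedence, which outranks group_vars and makes the default pointless. Either consume them (`name: "{{ haproxy_package_name }}"` in install.yml, `name: "{{ haproxy_service_name }}"` in the service tasks and handler) and drop the vars/main.yml copy, or remove the unused defaults. config.yml's `validate: "haproxy -c -f %s"` before `notify` is the right shape; the `0755` mode on `haproxy_certs_dir` is only acceptable because the PEM inside must itself be private, which the snakeoil hunk does not currently ensure.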
@@ -0,0 +1,48 @@
+---
+# tasks/snakeoil.yml
+- name: Ensure snakeoil certificate tooling is installed
+ ansible.builtin.package:
+ name: ssl-cert
+ state: present
+
+- name: Check whether HAProxy snakeoil PEM already exists
+ ansible.builtin.stat:
+ path: /etc/haproxy/certs/ssl-cert-snakeoil.pem
+ register: haproxy_pem
+
+# Validate cert structure if the file exists
+- name: Validate certificate structure in HAProxy PEM
+ ansible.builtin.command: >
+ openssl x509 -in /etc/haproxy/certs/ssl-cert-snakeoil.pem -noout
+ register: pem_cert_check
+ changed_when: false
+ failed_when: false
+ when: haproxy_pem.stat.exists
+
+- name: Ensure HAProxy cert directory exists
+ ansible.builtin.file:
+ path: /etc/haproxy/certs
+ state: directory
+ owner: root
+ group: root
+ mode: "0755"
+
+- name: Decide if we must (re)create PEM (missing/empty/invalid)
+ ansible.builtin.set_fact:
+ haproxy_pem_needs_create: >-
+ {{
+ (not haproxy_pem.stat.exists)
+ or ((pem_cert_check | default({'rc': 'undef'})).rc != 0)
+ }}
+
+# Generate the snakeoil cert/key if we need to (re)create bundle
+- name: Generate default snakeoil cert/key
+ ansible.builtin.command: make-ssl-cert generate-default-snakeoil
+ when: haproxy_pem_needs_create
+ changed_when: true
+
+- name: Assemble HAProxy snakeoil PEM bundle (cert + key)
+ shell:
+ cmd: "cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key > /etc/haproxy/certs/ssl-cert-snakeoil.pem"
+ when: haproxy_pem_needs_create
+ notify: reload haproxy
diff --git a/ansible/roles/haproxy/templates/haproxy.cfg.j2 b/ansible/roles/haproxy/templates/haproxy.cfg.j2
new file mode 100644
index 0000000..cdb4143
--- /dev/null
+++ b/ansible/roles/haproxy/templates/haproxy.cfg.j2
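Review bot: The `Assemble HAProxy snakeoil PEM bundle` task concatenates the private key into `/etc/haproxy/certs/ssl-cert-snakeoil.pem` through a shell redirect, so the file takes the process umask (typically 0644) inside the 0755 directory created just above, and the key is readable by every local account. HAProxy loads its PEMs at start-up before switching to `user haproxy`, so the bundle can be root-only: either prefix the command with `umask 077 && cat ...` or follow it with `- ansible.builtin.file: { path: /etc/haproxy/certs/ssl-cert-snakeoil.pem, owner: root, group: root, mode: "0600" }`. The hunk also spells `/etc/haproxy/certs` out four times while config.yml reaches the same directory through `haproxy_certs_dir`; using the variable here keeps the two task files from drifting.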
@@ -0,0 +1,134 @@
+global
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+ limited-quic
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+ ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+# Front door: public HTTP
+frontend fe_http
+ bind :80
+
+ http-request set-header X-Forwarded-Proto https
+ option forwardfor
+
+ default_backend be_traefik_http
+
+# Front door: public HTTPS
+frontend fe_https
+ mode http
+ bind :443 ssl crt {{ haproxy_certs_dir }} alpn h2,http/1.1
+ bind quic4@:443 ssl crt {{ haproxy_certs_dir }} alpn h3
+
+ # Add forwarding headers so Traefik/apps can know original client info
+ http-request set-header X-Forwarded-Proto https
+ option forwardfor
+
+ # DISABLED: Advertise HTTP3
+ # acl is_h2 ssl_fc_alpn -i h2
+ # http-response set-header Alt-Svc "h3=\":443\"; ma=900" if is_h2
+
+ # =========================================================
+ # Debug response headers (enabled via ?debug=1)
+
+ # Read debug query parameter
+ http-request set-var(txn.debug) urlp(debug)
+
+ # Define what "debug enabled" means
+ acl debug_enabled var(txn.debug) -m str -i 1 true yes on
+
+ http-request set-var(txn.http_ver) req.ver
+ http-response add-header X-Debug-HTTP-Version %[var(txn.http_ver)] if debug_enabled
+ http-response add-header X-Debug-Served-By haproxy-https if debug_enabled
+ http-response add-header X-Debug-Frontend %[fe_name] if debug_enabled
+ http-response add-header X-Debug-Backend %[be_name] if debug_enabled
+ http-response add-header X-Debug-Server %[srv_name] if debug_enabled
+
+ # Client & network
+ http-response add-header X-Debug-Client-IP %[src] if debug_enabled
+ # http-response add-header X-Debug-Client-Port %[sp] if debug_enabled
+ # http-response add-header X-Debug-XFF %[req.hdr(X-Forwarded-For)] if debug_enabled
+
+ # TLS / HTTPS details
+ http-response add-header X-Debug-TLS %[ssl_fc] if debug_enabled
+ http-response add-header X-Debug-TLS-Version %[ssl_fc_protocol] if debug_enabled
+ http-response add-header X-Debug-TLS-Cipher %[ssl_fc_cipher] if debug_enabled
+
+ # Request identity & correlation
+ http-response add-header X-Debug-Request-ID %[unique-id] if debug_enabled
+ http-response add-header X-Debug-Method %[method] if debug_enabled
+
+ # Safety: prevent caching of debug responses
+ http-response add-header Cache-Control no-store if debug_enabled
+
+ default_backend be_traefik_http
+
+
+# Backend: Traefik VM
+backend be_traefik_http
+ mode http
+ balance roundrobin
+ cookie LB_SERVER insert indirect nocache dynamic
+ dynamic-cookie-key {{ haproxy_dynamic_cookie_key }}
+
+ # Health check: Traefik should respond with 404 for unknown host; that's still "alive".
+ # We'll just do a TCP check (simpler and reliable).
+ option tcp-check
+
+ {% for ip in haproxy_traefik_ip %}
+ server traefik{{ loop.index }} {{ ip }}:{{ haproxy_traefik_port }} check cookie {{ haproxy_cookie_value }}
+ {% endfor %}
+
+# Frontend: HAProxy prometheus exporter metrics
+frontend fe_metrics
+ bind :8405
+ mode http
+
+ http-request use-service prometheus-exporter if { path /metrics }
+
+# ============================
+# HAProxy Stats (metrics UI)
+# ============================
+listen haproxy_stats
+ bind :8404
+ mode http
+
+ stats enable
+ stats uri /stats
+ stats refresh 10s
+
+ # Optional basic auth
+ stats auth {{ haproxy_stats_auth }}
+
+ # Show extra info (handy for debugging)
+ stats show-legends
diff --git a/ansible/roles/haproxy/vars/main.yml b/ansible/roles/haproxy/vars/main.yml
new file mode 100644
index 0000000..b8435fb
--- /dev/null
+++ b/ansible/roles/haproxy/vars/main.yml
@@ -0,0 +1,2 @@
+---
+haproxy_service_name: haproxy
diff --git a/ansible/roles/varnish/tasks/main.yml b/ansible/roles/varnish/tasks/main.yml
new file mode 100644
index 0000000..a94ea58
--- /dev/null
+++ b/ansible/roles/varnish/tasks/main.yml
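Review bot: `frontend fe_http` sets `X-Forwarded-Proto https` on the plaintext `:80` listener, so every application behind Traefik treats a cleartext request as HTTPS and makes secure-cookie, HSTS and redirect decisions on a false premise; either tell the truth with `http-request set-header X-Forwarded-Proto http` or, more usefully, replace the header line with `http-request redirect scheme https code 301 unless { ssl_fc }`. The `X-Debug-*` block in `fe_https` is switched on by any client that appends `?debug=1`, handing an anonymous caller the backend and server names, the TLS version and cipher, the request ID and its own address as the proxy sees it; add a source condition next to `acl debug_enabled ...` (`acl from_admin src <management CIDR>`, then `if debug_enabled from_admin` on each header) or keep the block out of production renders. `listen haproxy_stats` and `frontend fe_metrics` bind `:8404` and `:8405` on every interface, so the `stats auth` credential from group_vars crosses the network as cleartext basic auth and `/metrics` is reachable with no auth at all; bind both to a management address (`bind 127.0.0.1:8404`, `bind 127.0.0.1:8405`) or restrict them to the monitoring host with an `acl` and `http-request deny`. The global TLS block (`ssl-min-ver TLSv1.2`, `no-tls-tickets`, the Mozilla intermediate cipher list) is sound as written.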
@@ -0,0 +1,57 @@
+---
+ - name: update apt
+ become: true
+ apt:
+ update_cache: yes
+ cache_valid_time: 86400
+
+ - name: install required packages
+ package:
+ name:
+ - debian-archive-keyring
+ - curl
+ - gnupg
+ - apt-transport-https
+
+ - name: add varnish apt key & repo
+ block:
+ - name: add varnish key
+ apt_key:
+ url: https://packagecloud.io/varnishcache/varnish60lts/gpgkey
+ state: present
+
+ - name: add varnish repo
+ apt_repository:
+ repo: 'deb https://packagecloud.io/varnishcache/varnish60lts/{{ varnish_release }} {{ varnish_release_codename }} main'
+ state: present
+
+ - name: add varnish repo src
+ apt_repository:
+ repo: 'deb-src https://packagecloud.io/varnishcache/varnish60lts/{{ varnish_release }} {{ varnish_release_codename }} main'
+ state: present
+
+ - name: update apt
+ become: true
+ apt:
+ update_cache: yes
+ cache_valid_time: 86400
+
+ - name: install varnish package
+ package:
+ name: varnish
+
+ - name: copy systemd template
+ template:
+ src: varnish-systemd.j2
+ dest: /lib/systemd/system/varnish.service
+ owner: root
+ mode: 644
+
+ - name: restart systemd daemon
+ systemd:
+ daemon_reload: yes
+
+ - name: restart varnish service
+ systemd:
+ name: varnish.service
+ state: reloaded
diff --git a/ansible/roles/varnish/templates/varnish-systemd.j2 b/ansible/roles/varnish/templates/varnish-systemd.j2
new file mode 100644
index 0000000..034c542
--- /dev/null
+++ b/ansible/roles/varnish/templates/varnish-systemd.j2
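Review bot: `mode: 644` on the `copy systemd template` task is an unquoted integer, which Ansible reads as decimal 644 (octal 1204) rather than rw-r--r--, so the unit file ends up with the wrong permissions and a warning; write `mode: "0644"` as the certbot and haproxy roles in this diff already do. `apt_key` with `url:` drops the packagecloud key into the global trusted keyring, where it can sign any repository on the host, whereas roles/docker scopes its key with `signed-by=` in the source line — the same keyring-file pattern (a `get_url`/`gpg --dearmor` into `/etc/apt/keyrings/` plus `[signed-by=...]` in both `repo:` strings) belongs here, especially since the underlying `apt-key` is deprecated upstream. Finally, the task named `restart varnish service` uses `state: reloaded`, which fails on a first install where the unit is not yet running and never enables it; `state: restarted` with `enabled: true` matches both the name and the `copy systemd template` step before it. The second `update apt` task after the repo block is needed, but `cache_valid_time: 86400` there means a cache refreshed by the first task will not be refreshed again after the new source is added, so that second call should drop `cache_valid_time`.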
@@ -0,0 +1,44 @@
+[Unit]
+Description=Varnish HTTP accelerator
+Documentation=https://www.varnish-cache.org/docs/6.1/ man:varnishd
+
+[Service]
+Type=simple
+
+# Maximum number of open files (for ulimit -n)
+LimitNOFILE=131072
+
+# Locked shared memory - should suffice to lock the shared memory log
+# (varnishd -l argument)
+# Default log size is 80MB vsl + 1M vsm + header -> 82MB
+# unit is bytes
+# LimitMEMLOCK=85983232
+
+# Varnish default
+LimitMEMLOCK=82000
+
+# Enable this to avoid "fork failed" on reload.
+TasksMax=infinity
+
+# Maximum size of the corefile.
+LimitCORE=infinity
+
+ExecStart=/usr/sbin/varnishd \
+ -j unix,user=vcache \
+ -F \
+ -a :80 \
+ -a :443 \
+ -p feature=+http2 \
+ -T localhost:6082 \
+ -f /etc/varnish/default.vcl \
+ -S /etc/varnish/secret \
+ -s malloc,256m
+
+ExecReload=/usr/share/varnish/varnishreload
+ProtectSystem=full
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
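Review bot: `LimitMEMLOCK=82000` contradicts the comment block directly above it, which works out 82 MB (`85983232` bytes, "unit is bytes") as the amount needed to lock the shared-memory log; 82000 bytes will not lock the VSL at all, so either the value should be the computed one or the comment should explain why a far smaller limit is intended. `-a :443` makes varnishd accept plain HTTP on the HTTPS port — varnishd does not terminate TLS — so unless a TLS terminator such as the haproxy edge in this diff forwards to it (in which case `-a :443,PROXY` is the listener you want), that line is misleading and should go. The hardening directives (`ProtectSystem=full`, `ProtectHome`, `PrivateTmp`, `PrivateDevices`, the `-j unix,user=vcache` jail and `-S /etc/varnish/secret` on the management port) are a good baseline and worth keeping as-is.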