Add iptables, adjust crowdsec, lots of ansible-lint fixes
notthebee committed Jan 21, 2022
1 parent aeffb46 commit ca87f0d
Showing 43 changed files with 417 additions and 263 deletions.
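--- a/.ansible-lint
+++ b/.ansible-lint
@@ -0,0 +1,8 @@
+---
+skip_list:
+- git-latest
+- package-latest
+
+warn_list:
+- load-failure
+- yaml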
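Review bot: Moving `load-failure` into `warn_list` means a playbook or vars file that ansible-lint cannot even parse no longer fails the pre-commit hook, which is the one case where a lint gate earns its keep; keeping `yaml` as a warning to avoid formatting churn is reasonable, but `load-failure` should stay fatal. Silencing `git-latest` and `package-latest` in `skip_list` hides every unpinned git checkout and `state: latest` install from now on, which is a supply-chain decision rather than a style one and deserves a comment, e.g. `# git-latest/package-latest: this host deliberately tracks upstream; pin per role where reproducibility matters`.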
10 changes: 2 additions & 8 deletions .pre-commit-config.yaml
@@ -1,14 +1,8 @@
---
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: latest
hooks:
- id: check-yaml
- id: end-of-file-fixer
- id: trailing-whitespace

- repo: https://github.com/ansible/ansible-lint.git
rev: latest
rev: v5.3.2
hooks:
- id: ansible-lint
args: [--offline]
files: \.(yaml|yml)$
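Review bot: `rev: v5.3.2` pins the ansible-lint hook to a git tag, and tags are mutable upstream; for a hook that executes on every commit, pin `rev` to the full commit SHA the tag resolves to (`pre-commit autoupdate --freeze` writes the SHA with the tag in a trailing comment) so a moved tag cannot change what runs. The dropped `pre-commit-hooks` repo carried `check-yaml` and `trailing-whitespace`, which also covered YAML files ansible-lint ignores; if it was removed only because `rev: latest` was never a valid pre-commit rev, re-adding it with a frozen rev keeps that syntax check.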
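--- a/.prettierrc.yaml
+++ b/.prettierrc.yaml
@@ -0,0 +1,5 @@
+# .prettierrc or .prettierrc.yaml
+trailingComma: "es5"
+tabWidth: 4
+semi: false
+singleQuote: true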
41 changes: 28 additions & 13 deletions group_vars/all/vars.yml
@@ -11,18 +11,25 @@ hostname: "{{ inventory_hostname }}"

timezone: Europe/Amsterdam


dot_nameservers: [185.95.218.42@853#dns.digitale-gesellschaft.ch, 94.140.15.140@853#dns-unfiltered.adguard.com]

ntp_timezone: "{{ timezone }}"

locale: en_US.UTF-8

lan_network: "{{ '.'.join(ansible_default_ipv4.address.split('.')[0:3]) }}.0/24"
lan_network: "192.168.2.0/24"

vpn_network: "10.1.1.0/24"

lan_gateway: "192.168.2.1"

dmz_network: "192.168.44.0/24"

dns_nameservers: ["{{ ansible_default_ipv4.gateway }}"]
dmz_gateway: "192.168.44.1"

fish_prompt_color: blue
dns_nameservers: ["1.1.1.1", "1.0.0.1"]

fish_prompt_color: blue

keyboard_layout: us

@@ -46,8 +53,8 @@ spindown_time: 600 # in seconds

colorscheme: nord

subdomains: {
'nextcloud': 'nextcloud',
subdomains: {
'nextcloud': 'nextcloud',
'vaultwarden': 'vaultwarden',
}

@@ -94,7 +101,7 @@ email_smtp_port: 465

email_smtp_port_startls: 587

# MSMTP
# MSMTP
msmtp_accounts:
- account: mailbox
host: "{{ email_smtp_host }}"
@@ -121,8 +128,6 @@ security_autoupdate_mail_to: "{{ email }}"

security_autoupdate_mail_on_error: true

# We have our own f2b rules
security_fail2ban_enabled: false

#
# Enable/disable functionality
@@ -222,7 +227,7 @@ samba_users:

samba_global_include: global-include.conf

samba_apple_extensions: yes
samba_apple_extensions: yes

samba_mitigate_cve_2017_7494: false

@@ -241,7 +246,7 @@ samba_shares:
path: "{{ mergerfs_root }}"
valid_users: "{{ username }}"
write_list: "{{ username }}"

- name: Downloads
guest_ok: no
public: no
@@ -252,7 +257,7 @@ samba_shares:
path: "{{ mergerfs_root }}/Downloads"
valid_users: "{{ username }}, {{ additional_users[0].name }}"
write_list: "{{ username }}, {{ additional_users[0].name }}"

- name: Media
guest_ok: no
public: no
@@ -286,6 +291,8 @@ samba_shares:
#
mergerfs_root: /mnt/storage

cache_root: /mnt/storage_cache

enable_mergerfs: yes

disks:
@@ -295,6 +302,7 @@ disks:

cache_disks:
- { path: /mnt/cache1, src: /dev/disk/by-label/Cache1, content: true }
- { path: /mnt/cache2, src: /dev/disk/by-label/Cache2, content: true }

parity_disks:
- { path: /mnt/parity1, src: /dev/disk/by-label/Parity1, content: true }
@@ -344,10 +352,17 @@ snapraid_config_excludes:
smartd_default_mail_recipients: [ "{{ email }}" ]

#
# CrowdSec
# Security
#
enable_crowdsec: true

enable_iptables: true

enable_fail2ban: true

# We have our own f2b rules
security_fail2ban_enabled: false

### BEGIN Secret variables (encrypt and put into vault.yml)
cloudflare_dns_token: ''
cloudflare_firewall_token: ''
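Review bot: `enable_fail2ban: true` now sits a few lines above `security_fail2ban_enabled: false`, and `# We have our own f2b rules` does not say that the first is this repo's own role switch while the second (the `security_` prefix suggests a third-party hardening role) only stops that role from installing a second fail2ban — a reader flipping the wrong one either loses banning or ends up with two daemons editing the same chains. Suggest `# enable_fail2ban drives our own fail2ban role; security_fail2ban_enabled stays false so the security role does not install its own copy`. With crowdsec, fail2ban and the new `enable_iptables` all true, three components now write firewall rules; which one owns the INPUT policy and whether the others only add jumps is not stated anywhere in these vars and is worth a sentence here, since the wrong ordering either locks you out or leaves the host open.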
11 changes: 3 additions & 8 deletions roles/containers/homeautomation/deconz/tasks/main.yml
@@ -14,6 +14,9 @@
name: "{{ container_name }}"
image: "deconzcommunity/deconz:stable"
pull: yes
networks:
- name: swag_internal_network
ipv4_address: 172.20.0.14
state: 'started'
labels:
"flame.type": "application"
@@ -43,11 +46,3 @@
"DEBUG_OTAU": "0"
restart_policy: unless-stopped
when: zigbee_dev.files | length > 0

- name: Add {{ container_name }} to the SWAG network (reverse-proxy)
docker_network:
name: swag_internal_network
connected:
- "{{ container_name }}"
appends: yes
when: enable_swag
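Review bot: The inline `networks:` entry joins `swag_internal_network` unconditionally, whereas the removed task ran only `when: enable_swag`; with SWAG disabled the network does not exist and container creation now fails instead of the attach being skipped. The fixed `ipv4_address: 172.20.0.14` also has to stay unique across every role that pins an address on that network, so add `# fixed address on swag_internal_network; keep unique across roles` next to it. Depending on the community.docker version in use, `networks:` without `networks_cli_compatible: true` may additionally leave the container on the default bridge — worth confirming with `docker inspect`. The `docker_container:` task begins before this hunk.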
7 changes: 5 additions & 2 deletions roles/containers/homeautomation/homeassistant/tasks/main.yml
@@ -4,15 +4,18 @@
name: "{{ container_name }}"
image: "homeassistant/home-assistant:stable"
pull: yes
networks:
- name: swag_internal_network
state: 'started'
network_mode: host
labels:
"flame.type": "application"
"flame.name": "{{ dashboard_name }}"
"flame.url": "{{ dashboard_url }}"
"flame.icon": "custom"
env:
"TZ": "{{ timezone }}"
ports:
8123:8123
volumes:
- "{{ docker_dir }}/{{ container_name }}:/config"
restart_policy: unless-stopped
restart_policy: unless-stopped
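Review bot: `ports: 8123:8123` is a bare, unquoted scalar where the module expects a list; it happens to work because Ansible coerces the string, but an unquoted `a:b` port spec is read as a YAML 1.1 sexagesimal integer for low port numbers, so write it as `ports:` / `  - "8123:8123"`. If `network_mode: host` is still on the new side (this rendered page does not show which side that line is on), both `networks:` and `ports:` are ignored under host networking and Home Assistant's mDNS/SSDP discovery only works with it, so the two models have to be reconciled rather than combined. As written the mapping binds 8123 on every host interface; if clients are meant to come through SWAG, `127.0.0.1:8123:8123` or no mapping at all keeps the proxy-bypass path closed.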
7 changes: 3 additions & 4 deletions roles/containers/media/jellyfin/tasks/main.yml
@@ -1,12 +1,11 @@
---
- name: Make sure that QuickSync packages are installed
become: yes
apt:
package:
name:
- vainfo
- intel-media-va-driver-non-free
state: latest
update_cache: yes
state: present

- name: Make sure the {{ container_name }} container is created and running
docker_container:
@@ -44,4 +43,4 @@
connected:
- "{{ container_name }}"
appends: yes
when: enable_swag
when: enable_swag
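Review bot: Dropping `update_cache: yes` together with the switch to `state: present` means the task now installs against whatever package index the host last fetched; on a freshly provisioned host the index is stale or empty and `intel-media-va-driver-non-free` is not found, so the task fails. Keep the refresh but bound it: `update_cache: true` / `cache_valid_time: 3600`. `intel-media-va-driver-non-free` also lives in the `non-free` component, so the task silently assumes that component was enabled earlier in the play — a one-line comment stating that dependency would save the next reader a failed run.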
17 changes: 6 additions & 11 deletions roles/containers/services/nextcloud/tasks/main.yml
@@ -4,6 +4,8 @@
name: "nextcloud-mariadb"
image: "mariadb:latest"
pull: yes
networks:
- name: swag_public_macvlan
command: "--transaction-isolation=READ-COMMITTED --binlog-format=ROW --skip-innodb-read-only-compressed --innodb-read-only-compressed=OFF"
state: 'started'
labels:
@@ -26,6 +28,8 @@
- name: Make sure the Redis container is created and running
docker_container:
name: "nextcloud-redis"
networks:
- name: swag_public_macvlan
image: "redis:alpine"
pull: yes
state: 'started'
@@ -36,6 +40,8 @@
name: "{{ container_name }}"
image: "ghcr.io/linuxserver/nextcloud:php8"
pull: yes
networks:
- name: swag_public_macvlan
state: 'started'
env:
"PUID": "{{ guid }}"
@@ -47,17 +53,6 @@
- "{{ mergerfs_root }}/Nextcloud/{{ username }}:/data/{{ username }}"
restart_policy: unless-stopped

- name: Add {{ container_name }} to the SWAG network (reverse-proxy)
docker_network:
name: swag_network
connected:
- "{{ container_name }}"
- nextcloud-mariadb
- nextcloud-redis
appends: yes
when: enable_swag


- name: Schedule a Nextcloud library scan at midnight every day
cron:
name: Scan the Nextcloud library
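Review bot: `nextcloud-mariadb` and `nextcloud-redis` are now attached to `swag_public_macvlan`, which (if the name is accurate) gives each its own address on the physical LAN, so MariaDB's 3306 and Redis' 6379 become reachable from every LAN host instead of only from containers on the removed internal `swag_network`; the stock `redis:alpine` image runs without a password and nothing in these hunks adds one, and host iptables generally does not see macvlan traffic, so the iptables role added in this commit will not cover it. Keep the database and cache on an internal bridge network that only the `{{ container_name }}` app joins alongside the macvlan, or at minimum add `--requirepass` to the Redis command and a bind-address plus authentication restriction on MariaDB. The new `networks:` keys are also unconditional where the removed task was gated on `when: enable_swag`, so a host with SWAG disabled now fails at container creation. Each `docker_container:` task begins before its hunk.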
15 changes: 4 additions & 11 deletions roles/containers/services/vaultwarden/tasks/main.yml
@@ -4,6 +4,8 @@
docker_container:
name: 'vaultwarden'
image: "vaultwarden/server"
networks:
- name: swag_public_macvlan
pull: true
state: 'started'
labels:
@@ -15,18 +17,9 @@
WEBSOCKET_ENABLED: "true"
INVITATIONS_ALLOWED: "false"
SIGNUPS_ALLOWED: "false"
DOMAIN: "{{ dashboard_url }}"
DOMAIN: "https://{{ subdomains['vaultwarden'] }}.{{ host }}"
LOG_FILE: "/data/vaultwarden.log"
TZ: "{{ timezone }}"
volumes:
- "{{ docker_dir }}/{{ container_name }}:/data"
restart_policy: unless-stopped


- name: Add {{ container_name }} to the SWAG network (reverse-proxy)
docker_network:
name: swag_network
connected:
- vaultwarden
appends: yes
when: enable_swag
restart_policy: unless-stopped
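Review bot: Attaching vaultwarden to `swag_public_macvlan` gives the container its own LAN address, so its plain-HTTP listener (port 80 in this image) is reachable from any LAN host directly, bypassing SWAG's TLS termination and whatever Authelia enforces in front of it; the removed task only joined the proxy-internal `swag_network` and was gated on `when: enable_swag`, while the new `networks:` entry is unconditional. Host iptables generally does not filter macvlan traffic, so the new iptables role will not close this path either — keep vaultwarden on an internal bridge reachable only by SWAG, or document next to `networks:` why the macvlan exposure is accepted. `DOMAIN` now references a `host` variable while the `group_vars` hunks only define `hostname`; confirm `host` exists, since vaultwarden uses `DOMAIN` for generated links and origin checks. The `docker_container:` task begins before this hunk.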
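--- a/roles/containers/system/authelia/handlers/main.yml
+++ b/roles/containers/system/authelia/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: Restart the docker container
+docker_container:
+name: "{{ container_name }}"
+restart: yes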
21 changes: 9 additions & 12 deletions roles/containers/system/authelia/tasks/main.yml
@@ -1,5 +1,5 @@
---

- name: Make sure the {{ container_name }} container is created and running
docker_container:
name: "{{ container_name }}"
@@ -11,42 +11,39 @@
volumes:
- "{{ docker_dir }}/{{ container_name }}:/config"
restart_policy: unless-stopped
register: container

- name: Add {{ container_name }} to the SWAG network (reverse-proxy)
docker_network:
name: swag_network
name: swag_public_macvlan
connected:
- "{{ container_name }}"
appends: yes
when: enable_swag


- name: Create the configuration directory
file:
path: "{{ docker_dir }}/{{ container_name }}"
state: directory
owner: "{{ username }}"
group: "{{ username }}"
mode: 0755

- name: Install the configuration template
template:
src: configuration.yml.j2
dest: "{{ docker_dir }}/{{ container_name }}/configuration.yml"
owner: "{{ username }}"
group: "{{ username }}"
register: configuration

mode: 0644
notify:
- Restart the docker container

- name: Install the users template
template:
src: users_database.yml.j2
dest: "{{ docker_dir }}/{{ container_name }}/users_database.yml"
owner: "{{ username }}"
group: "{{ username }}"
mode: 0644
register: users

- name: Restart the docker container on change
docker_container:
name: "{{ container_name }}"
restart: yes
when: container.changed or configuration.changed or users.changed
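Review bot: The users template task lost its restart trigger: the removed final task restarted the container on `users.changed`, but only the configuration template received `notify: - Restart the docker container`, so edits to `users_database.yml` now leave Authelia running a stale user set until something else restarts it (its file backend can be configured to watch the file, but that option is not visible here). Add the same `notify:` to `Install the users template` and drop the now-unused `register: users`. Both files are written with `mode: 0644`; `users_database.yml` holds password hashes and `configuration.yml` typically carries Authelia's JWT/session secrets and SMTP credentials, so make them `mode: "0600"` (quoted so the octal survives YAML). The templates are also installed after the container is started, so a first run brings Authelia up without its config — that ordering predates this commit, but with handlers in place moving the container task last is now cheap.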