diff --git a/playbooks/prod_web.yml b/playbooks/prod_web.yml
index 8e3c9ab..d84f26d 100755
--- a/playbooks/prod_web.yml
+++ b/playbooks/prod_web.yml
@@ -15,6 +15,80 @@
 restart_policy: unless-stopped
 pull: yes
 tasks:
+ - name: ensure docker network
+ docker_network: name=web
+ tags: [ docker ]
+ - name: ensure docker nginx config
+ copy:
+ dest: /data/nginx-certbot/user_conf.d/vhosts.conf
+ mode: "0750"
+ content: |
+ server {
+ listen 443 ssl default_server;
+ server_name desu.ltd;
+ ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
+ ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass http://desultd:80;
+ }
+ }
+ server {
+ listen 443 ssl;
+ server_name 9iron.club;
+ ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
+ ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass http://9iron:80;
+ }
+ }
+ server {
+ listen 443 ssl;
+ server_name git.desu.ltd;
+ ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
+ ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass http://gitea:3000;
+ }
+ }
+ server {
+ listen 443 ssl;
+ server_name nc.desu.ltd;
+ ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
+ ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass 
http://nextcloud:80;
+ }
+ }
+ server {
+ listen 443 ssl;
+ server_name srv.9iron.club;
+ ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
+ ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass http://srv:80;
+ }
+ }
+ tags: [ docker, ingress ]
 - name: include tasks for apps
 include_tasks: tasks/app/{{ task }}
 with_items:
@@ -28,6 +102,9 @@
 - 9iron.yml
 - desultd.yml
 - gitea.yml
+ - nextcloud.yml
+ - srv.yml
+ - ingress-generic.yml
 loop_control:
 loop_var: task
 tags: [ always ]
@@ -47,20 +124,12 @@
 - /var/lib/gitea/log
 - /data/gitea/data/gitea/log
 tags: [ backup ]
- - role: certbot
- tags: [ web, certbot ]
- - role: php
- tags: [ web, php ]
- - role: apache
- tags: [ web, apache ]
 - role: git
 vars:
 git_repos:
 - repo: https://git.desu.ltd/salt/gitea-custom
 dest: /data/gitea/data/gitea/custom
 tags: [ web, git ]
- - role: nextcloud
- tags: [ web, nextcloud ]
 - hosts: web2.desu.ltd
 module_defaults:
 docker_container:
diff --git a/playbooks/tasks/web/9iron.yml b/playbooks/tasks/web/9iron.yml
index d5b979e..bfefc15 100644
--- a/playbooks/tasks/web/9iron.yml
+++ b/playbooks/tasks/web/9iron.yml
@@ -3,8 +3,9 @@
 docker_container:
 name: 9iron
 image: rehashedsalt/9iron:latest
- ports:
- - 8001:80
+ networks:
+ - name: web
+ aliases: [ "9iron" ]
 volumes:
 - /data/9iron/files:/var/www/html/files
 - /data/9iron/packs:/var/www/html/minecraft/packs
diff --git a/playbooks/tasks/web/desultd.yml b/playbooks/tasks/web/desultd.yml
index 6942c23..9a49ae7 100644
--- a/playbooks/tasks/web/desultd.yml
+++ b/playbooks/tasks/web/desultd.yml
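Review bot: Every `location /` block in the new vhosts.conf forwards only `Host` and `X-Real-IP`, so each backend sees a plain-HTTP request with no indication that the client arrived over TLS or what its address chain was; add `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` to each block, since Nextcloud and Gitea consult these (once the proxy is marked trusted on their side) to build external URLs and log client IPs. All five vhosts, including `9iron.club` and `srv.9iron.club`, are served from the `/etc/letsencrypt/live/desu.ltd/` certificate, which is only correct if that certificate carries those names as SANs — otherwise clients get a name mismatch on those hosts. The `copy` task has no `notify`, so a changed `vhosts.conf` is not picked up by the ingress container until something else restarts it; a handler that reloads or restarts that container would close the gap. Because the same commit drops the `certbot` role further down this file, renewal of the certificate under `/etc/letsencrypt` now has to come from the ingress container declared in `ingress-generic.yml`, which is not part of this diff, so it is worth confirming that path is in place before the old role's timer disappears. As a style point, `docker_network: name=web` is the only task using key=value shorthand; `docker_network:` / `name: web` in block form matches the rest of the play.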
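Review bot: Replacing the published `8001:80` with a `web` network attachment removes the host-wide listener, but whether the container ends up on that network only depends on the `docker_container` module version: older releases of the module also kept the container on the default bridge unless `networks_cli_compatible: true` was set (the default changed in community.docker 2.0), so if the collection version in use is not known to be recent, set that option explicitly here. The identical `networks:` stanzas in desultd.yml, gitea.yml, nextcloud.yml and srv.yml have the same dependency. The alias `9iron` has to stay in step with `proxy_pass http://9iron:80;` in the ingress vhosts.conf and nothing ties the two together; a comment such as `# alias must match the upstream name used in the ingress vhosts.conf` next to the `aliases:` line would make the coupling visible.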
@@ -3,8 +3,9 @@
 docker_container:
 name: desultd
 image: rehashedsalt/desultd:latest
- ports:
- - 8002:80
+ networks:
+ - name: web
+ aliases: [ "desultd" ]
 volumes:
 - /data/9iron/files:/var/www/html/files
 tags: [ docker, 9iron ]
diff --git a/playbooks/tasks/web/gitea.yml b/playbooks/tasks/web/gitea.yml
index a199253..9c14937 100644
--- a/playbooks/tasks/web/gitea.yml
+++ b/playbooks/tasks/web/gitea.yml
@@ -12,8 +12,10 @@
 GITEA__database_USER: gitea-desultd
 GITEA__database_PASSWD: "{{ secret_gitea_db_pass }}"
 ports:
- - 3000:3000
 - 127.0.0.1:2222:22
+ networks:
+ - name: web
+ aliases: [ "gitea" ]
 volumes:
 - /data/gitea/data:/data
 - /etc/timezone:/etc/timezone:ro
diff --git a/playbooks/tasks/web/nextcloud.yml b/playbooks/tasks/web/nextcloud.yml
new file mode 100644
index 0000000..f116134
--- /dev/null
+++ b/playbooks/tasks/web/nextcloud.yml
@@ -0,0 +1,14 @@
+# vim:ft=ansible:
+- name: docker deploy nextcloud
+ docker_container:
+ name: nextcloud
+ image: nextcloud:21
+ networks:
+ - name: web
+ aliases: [ "nextcloud" ]
+ volumes:
+ - /data/nextcloud/apps:/var/www/html/apps
+ - /data/nextcloud/config:/var/www/html/config
+ - /data/nextcloud/themes:/var/www/html/themes
+ - /srv/desu.ltd/nc:/var/www/html/data
+ tags: [ docker, nextcloud ]
diff --git a/playbooks/tasks/web/srv.yml b/playbooks/tasks/web/srv.yml
new file mode 100644
index 0000000..e5ea24f
--- /dev/null
+++ b/playbooks/tasks/web/srv.yml
@@ -0,0 +1,13 @@
+# vim:ft=ansible:
+- name: docker deploy nextcloud shim
+ docker_container:
+ # NOTE: We depend on the default configuration of Apache here, specifically
+ # the default to have server-generated indexes. Makes srv easier to navigate
+ name: srv
+ image: httpd:latest
+ networks:
+ - name: web
+ aliases: [ "srv" ]
+ volumes:
+ - /var/www/srv.9iron.club:/usr/local/apache2/htdocs
+ tags: [ docker, 9iron ]
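Review bot: `image: httpd:latest` together with the `pull: yes` default set for `docker_container` in prod_web.yml means each run may silently replace the web server with whatever `latest` resolves to at that moment; pin a major tag, as `nextcloud:21` does in the sibling file, or a digest, so the deployed version only changes when someone intends it. The task name `docker deploy nextcloud shim` describes an httpd container serving `/var/www/srv.9iron.club`, which a reader will not connect to Nextcloud; a name like `docker deploy srv static host` says what the task does. The NOTE already records that directory indexes are relied on, and since that makes every file under the htdocs mount listable it would help to extend it with one sentence stating that the directory is intended to be fully public.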