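#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
# Webservers
#
# One play for the general-purpose VM: sets docker_container module
# defaults, includes one task file per application, then applies the
# backup, git, prometheus, nagios and ingress roles.
---
- hosts: vm-general-1.ashburn.mgmt.desu.ltd
  gather_facts: false
  module_defaults:
    docker_container:
      restart_policy: unless-stopped
      # Every run re-pulls each container's image, so whatever tag the
      # included task files reference is fetched fresh each time; an
      # unpinned tag upgrades silently on the next run. NOTE(review): the
      # image references are presumably in the included task files, not
      # here — pin them there if reproducible deploys are wanted.
      pull: true
  pre_tasks:
    - name: ensure docker network
      docker_network:
        name: web
      tags: [docker]
  tasks:
    - name: include tasks for applications
      include_tasks: "tasks/{{ item }}"
      # Flat list of strings, so `loop` is equivalent to the older
      # `with_items` (which only differs by flattening nested lists).
      loop:
        # Applications
        - app/gitlab-runner.yml
        - app/redis.yml
        # Frontend web services
        - web/9iron.yml
        - web/desultd.yml
        - web/element-web.yml
        - web/gitea.yml
        - web/grafana.yml
        - web/netbox.yml
        - web/nextcloud.yml
        - web/synapse.yml
        # Backend web services
        - web/lidarr.yml
        - web/navidrome.yml
        - web/prowlarr.yml
        - web/radarr.yml
        - web/sonarr.yml
        - web/srv.yml
        - web/transmission.yml
        # Games
        - game/factorio.yml
        - game/minecraft-createfarming.yml
        - game/minecraft-magicpack.yml
        - game/zomboid.yml
      tags: [always]
  roles:
    - role: backup
      vars:
        backup_s3backup_list_extra:
          - /app/gitea/gitea
          - /data
        # Trees kept out of the backup set (presumably large or
        # regenerable — TODO confirm).
        backup_s3backup_exclude_list_extra:
          - /data/minecraft/magicpack/backups
          - /data/minecraft/direwolf20/backups
          - /data/shared/media
          - /data/shared/downloads
          - /data/zomboid/ZomboidDedicatedServer/steamapps/workshop
      tags: [backup]
    - role: git
      vars:
        git_repos:
          - repo: https://git.desu.ltd/salt/gitea-custom
            dest: /data/gitea/data/gitea/custom
      tags: [web, git]
    - role: prometheus
      tags: [prometheus, monitoring, no-test]
    - role: nagios
      vars:
        # Definitions for contacts and checks are defined in inventory vars
        # See group_vars/all.yml if you need to change those
        nagios_matrix_server: "https://matrix.desu.ltd"
        nagios_matrix_room: "!NWNCKlNmOTcarMcMIh:desu.ltd"
        # Credentials are templated from secret_* vars rather than written
        # here. NOTE(review): their source is not visible in this file —
        # confirm they come from an encrypted (vaulted) vars file.
        nagios_matrix_token: "{{ secret_nagios_matrix_token }}"
        nagios_data_dir: /data/nagios
        nagios_admin_pass: "{{ secret_nagios_admin_pass }}"
      tags: [nagios, no-auto]
    - role: ingress
      vars:
        ingress_head: |
          # Used by Grafana, required for its API or some shit
          map $http_upgrade $connection_upgrade {
            default upgrade;
            '' close;
          }
        ingress_servers:
          # desu.ltd
          - name: desu.ltd
            proxy_pass: http://desultd:80
            locations:
              # Matrix delegation: points federation and clients at
              # matrix.desu.ltd.
              - location: /.well-known/matrix/server
                contents: |
                  default_type application/json;
                  return 200 '{"m.server":"matrix.desu.ltd:443"}';
              - location: /.well-known/matrix/client
                contents: |
                  default_type application/json;
                  return 200 '{"m.homeserver":{"base_url":"https://matrix.desu.ltd"}}';
          - name: git.desu.ltd
            proxy_pass: http://gitea:3000
          - name: grafana.desu.ltd
            proxy_pass: http://grafana:3000
            locations:
              # WebSocket upgrade for /api/live/, using the
              # $connection_upgrade map defined in ingress_head.
              - location: "/api/live/"
                contents: |
                  proxy_http_version 1.1;
                  proxy_set_header Upgrade $http_upgrade;
                  proxy_set_header Connection $connection_upgrade;
                  proxy_set_header Host $host;
                  proxy_pass http://grafana:3000;
          - name: matrix.desu.ltd
            proxies:
              # Single-quoted so YAML applies no escape processing to the
              # regex.
              - location: '~* ^(/_matrix|/_synapse|/client|/health)'
                pass: http://synapse:8008
              - location: /
                pass: http://element:80
            directives:
              # Removes nginx's request-body cap for this vhost; the
              # backend's own limits are then the only bound on uploads.
              - "client_max_body_size 0"
          - name: nagios.desu.ltd
            proxy_pass: http://nagios:80
          - name: nc.desu.ltd
            directives:
              # HSTS is set only on this vhost in this play; whether the
              # ingress role adds it elsewhere is not visible here.
              - 'add_header Strict-Transport-Security "max-age=31536000"'
              - "client_max_body_size 0"
            proxy_pass: http://nextcloud:80
            locations:
              # CalDAV/CardDAV discovery redirects for Nextcloud clients.
              - location: "^~ /.well-known"
                contents: |
                  location = /.well-known/carddav { return 301 /remote.php/dav/; }
                  location = /.well-known/caldav { return 301 /remote.php/dav/; }
                  location ^~ /.well-known { return 301 /index.php$uri; }
                  try_files $uri $uri/ =404;
          - name: netbox.desu.ltd
            proxy_pass: http://netbox:8080
          - name: prometheus.desu.ltd
            # Nothing in this play puts authentication in front of
            # Prometheus, so this allow/deny list is the only access control
            # on the vhost. nginx evaluates allow/deny against the connecting
            # address; NOTE(review): if a proxy or CDN sits in front of this
            # host, the address checked is the proxy's — confirm the ingress
            # is reached directly.
            directives:
              - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
              - "allow 10.0.0.0/8"
              - "allow 172.16.0.0/12"
              - "allow 192.168.0.0/16"
              # TODO: Replace this with a dynamically-generated list of public IPs from inv
              - "allow 45.79.58.44/32"  # bastion1.dallas.mgmt.desu.ltd
              - "deny all"
            proxy_pass: http://prometheus:9090
          # desu.ltd media bullshit
          # Each media vhost is limited to the home address range with the
          # same allow/deny pair; the note on prometheus.desu.ltd about
          # proxied client addresses applies to these too.
          - name: music.desu.ltd
            directives:
              - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
              - "deny all"
            proxy_pass: http://navidrome:4533
          - name: lidarr.media.desu.ltd
            directives:
              - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
              - "deny all"
            proxy_pass: http://lidarr:8686
          - name: prowlarr.media.desu.ltd
            directives:
              - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
              - "deny all"
            proxy_pass: http://prowlarr:9696
          - name: sonarr.media.desu.ltd
            directives:
              - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
              - "deny all"
            proxy_pass: http://sonarr:8989
          - name: radarr.media.desu.ltd
            directives:
              - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
              - "deny all"
            proxy_pass: http://radarr:7878
          - name: transmission.media.desu.ltd
            directives:
              - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
              - "deny all"
            proxy_pass: http://transmission:9091
          # 9iron
          # Canonicalise www to the apex, keeping scheme and path.
          - name: www.9iron.club
            directives:
              - "return 301 $scheme://9iron.club$request_uri"
          - name: 9iron.club
            proxy_pass: http://9iron:80
          - name: srv.9iron.club
            proxy_pass: http://srv:80
      tags: [web, docker, ingress]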