#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
# Webservers
---
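- hosts: vm-general-1.ashburn.mgmt.desu.ltd
  # Fact gathering is skipped. Nothing visible in this play reads facts, but the
  # included task files are not shown here — re-enable if one of them needs them.
  gather_facts: false
  module_defaults:
    docker_container:
      restart_policy: unless-stopped
      # Always pull the tagged image before (re)creating a container. Mutable
      # tags therefore move on every run; pin a tag or digest in the per-app task
      # files wherever a reproducible deployment matters.
      pull: true
  pre_tasks:
    - name: ensure docker network
      # Shared network named `web`. The proxy_pass targets under the ingress role
      # (gitea:3000, grafana:3000, ...) presumably resolve over it — confirm in
      # the per-app task files.
      docker_network:
        name: web
      tags: [ docker ]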
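  tasks:
    # One task file per application under tasks/; any docker_container tasks in
    # them inherit the module_defaults set above.
    - name: include tasks for applications
      include_tasks: "tasks/{{ item }}"
      # `loop` is the current spelling of `with_items`; for a flat list of
      # strings the two behave identically.
      loop:
        # Applications
        - app/gitlab-runner.yml
        - app/redis.yml
        # Frontend web services
        - web/9iron.yml
        - web/desultd.yml
        - web/element-web.yml
        - web/gitea.yml
        - web/grafana.yml
        - web/netbox.yml
        - web/nextcloud.yml
        - web/synapse.yml
        # Backend web services
        - web/lidarr.yml
        - web/navidrome.yml
        - web/prowlarr.yml
        - web/radarr.yml
        - web/sonarr.yml
        - web/srv.yml
        - web/transmission.yml
        # Games
        - game/factorio.yml
        - game/minecraft-createfarming.yml
        - game/minecraft-magicpack.yml
        - game/minecraft-weedie.yml
        - game/zomboid.yml
        - game/satisfactory.yml
        - game/tmodloader-generic.yml
      # include_tasks is dynamic, so its tags are not inherited by the included
      # tasks. `always` keeps the include itself running under any --tags
      # selection; the tags carried inside each file decide what actually runs.
      tags: [ always ]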
  roles:
    # Backup of application state. Both lists extend the role's own defaults
    # (the `_extra` suffix); the destination is presumably S3, per the variable
    # names — confirm in the role.
    - role: backup
      tags: [ backup ]
      vars:
        # Additional paths to include in the backup set.
        backup_s3backup_list_extra:
          - /app/gitea/gitea
          - /data
        # Subtrees under /data left out of the backup set: the game servers'
        # own backup directories, the shared media/download trees and the
        # Zomboid Steam workshop cache.
        backup_s3backup_exclude_list_extra:
          - /data/minecraft/magicpack/backups
          # NOTE(review): no game/minecraft-direwolf20 task is included in this
          # play — verify this path is still live or drop the entry.
          - /data/minecraft/direwolf20/backups
          - /data/minecraft/weedie/backups
          - /data/shared/media
          - /data/shared/downloads
          - /data/zomboid/ZomboidDedicatedServer/steamapps/workshop
    # Keeps a checkout of the Gitea customisation repo inside Gitea's data dir.
    # git.desu.ltd is itself proxied to the gitea container by the ingress role
    # below, so this role appears to depend on that service already being up.
    - role: git
      tags: [ web, git ]
      vars:
        git_repos:
          - repo: https://git.desu.ltd/salt/gitea-custom
            dest: /data/gitea/data/gitea/custom
    # Metrics collection. `no-test` presumably keeps this role out of whatever
    # test run filters by tag — confirm against the tooling that uses that tag.
    - role: prometheus
      tags: [ prometheus, monitoring, no-test ]
    # Monitoring and alerting. `no-auto` presumably excludes this role from
    # unattended runs — confirm against the tooling that uses that tag.
    - role: nagios
      tags: [ nagios, no-auto ]
      vars:
        # Contacts and checks are defined in inventory vars; see
        # group_vars/all.yml to change them.
        # Alerts are delivered to a Matrix room. The room ID must stay quoted:
        # a leading `!` would otherwise be read as a YAML tag indicator.
        nagios_matrix_server: "https://matrix.desu.ltd"
        nagios_matrix_room: "!NWNCKlNmOTcarMcMIh:desu.ltd"
        # Bot token and web-UI admin password come from secret_* inventory vars,
        # not from this file.
        nagios_matrix_token: "{{ secret_nagios_matrix_token }}"
        nagios_admin_pass: "{{ secret_nagios_admin_pass }}"
        nagios_data_dir: /data/nagios
    - role: ingress
      vars:
        # Raw nginx config that the role presumably emits ahead of the server
        # blocks — confirm against the role's template. The map turns
        # $http_upgrade into the $connection_upgrade variable used by the
        # Grafana WebSocket location further down. The `#` line inside the
        # scalar is an nginx comment and is part of the value, not YAML.
        ingress_head: |
          # Used by Grafana, required for its API or some shit
          map $http_upgrade $connection_upgrade {
            default upgrade;
            '' close;
          }
        ingress_servers:
          # desu.ltd
          - name: desu.ltd
            proxy_pass: http://desultd:80
            # Matrix delegation: both .well-known documents point clients and
            # federating servers at matrix.desu.ltd rather than this host.
            locations:
              - location: /.well-known/matrix/server
                contents: |
                  default_type application/json;
                  return 200 '{"m.server":"matrix.desu.ltd:443"}';
              - location: /.well-known/matrix/client
                contents: |
                  default_type application/json;
                  return 200 '{"m.homeserver":{"base_url":"https://matrix.desu.ltd"}}';
          - name: git.desu.ltd
            proxy_pass: http://gitea:3000
          - name: grafana.desu.ltd
            proxy_pass: http://grafana:3000
            # Grafana Live streams over WebSockets: this location upgrades the
            # connection (via the $connection_upgrade map from ingress_head) and
            # proxies to the same upstream as the rest of the host.
            locations:
              - location: "/api/live/"
                contents: |
                      proxy_http_version 1.1;
                      proxy_set_header Upgrade $http_upgrade;
                      proxy_set_header Connection $connection_upgrade;
                      proxy_set_header Host $host;
                      proxy_pass http://grafana:3000;
          - name: matrix.desu.ltd
            # Synapse takes the Matrix/Synapse API paths (plus /client and
            # /health); every other path on this host falls through to the
            # Element web client.
            proxies:
              - location: "~* ^(\/_matrix|\/_synapse|\/client|\/health)"
                pass: http://synapse:8008
              - location: /
                pass: http://element:80
            # client_max_body_size 0 lifts nginx's request-body cap, so upload
            # limits are whatever Synapse enforces — presumably intended for
            # media uploads; confirm.
            directives:
              - "client_max_body_size 0"
          - name: nc.desu.ltd
            # HSTS for one year, without includeSubDomains or preload; body-size
            # cap removed and keepalive limits raised. NOTE(review): nginx does
            # not inherit add_header into a location that sets its own
            # add_header, so whether the .well-known location below still sends
            # the HSTS header depends on how the role renders `locations` —
            # check the rendered config.
            directives:
              - "add_header Strict-Transport-Security \"max-age=31536000\""
              - "client_max_body_size 0"
              - "keepalive_requests 99999"
              - "keepalive_timeout 600"
            proxy_pass: http://nextcloud:80
            # Nextcloud CalDAV/CardDAV discovery redirects; anything else under
            # /.well-known goes to index.php.
            locations:
              - location: "^~ /.well-known"
                contents: |
                  location = /.well-known/carddav { return 301 /remote.php/dav/; }
                  location = /.well-known/caldav  { return 301 /remote.php/dav/; }
                  location ^~ /.well-known        { return 301 /index.php$uri; }
                  try_files $uri $uri/ =404;
          - name: netbox.desu.ltd
            proxy_pass: http://netbox:8080
          - name: prometheus.desu.ltd
            # Source-IP allow-list: the home CIDR from inventory, the three
            # RFC 1918 ranges, the bastion, then deny everything else. This only
            # restricts access if nginx sees the real client address (nothing
            # proxying in front of it) — confirm how the role handles real_ip.
            directives:
              - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
              - "allow 10.0.0.0/8"
              - "allow 172.16.0.0/12"
              - "allow 192.168.0.0/16"
              # TODO: Replace this with a dynamically-generated list of public IPs from inv
              - "allow 45.79.58.44/32"  # bastion1.dallas.mgmt.desu.ltd
              - "deny all"
            proxy_pass: http://prometheus:9090
          # desu.ltd media bullshit
          - name: prowlarr.media.desu.ltd
            # The media hosts below (prowlarr, sonarr, radarr, transmission) are
            # all restricted to the home CIDR only; same caveat about the real
            # client address as for prometheus above.
            directives:
              - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
              - "deny all"
            proxy_pass: http://prowlarr:9696
          - name: sonarr.media.desu.ltd
            directives:
              - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
              - "deny all"
            proxy_pass: http://sonarr:8989
          - name: radarr.media.desu.ltd
            directives:
              - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
              - "deny all"
            proxy_pass: http://radarr:7878
          - name: transmission.media.desu.ltd
            directives:
              - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
              - "deny all"
            proxy_pass: http://transmission:9091
          # 9iron
          - name: www.9iron.club
            # Permanent redirect of the www host to the apex; no upstream needed.
            directives:
              - "return 301 $scheme://9iron.club$request_uri"
          - name: 9iron.club
            proxy_pass: http://9iron:80
          - name: srv.9iron.club
            proxy_pass: http://srv:80
      tags: [ web, docker, ingress ]