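#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
# Webservers
#
# One play per web host. Each play: ensures the shared `web` docker network,
# drops the nginx vhost file consumed by the nginx-certbot container, then
# includes the per-app / per-service task files. Note that Ansible runs a
# play's `roles` before its `tasks` regardless of the order the keys are
# written in, so the backup/git roles below apply before the containers are
# (re)started.
---
- hosts: web1.desu.ltd
  module_defaults:
    docker_container:
      state: started
      restart_policy: unless-stopped
      # Re-pulls the image on every run. Unless the per-app task files pin a
      # tag or digest, what gets deployed is "whatever the registry serves
      # today" — worth pinning where reproducibility matters.
      pull: true
  tasks:
    - name: ensure docker network
      docker_network:
        name: web
      tags: [ docker ]

    - name: ensure docker nginx config
      # Reviewer notes on the vhosts below (the block is deployed verbatim, so
      # the remarks live here rather than inside it):
      # - Only nc.desu.ltd sends Strict-Transport-Security; the other server
      #   blocks do not. If HSTS is wanted everywhere, add it per block
      #   deliberately — it is cached by clients, so start with a short
      #   max-age.
      # - Upstreams receive Host and X-Real-IP only; no X-Forwarded-Proto /
      #   X-Forwarded-For. Apps that build absolute URLs (Gitea, Nextcloud)
      #   may need one or their own overwrite setting — confirm per app.
      # - 9iron.club, www.9iron.club, git.desu.ltd, nc.desu.ltd and
      #   srv.9iron.club all use the desu.ltd certificate files; this assumes
      #   that cert carries those names as SANs.
      # - There is no port-80 listener here; presumably the nginx-certbot
      #   image's own config handles HTTP→HTTPS — confirm.
      # - In the nc.desu.ltd `.well-known` block the nested
      #   `location ^~ /.well-known` matches every remaining path, so the
      #   trailing `try_files` is unreachable (dead config).
      copy:
        dest: /data/nginx-certbot/user_conf.d/vhosts.conf
        mode: "0750"
        content: |
          server {
            listen 443 ssl default_server;
            server_name desu.ltd;
            ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
            ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
            location / {
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_pass http://desultd:80;
            }
          }
          server {
            listen 443 ssl;
            server_name www.9iron.club;
            ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
            ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
            return 301 $scheme://9iron.club$request_uri;
          }
          server {
            listen 443 ssl;
            server_name 9iron.club;
            ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
            ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
            location / {
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_pass http://9iron:80;
            }
          }
          server {
            listen 443 ssl;
            server_name git.desu.ltd;
            ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
            ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
            location / {
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_pass http://gitea:3000;
            }
          }
          server {
            listen 443 ssl;
            server_name nc.desu.ltd;
            ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
            ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
            add_header Strict-Transport-Security "max-age=31536000";
            location / {
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_pass http://nextcloud:80;
            }
            location ^~ /.well-known {
              location = /.well-known/carddav { return 301 /remote.php/dav/; }
              location = /.well-known/caldav { return 301 /remote.php/dav/; }
              location ^~ /.well-known { return 301 /index.php$uri; }
              try_files $uri $uri/ =404;
            }
          }
          server {
            listen 443 ssl;
            server_name srv.9iron.club;
            ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
            ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
            location / {
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_pass http://srv:80;
            }
          }
      tags: [ docker, ingress ]

    # `always` so the include itself runs under any tag selection; the tasks
    # inside the included files still filter on their own tags.
    - name: include tasks for apps
      include_tasks: tasks/app/{{ task }}
      loop:
        - gulagbot.yml
        - redis.yml
      loop_control:
        loop_var: task
      tags: [ always ]

    - name: include tasks for web services
      include_tasks: tasks/web/{{ task }}
      loop:
        - 9iron.yml
        - desultd.yml
        - gitea.yml
        - nextcloud.yml
        - srv.yml
        - ingress-generic.yml
      loop_control:
        loop_var: task
      tags: [ always ]
  roles:
    - role: backup
      vars:
        backup_s3backup_list_extra:
          - /app/gitea/gitea
          - /data
          - /var/www/nc.desu.ltd
          - /var/www/srv.9iron.club
          - /srv/desu.ltd
        backup_s3backup_exclude_list_extra:
          - /var/lib/gitea/log
          - /data/gitea/data/gitea/log
      tags: [ backup ]
    # Checks out the Gitea "custom" directory from a git repo. Whatever lands
    # there is rendered by the Gitea server itself (templates, public assets),
    # so write access to that repo is effectively write access to the Gitea
    # instance's served content — keep it as restricted as the host.
    - role: git
      vars:
        git_repos:
          - repo: https://git.desu.ltd/salt/gitea-custom
            dest: /data/gitea/data/gitea/custom
      tags: [ web, git ]

- hosts: web2.desu.ltd
  module_defaults:
    docker_container:
      state: started
      restart_policy: unless-stopped
      pull: true
  tasks:
    - name: ensure docker network
      docker_network:
        name: web
      tags: [ docker ]

    - name: ensure docker nginx config
      # Same notes as web1's vhost file apply (no HSTS, no X-Forwarded-Proto,
      # no port-80 listener). Additionally, Pleroma and PeerTube use
      # websockets and large uploads; nothing here sets Upgrade/Connection
      # headers or client_max_body_size — confirm the per-app task files or
      # the image defaults cover that.
      copy:
        dest: /data/nginx-certbot/user_conf.d/vhosts.conf
        mode: "0750"
        content: |
          server {
            listen 443 ssl default_server;
            server_name cowfee.moe;
            ssl_certificate /etc/letsencrypt/live/cowfee.moe/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/cowfee.moe/privkey.pem;
            ssl_trusted_certificate /etc/letsencrypt/live/cowfee.moe/chain.pem;
            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
            location / {
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_pass http://pleroma:4000;
            }
          }
          server {
            listen 443 ssl;
            server_name tube.cowfee.moe;
            ssl_certificate /etc/letsencrypt/live/cowfee.moe/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/cowfee.moe/privkey.pem;
            ssl_trusted_certificate /etc/letsencrypt/live/cowfee.moe/chain.pem;
            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
            location / {
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_pass http://peertube:9000;
            }
          }
      tags: [ docker, ingress ]

    - name: include tasks for apps
      include_tasks: tasks/app/{{ task }}
      loop:
        - redis.yml
      loop_control:
        loop_var: task
      tags: [ always ]

    - name: include tasks for web services
      include_tasks: tasks/web/{{ task }}
      loop:
        - peertube.yml
        - pleroma.yml
        - ingress-generic.yml
      loop_control:
        loop_var: task
      tags: [ always ]
  roles:
    - role: backup
      vars:
        backup_s3backup_list_extra:
          - /data
      tags: [ backup ]

- hosts: web3.desu.ltd
  module_defaults:
    docker_container:
      state: started
      restart_policy: unless-stopped
      pull: true
  tasks:
    - name: ensure docker network
      docker_network:
        name: web
      tags: [ docker ]

    - name: ensure docker nginx config
      # Same notes as web1's vhost file apply (no HSTS, no X-Forwarded-Proto,
      # no port-80 listener). nagios.desu.ltd and movie.desu.ltd are served
      # from the netbox.desu.ltd certificate files — assumes that cert lists
      # them as SANs.
      copy:
        dest: /data/nginx-certbot/user_conf.d/vhosts.conf
        mode: "0750"
        content: |
          server {
            listen 443 ssl default_server;
            server_name netbox.desu.ltd;
            ssl_certificate /etc/letsencrypt/live/netbox.desu.ltd/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/netbox.desu.ltd/privkey.pem;
            ssl_trusted_certificate /etc/letsencrypt/live/netbox.desu.ltd/chain.pem;
            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
            location / {
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_pass http://netbox:8080;
            }
          }
          server {
            listen 443 ssl;
            server_name nagios.desu.ltd;
            ssl_certificate /etc/letsencrypt/live/netbox.desu.ltd/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/netbox.desu.ltd/privkey.pem;
            ssl_trusted_certificate /etc/letsencrypt/live/netbox.desu.ltd/chain.pem;
            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
            location / {
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_pass http://nagios:80;
            }
          }
          server {
            listen 443 ssl;
            server_name movie.desu.ltd;
            ssl_certificate /etc/letsencrypt/live/netbox.desu.ltd/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/netbox.desu.ltd/privkey.pem;
            ssl_trusted_certificate /etc/letsencrypt/live/netbox.desu.ltd/chain.pem;
            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
            location / {
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_pass http://movienight:8089;
            }
          }
      tags: [ docker, ingress ]

    - name: include tasks for apps
      include_tasks: tasks/app/{{ task }}
      loop:
        - redis.yml
      loop_control:
        loop_var: task
      tags: [ always ]

    - name: include tasks for web services
      include_tasks: tasks/web/{{ task }}
      loop:
        - movienight.yml
        - netbox.yml
        - nagios.yml
        - ingress-generic.yml
      loop_control:
        loop_var: task
      tags: [ always ]
  roles:
    - role: backup
      vars:
        backup_s3backup_list_extra:
          - /data
      tags: [ backup ]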