#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
# Webservers
---
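# Play: web1.desu.ltd — TLS ingress for desu.ltd / 9iron.club and the apps
# behind it (Gitea, Nextcloud, srv). Note that Ansible runs `roles` before
# `tasks` regardless of where the `roles:` key sits in the play, so the backup
# and git roles below execute before the docker tasks.
- hosts: web1.desu.ltd
  # Defaults for every docker_container task in this play, including the ones
  # pulled in by include_tasks further down.
  module_defaults:
    docker_container:
      state: started
      restart_policy: unless-stopped
      # Re-pull the image on every run. How reproducible that is depends on
      # the image tags pinned in the included task files (not shown here);
      # a floating tag means the running code can change with no change in
      # this repository.
      pull: true

  tasks:
    - name: ensure docker network
      docker_network:
        name: web
      tags: [docker]

    # Virtual-host file consumed by the nginx-certbot container. The nginx
    # text is written verbatim. The desu.ltd certificate is reused for the
    # 9iron.club and www.9iron.club vhosts, so it must list those names as
    # SANs or those hosts present a mismatched certificate. Only nc.desu.ltd
    # sends Strict-Transport-Security; the other vhosts do not — consider
    # making that consistent. No vhost forwards X-Forwarded-Proto to its
    # upstream; apps that build absolute URLs may need it — confirm per app.
    - name: ensure docker nginx config
      copy:
        dest: /data/nginx-certbot/user_conf.d/vhosts.conf
        # Quoted so YAML does not read the octal mode as an integer. The
        # execute bit is not needed for a plain config file; the nginx
        # container only has to be able to read it.
        mode: "0750"
        content: |
          server {
            listen 443 ssl default_server;
            server_name desu.ltd;
            ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
            ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
            location / {
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_pass http://desultd:80;
            }
          }
          server {
            listen 443 ssl;
            server_name www.9iron.club;
            ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
            ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
            return 301 $scheme://9iron.club$request_uri;
          }
          server {
            listen 443 ssl;
            server_name 9iron.club;
            ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
            ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
            location / {
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_pass http://9iron:80;
            }
          }
          server {
            listen 443 ssl;
            server_name git.desu.ltd;
            ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
            ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
            location / {
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_pass http://gitea:3000;
            }
          }
          server {
            listen 443 ssl;
            server_name nc.desu.ltd;
            ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
            ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
            add_header Strict-Transport-Security "max-age=31536000";
            location / {
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_pass http://nextcloud:80;
            }
            location ^~ /.well-known {
              location = /.well-known/carddav { return 301 /remote.php/dav/; }
              location = /.well-known/caldav { return 301 /remote.php/dav/; }
              location ^~ /.well-known { return 301 /index.php$uri; }
              try_files $uri $uri/ =404;
            }
          }
          server {
            listen 443 ssl;
            server_name srv.9iron.club;
            ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
            ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
            location / {
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_pass http://srv:80;
            }
          }
      tags: [docker, ingress]

    # Tags on an include_tasks apply to the include statement only, so
    # `always` keeps the include evaluated on tag-filtered runs; the tasks
    # inside each file carry their own tags (not shown here).
    - name: include tasks for apps
      include_tasks: "tasks/app/{{ task }}"
      loop:
        - gulagbot.yml
        - redis.yml
      loop_control:
        loop_var: task
      tags: [always]

    - name: include tasks for web services
      include_tasks: "tasks/web/{{ task }}"
      loop:
        - 9iron.yml
        - desultd.yml
        - gitea.yml
        - nextcloud.yml
        - srv.yml
        - ingress-generic.yml
      loop_control:
        loop_var: task
      tags: [always]

  roles:
    - role: backup
      vars:
        backup_s3backup_list_extra:
          - /app/gitea/gitea
          - /data
          - /var/www/nc.desu.ltd
          - /var/www/srv.9iron.club
          - /srv/desu.ltd
        # Log directories are excluded from the /data and gitea backups.
        backup_s3backup_exclude_list_extra:
          - /var/lib/gitea/log
          - /data/gitea/data/gitea/log
      tags: [backup]

    # Clones Gitea's customisation repo from the Gitea instance this same
    # play serves (git.desu.ltd); on a fresh host this role runs before the
    # gitea task file and so presumably needs the instance already reachable
    # — confirm on first provisioning.
    - role: git
      vars:
        git_repos:
          - repo: https://git.desu.ltd/salt/gitea-custom
            dest: /data/gitea/data/gitea/custom
      tags: [web, git]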
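# Play: web2.desu.ltd — TLS ingress for cowfee.moe (Pleroma) and
# tube.cowfee.moe (PeerTube). As in the other plays, `roles` run before
# `tasks` regardless of key order.
- hosts: web2.desu.ltd
  # Defaults for every docker_container task in this play, including the ones
  # pulled in by include_tasks further down.
  module_defaults:
    docker_container:
      state: started
      restart_policy: unless-stopped
      # Re-pull the image on every run; reproducibility depends on the image
      # tags pinned in the included task files (not shown here).
      pull: true

  tasks:
    - name: ensure docker network
      docker_network:
        name: web
      tags: [docker]

    # Virtual-host file consumed by the nginx-certbot container; the nginx
    # text is written verbatim. Both vhosts share the cowfee.moe certificate,
    # so it must cover tube.cowfee.moe as a SAN. Neither vhost sends
    # Strict-Transport-Security or forwards X-Forwarded-Proto upstream;
    # confirm whether Pleroma/PeerTube need the latter for absolute URLs.
    - name: ensure docker nginx config
      copy:
        dest: /data/nginx-certbot/user_conf.d/vhosts.conf
        # Quoted so YAML does not read the octal mode as an integer.
        mode: "0750"
        content: |
          server {
            listen 443 ssl default_server;
            server_name cowfee.moe;
            ssl_certificate /etc/letsencrypt/live/cowfee.moe/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/cowfee.moe/privkey.pem;
            ssl_trusted_certificate /etc/letsencrypt/live/cowfee.moe/chain.pem;
            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
            location / {
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_pass http://pleroma:4000;
            }
          }
          server {
            listen 443 ssl;
            server_name tube.cowfee.moe;
            ssl_certificate /etc/letsencrypt/live/cowfee.moe/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/cowfee.moe/privkey.pem;
            ssl_trusted_certificate /etc/letsencrypt/live/cowfee.moe/chain.pem;
            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
            location / {
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_pass http://peertube:9000;
            }
          }
      tags: [docker, ingress]

    # `always` keeps the include evaluated on tag-filtered runs; the included
    # tasks carry their own tags (not shown here).
    - name: include tasks for apps
      include_tasks: "tasks/app/{{ task }}"
      loop:
        - redis.yml
      loop_control:
        loop_var: task
      tags: [always]

    - name: include tasks for web services
      include_tasks: "tasks/web/{{ task }}"
      loop:
        - peertube.yml
        - pleroma.yml
        - ingress-generic.yml
      loop_control:
        loop_var: task
      tags: [always]

  roles:
    - role: backup
      vars:
        backup_s3backup_list_extra:
          - /data
      tags: [backup]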
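# Play: web3.desu.ltd — TLS ingress for the internal tooling hosts (NetBox,
# Nagios, MovieNight). As in the other plays, `roles` run before `tasks`
# regardless of key order.
- hosts: web3.desu.ltd
  # Defaults for every docker_container task in this play, including the ones
  # pulled in by include_tasks further down.
  module_defaults:
    docker_container:
      state: started
      restart_policy: unless-stopped
      # Re-pull the image on every run; reproducibility depends on the image
      # tags pinned in the included task files (not shown here).
      pull: true

  tasks:
    - name: ensure docker network
      docker_network:
        name: web
      tags: [docker]

    # Virtual-host file consumed by the nginx-certbot container; the nginx
    # text is written verbatim. All three vhosts reuse the netbox.desu.ltd
    # certificate, so it must list nagios.desu.ltd and movie.desu.ltd as
    # SANs. None of the vhosts sends Strict-Transport-Security or forwards
    # X-Forwarded-Proto upstream — NetBox in particular may need the latter
    # to build https URLs; confirm against its settings.
    - name: ensure docker nginx config
      copy:
        dest: /data/nginx-certbot/user_conf.d/vhosts.conf
        # Quoted so YAML does not read the octal mode as an integer.
        mode: "0750"
        content: |
          server {
            listen 443 ssl default_server;
            server_name netbox.desu.ltd;
            ssl_certificate /etc/letsencrypt/live/netbox.desu.ltd/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/netbox.desu.ltd/privkey.pem;
            ssl_trusted_certificate /etc/letsencrypt/live/netbox.desu.ltd/chain.pem;
            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
            location / {
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_pass http://netbox:8080;
            }
          }
          server {
            listen 443 ssl;
            server_name nagios.desu.ltd;
            ssl_certificate /etc/letsencrypt/live/netbox.desu.ltd/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/netbox.desu.ltd/privkey.pem;
            ssl_trusted_certificate /etc/letsencrypt/live/netbox.desu.ltd/chain.pem;
            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
            location / {
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_pass http://nagios:80;
            }
          }
          server {
            listen 443 ssl;
            server_name movie.desu.ltd;
            ssl_certificate /etc/letsencrypt/live/netbox.desu.ltd/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/netbox.desu.ltd/privkey.pem;
            ssl_trusted_certificate /etc/letsencrypt/live/netbox.desu.ltd/chain.pem;
            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
            location / {
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_pass http://movienight:8089;
            }
          }
      tags: [docker, ingress]

    # `always` keeps the include evaluated on tag-filtered runs; the included
    # tasks carry their own tags (not shown here).
    - name: include tasks for apps
      include_tasks: "tasks/app/{{ task }}"
      loop:
        - redis.yml
      loop_control:
        loop_var: task
      tags: [always]

    - name: include tasks for web services
      include_tasks: "tasks/web/{{ task }}"
      loop:
        - movienight.yml
        - netbox.yml
        - nagios.yml
        - ingress-generic.yml
      loop_control:
        loop_var: task
      tags: [always]

  roles:
    - role: backup
      vars:
        backup_s3backup_list_extra:
          - /data
      tags: [backup]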