Forgejo config

This commit is contained in:
Jade Ellis 2025-01-24 17:50:19 +00:00
parent 84144b2bc4
commit d029e0a0dd
No known key found for this signature in database
GPG key ID: 8705A2A3EBF77BD2
10 changed files with 253 additions and 13 deletions


@ -1,2 +1,2 @@
[personal]
ns3763049.ip-213-32-25.eu ansible_connection=ssh ansible_user=ansible
ns3763049.ip-213-32-25.eu ansible_connection=ssh ansible_user=ansible ansible_port=222


@ -1,12 +1,13 @@
- name: My first play
- name: Set up servers
hosts: personal
gather_facts: false
tasks:
- name: Ping my hosts
ansible.builtin.ping:
# - name: Change SSH port
# ansible.builtin.include_role:
# name: ssh-port
- name: Run deferred setup to gather facts
setup:
- name: Print message
ansible.builtin.debug:
msg: Hello world
# - name: Copy conduwuit backup
# ansible.posix.synchronize:
# src: ./conduwuit-testing
@ -17,6 +18,7 @@
enabled: true
state: started
- name: Copy containers
become: true
ansible.posix.synchronize:
src: ../containers/
dest: /etc/containers/systemd
@ -24,19 +26,23 @@
- name: Reload systemd generators
ansible.builtin.command: sudo systemctl daemon-reload
- name: Install logrotate
become: true
ansible.builtin.package:
name: logrotate
state: present
- name: Copy logrotate config
become: true
ansible.posix.synchronize:
src: ../logrotate.d/
dest: /etc/logrotate.d
- name: find files with possible suspect line endings or perms
become: true
ansible.builtin.find:
paths: /etc/logrotate.d
patterns: '*'
register: output
- name: fix suspect line endings
become: true
replace: path={{item.path}} regexp="\r"
with_items: "{{ output.files }}"
- name: fix logrotate permissions
@ -56,6 +62,7 @@
path: /var/log/traefik
state: directory
- name: Copy kanidm config
become: true
ansible.posix.synchronize:
src: ../kanidm/
dest: /etc/kanidm
@ -67,18 +74,25 @@
file:
path: /var/opt/kanidm_data
state: directory
- name: Creates forgejo data directory
file:
path: /var/opt/forgejo_data
state: directory
# - name: Generate Element Web config
# # run on localhost
# local_action: ansible.builtin.command cd ../element-web && node config.js
- name: Copy Element Web config
become: true
ansible.posix.synchronize:
src: ../element-web/public/
dest: /etc/element-web
- name: Copy homepage config
become: true
ansible.posix.synchronize:
src: ../homepage/
dest: /etc/homepage
- name: Copy sentry relay config
become: true
ansible.posix.synchronize:
src: ../sentry-relay/
dest: /etc/sentry-relay
@ -87,16 +101,19 @@
path: /var/opt/stalwart-mail
state: directory
- name: Copy stalwart config
become: true
ansible.posix.synchronize:
src: ../stalwart/
dest: /etc/stalwart
- name: Copy coturn config
become: true
ansible.posix.synchronize:
src: ../coturn/
dest: /etc/coturn
# Pull mautrix config:
# rsync --rsync-path="sudo rsync" -r -t -z -P --include "*/" --include="*.yaml" --exclude="*" ansible@213.32.25.24:/var/opt/mautrix/ ./mautrix
- name: Copy mautrix config
become: true
ansible.posix.synchronize:
src: ../mautrix/
dest: /var/opt/mautrix
@ -123,6 +140,7 @@
path: /var/opt/freshrss-extensions
state: directory
- name: Copy freshrss config
become: true
ansible.posix.synchronize:
src: ../freshrss/
dest: /etc/freshrss
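Review bot: The new `Creates forgejo data directory` task sets no `owner`, `group` or `mode` on /var/opt/forgejo_data, so the directory is owned by whichever account ran the play, while forgejo.container in this commit runs the service as USER_UID/USER_GID 1000; add `owner: "1000"`, `group: "1000"` and `mode: "0750"` so the container can write its data without a later manual chown. The `ssh-port` role include at the top of the play is left commented out, yet the inventory in this commit now connects on port 222 and forgejo.container publishes host port 22 — on a host where sshd has not already been moved by hand, the play would either fail to connect or leave the container and sshd contending for port 22, so either re-enable the include (before `Run deferred setup to gather facts`) or add a comment recording that the port move is done out of band. The play continues outside the shown hunks.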


@ -0,0 +1,5 @@
- name: Restart sshd
become: true
service:
name: sshd
state: restarted
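Review bot: The handler restarts the `sshd` service through `service`, but the ssh-port role in this commit also drops a `ListenStream=` override into /etc/systemd/system/sshd.socket.d, which systemd does not pick up until a daemon-reload and a restart of the socket unit; with socket activation in use, restarting only sshd.service leaves the socket on the old port. Switch the handler to `ansible.builtin.systemd:` with `daemon_reload: true`, and consider a second handler (or a `loop` over `sshd.socket` and `sshd`) so the socket unit is restarted as well; whether this host actually uses sshd.socket is not visible here, so confirm before changing.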


@ -0,0 +1,126 @@
---
# Copyright Red Hat, Inc. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Author: David Moreau Simard <dms@redhat.com>
# ansible_port can change throughout this role, keep a copy around
- name: Set configured port fact
set_fact:
configured_port: "{{ ansible_port }}"
# From localhost, check if we're able to reach {{ inventory_hostname }} on
# port 22
- name: Check if we're using the default SSH port
wait_for:
port: "22"
state: "started"
host: "{{ inventory_hostname }}"
connect_timeout: "5"
timeout: "5"
delegate_to: "localhost"
ignore_errors: true
register: default_ssh
# If reachable, continue the following tasks with this port
- name: Set inventory ansible_port to default
set_fact:
ansible_port: "22"
when: default_ssh is defined and
default_ssh.state is defined and
default_ssh.state == "started"
register: ssh_port_set
# If unreachable on port 22, check if we're able to reach
# {{ inventory_hostname }} on {{ ansible_port }} provided by the inventory
# from localhost
- name: Check if we're using the inventory-provided SSH port
wait_for:
port: "{{ ansible_port }}"
state: "started"
host: "{{ inventory_hostname }}"
connect_timeout: "5"
timeout: "10"
delegate_to: "localhost"
ignore_errors: true
register: configured_ssh
when: default_ssh is defined and
default_ssh.state is undefined
# If {{ ansible_port }} is reachable, we don't need to do anything special
- name: SSH port is configured properly
debug:
msg: "SSH port is configured properly"
when: configured_ssh is defined and
configured_ssh.state is defined and
configured_ssh.state == "started"
register: ssh_port_set
# If the SSH port is neither the default or the configured, give up.
- name: Fail if SSH port was not auto-detected (unknown)
fail:
msg: "The SSH port is neither 22 or {{ ansible_port }}."
when: ssh_port_set is undefined
# Sanity check, make sure Ansible is able to connect to the host
- name: Confirm host connection works
ping:
- name: Setup alternate SSH port
become: true
lineinfile:
dest: "/etc/ssh/sshd_config"
regexp: "^#?Port"
line: "Port {{ configured_port }}"
notify: "Restart sshd"
- name: Creates sshd socket override directory
become: true
file:
path: /etc/systemd/system/sshd.socket.d
state: directory
- name: Setup alternate SSH port (systemd)
become: true
copy:
dest: "/etc/systemd/system/sshd.socket.d/override.conf"
content: |
[Socket]
ListenStream=
ListenStream={{ configured_port }}
notify: "Restart sshd"
- name: Setup selinux for alternate SSH port
ignore_errors: true
seport:
ports: "{{ configured_port }}"
proto: "tcp"
setype: "ssh_port_t"
state: "present"
# We notified "Restart sshd" if we modified the sshd config.
# By calling flush_handlers, we make sure the handler is run *right now*
- name: Ensure SSH is reloaded if need be
meta: flush_handlers
# We're done, make sure ansible_port is set properly so that any tasks
# after this use the right ansible_port.
- name: Ensure we use the configured SSH port for the remainder of the role
set_fact:
ansible_port: "{{ configured_port }}"
# Gather facts should be set to false when running this role since it will
# fail if the Ansible SSH port is not set correctly.
# We run setup to gather facts here once the SSH port is set up.
- name: Run deferred setup to gather facts
setup:
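Review bot: The `Setup alternate SSH port` lineinfile edits /etc/ssh/sshd_config with no `validate`, so a bad write is only discovered when the `Restart sshd` handler fires and the host becomes unreachable; add `validate: "/usr/sbin/sshd -t -f %s"` to that task. Separately, `Fail if SSH port was not auto-detected` keys on `ssh_port_set is undefined`, but a task that is skipped by its `when` still registers its variable (with `skipped: true`), so after `Set inventory ansible_port to default` the variable is always defined and the fail never fires — the later `ping` is what actually reports the problem, without the explanatory message. A condition such as `when: (default_ssh.state | default('')) != 'started' and (configured_ssh.state | default('')) != 'started'` tests what was meant. The `seport` task is also the only privileged task here without `become: true`, and its `ignore_errors: true` would hide a permission failure as readily as a missing SELinux toolchain.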


@ -92,7 +92,6 @@ EOF
# Apply CPU-specific optimizations if TARGET_CPU is provided
ARG TARGET_CPU=
ARG TARGET_CPU
RUN <<EOF
set -o allexport
. /etc/environment


@ -0,0 +1,49 @@
[Unit]
Description=Forgejo
Wants=network-online.target
After=network-online.target
[Container]
ContainerName=forgejo
Environment=USER_UID=1000
Environment=USER_GID=1000
Image=codeberg.org/forgejo-experimental/forgejo:11
AutoUpdate=registry
Network=web.network
# PublishPort=222:22
PublishPort=22:22
Volume=/var/opt/forgejo_data:/data
Label="traefik.enable=true"
Label="traefik.http.routers.forgejo.rule=Host(`forgejo.ellis.link`)"
Label="traefik.http.routers.forgejo.entrypoints=https"
Label="traefik.http.services.forgejo.loadbalancer.server.port=3000"
Label="traefik.http.middlewares.cross-origin-embedder.headers.customResponseHeaders.Cross-Origin-Embedder-Policy=credentialless"
Label="traefik.http.routers.forgejo.middlewares=cross-origin-embedder,default@file"
Label="homepage.group=Public"
Label="homepage.name=Forgejo"
Label="homepage.href=https://forgejo.ellis.link/"
# Label="homepage.siteMonitor=https://matrix.ellis.link/client/server.json"
Label="homepage.description=Git host"
Label=kuma.__monitor=''
StopTimeout=100
[Service]
Restart=always
RestartSec=5
TimeoutStopSec=2m
TimeoutStartSec=2m
# StartLimitInterval=1m
StartLimitBurst=5
[Install]
WantedBy=default.target
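Review bot: Unlike the image-camo and kanidm units, this container sets no `NoNewPrivileges=true`; add it under [Container] (and `ReadOnly=true` if the image tolerates it, since all state lives under the /data volume). `AutoUpdate=registry` against `codeberg.org/forgejo-experimental/forgejo:11` means the host pulls whatever the experimental channel publishes under the major tag, with no digest pin — acceptable for a personal host, but worth a comment stating that this is intended. `PublishPort=22:22` also exposes the container's SSH on the host's port 22 on every interface by default; the commented `222:22` line above it looks like the earlier plan, so a comment saying sshd now lives on 222 would make the choice self-explaining.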


@ -0,0 +1,41 @@
[Unit]
Description=Image Camo
Wants=network-online.target
After=network-online.target
[Container]
ContainerName=image-camo
NoNewPrivileges=true
Image=ghcr.io/cactus/go-camo:latest
AutoUpdate=registry
Environment="GOCAMO_HMAC=woR9L9z6GszksKzRLfWkYVGvqW0hAyqUp8ZRUM8n"
Label="traefik.enable=true"
Label="traefik.http.routers.image-camo.rule=Host(`image-camo.ellis.link`)"
Label="traefik.http.middlewares.cross-origin.headers.customResponseHeaders.Cross-Origin-Resource-Policy=cross-origin"
Label="traefik.http.routers.image-camo.middlewares=default@file,cross-origin"
Label="homepage.group=Services"
Label="homepage.name=Go Camo"
Label="homepage.siteMonitor=https://image-camo.ellis.link/healthcheck"
Label="homepage.description=Image proxy"
Label=kuma.__monitor=''
StopTimeout=100
[Service]
Restart=always
RestartSec=5
TimeoutStopSec=2m
TimeoutStartSec=2m
# StartLimitInterval=1m
StartLimitBurst=5
[Install]
WantedBy=default.target
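Review bot: The `Environment="GOCAMO_HMAC=…"` line commits the camo signing key to the repository in plaintext; anyone with read access to this repo can sign proxy URLs, and the value is in git history regardless of later edits, so it should be rotated and the new value kept out of the unit file. Quadlet supports `Secret=` (e.g. `Secret=gocamo-hmac,type=env,target=GOCAMO_HMAC` after a `podman secret create`, the secret name being an example here) or an `EnvironmentFile=` outside version control; the Ansible `synchronize` of ../containers/ into /etc/containers/systemd would then carry no secret material.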


@ -10,7 +10,7 @@ After=network-online.target
ContainerName=kanidm
NoNewPrivileges=true
Image=docker.io/kanidm/server:latest
Image=docker.io/jadedblueeyes/kanidmd:latest
ReadOnly=true
# Volume=/run/podman/podman.sock:/var/run/docker.sock:z
@ -20,7 +20,7 @@ Volume=traefik-certs.volume:/data/certs:ro
Volume=/etc/kanidm/entrypoint.sh:/entrypoint.sh:ro,z
Volume=/etc/kanidm/data/server.toml:/data/server.toml:ro,z
Exec="/entrypoint.sh"
# Exec="/entrypoint.sh"
AutoUpdate=registry
Network=web.network
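Review bot: The image line now points at `docker.io/jadedblueeyes/kanidmd:latest` (taking the second of the two Image lines as the new one), and `AutoUpdate=registry` below is unchanged, so the identity provider will auto-pull whatever is pushed to a personal Docker Hub namespace under a floating tag; pin a digest (`Image=docker.io/jadedblueeyes/kanidmd@sha256:<digest>`, placeholder) or at least add a comment giving the reason for leaving upstream `kanidm/server`. With `Exec="/entrypoint.sh"` commented out, the `/etc/kanidm/entrypoint.sh` volume mount a few lines up appears unused now and could be dropped or commented alongside it.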


@ -18,7 +18,7 @@ ldapbindaddress = "[::]:3636"
# connected client. If you are not using a load balancer
# then you should leave this value as default.
# Defaults to false
# trust_x_forward_for = false
trust_x_forward_for = true
#
# The path to the kanidm database.
db_path = "/data/kanidm.db"
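Review bot: `trust_x_forward_for = true` makes kanidm take the client address from the X-Forwarded-For header, which is only safe if every path to the server goes through the proxy that sets it; the comment above says as much, but nothing in this hunk records that kanidm is reachable only via traefik on web.network, and if the container port is ever reached directly a client can choose the address kanidm records in its logs and any per-client limits. Add a one-line comment naming the proxy this relies on, e.g. `# Set because all HTTP traffic arrives via traefik (web.network); revert if the container is ever exposed directly.`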


@ -3,9 +3,11 @@ authentication.fallback-admin.user = "admin"
directory.internal.store = "rocksdb"
directory.internal.type = "internal"
certificate.default.cert = "%{file:/data/certs/*.ellis.link/cert.pem}%"
certificate.default.cert = "%{file:/data/certs/mail.ellis.link/cert.pem}%"
certificate.default.default = true
certificate.default.private-key = "%{file:/data/certs/*.ellis.link/key.pem}%"
certificate.default.private-key = "%{file:/data/certs/mail.ellis.link/key.pem}%"
certificate.pissing.cert = "%{file:/data/certs/pissing.dev/cert.pem}%"
certificate.pissing.private-key = "%{file:/data/certs/pissing.dev/key.pem}%"
lookup.default.hostname = "mail.ellis.link"
server.http.hsts = true
server.http.permissive-cors = false