From d029e0a0dd9acd3aa8be6073d04b9a5c779bc97e Mon Sep 17 00:00:00 2001
From: Jade Ellis
Date: Fri, 24 Jan 2025 17:50:19 +0000
Subject: [PATCH] Forgejo config
---
 servers/ansible/inventory.ini | 2 +-
 servers/ansible/playbook.yaml | 30 ++++-
 .../ansible/roles/ssh-port/handlers/main.yml | 5 +
 servers/ansible/roles/ssh-port/tasks/main.yml | 126 ++++++++++++++++++
 servers/containers/conduwuit.Containerfile | 1 -
 servers/containers/forgejo.container | 49 +++++++
 servers/containers/image-camo.container | 41 ++++++
 servers/containers/kanidm.container | 4 +-
 servers/kanidm/data/server.toml | 2 +-
 servers/stalwart/config.toml | 6 +-
 10 files changed, 253 insertions(+), 13 deletions(-)
 create mode 100644 servers/ansible/roles/ssh-port/handlers/main.yml
 create mode 100644 servers/ansible/roles/ssh-port/tasks/main.yml
 create mode 100644 servers/containers/forgejo.container
 create mode 100644 servers/containers/image-camo.container
diff --git a/servers/ansible/inventory.ini b/servers/ansible/inventory.ini
index 779931e3..92a9b149 100644
--- a/servers/ansible/inventory.ini
+++ b/servers/ansible/inventory.ini
@@ -1,2 +1,2 @@
 [personal]
-ns3763049.ip-213-32-25.eu ansible_connection=ssh ansible_user=ansible
\ No newline at end of file
+ns3763049.ip-213-32-25.eu ansible_connection=ssh ansible_user=ansible ansible_port=222
\ No newline at end of file
diff --git a/servers/ansible/playbook.yaml b/servers/ansible/playbook.yaml
index d7283fa5..4651c686 100644
--- a/servers/ansible/playbook.yaml
+++ b/servers/ansible/playbook.yaml
@@ -1,12 +1,13 @@
-- name: My first play
+- name: Set up servers
 hosts: personal
+ gather_facts: false
 tasks:
- - name: Ping my hosts
- ansible.builtin.ping:
+ # - name: Change SSH port
+ # ansible.builtin.include_role:
+ # name: ssh-port
+ - name: Run deferred setup to gather facts
+ setup:
- - name: Print message
- ansible.builtin.debug:
- msg: Hello world
 # - name: Copy conduwuit backup
 # ansible.posix.synchronize:
 # src: ./conduwuit-testing
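Review bot: The new `gather_facts: false` and the bare `- name: Run deferred setup to gather facts` / `setup:` pair only make sense with the ssh-port role active, yet the `ansible.builtin.include_role` for `ssh-port` is left commented out in this same hunk, so the play gains nothing from deferring facts and the role's port auto-detection never runs. Combined with `ansible_port=222` now fixed in the inventory hunk above, a host that still listens on 22 would fail at the first connection instead of being migrated; if the port was already changed out-of-band, a one-line comment saying so next to the commented include would spare the next reader that guess. The new task also uses the short module name `setup:` while the rest of the file uses `ansible.builtin.*` FQCNs; `ansible.builtin.setup:` keeps the style consistent.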
@@ -17,6 +18,7 @@
 enabled: true
 state: started
 - name: Copy containers
+ become: true
 ansible.posix.synchronize:
 src: ../containers/
 dest: /etc/containers/systemd
@@ -24,19 +26,23 @@
 - name: Reload systemd generators
 ansible.builtin.command: sudo systemctl daemon-reload
 - name: Install logrotate
+ become: true
 ansible.builtin.package:
 name: logrotate
 state: present
 - name: Copy logrotate config
+ become: true
 ansible.posix.synchronize:
 src: ../logrotate.d/
 dest: /etc/logrotate.d
 - name: find files with possible suspect line endings or perms
+ become: true
 ansible.builtin.find:
 paths: /etc/logrotate.d
 patterns: '*'
 register: output
 - name: fix suspect line endings
+ become: true
 replace: path={{item.path}} regexp="\r"
 with_items: "{{ output.files }}"
 - name: fix logrotate permissions
@@ -56,6 +62,7 @@
 path: /var/log/traefik
 state: directory
 - name: Copy kanidm config
+ become: true
 ansible.posix.synchronize:
 src: ../kanidm/
 dest: /etc/kanidm
@@ -67,18 +74,25 @@
 file:
 path: /var/opt/kanidm_data
 state: directory
+ - name: Creates forgejo data directory
+ file:
+ path: /var/opt/forgejo_data
+ state: directory
 # - name: Generate Element Web config
 # # run on localhost
 # local_action: ansible.builtin.command cd ../element-web && node config.js
 - name: Copy Element Web config
+ become: true
 ansible.posix.synchronize:
 src: ../element-web/public/
 dest: /etc/element-web
 - name: Copy homepage config
+ become: true
 ansible.posix.synchronize:
 src: ../homepage/
 dest: /etc/homepage
 - name: Copy sentry relay config
+ become: true
 ansible.posix.synchronize:
 src: ../sentry-relay/
 dest: /etc/sentry-relay
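Review bot: The new `Creates forgejo data directory` task in the `@@ -67,18 +74,25 @@` hunk has no `become: true`, unlike every other task this commit touches, and sets no `owner`, `group` or `mode`, so `/var/opt/forgejo_data` would be created as the connecting user with that user's umask defaults, if it can be created under `/var/opt` at all. Since this directory is presumably the bind mount for the forgejo container added elsewhere in this commit, pin its ownership and permissions explicitly: add `become: true`, `owner: <uid the forgejo container runs as>` and `mode: "0750"` to the `file:` task, with the uid taken from the container unit rather than guessed. The short `file:` module name next to the `ansible.posix.synchronize` FQCN used throughout the file is a minor style inconsistency; `ansible.builtin.file:` matches.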
@@ -87,16 +101,19 @@
 path: /var/opt/stalwart-mail
 state: directory
 - name: Copy stalwart config
+ become: true
 ansible.posix.synchronize:
 src: ../stalwart/
 dest: /etc/stalwart
 - name: Copy coturn config
+ become: true
 ansible.posix.synchronize:
 src: ../coturn/
 dest: /etc/coturn
 # Pull mautrix config:
 # rsync --rsync-path="sudo rsync" -r -t -z -P --include "*/" --include="*.yaml" --exclude="*" ansible@213.32.25.24:/var/opt/mautrix/ ./mautrix
 - name: Copy mautrix config
+ become: true
 ansible.posix.synchronize:
 src: ../mautrix/
 dest: /var/opt/mautrix
@@ -123,6 +140,7 @@
 path: /var/opt/freshrss-extensions
 state: directory
 - name: Copy freshrss config
+ become: true
 ansible.posix.synchronize:
 src: ../freshrss/
 dest: /etc/freshrss
diff --git a/servers/ansible/roles/ssh-port/handlers/main.yml b/servers/ansible/roles/ssh-port/handlers/main.yml
new file mode 100644
index 00000000..b92b1ce5
--- /dev/null
+++ b/servers/ansible/roles/ssh-port/handlers/main.yml
@@ -0,0 +1,5 @@
+ - name: Restart sshd
+ become: true
+ service:
+ name: sshd
+ state: restarted
\ No newline at end of file
diff --git a/servers/ansible/roles/ssh-port/tasks/main.yml b/servers/ansible/roles/ssh-port/tasks/main.yml
new file mode 100644
index 00000000..1ba34fc7
--- /dev/null
+++ b/servers/ansible/roles/ssh-port/tasks/main.yml
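Review bot: The `Restart sshd` handler in `handlers/main.yml` uses the `service` module with `name: sshd`, which performs no systemd daemon-reload and does not touch `sshd.socket`, yet the `tasks/main.yml` hunk that follows writes a drop-in to `/etc/systemd/system/sshd.socket.d/override.conf` and relies solely on this handler (via `flush_handlers`) to apply it. Without a daemon-reload the new drop-in is not read, and on a socket-activated host restarting only the service leaves the socket bound to the old port, after which the role's final `set_fact` switch to `configured_port` can lock the play out of the host. Switch the handler to `ansible.builtin.systemd:` with `daemon_reload: true`, and if sshd really is socket-activated on this host (the drop-in implies it, but the diff cannot confirm it) restart the socket unit as well rather than `sshd` alone. The new file also lacks a `---` document start and ends without a trailing newline.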
@@ -0,0 +1,126 @@
+---
+# Copyright Red Hat, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Author: David Moreau Simard
+
+# ansible_port can change throughout this role, keep a copy around
+- name: Set configured port fact
+ set_fact:
+ configured_port: "{{ ansible_port }}"
+
+# From localhost, check if we're able to reach {{ inventory_hostname }} on
+# port 22
+- name: Check if we're using the default SSH port
+ wait_for:
+ port: "22"
+ state: "started"
+ host: "{{ inventory_hostname }}"
+ connect_timeout: "5"
+ timeout: "5"
+ delegate_to: "localhost"
+ ignore_errors: true
+ register: default_ssh
+
+# If reachable, continue the following tasks with this port
+- name: Set inventory ansible_port to default
+ set_fact:
+ ansible_port: "22"
+ when: default_ssh is defined and
+ default_ssh.state is defined and
+ default_ssh.state == "started"
+ register: ssh_port_set
+
+# If unreachable on port 22, check if we're able to reach
+# {{ inventory_hostname }} on {{ ansible_port }} provided by the inventory
+# from localhost
+- name: Check if we're using the inventory-provided SSH port
+ wait_for:
+ port: "{{ ansible_port }}"
+ state: "started"
+ host: "{{ inventory_hostname }}"
+ connect_timeout: "5"
+ timeout: "10"
+ delegate_to: "localhost"
+ ignore_errors: true
+ register: configured_ssh
+ when: default_ssh is defined and
+ default_ssh.state is undefined
+
+# If {{ ansible_port }} is reachable, we don't need to do anything special
+- name:
SSH port is configured properly
+ debug:
+ msg: "SSH port is configured properly"
+ when: configured_ssh is defined and
+ configured_ssh.state is defined and
+ configured_ssh.state == "started"
+ register: ssh_port_set
+
+# If the SSH port is neither the default or the configured, give up.
+- name: Fail if SSH port was not auto-detected (unknown)
+ fail:
+ msg: "The SSH port is neither 22 or {{ ansible_port }}."
+ when: ssh_port_set is undefined
+
+# Sanity check, make sure Ansible is able to connect to the host
+- name: Confirm host connection works
+ ping:
+
+- name: Setup alternate SSH port
+ become: true
+ lineinfile:
+ dest: "/etc/ssh/sshd_config"
+ regexp: "^#?Port"
+ line: "Port {{ configured_port }}"
+ notify: "Restart sshd"
+- name: Creates sshd socket override directory
+ become: true
+ file:
+ path: /etc/systemd/system/sshd.socket.d
+ state: directory
+- name: Setup alternate SSH port (systemd)
+ become: true
+ copy:
+ dest: "/etc/systemd/system/sshd.socket.d/override.conf"
+ content: |
+ [Socket]
+ ListenStream=
+ ListenStream={{ configured_port }}
+ notify: "Restart sshd"
+
+- name: Setup selinux for alternate SSH port
+ ignore_errors: true
+ seport:
+ ports: "{{ configured_port }}"
+ proto: "tcp"
+ setype: "ssh_port_t"
+ state: "present"
+
+
+# We notified "Restart sshd" if we modified the sshd config.
+# By calling flush_handlers, we make sure the handler is run *right now*
+- name: Ensure SSH is reloaded if need be
+ meta: flush_handlers
+
+# We're done, make sure ansible_port is set properly so that any tasks
+# after this use the right ansible_port.
+- name: Ensure we use the configured SSH port for the remainder of the role
+ set_fact:
+ ansible_port: "{{ configured_port }}"
+
+# Gather facts should be set to false when running this role since it will
+# fail if the Ansible SSH port is not set correctly.
+# We run setup to gather facts here once the SSH port is set up.
+- name: Run deferred setup to gather facts
+ setup:
\ No newline at end of file
diff --git a/servers/containers/conduwuit.Containerfile b/servers/containers/conduwuit.Containerfile
index 8dfbe776..c985f47d 100644
--- a/servers/containers/conduwuit.Containerfile
+++ b/servers/containers/conduwuit.Containerfile
@@ -92,7 +92,6 @@ EOF # Apply CPU-specific optimizations if TARGET_CPU is provided ARG TARGET_CPU= -ARG TARGET_CPU RUN <
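Review bot: `ignore_errors: true` on the `Setup selinux for alternate SSH port` task hides a failed `seport` call, so on an SELinux-enforcing host `flush_handlers` would restart sshd without `{{ configured_port }}` labelled `ssh_port_t`, the daemon would fail to bind the new port, and the operator is locked out while the task reports success. Guard the task on the host's SELinux state instead of swallowing errors: gather the `selinux` subset with `ansible.builtin.setup` (`gather_subset`) before it and use `when: ansible_selinux.status == 'enabled'`; the `ignore_errors` presumably exists because the module's Python bindings are absent on non-SELinux hosts, which that guard also covers. Nothing in the role opens `{{ configured_port }}` in a host firewall before the restart, so on a host with firewalld or ufw active the same lockout applies and a firewall task, or at least a comment stating that the port must already be open, belongs before `Setup alternate SSH port`. The `lineinfile` with `regexp: "^#?Port"` edits only `/etc/ssh/sshd_config`; on distributions whose main file begins with `Include /etc/ssh/sshd_config.d/*.conf` a `Port` set in a drop-in takes precedence (first value wins in sshd_config), which this diff cannot rule out, so writing the port to a drop-in there would be more robust.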