aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--.gitignore1
-rw-r--r--credentials.ini.example3
-rw-r--r--inventory.yml3
-rw-r--r--iptables.rules1
m---------library/inwx-collection0
-rw-r--r--nginx.conf38
-rw-r--r--playbook.yml36
-rw-r--r--setup_webserver.yml1
8 files changed, 81 insertions, 2 deletions
diff --git a/.gitignore b/.gitignore
index e681fba..136f960 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
*_secret.txt
*_apikey.txt
playbook.retry
+credentials.ini
diff --git a/credentials.ini.example b/credentials.ini.example
new file mode 100644
index 0000000..9b87321
--- /dev/null
+++ b/credentials.ini.example
@@ -0,0 +1,3 @@
+[inwx]
+user=...
+pass=...
diff --git a/inventory.yml b/inventory.yml
index ea577e3..913ea5f 100644
--- a/inventory.yml
+++ b/inventory.yml
@@ -6,3 +6,6 @@ all:
ansible_ssh_identity_file: ~/.ssh/id_ed25519
ansible_user: root
ansible_python_interpreter: /usr/bin/python3
+ localhost:
+ ansible_connection: local
+ ansible_python_interpreter: "{{ansible_playbook_python}}"
diff --git a/iptables.rules b/iptables.rules
index db68eb5..620c4d3 100644
--- a/iptables.rules
+++ b/iptables.rules
@@ -20,6 +20,7 @@ COMMIT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
+-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
diff --git a/library/inwx-collection b/library/inwx-collection
new file mode 160000
+Subproject 0ac040da14cc9d834098addc03cd8d4d26647df
diff --git a/nginx.conf b/nginx.conf
index b4245fa..744bd01 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -370,5 +370,43 @@ http {
root /usr/share/nginx/html;
}
}
+
+ server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name dyndns.jaseg.de;
+ root /usr/share/nginx/html;
+
+ ssl_certificate "/etc/letsencrypt/live/dyndns.jaseg.de/fullchain.pem";
+ ssl_certificate_key "/etc/letsencrypt/live/dyndns.jaseg.de/privkey.pem";
+ ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ resolver 67.207.67.2 67.207.67.3 valid=300s;
+ resolver_timeout 10s;
+
+ add_header Strict-Transport-Security "max-age=86400";
+
+ # Load configuration files for the default server block.
+ include /etc/nginx/default.d/*.conf;
+
+ location / {
+ include uwsgi_params;
+ uwsgi_pass unix:/run/uwsgi/dyndns.socket;
+ }
+
+ error_page 404 /404.html;
+ location = /40x.html {
+ root /usr/share/nginx/html;
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+ }
}
diff --git a/playbook.yml b/playbook.yml
index 777d079..6b1f46f 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -1,4 +1,34 @@
-- name: Gerbolyze container setup playbook
+- name: DNS setup
+ hosts: localhost
+ module_defaults:
+ inwx:
+ username: "{{lookup('ini', 'user section=inwx file=credentials.ini')}}"
+ password: "{{lookup('ini', 'pass section=inwx file=credentials.ini')}}"
+ vars:
+ subdomains:
+ - git.jaseg.net
+ - blog.jaseg.net
+ - kochbuch.jaseg.net
+ - gerbolyze.jaseg.net
+ - tracespace.jaseg.net
+ - openjscad.jaseg.net
+ - pogojig.jaseg.net
+ - automation.jaseg.de
+ - dyndns.jaseg.de
+ fastmail_domains:
+ - jaseg.net
+ - jaseg.de
+ tasks:
+ - name: Gather wendelstein facts
+ setup:
+ delegate_to: wendelstein
+ delegate_facts: True
+
+ - name: Setup DNS
+ include_tasks: dns.yml
+
+
+- name: Wendelstein setup
hosts: wendelstein
tasks:
- name: Set hostname
@@ -12,7 +42,7 @@
- name: Install host requisites
dnf:
- name: nginx,uwsgi,python3-flask,python3-flask-wtf,uwsgi-plugin-python3,certbot,python3-certbot-nginx,libselinux-python,git,iptables-services,python3-pycryptodomex,zip,python3-uwsgidecorators
+ name: nginx,uwsgi,python3-flask,python3-flask-wtf,uwsgi-plugin-python3,certbot,python3-certbot-nginx,libselinux-python,git,iptables-services,python3-pycryptodomex,zip,python3-uwsgidecorators,nsd
state: latest
- name: Disable password-based root login
@@ -77,3 +107,5 @@
- name: Setup semi-public git server
include_tasks: setup_git.yml
+ - name: Setup private DynDNS service
+ include_tasks: setup_dyndns.yml
diff --git a/setup_webserver.yml b/setup_webserver.yml
index 748bef8..eb34a5b 100644
--- a/setup_webserver.yml
+++ b/setup_webserver.yml
@@ -58,6 +58,7 @@
- openjscad.jaseg.net
- pogojig.jaseg.net
- automation.jaseg.de
+ - dyndns.jaseg.de
- name: Copy final nginx config
copy: