reconfigure neko

host_vars/neko.yaml

@@ -6,35 +6,23 @@ firewall:
     interface: "eth0"
   - port: "http"
     proto: tcp
-    interface: "eth1"
+    interface: "eth0"
   - port: "https"
     proto: tcp
-    interface: "eth1"
+    interface: "eth0"
-  - port: "59000:59049"
+  - port: "59000:59009"
     proto: udp
-    interface: "eth1"
+    interface: "eth0"
   - port: "3478"
     proto: tcp
-    interface: "eth1"
+    interface: "eth0"
   - port: "3478"
     proto: any
-    interface: "eth1"
+    interface: "eth0"
   - port: "5349"
     proto: any
-    interface: "eth1"
+    interface: "eth0"
   - port: "9101"
     proto: tcp
     interface: "eth0"
-netplan:
-  default_gateway: ""
-  additionalinterfaces:
-    - name: "eth1"
-      dhcp4: false
-      dhcp6: false
-      denydns: true
-      addresses:
-        - '152.66.211.42/24'
-        - '2001:738:2001:207f:0:211:42:0/64'
-      gateway4: '152.66.211.254'
-      gateway6: 'fe80::'
 ...

infra.yaml

@@ -40,7 +40,6 @@
   roles:
     - common
     - docker
-    - neko
     - customfirewall
     - internalsmtp
 

inventory.yaml

@@ -16,7 +16,6 @@ all:
         monitoring:
         ytmirror:
         mastodon:
-        projectzomboid:
     mckay:
       hosts:
         guacamole:
@@ -25,7 +24,6 @@ all:
         backup:
         librespeed:
         plex:
-        vikunja:
     dockerwebhosts:
       hosts:
         matrix:
@@ -39,7 +37,6 @@ all:
         mastodon:
         librespeed:
         plex:
-        vikunja:
     nightlydocker:
       hosts:
         matrix:
@@ -52,8 +49,6 @@ all:
         mastodon:
         librespeed:
         plex:
-        vikunja:
     gameservers:
       hosts:
-        projectzomboid:
 ...

roles/neko/defaults/main.yaml

@@ -1,4 +0,0 @@
----
-datadog:
-  apikey: ""
-...

roles/neko/files/certbot

@@ -1,5 +0,0 @@
-#! /bin/bash
-systemctl stop haproxy
-certbot renew --standalone --cert-name neko.tormakristof.eu
-certbot renew --standalone --cert-name turn.tormakristof.eu
-systemctl start haproxy

roles/neko/files/datadog.list

@@ -1 +0,0 @@
-deb [signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg] https://apt.datadoghq.com/ stable 7

roles/neko/files/haproxy.cfg

@@ -1,55 +0,0 @@
-global
-        log /dev/log    local0
-        log /dev/log    local1 notice
-        chroot /var/lib/haproxy
-        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
-        stats timeout 30s
-        user haproxy
-        group haproxy
-        daemon
-
-        # Default SSL material locations
-        ca-base /etc/ssl/certs
-        crt-base /etc/ssl/private
-
-        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
-        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
-        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
-
-defaults
-        log     global
-        mode    http
-        option  httplog
-        option  dontlognull
-        timeout connect 5000
-        timeout client  50000
-        timeout server  50000
-        errorfile 400 /etc/haproxy/errors/400.http
-        errorfile 403 /etc/haproxy/errors/403.http
-        errorfile 408 /etc/haproxy/errors/408.http
-        errorfile 500 /etc/haproxy/errors/500.http
-        errorfile 502 /etc/haproxy/errors/502.http
-        errorfile 503 /etc/haproxy/errors/503.http
-        errorfile 504 /etc/haproxy/errors/504.http
-
-frontend http-in
-   bind *:80
-   mode http
-   redirect scheme https code 301
-
-frontend https-front
-   bind :443
-   mode tcp
-   use_backend https-back
-
-backend https-back
-   mode tcp
-   balance roundrobin
-   server docker 127.0.0.1:8080 check
-
-listen stats # Define a listen section called "stats"
-        bind 127.0.0.1:9000 # Listen on localhost:9000
-        mode http
-        stats enable  # Enable stats page
-        stats uri /haproxy_stats  # Stats URI

roles/neko/tasks/main.yaml

@@ -1,73 +0,0 @@
----
-- name: "Install haproxy via apt"
-  ansible.builtin.apt:
-    update_cache: yes
-    state: present
-    name:
-     - haproxy
-
-- name: Copy haproxy configuration
-  ansible.builtin.copy:
-    src: haproxy.cfg
-    dest: /etc/haproxy/haproxy.cfg
-    mode: 0644
-    owner: root
-    group: root
-
-- name: Enable and stop haproxy
-  ansible.builtin.service:
-    name: haproxy
-    state: stopped
-    enabled: yes
-
-- name: "Install certbot via apt"
-  ansible.builtin.apt:
-    update_cache: yes
-    state: present
-    name:
-     - python3-certbot
-
-- name: Generate certificate for Neko domain
-  ansible.builtin.command:
-    cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --standalone -d neko.tormakristof.eu
-
-- name: Generate certificate for TURN domain
-  ansible.builtin.command:
-    cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --standalone -d turn.tormakristof.eu
-
-- name: Enable and start haproxy
-  ansible.builtin.service:
-    name: haproxy
-    state: started
-    enabled: yes
-
-- name: Copy certbot cronjob
-  ansible.builtin.copy:
-    src: certbot
-    dest: /etc/cron.weekly/certbot
-    mode: 0755
-    owner: root
-    group: root
-
-- name: Reset ufw rules to default
-  community.general.ufw:
-    state: reset
-
-- name: Enable ufw
-  community.general.ufw:
-    state: enabled
-
-- name: "Install haproxy exporter"
-  ansible.builtin.apt:
-    update_cache: yes
-    state: present
-    name:
-     - prometheus-haproxy-exporter
-
-- name: Allow node-exporter via ufw
-  community.general.ufw:
-    rule: allow
-    port: 9100
-    proto: tcp
-    src: 192.168.69.0/24
-...