This commit is contained in:
parent
6193aa097a
commit
dce0aefec1
@ -6,35 +6,23 @@ firewall:
|
||||
interface: "eth0"
|
||||
- port: "http"
|
||||
proto: tcp
|
||||
interface: "eth1"
|
||||
interface: "eth0"
|
||||
- port: "https"
|
||||
proto: tcp
|
||||
interface: "eth1"
|
||||
- port: "59000:59049"
|
||||
interface: "eth0"
|
||||
- port: "59000:59009"
|
||||
proto: udp
|
||||
interface: "eth1"
|
||||
interface: "eth0"
|
||||
- port: "3478"
|
||||
proto: tcp
|
||||
interface: "eth1"
|
||||
interface: "eth0"
|
||||
- port: "3478"
|
||||
proto: any
|
||||
interface: "eth1"
|
||||
interface: "eth0"
|
||||
- port: "5349"
|
||||
proto: any
|
||||
interface: "eth1"
|
||||
interface: "eth0"
|
||||
- port: "9101"
|
||||
proto: tcp
|
||||
interface: "eth0"
|
||||
netplan:
|
||||
default_gateway: ""
|
||||
additionalinterfaces:
|
||||
- name: "eth1"
|
||||
dhcp4: false
|
||||
dhcp6: false
|
||||
denydns: true
|
||||
addresses:
|
||||
- '152.66.211.42/24'
|
||||
- '2001:738:2001:207f:0:211:42:0/64'
|
||||
gateway4: '152.66.211.254'
|
||||
gateway6: 'fe80::'
|
||||
...
|
||||
|
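Review bot: Port `"3478"` appears twice in the rule list, once with `proto: tcp` and once with `proto: any`; the rendered page lost the +/- markers, so if both entries survive on the new side the tcp rule is already covered by `any` and should be dropped to keep the allow-list minimal. A short comment on each entry naming the service it fronts (e.g. `# TURN relay` above `- port: "3478"`) would make later pruning safer, since this same commit deletes the haproxy/certbot role that served the neko and turn hostnames. The netplan `additionalinterfaces` stanza still declares eth1 with a public address and gateway; if that interface is being retired, the remaining `interface: "eth1"` rule lines should go with it rather than stay as dangling rules. The `firewall:` mapping begins before this hunk.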
@ -40,7 +40,6 @@
|
||||
roles:
|
||||
- common
|
||||
- docker
|
||||
- neko
|
||||
- customfirewall
|
||||
- internalsmtp
|
||||
|
||||
|
@ -16,7 +16,6 @@ all:
|
||||
monitoring:
|
||||
ytmirror:
|
||||
mastodon:
|
||||
projectzomboid:
|
||||
mckay:
|
||||
hosts:
|
||||
guacamole:
|
||||
@ -25,7 +24,6 @@ all:
|
||||
backup:
|
||||
librespeed:
|
||||
plex:
|
||||
vikunja:
|
||||
dockerwebhosts:
|
||||
hosts:
|
||||
matrix:
|
||||
@ -39,7 +37,6 @@ all:
|
||||
mastodon:
|
||||
librespeed:
|
||||
plex:
|
||||
vikunja:
|
||||
nightlydocker:
|
||||
hosts:
|
||||
matrix:
|
||||
@ -52,8 +49,6 @@ all:
|
||||
mastodon:
|
||||
librespeed:
|
||||
plex:
|
||||
vikunja:
|
||||
gameservers:
|
||||
hosts:
|
||||
projectzomboid:
|
||||
...
|
||||
|
@ -1,4 +0,0 @@
|
||||
---
|
||||
datadog:
|
||||
apikey: ""
|
||||
...
|
@ -1,5 +0,0 @@
|
||||
#! /bin/bash
|
||||
systemctl stop haproxy
|
||||
certbot renew --standalone --cert-name neko.tormakristof.eu
|
||||
certbot renew --standalone --cert-name turn.tormakristof.eu
|
||||
systemctl start haproxy
|
@ -1 +0,0 @@
|
||||
deb [signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg] https://apt.datadoghq.com/ stable 7
|
@ -1,55 +0,0 @@
|
||||
global
|
||||
log /dev/log local0
|
||||
log /dev/log local1 notice
|
||||
chroot /var/lib/haproxy
|
||||
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
|
||||
stats timeout 30s
|
||||
user haproxy
|
||||
group haproxy
|
||||
daemon
|
||||
|
||||
# Default SSL material locations
|
||||
ca-base /etc/ssl/certs
|
||||
crt-base /etc/ssl/private
|
||||
|
||||
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
|
||||
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
||||
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
|
||||
|
||||
defaults
|
||||
log global
|
||||
mode http
|
||||
option httplog
|
||||
option dontlognull
|
||||
timeout connect 5000
|
||||
timeout client 50000
|
||||
timeout server 50000
|
||||
errorfile 400 /etc/haproxy/errors/400.http
|
||||
errorfile 403 /etc/haproxy/errors/403.http
|
||||
errorfile 408 /etc/haproxy/errors/408.http
|
||||
errorfile 500 /etc/haproxy/errors/500.http
|
||||
errorfile 502 /etc/haproxy/errors/502.http
|
||||
errorfile 503 /etc/haproxy/errors/503.http
|
||||
errorfile 504 /etc/haproxy/errors/504.http
|
||||
|
||||
frontend http-in
|
||||
bind *:80
|
||||
mode http
|
||||
redirect scheme https code 301
|
||||
|
||||
frontend https-front
|
||||
bind :443
|
||||
mode tcp
|
||||
use_backend https-back
|
||||
|
||||
backend https-back
|
||||
mode tcp
|
||||
balance roundrobin
|
||||
server docker 127.0.0.1:8080 check
|
||||
|
||||
listen stats # Define a listen section called "stats"
|
||||
bind 127.0.0.1:9000 # Listen on localhost:9000
|
||||
mode http
|
||||
stats enable # Enable stats page
|
||||
stats uri /haproxy_stats # Stats URI
|
@ -1,73 +0,0 @@
|
||||
---
|
||||
- name: "Install haproxy via apt"
|
||||
ansible.builtin.apt:
|
||||
update_cache: yes
|
||||
state: present
|
||||
name:
|
||||
- haproxy
|
||||
|
||||
- name: Copy haproxy configuration
|
||||
ansible.builtin.copy:
|
||||
src: haproxy.cfg
|
||||
dest: /etc/haproxy/haproxy.cfg
|
||||
mode: 0644
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Enable and stop haproxy
|
||||
ansible.builtin.service:
|
||||
name: haproxy
|
||||
state: stopped
|
||||
enabled: yes
|
||||
|
||||
- name: "Install certbot via apt"
|
||||
ansible.builtin.apt:
|
||||
update_cache: yes
|
||||
state: present
|
||||
name:
|
||||
- python3-certbot
|
||||
|
||||
- name: Generate certificate for Neko domain
|
||||
ansible.builtin.command:
|
||||
cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --standalone -d neko.tormakristof.eu
|
||||
|
||||
- name: Generate certificate for TURN domain
|
||||
ansible.builtin.command:
|
||||
cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --standalone -d turn.tormakristof.eu
|
||||
|
||||
- name: Enable and start haproxy
|
||||
ansible.builtin.service:
|
||||
name: haproxy
|
||||
state: started
|
||||
enabled: yes
|
||||
|
||||
- name: Copy certbot cronjob
|
||||
ansible.builtin.copy:
|
||||
src: certbot
|
||||
dest: /etc/cron.weekly/certbot
|
||||
mode: 0755
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Reset ufw rules to default
|
||||
community.general.ufw:
|
||||
state: reset
|
||||
|
||||
- name: Enable ufw
|
||||
community.general.ufw:
|
||||
state: enabled
|
||||
|
||||
- name: "Install haproxy exporter"
|
||||
ansible.builtin.apt:
|
||||
update_cache: yes
|
||||
state: present
|
||||
name:
|
||||
- prometheus-haproxy-exporter
|
||||
|
||||
- name: Allow node-exporter via ufw
|
||||
community.general.ufw:
|
||||
rule: allow
|
||||
port: 9100
|
||||
proto: tcp
|
||||
src: 192.168.69.0/24
|
||||
...
|