| author | Elizabeth Hunt <me@liz.coffee> | 2025-04-29 18:12:29 -0700 |
|---|---|---|
| committer | Elizabeth Hunt <me@liz.coffee> | 2025-04-29 18:12:29 -0700 |
| commit | 3ddb82656d6d0c34f47962db25d37adf6ebb15e1 (patch) | |
| tree | 154c314d9a01a4a2aff8d41fae182ef7391583b1 /playbooks | |
| parent | c7c2393bc06c0e49612e9d05e55c30028c02cd4a (diff) | |
| download | infra-3ddb82656d6d0c34f47962db25d37adf6ebb15e1.tar.gz infra-3ddb82656d6d0c34f47962db25d37adf6ebb15e1.zip | |
password manager
Diffstat (limited to 'playbooks')
8 files changed, 84 insertions, 8 deletions
diff --git a/playbooks/passwd.yml b/playbooks/passwd.yml
new file mode 100644
index 0000000..b8c9031
--- /dev/null
+++ b/playbooks/passwd.yml
@@ -0,0 +1,7 @@
+---
+
+- name: passwd setup
+ hosts: passwd
+ become: true
+ roles:
+ - passwd
diff --git a/playbooks/roles/bin/templates/stacks/docker-compose.yml b/playbooks/roles/bin/templates/stacks/docker-compose.yml
index f218b74..2580fd6 100644
--- a/playbooks/roles/bin/templates/stacks/docker-compose.yml
+++ b/playbooks/roles/bin/templates/stacks/docker-compose.yml
@@ -15,7 +15,7 @@ services:
 timeout: 3s
 interval: 1m
 retries: 2
- start_timeout: 10s
+ start_period: 10s
 networks:
 - proxy
 deploy:
diff --git a/playbooks/roles/mail/templates/stacks/docker-compose.yml b/playbooks/roles/mail/templates/stacks/docker-compose.yml
index b4cc3e0..b1c3982 100644
--- a/playbooks/roles/mail/templates/stacks/docker-compose.yml
+++ b/playbooks/roles/mail/templates/stacks/docker-compose.yml
@@ -1,6 +1,6 @@
 services:
 roundcube:
- image: roundcube/roundcubemail:latest-nonroot
+ image: roundcube/roundcubemail:latest
 restart: always
 volumes:
 - {{ mail_base }}/volumes/data/roundcube/db:/var/roundcube/db
@@ -19,7 +19,7 @@ services:
 - proxy
 - roundcube
 healthcheck:
- test: ["CMD", "curl", "--fail", "http://localhost:8000"]
+ test: ["CMD", "curl", "--fail", "http://localhost:80"]
 timeout: 3s
 interval: 30s
 retries: 2
@@ -33,7 +33,7 @@ services:
 - traefik.http.routers.mail.tls.certResolver=letsencrypt
 - traefik.http.routers.mail.rule=Host(`{{ mail_domain }}`)
 - traefik.http.routers.mail.entrypoints=websecure
- - traefik.http.services.mail.loadbalancer.server.port=8000
+ - traefik.http.services.mail.loadbalancer.server.port=80

 mailserver:
 image: ghcr.io/docker-mailserver/docker-mailserver:latest
@@ -94,6 +94,7 @@ services:
 - ENABLE_SASLAUTHD=1
 - ENABLE_MANAGESIEVE=1
 - ENABLE_POSTGREY=1
+ - ENABLE_FAIL2BAN=1
 - SPOOF_PROTECTION=1
 - ACCOUNT_PROVISIONER=LDAP
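Review bot: `ENABLE_FAIL2BAN=1` in the last mail hunk needs the mailserver container to hold the `NET_ADMIN` capability (docker-mailserver's fail2ban writes netfilter rules), and nothing in this hunk grants it; if the service definition outside the hunk has no `cap_add: [NET_ADMIN]`, fail2ban is likely to start but fail to apply bans. The first hunk also moves roundcube from the `latest-nonroot` tag to `latest`, i.e. from an unprivileged to a root-running container, which is presumably why the later hunks switch from port 8000 to 80; if the nonroot variant was dropped only for the port change, recording the reason with `# latest (root) instead of latest-nonroot: <reason>` would stop a later reviewer from reverting it. Both images float on `latest`, so a version tag or digest would make the stack reproducible.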
diff --git a/playbooks/roles/outbound/templates/headscale/config/acl.json b/playbooks/roles/outbound/templates/headscale/config/acl.json
index fe1197a..449207d 100644
--- a/playbooks/roles/outbound/templates/headscale/config/acl.json
+++ b/playbooks/roles/outbound/templates/headscale/config/acl.json
@@ -1,12 +1,17 @@
 {
 "groups": {
- "group:admin": ["liz"]
+ "group:internal": ["liz{{ oauth_user_suffix }}", "lucina{{ oauth_user_suffix }}", "riley{{ oauth_user_suffix }}"],
 },
 "acls": [
 {
 "action": "accept",
 "src": ["{{ auth_key_user }}"],
 "dst": ["{{ auth_key_user }}:*", "10.0.0.0/8:*"]
+ },
+ {
+ "action": "accept",
+ "src": ["group:internal"],
+ "dst": ["10.0.0.0/8:*"]
 }
 ]
 }
diff --git a/playbooks/roles/outbound/templates/headscale/config/config.yaml b/playbooks/roles/outbound/templates/headscale/config/config.yaml
index 2586848..d3bff5a 100644
--- a/playbooks/roles/outbound/templates/headscale/config/config.yaml
+++ b/playbooks/roles/outbound/templates/headscale/config/config.yaml
@@ -125,9 +125,8 @@ dns:
 - {{ headscale_dns_for_connected_clients_1 }}
 - {{ headscale_dns_for_connected_clients_2 }}
 split:
- {}
- # foo.bar.com:
- # - 1.1.1.1
+ {{ domain }}:
+ - {{ loadbalancer_ip }}
 search_domains: []

 unix_socket: /var/run/headscale/headscale.sock
diff --git a/playbooks/roles/passwd/tasks/main.yml b/playbooks/roles/passwd/tasks/main.yml
new file mode 100644
index 0000000..005aee0
--- /dev/null
+++ b/playbooks/roles/passwd/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Deploy passwd
+ ansible.builtin.import_tasks: manage-docker-swarm-service.yml
+ vars:
+ service_name: passwd
+ template_render_dir: "../templates"
+ service_destination_dir: "{{ passwd_base }}"
diff --git a/playbooks/roles/passwd/templates/stacks/docker-compose.yml b/playbooks/roles/passwd/templates/stacks/docker-compose.yml
new file mode 100644
index 0000000..7f2c373
--- /dev/null
+++ b/playbooks/roles/passwd/templates/stacks/docker-compose.yml
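Review bot: The new `group:internal` line leaves a trailing comma before the `}` that closes `groups`, which strict JSON parsers reject; this only loads if headscale reads the policy as HuJSON, so either drop the comma or note that the file relies on the lenient parser. The added ACL also opens every port on the whole of `10.0.0.0/8` to the group, the same reach the auth-key rule above already has; if these users only need the services behind the load balancer, a narrower dst such as `"{{ loadbalancer_ip }}:*"` (or specific ports) bounds what a lost or compromised member device can reach. `group:admin` is removed here, so any rule, tag owner or auto-approver elsewhere in the policy that still names it would fail to load — worth checking outside this hunk.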
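Review bot: The new split-DNS entry uses the templated scalars `{{ domain }}:` and `- {{ loadbalancer_ip }}` unquoted, so an empty or unexpected expansion is retyped by the YAML parser (a missing value becomes null) instead of staying a string; writing them as `"{{ domain }}":` and `- "{{ loadbalancer_ip }}"` keeps the rendered file's types stable. The `split:` map sits under a `dns:` mapping that starts outside this hunk.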
@@ -0,0 +1,56 @@
+---
+
+services:
+ passwd:
+ image: vaultwarden/server:latest
+ volumes:
+ - {{ passwd_base }}/volumes/data:/data
+ environment:
+ - TZ={{ timezone }}
+ - DEPLOYMENT_TIME={{ now() }}
+ - DOMAIN=https://{{ passwd_domain }}
+ - SENDS_ALLOWED=true
+ - EMERGENCY_ACCESS_ALLOWED=true
+ - WEB_VAULT_ENABLED=true
+
+ - SIGNUPS_ALLOWED=false
+ - SIGNUPS_VERIFY=true
+ - SIGNUPS_VERIFY_RESEND_TIME=3600
+ - SIGNUPS_VERIFY_RESEND_LIMIT=5
+ - SIGNUPS_DOMAINS_WHITELIST={{ domain }}
+
+ - SMTP_HOST={{ mail_domain }}
+ - SMTP_FROM={{ info_mail }}
+ - SMTP_FROM_NAME=VaultWarden
+ - SMTP_SECURITY=force_tls
+ - SMTP_PORT=465
+ - SMTP_USERNAME={{ info_mail_user }}
+ - SMTP_PASSWORD={{ info_mail_password }}
+
+ - YUBICO_SECRET_KEY={{ yubico_secret_key }}
+ - YUBICO_CLIENT_ID={{ yubico_client_id }}
+ networks:
+ - proxy
+ healthcheck:
+ test: ["CMD", "/healthcheck.sh"]
+ start_period: 10s
+ deploy:
+ mode: replicated
+ update_config:
+ parallelism: 1
+ failure_action: rollback
+ order: start-first
+ monitor: 90s
+ replicas: 1
+ labels:
+ - traefik.enable=true
+ - traefik.swarm.network=proxy
+ - traefik.http.routers.passwd.tls=true
+ - traefik.http.routers.passwd.tls.certResolver=letsencrypt
+ - traefik.http.routers.passwd.rule=Host(`{{ passwd_domain }}`)
+ - traefik.http.routers.passwd.entrypoints=websecure
+ - traefik.http.services.passwd.loadbalancer.server.port=80
+
+networks:
+ proxy:
+ external: true
diff --git a/playbooks/roles/passwd/templates/volumes/data/.gitkeep b/playbooks/roles/passwd/templates/volumes/data/.gitkeep
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/playbooks/roles/passwd/templates/volumes/data/.gitkeep |
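Review bot: `SIGNUPS_DOMAINS_WHITELIST={{ domain }}` re-opens the registration that `SIGNUPS_ALLOWED=false` a few lines above turns off — vaultwarden documents a non-empty whitelist as permitting signups for those domains regardless of SIGNUPS_ALLOWED, so anyone who can receive mail at `{{ domain }}` (given `SIGNUPS_VERIFY=true`) can create a vault; if that is intended, say so with `# whitelist overrides SIGNUPS_ALLOWED=false: any {{ domain }} mailbox may register`. `SMTP_PASSWORD` and `YUBICO_SECRET_KEY` are rendered in clear into the stack file under `{{ passwd_base }}` and into the task environment, where `docker inspect` on any manager exposes them; swarm secrets, or at least a restrictive mode on the rendered file, would narrow that. `vaultwarden/server:latest` is unpinned for the service holding the vault, so a version tag or digest would keep deploys reproducible and reviewable. With `order: start-first` the outgoing and incoming task briefly share `/data`; if the default SQLite backend is in use, `order: stop-first` avoids two writers on one database file during an update.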
