-rwxr-xr-xcreate.py10
-rw-r--r--deploy.yml3
-rw-r--r--group_vars/mail.yml7
-rw-r--r--group_vars/outbound.yml1
-rw-r--r--group_vars/passwd.yml4
-rw-r--r--inventory3
-rw-r--r--playbooks/passwd.yml7
-rw-r--r--playbooks/roles/bin/templates/stacks/docker-compose.yml2
-rw-r--r--playbooks/roles/mail/templates/stacks/docker-compose.yml7
-rw-r--r--playbooks/roles/outbound/templates/headscale/config/acl.json7
-rw-r--r--playbooks/roles/outbound/templates/headscale/config/config.yaml5
-rw-r--r--playbooks/roles/passwd/tasks/main.yml8
-rw-r--r--playbooks/roles/passwd/templates/stacks/docker-compose.yml56
-rw-r--r--playbooks/roles/passwd/templates/volumes/data/.gitkeep0
-rw-r--r--secrets.txt2
15 files changed, 105 insertions, 17 deletions
diff --git a/create.py b/create.py
index 500c8be..842237d 100755
--- a/create.py
+++ b/create.py
@@ -153,18 +153,18 @@ class RoleGenerator:
- proxy
healthcheck:
test: ["CMD-SHELL", "curl", "--fail", "http://localhost:8000"]
- timeout: 5s
+ timeout: 15s
interval: 30s
- retries: 2
- start_period: 8s
+ retries: 3
+ start_period: 10s
deploy:
mode: replicated
update_config:
parallelism: 1
failure_action: rollback
order: start-first
- delay: 15s
- monitor: 10s
+ delay: 10s
+ monitor: 45s
replicas: 1
labels:
- traefik.enable=true
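Review bot: The healthcheck on the `test:` line combines the `CMD-SHELL` form with a list of separate arguments; Docker's `CMD-SHELL` form takes one command string, and with extra list elements the shell gets only `curl` as its command while `--fail` and the URL become shell positional parameters, so the probe most likely runs `curl` with no arguments and never reports healthy — worth confirming on a running service, since the timeout and retry tuning in this hunk cannot help until the probe itself can pass. Either use the exec form, `test: ["CMD", "curl", "--fail", "http://localhost:8000"]`, which the mail stack in this same commit already uses, or collapse it to a single string, `test: ["CMD-SHELL", "curl --fail http://localhost:8000"]`. These lines appear to be part of a template string inside `RoleGenerator`, whose body starts and ends outside the hunk.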
diff --git a/deploy.yml b/deploy.yml
index 0b0712f..00b3852 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -47,3 +47,6 @@
- name: bin
ansible.builtin.import_playbook: playbooks/bin.yml
+
+- name: passwd
+ ansible.builtin.import_playbook: playbooks/passwd.yml
diff --git a/group_vars/mail.yml b/group_vars/mail.yml
index 22d72c7..c2f937b 100644
--- a/group_vars/mail.yml
+++ b/group_vars/mail.yml
@@ -35,11 +35,10 @@ roundcube_default_host: "ssl://{{ mail_domain }}"
roundcube_default_port: 993
roundcube_smtp_host: "ssl://{{ mail_domain }}"
roundcube_smtp_port: 465
-roundcube_plugins: "archive,zipdownload,managesieve,markasjunk,enigma,roundcube_skins"
-roundcube_composer_plugins: "texxasrulez/roundcube_skins"
+roundcube_plugins: "archive,zipdownload,managesieve,markasjunk,enigma"
+roundcube_composer_plugins: ""
roundcube_oauth2_auth_uri: "https://{{ idm_domain }}/ui/oauth2"
-roundcube_oauth2_user_uri: >
- https://{{ idm_domain }}/oauth2/openid/roundcube/userinfo
+roundcube_oauth2_user_uri: "https://{{ idm_domain }}/oauth2/openid/roundcube/userinfo"
roundcube_oauth2_token_uri: "https://{{ idm_domain }}/oauth2/token"
roundcube_oauth2_client_id: "roundcube"
diff --git a/group_vars/outbound.yml b/group_vars/outbound.yml
index 2c7c6c8..d9b65bb 100644
--- a/group_vars/outbound.yml
+++ b/group_vars/outbound.yml
@@ -18,3 +18,4 @@ generate_auth_key: '{{ homelab_build }}'
auth_key_expiration: '2y'
auth_key_user: 'pocketmonsters'
+oauth_user_suffix: '@idm.{{ domain }}'
diff --git a/group_vars/passwd.yml b/group_vars/passwd.yml
new file mode 100644
index 0000000..02fb0fd
--- /dev/null
+++ b/group_vars/passwd.yml
@@ -0,0 +1,4 @@
+---
+
+passwd_domain: passwd.liz.coffee
+passwd_base: "{{ swarm_base }}/passwd"
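Review bot: `passwd_domain: passwd.liz.coffee` hard-codes the hostname, while the rest of this commit derives hostnames from the `domain` variable (`oauth_user_suffix: '@idm.{{ domain }}'`, `SIGNUPS_DOMAINS_WHITELIST={{ domain }}`). If `domain` is the parent zone here, `passwd_domain: "passwd.{{ domain }}"` keeps the Traefik host rule, the vault's `DOMAIN` URL and its signup whitelist consistent from a single variable. The file is new, so the whole document is visible.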
diff --git a/inventory b/inventory
index e45d7bb..a28ffea 100644
--- a/inventory
+++ b/inventory
@@ -55,3 +55,6 @@ swarm-one ansible_host=10.128.0.201 ansible_user=serve ansible_connectio
[mail]
swarm-one ansible_host=10.128.0.201 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
+[passwd]
+swarm-one ansible_host=10.128.0.201 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
+
diff --git a/playbooks/passwd.yml b/playbooks/passwd.yml
new file mode 100644
index 0000000..b8c9031
--- /dev/null
+++ b/playbooks/passwd.yml
@@ -0,0 +1,7 @@
+---
+
+- name: passwd setup
+ hosts: passwd
+ become: true
+ roles:
+ - passwd
diff --git a/playbooks/roles/bin/templates/stacks/docker-compose.yml b/playbooks/roles/bin/templates/stacks/docker-compose.yml
index f218b74..2580fd6 100644
--- a/playbooks/roles/bin/templates/stacks/docker-compose.yml
+++ b/playbooks/roles/bin/templates/stacks/docker-compose.yml
@@ -15,7 +15,7 @@ services:
timeout: 3s
interval: 1m
retries: 2
- start_timeout: 10s
+ start_period: 10s
networks:
- proxy
deploy:
diff --git a/playbooks/roles/mail/templates/stacks/docker-compose.yml b/playbooks/roles/mail/templates/stacks/docker-compose.yml
index b4cc3e0..b1c3982 100644
--- a/playbooks/roles/mail/templates/stacks/docker-compose.yml
+++ b/playbooks/roles/mail/templates/stacks/docker-compose.yml
@@ -1,6 +1,6 @@
services:
roundcube:
- image: roundcube/roundcubemail:latest-nonroot
+ image: roundcube/roundcubemail:latest
restart: always
volumes:
- {{ mail_base }}/volumes/data/roundcube/db:/var/roundcube/db
@@ -19,7 +19,7 @@ services:
- proxy
- roundcube
healthcheck:
- test: ["CMD", "curl", "--fail", "http://localhost:8000"]
+ test: ["CMD", "curl", "--fail", "http://localhost:80"]
timeout: 3s
interval: 30s
retries: 2
@@ -33,7 +33,7 @@ services:
- traefik.http.routers.mail.tls.certResolver=letsencrypt
- traefik.http.routers.mail.rule=Host(`{{ mail_domain }}`)
- traefik.http.routers.mail.entrypoints=websecure
- - traefik.http.services.mail.loadbalancer.server.port=8000
+ - traefik.http.services.mail.loadbalancer.server.port=80
mailserver:
image: ghcr.io/docker-mailserver/docker-mailserver:latest
@@ -94,6 +94,7 @@ services:
- ENABLE_SASLAUTHD=1
- ENABLE_MANAGESIEVE=1
- ENABLE_POSTGREY=1
+ - ENABLE_FAIL2BAN=1
- SPOOF_PROTECTION=1
- ACCOUNT_PROVISIONER=LDAP
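Review bot: The `image:` change on the `roundcube` service drops the `-nonroot` variant, so the web container now runs as root instead of an unprivileged user; the later hunks moving the healthcheck and Traefik port from 8000 to 80 suggest this was done to get the privileged port, which is a real reduction in containment for a service that terminates user sessions. If that is the reason, a one-line comment above `image:` recording it (presumably along the lines of "non-root image listens on 8000; root image needed for port 80") would keep the next reviewer from reverting it, and a pinned version tag instead of `latest` would make the `failure_action: rollback` path reproducible. Separately, `ENABLE_FAIL2BAN=1` on the mailserver service needs the container to be able to edit the host firewall — docker-mailserver's documentation requires `cap_add: [NET_ADMIN]` for it — and nothing in this hunk adds that; without it the ban action will likely only log errors. The mailserver service definition continues outside the hunk, so the capability may already be declared there.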
diff --git a/playbooks/roles/outbound/templates/headscale/config/acl.json b/playbooks/roles/outbound/templates/headscale/config/acl.json
index fe1197a..449207d 100644
--- a/playbooks/roles/outbound/templates/headscale/config/acl.json
+++ b/playbooks/roles/outbound/templates/headscale/config/acl.json
@@ -1,12 +1,17 @@
{
"groups": {
- "group:admin": ["liz"]
+ "group:internal": ["liz{{ oauth_user_suffix }}", "lucina{{ oauth_user_suffix }}", "riley{{ oauth_user_suffix }}"],
},
"acls": [
{
"action": "accept",
"src": ["{{ auth_key_user }}"],
"dst": ["{{ auth_key_user }}:*", "10.0.0.0/8:*"]
+ },
+ {
+ "action": "accept",
+ "src": ["group:internal"],
+ "dst": ["10.0.0.0/8:*"]
}
]
}
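Review bot: The new `"group:internal"` line ends with `],` and is directly followed by the closing `}` of `groups`, a trailing comma that strict JSON parsers reject. Headscale loads its policy as HuJSON, which tolerates trailing commas, so this probably works, but anything else that validates the rendered `.json` file will fail on it; dropping the comma after the array costs nothing. Note also that the added rule gives `group:internal` every port on `10.0.0.0/8`, the same blanket reach as the `auth_key_user` rule; if those users only need a handful of services, narrowing `dst` to specific hosts and ports is the least-privilege shape.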
diff --git a/playbooks/roles/outbound/templates/headscale/config/config.yaml b/playbooks/roles/outbound/templates/headscale/config/config.yaml
index 2586848..d3bff5a 100644
--- a/playbooks/roles/outbound/templates/headscale/config/config.yaml
+++ b/playbooks/roles/outbound/templates/headscale/config/config.yaml
@@ -125,9 +125,8 @@ dns:
- {{ headscale_dns_for_connected_clients_1 }}
- {{ headscale_dns_for_connected_clients_2 }}
split:
- {}
- # foo.bar.com:
- # - 1.1.1.1
+ {{ domain }}:
+ - {{ loadbalancer_ip }}
search_domains: []
unix_socket: /var/run/headscale/headscale.sock
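Review bot: The two new lines under `split:` place Jinja expressions unquoted as a YAML key and a sequence item; the template engine substitutes text before the YAML parser runs, so `{{ domain }}:` and `- {{ loadbalancer_ip }}` are only safe as long as the rendered values never look like a number, a flow collection or another YAML indicator. Writing them as `"{{ domain }}":` and `- "{{ loadbalancer_ip }}"` costs nothing and matches how `group_vars/outbound.yml` already quotes templated values. This rendering has lost indentation, so whether the key actually sits under `split:` rather than beside it cannot be checked from this page.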
diff --git a/playbooks/roles/passwd/tasks/main.yml b/playbooks/roles/passwd/tasks/main.yml
new file mode 100644
index 0000000..005aee0
--- /dev/null
+++ b/playbooks/roles/passwd/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Deploy passwd
+ ansible.builtin.import_tasks: manage-docker-swarm-service.yml
+ vars:
+ service_name: passwd
+ template_render_dir: "../templates"
+ service_destination_dir: "{{ passwd_base }}"
diff --git a/playbooks/roles/passwd/templates/stacks/docker-compose.yml b/playbooks/roles/passwd/templates/stacks/docker-compose.yml
new file mode 100644
index 0000000..7f2c373
--- /dev/null
+++ b/playbooks/roles/passwd/templates/stacks/docker-compose.yml
@@ -0,0 +1,56 @@
+---
+
+services:
+ passwd:
+ image: vaultwarden/server:latest
+ volumes:
+ - {{ passwd_base }}/volumes/data:/data
+ environment:
+ - TZ={{ timezone }}
+ - DEPLOYMENT_TIME={{ now() }}
+ - DOMAIN=https://{{ passwd_domain }}
+ - SENDS_ALLOWED=true
+ - EMERGENCY_ACCESS_ALLOWED=true
+ - WEB_VAULT_ENABLED=true
+
+ - SIGNUPS_ALLOWED=false
+ - SIGNUPS_VERIFY=true
+ - SIGNUPS_VERIFY_RESEND_TIME=3600
+ - SIGNUPS_VERIFY_RESEND_LIMIT=5
+ - SIGNUPS_DOMAINS_WHITELIST={{ domain }}
+
+ - SMTP_HOST={{ mail_domain }}
+ - SMTP_FROM={{ info_mail }}
+ - SMTP_FROM_NAME=VaultWarden
+ - SMTP_SECURITY=force_tls
+ - SMTP_PORT=465
+ - SMTP_USERNAME={{ info_mail_user }}
+ - SMTP_PASSWORD={{ info_mail_password }}
+
+ - YUBICO_SECRET_KEY={{ yubico_secret_key }}
+ - YUBICO_CLIENT_ID={{ yubico_client_id }}
+ networks:
+ - proxy
+ healthcheck:
+ test: ["CMD", "/healthcheck.sh"]
+ start_period: 10s
+ deploy:
+ mode: replicated
+ update_config:
+ parallelism: 1
+ failure_action: rollback
+ order: start-first
+ monitor: 90s
+ replicas: 1
+ labels:
+ - traefik.enable=true
+ - traefik.swarm.network=proxy
+ - traefik.http.routers.passwd.tls=true
+ - traefik.http.routers.passwd.tls.certResolver=letsencrypt
+ - traefik.http.routers.passwd.rule=Host(`{{ passwd_domain }}`)
+ - traefik.http.routers.passwd.entrypoints=websecure
+ - traefik.http.services.passwd.loadbalancer.server.port=80
+
+networks:
+ proxy:
+ external: true
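Review bot: `SIGNUPS_ALLOWED=false` does not close registration on this service, because `SIGNUPS_DOMAINS_WHITELIST={{ domain }}` a few lines below is documented by Vaultwarden as letting addresses on the listed domains register even when `SIGNUPS_ALLOWED` is false, so any mailbox on that domain can create a vault account. That may well be the intent, since the mail stack in this commit owns the domain, but a comment above the block stating it, `# SIGNUPS_DOMAINS_WHITELIST overrides SIGNUPS_ALLOWED=false: any mailbox on the domain may register`, would make the policy explicit. `SMTP_PASSWORD` and `YUBICO_SECRET_KEY` are passed as plain `environment` entries, which means they appear in `docker service inspect` output and in the rendered stack file on the host; if the deploy helper cannot carry them as Docker secrets, the rendered file's permissions are the thing to verify. Those same items are unquoted plain scalars, so a rendered password containing `: ` or ` #` would break the YAML parse — `- 'SMTP_PASSWORD={{ info_mail_password }}'` avoids that.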
diff --git a/playbooks/roles/passwd/templates/volumes/data/.gitkeep b/playbooks/roles/passwd/templates/volumes/data/.gitkeep
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/playbooks/roles/passwd/templates/volumes/data/.gitkeep
diff --git a/secrets.txt b/secrets.txt
index ee74416..173d8f7 100644
--- a/secrets.txt
+++ b/secrets.txt
@@ -15,3 +15,5 @@ ses_smtp_password
email_ldap_api_token
roundcube_oauth2_client_basic_secret
info_mail_password
+yubico_client_id
+yubico_secret_key