diff --git a/Makefile b/Makefile
index 38d8e39..b509a00 100644
--- a/Makefile
+++ b/Makefile
@@ -32,6 +32,7 @@ configure: $(TAGS_ARGS) \ --inventory="$(INVENTORY)" \ --extra-vars='ansible_python_interpreter=/usr/bin/python3' \ + --ask-vault-pass \ $(PLAYBOOK) configure-apps:
@@ -44,6 +45,7 @@ dry-run: $(TAGS_ARGS) \ --inventory="$(INVENTORY)" \ --extra-vars='ansible_python_interpreter=/usr/bin/python3' \ + --ask-vault-pass \ --check \ --diff \ $(PLAYBOOK)
diff --git a/ansible/configuration.yml b/ansible/configuration.yml
index 02dbb12..cadc4e1 100644
--- a/ansible/configuration.yml
+++ b/ansible/configuration.yml
@@ -1,5 +1,9 @@ --- - hosts: all + vars: + notes_port: 41080 + vars_files: + - vars/vars.yml tasks:
@@ -34,6 +38,7 @@ name: antoiner77.caddy vars: caddy_config: '{{ lookup("template", "templates/Caddyfile.j2") }}' + caddy_update: False caddy_setcap: True caddy_systemd_capabilities_enabled: True caddy_systemd_capabilities: "CAP_NET_BIND_SERVICE"
@@ -73,12 +78,12 @@ PROJECT_NAME: notes IMAGE_PREFIX: notes CONTAINER_PREFIX: notes - WEB_SERVER_PORT: 127.0.0.1:41080 + WEB_SERVER_PORT: '127.0.0.1:{{ notes_port }}' DATA_DIR: /home/notes/app/data CACHE_DIR: /home/notes/app/cache APP_ENV: prod SYMFONY_ENV: prod - SECRET_TOKEN: C56gRpAtBYS3V98A3ZjQZCXzJz9gBVdz + SECRET_TOKEN: '{{ notes.secret }}' DATABASE_HOST: notes-db DATABASE_PORT: 3306 DATABASE_NAME: notes
diff --git a/ansible/files/av_id_rsa.pub b/ansible/files/av_id_rsa.pub
index 03abf82..f99a873 100644
--- a/ansible/files/av_id_rsa.pub
+++ b/ansible/files/av_id_rsa.pub
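Review bot: `--ask-vault-pass` is hard-wired into the `configure` recipe, so every run now blocks on an interactive prompt and there is no way to run the target from CI or with a password file without editing the Makefile. Make the flag an overridable variable, e.g. `VAULT_ARGS ?= --ask-vault-pass` near the top of the file and `$(VAULT_ARGS) \` in place of the added line, so `make configure VAULT_ARGS='--vault-password-file ~/.vault-pass'` works; the same applies to the `dry-run` hunk below. The `configure` recipe starts before this hunk, so the rest of its argument list is not visible here.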
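Review bot: Now that `dry-run` decrypts the vault, the `--diff` flag already on this target will print every file Ansible would change, and judging by the template hunk in this commit that includes a rendered Caddyfile carrying basic-auth passwords and a base64 WebDAV `Authorization` header in cleartext, straight into the terminal and any CI log. Either make the diff opt-in, e.g. `DIFF_ARGS ?=` at the top and `$(DIFF_ARGS) \` replacing `--diff \`, or add `no_log: true` on the task that writes the Caddyfile if the role exposes it. Whether the caddy role's config task is a template/copy task that participates in `--diff` cannot be confirmed from this diff.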
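Review bot: The play now depends on `vars/vars.yml` supplying `notes.secret` and, from the Caddyfile hunk, `notes.login`, `notes.password`, `netdata.login`, `netdata.password`, `yandex_disk.login` and `yandex_disk.password`, yet because the whole file is vault-encrypted none of those key names are visible to a reviewer or to whoever has to recreate the vault. Document the expected layout next to the include, e.g. `# vars/vars.yml (vault): notes.{secret,login,password}, netdata.{login,password}, yandex_disk.{login,password}`, or keep the file in cleartext and encrypt only the values with `ansible-vault encrypt_string` so structure stays reviewable. Note also that under `hosts: all` the decrypted secrets are available to tasks on every inventory host, not only the one running Caddy.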
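Review bot: `caddy_update: False` stops the role from refreshing the Caddy binary on each run, which makes deployments reproducible but also means Caddy security releases no longer arrive on their own, and no explicit version is pinned anywhere visible in this diff. Record the trade-off in place, e.g. `caddy_update: False  # binary is not refreshed by the role; bump deliberately on Caddy security releases`, and pin the version explicitly if the role supports it. The role-vars block this line belongs to starts before the hunk.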
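Review bot: Moving `SECRET_TOKEN` into the vault does not retire the old value; `C56gRpAtBYS3V98A3ZjQZCXzJz9gBVdz` stays readable in git history to anyone with the repository, so `notes.secret` must be a newly generated secret rather than the same string re-encrypted, and the same holds for the two basic-auth passwords replaced in the Caddyfile hunk. The vault contents cannot be inspected here, so I cannot tell whether a rotation happened; a line in the commit message or a `# rotated when moved to the vault` comment on this line would make it auditable. The env block this hunk sits in starts before the hunk.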
@@ -1 +1,25 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDxqDV6RWsmTgWmgKGwL0B9NdNH3zdRIo5dZrLK8rRvvOKVUwHxK8V0i0qaxBho/hVTuI2Jk3dt+/3/E7CsK9qxTci0272nIizkJd4nzicTIrT2K7NQQLrvhnNvDx3g2KGLqChcaDrICgHsCv2VTH1Cm64pvE4cqom0xJz/tG7ijqzBzGDybubC4TAItkNDmtp7F4Ia06yzfL2CExBz8zxeTG4oT0sy5e0j/NjxP2MYPrQW5tL60r65VFy9a1x+8dp6IqrZkM3z6oDER0Gzhl0zfB/EAp4KhN06Bs+2UyhaQbi4+owIUVNTP+amFicyZFSu6VAeVr4JWsmrsWaKYVMD av@sol
+$ANSIBLE_VAULT;1.1;AES256
+39343035656562656632323766356561386665373036383564616331333333613765353737663632
+3531663835303562393063343231623464663232333532380a663838663938316566616532623065
+66336463643862626538366462346231386333366464323131363836326436373563623164336632
+6234353437383432380a396136653136616335343936343335633236373363353766666539396334
+36613836663831333838633231363731323234323761306630646632616238363662376462333039
+32373938343562313064663334383766653161613032623936646361316561666532356465623133
+32303663313834663834366363383265653939316336356239313364623366386631626536643439
+31333362353961353434333636343336323239363461663937313931616262316330376165393263
+63366665396431323034383939633365316134356564656136393032393864393636616234316231
+37616336396435626264643232343766616364306264376338313238356261653863336535363237
+34653638316161636431653465343536323331656230633332333139386132653433626662343837
+35396437633233363637376561303338386432643039626336376366373334613463663465613637
+36643734626163623738336435383032353837366532316566613864306430653336616637383262
+65646131643533323563393133373964633863636666633338616236386531323064396137376232
+37653333666566386563383235356232663338643161313635643661326339333661393135643030
+62356662623365376662646166316262353964383936373463393339623961376232653664306439
+36336231393434356661316336653033346430386366663138323832613532303265343136373836
+64666561616535623732326464643831363866326265343165356330646561653066393764336134
+30326436663066633163393163306265383834306634663639336437303965373063323335333537
+38643234623061376565636536323563623739313165343464316466363364613963636437363830
+33306632313839373132636130326331363538323763326333316165363633336561373030373963
+38313135343464303331343866646634393162393361333962356133376163393865373239323763
+31303336613937303031343532333036653133363439643864663661373639646566643831313662
+35613430333861376565
diff --git a/ansible/templates/Caddyfile.j2 b/ansible/templates/Caddyfile.j2
index 8d28562..b94ab23 100644
--- a/ansible/templates/Caddyfile.j2
+++ b/ansible/templates/Caddyfile.j2
@@ -5,7 +5,7 @@ status.vakhrushev.me, :29999 { } tls anwinged@ya.ru - basicauth / anton show-me-the-status + basicauth / {{ netdata.login }} {{ netdata.password }} } # Homepage
@@ -22,10 +22,21 @@ homepage.vakhrushev.me, vakhrushev.me { # Notes app notes.vakhrushev.me { - proxy / 127.0.0.1:41080 { + proxy / 127.0.0.1:{{ notes_port }} { transparent } tls anwinged@ya.ru - basicauth / anton show-me-the-notes + basicauth / {{ notes.login }} {{ notes.password }} +} + +# Yandex Proxy Imager +preview.vakhrushev.me { + proxy /img https://webdav.yandex.ru { + transparent + header_upstream User-Agent "yandex-disk-previewer/1.0" + header_upstream Authorization "Basic {{ (yandex_disk.login ~ ':' ~ yandex_disk.password) | b64encode }}" + } + + tls anwinged@ya.ru }
diff --git a/ansible/templates/vakhrushev.me.conf.j2 b/ansible/templates/vakhrushev.me.conf.j2
deleted file mode 100755
index a934096..0000000
--- a/ansible/templates/vakhrushev.me.conf.j2
+++ /dev/null
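Review bot: An SSH public key is not a secret, so vault-encrypting `av_id_rsa.pub` gains nothing while hiding which key gets authorized from anyone reviewing the repository. `copy` and the `file` lookup do decrypt vaulted files transparently, so the deploy may still work, but the task that consumes this file is not in the diff. Unless the key is being hidden for a reason not stated here, keep the `.pub` in cleartext and reserve the vault for private material and passwords; if the intent was to replace the `av@sol` key with a different one, say so in the commit message so the change is auditable.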
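Review bot: `basicauth / {{ netdata.login }} {{ netdata.password }}` drops the vault values into the Caddyfile as bare tokens, so a password containing a space, `#` or a quote will be split into extra arguments or break parsing of the whole block at reload. Quote both values, `basicauth / "{{ netdata.login }}" "{{ netdata.password }}"`, and avoid `"` in the generated password. The replaced password `show-me-the-status` also remains in git history, so the vaulted value must be a fresh one rather than the same string re-encrypted. The enclosing `status.vakhrushev.me` block starts before this hunk.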
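Review bot: Anyone on the internet can drive `webdav.yandex.ru` with the owner's credentials through the new `preview.vakhrushev.me` block: the `header_upstream Authorization` line attaches the base64 login to every request under `/img`, there is no `basicauth` unlike the `notes` and `status` hosts, and method and path are forwarded unchanged, which on WebDAV means `PROPFIND` listings, `PUT`, `DELETE` and `MKCOL` rather than just image fetches. Reject everything but `GET`/`HEAD` before the proxy, as sketched below for the Caddy v1 syntax the file already uses, and if the previews are not meant to be public put `basicauth /img` in front of it like the other hosts. `transparent` also sets the upstream `Host` header to `preview.vakhrushev.me`, which a third-party upstream may refuse, so confirm a request actually succeeds once deployed. The rendered Caddyfile now holds the base64 credentials in cleartext on the host, so check that the role writes it without world-read permission.
```caddyfile
preview.vakhrushev.me {
    # WebDAV honours PROPFIND/PUT/DELETE/MKCOL; only read-only methods may reach the upstream
    rewrite {
        if {method} not_match ^(GET|HEAD)$
        to /denied
    }
    status 405 /denied

    proxy /img https://webdav.yandex.ru {
        # … unchanged: transparent, User-Agent and Authorization headers …
    }
    # … unchanged: tls …
}
```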
@@ -1,38 +0,0 @@ -server { - server_name docker.vakhrushev.me; - return 301 https://docker.vakhrushev.me$request_uri; -} - -server { - server_name www.docker.vakhrushev.me; - return 301 https://docker.vakhrushev.me$request_uri; -} - -server { - listen 443 ssl http2; - server_name docker.vakhrushev.me; - - ssl on; - ssl_certificate {{ vars[nginx_ssl_name + "_ssl_certificate"] }}; - ssl_certificate_key {{ vars[nginx_ssl_name + "_ssl_key"] }}; - ssl_trusted_certificate {{ vars[nginx_ssl_name + "_ssl_certificate"] }}; - - ssl_session_cache shared:SSL:50m; - ssl_session_timeout 5m; - ssl_stapling on; - ssl_stapling_verify on; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; - - ssl_dhparam {{ vars[nginx_ssl_name + "_ssl_dhparam"] }}; - ssl_prefer_server_ciphers on; - - location / { - proxy_pass http://localhost:{{ nginx_proxy_params.port }}; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - } -} diff --git a/ansible/vars/vars.yml b/ansible/vars/vars.yml new file mode 100644 index 0000000..224e2d6 --- /dev/null +++ b/ansible/vars/vars.yml 
@@ -0,0 +1,15 @@ +$ANSIBLE_VAULT;1.1;AES256 +35363437643463396366363661386530363562373533313237383533356662303136386265623638 +6365396330653231656162393964343866633865613437340a393261633963353661633864613664 +62616131366434666563353437316332306236643032313535343062343464363762373331663061 +3132396362326365640a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