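---
# Playbook for host "silence": installs the package set, writes the nftables
# ruleset, the infinoted service/config and the nginx vhost, and wires
# handlers so changed files trigger the matching service reload/restart.
- hosts: silence
  tasks:
    - name: requirements
      apt:
        name:
          - smokeping
          - infinoted
          - nginx
          - libnginx-mod-http-fancyindex
          - go-sendxmpp
          - syncthing
          - rsync
          - transmission-daemon

    # Input filter: LAN and the listed IPv6 prefix are trusted; everything else
    # only gets ssh/http/https, transmission's peer port and ping.
    - name: Setup nftables
      notify: restart nftables
      copy:
        dest: /etc/nftables.conf
        content: |
          #!/usr/sbin/nft -f
          table inet filter
          flush table inet filter
          table inet filter {
            chain input {
              # policy drop makes the default explicit; the trailing "counter drop"
              # is kept so dropped packets stay visible in "nft list ruleset".
              type filter hook input priority 0; policy drop;
              iif lo accept
              ct state established,related accept
              icmp type echo-request counter accept
              icmpv6 type echo-request counter accept
              ip saddr 192.168.1.0/24 accept
              ip6 saddr 2a01:e0a:15:ac20::/64 accept
              udp dport 51413 accept comment "transmission"
              tcp dport 51413 accept comment "transmission"
              # accept neighbour discovery otherwise ipv6 connectivity breaks:
              icmpv6 type {nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert} accept
              # http/https are open to any source: every nginx location below is
              # reachable from outside the LAN, not just from 192.168.1.0/24.
              tcp dport {ssh, http, https} ct state new accept
              counter drop
            }
          }

    - name: Infinoted user
      user:
        name: infinoted
        shell: /usr/bin/false

    - name: Make infinoted files directory
      file:
        path: /home/infinoted/files/
        state: directory
        owner: infinoted
        # quoted so the YAML parser cannot read the octal literal as an int
        mode: "0700"

    - name: Setup infinoted
      notify: restart infinoted
      copy:
        dest: /etc/xdg/infinoted.conf
        content: |
          [infinoted]
          key-file=/home/infinoted/infinoted-key.pem
          certificate-file=/home/infinoted/infinoted-cert.pem
          security-policy=require-tls
          plugins=note-text;autosave
          root-directory=/home/infinoted/files/

          [autosave]
          interval=10

    - name: Setup infinoted service
      notify: restart infinoted
      copy:
        dest: /etc/systemd/system/infinoted.service
        content: |
          [Unit]
          Description=Infinoted
          # Wants= alone gives no ordering; After= is what delays the start.
          Wants=network.target
          After=network.target
          # Rate-limit settings belong to [Unit] in current systemd.
          StartLimitIntervalSec=0

          [Service]
          # Needs to run `infinoted --create-certificate --create-key` (and kill it) manually first.
          ExecStart=/usr/bin/infinoted
          Restart=always
          RestartSec=60
          User=infinoted

          [Install]
          WantedBy=multi-user.target

    # Plain-HTTP vhost. NOTE(review): nftables also opens https but nothing
    # listens on 443 here, so grafana/transmission sessions from outside the
    # LAN travel unencrypted — confirm that is intended.
    - name: Setup nginx
      notify: reload nginx
      copy:
        dest: /etc/nginx/conf.d/silence.conf
        content: |
          map $http_upgrade $connection_upgrade {
            default upgrade;
            '' close;
          }

          upstream grafana {
            server localhost:3000;
          }

          server {
            listen 80 default_server;
            listen [::]:80 default_server;
            server_name silence;

            location /c-dans-l-air/ {
              alias /srv/www/c-dans-l-air/;
              fancyindex on;
              fancyindex_default_sort date_desc;
            }

            # NOTE(review): relies on fcgiwrap providing this socket; it is not in
            # the apt list above — verify it is pulled in as a dependency.
            location /smokeping/smokeping.cgi {
              fastcgi_intercept_errors on;
              root /usr/lib;
              include /etc/nginx/fastcgi_params;
              fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/smokeping.cgi;
              fastcgi_pass unix:/var/run/fcgiwrap.socket;
            }

            location ^~ /smokeping/ {
              alias /usr/share/smokeping/www/;
              index smokeping.cgi;
              gzip off;
            }

            location /grafana/ {
              proxy_set_header Host $http_host;
              proxy_pass http://grafana;
            }

            # Grafana live (websocket) endpoint; the map above turns a missing
            # Upgrade header into "Connection: close".
            location /api/live/ {
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection $connection_upgrade;
              proxy_set_header Host $http_host;
              proxy_pass http://grafana;
            }

            # NOTE(review): reachable from any source nftables lets through on
            # port 80; confirm transmission-daemon's RPC authentication is
            # enabled, since nothing in this vhost adds its own.
            location /transmission {
              proxy_pass http://127.0.0.1:9091;
              proxy_pass_header X-Transmission-Session-Id;
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }
          }

  handlers:
    - name: reload nginx
      systemd:
        name: nginx
        state: reloaded

    - name: restart nftables
      systemd:
        name: nftables
        state: restarted

    # The unit file is written by a task above, so systemd must re-read units
    # before the restart or it keeps running the old definition. enabled: true
    # matches the [Install] section so the service comes back after a reboot.
    - name: restart infinoted
      systemd:
        name: infinoted
        daemon_reload: true
        enabled: true
        state: restarted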