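---
# Provisions the host "silence": the package set, an nftables input filter,
# the infinoted collaborative editor (user, data directory, config, systemd
# unit) and an nginx front end for a static directory, smokeping, grafana
# and transmission. Handlers at the bottom reload/restart the services
# whose files a task rewrites.
- hosts: silence
  tasks:
    - name: requirements
      apt:
        name:
          - smokeping
          - infinoted
          - nginx
          - libnginx-mod-http-fancyindex
          - go-sendxmpp
          - syncthing
          - rsync
          - transmission-daemon

    # `validate` runs the candidate file through `nft -c` (check only) before
    # it replaces /etc/nftables.conf, so a syntax error fails this task
    # instead of surfacing only when the "restart nftables" handler fails,
    # which may leave the host with a flushed ruleset.
    # Reviewer note: the `tcp dport {ssh, http, https}` rule accepts new
    # connections from any source, not just the two LAN prefixes listed above
    # it; nginx below listens on plaintext port 80 only. Whether that is
    # intended depends on where this host sits, which the playbook does not
    # show.
    - name: Setup nftables
      notify: restart nftables
      copy:
        dest: /etc/nftables.conf
        validate: nft -c -f %s
        content: |
          #!/usr/sbin/nft -f

          table inet filter
          flush table inet filter

          table inet filter {
            chain input {
              type filter hook input priority 0;
              iif lo accept
              ct state established,related accept
              icmp type echo-request counter accept
              icmpv6 type echo-request counter accept
              ip saddr 192.168.1.0/24 accept
              ip6 saddr 2a01:e0a:15:ac20::/64 accept

              udp dport 51413 accept comment "transmission"
              tcp dport 51413 accept comment "transmission"

              # accept neighbour discovery otherwise ipv6 connectivity breaks:
              icmpv6 type {nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert} accept

              tcp dport {ssh, http, https} ct state new accept

              counter drop
            }
          }

    # Service account for infinoted; a non-interactive shell so the account
    # cannot be used for logins.
    - name: Infinoted user
      user:
        name: infinoted
        shell: /usr/bin/false

    - name: Make infinoted files directory
      file:
        path: /home/infinoted/files/
        state: directory
        owner: infinoted
        # Quoted so Ansible receives the octal string it expects. An unquoted
        # 0700 is read by the YAML 1.1 parser as the integer 448, and what the
        # module then does with it is up to the module's conversion.
        mode: "0700"

    # Key and certificate paths are referenced here but are not generated by
    # this playbook (see the comment in the service unit below).
    - name: Setup infinoted
      notify: restart infinoted
      copy:
        dest: /etc/xdg/infinoted.conf
        content: |
          [infinoted]
          key-file=/home/infinoted/infinoted-key.pem
          certificate-file=/home/infinoted/infinoted-cert.pem
          security-policy=require-tls
          plugins=note-text;autosave
          root-directory=/home/infinoted/files/

          [autosave]
          interval=10

    # Reviewer note: `Wants=network.target` pulls the target in but does not
    # order the unit after it; `After=network.target` is what would add the
    # ordering if infinoted needs the network up before it binds.
    - name: Setup infinoted service
      notify: restart infinoted
      copy:
        dest: /etc/systemd/system/infinoted.service
        content: |
          [Unit]
          Description=Infinoted
          Wants=network.target

          [Service]
          # Needs to run `infinoted --create-certificate --create-key` (and kill it) manually first.
          ExecStart=/usr/bin/infinoted
          Restart=always
          RestartSec=60
          User=infinoted
          StartLimitIntervalSec=0

          [Install]
          WantedBy=multi-user.target

    # Reviewer note: the /transmission location proxies to 127.0.0.1:9091, so
    # transmission's RPC sees every request as coming from loopback. If its
    # RPC whitelist is at the localhost-only default, that whitelist no longer
    # restricts anything and access control rests on transmission's own RPC
    # authentication (not configured here) and on the firewall above. The same
    # applies to the grafana upstream.
    - name: Setup nginx
      notify: reload nginx
      copy:
        dest: /etc/nginx/conf.d/silence.conf
        content: |
          map $http_upgrade $connection_upgrade {
            default upgrade;
            '' close;
          }

          upstream grafana {
            server localhost:3000;
          }

          server {
            listen 80 default_server;
            listen [::]:80 default_server;
            server_name silence;

            location /c-dans-l-air/ {
              alias /srv/www/c-dans-l-air/;
              fancyindex on;
              fancyindex_default_sort date_desc;
            }

            location /smokeping/smokeping.cgi {
              fastcgi_intercept_errors on;
              root /usr/lib;
              include /etc/nginx/fastcgi_params;
              fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/smokeping.cgi;
              fastcgi_pass unix:/var/run/fcgiwrap.socket;
            }

            location ^~ /smokeping/ {
              alias /usr/share/smokeping/www/;
              index smokeping.cgi;
              gzip off;
            }

            location /grafana/ {
              proxy_set_header Host $http_host;
              proxy_pass http://grafana;
            }

            location /api/live/ {
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection $connection_upgrade;
              proxy_set_header Host $http_host;
              proxy_pass http://grafana;
            }

            location /transmission {
              proxy_pass http://127.0.0.1:9091;
              proxy_pass_header X-Transmission-Session-Id;
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }
          }

  handlers:
    - name: reload nginx
      systemd:
        name: nginx
        state: reloaded

    - name: restart nftables
      systemd:
        name: nftables
        state: restarted

    - name: restart infinoted
      systemd:
        name: infinoted
        state: restarted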