Skip to content

♻️ Ansible inventory with bunch of dockerized services

Notifications You must be signed in to change notification settings

Mayurifag/mayurifag.ru

Repository files navigation

Ansible playbook for provisioning mayurifag.ru

Linters

Description

DONT USE THIS REPOSITORY NO MATTER WHAT due to security reasons (i.e. there is no firewall rules, not much services monitoring, no custom fail2ban rules and there is the most important part: it uses docker without much security measures).

Playbook is fine only for my personal usage!

Requires

DNS

Obviously, A record for your TLD + wildcard/subdomain configuration in Cloudflare or your favourite DNS provider.

VPS

  • Debian 10-12 (Ubuntu works, though requires some/many interventions)
  • Large folder for docker data (Done by VPS via large disk)
  • ssh authorization key for root user (Done by VPS or ssh-copy-id [email protected])
  • Be sure that you have open ports for needed applications (some vps providers have default blocked ports or blocked them all)

Your PC

  • Ansible python3 -m pip install --user ansible
  • (only MacOS) - passlib python3 -m pip install --user passlib (to use crypto module from ansible)

Instructions

Initial setup

git clone https://github.com/Mayurifag/mayurifag.ru.git
cd mayurifag.ru
cp -rfp inventories/sample inventories/my-provision
# ... change my-provision ...
ansible-galaxy install -r requirements.yml

Production deployment

TL;DR

Maybe first you'll need to ssh and exec:

apt-get --allow-releaseinfo-change update
# or
do-release-upgrade
make deploy-prod
# or
make deploy-tag netdata # or other tag

Optional in-before steps

  • Remove old remote host identification
ssh-keygen -R mayurifag.ru ; ssh-keygen -R $(host mayurifag.ru | awk '/has address/ {print $4}')
  • Generate new ssh key and add it to your inventory vars file
ssh-keygen -t rsa -b 4096 -C "[email protected]" -f ~/Desktop/mayurifag.ru # rsa here, but you can use ed25519
xclip -sel clip < ~/Desktop/mayurifag.ru.pub
vi inventories/my-provision/group_vars/sample.yml # add key here in section
keepassxc # Make new ssh agent entry
  • Make new ssh config section. You need to change it after deploy.
vi ~/.ssh/config

# ~/.ssh/config
Host *
    Protocol 2
    ServerAliveInterval 120
    ServerAliveCountMax 2

[...]

Host mayurifag-prod
    HostName mayurifag.ru
    User root # Change user and port
    Port 22   # after deployment

Applications List

Name Default endpoint App. Port
3proxy socks5://mayurifag.local:1080 or 3128 1080/3128
Blocky [DNS] -> ip:53 53
Dockovpn http://dockovpn.mayurifag.local 1194/8080
Hemmelig http://secret.mayurifag.local 3000
mayurifag.github.io http://mayurifag.local 8005
Navidrome http://mus.mayurifag.local 80
Netdata http://netdata.mayurifag.local 19999
Nextcloud All-in-One http://nextcloud.mayurifag.local 11000
Portainer http://portainer.mayurifag.local 9000
Shadowsocks-rust https://ss.mayurifag.local/xray (uses TLS) 1080
Traefik Dashboard http://traefik.mayurifag.local 8080
Vaultwarden http://pw.mayurifag.local 80
Whattocommit http://commit.mayurifag.local 8080
Wireguard-Easy http://wg.mayurifag.local 58172

TODO

Work is not in progress

The work is not in progress now, because I am okay with current implementation, but still I think there are some things existing for further development if I'll need to deploy my services once again.

High priority

Medium priority

Low priority

Older implementation

There is branch old-implementation-with-mailserver without docker. I decided to re-write roles from scratch with all XP I got so far and include docker containers for better maintainability. But still there are some ideas I want to migrate into newer implementation.

Based on / inspired / helpful