Dustin 1a3f68e18b Merge remote-tracking branch 'refs/remotes/origin/master' 2025-08-23 22:43:00 -05:00
Dustin 1c1bff3ec0 r/nextcloud: Fix a bunch of deployment warnings
The Nextcloud administration overview page listed a bunch of deployment
configuration warnings that needed to be addressed:

* Set the default phone region
* Define a maintenance window starting at 0600 UTC
* Increase the PHP memory limit to 1GiB
* Increase the PHP OPCache interned strings buffer size
* Increase the allowed PHP OPcache memory limit
* Fix Apache rewrite rules for /.well-known paths
2025-08-23 22:39:44 -05:00
Dustin 6cd576dd2b dch-proxy: Proxy for Authelia
Authelia is now exposed to the public Internet, under the name
_auth.pyrocufflink.net_, which allows it to protect public websites as
well.
2025-08-23 22:29:28 -05:00
Dustin 70909d1b13 websites: Enable PROXY protocol for HTTPS sites
Since the reverse proxy does TLS pass-through instead of termination,
the original source address is lost.  Since the source address is
important for logging, rate limiting, and access control, we need to use
the HAProxy PROXY protocol to pass it along to the web server.

Since the PROXY protocol works at the TCP layer, _all_ connections must
use it. Fortunately, all of the sites hosted by the public web server
are in fact public and only accessed through HAProxy.  Similarly,
enabling it for one named virtual host enables it for all virtual hosts
on that port.  Thus, we only have to explicitly set it for one site, and
all the rest will use it as well.
2025-08-23 22:21:54 -05:00
Dustin 717a8f90c6 websites: Remove formsubmit
Nothing is using _formsubmit_ right now, but it's been moved to
Kubernetes anyway.
2025-08-23 20:44:41 -05:00
Dustin f8d58ef0ed websites/dcow: Transition to static site
We don't really use this site for screenshot sharing any more.  It's
cool to keep around to look at old screenshots, so I've saved a static
snapshot of it that can be hosted by plain ol' Apache.
2025-08-16 08:55:28 -05:00
11 changed files with 80 additions and 48 deletions


@ -54,7 +54,7 @@ dch_proxy_sites:
matcher: dom
- backend: kubernetes
match: ntfy.pyrocufflink.net
- backend: kubernetes
- backend: web
match: darkchestofwonders.us
- backend: kubernetes
match: invoiceninja.pyrocufflink.net
@ -62,6 +62,9 @@ dch_proxy_sites:
match: dynk8s-provisioner.pyrocufflink.net
- backend: kubernetes
match: metrics.pyrocufflink.blue
- backend: kubernetes
match: auth.pyrocufflink
matcher: dom
dch_proxy_backends:
bitwarden:
@ -136,4 +139,4 @@ dch_proxy_backends:
servers:
- name: web0
host: 'web0.pyrocufflink.blue:443'
options: check
options: check send-proxy
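Review bot: `options: check send-proxy` on the web0 server, the last line of the section, makes HAProxy prefix every connection to web0:443 with a PROXY header, and because that applies per listener rather than per site, every virtual host on web0:443 must accept it or the TLS handshake presumably fails on bytes that are not a ClientHello. The commit relies on the single `RemoteIPProxyProtocol On` in dustin.hatch.name to cover all of them; a comment next to this line, `# web0 expects the PROXY header on every :443 connection (RemoteIPProxyProtocol On on that listener)`, keeps that coupling visible when the backend list is next edited. In the second hunk, `match: auth.pyrocufflink` with `matcher: dom` is written without a TLD, which I read as a deliberate domain-suffix match; if only the public name is meant, `match: auth.pyrocufflink.net` is the narrower form.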


@ -36,6 +36,15 @@
group: apache
tags:
- config
- name: ensure php is configured for nextcloud
template:
src: php.ini.j2
dest: /etc/php.d/60-nextcloud.ini
mode: '0644'
notify:
- restart php-fpm
tags:
- php-config
- name: ensure php-fpm is configured for nextcloud
template:
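Review bot: The new `ensure php is configured for nextcloud` task carries only the `php-config` tag, while the neighbouring task above it is tagged `config`, so a run limited with `--tags config` would regenerate the other configuration but skip `/etc/php.d/60-nextcloud.ini`. If that separation is intended it deserves a comment; otherwise `tags: [config, php-config]` keeps the task in both sets. The task does quote `mode: '0644'` and notifies `restart php-fpm`, which an ini change under php.d generally needs before it takes effect. The task list continues outside the hunk.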


@ -47,6 +47,8 @@ $CONFIG = array (
'ldapIgnoreNamingRules' => false,
'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
'maintenance' => {{ nextcloud_maintenance|bool|string|lower }},
'maintenance_window_start' => 6,
'default_phone_region' => 'US',
'theme' => '',
'trashbin_retention_obligation' => 'auto, 30',
'loglevel' => 2,
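Review bot: `'maintenance_window_start' => 6` is a bare hour whose unit and timezone are recorded only in the commit message (06:00 UTC); a comment above the line, `// hour of day, in UTC, at which background maintenance jobs may start`, would keep it from being read as local time when the value is next tuned. `'default_phone_region' => 'US'` is likewise a constant baked into the template; if another host ever needs a different region, a role variable defaulting to `'US'` would fit the template's existing `nextcloud_maintenance` variable style. The `$CONFIG` array opens and closes outside the hunk.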


@ -19,6 +19,10 @@ Dav off
<IfModule mod_rewrite.c>
Options -MultiViews
RewriteRule ^\.well-known/carddav /remote.php/dav [R=301,L]
RewriteRule ^\.well-known/caldav /remote.php/dav [R=301,L]
RewriteRule ^\.well-known/webfinger /index.php/.well-known/webfinger [R=301,L]
RewriteRule ^\.well-known/nodeinfo /index.php/.well-known/nodeinfo [R=301,L]
RewriteRule ^core/js/oc.js$ index.php [PT,E=PATH_INFO:$1]
RewriteRule ^core/preview.png$ index.php [PT,E=PATH_INFO:$1]
RewriteCond %{REQUEST_FILENAME} !\.(css|js|mjs|svg|gif|png|html|ttf|woff2?|ico|jpg|jpeg|map|webm|mp4)$
@ -56,7 +60,3 @@ Require all granted
<Directory /var/lib/nextcloud/data/>
Require all granted
</Directory>
Redirect 301 /.well-known/carddav /remote.php/carddav
Redirect 301 /.well-known/caldav /remote.php/caldav
Redirect 301 /.well-known/webdav /remote.php/webdav
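Review bot: The replacement `.well-known` handling now sits inside `<IfModule mod_rewrite.c>`, so on a host where mod_rewrite is not loaded the CalDAV/CardDAV/webfinger discovery silently disappears, whereas the removed `Redirect 301` lines were unconditional mod_alias directives. Either drop the `<IfModule>` guard around these four rules or state the dependency with a comment such as `# mod_rewrite is required: these rules replace the former mod_alias Redirect lines for /.well-known`. The old `/.well-known/webdav` redirect has no counterpart among the new rules; if that is deliberate, a one-line comment saying so saves the next reader from re-adding it. The enclosing `<Directory>` and `<IfModule>` blocks open and close outside the hunk.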


@ -0,0 +1,4 @@
apc.enable_cli=1
memory_limit=1024M
opcache.interned_strings_buffer=100
opcache.memory_consumption=256
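Review bot: The new `php.ini.j2` contains no template expressions: `memory_limit=1024M`, `opcache.interned_strings_buffer=100` and `opcache.memory_consumption=256` are fixed, so a host with different RAM cannot tune them without editing the role. One role variable per setting, defaulting to these values (say `nextcloud_php_memory_limit` as a constructed example), would match the role's existing `nextcloud_maintenance` variable. `apc.enable_cli=1` is the one setting not explained by the commit message's list of warnings; a header comment such as `; PHP settings required by Nextcloud's admin overview checks` plus a line noting why APCu is enabled for the CLI would document the file. A file under `/etc/php.d/` is presumably read by the CLI interpreter as well, so these limits would also apply to `occ` runs — worth confirming that is intended.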


@ -423,7 +423,7 @@ slowlog = /var/log/php-fpm/www-slow.log
;php_flag[display_errors] = off
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
php_admin_value[memory_limit] = 512M
;php_admin_value[memory_limit] = 512M
; Set the following data paths to directories owned by the FPM process user.
;
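Review bot: Commenting out `php_admin_value[memory_limit] = 512M` leaves a dead line with no pointer to where the limit now comes from; a `php_admin_value` in the pool cannot be overridden from an ini file, so removing it is precisely what lets the new `/etc/php.d/60-nextcloud.ini` value apply, and that reasoning belongs in the file. I would replace the commented line with `; memory_limit is set in /etc/php.d/60-nextcloud.ini; a php_admin_value here would override that file`. The pool section begins outside the hunk.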


@ -1,9 +0,0 @@
dependencies:
- role: cert
vars:
cert_src: websites/darkchestofwonders.us.cer
cert_dest: /etc/pki/tls/certs/darkchestofwonders.us.cer
cert_key_src: websites/darkchestofwonders.us.key
cert_key_dest: /etc/pki/tls/private/darkchestofwonders.us.key
tags:
- websites/darkchestofwonders.us


@ -1,3 +1,49 @@
- name: ensure rsync is installed
package:
name: rsync
state: present
tags:
- install
- name: ensure app group exists
group:
name: webapp.dcow
state: present
- name: ensure app user exists
user:
name: webapp.dcow
group: webapp.dcow
home: /srv/www/darkchestofwonders.us
createhome: true
state: present
- name: ensure app home directory permissions are set
file:
path: /srv/www/darkchestofwonders.us
mode: u=rwx,go=rx
state: directory
- name: ensure app ssh home directory exists
file:
path: /srv/www/darkchestofwonders.us/.ssh
mode: '0700'
owner: webapp.dcow
group: webapp.dcow
setype: ssh_home_t
state: directory
- name: ensure publisher keys are trusted
authorized_key:
key: "{{ dcow_publisher_keys|join('\n') }}"
user: webapp.dcow
exclusive: true
- name: ensure authorized_keys file permissions are correct
file:
path: /srv/www/darkchestofwonders.us/.ssh/authorized_keys
mode: u=rw,go=
owner: webapp.dcow
group: webapp.dcow
setype: ssh_home_t
- name: ensure apache is configured to serve darkchestofwonders.us
template:
src=darkchestofwonders.us.httpd.conf.j2
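Review bot: The `ensure publisher keys are trusted` task installs `dcow_publisher_keys` with no key options, so each publisher key grants an unrestricted login as `webapp.dcow`, even though the preceding `ensure rsync is installed` task suggests the keys exist only to push the static snapshot. If that is their only use, `key_options: 'restrict'` on the `authorized_key` task (optionally with a `command=` option that confines the session to an rsync into the htdocs directory) limits what a leaked publisher key can do. Separately, `exclusive: true` together with `dcow_publisher_keys|join('\n')` means an empty list produces an empty key string rather than an empty key set, which presumably ends in a module error; `when: dcow_publisher_keys | length > 0` on the task, or an explicit early failure, makes that case deliberate. The task list continues outside the hunk.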


@ -1,9 +1,5 @@
WSGIDaemonProcess dcow \
user=webapp.dcow \
group=webapp.dcow \
python-home=/srv/www/darkchestofwonders.us/venv \
lang=en_US.UTF-8 \
display-name=%{GROUP}
# vim: set ft=apache :
MDomain darkchestofwonders.us
<VirtualHost _default_:80>
ServerName darkchestofwonders.us
@ -16,34 +12,13 @@ RewriteRule (.*) https://%{SERVER_NAME}$1 [R=301,L]
ServerName darkchestofwonders.us
Include conf.d/ssl.include
SSLCertificateKeyFile /etc/pki/tls/private/darkchestofwonders.us.key
SSLCertificateFile /etc/pki/tls/certs/darkchestofwonders.us.cer
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</IfModule>
ProxyRequests off
ProxyPass / http://k8s-ingress.pyrocufflink.blue/
ProxyPassReverse / http://k8s-ingress.pyrocufflink.blue/
ProxyPreserveHost on
<Location />
DocumentRoot /srv/www/darkchestofwonders.us/htdocs
<Directory /srv/www/darkchestofwonders.us/htdocs>
Require all granted
</Location>
<Location /upload>
<IfModule auth_gssapi_module>
AuthType GSSAPI
AuthName "{{ krb5_realm|lower }} Domain Authentication"
#KrbServiceName HTTP/{{ ansible_fqdn }}@{{ krb5_realm }}
GssapiCredStore keytab:/etc/httpd/httpd.keytab
GssapiBasicAuth On
Require valid-user
</IfModule>
<IfModule !auth_kerb_module>
Require all denied
</IfModule>
</Location>
</Directory>
</VirtualHost>
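Review bot: The new `<Directory /srv/www/darkchestofwonders.us/htdocs>` block sets only `Require all granted`, so `Options` and `AllowOverride` fall back to whatever the server-wide configuration provides; if that includes `Indexes`, every snapshot directory without an index file becomes browsable, and if `AllowOverride` is open, a `.htaccess` written by the rsync publisher can alter the vhost's behaviour. For a static archive I would pin both inside the block: `Options -Indexes -ExecCGI` and `AllowOverride None`. `MDomain darkchestofwonders.us` replaces the removed `SSLCertificateFile`/`SSLCertificateKeyFile` lines, consistent with the deleted cert role dependency, so a comment on the `MDomain` line noting that mod_md now owns this site's certificate would explain why no cert paths appear. The VirtualHost containing this block opens outside the hunk.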


@ -11,6 +11,8 @@ RewriteRule (.*) https://%{SERVER_NAME}$1 [R=301,L]
<VirtualHost _default_:443>
ServerName dustin.hatch.name
RemoteIPProxyProtocol On
Include conf.d/ssl.include
<IfModule mod_headers.c>
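Review bot: `RemoteIPProxyProtocol On` makes httpd trust a PROXY header on every connection to this listener, and because the directive is per listener it covers every virtual host on :443, as the commit message explains; that rationale is invisible in the file, so the line deserves a comment such as `# PROXY protocol is per listener: this one directive enables it for every vhost on :443 (HAProxy sends it via send-proxy)`. That trust is only sound while HAProxy is the sole client of web0:443 — a client reaching the port directly could present a PROXY header carrying a source address of its choosing, which then feeds the logging, rate limiting and access control the commit message says depend on it — so the host firewall or listener binding should limit :443 to the proxy's address. Leaving the directive outside any `<IfModule mod_remoteip.c>` guard is the right choice here: if the module were missing, httpd would refuse to start rather than silently accept connections whose first bytes it cannot parse. This VirtualHost block continues outside the hunk.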


@ -6,8 +6,6 @@
- role: mod_md
tags:
- mod_md
- role: formsubmit
tags: formsubmit
- role: websites/pyrocufflink.net
tags: websites/pyrocufflink.net
- role: websites/dustin.hatch.name
@ -16,6 +14,8 @@
tags: websites/ebonfire.com
- role: websites/nratonpass.com
tags: websites/nratonpass.com
- role: websites/darkchestofwonders.us
tags: websites/darkchestofwonders.us
- role: websites/chmod777.sh
tags: websites/chmod777.sh
- role: websites/apps.du5t1n.xyz