From cfecd0afd87a110d2bffe98138e9b5c6e19fdc7f Mon Sep 17 00:00:00 2001 
From: Lino Silva Date: Mon, 20 Mar 2023 14:56:20 +0000 Subject: [PATCH] feat: Add swag container --- inventory/my-cluster/group_vars/all.yml | 11 ++ inventory/my-cluster/host_vars/swag | 5 + inventory/my-cluster/hosts.ini | 23 ++-- playbook-swag.yml | 19 +++ roles/swag/install-app/tasks/main.yml | 57 +++++++++ .../templates/authelia.subdomain.conf | 39 ++++++ .../templates/bazarr.subdomain.conf | 56 +++++++++ .../templates/changedetection.subdomain.conf | 46 +++++++ .../templates/cloud.subdomain.conf | 38 ++++++ .../swag/install-app/templates/cloudflare.ini | 2 + .../templates/dashboard.subdomain.conf | 112 ++++++++++++++++++ .../install-app/templates/docker-compose.yml | 32 +++++ .../templates/frigate.subdomain.conf | 42 +++++++ .../templates/gitea.subdomain.conf | 51 ++++++++ .../templates/homeassistant.subdomain.conf | 64 ++++++++++ .../templates/immich.subdomain.conf | 42 +++++++ .../templates/lidarr.subdomain.conf | 56 +++++++++ .../templates/mealie.subdomain.conf | 45 +++++++ .../templates/metube.subdomain.conf | 46 +++++++ .../templates/minio.subdomain.conf | 42 +++++++ .../templates/overseerr.subdomain.conf | 56 +++++++++ .../templates/paperless.subdomain.conf | 45 +++++++ .../install-app/templates/plex.subdomain.conf | 64 ++++++++++ .../templates/portainer.subdomain.conf | 58 +++++++++ .../templates/prowlarr.subdomain.conf | 54 +++++++++ .../templates/proxmox-backups.subdomain.conf | 42 +++++++ .../templates/proxmox.subdomain.conf | 42 +++++++ .../templates/radarr.subdomain.conf | 56 +++++++++ .../templates/sonarr.subdomain.conf | 56 +++++++++ .../templates/transmission.subdomain.conf | 66 +++++++++++ .../templates/vaultwarden.subdomain.conf | 100 ++++++++++++++++ roles/swag/install-docker/tasks/main.yml | 31 +++++ roles/swag/provision/create/tasks/main.yml | 28 +++++ roles/swag/provision/delete/tasks/main.yml | 26 ++++ .../swag/provision/enable-ssh/tasks/main.yml | 8 ++ roles/swag/provision/start/tasks/main.yml | 8 ++ roles/swag/update/tasks/main.yml | 6 
+ 37 files changed, 1564 insertions(+), 10 deletions(-) create mode 100644 inventory/my-cluster/host_vars/swag create mode 100644 playbook-swag.yml create mode 100644 roles/swag/install-app/tasks/main.yml create mode 100644 roles/swag/install-app/templates/authelia.subdomain.conf create mode 100644 roles/swag/install-app/templates/bazarr.subdomain.conf create mode 100644 roles/swag/install-app/templates/changedetection.subdomain.conf create mode 100644 roles/swag/install-app/templates/cloud.subdomain.conf create mode 100644 roles/swag/install-app/templates/cloudflare.ini create mode 100644 roles/swag/install-app/templates/dashboard.subdomain.conf create mode 100644 roles/swag/install-app/templates/docker-compose.yml create mode 100755 roles/swag/install-app/templates/frigate.subdomain.conf create mode 100644 roles/swag/install-app/templates/gitea.subdomain.conf create mode 100644 roles/swag/install-app/templates/homeassistant.subdomain.conf create mode 100755 roles/swag/install-app/templates/immich.subdomain.conf create mode 100644 roles/swag/install-app/templates/lidarr.subdomain.conf create mode 100644 roles/swag/install-app/templates/mealie.subdomain.conf create mode 100644 roles/swag/install-app/templates/metube.subdomain.conf create mode 100755 roles/swag/install-app/templates/minio.subdomain.conf create mode 100644 roles/swag/install-app/templates/overseerr.subdomain.conf create mode 100644 roles/swag/install-app/templates/paperless.subdomain.conf create mode 100644 roles/swag/install-app/templates/plex.subdomain.conf create mode 100644 roles/swag/install-app/templates/portainer.subdomain.conf create mode 100644 roles/swag/install-app/templates/prowlarr.subdomain.conf create mode 100755 roles/swag/install-app/templates/proxmox-backups.subdomain.conf create mode 100755 roles/swag/install-app/templates/proxmox.subdomain.conf create mode 100644 roles/swag/install-app/templates/radarr.subdomain.conf create mode 100644 
roles/swag/install-app/templates/sonarr.subdomain.conf
create mode 100644 roles/swag/install-app/templates/transmission.subdomain.conf
create mode 100644 roles/swag/install-app/templates/vaultwarden.subdomain.conf
create mode 100644 roles/swag/install-docker/tasks/main.yml
create mode 100644 roles/swag/provision/create/tasks/main.yml
create mode 100644 roles/swag/provision/delete/tasks/main.yml
create mode 100644 roles/swag/provision/enable-ssh/tasks/main.yml
create mode 100644 roles/swag/provision/start/tasks/main.yml
create mode 100644 roles/swag/update/tasks/main.yml
diff --git a/inventory/my-cluster/group_vars/all.yml b/inventory/my-cluster/group_vars/all.yml
index b14bba8..4da05b3 100644
--- a/inventory/my-cluster/group_vars/all.yml
+++ b/inventory/my-cluster/group_vars/all.yml
@@ -81,3 +81,14 @@ cloudflare_api_key: !vault |
 6631393564333230370a303634643030346166383235643666356164393232643832333238313664
 38346161306138653735303861646638653830633938326566663136393862643264353437623963
 3462616435653132623563316231343739333761653365333437
+
+dns_cloudflare_api_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 61306235353261303235646331356666643339393164333762303730646563646633626466306436
+ 6565303031366262303161323536323236613861373536330a346564306238633461363765623030
+ 33343566363163623532386463616431313865316563616162336633353162316134363266363263
+ 6331353838343662380a303565643337653164613637323131363037613861306535326538333030
+ 64313165343933343535623731393536396332613336316239363764653565346535666531656433
+ 6131646439656638323561643264613834356662363332323835
+
+dns_cloudflare_email: cloudflare@lino.cooking
\ No newline at end of file
diff --git a/inventory/my-cluster/host_vars/swag b/inventory/my-cluster/host_vars/swag
new file mode 100644
index 0000000..e2bd184
--- /dev/null
+++ b/inventory/my-cluster/host_vars/swag
@@ -0,0 +1,5 @@
+---
+
+ansible_user: root
+ansible_host: 10.0.2.15
+ansible_ssh_pass: "{{ proxmox_api_password }}"
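Review bot: A second vaulted Cloudflare secret, `dns_cloudflare_api_key`, is introduced right under the existing `cloudflare_api_key` visible in the hunk context, so the account now has two copies of (presumably) the same credential to rotate. If they are the same key, alias one to the other (`dns_cloudflare_api_key: "{{ cloudflare_api_key }}"`) instead of vaulting it twice; if they differ, a one-line comment saying which Cloudflare scope each one carries would help the next person rotating them. The file also ends with `\ No newline at end of file`; add the trailing newline so the next append does not produce a noisy diff.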
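Review bot: `ansible_ssh_pass: "{{ proxmox_api_password }}"` reuses the Proxmox API password as the root SSH password of the swag container, so anyone who compromises root-over-password SSH on 10.0.2.15 also holds the hypervisor API credential. Provision the container with an SSH public key and drop the password entirely (`ansible_ssh_private_key_file: ~/.ssh/swag_ed25519`), or at minimum give the container its own vaulted secret. Whether the `swag/provision/enable-ssh` role enables root password login is outside this hunk, but the inventory as written depends on it.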
diff --git a/inventory/my-cluster/hosts.ini b/inventory/my-cluster/hosts.ini index 14006a7..07410ab 100644 --- a/inventory/my-cluster/hosts.ini +++ b/inventory/my-cluster/hosts.ini @@ -1,3 +1,5 @@ +frigate + [master] mipha epona @@ -5,17 +7,14 @@ yuga [node] revali -daruk -tingle -impa +; daruk +; tingle +; impa [k3s_cluster:children] master node -[lxc] -frigate - [lxc:children] k3s_cluster @@ -23,7 +22,7 @@ k3s_cluster mipha epona revali -daruk +; daruk yuga [pihole] @@ -31,6 +30,10 @@ epona-pihole revali-pihole urbosa-pihole -[raspi] -tingle -impa +; [raspi] +; tingle +; impa + +[ingress] +swag +authelia diff --git a/playbook-swag.yml b/playbook-swag.yml new file mode 100644 index 0000000..d21fed7 --- /dev/null +++ b/playbook-swag.yml @@ -0,0 +1,19 @@ +--- +- hosts: localhost + become: yes + roles: + - role: swag/provision/delete + - role: swag/provision/create + - role: swag/provision/start + +- hosts: mipha + become: yes + roles: + - role: swag/provision/enable-ssh + +- hosts: swag + become: yes + roles: + - role: swag/update + - role: swag/install-docker + - role: swag/install-app diff --git a/roles/swag/install-app/tasks/main.yml b/roles/swag/install-app/tasks/main.yml new file mode 100644 index 0000000..9ea3804 --- /dev/null +++ b/roles/swag/install-app/tasks/main.yml 
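Review bot: `become: yes` on all three plays is a YAML 1.1 truthy value; yamllint's `truthy` rule and Ansible's own style guidance want `become: true`. The first play also runs `swag/provision/delete` before `swag/provision/create` on every invocation, which, if the roles do what their names suggest, destroys and recreates the container on every routine run of the playbook; guarding the delete with something like `when: swag_recreate | default(false)` would make a config-only change safe. The role bodies are not in this hunk, so the teardown behaviour is inferred from the role names.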
@@ -0,0 +1,57 @@
+---
+- name: Create directory for docker-compose
+ ansible.builtin.file:
+ path: /root/docker/swag/
+ state: directory
+ mode: "0755"
+
+- name: Copy docker-compose file
+ template:
+ src: "docker-compose.yml"
+ dest: /root/docker/swag/docker-compose.yml
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Run docker-compose
+ ansible.builtin.shell:
+ args:
+ cmd: docker compose up -d
+ chdir: /root/docker/swag/
+
+- name: Wait for config folder to be created
+ wait_for:
+ path: "/data/config/dns-conf/"
+ delay: 10
+ timeout: 30
+ state: present
+
+- name: Copy cloudflare.ini
+ template:
+ src: "cloudflare.ini"
+ dest: /data/config/dns-conf/cloudflare.ini
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Copy proxy confs
+ copy:
+ src: "{{ item }}"
+ dest: /data/config/nginx/proxy-confs/
+ owner: root
+ group: root
+ mode: 0755
+ with_fileglob:
+ - "templates/*.conf"
+
+- name: Stop swag
+ ansible.builtin.shell:
+ args:
+ cmd: docker compose down
+ chdir: /root/docker/swag/
+
+- name: Start swag
+ ansible.builtin.shell:
+ args:
+ cmd: docker compose up -d
+ chdir: /root/docker/swag/
diff --git a/roles/swag/install-app/templates/authelia.subdomain.conf b/roles/swag/install-app/templates/authelia.subdomain.conf
new file mode 100644
index 0000000..5aa1209
--- /dev/null
+++ b/roles/swag/install-app/templates/authelia.subdomain.conf
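Review bot: `cloudflare.ini`, which renders the vaulted Cloudflare API key in plaintext, is written with `mode: 0755`, i.e. world-readable and executable, into `/data/config/dns-conf/` that is bind-mounted into the container; certbot itself warns about unsafe permissions on this file. Use `mode: "0600"` for it, `"0644"` for docker-compose.yml and the proxy confs, and quote every mode so the values are not parsed as octal integers (`0755` is written unquoted in three tasks, quoted in one). The three `docker compose` shell tasks also report changed on every run; `changed_when: false` (or the `community.docker.docker_compose_v2` module) would keep the play idempotent. Note that the confs are shipped with `copy` rather than `template`, so any `{{ }}` placed in `templates/*.conf` would reach nginx unrendered.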
@@ -0,0 +1,39 @@
+## Version 2023/02/12
+# make sure that your authelia container is named authelia
+# make sure that your dns has a cname set for authelia
+# the default authelia-server and authelia-location confs included with swag rely on
+# a built-in subfolder proxy at "/authelia" and enabling this proxy conf is not necessary.
+# But if you'd like to use authelia via subdomain, you can enable this proxy and set
+# the $authelia_backed variable in the authelia-server.conf.
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name authelia.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ location / {
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app authelia;
+ set $upstream_port 9091;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+
+ location ~ (/authelia)?/api {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app authelia;
+ set $upstream_port 9091;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+}
diff --git a/roles/swag/install-app/templates/bazarr.subdomain.conf b/roles/swag/install-app/templates/bazarr.subdomain.conf
new file mode 100644
index 0000000..0c58a46
--- /dev/null
+++ b/roles/swag/install-app/templates/bazarr.subdomain.conf
@@ -0,0 +1,56 @@
+## Version 2023/02/05
+# make sure that your bazarr container is named bazarr
+# make sure that your dns has a cname set for bazarr
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name bazarr.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app bazarr;
+ set $upstream_port 6767;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+
+ location ~ (/bazarr)?/api {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app bazarr;
+ set $upstream_port 6767;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+}
diff --git a/roles/swag/install-app/templates/changedetection.subdomain.conf b/roles/swag/install-app/templates/changedetection.subdomain.conf
new file mode 100644
index 0000000..bed436f
--- /dev/null
+++ b/roles/swag/install-app/templates/changedetection.subdomain.conf
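Review bot: `location ~ (/bazarr)?/api` is an unanchored regex, so any URI that merely contains `/api` somewhere in its path is routed to Bazarr without the Authelia check that `location /` applies. Anchor it as `location ~ ^(/bazarr)?/api` so only the real API prefix bypasses SSO; the same unanchored pattern is repeated in the other *arr confs in this commit. On that path Bazarr's own API-key check is presumably the only protection, so it is worth confirming it is enforced in Bazarr.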
@@ -0,0 +1,46 @@
+## Version 2023/02/05
+# make sure that your changedetection container is named changedetection
+# make sure that your dns has a cname set for changedetection
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name changedetection.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app changedetection;
+ set $upstream_port 5000;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+}
diff --git a/roles/swag/install-app/templates/cloud.subdomain.conf b/roles/swag/install-app/templates/cloud.subdomain.conf
new file mode 100644
index 0000000..2ed7861
--- /dev/null
+++ b/roles/swag/install-app/templates/cloud.subdomain.conf
@@ -0,0 +1,38 @@
+## Version 2023/02/05
+# make sure that your nextcloud container is named nextcloud
+# make sure that your dns has a cname set for nextcloud
+# assuming this container is called "swag", edit your nextcloud container's config
+# located at /config/www/nextcloud/config/config.php and add the following lines before the ");":
+# 'trusted_proxies' => ['swag'],
+# 'overwrite.cli.url' => 'https://nextcloud.example.com/',
+# 'overwritehost' => 'nextcloud.example.com',
+# 'overwriteprotocol' => 'https',
+#
+# Also don't forget to add your domain name to the trusted domains array. It should look somewhat like this:
+# array (
+# 0 => '192.168.0.1:444', # This line may look different on your setup, don't modify it.
+# 1 => 'nextcloud.example.com',
+# ),
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name cloud.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ location / {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app nextcloud;
+ set $upstream_port 80;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ proxy_hide_header X-Frame-Options;
+ proxy_max_temp_file_size 2048m;
+ }
+}
diff --git a/roles/swag/install-app/templates/cloudflare.ini b/roles/swag/install-app/templates/cloudflare.ini
new file mode 100644
index 0000000..ac39662
--- /dev/null
+++ b/roles/swag/install-app/templates/cloudflare.ini
@@ -0,0 +1,2 @@
+dns_cloudflare_email = {{ dns_cloudflare_email }}
+dns_cloudflare_api_key = {{ dns_cloudflare_api_key }}
\ No newline at end of file
diff --git a/roles/swag/install-app/templates/dashboard.subdomain.conf b/roles/swag/install-app/templates/dashboard.subdomain.conf
new file mode 100644
index 0000000..0f25211
--- /dev/null
+++ b/roles/swag/install-app/templates/dashboard.subdomain.conf
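Review bot: The `dns_cloudflare_email` + `dns_cloudflare_api_key` pair selects the Cloudflare Global API Key in certbot's Cloudflare plugin, a credential with full control over the entire account, while certificate issuance only needs DNS edit rights on one zone. Prefer a scoped API token (Zone:DNS:Edit), which reduces the file to the single line `dns_cloudflare_api_token = {{ dns_cloudflare_api_token }}` and limits the blast radius if `/data/config/dns-conf/` is ever read. The hunk also ends with `\ No newline at end of file`; add the trailing newline.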
@@ -0,0 +1,112 @@
+## Version 2022/03/19
+# Make sure that your dns has a cname set for dashboard
+
+server {
+ listen 81;
+
+ server_name _;
+
+ root /dashboard/www;
+ index index.php;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth, fill in ldap details in ldap.conf
+ #include /config/nginx/ldap.conf;
+
+ # enable for Authelia
+ include /config/nginx/authelia-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable the next two lines for ldap auth
+ #auth_request /auth;
+ #error_page 401 =200 /ldaplogin;
+
+ # enable for Authelia
+ include /config/nginx/authelia-location.conf;
+
+ allow 10.0.0.0/8;
+ allow 172.16.0.0/12;
+ allow 192.168.0.0/16;
+ deny all;
+
+ try_files $uri $uri/ /index.php?$args =404;
+ }
+ location ~ \.php$ {
+ allow 10.0.0.0/8;
+ allow 172.16.0.0/12;
+ allow 192.168.0.0/16;
+ deny all;
+
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+ include /etc/nginx/fastcgi_params;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name dashboard.*;
+
+ root /dashboard/www;
+ index index.php;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth, fill in ldap details in ldap.conf
+ #include /config/nginx/ldap.conf;
+
+ # enable for Authelia
+ include /config/nginx/authelia-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable the next two lines for ldap auth
+ #auth_request /auth;
+ #error_page 401 =200 /ldaplogin;
+
+ # enable for Authelia
+ include /config/nginx/authelia-location.conf;
+
+ allow 10.0.0.0/8;
+ allow 172.16.0.0/12;
+ allow 192.168.0.0/16;
+ deny all;
+
+ try_files $uri $uri/ /index.php?$args =404;
+ }
+ location ~ \.php$ {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable the next two lines for ldap auth
+ #auth_request /auth;
+ #error_page 401 =200 /ldaplogin;
+
+ # enable for Authelia
+ include /config/nginx/authelia-location.conf;
+
+ allow 10.0.0.0/8;
+ allow 172.16.0.0/12;
+ allow 192.168.0.0/16;
+ deny all;
+
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+ include /etc/nginx/fastcgi_params;
+ }
+}
diff --git a/roles/swag/install-app/templates/docker-compose.yml b/roles/swag/install-app/templates/docker-compose.yml
new file mode 100644
index 0000000..dc12dc6
--- /dev/null
+++ b/roles/swag/install-app/templates/docker-compose.yml
@@ -0,0 +1,32 @@
+version: "3.1"
+services:
+ swag:
+ image: ghcr.io/linuxserver/swag
+ container_name: swag
+ cap_add:
+ - NET_ADMIN
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Lisbon
+ - URL=lino.cooking
+ - SUBDOMAINS=wildcard
+ - VALIDATION=dns
+ - DNSPLUGIN=cloudflare
+ - CERTPROVIDER=letsencrypt
+ - EMAIL=okulto+swag@gmail.com
+ - ONLY_SUBDOMAINS=false
+ - MAXMINDDB_LICENSE_KEY=5sfHzlxz9pXsvrlz
+ - DOCKER_MODS=linuxserver/mods:swag-dashboard
+ volumes:
+ - /data/config:/config
+ ports:
+ - 443:443
+ - 80:80
+ restart: unless-stopped
+ networks:
+ - reverse-proxy
+
+networks:
+ reverse-proxy:
+ external: true
\ No newline at end of file
diff --git a/roles/swag/install-app/templates/frigate.subdomain.conf b/roles/swag/install-app/templates/frigate.subdomain.conf
new file mode 100755
index 0000000..88578b1
--- /dev/null
+++ b/roles/swag/install-app/templates/frigate.subdomain.conf
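Review bot: In the `listen 81` server block the `location ~ \.php$` has no `include /config/nginx/authelia-location.conf;`, whereas the same location in the `listen 443 ssl` server does, so PHP requests arriving on port 81 are gated only by the private-range `allow`/`deny` list. Port 81 is not published in the docker-compose.yml of this commit, which limits exposure to the container network, but for consistency add the same include to that location block. Note that the `allow` list is evaluated against `$remote_addr`; if requests ever reach this vhost through another proxy, it is the proxy's address that gets checked, not the client's.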
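Review bot: `MAXMINDDB_LICENSE_KEY=5sfHzlxz9pXsvrlz` is a live credential committed in cleartext, while the Cloudflare key in the same commit is vaulted; move it to a vaulted variable (`- MAXMINDDB_LICENSE_KEY={{ maxminddb_license_key }}` works because the file is already deployed with `template`) and rotate the key, since it remains in git history. `image: ghcr.io/linuxserver/swag` and `DOCKER_MODS=linuxserver/mods:swag-dashboard` are unpinned, so every `docker compose up` may pull a different build of the ingress for the whole cluster; pin a tag or digest. Quoting the port mappings (`"443:443"`, `"80:80"`) and dropping the obsolete `version: "3.1"` key are minor style points.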
@@ -0,0 +1,42 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name frigate.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app 10.0.2.14;
+ set $upstream_port 5000;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+}
diff --git a/roles/swag/install-app/templates/gitea.subdomain.conf b/roles/swag/install-app/templates/gitea.subdomain.conf
new file mode 100644
index 0000000..9a783c4
--- /dev/null
+++ b/roles/swag/install-app/templates/gitea.subdomain.conf
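Review bot: `set $upstream_app 10.0.2.14;` hard-codes the Frigate host's address in a file under `templates/`, but the install task ships these confs with `copy`, so a Jinja expression could not be used here even though `frigate` is a host in the inventory. Either install the confs with `template` and reference the inventory (`set $upstream_app {{ hostvars['frigate'].ansible_host }};`, if that host_var is defined), or move the non-templated confs out of `templates/` so the intent is explicit. The file is also created as `100755` and lacks the `## Version` header the vendored confs carry; `100644` is enough for an nginx include.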
@@ -0,0 +1,51 @@
+## Version 2023/02/05
+# make sure that your gitea container is named gitea
+# make sure that your dns has a cname set for gitea
+# edit the following parameters in /data/gitea/conf/app.ini
+# [server]
+# SSH_DOMAIN = gitea.server.com
+# ROOT_URL = https://gitea.server.com/
+# DOMAIN = gitea.server.com
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name gitea.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app gitea;
+ set $upstream_port 3000;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+}
diff --git a/roles/swag/install-app/templates/homeassistant.subdomain.conf b/roles/swag/install-app/templates/homeassistant.subdomain.conf
new file mode 100644
index 0000000..5fc4ad5
--- /dev/null
+++ b/roles/swag/install-app/templates/homeassistant.subdomain.conf
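Review bot: With Authelia enforced on `location /`, non-browser Git clients (`git clone`/`git push` over HTTPS, and the Gitea API used by CI, package registries or mirrors) receive Authelia's login redirect instead of a 401 and cannot complete the SSO flow, so they fail against this vhost. Unless the Authelia access-control rules already bypass those paths, add a location for the repository and API prefixes that proxies to Gitea without `authelia-location.conf`, leaving Gitea's own token/basic authentication to protect it; the block below is a starting point and the path regex should be tightened to the repos you actually expose.

```nginx
    # ... unchanged: location / with authelia-location.conf ...

    # git-over-HTTPS and the REST API cannot follow the Authelia redirect;
    # Gitea authenticates these itself (tokens / basic auth).
    location ~ ^/([^/]+/[^/]+\.git|api/v1)/ {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app gitea;
        set $upstream_port 3000;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
```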
@@ -0,0 +1,64 @@
+## Version 2023/02/05
+# make sure that your homeassistant container is named homeassistant
+# make sure that your dns has a cname set for homeassistant
+
+# As of homeassistant 2021.7.0, it is now required to define the network range your proxy resides in, this is done in Homeassitants configuration.yaml
+# https://www.home-assistant.io/integrations/http/#trusted_proxies
+# Example below uses the default dockernetwork ranges, you may need to update this if you dont use defaults.
+#
+# http:
+# use_x_forwarded_for: true
+# trusted_proxies:
+# - 172.16.0.0/12
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name homeassistant.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ #include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ #include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app 10.0.2.100;
+ set $upstream_port 8123;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+
+ location ~ ^/(api|local|media)/ {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app 10.0.2.100;
+ set $upstream_port 8123;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+ }
+}
diff --git a/roles/swag/install-app/templates/immich.subdomain.conf b/roles/swag/install-app/templates/immich.subdomain.conf
new file mode 100755
index 0000000..6dd1c9d
--- /dev/null
+++ b/roles/swag/install-app/templates/immich.subdomain.conf
@@ -0,0 +1,42 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name immich.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ #include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ #include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app immich_proxy;
+ set $upstream_port 8080;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+}
diff --git a/roles/swag/install-app/templates/lidarr.subdomain.conf b/roles/swag/install-app/templates/lidarr.subdomain.conf
new file mode 100644
index 0000000..3f94970
--- /dev/null
+++ b/roles/swag/install-app/templates/lidarr.subdomain.conf
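Review bot: The header's `trusted_proxies: - 172.16.0.0/12` example will not match this deployment: the upstream is `10.0.2.100` on the LAN, and traffic from the swag container leaves the docker bridge NAT'd to the swag host (`10.0.2.15` per the inventory in this commit), so Home Assistant must list that address (or `10.0.2.0/24`) under `trusted_proxies` or it answers 400 to every proxied request. Update the comment to the real value so the next person does not copy the docker default. Leaving Authelia disabled here is reasonable, since as far as I know the Home Assistant companion app cannot complete the SSO redirect, but a one-line comment stating that it is intentional would help.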
@@ -0,0 +1,56 @@
+## Version 2023/02/05
+# make sure that your lidarr container is named lidarr
+# make sure that your dns has a cname set for lidarr
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name lidarr.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app lidarr;
+ set $upstream_port 8686;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+
+ location ~ (/lidarr)?/api {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app lidarr;
+ set $upstream_port 8686;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+}
diff --git a/roles/swag/install-app/templates/mealie.subdomain.conf b/roles/swag/install-app/templates/mealie.subdomain.conf
new file mode 100644
index 0000000..f3ff14f
--- /dev/null
+++ b/roles/swag/install-app/templates/mealie.subdomain.conf
@@ -0,0 +1,45 @@
+## Version 2023/02/05
+# Ensure your DNS has a CNAME set for mealie and that mealie container is named.
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name recipes.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ #include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ #include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app mealie;
+ set $upstream_port 80;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+}
diff --git a/roles/swag/install-app/templates/metube.subdomain.conf b/roles/swag/install-app/templates/metube.subdomain.conf
new file mode 100644
index 0000000..515223b
--- /dev/null
+++ b/roles/swag/install-app/templates/metube.subdomain.conf
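Review bot: The header tells the operator to create a DNS CNAME for `mealie`, but `server_name recipes.*;` means this vhost only answers on `recipes.<domain>`, so a CNAME named `mealie` would never reach it. Change the comment to `# make sure that your dns has a cname set for recipes (this vhost answers on recipes.*, not mealie.*)`. Authelia is left commented out here, leaving Mealie's built-in login as the only gate; that is defensible, but a one-line comment saying it is intentional would stop someone "fixing" it to match the other confs.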
@@ -0,0 +1,46 @@
+## Version 2023/02/05
+# make sure that your metube container is named metube
+# make sure that your dns has a cname set for metube
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name yt.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ #include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ #include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app metube;
+ set $upstream_port 8081;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+}
diff --git a/roles/swag/install-app/templates/minio.subdomain.conf b/roles/swag/install-app/templates/minio.subdomain.conf
new file mode 100755
index 0000000..36e7c03
--- /dev/null
+++ b/roles/swag/install-app/templates/minio.subdomain.conf
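Review bot: Every auth include in this vhost is commented out, so `yt.*` publishes MeTube to the Internet with nothing in front of it, and as far as I know MeTube ships no login of its own — anyone who discovers the hostname can queue arbitrary yt-dlp downloads onto the server's disk. Enable the two Authelia lines as the other confs in this commit do (`include /config/nginx/authelia-server.conf;` in the server block and `include /config/nginx/authelia-location.conf;` in `location /`), or at least restrict the location with the same `allow`/`deny` private ranges the dashboard conf uses. The server_name here is `yt.*` while the header still says to create a CNAME for `metube`; align the comment with the actual hostname.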
@@ -0,0 +1,42 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name minio.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app minio;
+ set $upstream_port 80;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+}
diff --git a/roles/swag/install-app/templates/overseerr.subdomain.conf b/roles/swag/install-app/templates/overseerr.subdomain.conf
new file mode 100644
index 0000000..8849e3e
--- /dev/null
+++ b/roles/swag/install-app/templates/overseerr.subdomain.conf
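Review bot: Authelia is enforced on `location /`, which for MinIO also covers the S3 API; S3 clients (`mc`, SDKs, presigned URLs) authenticate with request signatures and cannot follow Authelia's login redirect, so they will fail against this vhost. If only the web console is meant to be reachable through `minio.*` that is fine, and worth a comment saying so; otherwise give the API its own vhost or location without `authelia-location.conf`, protected by MinIO's own access keys. `set $upstream_port 80;` differs from MinIO's usual 9000/9001 split, so presumably the container is configured that way — a comment noting which endpoint (console or API) port 80 serves would help.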
@@ -0,0 +1,56 @@
+## Version 2023/02/12
+# make sure that your overseerr container is named overseerr
+# make sure that your dns has a cname set for overseerr
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name overseerr.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app overseerr;
+ set $upstream_port 5055;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+
+ location ~ (/overseerr)?/api {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app overseerr;
+ set $upstream_port 5055;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+}
diff --git a/roles/swag/install-app/templates/paperless.subdomain.conf b/roles/swag/install-app/templates/paperless.subdomain.conf
new file mode 100644
index 0000000..fe62997
--- /dev/null
+++ b/roles/swag/install-app/templates/paperless.subdomain.conf
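Review bot: The `location ~ (/overseerr)?/api` block carries none of the Authelia includes that the `/` location enables, so API paths bypass the SSO layer; the same pattern is in the portainer, prowlarr, radarr and sonarr (`/api`) and transmission (`/rpc`) hunks. This follows the upstream SWAG templates, where those paths are meant to be guarded by the application's own API key, but nothing in the file records that. A one-line comment at the top of each such location, `# no SSO on /api: guarded by the app's own API key (needed for API clients)`, keeps the exemption from being read as an oversight.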
@@ -0,0 +1,45 @@
+## Version 2023/02/05
+# Ensure your DNS has a CNAME set for mealie and that mealie container is named.
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name paperless.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app paperless-app;
+ set $upstream_port 8000;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+}
diff --git a/roles/swag/install-app/templates/plex.subdomain.conf b/roles/swag/install-app/templates/plex.subdomain.conf
new file mode 100644
index 0000000..a975e43
--- /dev/null
+++ b/roles/swag/install-app/templates/plex.subdomain.conf
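Review bot: The header comment `# Ensure your DNS has a CNAME set for mealie and that mealie container is named.` was copied from the mealie template; this file serves paperless, and the upstream container is `paperless-app` (see `set $upstream_app paperless-app;`). Replace it with `# make sure that your paperless container is named paperless-app` and `# make sure that your dns has a cname set for paperless`, matching the wording of the other templates in this commit.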
@@ -0,0 +1,64 @@
+## Version 2023/02/05
+# make sure that your plex container is named plex
+# make sure that your dns has a cname set for plex
+# if plex is running in bridge mode and the container is named "plex", the below config should work as is
+# if not, replace the line "set $upstream_app plex;" with "set $upstream_app ;"
+# or "set $upstream_app ;" for host mode, HOSTIP being the IP address of plex
+# in plex server settings, under network, fill in "Custom server access URLs" with your domain (ie. "https://plex.yourdomain.url:443")
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name plex.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+ proxy_redirect off;
+ proxy_buffering off;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ #include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ #include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app 10.0.2.10;
+ set $upstream_port 32400;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
+ proxy_set_header X-Plex-Device $http_x_plex_device;
+
proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
+ proxy_set_header X-Plex-Platform $http_x_plex_platform;
+ proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
+ proxy_set_header X-Plex-Product $http_x_plex_product;
+ proxy_set_header X-Plex-Token $http_x_plex_token;
+ proxy_set_header X-Plex-Version $http_x_plex_version;
+ proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
+ proxy_set_header X-Plex-Provides $http_x_plex_provides;
+ proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
+ proxy_set_header X-Plex-Model $http_x_plex_model;
+ }
+}
diff --git a/roles/swag/install-app/templates/portainer.subdomain.conf b/roles/swag/install-app/templates/portainer.subdomain.conf
new file mode 100644
index 0000000..d72d471
--- /dev/null
+++ b/roles/swag/install-app/templates/portainer.subdomain.conf
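Review bot: The header lines `# if not, replace the line "set $upstream_app plex;" with "set $upstream_app ;"` and `# or "set $upstream_app ;" for host mode, ...` have lost their placeholders (presumably angle-bracket tokens were stripped), and neither applies any more because the upstream is already hard-coded to `set $upstream_app 10.0.2.10;`. Replace those three bridge/host-mode comment lines with one that documents the real deployment, e.g. `# plex runs outside the swag docker network at 10.0.2.10:32400; no SSO here, plex enforces its own login`, adjusting the first half if plex is in fact a container on that host. The server block spans this hunk from the previous line.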
@@ -0,0 +1,58 @@
+## Version 2023/02/12
+# make sure that your portainer container is named portainer
+# make sure that your dns has a cname set for portainer
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name portainer.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app portainer;
+ set $upstream_port 9000;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ proxy_hide_header X-Frame-Options; # Possibly not needed after Portainer 1.20.0
+ }
+
+ location ~ (/portainer)?/api {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app portainer;
+ set $upstream_port 9000;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ proxy_hide_header X-Frame-Options; # Possibly not needed after Portainer 1.20.0
+ }
+}
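Review bot: `proxy_hide_header X-Frame-Options;` in both locations strips Portainer's clickjacking protection from every response, and the inline comment `# Possibly not needed after Portainer 1.20.0` suggests the reason for it is stale. Unless the UI is deliberately embedded in a frame (a dashboard, say), drop the two `proxy_hide_header` lines; otherwise verify against the Portainer version actually deployed and reword the comment to say why the header still has to be hidden.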
diff --git a/roles/swag/install-app/templates/prowlarr.subdomain.conf b/roles/swag/install-app/templates/prowlarr.subdomain.conf
new file mode 100644
index 0000000..7fcedf0
--- /dev/null
+++ b/roles/swag/install-app/templates/prowlarr.subdomain.conf
@@ -0,0 +1,54 @@
+## Version 2023/02/05
+# make sure that your prowlarr container is named prowlarr
+# make sure that your dns has a cname set for prowlarr
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name prowlarr.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app prowlarr;
+ set $upstream_port 9696;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+ }
+
+ location ~ (/prowlarr)?(/[0-9]+)?/api {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app prowlarr;
+ set $upstream_port 9696;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+ }
+}
diff --git a/roles/swag/install-app/templates/proxmox-backups.subdomain.conf b/roles/swag/install-app/templates/proxmox-backups.subdomain.conf
new file mode 100755
index 0000000..50cf6a9
--- /dev/null
+++ b/roles/swag/install-app/templates/proxmox-backups.subdomain.conf
@@ -0,0 +1,42 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name proxmox-backup.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app 10.0.2.102;
+ set $upstream_port 8007;
+ set $upstream_proto https;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+}
diff --git a/roles/swag/install-app/templates/proxmox.subdomain.conf b/roles/swag/install-app/templates/proxmox.subdomain.conf
new file mode 100755
index 0000000..b43d82f
--- /dev/null
+++ b/roles/swag/install-app/templates/proxmox.subdomain.conf
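Review bot: The file is `proxmox-backups.subdomain.conf` but it serves `server_name proxmox-backup.*;`, and like the proxmox hunk that follows it has no `## Version`/container header, so a reader has to infer what 10.0.2.102:8007 is. A line such as `# proxmox backup server on 10.0.2.102:8007 (https upstream)` above `server {` would fix that, and aligning the file name with the hostname would help grep. Both this and the proxmox template use an `https` upstream on a bare IP; nginx's `proxy_ssl_verify` defaults to off, so the upstream certificate is not checked unless proxy.conf turns it on, which is acceptable on a trusted LAN but belongs in the same comment.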
@@ -0,0 +1,42 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name proxmox.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app 10.0.2.2;
+ set $upstream_port 8006;
+ set $upstream_proto https;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+}
diff --git a/roles/swag/install-app/templates/radarr.subdomain.conf b/roles/swag/install-app/templates/radarr.subdomain.conf
new file mode 100644
index 0000000..f0853d6
--- /dev/null
+++ b/roles/swag/install-app/templates/radarr.subdomain.conf
@@ -0,0 +1,56 @@
+## Version 2023/02/05
+# make sure that your radarr container is named radarr
+# make sure that your dns has a cname set for radarr
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name radarr.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app radarr;
+ set $upstream_port 7878;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+
+ location ~ (/radarr)?/api {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app radarr;
+ set $upstream_port 7878;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+}
diff --git a/roles/swag/install-app/templates/sonarr.subdomain.conf b/roles/swag/install-app/templates/sonarr.subdomain.conf
new file mode 100644
index 0000000..bb81c33
--- /dev/null
+++ b/roles/swag/install-app/templates/sonarr.subdomain.conf
@@ -0,0 +1,56 @@
+## Version 2023/02/05
+# make sure that your sonarr container is named sonarr
+# make sure that your dns has a cname set for sonarr
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name sonarr.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app sonarr;
+ set $upstream_port 8989;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+
+ location ~ (/sonarr)?/api {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app sonarr;
+ set $upstream_port 8989;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+}
diff --git a/roles/swag/install-app/templates/transmission.subdomain.conf b/roles/swag/install-app/templates/transmission.subdomain.conf
new file mode 100644
index 0000000..0da88e3
--- /dev/null
+++ b/roles/swag/install-app/templates/transmission.subdomain.conf
@@ -0,0 +1,66 @@
+## Version 2023/02/05
+# Make sure that DNS has a cname set for transmission
+#
+# Some Transmission Chrome extensions cannot handle HTTP/2 proxies as they
+# rely on the HTTP Status Text to determine if they should add the
+# X-Transmission-Session-Id header or not. HTTP/2 does not return this text
+# so jQuery responses are empty. This causes RPCs to fail.
+#
+# If your extension is affected, you can remove http2 from the default server
+# in /config/nginx/site-confs/default or listen on a different port that has
+# no http2 servers defined. Better yet, submit a bug report with the
+# extension developer to fix their extensions to support HTTP/2.
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name transmission.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 0;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app transmission;
+ set $upstream_port 9091;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ proxy_pass_header X-Transmission-Session-Id;
+ }
+
+ location ~ (/transmission)?/rpc {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app transmission;
+ set $upstream_port 9091;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+}
diff --git a/roles/swag/install-app/templates/vaultwarden.subdomain.conf b/roles/swag/install-app/templates/vaultwarden.subdomain.conf
new file mode 100644
index 0000000..fbc66d4
--- /dev/null
+++ b/roles/swag/install-app/templates/vaultwarden.subdomain.conf
@@ -0,0 +1,100 @@
+## Version 2023/02/13
+# make sure that your vaultwarden container is named vaultwarden
+# make sure that your dns has a cname set for vaultwarden
+# set the environment variable WEBSOCKET_ENABLED=true on your vaultwarden container
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name pwds.*;
+
+ include /config/nginx/ssl.conf;
+
+ client_max_body_size 128M;
+
+ # enable for ldap auth (requires ldap-location.conf in the location block)
+ #include /config/nginx/ldap-server.conf;
+
+ # enable for Authelia (requires authelia-location.conf in the location block)
+ #include /config/nginx/authelia-server.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the location block)
+ #include /config/nginx/authentik-server.conf;
+
+ location / {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ #include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-server.conf in the server block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app vaultwarden;
+ set $upstream_port 80;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+
+ location ~ (/pwds)?/admin {
+ # enable the next two lines for http auth
+ #auth_basic "Restricted";
+ #auth_basic_user_file /config/nginx/.htpasswd;
+
+ # enable for ldap auth (requires ldap-server.conf in the server block)
+ #include /config/nginx/ldap-location.conf;
+
+ # enable for Authelia (requires authelia-server.conf in the server block)
+ #include /config/nginx/authelia-location.conf;
+
+ # enable for Authentik (requires authentik-location.conf in the server
block)
+ #include /config/nginx/authentik-location.conf;
+
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app vaultwarden;
+ set $upstream_port 80;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+
+ location ~ (/pwds)?/api {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app vaultwarden;
+ set $upstream_port 80;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+
+ location ~ (/pwds)?/notifications/hub {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app vaultwarden;
+ set $upstream_port 3012;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+
+ location ~ (/pwds)?/notifications/hub/negotiate {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app vaultwarden;
+ set $upstream_port 80;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+ }
+}
diff --git a/roles/swag/install-docker/tasks/main.yml b/roles/swag/install-docker/tasks/main.yml
new file mode 100644
index 0000000..e149f35
--- /dev/null
+++ b/roles/swag/install-docker/tasks/main.yml
@@ -0,0 +1,31 @@
+---
+- name: Get convenience script
+ uri:
+ url: "https://get.docker.com"
+ method: GET
+ dest: /tmp/get-docker.sh
+ mode: a+x
+ creates: /tmp/get-docker.sh
+
+- name: Execute script
+ ansible.builtin.shell: /tmp/get-docker.sh
+
+- name: Ensure group "docker" exists
+ ansible.builtin.group:
+ name: docker
+ state: present
+
+- name: Add root user to docker group
+ ansible.builtin.user:
+ name: root
+ groups: docker
+ append: yes
+
+- name: Enable docker on startup
+ ansible.builtin.shell: |
+ systemctl enable docker.service
+ systemctl enable containerd.service
+
+- name: Create reverse-proxy network
+ ansible.builtin.shell: |
+ docker network create reverse-proxy
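Review bot: The `location ~ (/pwds)?/admin` block keeps every auth include commented out, so the Vaultwarden admin panel is reachable from the internet guarded only by its admin token; the SSO exemption on `/` and `/api` is needed for the Bitwarden clients, but `/admin` is a browser-only page and has no such constraint. Enable Authelia for it (`include /config/nginx/authelia-server.conf;` in the server block, which only defines the auth endpoints, and `include /config/nginx/authelia-location.conf;` inside `/admin`, which enforces it), or restrict the location with an `allow`/`deny` list, and record the decision in a comment above the location.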
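Review bot: `ansible.builtin.shell: /tmp/get-docker.sh` runs a script fetched over the network as root with no integrity check, from a world-writable directory, and nothing makes the role idempotent: the script re-executes on every play and `docker network create reverse-proxy` fails as soon as the network exists. Pin the download with `checksum:` on `ansible.builtin.get_url`, guard the install with `creates:`, and use `ansible.builtin.systemd` and `community.docker.docker_network` for the last two tasks, as sketched below. `append: yes` here, and `unprivileged: no`, `force: yes` and `update_cache: yes` in the later hunks, should be written `true`/`false`; the YAML 1.1 `yes`/`no` spellings are what yamllint's truthy rule rejects.
```yaml
- name: Get convenience script
  ansible.builtin.get_url:
    url: "https://get.docker.com"
    dest: /tmp/get-docker.sh
    mode: "0700"
    checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"

- name: Execute script
  ansible.builtin.command: /tmp/get-docker.sh
  args:
    creates: /usr/bin/docker

# … unchanged: docker group and root user tasks …

- name: Enable docker on startup
  ansible.builtin.systemd:
    name: "{{ item }}"
    enabled: true
  loop:
    - docker.service
    - containerd.service

- name: Create reverse-proxy network
  community.docker.docker_network:
    name: reverse-proxy
```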
diff --git a/roles/swag/provision/create/tasks/main.yml b/roles/swag/provision/create/tasks/main.yml
new file mode 100644
index 0000000..5ebc423
--- /dev/null
+++ b/roles/swag/provision/create/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+- name: Create container
+ community.general.proxmox:
+ vmid: 606
+ node: mipha
+ api_user: root@pam
+ api_password: "{{ proxmox_api_password }}"
+ api_host: 10.0.2.2
+ password: "{{ lxc_password }}"
+ hostname: swag
+ ostemplate: "hyrule-8tb-nfs:vztmpl/debian-11-standard_11.3-1_amd64.tar.zst"
+ netif: "{'net0':'name=eth0,\
+ gw=10.0.0.1,\
+ ip=10.0.2.15/21,\
+ hwaddr=cc:c6:cf:de:17:75,\
+ bridge=vmbr0'}"
+ cores: 1
+ memory: 6144
+ unprivileged: no
+ swap: 0
+ searchdomain: "home"
+ onboot: 1
+ mounts: '{"mp0":"local-lvm:5,mp=/data,backup=1"}'
+ features:
+ - nesting=1
+ - keyctl=1
+ disk: local-lvm:30
+ force: yes
diff --git a/roles/swag/provision/delete/tasks/main.yml b/roles/swag/provision/delete/tasks/main.yml
new file mode 100644
index 0000000..546c6e3
--- /dev/null
+++ b/roles/swag/provision/delete/tasks/main.yml
@@ -0,0 +1,26 @@
+---
+- name: Stop container
+ community.general.proxmox:
+ vmid: 606
+ api_user: root@pam
+ api_password: "{{ proxmox_api_password }}"
+ api_host: 10.0.2.2
+ state: stopped
+ ignore_errors: true
+ timeout: 90
+
+- name: Remove containers
+ community.general.proxmox:
+ vmid: 606
+ api_user: root@pam
+ api_password: "{{ proxmox_api_password }}"
+ api_host: 10.0.2.2
+ state: absent
+ ignore_errors: true
+ timeout: 90
+
+- name: Remove .ssh/known_hosts lines
+ ansible.builtin.lineinfile:
+ path: /Users/lino.silva/.ssh/known_hosts
+ state: absent
+ regexp: "^10.0.2.15"
diff --git a/roles/swag/provision/enable-ssh/tasks/main.yml b/roles/swag/provision/enable-ssh/tasks/main.yml
new file mode 100644
index 0000000..88dae36
--- /dev/null
+++ b/roles/swag/provision/enable-ssh/tasks/main.yml
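Review bot: `unprivileged: no` together with `nesting=1`/`keyctl=1` creates a privileged LXC to host the docker daemon, so root inside the container is root on the Proxmox node and any container escape is a host compromise; prefer `unprivileged: true` (docker does run in an unprivileged LXC with nesting on current PVE releases, but verify on this node) or add a comment stating why privileged is required here. `force: yes` makes a re-run overwrite an existing vmid 606, which is destructive for the host that holds the TLS certificates; consider dropping it or gating it behind a variable. The API is driven as `api_user: root@pam` with the root password in `proxmox_api_password`; a token scoped to this container via `api_token_id`/`api_token_secret` exposes far less if the vault or controller is compromised.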
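Review bot: `path: /Users/lino.silva/.ssh/known_hosts` in the last task hard-codes one operator's macOS home directory, so for anyone else the cleanup silently does nothing or errors; `path: "{{ lookup('env', 'HOME') }}/.ssh/known_hosts"` works for every controller. `regexp: "^10.0.2.15"` has unescaped dots and no terminator, so it also removes entries for 10.0.2.150 through 10.0.2.159; `regexp: "^10\\.0\\.2\\.15[ ,]"` limits it to the intended host. `ignore_errors: true` on both Proxmox tasks also hides authentication and API failures rather than just an already-absent container, so a `failed_when` on the specific error is safer.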
@@ -0,0 +1,8 @@
+---
+# Unable to use ansible.builtin.lineinfile, because we need to run this through the proxmox host (because SSH is not enabled duh)
+
+- name: Allow SSH into LXC
+ ansible.builtin.command: lxc-attach -n 606 -- sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
+
+- name: Restart SSH Service
+ ansible.builtin.command: lxc-attach -n 606 service ssh restart
diff --git a/roles/swag/provision/start/tasks/main.yml b/roles/swag/provision/start/tasks/main.yml
new file mode 100644
index 0000000..2bc8d4d
--- /dev/null
+++ b/roles/swag/provision/start/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- name: Start deployments
+ community.general.proxmox:
+ vmid: 606
+ api_user: root@pam
+ api_password: "{{ proxmox_api_password }}"
+ api_host: 10.0.2.2
+ state: started
diff --git a/roles/swag/update/tasks/main.yml b/roles/swag/update/tasks/main.yml
new file mode 100644
index 0000000..8227bf4
--- /dev/null
+++ b/roles/swag/update/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Update all packages to their latest version
+ become: true
+ ansible.builtin.apt:
+ update_cache: yes
+ upgrade: full
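Review bot: `sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g"` turns on password-based root login over SSH for the container, which is wider than the play needs; keeping `prohibit-password` and installing the controller's public key is enough for Ansible to connect. The create task in the previous hunk uses community.general.proxmox, which accepts `pubkey:`, so `pubkey: "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}"` there would make this whole role unnecessary. Separately, `lxc-attach -n 606 service ssh restart` omits the `--` separator the first command uses; it presumably works, but writing both the same way avoids any option-parsing surprise.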