diff --git a/deploy.yml b/deploy.yml
index ac23244..ee3c34e 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -26,3 +26,6 @@
 - name: CI
 ansible.builtin.import_playbook: playbooks/deploy-drone.yml
+
+- name: Website for hatecomputers.club
+ ansible.builtin.import_playbook: playbooks/deploy-hatecomputers-club.yml
diff --git a/group_vars/host_domains.yml b/group_vars/host_domains.yml
index 24c457c..f79dfbf 100644
--- a/group_vars/host_domains.yml
+++ b/group_vars/host_domains.yml
@@ -9,3 +9,4 @@ host_domains:
 # - himmel.hatecomputers.club
 - git.hatecomputers.club
 - ci.hatecomputers.club
+ - hatecomputers.club
diff --git a/inventory b/inventory
index cc9a3b1..7abf733 100644
--- a/inventory
+++ b/inventory
@@ -33,5 +33,5 @@ himmel.int.infra.hatecomputers.club ansible_user=root ansible_connection=ssh
 [drone]
 himmel.int.infra.hatecomputers.club ansible_user=root ansible_connection=ssh
-[hatecomputers.club]
+[hatecomputers-club]
 himmel.int.infra.hatecomputers.club ansible_user=root ansible_connection=ssh
diff --git a/playbooks/deploy-hatecomputers-club.yml b/playbooks/deploy-hatecomputers-club.yml
new file mode 100644
index 0000000..01bb0bb
--- /dev/null
+++ b/playbooks/deploy-hatecomputers-club.yml
@@ -0,0 +1,6 @@
+---
+
+- name: hatecomputers.club setup
+ hosts: hatecomputers-club
+ roles:
+ - hatecomputers-club
diff --git a/playbooks/roles/hatecomputers-club/tasks/main.yml b/playbooks/roles/hatecomputers-club/tasks/main.yml
new file mode 100644
index 0000000..0a2e804
--- /dev/null
+++ b/playbooks/roles/hatecomputers-club/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+
+- name: Ensure hatecomputers-club docker/compose exist
+ ansible.builtin.file:
+ path: /etc/docker/compose/hatecomputers-club
+ state: directory
+ owner: root
+ group: root
+ mode: 0700
+
+- name: Build hatecomputers-club docker-compose.yml.j2
+ ansible.builtin.template:
+ src: docker-compose.yml.j2
+ dest: /etc/docker/compose/hatecomputers-club/docker-compose.yml
+ owner: root
+ group: root
+ mode: 0700
+
+- name: Enable hatecomputers-club
+ ansible.builtin.systemd_service:
+ state: restarted
+ enabled: true
+ name: docker-compose@hatecomputers-club
diff --git a/playbooks/roles/hatecomputers-club/templates/docker-compose.yml.j2 b/playbooks/roles/hatecomputers-club/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..fa33117
--- /dev/null
+++ b/playbooks/roles/hatecomputers-club/templates/docker-compose.yml.j2
@@ -0,0 +1,14 @@
+
+version: '3'
+
+services:
+ kanidm:
+ image: git.hatecomputers.club/hatecomputers/hatecomputers.club:main
+ restart: always
+ ports:
+ - 127.0.0.1:9696:8080
+ environment:
+ - CLOUDFLARE_TOKEN={{ cloudflare_api_token }}
+ - CLOUDFLARE_ZONE={{ cloudflare_zone_id }}
+ volumes:
+ - ./db:/app/db
diff --git a/playbooks/roles/nginx/templates/himmel.int.infra.hatecomputers.club/http.hatecomputers.club.conf b/playbooks/roles/nginx/templates/himmel.int.infra.hatecomputers.club/http.hatecomputers.club.conf
new file mode 100644
index 0000000..a722f34
--- /dev/null
+++ b/playbooks/roles/nginx/templates/himmel.int.infra.hatecomputers.club/http.hatecomputers.club.conf
@@ -0,0 +1,8 @@
+server {
+ listen 80;
+ server_name hatecomputers.club;
+
+ location / {
+ rewrite ^ https://hatecomputers.club$request_uri? permanent;
+ }
+}
diff --git a/playbooks/roles/nginx/templates/himmel.int.infra.hatecomputers.club/https.hatecomputers.club.conf b/playbooks/roles/nginx/templates/himmel.int.infra.hatecomputers.club/https.hatecomputers.club.conf
new file mode 100644
index 0000000..a67a8ca
--- /dev/null
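Review bot: The "Enable hatecomputers-club" task uses `state: restarted` unconditionally, so every playbook run bounces the site even when the directory and the rendered compose file are unchanged; the idiomatic shape is `state: started` here plus a `notify: Restart hatecomputers-club` on the template task, with the restart moved into a handler. The rendered compose file carries the Cloudflare token, so keeping it root-owned with a restrictive mode is right, but `0700` sets an executable bit a config file does not need and is an unquoted octal that ansible-lint flags; `mode: "0600"` on the template task (and `"0700"` on the directory) says the same thing without the YAML 1.1 octal ambiguity.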
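Review bot: The image is pulled by the mutable tag `git.hatecomputers.club/hatecomputers/hatecomputers.club:main`, so what runs after a `docker compose pull` is whatever the registry currently serves for `main` rather than the build this commit was tested against; pinning an immutable tag or an `@sha256:` digest, or at least recording the expectation in a comment, would make redeploys reproducible. The service is named `kanidm` but runs the website image, which looks like a copy-paste from another role and will be misleading in `docker compose ps`, logs and `docker-compose@hatecomputers-club` journal output. `CLOUDFLARE_TOKEN` and `CLOUDFLARE_ZONE` are injected as `environment:` entries, so the token is visible via `docker inspect` and in the environment of every process in the container; an `env_file` with the same root-only mode, or a mounted secret file, keeps it out of container metadata, and quoting the mapping as `- "127.0.0.1:9696:8080"` follows the usual compose convention for port strings.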
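Review bot: The HTTP-to-HTTPS redirect is written as a `rewrite` that regex-matches every URI, where the conventional and cheaper form is `return 301 https://$host$request_uri;` inside `location /` (or at server level, dropping the location block). If the certificate for this host is renewed via an HTTP-01 challenge on port 80, the redirect will also send `/.well-known/acme-challenge/` to HTTPS; whether that matters depends on how the existing nginx role obtains certificates, which is outside this diff, so worth confirming before merging.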
+++ b/playbooks/roles/nginx/templates/himmel.int.infra.hatecomputers.club/https.hatecomputers.club.conf
@@ -0,0 +1,21 @@
+server {
+ server_name hatecomputers.club;
+ listen 443 ssl;
+
+ ssl_dhparam /etc/nginx/dhparams.pem;
+
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ ssl_prefer_server_ciphers off;
+
+ ssl_certificate /etc/letsencrypt/live/hatecomputers.club/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/hatecomputers.club/privkey.pem;
+
+ location / {
+ proxy_pass http://127.0.0.1:9696;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ }
+}
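Review bot: The TLS server block proxies to the app with only `Host` and `X-Real-IP`, so the backend cannot tell it was reached over HTTPS; add `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` in `location /` so the application can mark cookies secure and build correct absolute URLs. There is also no HSTS header, which leaves first-contact downgrade open even though port 80 redirects; `add_header Strict-Transport-Security "max-age=63072000" always;` alongside the `ssl_` directives closes that. The `ssl_session_timeout`/`ssl_session_tickets` pair matches the Mozilla intermediate profile, but that profile also sets `ssl_session_cache shared:MozSSL:10m;`, without which `ssl_session_timeout 1d` has nothing to apply to; consider adding it or dropping the timeout.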