Commit 520424c
roles/alias/defaults/main.yml
@@ -1,2 +0,0 @@
----
-alias_release_url: "https://gitlab.com/api/v4/projects/31646659/packages/generic/alias"
roles/alias/tasks/main.yml
@@ -1,52 +0,0 @@
----
- - name: optional software directories
- file:
- path: "{{ item.path }}"
- state: directory
- owner: "{{ item.owner }}"
- group: "{{ item.group }}"
- mode: '0755'
- become: True
- loop:
- - path: /opt/
- owner: "{{ ansible_env.USER }}"
- group: "{{ ansible_env.USER }}"
- - path: /opt/alias/
- owner: nobody
- group: nogroup
-
- - name: download software binaries
- get_url:
- url: "{{ item.url }}"
- dest: "{{ item.dest }}"
- mode: "{{ item.mode }}"
- owner: nobody
- group: nogroup
- loop:
- # TODO: don't assume arch
- - url: "{{ alias_release_url }}/{{ alias_version }}/arm64-alias"
- dest: /opt/alias/alias
- mode: '0755'
- become: True
-
- - name: deploy traefik dynamic config
- template:
- src: "{{ role_path }}/templates/alias.yaml.j2"
- dest: "{{ traefik.dirs.dynamic_config }}/alias.yaml"
- become: True
-
- - name: systemd service config
- template:
- src: "{{ role_path }}/templates/alias.service.j2"
- dest: "{{ systemd_path }}/alias.service"
- become: True
- vars:
- systemd_path: "/etc/systemd/system"
-
- - name: systemd service start
- systemd:
- state: started
- enabled: True
- daemon_reload: True
- name: alias
- become: True
roles/alias/templates/alias.service.j2
@@ -1,12 +0,0 @@
-[Unit]
-Description=alias service
-Documentation=https://github.com/tuesdays/alias
-
-[Service]
-ExecStart=/opt/alias/alias --port {{ alias.port }}
-Restart=on-failure
-User=nobody
-RestartSec=5
-
-[Install]
-WantedBy=multi-user.target
roles/alias/templates/alias.yaml.j2
@@ -1,15 +0,0 @@
----
-http:
- routers:
- alias:
- rule: "Host(`{{ alias.subdomain }}.{{ traefik.domain }}`)"
- service: "alias"
- entryPoints:
- - "websecure"
- tls:
- certResolver: "{{ traefik.acme_http_resolver }}"
- services:
- alias:
- loadBalancer:
- servers:
- - url: "http://{{ alias.address }}:{{ alias.port }}"
roles/apt/tasks/main.yml
@@ -1,47 +0,0 @@
----
- - name: apt update cache
- apt:
- update_cache: True
- cache_valid_time: 1800 #30m
- become: True
-
- - name: apt upgrade
- apt:
- name: "*"
- state: latest
- become: True
-
- - name: apt install tools
- apt:
- state: latest
- pkg: "{{ apt_pkgs }}"
- become: True
-
- - name: apt remove bloat
- apt:
- pkg: snapd*
- purge: True
- autoremove: True
- become: True
-
- - name: apt keys' add
- apt_key:
- keyserver: "{{ item.keyserver }}"
- id: "{{ item.id }}"
- state: present
- become: True
- loop: "{{ apt_keys }}"
-
- - name: apt ppa repo's add
- apt_repository:
- repo: "{{ item }}"
- update_cache: True
- become: True
- loop: "{{ apt_ppas }}"
-
- - name: apt install tools (from ppa's)
- apt:
- update_cache: True
- state: latest
- pkg: "{{ apt_ppa_pkgs }}"
- become: True
roles/home/tasks/main.yml
@@ -1,85 +0,0 @@
----
- - name: personal git config, global
- git_config:
- name: "{{ item.name }}"
- value: "{{ item.value }}"
- scope: global
- loop:
- - name: user.email
- value: bryon.fryer@gmail.com
- - name: user.name
- value: bryfry
- - name: color.ui
- value: "True"
-
- - name: git scan for remote host public keys
- local_action:
- module: shell
- cmd: "ssh-keyscan -t rsa github.com gitlab.com 2>/dev/null"
- changed_when: False
- register: ssh_scan
-
- - debug:
- var: ssh_scan
-
- - name: git scan add result to known hosts
- local_action:
- module: known_hosts
- key: "{{ item }}"
- name: "{{ item.split(' ')[0] }}"
- with_items: "{{ ssh_scan.stdout_lines }}"
-
- ## TODO Skip if existing or no ssh-add -l
- - name: git checkouts
- git:
- repo: "{{ item.repo }}"
- dest: "{{ git_dir }}/{{ item.dir }}"
- update: False
- vars:
- git_dir: "$HOME/git"
- ignore_errors: True
- loop: "{{ git_repos }}"
-
- - name: home directory dirs
- file:
- path: "{{ item }}"
- state: directory
- loop:
- - "$HOME/.ssh"
- - "$HOME/.ssh/config.d"
- - "$HOME/.elinks"
- - "$HOME/.doom.d"
-
- - name: home directory symlinks
- file:
- src: "{{ item.src }}"
- dest: "{{ item.dest }}"
- state: link
- vars:
- git_dir: "$HOME/git"
- home_repo: "{{ git_dir }}/home"
- loop:
- - src: "{{ home_repo }}/tmux.conf"
- dest: "$HOME/.tmux.conf"
- - src: "{{ home_repo }}/ssh_config_d"
- dest: "$HOME/.ssh/config"
- - src: "{{ home_repo }}/ssh_config"
- dest: "$HOME/.ssh/config.d/config"
- - src: "{{ home_repo }}/vimrc"
- dest: "$HOME/.vimrc"
- - src: "{{ home_repo }}/bash_aliases"
- dest: "$HOME/.bash_aliases"
- - src: "{{ home_repo }}/screenrc"
- dest: "$HOME/.screenrc"
- - src: "{{ home_repo }}/curlrc"
- dest: "$HOME/.curlrc"
- - src: "{{ home_repo }}/elinks.conf"
- dest: "$HOME/.elinks/elinks.conf"
- - src: "{{ home_repo }}/doom/config.el"
- dest: "$HOME/.doom.d/config.el"
- - src: "{{ home_repo }}/doom/init.el"
- dest: "$HOME/.doom.d/init.el"
- - src: "{{ home_repo }}/doom/packages.el"
- dest: "$HOME/.doom.d/packages.el"
- - src: "{{ home_repo }}/doom/custom.el"
- dest: "$HOME/.doom.d/custom.el"
roles/hostname/files/hosts
@@ -1,10 +0,0 @@
-127.0.0.1 localhost
-127.0.0.1 tmc
-
-# The following lines are desirable for IPv6 capable hosts
-::1 ip6-localhost ip6-loopback
-fe00::0 ip6-localnet
-ff00::0 ip6-mcastprefix
-ff02::1 ip6-allnodes
-ff02::2 ip6-allrouters
-ff02::3 ip6-allhosts
roles/hostname/tasks/main.yml
@@ -1,11 +0,0 @@
----
-- name: set hostname
- hostname:
- name: tmc
- become: True
-
-- name: set /etc/hosts
- copy:
- src: hosts
- dest: /etc/hosts
- become: True
roles/mirror-mirror/tasks/main.yml
@@ -1,51 +0,0 @@
----
- - name: optional software directories
- file:
- path: "{{ item.path }}"
- state: directory
- owner: "{{ item.owner }}"
- group: "{{ item.group }}"
- mode: '0755'
- become: True
- loop:
- - path: /opt/
- owner: "{{ ansible_env.USER }}"
- group: "{{ ansible_env.USER }}"
- - path: /opt/mirror-mirror/
- owner: nobody
- group: nogroup
-
- - name: download software binaries
- get_url:
- url: "{{ item.url }}"
- dest: "{{ item.dest }}"
- mode: "{{ item.mode }}"
- owner: nobody
- group: nogroup
- loop:
- - url: "https://github.com/ajpatri/mirror-mirror/releases/download/v0.1/mirror-mirror-v0.1-linux-{{ mm.arch }}"
- dest: /opt/mirror-mirror/mirror-mirror
- mode: '0755'
- become: True
-
- - name: deploy traefik dynamic config
- template:
- src: "{{ role_path }}/templates/mirror-mirror.yaml.j2"
- dest: "{{ traefik.dirs.dynamic_config }}/mirror-mirror.yaml"
- become: True
-
- - name: systemd service config
- template:
- src: "{{ role_path }}/templates/mirror-mirror.service.j2"
- dest: "{{ systemd_path }}/mirror-mirror.service"
- become: True
- vars:
- systemd_path: "/etc/systemd/system"
-
- - name: systemd service start
- systemd:
- state: started
- enabled: True
- daemon_reload: True
- name: mirror-mirror
- become: True
roles/mirror-mirror/templates/mirror-mirror.service.j2
@@ -1,12 +0,0 @@
-[Unit]
-Description=mirror-mirror service
-Documentation=https://github.com/ajpatri/mirror-mirror
-
-[Service]
-ExecStart=/opt/mirror-mirror/mirror-mirror -host {{ mm.address }} -port {{ mm.port }}
-Restart=on-failure
-User=nobody
-RestartSec=5
-
-[Install]
-WantedBy=multi-user.target
roles/mirror-mirror/templates/mirror-mirror.yaml.j2
@@ -1,15 +0,0 @@
----
-http:
- routers:
- mirror-mirror:
- rule: "Host(`{{ mm.subdomain }}.{{ traefik.domain }}`)"
- service: "mirror-mirror"
- entryPoints:
- - "websecure"
- tls:
- certResolver: "{{ traefik.acme_http_resolver }}"
- services:
- mirror-mirror:
- loadBalancer:
- servers:
- - url: "http://{{ mm.address }}:{{ mm.port }}"
roles/traefik/files/traefik.service
@@ -1,11 +0,0 @@
-[Unit]
-Description=traefik service
-Documentation=https://github.com/containous/traefik.git
-
-[Service]
-ExecStart=/opt/traefik/traefik
-Restart=on-failure
-RestartSec=5
-
-[Install]
-WantedBy=multi-user.target
roles/traefik/tasks/main.yml
@@ -1,55 +0,0 @@
----
- - name: fetch release
- get_url:
- url: "https://github.com/containous/traefik/releases/download/v{{ traefik.version }}/traefik_v{{ traefik.version }}_linux_{{ traefik.arch }}.tar.gz"
- dest: "/tmp/traefik_v{{ traefik.version }}_linux_{{ traefik.arch }}.tar.gz"
- checksum: "{{ traefik.checksum }}"
-
- - name: directories
- file:
- path: "{{ item.value }}"
- state: directory
- mode: '0755'
- become: True
- loop: "{{ traefik.dirs | dict2items }}"
-
- - name: extract release
- unarchive:
- src: "/tmp/traefik_v{{ traefik.version }}_linux_{{ traefik.arch }}.tar.gz"
- dest: "/opt/traefik/"
- remote_src: True
- become: True
-
- - name: deploy static config
- template:
- src: "{{ role_path }}/templates/traefik.yaml.j2"
- dest: "{{ traefik.dirs.config }}/traefik.yaml"
- become: True
-
- - name: deploy dynamic configs
- template:
- src: "{{ item.src }}"
- dest: "{{ item.dest }}"
- become: True
- loop:
- - src: "{{ role_path }}/templates/local-proxy.yaml.j2"
- dest: "{{ traefik.dirs.dynamic_config }}/local-proxy.yaml"
- - src: "{{ role_path }}/templates/srs.yaml.j2"
- dest: "{{ traefik.dirs.dynamic_config }}/srs.yaml"
-
-
- - name: systemd service config
- copy:
- src: "{{ role_path }}/files/traefik.service"
- dest: "{{ systemd_path }}/traefik.service"
- become: True
- vars:
- systemd_path: "/etc/systemd/system"
-
- - name: systemd service start
- systemd:
- name: traefik
- state: started
- enabled: True
- daemon_reload: True
- become: True
roles/traefik/templates/local-proxy.yaml.j2
@@ -1,23 +0,0 @@
----
-http:
- routers:
- local-proxy:
- rule: "Host(`{{ proxy.subdomain }}.{{ traefik.domain }}`)"
- service: "local-proxy"
- entryPoints:
- - "websecure"
- middlewares:
- - "proxy-auth"
- tls:
- certResolver: "{{ traefik.acme_http_resolver }}"
- services:
- local-proxy:
- loadBalancer:
- servers:
- - url: "http://{{ proxy.address }}:{{ proxy.port }}"
- middlewares:
- proxy-auth:
- basicAuth:
- users:
- - "root:$2b$10$U1E.Gu6EJ05AhhZ41s8juO17mTXRA6xeu/8OK9fjMO085apvmJrXW"
-
roles/traefik/templates/srs.yaml.j2
@@ -1,15 +0,0 @@
----
-http:
- routers:
- srs:
- rule: "Host(`{{ srs.subdomain }}.{{ traefik.domain }}`)"
- service: "srs"
- entryPoints:
- - "websecure"
- tls:
- certResolver: "{{ traefik.acme_http_resolver }}"
- services:
- srs:
- loadBalancer:
- servers:
- - url: "http://{{ srs.address }}:{{ srs.port }}"
roles/traefik/templates/tbd.yml
@@ -1,300 +0,0 @@
----
-http:
- routers:
- ctfd:
- rule: "Host(`c2t2.trustme.click`)"
- service: "ctfd"
- entryPoints:
- - "websecure"
- tls:
- certResolver: "tmc-acme-http"
- bchd_01:
- rule: "Host(`c2t2.trustme.click`) && PathPrefix(`/bchd_01/`)"
- service: "bchd_01"
- entryPoints:
- - "websecure"
- tls:
- certResolver: "tmc-acme-http"
- middlewares:
- - "strippy"
- bchd_02:
- rule: "Host(`c2t2.trustme.click`) && PathPrefix(`/bchd_02/`)"
- service: "bchd_02"
- entryPoints:
- - "websecure"
- tls:
- certResolver: "tmc-acme-http"
- middlewares:
- - "strippy"
- bchd_03:
- rule: "Host(`c2t2.trustme.click`) && PathPrefix(`/bchd_03/`)"
- service: "bchd_03"
- entryPoints:
- - "websecure"
- tls:
- certResolver: "tmc-acme-http"
- middlewares:
- - "strippy"
- bchd_04:
- rule: "Host(`c2t2.trustme.click`) && PathPrefix(`/bchd_04/`)"
- service: "bchd_04"
- entryPoints:
- - "websecure"
- tls:
- certResolver: "tmc-acme-http"
- middlewares:
- - "strippy"
- bchd_05:
- rule: "Host(`c2t2.trustme.click`) && PathPrefix(`/bchd_05/`)"
- service: "bchd_05"
- entryPoints:
- - "websecure"
- tls:
- certResolver: "tmc-acme-http"
- middlewares:
- - "strippy"
- bchd_06:
- rule: "Host(`c2t2.trustme.click`) && PathPrefix(`/bchd_06/`)"
- service: "bchd_06"
- entryPoints:
- - "websecure"
- tls:
- certResolver: "tmc-acme-http"
- middlewares:
- - "strippy"
- bchd_07:
- rule: "Host(`c2t2.trustme.click`) && PathPrefix(`/bchd_07/`)"
- service: "bchd_07"
- entryPoints:
- - "websecure"
- tls:
- certResolver: "tmc-acme-http"
- middlewares:
- - "strippy"
- bchd_08:
- rule: "Host(`c2t2.trustme.click`) && PathPrefix(`/bchd_08/`)"
- service: "bchd_08"
- entryPoints:
- - "websecure"
- tls:
- certResolver: "tmc-acme-http"
- middlewares:
- - "strippy"
- bchd_09:
- rule: "Host(`c2t2.trustme.click`) && PathPrefix(`/bchd_09/`)"
- service: "bchd_09"
- entryPoints:
- - "websecure"
- tls:
- certResolver: "tmc-acme-http"
- middlewares:
- - "strippy"
- bchd_10:
- rule: "Host(`c2t2.trustme.click`) && PathPrefix(`/bchd_10/`)"
- service: "bchd_10"
- entryPoints:
- - "websecure"
- tls:
- certResolver: "tmc-acme-http"
- middlewares:
- - "strippy"
- bchd_11:
- rule: "Host(`c2t2.trustme.click`) && PathPrefix(`/bchd_11/`)"
- service: "bchd_11"
- entryPoints:
- - "websecure"
- tls:
- certResolver: "tmc-acme-http"
- middlewares:
- - "strippy"
- bchd_12:
- rule: "Host(`c2t2.trustme.click`) && PathPrefix(`/bchd_12/`)"
- service: "bchd_12"
- entryPoints:
- - "websecure"
- tls:
- certResolver: "tmc-acme-http"
- middlewares:
- - "strippy"
- bchd_13:
- rule: "Host(`c2t2.trustme.click`) && PathPrefix(`/bchd_13/`)"
- service: "bchd_13"
- entryPoints:
- - "websecure"
- tls:
- certResolver: "tmc-acme-http"
- middlewares:
- - "strippy"
- bchd_14:
- rule: "Host(`c2t2.trustme.click`) && PathPrefix(`/bchd_14/`)"
- service: "bchd_14"
- entryPoints:
- - "websecure"
- tls:
- certResolver: "tmc-acme-http"
- middlewares:
- - "strippy"
- bchd_15:
- rule: "Host(`c2t2.trustme.click`) && PathPrefix(`/bchd_15/`)"
- service: "bchd_15"
- entryPoints:
- - "websecure"
- tls:
- certResolver: "tmc-acme-http"
- middlewares:
- - "strippy"
- bchd_16:
- rule: "Host(`c2t2.trustme.click`) && PathPrefix(`/bchd_16/`)"
- service: "bchd_16"
- entryPoints:
- - "websecure"
- tls:
- certResolver: "tmc-acme-http"
- middlewares:
- - "strippy"
- bchd_17:
- rule: "Host(`c2t2.trustme.click`) && PathPrefix(`/bchd_17/`)"
- service: "bchd_17"
- entryPoints:
- - "websecure"
- tls:
- certResolver: "tmc-acme-http"
- middlewares:
- - "strippy"
- bchd_18:
- rule: "Host(`c2t2.trustme.click`) && PathPrefix(`/bchd_18/`)"
- service: "bchd_18"
- entryPoints:
- - "websecure"
- tls:
- certResolver: "tmc-acme-http"
- middlewares:
- - "strippy"
- bchd_19:
- rule: "Host(`c2t2.trustme.click`) && PathPrefix(`/bchd_19/`)"
- service: "bchd_19"
- entryPoints:
- - "websecure"
- tls:
- certResolver: "tmc-acme-http"
- middlewares:
- - "strippy"
- bchd_20:
- rule: "Host(`c2t2.trustme.click`) && PathPrefix(`/bchd_20/`)"
- service: "bchd_20"
- entryPoints:
- - "websecure"
- tls:
- certResolver: "tmc-acme-http"
- middlewares:
- - "strippy"
-
- middlewares:
- strippy:
- stripPrefix:
- prefixes:
- - "/bchd_01/"
- - "/bchd_02/"
- - "/bchd_03/"
- - "/bchd_04/"
- - "/bchd_05/"
- - "/bchd_06/"
- - "/bchd_07/"
- - "/bchd_08/"
- - "/bchd_09/"
- - "/bchd_10/"
- - "/bchd_11/"
- - "/bchd_12/"
- - "/bchd_13/"
- - "/bchd_14/"
- - "/bchd_15/"
- - "/bchd_16/"
- - "/bchd_17/"
- - "/bchd_18/"
- - "/bchd_19/"
- - "/bchd_20/"
- services:
- ctfd:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:8000"
- bchd_01:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:2001"
- bchd_02:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:2002"
- bchd_03:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:2003"
- bchd_04:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:2004"
- bchd_05:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:2005"
- bchd_06:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:2006"
- bchd_07:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:2007"
- bchd_08:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:2008"
- bchd_09:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:2009"
- bchd_10:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:2010"
- bchd_11:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:2011"
- bchd_12:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:2012"
- bchd_13:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:2013"
- bchd_14:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:2014"
- bchd_15:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:2015"
- bchd_16:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:2016"
- bchd_17:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:2017"
- bchd_18:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:2018"
- bchd_19:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:2019"
- bchd_20:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:2020"
roles/traefik/templates/traefik.yaml.j2
@@ -1,29 +0,0 @@
-providers:
- file:
- directory: "{{ traefik.dirs.dynamic_config }}"
- watch: true
-
-log:
- filePath: "{{ traefik.dirs.log }}/traefik.log"
- level: "INFO"
-
-entryPoints:
- web:
- address: ":80"
- http:
- redirections:
- entryPoint:
- to: "websecure"
- scheme: "https"
- permanent: True
-
- websecure:
- address: ":443"
-
-certificatesResolvers:
- tmc-acme-http:
- acme:
- email: "admin@trustme.click"
- storage: "{{ traefik.dirs.certs }}/tmc.json"
- httpChallenge:
- entryPoint: web
roles/traefik/templates/ttyd.yml
@@ -1,22 +0,0 @@
----
-http:
- routers:
- tty:
- rule: "Host(`tty.trustme.click`)"
- service: "tty"
- entryPoints:
- - "websecure"
- middlewares:
- - "test-auth"
- tls:
- certResolver: "tmc-acme-http"
- middlewares:
- test-auth:
- basicAuth:
- users:
- - "bob:$apr1$WDYAWxn1$z1gxYShmNj9j.lfjVL/lq1"
- services:
- tty:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:2222"
roles/traefik/templates/tuesdays.yml
@@ -1,15 +0,0 @@
----
-http:
- routers:
- tuesdays:
- rule: "Host(`tuesdays.dev`) || Host(`luby.tuesdays.dev`) || Host(`blog.tuesdays.dev`) || Host(`tools.tuesdays.dev`)"
- service: "tuesdays"
- entryPoints:
- - "websecure"
- tls:
- certResolver: "tmc-acme-http"
- services:
- tuesdays:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:8888"
root/etc/caddy/Caddyfile
@@ -0,0 +1,61 @@
+{
+ debug
+
+ # Configure caddy-security.
+ order authenticate before respond
+ security {
+ oauth identity provider generic {
+ delay_start 3
+ realm generic
+ driver generic
+ # TODO: get values from environemnt variables
+ client_id 9cc959e7-64cc-429a-8a5e-763e97308698
+ client_secret UwtIJ3nhcXzpixfwzyOp9Z07eiHbsu6U
+ scopes openid email profile
+ base_auth_url https://id.trustme.click
+ metadata_url https://id.trustme.click/.well-known/openid-configuration
+ }
+
+ authentication portal myportal {
+ crypto default token lifetime 3600 # Seconds until you have to re-authenticate
+ enable identity provider generic
+ cookie insecure off
+ transform user {
+ match realm generic
+ action add role user
+ }
+ }
+
+ authorization policy mypolicy {
+ set auth url /caddy-security/oauth2/generic
+ allow roles user
+ inject headers with claims
+ }
+ }
+}
+
+
+
+trustme.click, *.trustme.click {
+ tls /etc/ssl/certs/trustme.click.crt /etc/ssl/private/trustme.click.key
+ respond "{host} reached"
+}
+
+id.trustme.click {
+ reverse_proxy unix//run/pocket-id/pocket-id.sock
+}
+
+secure.trustme.click {
+ @auth {
+ path /caddy-security/*
+ }
+
+ route @auth {
+ authenticate with myportal
+ }
+
+ route /* {
+ authorize with mypolicy
+ respond "login {host} reached"
+ }
+}
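Review bot: `client_secret UwtIJ3nhcXzpixfwzyOp9Z07eiHbsu6U` in the `oauth identity provider generic` block commits what looks like a real OIDC client secret to the repository, and the TODO directly above it already acknowledges that the values belong in the environment. The Caddyfile supports environment placeholders, so the two lines can become `client_id {env.POCKET_ID_CLIENT_ID}` and `client_secret {env.POCKET_ID_CLIENT_SECRET}` (constructed names) with the values supplied through an `EnvironmentFile=` on caddy.service, the same pattern pocket-id.service in this commit uses for its own secrets; a secret that has been committed should be treated as disclosed and rotated in the provider regardless. The `debug` global option at the top of the file also turns on verbose logging for the whole server, so it is worth confirming it is not meant to stay in the deployed config.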
root/etc/systemd/system/caddy.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=caddy
+Documentation=https://caddyserver.com/docs/
+After=network.target
+
+[Service]
+ExecStart=/usr/local/bin/caddy run --config /etc/caddy/Caddyfile
+ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
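Review bot: The `[Service]` section sets no `User=`, so caddy runs as root with none of the hardening that pocket-id.service in this same commit applies, although the process only needs to bind 80/443, read the certificate under /etc/ssl and proxy to the pocket-id socket. A dedicated user plus `AmbientCapabilities=CAP_NET_BIND_SERVICE` covers the privileged ports, and because pocket-id.service creates /run/pocket-id with mode 0750 for pocketid:pocketid, that user also needs `SupplementaryGroups=pocketid` to reach the socket; /etc/ssl/private/trustme.click.key must likewise be readable by the new user, which I cannot confirm from this diff. Caddy keeps its own state on disk, so `ProtectSystem=strict` would additionally need a matching `StateDirectory=` or `ReadWritePaths=`; the lines below keep to the settings that do not depend on that.
```ini
[Service]
User=caddy
Group=caddy
SupplementaryGroups=pocketid
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
# … unchanged: ExecStart / ExecReload / Restart …
```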
root/etc/systemd/system/pocket-id.service
@@ -0,0 +1,29 @@
+[Unit]
+Description=pocket-id
+After=network.target
+Wants=network.target
+
+[Service]
+Type=simple
+User=pocketid
+Group=pocketid
+
+# Creates /run/pocket-id owned by pocketid:pocketid
+RuntimeDirectory=pocket-id
+RuntimeDirectoryMode=0750
+EnvironmentFile=/etc/pocket-id/env
+WorkingDirectory=/var/lib/pocket-id
+ExecStart=/usr/local/bin/pocket-id
+
+Restart=on-failure
+RestartSec=2
+
+# Hardening
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/run/pocket-id /var/lib/pocket-id
+
+[Install]
+WantedBy=multi-user.target
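Review bot: The `# Hardening` block leaves capabilities and address families unrestricted, which is where most of the remaining surface of a process that needs only a unix socket and a data directory sits. Since the unit already runs as the unprivileged `pocketid` user, `CapabilityBoundingSet=` (empty), `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` and `ProtectKernelTunables=true` can be added alongside the existing `NoNewPrivileges=true`. I am assuming pocket-id needs no capabilities and at most outbound IP sockets; confirm against the binary before narrowing the address families further.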
main.yml
@@ -1,17 +0,0 @@
----
-- hosts: localhost
-
- vars_files:
- - vars.yml
-
- gather_facts: True
-
- roles:
- - hostname
- - apt
- - home # git checkouts too
- - traefik
- - mirror-mirror
- - role: alias
- vars:
- alias_version: v2.1
min.yml
@@ -1,13 +0,0 @@
----
-- name: Minimal install (doom+apt)
- hosts: localhost
-
- vars_files:
- - vars.yml
-
- gather_facts: True
-
- roles:
- - hostname
- - apt
- - home # git checkouts too
nft.ruleset
@@ -0,0 +1,35 @@
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0;
+ policy drop;
+
+ # baseline
+ iif "lo" accept
+ ct state established,related accept
+
+ # explicitly allow (and count) the ports you care about
+ tcp dport 22 ct state new limit rate 10/minute accept
+ tcp dport 80 counter accept
+ tcp dport 443 counter accept
+
+ ip6 nexthdr icmpv6 accept
+
+ # everything else inbound is allowed, but counted
+ counter comment "input dropped"
+ }
+
+ chain forward {
+ type filter hook forward priority 0;
+ policy drop;
+
+ ct state established,related accept
+ counter comment "forward dropped"
+ }
+
+ chain output {
+ type filter hook output priority 0;
+ policy accept;
+ }
+}
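Review bot: The comment `# everything else inbound is allowed, but counted` above the final `counter` rule in chain input contradicts the `policy drop;` at the top of the same chain: the bare counter matches whatever fell through and the chain policy then drops it, so the comment should read `# everything else inbound is dropped by the chain policy, counted here first`. Separately, the chain accepts ICMPv6 but never IPv4 ICMP, so path-MTU discovery and diagnostics over IPv4 are silently dropped; `ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept` restores the usual set. Adding `ct state invalid drop` ahead of the port rules is the conventional companion, so that a packet with a broken conntrack state aimed at 80 or 443 is not accepted by `tcp dport 80 counter accept` before the policy ever applies.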
pocket-id.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+set -euo pipefail
+
+getent passwd pocketid >/dev/null || \
+sudo useradd \
+ --system \
+ --home /var/lib/pocket-id \
+ --shell /usr/sbin/nologin \
+ pocketid
+
+sudo install --directory \
+ --owner=pocketid \
+ --group=pocketid \
+ --mode=0750 \
+ /etc/pocket-id
+
+sudo install --directory \
+ --owner=pocketid \
+ --group=pocketid \
+ --mode=0750 \
+ /var/lib/pocket-id
+
+KEY=/etc/pocket-id/encryption_key
+ENV=/etc/pocket-id/env
+
+sudo install --owner=pocketid \
+ --group=pocketid \
+ --mode=0600 \
+ /dev/null \
+ "${KEY}"
+openssl rand -base64 32 | sudo tee "${KEY}"
+
+sudo install --owner=pocketid \
+ --group=pocketid \
+ --mode=0600 \
+ /dev/null \
+ "${ENV}"
+sudo tee "${ENV}" << 'EOF'
+APP_URL=https://id.trustme.click
+UNIX_SOCKET=/run/pocket-id/pocket-id.sock
+ENCRYPTION_KEY_FILE=/etc/pocket-id/encryption_key
+TRUST_PROXY=true
+EOF
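Review bot: `openssl rand -base64 32 | sudo tee "${KEY}"` writes the freshly generated encryption key to stdout as well as to the file, so the key ends up on the terminal and in any captured session or CI log; tee's stdout should go to /dev/null, and the same applies to the `sudo tee "${ENV}"` heredoc. The script is also not safe to re-run: the preceding `install ... /dev/null "${KEY}"` truncates an existing key and the next line replaces it, which would leave anything pocket-id already encrypted with the old key unreadable, and the `install`/`tee` pair rewrites /etc/pocket-id/env unconditionally as well. Guarding both on the file being absent or empty keeps the script idempotent, as the `getent ... || sudo useradd` line at the top already is for the user; the test needs `sudo` because /etc/pocket-id is created 0750 for pocketid, so the invoking user cannot stat files inside it. The env block gets the same guard.
```shell
# … unchanged: user and directory setup …
KEY=/etc/pocket-id/encryption_key
ENV=/etc/pocket-id/env

if ! sudo test -s "${KEY}"; then
  sudo install --owner=pocketid --group=pocketid --mode=0600 /dev/null "${KEY}"
  openssl rand -base64 32 | sudo tee "${KEY}" >/dev/null
fi
# … unchanged: env file, wrapped in the same `if ! sudo test -s "${ENV}"` guard …
```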
README.md
@@ -14,22 +14,7 @@
}
```
-### Ansible
+### Rewrite in progress
-```bash
-(
- set -e
- sudo apt update
- sudo apt install -y python3-pip python3-venv git
- mkdir -p $HOME/git; cd $HOME/git
- git -C trustme.click pull || git clone git@github.com:bryfry/trustme.click.git
- cd trustme.click
- python3 -m venv .ansible
- source .ansible/bin/activate
- python3 -m pip install --upgrade pip wheel
- python3 -m pip install ansible
- source ~/.profile
- ansible-playbook main.yml
- deactivate
-)
-```
+- use `pocket-id.sh` to start
+- goal: full automated setup via golang
vars.yml
@@ -1,84 +0,0 @@
----
-apt_pkgs:
- - tmux
- - htop
- - curl
- - haveged # helps random number generation on small vms
- - software-properties-common # needed for ppa add repo
- - dirmngr # needed for ppa add-key
- - gpg-agent # needed for ppa add-key
- - nmap
- - jq
- - tree
- - gnupg
- - python3-venv
- - figlet
- - elinks
- - wireguard
- - zip
- - vim
- - j2cli
- - git
- - ripgrep
- - fd-find
- - python3-pip
- - gopls
- - colordiff
- # nvim build
- - cmake
- - gettext
-
-apt_keys:
-# github cli key id
-# https://github.com/cli/cli/blob/trunk/docs/install_linux.md#debian-ubuntu-linux-raspberry-pi-os-apt
- - keyserver: "keyserver.ubuntu.com"
- id: "23F3D4EA75716059"
-
-apt_ppas:
- - "deb https://cli.github.com/packages stable main"
-
-apt_ppa_pkgs:
- - gh
-
-git_repos:
- - repo: git@github.com:bryfry/home.git
- dir: home
- - repo: git@github.com:bryfry/docs.git
- dir: docs
- - repo: git@gitlab.com:bryfry/mdnotes.git
- dir: mdnotes
-
-traefik:
- version: 2.8.0
- checksum: sha256:8c570f09684db0a34e52dc2894c1312b7510daa6f86db8bbc4641e8698b381b8
- acme_http_resolver: "tmc-acme-http"
- domain: "trustme.click"
- arch: "arm64"
- dirs:
- log: "/var/log/traefik"
- config: "/etc/traefik"
- certs: "/etc/traefik/certs"
- dynamic_config: "/etc/traefik/traefik.d"
- install: "/opt/traefik"
-
-# mirror-mirror
-mm:
- subdomain: "ip"
- address: 127.0.0.1
- port: 28103 # = 0x6d6d = mm (ascii)
- arch: "arm64"
-alias:
- subdomain: "alias"
- address: 127.0.0.1
- port: 28104
-proxy:
- subdomain: "proxy"
- address: 127.0.0.1
- port: 8080
-srs:
- subdomain: "srs"
- address: 127.0.0.1
- port: 8001
-
-# doom
-nodejs_version: 18.12.1