From a8b27a72208d5bf1d3683d3a1978ab868dc7678f Mon Sep 17 00:00:00 2001 
From: Mathias Teier Date: Fri, 1 Jan 2021 16:09:53 +0100 Subject: [PATCH] Init --- .gitignore | 4 + LICENSE | 21 ++++ README.md | 18 +++ docker/playbook-install-docker.yml | 23 ++++ init-nextcloud.sh | 6 + init-nummus.sh | 6 + mariadb/docker-compose.yml | 17 +++ mariadb/start.yml | 27 +++++ mariadb/stop.yml | 6 + mariadb/teardown.yml | 6 + minecraft/Dockerfile | 12 ++ minecraft/docker-compose.yml | 21 ++++ minecraft/docker-entrypoint.sh | 4 + minecraft/eula.txt | 3 + minecraft/server.template.properties | 51 ++++++++ minecraft/start.yml | 51 ++++++++ minecraft/stop.yml | 6 + minecraft/teardown.yml | 6 + nextcloud/docker-compose.yml | 39 ++++++ nextcloud/init.yml | 52 ++++++++ nextcloud/nginx.conf | 175 +++++++++++++++++++++++++++ nextcloud/start.yml | 8 ++ nextcloud/stop.yml | 7 ++ nextcloud/teardown.yml | 6 + nginx/nginx.conf | 74 +++++++++++ nginx/playbook-nginx.yml | 43 +++++++ nginx/playbook-update-configs.yml | 24 ++++ nginx/sites/nextcloud | 33 +++++ nginx/sites/nummus | 34 ++++++ nginx/sites/website | 33 +++++ nummus/docker-compose.yml | 21 ++++ nummus/init.yml | 47 +++++++ nummus/start.yml | 8 ++ nummus/stop.yml | 6 + nummus/teardown.yml | 7 ++ starbound/Dockerfile | 6 + starbound/docker-compose.yml | 9 ++ starbound/docker-entrypoint.sh | 3 + starbound/restart.yml | 6 + starbound/start.yml | 60 +++++++++ starbound/stop.yml | 6 + starbound/teardown.yml | 6 + start-mariadb.sh | 5 + template.env | 4 + ufw/playbook-ufw.yml | 57 +++++++++ 45 files changed, 1067 insertions(+) create mode 100644 .gitignore create mode 100644 LICENSE create mode 100644 README.md create mode 100644 docker/playbook-install-docker.yml create mode 100644 init-nextcloud.sh create mode 100644 init-nummus.sh create mode 100644 mariadb/docker-compose.yml create mode 100644 mariadb/start.yml create mode 100644 mariadb/stop.yml create mode 100644 mariadb/teardown.yml create mode 100644 minecraft/Dockerfile create mode 100644 minecraft/docker-compose.yml create mode 100755 
minecraft/docker-entrypoint.sh
 create mode 100644 minecraft/eula.txt
 create mode 100644 minecraft/server.template.properties
 create mode 100644 minecraft/start.yml
 create mode 100644 minecraft/stop.yml
 create mode 100644 minecraft/teardown.yml
 create mode 100644 nextcloud/docker-compose.yml
 create mode 100644 nextcloud/init.yml
 create mode 100644 nextcloud/nginx.conf
 create mode 100644 nextcloud/start.yml
 create mode 100644 nextcloud/stop.yml
 create mode 100644 nextcloud/teardown.yml
 create mode 100644 nginx/nginx.conf
 create mode 100644 nginx/playbook-nginx.yml
 create mode 100644 nginx/playbook-update-configs.yml
 create mode 100644 nginx/sites/nextcloud
 create mode 100644 nginx/sites/nummus
 create mode 100644 nginx/sites/website
 create mode 100644 nummus/docker-compose.yml
 create mode 100644 nummus/init.yml
 create mode 100644 nummus/start.yml
 create mode 100644 nummus/stop.yml
 create mode 100644 nummus/teardown.yml
 create mode 100644 starbound/Dockerfile
 create mode 100644 starbound/docker-compose.yml
 create mode 100644 starbound/docker-entrypoint.sh
 create mode 100644 starbound/restart.yml
 create mode 100644 starbound/start.yml
 create mode 100644 starbound/stop.yml
 create mode 100644 starbound/teardown.yml
 create mode 100644 start-mariadb.sh
 create mode 100644 template.env
 create mode 100644 ufw/playbook-ufw.yml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a8ca3c1
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+.env
+minecraft/server.jar
+starbound/binaries
+!starbound/binaries/.gitkeep
\ No newline at end of file
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..9acafc4
--- /dev/null
+++ b/LICENSE
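Review bot: The negation `!starbound/binaries/.gitkeep` on the last line of .gitignore has no effect, because git cannot re-include a file whose parent directory is excluded by the preceding `starbound/binaries` pattern. Ignore the directory's contents instead of the directory: `starbound/binaries/*` followed by `!starbound/binaries/.gitkeep`. The `.env` entry is what keeps the password file the README asks users to create out of the repository, so it should stay first in the list where it is easy to spot.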
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2021 Mathias Teier + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..0f26ce7 --- /dev/null +++ b/README.md 
@@ -0,0 +1,18 @@ +# teier.eu server-configuration +This is the configuration for my private server. + +It's a basic Ansible + Docker-Compose setup with Minecraft, Starbound, Nextcloud and Nummus, the latter of both behind an nginx reverse proxy. + +Maybe it can help you setting up your own server, you're free to copy and modify my files. + +## Usage +Most functionality is achieved through ansible playbooks. If you want to use them for your own server, install Ansible on your management machine (e.g. your desktop computer), add your server to `/etc/ansible/hosts` and change the host in the playbook files. + +Mariadb, Nextcloud and Nummus need Database passwords, therefore copy the template.env file to .env, enter your passwords and run one of the shell files (e.g. `start-mariadb.sh`) + +## Minecraft +To use the minecraft server, just copy the `server.jar` from `minecraft.net` to the minecraft directory and run `ansible-playbook minecraft/start.yml` + +## Starbound +My Starbound container only works with the **GOG version!** +After installing Starboud on your gaming machine, archive all files from `~/GOG Games/Starbound/game/` into `starbound/binaries/binaries.tar.gz` and then run `ansible-playbook starbound/start.yml` \ No newline at end of file diff --git a/docker/playbook-install-docker.yml b/docker/playbook-install-docker.yml new file mode 100644 index 0000000..7ff9aeb --- /dev/null +++ b/docker/playbook-install-docker.yml 
@@ -0,0 +1,23 @@
+---
+- name: Update Server and install docker
+ hosts: teier.eu
+ gather_facts: yes
+ tasks:
+ - name: Upgrade system
+ apt: upgrade=dist update_cache=yes
+ - name: Install Docker
+ apt: name=docker state=latest
+ - name: Install Docker Compose
+ apt: name=docker-compose state=latest
+ - name: Install Pip
+ apt: name=python-pip state=latest
+ - name: Install Docker Py
+ shell: pip install docker
+ - name: Enabled Docker Service
+ service:
+ name: docker
+ enabled: yes
+ - name: Start Docker
+ service:
+ name: docker
+ state: started
diff --git a/init-nextcloud.sh b/init-nextcloud.sh
new file mode 100644
index 0000000..d68779c
--- /dev/null
+++ b/init-nextcloud.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+source ./.env
+
+[ -z "$MARIADB_ROOT_PASSWORD" ] && echo "MARIADB_ROOT_PASSWORD not set" && exit 1
+[ -z "$NEXTCLOUD_DB_PASSWORD" ] && echo "NEXTCLOUD_DB_PASSWORD not set" && exit 1
+ansible-playbook nextcloud/init.yml
\ No newline at end of file
diff --git a/init-nummus.sh b/init-nummus.sh
new file mode 100644
index 0000000..fff16ec
--- /dev/null
+++ b/init-nummus.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+source ./.env
+
+[ -z "$MARIADB_ROOT_PASSWORD" ] && echo "MARIADB_ROOT_PASSWORD not set" && exit 1
+[ -z "$NUMMUS_DB_PASSWORD" ] && echo "NUMMUS_DB_PASSWORD not set" && exit 1
+ansible-playbook nummus/init.yml
\ No newline at end of file
diff --git a/mariadb/docker-compose.yml b/mariadb/docker-compose.yml
new file mode 100644
index 0000000..444319c
--- /dev/null
+++ b/mariadb/docker-compose.yml
@@ -0,0 +1,17 @@
+version: '2.4'
+services:
+ mariadb:
+ image: mariadb:10.5.8
+ environment:
+ MYSQL_ROOT_PASSWORD: ${MARIADB_ROOT_PASSWORD}
+ networks:
+ - mariadb_net
+ volumes:
+ - /var/lib/mysql:/var/lib/mysql
+ ports:
+ - 3306:3306
+networks:
+ mariadb_net:
+ name: mariadb_net
+ driver: bridge
+
\ No newline at end of file
diff --git a/mariadb/start.yml b/mariadb/start.yml
new file mode 100644
index 0000000..efb10d7
--- /dev/null
+++ b/mariadb/start.yml
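Review bot: `apt: name=docker state=latest` in the Install Docker task most likely installs the wrong package: on Debian the engine is shipped as `docker.io` (the `docker` package is an unrelated tray-docklet tool), so check which package the target host needs and pin it with `state=present` instead of `latest`, which also upgrades on every run. `shell: pip install docker` performs an unpinned install as root and never reports unchanged; the `pip` module (`pip: name=docker`) is idempotent, and `python-pip` is the Python 2 package, which current Ansible modules no longer target. Pinning the package versions here keeps the rest of the deployment reproducible.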
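Review bot: `source ./.env` on the second line of init-nextcloud.sh sets shell variables but does not export them, so unless the entries in template.env (not in this chunk) are written with `export`, the `ansible-playbook` child process never sees MARIADB_ROOT_PASSWORD or NEXTCLOUD_DB_PASSWORD and the `lookup('env', ...)` calls in nextcloud/init.yml resolve to empty strings; the `[ -z ... ]` checks still pass because they run in the same shell. Export everything the file defines with `set -a; source ./.env; set +a`. init-nummus.sh has the same issue.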
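Review bot: `ports: - 3306:3306` publishes MariaDB on every host interface, so the database — whose application users are created for host `%` in the init playbooks — is reachable from the internet, and published ports are typically accepted by Docker's own iptables rules before any ufw rule applies. Nextcloud and Nummus reach it over `mariadb_net` and the init playbooks connect via localhost, so binding to loopback keeps both working: `- 127.0.0.1:3306:3306`. The same applies to `8081:80` in nextcloud/docker-compose.yml and `8082:80` in nummus/docker-compose.yml, which expose the plain-HTTP backends beside the TLS proxy that fronts them; `127.0.0.1:8081:80` and `127.0.0.1:8082:80` make them proxy-only. The mariadb service also has no `restart:` policy, unlike nextcloud's `web`.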
@@ -0,0 +1,27 @@
+---
+- hosts: teier.eu
+ gather_facts: no
+ tasks:
+ - name: Check dc directory
+ stat:
+ path: /dc/mariadb
+ register: mariadb_dc_dir_stat
+
+ - name: Create mariadb dc directory
+ file:
+ path: /dc/mariadb
+ state: directory
+ mode: 0755
+ group: root
+ owner: root
+ when: mariadb_dc_dir_stat.islnk is not defined
+
+ - name: Copy compose file
+ copy:
+ src: docker-compose.yml
+ dest: /dc/mariadb
+
+ - name: Start mariadb
+ shell: "cd /dc/mariadb && docker-compose up -d"
+ environment:
+ MARIADB_ROOT_PASSWORD: "{{ lookup('env', 'MARIADB_ROOT_PASSWORD') }}"
\ No newline at end of file
diff --git a/mariadb/stop.yml b/mariadb/stop.yml
new file mode 100644
index 0000000..a83188b
--- /dev/null
+++ b/mariadb/stop.yml
@@ -0,0 +1,6 @@
+---
+- hosts: teier.eu
+ gather_facts: no
+ tasks:
+ - name: Stop Mariadb
+ shell: "cd /dc/mariadb && docker-compose stop"
\ No newline at end of file
diff --git a/mariadb/teardown.yml b/mariadb/teardown.yml
new file mode 100644
index 0000000..d05493f
--- /dev/null
+++ b/mariadb/teardown.yml
@@ -0,0 +1,6 @@
+---
+- hosts: teier.eu
+ gather_facts: no
+ tasks:
+ - name: Teardown mariadb
+ shell: "cd /dc/mariadb && docker-compose down"
\ No newline at end of file
diff --git a/minecraft/Dockerfile b/minecraft/Dockerfile
new file mode 100644
index 0000000..e4479d7
--- /dev/null
+++ b/minecraft/Dockerfile
@@ -0,0 +1,12 @@
+FROM debian:buster-slim
+RUN mkdir -p /usr/share/man/man1
+RUN apt update
+RUN apt install -y default-jre
+RUN apt install -y bash
+RUN apt install -y gettext-base
+COPY ./server.jar /minecraft/
+COPY ./docker-entrypoint.sh /minecraft/
+COPY ./eula.txt /minecraft/
+COPY ./server.template.properties /minecraft/
+EXPOSE 25565
+ENTRYPOINT ["/bin/bash", "/minecraft/docker-entrypoint.sh"]
diff --git a/minecraft/docker-compose.yml b/minecraft/docker-compose.yml
new file mode 100644
index 0000000..d4d62ab
--- /dev/null
+++ b/minecraft/docker-compose.yml
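Review bot: The condition `when: mariadb_dc_dir_stat.islnk is not defined` on the Create task is always true, because the stat module returns its fields under `stat` (`mariadb_dc_dir_stat.stat.islnk`), so the Check task contributes nothing; `file: state: directory` is idempotent on its own, so drop the stat task and the `when`, or use `when: not mariadb_dc_dir_stat.stat.exists` if the guard is wanted. The same pattern is repeated in minecraft/start.yml, nextcloud/init.yml, nummus/init.yml and starbound/start.yml. Since playbook-install-docker.yml installs the docker Python package, the `shell: "cd ... && docker-compose up -d"` tasks could use the `docker_compose` module with `project_src`, which reports changed/unchanged instead of always "changed".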
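Review bot: The three separate `RUN apt install` lines each add a layer on top of a cached `RUN apt update` layer and leave the package lists in the image; collapse them into one `RUN apt-get update && apt-get install -y --no-install-recommends default-jre gettext-base && rm -rf /var/lib/apt/lists/*` (bash is already part of debian:buster-slim, and `apt-get` is the interface meant for scripts). There is no `USER` instruction, so the Java server runs as root inside the container; a dedicated user would limit what a compromised server can do, but the bind-mounted world and json files would then need matching ownership on the host, so that is a follow-up rather than a one-line change.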
@@ -0,0 +1,21 @@
+version: '2.4'
+services:
+ minecraft:
+ build:
+ context: .
+ volumes:
+ - /var/minecraft/world:/minecraft/world
+ - /var/minecraft/ops.json:/minecraft/ops.json
+ - /var/minecraft/whitelist.json:/minecraft/whitelist.json
+ - /var/minecraft/banned-players.json:/minecraft/banned-player.json
+ - /var/minecraft/banned-ips.json:/minecraft/banned-ips.json
+ environment:
+ PORT: "25565"
+ ENABLE_COMMAND_BLOCK: "true"
+ MOTD: "Teiercloud Minecraft Server"
+ ENABLE_PVP: "true"
+ DIFFICULTY: "easy"
+ MAX_PLAYERS: "20"
+ ENABLED_WHITELIST: "true"
+ ports:
+ - 25565:25565
diff --git a/minecraft/docker-entrypoint.sh b/minecraft/docker-entrypoint.sh
new file mode 100755
index 0000000..21cb9d3
--- /dev/null
+++ b/minecraft/docker-entrypoint.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+envsubst /minecraft/server.properties
+cd /minecraft
+java -Xms3G -Xmx3G -jar server.jar nogui
diff --git a/minecraft/eula.txt b/minecraft/eula.txt
new file mode 100644
index 0000000..e5ff6d4
--- /dev/null
+++ b/minecraft/eula.txt
@@ -0,0 +1,3 @@
+#By changing the setting below to TRUE you are indicating your agreement to our EULA (https://account.mojang.com/documents/minecraft_eula).
+#Tue Oct 22 14:50:17 UTC 2019
+eula=true
diff --git a/minecraft/server.template.properties b/minecraft/server.template.properties
new file mode 100644
index 0000000..472e6ef
--- /dev/null
+++ b/minecraft/server.template.properties
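Review bot: `ENABLED_WHITELIST: "true"` does not match the placeholder `${ENABLE_WHITELIST}` that server.template.properties uses for both `white-list` and `enforce-whitelist`, so substitution produces empty values and the whitelist ends up disabled on a server published on 25565; rename the key to `ENABLE_WHITELIST: "true"`. The volume line `/var/minecraft/banned-players.json:/minecraft/banned-player.json` mounts the host file under a misspelled container path, so bans the server writes to `banned-players.json` are not persisted; change the target to `/minecraft/banned-players.json`. `LEVEL_SEED` is referenced by the template but not set here, which leaves `level-seed=` empty (random seed) — fine if intended, worth a comment either way.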
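Review bot: `envsubst /minecraft/server.properties` on the second line does not render the template: envsubst reads the template from stdin and writes to stdout, and its positional argument is the list of variables to substitute, so with no stdin in the container nothing is written and server.properties is never created; the server then falls back to its built-in defaults (whitelist off among them). Write it as `envsubst < /minecraft/server.template.properties > /minecraft/server.properties`. Also start the JVM with `exec java -Xms3G -Xmx3G -jar server.jar nogui` so the server is PID 1 and the SIGTERM from `docker stop` reaches it for a clean world save; starbound/docker-entrypoint.sh has the same missing `exec` in front of `./starbound_server`.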
@@ -0,0 +1,51 @@ +enable-jmx-monitoring=false +rcon.port=25575 +level-seed=${LEVEL_SEED} +enable-command-block=${ENABLE_COMMAND_BLOCK} +gamemode=survival +enable-query=false +generator-settings= +level-name=world +motd=${MOTD} +query.port=${PORT} +pvp=${ENABLE_PVP} +generate-structures=true +difficulty=${DIFFICULTY} +network-compression-threshold=256 +max-tick-time=60000 +max-players=${MAX_PLAYERS} +use-native-transport=true +online-mode=true +enable-status=true +allow-flight=false +broadcast-rcon-to-ops=true +view-distance=10 +max-build-height=256 +server-ip= +allow-nether=true +server-port=${PORT} +enable-rcon=false +sync-chunk-writes=true +op-permission-level=4 +prevent-proxy-connections=false +resource-pack= +entity-broadcast-range-percentage=100 +player-idle-timeout=0 +rcon.password= +force-gamemode=false +debug=false +rate-limit=0 +hardcore=false +white-list=${ENABLE_WHITELIST} +broadcast-console-to-ops=true +spawn-npcs=true +spawn-animals=true +snooper-enabled=true +function-permission-level=2 +level-type=default +text-filtering-config= +spawn-monsters=true +enforce-whitelist=${ENABLE_WHITELIST} +spawn-protection=0 +resource-pack-sha1= +max-world-size=29999984 diff --git a/minecraft/start.yml b/minecraft/start.yml new file mode 100644 index 0000000..e84aa49 --- /dev/null +++ b/minecraft/start.yml 
@@ -0,0 +1,51 @@ +--- +- hosts: teier.eu + gather_facts: no + tasks: + - name: Check dc directory + stat: + path: /dc/minecraft + register: minecraft_dc_dir_stat + + - name: Create minecraft dc directory + file: + path: /dc/minecraft + state: directory + mode: 0755 + group: root + owner: root + when: minecraft_dc_dir_stat.islnk is not defined + + - name: Copy server.jar + copy: + src: server.jar + dest: /dc/minecraft/ + + - name: Copy properties template + copy: + src: server.template.properties + dest: /dc/minecraft/ + + - name: Copy EULA + copy: + src: eula.txt + dest: /dc/minecraft/ + + - name: Copy docker-entrypoint + copy: + src: docker-entrypoint.sh + dest: /dc/minecraft/ + + - name: Copy Dockerfile + copy: + src: Dockerfile + dest: /dc/minecraft/ + + - name: Copy compose file + copy: + src: docker-compose.yml + dest: /dc/minecraft/ + + - name: Start minecraft + shell: "cd /dc/minecraft && docker-compose up -d" + \ No newline at end of file diff --git a/minecraft/stop.yml b/minecraft/stop.yml new file mode 100644 index 0000000..6412482 --- /dev/null +++ b/minecraft/stop.yml @@ -0,0 +1,6 @@ +--- +- hosts: teier.eu + gather_facts: no + tasks: + - name: Stop Minecraft + shell: "cd /dc/minecraft && docker-compose stop" \ No newline at end of file diff --git a/minecraft/teardown.yml b/minecraft/teardown.yml new file mode 100644 index 0000000..11fa1da --- /dev/null +++ b/minecraft/teardown.yml @@ -0,0 +1,6 @@ +--- +- hosts: teier.eu + gather_facts: no + tasks: + - name: Teardown Minecraft + shell: "cd /dc/minecraft && docker-compose down --rmi local" \ No newline at end of file diff --git a/nextcloud/docker-compose.yml b/nextcloud/docker-compose.yml new file mode 100644 index 0000000..b1ed737 --- /dev/null +++ b/nextcloud/docker-compose.yml 
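Review bot: `docker-compose up -d` in the Start minecraft task only builds the image when none exists yet, so after the first run a new server.jar, Dockerfile or entrypoint copied by the preceding tasks is silently ignored; use `shell: "cd /dc/minecraft && docker-compose up -d --build"`. The same applies to the Start starbound task in starbound/start.yml, whose freshly extracted binaries are baked into the image, and to starbound/restart.yml, which runs plain `up -d` and therefore neither rebuilds nor restarts a container that is already up. The `copy` of server.jar accepts a `checksum:` parameter, which would pin exactly which binary gets deployed.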
@@ -0,0 +1,39 @@ +version: '2.4' +services: + nextcloud: + image: nextcloud:fpm + environment: + MYSQL_DATABASE: nextcloud + MYSQL_USER: nextcloud + MYSQL_HOST: mariadb + MYSQL_PASSWORD: ${NEXTCLOUD_DB_PASSWORD} + TRUSTED_PROXIES: "cloud.teier.eu 138.201.74.231 172.0.0.1/8" + APACHE_DISABLE_REWRITE_IP: "1" + OVERWRITEHOST: "cloud.teier.eu" + OVERWRITEPROTOCOL: "https" + OVERWRITEWEBROOT: "/" + OVERWRITECONADDR: "138.201.74.231" + networks: + - "mariadb_net" + - "nextcloud_net" + volumes: + - /var/nextcloud:/var/www/html + web: + image: nginx + restart: always + ports: + - 8081:80 + networks: + - "nextcloud_net" + volumes: + - ./nginx.conf:/etc/nginx/nginx.conf:ro + volumes_from: + - nextcloud +networks: + nextcloud_net: + name: "nextcloud_net" + driver: bridge + mariadb_net: + name: "mariadb_net" + external: true + \ No newline at end of file diff --git a/nextcloud/init.yml b/nextcloud/init.yml new file mode 100644 index 0000000..e0681f8 --- /dev/null +++ b/nextcloud/init.yml 
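Review bot: `TRUSTED_PROXIES` contains `172.0.0.1/8`, which is effectively the public `172.0.0.0/8` block rather than Docker's `172.16.0.0/12`, so any client in that range can forge `X-Forwarded-For` and Nextcloud's logging and brute-force protection will act on the spoofed address; list the actual proxy networks instead, e.g. `172.16.0.0/12` or, better, the `nextcloud_net` subnet. `OVERWRITECONADDR` looks misspelled — the image documents `OVERWRITECONDADDR` — so that setting is presumably ignored, and `APACHE_DISABLE_REWRITE_IP` has no effect on `nextcloud:fpm`, which ships no Apache. `nextcloud:fpm` and `nginx` are unpinned while `mariadb:10.5.8` is pinned, and `restart: always` is set only on `web`, not on the app container it depends on.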
@@ -0,0 +1,52 @@ +--- +- hosts: teier.eu + gather_facts: no + tasks: + - name: Install PyMySQL + shell: pip install PyMySQL + + - name: Create database for nextcloud + community.mysql.mysql_db: + login_user: root + login_password: "{{ lookup('env', 'MARIADB_ROOT_PASSWORD') }}" + name: nextcloud + state: present + + - name: Create database user for nextcloud + community.mysql.mysql_user: + login_user: root + login_password: "{{ lookup('env', 'MARIADB_ROOT_PASSWORD') }}" + name: nextcloud + password: "{{ lookup('env', 'NEXTCLOUD_DB_PASSWORD') }}" + host: "%" + priv: 'nextcloud.*:ALL' + state: present + + - name: Check dc directory + stat: + path: /dc/nextcloud + register: nextcloud_dc_dir_stat + + - name: Create nextcloud dc directory + file: + path: /dc/nextcloud + state: directory + mode: 0755 + group: root + owner: root + when: nextcloud_dc_dir_stat.islnk is not defined + + - name: Copy compose file + copy: + src: docker-compose.yml + dest: /dc/nextcloud + + - name: Copy nginx conf + copy: + src: nginx.conf + dest: /dc/nextcloud + + - name: Start nextcloud + shell: "cd /dc/nextcloud && docker-compose up -d" + environment: + NEXTCLOUD_DB_PASSWORD: "{{ lookup('env', 'NEXTCLOUD_DB_PASSWORD') }}" \ No newline at end of file diff --git a/nextcloud/nginx.conf b/nextcloud/nginx.conf new file mode 100644 index 0000000..d389c70 --- /dev/null +++ b/nextcloud/nginx.conf 
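Review bot: The mysql_user task creates `nextcloud` with `host: "%"`, i.e. it may log in from any address, and combined with the `3306:3306` publish in mariadb/docker-compose.yml that makes the account reachable from outside the host; restrict it to where the container actually connects from, e.g. `host: "172.%"` (constructed example — use the real `mariadb_net` subnet). `shell: pip install PyMySQL` runs unpinned on every play and always reports changed; `pip: name: PyMySQL` is idempotent. Both points apply equally to nummus/init.yml.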
@@ -0,0 +1,175 @@ +worker_processes auto; + +error_log /var/log/nginx/error.log warn; +pid /var/run/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + set_real_ip_from 10.0.0.0/8; + set_real_ip_from 172.16.0.0/12; + set_real_ip_from 192.168.0.0/16; + real_ip_header X-Real-IP; + + #gzip on; + + upstream php-handler { + server nextcloud:9000; + } + + server { + listen 80; + + server_name cloud.teier.eu; + + # Add headers to serve security related headers + # Before enabling Strict-Transport-Security headers please read into this + # topic first. + #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + # + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; + + # Path to the root of your installation + root /var/www/html; + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # The following 2 rules are only needed for the user_webfinger app. 
+ # Uncomment it if you're planning to use this app. + #rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + + # The following rule is only needed for the Social app. + # Uncomment it if you're planning to use this app. + #rewrite ^/.well-known/webfinger /public.php?service=webfinger last; + + location = /.well-known/carddav { + return 301 $scheme://$host:$server_port/remote.php/dav; + } + + location = /.well-known/caldav { + return 301 $scheme://$host:$server_port/remote.php/dav; + } + + # set max upload size + client_max_body_size 10G; + fastcgi_buffers 64 4K; + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + # Uncomment if your server is build with the ngx_pagespeed module + # This module is currently not supported. 
+ #pagespeed off; + + location / { + rewrite ^ /index.php; + } + + location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { + deny all; + } + location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + + location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { + fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; + set $path_info $fastcgi_path_info; + try_files $fastcgi_script_name =404; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $path_info; + # fastcgi_param HTTPS on; + + # Avoid sending the security headers twice + fastcgi_param modHeadersAvailable true; + + # Enable pretty urls + fastcgi_param front_controller_active true; + fastcgi_pass php-handler; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { + try_files $uri/ =404; + index index.php; + } + + # Adding the cache control header for js, css and map files + # Make sure it is BELOW the PHP block + location ~ \.(?:css|js|woff2?|svg|gif|map)$ { + try_files $uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463"; + # Add headers to serve security related headers (It is intended to + # have those duplicated to the ones above) + # Before enabling Strict-Transport-Security headers please read into + # this topic first. + #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + # + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. 
+ add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Optional: Don't log access to assets + access_log off; + } + + location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ { + try_files $uri /index.php$request_uri; + # Optional: Don't log access to other assets + access_log off; + } + } +} \ No newline at end of file diff --git a/nextcloud/start.yml b/nextcloud/start.yml new file mode 100644 index 0000000..171d526 --- /dev/null +++ b/nextcloud/start.yml @@ -0,0 +1,8 @@ +--- +- hosts: teier.eu + gather_facts: no + tasks: + - name: Start nextcloud + shell: "cd /dc/nextcloud && docker-compose up -d" + environment: + NEXTCLOUD_DB_PASSWORD: "{{ lookup('env', 'NEXTCLOUD_DB_PASSWORD') }}" \ No newline at end of file diff --git a/nextcloud/stop.yml b/nextcloud/stop.yml new file mode 100644 index 0000000..88b9132 --- /dev/null +++ b/nextcloud/stop.yml @@ -0,0 +1,7 @@ +--- +- hosts: teier.eu + gather_facts: no + tasks: + tasks: + - name: Stop nextcloud + shell: "cd /dc/nextcloud && docker-compose stop" \ No newline at end of file diff --git a/nextcloud/teardown.yml b/nextcloud/teardown.yml new file mode 100644 index 0000000..740f52d --- /dev/null +++ b/nextcloud/teardown.yml @@ -0,0 +1,6 @@ +--- +- hosts: teier.eu + gather_facts: no + tasks: + - name: Teardown nextcloud + shell: "cd /dc/nextcloud && docker-compose down" \ No newline at end of file diff --git a/nginx/nginx.conf b/nginx/nginx.conf new file mode 100644 index 0000000..5862089 --- /dev/null +++ b/nginx/nginx.conf 
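Review bot: `real_ip_header X-Real-IP;` in the http block expects the fronting proxy to send X-Real-IP, but nginx/sites/nextcloud only sets `Host`, `X-Forwarded-For` and `X-Forwarded-Proto`, so `$remote_addr` inside this container stays the proxy's address and the access log never shows the client IP. Either change it here to `real_ip_header X-Forwarded-For;` together with `real_ip_recursive on;`, or add `proxy_set_header X-Real-IP $remote_addr;` in the site config. The `set_real_ip_from` list covers the private ranges only, which is the right scope for the Docker networks in play.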
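Review bot: `tasks:` appears twice in nextcloud/stop.yml, so the play carries a duplicate mapping key; depending on how the second one is indented this is either a duplicate-key warning with one value discarded or an invalid `tasks` value, and either way one of the two `tasks:` lines should be removed. nummus/teardown.yml has the same duplicated key. Several task names also contradict what they run — `Start Nummus` runs `docker-compose down` in nummus/teardown.yml, and `Restart starbound` labels `stop` in starbound/stop.yml and `down --rmi local` in starbound/teardown.yml — which makes play output misleading when something fails.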
@@ -0,0 +1,74 @@ +user www-data; +worker_processes auto; +pid /run/nginx.pid; +include /etc/nginx/modules-enabled/*.conf; + +events { + worker_connections 768; + # multi_accept on; +} + +http { + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + # server_tokens off; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + #Headers + add_header X-Frame-Options "SAMEORIGIN"; + add_header Strict-Transport-Security "15552000"; + + ## + # SSL Settings + ## + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on; + + ## + # Logging Settings + ## + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + ## + # Gzip Settings + ## + + gzip on; + + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + ## + # Virtual Host Configs + ## + + # CUSTOM + client_max_body_size 10G; + + map $http_connection $connection_upgrade { + "~*Upgrade" $http_connection; + default keep-alive; + } + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; +} \ No newline at end of file diff --git a/nginx/playbook-nginx.yml b/nginx/playbook-nginx.yml new file mode 100644 index 0000000..ce95702 --- /dev/null +++ b/nginx/playbook-nginx.yml 
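Review bot: `add_header Strict-Transport-Security "15552000";` is malformed — the value must carry the directive name — so browsers ignore it and HSTS is effectively off for all three sites; change it to `add_header Strict-Transport-Security "max-age=15552000" always;`. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still offers TLS 1.0 and 1.1, which are deprecated; `ssl_protocols TLSv1.2 TLSv1.3;` plus an explicit `ssl_ciphers` list is the usual baseline (TLS 1.3 needs nginx 1.13+ with OpenSSL 1.1.1, which buster's packages should provide — to be confirmed). `# server_tokens off;` stays commented, so the version banner is sent, and note that `add_header` in the http context is inherited only by server/location blocks that add no headers of their own.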
@@ -0,0 +1,43 @@ +--- +- name: Install nginx + hosts: teier.eu + gather_facts: yes + + tasks: + - name: Upgrade system + apt: upgrade=dist update_cache=yes + + - name: Install nginx + apt: name=nginx state=latest + + - name: Install certbot + apt: name=certbot state=latest + + - name: Stop Nginx for configuration and certificate approval + service: name=nginx state=stopped + + - name: Remove nginx site config + shell: "rm -f /etc/nginx/sites-enabled/*" + + - name: Get Certificate + shell: certbot certonly --standalone --preferred-challenges http -m mathias.teier@icloud.com --agree-tos -n -d teier.eu -d cloud.teier.eu -d nummus.teier.eu -d www.teier.eu + + - name: Install nginx server config + copy: + src: nginx.conf + dest: /etc/nginx/nginx.conf + + - name: Install nginx site configs + copy: + src: sites/ + dest: /etc/nginx/sites-enabled/ + + - name: Start nginx + service: name=nginx state=started + + - name: Add letsencrypt cronjob for cert renewal + cron: + name: renew_cert + day: "1,15" + hour: "2" + job: service nginx stop && certbot --renew && service nginx start diff --git a/nginx/playbook-update-configs.yml b/nginx/playbook-update-configs.yml new file mode 100644 index 0000000..40c23fc --- /dev/null +++ b/nginx/playbook-update-configs.yml @@ -0,0 +1,24 @@ +--- +- name: Update nginx configs + hosts: teier.eu + gather_facts: yes + + tasks: + - name: Stop Nginx for configuration + service: name=nginx state=stopped + + - name: Remove nginx site config + shell: "rm -f /etc/nginx/sites-enabled/*" + + - name: Install nginx server config + copy: + src: nginx.conf + dest: /etc/nginx/nginx.conf + + - name: Install nginx site configs + copy: + src: sites/ + dest: /etc/nginx/sites-enabled/ + + - name: Start nginx + service: name=nginx state=started \ No newline at end of file diff --git a/nginx/sites/nextcloud b/nginx/sites/nextcloud new file mode 100644 index 0000000..36cbe0f --- /dev/null +++ b/nginx/sites/nextcloud 
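Review bot: The cron job `service nginx stop && certbot --renew && service nginx start` uses `--renew`, which is not a documented certbot option — renewal is the `certbot renew` subcommand — so the chain aborts after stopping nginx and leaves every site down twice a month until someone restarts it. Use the hooks so nginx is only stopped when a renewal actually happens: `job: certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"`. The `copy` of nginx.conf here and in playbook-update-configs.yml would benefit from `validate: nginx -t -c %s`, so a broken config cannot be installed while nginx is stopped, and `apt ... state=latest` upgrades nginx and certbot on every run rather than pinning them.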
@@ -0,0 +1,33 @@ +server { + listen 80; + server_name cloud.teier.eu; + return 301 https://cloud.teier.eu:443$request_uri; +} + +server { + listen 443 ssl http2; + server_name cloud.teier.eu; + + ssl on; + ssl_certificate /etc/letsencrypt/live/teier.eu/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/teier.eu/privkey.pem; + + location / { + proxy_pass http://127.0.0.1:8081/; + + # Configuration for WebSockets + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_cache off; + + # Configuration for ServerSentEvents + proxy_buffering off; + + # Configuration for LongPolling or if your KeepAliveInterval is longer than 60 seconds + proxy_read_timeout 100s; + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } +} \ No newline at end of file diff --git a/nginx/sites/nummus b/nginx/sites/nummus new file mode 100644 index 0000000..b479f21 --- /dev/null +++ b/nginx/sites/nummus @@ -0,0 +1,34 @@ +server { + listen 80; + server_name nummus.teier.eu; + return 301 https://$server_name:443$request_uri; +} + +server { + listen 443; + server_name nummus.teier.eu; + + ssl on; + ssl_certificate /etc/letsencrypt/live/teier.eu/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/teier.eu/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/teier.eu/fullchain.pem; + + location / { + proxy_pass http://127.0.0.1:8082; + + # Configuration for WebSockets + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_cache off; + + # Configuration for ServerSentEvents + proxy_buffering off; + + # Configuration for LongPolling or if your KeepAliveInterval is longer than 60 seconds + proxy_read_timeout 100s; + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } +} 
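Review bot: The proxied request carries no `X-Real-IP`, yet nextcloud/nginx.conf inside the container uses `real_ip_header X-Real-IP;`, so the client address never reaches Nextcloud's logs; add `proxy_set_header X-Real-IP $remote_addr;` next to the other `proxy_set_header` lines. `ssl on;` is deprecated (removed in nginx 1.25) and redundant with `listen 443 ssl http2;`, so drop it. Passing `X-Forwarded-Proto $scheme` is what keeps Nextcloud's `OVERWRITEPROTOCOL` consistent with the TLS termination here, which is correct as written.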
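Review bot: `listen 443;` in the nummus HTTPS server lacks the `ssl` parameter and relies on the deprecated `ssl on;` to enable TLS, unlike the nextcloud and website blocks that use `listen 443 ssl http2;`; bring it in line with `listen 443 ssl http2;` and drop `ssl on;`. `ssl_trusted_certificate` only matters together with `ssl_stapling on;`, which is not enabled, so either turn stapling on or remove the line so it does not suggest stapling is in place.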
diff --git a/nginx/sites/website b/nginx/sites/website new file mode 100644 index 0000000..283edb6 --- /dev/null +++ b/nginx/sites/website @@ -0,0 +1,33 @@ +server { + listen 80; + server_name teier.eu www.teier.eu; + return 301 https://www.teier.eu:443$request_uri; +} + +server { + listen 443 ssl http2; + server_name teier.eu www.teier.eu; + + ssl on; + ssl_certificate /etc/letsencrypt/live/teier.eu/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/teier.eu/privkey.pem; + + location / { + proxy_pass http://127.0.0.1:8080/; + proxy_redirect off; + + proxy_pass_header Authorization; + proxy_set_header Referer $http_referer; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_buffering off; + proxy_request_buffering off; + client_max_body_size 0; + proxy_read_timeout 36000s; + proxy_ssl_session_reuse off; + } +} \ No newline at end of file diff --git a/nummus/docker-compose.yml b/nummus/docker-compose.yml new file mode 100644 index 0000000..f627843 --- /dev/null +++ b/nummus/docker-compose.yml @@ -0,0 +1,21 @@ +version: '2.4' +services: + nummus: + image: glenroy37/nummus:0.1-alpha + environment: + DB_HOST: mariadb + DB_USER: nummus + DB_PASSWORD: ${NUMMUS_DB_PASSWORD} + DB_NAME: nummus + DETAILED_ERRORS: "false" + LOCALE: de-AT + USER_REGISTRATION_ENABLED: "false" + networks: + - mariadb_net + ports: + - 8082:80 +networks: + mariadb_net: + name: "mariadb_net" + external: true + \ No newline at end of file diff --git a/nummus/init.yml b/nummus/init.yml new file mode 100644 index 0000000..ae7001e --- /dev/null +++ b/nummus/init.yml 
@@ -0,0 +1,47 @@ +--- +- hosts: teier.eu + gather_facts: no + tasks: + - name: Install PyMySQL + shell: pip install PyMySQL + + - name: Create database for Nummus + community.mysql.mysql_db: + login_user: root + login_password: "{{ lookup('env', 'MARIADB_ROOT_PASSWORD') }}" + name: nummus + state: present + + - name: Create database user for Nummus + community.mysql.mysql_user: + login_user: root + login_password: "{{ lookup('env', 'MARIADB_ROOT_PASSWORD') }}" + host: "%" + name: "nummus" + password: "{{ lookup('env', 'NUMMUS_DB_PASSWORD') }}" + priv: 'nummus.*:ALL' + state: present + + - name: Check dc directory + stat: + path: /dc/nummus + register: nummus_dc_dir_stat + + - name: Create nummus dc directory + file: + path: /dc/nummus + state: directory + mode: 0755 + group: root + owner: root + when: nummus_dc_dir_stat.islnk is not defined + + - name: Copy compose file + copy: + src: docker-compose.yml + dest: /dc/nummus + + - name: Start nummus + shell: "cd /dc/nummus && docker-compose up -d" + environment: + NUMMUS_DB_PASSWORD: "{{ lookup('env', 'NUMMUS_DB_PASSWORD') }}" \ No newline at end of file diff --git a/nummus/start.yml b/nummus/start.yml new file mode 100644 index 0000000..26712dc --- /dev/null +++ b/nummus/start.yml @@ -0,0 +1,8 @@ +--- +- hosts: teier.eu + gather_facts: no + tasks: + - name: Start Nummus + shell: "cd /dc/nummus && docker-compose up -d" + environment: + NUMMUS_DB_PASSWORD: "{{ lookup('env', 'NUMMUS_DB_PASSWORD') }}" \ No newline at end of file diff --git a/nummus/stop.yml b/nummus/stop.yml new file mode 100644 index 0000000..f97e0a1 --- /dev/null +++ b/nummus/stop.yml @@ -0,0 +1,6 @@ +--- +- hosts: teier.eu + gather_facts: no + tasks: + - name: Stop Nummus + shell: "cd /dc/nummus && docker-compose stop" \ No newline at end of file diff --git a/nummus/teardown.yml b/nummus/teardown.yml new file mode 100644 index 0000000..8fef6f2 --- /dev/null +++ b/nummus/teardown.yml 
@@ -0,0 +1,7 @@
+---
+- hosts: teier.eu
+ gather_facts: no
+ tasks:
+ tasks:
+ - name: Start Nummus
+ shell: "cd /dc/nummus && docker-compose down"
\ No newline at end of file
diff --git a/starbound/Dockerfile b/starbound/Dockerfile
new file mode 100644
index 0000000..a41a59b
--- /dev/null
+++ b/starbound/Dockerfile
@@ -0,0 +1,6 @@
+FROM debian:buster-slim
+COPY ./binaries/ /starbound/
+COPY ./docker-entrypoint.sh /
+RUN apt install bash
+EXPOSE 21025
+ENTRYPOINT ["/bin/bash", "/docker-entrypoint.sh"]
\ No newline at end of file
diff --git a/starbound/docker-compose.yml b/starbound/docker-compose.yml
new file mode 100644
index 0000000..d6bdbe4
--- /dev/null
+++ b/starbound/docker-compose.yml
@@ -0,0 +1,9 @@
+version: '2.4'
+services:
+ starbound:
+ build:
+ context: .
+ volumes:
+ - /var/starbound-storage:/starbound/storage
+ ports:
+ - 21025:21025
\ No newline at end of file
diff --git a/starbound/docker-entrypoint.sh b/starbound/docker-entrypoint.sh
new file mode 100644
index 0000000..eed9ce9
--- /dev/null
+++ b/starbound/docker-entrypoint.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+cd /starbound/linux
+./starbound_server
\ No newline at end of file
diff --git a/starbound/restart.yml b/starbound/restart.yml
new file mode 100644
index 0000000..ea46c8e
--- /dev/null
+++ b/starbound/restart.yml
@@ -0,0 +1,6 @@
+---
+- hosts: teier.eu
+ gather_facts: no
+ tasks:
+ - name: Restart starbound
+ shell: "cd /dc/starbound && docker-compose up -d"
\ No newline at end of file
diff --git a/starbound/start.yml b/starbound/start.yml
new file mode 100644
index 0000000..c670d70
--- /dev/null
+++ b/starbound/start.yml
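Review bot: The play lists `tasks:` twice in a row; depending on the (lost) indentation this is either a duplicate mapping key, where PyYAML keeps the last value and Ansible warns about the duplicate, or a nested `tasks: {tasks: [...]}` that fails to parse, so one of the two lines should go. The single task is named `Start Nummus` but runs `docker-compose down`; rename it `- name: Tear down Nummus` so the play output matches what happened.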
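Review bot: `RUN apt install bash` will fail on `debian:buster-slim`: the slim images ship with empty apt lists, so without a preceding `apt-get update` the package cannot be located, and without `-y` the install would stop at the confirmation prompt anyway. `bash` is an essential package already present in the base image, so the line can be deleted outright; if packages are ever needed, use the single-layer form `RUN apt-get update && apt-get install -y --no-install-recommends <pkg> && rm -rf /var/lib/apt/lists/*`. There is no `USER` instruction, so the internet-exposed server process runs as root inside the container; adding `RUN useradd -r -d /starbound starbound && chown -R starbound /starbound` and `USER starbound` limits what a compromised server can reach (the bind-mounted `/var/starbound-storage` must then be writable by that uid). `buster-slim` is a moving tag; pinning a digest makes rebuilds reproducible.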
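Review bot: `./starbound_server` is started as a child of the bash entrypoint instead of replacing it with `exec`, so the SIGTERM that `docker-compose stop`/`down` sends reaches only bash (PID 1, which does not forward it); after Docker's grace period the container is SIGKILLed and the server never gets to flush its saves. The `cd` has no error handling, so if `/starbound/linux` is missing the script runs `./starbound_server` from `/` instead. Suggested body after the shebang: `set -euo pipefail`, `cd /starbound/linux`, `exec ./starbound_server`.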
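Review bot: `docker-compose up -d` does not restart a service whose container is already running with an unchanged configuration, so the task named `Restart starbound` is a no-op in exactly the case it is named for. Use `shell: "cd /dc/starbound && docker-compose restart"` (or `up -d --force-recreate` if a rebuilt image should be picked up).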
@@ -0,0 +1,60 @@
+---
+- hosts: teier.eu
+ gather_facts: no
+ tasks:
+ - name: Check dc directory
+ stat:
+ path: /dc/starbound
+ register: starbound_dc_dir_stat
+
+ - name: Create starbound dc directory
+ file:
+ path: /dc/starbound
+ state: directory
+ mode: 0755
+ group: root
+ owner: root
+ when: starbound_dc_dir_stat.islnk is not defined
+
+ - name: Check binaries directory
+ stat:
+ path: /dc/starbound/binaries
+ register: starbound_binaries_dir_stat
+
+ - name: Create starbound binaries directory
+ file:
+ path: /dc/starbound/binaries
+ state: directory
+ mode: 0755
+ group: root
+ owner: root
+ when: starbound_binaries_dir_stat.islnk is not defined
+
+ - name: Copy compose file
+ copy:
+ src: docker-compose.yml
+ dest: /dc/starbound
+
+ - name: Copy Dockerfile
+ copy:
+ src: Dockerfile
+ dest: /dc/starbound
+
+ - name: Copy Docker entrypoint
+ copy:
+ src: docker-entrypoint.sh
+ dest: /dc/starbound
+
+ - name: Copy binaries
+ copy:
+ src: binaries/binaries.tar.gz
+ dest: /dc/starbound/binaries/binaries.tar.gz
+
+ - name: Extract binaries
+ shell: "cd /dc/starbound/binaries && tar -xzf binaries.tar.gz"
+
+ - name: Delete binaries archive
+ shell: "rm /dc/starbound/binaries/binaries.tar.gz"
+
+ - name: Start starbound
+ shell: "cd /dc/starbound && docker-compose up -d"
\ No newline at end of file
diff --git a/starbound/stop.yml b/starbound/stop.yml
new file mode 100644
index 0000000..49be7e7
--- /dev/null
+++ b/starbound/stop.yml
@@ -0,0 +1,6 @@
+---
+- hosts: teier.eu
+ gather_facts: no
+ tasks:
+ - name: Restart starbound
+ shell: "cd /dc/starbound && docker-compose stop"
\ No newline at end of file
diff --git a/starbound/teardown.yml b/starbound/teardown.yml
new file mode 100644
index 0000000..cac321f
--- /dev/null
+++ b/starbound/teardown.yml
@@ -0,0 +1,6 @@
+---
+- hosts: teier.eu
+ gather_facts: no
+ tasks:
+ - name: Restart starbound
+ shell: "cd /dc/starbound && docker-compose down --rmi local"
\ No newline at end of file
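Review bot: The `Copy binaries` / `Extract binaries` / `Delete binaries archive` tasks install third-party server binaries with no integrity check and no idempotence: `copy` re-uploads the archive on every run, `shell: tar -xzf` overwrites `/dc/starbound/binaries` unconditionally, and the `rm` guarantees the next run does it all again, so a tampered or truncated `binaries.tar.gz` on the control host silently replaces the server. Pin the archive with `copy`'s `checksum:` and replace the shell extraction with `unarchive` guarded by `creates:`, dropping the delete task so the checksummed archive stays in place for the next run (the `creates` path below assumes the archive contains `linux/starbound_server`, as the entrypoint implies — confirm). The two `stat`/`file` pairs guarded by `… .islnk is not defined` read the attribute from the wrong level of the result (it lives under `.stat`), so the guard is always true; `file: state: directory` is idempotent on its own, so the `stat` tasks and `when:` lines can be dropped.

```yaml
    # … unchanged: directory creation, compose/Dockerfile/entrypoint copies …
    - name: Copy binaries
      copy:
        src: binaries/binaries.tar.gz
        dest: /dc/starbound/binaries/binaries.tar.gz
        checksum: "sha256:<EXPECTED_SHA256>"   # placeholder: record the archive's hash here

    - name: Extract binaries
      unarchive:
        src: /dc/starbound/binaries/binaries.tar.gz
        dest: /dc/starbound/binaries
        remote_src: yes
        creates: /dc/starbound/binaries/linux/starbound_server

    # … unchanged: Start starbound …
```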
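Review bot: The task in starbound/stop.yml is named `Restart starbound` but runs `docker-compose stop`, and the one in starbound/teardown.yml carries the same name while running `docker-compose down --rmi local`; copy-pasted names make the play output misleading when these plays are run in sequence. Rename them `- name: Stop starbound` and `- name: Tear down starbound` respectively.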
diff --git a/start-mariadb.sh b/start-mariadb.sh
new file mode 100644
index 0000000..cb325be
--- /dev/null
+++ b/start-mariadb.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+source ./.env
+
+[ -z "$MARIADB_ROOT_PASSWORD" ] && echo "MARIADB_ROOT_PASSWORD not set" && exit 1
+ansible-playbook mariadb/start.yml
\ No newline at end of file
diff --git a/template.env b/template.env
new file mode 100644
index 0000000..9cfe8d2
--- /dev/null
+++ b/template.env
@@ -0,0 +1,4 @@
+MARIADB_ROOT_PASSWORD=
+NEXTCLOUD_DB_PASSWORD=
+NUMMUS_DB_PASSWORD=
+WORDPRESS_DB_PASSWORD=
\ No newline at end of file
diff --git a/ufw/playbook-ufw.yml b/ufw/playbook-ufw.yml
new file mode 100644
index 0000000..d0e54cc
--- /dev/null
+++ b/ufw/playbook-ufw.yml
@@ -0,0 +1,57 @@
+---
+- name: Configure UFW
+ hosts: teier.eu
+ gather_facts: yes
+
+ tasks:
+ - name: Install ufw
+ apt: name=ufw state=latest
+
+ - name: Set logging
+ community.general.ufw:
+ logging: 'on'
+
+ - name: Allow SSH connections
+ community.general.ufw:
+ rule: allow
+ port: '4711'
+ proto: tcp
+
+ - name: Allow web server access
+ community.general.ufw:
+ rule: allow
+ port: '443'
+ proto: tcp
+
+ - name: Allow web server access
+ community.general.ufw:
+ rule: allow
+ port: '80'
+ proto: tcp
+
+ - name: Allow Minecraft
+ community.general.ufw:
+ rule: allow
+ port: '25565'
+ proto: tcp
+
+ - name: Allow Starbound
+ community.general.ufw:
+ rule: allow
+ port: '21025'
+ proto: tcp
+
+ - name: Allow all access from RFC1918 networks to this host
+ community.general.ufw:
+ rule: allow
+ src: '{{ item }}'
+ loop:
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/16
+
+ - name: Deny everything else and enable UFW
+ community.general.ufw:
+ state: enabled
+ policy: deny
+
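Review bot: `source ./.env` only defines shell variables; with plain `MARIADB_ROOT_PASSWORD=…` lines as in template.env nothing is exported, so the `[ -z … ]` check passes but the `ansible-playbook` child process never sees the variable and the `lookup('env', …)` pattern the playbooks in this commit rely on (e.g. nummus/init.yml) resolves to an empty string. Wrap the source in allexport — `set -a; source ./.env; set +a` — or `export MARIADB_ROOT_PASSWORD` after the check. The script also resolves `.env` and `mariadb/start.yml` against the caller's working directory; `cd "$(dirname "$0")"` at the top makes it runnable from anywhere. init-nextcloud.sh and init-nummus.sh are outside this chunk but likely follow the same pattern.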