This commit is contained in:
Mathias Teier 2021-01-01 16:09:53 +01:00
commit a8b27a7220
No known key found for this signature in database
GPG Key ID: AF77EC46DA9525FE
45 changed files with 1067 additions and 0 deletions

4
.gitignore vendored Normal file

@ -0,0 +1,4 @@
.env
minecraft/server.jar
starbound/binaries
!starbound/binaries/.gitkeep

21
LICENSE Normal file

@ -0,0 +1,21 @@
MIT License
Copyright (c) 2021 Mathias Teier
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

18
README.md Normal file

@ -0,0 +1,18 @@
# teier.eu server-configuration
This is the configuration for my private server.
It's a basic Ansible + Docker-Compose setup with Minecraft, Starbound, Nextcloud and Nummus, the latter of both behind an nginx reverse proxy.
Maybe it can help you setting up your own server, you're free to copy and modify my files.
## Usage
Most functionality is achieved through ansible playbooks. If you want to use them for your own server, install Ansible on your management machine (e.g. your desktop computer), add your server to `/etc/ansible/hosts` and change the host in the playbook files.
Mariadb, Nextcloud and Nummus need Database passwords, therefore copy the template.env file to .env, enter your passwords and run one of the shell files (e.g. `start-mariadb.sh`)
## Minecraft
To use the minecraft server, just copy the `server.jar` from `minecraft.net` to the minecraft directory and run `ansible-playbook minecraft/start.yml`
## Starbound
My Starbound container only works with the **GOG version!**
After installing Starboud on your gaming machine, archive all files from `~/GOG Games/Starbound/game/` into `starbound/binaries/binaries.tar.gz` and then run `ansible-playbook starbound/start.yml`


@ -0,0 +1,23 @@
---
- name: Update Server and install docker
hosts: teier.eu
gather_facts: yes
tasks:
- name: Upgrade system
apt: upgrade=dist update_cache=yes
- name: Install Docker
apt: name=docker state=latest
- name: Install Docker Compose
apt: name=docker-compose state=latest
- name: Install Pip
apt: name=python-pip state=latest
- name: Install Docker Py
shell: pip install docker
- name: Enabled Docker Service
service:
name: docker
enabled: yes
- name: Start Docker
service:
name: docker
state: started
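Review bot: The `Install Docker` task installs the apt package literally named `docker`, which on Debian/Ubuntu is not Docker Engine (the engine package is `docker.io`, or `docker-ce` from Docker's own repository) — verify which package actually lands on the host before relying on this play. `pip install docker` runs unpinned through `shell`, so each run may pull a different SDK version and always reports "changed"; `pip: name=docker` (optionally with `version:`) is idempotent, and `python-pip` on buster is likely the Python 2 tool, so `python3-pip` is the one matching the interpreter Ansible uses. `state=latest` on every package plus `upgrade=dist` turns each run into a full upgrade rather than a declarative install; `state: present` with pinned versions is the safer default on a host that exposes services.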

6
init-nextcloud.sh Normal file

@ -0,0 +1,6 @@
#!/bin/bash
source ./.env
[ -z "$MARIADB_ROOT_PASSWORD" ] && echo "MARIADB_ROOT_PASSWORD not set" && exit 1
[ -z "$NEXTCLOUD_DB_PASSWORD" ] && echo "NEXTCLOUD_DB_PASSWORD not set" && exit 1
ansible-playbook nextcloud/init.yml
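Review bot: `source ./.env` on line 2 only creates shell variables; unless the `.env` lines are written as `export KEY=...` (template.env shows plain `KEY=`), they never reach the environment of `ansible-playbook`, so the `lookup('env', ...)` calls in nextcloud/init.yml resolve to empty strings while the `[ -z ... ]` checks here still pass. The likely result is a `nextcloud` database user created with an empty password. Wrap the source in auto-export mode, `set -a; source ./.env; set +a`, and add `set -euo pipefail` at the top so a missing `.env` aborts instead of being silently ignored.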

6
init-nummus.sh Normal file

@ -0,0 +1,6 @@
#!/bin/bash
source ./.env
[ -z "$MARIADB_ROOT_PASSWORD" ] && echo "MARIADB_ROOT_PASSWORD not set" && exit 1
[ -z "$NUMMUS_DB_PASSWORD" ] && echo "NUMMUS_DB_PASSWORD not set" && exit 1
ansible-playbook nummus/init.yml
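Review bot: As with the other helper scripts, `source ./.env` sets shell variables but does not export them, so unless `.env` uses `export` lines the playbook's `lookup('env', 'NUMMUS_DB_PASSWORD')` sees an empty value even though the guard on line 4 passed. Use `set -a; source ./.env; set +a` so every variable in the file is exported, and start the script with `set -euo pipefail`.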


@ -0,0 +1,17 @@
version: '2.4'
services:
mariadb:
image: mariadb:10.5.8
environment:
MYSQL_ROOT_PASSWORD: ${MARIADB_ROOT_PASSWORD}
networks:
- mariadb_net
volumes:
- /var/lib/mysql:/var/lib/mysql
ports:
- 3306:3306
networks:
mariadb_net:
name: mariadb_net
driver: bridge
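Review bot: `ports: - 3306:3306` publishes MariaDB on every host interface, and traffic to a Docker-published port is handled in Docker's own iptables chains (nat/FORWARD) rather than by ufw's INPUT policy, so the `deny` default in ufw/playbook-ufw.yml does not protect this port — root and the `%`-scoped application users become reachable from the Internet with only their password in the way. Nextcloud and Nummus reach the database over `mariadb_net` by service name, so the mapping is not needed for them; if the Ansible `mysql_*` tasks need host access, bind it to loopback instead: `- "127.0.0.1:3306:3306"`. The image tag is pinned here, which is good; the `nginx` and `nextcloud:fpm` services elsewhere deserve the same.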

27
mariadb/start.yml Normal file

@ -0,0 +1,27 @@
---
- hosts: teier.eu
gather_facts: no
tasks:
- name: Check dc directory
stat:
path: /dc/mariadb
register: mariadb_dc_dir_stat
- name: Create mariadb dc directory
file:
path: /dc/mariadb
state: directory
mode: 0755
group: root
owner: root
when: mariadb_dc_dir_stat.islnk is not defined
- name: Copy compose file
copy:
src: docker-compose.yml
dest: /dc/mariadb
- name: Start mariadb
shell: "cd /dc/mariadb && docker-compose up -d"
environment:
MARIADB_ROOT_PASSWORD: "{{ lookup('env', 'MARIADB_ROOT_PASSWORD') }}"
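Review bot: The `stat` / `when: mariadb_dc_dir_stat.islnk is not defined` pair guarding the directory task is redundant — `file: state: directory` is already idempotent, and `islnk` is absent exactly when the path does not exist, so the guard merely restates what the module does. `shell: "cd /dc/mariadb && docker-compose up -d"` hides a failed `cd` behind a generic error; `command: docker-compose up -d` with `args: chdir: /dc/mariadb` (or the `docker_compose` module) is the idiomatic form and avoids a shell for a task that carries the root password in its environment.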

6
mariadb/stop.yml Normal file

@ -0,0 +1,6 @@
---
- hosts: teier.eu
gather_facts: no
tasks:
- name: Stop Mariadb
shell: "cd /dc/mariadb && docker-compose stop"

6
mariadb/teardown.yml Normal file

@ -0,0 +1,6 @@
---
- hosts: teier.eu
gather_facts: no
tasks:
- name: Teardown mariadb
shell: "cd /dc/mariadb && docker-compose down"

12
minecraft/Dockerfile Normal file

@ -0,0 +1,12 @@
FROM debian:buster-slim
RUN mkdir -p /usr/share/man/man1
RUN apt update
RUN apt install -y default-jre
RUN apt install -y bash
RUN apt install -y gettext-base
COPY ./server.jar /minecraft/
COPY ./docker-entrypoint.sh /minecraft/
COPY ./eula.txt /minecraft/
COPY ./server.template.properties /minecraft/
EXPOSE 25565
ENTRYPOINT ["/bin/bash", "/minecraft/docker-entrypoint.sh"]
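Review bot: The server runs as root inside the container with host directories from /var/minecraft bind-mounted, so any flaw in the externally supplied `server.jar` is a root process with write access to those host paths; add a dedicated user and switch to it before `ENTRYPOINT`. The four separate `RUN apt ...` layers also leave the package lists in the image and use the interactive `apt` front end; one `apt-get` call with `--no-install-recommends` and list clean-up is the conventional form. The bind-mounted files must then be owned by (or writable for) the uid chosen here — minecraft/start.yml does not create them, so the host side needs a matching `chown`.
```dockerfile
FROM debian:buster-slim
# Single layer: package install, list clean-up and an unprivileged runtime user.
RUN mkdir -p /usr/share/man/man1 \
 && apt-get update \
 && apt-get install -y --no-install-recommends default-jre bash gettext-base \
 && rm -rf /var/lib/apt/lists/* \
 && useradd --system --create-home --home-dir /minecraft --shell /usr/sbin/nologin minecraft
# … unchanged: the four COPY lines into /minecraft/ …
# COPY writes as root; hand the tree to the runtime user (server.properties is generated there at start).
RUN chown -R minecraft:minecraft /minecraft
USER minecraft
EXPOSE 25565
ENTRYPOINT ["/bin/bash", "/minecraft/docker-entrypoint.sh"]
```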


@ -0,0 +1,21 @@
version: '2.4'
services:
minecraft:
build:
context: .
volumes:
- /var/minecraft/world:/minecraft/world
- /var/minecraft/ops.json:/minecraft/ops.json
- /var/minecraft/whitelist.json:/minecraft/whitelist.json
- /var/minecraft/banned-players.json:/minecraft/banned-player.json
- /var/minecraft/banned-ips.json:/minecraft/banned-ips.json
environment:
PORT: "25565"
ENABLE_COMMAND_BLOCK: "true"
MOTD: "Teiercloud Minecraft Server"
ENABLE_PVP: "true"
DIFFICULTY: "easy"
MAX_PLAYERS: "20"
ENABLED_WHITELIST: "true"
ports:
- 25565:25565
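Review bot: The environment key on line 19, `ENABLED_WHITELIST`, does not match the `${ENABLE_WHITELIST}` placeholder in server.template.properties, so `envsubst` writes `white-list=` and `enforce-whitelist=` as empty values — which the server presumably treats as false — and the publicly exposed port accepts any Mojang account; rename it to `ENABLE_WHITELIST: "true"`. Line 10 mounts the host's `banned-players.json` to `/minecraft/banned-player.json` (singular), a file the server never reads, so bans would not persist across container rebuilds; the target should be `/minecraft/banned-players.json`. `${LEVEL_SEED}` in the template is likewise not provided here; an empty seed means a random world, which is probably intended but deserves a comment.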

4
minecraft/docker-entrypoint.sh Executable file

@ -0,0 +1,4 @@
#!/bin/bash
envsubst </minecraft/server.template.properties >/minecraft/server.properties
cd /minecraft
java -Xms3G -Xmx3G -jar server.jar nogui
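Review bot: `java` on the last line runs as a child of bash, which is PID 1 here and neither forwards SIGTERM nor acts on it itself, so `docker-compose stop` ends with the JVM being SIGKILLed after the grace period without a save — world data can be lost; prefix the call with `exec`: `exec java -Xms3G -Xmx3G -jar server.jar nogui`. Add `set -euo pipefail` so a failed `cd` or `envsubst` aborts instead of starting with a stale or missing server.properties. Because `envsubst` silently expands unset names to empty strings, guard the variables the template needs, e.g. `: "${ENABLE_WHITELIST:?must be set}"`, so a misnamed compose key fails loudly rather than quietly disabling the whitelist.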

3
minecraft/eula.txt Normal file

@ -0,0 +1,3 @@
#By changing the setting below to TRUE you are indicating your agreement to our EULA (https://account.mojang.com/documents/minecraft_eula).
#Tue Oct 22 14:50:17 UTC 2019
eula=true


@ -0,0 +1,51 @@
enable-jmx-monitoring=false
rcon.port=25575
level-seed=${LEVEL_SEED}
enable-command-block=${ENABLE_COMMAND_BLOCK}
gamemode=survival
enable-query=false
generator-settings=
level-name=world
motd=${MOTD}
query.port=${PORT}
pvp=${ENABLE_PVP}
generate-structures=true
difficulty=${DIFFICULTY}
network-compression-threshold=256
max-tick-time=60000
max-players=${MAX_PLAYERS}
use-native-transport=true
online-mode=true
enable-status=true
allow-flight=false
broadcast-rcon-to-ops=true
view-distance=10
max-build-height=256
server-ip=
allow-nether=true
server-port=${PORT}
enable-rcon=false
sync-chunk-writes=true
op-permission-level=4
prevent-proxy-connections=false
resource-pack=
entity-broadcast-range-percentage=100
player-idle-timeout=0
rcon.password=
force-gamemode=false
debug=false
rate-limit=0
hardcore=false
white-list=${ENABLE_WHITELIST}
broadcast-console-to-ops=true
spawn-npcs=true
spawn-animals=true
snooper-enabled=true
function-permission-level=2
level-type=default
text-filtering-config=
spawn-monsters=true
enforce-whitelist=${ENABLE_WHITELIST}
spawn-protection=0
resource-pack-sha1=
max-world-size=29999984

51
minecraft/start.yml Normal file

@ -0,0 +1,51 @@
---
- hosts: teier.eu
gather_facts: no
tasks:
- name: Check dc directory
stat:
path: /dc/minecraft
register: minecraft_dc_dir_stat
- name: Create minecraft dc directory
file:
path: /dc/minecraft
state: directory
mode: 0755
group: root
owner: root
when: minecraft_dc_dir_stat.islnk is not defined
- name: Copy server.jar
copy:
src: server.jar
dest: /dc/minecraft/
- name: Copy properties template
copy:
src: server.template.properties
dest: /dc/minecraft/
- name: Copy EULA
copy:
src: eula.txt
dest: /dc/minecraft/
- name: Copy docker-entrypoint
copy:
src: docker-entrypoint.sh
dest: /dc/minecraft/
- name: Copy Dockerfile
copy:
src: Dockerfile
dest: /dc/minecraft/
- name: Copy compose file
copy:
src: docker-compose.yml
dest: /dc/minecraft/
- name: Start minecraft
shell: "cd /dc/minecraft && docker-compose up -d"
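Review bot: The final `docker-compose up -d` never rebuilds the image, yet the preceding tasks copy `server.jar`, the properties template and the entrypoint into the build context — after the first run, changes to any of them land on the host while the running container keeps the old image. Use `docker-compose up -d --build` (or the `docker_compose` module with `build: yes`) so the playbook deploys what it copied. The `stat` + `when: ... islnk is not defined` guard around the directory task is redundant because `file: state: directory` is idempotent on its own.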

6
minecraft/stop.yml Normal file

@ -0,0 +1,6 @@
---
- hosts: teier.eu
gather_facts: no
tasks:
- name: Stop Minecraft
shell: "cd /dc/minecraft && docker-compose stop"

6
minecraft/teardown.yml Normal file

@ -0,0 +1,6 @@
---
- hosts: teier.eu
gather_facts: no
tasks:
- name: Teardown Minecraft
shell: "cd /dc/minecraft && docker-compose down --rmi local"


@ -0,0 +1,39 @@
version: '2.4'
services:
nextcloud:
image: nextcloud:fpm
environment:
MYSQL_DATABASE: nextcloud
MYSQL_USER: nextcloud
MYSQL_HOST: mariadb
MYSQL_PASSWORD: ${NEXTCLOUD_DB_PASSWORD}
TRUSTED_PROXIES: "cloud.teier.eu 138.201.74.231 172.0.0.1/8"
APACHE_DISABLE_REWRITE_IP: "1"
OVERWRITEHOST: "cloud.teier.eu"
OVERWRITEPROTOCOL: "https"
OVERWRITEWEBROOT: "/"
OVERWRITECONADDR: "138.201.74.231"
networks:
- "mariadb_net"
- "nextcloud_net"
volumes:
- /var/nextcloud:/var/www/html
web:
image: nginx
restart: always
ports:
- 8081:80
networks:
- "nextcloud_net"
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf:ro
volumes_from:
- nextcloud
networks:
nextcloud_net:
name: "nextcloud_net"
driver: bridge
mariadb_net:
name: "mariadb_net"
external: true
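Review bot: `OVERWRITECONADDR` on line 15 is not a variable the nextcloud image reads (the documented name is `OVERWRITECONDADDR`), so it is silently ignored — which is fortunate, because spelled correctly it would be matched against the private bridge address Nextcloud actually sees as REMOTE_ADDR, not the public IP, and would switch the `OVERWRITE*` settings off; drop the line. `TRUSTED_PROXIES` lists `172.0.0.1/8`, which trusts every 172.x.x.x address, public ones included, to set `X-Forwarded-For`; narrow it to the `nextcloud_net` subnet (pin one via `ipam`) or at least Docker's `172.16.0.0/12`. The `web` service publishes `8081:80` on all interfaces and Docker-published ports are not filtered by ufw, so Nextcloud is reachable over plain HTTP on :8081 bypassing the TLS proxy — bind it as `"127.0.0.1:8081:80"`. `nextcloud:fpm` and `nginx` are floating tags; pin them the way `mariadb:10.5.8` is.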

52
nextcloud/init.yml Normal file

@ -0,0 +1,52 @@
---
- hosts: teier.eu
gather_facts: no
tasks:
- name: Install PyMySQL
shell: pip install PyMySQL
- name: Create database for nextcloud
community.mysql.mysql_db:
login_user: root
login_password: "{{ lookup('env', 'MARIADB_ROOT_PASSWORD') }}"
name: nextcloud
state: present
- name: Create database user for nextcloud
community.mysql.mysql_user:
login_user: root
login_password: "{{ lookup('env', 'MARIADB_ROOT_PASSWORD') }}"
name: nextcloud
password: "{{ lookup('env', 'NEXTCLOUD_DB_PASSWORD') }}"
host: "%"
priv: 'nextcloud.*:ALL'
state: present
- name: Check dc directory
stat:
path: /dc/nextcloud
register: nextcloud_dc_dir_stat
- name: Create nextcloud dc directory
file:
path: /dc/nextcloud
state: directory
mode: 0755
group: root
owner: root
when: nextcloud_dc_dir_stat.islnk is not defined
- name: Copy compose file
copy:
src: docker-compose.yml
dest: /dc/nextcloud
- name: Copy nginx conf
copy:
src: nginx.conf
dest: /dc/nextcloud
- name: Start nextcloud
shell: "cd /dc/nextcloud && docker-compose up -d"
environment:
NEXTCLOUD_DB_PASSWORD: "{{ lookup('env', 'NEXTCLOUD_DB_PASSWORD') }}"
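Review bot: The `nextcloud` database user is created with `host: "%"`, so it may authenticate from any address; combined with the `3306:3306` mapping in mariadb's compose file that is a password-only barrier on a public port. Restrict it to the container networks, e.g. `host: "172.%"` (or the fixed subnet if you pin one). These `mysql_*` tasks appear to reach MariaDB through that same published port, so if it is removed or bound to loopback they need an explicit `login_host: 127.0.0.1`. `shell: pip install PyMySQL` is better expressed as `pip: name=PyMySQL` — idempotent and reported correctly as changed/ok.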

175
nextcloud/nginx.conf Normal file

@ -0,0 +1,175 @@
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
real_ip_header X-Real-IP;
#gzip on;
upstream php-handler {
server nextcloud:9000;
}
server {
listen 80;
server_name cloud.teier.eu;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Path to the root of your installation
root /var/www/html;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
# The following rule is only needed for the Social app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
location = /.well-known/carddav {
return 301 $scheme://$host:$server_port/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host:$server_port/remote.php/dav;
}
# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
location / {
rewrite ^ /index.php;
}
location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
deny all;
}
location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
# fastcgi_param HTTPS on;
# Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
# Enable pretty urls
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
try_files $uri/ =404;
index index.php;
}
# Adding the cache control header for js, css and map files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into
# this topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Optional: Don't log access to assets
access_log off;
}
location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
try_files $uri /index.php$request_uri;
# Optional: Don't log access to other assets
access_log off;
}
}
}
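Review bot: `real_ip_header X-Real-IP` in the `http` block does not match what the host-side proxy in nginx/sites/nextcloud sends — that site sets only `X-Forwarded-For`, so `$remote_addr` here stays the Docker bridge address and every client reaches Nextcloud with the same REMOTE_ADDR. That puts all users into one bucket for Nextcloud's per-IP brute-force throttling and makes the access log useless for forensics. Either change this to `real_ip_header X-Forwarded-For; real_ip_recursive on;` or add `proxy_set_header X-Real-IP $remote_addr;` on the host side. HSTS is left commented out here; since TLS is terminated on the host, emit it there so it is not sent on the plain-HTTP hop.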

8
nextcloud/start.yml Normal file

@ -0,0 +1,8 @@
---
- hosts: teier.eu
gather_facts: no
tasks:
- name: Start nextcloud
shell: "cd /dc/nextcloud && docker-compose up -d"
environment:
NEXTCLOUD_DB_PASSWORD: "{{ lookup('env', 'NEXTCLOUD_DB_PASSWORD') }}"

7
nextcloud/stop.yml Normal file

@ -0,0 +1,7 @@
---
- hosts: teier.eu
gather_facts: no
tasks:
tasks:
- name: Stop nextcloud
shell: "cd /dc/nextcloud && docker-compose stop"
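Review bot: `tasks:` appears twice (lines 5 and 6) — either a duplicate mapping key or a nested mapping where a list is expected, depending on indentation this rendering has lost. A duplicate key is silently last-wins in PyYAML and only a warning in Ansible, so the play may happen to work, but a stricter loader rejects it; delete the first `tasks:` line.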

6
nextcloud/teardown.yml Normal file

@ -0,0 +1,6 @@
---
- hosts: teier.eu
gather_facts: no
tasks:
- name: Teardown nextcloud
shell: "cd /dc/nextcloud && docker-compose down"

74
nginx/nginx.conf Normal file

@ -0,0 +1,74 @@
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
#Headers
add_header X-Frame-Options "SAMEORIGIN";
add_header Strict-Transport-Security "15552000";
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
# CUSTOM
client_max_body_size 10G;
map $http_connection $connection_upgrade {
"~*Upgrade" $http_connection;
default keep-alive;
}
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
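Review bot: The `Strict-Transport-Security` header on line 25 is malformed — the value must be a directive, not a bare number — so browsers ignore it and HSTS is effectively off for all three sites; use `add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;`. `ssl_protocols` still enables TLSv1 and TLSv1.1, which are deprecated and disabled by default in current browsers; `ssl_protocols TLSv1.2 TLSv1.3;` is the usual choice and buster's nginx with OpenSSL 1.1.1 supports 1.3. `server_tokens off;` is commented out, so the exact nginx version is advertised in every response. Note also that `add_header` is not additive in nginx: any `server` or `location` that sets its own `add_header` drops these two, which is worth a comment next to them.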

43
nginx/playbook-nginx.yml Normal file

@ -0,0 +1,43 @@
---
- name: Install nginx
hosts: teier.eu
gather_facts: yes
tasks:
- name: Upgrade system
apt: upgrade=dist update_cache=yes
- name: Install nginx
apt: name=nginx state=latest
- name: Install certbot
apt: name=certbot state=latest
- name: Stop Nginx for configuration and certificate approval
service: name=nginx state=stopped
- name: Remove nginx site config
shell: "rm -f /etc/nginx/sites-enabled/*"
- name: Get Certificate
shell: certbot certonly --standalone --preferred-challenges http -m mathias.teier@icloud.com --agree-tos -n -d teier.eu -d cloud.teier.eu -d nummus.teier.eu -d www.teier.eu
- name: Install nginx server config
copy:
src: nginx.conf
dest: /etc/nginx/nginx.conf
- name: Install nginx site configs
copy:
src: sites/
dest: /etc/nginx/sites-enabled/
- name: Start nginx
service: name=nginx state=started
- name: Add letsencrypt cronjob for cert renewal
cron:
name: renew_cert
day: "1,15"
hour: "2"
job: service nginx stop && certbot --renew && service nginx start
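Review bot: The renewal cron on the last line runs `certbot --renew`, which does not appear to be a valid certbot invocation (the subcommand is `certbot renew`); because the commands are chained with `&&`, certbot's non-zero exit means `service nginx start` never runs and the first renewal attempt takes every site down. Replace the job with `certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"` so nginx comes back regardless of the outcome (the hooks only fire when a renewal is actually attempted). Each run of this playbook also re-executes `certbot certonly --standalone ... -n`; certbot skips re-issuance when the certificate is not due, but a `creates: /etc/letsencrypt/live/teier.eu/fullchain.pem` argument keeps the task idempotent and rate-limit-safe. `rm -f /etc/nginx/sites-enabled/*` through `shell` could be `file: state: absent` with proper change reporting.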


@ -0,0 +1,24 @@
---
- name: Update nginx configs
hosts: teier.eu
gather_facts: yes
tasks:
- name: Stop Nginx for configuration
service: name=nginx state=stopped
- name: Remove nginx site config
shell: "rm -f /etc/nginx/sites-enabled/*"
- name: Install nginx server config
copy:
src: nginx.conf
dest: /etc/nginx/nginx.conf
- name: Install nginx site configs
copy:
src: sites/
dest: /etc/nginx/sites-enabled/
- name: Start nginx
service: name=nginx state=started
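Review bot: This play stops nginx before copying the new configuration and only starts it again at the end, so a syntax error in `nginx.conf` or any site file leaves every service down until someone notices. Validate first and avoid the stop entirely: copy the files, run `command: nginx -t`, then `service: name=nginx state=reloaded` — a reload keeps the old configuration serving if the new one fails to load.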

33
nginx/sites/nextcloud Normal file

@ -0,0 +1,33 @@
server {
listen 80;
server_name cloud.teier.eu;
return 301 https://cloud.teier.eu:443$request_uri;
}
server {
listen 443 ssl http2;
server_name cloud.teier.eu;
ssl on;
ssl_certificate /etc/letsencrypt/live/teier.eu/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/teier.eu/privkey.pem;
location / {
proxy_pass http://127.0.0.1:8081/;
# Configuration for WebSockets
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_cache off;
# Configuration for ServerSentEvents
proxy_buffering off;
# Configuration for LongPolling or if your KeepAliveInterval is longer than 60 seconds
proxy_read_timeout 100s;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
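Review bot: The proxy block forwards `X-Forwarded-For` and `X-Forwarded-Proto` but not `X-Real-IP`, while the nginx inside the Nextcloud compose stack trusts only `X-Real-IP` for the client address; add `proxy_set_header X-Real-IP $remote_addr;` next to the other headers so Nextcloud sees real client IPs. `ssl on;` is deprecated and redundant with `listen 443 ssl http2` (and removed in recent nginx releases), so drop it. No HSTS header is set in this block, and the one in nginx.conf is malformed; this `server` block, where TLS is actually terminated, is the right place for a correct `Strict-Transport-Security` header.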

34
nginx/sites/nummus Normal file

@ -0,0 +1,34 @@
server {
listen 80;
server_name nummus.teier.eu;
return 301 https://$server_name:443$request_uri;
}
server {
listen 443;
server_name nummus.teier.eu;
ssl on;
ssl_certificate /etc/letsencrypt/live/teier.eu/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/teier.eu/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/teier.eu/fullchain.pem;
location / {
proxy_pass http://127.0.0.1:8082;
# Configuration for WebSockets
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_cache off;
# Configuration for ServerSentEvents
proxy_buffering off;
# Configuration for LongPolling or if your KeepAliveInterval is longer than 60 seconds
proxy_read_timeout 100s;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
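Review bot: `listen 443;` lacks the `ssl` parameter and relies on the deprecated `ssl on;` line below it, unlike the other two site files; make it `listen 443 ssl http2;` and delete `ssl on;` so the three sites agree and survive an nginx upgrade. `ssl_trusted_certificate` has no effect without `ssl_stapling on; ssl_stapling_verify on;` — add those or remove the line. Nothing in this block rate-limits requests to a `0.1-alpha` application's login page; a `limit_req` zone on `location /` would be a cheap safeguard.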

33
nginx/sites/website Normal file

@ -0,0 +1,33 @@
server {
listen 80;
server_name teier.eu www.teier.eu;
return 301 https://www.teier.eu:443$request_uri;
}
server {
listen 443 ssl http2;
server_name teier.eu www.teier.eu;
ssl on;
ssl_certificate /etc/letsencrypt/live/teier.eu/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/teier.eu/privkey.pem;
location / {
proxy_pass http://127.0.0.1:8080/;
proxy_redirect off;
proxy_pass_header Authorization;
proxy_set_header Referer $http_referer;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
proxy_request_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_ssl_session_reuse off;
}
}
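Review bot: `client_max_body_size 0` together with `proxy_read_timeout 36000s` removes every size and time bound on a public endpoint — an unauthenticated client can hold connections open for ten hours while streaming unlimited data at the backend, an easy resource-exhaustion vector; unless the upstream genuinely needs it, keep the global `10G` limit and a timeout in the minutes range. The upstream on `127.0.0.1:8080` is not defined anywhere in this commit (the `WORDPRESS_DB_PASSWORD` in template.env hints at what is planned), so nginx answers 502 until it exists. `proxy_ssl_session_reuse off` only affects `https://` upstreams and is a no-op here, and `ssl on;` is deprecated alongside `listen 443 ssl`.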

21
nummus/docker-compose.yml Normal file

@ -0,0 +1,21 @@
version: '2.4'
services:
nummus:
image: glenroy37/nummus:0.1-alpha
environment:
DB_HOST: mariadb
DB_USER: nummus
DB_PASSWORD: ${NUMMUS_DB_PASSWORD}
DB_NAME: nummus
DETAILED_ERRORS: "false"
LOCALE: de-AT
USER_REGISTRATION_ENABLED: "false"
networks:
- mariadb_net
ports:
- 8082:80
networks:
mariadb_net:
name: "mariadb_net"
external: true
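Review bot: `ports: - 8082:80` publishes the application on every interface, and Docker's published-port rules are evaluated in its own iptables chains rather than by ufw, so Nummus is reachable over plain HTTP on port 8082 in addition to the TLS proxy on 443; bind it to loopback, `- "127.0.0.1:8082:80"`, so only the host nginx can reach it. The image is a third-party alpha tag; pinning it by digest (`glenroy37/nummus@sha256:...`) protects against the tag being moved under you.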

47
nummus/init.yml Normal file

@ -0,0 +1,47 @@
---
- hosts: teier.eu
gather_facts: no
tasks:
- name: Install PyMySQL
shell: pip install PyMySQL
- name: Create database for Nummus
community.mysql.mysql_db:
login_user: root
login_password: "{{ lookup('env', 'MARIADB_ROOT_PASSWORD') }}"
name: nummus
state: present
- name: Create database user for Nummus
community.mysql.mysql_user:
login_user: root
login_password: "{{ lookup('env', 'MARIADB_ROOT_PASSWORD') }}"
host: "%"
name: "nummus"
password: "{{ lookup('env', 'NUMMUS_DB_PASSWORD') }}"
priv: 'nummus.*:ALL'
state: present
- name: Check dc directory
stat:
path: /dc/nummus
register: nummus_dc_dir_stat
- name: Create nummus dc directory
file:
path: /dc/nummus
state: directory
mode: 0755
group: root
owner: root
when: nummus_dc_dir_stat.islnk is not defined
- name: Copy compose file
copy:
src: docker-compose.yml
dest: /dc/nummus
- name: Start nummus
shell: "cd /dc/nummus && docker-compose up -d"
environment:
NUMMUS_DB_PASSWORD: "{{ lookup('env', 'NUMMUS_DB_PASSWORD') }}"
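Review bot: The `nummus` user is granted `host: "%"`, i.e. any source address, which matters because mariadb's compose file publishes 3306 on all interfaces; scope it to the container networks (`host: "172.%"` or the pinned subnet). `shell: pip install PyMySQL` is better as the `pip` module, and this playbook duplicates the whole database-bootstrap sequence of nextcloud/init.yml — a shared task file included with `db_name`/`db_password` variables keeps the two from drifting.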

8
nummus/start.yml Normal file

@ -0,0 +1,8 @@
---
- hosts: teier.eu
gather_facts: no
tasks:
- name: Start Nummus
shell: "cd /dc/nummus && docker-compose up -d"
environment:
NUMMUS_DB_PASSWORD: "{{ lookup('env', 'NUMMUS_DB_PASSWORD') }}"

6
nummus/stop.yml Normal file

@ -0,0 +1,6 @@
---
- hosts: teier.eu
gather_facts: no
tasks:
- name: Stop Nummus
shell: "cd /dc/nummus && docker-compose stop"

7
nummus/teardown.yml Normal file

@ -0,0 +1,7 @@
---
- hosts: teier.eu
gather_facts: no
tasks:
tasks:
- name: Start Nummus
shell: "cd /dc/nummus && docker-compose down"
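Review bot: `tasks:` appears twice (lines 5 and 6) — a duplicate key, or a nested mapping where a list is expected, depending on indentation this rendering has lost — and the task running `docker-compose down` is named `Start Nummus`. Remove the extra `tasks:` line and rename the task, e.g. `- name: Teardown Nummus`, so `ansible-playbook` output describes what actually happened.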

6
starbound/Dockerfile Normal file

@ -0,0 +1,6 @@
FROM debian:buster-slim
COPY ./binaries/ /starbound/
COPY ./docker-entrypoint.sh /
RUN apt install bash
EXPOSE 21025
ENTRYPOINT ["/bin/bash", "/docker-entrypoint.sh"]
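Review bot: `RUN apt install bash` runs without a preceding `apt-get update` on a `-slim` image that ships no package lists and without `-y`, and bash is already part of every Debian base image, so the line is at best a no-op and at worst a build failure; delete it. The game server — a binary supplied by the operator, not built here — runs as root with `/var/starbound-storage` bind-mounted; as in the minecraft image, create a user, `chown` `/starbound`, and add `USER starbound` before `ENTRYPOINT` (the host directory then needs matching ownership).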


@ -0,0 +1,9 @@
version: '2.4'
services:
starbound:
build:
context: .
volumes:
- /var/starbound-storage:/starbound/storage
ports:
- 21025:21025


@ -0,0 +1,3 @@
#!/bin/bash
cd /starbound/linux
./starbound_server
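Review bot: `./starbound_server` on the last line runs as a child of bash (PID 1), which does not forward SIGTERM, so `docker-compose stop` ends with a SIGKILL after the grace period and the server gets no chance to flush its storage; use `exec ./starbound_server`. Add `set -eu` so a failed `cd /starbound/linux` (e.g. an archive extracted with a different top-level directory) aborts instead of attempting to run `./starbound_server` from `/`.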

6
starbound/restart.yml Normal file

@ -0,0 +1,6 @@
---
- hosts: teier.eu
gather_facts: no
tasks:
- name: Restart starbound
shell: "cd /dc/starbound && docker-compose up -d"

60
starbound/start.yml Normal file

@ -0,0 +1,60 @@
---
- hosts: teier.eu
gather_facts: no
tasks:
- name: Check dc directory
stat:
path: /dc/starbound
register: starbound_dc_dir_stat
- name: Create starbound dc directory
file:
path: /dc/starbound
state: directory
mode: 0755
group: root
owner: root
when: starbound_dc_dir_stat.islnk is not defined
- name: Check binaries directory
stat:
path: /dc/starbound/binaries
register: starbound_binaries_dir_stat
- name: Create starbound binaries directory
file:
path: /dc/starbound/binaries
state: directory
mode: 0755
group: root
owner: root
when: starbound_binaries_dir_stat.islnk is not defined
- name: Copy compose file
copy:
src: docker-compose.yml
dest: /dc/starbound
- name: Copy Dockerfile
copy:
src: Dockerfile
dest: /dc/starbound
- name: Copy Docker entrypoint
copy:
src: docker-entrypoint.sh
dest: /dc/starbound
- name: Copy binaries
copy:
src: binaries/binaries.tar.gz
dest: /dc/starbound/binaries/binaries.tar.gz
- name: Extract binaries
shell: "cd /dc/starbound/binaries && tar -xzf binaries.tar.gz"
- name: Delete binaries archive
shell: "rm /dc/starbound/binaries/binaries.tar.gz"
- name: Start starbound
shell: "cd /dc/starbound && docker-compose up -d"
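Review bot: The binaries archive is copied, extracted with `tar -xzf` in a `shell` task and then deleted on every run, so the tarball is re-uploaded each time and the `copy` task can never report unchanged; the `unarchive` module with `creates: /dc/starbound/binaries/linux` does copy-and-extract in one idempotent step and handles extraction errors instead of leaving a half-extracted tree behind. As in minecraft/start.yml, `docker-compose up -d` does not rebuild the image, so new binaries are never picked up without `--build`. The archive comes from the operator's own machine and is trusted input, but dropping the `shell` tasks removes the only places here that run unquoted shell pipelines on the host.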

6
starbound/stop.yml Normal file

@ -0,0 +1,6 @@
---
- hosts: teier.eu
gather_facts: no
tasks:
- name: Restart starbound
shell: "cd /dc/starbound && docker-compose stop"

6
starbound/teardown.yml Normal file

@ -0,0 +1,6 @@
---
- hosts: teier.eu
gather_facts: no
tasks:
- name: Restart starbound
shell: "cd /dc/starbound && docker-compose down --rmi local"

5
start-mariadb.sh Normal file

@ -0,0 +1,5 @@
#!/bin/bash
source ./.env
[ -z "$MARIADB_ROOT_PASSWORD" ] && echo "MARIADB_ROOT_PASSWORD not set" && exit 1
ansible-playbook mariadb/start.yml
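Review bot: `source ./.env` defines `MARIADB_ROOT_PASSWORD` as a shell variable only; unless the file's lines are written as `export KEY=...` (template.env shows plain `KEY=`), the variable is not in the environment of `ansible-playbook`, and `lookup('env', 'MARIADB_ROOT_PASSWORD')` in mariadb/start.yml expands to an empty string while the guard on line 3 passes. Compose then hands the mariadb image an empty `MYSQL_ROOT_PASSWORD`, which its entrypoint should refuse to start with — and if it ever did start, it would be a passwordless root on a published port. Use `set -a; source ./.env; set +a` and add `set -euo pipefail` so a missing `.env` aborts the script.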

4
template.env Normal file

@ -0,0 +1,4 @@
MARIADB_ROOT_PASSWORD=
NEXTCLOUD_DB_PASSWORD=
NUMMUS_DB_PASSWORD=
WORDPRESS_DB_PASSWORD=

57
ufw/playbook-ufw.yml Normal file

@ -0,0 +1,57 @@
---
- name: Configure UFW
hosts: teier.eu
gather_facts: yes
tasks:
- name: Install ufw
apt: name=ufw state=latest
- name: Set logging
community.general.ufw:
logging: 'on'
- name: Allow SSH connections
community.general.ufw:
rule: allow
port: '4711'
proto: tcp
- name: Allow web server access
community.general.ufw:
rule: allow
port: '443'
proto: tcp
- name: Allow web server access
community.general.ufw:
rule: allow
port: '80'
proto: tcp
- name: Allow Minecraft
community.general.ufw:
rule: allow
port: '25565'
proto: tcp
- name: Allow Starbound
community.general.ufw:
rule: allow
port: '21025'
proto: tcp
- name: Allow all access from RFC1918 networks to this host
community.general.ufw:
rule: allow
src: '{{ item }}'
loop:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- name: Deny everything else and enable UFW
community.general.ufw:
state: enabled
policy: deny
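Review bot: The closing `policy: deny` does not cover the Docker-published ports in this repository (3306, 8081, 8082): Docker programs its own `DOCKER`/`DOCKER-USER` chains and NAT rules for published ports, which are consulted before ufw's INPUT policy, so MariaDB and both web apps are reachable from the Internet despite this play. Either bind those mappings to `127.0.0.1` in the compose files or add `DOCKER-USER` rules (the "ufw-docker" approach); at minimum document the gap next to the deny task. The blanket allow from the three RFC1918 ranges also grants every container on a Docker bridge (172.16.0.0/12) unrestricted access to all host services, which is broader than the containers need. For SSH on 4711, `rule: limit` instead of `allow` adds ufw's built-in rate limiting against password guessing.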