commit 9c9e8f09dad3539337d73c22d6ba80f7eb03b455 Author: ivan Date: Mon Aug 4 18:24:30 2025 +1000 04.08.25
diff --git a/backup_docker_volumes.yml b/backup_docker_volumes.yml
new file mode 100644
index 0000000..8ef644e
--- /dev/null
+++ b/backup_docker_volumes.yml
@@ -0,0 +1,17 @@
+---
+- name: Backup Docker volumes from remote server
+ hosts: all
+# become: yes
+ tasks:
+ - name: Ensure local backup directory exists
+ local_action: file
+ path=./backups
+ state=directory
+ mode=0755
+
+ - name: Synchronize /var/lib/docker/volumes to local ./backups
+ synchronize:
+ src: /var/lib/docker/volumes
+ dest: ./backups/
+ mode: pull
+ delete: no
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..2f96a25
--- /dev/null
+++ b/docker-compose.yml
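Review bot: The `synchronize` pull of `/var/lib/docker/volumes` runs without privilege escalation because `become: yes` is commented out, and that directory is root-only on a stock Docker host, so unless `ansible_user` is root the task will most likely fail with permission denied; `synchronize` does not escalate on the remote side by itself, so the documented fix is `rsync_path: "sudo rsync"` under the `synchronize:` args. The local `./backups` directory is created with `mode=0755` but will receive Synapse signing keys, SQLite databases and proxy-manager credentials, so it should be `mode: "0700"`. The `local_action: file path=./backups ...` key=value spelling and `delete: no` are the non-idiomatic forms; use native module args and `delete: false` so the octal mode and the truthy value are unambiguous.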
@@ -0,0 +1,103 @@
+# docker‑compose.yml (версия 3.8 – поддерживает named volumes и сетевые настройки)
+version: "3.8"
+
+services:
+ synapse:
+ image: matrixdotorg/synapse:latest
+ container_name: matrix_synapse
+ environment:
+ - SYNAPSE_SERVER_NAME=matrix.emsdata.ru
+ - SYNAPSE_REPORT_STATS=no
+ - TZ=Asia/Vladivostok
+ ports:
+ - "8008:8008" # HTTP (без TLS), используемый 뒤 federation/client API
+ - "8448:8448" # блок federation HTTPS (если понадобилось позже)
+ volumes:
+ - synapse_data:/data
+ restart: unless-stopped
+
+ drawio:
+ image: jgraph/drawio:latest
+ container_name: drawio
+ ports:
+ - "8080:8080" # Draw.io в браузере: http://host:8080
+ restart: unless-stopped
+
+ static-nginx:
+ image: nginx:alpine
+ container_name: nginx_static
+ ports:
+ - "8081:8081" # простой статический nginx без монтирования – откроется дефолтный index
+ restart: unless-stopped
+
+ npm-app:
+ image: 'jc21/nginx-proxy-manager:latest'
+ restart: unless-stopped
+ ports:
+ # These ports are in format :
+ - '80:80' # Public HTTP Port
+ - '443:443' # Public HTTPS Port
+ - '81:81' # Admin Web Port
+ # Add any other Stream port you want to expose
+ # - '21:21' # FTP
+ environment:
+ # Mysql/Maria connection parameters:
+ DB_MYSQL_HOST: "db"
+ DB_MYSQL_PORT: 3306
+ DB_MYSQL_USER: "npm"
+ DB_MYSQL_PASSWORD: "npm"
+ DB_MYSQL_NAME: "npm"
+ # Uncomment this if IPv6 is not enabled on your host
+ # DISABLE_IPV6: 'true'
+ volumes:
+ - ./npm_data:/data
+ - ./npm_letsencrypt:/etc/letsencrypt
+ depends_on:
+ - db
+
+ db:
+ image: 'jc21/mariadb-aria:latest'
+ restart: unless-stopped
+ environment:
+ MYSQL_ROOT_PASSWORD: 'npm'
+ MYSQL_DATABASE: 'npm'
+ MYSQL_USER: 'npm'
+ MYSQL_PASSWORD: 'npm'
+ MARIADB_AUTO_UPGRADE: '1'
+ volumes:
+ - ./mysql:/var/lib/mysql
+
+ gitea:
+ image: gitea/gitea:latest
+ container_name: gitea
+ environment:
+ - USER_UID=1000
+ - USER_GID=1000
+ volumes:
+ - ./gitea/data:/data
+ ports:
+ - "3000:3000"
+ - "2222:22"
+ restart: unless-stopped
+
+ wireguard:
+ image: lscr.io/linuxserver/wireguard:latest
+ container_name: wireguard_vpn
+ cap_add:
+ - NET_ADMIN
+ - SYS_MODULE
+ sysctls:
+ - net.ipv4.conf.all.src_valid_mark=1
+ ports:
+ - "51820:51820/udp"
+ volumes:
+ - wireguard_data:/config
+ restart: unless-stopped
+
+volumes:
+ synapse_data:
+ npm_data:
+ npm_letsencrypt:
+ wireguard_data:
+ nginx-site:
+ mysql:
diff --git a/first/docker-compose.yml b/first/docker-compose.yml
new file mode 100644
index 0000000..a73e7f7
--- /dev/null
+++ b/first/docker-compose.yml
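Review bot: The `npm-app` and `db` services in this hunk carry hard-coded credentials committed to the repository (`DB_MYSQL_PASSWORD: "npm"`, `MYSQL_ROOT_PASSWORD: 'npm'`, `MYSQL_PASSWORD: 'npm'`) next to a bind-mounted `./mysql` data directory; move them into a git-ignored `env_file`/`.env` and generate real passwords before this stack is started anywhere. Every published port binds to all interfaces, including the proxy-manager admin UI on 81, Gitea on 3000/2222 and Synapse's plaintext 8008 that the comment itself flags as no-TLS; Docker's own iptables rules handle published ports before ufw's default-deny from the firewall role in this commit applies, so bind management ports to loopback (`- '127.0.0.1:81:81'`) or use `expose:` and route through the proxy. The `static-nginx` mapping `"8081:8081"` targets a container port nginx:alpine does not listen on by default (it serves on 80), so the service will be reachable but refuse connections unless a custom config is mounted. `nginx-site` is declared under `volumes:` but never mounted, and every image is `:latest`, which makes the deploy non-reproducible and un-pinnable for security review.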
@@ -0,0 +1,79 @@
+# docker‑compose.yml (версия 3.8 – поддерживает named volumes и сетевые настройки)
+version: "3.8"
+
+services:
+ synapse:
+ image: matrixdotorg/synapse:latest
+ container_name: matrix_synapse
+ environment:
+ - SYNAPSE_SERVER_NAME=matrix.emsdata.ru
+ - SYNAPSE_REPORT_STATS=no
+ - TZ=Asia/Vladivostok
+ ports:
+ - "8008:8008" # HTTP (без TLS), используемый 뒤 federation/client API
+ - "8448:8448" # блок federation HTTPS (если понадобилось позже)
+ volumes:
+ - synapse_data:/data
+ restart: unless-stopped
+
+ drawio:
+ image: jgraph/drawio:latest
+ container_name: drawio
+ ports:
+ - "8080:8080" # Draw.io в браузере: http://host:8080
+ restart: unless-stopped
+
+ static-nginx:
+ image: nginx:alpine
+ container_name: nginx_static
+ ports:
+ - "8081:8081" # простой статический nginx без монтирования – откроется дефолтный index
+ volumes:
+ - ./nginx-site:/usr/share/nginx/html:ro
+ restart: unless-stopped
+
+ npm-app:
+ image: jc21/nginx-proxy-manager:latest
+ container_name: nginx_proxy_manager
+ ports:
+ - "81:81" # админка (login: admin@example.com / password: changeme)
+ - "80:80" # http proxy
+ - "443:443" # https proxy
+ volumes:
+ - npm_data:/data
+ - npm_letsencrypt:/etc/letsencrypt
+ restart: unless-stopped
+
+ gitea:
+ image: gitea/gitea:latest
+ container_name: gitea
+ environment:
+ - USER_UID=1000
+ - USER_GID=1000
+ volumes:
+ - ./gitea/data:/data
+ ports:
+ - "3000:3000"
+ - "2222:22"
+ restart: unless-stopped
+
+ wireguard:
+ image: lscr.io/linuxserver/wireguard:latest
+ container_name: wireguard_vpn
+ cap_add:
+ - NET_ADMIN
+ - SYS_MODULE
+ sysctls:
+ - net.ipv4.conf.all.src_valid_mark=1
+ ports:
+ - "51820:51820/udp"
+ volumes:
+ - wireguard_data:/config
+ restart: unless-stopped
+
+volumes:
+ synapse_data:
+ npm_data:
+ npm_letsencrypt:
+ wireguard_data:
+ nginx-site:
diff --git a/first_deploy_compose.yml b/first_deploy_compose.yml
new file mode 100644
index 0000000..c746877
--- /dev/null
+++ b/first_deploy_compose.yml
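Review bot: The proxy-manager admin UI is published as `"81:81"` on every interface while the inline comment records the well-known default login `admin@example.com / changeme`, so the window between first boot and the password change is exposed to the whole network; publish it on loopback (`- "127.0.0.1:81:81"`) and have the comment say the default must be changed on first login rather than advertise it. The same concern applies to Synapse's plaintext `"8008:8008"`: the `homeserver.yaml` committed in this same commit sets `x_forwarded: true` on that listener, so any client reaching 8008 directly can spoof `X-Forwarded-For` and evade per-IP rate limiting, which is only safe if 8008 is reachable solely from the reverse proxy (`expose:` or a loopback bind). `static-nginx` maps `"8081:8081"` but nginx:alpine listens on 80 by default, so this should be `"8081:80"` unless a custom `nginx.conf` is mounted, which it is not. The `wireguard` service grants `SYS_MODULE`; if the host kernel already ships the wireguard module the capability can be dropped, which is worth confirming on the target.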
@@ -0,0 +1,40 @@
+- name: Deploy docker-compose stack
+ hosts: all
+ become: true
+
+ vars:
+ compose_dir: /opt/docker
+
+ tasks:
+ - name: Ensure compose directory exists
+ file:
+ path: "{{ compose_dir }}"
+ state: directory
+
+ - name: Copy docker-compose.yml
+ copy:
+ src: first/docker-compose.yml
+ dest: "{{ compose_dir }}/docker-compose.yml"
+
+# - name: Copy config.json for Element
+# copy:
+# src: files/config.json
+# dest: "{{ compose_dir }}/element/config.json"
+# owner: "{{ ansible_user }}"
+# group: "{{ ansible_user }}"
+# mode: '0644'
+# when: ansible_facts['os_family'] == "Debian"
+ - name: Pull package
+ command: docker compose pull
+ args:
+ chdir: "{{ compose_dir }}"
+
+ - name: Generate synapse
+ command: docker compose run --rm synapse generate
+ args:
+ chdir: "{{ compose_dir }}"
+
+ - name: Launch docker-compose
+ command: docker compose up -d
+ args:
+ chdir: "{{ compose_dir }}"
diff --git a/global/docker-compose.yml b/global/docker-compose.yml
new file mode 100644
index 0000000..a73e7f7
--- /dev/null
+++ b/global/docker-compose.yml
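Review bot: The three `command:` tasks (`docker compose pull`, `docker compose run --rm synapse generate`, `docker compose up -d`) run unconditionally on every play, so the playbook is never idempotent and `generate` is re-executed against an existing data volume each time; add `changed_when: false` to the pull, guard `generate` with a check that the config does not already exist in the volume (whether `generate` overwrites an existing `homeserver.yaml` is not visible here and should be confirmed before relying on it), and prefer `community.docker.docker_compose_v2` for the up. The `copy` task sets no `owner`/`mode`, so a compose variant holding database passwords (the root `docker-compose.yml` in this commit does) lands world-readable under `/opt/docker`; set `mode: "0640"` on the copy and a mode on the directory task. This playbook also requires the Compose v2 CLI plugin (`docker compose`), which the `docker` role in this commit does not install (it pulls the v1 `docker-compose` package), so on a freshly provisioned host the pull step will most likely fail with an unknown-command error.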
@@ -0,0 +1,79 @@
+# docker‑compose.yml (версия 3.8 – поддерживает named volumes и сетевые настройки)
+version: "3.8"
+
+services:
+ synapse:
+ image: matrixdotorg/synapse:latest
+ container_name: matrix_synapse
+ environment:
+ - SYNAPSE_SERVER_NAME=matrix.emsdata.ru
+ - SYNAPSE_REPORT_STATS=no
+ - TZ=Asia/Vladivostok
+ ports:
+ - "8008:8008" # HTTP (без TLS), используемый 뒤 federation/client API
+ - "8448:8448" # блок federation HTTPS (если понадобилось позже)
+ volumes:
+ - synapse_data:/data
+ restart: unless-stopped
+
+ drawio:
+ image: jgraph/drawio:latest
+ container_name: drawio
+ ports:
+ - "8080:8080" # Draw.io в браузере: http://host:8080
+ restart: unless-stopped
+
+ static-nginx:
+ image: nginx:alpine
+ container_name: nginx_static
+ ports:
+ - "8081:8081" # простой статический nginx без монтирования – откроется дефолтный index
+ volumes:
+ - ./nginx-site:/usr/share/nginx/html:ro
+ restart: unless-stopped
+
+ npm-app:
+ image: jc21/nginx-proxy-manager:latest
+ container_name: nginx_proxy_manager
+ ports:
+ - "81:81" # админка (login: admin@example.com / password: changeme)
+ - "80:80" # http proxy
+ - "443:443" # https proxy
+ volumes:
+ - npm_data:/data
+ - npm_letsencrypt:/etc/letsencrypt
+ restart: unless-stopped
+
+ gitea:
+ image: gitea/gitea:latest
+ container_name: gitea
+ environment:
+ - USER_UID=1000
+ - USER_GID=1000
+ volumes:
+ - ./gitea/data:/data
+ ports:
+ - "3000:3000"
+ - "2222:22"
+ restart: unless-stopped
+
+ wireguard:
+ image: lscr.io/linuxserver/wireguard:latest
+ container_name: wireguard_vpn
+ cap_add:
+ - NET_ADMIN
+ - SYS_MODULE
+ sysctls:
+ - net.ipv4.conf.all.src_valid_mark=1
+ ports:
+ - "51820:51820/udp"
+ volumes:
+ - wireguard_data:/config
+ restart: unless-stopped
+
+volumes:
+ synapse_data:
+ npm_data:
+ npm_letsencrypt:
+ wireguard_data:
+ nginx-site:
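Review bot: This file is byte-identical to `first/docker-compose.yml` (both headers show blob `a73e7f7`) while the root `docker-compose.yml` has already diverged with a different proxy-manager setup, so three copies of the same stack will drift and fixes applied to one will be missed in the others; keep one compose file and express per-environment differences with a `docker-compose.override.yml` or variables. The points raised on the `first/` copy apply here verbatim: admin port 81 and plaintext Synapse 8008 bound to all interfaces, and `"8081:8081"` mapping a container port nginx:alpine does not listen on. The `global/synapse/_data` directory tracked in this same commit suggests this copy is the one that was actually run; if so, the data that the `synapse_data` volume holds should be git-ignored rather than committed alongside it.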
diff --git a/global/synapse/_data/homeserver.db b/global/synapse/_data/homeserver.db
new file mode 100644
index 0000000..6346e76
Binary files /dev/null and b/global/synapse/_data/homeserver.db differ
diff --git a/global/synapse/_data/homeserver.db-shm b/global/synapse/_data/homeserver.db-shm
new file mode 100644
index 0000000..fe9ac28
Binary files /dev/null and b/global/synapse/_data/homeserver.db-shm differ
diff --git a/global/synapse/_data/homeserver.db-wal b/global/synapse/_data/homeserver.db-wal
new file mode 100644
index 0000000..e69de29
diff --git a/global/synapse/_data/homeserver.yaml b/global/synapse/_data/homeserver.yaml
new file mode 100644
index 0000000..052da98
--- /dev/null
+++ b/global/synapse/_data/homeserver.yaml
@@ -0,0 +1,35 @@
+# Configuration file for Synapse.
+#
+# This is a YAML file: see [1] for a quick introduction. Note in particular
+# that *indentation is important*: all the elements of a list or dictionary
+# should have the same indentation.
+#
+# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
+#
+# For more information on how to configure Synapse, including a complete accounting of
+# each option, go to docs/usage/configuration/config_documentation.md or
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
+server_name: "matrix.emsdata.ru"
+pid_file: /data/homeserver.pid
+listeners:
+ - port: 8008
+ tls: false
+ type: http
+ x_forwarded: true
+ resources:
+ - names: [client, federation]
+ compress: false
+database:
+ name: sqlite3
+ args:
+ database: /data/homeserver.db
+log_config: "/data/matrix.local.log.config"
+media_store_path: /mnt/media_store
+registration_shared_secret: "CKXLZlHyBol:m0.;ZTt2xo8kP8Sx=n2vlz3yAkD94.=I~WUyyO"
+report_stats: true
+macaroon_secret_key: "8Re-vQZ4jDF7J3CzWk7:REH7F-B&T7BaJCAQ+tOLvPYXNCm+LE"
+form_secret: "VIl0~Qhicl_O.HTDG07-ffEB+Vh&wS=3+F81@n8krCvl-FCGhq"
+signing_key_path: "/data/matrix.local.signing.key"
+trusted_key_servers:
+ - server_name: "matrix.org"
+
diff --git a/global/synapse/_data/matrix.local.log.config b/global/synapse/_data/matrix.local.log.config
new file mode 100644
index 0000000..832f0fa
--- /dev/null
+++ b/global/synapse/_data/matrix.local.log.config
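Review bot: This committed `homeserver.yaml` contains live secrets in plaintext — `registration_shared_secret`, `macaroon_secret_key` and `form_secret` — and the same commit adds the SQLite `homeserver.db` (with its `-shm`/`-wal` companions) and the ed25519 signing key beside it, so all of them must be treated as compromised: regenerate the three secrets (which invalidates existing sessions and macaroons), roll the signing key, purge these files from history, and add `**/_data/` and `*.db*` to `.gitignore`. `media_store_path: /mnt/media_store` points outside the `/data` volume that the compose files in this commit mount, so uploaded media lives only in the container's writable layer and is lost on recreate; use `/data/media_store`. `x_forwarded: true` on the 8008 listener is correct only when that listener is reachable exclusively through the reverse proxy, which the compose files' `"8008:8008"` host binding does not guarantee — a direct client can forge `X-Forwarded-For` and evade per-IP rate limits. `report_stats: true` also contradicts `SYNAPSE_REPORT_STATS=no` in the compose environment; whichever is intended, the two should agree.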
@@ -0,0 +1,39 @@
+version: 1
+
+formatters:
+ precise:
+
+ format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+
+handlers:
+
+
+ console:
+ class: logging.StreamHandler
+ formatter: precise
+
+loggers:
+ # This is just here so we can leave `loggers` in the config regardless of whether
+ # we configure other loggers below (avoid empty yaml dict error).
+ _placeholder:
+ level: "INFO"
+
+
+
+ synapse.storage.SQL:
+ # beware: increasing this to DEBUG will make synapse log sensitive
+ # information such as access tokens.
+ level: INFO
+
+
+
+
+root:
+ level: INFO
+
+
+ handlers: [console]
+
+
+disable_existing_loggers: false
\ No newline at end of file
diff --git a/global/synapse/_data/matrix.local.signing.key b/global/synapse/_data/matrix.local.signing.key
new file mode 100644
index 0000000..d8f1149
--- /dev/null
+++ b/global/synapse/_data/matrix.local.signing.key
@@ -0,0 +1,2 @@
+ed25519 a_OpCO qscj9MgiLTtRQIy2bmXYgTPGSMBfWisbrz1mqfFJ4uI
+
diff --git a/install-docker-compose-and-ufw-playbook.yaml b/install-docker-compose-and-ufw-playbook.yaml
new file mode 100644
index 0000000..386035d
--- /dev/null
+++ b/install-docker-compose-and-ufw-playbook.yaml
@@ -0,0 +1,21 @@
+---
+#- hosts: all
+# remote_user: Student121
+# become: yes
+# tasks:
+# - name: Copy file with owner and permissions
+# ansible.builtin.copy:
+# src: /home/ivan/git/homework2
+# dest: /home/student121
+# owner: student121
+# group: student121
+# mode: "0644"
+
+- name: Setup server with Docker and firewall
+ hosts: all
+ become: true
+ roles:
+ - docker
+ - firewall
+ - fail2ban
+ - rsync
diff --git a/inventory.ini b/inventory.ini
new file mode 100644
index 0000000..08335ae
--- /dev/null
+++ b/inventory.ini
@@ -0,0 +1,2 @@
+[servers]
+myserver ansible_host=192.168.1.208 ansible_user=ivan
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
new file mode 100644
index 0000000..f506964
--- /dev/null
+++ b/roles/docker/tasks/main.yml
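Review bot: `matrix.local.signing.key` is the homeserver's ed25519 private federation signing key, and committing it means anyone with this repository can sign events and device keys as `matrix.emsdata.ru`; it has to be rotated, not just deleted from the tree. Generate a fresh key, keep the old key's public half under `old_signing_keys` with an `expired_ts` so already-signed events still verify, rewrite history to drop this blob, and add the key file (and the rest of `global/synapse/_data/`) to `.gitignore`. The `matrix.local` filename does not match the `server_name` `matrix.emsdata.ru` in the adjacent `homeserver.yaml`, which suggests the key was generated for a different `SYNAPSE_SERVER_NAME` and then reused; worth confirming while rotating.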
@@ -0,0 +1,26 @@
+- name: Install required packages
+ apt:
+ name: [ "apt-transport-https", "ca-certificates", "curl", "software-properties-common" ]
+ update_cache: true
+
+- name: Add Docker GPG key
+ apt_key:
+ url: https://download.docker.com/linux/ubuntu/gpg
+ state: present
+
+- name: Add Docker repository
+ apt_repository:
+ repo: deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable
+
+- name: Install Docker
+ apt:
+ name: [ "docker-ce", "docker-compose" ]
+ state: latest
+ update_cache: true
+
+- name: Enable Docker service
+ systemd:
+ name: docker
+ enabled: true
+ state: started
+
diff --git a/roles/fail2ban/defaults/main.yml b/roles/fail2ban/defaults/main.yml
new file mode 100644
index 0000000..cee32bc
--- /dev/null
+++ b/roles/fail2ban/defaults/main.yml
@@ -0,0 +1,9 @@
+fail2ban_sshd_enabled: true
+fail2ban_nginx_enabled: true
+
+fail2ban_sshd_maxretry: 5
+fail2ban_sshd_bantime: 3600
+
+fail2ban_nginx_maxretry: 5
+fail2ban_nginx_bantime: 3600
+
diff --git a/roles/fail2ban/handlers/main.yml b/roles/fail2ban/handlers/main.yml
new file mode 100644
index 0000000..1fd4f27
--- /dev/null
+++ b/roles/fail2ban/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: Restart fail2ban
+ service:
+ name: fail2ban
+ state: restarted
+
diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml
new file mode 100644
index 0000000..65bf5d4
--- /dev/null
+++ b/roles/fail2ban/tasks/main.yml
@@ -0,0 +1,26 @@
+- name: Install fail2ban
+ apt:
+ name: fail2ban
+ state: present
+ update_cache: true
+
+- name: Configure jail.local
+ template:
+ src: jail.local.j2
+ dest: /etc/fail2ban/jail.local
+ mode: 0644
+ notify: Restart fail2ban
+
+- name: Configure nginx filter
+ template:
+ src: nginx.conf.j2
+ dest: /etc/fail2ban/filter.d/nginx-http-auth.conf
+ mode: 0644
+ when: fail2ban_nginx_enabled
+
+- name: Ensure fail2ban is running
+ service:
+ name: fail2ban
+ state: started
+ enabled: true
+
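Review bot: The `Install Docker` task installs the distribution's `docker-compose` (v1) package, but `first_deploy_compose.yml` in this commit uses the v2 plugin syntax `docker compose pull`, which is not provided by that package; change the list to `name: [ "docker-ce", "docker-ce-cli", "containerd.io", "docker-compose-plugin" ]` and use `state: present` instead of `latest` so a routine run cannot silently upgrade the container runtime on a production host. The repository line hard-codes `focal` and `amd64` regardless of the target, so on a jammy/noble or arm64 host it will pull the wrong builds; derive the release from `{{ ansible_distribution_release }}` and the architecture from `{{ ansible_architecture }}` (mapped to `amd64`/`arm64`). `apt_key` writes to the legacy global keyring that apt deprecates on 22.04+ and trusts the key for every repository; fetch it with `get_url` into `/etc/apt/keyrings/docker.asc` and scope it with `[arch=... signed-by=/etc/apt/keyrings/docker.asc]` in the repo line.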
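Review bot: The `Configure nginx filter` task overwrites fail2ban's packaged `/etc/fail2ban/filter.d/nginx-http-auth.conf` with the project template, and that template's `failregex` (in this same commit) has no `<HOST>` tag, so fail2ban cannot extract an address to ban and will reject the filter at jail start — the stock filter is lost and nothing works in its place. Either drop this task and rely on the packaged filter, or write the template under a new name such as `nginx-http-auth-local.conf` and select it with `filter = nginx-http-auth-local` in the jail. The task also carries no `notify: Restart fail2ban`, so a filter-only change is never picked up until something else restarts the service; add the same handler as the `jail.local` task. `mode: 0644` is an unquoted octal and should be `mode: "0644"` so YAML cannot reinterpret it.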
diff --git a/roles/fail2ban/templates/jail.local.j2 b/roles/fail2ban/templates/jail.local.j2
new file mode 100644
index 0000000..e343391
--- /dev/null
+++ b/roles/fail2ban/templates/jail.local.j2
@@ -0,0 +1,14 @@
+[sshd]
+enabled = {{ 'true' if fail2ban_sshd_enabled else 'false' }}
+port = ssh
+logpath = %(sshd_log)s
+maxretry = {{ fail2ban_sshd_maxretry }}
+bantime = {{ fail2ban_sshd_bantime }}
+
+[nginx-http-auth]
+enabled = {{ 'true' if fail2ban_nginx_enabled else 'false' }}
+port = http,https
+logpath = /var/log/nginx/error.log
+maxretry = {{ fail2ban_nginx_maxretry }}
+bantime = {{ fail2ban_nginx_bantime }}
+
diff --git a/roles/fail2ban/templates/nginx.conf.j2 b/roles/fail2ban/templates/nginx.conf.j2
new file mode 100644
index 0000000..e62a786
--- /dev/null
+++ b/roles/fail2ban/templates/nginx.conf.j2
@@ -0,0 +1,4 @@
+[Definition]
+failregex = no user/password was provided for basic authentication.*client:
+ignoreregex =
+
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
new file mode 100644
index 0000000..36619c9
--- /dev/null
+++ b/roles/firewall/tasks/main.yml
@@ -0,0 +1,23 @@
+- name: Install ufw
+ apt:
+ name: ufw
+ state: present
+
+- name: Allow SSH
+ ufw:
+ rule: allow
+ port: 22
+
+- name: Allow HTTP/HTTPS
+ ufw:
+ rule: allow
+ port: "{{ item }}"
+ loop:
+ - 80
+ - 443
+
+- name: Deny all others
+ ufw:
+ state: enabled
+ policy: deny
+
diff --git a/roles/rsync/defaults/main.yml b/roles/rsync/defaults/main.yml
new file mode 100644
index 0000000..aa604ea
--- /dev/null
+++ b/roles/rsync/defaults/main.yml
@@ -0,0 +1,3 @@
+rsync_packages:
+ - rsync
+
diff --git a/roles/rsync/tasks/main.yml b/roles/rsync/tasks/main.yml
new file mode 100644
index 0000000..3cd1f9e
--- /dev/null
+++ b/roles/rsync/tasks/main.yml
@@ -0,0 +1,6 @@
+- name: Install rsync
+ apt:
+ name: "{{ rsync_packages }}"
+ state: present
+ update_cache: true
+
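Review bot: `[nginx-http-auth]` is enabled by default (`fail2ban_nginx_enabled: true`) with `logpath = /var/log/nginx/error.log`, but every nginx in this commit runs inside a container (`nginx-proxy-manager`, `nginx:alpine`) whose logs are not written to that host path, so fail2ban will most likely report the jail's log file as missing and refuse to start the jail — and even a working jail would be banning clients of a host nginx that does not exist. Either bind-mount the proxy-manager's log directory to the host and point `logpath` there, or default `fail2ban_nginx_enabled: false` until that is wired up. The `{{ 'true' if ... else 'false' }}` construct can simply be `enabled = {{ fail2ban_sshd_enabled | lower }}`, and a `[DEFAULT]` section carrying `ignoreip` (at least the WireGuard subnet, since `wireguard` is deployed alongside) and `findtime` would keep an operator from banning their own admin path.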
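Review bot: The `failregex` in this template has no `<HOST>` tag, so fail2ban has nothing to ban on a match and rejects the filter when the jail starts; the trailing `.*client:` also swallows the address instead of capturing it. The minimal working form is `failregex = no user/password was provided for basic authentication, client: <HOST>,`, which matches nginx's error-log wording and captures the client address. Since the packaged fail2ban already ships a filter under this exact name with that pattern, the better fix is to not ship a filter at all.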
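Review bot: The `Deny all others` policy does not cover the services this commit actually deploys: Docker handles published ports in its own iptables chains before ufw's `INPUT` default-deny is consulted, so 81, 3000, 2222, 8008, 8080, 8081 and 51820/udp from the compose files stay reachable from outside regardless of this role — and conversely the role never allows 51820/udp, so WireGuard only works today because ufw is being bypassed. Record the limitation where the next maintainer will see it, e.g. `# NOTE: ufw does not filter Docker-published ports; bind admin ports to 127.0.0.1 in compose or use the ufw-docker after.rules approach`, and pick one of those two controls deliberately. The allow rules should also carry `proto: tcp` (and an explicit `port: 51820`/`proto: udp` rule if the VPN is meant to be reachable), and the SSH rule is a good place for a `src:` restriction to the admin network if one is known.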