04.08.25

backup_docker_volumes.yml

@@ -0,0 +1,17 @@
+---
+- name: Backup Docker volumes from remote server
+  hosts: all
+#  become: yes
+  tasks:
+    - name: Ensure local backup directory exists
+      local_action: file
+        path=./backups
+        state=directory
+        mode=0755
+
+    - name: Synchronize /var/lib/docker/volumes to local ./backups
+      synchronize:
+        src: /var/lib/docker/volumes
+        dest: ./backups/
+        mode: pull
+        delete: no

docker-compose.yml

@@ -0,0 +1,103 @@
+# docker‑compose.yml (версия 3.8 – поддерживает named volumes и сетевые настройки)
+version: "3.8"
+
+services:
+  synapse:
+    image: matrixdotorg/synapse:latest
+    container_name: matrix_synapse
+    environment:
+      - SYNAPSE_SERVER_NAME=matrix.emsdata.ru
+      - SYNAPSE_REPORT_STATS=no
+      - TZ=Asia/Vladivostok
+    ports:
+      - "8008:8008"     # HTTP (без TLS), используемый 뒤 federation/client API
+      - "8448:8448"     # блок federation HTTPS (если понадобилось позже)
+    volumes:
+      - synapse_data:/data
+    restart: unless-stopped
+
+  drawio:
+    image: jgraph/drawio:latest
+    container_name: drawio
+    ports:
+      - "8080:8080"     # Draw.io в браузере: http://host:8080
+    restart: unless-stopped
+
+  static-nginx:
+    image: nginx:alpine
+    container_name: nginx_static
+    ports:
+      - "8081:8081"       # простой статический nginx без монтирования – откроется дефолтный index
+    restart: unless-stopped
+
+  npm-app:
+    image: 'jc21/nginx-proxy-manager:latest'
+    restart: unless-stopped
+    ports:
+      # These ports are in format <host-port>:<container-port>
+      - '80:80' # Public HTTP Port
+      - '443:443' # Public HTTPS Port
+      - '81:81' # Admin Web Port
+      # Add any other Stream port you want to expose
+      # - '21:21' # FTP
+    environment:
+      # Mysql/Maria connection parameters:
+      DB_MYSQL_HOST: "db"
+      DB_MYSQL_PORT: 3306
+      DB_MYSQL_USER: "npm"
+      DB_MYSQL_PASSWORD: "npm"
+      DB_MYSQL_NAME: "npm"
+      # Uncomment this if IPv6 is not enabled on your host
+      # DISABLE_IPV6: 'true'
+    volumes:
+      - ./npm_data:/data
+      - ./npm_letsencrypt:/etc/letsencrypt
+    depends_on:
+      - db
+
+  db:
+    image: 'jc21/mariadb-aria:latest'
+    restart: unless-stopped
+    environment:
+      MYSQL_ROOT_PASSWORD: 'npm'
+      MYSQL_DATABASE: 'npm'
+      MYSQL_USER: 'npm'
+      MYSQL_PASSWORD: 'npm'
+      MARIADB_AUTO_UPGRADE: '1'
+    volumes:
+      - ./mysql:/var/lib/mysql
+
+  gitea:
+    image: gitea/gitea:latest
+    container_name: gitea
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+    volumes:
+      - ./gitea/data:/data
+    ports:
+      - "3000:3000"
+      - "2222:22"
+    restart: unless-stopped
+
+  wireguard:
+    image: lscr.io/linuxserver/wireguard:latest
+    container_name: wireguard_vpn
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv4.conf.all.src_valid_mark=1
+    ports:
+      - "51820:51820/udp"
+    volumes:
+      - wireguard_data:/config
+    restart: unless-stopped
+
+volumes:
+  synapse_data:
+  npm_data:
+  npm_letsencrypt:
+  wireguard_data:
+  nginx-site:
+  mysql:

first/docker-compose.yml

@@ -0,0 +1,79 @@
+# docker‑compose.yml (версия 3.8 – поддерживает named volumes и сетевые настройки)
+version: "3.8"
+
+services:
+  synapse:
+    image: matrixdotorg/synapse:latest
+    container_name: matrix_synapse
+    environment:
+      - SYNAPSE_SERVER_NAME=matrix.emsdata.ru
+      - SYNAPSE_REPORT_STATS=no
+      - TZ=Asia/Vladivostok
+    ports:
+      - "8008:8008"     # HTTP (без TLS), используемый 뒤 federation/client API
+      - "8448:8448"     # блок federation HTTPS (если понадобилось позже)
+    volumes:
+      - synapse_data:/data
+    restart: unless-stopped
+
+  drawio:
+    image: jgraph/drawio:latest
+    container_name: drawio
+    ports:
+      - "8080:8080"     # Draw.io в браузере: http://host:8080
+    restart: unless-stopped
+
+  static-nginx:
+    image: nginx:alpine
+    container_name: nginx_static
+    ports:
+      - "8081:8081"       # простой статический nginx без монтирования – откроется дефолтный index
+    volumes:
+      - ./nginx-site:/usr/share/nginx/html:ro
+    restart: unless-stopped
+
+  npm-app:
+    image: jc21/nginx-proxy-manager:latest
+    container_name: nginx_proxy_manager
+    ports:
+      - "81:81"  # админка (login: admin@example.com / password: changeme)
+      - "80:80"  # http proxy
+      - "443:443" # https proxy
+    volumes:
+      - npm_data:/data
+      - npm_letsencrypt:/etc/letsencrypt
+    restart: unless-stopped
+
+  gitea:
+    image: gitea/gitea:latest
+    container_name: gitea
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+    volumes:
+      - ./gitea/data:/data
+    ports:
+      - "3000:3000"
+      - "2222:22"
+    restart: unless-stopped
+
+  wireguard:
+    image: lscr.io/linuxserver/wireguard:latest
+    container_name: wireguard_vpn
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv4.conf.all.src_valid_mark=1
+    ports:
+      - "51820:51820/udp"
+    volumes:
+      - wireguard_data:/config
+    restart: unless-stopped
+
+volumes:
+  synapse_data:
+  npm_data:
+  npm_letsencrypt:
+  wireguard_data:
+  nginx-site:

first_deploy_compose.yml

@@ -0,0 +1,40 @@
+- name: Deploy docker-compose stack
+  hosts: all
+  become: true
+
+  vars:
+    compose_dir: /opt/docker
+
+  tasks:
+    - name: Ensure compose directory exists
+      file:
+        path: "{{ compose_dir }}"
+        state: directory
+
+    - name: Copy docker-compose.yml
+      copy:
+        src: first/docker-compose.yml
+        dest: "{{ compose_dir }}/docker-compose.yml"
+
+#    - name: Copy config.json for Element
+#      copy:
+#        src: files/config.json
+#        dest: "{{ compose_dir }}/element/config.json"
+#        owner: "{{ ansible_user }}"
+#        group: "{{ ansible_user }}"
+#        mode: '0644'
+#      when: ansible_facts['os_family'] == "Debian"
+    - name: Pull package
+      command: docker compose pull
+      args:
+        chdir: "{{ compose_dir }}"
+
+    - name: Generate synapse
+      command: docker compose run --rm synapse generate
+      args:
+        chdir: "{{ compose_dir }}"
+
+    - name: Launch docker-compose
+      command: docker compose up -d
+      args:
+        chdir: "{{ compose_dir }}"

global/docker-compose.yml

@@ -0,0 +1,79 @@
+# docker‑compose.yml (версия 3.8 – поддерживает named volumes и сетевые настройки)
+version: "3.8"
+
+services:
+  synapse:
+    image: matrixdotorg/synapse:latest
+    container_name: matrix_synapse
+    environment:
+      - SYNAPSE_SERVER_NAME=matrix.emsdata.ru
+      - SYNAPSE_REPORT_STATS=no
+      - TZ=Asia/Vladivostok
+    ports:
+      - "8008:8008"     # HTTP (без TLS), используемый 뒤 federation/client API
+      - "8448:8448"     # блок federation HTTPS (если понадобилось позже)
+    volumes:
+      - synapse_data:/data
+    restart: unless-stopped
+
+  drawio:
+    image: jgraph/drawio:latest
+    container_name: drawio
+    ports:
+      - "8080:8080"     # Draw.io в браузере: http://host:8080
+    restart: unless-stopped
+
+  static-nginx:
+    image: nginx:alpine
+    container_name: nginx_static
+    ports:
+      - "8081:8081"       # простой статический nginx без монтирования – откроется дефолтный index
+    volumes:
+      - ./nginx-site:/usr/share/nginx/html:ro
+    restart: unless-stopped
+
+  npm-app:
+    image: jc21/nginx-proxy-manager:latest
+    container_name: nginx_proxy_manager
+    ports:
+      - "81:81"  # админка (login: admin@example.com / password: changeme)
+      - "80:80"  # http proxy
+      - "443:443" # https proxy
+    volumes:
+      - npm_data:/data
+      - npm_letsencrypt:/etc/letsencrypt
+    restart: unless-stopped
+
+  gitea:
+    image: gitea/gitea:latest
+    container_name: gitea
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+    volumes:
+      - ./gitea/data:/data
+    ports:
+      - "3000:3000"
+      - "2222:22"
+    restart: unless-stopped
+
+  wireguard:
+    image: lscr.io/linuxserver/wireguard:latest
+    container_name: wireguard_vpn
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv4.conf.all.src_valid_mark=1
+    ports:
+      - "51820:51820/udp"
+    volumes:
+      - wireguard_data:/config
+    restart: unless-stopped
+
+volumes:
+  synapse_data:
+  npm_data:
+  npm_letsencrypt:
+  wireguard_data:
+  nginx-site:

global/synapse/_data/homeserver.yaml

@@ -0,0 +1,35 @@
+# Configuration file for Synapse.
+#
+# This is a YAML file: see [1] for a quick introduction. Note in particular
+# that *indentation is important*: all the elements of a list or dictionary
+# should have the same indentation.
+#
+# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
+#
+# For more information on how to configure Synapse, including a complete accounting of
+# each option, go to docs/usage/configuration/config_documentation.md or
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
+server_name: "matrix.emsdata.ru"
+pid_file: /data/homeserver.pid
+listeners:
+  - port: 8008
+    tls: false
+    type: http
+    x_forwarded: true
+    resources:
+      - names: [client, federation]
+        compress: false
+database:
+  name: sqlite3
+  args:
+    database: /data/homeserver.db
+log_config: "/data/matrix.local.log.config"
+media_store_path: /mnt/media_store
+registration_shared_secret: "CKXLZlHyBol:m0.;ZTt2xo8kP8Sx=n2vlz3yAkD94.=I~WUyyO"
+report_stats: true
+macaroon_secret_key: "8Re-vQZ4jDF7J3CzWk7:REH7F-B&T7BaJCAQ+tOLvPYXNCm+LE"
+form_secret: "VIl0~Qhicl_O.HTDG07-ffEB+Vh&wS=3+F81@n8krCvl-FCGhq"
+signing_key_path: "/data/matrix.local.signing.key"
+trusted_key_servers:
+  - server_name: "matrix.org"
+

global/synapse/_data/matrix.local.log.config

@@ -0,0 +1,39 @@
+version: 1
+
+formatters:
+  precise:
+    
+    format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+    
+
+handlers:
+
+
+  console:
+    class: logging.StreamHandler
+    formatter: precise
+
+loggers:
+    # This is just here so we can leave `loggers` in the config regardless of whether
+    # we configure other loggers below (avoid empty yaml dict error).
+    _placeholder:
+        level: "INFO"
+
+    
+    
+    synapse.storage.SQL:
+        # beware: increasing this to DEBUG will make synapse log sensitive
+        # information such as access tokens.
+        level: INFO
+    
+
+    
+
+root:
+    level: INFO
+
+
+    handlers: [console]
+
+
+disable_existing_loggers: false

global/synapse/_data/matrix.local.signing.key

@@ -0,0 +1,2 @@
+ed25519 a_OpCO qscj9MgiLTtRQIy2bmXYgTPGSMBfWisbrz1mqfFJ4uI
+

install-docker-compose-and-ufw-playbook.yaml

@@ -0,0 +1,21 @@
+---
+#- hosts: all
+#  remote_user: Student121
+#  become: yes
+#  tasks:
+#    - name: Copy file with owner and permissions
+#      ansible.builtin.copy:
+#        src: /home/ivan/git/homework2
+#        dest: /home/student121
+#        owner: student121
+#        group: student121
+#        mode: "0644"
+
+- name: Setup server with Docker and firewall
+  hosts: all
+  become: true
+  roles:
+    - docker
+    - firewall
+    - fail2ban
+    - rsync

inventory.ini

@@ -0,0 +1,2 @@
+[servers]
+myserver ansible_host=192.168.1.208 ansible_user=ivan

roles/docker/tasks/main.yml

@@ -0,0 +1,26 @@
+- name: Install required packages
+  apt:
+    name: [ "apt-transport-https", "ca-certificates", "curl", "software-properties-common" ]
+    update_cache: true
+
+- name: Add Docker GPG key
+  apt_key:
+    url: https://download.docker.com/linux/ubuntu/gpg
+    state: present
+
+- name: Add Docker repository
+  apt_repository:
+    repo: deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable
+
+- name: Install Docker
+  apt:
+    name: [ "docker-ce", "docker-compose" ]
+    state: latest
+    update_cache: true
+
+- name: Enable Docker service
+  systemd:
+    name: docker
+    enabled: true
+    state: started
+

roles/fail2ban/defaults/main.yml

@@ -0,0 +1,9 @@
+fail2ban_sshd_enabled: true
+fail2ban_nginx_enabled: true
+
+fail2ban_sshd_maxretry: 5
+fail2ban_sshd_bantime: 3600
+
+fail2ban_nginx_maxretry: 5
+fail2ban_nginx_bantime: 3600
+

roles/fail2ban/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: Restart fail2ban
+  service:
+    name: fail2ban
+    state: restarted
+

roles/fail2ban/tasks/main.yml

@@ -0,0 +1,26 @@
+- name: Install fail2ban
+  apt:
+    name: fail2ban
+    state: present
+    update_cache: true
+
+- name: Configure jail.local
+  template:
+    src: jail.local.j2
+    dest: /etc/fail2ban/jail.local
+    mode: 0644
+  notify: Restart fail2ban
+
+- name: Configure nginx filter
+  template:
+    src: nginx.conf.j2
+    dest: /etc/fail2ban/filter.d/nginx-http-auth.conf
+    mode: 0644
+  when: fail2ban_nginx_enabled
+
+- name: Ensure fail2ban is running
+  service:
+    name: fail2ban
+    state: started
+    enabled: true
+

roles/fail2ban/templates/jail.local.j2

@@ -0,0 +1,14 @@
+[sshd]
+enabled = {{ 'true' if fail2ban_sshd_enabled else 'false' }}
+port = ssh
+logpath = %(sshd_log)s
+maxretry = {{ fail2ban_sshd_maxretry }}
+bantime = {{ fail2ban_sshd_bantime }}
+
+[nginx-http-auth]
+enabled = {{ 'true' if fail2ban_nginx_enabled else 'false' }}
+port = http,https
+logpath = /var/log/nginx/error.log
+maxretry = {{ fail2ban_nginx_maxretry }}
+bantime = {{ fail2ban_nginx_bantime }}
+

roles/fail2ban/templates/nginx.conf.j2

@@ -0,0 +1,4 @@
+[Definition]
+failregex = no user/password was provided for basic authentication.*client: <HOST>
+ignoreregex =
+

roles/firewall/tasks/main.yml

@@ -0,0 +1,23 @@
+- name: Install ufw
+  apt:
+    name: ufw
+    state: present
+
+- name: Allow SSH
+  ufw:
+    rule: allow
+    port: 22
+
+- name: Allow HTTP/HTTPS
+  ufw:
+    rule: allow
+    port: "{{ item }}"
+  loop:
+    - 80
+    - 443
+
+- name: Deny all others
+  ufw:
+    state: enabled
+    policy: deny
+

roles/rsync/defaults/main.yml

@@ -0,0 +1,3 @@
+rsync_packages:
+  - rsync
+

roles/rsync/tasks/main.yml

@@ -0,0 +1,6 @@
+- name: Install rsync
+  apt:
+    name: "{{ rsync_packages }}"
+    state: present
+    update_cache: true
+