Ansible stuff
playbook.yml configuration

This repository contains the ansible configuration for deploying the machines in the domain, and some related machines.



For each host, the domains array lists the domains that nginx serves on that host. It also configures TLS certificates for them, either dummy ones or letsencrypt ones.

Let's consider the following example:

    - cname:
      # This is added to the server configuration
      nginx_add_locations: |
        location ~ /iamfancy/ {
          fastcgi_pass    unix:/run/path/to/socket;
          include         fastcgi_params;
        }

This configures a domain with the canonical domain, and redirects from It also sets up /iamfancy to pass through to a FastCGI socket. Content will be served from the directory /var/www/, and one certificate will be generated with and as subject alternative names.

Configured websites are TLS-only. They get letsencrypt certificates or dummy certificates, depending on whether the host has the role letsencrypt or snake-oil-letsencrypt. The latter is useful for testing.

Confinement: The nginx server is confined using AppArmor so that it can only read the SSL keys, the web data, and the other files it needs to operate.


The weechatserver role configures a user called weechat and a system weechat service that runs weechat inside tmux. It also installs mosh so you can connect to the running weechat.

Furthermore, it configures a weechat relay listening on port 9000 on localhost. This can then be made available through nginx using websockets, for example with rate limiting to 5 requests per minute:

    # Rate limit weechat (goes in the http context, next to the zone definitions)
    limit_req_zone $binary_remote_addr zone=weechat:10m rate=5r/m;

    - cname:
      nginx_add_locations: |
        location /weechat {
            proxy_pass http://localhost:9000/weechat; # Change the port to your relay's
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;   # These two lines ensure that
            proxy_set_header Connection "Upgrade";    # a WebSocket is used
            proxy_read_timeout 604800;                # Prevent idle disconnects
            proxy_set_header X-Real-IP $remote_addr;  # Let WeeChat see the client's IP
            limit_req zone=weechat burst=1 nodelay;   # Brute force prevention
        }

It is not exposed by default, however.
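To see what `rate=5r/m` with `burst=1 nodelay` actually lets through to the relay, here is an added example (my own, not part of this repository) that replays request timings against a model of nginx's limit_req leaky bucket. The model follows my reading of ngx_http_limit_req_module, and the client address and timings are constructed samples.

```python
# Model of nginx limit_req as I understand ngx_http_limit_req_module: each
# client's "excess" counter is charged 1000 units per request, drains at the
# configured rate, and a request is rejected (HTTP 503) once the counter
# would exceed burst*1000. With nodelay, accepted requests are served at
# once, so only accept/reject is modelled here.


class LimitReqZone:
    """One limit_req_zone keyed by client address ($binary_remote_addr)."""

    def __init__(self, rate_per_minute: int, burst: int) -> None:
        # nginx keeps the rate as requests/second scaled by 1000, truncated:
        # 5r/m -> 5 * 1000 // 60 == 83, i.e. about one request every 12 s.
        self.rate = rate_per_minute * 1000 // 60
        self.limit = burst * 1000
        self.clients = {}  # client key -> [excess, last accepted time in ms]

    def request(self, key: str, now_ms: int) -> bool:
        """Return True if the request is allowed, False if it would get a 503."""
        state = self.clients.get(key)
        if state is None:
            # First request from this client: nothing to drain, nothing owed.
            self.clients[key] = [0, now_ms]
            return True
        excess, last_ms = state
        elapsed = max(0, now_ms - last_ms)
        excess = max(0, excess - self.rate * elapsed // 1000 + 1000)
        if excess > self.limit:
            return False  # over burst: rejected, counter stays uncharged
        state[0] = excess
        if elapsed:
            state[1] = now_ms
        return True


def simulate(rate_per_minute: int, burst: int, timestamps_ms: list,
             key: str = "198.51.100.7") -> list:
    """Replay one client's request timings (ms) and report accept/reject."""
    zone = LimitReqZone(rate_per_minute, burst)
    return [zone.request(key, t) for t in timestamps_ms]


def count_accepted(rate_per_minute: int, burst: int, timestamps_ms: list) -> int:
    return sum(simulate(rate_per_minute, burst, timestamps_ms))


if __name__ == "__main__":
    # Constructed timings: a client hammering /weechat once a second for a
    # minute only gets rate (5) + burst (1) requests through to the relay.
    print(simulate(5, 1, [0, 100, 200, 5000, 13000]))  # [True, True, False, False, True]
    print(count_accepted(5, 1, [t * 1000 for t in range(60)]))  # 6
```

Useful when deciding whether the zone also needs a larger burst for legitimate reconnects, since every rejected attempt shows up as a 503 in the nginx access log.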

Confinement: The weechat binary is confined mostly to ~/.weechat using AppArmor, reducing the attack surface considerably.