An Ansible playbook used to deploy theobori.cafe on a Debian system
- Install the dependencies
- ansible
- ansible galaxy dependencies
ansible-galaxy install -r requirements.yml- Configure a vault password (a filepass is better)
- Configure an inventory
- Configure a playbook
- Inventory (if needed)
- Replace variables
- Encrypt the needed ones
- Run the playbook
ansible-playbook \
-i inventory.yml \
--vault-password-file .vault_pass \
main.ymlSome services are not restarted at runtime on purpose, because they need administrator configuration like Uptime-Kuma or Nextcloud. If you want to access them, you should do a SSH bridge with OpenSSH.
ssh \
-L ssh_local_port:127.0.0.1:ssh_remote_port -N \
-f ssh_user@ssh_serverIn this configuration, we are using knockd to manage the openSSH firewall (ufw) rules. It can be very risky. If you want to be safe you can exclude the knockd task by commenting the following line in roles/security/tasks/main.yml:
- include_tasks: knockd.ymlAnd then add a rule for ufw that allow you SSH connections.
nickjj.docker: Setup and configure Docker + docker-compose.weareinteractive.ufw: Setup the firewall and configure it.base: Install basics needed packages for the other roles.profile: Setup some default configuration for new users.security: Setup system security tools/services like ssh, knockd, etc.shell: Setup a shell environment with fish + tmux.service: Meta role to setup a service.nginx: Setup NGINX for the differents services created from theservicesrole.tor: Setup a tor hidden service for every services.magic: Setup the magic stuff, including shell scripts, cron jobs, etc. for backup and web server statistics reporting.service roles: Each service role likegiteais based on theservicerole.monitoring: Setup the monitoring stack based on Prometheus and Grafana.
ssh_identity_key_path: SSH public key used to auth.ssh_port: Change the default SSH port.
knockd_open_ssh_seq: Knockd open SSH (should be encrypted).knockd_close_ssh_seq: knockd close SSH (should be encrypted).knockd_tmp_open_ssh_seq: Temporary open SSH (should be encrypted).knockd_opts: knockd CLI arguments used by the service.
domain: The server domain, must be formatted as "domain.tld".
etherpad_db_user: Etherpad database username (should be encrypted).etherpad_db_password: Etherpad database password (should be encrypted).etherpad_admin_password: Etherpad admin password (should be encrypted).
tor_unix_socket: Tor UNIX socket path
ldap_admin_password: OpenLDAP administrator password (should be encrypted).ldap_auth_services_basedn: OpenLDAP base DN (should be encrypted).ldap_auth_services_binddn: OpenLDAP bind DN (should be encrypted).ldap_auth_services_bindpw: OpenLDAP bind password (should be encrypted).ldap_auth_services_login_attrib: OpenLDAP login attribute cn.
nextcloud_db_user: Nextcloud database user (should be encrypted).nextcloud_db_password: Nextcloud database password (should be encrypted).nextcloud_db_root_password: Nextcloud database root password (should be encrypted).nextcloud_redis_password: Nextcloud Redis password (should be encrypted).
ttrss_db_username: Tiny Tiny RSS database user (should be encrypted).ttrss_db_password: Tiny Tiny RSS database password (should be encrypted).
gitea_db_root_password: Gitea database root password (should be encrypted).gitea_db_user: Gitea database user (should be encrypted).gitea_db_password: Gitea database password (should be encrypted).
mailer_user: Mailer (SMTP) user (should be encrypted).mailer_password: Mailer (SMTP) password (should be encrypted).mailer_host: Mailer (SMTP) host (should be encrypted).mailer_from: Mailer (SMTP) source email address (should be encrypted).
ssp_secretkey: SSP secret key use to encrypt/decrypt the token (should be encrypted).
certbot_email: Email address used for certbot certificates (letsencrypt).
base_dir: Base directory for each service.
- Tor HTTP response security (with NGINX)
- Backup and web server statistics