diff --git a/roles/flibusta/handlers/main.yml b/arhive_roles/flibusta/handlers/main.yml
similarity index 100%
rename from roles/flibusta/handlers/main.yml
rename to arhive_roles/flibusta/handlers/main.yml
diff --git a/roles/flibusta/tasks/main.yml b/arhive_roles/flibusta/tasks/main.yml
similarity index 100%
rename from roles/flibusta/tasks/main.yml
rename to arhive_roles/flibusta/tasks/main.yml
diff --git a/roles/flibusta/templates/docker-compose.yml.j2 b/arhive_roles/flibusta/templates/docker-compose.yml.j2
similarity index 100%
rename from roles/flibusta/templates/docker-compose.yml.j2
rename to arhive_roles/flibusta/templates/docker-compose.yml.j2
diff --git a/roles/teamspeak/tasks/main.yml b/arhive_roles/teamspeak/tasks/main.yml
similarity index 100%
rename from roles/teamspeak/tasks/main.yml
rename to arhive_roles/teamspeak/tasks/main.yml
diff --git a/roles/teamspeak/templates/docker-compose.yml.j2 b/arhive_roles/teamspeak/templates/docker-compose.yml.j2
similarity index 100%
rename from roles/teamspeak/templates/docker-compose.yml.j2
rename to arhive_roles/teamspeak/templates/docker-compose.yml.j2
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 4c9aeab..b35a48a 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,80 +1,13 @@ --- -# Общие настройки для всех хостов +# ============================================================================= +# ОБЩИЕ НАСТРОЙКИ (GLOBAL) +# ============================================================================= timezone: Asia/Yekaterinburg system_locale: ru_RU.UTF-8 x11_display_host: "192.168.1.101" - -# ------------ Сетевые адреса серверов ------------ -server_ips: - olimp: "192.168.1.200" - gateway: "192.168.1.201" - data: "192.168.1.202" - media: "192.168.1.203" - photo: "192.168.1.204" - nextcloud: "192.168.1.205" - talk: "192.168.1.206" - games: "192.168.1.207" - manage: "192.168.1.208" - git: "192.168.1.209" - ansible: "192.168.1.210" - torrent: "192.168.1.211" - -# ------------ Группы серверов для мониторинга ------------ -monitoring_groups: - # Все серверы с node_exporter - node_exporter_servers: - - "{{ server_ips.olimp }}" - - "{{ server_ips.gateway }}" - - "{{ server_ips.data }}" - - "{{ server_ips.media }}" - - "{{ server_ips.photo }}" - - "{{ server_ips.talk }}" - - "{{ server_ips.games }}" - - "{{ server_ips.manage }}" - - "{{ server_ips.git }}" - - "{{ server_ips.ansible }}" - - "{{ server_ips.torrent }}" - - # Серверы с Docker (cAdvisor) - #cadvisor_servers: - # - "{{ server_ips.gateway }}" - # - "{{ server_ips.data }}" - # - "{{ server_ips.media }}" - # - "{{ server_ips.photo }}" - # - "{{ server_ips.talk }}" - # - "{{ server_ips.games }}" - # - "{{ server_ips.manage }}" - - # Proxmox VE - proxmox_servers: - - "{{ server_ips.olimp }}" - - # Все серверы с Promtail - promtail_servers: - - "{{ server_ips.gateway }}" - - "{{ server_ips.data }}" - - "{{ server_ips.media }}" - - "{{ server_ips.photo }}" - - "{{ server_ips.talk }}" - - "{{ server_ips.games }}" - - "{{ server_ips.manage }}" - - "{{ server_ips.git }}" - - "{{ server_ips.ansible }}" - - "{{ server_ips.torrent }}" - -#------------ Порты для сервисов мониторинга ------------ -monitoring_ports: - node_exporter: 9100 - #cadvisor: 8080 - proxmox_exporter: 9223 
- vmagent: 8429 - victoriametrics: 8428 - loki: 3100 - promtail: 9080 - -proxmox_node: "Olimp" admin_user: root +# Базовые пакеты для всех серверов base_packages: - curl - wget 
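Review bot: `proxmox_node: "Olimp"` is removed in this hunk and `system_scripts: []` in the next one, with no replacement anywhere in the visible diff; if `proxmox_monitoring` or `base_setup` still reads either variable, the play now stops with an undefined-variable error, so the roles should be grepped for both names before merging. The rest of the hunk only relocates `server_ips`, `monitoring_groups` and `monitoring_ports` further down the file, where the next hunk re-adds them minus the commented-out cAdvisor entries, so the move itself is behaviour-neutral as far as the diff shows.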
@@ -97,38 +30,101 @@ base_packages: - jq - unzip -system_scripts: [] +# Пользовательские директории custom_directories: - /opt/scripts - /etc/apt/keyrings +# SSH ключи (публичные части — безопасно хранить открыто) ssh_public_keys: - - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvRBW+2Xpck2tznhWJyls5J/4wUoVYdyFM6JTU7uogK ansible@olimp" - - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbvnGZxQEGYuScClONbkbfVn2+Uo1kYYztXqMf9ku1lHkw+7IZa00LOMwv7QGBRvrtBcw+TWqaMst5FZ3R6oWcQc+nkBEYoRXe4f3AuuFAl9C9F6sEYM8fX6mAHIlWQhFyVslazZtVTQwnfRV0rnbtCduCu9liywM3fShFqBVwq7Y4nBjG648Zq+VfCHpbBE9XkZaMDyeOXdtppmLetywnBS33mbXMDgH09PMlRz097xfZLkpFdSi8WtDOtKSBiEHtZ+H0EZ42Cda2xMnqlgVtPxWGUirvv6CvDyTmuMzrjALZoSKhl3iD6Szd1YOJcAw6bv9gbJKxPkZchrB65ZXT ZailonOlimp" - - "ssh-rsa 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 ansible@olimp" + - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID8/+/WFFYDu4ljy1j9+bWp6MiXZ9a0iodoPHq+nEpIr ansible@git" + - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbvnGZxQEGYuScClONbkbfVn2+Uo1kYYztXqMf9ku1lHkw+7IZa00LOMwv7QGBRvrtBcw+TWqaMst5FZ3R6oWcQc+nkBEYoRXe4f3AuuFAl9C9F6sEYM8fX6mAHIlWQhFyVslazZtVTQwnfRV0rnbtCduCu9liywM3fShFqBVwq7Y4nBjG648Zq+VfCHpbBE9XkZaMDyeOXdtppmLetywnBS33mbXMDgH09PMlRz097xfZLkpFdSi8WtDOtKSBiEHtZ+H0EZ42Cda2xMnqlgVtPxWGUirvv6CvDyTmuMzrjALZoSKhl3iD6Szd1YOJcAw6bv9gbJKxPkZchrB65ZXT ZailonOlimp" + - "ssh-rsa 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 ansible@olimp" - -# Удаляем мусорные пакеты везде +# Пакеты для удаления cleanup_packages: - gparted +# ============================================================================= +# СЕТЕВЫЕ НАСТРОЙКИ +# ============================================================================= +server_ips: + olimp: "192.168.1.200" # Proxmox + gateway: "192.168.1.201" # NPM, Dashy, Heimdall + data: "192.168.1.202" # Bitwarden, Mealie, Bookstack + media: "192.168.1.203" # Jellyfin, Ampache, Calibre + photo: "192.168.1.204" # Immich + nextcloud: "192.168.1.205" # Nextcloud + talk: "192.168.1.206" # Matrix, Mumble, Snikket, 
TeamSpeak + games: "192.168.1.207" # Minecraft + manage: "192.168.1.208" # Grafana, Loki, MeshCentral + git: "192.168.1.209" # GitLab + ansible: "192.168.1.210" # Ansible + torrent: "192.168.1.211" # Qbittorrent, TorrServer + +# ============================================================================= +# МОНИТОРИНГ (VictoriaMetrics, Grafana, Loki) +# ============================================================================= +monitoring_ports: + node_exporter: 9100 + proxmox_exporter: 9223 + vmagent: 8429 + victoriametrics: 8428 + loki: 3100 + promtail: 9080 + +monitoring_groups: + node_exporter_servers: + - "{{ server_ips.olimp }}" + - "{{ server_ips.gateway }}" + - "{{ server_ips.data }}" + - "{{ server_ips.media }}" + - "{{ server_ips.photo }}" + - "{{ server_ips.talk }}" + - "{{ server_ips.games }}" + - "{{ server_ips.manage }}" + - "{{ server_ips.git }}" + - "{{ server_ips.ansible }}" + - "{{ server_ips.torrent }}" + proxmox_servers: + - "{{ server_ips.olimp }}" + promtail_servers: + - "{{ server_ips.gateway }}" + - "{{ server_ips.data }}" + - "{{ server_ips.media }}" + - "{{ server_ips.photo }}" + - "{{ server_ips.talk }}" + - "{{ server_ips.games }}" + - "{{ server_ips.manage }}" + - "{{ server_ips.git }}" + - "{{ server_ips.ansible }}" + - "{{ server_ips.torrent }}" + +# Proxmox Exporter pve_exporter_user: "pve_exporter@pve" pve_exporter_token_name: "grafana" -pve_exporter_token_value: "ae683c34-c539-4b08-b539-6c9b7e570411" - -# ------------ Мониторинг Docker ------------ -# cAdvisor на всех серверах с Docker -cadvisor_enabled: true -cadvisor_base_dir: "/opt/cadvisor" -cadvisor_config_dir: "{{ cadvisor_base_dir }}/config" -cadvisor_port: 8080 +pve_exporter_token_value: "{{ vault_pve_exporter_token }}" # VictoriaMetrics & Grafana victoriametrics_retention_months: 2 victoriametrics_version: v1.101.0 grafana_version: 11.2.0 +grafana_admin_user: admin +grafana_admin_password: "{{ vault_grafana_admin_password }}" +grafana_root_url: https://mon.zailon.ru -# 
------------ gateway (192.168.1.201) ------------ +# Loki +loki_version: "2.9.2" +loki_retention_days: 30 + +# cAdvisor +cadvisor_enabled: true +cadvisor_base_dir: "/opt/cadvisor" +cadvisor_port: 8080 + +# ============================================================================= +# СЕРВИСЫ: GATEWAY (192.168.1.201) +# ============================================================================= npm_base_dir: "/opt/npm" npm_data_dir: "/opt/npm/data" npm_letsencrypt_dir: "/opt/npm/letsencrypt" @@ -142,7 +138,10 @@ dashy_config_dir: "{{ dashy_base_dir }}/config" dashy_port: "45132" dashy_domain: "start.zailon.ru" -# ------------ data (192.168.1.202) ------------ +# ============================================================================= +# СЕРВИСЫ: DATA (192.168.1.202) +# ============================================================================= +# Bitwarden bitwarden_base_dir: "/mnt/bitwarden" bitwarden_data_dir: "{{ bitwarden_base_dir }}/vw-data" bitwarden_port: "45131" @@ -157,22 +156,26 @@ bitwarden_smtp_password: "{{ vault_bitwarden_smtp_password }}" bitwarden_smtp_from: "zailon@bk.ru" bitwarden_domain: "https://bw.zailon.ru" +# Mealie mealie_base_dir: "/mnt/mealie" mealie_data_dir: "/mnt/mealie/data" mealie_port: "45132" mealie_db_type: "sqlite" mealie_db_password: "{{ vault_mealie_db_password }}" +# Bookstack bookstack_base_dir: "/mnt/bookstack" bookstack_config_dir: "/mnt/bookstack/config" bookstack_uploads_dir: "/mnt/bookstack/uploads" bookstack_db_dir: "/mnt/bookstack/db" bookstack_port: "45133" - -# ------------ media (192.168.1.203) ------------ +# ============================================================================= +# СЕРВИСЫ: MEDIA (192.168.1.203) +# ============================================================================= service_config_base: "/mnt/service" +# Jellyfin jellyfin_base_dir: "{{ service_config_base }}/jellyfin" jellyfin_config_dir: "{{ jellyfin_base_dir }}/config" jellyfin_cache_dir: "{{ jellyfin_base_dir }}/cache" 
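Review bot: The secrets this hunk moves behind `vault_*` lookups — `pve_exporter_token_value` here, `grafana_admin_password` in the -283 hunk, `gitlab_root_password` and the SMB `password` for `olimp` in the -313 hunk, `flibusta_db_password` in the -197 hunk — stay readable in git history, so vaulting the references does not protect the current values. Each one should be regenerated at the service (the Proxmox API token can simply be revoked and reissued for `pve_exporter@pve`) and the new value stored in the vault; until that is done the change is one of form only. A short comment recording that the rotation happened would help the next reader, e.g. `# Proxmox Exporter (token reissued after moving to vault)`.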
@@ -181,11 +184,13 @@ jellyfin_media_path: "/mnt/video" jellyfin_port: "45131" jellyfin_hw_acceleration: true +# Audiobookshelf audiobookshelf_base_dir: "{{ service_config_base }}/audiobookshelf" audiobookshelf_config_dir: "{{ audiobookshelf_base_dir }}/config" audiobookshelf_db_dir: "{{ audiobookshelf_base_dir }}/db" audiobookshelf_port: "45132" +# Calibre Web calibre_base_dir: "{{ service_config_base }}/calibre" calibre_library_dir: "/mnt/books/calibre" calibre_config_dir: "{{ calibre_base_dir }}/config" @@ -197,21 +202,25 @@ calibre_web_enable_registration: false calibre_web_enable_webdav: true calibre_web_enable_opds: true +# Ampache ampache_base_dir: "{{ service_config_base }}/ampache" ampache_config_dir: "{{ ampache_base_dir }}/config" ampache_logs_dir: "{{ ampache_base_dir }}/logs" ampache_mysql_dir: "{{ ampache_base_dir }}/mysql" ampache_port: "45134" +# Flibusta flibusta_base_dir: "/mnt/service/flibusta" flibusta_source_archives_dir: "/mnt/books/flibusta" flibusta_web_port: "45137" flibusta_db_port: "45138" flibusta_db_user: "flibusta" -flibusta_db_password: "flibusta" +flibusta_db_password: "{{ vault_flibusta_db_password }}" flibusta_db_name: "flibusta" -# ------------ photo (192.168.1.204) ------------ +# ============================================================================= +# СЕРВИСЫ: PHOTO (192.168.1.204) +# ============================================================================= immich_base_dir: "/mnt/immich" immich_port: "45131" immich_db_username: "postgres" 
@@ -219,16 +228,19 @@ immich_db_password: "{{ vault_immich_db_password }}" immich_db_name: "immich" immich_version: "release" -# ------------ talk (192.168.1.206) ------------ +# ============================================================================= +# СЕРВИСЫ: TALK (192.168.1.206) +# ============================================================================= # Mumble mumble_base_dir: "/mnt/mumble" mumble_data_dir: "{{ mumble_base_dir }}/data" mumble_port: "45131" mumble_ice_port: "6502" +mumble_max_users: "100" mumble_server_password: "{{ vault_mumble_server_password }}" mumble_superuser_password: "{{ vault_mumble_superuser_password }}" -mumble_max_users: "100" -# Matrix + +# Matrix (Synapse) matrix_base_dir: "/mnt/matrix" matrix_data_dir: "{{ matrix_base_dir }}/data" matrix_config_dir: "{{ matrix_base_dir }}/config" 
@@ -246,6 +258,33 @@ matrix_synapse_secret: "{{ vault_matrix_synapse_secret }}" matrix_macaroon_secret: "{{ vault_matrix_macaroon_secret }}" matrix_form_secret: "{{ vault_matrix_form_secret }}" +# Snikket (XMPP) +snikket_base_dir: "/mnt/snikket" +snikket_data_dir: "{{ snikket_base_dir }}/snikket_data" +snikket_nginx_custom_dir: "{{ snikket_base_dir }}/nginx-custom" +snikket_backup_dir: "/backup/snikket" +snikket_domain: "chat.zailon.ru" +snikket_admin_email: "zailon@bk.ru" +snikket_external_ip: "188.73.191.202" +snikket_http_port: 8080 +snikket_https_port: 8443 +snikket_xmpp_port: 5222 +snikket_component_port: 5349 +snikket_turn_port: 3478 +snikket_turn_tls_port: 5349 +snikket_rtp_min_port: 50000 +snikket_rtp_max_port: 50100 +snikket_enable_acme: false +snikket_disable_tls: true +snikket_trusted_proxy: "*" +snikket_max_file_size: "500M" +snikket_image_tag: "dev" +snikket_create_initial_invite: false +snikket_backup_enabled: true +snikket_backup_retention_days: 30 +snikket_admin_password: "{{ vault_snikket_admin_password }}" +snikket_invite_token: "{{ vault_snikket_invite_token }}" + # TeamSpeak teamspeak_base_dir: "/mnt/teamspeak" teamspeak_data_dir: "{{ teamspeak_base_dir }}/data" @@ -253,9 +292,10 @@ teamspeak_logs_dir: "{{ teamspeak_base_dir }}/logs" teamspeak_query_port: "10011" teamspeak_voice_port: "9987" teamspeak_file_port: "30033" -# ------------ games (192.168.1.208) ------------ -# Minecraft +# ============================================================================= +# СЕРВИСЫ: GAMES (192.168.1.207) +# ============================================================================= minecraft_base_dir: "/mnt/minecraft" minecraft_data_dir: "{{ minecraft_base_dir }}/data" minecraft_port: "25565" 
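Review bot: `snikket_component_port: 5349` and `snikket_turn_tls_port: 5349` are the same port; with every Snikket container on `network_mode: host` (docker-compose.yml.j2 in this commit) whichever listener binds second fails or is shadowed, and since 5349 is the conventional TURN-over-TLS port the component value looks like a copy-paste slip — the same pair is repeated in roles/snikket/defaults/main.yml. `snikket_trusted_proxy: "*"` presumably lets any upstream set the forwarded-client address; because the host ports are reachable on the LAN directly and not only through NPM, a client could then present an arbitrary source address to per-IP rate limiting and logs, so restricting it to the gateway, `snikket_trusted_proxy: "{{ server_ips.gateway }}"`, is the safer setting unless Snikket requires the wildcard. The whole block also duplicates the role defaults; group_vars take precedence over role defaults, so the copies in the role will drift without effect.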
@@ -269,7 +309,9 @@ minecraft_online_mode: "true" minecraft_mods: - "https://mediafilez.forgecdn.net/files/7178/775/create-1.21.1-6.0.8.jar" -# ------------ manage (192.168.1.208) ------------ +# ============================================================================= +# СЕРВИСЫ: MANAGE (192.168.1.208) +# ============================================================================= meshcentral_base_dir: "/opt/meshcentral" meshcentral_data_dir: "/mnt/mesh/meshcentral-data" meshcentral_files_dir: "/mnt/mesh/meshcentral-files" @@ -283,26 +325,22 @@ grafana_config_dir: "{{ grafana_base_dir }}/config" grafana_vm_data_dir: "{{ grafana_base_dir }}/victoriametrics" grafana_vmagent_tmp_dir: "{{ grafana_base_dir }}/vmagent/tmp" grafana_vmagent_config: "{{ grafana_base_dir }}/vmagent/vmagent.yaml" - grafana_port: 45132 -grafana_admin_user: admin -grafana_admin_password: 13qeadZC -grafana_root_url: https://mon.zailon.ru # Loki loki_base_dir: "/mnt/loki" loki_config_dir: "{{ loki_base_dir }}/config" loki_data_dir: "{{ loki_base_dir }}/data" loki_server_host: "{{ server_ips.manage }}" -loki_server_port: "{{ monitoring_ports.loki }}" # 3100 -loki_version: "2.9.2" -loki_retention_days: 30 +loki_server_port: "{{ monitoring_ports.loki }}" -# Promtail +# Promtail promtail_config_dir: "/etc/promtail" promtail_data_dir: "/var/lib/promtail" -# ------------ GitLab (192.168.1.209) ------------ +# ============================================================================= +# СЕРВИСЫ: GIT (192.168.1.209) +# ============================================================================= gitlab_base_dir: "/mnt/git" gitlab_config_dir: "{{ gitlab_base_dir }}/config" gitlab_logs_dir: "{{ gitlab_base_dir }}/logs" 
@@ -313,76 +351,98 @@ gitlab_ssh_port: "2222" gitlab_version: "17.5.5-ce.0" gitlab_hostname: "git.zailon.ru" gitlab_external_url: "https://git.zailon.ru" -gitlab_root_password: "ChangeMe123!" +gitlab_root_password: "{{ vault_gitlab_root_password }}" -# ------------ Torrent (192.168.1.211) ------------ +# ============================================================================= +# СЕРВИСЫ: TORRENT (192.168.1.211) +# ============================================================================= qbittorrent_base_dir: "/mnt/service/qbittorrent" qbittorrent_config_dir: "{{ qbittorrent_base_dir }}/appdata" qbittorrent_downloads_dir: "{{ qbittorrent_base_dir }}/downloads" qbittorrent_puid: 1000 -qbittorrent_pgid: 1000 +qbittorrent_pgid: 1003 qbittorrent_port_webui: 8080 qbittorrent_port_torrent: 6881 qbittorrent_smb_credentials_dir: "/etc/smb-creds" + +# Учётные данные для SMB-шар qbittorrent_smb_creds: olimp: username: "Olimp" - password: "13qeadZC" + password: "{{ vault_smb_olimp_password }}" file: "olimp" + qb: + username: "qb" + password: "{{ vault_samba_password_qb }}" + file: "qb" + +# Маунты SMB-шар qbittorrent_shares: - name: downloads src: "//192.168.1.101/Downloads" dest: "/mnt/downloads" credential: "olimp" - opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0777,dir_mode=0777,iocharset=utf8,vers=3.0" + opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0644,dir_mode=0755,vers=3.0,credentials=/etc/smb-creds/{{ qbittorrent_smb_creds.olimp.file }}" + - name: abook src: "//192.168.1.203/Abook" dest: "/mnt/abook" - opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0777,dir_mode=0777,iocharset=utf8,vers=3.0,guest" + opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0644,dir_mode=0755,vers=3.0,credentials=/etc/smb-creds/{{ qbittorrent_smb_creds.qb.file }}" + - name: music src: "//192.168.1.203/Music" dest: "/mnt/audio" - opts: "rw,uid={{ qbittorrent_puid }},gid={{ 
qbittorrent_pgid }},file_mode=0777,dir_mode=0777,iocharset=utf8,vers=3.0,guest" + opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0644,dir_mode=0755,vers=3.0,credentials=/etc/smb-creds/{{ qbittorrent_smb_creds.qb.file }}" + - name: books src: "//192.168.1.203/Books" dest: "/mnt/books" - opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0777,dir_mode=0777,iocharset=utf8,vers=3.0,guest" + opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0644,dir_mode=0755,vers=3.0,credentials=/etc/smb-creds/{{ qbittorrent_smb_creds.qb.file }}" + - name: films src: "//192.168.1.203/Films" dest: "/mnt/video/films" - opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0777,dir_mode=0777,iocharset=utf8,vers=3.0,guest" + opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0644,dir_mode=0755,vers=3.0,credentials=/etc/smb-creds/{{ qbittorrent_smb_creds.qb.file }}" + - name: mult src: "//192.168.1.203/Mult" dest: "/mnt/video/mult" - opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0777,dir_mode=0777,iocharset=utf8,vers=3.0,guest" + opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0644,dir_mode=0755,vers=3.0,credentials=/etc/smb-creds/{{ qbittorrent_smb_creds.qb.file }}" + - name: anime src: "//192.168.1.203/Anime" dest: "/mnt/video/anime" - opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0777,dir_mode=0777,iocharset=utf8,vers=3.0,guest" + opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0644,dir_mode=0755,vers=3.0,credentials=/etc/smb-creds/{{ qbittorrent_smb_creds.qb.file }}" + - name: serial src: "//192.168.1.203/Serial" dest: "/mnt/video/serial" - opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0777,dir_mode=0777,iocharset=utf8,vers=3.0,guest" + opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid 
}},file_mode=0644,dir_mode=0755,vers=3.0,credentials=/etc/smb-creds/{{ qbittorrent_smb_creds.qb.file }}" + - name: mserials src: "//192.168.1.203/Mserials" dest: "/mnt/video/mserials" - opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0777,dir_mode=0777,iocharset=utf8,vers=3.0,guest" + opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0644,dir_mode=0755,vers=3.0,credentials=/etc/smb-creds/{{ qbittorrent_smb_creds.qb.file }}" + - name: doc src: "//192.168.1.203/Doc" dest: "/mnt/video/doc" - opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0777,dir_mode=0777,iocharset=utf8,vers=3.0,guest" + opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0644,dir_mode=0755,vers=3.0,credentials=/etc/smb-creds/{{ qbittorrent_smb_creds.qb.file }}" + - name: ztube src: "//192.168.1.203/Ztube" dest: "/mnt/video/ztube" - opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0777,dir_mode=0777,iocharset=utf8,vers=3.0,guest" + opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0644,dir_mode=0755,vers=3.0,credentials=/etc/smb-creds/{{ qbittorrent_smb_creds.qb.file }}" + - name: show src: "//192.168.1.203/Show" dest: "/mnt/video/show" - opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0777,dir_mode=0777,iocharset=utf8,vers=3.0,guest" + opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0644,dir_mode=0755,vers=3.0,credentials=/etc/smb-creds/{{ qbittorrent_smb_creds.qb.file }}" + - name: games src: "//192.168.1.207/Games" dest: "/mnt/games" - opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0777,dir_mode=0777,iocharset=utf8,vers=3.0,guest" + opts: "rw,uid={{ qbittorrent_puid }},gid={{ qbittorrent_pgid }},file_mode=0644,dir_mode=0755,vers=3.0,credentials=/etc/smb-creds/{{ qbittorrent_smb_creds.qb.file }}" torrserver_base_dir: "/mnt/service/torrserver" torrserver_config_dir: "{{ 
torrserver_base_dir }}/config" diff --git a/inventories/hosts b/inventories/hosts index f03de4f..834861e 100644 --- a/inventories/hosts +++ b/inventories/hosts @@ -11,7 +11,7 @@ manage ansible_host=192.168.1.208 int_ip=192.168.1.208 ansible_python_i git ansible_host=192.168.1.209 int_ip=192.168.1.209 ansible_python_interpreter=/usr/bin/python3 ansible ansible_host=192.168.1.210 int_ip=192.168.1.210 ansible_python_interpreter=/usr/bin/python3 torrent ansible_host=192.168.1.211 int_ip=192.168.1.211 ansible_python_interpreter=/usr/bin/python3 -test ansible_host=192.168.1.212 int_ip=192.168.1.212 ansible_python_interpreter=/usr/bin/python3 +testtalk ansible_host=192.168.1.215 int_ip=192.168.1.215 ansible_python_interpreter=/usr/bin/python3 [pve-server] proxmox @@ -31,12 +31,14 @@ photo [talk-server] talk +[testtalk-server] +testtalk + #[cloud-server] #cloud [games-server] games -test [manage-server] manage diff --git a/olimp-deploy.yml b/olimp-deploy.yml index a7a7b44..b7adbb6 100644 --- a/olimp-deploy.yml +++ b/olimp-deploy.yml 
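Review bot: The new `opts` strings hard-code `/etc/smb-creds/` although `qbittorrent_smb_credentials_dir: "/etc/smb-creds"` is defined a few lines above, so the two can diverge silently; `credentials={{ qbittorrent_smb_credentials_dir }}/{{ qbittorrent_smb_creds.qb.file }}` keeps one source of truth. Only the `downloads` share still carries `credential: "olimp"` while the twelve `qb` shares rely on the `credentials=` path alone — if the role (outside this diff) uses that key to decide which credential file to write, the qb file is never created and every mount after the first fails, which is worth checking. The credential files now hold vault passwords in clear on the host and should be written `0600` root-owned by the role; the old `olimp` password, which the -283 hunk shows was also the Grafana admin password, remains in git history and should be rotated. `vault_samba_password_qb` also breaks the `vault_smb_<name>_password` naming used for `olimp`.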
@@ -1,71 +1,106 @@ --- +# ============================================================================= +# OLIMP DEPLOY — Основной playbook развёртывания +# ============================================================================= + +# Все серверы (кроме Proxmox) - hosts: all:!pve-server + vars_files: + - vault.yml roles: - - {role: base_setup, tags: deploy_base} - - {role: system_cleanup, tags: deploy_cleanup} -# - {role: cadvisor, tags: deploy_cadvisor} - - {role: promtail, tags: deploy_promtail} + - { role: base_setup, tags: deploy_base } + - { role: system_cleanup, tags: deploy_cleanup } + - { role: promtail, tags: deploy_promtail } +# Proxmox VE - hosts: pve-server + vars_files: + - vault.yml roles: - - { role: proxmox_base_setup, tags: deploy_proxmox_base } - - { role: proxmox_monitoring, tags: deploy_proxmox_monitoring } + - { role: proxmox_base_setup, tags: deploy_proxmox_base } + - { role: proxmox_monitoring, tags: deploy_proxmox_monitoring } +# Gateway (NPM, Heimdall, Dashy) - hosts: gateway-server + vars_files: + - vault.yml roles: - - { role: docker, tags: deploy_docker } - - { role: npm, tags: deploy_npm } - - { role: heimdall, tags: deploy_heimdall } + - { role: docker, tags: deploy_docker } + - { role: npm, tags: deploy_npm } + - { role: heimdall, tags: deploy_heimdall } +# - { role: dashy, tags: deploy_dashy } +# Data (Bitwarden, Mealie, Bookstack) - hosts: data-server + vars_files: + - vault.yml roles: - - { role: docker, tags: deploy_docker } - - { role: mealie, tags: deploy_mealie } - - { role: bookstack, tags: deploy_bookstack } - - { role: bitwarden, tags: deploy_bitwarden } + - { role: docker, tags: deploy_docker } + - { role: mealie, tags: deploy_mealie } + - { role: bookstack, tags: deploy_bookstack } + - { role: bitwarden, tags: deploy_bitwarden } +# Media (Jellyfin, Ampache, Calibre, Flibusta) - hosts: media-server + vars_files: + - vault.yml roles: - - { role: docker, tags: deploy_docker } - - { role: ampache, tags: deploy_ampache } - 
- { role: audiobookshelf, tags: deploy_audiobookshelf } - - { role: calibre-web, tags: deploy_calibre_web } - - { role: jellyfin, tags: deploy_jellyfin } - - { role: flibusta, tags: deploy_flibusta } + - { role: docker, tags: deploy_docker } + - { role: ampache, tags: deploy_ampache } + - { role: audiobookshelf, tags: deploy_audiobookshelf } + - { role: calibre-web, tags: deploy_calibre_web } + - { role: jellyfin, tags: deploy_jellyfin } + - { role: flibusta, tags: deploy_flibusta } +# Photo (Immich) - hosts: photo-server + vars_files: + - vault.yml roles: - - { role: docker, tags: deploy_docker } - - { role: immich, tags: deploy_immich } + - { role: docker, tags: deploy_docker } + - { role: immich, tags: deploy_immich } +# Talk (Mumble, Snikket, Matrix, TeamSpeak) - hosts: talk-server vars_files: - vault.yml roles: - - { role: docker, tags: deploy_docker } - - { role: mumble, tags: deploy_mumble } - - { role: teamspeak, tags: deploy_teamspeak } - - { role: cadvisor, tags: deploy_cadvisor} + - { role: docker, tags: deploy_docker } + - { role: mumble, tags: deploy_mumble } + - { role: snikket, tags: deploy_snikket } + # - { role: teamspeak, tags: deploy_teamspeak } +# Games (Minecraft) - hosts: games-server + vars_files: + - vault.yml roles: - - { role: docker, tags: deploy_docker } -# - { role: minecraft, tags: deploy_minecraft } - + - { role: docker, tags: deploy_docker } + # - { role: minecraft, tags: deploy_minecraft } + +# Manage (Grafana, Loki, MeshCentral) - hosts: manage-server + vars_files: + - vault.yml roles: - - { role: docker, tags: deploy_docker } - - { role: meshcentral, tags: deploy_meshcentral } - - { role: grafana, tags: deploy_grafana } - - { role: loki, tags: deploy_loki } + - { role: docker, tags: deploy_docker } + - { role: meshcentral, tags: deploy_meshcentral } + - { role: grafana, tags: deploy_grafana } + - { role: loki, tags: deploy_loki } +# Git (GitLab) - hosts: git-server + vars_files: + - vault.yml roles: - - { role: docker, tags: 
deploy_docker } - - { role: gitlab, tags: deploy_gitlab } + - { role: docker, tags: deploy_docker } + - { role: gitlab, tags: deploy_gitlab } +# Torrent (Qbittorrent, TorrServer) - hosts: torrent-server + vars_files: + - vault.yml roles: - - { role: docker, tags: deploy_docker } - - { role: torrserver, tags: deploy_torrserver } - - { role: qbittorrent, tags: deploy_qbittorrent } \ No newline at end of file + - { role: docker, tags: deploy_docker } + - { role: torrserver, tags: deploy_torrserver } + - { role: qbittorrent, tags: deploy_qbittorrent } diff --git a/roles/snikket/defaults/main.yml b/roles/snikket/defaults/main.yml new file mode 100644 index 0000000..cb39190 --- /dev/null +++ b/roles/snikket/defaults/main.yml 
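Review bot: `- { role: flibusta, tags: deploy_flibusta }` stays in the media-server play, but this same commit renames roles/flibusta/* into arhive_roles/ (see the rename headers at the top of the diff); unless `roles_path` also lists `arhive_roles`, `ansible-playbook` now aborts with a role-not-found error for that play. Either comment the line out the way `teamspeak` is below it, `# - { role: flibusta, tags: deploy_flibusta }`, or leave the role under roles/ until its variables are retired from group_vars. The `vault.yml` entry added to every play is required, since `vars_files` on the first play does not carry over to the others, but it makes it all the more important that the file itself is kept ansible-vault encrypted, which the diff cannot show.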
@@ -0,0 +1,47 @@
+---
+# Snikket defaults
+snikket_enabled: true
+snikket_base_dir: "/mnt/snikket"
+snikket_data_dir: "{{ snikket_base_dir }}/snikket_data"
+snikket_nginx_custom_dir: "{{ snikket_base_dir }}/nginx-custom"
+snikket_backup_dir: "/backup/snikket"
+
+# Domain configuration
+snikket_domain: "chat.zailon.ru"
+snikket_admin_email: "zailon@bk.ru"
+snikket_external_ip: "188.73.191.202"
+
+# Network settings
+snikket_http_port: 8080
+snikket_https_port: 8443
+snikket_xmpp_port: 5222
+snikket_component_port: 5349
+snikket_turn_port: 3478
+snikket_turn_tls_port: 5349
+
+# RTP media ports (ограниченный диапазон)
+snikket_rtp_min_port: 50000
+snikket_rtp_max_port: 50100
+snikket_rtp_port_range: "{{ snikket_rtp_min_port }}-{{ snikket_rtp_max_port }}"
+
+# SSL/ACME settings (NPM manages SSL)
+snikket_enable_acme: false
+snikket_disable_tls: true
+snikket_trusted_proxy: "*"
+
+# File upload settings
+snikket_max_file_size: "500M"
+snikket_file_cleanup_days: 30
+
+# Docker settings
+snikket_image_tag: "dev"
+snikket_docker_restart_policy: "unless-stopped"
+
+# Initial admin invite
+snikket_create_initial_invite: false
+snikket_initial_invite_group: "default"
+snikket_initial_invite_expires: 86400
+
+# Backup settings
+snikket_backup_enabled: true
+snikket_backup_retention_days: 30
\ No newline at end of file
diff --git a/roles/snikket/handlers/main.yml b/roles/snikket/handlers/main.yml
new file mode 100644
index 0000000..455f74e
--- /dev/null
+++ b/roles/snikket/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+- name: Restart Snikket
+ community.docker.docker_compose_v2:
+ project_src: "{{ snikket_base_dir }}"
+ state: present
+ restarted: true
+
+- name: Reload Snikket Proxy
+ community.docker.docker_container_exec:
+ container: snikket-proxy
+ command: nginx -s reload
\ No newline at end of file
diff --git a/roles/snikket/tasks/main.yml b/roles/snikket/tasks/main.yml
new file mode 100644
index 0000000..0fb5c82
--- /dev/null
+++ b/roles/snikket/tasks/main.yml
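Review bot: Every key in this defaults file except `snikket_enabled`, `snikket_rtp_port_range`, `snikket_file_cleanup_days`, `snikket_docker_restart_policy`, `snikket_initial_invite_group` and `snikket_initial_invite_expires` is also set in group_vars/all.yml in this commit; group_vars have higher precedence than role defaults, so these copies never take effect and will drift from the real values. Site-specific data (domain, admin e-mail, external IP, the port map) belongs in one place, leaving defaults to hold only generic knobs. `snikket_enabled: true` is not read by any task in the new role as far as the diff shows, so either guard the tasks with `when: snikket_enabled` or drop the variable.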
@@ -0,0 +1,137 @@ +--- +- name: Create Snikket base directory + file: + path: "{{ snikket_base_dir }}" + state: directory + mode: '0755' + owner: root + group: root + +- name: Create Snikket data directory + file: + path: "{{ snikket_data_dir }}" + state: directory + mode: '0755' + owner: '65534' + group: '65534' + +- name: Create nginx custom config directory + file: + path: "{{ snikket_nginx_custom_dir }}" + state: directory + mode: '0755' + +- name: Create backup directory + file: + path: "{{ snikket_backup_dir }}" + state: directory + mode: '0700' + owner: root + group: root + when: snikket_backup_enabled + +- name: Generate snikket.conf from template + template: + src: snikket.conf.j2 + dest: "{{ snikket_base_dir }}/snikket.conf" + mode: '0644' + owner: root + group: root + notify: Restart Snikket + +- name: Generate docker-compose.yml from template + template: + src: docker-compose.yml.j2 + dest: "{{ snikket_base_dir }}/docker-compose.yml" + mode: '0644' + owner: root + group: root + notify: Restart Snikket + +- name: Generate nginx custom config from template + template: + src: nginx-custom.conf.j2 + dest: "{{ snikket_nginx_custom_dir }}/snikket.conf" + mode: '0644' + owner: root + group: root + notify: Reload Snikket Proxy + +- name: Pull Snikket Docker images + community.docker.docker_compose_v2: + project_src: "{{ snikket_base_dir }}" + state: present + pull: always + +- name: Start Snikket services + community.docker.docker_compose_v2: + project_src: "{{ snikket_base_dir }}" + state: present + register: docker_start_result + +- name: Wait for Snikket to be ready + wait_for: + port: "{{ snikket_http_port }}" + host: "127.0.0.1" + timeout: 120 + delay: 10 + +- name: Create backup script + template: + src: backup.sh.j2 + dest: /usr/local/bin/snikket-backup.sh + mode: '0755' + owner: root + group: root + when: snikket_backup_enabled + +- name: Add backup to crontab + cron: + name: "Snikket backup" + job: "/usr/local/bin/snikket-backup.sh" + hour: "3" + 
minute: "0" + weekday: "0" + user: root + when: snikket_backup_enabled + +- name: Create initial admin invite (optional) + community.docker.docker_container_exec: + container: snikket + command: "create-invite --group {{ snikket_initial_invite_group }} --expires {{ snikket_initial_invite_expires }}" + register: invite_result + when: snikket_create_initial_invite + changed_when: "'invite' in invite_result.stdout.lower()" + +- name: Display invite link if created + debug: + msg: "🎉 Admin invite created: {{ invite_result.stdout | trim }}" + when: snikket_create_initial_invite and invite_result.stdout is defined + +- name: Health check - verify Snikket is responding + uri: + url: "https://{{ snikket_domain }}/login" + validate_certs: false + status_code: [200, 302] + register: health_check + retries: 5 + delay: 10 + until: health_check.status in [200, 302] + tags: skip_ansible_lint + +- name: Display deployment summary + debug: + msg: | + 🎉 Snikket deployment complete! + + Domain: https://{{ snikket_domain }} + XMPP: {{ snikket_domain }}:{{ snikket_xmpp_port }} + TURN: {{ snikket_domain }}:{{ snikket_turn_tls_port }} + + {% if snikket_create_initial_invite %} + Admin invite: {{ invite_result.stdout | trim }} + {% else %} + Create admin: docker exec snikket create-invite --admin --group default + {% endif %} + + Backup script: /usr/local/bin/snikket-backup.sh \ No newline at end of file diff --git a/roles/snikket/templates/backup.sh.j2 b/roles/snikket/templates/backup.sh.j2 new file mode 100644 index 0000000..70c206d --- /dev/null +++ b/roles/snikket/templates/backup.sh.j2 
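Review bot: `snikket.conf` is rendered with `mode: '0644'` ("Generate snikket.conf from template") and then used as `env_file` by every container; the template is not in this diff, but group_vars hands `snikket_admin_password` and `snikket_invite_token` to this role, and anything of that kind that lands in the file becomes readable by every local user — `mode: '0600'` is sufficient because Docker reads the env_file as root. "Display invite link if created" prints `invite_result.stdout` into the Ansible output, which then sits in CI logs and terminal scrollback; adding `no_log: true` to the exec task and telling the operator to read the link from the container avoids that. `docker_start_result` is registered and never used, and the health check's `validate_certs: false` against `https://{{ snikket_domain }}` hides exactly the certificate breakage at NPM the check would otherwise catch, so `validate_certs: true` is the better default there.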
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -e
+
+BACKUP_DIR="{{ snikket_backup_dir }}"
+DATA_DIR="{{ snikket_data_dir }}"
+CONFIG_DIR="{{ snikket_base_dir }}"
+TIMESTAMP=$(date +%F-%H%M)
+RETENTION_DAYS={{ snikket_backup_retention_days }}
+
+echo "[$(date)] Starting Snikket backup..."
+
+mkdir -p "$BACKUP_DIR"
+
+echo "Backing up data..."
+tar czf "$BACKUP_DIR/snikket-data-$TIMESTAMP.tar.gz" \
+ -C "$(dirname "$DATA_DIR")" \
+ "$(basename "$DATA_DIR")"
+
+echo "Backing up configs..."
+cp "$CONFIG_DIR/snikket.conf" "$BACKUP_DIR/snikket.conf-$TIMESTAMP"
+cp "$CONFIG_DIR/docker-compose.yml" "$BACKUP_DIR/docker-compose.yml-$TIMESTAMP"
+cp "{{ snikket_nginx_custom_dir }}/snikket.conf" "$BACKUP_DIR/nginx-custom.conf-$TIMESTAMP"
+
+echo "Cleaning up backups older than $RETENTION_DAYS days..."
+find "$BACKUP_DIR" -name "snikket-*.tar.gz" -mtime +$RETENTION_DAYS -delete
+find "$BACKUP_DIR" -name "*.conf-*" -mtime +$RETENTION_DAYS -delete
+
+echo "[$(date)] Backup completed successfully"
+echo "Backup location: $BACKUP_DIR"
+du -sh "$BACKUP_DIR"
\ No newline at end of file
diff --git a/roles/snikket/templates/docker-compose.yml.j2 b/roles/snikket/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..59a0c2f
--- /dev/null
+++ b/roles/snikket/templates/docker-compose.yml.j2
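Review bot: The retention cleanup never removes the `docker-compose.yml-$TIMESTAMP` copies, because neither `snikket-*.tar.gz` nor `*.conf-*` matches that name, so they accumulate indefinitely; add `find "$BACKUP_DIR" -name "docker-compose.yml-*" -mtime +"$RETENTION_DAYS" -delete` alongside the other two. The data archive appears to include the ACME material under `/snikket/letsencrypt` (the nginx template reads `privkey.pem` from that path and the compose file mounts the data dir at `/snikket`), yet the tarball is written with the caller's default umask, so the 0700 directory the role creates is the only thing keeping the private key from other local users; adding `umask 077` right after `set -e` keeps the archive restricted even when the script is run by hand or the directory mode drifts. `set -euo pipefail` with `"$RETENTION_DAYS"` quoted would also make the script fail loudly instead of running `find -mtime +` with an empty argument if the variable ever renders empty.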
@@ -0,0 +1,35 @@
+services:
+ snikket_proxy:
+ container_name: snikket-proxy
+ image: snikket/snikket-web-proxy:{{ snikket_image_tag }}
+ network_mode: host
+ env_file: {{ snikket_base_dir }}/snikket.conf
+ volumes:
+ - {{ snikket_data_dir }}:/snikket
+ - {{ snikket_nginx_custom_dir }}/snikket.conf:/etc/nginx/sites-enabled/snikket-custom:ro
+ restart: "{{ snikket_docker_restart_policy }}"
+
+ snikket_portal:
+ container_name: snikket-portal
+ image: snikket/snikket-web-portal:{{ snikket_image_tag }}
+ network_mode: host
+ env_file: {{ snikket_base_dir }}/snikket.conf
+ restart: "{{ snikket_docker_restart_policy }}"
+
+ snikket_certs:
+ container_name: snikket-certs
+ image: snikket/snikket-cert-manager:{{ snikket_image_tag }}
+ network_mode: host
+ env_file: {{ snikket_base_dir }}/snikket.conf
+ volumes:
+ - {{ snikket_data_dir }}:/snikket
+ restart: "{{ snikket_docker_restart_policy }}"
+
+ snikket_server:
+ container_name: snikket
+ image: snikket/snikket-server:{{ snikket_image_tag }}
+ network_mode: host
+ env_file: {{ snikket_base_dir }}/snikket.conf
+ volumes:
+ - {{ snikket_data_dir }}:/snikket
+ restart: "{{ snikket_docker_restart_policy }}"
\ No newline at end of file
diff --git a/roles/snikket/templates/nginx-custom.conf.j2 b/roles/snikket/templates/nginx-custom.conf.j2
new file mode 100644
index 0000000..89b1a4e
--- /dev/null
+++ b/roles/snikket/templates/nginx-custom.conf.j2
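Review bot: The templated paths in `env_file: {{ snikket_base_dir }}/snikket.conf` and in the `volumes` entries are plain scalars, unlike `restart: "{{ snikket_docker_restart_policy }}"` in the same file; a value that renders empty or starts with a YAML indicator changes the parsed type instead of failing, so quote them consistently, e.g. `env_file: "{{ snikket_base_dir }}/snikket.conf"` and `- "{{ snikket_data_dir }}:/snikket"`. All four services run with `network_mode: host`, so whatever the containers listen on (the 5280/5765 backends the proxy template targets, the XMPP and component ports, the TURN range from snikket.conf) is bound on the host itself and only the host firewall limits exposure; a short comment stating that this is deliberate and which ports are expected to be reachable from outside would save the next reader from having to reconstruct it.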
@@ -0,0 +1,200 @@
+# Custom nginx config for Snikket - managed by Ansible
+
+server {
+ listen {{ snikket_http_port }};
+ server_name _;
+
+ location /register_api {
+ if ($request_method = OPTIONS) {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'Content-Type';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+ proxy_pass http://127.0.0.1:5280/register_api;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ }
+
+ location /admin_api {
+ if ($request_method = OPTIONS) {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+ proxy_pass http://127.0.0.1:5280/admin_api;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ }
+
+ location /.well-known {
+ proxy_pass http://127.0.0.1:5280/.well-known;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ location /upload {
+ proxy_pass http://127.0.0.1:5280/upload;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ client_max_body_size {{ snikket_max_file_size }};
+ proxy_request_buffering off;
+ }
+
+ location /u/ {
+ proxy_pass http://127.0.0.1:5280/u/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ client_max_body_size {{ snikket_max_file_size }};
+ }
+
+ location /http-bind {
+ proxy_pass http://127.0.0.1:5280/http-bind;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+ location /xmpp-websocket {
+ proxy_pass http://127.0.0.1:5280/xmpp-websocket;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+ location / {
+ proxy_pass http://127.0.0.1:5765;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
+
+server {
+ listen {{ snikket_https_port }} ssl;
+ server_name _;
+
+ ssl_certificate /snikket/letsencrypt/live/{{ snikket_domain }}/fullchain.pem;
+ ssl_certificate_key /snikket/letsencrypt/live/{{ snikket_domain }}/privkey.pem;
+
+ location /register_api {
+ if ($request_method = OPTIONS) {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'Content-Type';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+ proxy_pass http://127.0.0.1:5280/register_api;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ }
+
+ location /admin_api {
+ if ($request_method = OPTIONS) {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+ proxy_pass http://127.0.0.1:5280/admin_api;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ }
+
+ location /.well-known {
+ proxy_pass http://127.0.0.1:5280/.well-known;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ location /upload {
+ proxy_pass http://127.0.0.1:5280/upload;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ client_max_body_size {{ snikket_max_file_size }};
+ proxy_request_buffering off;
+ }
+
+ location /u/ {
+ proxy_pass http://127.0.0.1:5280/u/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ client_max_body_size {{ snikket_max_file_size }};
+ }
+
+ location /http-bind {
+ proxy_pass http://127.0.0.1:5280/http-bind;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+ location /xmpp-websocket {
+ proxy_pass http://127.0.0.1:5280/xmpp-websocket;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+ location / {
+ proxy_pass http://127.0.0.1:5765;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
\ No newline at end of file
diff --git a/roles/snikket/templates/snikket.conf.j2 b/roles/snikket/templates/snikket.conf.j2
new file mode 100644
index 0000000..236a82a
--- /dev/null
+++ b/roles/snikket/templates/snikket.conf.j2
@@ -0,0 +1,23 @@
+# Domain settings
+SNIKKET_DOMAIN={{ snikket_domain }}
+SNIKKET_ADMIN_EMAIL={{ snikket_admin_email }}
+
+# SSL/ACME settings
+SNIKKET_ENABLE_ACME={{ snikket_enable_acme | lower }}
+SNIKKET_DISABLE_TLS={{ snikket_disable_tls | lower }}
+
+# Network ports
+SNIKKET_HTTP_PORT={{ snikket_http_port }}
+SNIKKET_HTTPS_PORT={{ snikket_https_port }}
+SNIKKET_XMPP_PORT={{ snikket_xmpp_port }}
+SNIKKET_COMPONENT_PORT={{ snikket_component_port }}
+
+# External IP for TURN/NAT traversal
+SNIKKET_EXTERNAL_IP={{ snikket_external_ip }}
+
+# Proxy settings
+SNIKKET_TRUSTED_PROXY={{ snikket_trusted_proxy }}
+
+# TURN/RTP port range (ограниченный диапазон для безопасности)
+TURN_MIN_PORT={{ snikket_rtp_min_port }}
+TURN_MAX_PORT={{ snikket_rtp_max_port }}
\ No newline at end of file
diff --git a/vault.yml b/vault.yml
index b98abbf..25ae8a7 100644
--- a/vault.yml
+++ b/vault.yml
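Review bot: The plain-HTTP `server` block (`listen {{ snikket_http_port }};`) proxies every endpoint, including `/admin_api` with its `Authorization` header, `/http-bind` and `/xmpp-websocket`, so admin tokens and chat sessions can be carried in cleartext; unless deployments with `SNIKKET_DISABLE_TLS` set are the intended consumer of this block, it should keep only `location /.well-known` for ACME and answer everything else with `return 301 https://$host$request_uri;`. Both server blocks also answer preflights on `/register_api` and `/admin_api` with `Access-Control-Allow-Origin '*'`, and the admin one additionally allows `Authorization`; if the portal on the same domain is the only browser client of these paths, `https://{{ snikket_domain }}` is the narrower origin, though that should be checked against what the upstream proxy image ships before tightening. The roughly ninety lines from `location /register_api` through `location /` are repeated verbatim in the second server block; moving them to a snippet file and using `include` in each `server` would keep the two from drifting apart.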
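Review bot: The comment `# TURN/RTP port range (ограниченный диапазон для безопасности)` is the only non-English comment in this template; for consistency with the others, `# TURN/RTP port range (kept narrow to limit exposure)` says the same thing. It would also help to note next to `SNIKKET_EXTERNAL_IP` and `SNIKKET_TRUSTED_PROXY` that an empty Ansible variable renders as a bare `KEY=` line, which the container presumably sees as set-but-empty rather than unset — worth confirming against the defaults for those two variables.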
@@ -1,77 +1,184 @@ $ANSIBLE_VAULT;1.1;AES256 -34666265626664393961373533636662386431343539643764613765343432376131616438633935 -3563373535626632326462303737626136306365303930330a393939303032313561356662623830 -34643665306462333339323866643136343036386536653435373032343561303231373261653938 -6232666461633337630a366264663361616535323130303930626462636137323432303935393835 -37616264623665633931303136616230666137363163323933633661373833326338366336373739 -61373038396636363136633664376633643935643330323139303864393233376231306537313363 -34373761356463383764376633343530366332336632373031303466663439666666656462663838 -32633632316331336563306438313265653265303962356265613632373732303663656330316537 -65323365366665333737623662353661623835613038386336323333613962383538613364666139 -38353434306163366666366233366334643132623633393330343430613561666234306462343436 -63323332316532363165623037383761393839353233306338613532646465336234336137656332 -36313463333561393233636138383065366631313632626161623432386335303265373065633536 -34383030316265353439366433313930343331666636383433313035626239393465636462376433 -66333661323336376430616133313362333130633061623063653832333730393836633230313535 -31313431376365313637356531316463393237656238646261373639313538356434386232333139 -63383138383037383135343064336663336561663464346339666230623936666464343836383261 -30626534376438633466353231366437653133653131363035663638316563343334646137626466 -30343865376133396134393765386464386535343432643230613730613431656235653135623161 -30386661373538636462623733316432346439396231353666346431326330346337386336663037 -61323962336266623531303030616566343930333436666536326335643930346532393733313665 -38373430313434336534643734663631363264633664323565313061386635633636323963303762 -35366638303138653464333732383661316432346435353464396136383030666261333064376535 -61663430373332393939316236396662663430323737623738376535663833653366356563656330 
-34316665316363666165633135646565343964653533326361383933353336393762616431633837 -65396639663833653165306534353434323462646561323165353633626563343164356566396633 -30613336326632663533393362633363306665346536643332343632663837323366323663386465 -39626536333930643462656363636237346134303234613236313364613838383331363434366461 -62383361323539366262313639626533636565363161366639396537313132303962616330353164 -65346530616463346639396438366637636630636561393639393236653839386435363233346634 -37333030633862366236306533356264323837666539393136613262363962366237626237333531 -32663366656466343636383133346532616336313164626361613830666639353536633361373131 -31396138633564303062346330356637363236656561393838323730616562663666613066386265 -61376462653163336163343232633331383063363465666232353032626339316531653933366266 -36343433633231643864353064333731366536616638373634663266633434643362666263643832 -35663339376263613030646538376134366362313564376238363130633930613731373434646364 -39613361643735343166396632353064343438313339396233356336666462643836623566353933 -38376636376266643637386664316531316461376131376664336363653332313933393264363036 -64343165616235376264346365363333653839366239616363303633303435303361636330373163 -35616332666365303338666339313861373265633633633965396134666532363136313130316638 -65613035356136623239643730646335616562643639303135373963363332653234643564643638 -64326563656234323936373234316162363864306662393131393330646539386537333634393438 -32653736663861353637323061636361306331663532313932363566633764633236666534633938 -62346230646464356234303537313061336637653632323436366466643365333263383937336233 -30393138326638613433663537343639353962656264663465616432666661333162376666356163 -30396239646139366666656665643937653131666230616530333931396132383165363836326232 -64383263306338653365653039343366313939663833353239343639653238323831613931333865 -33656234326537636435353636636265313438343762386238333166623930366134643564323832 
-63323165306333326432623939306133343333323336393632353134333235333330646666336662 -30313462663761396365323663386337636130663761626365623030323537626538323063326162 -30393766386165666433353235666263623531633635626236346238343734393266303131356434 -36343665616265343164316135343464366133306563323730323930396165663830313932353564 -36633761643134386134366432316430353364663332613838353661313532636261376638666362 -38373233306262653533346363373232633365313663373765346433623963633931346366356438 -37346339333037393639323439316632663934303236393831653231636135646337613536336165 -36343032363538333863643838346163623237663837393265616235343661313163323866323433 -63336530396634333466323834326364333733663038623865383362386432663830366664626231 -39613337363338326530613964356464643433303535343430343337373536386364373933303364 -30636535313436373034623936303432636533316639356465333863386666393730303436626335 -62303937366634343064366535366464313161663366316561663230383335333864393361646138 -37363933343065663739373061396530663030373134663132383432383434353464666630663166 -63613963623764613765653932613264343430396362306131623264323863316234313565323964 -38666161633637316633666462663830396631646538393966313466613861653662363064333461 -31356130666131393663666334666535366432666631626131363763626134666433316231626363 -37626165326264666263666335303332333236323736656637336533353830643361326136316664 -66633962666233353934356233383434313932373462373535666661643334343939393535333937 -32636533393161623634613934356166373264633030313035363236323837383163666662373966 -66663836653030326261356563393134396665626564613833333636393531633038373034613366 -32386331333837663964616364303264383062636439303139316264613332313134626565663632 -38353934663361363530646238373639646637336636613738376264356432643938656633656432 -35616561366530326330393934643938393138333533343939393037303438363666363333396234 -39626166316333666665363932336631376263663838313039316431373833643334366637316638 
-38303633376237316332666631623165613264343931336438373536353234653030313336343436 -36636436373439326164663337626164626434393966373434636261643032666636633935636565 -33353835393163646566313138393662653966366236646635636332393034643136613437623032 -66613063613633356330363065323361366437623161306365643163636538353334373131323530 -35323336316333303961 +30656364373165646630643866396431353931356231643862656437333766663139353631626462 +3937373835636337666562383836333636363939353161390a353434396636316163353965343139 +33306138633737333530636436393332383464613437313234643836623936313034306130316361 +3933663032306661310a343365313236336536366639333264326365303239316537633131393261 +31653232386635303730383961663234313565306639313766383461306434646462353538646237 +63623733633664326439373537306336613663353563323133383834343830303732346538666339 +36366664666231623966396363396130376335396465396139643536636332343364613962303065 +30383866326232366336343066386161316562313866663637393738666636633965326132373839 +62363565646435366631346563616332666439356464646361623061316238303365313939616363 +35613932623134386364623332613833636533643736346561376634396465623830393565626665 +32336466383063643962613065653635643238336237636234323132316266336233326537643733 +32643134643333636333336537356232626563643436313338633565633035313137346337626137 +35613134356634393464643733353232623561353539623562323437616639663965633831653038 +61373834383462666437663365636537666665633835626634313466346534643235626663353335 +38613662626438396333653262333162326138623135333361326336376564643062313037353132 +30656537613433316263643530396332333338366531636662333335663261633135666662653063 +35343766656634316334313533376638653363336135643234313065313162353939636562343439 +63613534353164316663336461373065346562653964326231343837353262323063396533636163 +64336636313931386138313939343939393662393433326463366364326464643263613736633766 +31313665646164353336376236663134656631666538636638356161616238653461303531383732 
+65336463303530363165383133633365376336636538346463383161303037383835626565633666 +63366532323737386635303337626139333133313930356233383362356164343062393732303366 +65636237393735346437613531663631333363333864313836616461653036666635326537636637 +37306537323139653034343130353735323037643231313163303634623161393465623164653532 +37333135396634363561656637303534616363636235653630313532663662306237346335373630 +62616561336530643562386561646638643039386338363031616262636531663435343733353961 +35386661323730626135346139313966656665313633366561366563656136326530313537346165 +62323066386139663536366538613834383561653932633038326266376235636339303735343839 +31376432646534656265613837373036316662316137316337316236623535316566653530666665 +64653433623935373338326532623166326537306137613933393234356530646134613136356363 +63383131656532646334346234616135646263306339613164383130333538363030613735623262 +35373735666362366363636439666666636633353139393438616234303734623862633730383764 +62303332376437636432323164323436643633653232366433343536383266663261343261626137 +37313838653038636664613462396565393632393837306266306339363039303339366332383261 +64663232306663393531616134643163656464336662383438313339643038356234356231303562 +36376162653862656434373037376138333664666263633733393766316430386435383532323634 +30383264353531653963356136373537643930306532663864366366643165373232626235613962 +66663431366632646137376564393531323663336164636631373833303963303735623238666165 +35633739343834373932303362383130303063616665366364656166613732326464343066626138 +65376337346538346464346632363065616363356362653064623565616463656462303437626163 +65616136626337663538343030373666363864383161313934353738316631313732616166323865 +32353031323038663866656532363430303139343932646264346230323633356534623632656263 +66363731313032363162366265376162393163663135336166633335633163336465386336643732 +35643135636233376162366462363731643764663338366663616134636335383331643863353930 
+66303432343133326432663635663566646431353035333862313238653830613863353239616435 +61303535626230656632383433383238303536666631396131343864656238363631376461356337 +35333235636131663366633063646332666432646239636266656631363034313033633564323230 +62303531343533653265373037383938626435396563666237616438376464353733356239346439 +61346136303531363138313734623234386531666130376235313561666639666364636532366235 +64633965323961333036333736393162333066306265666366623430616366346339363630613464 +34303266353262316465366662336632323635373363666230646163323232333562303564646636 +34363732313331386331363039333266383138666634653939613166363764373331356435316564 +37396335666233653563646265613139353731643664363038303263326163663066623339663965 +64643863336136623465336661376333643739306334666532333334653138333730383437663265 +64353234356137373266623265326663346635613564613838336334363031616463666431383561 +36326366366233313061646265383061353662633162376537633138343534363139343063646237 +32616232313031353530633064356433643731383434333663326635386335613966356233653566 +66376237373431633362343737353733376632383839633630386136623961393035346136383534 +66616162363962313333383466303932386136353064393634653232393431326462323162613830 +37616337383432646563323833383333636463346531616430613938363536343335343737383033 +66666263626534363034623530656335313264303835346134646133323537386137366635353664 +35393032383934336265633861633138623337326631336139393963613236303439613537366261 +63373665313461356562313361643534363433653033623431383632656338636332636539383065 +39383338386563383231303166313839343965303462643132323034313630393662363164353363 +66366439656365323938383733653531303331663731373362303462393961373639623165646431 +65313865653032643439313136363261626361666337356138616366303333373833336665303161 +38666661303765643463373735333034313332313832366565316431383436343364313734643563 +63373065656135376431356264326136323236643765346233383562343666396133613336373337 
+36653837616330356164383562303336343334336530303362633564316564623935646435383631 +64326436313563323039333665396161316331383266386264663530356337396238656131656664 +64313763653531303733366533636437613234616465636538356236323031323130333930666230 +66656665336237636438383562316334346434373965306466346432353339323034323065313631 +30303561346431643163636366356435363434353932653337643466646363333235643963633932 +38313839383262326162633362366636336261343063363965353838383038663665663331633366 +66326162663664353430633033623137326435656164633039313162363664316465623666663237 +62373934623435636635623838396538663235303164656130643962376561613964366462363863 +38366363363537336232366231616139353635653334306338303631663065623637623262623834 +31336161643539313031643934336565663631376435613866376535633838633961636461613065 +32373537653165396262396363313265306138653437653431333961643831376530653131323264 +36643339636166333530323931363763306632306531373736623762393636376135626635373137 +62616265313634313764346133326535363666663036646463613938646434383533363464333061 +31323936623030633237353236323265613837343165643061393836303765336239363431313233 +33336465613731663130356361666234333937616135653735303561356431373662343666656130 +35313232303133626334373063636562616537643337663933616538306530313530376534633436 +33633565643930316661333661633030623833393564613332323439356335323763356635393362 +31363136613134383762376636343963356436323366643434633162616361306362326536643638 +30303964313463626432626561656633383231333661666261353664326663393438613761316434 +34646138336230626639366330343664343434333733663230623538346162343762643938356437 +62353632616336363266616430646363623331626534336534636137626437636561633735393237 +32346637333338393936346236356162663330333434623165633937323335616565356239366335 +33343339393039636562343738366664643737346266643962386530373736323130363337356565 +63316264656161616265396534623662376630643763373763343838613164303035393532623033 
+62346337343531306266393335636435656239356266393937353863643036643933366461343665 +61636435353237306233393237333764386135353532383162356536613261303630383564356561 +30333735363835383738303435343364363337616435326233373665396238616431303264393864 +62613762326235393639663832363632326531383331636661616638343662643462393761396330 +33306566353935386234356436303363653631643932343630653231643466393466393862666230 +31306130393539633163366364306334666362363266633361396465636637623338313464363837 +64386661323334346336333736366439376465373066376539636531343732653763303530316138 +38653734313939326535653935623736613639623331373832313138343233396533643739386539 +61643961633438643133666663613362646565346233643431383761343166376133316666326336 +36623238616138663937396433616266653136376564656332333739376135653039633365653962 +37663036313066393634353435313263623634313431386536333738343565396162316636393331 +33373535343962343135323032623730633532653232663166633934346561373038353231323063 +33633062316439316438356238386265353235303132616133623534383133613964333561616138 +62303934616336313730386363363933303530633162393132343536383663323035643066363439 +37313536376437356336636361353731336364396235643737326538306139663436373166633632 +66313738373235666131363637646361623138383835653635393862376139626630363539636335 +32643937663465336464303837383364333961376565666332663231633334393765623864346537 +33373463353634306163656332326661616433616566646133393462656237613662393363626330 +33343361616139626262613233376231306362353135373766396164373366626533643733346466 +38333138326662643834613333666239663732306132636531363335366531336562633237636365 +62346466313166346231353965656465653864396332613836333864643836326539646630643039 +38626464323066646539383031383966636133333333373433653537353639303264323936383631 +64373639623434663137636537313533343238376363376363353263616433313164343531353761 +35323964646631376463393765353564356136633063633363646566383334306263363936326261 
+33616237383334346231333833386339613234616365383231663264363331363164326363653563 +32643065643235663139326231636433653962376666643066353538316563353065313039373134 +33313638666164366435336139626435626630613465373461656330343231636266386538616563 +31376633626461646132663537313432386332333232306464383364313466356135613033373662 +32636330383536623962653236326664363936326231613437633365313137323331323732343961 +62383333373234633462373931386433366266373439393761356462666161633035626265383539 +66613363323931666263643034656134393362616533623737653761613332373339363730623761 +31663837663361623531386465323137616632643735303563656632376230663961326436383635 +62656335356464653563376536303938656361656361353637323633396163613438326665313133 +62306162343366666238353138653835616638623639346464666565666137666663663231343462 +39336566316562386532383563396435623236393239376233323736636132656437353539636266 +37653465613231373263343036366432313963376338326632326430353633653833346435613837 +63653935343730383962376134623331366132363961353739393033336566633633396330623437 +63313866653236373966633433353364363165336135643635613164613639383862373238643165 +63666661313134363366393264643637653435646365396432353263633365336265626664653264 +62353263376166626131383132373535613537356231616466323738653630366466343539626463 +64373233373865396664363034663164616439366431353863303065353830666462373962316233 +33623763616134343337396531633239316638303765383630363266346539333338353864346431 +39613139303266653662333635333761313834356332363630306664343031666331316261393431 +37313231383638616437643532343530393030656339623466333561666162656462646165623166 +63353632623638323930366165636564383363346336306161336639353566306262356233663233 +37333961666532373739316539343930323761623361643432353537326563626638393331653462 +65343732303063656364333962323932306162613934303339613735363164653765643339646139 +39373939383365653062313762323332636366393733616265373763383932633030333866646465 
+36336135396638313061386631323861656131656231383830366433346330653931306161653036 +61393432393632303432646432353463633637323761373834633666643763653936383430386363 +31323436396161633938346463653130366537353030633133636639363261653132333062323939 +32353936656565343836656231616561333964323163643366366136653333653034613766313235 +31656634343539623864326264656631636533316139626565336363303534613438303664353333 +30356163643836343537666235613161386232633062633865323239616464353431343063316332 +66396631393264333433343131613833306532386463613634306664396565656237663134626165 +62623937643232366538386263326463366235663938386362363134323338363133363663366532 +39306165386462623233386639393233323632313066373161653833383534633964336461333334 +64626136383030636237386637353630313433376439356364646638383561363636616237313332 +34656362663233646663656466623961663535663438376532386532333265386639646339326337 +63643037326333363732653638303763633362613335376536613836396132313736306335386666 +33346631616239306363313566386230613737626564656432366534646161363138376364336639 +62616239376263383061306432363338623831353932336363323261316263366461313430323464 +35663638656632316332343530636663333736376432336239663030383961623439653130383433 +62666461383930363765373462633566373861306438303561616361313630363638613833666663 +32653861393561633638633231653765643866643935393138343735366438383966623732656637 +62626238616161333539363031623534303862633433373030373563353930343536383830653636 +37303366643430633531646232373065353137623139663630363230666536666432313034363264 +38343033346231346332623764383663363333396466386463333232333633396261663033376130 +64623234353235656430303938313831396132366432316331316663336633303566373032386662 +35326431613835313831303430303461613730383638313463663062353864653633623161633338 +33396231316535323466613863386334666130323236353264313230346665633836636330613962 +66313138303163623031613265346437613434643237393662343234336132366638393165376632 
+63353731653331633532663936663764323736313731626236386132626239616235656435363966 +64663431303130626137303862343531633932666566303161383134366236306132643837653133 +64366663633739393932353833353066336135373664313865313663623439636561373562626261 +33646135643436303131666665396464313933623163313838333234313261613630623836306535 +30336362303135653434383534356361323731336361656235666361373031323331353036376539 +33323834343236343834616138323531613661633262353938343135313038376132306563653237 +61366536306133623265336231353762373866373962383830663138653431333135313536356530 +31373762366465623430316134383032653861663538353061633165643061633863386135343934 +39336535356230623238346539313361366130363131316234623466653032333363356162396265 +65353634653735616333326130303864613962646636336331353934373164353334373138336633 +37376263386631633063356334366532306666333032333064353036663531623032376135663635 +33663065383131323434376163373731653262663238356666383136386664356166326463623639 +32336337396261663862373338623534363764373734633832316363346636363063353739333037 +62336363623536343363323735303732343131386533643366313135303762353661313763373266 +32656665626234656535626333383766356636613339306336333861663034393836333561613437 +35383266623230643662626166373330303366396261653035373933643833333164383962626263 +30376138363333663530393766653537393762633264353164656564376538396137343465646533 +62633839326132643565353437613862666431653961343464313932396562663239306561366333 +636263666430643837376530636562373465