https://github.com/julian-klode/ansible.jak-linux.org
Ansible stuff
https://github.com/julian-klode/ansible.jak-linux.org
Last synced: 3 months ago
JSON representation
Ansible stuff
- Host: GitHub
- URL: https://github.com/julian-klode/ansible.jak-linux.org
- Owner: julian-klode
- License: apache-2.0
- Created: 2018-11-24T17:51:34.000Z (over 6 years ago)
- Default Branch: main
- Last Pushed: 2025-02-25T14:56:08.000Z (4 months ago)
- Last Synced: 2025-02-25T15:44:04.831Z (3 months ago)
- Language: Jinja
- Size: 181 KB
- Stars: 7
- Watchers: 5
- Forks: 3
- Open Issues: 4
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# jak-linux.org configuration
This repository contains the ansible configuration for deploying
the machines in the jak-linux.org domain, and some related machines.# Variables
## Websites
For each host, the array `domains` configures the domains configured
on that host to be served by `nginx`. It also configures TLS
certificates, either using dummy ones or letsencrypt.Let's consider the following example:
```yaml
domains:
- cname: example.com
alias:
- www.example.com
nginx_add_locations:
# This is added to the server configuration
location ~ /iamfancy/ {
fastcgi_pass unix:/run/path/to/socket;
include fastcgi_params;
}
letsencrypt_email: [email protected]
```This configures a domain with the canonical domain `example.com`,
and redirects from `wwww.example.com`. It also sets up `/iamfancy`
to passthrough to a fastcgi socket. Content will be served from the
directory `/var/www/example.com`, and one certificate will be generated
with `example.com` and `wwww.example.com` as subject alternative names.Configured websites are TLS-only. They are configured with letsencrypt
certificates or dummy certificates, depending on whether they have the
role `letsencrypt` or `snake-oil-letsencrypt`. The latter is useful
for testing purposes.*Confinement*: The nginx server is confined using AppArmor to only
read the SSL keys, webdata, and other stuff it needs to operate.## Weechat
The `weechatserver` role configures a user called `weechat` and a
system `weechat` service that runs weechat inside of tmux. It also
installs `mosh` so you can connect to the running `weechat`.Furthermore, it also configures a weechat relay to listen on port
9000 on localhost. This can then be made available through nginx using
websockets, for example, including a rate limiting to 5 requests per
minute:```yaml
nginx_conf:
weechat:
# Rate limit weechat
limit_req_zone $binary_remote_addr zone=weechat:10m rate=5r/m;domains:
- cname: example.com
alias:
- www.example.com
nginx_add_locations: |
location /weechat {
proxy_pass http://localhost:9000/weechat; # Change the port to your relay's
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; # These two lines ensure that the
proxy_set_header Connection "Upgrade"; # a WebSocket is used
proxy_read_timeout 604800; # Prevent idle disconnects
proxy_set_header X-Real-IP $remote_addr; # Let WeeChat see the client's IP
limit_req zone=weechat burst=1 nodelay; # Brute force prevention
}
```It is not exposed by default however.
*Confinement*: The weechat binary is confined to mostly ~/.weechat using
AppArmor, reducing the attack surface considerably.