Ansible playbook for provisioning mayurifag.ru

Requires

VPS

• DNS A records for your TLD and wildcard (*)
• Debian 12+
• Open ports on server provider' side

Mac/PC

• Ansible python3 -m pip install --user ansible
• (only MacOS) - passlib python3 -m pip install --user passlib (to use crypto module from ansible)
• Setup inventory (if key not added, be prepared to add ansible_ssh_pass and that after general server setup)

Instructions

Initial setup

git clone https://github.com/Mayurifag/mayurifag.ru.git
cd mayurifag.ru
cp -rfp inventories/sample inventories/my-provision
# Now you are required to change my-provision files.
# or ln from some place like that:
# ln -s /Volumes/exfat/OpenCloud/Personal/Software/dotfiles/my-provision/ inventories/my-provision
# Dont forget you are required to generate ssh key and copy public into provision
ansible-galaxy install -r requirements.yml

Production deployment

TL;DR

make boostrap # run once, its cleaning known_hosts and makes ssh configuration
make deploy "traefik,mus" # or make deploy-all if you are sure

Optional steps

• Make new ssh config section for convenience and using tmux by default

# ~/.ssh/config
Host change_that
    HostName change.that
    User admin_user # Change user
    Port 2222 # change port
    RequestTTY yes
    RemoteCommand tmux attach -d || tmux new-session -s main

Applications List

This list changed a lot through years, I'm trying to remove things I do not use.

Name	Subdomain	Auth	Watchtower
3proxy		app	+
3x-ui	3x	app
BentoPDF	pdf	ldap	+
ConvertX	convert	ldap	+
EchoIP	ip	none	+
Gitea	git	todo
Glance	rss	none	+
MkDocs	docs	ldap	+
Mini-QR	qr	ldap	+
mayurifag.github.io		ldap	+
mus	mus	ldap	+
Navidrome	navidrome	app	+
lldap	ldap	ldap	+
OPDShelf	opds	ldap	+
OpenCloud	cloud	ldap
Portainer	portainer	app	+
TG AI Manager	tg	ldap	+
Traefik / Crowdsec	traefik	ldap
Tinyauth	auth	ldap	+
Watchtower HTTP API	watchtower	app	+

Refer to POST_INSTALL.md for after deployment info.

TODO

• make commands should be refactored. I want to see for each deploy where things are deployed and have easy instrumentation to change that because for now i have 2 machines with different ip/domains.

On hold

• https://github.com/pranshuparmar/witr - wait debian repos to include it
• Bandwhich - will require downloading binary to root - wait for deb repo
• When Tinyauth will be an OIDC provider
  • make it work for opencloud
  • Portainer - setup automatic LDAP
• zerobyte - webapp for restic backups - wait until developed stable version
• Track finances selfhosted
  • Has to support auto import crypto, ibkr, russian brokers, banks, georgian banks - no way today
  • Save data to opencloud
  • https://github.com/we-promise/sure
• ufw
  • Waiting for https://github.com/shinebayar-g/ufw-docker-automated
  • Problem for docker is that on server reboot or else address of docker container is changing so rules have to be updated
  • Block everything. There are a lot of exceptions: ssh/web/dns/dhcp/ntp
  • open port if needed in each ansible role
  • IP Masquerading ?
  • research https://github.com/capnspacehook/whalewall (not updated though)

Thinking if I need it / probably wont do - ideas / notes

• Crowdsec iptables firewall - remediation component.
  • Crowdsec has to be inside traefik role - split tasks files though
  • https://www.crowdsec.net/blog/secure-docker-compose-stacks-with-crowdsec
  • see if there is solution to unban false positive and if not, add smth
  • whitelist my vps ips so at least ssh proxy jump will work in worst case
  • i need to remove generic rules and make configuration more permissive
• Add simple secret sharing app
  • Hemmelig - too much things, analytics and so on
  • also maybe url shorten like https://github.com/anhostfr/nah.pet
  • I also might need to share files
  • https://github.com/Luzifer/ots seems fine
• Watchtowerrr
  • use config.json for auth to dockerhub to prevent limits
• VPS security
  • Kernel params to have less /var/log/syslog noise - add to crowdsec btw
  • https://madaidans-insecurities.github.io/guides/linux-hardening.html
  • (wait for update) https://github.com/docker/docker-bench-security
  • (not sure) https://github.com/quay/clair
  • Make connection to docker through proxy fluencelabs/docker-socket-proxy
  • https://github.com/imthenachoman/How-To-Secure-A-Linux-Server
• Status page for services
  • Has to be free and allow deploy from ansible via API
  • maybe just main website check and self service to report docker unhealth
  • https://beszel.dev/
• tmux
  • Reliably fix scrolling and other annoying things
  • add dracula disk usage (used/total) or totally redesign it
  • tmux with nice priority https://x.com/SA5280/status/2001732941639282759