From 8dc0d2a3f5b4a5b110b2957f5f0644ca2ec10909 Mon Sep 17 00:00:00 2001 From: Elewyn Date: Wed, 29 Apr 2026 15:49:37 +0200 Subject: [PATCH] feat: phase 5 complete - exposition externe et correctifs services, maj de la doc --- ansible/inventory/group_vars/all/vault.yml | 69 +++--- ansible/inventory/hosts.yml | 7 + ansible/playbooks/gateway.yml | 2 +- ansible/playbooks/nextcloud.yml | 17 ++ ansible/playbooks/templates/Caddyfile-vps.j2 | 7 + ansible/playbooks/templates/wg0-vps.conf.j2 | 13 ++ ansible/playbooks/templates/wg0.conf.j2 | 15 +- ansible/playbooks/vps.yml | 210 +++++++++++++++++++ ansible/site.yml | 3 + docker/forgejo/docker-compose.yml | 2 +- homelab.md | 27 +-- 11 files changed, 323 insertions(+), 49 deletions(-) create mode 100644 ansible/playbooks/templates/Caddyfile-vps.j2 create mode 100644 ansible/playbooks/templates/wg0-vps.conf.j2 create mode 100644 ansible/playbooks/vps.yml diff --git a/ansible/inventory/group_vars/all/vault.yml b/ansible/inventory/group_vars/all/vault.yml index caab6a3..270d81d 100644 --- a/ansible/inventory/group_vars/all/vault.yml +++ b/ansible/inventory/group_vars/all/vault.yml 
@@ -1,27 +1,44 @@ $ANSIBLE_VAULT;1.1;AES256 -64613363653338393162363864326531316465383137313239313439343664303939393164623533 -6430616230323436323065323164346537373235306166300a646366316163383464376165633538 -61343362613639343366353962353433323861626239376564663136323262323837333937356636 -6133633932396336620a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a633536313639353964326635373132 +63663332316137653133353138336335333131336231623536643734316166326161373934333938 +6166353164306332640a316465653934313031336565646166636365613264386538333464323263 +31353262646434623236303663396466383135326334373535356433383438646135663036383363 +66626635353462333164326230373936626563666438356234623637663461373066306363653036 +31666561356634316138623931666331316433383866316265666338373165653331643063373033 +30656236626534376239373632616231396536396132313936356130353331383933666538616162 +30393362353038366264616130333132346166643834353034653964386637383331313238353665 +31616432313037633933363163356437633065313234656361643064353466653238356461376661 +30376564646332336363333164653337326439313461376337643731636166386432373465623033 +64393639393837303733303366386234363033386230646533343235356464353833653530383733 +64316162306231323731356234336437626366353461316330373431333734373136623365623930 +39666533636433326265633235613131666432326163363464653838313561666364646436373661 +64313130653363346632316566663530613738343761373037336439346365643933356165383435 +32633135353364326231313933393033383362633062653562373530343164623933623835316534 +35393136373563653434376438633737636365373834373538353331303239643939343661343065 +64343233356561643838666463363566306237643032353333326535373035316136323737663063 +32376434303866373566653233656430303365623838363336626633663931396465373864336330 +64353334316435366466346663353133353966373339376661643037323466336134316563363537 +62666439666461386634373235383136656630373063316336616431353535616331383564346333 
+32373035643431656433343862343038316430333530396339633664386537663064633933303534 +34653639623239376637336264643539646563353966626264363664336235643861303533633461 +33396465366334653234376231356466643565613466663932633461663330343434336236313635 +62346263343030613266363431643633363937623430323861646235633036666431376132363763 +61313361663266363337353462336434643031633436643564316564633763333134383234336632 +32666361313362373862383235346632616137646635353465343830656466356666663335636464 +39303863643135613738343339333239636136653535623834616337666666323234316163633639 +37393563373939333038396135323265386664306130373031653761303065623134343562346136 +63623164643536363737356631636665363063623063313063656263623339326335663632343232 +37663037353565656162663663616664356564613663353332356531666136313664326433303139 +31643365613864633363346436323938373839326531376537613863643461663534353330393864 +37346333653964643065386533643630646261613036353963626431336262396637333236393130 +39666566313631633762626135626461323239396236626663663337666265613337666232613561 +65306161303666623365636632656264323039626162356433336531336565613163383863643237 +33653434666231306664373966383936623361373363343237303630666336626337333631306433 +34646636366136623466336561623864303866343635386139306537333662333338356334393336 +66653231343839323161396338356435643238303036633139626663653264373364383666383435 +30343566656234393362643061383433343664383463353739363732363835663635343337643161 +65366435316238653631323561393836326137636361386264396163376166373438383239386234 +39646331393638646333386361316366376636333233363736613737613062653962373432306238 +34326265373862386635376335616137373932626662663965326266633063333565326434303130 +613832323738326232303464626462663538 diff --git a/ansible/inventory/hosts.yml b/ansible/inventory/hosts.yml index eafbde5..db7ce4c 100644 --- a/ansible/inventory/hosts.yml +++ b/ansible/inventory/hosts.yml 
@@ -26,3 +26,10 @@ all: hosts: vm-tools: ansible_host: 192.168.1.52 + + vps: + hosts: + vps-gateway: + ansible_host: 51.158.126.113 + ansible_user: Elewyn + ansible_ssh_private_key_file: ~/.ssh/homelab diff --git a/ansible/playbooks/gateway.yml b/ansible/playbooks/gateway.yml index bde4a93..f5a4634 100644 --- a/ansible/playbooks/gateway.yml +++ b/ansible/playbooks/gateway.yml @@ -38,7 +38,7 @@ dest: /etc/wireguard/wg0.conf mode: "0600" notify: restart wireguard - when: wireguard_configured | default(false) + when: vault_wireguard_configured | default(false) tags: [wireguard] # -- Caddy -- diff --git a/ansible/playbooks/nextcloud.yml b/ansible/playbooks/nextcloud.yml index d672c19..2db0f58 100644 --- a/ansible/playbooks/nextcloud.yml +++ b/ansible/playbooks/nextcloud.yml @@ -82,6 +82,23 @@ changed_when: false tags: [nextcloud] + - name: Attendre que Nextcloud soit pret + ansible.builtin.shell: > + docker exec nextcloud php occ status --output=json + register: nc_status + retries: 15 + delay: 10 + until: nc_status.rc == 0 + changed_when: false + tags: [nextcloud] + + - name: Ajout trusted_domain cloud.elewyn.dev + ansible.builtin.shell: > + docker exec nextcloud php occ config:system:set + trusted_domains 2 --value={{ vault_nextcloud_domain }} + changed_when: true + tags: [nextcloud] + - name: Ouverture port Nextcloud ansible.posix.firewalld: port: 8080/tcp diff --git a/ansible/playbooks/templates/Caddyfile-vps.j2 b/ansible/playbooks/templates/Caddyfile-vps.j2 new file mode 100644 index 0000000..dd43b97 --- /dev/null +++ b/ansible/playbooks/templates/Caddyfile-vps.j2 @@ -0,0 +1,7 @@ +forge.elewyn.dev { + reverse_proxy 192.168.1.50:3000 +} + +cloud.elewyn.dev { + reverse_proxy 192.168.1.51:8080 +} diff --git a/ansible/playbooks/templates/wg0-vps.conf.j2 b/ansible/playbooks/templates/wg0-vps.conf.j2 new file mode 100644 index 0000000..800762e --- /dev/null +++ b/ansible/playbooks/templates/wg0-vps.conf.j2 
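Review bot: The task "Ajout trusted_domain cloud.elewyn.dev" is not idempotent and can clobber an existing entry: it always writes slot `2` of `trusted_domains` and declares `changed_when: true`, so every run reports a change and whatever already occupies slot 2 is silently replaced. Reading the current list first with `occ config:system:get trusted_domains` and guarding the set on the domain being absent keeps the task convergent; `ansible.builtin.command` is enough for both calls since no shell features are used, which also keeps the unquoted `{{ vault_nextcloud_domain }}` out of shell parsing. The task name hardcodes `cloud.elewyn.dev` while the command reads the vault variable; `- name: Ajout trusted_domain {{ vault_nextcloud_domain }}` keeps them in step. The readiness check `until: nc_status.rc == 0` only proves that `occ` answers; if the intent is "installation finished", the JSON from `occ status --output=json` also carries an `installed` field the condition could test (to be confirmed against the Nextcloud version in use). Once the service is published through the VPS Caddy, Nextcloud will see requests arriving from the tunnel side rather than from the client, so `trusted_proxies` and `overwriteprotocol` will likely need setting as well — worth checking on the first HTTPS login.
```yaml
    - name: Lecture des trusted_domains actuels
      ansible.builtin.command: docker exec nextcloud php occ config:system:get trusted_domains
      register: nc_trusted
      changed_when: false
      tags: [nextcloud]

    - name: Ajout trusted_domain {{ vault_nextcloud_domain }}
      ansible.builtin.command: >
        docker exec nextcloud php occ config:system:set
        trusted_domains {{ nc_trusted.stdout_lines | length }} --value={{ vault_nextcloud_domain }}
      when: vault_nextcloud_domain not in nc_trusted.stdout_lines
      tags: [nextcloud]
```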
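Review bot: The two hostnames and backend addresses are fixed in `Caddyfile-vps.j2` even though the file is rendered by Jinja and `nextcloud.yml` already reads the Nextcloud hostname from `vault_nextcloud_domain`; rendering `{{ vault_nextcloud_domain }}` here (with a matching variable for the Forgejo host) keeps the Caddy vhost, the Nextcloud trusted_domain and the DNS names from drifting apart. The upstreams are only reachable through the WireGuard tunnel to the gateway, which is worth stating in the file for whoever debugs a 502 later, e.g. `# Upstreams joints via le tunnel wg0 -> gateway (192.168.1.254) -> LAN` above the first block. Both backends are reached in plain HTTP, which is fine inside the tunnel but means Caddy is the only place TLS is terminated; the port numbers here must stay aligned with the `ports:` mappings in the compose files.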
@@ -0,0 +1,13 @@ +[Interface] +Address = 10.0.0.1/24 +PrivateKey = {{ wg_vps_private_key }} +ListenPort = 51820 + +# Trafic sortant vers internet via le VPS +PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE +PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE + +[Peer] +# Gateway homelab +PublicKey = {{ wg_gateway_public_key }} +AllowedIPs = 10.0.0.2/32, 192.168.1.0/24 diff --git a/ansible/playbooks/templates/wg0.conf.j2 b/ansible/playbooks/templates/wg0.conf.j2 index f3e072f..d3d6b20 100644 --- a/ansible/playbooks/templates/wg0.conf.j2 +++ b/ansible/playbooks/templates/wg0.conf.j2 @@ -1,14 +1,13 @@ -# WireGuard - A configurer a la phase 5 (VPS) -# Generer les cles : wg genkey | tee privatekey | wg pubkey > publickey - [Interface] Address = 10.0.0.2/24 -PrivateKey = {{ wireguard_private_key }} +PrivateKey = {{ vault_wg_gateway_private_key }} ListenPort = 51820 +PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE +PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE [Peer] -# VPS -PublicKey = {{ wireguard_vps_public_key }} -Endpoint = {{ wireguard_vps_ip }}:51820 -AllowedIPs = 10.0.0.1/32 +# VPS Scaleway +PublicKey = {{ vault_wg_vps_public_key }} +Endpoint = 51.158.126.113:51820 +AllowedIPs = 10.0.0.0/24 PersistentKeepalive = 25 diff --git a/ansible/playbooks/vps.yml b/ansible/playbooks/vps.yml new file mode 100644 index 0000000..0612093 --- /dev/null +++ b/ansible/playbooks/vps.yml 
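Review bot: The `PostUp`/`PostDown` lines hardcode `eth0` as the public interface, here and again in `wg0.conf.j2`; cloud images frequently expose a predictable name instead (`ens2`, `enp0s…`), and since both files are rendered by Ansible, `-o {{ ansible_default_ipv4.interface }}` removes the guess. The FORWARD accept plus MASQUERADE only matters if the gateway routes internet traffic through the VPS, but the peer side (`wg0.conf.j2` in this same commit) restricts `AllowedIPs` to `10.0.0.0/24`, so as committed these rules make the VPS an exit node nobody uses; Caddy's own connections to 192.168.1.x are locally originated and need only the route that `AllowedIPs = 10.0.0.2/32, 192.168.1.0/24` installs, so the two rules and the comment `# Trafic sortant vers internet via le VPS` can go, narrowing what a compromised peer could do. If forwarding is wanted later, note that `vps.yml` enables ufw with a deny policy and ufw also manages the FORWARD chain, so an appended rule should be tested rather than assumed to take effect.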
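Review bot: `iptables -A FORWARD -i wg0 -j ACCEPT` on the gateway forwards anything the VPS sends into the LAN, and the VPS side advertises `192.168.1.0/24` in its `AllowedIPs`, so a compromised VPS would get unrestricted L3 reach to every host on 192.168.1.0/24 instead of just the two published services. Limiting the accept to the two backends keeps the tunnel to its purpose: `iptables -A FORWARD -i wg0 -d 192.168.1.50 -p tcp --dport 3000 -j ACCEPT; iptables -A FORWARD -i wg0 -d 192.168.1.51 -p tcp --dport 8080 -j ACCEPT` for the inbound direction, and `iptables -A FORWARD -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` instead of the unconditional `-o wg0` accept, with the matching `-D` lines in `PostDown`. `Endpoint = 51.158.126.113:51820` re-types the address that `hosts.yml` already holds for `vps-gateway`; `Endpoint = {{ hostvars['vps-gateway'].ansible_host }}:51820` keeps a single source. The other playbooks in this repo drive firewalld (`nextcloud.yml` uses `ansible.posix.firewalld`); if the gateway VM is managed the same way, raw `iptables` rules added by wg-quick can be dropped on a firewalld reload, which is worth confirming on the host rather than in review.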
@@ -0,0 +1,210 @@ +--- +# VPS Scaleway : point d'entree public +# - Hardening Debian +# - WireGuard (tunnel vers gateway homelab) +# - Caddy (reverse proxy + TLS Let's Encrypt) + +- name: Configuration VPS + hosts: vps + become: true + + vars: + wg_vps_private_key: "{{ vault_wg_vps_private_key }}" + wg_gateway_public_key: "{{ vault_wg_gateway_public_key }}" + + tasks: + # -- Hardening de base -- + - name: Mise a jour des paquets + ansible.builtin.apt: + update_cache: true + upgrade: dist + tags: [base] + + - name: Installation paquets utilitaires + ansible.builtin.apt: + name: + - vim + - curl + - wget + - ufw + - wireguard + - python3 + state: present + tags: [base] + + - name: Creation utilisateur {{ admin_user }} + ansible.builtin.user: + name: "{{ admin_user }}" + groups: sudo + shell: /bin/bash + create_home: true + password: "{{ vault_admin_password | password_hash('sha512') }}" + state: present + tags: [base] + + - name: Cle SSH pour {{ admin_user }} + ansible.posix.authorized_key: + user: "{{ admin_user }}" + key: "{{ lookup('file', '~/.ssh/homelab.pub') }}" + state: present + tags: [base] + + - name: Sudo sans mot de passe pour sudo group + ansible.builtin.lineinfile: + path: /etc/sudoers.d/sudo-nopasswd + line: "%sudo ALL=(ALL) NOPASSWD: ALL" + create: true + mode: "0440" + validate: "visudo -cf %s" + tags: [base] + + - name: Desactiver login root SSH + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: "^#?PermitRootLogin" + line: "PermitRootLogin no" + notify: restart sshd + tags: [base] + + - name: Desactiver auth par mot de passe SSH + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: "^#?PasswordAuthentication" + line: "PasswordAuthentication no" + notify: restart sshd + tags: [base] + + # -- Firewall UFW -- + - name: Autoriser SSH + community.general.ufw: + rule: allow + port: "22" + proto: tcp + tags: [firewall] + + - name: Autoriser HTTP + community.general.ufw: + rule: allow + port: "80" + proto: tcp + tags: 
[firewall] + + - name: Autoriser HTTPS + community.general.ufw: + rule: allow + port: "443" + proto: tcp + tags: [firewall] + + - name: Autoriser WireGuard + community.general.ufw: + rule: allow + port: "51820" + proto: udp + tags: [firewall] + + - name: Activer UFW + community.general.ufw: + state: enabled + policy: deny + tags: [firewall] + + # -- WireGuard -- + - name: Activation IP forwarding + ansible.posix.sysctl: + name: net.ipv4.ip_forward + value: "1" + sysctl_set: true + reload: true + tags: [wireguard] + + - name: Creation repertoire WireGuard + ansible.builtin.file: + path: /etc/wireguard + state: directory + mode: "0700" + tags: [wireguard] + + - name: Deploiement config WireGuard VPS + ansible.builtin.template: + src: wg0-vps.conf.j2 + dest: /etc/wireguard/wg0.conf + mode: "0600" + notify: restart wireguard + tags: [wireguard] + + - name: Activation WireGuard au boot + ansible.builtin.systemd: + name: wg-quick@wg0 + state: started + enabled: true + tags: [wireguard] + + # -- Caddy -- + - name: Installation des prerequis Caddy + ansible.builtin.apt: + name: + - debian-keyring + - debian-archive-keyring + - apt-transport-https + state: present + tags: [caddy] + + - name: Ajout cle GPG Caddy + ansible.builtin.shell: | + curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' \ + | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg + args: + creates: /usr/share/keyrings/caddy-stable-archive-keyring.gpg + tags: [caddy] + + - name: Ajout repo Caddy + ansible.builtin.shell: | + curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' \ + | tee /etc/apt/sources.list.d/caddy-stable.list + args: + creates: /etc/apt/sources.list.d/caddy-stable.list + notify: apt update + tags: [caddy] + + - name: Installation Caddy + ansible.builtin.apt: + name: caddy + state: present + update_cache: true + tags: [caddy] + + - name: Deploiement Caddyfile + ansible.builtin.template: + src: Caddyfile-vps.j2 + dest: /etc/caddy/Caddyfile 
+ mode: "0644" + notify: restart caddy + tags: [caddy] + + - name: Activation Caddy + ansible.builtin.systemd: + name: caddy + state: started + enabled: true + tags: [caddy] + + handlers: + - name: restart sshd + ansible.builtin.systemd: + name: sshd + state: restarted + + - name: restart wireguard + ansible.builtin.systemd: + name: wg-quick@wg0 + state: restarted + + - name: restart caddy + ansible.builtin.systemd: + name: caddy + state: restarted + + - name: apt update + ansible.builtin.apt: + update_cache: true diff --git a/ansible/site.yml b/ansible/site.yml index 06cfab9..cf6a05b 100644 --- a/ansible/site.yml +++ b/ansible/site.yml @@ -22,3 +22,6 @@ - name: Deploiement outils ansible.builtin.import_playbook: playbooks/tools.yml + +- name: Configuration VPS + ansible.builtin.import_playbook: playbooks/vps.yml diff --git a/docker/forgejo/docker-compose.yml b/docker/forgejo/docker-compose.yml index 8dda2f6..2b0a7ef 100644 --- a/docker/forgejo/docker-compose.yml +++ b/docker/forgejo/docker-compose.yml @@ -19,7 +19,7 @@ services: - FORGEJO__server__DOMAIN=${FORGEJO_DOMAIN:-forgejo.local} - FORGEJO__server__SSH_DOMAIN=${FORGEJO_DOMAIN:-forgejo.local} - FORGEJO__server__SSH_PORT=2222 - - FORGEJO__server__ROOT_URL=http://${FORGEJO_DOMAIN:-forgejo.local}:3000/ + - FORGEJO__server__ROOT_URL=https://${FORGEJO_DOMAIN:-forgejo.local}/ ports: - "3000:3000" - "2222:22" diff --git a/homelab.md b/homelab.md index 7326c9d..1ed3fd8 100644 --- a/homelab.md +++ b/homelab.md @@ -3,9 +3,8 @@ ## Infrastructure physique ### HPE ML110 - Proxmox (192.168.1.242) -- **CPU** : 16 x Intel Xeon Silver 4110 @ 2.10GHz (1 Socket) -- **RAM** : 32 Go (upgrade en commande : +16 Go HP PC4 1RX4 2666 MHz → 48 Go total) -- **CPU upgrade en commande** : Intel Xeon Gold 5120 (14 cores / 28 threads @ 2.20GHz) +- **CPU** : Intel Xeon Gold 5120 (14 cores / 28 threads @ 2.20GHz) +- **RAM** : 48 Go (HP PC4 1RX4 2666 MHz) - **Boot** : EFI - **Kernel** : Linux 6.5.11-8-pve - **Reseau** : vmbr0 (Linux bridge) 
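Review bot: The two `lineinfile` edits of `/etc/ssh/sshd_config` ("Desactiver login root SSH" and "Desactiver auth par mot de passe SSH") may not take effect on a Debian image that ships `/etc/ssh/sshd_config.d/*.conf` drop-ins (cloud-init commonly adds one), because the `Include` at the top of that file is read first and sshd keeps the first value it sees for a keyword; a drop-in sorted ahead of the others, validated with `sshd -t`, is the reliable way to enforce both settings. "Sudo sans mot de passe pour sudo group" grants passwordless root to the whole `sudo` group even though a password is set for `{{ admin_user }}`; scoping the line to that user or dropping `NOPASSWD` limits what a stolen `~/.ssh/homelab` key yields on the only publicly exposed host. "Ajout cle GPG Caddy" pipes the signing key straight from cloudsmith into the apt keyring without checking it; fetching it with `ansible.builtin.get_url` and a `checksum: sha256:<expected-key-digest>` (value to be recorded from a trusted first download) makes the repo bootstrap verifiable instead of trust-on-first-use every rebuild. "Creation utilisateur" will also report changed on every run because `password_hash('sha512')` generates a fresh salt each time; passing a fixed salt from the vault as the second argument makes the task idempotent.
```yaml
    - name: Durcissement SSH (drop-in lu avant sshd_config.d/*)
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/00-hardening.conf
        content: |
          PermitRootLogin no
          PasswordAuthentication no
        mode: "0600"
        validate: "sshd -t -f %s"
      notify: restart sshd
      tags: [base]
```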
@@ -20,7 +19,7 @@ ### QNAP TS-431P2 (192.168.1.208) - **CPU** : Alpine AL-314 (ARM Cortex-A15 quad-core) - **RAM** : 8 Go -- **Disques** : 4 baies, RAID 1, disque remplace + RAID reconstruit +- **Disques** : 4 baies, RAID 1 - **OS** : QTS (on ne touche pas) - **Services actuels** : Plex, bots Discord, NFS/SMB @@ -88,11 +87,13 @@ Template cloud-init : Rocky Linux 9 (VMID 9000) ## Architecture reseau cible (avec VPS) ``` -Internet --> [VPS Hetzner CX22 ~4 EUR/mois] +Internet --> [VPS Scaleway PLAY2-PICO - 51.158.126.113] | Caddy (reverse proxy + TLS Let's Encrypt) - | CrowdSec + | forge.elewyn.dev -> 192.168.1.50:3000 + | cloud.elewyn.dev -> 192.168.1.51:8080 | WireGuard tunnel (10.0.0.0/24) + VPS: 10.0.0.1 Gateway: 10.0.0.2 | [VM gateway - 192.168.1.254] | @@ -193,11 +194,11 @@ Internet --> [VPS Hetzner CX22 ~4 EUR/mois] - [x] NFS QNAP monte (nextcloud-data, backups crees sur QNAP) ### Phase 5 - Exposition externe -- [ ] Acheter NDD (~7 EUR/an) -- [ ] Louer VPS Hetzner CX22 (~4 EUR/mois) -- [ ] WireGuard VPS <-> gateway -- [ ] Caddy reverse proxy + TLS -- [ ] DNS Cloudflare +- [x] Acheter NDD elewyn.dev (~7 EUR/an) +- [x] Louer VPS Scaleway PLAY2-PICO (~4 EUR/mois) - 51.158.126.113 +- [x] WireGuard VPS <-> gateway (10.0.0.1 <-> 10.0.0.2) +- [x] Caddy reverse proxy + TLS Let's Encrypt +- [x] DNS Cloudflare (forge.elewyn.dev, cloud.elewyn.dev) ### Phase 6 - QNAP - [x] Creer shares NFS (nextcloud-data) @@ -217,7 +218,7 @@ Internet --> [VPS Hetzner CX22 ~4 EUR/mois] | Poste | Cout | |-------|------| -| NDD .fr | ~7 EUR/an | -| VPS Hetzner CX22 | ~48 EUR/an | +| NDD elewyn.dev | ~7 EUR/an | +| VPS Scaleway PLAY2-PICO | ~48 EUR/an | | Disque QNAP remplacement | ~20-30 EUR (une fois) | | **Total premiere annee** | **~80 EUR** |