feat: phase 5 complete - external exposure and service fixes, docs update

This commit is contained in:
Elewyn 2026-04-29 15:49:37 +02:00
parent bd7bbf3392
commit 8dc0d2a3f5
11 changed files with 323 additions and 49 deletions

View file

@ -1,27 +1,44 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
64613363653338393162363864326531316465383137313239313439343664303939393164623533 36666664316234333832666132313863623330363638666331383131353764376437353439616633
6430616230323436323065323164346537373235306166300a646366316163383464376165633538 3135373538623062626264636361356338633633666638350a633536313639353964326635373132
61343362613639343366353962353433323861626239376564663136323262323837333937356636 63663332316137653133353138336335333131336231623536643734316166326161373934333938
6133633932396336620a613237343731623432336530373334613737343063396339663862663762 6166353164306332640a316465653934313031336565646166636365613264386538333464323263
33626662633865353634643036633333653133666235613737346161663766316465336563306165 31353262646434623236303663396466383135326334373535356433383438646135663036383363
36633033353132646233383765396266393232346235393033313134376164363736633565623631 66626635353462333164326230373936626563666438356234623637663461373066306363653036
35653235316562656232393331376136303135636363303832626236663936343939653835316437 31666561356634316138623931666331316433383866316265666338373165653331643063373033
34393439666365333739386139363861616231323463616666663231353433663164346339343136 30656236626534376239373632616231396536396132313936356130353331383933666538616162
65333337653330646463373834656131623165653832623738376430623131393838356364313366 30393362353038366264616130333132346166643834353034653964386637383331313238353665
36623534303966353965383365306265326630363161646231336639663966383233373433633366 31616432313037633933363163356437633065313234656361643064353466653238356461376661
31623635356234303938663362623232373739373966396230383562303436303736386163336463 30376564646332336363333164653337326439313461376337643731636166386432373465623033
35383238376637333934363034363134313162646563343666623062366230303466656635353964 64393639393837303733303366386234363033386230646533343235356464353833653530383733
32303432323666373962656638333838333933353163616330613765666539613932336338353033 64316162306231323731356234336437626366353461316330373431333734373136623365623930
30363031303134626131333731323334623735386438393930663261616435306664633837653635 39666533636433326265633235613131666432326163363464653838313561666364646436373661
36663362336231636461363331363033363434623763623131623338363964333638346463623839 64313130653363346632316566663530613738343761373037336439346365643933356165383435
39666536633936396235323738353731323361656166396134646462626134643530343636386238 32633135353364326231313933393033383362633062653562373530343164623933623835316534
33623864623437643132383130643962623762626130333536646131313031393333663662393733 35393136373563653434376438633737636365373834373538353331303239643939343661343065
62643466346330316463393833343931633332613161613963646432613832323963623465633330 64343233356561643838666463363566306237643032353333326535373035316136323737663063
36666466363130313536613861373665376633323432316337353431663665313762653663666135 32376434303866373566653233656430303365623838363336626633663931396465373864336330
66623734363836373166643732646338643532343762653937326161313265326364626233373538 64353334316435366466346663353133353966373339376661643037323466336134316563363537
33383235303531323966633839623763313637326231356165663365336231623564343734626639 62666439666461386634373235383136656630373063316336616431353535616331383564346333
37313838366237333562643334386631353730386334373539356430313334656339303536323431 32373035643431656433343862343038316430333530396339633664386537663064633933303534
35636431333932356535386461336138316432313337613463393965633733356164663866666463 34653639623239376637336264643539646563353966626264363664336235643861303533633461
30313366313531326338323632626363636431643631326139663966613065376163366231613238 33396465366334653234376231356466643565613466663932633461663330343434336236313635
66373130666461373566396334386534353139313239353163623735636461386162313134393837 62346263343030613266363431643633363937623430323861646235633036666431376132363763
3733663963653135323065356163316434323465613266643837 61313361663266363337353462336434643031633436643564316564633763333134383234336632
32666361313362373862383235346632616137646635353465343830656466356666663335636464
39303863643135613738343339333239636136653535623834616337666666323234316163633639
37393563373939333038396135323265386664306130373031653761303065623134343562346136
63623164643536363737356631636665363063623063313063656263623339326335663632343232
37663037353565656162663663616664356564613663353332356531666136313664326433303139
31643365613864633363346436323938373839326531376537613863643461663534353330393864
37346333653964643065386533643630646261613036353963626431336262396637333236393130
39666566313631633762626135626461323239396236626663663337666265613337666232613561
65306161303666623365636632656264323039626162356433336531336565613163383863643237
33653434666231306664373966383936623361373363343237303630666336626337333631306433
34646636366136623466336561623864303866343635386139306537333662333338356334393336
66653231343839323161396338356435643238303036633139626663653264373364383666383435
30343566656234393362643061383433343664383463353739363732363835663635343337643161
65366435316238653631323561393836326137636361386264396163376166373438383239386234
39646331393638646333386361316366376636333233363736613737613062653962373432306238
34326265373862386635376335616137373932626662663965326266633063333565326434303130
613832323738326232303464626462663538
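Review bot: the re-encrypted vault blob cannot be reviewed inline, so before merging please confirm with `ansible-vault view` that it defines every new variable the other hunks now reference (`vault_wg_vps_private_key`, `vault_wg_gateway_private_key`, `vault_wg_vps_public_key`, `vault_wg_gateway_public_key`, `vault_wireguard_configured`, `vault_nextcloud_domain`, `vault_admin_password`); a typo in any of these surfaces only at run time on the internet-facing host. It is also worth stating in the commit message that the two WireGuard private keys were generated with `wg genkey` straight into the vault (the old wg0.conf.j2 comment describes writing them to `privatekey` files), so that no plaintext copy ever sat in the working tree.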

View file

@ -26,3 +26,10 @@ all:
hosts: hosts:
vm-tools: vm-tools:
ansible_host: 192.168.1.52 ansible_host: 192.168.1.52
vps:
hosts:
vps-gateway:
ansible_host: 51.158.126.113
ansible_user: Elewyn
ansible_ssh_private_key_file: ~/.ssh/homelab
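Review bot: `ansible_host: 51.158.126.113` is one of three places this commit hard-codes the VPS address (the gateway wg0.conf.j2 `Endpoint` and the docs are the others); keep it only in the inventory and have the template read `hostvars['vps-gateway'].ansible_host`, so a provider or IP change is a one-line edit. Also, `ansible_user: Elewyn` with `~/.ssh/homelab` is exactly the account vps.yml later locks SSH down to (root login and password auth disabled), so the very first run needs that user and key already present on the fresh instance; a short comment here on how the bootstrap account is seeded (cloud-init, provider console) would save the next person a lockout.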

View file

@ -38,7 +38,7 @@
dest: /etc/wireguard/wg0.conf dest: /etc/wireguard/wg0.conf
mode: "0600" mode: "0600"
notify: restart wireguard notify: restart wireguard
when: wireguard_configured | default(false) when: vault_wireguard_configured | default(false)
tags: [wireguard] tags: [wireguard]
# -- Caddy -- # -- Caddy --
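Review bot: the renamed gate `vault_wireguard_configured | default(false)` means a missing or misspelled vault variable silently skips the WireGuard template instead of failing, and phase 5 now depends on this tunnel being up; prefer an `ansible.builtin.assert` that the variable is defined, or drop the `default(false)` now that the VPS side exists, so a broken vault fails loudly at the gateway rather than as a hung proxy request later.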

View file

@ -82,6 +82,23 @@
changed_when: false changed_when: false
tags: [nextcloud] tags: [nextcloud]
- name: Attendre que Nextcloud soit pret
ansible.builtin.shell: >
docker exec nextcloud php occ status --output=json
register: nc_status
retries: 15
delay: 10
until: nc_status.rc == 0
changed_when: false
tags: [nextcloud]
- name: Ajout trusted_domain cloud.elewyn.dev
ansible.builtin.shell: >
docker exec nextcloud php occ config:system:set
trusted_domains 2 --value={{ vault_nextcloud_domain }}
changed_when: true
tags: [nextcloud]
- name: Ouverture port Nextcloud - name: Ouverture port Nextcloud
ansible.posix.firewalld: ansible.posix.firewalld:
port: 8080/tcp port: 8080/tcp
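Review bot: the `config:system:set trusted_domains 2` task writes to a fixed index and declares `changed_when: true`, so it overwrites whatever already sits in slot 2 and reports changed on every run; read the list with `occ config:system:get trusted_domains` first and set only when `vault_nextcloud_domain` is absent (deriving `changed_when` from that check). Because the domain is now reached through Caddy on the VPS, the same block should also set `overwriteprotocol` to `https` and add the tunnel address the proxy connects from (10.0.0.1) to `trusted_proxies`; otherwise Nextcloud emits `http://` links and records every client as the proxy IP, which blinds its brute-force protection. Finally, both `docker exec nextcloud php occ` calls run as the container's default user; if that is root, occ refuses with "Console has to be executed with the user that owns the file config/config.php" and the readiness loop burns all 15 retries, so `docker exec -u www-data` is the safer form.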

View file

@ -0,0 +1,7 @@
forge.elewyn.dev {
reverse_proxy 192.168.1.50:3000
}
cloud.elewyn.dev {
reverse_proxy 192.168.1.51:8080
}
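Review bot: `Caddyfile-vps.j2` is deployed through `ansible.builtin.template` yet contains no variables, so the upstreams `192.168.1.50:3000` and `192.168.1.51:8080` duplicate addresses the inventory already holds; reference them via `hostvars` so the proxy follows the inventory. A one-line comment that both upstreams are plain HTTP carried inside the WireGuard tunnel (the only reason terminating TLS on the VPS is acceptable here) and that Caddy's `reverse_proxy` forwards `X-Forwarded-For`/`X-Forwarded-Proto` by default would also document what the Nextcloud `trusted_proxies` setting relies on.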

View file

@ -0,0 +1,13 @@
[Interface]
Address = 10.0.0.1/24
PrivateKey = {{ wg_vps_private_key }}
ListenPort = 51820
# Trafic sortant vers internet via le VPS
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# Gateway homelab
PublicKey = {{ wg_gateway_public_key }}
AllowedIPs = 10.0.0.2/32, 192.168.1.0/24
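Review bot: the `PostUp`/`PostDown` rules hard-code `-o eth0`; on a cloud instance the uplink is not guaranteed to carry that name, and a wrong name makes the MASQUERADE rule match nothing without any error, so template it from a variable such as `ansible_default_ipv4.interface`. The comment says outbound internet traffic goes via the VPS, but the gateway side in this same commit only has `AllowedIPs = 10.0.0.0/24`, so no LAN-originated internet traffic is ever routed into the tunnel: either the NAT rule and comment are dead weight or the gateway config is incomplete, and the review cannot tell which. Since the VPS is managed with UFW, raw `iptables -A FORWARD` rules added by wg-quick also vanish on `ufw reload`; `ufw route allow in on wg0` keeps the forwarding policy in one place. Lastly, `AllowedIPs = 10.0.0.2/32, 192.168.1.0/24` lets a compromised VPS reach the whole LAN, while Caddy only needs 192.168.1.50 and 192.168.1.51; narrowing to those two /32s costs nothing.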

View file

@ -1,14 +1,13 @@
# WireGuard - A configurer a la phase 5 (VPS)
# Generer les cles : wg genkey | tee privatekey | wg pubkey > publickey
[Interface] [Interface]
Address = 10.0.0.2/24 Address = 10.0.0.2/24
PrivateKey = {{ wireguard_private_key }} PrivateKey = {{ vault_wg_gateway_private_key }}
ListenPort = 51820 ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer] [Peer]
# VPS # VPS Scaleway
PublicKey = {{ wireguard_vps_public_key }} PublicKey = {{ vault_wg_vps_public_key }}
Endpoint = {{ wireguard_vps_ip }}:51820 Endpoint = 51.158.126.113:51820
AllowedIPs = 10.0.0.1/32 AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25 PersistentKeepalive = 25
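Review bot: the two removed `PostUp`/`PostDown` lines were the gateway's only FORWARD and MASQUERADE rules for wg0 and nothing in this commit replaces them; traffic from Caddy (source 10.0.0.1) is now forwarded to 192.168.1.50/.51 with its tunnel address intact, so unless 192.168.1.254 is already their default route those two VMs need a route back to 10.0.0.0/24 via the gateway (or the gateway must SNAT), otherwise the first proxied request simply hangs. Please state which of the two is in place, ideally as a comment next to `[Peer]`. Separately, `Endpoint = 51.158.126.113:51820` swaps the `wireguard_vps_ip` variable for a literal inside a .j2 template, a step backwards; `{{ hostvars['vps-gateway'].ansible_host }}` keeps the inventory as the single source.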

ansible/playbooks/vps.yml Normal file (210 lines)
View file

@ -0,0 +1,210 @@
---
# VPS Scaleway : point d'entree public
# - Hardening Debian
# - WireGuard (tunnel vers gateway homelab)
# - Caddy (reverse proxy + TLS Let's Encrypt)
- name: Configuration VPS
hosts: vps
become: true
vars:
wg_vps_private_key: "{{ vault_wg_vps_private_key }}"
wg_gateway_public_key: "{{ vault_wg_gateway_public_key }}"
tasks:
# -- Hardening de base --
- name: Mise a jour des paquets
ansible.builtin.apt:
update_cache: true
upgrade: dist
tags: [base]
- name: Installation paquets utilitaires
ansible.builtin.apt:
name:
- vim
- curl
- wget
- ufw
- wireguard
- python3
state: present
tags: [base]
- name: Creation utilisateur {{ admin_user }}
ansible.builtin.user:
name: "{{ admin_user }}"
groups: sudo
shell: /bin/bash
create_home: true
password: "{{ vault_admin_password | password_hash('sha512') }}"
state: present
tags: [base]
- name: Cle SSH pour {{ admin_user }}
ansible.posix.authorized_key:
user: "{{ admin_user }}"
key: "{{ lookup('file', '~/.ssh/homelab.pub') }}"
state: present
tags: [base]
- name: Sudo sans mot de passe pour sudo group
ansible.builtin.lineinfile:
path: /etc/sudoers.d/sudo-nopasswd
line: "%sudo ALL=(ALL) NOPASSWD: ALL"
create: true
mode: "0440"
validate: "visudo -cf %s"
tags: [base]
- name: Desactiver login root SSH
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#?PermitRootLogin"
line: "PermitRootLogin no"
notify: restart sshd
tags: [base]
- name: Desactiver auth par mot de passe SSH
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#?PasswordAuthentication"
line: "PasswordAuthentication no"
notify: restart sshd
tags: [base]
# -- Firewall UFW --
- name: Autoriser SSH
community.general.ufw:
rule: allow
port: "22"
proto: tcp
tags: [firewall]
- name: Autoriser HTTP
community.general.ufw:
rule: allow
port: "80"
proto: tcp
tags: [firewall]
- name: Autoriser HTTPS
community.general.ufw:
rule: allow
port: "443"
proto: tcp
tags: [firewall]
- name: Autoriser WireGuard
community.general.ufw:
rule: allow
port: "51820"
proto: udp
tags: [firewall]
- name: Activer UFW
community.general.ufw:
state: enabled
policy: deny
tags: [firewall]
# -- WireGuard --
- name: Activation IP forwarding
ansible.posix.sysctl:
name: net.ipv4.ip_forward
value: "1"
sysctl_set: true
reload: true
tags: [wireguard]
- name: Creation repertoire WireGuard
ansible.builtin.file:
path: /etc/wireguard
state: directory
mode: "0700"
tags: [wireguard]
- name: Deploiement config WireGuard VPS
ansible.builtin.template:
src: wg0-vps.conf.j2
dest: /etc/wireguard/wg0.conf
mode: "0600"
notify: restart wireguard
tags: [wireguard]
- name: Activation WireGuard au boot
ansible.builtin.systemd:
name: wg-quick@wg0
state: started
enabled: true
tags: [wireguard]
# -- Caddy --
- name: Installation des prerequis Caddy
ansible.builtin.apt:
name:
- debian-keyring
- debian-archive-keyring
- apt-transport-https
state: present
tags: [caddy]
- name: Ajout cle GPG Caddy
ansible.builtin.shell: |
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' \
| gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
args:
creates: /usr/share/keyrings/caddy-stable-archive-keyring.gpg
tags: [caddy]
- name: Ajout repo Caddy
ansible.builtin.shell: |
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' \
| tee /etc/apt/sources.list.d/caddy-stable.list
args:
creates: /etc/apt/sources.list.d/caddy-stable.list
notify: apt update
tags: [caddy]
- name: Installation Caddy
ansible.builtin.apt:
name: caddy
state: present
update_cache: true
tags: [caddy]
- name: Deploiement Caddyfile
ansible.builtin.template:
src: Caddyfile-vps.j2
dest: /etc/caddy/Caddyfile
mode: "0644"
notify: restart caddy
tags: [caddy]
- name: Activation Caddy
ansible.builtin.systemd:
name: caddy
state: started
enabled: true
tags: [caddy]
handlers:
- name: restart sshd
ansible.builtin.systemd:
name: sshd
state: restarted
- name: restart wireguard
ansible.builtin.systemd:
name: wg-quick@wg0
state: restarted
- name: restart caddy
ansible.builtin.systemd:
name: caddy
state: restarted
- name: apt update
ansible.builtin.apt:
update_cache: true
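Review bot: `password: "{{ vault_admin_password | password_hash('sha512') }}"` draws a fresh random salt on every run, so the user task is never idempotent and rewrites /etc/shadow each time; pass a fixed salt from the vault as the second argument, or set `update_password: on_create`. The sudoers drop-in grants `%sudo ALL=(ALL) NOPASSWD: ALL` to the whole group; with password auth disabled the SSH key is now the sole factor between the internet and root, so scope the line to `{{ admin_user }}` and say in the task name that it is deliberate. The two `lineinfile` edits to /etc/ssh/sshd_config can be overridden by any file under `/etc/ssh/sshd_config.d/` (Debian 12 includes that directory at the top of the file, and sshd takes the first value it sees), so a provider drop-in that enables password auth would win silently; writing your own drop-in there and adding `validate: "sshd -t -f %s"` makes the hardening robust and caught before the `restart sshd` handler fires. `admin_user` is consumed throughout but defined neither here nor in the inventory hunk; please note where it lives. Minor: the `apt update` handler runs at the end of the play, after `Installation Caddy` has already done `update_cache: true`, so it can go.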

View file

@ -22,3 +22,6 @@
- name: Deploiement outils - name: Deploiement outils
ansible.builtin.import_playbook: playbooks/tools.yml ansible.builtin.import_playbook: playbooks/tools.yml
- name: Configuration VPS
ansible.builtin.import_playbook: playbooks/vps.yml
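Review bot: importing vps.yml binds it to the `vps` group, but the variables it consumes (`vault_wg_vps_private_key`, `vault_wg_gateway_public_key`, `vault_admin_password`, `admin_user`) must be visible to that group and this diff adds no `group_vars/vps` file; either the vault is loaded at the `all` level or the play fails on an undefined variable. A comment here stating where they are loaded would make the dependency explicit.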

View file

@ -19,7 +19,7 @@ services:
- FORGEJO__server__DOMAIN=${FORGEJO_DOMAIN:-forgejo.local} - FORGEJO__server__DOMAIN=${FORGEJO_DOMAIN:-forgejo.local}
- FORGEJO__server__SSH_DOMAIN=${FORGEJO_DOMAIN:-forgejo.local} - FORGEJO__server__SSH_DOMAIN=${FORGEJO_DOMAIN:-forgejo.local}
- FORGEJO__server__SSH_PORT=2222 - FORGEJO__server__SSH_PORT=2222
- FORGEJO__server__ROOT_URL=http://${FORGEJO_DOMAIN:-forgejo.local}:3000/ - FORGEJO__server__ROOT_URL=https://${FORGEJO_DOMAIN:-forgejo.local}/
ports: ports:
- "3000:3000" - "3000:3000"
- "2222:22" - "2222:22"
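Review bot: `ROOT_URL` now advertises `https://forge.elewyn.dev/`, yet `SSH_DOMAIN` keeps the same public name while port 2222 is only published on the LAN and the VPS Caddyfile proxies HTTP only, so every SSH clone URL the UI shows (`ssh://git@forge.elewyn.dev:2222/...`) is unreachable from the internet. Either forward TCP 2222 through the tunnel (a DNAT rule on the VPS plus a matching UFW allow) or set `FORGEJO__server__SSH_DOMAIN` to the LAN name so users are not misled. Leaving `FORGEJO__server__PROTOCOL` at its default `http` is correct here since TLS terminates at Caddy; worth a comment so nobody "fixes" it.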

View file

@ -3,9 +3,8 @@
## Infrastructure physique ## Infrastructure physique
### HPE ML110 - Proxmox (192.168.1.242) ### HPE ML110 - Proxmox (192.168.1.242)
- **CPU** : 16 x Intel Xeon Silver 4110 @ 2.10GHz (1 Socket) - **CPU** : Intel Xeon Gold 5120 (14 cores / 28 threads @ 2.20GHz)
- **RAM** : 32 Go (upgrade en commande : +16 Go HP PC4 1RX4 2666 MHz → 48 Go total) - **RAM** : 48 Go (HP PC4 1RX4 2666 MHz)
- **CPU upgrade en commande** : Intel Xeon Gold 5120 (14 cores / 28 threads @ 2.20GHz)
- **Boot** : EFI - **Boot** : EFI
- **Kernel** : Linux 6.5.11-8-pve - **Kernel** : Linux 6.5.11-8-pve
- **Reseau** : vmbr0 (Linux bridge) - **Reseau** : vmbr0 (Linux bridge)
@ -20,7 +19,7 @@
### QNAP TS-431P2 (192.168.1.208) ### QNAP TS-431P2 (192.168.1.208)
- **CPU** : Alpine AL-314 (ARM Cortex-A15 quad-core) - **CPU** : Alpine AL-314 (ARM Cortex-A15 quad-core)
- **RAM** : 8 Go - **RAM** : 8 Go
- **Disques** : 4 baies, RAID 1, disque remplace + RAID reconstruit - **Disques** : 4 baies, RAID 1
- **OS** : QTS (on ne touche pas) - **OS** : QTS (on ne touche pas)
- **Services actuels** : Plex, bots Discord, NFS/SMB - **Services actuels** : Plex, bots Discord, NFS/SMB
@ -88,11 +87,13 @@ Template cloud-init : Rocky Linux 9 (VMID 9000)
## Architecture reseau cible (avec VPS) ## Architecture reseau cible (avec VPS)
``` ```
Internet --> [VPS Hetzner CX22 ~4 EUR/mois] Internet --> [VPS Scaleway PLAY2-PICO - 51.158.126.113]
| Caddy (reverse proxy + TLS Let's Encrypt) | Caddy (reverse proxy + TLS Let's Encrypt)
| CrowdSec | forge.elewyn.dev -> 192.168.1.50:3000
| cloud.elewyn.dev -> 192.168.1.51:8080
| |
WireGuard tunnel (10.0.0.0/24) WireGuard tunnel (10.0.0.0/24)
VPS: 10.0.0.1 Gateway: 10.0.0.2
| |
[VM gateway - 192.168.1.254] [VM gateway - 192.168.1.254]
| |
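Review bot: this hunk drops `CrowdSec` from the target architecture but nothing in vps.yml adds an alternative (no fail2ban, no rate limiting in the Caddyfile), so the public entry point has no automated response to login brute force against Nextcloud or Forgejo; either keep it as an open item in the Phase 5 checklist or state explicitly that it was dropped and why.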
@ -193,11 +194,11 @@ Internet --> [VPS Hetzner CX22 ~4 EUR/mois]
- [x] NFS QNAP monte (nextcloud-data, backups crees sur QNAP) - [x] NFS QNAP monte (nextcloud-data, backups crees sur QNAP)
### Phase 5 - Exposition externe ### Phase 5 - Exposition externe
- [ ] Acheter NDD (~7 EUR/an) - [x] Acheter NDD elewyn.dev (~7 EUR/an)
- [ ] Louer VPS Hetzner CX22 (~4 EUR/mois) - [x] Louer VPS Scaleway PLAY2-PICO (~4 EUR/mois) - 51.158.126.113
- [ ] WireGuard VPS <-> gateway - [x] WireGuard VPS <-> gateway (10.0.0.1 <-> 10.0.0.2)
- [ ] Caddy reverse proxy + TLS - [x] Caddy reverse proxy + TLS Let's Encrypt
- [ ] DNS Cloudflare - [x] DNS Cloudflare (forge.elewyn.dev, cloud.elewyn.dev)
### Phase 6 - QNAP ### Phase 6 - QNAP
- [x] Creer shares NFS (nextcloud-data) - [x] Creer shares NFS (nextcloud-data)
@ -217,7 +218,7 @@ Internet --> [VPS Hetzner CX22 ~4 EUR/mois]
| Poste | Cout | | Poste | Cout |
|-------|------| |-------|------|
| NDD .fr | ~7 EUR/an | | NDD elewyn.dev | ~7 EUR/an |
| VPS Hetzner CX22 | ~48 EUR/an | | VPS Scaleway PLAY2-PICO | ~48 EUR/an |
| Disque QNAP remplacement | ~20-30 EUR (une fois) | | Disque QNAP remplacement | ~20-30 EUR (une fois) |
| **Total premiere annee** | **~80 EUR** | | **Total premiere annee** | **~80 EUR** |