Ansible meta repo for c0ntora infrastructure
Nikki Claude ebdf031565
feat(vpn): setup-iptables submodule + firewall vars + Play 5
iptables hardening: SSH/HTTP/HTTPS/1194 UDP, admin networks (WG+ovpn),
Docker-safe DROP rule, persist via netfilter-persistent.

Signed-off-by: Nikki Claude <nikki.claude@avallon.pw>
2026-06-08 02:34:44 +07:00
.forgejo/workflows ci: use reusable gitleaks workflow from c0ntora.etc/devops, update submodule refs 2026-04-08 12:48:35 +07:00
group_vars feat: add openbao-fetch role, refactor Play 1 in BAO playbooks 2026-05-13 09:32:16 +07:00
inventory feat(vpn): setup-iptables submodule + firewall vars + Play 5 2026-06-08 02:34:44 +07:00
playbooks feat(vpn): setup-iptables submodule + firewall vars + Play 5 2026-06-08 02:34:44 +07:00
roles feat(vpn): setup-iptables submodule + firewall vars + Play 5 2026-06-08 02:34:44 +07:00
.gitignore add: .gitignore blacklist .ssh 2026-05-20 09:44:36 +07:00
.gitleaks.toml ci: add gitleaks workflow to meta repo + update submodule pointers 2026-04-08 12:32:44 +07:00
.gitmodules feat(vpn): setup-iptables submodule + firewall vars + Play 5 2026-06-08 02:34:44 +07:00
ansible.cfg refactor: migrate inventory from INI to YAML format 2026-05-13 08:58:46 +07:00
README.md feat: README, inventory, mm-deploy/wg-s2c roles, new playbooks 2026-04-25 11:33:07 +07:00

ansible-meta-c0ntora

Ansible meta-repo for c0ntora.ru infrastructure. Roles are git submodules from the c0ntora.etc org on forge.avallon.pw.

Hosts

| Host | IP | Role |
|---|---|---|
| c0ntora-main | | main c0ntora server (bare-metal/VM) |
| vm-c0ntora-router | 185.84.163.118 | nginx reverse proxy + WireGuard hub |
| vm-kp3-mattermost | 10.174.80.241 | Mattermost + PostgreSQL (internal) |

Roles

| Role | Description |
|---|---|
| nginx-router | Dockerized nginx with certbot, conf.d, custom.d, trusted_networks |
| mm | Mattermost nginx vhost (WebSocket, TLS toggle) |
| mm-deploy | Mattermost + PostgreSQL docker-compose on backend VM |
| docs | Confluence nginx vhost (Synchrony WS, DAV, trusted_networks) |
| contora | c0ntora.ru main vhost + mp4 aliases (~40 entries) |
| mojopaste | Mojopaste nginx vhost (p.c0ntora.ru, paste.c0ntora.ru) |
| privoxy | Privoxy HTTP proxy docker-compose |
| vpns | VPN configs |
| wg-s2c | WireGuard site-to-client tunnel (router ↔ mm VM) |

Playbooks

playbooks/
  setup-nginx-router.yml    # deploy nginx-router role
  setup-mm.yml              # deploy mm nginx vhost
  setup-docs.yml            # deploy docs nginx vhost
  setup-contora.yml         # deploy contora vhost + mp4 aliases
  setup-mojopaste.yml       # deploy mojopaste vhost
  setup-privoxy.yml         # deploy privoxy
  setup-vpns.yml            # deploy vpn configs
  setup-wg-s2c.yml          # configure WireGuard s2c tunnel
  deploy-mm.yml             # deploy Mattermost + PG on backend VM
  backup-mm.yml             # backup Mattermost data
  bootstrap-openbao-c0ntora.yml  # bootstrap OpenBao secrets

Network topology

internet
  └─ vm-c0ntora-router (185.84.163.118)
       nginx-router (docker)
         conf.d/: mm.conf, docs.conf, paste.conf, c0ntora.conf
         custom.d/: trusted_networks.inc (Russian ISP CIDR allowlist)
       WireGuard wg0: 10.9.0.1/24
         └─ vm-kp3-mattermost: 10.9.0.3
              Mattermost :8065
              PostgreSQL 15

Secrets

Sensitive vars go in inventory/host_vars/<host>/vault.yml (ansible-vault). See vault.yml.example for required keys.

Never commit: *.pem, *.key, letsencrypt/, certbot/conf/.
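The two rules above (vault-encrypted host secrets, and a deny-list of files that must never be committed) can be enforced locally before gitleaks ever sees a push. The following is an added example, not part of ansible-meta-c0ntora or its CI: a POSIX sh pre-commit guard that refuses a commit when a staged path matches the README's deny-list, or when a staged `inventory/host_vars/<host>/vault.yml` is plaintext rather than ansible-vault output. The hook wiring in the trailing comment and the `$ANSIBLE_VAULT;` header check are assumptions about how the repo would use it; the header itself is the format ansible-vault writes.

```sh
#!/bin/sh
# Added example (not the repo's own code): pre-commit guard for the README's
# secrets rules. Assumes it is sourced or called from .git/hooks/pre-commit.

# Regex built from the README's "Never commit" line: *.pem, *.key,
# letsencrypt/, certbot/conf/.
FORBIDDEN_RE='\.pem$|\.key$|(^|/)letsencrypt/|(^|/)certbot/conf/'

# Print every staged path matching the deny-list; status 1 if any matched.
# $1: newline-separated path list (what `git diff --cached --name-only` prints).
forbidden_staged_paths() {
    matches=$(printf '%s\n' "$1" | grep -E "$FORBIDDEN_RE" || true)
    [ -z "$matches" ] && return 0
    printf '%s\n' "$matches"
    return 1
}

# ansible-vault encrypted files start with a header such as
# "$ANSIBLE_VAULT;1.1;AES256". Status 0 if present, 1 if plaintext or missing.
vault_file_is_encrypted() {
    [ -f "$1" ] || return 1
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;'
}

# Full guard. $1 = staged path list, $2 = working-tree root (default ".").
# Returns 0 when the commit may proceed, 1 when it must be refused.
precommit_guard() {
    root=${2:-.}
    ok=0
    if ! forbidden_staged_paths "$1" >/dev/null; then
        echo "refusing commit: key/cert material staged:" >&2
        forbidden_staged_paths "$1" >&2
        ok=1
    fi
    # Every staged host_vars vault.yml must be vault-encrypted, not plaintext.
    for p in $(printf '%s\n' "$1" | grep -E '^inventory/host_vars/[^/]+/vault\.yml$'); do
        if ! vault_file_is_encrypted "$root/$p"; then
            echo "refusing commit: $p is not ansible-vault encrypted" >&2
            ok=1
        fi
    done
    return $ok
}

# Usage from .git/hooks/pre-commit (assumed wiring):
#   precommit_guard "$(git diff --cached --name-only --diff-filter=ACM)" \
#                   "$(git rev-parse --show-toplevel)" || exit 1
```

The deny-list regex anchors on path segments (`(^|/)letsencrypt/`) so a `letsencrypt/` directory nested under a role is caught as well as one at the repo root, while `.gitignore` only helps if the pattern was added before the file was ever staged. The vault check looks only at the header, which is enough to catch the common mistake of editing a decrypted vault.yml and forgetting to re-encrypt it; it does not validate the ciphertext.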

CI

Gitleaks secret scan runs on every push/PR via the c0ntora.etc/devops reusable workflow.