esh/cinc-repo/policyfiles/gtw.rb

name 'gtw'

###
# Cookbooks location
###

# ESH
default_source :chef_repo, '../cookbooks'

# Community
default_source :supermarket, 'https://supermarket.chef.io'

###
# Run List
###

run_list %w(
  esh_system::hostname
  esh_system::sshd
  esh_ufw::rules
  esh_wireguard::server
  esh_haproxy::config
  esh_letsencrypt::snap
  esh_letsencrypt::certs
  esh_letsencrypt::serve
)

###
# Attributes
###

###
# esh_system
###

default['esh']['system']['hostname']['fqdn'] = 'gtw.benoit.jp.net'

default['esh']['system']['sshd']['port'] = '28'
default['esh']['system']['sshd']['permitrootlogin'] = 'prohibit-password'
default['esh']['system']['sshd']['passwordauthentication'] = 'no'
default['esh']['system']['sshd']['maxauthtries'] = '3'
default['esh']['system']['sshd']['maxsessions'] = '5'
default['esh']['system']['sshd']['otp'] = false

###
# esh_ufw
###

default['esh']['ufw']['rules']['list'] = [
  'limit from any to any port 22',
  'limit from any to any port 28',
  'allow from any to any port 25',
  'allow from any to any port 80',
  'allow from any to any port 443',
  'allow from any to any port 465',
  'allow from any to any port 853',
  'allow from any to any port 993',
  'allow from any to any port 4190',
  'allow from 10.10.10.3 to 10.10.10.1 port 8898',
  'allow from any to any port 51820',
]

###
# esh_wireguard
###

default['esh']['wireguard']['server']['privkey'] = '='
default['esh']['wireguard']['server']['pubkey'] = '3JJ00aMP/1mPJeUW0sci4dIK4S4XBiTWWaBgZgq+LCQ='
default['esh']['wireguard']['server']['address'] = '10.10.10.1/24, fdaf:345d:a5fc::1/64'
default['esh']['wireguard']['server']['listenport'] = '51820'
default['esh']['wireguard']['server']['pubint'] = 'enp1s0'
default['esh']['wireguard']['server']['routing'] = true
default['esh']['wireguard']['server']['peers'] = {
  '3HNAZfx02qnpw2Tglrjs7KEnO3lUz1SZ/xUZUYGV6mo=': '10.10.10.3,fdaf:345d:a5fc::3,10.78.127.0/24,fd42:d7a4:755b:7893::/64',
  'agIabJemiFUD+u8BCNmyO2PIgg2SGjQX573AIIkgExs=': '10.10.10.6,fdaf:345d:a5fc::6,10.121.231.1/24,fd42:4a26:3578:a318::1/64',
}
  #'8j2fzeFgxk33a+cDemZluPAxlRN21bdmTMHVpayIhQg=': '10.10.10.4,fdaf:345d:a5fc::4,10.78.127.0/24,fd42:d7a4:755b:7893::/64',
  #'2o41xCeNiUsfRMFg+fvbRIqTdAWjdPptMu8aRnZ3zyk=': '10.10.10.5'

###
# esh_lestencrypt
###

default['esh']['letsencrypt']['certs']['email'] = 'certbot@benpro.fr'
default['esh']['letsencrypt']['certs']['list'] = [
 
]
default['esh']['letsencrypt']['serve']['auth'] = ''
default['esh']['letsencrypt']['serve']['miniserve_url'] = 'https://github.com/svenstaro/miniserve/releases/download/v0.22.0/miniserve-0.22.0-x86_64-unknown-linux-gnu'
default['esh']['letsencrypt']['serve']['listen'] = '10.10.10.1'

###
# esh_haproxy
###

default['esh']['haproxy']['config']['stats_password'] = ''

default['esh']['haproxy']['config']['listen'] = {
   'ssh': {
      'bind': '22',
      'mode': 'tcp',
      'server': 'git-ssh 10.78.127.119:10022 send-proxy',
   },
   'smtp': {
      'bind': '25',
      'mode': 'tcp',
      'server': 'mail 10.78.127.231:10025 send-proxy',
   },
   'smtps': {
      'bind': '465',
      'mode': 'tcp',
      'server': 'mail 10.78.127.231:10465 send-proxy',
   },
   'imaps': {
      'bind': '993',
      'mode': 'tcp',
      'server': 'mail 10.78.127.231:10993 send-proxy',
   },
   'sieve': {
      'bind': '4190',
      'mode': 'tcp',
      'server': 'mail 10.78.127.231:14190 send-proxy',
   },
   'adguard-dot': {
      'bind': '853',
      'mode': 'tcp',
      'server': 'adguard 10.78.127.201:10853 send-proxy',
   },
}

default['esh']['haproxy']['config']['acls'] = {
  'mail': {
    'hosts': [
      'mail.benoit.jp.net',
    ],
    'denies': [
      '!JP !letsencrypt',
    ],
    'backend': 'mail',
  },
  'archive': {
    'hosts': [
      'blog.benpro.fr.archive.benoit.jp.net',
      'lekernelpanique.fr.archive.benoit.jp.net',
      'sysadmin-bookmarks.archive.benoit.jp.net',
    ],
    'denies': [],
    'backend': 'archive',
  },
  'mkdocs': {
    'hosts': [
      'www.benoit.jp.net',
      'benoit.jp.net',
    ],
    'denies': [],
    'backend': 'mkdocs',
  },
  'mkdocs-laminar': {
    'hosts': [
      'laminar.benoit.jp.net',
    ],
    'denies': [],
    'backend': 'mkdocs-laminar',
  },
  'mkdocs-webhook': {
    'hosts': [
      'webhook.benoit.jp.net',
    ],
    'denies': [],
    'backend': 'mkdocs-webhook',
  },
  'flux': {
    'hosts': [
      'flux.benoit.jp.net',
    ],
    'denies': [
      '!JP !letsencrypt'
    ],
    'backend': 'flux',
  },
  'dns': {
    'hosts': [
      'dns.benoit.jp.net',
      'tangorpro.dns.benoit.jp.net',
      'bluejay.dns.benoit.jp.net',
    ],
    'denies': [
      '!JP !SG !letsencrypt'
    ],
    'backend': 'dns',
  },
  'git': {
    'hosts': [
      'git.benoit.jp.net',
    ],
    'denies': [],
    'backend': 'git',
  },
  'photos': {
    'hosts': [
      'photos.benoit.jp.net',
    ],
    'denies': [
      '!JP !FR !letsencrypt',
    ],
    'backend': 'photos',
  },
  'kb': {
    'hosts': [
      'kb.benoit.jp.net',
    ],
    'denies': [
      '!JP !letsencrypt',
    ],
    'backend': 'kb',
  },
  'pwd': {
    'hosts': [
      'pwd.benoit.jp.net',
    ],
    'denies': [
      '!JP !letsencrypt',
    ],
    'backend': 'pwd',
  },
  'risanokyoku': {
    'hosts': [
      'risanokyoku.benoit.jp.net',
    ],
    'denies': [
      '!JP !letsencrypt',
    ],
    'backend': 'risanokyoku',
  },
  'ytb': {
    'hosts': [
      'ytb.benoit.jp.net',
      'ytb-proxy.benoit.jp.net',
      'ytb-api.benoit.jp.net',
    ],
    'denies': [
      '!JP !letsencrypt',
    ],
    'backend': 'ytb',
  },
}

default['esh']['haproxy']['config']['backends'] = {
  'archive': 'archive 10.78.127.252:80 check',
  'dns': 'dns 10.78.127.201:443 check ssl verify none',
  'flux': 'flux 10.78.127.111:8080 check',
  'git': 'git 10.78.127.119:3000 check',
  'kb': 'kb 10.78.127.127:80 check',
  'mail': 'mail 10.78.127.231:80 check',
  'mkdocs': 'mkdocs 10.78.127.73:80 check',
  'mkdocs-laminar': 'mkdocs-laminar 10.78.127.73:8080 check',
  'mkdocs-webhook': 'mkdocs-webhook 10.78.127.73:9000 check',
  'photos': 'photos 10.78.127.121:2342 check',
  'pwd': 'pwd 10.78.127.195:80 check',
  'risanokyoku': 'risanokyoku 10.121.231.3:4533 check',
  'ytb': 'ytb 10.78.127.55:8080 check',
}

default['esh']['haproxy']['config']['maxmind_key'] = ''
default['esh']['haproxy']['config']['hc_url'] = 'https://hc-ping.com/'
Archive abandoned project 2025-02-15 00:56:26 +09:00			`name 'gtw'`

			`###`
			`# Cookbooks location`
			`###`

			`# ESH`
			`default_source :chef_repo, '../cookbooks'`

			`# Community`
			`default_source :supermarket, 'https://supermarket.chef.io'`

			`###`
			`# Run List`
			`###`

			`run_list %w(`
			`esh_system::hostname`
			`esh_system::sshd`
			`esh_ufw::rules`
			`esh_wireguard::server`
			`esh_haproxy::config`
			`esh_letsencrypt::snap`
			`esh_letsencrypt::certs`
			`esh_letsencrypt::serve`
			`)`

			`###`
			`# Attributes`
			`###`

			`###`
			`# esh_system`
			`###`

			`default['esh']['system']['hostname']['fqdn'] = 'gtw.benoit.jp.net'`

			`default['esh']['system']['sshd']['port'] = '28'`
			`default['esh']['system']['sshd']['permitrootlogin'] = 'prohibit-password'`
			`default['esh']['system']['sshd']['passwordauthentication'] = 'no'`
			`default['esh']['system']['sshd']['maxauthtries'] = '3'`
			`default['esh']['system']['sshd']['maxsessions'] = '5'`
			`default['esh']['system']['sshd']['otp'] = false`

			`###`
			`# esh_ufw`
			`###`

			`default['esh']['ufw']['rules']['list'] = [`
			`'limit from any to any port 22',`
			`'limit from any to any port 28',`
			`'allow from any to any port 25',`
			`'allow from any to any port 80',`
			`'allow from any to any port 443',`
			`'allow from any to any port 465',`
			`'allow from any to any port 853',`
			`'allow from any to any port 993',`
			`'allow from any to any port 4190',`
			`'allow from 10.10.10.3 to 10.10.10.1 port 8898',`
			`'allow from any to any port 51820',`
			`]`

			`###`
			`# esh_wireguard`
			`###`

			`default['esh']['wireguard']['server']['privkey'] = '='`
			`default['esh']['wireguard']['server']['pubkey'] = '3JJ00aMP/1mPJeUW0sci4dIK4S4XBiTWWaBgZgq+LCQ='`
			`default['esh']['wireguard']['server']['address'] = '10.10.10.1/24, fdaf:345d:a5fc::1/64'`
			`default['esh']['wireguard']['server']['listenport'] = '51820'`
			`default['esh']['wireguard']['server']['pubint'] = 'enp1s0'`
			`default['esh']['wireguard']['server']['routing'] = true`
			`default['esh']['wireguard']['server']['peers'] = {`
			`'3HNAZfx02qnpw2Tglrjs7KEnO3lUz1SZ/xUZUYGV6mo=': '10.10.10.3,fdaf:345d:a5fc::3,10.78.127.0/24,fd42:d7a4:755b:7893::/64',`
			`'agIabJemiFUD+u8BCNmyO2PIgg2SGjQX573AIIkgExs=': '10.10.10.6,fdaf:345d:a5fc::6,10.121.231.1/24,fd42:4a26:3578:a318::1/64',`
			`}`
			`#'8j2fzeFgxk33a+cDemZluPAxlRN21bdmTMHVpayIhQg=': '10.10.10.4,fdaf:345d:a5fc::4,10.78.127.0/24,fd42:d7a4:755b:7893::/64',`
			`#'2o41xCeNiUsfRMFg+fvbRIqTdAWjdPptMu8aRnZ3zyk=': '10.10.10.5'`

			`###`
			`# esh_lestencrypt`
			`###`

			`default['esh']['letsencrypt']['certs']['email'] = 'certbot@benpro.fr'`
			`default['esh']['letsencrypt']['certs']['list'] = [`

			`]`
			`default['esh']['letsencrypt']['serve']['auth'] = ''`
			`default['esh']['letsencrypt']['serve']['miniserve_url'] = 'https://github.com/svenstaro/miniserve/releases/download/v0.22.0/miniserve-0.22.0-x86_64-unknown-linux-gnu'`
			`default['esh']['letsencrypt']['serve']['listen'] = '10.10.10.1'`

			`###`
			`# esh_haproxy`
			`###`

			`default['esh']['haproxy']['config']['stats_password'] = ''`

			`default['esh']['haproxy']['config']['listen'] = {`
			`'ssh': {`
			`'bind': '22',`
			`'mode': 'tcp',`
			`'server': 'git-ssh 10.78.127.119:10022 send-proxy',`
			`},`
			`'smtp': {`
			`'bind': '25',`
			`'mode': 'tcp',`
			`'server': 'mail 10.78.127.231:10025 send-proxy',`
			`},`
			`'smtps': {`
			`'bind': '465',`
			`'mode': 'tcp',`
			`'server': 'mail 10.78.127.231:10465 send-proxy',`
			`},`
			`'imaps': {`
			`'bind': '993',`
			`'mode': 'tcp',`
			`'server': 'mail 10.78.127.231:10993 send-proxy',`
			`},`
			`'sieve': {`
			`'bind': '4190',`
			`'mode': 'tcp',`
			`'server': 'mail 10.78.127.231:14190 send-proxy',`
			`},`
			`'adguard-dot': {`
			`'bind': '853',`
			`'mode': 'tcp',`
			`'server': 'adguard 10.78.127.201:10853 send-proxy',`
			`},`
			`}`

			`default['esh']['haproxy']['config']['acls'] = {`
			`'mail': {`
			`'hosts': [`
			`'mail.benoit.jp.net',`
			`],`
			`'denies': [`
			`'!JP !letsencrypt',`
			`],`
			`'backend': 'mail',`
			`},`
			`'archive': {`
			`'hosts': [`
			`'blog.benpro.fr.archive.benoit.jp.net',`
			`'lekernelpanique.fr.archive.benoit.jp.net',`
			`'sysadmin-bookmarks.archive.benoit.jp.net',`
			`],`
			`'denies': [],`
			`'backend': 'archive',`
			`},`
			`'mkdocs': {`
			`'hosts': [`
			`'www.benoit.jp.net',`
			`'benoit.jp.net',`
			`],`
			`'denies': [],`
			`'backend': 'mkdocs',`
			`},`
			`'mkdocs-laminar': {`
			`'hosts': [`
			`'laminar.benoit.jp.net',`
			`],`
			`'denies': [],`
			`'backend': 'mkdocs-laminar',`
			`},`
			`'mkdocs-webhook': {`
			`'hosts': [`
			`'webhook.benoit.jp.net',`
			`],`
			`'denies': [],`
			`'backend': 'mkdocs-webhook',`
			`},`
			`'flux': {`
			`'hosts': [`
			`'flux.benoit.jp.net',`
			`],`
			`'denies': [`
			`'!JP !letsencrypt'`
			`],`
			`'backend': 'flux',`
			`},`
			`'dns': {`
			`'hosts': [`
			`'dns.benoit.jp.net',`
			`'tangorpro.dns.benoit.jp.net',`
			`'bluejay.dns.benoit.jp.net',`
			`],`
			`'denies': [`
			`'!JP !SG !letsencrypt'`
			`],`
			`'backend': 'dns',`
			`},`
			`'git': {`
			`'hosts': [`
			`'git.benoit.jp.net',`
			`],`
			`'denies': [],`
			`'backend': 'git',`
			`},`
			`'photos': {`
			`'hosts': [`
			`'photos.benoit.jp.net',`
			`],`
			`'denies': [`
			`'!JP !FR !letsencrypt',`
			`],`
			`'backend': 'photos',`
			`},`
			`'kb': {`
			`'hosts': [`
			`'kb.benoit.jp.net',`
			`],`
			`'denies': [`
			`'!JP !letsencrypt',`
			`],`
			`'backend': 'kb',`
			`},`
			`'pwd': {`
			`'hosts': [`
			`'pwd.benoit.jp.net',`
			`],`
			`'denies': [`
			`'!JP !letsencrypt',`
			`],`
			`'backend': 'pwd',`
			`},`
			`'risanokyoku': {`
			`'hosts': [`
			`'risanokyoku.benoit.jp.net',`
			`],`
			`'denies': [`
			`'!JP !letsencrypt',`
			`],`
			`'backend': 'risanokyoku',`
			`},`
			`'ytb': {`
			`'hosts': [`
			`'ytb.benoit.jp.net',`
			`'ytb-proxy.benoit.jp.net',`
			`'ytb-api.benoit.jp.net',`
			`],`
			`'denies': [`
			`'!JP !letsencrypt',`
			`],`
			`'backend': 'ytb',`
			`},`
			`}`

			`default['esh']['haproxy']['config']['backends'] = {`
			`'archive': 'archive 10.78.127.252:80 check',`
			`'dns': 'dns 10.78.127.201:443 check ssl verify none',`
			`'flux': 'flux 10.78.127.111:8080 check',`
			`'git': 'git 10.78.127.119:3000 check',`
			`'kb': 'kb 10.78.127.127:80 check',`
			`'mail': 'mail 10.78.127.231:80 check',`
			`'mkdocs': 'mkdocs 10.78.127.73:80 check',`
			`'mkdocs-laminar': 'mkdocs-laminar 10.78.127.73:8080 check',`
			`'mkdocs-webhook': 'mkdocs-webhook 10.78.127.73:9000 check',`
			`'photos': 'photos 10.78.127.121:2342 check',`
			`'pwd': 'pwd 10.78.127.195:80 check',`
			`'risanokyoku': 'risanokyoku 10.121.231.3:4533 check',`
			`'ytb': 'ytb 10.78.127.55:8080 check',`
			`}`

			`default['esh']['haproxy']['config']['maxmind_key'] = ''`
			`default['esh']['haproxy']['config']['hc_url'] = 'https://hc-ping.com/'`