# Policyfile for the 'gtw' node: the public gateway that terminates WireGuard,
# fronts the internal services with HAProxy and handles Let's Encrypt issuance.
name 'gtw'

# --- Cookbook sources ---
# Local ESH cookbooks come first; anything else resolves from the public Supermarket.
default_source :chef_repo, '../cookbooks'
default_source :supermarket, 'https://supermarket.chef.io'

# --- Run list (order preserved: host identity, SSH, firewall, VPN, proxy, certs) ---
run_list %w[
  esh_system::hostname
  esh_system::sshd
  esh_ufw::rules
  esh_wireguard::server
  esh_haproxy::config
  esh_letsencrypt::snap
  esh_letsencrypt::certs
  esh_letsencrypt::serve
]

# --- esh_system ---
default['esh']['system']['hostname']['fqdn'] = 'gtw.benoit.jp.net'

# sshd lives on 28 because 22 is taken by the HAProxy git-ssh TCP frontend
# (see the haproxy 'ssh' listen entry further down). Key-only authentication:
# root may log in with a key but never with a password; 3 attempts per connection.
default['esh']['system']['sshd']['port'] = '28'
default['esh']['system']['sshd']['permitrootlogin'] = 'prohibit-password'
default['esh']['system']['sshd']['passwordauthentication'] = 'no'
default['esh']['system']['sshd']['maxauthtries'] = '3'
default['esh']['system']['sshd']['maxsessions'] = '5'
# NOTE(review): what 'otp' enables is defined by esh_system, not visible here -- confirm before relying on it.
default['esh']['system']['sshd']['otp'] = false

# --- esh_ufw ---
# Only the ports below are reachable from the internet (assuming esh_ufw keeps ufw's
# default-deny inbound policy -- confirm). 22 here is NOT sshd but the HAProxy git-ssh
# frontend, so 'limit' on it rate-limits git clients as well. 8898 is the only rule pinned
# to a source address (the WireGuard peer 10.10.10.3 -> this host's WG address); keep
# internal-only services scoped like that rather than 'from any'.
default['esh']['ufw']['rules']['list'] = [
  'limit from any to any port 22',                # haproxy 'ssh' frontend -> git-ssh
  'limit from any to any port 28',                # sshd (port set above)
  'allow from any to any port 25',                # haproxy 'smtp'
  'allow from any to any port 80',                # http
  'allow from any to any port 443',               # https
  'allow from any to any port 465',               # haproxy 'smtps'
  'allow from any to any port 853',               # haproxy 'adguard-dot' (DNS over TLS)
  'allow from any to any port 993',               # haproxy 'imaps'
  'allow from any to any port 4190',              # haproxy 'sieve'
  'allow from 10.10.10.3 to 10.10.10.1 port 8898', # WG peer .3 only; presumably the letsencrypt 'serve' listener -- confirm
  'allow from any to any port 51820',             # WireGuard listenport below
]

# --- esh_wireguard ---
# SECURITY: 'privkey' is a placeholder ('='), presumably redacted before commit. The real
# private key must never be committed with this Policyfile -- inject it at deploy time from
# a secret store the cookbook reads. Only the public key belongs in source control.
default['esh']['wireguard']['server']['privkey'] = '='
default['esh']['wireguard']['server']['pubkey'] = '3JJ00aMP/1mPJeUW0sci4dIK4S4XBiTWWaBgZgq+LCQ='
default['esh']['wireguard']['server']['address'] = '10.10.10.1/24, fdaf:345d:a5fc::1/64'
default['esh']['wireguard']['server']['listenport'] = '51820' # matches the ufw 51820 rule above
default['esh']['wireguard']['server']['pubint'] = 'enp1s0'
# 'routing' makes this node a gateway for the peer LANs (presumably ip_forward plus NAT on
# pubint -- confirm in esh_wireguard). Each value is the peer's allowed-IPs list: its tunnel
# addresses followed by the LAN prefixes behind it. Those prefixes are how the 10.78.127.x
# and 10.121.231.x HAProxy backends further down are reached.
# NOTE(review): the second peer gives host addresses with a prefix (10.121.231.1/24,
# fd42:...::1/64) where the first gives network addresses; WireGuard masks these to the
# network, but writing the network form (.0/24, ::/64) avoids ambiguity.
default['esh']['wireguard']['server']['routing'] = true
default['esh']['wireguard']['server']['peers'] = {
  # peer .3 -- also routes 10.78.127.0/24 (most HAProxy backends)
  '3HNAZfx02qnpw2Tglrjs7KEnO3lUz1SZ/xUZUYGV6mo=': '10.10.10.3,fdaf:345d:a5fc::3,10.78.127.0/24,fd42:d7a4:755b:7893::/64',
  # peer .6 -- also routes 10.121.231.x (risanokyoku backend)
  'agIabJemiFUD+u8BCNmyO2PIgg2SGjQX573AIIkgExs=': '10.10.10.6,fdaf:345d:a5fc::6,10.121.231.1/24,fd42:4a26:3578:a318::1/64',
}
# Commented-out peers (not active; kept for reference, outside the peers hash above):
# '8j2fzeFgxk33a+cDemZluPAxlRN21bdmTMHVpayIhQg=': '10.10.10.4,fdaf:345d:a5fc::4,10.78.127.0/24,fd42:d7a4:755b:7893::/64',
# '2o41xCeNiUsfRMFg+fvbRIqTdAWjdPptMu8aRnZ3zyk=': '10.10.10.5'

# --- esh_letsencrypt ---
default['esh']['letsencrypt']['certs']['email'] = 'certbot@benpro.fr'
# Empty here -- presumably filled per node or redacted; confirm what the cookbook issues.
default['esh']['letsencrypt']['certs']['list'] = []
# 'serve' presumably publishes the issued certificates over the WireGuard address via
# miniserve; it is bound to 10.10.10.1 only, so it is never reachable on the public
# interface. 'auth' is a placeholder -- supply the real credential from a secret source,
# not this file.
default['esh']['letsencrypt']['serve']['auth'] = ''
# Supply chain: a version-pinned GitHub release binary that will run on the gateway. No
# checksum attribute is set here -- confirm esh_letsencrypt verifies the download
# (e.g. remote_file checksum) before executing it.
default['esh']['letsencrypt']['serve']['miniserve_url'] = 'https://github.com/svenstaro/miniserve/releases/download/v0.22.0/miniserve-0.22.0-x86_64-unknown-linux-gnu'
default['esh']['letsencrypt']['serve']['listen'] = '10.10.10.1'

# --- esh_haproxy ---
# Placeholder: an empty stats password must not reach production. Confirm the cookbook
# disables the stats page (or refuses to render) when this is empty rather than exposing
# it unauthenticated.
default['esh']['haproxy']['config']['stats_password'] = ''

# Raw TCP passthrough frontends. 'send-proxy' wraps every connection in the PROXY protocol
# so the backend sees the real client address; each backend must accept PROXY only from
# this gateway, because anything else able to speak it could spoof client IPs.
default['esh']['haproxy']['config']['listen'] = {
  ssh: { bind: '22', mode: 'tcp', server: 'git-ssh 10.78.127.119:10022 send-proxy' },
  smtp: { bind: '25', mode: 'tcp', server: 'mail 10.78.127.231:10025 send-proxy' },
  smtps: { bind: '465', mode: 'tcp', server: 'mail 10.78.127.231:10465 send-proxy' },
  imaps: { bind: '993', mode: 'tcp', server: 'mail 10.78.127.231:10993 send-proxy' },
  sieve: { bind: '4190', mode: 'tcp', server: 'mail 10.78.127.231:14190 send-proxy' },
  'adguard-dot': { bind: '853', mode: 'tcp', server: 'adguard 10.78.127.201:10853 send-proxy' },
}

# HTTP(S) routing: each entry maps Host names to a backend, with an optional geo-fence.
# 'denies' entries read as HAProxy condition terms -- e.g. '!JP !letsencrypt' denies a
# request that is neither from JP nor matched by the letsencrypt ACL (assuming the cookbook
# emits `http-request deny if <terms>` -- confirm). The country ACLs depend on the MaxMind
# database keyed by 'maxmind_key' below; with no database they cannot match, so confirm
# whether that fails closed (deny all) or open. Entries with empty 'denies' (archive,
# mkdocs*, git) are reachable from anywhere; the webhook receiver in particular must
# validate its own secret/signature since nothing here restricts it.
default['esh']['haproxy']['config']['acls'] = {
  mail: {
    hosts: ['mail.benoit.jp.net'],
    denies: ['!JP !letsencrypt'],
    backend: 'mail',
  },
  archive: {
    hosts: [
      'blog.benpro.fr.archive.benoit.jp.net',
      'lekernelpanique.fr.archive.benoit.jp.net',
      'sysadmin-bookmarks.archive.benoit.jp.net',
    ],
    denies: [],
    backend: 'archive',
  },
  mkdocs: {
    hosts: ['www.benoit.jp.net', 'benoit.jp.net'],
    denies: [],
    backend: 'mkdocs',
  },
  'mkdocs-laminar': {
    hosts: ['laminar.benoit.jp.net'],
    denies: [],
    backend: 'mkdocs-laminar',
  },
  'mkdocs-webhook': {
    hosts: ['webhook.benoit.jp.net'],
    denies: [],
    backend: 'mkdocs-webhook',
  },
  flux: {
    hosts: ['flux.benoit.jp.net'],
    denies: ['!JP !letsencrypt'],
    backend: 'flux',
  },
  dns: {
    hosts: [
      'dns.benoit.jp.net',
      'tangorpro.dns.benoit.jp.net',
      'bluejay.dns.benoit.jp.net',
    ],
    denies: ['!JP !SG !letsencrypt'],
    backend: 'dns',
  },
  git: {
    hosts: ['git.benoit.jp.net'],
    denies: [],
    backend: 'git',
  },
  photos: {
    hosts: ['photos.benoit.jp.net'],
    denies: ['!JP !FR !letsencrypt'],
    backend: 'photos',
  },
  kb: {
    hosts: ['kb.benoit.jp.net'],
    denies: ['!JP !letsencrypt'],
    backend: 'kb',
  },
  pwd: {
    hosts: ['pwd.benoit.jp.net'],
    denies: ['!JP !letsencrypt'],
    backend: 'pwd',
  },
  risanokyoku: {
    hosts: ['risanokyoku.benoit.jp.net'],
    denies: ['!JP !letsencrypt'],
    backend: 'risanokyoku',
  },
  ytb: {
    hosts: [
      'ytb.benoit.jp.net',
      'ytb-proxy.benoit.jp.net',
      'ytb-api.benoit.jp.net',
    ],
    denies: ['!JP !letsencrypt'],
    backend: 'ytb',
  },
}

# Backend servers. All are reached through the WireGuard peer routes declared above; every
# one is plain HTTP except 'dns'. NOTE(review): 'ssl verify none' on 'dns' means HAProxy
# does not validate the AdGuard certificate, so the tunnel/LAN path is the only protection
# against an impersonated backend. If adguard can present a cert from a CA you control,
# prefer `ssl verify required ca-file <ca>`.
default['esh']['haproxy']['config']['backends'] = {
  archive: 'archive 10.78.127.252:80 check',
  dns: 'dns 10.78.127.201:443 check ssl verify none',
  flux: 'flux 10.78.127.111:8080 check',
  git: 'git 10.78.127.119:3000 check',
  kb: 'kb 10.78.127.127:80 check',
  mail: 'mail 10.78.127.231:80 check',
  mkdocs: 'mkdocs 10.78.127.73:80 check',
  'mkdocs-laminar': 'mkdocs-laminar 10.78.127.73:8080 check',
  'mkdocs-webhook': 'mkdocs-webhook 10.78.127.73:9000 check',
  photos: 'photos 10.78.127.121:2342 check',
  pwd: 'pwd 10.78.127.195:80 check',
  risanokyoku: 'risanokyoku 10.121.231.3:4533 check',
  ytb: 'ytb 10.78.127.55:8080 check',
}

# Placeholders, presumably redacted: the MaxMind licence key that backs the country ACLs
# above, and the Healthchecks ping URL (the per-check UUID is missing from the path). Both
# are credentials -- provide them from a secret source at deploy time.
default['esh']['haproxy']['config']['maxmind_key'] = ''
default['esh']['haproxy']['config']['hc_url'] = 'https://hc-ping.com/'