Commit initial : infrastructure Ansible pour homeserver

- Playbooks Ansible avec rôles (common, cockpit, docker, services) - 30+ stacks Docker Compose avec reverse proxy Traefik - Ansible Vault pour gestion secrets - Intégration CrowdSec pour détection intrusions - Versions images Docker fixées pour reproductibilité
2025-11-23 19:40:17 +01:00 · 2025-11-23 19:40:17 +01:00 · fd01ea59ee
commit fd01ea59ee
125 changed files with 4768 additions and 0 deletions
--- a/stacks/traefik/compose.yml
+++ b/stacks/traefik/compose.yml
@ -0,0 +1,62 @@
+services:
+  traefik-public:
+    image: traefik:v3
+    container_name: traefik-public
+    restart: unless-stopped
+    ports:
+      - "192.168.1.2:80:80"
+      - "192.168.1.2:443:443"
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    networks:
+      - traefik_network
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./traefik-public.yml:/etc/traefik/traefik.yml:ro
+      - ./dynamic-public:/etc/traefik/dynamic:ro
+      - ./letsencrypt-public:/letsencrypt
+      - /var/log/traefik:/var/log/traefik
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik-dashboard-public.rule=Host(`traefik-public.local.tellserv.fr`)"
+      - "traefik.http.routers.traefik-dashboard-public.entrypoints=local"
+      - "traefik.http.routers.traefik-dashboard-public.tls.certresolver=cloudflare-local"
+      - "traefik.http.routers.traefik-dashboard-public.tls=true"
+      - "traefik.http.routers.traefik-dashboard-public.service=api@internal"
+      - "traefik.http.middlewares.crowdsec-bouncer.forwardauth.address=http://crowdsec-bouncer:8080/api/v1/forwardAuth"
+      - "traefik.http.middlewares.crowdsec-bouncer.forwardauth.trustForwardHeader=true"
+    environment:
+      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
+      - TZ=Europe/Paris
+
+  traefik-private:
+    image: traefik:v3
+    container_name: traefik-private
+    restart: unless-stopped
+    ports:
+      - "192.168.1.3:80:80"
+      - "192.168.1.3:443:443"
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    networks:
+      - traefik_network
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./traefik-private.yml:/etc/traefik/traefik.yml:ro
+      - ./dynamic-private:/etc/traefik/dynamic:ro
+      - ./letsencrypt-private:/letsencrypt
+      - /var/log/traefik-local:/var/log/traefik-local
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik-dashboard-local.rule=Host(`traefik-private.local.tellserv.fr`)"
+      - "traefik.http.routers.traefik-dashboard-local.entrypoints=local"
+      - "traefik.http.routers.traefik-dashboard-local.tls.certresolver=cloudflare-local"
+      - "traefik.http.routers.traefik-dashboard-local.tls=true"
+      - "traefik.http.routers.traefik-dashboard-local.service=api@internal"
+    environment:
+      - TZ=Europe/Paris
+      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
+
+networks:
+  traefik_network:
+    external: true
--- a/stacks/traefik/dynamic-private/cockpit.yml
+++ b/stacks/traefik/dynamic-private/cockpit.yml
@ -0,0 +1,25 @@
+http:
+  routers:
+    cockpit-rtr:
+      rule: "Host(`cockpit.local.tellserv.fr`)"
+      entryPoints:
+        - local
+      service: cockpit-svc
+      tls:
+        certResolver: cloudflare-local
+      middlewares:
+        - cockpit-headers
+
+  services:
+    cockpit-svc:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://host.docker.internal:9090"
+
+  middlewares:
+    cockpit-headers:
+      headers:
+        customRequestHeaders:
+          X-Forwarded-Proto: "https"
+          X-Forwarded-Port: "443"
--- a/stacks/traefik/dynamic-private/middlewares.yml
+++ b/stacks/traefik/dynamic-private/middlewares.yml
@ -0,0 +1,23 @@
+http:
+  middlewares:
+    ratelimit:
+      rateLimit:
+        average: 100
+        burst: 50
+        period: 1s
+    secheaders:
+      headers:
+        stsSeconds: 31536000
+        forceSTSHeader: true
+    evasive:
+      rateLimit:
+        average: 3
+        burst: 5
+        period: 1s
+    localonly:
+      ipWhiteList:
+        sourceRange:
+          - "127.0.0.1/32"
+          - "192.168.1.0/24"
+          - "100.64.0.0/10"
+          - "172.18.0.0/16"
--- a/stacks/traefik/dynamic-private/proxmox.yml
+++ b/stacks/traefik/dynamic-private/proxmox.yml
@ -0,0 +1,25 @@
+http:
+  routers:
+    proxmox-rtr:
+      rule: "Host(`proxmox.local.tellserv.fr`)"
+      entryPoints:
+        - local
+      service: proxmox-svc
+      tls:
+        certResolver: cloudflare-local
+      middlewares:
+        - proxmox-headers
+
+  services:
+    proxmox-svc:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "https://192.168.1.29:8006"
+
+  middlewares:
+    proxmox-headers:
+      headers:
+        customRequestHeaders:
+          X-Forwarded-Proto: "https"
+          X-Forwarded-Port: "443"
--- a/stacks/traefik/dynamic-public/middlewares.yml
+++ b/stacks/traefik/dynamic-public/middlewares.yml
@ -0,0 +1,16 @@
+http:
+  middlewares:
+    ratelimit:
+      rateLimit:
+        average: 100
+        burst: 50
+        period: 1s
+    secheaders:
+      headers:
+        stsSeconds: 31536000
+        forceSTSHeader: true
+    evasive:
+      rateLimit:
+        average: 3
+        burst: 5
+        period: 1s
--- a/stacks/traefik/traefik-private.yml
+++ b/stacks/traefik/traefik-private.yml
@ -0,0 +1,53 @@
+api:
+  dashboard: true
+  insecure: false
+
+entryPoints:
+  weblocal:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: local
+          scheme: https
+          permanent: true
+
+  local:
+    address: ":443"
+    http:
+      middlewares:
+        - localonly@file
+
+certificatesResolvers:
+  cloudflare-local:
+    acme:
+      email: "mamaloubene@yahoo.fr"
+      storage: /letsencrypt/cloudflare_acme.json
+      caServer: "https://acme-v02.api.letsencrypt.org/directory"
+      keyType: EC256
+      dnsChallenge:
+        provider: cloudflare
+        resolvers:
+          - "1.1.1.1:53"
+          - "8.8.8.8:53"
+
+log:
+  level: DEBUG
+  filePath: "/var/log/traefik-local/traefik.log"
+
+accessLog:
+  filePath: "/var/log/traefik-local/access.log"
+  format: "json"
+
+providers:
+  docker:
+    exposedByDefault: false
+    endpoint: "unix:///var/run/docker.sock"
+    network: traefik_network
+    watch: true
+  file:
+    directory: "/etc/traefik/dynamic"
+    watch: true
+
+serversTransport:
+  insecureSkipVerify: true
--- a/stacks/traefik/traefik-public.yml
+++ b/stacks/traefik/traefik-public.yml
@ -0,0 +1,58 @@
+api:
+  dashboard: true
+  insecure: false
+
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+          permanent: true
+
+  websecure:
+    address: ":443"
+    http:
+      middlewares:
+        - crowdsec-bouncer@docker
+        - secheaders@file
+        - ratelimit@file
+    transport:
+      respondingTimeouts:
+        idleTimeout: 300s
+
+certificatesResolvers:
+  cloudflare:
+    acme:
+      email: "mamaloubene@yahoo.fr"
+      storage: /letsencrypt/cloudflare_acme.json
+      caServer: "https://acme-v02.api.letsencrypt.org/directory"
+      keyType: EC256
+      dnsChallenge:
+        provider: cloudflare
+        resolvers:
+          - "1.1.1.1:53"
+          - "8.8.8.8:53"
+
+log:
+  level: DEBUG
+  filePath: "/var/log/traefik/traefik.log"
+
+accessLog:
+  filePath: "/var/log/traefik/access.log"
+  format: "json"
+
+providers:
+  docker:
+    exposedByDefault: false
+    endpoint: "unix:///var/run/docker.sock"
+    network: traefik_network
+    watch: true
+  file:
+    directory: "/etc/traefik/dynamic"
+    watch: true
+
+serversTransport:
+  insecureSkipVerify: true