Refactor and enhance Ansible configurations for dev-02 and nginx proxy setup
- Updated host_vars for dev-02 to include login history settings and modified code server authentication. - Adjusted opencode server configurations and reduced resource allocation. - Introduced a new playbook for configuring nginx reverse proxy with TLS and OAuth2. - Enhanced linux_dev_station role defaults and tasks, including package updates and service configurations. - Removed unnecessary credential assertions in linux_dev_station tasks. - Created nginx_proxy role with tasks for certbot, nginx installation, and oauth2-proxy setup. - Added templates for nginx and oauth2-proxy configurations. - Updated terraform configuration to reflect new DNS records for ide and agent services. - Documented changes and configurations in linux_dev_station.md for clarity and future reference.
This commit is contained in:
@@ -1,8 +1,10 @@
|
||||
---
|
||||
hostname: dev-02.lab.alexpires.me
|
||||
ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}"
|
||||
ansible_host: "10.19.4.210"
|
||||
|
||||
# Users
|
||||
login_disable_history: false
|
||||
login_users:
|
||||
- username: "{{ ansible_user }}"
|
||||
comment: "Managed by Ansible"
|
||||
@@ -26,11 +28,9 @@ linux_dev_station_workspace_dir: "/home/devstation/projects"
|
||||
linux_dev_station_scripts_dir: "/home/devstation/scripts"
|
||||
linux_dev_station_logs_dir: "/home/devstation/.local/state/logs"
|
||||
|
||||
linux_dev_station_code_server_host: "0.0.0.0"
|
||||
linux_dev_station_code_server_port: 3000
|
||||
linux_dev_station_code_server_auth: "password"
|
||||
linux_dev_station_code_server_auth: "none"
|
||||
|
||||
linux_dev_station_opencode_server_host: "0.0.0.0"
|
||||
linux_dev_station_opencode_server_port: 4096
|
||||
linux_dev_station_manage_systemd: true
|
||||
linux_dev_station_oh_my_zsh_enabled: true
|
||||
@@ -88,28 +88,10 @@ linux_dev_station_opencode_config:
|
||||
timeout: 3000000
|
||||
chunkTimeout: 3000000
|
||||
models:
|
||||
gemma-4-12b-q8-0:
|
||||
name: "gemma-4-12b-q8-0"
|
||||
gemma-4-26b-a4b-ud-iq4-xs:
|
||||
name: "gemma-4-26b-a4b-ud-iq4-xs"
|
||||
gemma-4-31b-iq4-xs:
|
||||
name: "gemma-4-31b-iq4-xs"
|
||||
gpt-oss-20b-q4-0:
|
||||
name: "gpt-oss-20b-q4-0"
|
||||
gpt-oss-20b-q8-0:
|
||||
name: "gpt-oss-20b-q8-0"
|
||||
qwen3-5-35b-a3b-q4-k-m:
|
||||
name: "qwen3-5-35b-a3b-q4-k-m"
|
||||
qwen3-5-9b-q8-0:
|
||||
name: "qwen3-5-9b-q8-0"
|
||||
qwen3-6-27b-mtp-q4-0:
|
||||
name: "qwen3-6-27b-mtp-q4-0"
|
||||
qwen3-6-27b-q4-k-m:
|
||||
name: "qwen3-6-27b-q4-k-m"
|
||||
qwen3-6-35b-a3b-mtp-ud-q4-m:
|
||||
name: "qwen3-6-35b-a3b-mtp-ud-q4-m"
|
||||
qwen3-6-35b-a3b-ud-q4-k-m:
|
||||
name: "qwen3-6-35b-a3b-ud-q4-k-m"
|
||||
mcp:
|
||||
deepwiki:
|
||||
type: "remote"
|
||||
@@ -174,14 +156,46 @@ linux_dev_station_opencode_config:
|
||||
linux_dev_station_service_user_ssh_enabled: true
|
||||
linux_dev_station_service_user_ssh_authorized_keys: []
|
||||
|
||||
# Bind services to localhost (nginx handles TLS+auth)
|
||||
linux_dev_station_code_server_bind_to_localhost: true
|
||||
linux_dev_station_opencode_bind_to_localhost: true
|
||||
|
||||
# nginx_proxy: TLS + OAuth2/OIDC SSO
|
||||
nginx_proxy_certbot_email: "admin@alexpires.me"
|
||||
nginx_proxy_oauth2_proxy_enabled: true
|
||||
nginx_proxy_oauth2_proxy_provider: "oidc"
|
||||
nginx_proxy_oauth2_proxy_provider_url: "https://code.alexpires.me"
|
||||
nginx_proxy_oauth2_proxy_cookie_domain: ".lab.alexpires.me"
|
||||
nginx_proxy_oauth2_proxy_redirect_urls:
|
||||
- "https://ide.lab.alexpires.me/oauth2/callback"
|
||||
- "https://agent.lab.alexpires.me/oauth2/callback"
|
||||
nginx_proxy_oauth2_proxy_email_domains:
|
||||
- "*"
|
||||
nginx_proxy_oauth2_proxy_cookie_secret: "{{ lookup('env', 'OAUTH2_PROXY_COOKIE_SECRET', default='') }}"
|
||||
nginx_proxy_oauth2_proxy_client_id: "{{ lookup('env', 'OAUTH2_PROXY_CLIENT_ID', default='') }}"
|
||||
nginx_proxy_oauth2_proxy_client_secret: "{{ lookup('env', 'OAUTH2_PROXY_CLIENT_SECRET', default='') }}"
|
||||
nginx_proxy_sites:
|
||||
- name: ide
|
||||
server_name: "ide.lab.alexpires.me"
|
||||
upstream:
|
||||
host: "127.0.0.1"
|
||||
port: "{{ linux_dev_station_code_server_port }}"
|
||||
websocket: true
|
||||
- name: agent
|
||||
server_name: "agent.lab.alexpires.me"
|
||||
upstream:
|
||||
host: "127.0.0.1"
|
||||
port: "{{ linux_dev_station_opencode_server_port }}"
|
||||
websocket: true
|
||||
|
||||
# Firewall ports
|
||||
ufw_enable: true
|
||||
fw_allowed_ports:
|
||||
- { rule: "allow", port: "22", proto: "tcp", from: "10.5.5.5/32" } # SSH Access (VPN device)
|
||||
- { rule: "allow", port: "22", proto: "tcp", from: "10.19.4.0/24" } # SSH Access (local network)
|
||||
- { rule: "allow", port: "3000", proto: "tcp", from: "10.19.4.0/24" } # code-server (local network only)
|
||||
- { rule: "allow", port: "4096", proto: "tcp", from: "10.19.4.0/24" } # opencode (local network only)
|
||||
- { rule: "allow", port: "9090", proto: "tcp", from: "10.19.4.0/24" } # opencode (local network only)
|
||||
- { rule: "allow", port: "22", proto: "tcp", from: "10.5.5.5/32" } # SSH (VPN device)
|
||||
- { rule: "allow", port: "22", proto: "tcp", from: "10.19.4.0/24" } # SSH (local network)
|
||||
- { rule: "allow", port: "443", proto: "tcp", from: "10.19.4.0/24" } # HTTPS (nginx reverse proxy)
|
||||
- { rule: "allow", port: "443", proto: "tcp", from: "10.5.5.5/32" } # HTTPS (VPN device)
|
||||
- { rule: "allow", port: "9090", proto: "tcp", from: "10.19.4.0/24" } # Prometheus node-exporter
|
||||
|
||||
linux_dev_station_oh_my_zsh_theme: "agnoster"
|
||||
linux_dev_station_oh_my_zsh_plugins:
|
||||
|
||||
Reference in New Issue
Block a user