main.yml - infra - Terraform IoC for my remote (Hetzner) and local (Incus) servers.
HTML git clone git://jay.scot/infra
---
main.yml (1476B)
---
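#cloud-config
# First-boot provisioning: key-only SSH, an admin user, a restricted git
# user, a read-only git:// daemon and a Caddy static site with security
# headers. The "#cloud-config" marker must stay on the first line.

# sshd accepts public keys only; password logins are disabled.
ssh_pwauth: false
hostname: jay.scot
timezone: Europe/London
# Refreshes the package index only. Installed packages are not upgraded at
# first boot unless package_upgrade is also set.
package_update: true

packages:
  - caddy
  - git
  - git-daemon-sysvinit
  # NOTE(review): installing the package does not by itself prove periodic
  # runs are enabled; confirm the apt periodic settings on the built image.
  - unattended-upgrades

users:
  # Admin account. The password is locked, so sudo cannot prompt for one:
  # NOPASSWD means possession of the SSH key below is equivalent to root.
  - name: jay
    groups: users,wheel
    sudo: 'ALL=(ALL) NOPASSWD:ALL'
    shell: /bin/bash
    lock_passwd: true
    ssh_authorized_keys:
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLmKYxwXTbyRWLG0S24RTpyfyBO6AL8Dcy0XvVZ97Do

  # Push account. git-shell limits the session to git commands; there is no
  # interactive shell and no sudo entry. The key is the same one authorised
  # for the admin account, so the two accounts share a single credential.
  # A dedicated key here would let push access be revoked separately.
  - name: git
    shell: /usr/bin/git-shell
    homedir: /srv/git
    ssh_authorized_keys:
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLmKYxwXTbyRWLG0S24RTpyfyBO6AL8Dcy0XvVZ97Do

write_files:
  # Settings for the git:// daemon. The protocol is unauthenticated and
  # unencrypted, and --export-all serves every repository under /srv/git
  # without a per-repository git-daemon-export-ok marker, so anything pushed
  # there is world-readable. Keep non-public repositories out of that tree,
  # or drop --export-all and opt repositories in one by one.
  - path: /etc/default/git-daemon
    permissions: '0644'
    content: |
      GIT_DAEMON_ENABLE=true
      GIT_DAEMON_USER=git
      GIT_DAEMON_BASE_PATH=/srv/git
      GIT_DAEMON_DIRECTORY=/srv/git
      GIT_DAEMON_OPTIONS="--export-all"

  # Static site. The header block has no path matcher so it applies to every
  # response: in Caddy v2 a "/" matcher is an exact match and would set these
  # headers on the root document only. The HSTS value (includeSubDomains,
  # preload) commits every subdomain to HTTPS for a year.
  - path: /etc/caddy/Caddyfile
    permissions: '0644'
    content: |
      jay.scot {
        tls me@jay.scot
        root * /srv/www
        encode gzip
        file_server
        header {
          -Server
          X-Content-Type-Options nosniff
          X-Frame-Options DENY
          Referrer-Policy "no-referrer-when-downgrade"
          Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
          Permissions-Policy interest-cohort=()
          Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; font-src 'self'; img-src 'self';"
        }
      }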