From b58d50a974cf26a8dc88382a6102ba0cfe45f06c Mon Sep 17 00:00:00 2001 From: "Tobias J. Endres" Date: Tue, 2 Sep 2025 17:41:46 +0200 Subject: [PATCH] docs: Add planning, lessons learned, requirements, and firewall documentation --- FIREWALL.md | 9 +++++++++ LESSONS_LEARNED.md | 6 ++++++ REQUIREMENTS.md | 13 +++++++++++++ 3 files changed, 28 insertions(+) create mode 100644 FIREWALL.md create mode 100644 LESSONS_LEARNED.md create mode 100644 REQUIREMENTS.md diff --git a/FIREWALL.md b/FIREWALL.md new file mode 100644 index 0000000..a393663 --- /dev/null +++ b/FIREWALL.md @@ -0,0 +1,9 @@ +# Firewall Configuration + +Based on the deployment plan, the following ports need to be opened on the firewall for the host **Scully**: + +* `80/tcp`: For HTTP traffic, primarily used by Let's Encrypt for certificate validation. +* `443/tcp`: For HTTPS traffic to access all web services. +* `51820/udp`: For the WireGuard VPN tunnel. + +No ports need to be opened on the firewall for the host **Mulder**, as Gitea will be accessed through the reverse proxy on Scully. diff --git a/LESSONS_LEARNED.md b/LESSONS_LEARNED.md new file mode 100644 index 0000000..c1e4cbe --- /dev/null +++ b/LESSONS_LEARNED.md @@ -0,0 +1,6 @@ +# Lessons Learned + +* The `network` role in this repository is a powerful tool that sets up a complete network stack, including Nginx Proxy Manager for reverse proxying and `wireguard-easy` for a WireGuard web UI. +* The `gitea` and `postgres` roles use Docker Compose to deploy their respective services. +* Properly managing variables, especially secrets like passwords and API keys, is crucial. Using `group_vars` and a `.gitignore`d `secrets` directory is a good practice. +* It's important to have a clear plan and get user feedback before making any changes. The "planning mode" and "acting mode" paradigm is a good way to structure the workflow. diff --git a/REQUIREMENTS.md b/REQUIREMENTS.md new file mode 100644 index 0000000..f05a907 --- /dev/null +++ b/REQUIREMENTS.md 
@@ -0,0 +1,13 @@ +# Project Requirements + +* Deploy Ansible scripts to two hosts: Mulder and Scully. +* Use a Git repository for version control of the Ansible playbooks. +* Manage SSH keys securely within the project. +* Deploy Gitea on Mulder. +* Deploy Keycloak on Scully. +* Apply a `common` set of configurations to both hosts. +* Set up a reverse proxy with Nginx on Scully. +* Secure all web services with HTTPS and Let's Encrypt certificates. +* Access services via subdomains (e.g., `gitea.my-url.com`, `keycloak.my-url.com`). +* Provide a web interface for managing WireGuard. +* The user wants to be involved in the planning process and approve all changes before they are applied.
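Review bot: In the FIREWALL.md hunk, the statement "No ports need to be opened on the firewall for the host **Mulder**" only holds for the public-facing firewall; the reverse proxy on Scully still has to reach Gitea on Mulder, so the document should state how that path is allowed (Mulder accepting the Gitea backend port only from Scully, or only over the WireGuard tunnel) rather than implying Mulder is fully closed. Two further gaps worth a line each: the list for Scully covers `80/tcp`, `443/tcp` and `51820/udp` but not the SSH access that the Ansible deployment itself depends on (the REQUIREMENTS.md hunk names SSH key management as a requirement), and the `wireguard-easy` web UI mentioned in LESSONS_LEARNED.md is not accounted for, so say explicitly that it is reachable only via the reverse proxy or from inside the tunnel and not exposed directly. Since `80/tcp` is justified only by Let's Encrypt validation, also note that plain HTTP should be redirected to HTTPS rather than serving the applications.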
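Review bot: In the LESSONS_LEARNED.md hunk, "Using `group_vars` and a `.gitignore`d `secrets` directory is a good practice" understates the risk: a gitignore entry only keeps new files out of commits, it does not protect a secret that was committed before the rule existed, nor one copied into a non-ignored path, and plaintext secrets on disk are still readable by anyone with access to the checkout. Suggest rewording to recommend encrypting the secret variables with Ansible Vault (or an equivalent secret store) in addition to keeping the directory out of version control, and adding a check that no secret has ever been committed to the history.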
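Review bot: In the REQUIREMENTS.md hunk, "Set up a reverse proxy with Nginx on Scully" conflicts with LESSONS_LEARNED.md, which says the `network` role deploys Nginx Proxy Manager; the two documents should name the same component so the firewall and HTTPS requirements are read against the right one. "Manage SSH keys securely within the project" is also too vague to verify: state what belongs in the repository (public keys for authorized access) and what must never be committed (private keys), so the requirement can be checked. Finally, the HTTPS requirement should say that all web interfaces, including the WireGuard management UI, are only reachable behind the proxy with a valid certificate, since that is what "Secure all web services" has to mean for the FIREWALL.md port list to be sufficient.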