From 106116528d0e5ca025e8a09918259b6bf1f987ce Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 17 May 2023 11:00:17 +0200 Subject: [PATCH] change structure add alerts --- ansible.cfg => ansible/ansible.cfg | 0 .../inventory}/host_vars/lewis.yml | 4 - {inventory => ansible/inventory}/hosts.yml | 0 lewis.yml => ansible/lewis.yml | 0 requirements.yml => ansible/requirements.yml | 0 ansible/roles/alerts/docker-compose.yml | 29 ++ ansible/roles/alerts/ntfy_server.yml | 321 ++++++++++++++++++ ansible/roles/alerts/tasks/main.yml | 20 ++ .../roles}/uptime_kuma/docker-compose.yml.j2 | 0 .../roles}/uptime_kuma/tasks/main.yml | 5 - .../sshd_user_certificates.conf | 0 .../util}/secret-service-client.sh | 0 terraform/.gitignore | 36 ++ terraform/main.tf | 26 ++ 14 files changed, 432 insertions(+), 9 deletions(-) rename ansible.cfg => ansible/ansible.cfg (100%) rename {inventory => ansible/inventory}/host_vars/lewis.yml (67%) rename {inventory => ansible/inventory}/hosts.yml (100%) rename lewis.yml => ansible/lewis.yml (100%) rename requirements.yml => ansible/requirements.yml (100%) create mode 100644 ansible/roles/alerts/docker-compose.yml create mode 100644 ansible/roles/alerts/ntfy_server.yml create mode 100644 ansible/roles/alerts/tasks/main.yml rename {roles => ansible/roles}/uptime_kuma/docker-compose.yml.j2 (100%) rename {roles => ansible/roles}/uptime_kuma/tasks/main.yml (74%) rename sshd_user_certificates.conf => ansible/sshd_user_certificates.conf (100%) rename {util => ansible/util}/secret-service-client.sh (100%) create mode 100644 terraform/.gitignore create mode 100644 terraform/main.tf diff --git a/ansible.cfg b/ansible/ansible.cfg similarity index 100% rename from ansible.cfg rename to ansible/ansible.cfg diff --git a/inventory/host_vars/lewis.yml b/ansible/inventory/host_vars/lewis.yml similarity index 67% rename from inventory/host_vars/lewis.yml rename to ansible/inventory/host_vars/lewis.yml index 2dc05ac..9a5e12d 100644 --- a/inventory/host_vars/lewis.yml +++ b/ansible/inventory/host_vars/lewis.yml @@ -1,10 +1,6 @@ backup_mount_point: "/mnt/backups" backup_uuid: "622a8d81-aa2f-460b-a563-c3cdb6285609" -admin_public_keys: - - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop" - - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim" - hyp_user_ca_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHZreEhS/rMHfJB7IenEEfk38zCjmyce+X2AWxzU/N81 User Certificate Authority for *.hyp" backup_hosts: diff --git a/inventory/hosts.yml b/ansible/inventory/hosts.yml similarity index 100% rename from inventory/hosts.yml rename to ansible/inventory/hosts.yml diff --git a/lewis.yml b/ansible/lewis.yml similarity index 100% rename from lewis.yml rename to ansible/lewis.yml diff --git a/requirements.yml b/ansible/requirements.yml similarity index 100% rename from requirements.yml rename to ansible/requirements.yml diff --git a/ansible/roles/alerts/docker-compose.yml b/ansible/roles/alerts/docker-compose.yml new file mode 100644 index 0000000..def19d0 --- /dev/null +++ b/ansible/roles/alerts/docker-compose.yml @@ -0,0 +1,29 @@ +version: "3" + +services: + ntfy: + image: binwiederhier/ntfy + ports: + - 3002:80 + restart: always + command: + - serve + environment: + - TZ=Europe/Amsterdam + volumes: + - /mnt/backups/alerts/ntfy_cache:/var/cache/ntfy + - /mnt/backups/alerts/ntfy_data:/var/lib/ntfy + - /mnt/backups/alerts/ntfy_server.yml:/etc/ntfy/server.yml + healthcheck: + test: ["CMD-SHELL", "wget -q --tries=1 http://localhost:80/v1/health -O - | grep -Eo '\"healthy\"\\s*:\\s*true' || exit 1"] + interval: 60s + timeout: 10s + retries: 3 + start_period: 40s + + apprise: + image: caronc/apprise:v0.9.0 + - 3003:8000 + restart: always + volumes: + - /mnt/backups/alerts/apprise:/config diff --git a/ansible/roles/alerts/ntfy_server.yml b/ansible/roles/alerts/ntfy_server.yml new file mode 100644 index 0000000..0735d6a --- /dev/null +++ b/ansible/roles/alerts/ntfy_server.yml @@ -0,0 +1,321 @@ +# ntfy server config file +# +# Please refer to the documentation at https://ntfy.sh/docs/config/ for details. +# All options also support underscores (_) instead of dashes (-) to comply with the YAML spec. + +# Public facing base URL of the service (e.g. https://ntfy.sh or https://ntfy.example.com) +# +# This setting is required for any of the following features: +# - attachments (to return a download URL) +# - e-mail sending (for the topic URL in the email footer) +# - iOS push notifications for self-hosted servers (to calculate the Firebase poll_request topic) +# - Matrix Push Gateway (to validate that the pushkey is correct) +# +base-url: https://ntfy.pim.kunis.nl + +# Listen address for the HTTP & HTTPS web server. If "listen-https" is set, you must also +# set "key-file" and "cert-file". Format: []:, e.g. "1.2.3.4:8080". +# +# To listen on all interfaces, you may omit the IP address, e.g. ":443". +# To disable HTTP, set "listen-http" to "-". +# +# listen-http: ":80" +# listen-https: + +# Listen on a Unix socket, e.g. /var/lib/ntfy/ntfy.sock +# This can be useful to avoid port issues on local systems, and to simplify permissions. +# +# listen-unix: +# listen-unix-mode: + +# Path to the private key & cert file for the HTTPS web server. Not used if "listen-https" is not set. +# +# key-file: +# cert-file: + +# If set, also publish messages to a Firebase Cloud Messaging (FCM) topic for your app. +# This is optional and only required to save battery when using the Android app. +# +# firebase-key-file: + +# If "cache-file" is set, messages are cached in a local SQLite database instead of only in-memory. +# This allows for service restarts without losing messages in support of the since= parameter. +# +# The "cache-duration" parameter defines the duration for which messages will be buffered +# before they are deleted. This is required to support the "since=..." and "poll=1" parameter. +# To disable the cache entirely (on-disk/in-memory), set "cache-duration" to 0. +# The cache file is created automatically, provided that the correct permissions are set. +# +# The "cache-startup-queries" parameter allows you to run commands when the database is initialized, +# e.g. to enable WAL mode (see https://phiresky.github.io/blog/2020/sqlite-performance-tuning/)). +# Example: +# cache-startup-queries: | +# pragma journal_mode = WAL; +# pragma synchronous = normal; +# pragma temp_store = memory; +# pragma busy_timeout = 15000; +# vacuum; +# +# The "cache-batch-size" and "cache-batch-timeout" parameter allow enabling async batch writing +# of messages. If set, messages will be queued and written to the database in batches of the given +# size, or after the given timeout. This is only required for high volume servers. +# +# Debian/RPM package users: +# Use /var/cache/ntfy/cache.db as cache file to avoid permission issues. The package +# creates this folder for you. +# +# Check your permissions: +# If you are running ntfy with systemd, make sure this cache file is owned by the +# ntfy user and group by running: chown ntfy.ntfy . +# +cache-file: /var/cache/ntfy/cache.db +# cache-duration: "12h" +# cache-startup-queries: +# cache-batch-size: 0 +# cache-batch-timeout: "0ms" + +# If set, access to the ntfy server and API can be controlled on a granular level using +# the 'ntfy user' and 'ntfy access' commands. See the --help pages for details, or check the docs. +# +# - auth-file is the SQLite user/access database; it is created automatically if it doesn't already exist +# - auth-default-access defines the default/fallback access if no access control entry is found; it can be +# set to "read-write" (default), "read-only", "write-only" or "deny-all". +# - auth-startup-queries allows you to run commands when the database is initialized, e.g. to enable +# WAL mode. This is similar to cache-startup-queries. See above for details. +# +# Debian/RPM package users: +# Use /var/lib/ntfy/user.db as user database to avoid permission issues. The package +# creates this folder for you. +# +# Check your permissions: +# If you are running ntfy with systemd, make sure this user database file is owned by the +# ntfy user and group by running: chown ntfy.ntfy . +# +auth-file: /var/lib/ntfy/user.db +auth-default-access: "deny-all" +# auth-startup-queries: + +# If set, the X-Forwarded-For header is used to determine the visitor IP address +# instead of the remote address of the connection. +# +# WARNING: If you are behind a proxy, you must set this, otherwise all visitors are rate limited +# as if they are one. +# +behind-proxy: true + +# If enabled, clients can attach files to notifications as attachments. Minimum settings to enable attachments +# are "attachment-cache-dir" and "base-url". +# +# - attachment-cache-dir is the cache directory for attached files +# - attachment-total-size-limit is the limit of the on-disk attachment cache directory (total size) +# - attachment-file-size-limit is the per-file attachment size limit (e.g. 300k, 2M, 100M) +# - attachment-expiry-duration is the duration after which uploaded attachments will be deleted (e.g. 3h, 20h) +# +attachment-cache-dir: /var/cache/ntfy/attachments +# attachment-total-size-limit: "5G" +# attachment-file-size-limit: "15M" +# attachment-expiry-duration: "3h" + +# If enabled, allow outgoing e-mail notifications via the 'X-Email' header. If this header is set, +# messages will additionally be sent out as e-mail using an external SMTP server. +# +# As of today, only SMTP servers with plain text auth (or no auth at all), and STARTLS are supported. +# Please also refer to the rate limiting settings below (visitor-email-limit-burst & visitor-email-limit-burst). +# +# - smtp-sender-addr is the hostname:port of the SMTP server +# - smtp-sender-from is the e-mail address of the sender +# - smtp-sender-user/smtp-sender-pass are the username and password of the SMTP user (leave blank for no auth) +# +# smtp-sender-addr: +# smtp-sender-from: +# smtp-sender-user: +# smtp-sender-pass: + +# If enabled, ntfy will launch a lightweight SMTP server for incoming messages. Once configured, users can send +# emails to a topic e-mail address to publish messages to a topic. +# +# - smtp-server-listen defines the IP address and port the SMTP server will listen on, e.g. :25 or 1.2.3.4:25 +# - smtp-server-domain is the e-mail domain, e.g. ntfy.sh +# - smtp-server-addr-prefix is an optional prefix for the e-mail addresses to prevent spam. If set to "ntfy-", +# for instance, only e-mails to ntfy-$topic@ntfy.sh will be accepted. If this is not set, all emails to +# $topic@ntfy.sh will be accepted (which may obviously be a spam problem). +# +# smtp-server-listen: +# smtp-server-domain: +# smtp-server-addr-prefix: + +# Interval in which keepalive messages are sent to the client. This is to prevent +# intermediaries closing the connection for inactivity. +# +# Note that the Android app has a hardcoded timeout at 77s, so it should be less than that. +# +# keepalive-interval: "45s" + +# Interval in which the manager prunes old messages, deletes topics +# and prints the stats. +# +# manager-interval: "1m" + +# Defines topic names that are not allowed, because they are otherwise used. There are a few default topics +# that cannot be used (e.g. app, account, settings, ...). To extend the default list, define them here. +# +# Example: +# disallowed-topics: +# - about +# - pricing +# - contact +# +# disallowed-topics: + +# Defines the root path of the web app, or disables the web app entirely. +# +# Can be any simple path, e.g. "/", "/app", or "/ntfy". For backwards-compatibility reasons, +# the values "app" (maps to "/"), "home" (maps to "/app"), or "disable" (maps to "") to disable +# the web app entirely. +# +# web-root: / + +# Various feature flags used to control the web app, and API access, mainly around user and +# account management. +# +# - enable-signup allows users to sign up via the web app, or API +# - enable-login allows users to log in via the web app, or API +# - enable-reservations allows users to reserve topics (if their tier allows it) +# +# enable-signup: false +enable-login: true +# enable-reservations: false + +# Server URL of a Firebase/APNS-connected ntfy server (likely "https://ntfy.sh"). +# +# iOS users: +# If you use the iOS ntfy app, you MUST configure this to receive timely notifications. You'll like want this: +# upstream-base-url: "https://ntfy.sh" +# +# If set, all incoming messages will publish a "poll_request" message to the configured upstream server, containing +# the message ID of the original message, instructing the iOS app to poll this server for the actual message contents. +# This is to prevent the upstream server and Firebase/APNS from being able to read the message. +# +# upstream-base-url: + +# Rate limiting: Total number of topics before the server rejects new topics. +# +# global-topic-limit: 15000 + +# Rate limiting: Number of subscriptions per visitor (IP address) +# +# visitor-subscription-limit: 30 + +# Rate limiting: Allowed GET/PUT/POST requests per second, per visitor: +# - visitor-request-limit-burst is the initial bucket of requests each visitor has +# - visitor-request-limit-replenish is the rate at which the bucket is refilled +# - visitor-request-limit-exempt-hosts is a comma-separated list of hostnames, IPs or CIDRs to be +# exempt from request rate limiting. Hostnames are resolved at the time the server is started. +# Example: "1.2.3.4,ntfy.example.com,8.7.6.0/24" +# +# visitor-request-limit-burst: 60 +# visitor-request-limit-replenish: "5s" +# visitor-request-limit-exempt-hosts: "" + +# Rate limiting: Hard daily limit of messages per visitor and day. The limit is reset +# every day at midnight UTC. If the limit is not set (or set to zero), the request +# limit (see above) governs the upper limit. +# +# visitor-message-daily-limit: 0 + +# Rate limiting: Allowed emails per visitor: +# - visitor-email-limit-burst is the initial bucket of emails each visitor has +# - visitor-email-limit-replenish is the rate at which the bucket is refilled +# +# visitor-email-limit-burst: 16 +# visitor-email-limit-replenish: "1h" + +# Rate limiting: Attachment size and bandwidth limits per visitor: +# - visitor-attachment-total-size-limit is the total storage limit used for attachments per visitor +# - visitor-attachment-daily-bandwidth-limit is the total daily attachment download/upload traffic limit per visitor +# +# visitor-attachment-total-size-limit: "100M" +# visitor-attachment-daily-bandwidth-limit: "500M" + +# Rate limiting: Enable subscriber-based rate limiting (mostly used for UnifiedPush) +# +# If enabled, subscribers may opt to have published messages counted against their own rate limits, as opposed +# to the publisher's rate limits. This is especially useful to increase the amount of messages that high-volume +# publishers (e.g. Matrix/Mastodon servers) are allowed to send. +# +# Once enabled, a client may send a "Rate-Topics: ,,..." header when subscribing to topics via +# HTTP stream, or websockets, thereby registering itself as the "rate visitor", i.e. the visitor whose rate limits +# to use when publishing on this topic. Note: Setting the rate visitor requires READ-WRITE permission on the topic. +# +# UnifiedPush only: If this setting is enabled, publishing to UnifiedPush topics will lead to a HTTP 507 response if +# no "rate visitor" has been previously registered. This is to avoid burning the publisher's "visitor-message-daily-limit". +# +# visitor-subscriber-rate-limiting: false + +# Payments integration via Stripe +# +# - stripe-secret-key is the key used for the Stripe API communication. Setting this values +# enables payments in the ntfy web app (e.g. Upgrade dialog). See https://dashboard.stripe.com/apikeys. +# - stripe-webhook-key is the key required to validate the authenticity of incoming webhooks from Stripe. +# Webhooks are essential up keep the local database in sync with the payment provider. See https://dashboard.stripe.com/webhooks. +# - billing-contact is an email address or website displayed in the "Upgrade tier" dialog to let people reach +# out with billing questions. If unset, nothing will be displayed. +# +# stripe-secret-key: +# stripe-webhook-key: +# billing-contact: + +# Metrics +# +# ntfy can expose Prometheus-style metrics via a /metrics endpoint, or on a dedicated listen IP/port. +# Metrics may be considered sensitive information, so before you enable them, be sure you know what you are +# doing, and/or secure access to the endpoint in your reverse proxy. +# +# - enable-metrics enables the /metrics endpoint for the default ntfy server (i.e. HTTP, HTTPS and/or Unix socket) +# - metrics-listen-http exposes the metrics endpoint via a dedicated [IP]:port. If set, this option implicitly +# enables metrics as well, e.g. "10.0.1.1:9090" or ":9090" +# +# enable-metrics: false +# metrics-listen-http: + +# Profiling +# +# ntfy can expose Go's net/http/pprof endpoints to support profiling of the ntfy server. If enabled, ntfy will listen +# on a dedicated listen IP/port, which can be accessed via the web browser on http://:/debug/pprof/. +# This can be helpful to expose bottlenecks, and visualize call flows. See https://pkg.go.dev/net/http/pprof for details. +# +# profile-listen-http: + +# Logging options +# +# By default, ntfy logs to the console (stderr), with an "info" log level, and in a human-readable text format. +# ntfy supports five different log levels, can also write to a file, log as JSON, and even supports granular +# log level overrides for easier debugging. Some options (log-level and log-level-overrides) can be hot reloaded +# by calling "kill -HUP $pid" or "systemctl reload ntfy". +# +# - log-format defines the output format, can be "text" (default) or "json" +# - log-file is a filename to write logs to. If this is not set, ntfy logs to stderr. +# - log-level defines the default log level, can be one of "trace", "debug", "info" (default), "warn" or "error". +# Be aware that "debug" (and particularly "trace") can be VERY CHATTY. Only turn them on briefly for debugging purposes. +# - log-level-overrides lets you override the log level if certain fields match. This is incredibly powerful +# for debugging certain parts of the system (e.g. only the account management, or only a certain visitor). +# This is an array of strings in the format: +# - "field=value -> level" to match a value exactly, e.g. "tag=manager -> trace" +# - "field -> level" to match any value, e.g. "time_taken_ms -> debug" +# Warning: Using log-level-overrides has a performance penalty. Only use it for temporary debugging. +# +# Example (good for production): +# log-level: info +# log-format: json +# log-file: /var/log/ntfy.log +# +# Example level overrides (for debugging, only use temporarily): +# log-level-overrides: +# - "tag=manager -> trace" +# - "visitor_ip=1.2.3.4 -> debug" +# - "time_taken_ms -> debug" +# +# log-level: info +# log-level-overrides: +# log-format: text +# log-file: diff --git a/ansible/roles/alerts/tasks/main.yml b/ansible/roles/alerts/tasks/main.yml new file mode 100644 index 0000000..7e2be27 --- /dev/null +++ b/ansible/roles/alerts/tasks/main.yml @@ -0,0 +1,20 @@ +- name: Create working directory + file: + path: /srv/alerts + state: directory + +- name: Copy ntfy config + copy: + src: ntfy_server.yml + dest: /srv/alerts/ntfy_server.yml + +- name: Copy Docker compose file + copy: + src: "{{ role_path }}/docker-compose.yml" + dest: /srv/alerts/docker-compose.yml + +- name: Deploy Docker compose + docker_compose: + project_src: /srv/alerts + pull: true + remove_orphans: true diff --git a/roles/uptime_kuma/docker-compose.yml.j2 b/ansible/roles/uptime_kuma/docker-compose.yml.j2 similarity index 100% rename from roles/uptime_kuma/docker-compose.yml.j2 rename to ansible/roles/uptime_kuma/docker-compose.yml.j2 diff --git a/roles/uptime_kuma/tasks/main.yml b/ansible/roles/uptime_kuma/tasks/main.yml similarity index 74% rename from roles/uptime_kuma/tasks/main.yml rename to ansible/roles/uptime_kuma/tasks/main.yml index bf6d025..8369759 100644 --- a/roles/uptime_kuma/tasks/main.yml +++ b/ansible/roles/uptime_kuma/tasks/main.yml @@ -1,8 +1,3 @@ -- name: Create working directory - file: - path: /srv/uptime-kuma - state: directory - - name: Copy Docker compose file template: src: "{{ role_path }}/docker-compose.yml.j2" diff --git a/sshd_user_certificates.conf b/ansible/sshd_user_certificates.conf similarity index 100% rename from sshd_user_certificates.conf rename to ansible/sshd_user_certificates.conf diff --git a/util/secret-service-client.sh b/ansible/util/secret-service-client.sh similarity index 100% rename from util/secret-service-client.sh rename to ansible/util/secret-service-client.sh diff --git a/terraform/.gitignore b/terraform/.gitignore new file mode 100644 index 0000000..3906290 --- /dev/null +++ b/terraform/.gitignore @@ -0,0 +1,36 @@ +# Local .terraform directories +**/.terraform/* + +# .tfstate files +*.tfstate +*.tfstate.* + +# Crash log files +crash.log +crash.*.log + +# Exclude all .tfvars files, which are likely to contain sensitive data, such as +# password, private keys, and other secrets. These should not be part of version +# control as they are data points which are potentially sensitive and subject +# to change depending on the environment. +*.tfvars +*.tfvars.json + +# Ignore override files as they are usually used to override resources locally and so +# are not checked in +override.tf +override.tf.json +*_override.tf +*_override.tf.json + +# Include override files you do wish to add to version control using negated pattern +# !example_override.tf + +# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan +# example: *tfplan* + +# Ignore CLI configuration files +.terraformrc +terraform.rc +.terraform.lock.hcl +*.tfbackend diff --git a/terraform/main.tf b/terraform/main.tf new file mode 100644 index 0000000..68a5741 --- /dev/null +++ b/terraform/main.tf @@ -0,0 +1,26 @@ +terraform { + backend "pg" { + schema_name = "alexander" + conn_str = "postgres://terraform@10.42.0.1/terraform_state" + } + + required_providers { + libvirt = { + source = "dmacvicar/libvirt" + } + } +} + +provider "libvirt" { + uri = "qemu+ssh://root@lewis.hyp/system" +} + +module "alexander" { + source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian" + name = "alexander" + domain_name = "tf-alexander" + hypervisor_host = "lewis.hyp" + mac = "CA:FE:C0:FF:EE:0B" + memory = 1024 * 2 + insecure_password = true +}