

10 commits

Author SHA1 Message Date
cd17ed372c parameterize directories 2023-01-07 20:32:42 +01:00
5bf6d7acbc move to /srv 2023-01-07 19:08:49 +01:00
5331d25c4a fix some DNS bugs 2023-01-07 13:15:47 +01:00
117d7d2cf4 run nsd on bare metal 2023-01-07 12:02:04 +01:00
9bb44e4978 Merge branch 'master' of github.com:pizzapim/ansible_nucs 2023-01-06 22:50:28 +01:00
1382696ba1 change pizzeria remote to forgejo
add dirty hack to resolve local domains
2023-01-06 22:49:07 +01:00
8463e5c4bf aaaa record weer weggehaald voor kms.geokunis2.nl 2023-01-06 20:11:13 +01:00
6cab50d754 add aaaa record for kms.geokunis2.nl 2023-01-06 20:07:47 +01:00
7e10a78623 fix nsd ipv6 2023-01-06 19:51:28 +01:00
f1c64f4f3e changed nsd config 2023-01-06 18:07:07 +01:00
30 changed files with 147 additions and 155 deletions


@ -1,8 +1,8 @@
# Ansible scripts for our private Intel NUC servers
## TODO
### nsd
- Change IPv6 addresses
- ZSK rollover.
- I always resign the zone, even if nothing has changed.
I could check whether the zone has changed or new keys were generated but that is kind of difficult.


@ -1 +1,2 @@
# Group variables for nucs group
base_data_dir: /data
base_service_dir: /srv


@ -1,3 +1,4 @@
nameserver 192.168.30.1
nameserver 1.1.1.1
nameserver 1.0.0.1
search lan
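Review bot: `search lan` together with the public fallback resolvers means that a single-label name the first resolver does not answer in time is retried as `name.lan` against 1.1.1.1/1.0.0.1, so internal hostnames leak to a public resolver and come back NXDOMAIN instead of the local answer. Which of the four lines is the one added is not recoverable from this rendering, and the commit message itself calls this a dirty hack, so the intent should be recorded in the file: `# 192.168.30.1 is presumably the resolver for .lan; the public entries are only a fallback when it is down`. If the local resolver is required for correctness, dropping the public fallbacks (or using a stub resolver that routes by domain) would be the cleaner fix.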


@ -5,13 +5,13 @@
state: latest
update_cache: yes
cache_valid_time: 86400 # One day
- name: Create /data directory
- name: Create base data directory
file:
path: /data
path: "{{ base_data_dir }}"
state: directory
- name: Create /apps directory
- name: Create base service directory
file:
path: /apps
path: "{{ base_service_dir }}"
state: directory
- name: Disable systemd-resolved
systemd:


@ -29,3 +29,8 @@
name:
- docker
- docker-compose
- name: Start Docker
systemd:
name: docker
enabled: true
state: started


@ -1,31 +1,31 @@
- name: Create app directory
file:
path: /apps/forgejo
path: "{{ service_dir }}"
state: directory
- name: Copy Docker Compose script
copy:
src: "{{ role_path }}/files/docker-compose.yml"
dest: /apps/forgejo/docker-compose.yml
template:
src: "{{ role_path }}/templates/docker-compose.yml.j2"
dest: "{{ service_dir }}/docker-compose.yml"
- name: Create data directory
file:
path: /data/forgejo
path: "{{ data_dir }}"
state: directory
owner: 1000
group: 1000
- name: Copy conf directory
file:
path: /apps/forgejo/conf
path: "{{ service_dir }}/conf"
state: directory
owner: 1000
group: 1000
- name: Copy app.ini
template:
src: "{{ role_path }}/templates/app.ini"
dest: /apps/forgejo/conf/app.ini
dest: "{{ service_dir }}/conf/app.ini"
register: config
- name: Start the Docker Compose
community.docker.docker_compose:
project_src: /apps/forgejo
docker_compose:
project_src: "{{ service_dir }}"
pull: true
remove_orphans: true
restarted: "{{ config.changed }}"
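Review bot: The last task drops the fully-qualified `community.docker.docker_compose` for the bare `docker_compose`, which only resolves through the collection's short-name redirect and ties the play to whichever installed collection happens to claim that name; keeping `community.docker.docker_compose:` is the documented form. The same change appears in the kms and pizzeria task files. Separately, `Copy app.ini` renders the template with no `mode`, so the file gets the default umask permissions; if app.ini carries the database password or secret keys (not visible here), `mode: "0600"` with `owner: 1000` would match the ownership already given to the conf directory.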


@ -15,8 +15,8 @@ services:
networks:
- traefik
volumes:
- /data/forgejo:/data
- /apps/forgejo/conf:/data/gitea/conf
- {{ data_dir }}:/data
- {{ service_dir }}/conf:/data/gitea/conf
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
labels:
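Review bot: The volume entries `- {{ data_dir }}:/data` and `- {{ service_dir }}/conf:/data/gitea/conf` leave the templated value unquoted, so whatever `data_dir` renders to is parsed by Compose as a plain YAML scalar; a path containing `: `, ` #` or a leading indicator would silently change the parse rather than fail. Quoting the rendered value, `- "{{ data_dir }}:/data"`, keeps it a string regardless of content. The same pattern is in the mastodon, radicale, syncthing and traefik compose templates in this range.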


@ -1,3 +1,7 @@
service_name: forgejo
data_dir: "{{ base_data_dir }}/{{ service_name }}"
service_dir: "{{ base_service_dir }}/{{ service_name }}"
forgejo:
root_url: "https://git.pizzapim.nl"
mailer_host: "smtp.tweak.nl"
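Review bot: Every role now defines the same unprefixed `service_name`, `data_dir` and `service_dir` in its vars/main.yml (forgejo here; also kms, mastodon, pizzeria, radicale, syncthing and traefik). Role vars are exported to the whole play by default, so this relies on Ansible preferring the running role's own vars over the copies the other roles exported; that presumably holds for tasks inside a role, but any play-level task or handler reading `service_dir` would get whichever role exported last. Prefixing them (`forgejo_service_dir`) removes the ambiguity. A one-line comment noting that `base_data_dir`/`base_service_dir` come from group_vars/nucs would also help a reader of this file.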


@ -1,14 +1,14 @@
- name: Create app directory
file:
path: /apps/kms
path: "{{ service_dir }}"
state: directory
- name: Copy Docker Compose script
copy:
src: "{{ role_path }}/files/docker-compose.yml"
dest: /apps/kms/docker-compose.yml
dest: "{{ service_dir }}/docker-compose.yml"
- name: Start the Docker Compose
community.docker.docker_compose:
project_src: /apps/kms
docker_compose:
project_src: "{{ service_dir }}"
pull: true
remove_orphans: true

2
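--- /dev/null
+++ b/roles/kms/vars/main.yml
@@ -0,0 +1,2 @@
+service_name: kms
+service_dir: "{{ base_service_dir }}/{{ service_name }}"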


@ -1,22 +1,22 @@
- name: Create Mastodon app directory
file:
path: /apps/mastodon
path: "{{ service_dir }}"
state: directory
- name: Copy .env.production
copy:
src: "{{ role_path }}/files/.env.production"
dest: /apps/mastodon/.env.production
dest: "{{ service_dir }}.env.production"
- name: Copy Docker Compose script
template:
src: "{{ role_path }}/templates/docker-compose.yml.j2"
dest: /apps/mastodon/docker-compose.yml
dest: "{{ service_dir }}/docker-compose.yml"
- name: Create Mastodon data directory
file:
path: /data/mastodon
path: "{{ data_dir }}"
state: directory
mode: 0777
- name: Start Docker Compose
docker_compose:
project_src: /apps/mastodon
project_src: "{{ service_dir }}"
pull: true
remove_orphans: true
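Review bot: `dest: "{{ service_dir }}.env.production"` is missing the path separator: with `service_dir` resolving to `/srv/mastodon` (group_vars sets `base_service_dir: /srv`, the role vars append `service_name`), the file is written to `/srv/mastodon.env.production`, next to the service directory instead of inside it, so a Compose file that expects `.env.production` in the project directory would not find it. Change it to `dest: "{{ service_dir }}/.env.production"`. The task also sets no `mode`; a Mastodon `.env.production` normally holds the application secrets, so `mode: "0600"` (with whatever owner the containers need, which this hunk does not show) keeps it away from other local accounts.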


@ -9,7 +9,7 @@ services:
healthcheck:
test: ['CMD', 'pg_isready', '-U', 'postgres']
volumes:
- /data/mastodon/postgres14:/var/lib/postgresql/data
- {{ data_dir }}/postgres14:/var/lib/postgresql/data
environment:
- 'POSTGRES_HOST_AUTH_METHOD=trust'
- 'POSTGRES_PASSWORD={{ mastodon_postgres_password }}'
@ -24,7 +24,7 @@ services:
healthcheck:
test: ['CMD', 'redis-cli', 'ping']
volumes:
- /data/mastodon/redis:/data
- {{ data_dir }}/redis:/data
environment:
- 'REDIS_PASSWORD={{ mastodon_redis_password }}'
@ -46,7 +46,7 @@ services:
- db
- redis
volumes:
- /data/mastodon/public/system:/mastodon/public/system
- {{ data_dir }}/public/system:/mastodon/public/system
labels:
- traefik.http.routers.mastodon.entrypoints=websecure
- traefik.http.routers.mastodon.rule=Host(`social.pizzapim.nl`)
@ -91,7 +91,7 @@ services:
networks:
- default
volumes:
- /data/mastodon/public/system:/mastodon/public/system
- {{ data_dir }}/public/system:/mastodon/public/system
healthcheck:
test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]


@ -1,3 +1,7 @@
service_name: mastodon
data_dir: "{{ base_data_dir }}/{{ service_name }}"
service_dir: "{{ base_service_dir }}/{{ service_name }}"
mastodon_postgres_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
34643131323762373635383736636432643161646130373565333432323337646435656233383131


@ -1,18 +0,0 @@
version: '3.7'
services:
nsd:
container_name: nsd
restart: always
image: ghcr.io/the-kube-way/nsd:v4.6.0
read_only: true
tmpfs:
- /tmp
- /var/db/nsd
volumes:
- /apps/nsd/conf:/etc/nsd:ro
- /apps/nsd/zones:/zones
- /apps/nsd/keys:/keys
ports:
- 53:53
- 53:53/udp


@ -1,8 +1,11 @@
server:
ip-address: enp3s0
server-count: 1
verbosity: 1
hide-version: yes
zonesdir: "/zones"
zonesdir: "/etc/nsd/zones"
ip-transparent: yes
ip-freebind: yes
zone:
name: pizzapim.nl
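Review bot: `ip-transparent: yes` and `ip-freebind: yes` are both enabled with no comment saying why; each on its own lets nsd bind an address that is not (yet) configured on `enp3s0`, so the pair reads as a trial-and-error fix for a boot-ordering problem. A comment such as `# allow binding before enp3s0 has its addresses at boot; drop whichever option turns out unneeded` would record the intent. With `ip-address: enp3s0` on bare metal, nsd now answers on every address of that interface, including the LAN-side one, which is acceptable for an authoritative-only server but worth stating next to the line.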


@ -1,19 +1,18 @@
$ORIGIN geokunis2.nl.
$TTL 60
geokunis2.nl. IN SOA ns.geokunis2.nl. niels.kunis.nl. 2022103001 1800 3600 1209600 3600
geokunis2.nl. IN SOA ns.geokunis2.nl. niels.kunis.nl. 2023010601 1800 3600 1209600 3600
NS ns.geokunis2.nl.
NS ns0.transip.net.
NS ns1.transip.nl.
NS ns2.transip.eu.
A 82.197.212.198
AAAA 2a02:58:19a:f730:da5e:d3ff:fe47:336e
A 84.245.14.149
AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda
MX 0 .
TXT "v=spf1 -all"
CAA 0 issue "letsencrypt.org"
jenl IN A 217.123.41.225
kms IN A 82.197.212.198
ovh IN A 57.128.45.138
kms IN A 84.245.14.149
_dmarc IN TXT "v=DMARC1; p=reject; fo=0; adkim=s; aspf=s; pct=100; rf=afrf; sp=reject"
ns A 82.197.212.198
AAAA 2a02:58:19a:f730:da5e:d3ff:fe47:336e
ns A 84.245.14.149
AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda
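Review bot: The SOA serial is set to 2023010601, but this range also contains record edits in commits dated 2023-01-07 ("fix some DNS bugs"); if 2023010601 had already been served to the transip secondaries before the last edit to `kms`, `ns` or the apex A/AAAA, they will not transfer the zone again until the serial increases. Bumping to 2023010701, as pizzapim.nl does in the same range, is the safe choice; a comment `; bump the serial (YYYYMMDDnn) on every change or secondaries keep the old data` above the SOA line would make the rule explicit. Since the zones are re-signed on every run (README TODO), an unchanged serial presumably also means the secondaries never pick up the fresh signatures.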


@ -1,26 +1,24 @@
$ORIGIN pizzapim.nl.
$TTL 60
pizzapim.nl. IN SOA ns.pizzapim.nl. pim.kunis.nl. 2022122900 1800 3600 1209600 3600
pizzapim.nl. IN SOA ns.pizzapim.nl. pim.kunis.nl. 2023010701 1800 3600 1209600 3600
NS ns.pizzapim.nl.
NS ns0.transip.net.
NS ns1.transip.nl.
NS ns2.transip.eu.
A 82.197.212.198
AAAA 2a02:58:19a:f730:da5e:d3ff:fe47:336e
A 84.245.14.149
AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda
TXT "v=spf1 ~all"
CAA 0 issue "letsencrypt.org"
www IN CNAME @
ns IN A 82.197.212.198
AAAA 2a02:58:19a:f730:da5e:d3ff:fe47:336e
_dmarc IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;"
cloud IN A 82.197.212.198
AAAA 2a02:58:19a:f730:da5e:d3ff:fe47:336e
social IN A 82.197.212.198
AAAA 2a02:58:19a:f730:da5e:d3ff:fe47:336e
dav IN A 82.197.212.198
AAAA 2a02:58:19a:f730:da5e:d3ff:fe47:336e
git IN A 82.197.212.198
AAAA 2a02:58:19a:f730:da5e:d3ff:fe47:336e
www IN A 84.245.14.149
AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda
ns IN A 84.245.14.149
AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda
cloud IN CNAME www.pizzapim.nl.
social IN CNAME www.pizzapim.nl.
dav IN CNAME www.pizzapim.nl.
git IN CNAME www.pizzapim.nl.
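Review bot: `cloud`, `social`, `dav` and `git` become CNAMEs to `www.pizzapim.nl.`, which removes the duplicated A/AAAA pairs but also means none of those names can ever carry another record type (MX, SPF/DKIM TXT, CAA), because a CNAME cannot coexist with other data at the same owner name. That is fine as long as none of them sends or receives mail; a short comment above the block, `; CNAME targets cannot hold MX/TXT/CAA records of their own`, prevents a later surprise. `www` keeps both A and AAAA, so the CNAME targets still resolve over IPv6.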


@ -1,3 +0,0 @@
dependencies:
- role: common
- role: docker


@ -1,86 +1,69 @@
- name: Create nsd app directory
file:
path: /apps/nsd
state: directory
- name: Create nsd configuration directory
file:
path: /apps/nsd/conf
state: directory
owner: 991
group: 991
- name: Install nsd
apt:
pkg:
- nsd
- ldnsutils
- name: Copy nsd.conf
copy:
src: "{{ role_path }}/files/nsd.conf"
dest: /apps/nsd/conf/nsd.conf
- name: Create nsd zones directory
dest: /etc/nsd/nsd.conf
- name: Create zones directory
file:
path: /apps/nsd/zones
path: /etc/nsd/zones
state: directory
owner: 991
group: 991
- name: Copy zone files
copy:
src: "{{ role_path }}/files/zones/"
dest: /apps/nsd/zones
- name: Create nsd keys directory
dest: /etc/nsd/zones
- name: Create keys directory
file:
path: /apps/nsd/keys
path: /etc/nsd/keys
state: directory
owner: 991
group: 991
- name: Copy KSK private keys
template:
src: "{{ item }}"
dest: "/apps/nsd/keys/{{ item | basename }}"
dest: "/etc/nsd/keys/{{ item | basename }}"
with_fileglob:
- "{{ role_path }}/files/keys/*.ksk.private"
- name: Copy KSK keys
copy:
src: "{{ item }}"
dest: "/apps/nsd/keys/{{ item | basename }}"
dest: "/etc/nsd/keys/{{ item | basename }}"
with_fileglob:
- "{{ role_path }}/files/keys/*.ksk.key"
- name: Copy Docker Compose script
copy:
src: "{{ role_path }}/files/docker-compose.yml"
dest: /apps/nsd/docker-compose.yml
- name: Start Docker Compose
docker_compose:
project_src: /apps/nsd
pull: true
remove_orphans: true
- name: Check if ZSKs exist
stat:
path: "/apps/nsd/keys/K{{ item | basename }}.zsk.key"
path: "/etc/nsd/keys/K{{ item | basename }}.zsk.key"
register: zsks_exists
with_fileglob:
- "{{ role_path }}/files/zones/*"
- name: Create ZSK
command:
cmd: "docker-compose exec -w /keys nsd ldns-keygen -a ED25519 {{ item.item | basename }}"
chdir: /apps/nsd
cmd: "ldns-keygen -a ED25519 {{ item.item | basename }}"
chdir: /etc/nsd/keys
register: create_zsk
when: not item.stat.exists
with_items: "{{ zsks_exists.results }}"
- name: Rename ZSK key
command:
cmd: "docker-compose exec -w /keys nsd mv {{ item.stdout }}.key K{{ item.item.item | basename }}.zsk.key"
chdir: /apps/nsd
cmd: "mv {{ item.stdout }}.key K{{ item.item.item | basename }}.zsk.key"
chdir: /etc/nsd/keys
when: item.changed
with_items: "{{ create_zsk.results }}"
- name: Rename ZSK private key
command:
cmd: "docker-compose exec -w /keys nsd mv {{ item.stdout }}.private K{{ item.item.item | basename }}.zsk.private"
chdir: /apps/nsd
cmd: "mv {{ item.stdout }}.private K{{ item.item.item | basename }}.zsk.private"
chdir: /etc/nsd/keys
when: item.changed
with_items: "{{ create_zsk.results }}"
- name: Sign zones
command:
cmd: 'docker-compose exec -w /zones nsd ldns-signzone {{ item | basename }} /keys/K{{ item | basename }}.zsk /keys/K{{ item | basename }}.ksk'
chdir: /apps/nsd
cmd: "ldns-signzone {{ item | basename }} /etc/nsd/keys/K{{ item | basename }}.zsk /etc/nsd/keys/K{{ item | basename }}.ksk"
chdir: /etc/nsd/zones
with_fileglob:
- "{{ role_path }}/files/zones/*"
- name: Restart Docker Compose
docker_compose:
project_src: /apps/nsd
restarted: true
- name: Restart NSD
systemd:
name: nsd
enabled: true
state: reloaded
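Review bot: The zones and keys directories are still created with `owner: 991`/`group: 991`, which was the uid of the nsd user inside the removed container image; the `nsd` package installed by the new apt task creates a system user `nsd` whose uid is allocated at install time, so on bare metal these directories presumably end up owned by an unrelated or nonexistent uid — `owner: nsd`, `group: nsd` matches the package. The KSK private keys are written to `/etc/nsd/keys` by `template`/`copy` without a `mode`, so the signing material gets the default umask permissions; private keys should be `mode: "0600"` and the keys directory `mode: "0700"`, and the same owner fix applies there. Finally, the new `Restart NSD` task uses `state: reloaded`, which (as far as I recall of the Debian unit's ExecReload) re-reads zone files but does not apply server options such as `zonesdir` or `ip-address` from a changed nsd.conf; a handler with `state: restarted` notified by `Copy nsd.conf` covers that case.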


@ -1,9 +1,9 @@
- name: Clone pizzeria repository
git:
repo: https://github.com/pizzapim/pizzeria
dest: /apps/pizzeria
repo: "{{ git_origin }}"
dest: "{{ service_dir }}"
- name: Start the Docker Compose
community.docker.docker_compose:
project_src: /apps/pizzeria
docker_compose:
project_src: "{{ service_dir }}"
pull: true
remove_orphans: true
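Review bot: The `git` task clones `{{ git_origin }}` without a `version`, so every run deploys whatever the default branch of the self-hosted repository points at when the play runs, and Compose then pulls and runs it unreviewed; pinning a tag or commit, `version: "<tag-or-commit>"` (placeholder), makes the deployment reproducible and lets the move to the new remote be rolled forward deliberately. The `docker_compose` short name here also loses the `community.docker.` prefix, as in the forgejo and kms task files.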


@ -0,0 +1,4 @@
service_name: pizzeria
data_dir: "{{ base_data_dir }}/{{ service_name }}"
service_dir: "{{ base_service_dir }}/{{ service_name }}"
git_origin: https://git.pizzapim.nl/pim/pizzeria.git


@ -1,29 +1,29 @@
- name: Create Radicale app directory
file:
path: /apps/radicale
path: "{{ service_dir }}"
state: directory
- name: Copy docker-compose.yml file
copy:
src: "{{ role_path }}/files/docker-compose.yml"
dest: /apps/radicale/docker-compose.yml
template:
src: "{{ role_path }}/templates/docker-compose.yml.j2"
dest: "{{ service_dir }}/docker-compose.yml"
- name: Create Radicale config directory
file:
path: /apps/radicale/config
path: "{{ service_dir }}/config"
state: directory
- name: Copy radicale.conf
copy:
src: "{{ role_path }}/files/radicale.conf"
dest: /apps/radicale/config/radicale.conf
dest: "{{ service_dir }}/config/radicale.conf"
- name: Copy users file
copy:
src: "{{ role_path }}/files/users"
dest: /apps/radicale/config/users
dest: "{{ service_dir }}/config/users"
- name: Create Radicale data directory
file:
path: /data/radicale
path: "{{ data_dir }}"
state: directory
- name: Start Docker Compose
docker_compose:
project_src: /apps/radicale
project_src: "{{ service_dir }}"
pull: true
remove_orphans: true
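Review bot: `Copy users file` copies the `users` file to `{{ service_dir }}/config/users` with no `mode`, so the credential hashes it presumably holds land with the default umask permissions (commonly 0644) and are readable by every local account on the host. `mode: "0600"`, plus the owner the container runs the Radicale process as (which this hunk does not show), keeps them private; the same applies to `radicale.conf` if it embeds credentials.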


@ -9,8 +9,8 @@ services:
restart: always
image: mailu/radicale:1.9
volumes:
- /data/radicale:/data
- /apps/radicale/config:/radicale
- {{ data_dir }}:/data
- {{ service_dir }}/config:/radicale
command: radicale -S -C /radicale/radicale.conf
networks:
- traefik


@ -0,0 +1,3 @@
service_name: radicale
data_dir: "{{ base_data_dir }}/{{ service_name }}"
service_dir: "{{ base_service_dir }}/{{ service_name }}"


@ -1,34 +1,34 @@
- name: Create Syncthing app directory
file:
path: /apps/syncthing
path: "{{ service_dir }}"
state: directory
- name: Create Syncthing configuration directory
file:
path: /apps/syncthing/config
path: "{{ service_dir }}/config"
state: directory
- name: Copy Syncthing private key
copy:
src: "{{ role_path }}/files/key.pem"
dest: /apps/syncthing/config/key.pem
dest: "{{ service_dir }}/config/key.pem"
- name: Copy Syncthing certificate
copy:
src: "{{ role_path }}/files/cert.pem"
dest: /apps/syncthing/config/cert.pem
dest: "{{ service_dir }}/config/cert.pem"
- name: Copy Syncthing configuration
template:
src: "{{ role_path }}/templates/config.xml.j2"
dest: /apps/syncthing/config/config.xml
dest: "{{ service_dir }}/config/config.xml"
- name: Create Syncthing data directory
file:
path: /data/syncthing
path: "{{ data_dir }}"
state: directory
mode: 0777
- name: Copy Docker Compose script
copy:
src: "{{ role_path }}/files/docker-compose.yml"
dest: /apps/syncthing/docker-compose.yml
template:
src: "{{ role_path }}/templates/docker-compose.yml.j2"
dest: "{{ service_dir }}/docker-compose.yml"
- name: Start Docker Compose
docker_compose:
project_src: /apps/syncthing
project_src: "{{ service_dir }}"
pull: true
remove_orphans: true
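Review bot: `Copy Syncthing private key` writes `key.pem` to `{{ service_dir }}/config/key.pem` without a `mode`, so the device's TLS private key gets the default umask permissions on the host; `mode: "0600"` with `owner: 1000` (the compose template passes `PGID=1000`; the matching PUID is presumably the same) keeps it readable by the service only. The `config.xml` rendered by the next task likely embeds the vault-encrypted `syncthing.apikey` from vars/main.yml and deserves the same treatment.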


@ -10,8 +10,8 @@ services:
- PGID=1000
- TZ=Europe/Amsterdam
volumes:
- /apps/syncthing/config:/config
- /data/syncthing:/data
- {{ service_dir }}/config:/config
- {{ data_dir }}:/data
ports:
- 8384:8384
- 22000:22000/tcp


@ -1,3 +1,7 @@
service_name: syncthing
data_dir: "{{ base_data_dir }}/{{ service_name }}"
service_dir: "{{ base_service_dir }}/{{ service_name }}"
syncthing:
apikey: !vault |
$ANSIBLE_VAULT;1.1;AES256


@ -1,30 +1,30 @@
- name: Create traefik app directory
file:
path: /apps/traefik
path: "{{ service_dir }}"
state: directory
- name: Create acme file
copy:
content: ""
dest: /apps/traefik/acme.json
dest: "{{ service_dir }}/acme.json"
force: no
mode: 0600
- name: Copy Docker Compose script
copy:
src: "{{ role_path }}/files/docker-compose.yml"
dest: /apps/traefik/docker-compose.yml
template:
src: "{{ role_path }}/templates/docker-compose.yml.j2"
dest: "{{ service_dir }}/docker-compose.yml"
- name: Copy traefik.toml
copy:
src: "{{ role_path }}/files/traefik.toml"
dest: /apps/traefik/traefik.toml
dest: "{{ service_dir }}/traefik.toml"
- name: Copy services.toml
copy:
src: "{{ role_path }}/files/services.toml"
dest: /apps/traefik/services.toml
dest: "{{ service_dir }}/services.toml"
- name: Create traefik network
docker_network:
name: "traefik"
- name: Start Docker Compose
docker_compose:
project_src: /apps/traefik
project_src: "{{ service_dir }}"
pull: true
remove_orphans: true


@ -20,9 +20,9 @@ services:
- "56287:56287"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /apps/traefik/traefik.toml:/etc/traefik/traefik.toml
- /apps/traefik/services.toml:/etc/traefik/services.toml
- /apps/traefik/acme.json:/acme.json
- {{ service_dir }}/traefik.toml:/etc/traefik/traefik.toml
- {{ service_dir }}/services.toml:/etc/traefik/services.toml
- {{ service_dir }}/acme.json:/acme.json
networks:
- traefik
labels:


@ -0,0 +1,2 @@
service_name: traefik
service_dir: "{{ base_service_dir }}/{{ service_name }}"