fix #2

Reviewed-on: https://git.pim.kunis.nl/home/max/pulls/3

.gitignore

@@ -1 +1,38 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+.terraform.lock.hcl
+*.tfbackend
+
 .vault_password

ansible.cfg

@@ -1,5 +1,4 @@
 [defaults]
-# (pathspec) Colon separated paths in which Ansible will search for Roles.
 roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles
 inventory=inventory
 vault_password_file=util/secret-service-client.sh

data/main.tf

@@ -0,0 +1,30 @@
+terraform {
+  backend "pg" {
+    schema_name = "max-data"
+    conn_str    = "postgres://terraform@10.42.0.1/terraform_state"
+  }
+
+  required_providers {
+    libvirt = {
+      source = "dmacvicar/libvirt"
+    }
+  }
+}
+
+provider "libvirt" {
+  uri = "qemu+ssh://root@atlas.lan/system"
+}
+
+resource "libvirt_volume" "data" {
+  name = "max-data"
+  pool = "data"
+  size = 1024 * 1024 * 1024 * 65
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+output "data_disk_id" {
+  value = libvirt_volume.data.id
+}

inventory/host_vars/max.yml

@@ -1,4 +1,4 @@
-base_data_dir: /data
+base_data_dir: /mnt/data
 base_service_dir: /srv
 
 # Additional open ports

inventory/hosts.yml

@@ -1,7 +1,5 @@
 all:
-  children:
+  hosts:
-    homeserver:
+    max:
-      hosts:
+      ansible_user: root
-        max:
+      ansible_host: max.dmz
-          ansible_user: root
-          ansible_host: max.dmz

main.tf

@@ -0,0 +1,26 @@
+terraform {
+  backend "pg" {
+    schema_name = "max"
+    conn_str    = "postgres://terraform@10.42.0.1/terraform_state"
+  }
+
+  required_providers {
+    libvirt = {
+      source = "dmacvicar/libvirt"
+    }
+  }
+}
+
+provider "libvirt" {
+  uri = "qemu+ssh://root@atlas.lan/system"
+}
+
+module "tf-datatest" {
+  source            = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian"
+  name              = "max"
+  domain_name       = "tf-max"
+  data_disk         = "/kvm/data/max-data"
+  #ansible_command   = "ansible-playbook max.yml"
+  memory            = 1024 * 8
+  mac               = "CA:FE:C0:FF:EE:03"
+}

max.yml

@@ -1,7 +1,26 @@
 - name: Setup homeserver
-  hosts: homeserver
+  hosts: max
+  gather_facts: no
+
+  pre_tasks:
+  - name: Wait for host to come up
+    wait_for:
+      state: started
+      port: 22
+      host: max.dmz
+      timeout: 300
+      connect_timeout: 300
+      search_regex: OpenSSH
+    delegate_to: localhost
+  - name: Wait for cloud-init to finish
+    shell:
+      cmd: "cloud-init status --wait"
+    register: cloudinit
+    changed_when: "'..' in cloudinit.stdout"
+  - name: Gather facts
+    setup:
+
   roles:
-    - {role: 'ssh', tags: 'ssh'}
     - {role: 'watchtower', tags: 'watchtower'}
     - {role: 'forgejo', tags: 'forgejo'}
     - {role: 'syncthing', tags: 'syncthing'}
@@ -11,7 +30,7 @@
     - {role: 'mastodon', tags: 'mastodon'}
     - {role: 'seafile', tags: 'seafile'}
     - {role: 'jitsi', tags: 'jitsi'}
-    - {role: 'freshrss', tags: 'freshrss'}
+    # - {role: 'freshrss', tags: 'freshrss'}
     - {role: 'static', tags: 'static'}
     - {role: 'inbucket', tags: 'inbucket'}
     - {role: 'prometheus', tags: 'prometheus'}

roles/common/files/resolv.conf

@@ -1,5 +0,0 @@
-nameserver 192.168.30.7
-nameserver 192.168.30.1
-nameserver 1.1.1.1
-nameserver 1.0.0.1
-search lan

roles/common/tasks/main.yml

@@ -9,13 +9,9 @@
   file:
     path: "{{ base_service_dir }}"
     state: directory
-- name: Disable systemd-resolved
+- name: Delete externally managed environment file
-  systemd:
+  shell:
-    name: systemd-resolved
+    cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED"
-    enabled: false
+  register: rm
-    state: stopped
+  changed_when: "rm.rc == 0"
-- name: Copy resolv.conf
+  failed_when: "false"
-  copy:
-    src: "{{ role_path }}/files/resolv.conf"
-    dest: /etc/resolv.conf
-    follow: true

roles/docker/tasks/main.yml

@@ -12,7 +12,7 @@
     keyring: /etc/apt/keyrings/docker.gpg
 - name: Add Docker repository
   apt_repository:
-    repo: "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
+    repo: "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
   register: apt_repository
 - name: Update APT cache
   apt:

roles/radicale/files/radicale.conf

@@ -9,7 +9,7 @@ stock = utf-8
 [auth]
 realm = Radicale - Password Required
 type = htpasswd
-htpasswd_filename = /radicale/users
+htpasswd_filename = /config/users
 htpasswd_encryption = md5
 
 [rights]

roles/radicale/tasks/main.yml

@@ -13,7 +13,7 @@
 - name: Copy radicale.conf
   copy:
     src: "{{ role_path }}/files/radicale.conf"
-    dest: "{{ service_dir }}/config/radicale.conf"
+    dest: "{{ service_dir }}/config/config"
 - name: Copy users file
   copy:
     src: "{{ role_path }}/files/users"

roles/radicale/templates/docker-compose.yml.j2

@@ -1,18 +1,28 @@
-version: '3'
+version: '3.7'
-
-networks:
-  traefik:
-    external: true
 
 services:
   radicale:
-    restart: always
+    image: tomsquest/docker-radicale
-    image: mailu/radicale:1.9
     container_name: radicale
+    init: true
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - SETUID
+      - SETGID
+      - CHOWN
+      - KILL
+    healthcheck:
+      test: curl -f http://127.0.0.1:5232 || exit 1
+      interval: 30s
+      retries: 3
+    restart: unless-stopped
     volumes:
       - {{ data_dir }}:/data
-      - {{ service_dir }}/config:/radicale
+      - {{ service_dir }}/config:/config:ro
-    command: radicale -S -C /radicale/radicale.conf
     networks:
       - traefik
     labels:
@@ -23,3 +33,7 @@ services:
       - traefik.http.routers.radicale.tls.certresolver=letsencrypt
       - traefik.http.routers.radicale.service=radicale
       - traefik.http.services.radicale.loadbalancer.server.port=5232
+
+networks:
+  traefik:
+    external: true

roles/static/vars/main.yml

@@ -1,3 +1,3 @@
 service_name: static
 service_dir: "{{ base_service_dir }}/{{ service_name }}"
-git_origin: "http://localhost:{{ internal_forgejo_port }}/pim/static.git"
+git_origin: "http://git.pim.kunis.nl/pim/static.git"